Description
What we tried to do
Hi guys,
We tried changing the traffic filter example in the examples section from a block-list to an allow-list.
To do so, we changed the default action of the tables to be drop instead of NoAction. We then ran the program with no rules applied, to see whether every packet is indeed dropped.
The problem
When we run in verbose mode, the compiler states that every received packet is dropped.
The problem is that when we open a Netcat connection between 2 laptops connected to the p4pi network, or when we open a Netcat connection between a connected laptop and the p4pi itself, the messages get through and reach the other side, even though all the packets seem to be dropped.
We tried writing a simpler program that just calls drop on every packet in MyIngress' apply, and again it states that every packet is dropped, but the connection goes through.
What we think / don't understand
The example shows the capability of the firewall by running an iperf server inside the gigport namespace. This does work for us.
The problem is when we use Netcat outside of the gigport namespace - between 2 laptops or a laptop and the p4pi.
Do we need to run something inside the gigport namespace?
Can we extend the firewall capabilities to support blocking communication between 2 connected devices?
Thank you for your help.