Before Onload accelerates a socket, it first checks the Onload firewall module. If the firewall module indicates that accelerating the socket would violate a firewall rule, the acceleration request is denied and the socket is handed off to the kernel. Network traffic sent or received on that socket is then not accelerated.
Onload firewall rules are parsed in ascending numerical order. The first rule to match the newly created socket, which can specify either accelerating or decelerating the socket, is selected and no further rules are parsed.
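Because the first match ends evaluation, a broad low-numbered rule can hide a narrower rule placed after it. The following is an added example, not Onload code: a small Python model of first-match evaluation that also reports rules which can never be selected. The rule fields, the action names and the accelerate-when-nothing-matches default are assumptions made for illustration and are not onload_iptables syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    # Hypothetical fields for illustration; not onload_iptables syntax.
    number: int      # rules are evaluated in ascending order of this value
    protocol: str    # "tcp", "udp" or "any"
    local_net: str   # CIDR block the socket's local address must fall in
    ports: range     # local ports covered
    action: str      # "ACCELERATE" or "DECELERATE"

    def matches(self, protocol, local_ip, local_port):
        return (self.protocol in ("any", protocol)
                and ip_address(local_ip) in ip_network(self.local_net)
                and local_port in self.ports)

    def covers(self, other):
        """True if every socket that matches `other` also matches this rule."""
        return (self.protocol in ("any", other.protocol)
                and ip_network(other.local_net).subnet_of(ip_network(self.local_net))
                and self.ports.start <= other.ports.start
                and other.ports.stop <= self.ports.stop)

def decide(rules, protocol, local_ip, local_port, default="ACCELERATE"):
    """First match in ascending rule order wins; `default` is an assumption."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, local_ip, local_port):
            return rule.action, rule.number
    return default, None

def shadowed(rules):
    """Pairs (rule, earlier rule) where the earlier rule alone covers the later
    one, so the later rule can never be selected."""
    ordered = sorted(rules, key=lambda r: r.number)
    pairs = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.covers(later):
                pairs.append((later.number, earlier.number))
                break
    return pairs

# Constructed sample rule set (documentation address range).
RULES = [
    Rule(20, "tcp", "192.0.2.10/32", range(5001, 5002), "ACCELERATE"),
    Rule(10, "tcp", "192.0.2.0/24", range(1, 65536), "DECELERATE"),
    Rule(30, "udp", "192.0.2.0/24", range(9000, 9100), "DECELERATE"),
]
```

In the sample set, rule 20 is never reached because rule 10 already matches every socket it describes; giving the narrower rule the lower number restores the intended behaviour.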
If the Onload firewall rules are an exact copy of the kernel iptables, with no additional rules added by the Onload user, then a socket handed off to the kernel because of an iptables rule violation will be unable to receive data through either path.
Changing rules using onload_iptables will not interrupt existing network connections.