diff --git a/loxilb-ebpf b/loxilb-ebpf
index 4bf6e3e36..a3edc2fdf 160000
--- a/loxilb-ebpf
+++ b/loxilb-ebpf
@@ -1 +1 @@
-Subproject commit 4bf6e3e36ae7de560fe2cfe6811cb635333af979
+Subproject commit a3edc2fdf2906f0bcd4a0131af839f184802dd48
diff --git a/pkg/loxinet/rules.go b/pkg/loxinet/rules.go
index 62f2715a8..9be090f2e 100644
--- a/pkg/loxinet/rules.go
+++ b/pkg/loxinet/rules.go
@@ -1040,7 +1040,7 @@ func (R *RuleH) addAllowedLbSrc(CIDR string, lbMark uint32) *allowedSrcElem {
 return nil
 }
- if lbMark >= 14 {
+ if lbMark >= 30 {
 tk.LogIt(tk.LogError, "allowed-src lbmark out-of-range\n")
 return nil
 }
@@ -1080,7 +1080,7 @@ addFw:
 R.lbSrcMap[CIDR] = srcElem
 }
- tk.LogIt(tk.LogInfo, "added allowed-cidr %s: 0x%x\n", srcPref.String(), srcElem.lbmark)
+ tk.LogIt(tk.LogInfo, "added allowed-cidr %s: 0x%x(%v)\n", srcPref.String(), srcElem.lbmark, srcElem.ref)
 return srcElem
 }
@@ -1091,7 +1091,7 @@ func (R *RuleH) deleteAllowedLbSrc(CIDR string, lbMark uint32) error {
 return errors.New("no such allowed src prefix")
 }
- if lbMark >= 14 {
+ if lbMark >= 30 {
 tk.LogIt(tk.LogError, "allowed-src lbmark out-of-range\n")
 return nil
 }
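Review bot: The range bound `30` is now a bare literal in both addAllowedLbSrc in this hunk and deleteAllowedLbSrc in the -1091 hunk, so the two checks can drift apart the next time the width changes; declare it once at package scope, e.g. `const maxAllowedSrcLbMark = 30`, and compare against that in both places. The value presumably tracks the lbmark width on the eBPF side that the loxilb-ebpf submodule update in this same commit changes — a comment on the constant naming that coupling would make the next bump safer to review. Separately, deleteAllowedLbSrc returns `nil` from its out-of-range branch even though it logs an error, so a caller cannot tell that the delete was skipped and the allowed-source entry is still in force; `return errors.New("allowed-src lbmark out-of-range")` would match the function's other failure path just above. Both enclosing functions continue outside the hunk.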
@@ -1660,10 +1660,27 @@ func (R *RuleH) AddLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg, al if eRule.hChk.prbType != serv.ProbeType || eRule.hChk.prbPort != serv.ProbePort || eRule.hChk.prbReq != serv.ProbeReq || eRule.hChk.prbResp != serv.ProbeResp || eRule.pTO != serv.PersistTimeout || eRule.act.action.(*ruleLBActs).sel != lBActs.sel || - eRule.act.action.(*ruleLBActs).mode != lBActs.mode { + eRule.act.action.(*ruleLBActs).mode != lBActs.mode || + len(allowedSources) != len(eRule.srcList) { ruleChg = true } + if len(allowedSources) == len(eRule.srcList) { + for _, newSrc := range allowedSources { + srcMatch := false + for _, src := range eRule.srcList { + if src.srcPref.String() != newSrc.Prefix { + srcMatch = true + break + } + } + if !srcMatch { + ruleChg = true + break + } + } + } + if !ruleChg { return RuleExistsErr, errors.New("lbrule-exists error") } @@ -1691,6 +1708,26 @@ func (R *RuleH) AddLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg, al } } + eSrcList := eRule.srcList + eRule.srcList = nil + + for _, allowedSource := range allowedSources { + srcElem := R.addAllowedLbSrc(allowedSource.Prefix, uint32(eRule.ruleNum)) + if srcElem == nil { + for _, src := range eRule.srcList { + R.deleteAllowedLbSrc(src.srcPref.String(), uint32(eRule.ruleNum)) + } + eRule.srcList = eSrcList + tk.LogIt(tk.LogError, "nat lb-rule - %s:%s allowedSRC error\n", eRule.tuples.String(), eRule.act.String()) + return RuleAllocErr, errors.New("rule-allowed-src error") + } + eRule.srcList = append(eRule.srcList, srcElem) + } + + for _, srcElem := range eSrcList { + R.deleteAllowedLbSrc(srcElem.srcPref.String(), uint32(eRule.ruleNum)) + } + // Update the rule eRule.hChk.prbType = serv.ProbeType eRule.hChk.prbPort = serv.ProbePort 
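Review bot: The per-prefix comparison in the new `if len(allowedSources) == len(eRule.srcList)` block is inverted: `srcMatch` is set when an existing prefix differs from `newSrc.Prefix`, so with two or more distinct existing sources every new prefix is reported as matched (a changed allowed-source list is then rejected with lbrule-exists and the old access list silently stays in force), while with a single unchanged source `srcMatch` stays false and the rule is reprogrammed needlessly. The test should read `if src.srcPref.String() == newSrc.Prefix {`. Because this comparison decides whether an update to a rule's source-allow list takes effect at all, a unit test with a two-entry list where one prefix is swapped would pin it. Note also that `newSrc.Prefix` is compared as the raw caller string against the formatted `srcPref.String()`; a caller CIDR that is not in canonical form never compares equal, so parsing `newSrc.Prefix` before comparing would be more robust, assuming addAllowedLbSrc applies the same parse. AddLbRule starts before and continues after this hunk.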
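Review bot: Both cleanup loops in the -1691 hunk discard the error returned by `R.deleteAllowedLbSrc`, so a stale allowed-source entry (and its reference) can be left behind silently when the rollback or the old-list removal fails; at minimum log it, `if err := R.deleteAllowedLbSrc(src.srcPref.String(), uint32(eRule.ruleNum)); err != nil { tk.LogIt(tk.LogError, "allowed-src %s delete: %s\n", src.srcPref.String(), err) }`. Adding the new sources before removing the old list looks intended so that a prefix present in both lists keeps its reference (the `ref` field now printed by the -1080 hunk) instead of being torn down and recreated; a one-line comment above `eSrcList := eRule.srcList` stating that ordering would stop a future refactor from reversing it. Between `eRule.srcList = nil` and the final append the existing rule is briefly visible with an empty source list; whether that matters depends on the locking around R.tables, which is outside this hunk. The enclosing AddLbRule continues outside the hunk.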
@@ -2004,8 +2041,9 @@ func (R *RuleH) AddFwRule(fwRule cmn.FwRuleArg, fwOptArgs cmn.FwOptArg) (int, er
 eFw := R.tables[RtFw].eMap[rt.ruleKey()]
 if eFw != nil {
- if fwOpts.opt.fwMark != fwOptArgs.Mark {
- fwOpts.opt.fwMark = fwOptArgs.Mark
+ if eFw.act.action.(*ruleFwOpts).opt.fwMark != fwOptArgs.Mark {
+ eFw.Fw2DP(DpRemove)
+ eFw.act.action.(*ruleFwOpts).opt.fwMark = fwOptArgs.Mark
 eFw.Fw2DP(DpCreate)
 }
 // If a FW rule already exists