Don't use the Match from the Firewall in Forwarding if a rule allowed the packet. If a packet has been allowed, that means the Forwarding module can send it where it needs to go matching on its header files (which have already been given the OK by the Firewall). If a Firewall rule is very general, e.g. allow all packets through switch 1, then the first packet that traverses the switch will cause Forwarding to insert a general from from port A to port B with no specific hheader field matches (since they weren't specified in the Firewall rule).