diff --git a/firewallmngr/Makefile b/firewallmngr/Makefile
index a689c714a..e5f15508c 100644
--- a/firewallmngr/Makefile
+++ b/firewallmngr/Makefile
@@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewallmngr
-PKG_VERSION:=1.0.9
+PKG_VERSION:=1.0.10
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
@@ -55,8 +55,8 @@ endif
 define Package/firewallmngr/install
 $(INSTALL_DIR) $(1)/etc/config
 $(INSTALL_DIR) $(1)/etc/uci-defaults
-ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
 $(INSTALL_DIR) $(1)/etc/init.d
+ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
 $(INSTALL_DIR) $(1)/lib/port-trigger
 $(INSTALL_BIN) ./files/port-trigger/etc/init.d/port-trigger $(1)/etc/init.d/
@@ -69,6 +69,9 @@ endif
 $(INSTALL_BIN) ./files/firewall.service $(1)/etc/
 $(INSTALL_DATA) ./files/etc/uci-defaults/97-firewall-service $(1)/etc/uci-defaults/
+ $(INSTALL_BIN) ./files/etc/init.d/l2filter $(1)/etc/init.d
+ $(INSTALL_DATA) ./files/etc/config/l2filter $(1)/etc/config/
+
 $(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME)
 $(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libfirewallmngr.so $(1) $(PKG_NAME)
 endef
diff --git a/firewallmngr/files/etc/config/l2filter b/firewallmngr/files/etc/config/l2filter
new file mode 100644
index 000000000..5bf163ca5
--- /dev/null
+++ b/firewallmngr/files/etc/config/l2filter
@@ -0,0 +1,26 @@
+#L2 filter UCI file
+
+config chain 'qos_output'
+ option target 'qos_output'
+ option table 'nat'
+ option chain 'OUTPUT'
+ option policy 'RETURN'
+
+config chain 'dscp2pbits'
+ option target 'dscp2pbits'
+ option table 'broute'
+ option chain 'BROUTING'
+ option policy 'RETURN'
+
+config chain 'qos'
+ option target 'qos'
+ option table 'broute'
+ option chain 'BROUTING'
+ option policy 'RETURN'
+
+config chain 'prevlanxlate'
+ option target 'prevlanxlate'
+ option table 'broute'
+ option chain 'BROUTING'
+ option policy 'RETURN'
+ option append 'false'
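Review bot: In the third hunk the new `/etc/config/l2filter` is installed with `$(INSTALL_DATA)` (install -m0644), while OpenWrt's macro for files under /etc/config is `$(INSTALL_CONF)` (install -m0600); since this file declares kernel filtering chains, the line should read `$(INSTALL_CONF) ./files/etc/config/l2filter $(1)/etc/config/`. If the package has a `Package/firewallmngr/conffiles` define (not visible in this diff), `/etc/config/l2filter` should be listed in it so opkg upgrades and sysupgrade keep a user's edits instead of overwriting them. The second hunk's move of `$(INSTALL_DIR) $(1)/etc/init.d` above the `ifeq` is what makes the new `$(INSTALL_BIN)` of the init script valid when CONFIG_FIREWALLMNGR_PORT_TRIGGER is unset; for consistency with the neighbouring lines its destination should be written `$(1)/etc/init.d/`. The `define Package/firewallmngr/install` block begins before the third hunk.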
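Review bot: `#L2 filter UCI file` is the only documentation in the new file, and the option names read the opposite way from what a first reader expects: `target` is the user chain created with `-N` in `table`, and `chain` is the built-in chain (`OUTPUT`, `BROUTING`) that receives the jump to it, as `handle_ebtables_chain` in files/etc/init.d/l2filter shows. A header of the form `# chain sections: 'target' = user chain to create in 'table'; 'chain' = built-in chain that jumps to it; 'policy' = chain policy (default RETURN); 'append' = false inserts the jump (-I) instead of appending it (-A)` would keep the config and the init script aligned. `option append 'false'` on `prevlanxlate` is the only section that departs from the defaults, which is worth a one-line comment above it saying why that chain must be consulted first.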
diff --git a/firewallmngr/files/etc/init.d/l2filter b/firewallmngr/files/etc/init.d/l2filter
new file mode 100755
index 000000000..d04446b5e
--- /dev/null
+++ b/firewallmngr/files/etc/init.d/l2filter
@@ -0,0 +1,93 @@
+#!/bin/sh /etc/rc.common
+
+# Start after bdmf shell, wanconf, and switch-script but before the network-script
+START=20
+STOP=10
+
+USE_PROCD=1
+
+. /lib/functions.sh
+
+handle_ebtables_chain() {
+ local sid="$1"
+ local table
+ local chain
+ local target
+ local policy
+ local append
+ local enabled
+ local ret
+
+ config_get table "$sid" table filter
+ config_get chain "$sid" chain
+ config_get policy "$sid" policy RETURN
+ config_get target "$sid" target
+ config_get_bool append "$sid" append 1
+ config_get_bool enabled "$sid" enabled 1
+
+ [ "$enabled" = "0" ] && return
+ [ -z "${chain}" -o -z "${target}" ] && return
+
+ if [ "$append" != "0" ]; then
+ append="-A"
+ else
+ append="-I"
+ fi
+
+ ebtables --concurrent -t "$table" -N "$target" -P "$policy" 2> /dev/null
+ ret=$?
+
+ if [ $ret -eq 0 ]; then
+ ebtables --concurrent -t "$table" ${append} "$chain" -j "$target"
+ else
+ ebtables --concurrent -t "$table" -D "$chain" -j "$target"
+ ebtables --concurrent -t "$table" ${append} "$chain" -j "$target"
+ fi
+}
+
+handle_ebtables_rule() {
+ local sid="$1"
+ local table
+ local chain
+ local target
+ local match
+ local value
+ local enabled
+ local ret
+
+ config_get table "$sid" table filter
+ config_get chain "$sid" chain
+ config_get match "$sid" match
+ config_get value "$sid" value
+ config_get target "$sid" target RETURN
+ config_get_bool append "$sid" append 1
+ config_get_bool enabled "$sid" enabled 1
+
+ [ "$enabled" = "0" ] && return
+ [ -z "${chain}" -o -z "${target}" ] && return
+
+ if [ "$append" != "0" ]; then
+ append="-A"
+ else
+ append="-I"
+ fi
+
+ ebtables --concurrent -t "$table" -D "$chain" ${match} -j "$target" ${value} 2> /dev/null
+ ebtables --concurrent -t "$table" ${append} "$chain" ${match} -j "$target" ${value}
+}
+
+start_service() {
+ config_load l2filter
+ config_foreach handle_ebtables_chain chain
+ config_foreach handle_ebtables_rule rule
+}
+
+reload_service() {
+ stop
+ start
+}
+
+
+service_triggers() {
+ procd_add_reload_trigger l2filter
+}
diff --git a/qosmngr/Makefile b/qosmngr/Makefile
index 3c6e141f2..2e1be00f9 100644
--- a/qosmngr/Makefile
+++ b/qosmngr/Makefile
@@ -30,7 +30,7 @@ define Package/qosmngr
 TITLE:=QoS Manager
 DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +libqos +!(TARGET_brcmbca||TARGET_airoha):tc-full
 DEPENDS+=+kmod-vlantranslation +kmod-dscp2pbit +!(TARGET_brcmbca):ebtables-legacy
- DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service
+ DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service +firewallmngr
 endef
 define Package/qosmngr/description
diff --git a/qosmngr/files/common/lib/qos/classify.sh b/qosmngr/files/common/lib/qos/classify.sh
index 3a2e61828..1129b350e 100755
--- a/qosmngr/files/common/lib/qos/classify.sh
+++ b/qosmngr/files/common/lib/qos/classify.sh
@@ -122,7 +122,7 @@ setup_qos() {
 cp /etc/config/qos /tmp/qos/qos
 fi
- create_ebtables_chains
+ /etc/init.d/l2filter restart # Imitate the existing behaviour.
 create_iptables_chains
 }
diff --git a/qosmngr/files/common/lib/qos/ebtables.sh b/qosmngr/files/common/lib/qos/ebtables.sh
index 704c39a2a..5049913f8 100755
--- a/qosmngr/files/common/lib/qos/ebtables.sh
+++ b/qosmngr/files/common/lib/qos/ebtables.sh
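Review bot: `reload_service` runs `stop` then `start`, but the script defines no `stop_service`, so nothing removes rules or chain jumps installed by a previous run: a section that is later disabled (`option enabled 0`) or deleted stays active in the kernel until reboot, and the `/etc/init.d/l2filter restart` that qosmngr's classify.sh now issues has the same gap. Re-applying is only safe because each handler issues `-D` before `-A`/`-I`; a `stop_service` that deletes the jumps and chains recorded from the last run (for example a list kept under /var/run) would make reload authoritative. `handle_ebtables_rule` assigns `append` through `config_get_bool` without a `local append` declaration, so it becomes a global variable, while its `local ret` is never used; add `local append` and drop `local ret`. The unquoted `${match}` and `${value}` are deliberately word-split into ebtables arguments, which deserves a comment such as `# match/value hold whitespace-separated ebtables arguments and are intentionally unquoted`.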
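Review bot: The comment on the new line, `# Imitate the existing behaviour.`, does not say which behaviour is imitated or where the chains now come from; the four chains previously created by `create_ebtables_chains` are now declared in /etc/config/l2filter, shipped by firewallmngr in this same change, so `# Chains (qos_output, dscp2pbits, qos, prevlanxlate) are declared in /etc/config/l2filter (firewallmngr); restart re-creates them idempotently` would point the reader at the right file. The exit status of the restart is not checked, which matches the replaced call, but the chain setup is now a cross-package dependency (see the `+firewallmngr` added to qosmngr's DEPENDS) and a missing or failing init script would go unnoticed here. `setup_qos()` begins outside the hunk.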
@@ -508,46 +508,6 @@ handle_ebtables_dscp2pbit() {
 BR_RULE_DSCP2PBIT=" -i $in_if -j dscp2pbit --dscp2pbit-mapping $dscp2pbit_mapping_list --dscp2pbit-target CONTINUE"
 }
-create_ebtables_chains() {
-
- ebtables --concurrent -t nat -N qos_output -P RETURN 2> /dev/null
- ret=$?
- if [ $ret -eq 0 ]; then
- ebtables --concurrent -t nat -A OUTPUT -j qos_output
- else
- ebtables --concurrent -t nat -D OUTPUT -j qos_output
- ebtables --concurrent -t nat -A OUTPUT -j qos_output
- fi
-
- ebtables --concurrent -t broute -N dscp2pbits -P RETURN 2> /dev/null
- ret=$?
- if [ $ret -eq 0 ]; then
- ebtables --concurrent -t broute -A BROUTING -j dscp2pbits
- else
- ebtables --concurrent -t broute -D BROUTING -j dscp2pbits
- ebtables --concurrent -t broute -A BROUTING -j dscp2pbits
- fi
-
- ebtables --concurrent -t broute -N qos -P RETURN 2> /dev/null
- ret=$?
- if [ $ret -eq 0 ]; then
- ebtables --concurrent -t broute -A BROUTING -j qos
- else
- ebtables --concurrent -t broute -D BROUTING -j qos
- ebtables --concurrent -t broute -A BROUTING -j qos
- fi
-
- ebtables --concurrent -t broute -N prevlanxlate -P RETURN 2> /dev/null
- ret=$?
-
- if [ $ret -eq 0 ]; then
- ebtables --concurrent -t broute -I BROUTING -j prevlanxlate
- else
- ebtables --concurrent -t broute -D BROUTING -j prevlanxlate
- ebtables --concurrent -t broute -I BROUTING -j prevlanxlate
- fi
-}
-
 flush_ebtables_chains() {
 echo "ebtables --concurrent -t nat -F qos_output" > /tmp/qos/classify.ebtables
 echo "ebtables --concurrent -t broute -F qos" > /tmp/qos/classify.ebtables