In udev rules, the %k, %b, %n substitutions are nice and all, but you can also use the same variables you match on and set, such as ID_FS_TYPE, KERNEL, SUBSYSTEM, PHYSDEVPATH, etc. When you run a command from a udev rule, there’s nothing stopping you from calling a shell and executing a few commands inline instead of calling a standalone script to do the dirty work. If you dump the environment variables from inside the program the rule runs, you get a much clearer picture of exactly which step of device discovery is matching your rule and being processed.
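As an added example (not code from the original post), here is a small handler that a RUN+= rule can invoke to record the environment udev passes to it. The rule, the script path /usr/local/sbin/udev-log-env.sh and the log location are assumptions for illustration; udev itself supplies ACTION, DEVPATH, SUBSYSTEM, DEVNAME and the ID_* properties as environment variables to RUN programs.

```shell
#!/bin/sh
# Added example: log which udev event matched a rule by dumping the environment.
# Hypothetical rule for /etc/udev/rules.d/99-log-events.rules:
#
#   SUBSYSTEM=="block", ACTION=="add", RUN+="/usr/local/sbin/udev-log-env.sh --run"
#
# The same thing inline, without a separate script, as the text describes:
#
#   SUBSYSTEM=="block", ACTION=="add", RUN+="/bin/sh -c 'env >> /var/log/udev-events.log'"
#
# udev runs RUN programs as root, so the log lives in a root-owned directory
# rather than /tmp (UDEV_LOG overrides the path for testing).

# Print the udev-related variables from the current environment, one per line,
# sorted, so the reader sees exactly which properties the matched event carried.
dump_udev_env() {
    env | grep -E '^(ACTION|DEVPATH|DEVNAME|SUBSYSTEM|ID_[A-Z0-9_]+)=' | sort
}

# Append one entry (header line plus the variables) to the log file and
# print the number of variables recorded, so callers can check it.
log_event() {
    logfile="${UDEV_LOG:-/var/log/udev-events.log}"
    vars=$(dump_udev_env)
    count=$(printf '%s\n' "$vars" | grep -c . || true)
    {
        printf '== %s action=%s devpath=%s\n' "$(date '+%F %T')" "${ACTION:-?}" "${DEVPATH:-?}"
        printf '%s\n' "$vars"
    } >> "$logfile"
    echo "$count"
}

# When invoked by udev with --run, log the event and exit quietly.
if [ "${1:-}" = "--run" ]; then
    log_event >/dev/null
fi
```

Reading the resulting log after plugging in a device shows which ID_* properties were present at the moment the rule fired, which is usually what you need when a match key like ID_FS_TYPE unexpectedly fails to match.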
Which is better? Which is faster? For a desktop system, I don’t think it really matters if you have to process a bunch of rules. How many can there be, and how much network traffic are you seeing anyway? It’s probably more efficient to modify your sysctl.conf, but it seems more organized to do it all with iptables.