Why is this MAC address iptables whitelisting not working?
1 vote, 1 answer, 256 views
This is on a router. I have $mac as the MAC of one client and $set is an ipset of type hash:net. My intention is to deny access to all networks in $set, except for $mac who can access the networks.
-A lan_forward -m mac ! --mac-source $mac -m set --match-set $set dst -j REJECT
But this isn't working. It blocks $set for everyone no matter what the MAC address is. What is the problem? When I turn it into a LOG target I see this:
[ 4128.497456] Blocked website: IN=lanbridge OUT=tun0 MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.186 DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=21305 DF PROTO=TCP SPT=40030 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
I can confirm with tcpdump that it is rejecting the connection with TCP RST despite having the whitelisted MAC.
EDIT! I found out the problem:
My problem was that I had more than one rule:
-A lan_forward -m mac ! --mac-source $mac1 -m set --match-set $set dst -j REJECT
-A lan_forward -m mac ! --mac-source $mac2 -m set --match-set $set dst -j REJECT
-A lan_forward -m mac ! --mac-source $mac3 -m set --match-set $set dst -j REJECT
So even if the first matched, the second would fail and reject. I almost decided to use MARK but I don't think this is a proper use of packet marking, so instead I just ACCEPT all outgoing from all the MACs, then block all outgoing to the networks specified in the ipset. I just have to remember not to add anything after the ACCEPT rule that I want to apply to any of the MACs I'm filtering.
Asked by user536142
(11 rep)
Aug 2, 2022, 10:56 PM
Last activity: Aug 3, 2022, 01:28 AM
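The behaviour the asker discovered, as an added example that is not part of the original post: a small Python model of first-match chain traversal over constructed packets, MACs and ipset networks, contrasting the three stacked "! --mac-source ... -j REJECT" rules with per-MAC ACCEPT rules followed by one REJECT. Nothing here touches a real netfilter table; the rule semantics are reproduced only as far as the question needs.

```python
"""Toy model of the lan_forward chain from the question (added example).

First-match traversal over two rule sets shows why several negated
'! --mac-source $macN ... -j REJECT' rules reject every client, while
per-MAC ACCEPT rules followed by a single REJECT give the intended whitelist.
"""
import ipaddress

# Constructed sample data: whitelisted MACs and a hash:net ipset of blocked networks.
WHITELIST = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}
BLOCKED_SET = [ipaddress.ip_network("203.0.113.0/24"),
               ipaddress.ip_network("198.51.100.0/24")]


def in_set(dst):
    """Models '-m set --match-set $set dst' against the hash:net set."""
    return any(ipaddress.ip_address(dst) in net for net in BLOCKED_SET)


def broken_chain():
    """One REJECT rule per MAC, each with a negated --mac-source match.

    A whitelisted client fails its own rule's match but satisfies every
    other MAC's '!' condition, so the second rule already rejects it.
    """
    return [(lambda p, m=m: p["mac"] != m and in_set(p["dst"]), "REJECT")
            for m in sorted(WHITELIST)]


def fixed_chain():
    """ACCEPT each whitelisted MAC first, then REJECT everyone else.

    ACCEPT is terminating, so later rules in this chain never see
    whitelisted clients (the caveat the asker notes in the edit).
    """
    rules = [(lambda p, m=m: p["mac"] == m, "ACCEPT") for m in sorted(WHITELIST)]
    rules.append((lambda p: in_set(p["dst"]), "REJECT"))
    return rules


def verdict(chain, packet, policy="ACCEPT"):
    """First-match traversal: the first rule whose match fires decides."""
    for match, target in chain:
        if match(packet):
            return target
    return policy  # fell off the end of the chain


PACKETS = {  # constructed packets: (source MAC, destination IP)
    "whitelisted_to_blocked": {"mac": "aa:bb:cc:00:00:01", "dst": "203.0.113.10"},
    "other_to_blocked": {"mac": "de:ad:be:ef:00:01", "dst": "203.0.113.10"},
    "other_to_allowed": {"mac": "de:ad:be:ef:00:01", "dst": "192.0.2.5"},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name}: broken={verdict(broken_chain(), pkt)} fixed={verdict(fixed_chain(), pkt)}")
```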