How to limit specific traffic through gre tunnel?

[iwanthome]

I want to use ACL to limit traffic through gre tunnel.When I do it, I find some problem,please help me.
what's mean of "in" and "out"?I know in and out when interface is ethernet or serial,but how about is it when interace is tunnel?
suppose my topu is like this:
---gre---int tunn 0---router-----ether0
int tunn 0
ip addr 1.1.1.1 255.255.255.252
tunnel source 10.10.10.253
tunnel destination 9.1.1.1
ip access-group 110 out
int ethernet 0
ip addr 10.10.10.253 255.255.255.0
access-list 110 permit ip host 9.1.1.8 host 10.10.10.222
so access-list 110 is right or it must be:
access-list 110 permit ip host 10.10.10.222 host 9.1.1.8
thanks!

 

[iwanthome]

I don't know which process order is right.
I think router will encapsulation gre first,then check output access-list,and deencapsulation gre,then check input access-list,am I right?