On Fri, 15 Aug 2008, Jan Engelhardt wrote:

> On Friday 2008-08-15 15:31, Jozsef Kadlecsik wrote:
> >> For example:
> >>
> >> iptables -t mangle -A PREROUTING -m a --mac-source 00:11:22:33:44:55
> >> -m b --mac-source 00:11:22:33:44:55 -j ACCEPT
> >>
> >> the above command will fail due to the later match.
> >
> >Yes: you should use match-specific options, like
> >
> >iptables -t mangle -A PREROUTING -m a --a-mac-source 00:11:22:33:44:55
> >-m b --b-mac-source 00:11:22:33:44:55 -j ACCEPT
>
> I disagree. If you chain multiple matches, e.g.
>
> -m condition --name FOO -m conidtion --name BAR
>
> you can't choose a different option name naturally.

And you don't choose - why should you? The (not-mistyped) example above
*is* supported by iptables. With the suggested patch we'd lose it.

And currently we do not enforce that match options be strictly packed
together, i.e. you can type

-m foo -m bar --foo-option --bar-option

> Hence I am of the opinion that different matches should also support
> this syntax.

Why should different matches use the same syntax? Would it make the rules
more readable and less error prone if the same option names could be used
at different kinds of matches? Of course not.

So in my opinion the feature would not buy us anything but could lead to
confusion, not to mention losing a valuable feature and breaking backward
compatibility. Therefore I'm against it.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary