>> > I suggest to turn -j NFACCT into -m nfacct instead, so that we can add
>> > counting-down mode and matching capabilities, so as to replace
>> > xt_quota*.
>>
>> This makes sense.
>>
>> My only concern is that -m nfacct will not really match anything (not
>> by default at least).
>>
>> But with -m nfacct, we can use it in one single multi-match rule, which
>> comes in handy.
>
> I second that turning it into a "match" makes it more flexible.

I've often wished I could apply multiple targets to a single rule, ie. mangle like so, and then ACCEPT, instead of having to create a separate chain...

It sounds like there should be matches, targets, and non-decisive actions, which happen after the matches, don't affect matching, and before the targets...