On Tue, Aug 04, 2015 at 11:25:11AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Mon, Aug 03, 2015 at 04:04:46AM +0000, Kyeong Yoo wrote:
> > > I found this is useful for me to match multiple DSCP values in a rule.
> > >
> > > For example, if you want to handle traffic with a list of DSCP the same way,
> > > instead of using this:
> > >
> > > -A FORWARD ...cond1... -m dscp --dscp-class AF11 -j TARGET
> > > -A FORWARD ...cond1... -m dscp --dscp-class AF21 -j TARGET
> > > -A FORWARD ...cond1... -m dscp --dscp-class AF31 -j TARGET
> > > -A FORWARD ...cond2... -m dscp --dscp 10 -j TARGET
> > > -A FORWARD ...cond2... -m dscp --dscp 20 -j TARGET
> > >
> > > you can use:
> > >
> > > -A FORWARD ...cond1... -m dscp --dscp-multi AF11,AF21,AF31 -j TARGET
> > > -A FORWARD ...cond2... -m dscp --dscp-multi 10,20 -j TARGET
> >
> > We support multiple matches in a rule for a long time already:
> >
> > -A FORWARD ...cond1... -m dscp --dscp-class AF11 \
> >            -m dscp --dscp-class AF21 \
> >            -m dscp --dscp-class AF31 \
>
> Yes, but that won't work since this is foo && bar, not foo || bar.

Oh I see.

I don't like these combo updates, we may keep receiving patches to do
the same thing for other matches in iptables.

nftables resolves this problem through dictionaries, please have a
look at that.
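The nftables approach mentioned at the end of the thread above, as an added example that is not part of the original messages: an anonymous set gives the "foo || bar" match in one rule, and a verdict map (dictionary) dispatches per DSCP value. The `iifname`/`oifname` conditions standing in for `cond1`/`cond2`, the table name and the `AF11_QUEUE`/`AF21_QUEUE` chains are assumptions made for illustration.

```nft
# Load with: nft -f dscp-example.nft   (file name is an assumption)
table ip dscp_example {
    chain TARGET {
        # Stand-in for whatever the iptables TARGET chain did.
        counter
    }

    chain AF11_QUEUE {
        counter
    }

    chain AF21_QUEUE {
        counter
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replaces the three "--dscp-class" rules for cond1:
        # the rule matches if the DSCP field is ANY member of the set.
        iifname "eth0" ip dscp { af11, af21, af31 } jump TARGET

        # Replaces the two numeric "--dscp 10" / "--dscp 20" rules for cond2
        # (0x0a = 10, 0x14 = 20).
        oifname "eth1" ip dscp { 0x0a, 0x14 } jump TARGET

        # Dictionary form: one lookup selects a different verdict per value,
        # instead of one rule per DSCP class.
        ip dscp vmap { af11 : jump AF11_QUEUE, af21 : jump AF21_QUEUE, ef : accept }
    }
}
```

Chaining several `ip dscp` expressions in one nftables rule is still a logical AND, as with repeated `-m dscp` in iptables; the set and the map are what provide the OR.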