On Mon, Jun 23, 2003 at 02:49:09PM +0300, Arvanitis Kostas wrote:

> Is it possible to specify more than one instance of a match extension for a
> given rule? The code seems to accept this, but when I try giving two TCP
> match options using iptables, it exits with an unclear error:
>
> root@xxxx# iptables -t nat -A POSTROUTING --source 10.0.0.0/8 -m tcp --destination-port 8080 --syn -m tcp --destination-port 80 -j MASQUERADE
>
> I know that my example can be accomplished using multiport, but it is just
> used to clarify my question, which is: Can more than one instance of a match
> extension exist for a single rule? Even if not, is this something possible in
> a future version of iptables?

No, this is not possible due to some architectural limitations. I think in early development this was optionally to be implemented (there are some comments in the code), but it was never followed up.

It is unlikely that this is going to change, since I'm not aware of anybody being in urgent need of that feature, and it would involve lots of code change.

btw: since this is a development question, why didn't you ask it on the developer list?

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx>             http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed."                    -- Paul Vixie
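Added example, not part of the original thread or of the netfilter project: the two ways the quoted intent ("source 10.0.0.0/8 to TCP port 80 or 8080") can actually be written, since a rule cannot carry a second -m tcp. Note that all matches inside one rule are ANDed, so even if iptables accepted two --destination-port matches, a packet could never satisfy both; the OR has to come from -m multiport or from one rule per port. The script only prints the commands (dry run), so it runs without root or netfilter; the helper names are hypothetical, the network and ports are the ones from the quoted rule, and the --syn flag is left out because it belongs to the tcp match, not to multiport.

```shell
#!/bin/sh
# Dry-run generator for the two valid spellings of "port 80 OR port 8080".
# Nothing here calls iptables; each function just emits the command text.

SRC_NET="10.0.0.0/8"                 # source network from the quoted rule
CHAIN="-t nat -A POSTROUTING"        # table/chain from the quoted rule

# One rule: -m multiport ORs the listed destination ports within a single match.
# multiport needs an explicit -p tcp (or udp); ports are a comma-separated list.
multiport_rule() {
    ports="$1"
    printf 'iptables %s --source %s -p tcp -m multiport --dports %s -j MASQUERADE\n' \
        "$CHAIN" "$SRC_NET" "$ports"
}

# Several rules: the OR is expressed by one rule per port, each with its own
# (single) tcp match. Equivalent in effect, but longer rulesets to audit.
per_port_rules() {
    for p in "$@"; do
        printf 'iptables %s --source %s -p tcp --dport %s -j MASQUERADE\n' \
            "$CHAIN" "$SRC_NET" "$p"
    done
}

# Count how many rules a generator emits (handy when reviewing ruleset size).
count_rules() {
    "$@" | wc -l | tr -d ' '
}

# Show both forms when run directly.
multiport_rule 80,8080
per_port_rules 80 8080
```

Review the emitted lines before applying them with a privileged shell; the multiport form keeps the ruleset short, the per-port form keeps each rule's counters separate, which is sometimes preferable for monitoring.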