> What about simply returning with an error code if there is an attempt to
> create a chain which clashes with a target name?

Wasn't there recent discussion about "how do I find all available target names"?

But I agree in principle, that would be the least intrusive short-term "rationalization" of the now-very-order-dependent behaviour.

I could still shoot myself in the foot by installing a new target into a running system (easily done with patch-o-matic and kernel modules). My already-user-defined chains will continue to work as before - until the next fresh run of my iptables init scripts / iptables-restore.

With my proposal, that shooting would not happen - it's just that the newly installed module won't be accessible without using the special "+TARGET" syntax I invented.

regards
Patrick