> > > User defined chains are *not* tied to specific tables
> > > as far as I can tell.
> >
> > Huh? User defined chains are tied to the table they are created in.
> > And I sometimes hate iptables for that...
>
> Why? Reusability? What you do in mangle is not what you do in nat is
> not what you do in filter so I see little if not at all reusability.
I often have user defined chains with nothing but a list of "-s IP -j ACCEPT" in them. In a "higher level" chain, I select on protocol and port, jumping to such an "IP address list" chain. It sometimes happens that I need the exact same list of IP addresses both in the filter and nat/mangle tables, and I have to duplicate them, then. I hate it when I have to duplicate stuff needlessly.

On the other hand, as the chains are generated (e.g. by parsing /etc/hosts.allow), it's not a problem to handle the situation, and iptables cannot be changed to the "slightly better" behaviour for compatibility reasons. So don't get me wrong: this is not a feature request.

best regards
Patrick
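An added example, not from the thread, of the generation approach Patrick describes: one list of addresses is rendered into an "IP address list" chain for both the filter and nat tables in iptables-restore format, so the per-table duplication is done mechanically rather than by hand. Chain name, port and addresses are constructed for the example; in the post's setup the list comes from /etc/hosts.allow.

```shell
#!/bin/sh
# Render an iptables-restore fragment in which the same list of trusted
# sources appears as a user-defined chain in two tables.

# Constructed sample allowlist (the post parses /etc/hosts.allow for this).
ALLOWED_IPS="192.0.2.10 192.0.2.11 198.51.100.0/24"

# emit_table TABLE LISTCHAIN HOOKCHAIN "SELECTOR" IP...
# Prints one complete "*TABLE ... COMMIT" block: a chain holding only
# "-s IP -j ACCEPT" rules (ending in RETURN so traffic from other sources
# falls through to later rules), plus the "higher level" rule in HOOKCHAIN
# that selects on protocol/port and jumps to it.
emit_table() {
    table=$1; listchain=$2; hookchain=$3; selector=$4
    shift 4
    printf '%s\n' "*$table"
    printf '%s\n' ":$listchain - [0:0]"
    for ip in "$@"; do
        printf '%s\n' "-A $listchain -s $ip -j ACCEPT"
    done
    printf '%s\n' "-A $listchain -j RETURN"
    printf '%s\n' "-A $hookchain $selector -j $listchain"
    printf '%s\n' "COMMIT"
}

# render_ruleset prints the whole fragment: the list chain in filter (reached
# from INPUT for TCP/22) and again in nat (reached from PREROUTING, where
# ACCEPT exempts those sources from any DNAT rule placed after the jump).
# Word-splitting of ALLOWED_IPS is intended.
render_ruleset() {
    emit_table filter ssh_clients INPUT "-p tcp --dport 22" $ALLOWED_IPS
    emit_table nat ssh_clients PREROUTING "-p tcp --dport 22" $ALLOWED_IPS
}

# count_accepts counts the "-s IP -j ACCEPT" lines in the rendered output:
# one copy per address per table, which is exactly the duplication the
# post complains about.
count_accepts() {
    render_ruleset | grep -c -- '-s .* -j ACCEPT'
}

render_ruleset
```

Feed the output to `iptables-restore -n` (no flush) to add only these chains and rules to an existing ruleset.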
