> Is it hard to extend the source and destination match functions to accept > multiple arguments? Yes, they are pretty wired into iptables. And I would worry about their performance. But it should be easy to create a new match to do it. There is already multiport and mport. The equivalent for addresses should not be hard. Simon