Hi Rusty,

I've been working on the versioning stuff last days. I've tested with 
the mark target.

As I told you, I propose to add an option called --release to the 
current syntax of iptables which works as follows:

a) New version of matches/targets: iptables -I INPUT -t mangle -j MARK 
--release 1 --and-mark 0x1

b) Primitive version. To keep backward compatibility, the syntax is the 
same, no modification: iptables -I INPUT -t mangle -j MARK --set-mark 0x1

Optionally, someone could apply this: iptables -I INPUT -t mangle -j 
MARK --release 0 --set-mark 0x1

To finish, some comments about what I have in mind for next days:

1) Test this stuff in nfsim with a test case based on yours.
2) Clean up the kernel patch that I sent you some weeks ago and rename 
field `version' to `release'
3) port mport match to multiport to test that versioning stuff is 
working fine with matches.
4) More testing...

Please, comments welcome.

--
Pablo