> I should be able to write "-m tcp --dport 80 -j ACCEPT" once and have it work with both.
Kind of like how PF does it?
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
block all
pass out proto tcp to any port $tcp_services keep state
pass proto udp to any port $udp_services keep state
Similar functionality is provided in nftables for Linux (the 'inet' family applies to both IPv4 and IPv6). But outside of the most trivial use cases of just blocking/allowing a port, it doesn't really work out to be that useful because of other restrictions. E.g., if you are collecting IPs that have created new connections to some set of ports more than n times within a time period in order to rate limit them, you are out of luck and will need separate rules for IPv4 and IPv6, since you cannot save a mix of IPv4 and IPv6 addresses to the same list.
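As an added illustration of that comment (example ruleset written for this thread, not taken from it or from the nftables project): a single `inet` table where the plain port-80 accept is written once for both families, while the connection-rate tracking needs one dynamic set and one rule per family because a set has exactly one element type. Set names, ports and the 10/minute threshold are assumed values.

```nftables
table inet filter {
    # One dynamic set per address family: a set's type is either ipv4_addr
    # or ipv6_addr, so an inet table still cannot mix both in one set.
    set ratelimit_v4 {
        type ipv4_addr
        flags dynamic, timeout
        timeout 10m
    }
    set ratelimit_v6 {
        type ipv6_addr
        flags dynamic, timeout
        timeout 10m
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iif lo accept

        # Layer-4 matches are family-neutral: this one rule covers
        # IPv4 and IPv6, the equivalent of "-m tcp --dport 80 -j ACCEPT" once.
        tcp dport 80 accept

        # Already-flagged sources are dropped before any new-connection rule runs.
        ip saddr @ratelimit_v4 drop
        ip6 saddr @ratelimit_v6 drop

        # Per-source new-connection rate on a set of ports (assumed: 22, 443).
        # When a source exceeds 10 new connections/minute it is added to the
        # family-specific set for 10 minutes and the packet is dropped.
        # The same logic must be written twice, once per address family.
        ct state new tcp dport { 22, 443 } add @ratelimit_v4 { ip saddr limit rate over 10/minute } drop
        ct state new tcp dport { 22, 443 } add @ratelimit_v6 { ip6 saddr limit rate over 10/minute } drop

        ct state new tcp dport { 22, 443 } accept
    }
}
```

Load with `nft -f <file>` and inspect the tracked sources with `nft list set inet filter ratelimit_v4` (or `ratelimit_v6`).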
If an address family ("af") is not specified, the rule applies to both:

* https://docs.freebsd.org/en/books/handbook/firewalls/#pf-tut...
* https://www.freebsd.org/cgi/man.cgi?query=pf.conf
* https://www.openbsd.org/faq/pf/filter.html#syntax

Perhaps the protocol isn't the problem and you're just using firewall software that doesn't have very good syntax?