While adding testing for inversion of multiport, noticed that documentation about --ports is *wrong*. Ports do not have to be equal: either dest or src being in list is enough for match.
diff --git a/extensions/libipt_multiport.man b/extensions/libipt_multiport.man
index cead84e..4c07608 100644
--- a/extensions/libipt_multiport.man
+++ b/extensions/libipt_multiport.man
@@ -15,5 +15,5 @@
is a convenient alias for this option.
.TP
.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the both the source and destination ports are equal to each
-other and to one of the given ports.
+Match if either the source or destination ports are equal to one of
+the given ports.