diff --git a/awall/model.lua b/awall/model.lua
index 126841bfe2b37002750968cb7099f35bca19ddc3..3ef5a3d04d694add3478d78aad79920d9acc22e5 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -113,10 +113,10 @@ function M.Zone:optfrags(dir)
       aopts = {}
       for i, hostdef in listpairs(self.addr) do
 	 for i, addr in ipairs(resolve(hostdef, self)) do
-	    table.insert(aopts,
-			 {family=addr[1],
-			  [aprop]=addr[2],
-			  opts='-'..aopt..' '..addr[2]})
+	    table.insert(
+	       aopts,
+	       {family=addr[1], [aprop]=addr[2], match='-'..aopt..' '..addr[2]}
+	    )
 	 end
       end
    end
@@ -125,7 +125,7 @@ function M.Zone:optfrags(dir)
    if self.ipsec ~= nil then
       popt = {
 	 {
-	    opts='-m policy --dir '..dir..' --pol '..
+	    match='-m policy --dir '..dir..' --pol '..
 	       (self.ipsec and 'ipsec' or 'none')
 	 }
       }
@@ -134,7 +134,7 @@ function M.Zone:optfrags(dir)
    return combinations(
       maplist(
 	 self.iface,
-	 function(x) return {[iprop]=x, opts='-'..iopt..' '..x} end
+	 function(x) return {[iprop]=x, match='-'..iopt..' '..x} end
       ),
       aopts,
       popt
@@ -358,7 +358,7 @@ function M.Rule:servoptfrags()
 		  self.reverse and sdef['reply-type'] or sdef.type
 	       )
 	    end
-	    table.insert(res, {family=family, opts=opts})
+	    table.insert(res, {family=family, match=opts})
 	 end
       end
    end
@@ -396,10 +396,10 @@ function M.Rule:servoptfrags()
 		  until len == 0
 	       end
 
-	       table.insert(ofrags, {opts=opts})
+	       table.insert(ofrags, {match=opts})
 	    until len == 0
 
-	 else table.insert(ofrags, {opts=propt}) end
+	 else table.insert(ofrags, {match=propt}) end
       end
 
       extend(res, combinations(ofrags, {{family=family}}))
@@ -487,12 +487,12 @@ function M.Rule:trules()
 						     return 'dst'
 						  end),
 					 ',')
-	 table.insert(ipsetofrags, {family=setdef.family, opts=setopts})
+	 table.insert(ipsetofrags, {family=setdef.family, match=setopts})
       end
       ofrags = combinations(ofrags, ipsetofrags)
    end
 
-   if self.match then ofrags = combinations(ofrags, {{opts=self.match}}) end
+   if self.match then ofrags = combinations(ofrags, {{match=self.match}}) end
 
    ofrags = combinations(ofrags, self:servoptfrags())
 
@@ -561,10 +561,12 @@ function M.Rule:trules()
 	       ofs = {{chain='FORWARD'}, {chain='OUTPUT'}}
 	       recursive = true
 	    elseif ofrag.chain == 'INPUT' then
-	       ofs = {{opts='-m addrtype --dst-type LOCAL', chain='PREROUTING'}}
+	       ofs = {
+	          {match='-m addrtype --dst-type LOCAL', chain='PREROUTING'}
+	       }
 	    elseif ofrag.chain == 'FORWARD' then
 	       ofs = {
-		  {opts='-m addrtype ! --dst-type LOCAL', chain='PREROUTING'}
+		  {match='-m addrtype ! --dst-type LOCAL', chain='PREROUTING'}
 	       }
 	    end
 
@@ -703,7 +705,7 @@ function M.Limit:limitofrags(name)
 	 ofrags,
 	 {
 	    family=family,
-	    opts=keys[1] and
+	    match=keys[1] and
 	       '-m hashlimit --hashlimit-upto '..rate..' --hashlimit-burst '..
 	       self:intrate()..' --hashlimit-mode '..table.concat(keys, ',')..
 	       maskopts..' --hashlimit-name '..(name or self:uniqueid()) or
diff --git a/awall/modules/clampmss.lua b/awall/modules/clampmss.lua
index e991e1e4b9d6b941f1931f66a01709040a8085e5..b29dcab2e48e8a30c6ccb7c93b01c61895f127c1 100644
--- a/awall/modules/clampmss.lua
+++ b/awall/modules/clampmss.lua
@@ -1,6 +1,6 @@
 --[[
 TCP MSS clamping module for Alpine Wall
-Copyright (C) 2012-2014 Kaarle Ritvanen
+Copyright (C) 2012-2016 Kaarle Ritvanen
 See LICENSE file for license details
 ]]--
 
@@ -13,7 +13,7 @@ local ClampMSSRule = model.class(model.Rule)
 function ClampMSSRule:table() return 'mangle' end
 
 function ClampMSSRule:servoptfrags()
-   return {{opts='-p tcp --tcp-flags SYN,RST SYN'}}
+   return {{match='-p tcp --tcp-flags SYN,RST SYN'}}
 end
 
 function ClampMSSRule:target()
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua
index 48165b4e5269af362754747d1faf469d026d9f81..849127a9922feaf785f1ad3f7331d89020156454 100644
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -65,7 +65,7 @@ function FilterLimit:recentofrags(name)
       local rec = {
 	 {
 	    family=family,
-	    opts='-m recent --name '..name..' --r'..
+	    match='-m recent --name '..name..' --r'..
 	       ({src='source', dest='dest'})[attr]..' --mask '..mask
 	 }
       }
@@ -74,10 +74,10 @@ function FilterLimit:recentofrags(name)
 	 uofs,
 	 combinations(
 	    rec,
-	    {{opts='--update --hitcount '..count..' --seconds '..interval}}
+	    {{match='--update --hitcount '..count..' --seconds '..interval}}
 	 )
       )
-      extend(sofs, combinations(rec, {{opts='--set'}}))
+      extend(sofs, combinations(rec, {{match='--set'}}))
    end
 
    return uofs, sofs
@@ -188,7 +188,8 @@ function RelatedRule:servoptfrags()
 	 if helper then
 	    helpers[helper] = {
 	       family=sdef.family,
-	       opts='-m conntrack --ctstate RELATED -m helper --helper '..helper
+	       match='-m conntrack --ctstate RELATED -m helper --helper '..
+	          helper
 	    }
 	 end
       end
@@ -400,11 +401,11 @@ local function stateful(config)
 
       local er = combinations(
 	 fchains,
-	 {{opts='-m conntrack --ctstate ESTABLISHED'}}
+	 {{match='-m conntrack --ctstate ESTABLISHED'}}
       )
       for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
 	 table.insert(
-	    er, {chain=chain, opts='-'..chain:sub(1, 1):lower()..' lo'}
+	    er, {chain=chain, match='-'..chain:sub(1, 1):lower()..' lo'}
 	 )
       end
       extend(
@@ -449,8 +450,8 @@ local function stateful(config)
    return res
 end
 
-local icmp = {{family='inet', table='filter', opts='-p icmp'}}
-local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}}
+local icmp = {{family='inet', table='filter', match='-p icmp'}}
+local icmp6 = {{family='inet6', table='filter', match='-p icmpv6'}}
 local ir = combinations(
    icmp6,
    {{chain='INPUT'}, {chain='OUTPUT'}},
@@ -462,12 +463,11 @@ extend(ir, combinations(icmp, fchains, {{target='icmp-routing'}}))
 local function icmprules(ofrag, oname, types)
    extend(
       ir,
-      combinations(ofrag,
-		   {{chain='icmp-routing', target='ACCEPT'}},
-		   util.map(types,
-			    function(t)
-			       return {opts='--'..oname..' '..t}
-			    end))
+      combinations(
+         ofrag,
+	 {{chain='icmp-routing', target='ACCEPT'}},
+	 util.map(types, function(t) return {match='--'..oname..' '..t} end)
+      )
    )
 end
 icmprules(icmp, 'icmp-type', {3, 11, 12})
@@ -481,6 +481,6 @@ return {
       ['%filter-after']={rules=ir, after='filter'}
    },
    achains=combinations(
-      {{chain='tarpit'}}, {{opts='-p tcp', target='TARPIT'}, {target='DROP'}}
+      {{chain='tarpit'}}, {{match='-p tcp', target='TARPIT'}, {target='DROP'}}
    )
 }
diff --git a/awall/modules/log.lua b/awall/modules/log.lua
index a4ce1e59890956d665276b1017a81545f4e2e14d..076a8a0f5e22ca349362b5eac27fdd8b1d3db137 100644
--- a/awall/modules/log.lua
+++ b/awall/modules/log.lua
@@ -1,6 +1,6 @@
 --[[
 Packet logging module for Alpine Wall
-Copyright (C) 2012-2014 Kaarle Ritvanen
+Copyright (C) 2012-2016 Kaarle Ritvanen
 See LICENSE file for license details
 ]]--
 
@@ -35,12 +35,12 @@ function Log:matchofrags()
 
 	 if sel == 'every' then
 	    ofrags = {
-	       {opts='-m statistic --mode nth --every '..value..' --packet 0'}
+	       {match='-m statistic --mode nth --every '..value..' --packet 0'}
 	    }
 	 elseif sel == 'limit' then
 	    ofrags = self:create(LogLimit, value, 'loglimit'):limitofrags()
 	 elseif sel == 'probability' then
-	    ofrags = {{opts='-m statistic --mode random --probability '..value}}
+	    ofrags = {{match='-m statistic --mode random --probability '..value}}
 	 else assert(false) end
       end
    end
diff --git a/awall/modules/mark.lua b/awall/modules/mark.lua
index 7b0be1af508707435355ada88ef22c87a4ba2312..56348d3030e425a1302870507391b12977c8f347 100644
--- a/awall/modules/mark.lua
+++ b/awall/modules/mark.lua
@@ -1,6 +1,6 @@
 --[[
 Packet marking module for Alpine Wall
-Copyright (C) 2012-2014 Kaarle Ritvanen
+Copyright (C) 2012-2016 Kaarle Ritvanen
 See LICENSE file for license details
 ]]--
 
@@ -30,7 +30,7 @@ function RouteTrackRule:target() return self:uniqueid('mark') end
 
 function RouteTrackRule:servoptfrags()
    return combinations(
-      RouteTrackRule.super(self):servoptfrags(), {{opts='-m mark --mark 0'}}
+      RouteTrackRule.super(self):servoptfrags(), {{match='-m mark --mark 0'}}
    )
 end
 
@@ -50,7 +50,7 @@ local function restoremark(config)
 	 {
 	    {
 	       table='mangle',
-	       opts='-m connmark ! --mark 0',
+	       match='-m connmark ! --mark 0',
 	       target='CONNMARK --restore-mark'
 	    }
 	 }
diff --git a/awall/modules/masquerade.lua b/awall/modules/masquerade.lua
index cc549f893d1cdc101e94ca2cb1ce7256f637c238..0ee9c9456206d7cc26c7dc0e8d7ddc623392792c 100644
--- a/awall/modules/masquerade.lua
+++ b/awall/modules/masquerade.lua
@@ -1,6 +1,6 @@
 --[[
 IPSet-based masquerading module for Alpine Wall
-Copyright (C) 2012-2014 Kaarle Ritvanen
+Copyright (C) 2012-2016 Kaarle Ritvanen
 See LICENSE file for license details
 ]]--
 
@@ -14,14 +14,14 @@ return {
 	       family='inet',
 	       table='nat',
 	       chain='POSTROUTING',
-	       opts='-m set --match-set awall-masquerade src',
+	       match='-m set --match-set awall-masquerade src',
 	       target='awall-masquerade'
 	    },
 	    {
 	       family='inet',
 	       table='nat',
 	       chain='awall-masquerade',
-	       opts='-m set ! --match-set awall-masquerade dst',
+	       match='-m set ! --match-set awall-masquerade dst',
 	       target='MASQUERADE'
 	    }
 	 },
diff --git a/awall/modules/tproxy.lua b/awall/modules/tproxy.lua
index 045150033d93ad45f8f26dd853ffff9ecea77c70..5831f3b8813b243247d9f834e8d5d45342707ef3 100644
--- a/awall/modules/tproxy.lua
+++ b/awall/modules/tproxy.lua
@@ -1,6 +1,6 @@
 --[[
 Transparent proxy module for Alpine Wall
-Copyright (C) 2012-2014 Kaarle Ritvanen
+Copyright (C) 2012-2016 Kaarle Ritvanen
 See LICENSE file for license details
 ]]--
 
@@ -55,7 +55,7 @@ local function divert(config)
       )
       table.insert(
 	 ofrags,
-	 {chain='PREROUTING', opts='-m socket', target='divert'}
+	 {chain='PREROUTING', match='-m socket', target='divert'}
       )
       return combinations(
 	 {{family='inet'}, {family='inet6'}},
diff --git a/awall/optfrag.lua b/awall/optfrag.lua
index e24177f5f343b82f73479b90262ce6b7d7e2bce7..cedf42f569deb89e13adbadb52fae61cfca01c32 100644
--- a/awall/optfrag.lua
+++ b/awall/optfrag.lua
@@ -1,6 +1,6 @@
 --[[
 Option fragment module for Alpine Wall
-Copyright (C) 2012-2014 Kaarle Ritvanen
+Copyright (C) 2012-2016 Kaarle Ritvanen
 See LICENSE file for license details
 ]]--
 
@@ -24,12 +24,12 @@ function M.combinations(of1, ...)
 
 	 local of = {}
 	 for k, v in pairs(x) do
-	    if k ~= 'opts' then of[k] = v end
+	    if k ~= 'match' then of[k] = v end
 	 end
 
 	 local match = true
 	 for k, v in pairs(y) do
-	    if k ~= 'opts' then
+	    if k ~= 'match' then
 	       if of[k] and v ~= of[k] then
 		  match = false
 		  break
@@ -39,10 +39,10 @@ function M.combinations(of1, ...)
 	 end
 
 	 if match then
-	    if x.opts then
-	       if y.opts then of.opts = x.opts..' '..y.opts
-	       else of.opts = x.opts end
-	    else of.opts = y.opts end
+	    if x.match then
+	       if y.match then of.match = x.match..' '..y.match
+	       else of.match = x.match end
+	    else of.match = y.match end
 	    table.insert(res, of)
 	 end
       end
@@ -54,7 +54,7 @@ end
 function M.location(of) return of.family..'/'..of.table..'/'..of.chain end
 
 function M.command(of)
-   return (of.opts and of.opts..' ' or '')..
+   return (of.match and of.match..' ' or '')..
       (of.target and '-j '..of.target or '')
 end