I'm testing a script that runs before ferm and output rules that are later included by ferm, and after I opened this PR, I noticed that more modules (in this case, -m comment --comment) does not accept the same parameter multiple times for a single match instance.
So I wonder, why did you put this restriction in the first place @MaxKellermann?
I know that this is an old project, so maybe you don't remember 😅, but if it was just for sake of cleaner iptables output, it might be worth removing this restriction altogether and just keep what was input by the user...

So if user input:

mod set match-set valid-sources src mod set ! match-set invalid-dests MASQUERADE;

it would correctly render:

-A POSTROUTING --match set --match-set valid-sources src --match set ! --match-set invalid-dests dst --jump MASQUERADE

instead of current behavior:

-A POSTROUTING --match set --match-set valid-sources src ! --match-set invalid-dests dst --jump MASQUERADE

Currently, I patched ferm like this PR (but now included the comment module in the regex), but if there was no downside, I'd prefer removing it altogether...

I think this might need a more evolved patch, as I just tested this:

comment this comment is comment a comment test NOP;

and ferm outputs:
-A INPUT --match comment --comment this --comment is --comment a --comment test

which iptables complains:

iptables -A POSTROUTING --match comment --comment this --comment is --comment a --comment test
iptables v1.8.4 (legacy): comment: option "--comment" can only be used once.

Try `iptables -h' or 'iptables --help' for more information.