[PLUG] iptables redux
Evan Heidtmann
clydefrog at adnap.no-ip.com
Tue Aug 17 16:41:02 UTC 2004
On Tue, 2004-08-17 at 16:20, Roderick A. Anderson wrote:
> On Tue, 17 Aug 2004, Wil Cooley wrote:
>
> > That's correct. A -j jump interrupts rule-processing and unless the
> > jumped-to chain has a 'RETURN' jump, it ends there.
>
> 'jumped-to' chain as in REJECT, DROP, DENY, ALLOW but is the next rule
> still processed? Say one that allows or denies SMB/CIF connections.
Once a packet matches a rule that jumps to REJECT, DROP, DENY, or ALLOW,
netfilter takes that action and stops going through the rules.
From 'man iptables':
TARGETS
A firewall rule specifies criteria for a packet, and a
target. If the packet does not match, the next rule in
the chain is then examined; if it does match, then the
next rule is specified by the value of the target,
which can be the name of a user-defined chain or one of
the special values ACCEPT, DROP, QUEUE, or RETURN.
ACCEPT means to let the packet through. DROP means to
drop the packet on the floor. QUEUE means to pass the
packet to userspace (if supported by the kernel).
RETURN means stop traversing this chain and resume at
the next rule in the previous (calling) chain. If the
end of a built-in chain is reached or a rule in a
built-in chain with target RETURN is matched, the
target specified by the chain policy determines the fate
of the packet.
Evan
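The traversal rules quoted above (terminating targets stop processing, a jump to a user-defined chain comes back to the calling chain when that chain is exhausted or hits RETURN, and the built-in chain's policy decides anything left over) can be walked through in a small model. The following is an added example written for this thread, not iptables code and not from the original post: it simulates chain traversal over a constructed ruleset with an SMB/CIFS chain like the one asked about, and the packets, addresses, chain name SMB and helper names are all made up for the illustration.

```python
"""Toy model of netfilter chain traversal as described in the iptables
man page.  Added illustration for this thread, not iptables code: the
ruleset, chain names, addresses and packets below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Targets that decide the packet's fate and stop all further rule processing.
# QUEUE hands the packet to userspace, which for this model also ends traversal.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "QUEUE"}


@dataclass
class Rule:
    match: Callable[[dict], bool]   # predicate over the packet's fields
    target: str                     # terminating target, RETURN, or a chain name
    note: str = ""                  # free text, like an iptables --comment


@dataclass
class Firewall:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policies: Dict[str, str] = field(default_factory=dict)   # built-in chains only
    trace: List[str] = field(default_factory=list)

    def _walk(self, chain: str, pkt: dict) -> Optional[str]:
        """Walk one chain.  Returns a terminating verdict, or None when the
        chain was exhausted or a RETURN was hit; the caller then resumes at
        its own next rule (or, for a built-in chain, applies the policy)."""
        for idx, rule in enumerate(self.chains.get(chain, []), 1):
            if not rule.match(pkt):
                continue                      # no match: examine the next rule
            self.trace.append(f"{chain}[{idx}] -> {rule.target} ({rule.note})")
            if rule.target in TERMINATING:
                return rule.target            # fate decided; nothing else runs
            if rule.target == "RETURN":
                return None
            verdict = self._walk(rule.target, pkt)   # jump to user-defined chain
            if verdict is not None:
                return verdict
            # the called chain came back without a verdict: carry on here
        return None

    def verdict(self, builtin: str, pkt: dict) -> str:
        """Fate of a packet entering a built-in chain."""
        self.trace = []
        v = self._walk(builtin, pkt)
        if v is None:                         # fell off the end or RETURNed
            v = self.policies[builtin]        # chain policy decides
            self.trace.append(f"{builtin} policy -> {v}")
        return v


# Match helpers standing in for -p tcp --dport and -s.
def dport(*ports):
    return lambda p: p["proto"] == "tcp" and p["dport"] in ports


def src(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["src"]) in net


def any_pkt(p):
    return True


def build_example_firewall() -> Firewall:
    """Constructed ruleset, roughly: iptables -P INPUT DROP; iptables -N SMB;
    iptables -A INPUT -p tcp -m multiport --dports 139,445 -j SMB; and so on."""
    fw = Firewall(policies={"INPUT": "DROP"})
    fw.chains["INPUT"] = [
        Rule(dport(139, 445), "SMB", "hand SMB/CIFS to its own chain"),
        Rule(src("10.0.0.0/8"), "ACCEPT", "VPN clients"),
        Rule(dport(22), "ACCEPT", "ssh from anywhere"),
    ]
    fw.chains["SMB"] = [
        Rule(src("192.168.1.0/24"), "ACCEPT", "LAN may use SMB"),
        Rule(src("10.0.0.0/8"), "RETURN", "let INPUT decide about VPN"),
        Rule(any_pkt, "REJECT", "everyone else"),
    ]
    return fw


def packet(src_ip: str, dport_: int, proto: str = "tcp") -> dict:
    return {"src": src_ip, "dport": dport_, "proto": proto}


if __name__ == "__main__":
    fw = build_example_firewall()
    for pkt in (packet("192.168.1.20", 445), packet("10.8.0.3", 445),
                packet("203.0.113.5", 445), packet("203.0.113.5", 22),
                packet("203.0.113.5", 80)):
        v = fw.verdict("INPUT", pkt)
        print(f"{pkt['src']}:{pkt['dport']} -> {v:7} " + "; ".join(fw.trace))
```

Read the trace for the VPN packet to port 445: INPUT[1] jumps to SMB, SMB[2] RETURNs, and processing resumes at INPUT[2], which accepts it. The outside packet to 445 is REJECTed by SMB[3] and INPUT[2] and INPUT[3] are never looked at, which is the answer to the question above. A RETURN matched directly in a built-in chain goes straight to the policy, as the man page says.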