From: Venkatesh Prasad Ranganath <vranganath@cox.net>
To: netfilter-devel@lists.netfilter.org
Subject: [Fwd: ACCEPT/DROP]
Date: Fri, 20 Dec 2002 07:54:38 -0600 [thread overview]
Message-ID: <3E03211E.20900@cox.net> (raw)
Hi,
I was looking into the iptables implementation and was intrigued about
how iptables would handle a situation in which we have identical rules
except for their targets, which contradict each other, say ACCEPT and DROP.
By looking at ipt_do_table() function it seems that the first
non-IPT_RETURN verdict from any standard target will end the traversal
of a chain of a table, which seems to be a bit odd. First, such
conflicting rules must not be allowed. Even beyond that, this fails in the
situation where you have a dropping rule added after an accepting rule.
For example, a packet from m.n.o.p to a.b.c.d would be accepted at
a.b.c.d because of the first rule, although it had to be dropped
according to the second rule. And this would result because of the
order in which the rules are added to the table.
iptables -A INPUT -d a.b.c.d -j ACCEPT
iptables -A INPUT -s m.n.o.p -j DROP
Is my understanding correct? If so, I am curious to know how nf-hipac
behaves in such situations.
Waiting for a reply,
--
Venkatesh Prasad Ranganath,
Dept. Computing and Information Science,
Kansas State University, US.
web: http://www.cis.ksu.edu/~rvprasad
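The traversal the message describes (rules checked in order; the first matching rule whose target gives a terminal verdict ends the chain; RETURN hands control back to the calling chain; the built-in chain's policy applies if nothing decides) can be modelled in a few lines. The block below is an added example, not code from netfilter or from the poster, and it is only a model of the semantics, not of ipt_do_table() itself. The Table, Rule and helper names, and the addresses and rules used, are all constructed for the illustration.

```python
"""Toy model of iptables chain traversal with first-match semantics.

Added example (not netfilter code): models the behaviour discussed in the
message, where the first matching rule with a terminal target (ACCEPT or
DROP) ends traversal of the chain, RETURN goes back to the calling chain,
and a built-in chain's policy applies when no rule decides.  All class and
function names and all sample addresses/rules are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

TERMINAL = {"ACCEPT", "DROP"}


@dataclass
class Rule:
    src: Optional[str] = None   # source address to match; None means any
    dst: Optional[str] = None   # destination address to match; None means any
    target: str = "ACCEPT"      # ACCEPT, DROP, RETURN, or a user-defined chain

    def matches(self, src: str, dst: str) -> bool:
        return (self.src is None or self.src == src) and \
               (self.dst is None or self.dst == dst)


@dataclass
class Table:
    chains: dict = field(default_factory=dict)    # chain name -> [Rule, ...]
    policies: dict = field(default_factory=dict)  # built-in chain -> ACCEPT/DROP

    def append(self, chain: str, rule: Rule) -> None:
        """Like `iptables -A chain ...`: add at the end of the chain."""
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain: str, rule: Rule) -> None:
        """Like `iptables -I chain ...`: add at the head of the chain."""
        self.chains.setdefault(chain, []).insert(0, rule)

    def _walk(self, chain: str, src: str, dst: str, trace: list):
        for rule in self.chains.get(chain, []):
            if not rule.matches(src, dst):
                continue
            trace.append((chain, rule.target))
            if rule.target in TERMINAL:
                return rule.target          # first terminal verdict wins
            if rule.target == "RETURN":
                return None                 # back to the caller
            # jump to a user-defined chain; keep going here only if it returned
            verdict = self._walk(rule.target, src, dst, trace)
            if verdict is not None:
                return verdict
        return None                         # fell off the end of the chain

    def verdict(self, chain: str, src: str, dst: str):
        """Return (verdict, trace) for a packet entering `chain`."""
        trace = []
        v = self._walk(chain, src, dst, trace)
        if v is None:                       # no rule decided: chain policy
            v = self.policies.get(chain, "ACCEPT")
            trace.append((chain, "policy:" + v))
        return v, trace


def conflicting_rules_demo():
    """The two rules from the message, in both orders (constructed input)."""
    # Order as in the message: ACCEPT appended first, DROP appended second.
    t1 = Table(policies={"INPUT": "ACCEPT"})
    t1.append("INPUT", Rule(dst="a.b.c.d", target="ACCEPT"))
    t1.append("INPUT", Rule(src="m.n.o.p", target="DROP"))
    v1, _ = t1.verdict("INPUT", "m.n.o.p", "a.b.c.d")   # ACCEPT: first match wins

    # Same two rules, but the DROP inserted at the head (-I instead of -A).
    t2 = Table(policies={"INPUT": "ACCEPT"})
    t2.append("INPUT", Rule(dst="a.b.c.d", target="ACCEPT"))
    t2.insert("INPUT", Rule(src="m.n.o.p", target="DROP"))
    v2, _ = t2.verdict("INPUT", "m.n.o.p", "a.b.c.d")   # DROP: order flipped it
    return v1, v2


def return_demo():
    """RETURN from a user chain resumes the caller; policy decides at the end."""
    t = Table(policies={"INPUT": "DROP"})
    t.append("INPUT", Rule(target="CHK"))                 # jump to user chain CHK
    t.append("CHK", Rule(src="9.9.9.9", target="RETURN"))
    t.append("CHK", Rule(target="DROP"))
    t.append("INPUT", Rule(src="9.9.9.9", target="ACCEPT"))  # reached only after RETURN
    return t.verdict("INPUT", "9.9.9.9", "a.b.c.d")[0], \
           t.verdict("INPUT", "8.8.8.8", "a.b.c.d")[0]


if __name__ == "__main__":
    print(conflicting_rules_demo())   # ('ACCEPT', 'DROP')
    print(return_demo())              # ('ACCEPT', 'DROP')
```

The model makes the practical point explicit: iptables does not reject the "conflicting" pair, so whether the DROP is appended (-A) or inserted at the head (-I) decides the outcome for a packet that matches both rules, and a user-defined chain only influences the result through its terminal verdicts, never by falling off its end.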
Thread overview: 6+ messages
2002-12-20 13:54 Venkatesh Prasad Ranganath [this message]
2002-12-21 14:12 ` [Fwd: ACCEPT/DROP] Markus Schaber
2002-12-24 16:04 ` Patrick McHardy
2002-12-24 16:57 ` Miguel Amador L.
2002-12-25 11:48 ` Thomas Heinz
2003-01-01 23:10 ` Markus Schaber