Netfilter IPT_RETURN & IPT_CONTINUE

Netfilter IPT_RETURN & IPT_CONTINUE

[Daniel Ivanov]

In a simple hook , when i return IPT_RETURN after the userspace 
processing it does not have the effect or a RETURN jump for example. It 
says to the kernel : DROP THIS PACKET.
If i pass continue : i continue traversing the chain. The simple effect 
that i want to achieve is to just accept the packet and stop traversing 
the current chain. Is that possible? I'm rather new to nf hooking and 
that's why i ask.

Re: Netfilter IPT_RETURN & IPT_CONTINUE

[Henrik Nordstrom]

On Thu, 27 Oct 2005, Daniel Ivanov wrote:

> In a simple hook , when i return IPT_RETURN after the userspace processing it 
> does not have the effect or a RETURN jump for example. It says to the kernel 
> : DROP THIS PACKET.

Are we talking about a queue userspace application here? Or a custom 
netfilter hook?

queue handlers, just as netfilter hooks, should return core netfilter 
verdicts (NF_xxx), not iptables verdicts (IPT_xxx).  Only iptables 
targets/matches may return iptables verdicts.

> If i pass continue : i continue traversing the chain. The simple effect that 
> i want to achieve is to just accept the packet and stop traversing the 
> current chain. Is that possible? I'm rather new to nf hooking and that's why 
> i ask.

QUEUE is by design a terminal target and terminates the entire table it is 
called from, causing the packet to be sent to userspace for further 
processing. When the packet returns it will continue on the next netfilter 
handler at that hook or continue in the TCP/IP stack if there is no 
additional handlers at this hook.


If your question is if it is possible for a netfilter module to stop 
processing of further netfilter modules attached to the same hook then no, 
not without stealing the packet (NF_STOLEN verdict, similar to DROP but 
indicates you have taken over processing of this packet)

Regards
Henrik