* Policy targets...
@ 2007-05-11 10:14 Gáspár Lajos
  2007-05-11 10:21 ` Pedro Gonçalves
  2007-05-15 11:13 ` Petr Pisar
  0 siblings, 2 replies; 7+ messages in thread
From: Gáspár Lajos @ 2007-05-11 10:14 UTC (permalink / raw)
  To: Netfilter IPtableMailinglist

Hi all,

I was reading the iptables manual because I needed the correct arguments 
of the policy (-P) command.
Here it is:

       -P, --policy chain target
              Set the policy for the chain to the given target.  See the
              section TARGETS for the legal targets.  Only built-in
              (non-user-defined) chains can have policies, and neither
              built-in nor user-defined chains can be policy targets.

So I checked the TARGETS.

TARGETS
       A firewall rule specifies criteria for a packet, and a target.  If
       the packet does not match, the next rule in the chain is then
       examined; if it does match, then the next rule is specified by the
       value of the target, which can be the name of a user-defined chain
       or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

My question is: What is the difference between the ACCEPT and the RETURN 
target in policy ??? :D

Thanx.

Swifty



* Re: Policy targets...
  2007-05-11 10:14 Policy targets Gáspár Lajos
@ 2007-05-11 10:21 ` Pedro Gonçalves
  2007-05-11 10:34   ` Gáspár Lajos
  2007-05-15 11:13 ` Petr Pisar
  1 sibling, 1 reply; 7+ messages in thread
From: Pedro Gonçalves @ 2007-05-11 10:21 UTC (permalink / raw)
  To: Gáspár Lajos; +Cc: Netfilter IPtableMailinglist

Gáspár Lajos wrote:
> Hi all,
>
> I was reading the iptables manual because I needed the correct 
> arguments of the policy (-P) command.
> Here it is:
>
>       -P, --policy chain target
>              Set the policy for the chain to the given target.  See the
>              section TARGETS for the legal targets.  Only built-in
>              (non-user-defined) chains can have policies, and neither
>              built-in nor user-defined chains can be policy targets.
>
> So I checked the TARGETS.
>
> TARGETS
>       A firewall rule specifies criteria for a packet, and a target.  If
>       the packet does not match, the next rule in the chain is then
>       examined; if it does match, then the next rule is specified by the
>       value of the target, which can be the name of a user-defined chain
>       or one of the special values ACCEPT, DROP, QUEUE, or RETURN.
>
> My question is: What is the difference between the ACCEPT and the 
> RETURN target in policy ??? :D

in http://node1.yo-linux.com/cgi-bin/man2html?cgi_command=iptables :

TARGETS
(...)

*ACCEPT means to let the packet through.*
DROP means to drop the packet on the floor.
QUEUE means to pass the packet to userspace (if supported by the kernel).
*RETURN means stop traversing this chain and resume at the next rule in
the previous (calling) chain.  If the end of a built-in chain is reached
or a rule in a built-in chain with target RETURN is matched, the target
specified by the chain policy determines the fate of the packet.*

Best Regards
pandre





* Re: Policy targets...
  2007-05-11 10:21 ` Pedro Gonçalves
@ 2007-05-11 10:34   ` Gáspár Lajos
       [not found]     ` <46444B26.6010206@gmail.com>
  0 siblings, 1 reply; 7+ messages in thread
From: Gáspár Lajos @ 2007-05-11 10:34 UTC (permalink / raw)
  To: Pedro Gonçalves; +Cc: Netfilter IPtableMailinglist

Pedro Gonçalves wrote:
>
> *ACCEPT means to let the packet through.*
> DROP means to drop the packet on the floor.  QUEUE means to pass the
> packet to userspace (if supported by the kernel).  *RETURN means stop
> traversing this chain and resume at the next rule in the previous
> (calling) chain.  If the end of a built-in chain is reached or a rule
> in a built-in chain with target RETURN is matched, the target specified
> by the chain policy determines the fate of the packet.*
>
Thanx for the answer, but my question was what happens when the
CHAIN POLICY is RETURN... :D (The packet will be returned to the sender
??? :D [Don't take it seriously, just kidding.])

iptables -t nat -P PREROUTING ACCEPT

vs.

iptables -t nat -P PREROUTING RETURN

> Best Regards
> pandre





* Re: Policy targets...
       [not found]     ` <46444B26.6010206@gmail.com>
@ 2007-05-11 11:03       ` Gáspár Lajos
       [not found]         ` <46488357.90209@vlsmaps.com>
  0 siblings, 1 reply; 7+ messages in thread
From: Gáspár Lajos @ 2007-05-11 11:03 UTC (permalink / raw)
  To: Pedro Gonçalves; +Cc: Netfilter IPtableMailinglist

Pedro Gonçalves wrote:
>> Thanx for the answer, but my question was what happens when the
>> CHAIN POLICY is RETURN...
> Sorry, I didn't understand that in your original email.
No problem... :D
> I don't think that "RETURN" is a valid policy target, I think that
> only "ACCEPT" or "DROP" may be used as policy targets.
> At least, I've never used that target nor seen anyone using it,
> but maybe someone in the list can provide more info.
I tried it and it gives me an error:

fw1:~# iptables -t nat -P PREROUTING RETURN
iptables: Bad policy name

So you won !
Maybe someone should fix the manual....
> Best Regards
> pandre
Thanx anyway... :D

Swifty




* Re: Policy targets...
       [not found]         ` <46488357.90209@vlsmaps.com>
@ 2007-05-15  9:03           ` Gáspár Lajos
  0 siblings, 0 replies; 7+ messages in thread
From: Gáspár Lajos @ 2007-05-15  9:03 UTC (permalink / raw)
  To: jwlargent; +Cc: Netfilter IPtableMailinglist

jwlargent wrote:

...
>> fw1:~# iptables -t nat -P PREROUTING RETURN
>> iptables: Bad policy name
>>
>> So you won !
>> Maybe someone should fix the manual....
>>     
>
> Maybe you should just read the manual, RETURN is not a policy for the
> nat table.
>   
Believe me... I read many times... :D
> From the man page:
>
>  nat:
>      This table is consulted when a packet that creates a new
>      connection is encountered.  It consists of three built-ins:
>      PREROUTING (for altering packets as soon as they come in),
>      OUTPUT (for altering locally-generated packets before routing),
>      and POSTROUTING (for altering packets as they are about to go out).
>
Yeah... That is right.... But wait a minute... I am talking about
DEFAULT POLICY and you are talking about BUILT-IN CHAINS !!!

iptables -t nat -A PREROUTING -j RETURN  !=  iptables -t nat -P PREROUTING RETURN

The first works, the second does not...

I think that it is a bit confusing to use ACCEPT as a policy target and
a rule target.
(In nat/mangle/raw ACCEPT means CONTINUE. In filter it means OK, LET IT
THROUGH.)
That is why I tried to use RETURN in the policy.

From the man page:

       -P, --policy chain target
              Set the policy for the chain to the given target.  See the
              section TARGETS for the legal targets.  Only built-in
              (non-user-defined) chains can have policies, and neither
              built-in nor user-defined chains can be policy targets.


TARGETS
       A firewall rule specifies criteria for a packet, and a target.  If
       the packet does not match, the next rule in the chain is then
       examined; if it does match, then the next rule is specified by the
       value of the target, which can be the name of a user-defined chain
       or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

       ACCEPT means to let the packet through.  DROP means to drop the
       packet on the floor.  QUEUE means to pass the packet to userspace.
       (How the packet can be received by a userspace process differs by
       the particular queue handler.  2.4.x and 2.6.x kernels up to 2.6.13
       include the ip_queue queue handler.  Kernels 2.6.14 and later
       additionally include the nfnetlink_queue queue handler.  Packets
       with a target of QUEUE will be sent to queue number '0' in this
       case.  Please also see the NFQUEUE target as described later in
       this man page.)  RETURN means stop traversing this chain and resume
       at the next rule in the previous (calling) chain.  If the end of a
       built-in chain is reached or a rule in a built-in chain with target
       RETURN is matched, the target specified by the chain policy
       determines the fate of the packet.

> - --
> Jeff Largent
> System Administrator
> Visual Lease Services Inc.
> http://www.vlsmaps.com
> (405) 379-5280



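The distinction Gáspár draws in the message above (RETURN is a rule target that works with -A, while a chain policy set with -P is only ever ACCEPT or DROP) can be made concrete with a small model of how netfilter walks a chain. The block below is an added illustration for this page, not code from iptables or from anyone in the thread; the packet dictionaries, the match lambdas, the Table class and the chain name ssh_guard are assumptions made for the example, and the error strings simply mirror what iptables prints. It shows the three cases the man page text describes: RETURN inside a user-defined chain resumes at the next rule of the calling chain, RETURN in a built-in chain (or falling off its end) hands the packet to the chain policy, and setting the policy itself to RETURN is rejected with the same "Bad policy name" error seen in the thread.

```python
# Added illustration for this thread, not iptables source code: a toy model
# of netfilter chain traversal, good enough to show why RETURN makes sense
# as a rule target (-A ... -j RETURN) but not as a chain policy (-P).
# The packet dicts, match lambdas and the chain name "ssh_guard" are
# assumptions made for the example; the error strings mirror iptables.

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
TERMINAL_VERDICTS = {"ACCEPT", "DROP"}
POLICY_TARGETS = {"ACCEPT", "DROP"}   # all that `iptables -P` will take


class Table:
    """One table (e.g. filter) holding built-in and user-defined chains."""

    def __init__(self, builtins):
        self.chains = {name: [] for name in builtins}          # name -> [(match, target)]
        self.policies = {name: "ACCEPT" for name in builtins}  # iptables' default policy

    def new_chain(self, name):                      # iptables -N name
        if name in self.chains:
            raise ValueError("Chain already exists")
        self.chains[name] = []

    def set_policy(self, chain, target):            # iptables -P chain target
        if chain not in BUILTIN_CHAINS or chain not in self.chains:
            raise ValueError("Only built-in chains can have policies")
        if target not in POLICY_TARGETS:
            raise ValueError("Bad policy name")     # what the thread saw for RETURN
        self.policies[chain] = target

    def append(self, chain, match, target):         # iptables -A chain <match> -j target
        if target not in TERMINAL_VERDICTS and target != "RETURN" \
                and target not in self.chains:
            raise ValueError("No chain/target/match by that name")
        self.chains[chain].append((match, target))

    def _walk(self, chain, pkt, trace):
        """Return ACCEPT/DROP, or None when the chain ends or hits RETURN."""
        for match, target in self.chains[chain]:
            if not match(pkt):
                continue                            # no match: examine the next rule
            trace.append(f"{chain}: -j {target}")
            if target in TERMINAL_VERDICTS:
                return target
            if target == "RETURN":
                return None                         # resume in the calling chain
            sub = self._walk(target, pkt, trace)    # jump into a user-defined chain
            if sub is not None:
                return sub
        return None                                 # fell off the end of the chain

    def verdict(self, builtin, pkt):
        """Run a packet through a built-in chain; the policy decides if nothing else did."""
        trace = []
        v = self._walk(builtin, pkt, trace)
        if v is None:   # end of built-in chain reached, or RETURN matched in it
            v = self.policies[builtin]
            trace.append(f"{builtin}: policy {v}")
        return v, trace


def build_filter():
    """A filter table with policy DROP on INPUT and a user chain guarding SSH."""
    t = Table({"INPUT", "OUTPUT", "FORWARD"})
    t.set_policy("INPUT", "DROP")
    t.new_chain("ssh_guard")
    # Inside the user chain: a trusted source RETURNs to INPUT, anyone else is dropped.
    t.append("ssh_guard", lambda p: p["src"].startswith("10.0.0."), "RETURN")
    t.append("ssh_guard", lambda p: True, "DROP")
    t.append("INPUT", lambda p: p["proto"] == "tcp" and p["dport"] == 22, "ssh_guard")
    t.append("INPUT", lambda p: p["src"].startswith("10.0.0."), "ACCEPT")
    # RETURN in a built-in chain: nothing to return to, so the policy decides.
    t.append("INPUT", lambda p: p["proto"] == "icmp", "RETURN")
    return t


if __name__ == "__main__":
    table = build_filter()
    for pkt in ({"proto": "tcp", "dport": 22, "src": "10.0.0.5"},
                {"proto": "tcp", "dport": 22, "src": "203.0.113.9"},
                {"proto": "icmp", "dport": 0, "src": "203.0.113.9"},
                {"proto": "tcp", "dport": 80, "src": "203.0.113.9"}):
        v, trace = table.verdict("INPUT", pkt)
        print(pkt, "->", v, " via ", " ; ".join(trace))
    try:
        table.set_policy("INPUT", "RETURN")
    except ValueError as err:
        print("iptables -P INPUT RETURN ->", err)
```

The model covers verdicts only. As Gáspár notes, in the nat, mangle and raw tables an ACCEPT verdict just means "leave this chain without doing anything to the packet", which is exactly why a RETURN policy would add nothing: at the end of a built-in chain there is no caller left to return to, so the policy is the final word and only ACCEPT or DROP is meaningful there.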

* Re: Policy targets...
  2007-05-11 10:14 Policy targets Gáspár Lajos
  2007-05-11 10:21 ` Pedro Gonçalves
@ 2007-05-15 11:13 ` Petr Pisar
  2007-05-21 16:13   ` Gáspár Lajos
  1 sibling, 1 reply; 7+ messages in thread
From: Petr Pisar @ 2007-05-15 11:13 UTC (permalink / raw)
  To: netfilter

On 2007-05-11, Gáspár Lajos <swifty@freemail.hu> wrote:
> Hi all,
>
> I was reading the iptables manual because I needed the correct arguments 
> of the policy (-P) command.
> Here it is:
>
>        -P, --policy chain target
>               Set the policy for the chain to the given target.  See the
>               section TARGETS for the legal targets.  Only built-in
>               (non-user-defined) chains can have policies, and neither
>               built-in nor user-defined chains can be policy targets.
>
> So I checked the TARGETS.
>
> TARGETS
>        A firewall rule specifies criteria for a packet, and a target.  If
>        the packet does not match, the next rule in the chain is then
>        examined; if it does match, then the next rule is specified by the
>        value of the target, which can be the name of a user-defined chain
>        or one of the special values ACCEPT, DROP, QUEUE, or RETURN.
>
> My question is: What is the difference between the ACCEPT and the RETURN 
> target in policy ??? :D
>
I think this is a misunderstanding in the man page. If you read the TARGETS
section carefully you can see there is nothing about policy, even though the
-P paragraph refers to it.

My opinion is that only ACCEPT and DROP are valid policies. I don't know
where I have this idea from, but I'm pretty sure that the other targets make
no sense in a policy context.

-- Petr




* Re: Policy targets...
  2007-05-15 11:13 ` Petr Pisar
@ 2007-05-21 16:13   ` Gáspár Lajos
  0 siblings, 0 replies; 7+ messages in thread
From: Gáspár Lajos @ 2007-05-21 16:13 UTC (permalink / raw)
  To: Petr Pisar; +Cc: netfilter

Hi!

Petr Pisar wrote:
> On 2007-05-11, Gáspár Lajos <swifty@freemail.hu> wrote:
>   
>> Hi all,
>>
>> I was reading the iptables manual because I needed the correct arguments 
>> of the policy (-P) command.
>> Here it is:
>>
>>        -P, --policy chain target
>>               Set the policy for the chain to the given target.  See the
>>               section TARGETS for the legal targets.  Only built-in
>>               (non-user-defined) chains can have policies, and neither
>>               built-in nor user-defined chains can be policy targets.
>>
>> So I checked the TARGETS.
>>
>> TARGETS
>>        A firewall rule specifies criteria for a packet, and a target.  If
>>        the packet does not match, the next rule in the chain is then
>>        examined; if it does match, then the next rule is specified by the
>>        value of the target, which can be the name of a user-defined chain
>>        or one of the special values ACCEPT, DROP, QUEUE, or RETURN.
>>
>> My question is: What is the difference between the ACCEPT and the RETURN 
>> target in policy ??? :D
>>
>>     
> I think this is a misunderstanding in the man page. If you read the TARGETS
> section carefully you can see there is nothing about policy, even though the
> -P paragraph refers to it.
>   
Okay. That is right. There is nothing about policy in TARGETS section. 
But there is no "POLICYTARGETS" section! :D
> My opinion is that only ACCEPT and DROP are valid policies. I don't know
> where I have this idea from, but I'm pretty sure that the other targets make
> no sense in a policy context.
>
> -- Petr
I agree! I was just curious. :D

Swifty



