* Policy targets...
From: Gáspár Lajos @ 2007-05-11 10:14 UTC (permalink / raw)
To: Netfilter IPtableMailinglist
Hi all,
I was reading the iptables manual because I needed the correct arguments
of the policy (-P) command.
Here it is:
-P, --policy chain target
Set the policy for the chain to the given target. See the section
TARGETS for the legal targets. Only built-in (non-user-defined)
chains can have policies, and neither built-in nor user-defined
chains can be policy targets.
So I checked the TARGETS.
TARGETS
A firewall rule specifies criteria for a packet, and a target. If the
packet does not match, the next rule in the chain is the examined; if
it does match, then the next rule is specified by the value of the
target, which can be the name of a user-defined chain or one of the
special values ACCEPT, DROP, QUEUE, or RETURN.
My question is: What is the difference between the ACCEPT and the RETURN
target in policy ??? :D
Thanx.
Swifty
* Re: Policy targets...
From: Pedro Gonçalves @ 2007-05-11 10:21 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: Netfilter IPtableMailinglist
Gáspár Lajos wrote:
> Hi all,
>
> I was reading the iptables manual because I needed the correct
> arguments of the policy (-P) command.
> Here it is:
>
> -P, --policy chain target
> Set the policy for the chain to the given target. See the section
> TARGETS for the legal targets. Only built-in (non-user-defined)
> chains can have policies, and neither built-in nor user-defined
> chains can be policy targets.
>
> So I checked the TARGETS.
>
> TARGETS
> A firewall rule specifies criteria for a packet, and a target. If the
> packet does not match, the next rule in the chain is the examined; if
> it does match, then the next rule is specified by the value of the
> target, which can be the name of a user-defined chain or one of the
> special values ACCEPT, DROP, QUEUE, or RETURN.
>
> My question is: What is the difference between the ACCEPT and the
> RETURN target in policy ??? :D
in http://node1.yo-linux.com/cgi-bin/man2html?cgi_command=iptables :
TARGETS
(...)
*ACCEPT means to let the packet through.*
DROP means to drop the packet on the floor.
QUEUE means to pass the packet to userspace (if ported by the kernel).
*RETURN means stop traversing this chain and resume at the next rule in
the previous (calling) chain. If the end of a built-in chain is reached
or a rule in a built-in chain with target RETURN is matched, the target
specified by the chain policy determines the fate of the packet.*
Best Regards
pandre
* Re: Policy targets...
From: Gáspár Lajos @ 2007-05-11 10:34 UTC (permalink / raw)
To: Pedro Gonçalves; +Cc: Netfilter IPtableMailinglist
Pedro Gonçalves wrote:
>
> *ACCEPT means to let the packet through.*
> DROP means to drop the packet on the floor. QUEUE means to pass the
> packet to userspace (if ported by the kernel). *RETURN means stop
> traversing this chain and resume at the next rule in the previous
> (calling) chain. If the end of a built-in chain is reached or a rule
> in a built-in chain with target RETURN is matched, the target
> specified by the chain policy determines the fate of the packet.*
>
Thanks for the answer, but my question was what happens when the
CHAIN POLICY is RETURN... :D (Will the packet be returned to the sender
??? :D [Don't take it seriously, just kidding.])
iptables -t nat -P PREROUTING ACCEPT
vs.
iptables -t nat -P PREROUTING RETURN
> Best Regards
> pandre
* Re: Policy targets...
From: Petr Pisar @ 2007-05-15 11:13 UTC (permalink / raw)
To: netfilter
On 2007-05-11, Gáspár Lajos <swifty@freemail.hu> wrote:
> Hi all,
>
> I was reading the iptables manual because I needed the correct arguments
> of the policy (-P) command.
> Here it is:
>
> -P, --policy chain target
> Set the policy for the chain to the given target. See the section
> TARGETS for the legal targets. Only built-in (non-user-defined)
> chains can have policies, and neither built-in nor user-defined
> chains can be policy targets.
>
> So I checked the TARGETS.
>
> TARGETS
> A firewall rule specifies criteria for a packet, and a target. If the
> packet does not match, the next rule in the chain is the examined; if
> it does match, then the next rule is specified by the value of the
> target, which can be the name of a user-defined chain or one of the
> special values ACCEPT, DROP, QUEUE, or RETURN.
>
> My question is: What is the difference between the ACCEPT and the RETURN
> target in policy ??? :D
>
I think this is a misunderstanding in the man page. If you read the TARGETS
section carefully you can see there is nothing about policy, even if the -P
paragraph refers to it.
My opinion is that only ACCEPT and DROP are valid policies. I don't know
where I have this idea from, but I'm pretty sure that other targets make
no sense in a policy context.
-- Petr
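
Added example (not part of the thread and not iptables code): a small Python model of the traversal rules in the man page text quoted by Pedro, with the policy restricted to ACCEPT and DROP as Petr suggests. The Table class, the chain names and the addresses are constructed for illustration.

```python
# Toy model of the traversal rules quoted above; added example, not iptables code.
VALID_POLICIES = {"ACCEPT", "DROP"}  # assumption, following Petr's reply
class Table:
    def __init__(self):
        self.chains = {}  # chain name -> list of (match_fn, target)
        self.policy = {}  # built-in chain name -> policy

    def add_chain(self, name, policy=None):  # policy=None: user-defined chain
        if policy is not None:
            if policy not in VALID_POLICIES:
                raise ValueError(f"bad policy name: {policy}")
            self.policy[name] = policy
        self.chains[name] = []

    def append(self, chain, match, target):
        self.chains[chain].append((match, target))

    def _walk(self, chain, pkt, trace):
        """Return ACCEPT/DROP, or None if the chain ends or hits RETURN."""
        for n, (match, target) in enumerate(self.chains[chain], 1):
            if not match(pkt):
                continue
            trace.append(f"{chain}:{n}->{target}")
            if target == "RETURN":
                return None
            if target in ("ACCEPT", "DROP"):
                return target
            verdict = self._walk(target, pkt, trace)  # jump to user chain
            if verdict is not None:
                return verdict  # else resume at the caller's next rule
        return None

    def verdict(self, builtin, pkt):
        trace = []
        v = self._walk(builtin, pkt, trace)
        if v is None:  # end of built-in chain, or RETURN in it: policy decides
            v = self.policy[builtin]
            trace.append(f"{builtin}:policy->{v}")
        return v, trace

def build_demo():  # constructed ruleset; addresses are documentation ranges
    t = Table()
    t.add_chain("INPUT", policy="DROP")
    t.add_chain("ssh_in")
    t.append("INPUT", lambda p: p["dport"] == 22, "ssh_in")
    t.append("INPUT", lambda p: p["dport"] == 53, "RETURN")
    t.append("INPUT", lambda p: True, "ACCEPT")
    t.append("ssh_in", lambda p: p["src"].startswith("198.51.100."), "RETURN")
    t.append("ssh_in", lambda p: True, "DROP")
    return t
```

In this model a RETURN matched in INPUT skips the catch-all ACCEPT rule behind it and hands the packet to the chain policy, while a RETURN in ssh_in only resumes INPUT at its next rule.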
* Re: Policy targets...
From: Gáspár Lajos @ 2007-05-21 16:13 UTC (permalink / raw)
To: Petr Pisar; +Cc: netfilter
Hi!
Petr Pisar wrote:
> On 2007-05-11, Gáspár Lajos <swifty@freemail.hu> wrote:
>
>> Hi all,
>>
>> I was reading the iptables manual because I needed the correct arguments
>> of the policy (-P) command.
>> Here it is:
>>
>> -P, --policy chain target
>> Set the policy for the chain to the given target. See the section
>> TARGETS for the legal targets. Only built-in (non-user-defined)
>> chains can have policies, and neither built-in nor user-defined
>> chains can be policy targets.
>>
>> So I checked the TARGETS.
>>
>> TARGETS
>> A firewall rule specifies criteria for a packet, and a target. If the
>> packet does not match, the next rule in the chain is the examined; if
>> it does match, then the next rule is specified by the value of the
>> target, which can be the name of a user-defined chain or one of the
>> special values ACCEPT, DROP, QUEUE, or RETURN.
>>
>> My question is: What is the difference between the ACCEPT and the RETURN
>> target in policy ??? :D
>>
>>
> I think this is a misunderstanding in the man page. If you read the TARGETS
> section carefully you can see there is nothing about policy, even if the -P
> paragraph refers to it.
>
Okay. That is right. There is nothing about policy in TARGETS section.
But there is no "POLICYTARGETS" section! :D
> My opinion is that only ACCEPT and DROP are valid policies. I don't know
> where I have this idea from, but I'm pretty sure that other targets make
> no sense in a policy context.
>
> -- Petr
I agree! I was just curious. :D
Swifty