From: "Gáspár Lajos" <swifty@freemail.hu>
To: jwlargent <jwlargent@vlsmaps.com>
Cc: Netfilter IPtableMailinglist <netfilter@lists.netfilter.org>
Subject: Re: Policy targets...
Date: Tue, 15 May 2007 11:03:19 +0200 [thread overview]
Message-ID: <46497757.7090100@freemail.hu> (raw)
In-Reply-To: <46488357.90209@vlsmaps.com>
jwlargent wrote:
...
>> fw1:~# iptables -t nat -P PREROUTING RETURN
>> iptables: Bad policy name
>>
>> So you won !
>> Maybe someone should fix the manual....
>>
>
> Maybe you should just read the manual, RETURN is not a policy for the
> nat table.
>
Believe me... I have read it many times... :D
> - From the man page:
>
> nat:
> This table is consulted when a packet that creates a new
> connection is encountered. It consists of three built-ins:
> PREROUTING (for altering packets as soon as they come in),
> OUTPUT (for altering locally-generated packets before routing),
> and POSTROUTING (for altering packets as they are about to go out).
>
>
Yeah... That is right.... But wait a minute... I am talking about
DEFAULT POLICY and you are talking about BUILT-IN CHAINS!!!

iptables -t nat -A PREROUTING -j RETURN != iptables -t nat -P PREROUTING RETURN

The first works, the second does not...
I think that it is a bit confusing to use ACCEPT both as a policy target and
as a rule target.
(In nat/mangle/raw ACCEPT means CONTINUE. In filter it means OK, LET IT
THROUGH.)
That is why I tried to use RETURN in the policy.
From the man page:

-P, --policy chain target
Set the policy for the chain to the given target. See the
section TARGETS for the legal targets. Only built-in (non-user-defined)
chains can have policies, and neither built-in nor user-defined
chains can be policy targets.

TARGETS
A firewall rule specifies criteria for a packet, and a target.
If the packet does not match, the next rule in the chain is
examined; if it does match, then the next rule is specified by the
value of the target, which can be the name of a user-defined chain or
one of the special values ACCEPT, DROP, QUEUE, or RETURN.

ACCEPT means to let the packet through. DROP means to drop the
packet on the floor. QUEUE means to pass the packet to userspace. (How
the packet can be received by a userspace process differs by the
particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include
the ip_queue queue handler. Kernels 2.6.14 and later additionally
include the nfnetlink_queue queue handler. Packets with a target of
QUEUE will be sent to queue number '0' in this case. Please also see
the NFQUEUE target as described later in this man page.) RETURN means
stop traversing this chain and resume at the next rule in the previous
(calling) chain. If the end of a built-in chain is reached or a rule
in a built-in chain with target RETURN is matched, the target
specified by the chain policy determines the fate of the packet.
> --
> Jeff Largent
> System Administrator
> Visual Lease Services Inc.
> http://www.vlsmaps.com
> (405) 379-5280
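The distinction argued in this thread (a chain's policy is set with `-P` and may only be ACCEPT or DROP on a built-in chain; RETURN is a rule target, and in nat/mangle/raw an ACCEPT policy merely means "carry on", while in filter it is the final verdict) is easy to get wrong when reading a rule dump. The following script is an added example written for this archive page, not code from the thread or from the iptables project. It parses the `iptables-save` text format and reports what each built-in chain's policy actually means, mimics the `-P` acceptance check the poster ran into, and flags default-allow filter chains. The function names (`parse_iptables_save`, `check_policy_command`, `end_of_chain_verdict`, `audit`) and the sample dump `SAMPLE_DUMP` are constructed for the example; the error text "Bad policy name" is the one quoted in the thread.

```python
"""Audit built-in chain policies in an iptables-save dump.

Added example for this mailing-list page; not from the thread or from
iptables itself.  The input format is the one iptables-save prints:
*table, :CHAIN POLICY [pkts:bytes], -A rules, COMMIT.
"""
import re

# Built-in chains per table, as listed in iptables(8).
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
}

# The only policies `iptables -P` installs on a built-in chain.  RETURN
# and QUEUE are valid rule targets but not policies ("Bad policy name").
VALID_POLICIES = {"ACCEPT", "DROP"}

# Constructed sample dump (hypothetical addresses), not taken from the thread.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.5:80
-A PREROUTING -j RETURN
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:web_in - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j web_in
-A web_in -p tcp --dport 80 -j ACCEPT
-A web_in -j RETURN
COMMIT
"""

_CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[\d+:\d+\]$")
_RULE_RE = re.compile(r"^-A (\S+) (.*)$")
_JUMP_RE = re.compile(r"(?:^|\s)-j\s+(\S+)")


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "user_chains": set,
    "rules": [(chain, target_or_None)]}} for an iptables-save dump."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "user_chains": set(), "rules": []}
        elif line == "COMMIT":
            table = None
        elif table is None:
            continue  # stray line outside a table block; ignore
        elif (m := _CHAIN_RE.match(line)):
            chain, policy = m.groups()
            # User-defined chains carry "-" in the policy slot: no policy.
            if policy == "-":
                tables[table]["user_chains"].add(chain)
            else:
                tables[table]["policies"][chain] = policy
        elif (m := _RULE_RE.match(line)):
            chain, rest = m.groups()
            jump = _JUMP_RE.search(rest)
            tables[table]["rules"].append((chain, jump.group(1) if jump else None))
    return tables


def check_policy_command(table, chain, target):
    """Mimic what `iptables -t TABLE -P CHAIN TARGET` would accept:
    only built-in chains take a policy, and only ACCEPT or DROP."""
    if chain not in BUILTIN_CHAINS.get(table, ()):
        return (False, f"{chain} is not a built-in chain of the {table} table")
    if target not in VALID_POLICIES:
        return (False, "Bad policy name")
    return (True, f"policy of {table}/{chain} set to {target}")


def end_of_chain_verdict(table, policy):
    """Meaning of POLICY for a packet that falls off the end of a built-in
    chain in TABLE, or hits a RETURN rule in that chain."""
    if policy == "DROP":
        return "packet is dropped"
    if table == "filter":
        return "packet is let through (final verdict)"
    return f"packet continues to the next hook/table (ACCEPT means 'continue' in {table})"


def audit(text):
    """Return (severity, message) findings: invalid policies, default-allow
    filter chains, and RETURN rules in built-in chains."""
    findings = []
    for table, data in parse_iptables_save(text).items():
        for chain, policy in data["policies"].items():
            if policy not in VALID_POLICIES:
                findings.append(("error", f"{table}/{chain}: invalid policy {policy}"))
            elif table == "filter" and chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
                findings.append(("warn", f"filter/{chain} is default-allow: "
                                         "anything no rule matches is accepted"))
        for chain, target in data["rules"]:
            if target == "RETURN" and chain in data["policies"]:
                policy = data["policies"][chain]
                findings.append(("info", f"{table}/{chain}: '-j RETURN' in a built-in chain "
                                         f"hands the packet to policy {policy}: "
                                         f"{end_of_chain_verdict(table, policy)}"))
    return findings


if __name__ == "__main__":
    print(check_policy_command("nat", "PREROUTING", "RETURN"))
    for severity, message in audit(SAMPLE_DUMP):
        print(f"[{severity}] {message}")
```

Run it against a real dump with `iptables-save | python3 audit.py`-style piping after replacing `SAMPLE_DUMP` with `sys.stdin.read()`; the `web_in` RETURN produces no finding because a user-defined chain has no policy to fall back on, it simply resumes in the calling chain.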
Thread overview: 7+ messages
2007-05-11 10:14 Policy targets Gáspár Lajos
2007-05-11 10:21 ` Pedro Gonçalves
2007-05-11 10:34 ` Gáspár Lajos
[not found] ` <46444B26.6010206@gmail.com>
2007-05-11 11:03 ` Gáspár Lajos
[not found] ` <46488357.90209@vlsmaps.com>
2007-05-15 9:03 ` Gáspár Lajos [this message]
2007-05-15 11:13 ` Petr Pisar
2007-05-21 16:13 ` Gáspár Lajos