From: "Gilad Benjamini" <gilad.benjamini@gmail.com>
To: BrainChild@Skyler.com, netfilter@vger.kernel.org
Subject: RE: iptables terminating targets
Date: Mon, 5 Jan 2009 12:57:11 -0800
Message-ID: <49627434.1d078e0a.1f5a.3263@mx.google.com>
In-Reply-To: <4ls4m4hj393j1ekptolcv97rsk8je5isuv@4ax.com>
>
> <snip>
>
> >Up to the (false) conclusion, all your assumptions are true. I believe I see
> >the source of your confusion, which was also mine when I started with
> >iptables.
> >Each built-in chain is traversed at a different location (a.k.a. hook) in
> >the packet path. See two graphic variations of this below.
> >A terminating target means that the packet has completed traversing the
> >current built-in chain, but might be further processed by other chains, by
> >means of a different hook.
> >Specifically for the FILTER table, which is your main concern for a
> >firewall, its hooks are located such that each packet goes through exactly
> >one built-in chain of the table.
> >
> >HTH,
> >Gilad
>
> This seems at odds with another answer I got to this question:
>
> "DROP target means packet is dropped and no other chains are
> traversed. ACCEPT means that no more rules in the current built-in
> chain get considered but traversal of next built-in chain occurs."
>
> This answer seems to say that there are 2 different behaviors for
> "terminating" targets - that one (DROP) behaves as I interpreted the
> documentation, while the other (ACCEPT) behaves as you describe above.
>
> I can't seem to reconcile these two answers.
> --
It's simple. The other guy phrased things better than me :-)
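
The two answers quoted above describe the same behavior, which the following added example models; it is not part of the original thread and is not netfilter code. It assumes a simplified chain order (raw table and user-defined chains omitted), and `traverse`, `PATHS` and the sample rulesets are hypothetical names constructed for illustration.

```python
# Simplified model of netfilter chain traversal (constructed for illustration;
# assumption: raw table and user-defined chains are omitted).
PATHS = {  # built-in chains a packet meets, in order, for each packet path
    "input":   [("mangle", "PREROUTING"), ("nat", "PREROUTING"),
                ("mangle", "INPUT"), ("filter", "INPUT")],
    "forward": [("mangle", "PREROUTING"), ("nat", "PREROUTING"),
                ("mangle", "FORWARD"), ("filter", "FORWARD"),
                ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")],
    "output":  [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT"),
                ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")],
}

def traverse(ruleset, path, packet):
    """Return (final verdict, trace of (table, chain, verdict, decided_by))."""
    trace = []
    for table, chain in PATHS[path]:
        entry = ruleset.get((table, chain), {})
        verdict, decided_by = entry.get("policy", "ACCEPT"), "policy"
        for number, (match, target) in enumerate(entry.get("rules", []), 1):
            if match(packet) and target in ("ACCEPT", "DROP"):
                verdict, decided_by = target, f"rule {number}"
                break  # terminating target: stop evaluating this chain
            # non-terminating targets (e.g. LOG) fall through to the next rule
        trace.append((table, chain, verdict, decided_by))
        if verdict == "DROP":
            return "DROP", trace  # DROP: no further chain sees the packet
        # ACCEPT: only this chain is finished; the next chain still runs
    return "ACCEPT", trace

is_ssh = lambda p: p["proto"] == "tcp" and p["dport"] == 22
packet = {"proto": "tcp", "dport": 22}  # constructed sample packet

# ACCEPT early in mangle/PREROUTING, DROP later in filter/INPUT
accept_then_drop = {
    ("mangle", "PREROUTING"): {"rules": [(is_ssh, "ACCEPT")]},
    ("filter", "INPUT"): {"rules": [(is_ssh, "LOG"), (is_ssh, "DROP")]},
}
# DROP early in mangle/PREROUTING: filter/INPUT is never reached
drop_first = {
    ("mangle", "PREROUTING"): {"rules": [(is_ssh, "DROP")]},
    ("filter", "INPUT"): {"rules": [(is_ssh, "ACCEPT")]},
}

if __name__ == "__main__":
    for name, rules in (("accept_then_drop", accept_then_drop),
                        ("drop_first", drop_first)):
        verdict, trace = traverse(rules, "input", packet)
        print(name, verdict)
        for step in trace:
            print("   ", *step)
```

In the first ruleset the early ACCEPT does not exempt the packet from the later `filter`/`INPUT` DROP; in the second, the trace stops after one chain.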