* Why are default policies not possible for user-defined chains?
From: Jan Humme @ 2002-07-08 16:32 UTC (permalink / raw)
To: netfilter
What is the reason that iptables does not support default policies on user-chains?
It seems like such a natural extension, and easy to implement. Or not? Is
there perhaps a catch that I am overlooking?
Jan Humme.
* Re: Why are default policies not possible for user-defined chains?
From: Antony Stone @ 2002-07-08 16:56 UTC (permalink / raw)
To: netfilter
On Monday 08 July 2002 5:32 pm, Jan Humme wrote:
> What is the reason that iptables does not support default policies on
> user-chains?
I suppose it's partly because there's not a lot of point (that I can see).
You can only call a user-defined chain from one of the built-in chains (or
from another user-defined chain, which has to be called from a built-in
chain, etc...) therefore ultimately it's the default policy of the built-in
chain which determines what happens to a packet if none of the rules match.
> It seems like such a natural extension, and easy to implement. Or not? Is
> there perhaps a catch that I am overlooking?
It's easy enough to put a DROP, or ACCEPT, or whatever, as the last rule in
your user-defined chain, thereby catching any packets which haven't already
matched.....
Antony.
* RE: Why are default policies not possible for user-defined chains ?
From: George Vieira @ 2002-07-08 22:34 UTC (permalink / raw)
To: netfilter
You could put a RETURN at the end too couldn't you, so it'll return back to
the chain it came from and then end up with the original chain's DEFAULT
policy... no?
thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au
* Re: Why are default policies not possible for user-defined chains ?
From: Antony Stone @ 2002-07-08 22:42 UTC (permalink / raw)
To: netfilter
On Monday 08 July 2002 11:34 pm, George Vieira wrote:
> You could put a RETURN at the end too couldn't you, so it'll return back to
> the chain it came from and then end up with the original chain's DEFAULT
> policy... no?
Not much point putting a RETURN at the end of a chain, because that's what
it's going to do anyway when it falls off the end.
Antony.
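
Added example, not part of the original thread and not netfilter code: a simplified Python model of the chain traversal discussed above, comparing a user-defined chain that falls off its end, one that ends in RETURN, and one that ends in a catch-all DROP. The chain name "services", the ports and the sample packets are constructed for illustration.

```python
# Simplified model of iptables chain traversal (illustration only).
# A rule is (match, target); a packet is a dict. All rules and packets are constructed.
TERMINAL = {"ACCEPT", "DROP"}

def walk(chains, name, pkt):
    """Return a verdict, or None when the chain hands the packet back to its caller."""
    for match, target in chains[name]:
        if not match(pkt):
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None                      # explicit RETURN
        verdict = walk(chains, target, pkt)  # jump into a user-defined chain
        if verdict is not None:
            return verdict
        # the user chain returned: carry on with the next rule of this chain
    return None                              # fell off the end: same effect as RETURN

def filter_packet(chains, builtin, policy, pkt):
    """Only the built-in chain has a policy; it applies when no rule gave a verdict."""
    return walk(chains, builtin, pkt) or policy

def is_tcp(port):
    return lambda p: p["proto"] == "tcp" and p["dport"] == port

def anything(pkt):
    return True

def build(tail):
    """INPUT jumps to the user chain 'services'; `tail` is appended to that chain."""
    return {
        "INPUT": [(anything, "services"), (is_tcp(8080), "ACCEPT")],
        "services": [(is_tcp(22), "ACCEPT")] + tail,
    }

SAMPLE_PACKETS = [{"proto": "tcp", "dport": d} for d in (22, 8080, 23)]

def verdicts(tail, policy="DROP"):
    """Verdicts for ports 22, 8080 and 23, in that order."""
    chains = build(tail)
    return [filter_packet(chains, "INPUT", policy, p) for p in SAMPLE_PACKETS]

if __name__ == "__main__":
    print("falls off end:", verdicts([]))
    print("RETURN tail:  ", verdicts([(anything, "RETURN")]))
    print("DROP tail:    ", verdicts([(anything, "DROP")]))
    print("DROP tail, policy ACCEPT:", verdicts([(anything, "DROP")], policy="ACCEPT"))
```

In this model a catch-all DROP at the end of the user chain also stops the port 8080 packet from ever reaching the later INPUT rule, which falling off the end or RETURN does not.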