pointed out by redsh on #netfilter: uses "of" instead of "or". While at it, explain continue and update return statement. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- doc/statements.txt | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/doc/statements.txt b/doc/statements.txt index 51dd0b371f92..a5822cf0aeb7 100644 --- a/doc/statements.txt +++ b/doc/statements.txt 
@@ -6,16 +6,31 @@ The verdict statement alters control flow in the ruleset and issues policy decis {accept | drop | queue | continue | return} {jump | goto} 'chain' +*accept* and *drop* are absolute verdicts -- they terminate ruleset evaluation immediately. + [horizontal] *accept*:: Terminate ruleset evaluation and accept the packet. +The packet can still be dropped later by another hook, for instance accept +in the forward hook still allows to drop the packet later in the postrouting hook, +or another forward base chain that has a higher priority number and is evaluated +afterwards in the processing pipeline. *drop*:: Terminate ruleset evaluation and drop the packet. +The drop occurs instantly, no further chains or hooks are evaluated. +It is not possible to accept the packet in a later chain again, as those +are not evaluated anymore for the packet. *queue*:: Terminate ruleset evaluation and queue the packet to userspace. -*continue*:: Continue ruleset evaluation with the next rule. FIXME +Userspace must provide a drop or accept verdict. In case of accept, processing +resumes with the next base chain hook, not the rule following the queue verdict. +*continue*:: Continue ruleset evaluation with the next rule. This + is the default behaviour in case a rule issues no verdict. *return*:: Return from the current chain and continue evaluation at the - next rule in the last chain. If issued in a base chain, it is equivalent to *accept*. + next rule in the last chain. If issued in a base chain, it is equivalent to the + base chain policy. *jump* 'chain':: Continue evaluation at the first rule in 'chain'. The current position in the ruleset is pushed to a call stack and evaluation will continue - there when the new chain is entirely evaluated of a *return* verdict is issued. + there when the new chain is entirely evaluated or a *return* verdict is issued. 
+ In case an absolute verdict is issued by a rule in the chain, ruleset evaluation + terminates immediately and the specific action is taken. *goto* 'chain':: Similar to *jump*, but the current position is not pushed to the call stack, meaning that after the new chain evaluation will continue at the last chain instead of the one containing the goto statement. -- 2.20.1
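Review bot: the new *queue* text "In case of accept, processing resumes with the next base chain hook, not the rule following the queue verdict" is ambiguous about where evaluation resumes. "next base chain hook" can be read as "the next hook in the pipeline" (e.g. prerouting to input), but when userspace accepts a queued packet the remaining base chains registered at the same hook still run, as the *accept* paragraph in this same hunk already spells out for the non-queue case ("another forward base chain that has a higher priority number and is evaluated afterwards"). Suggest aligning the two: "In case of accept, processing resumes with the next base chain registered at the same hook, if any, and then with later hooks; evaluation does not return to the rule following the queue verdict." Two smaller nits in the added lines: "accept in the forward hook still allows to drop the packet later" should read "still allows dropping the packet later" (or "it is still possible to drop the packet later"), and "The drop occurs instantly, no further chains or hooks are evaluated." is a comma splice, better as "The drop occurs instantly; no further chains or hooks are evaluated."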