On Fri 28/02/2003 at 14:09, William Olbrys wrote:
> I have a question about table traversal.
> Suppose I have two chains, in this order in a table.
>
> iptables -A FORWARD -s 10.1.2.3 -j ACCEPT
> iptables -A FORWARD -s 10.1.2.0/255.255.255.0 -j DROP
>
> Under this scenario a packet from 10.1.2.3 would fall under both rules.
> But would the packets be dropped or allowed to go through? Once it has
> found a match for a packet will it traverse the rest of the table or
> simply pass to the next one?

Rule evaluation is sequential, meaning that the first matching rule's target applies. In the example you give, the packet will be allowed and is sent to the next table attached to the current hook. In this case, there's no more table to evaluate, so the packet is sent to NF_IP_POSTROUTING, and will be evaluated in all tables that have a chain attached to this hook.

-- 
Cédric Blancher <blancher@cartel-securite.fr>
Consultant in systems and network security - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
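The first-match semantics described in the reply, shown as an added simulation that is not part of the original thread and not netfilter code: a chain is walked top to bottom, the first rule whose source match fits the packet decides the verdict, and nothing after it is consulted. The two rules are the ones from the question; the `Rule`, `evaluate_chain` and chain names are constructed for this example, and the default policy argument stands in for the chain's built-in policy when no rule matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One rule of a chain: a source-address match and a terminating target.

    Constructed model for the example; only the -s match is represented.
    """
    source: str   # CIDR ("10.1.2.3") or dotted-netmask ("10.1.2.0/255.255.255.0")
    target: str   # "ACCEPT" or "DROP"

    def matches(self, src_ip: str) -> bool:
        # ipaddress accepts both prefix-length and dotted-netmask notation,
        # so the rule's -s argument can be used as written in the question.
        network = ipaddress.ip_network(self.source, strict=False)
        return ipaddress.ip_address(src_ip) in network


def evaluate_chain(rules: List[Rule], src_ip: str,
                   policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Walk the chain in order; the first matching rule's target is the verdict.

    Returns (verdict, index of the rule that matched). If no rule matches,
    the chain's policy applies and the index is None.
    """
    for index, rule in enumerate(rules):
        if rule.matches(src_ip):
            return rule.target, index   # terminating target: stop here
    return policy, None


# Constructed sample chain: the two rules from the question, appended (-A)
# in the order they were given, so the host ACCEPT sits above the subnet DROP.
FORWARD_AS_POSTED = [
    Rule("10.1.2.3", "ACCEPT"),
    Rule("10.1.2.0/255.255.255.0", "DROP"),
]

# The same two rules appended in the opposite order: the subnet DROP now
# shadows the host ACCEPT, which can never be reached.
FORWARD_REVERSED = list(reversed(FORWARD_AS_POSTED))


if __name__ == "__main__":
    for name, chain in (("as posted", FORWARD_AS_POSTED),
                        ("reversed", FORWARD_REVERSED)):
        for ip in ("10.1.2.3", "10.1.2.77", "192.168.0.1"):
            verdict, hit = evaluate_chain(chain, ip)
            where = f"rule #{hit}" if hit is not None else "chain policy"
            print(f"{name:10s} {ip:12s} -> {verdict:6s} ({where})")
```

Run with the rules in the posted order, 10.1.2.3 is accepted by rule 0 and the rest of 10.1.2.0/24 is dropped by rule 1; with the order reversed, 10.1.2.3 is dropped by the subnet rule and the host exception is dead. When auditing a real ruleset, this is why the position of an exception matters as much as its existence: a host-specific rule that must win has to be placed above the broader rule (for instance with `iptables -I` rather than `-A`), and `iptables -L -n --line-numbers` shows the order the kernel will actually walk.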