> > <snip>
> >
> > Up to the (false) conclusion, all your assumptions are true. I believe
> > I see the source of your confusion, which was also mine when I started
> > with iptables.
> > Each built-in chain is traversed at a different location (a.k.a. hook)
> > in the packet path. See two graphic variations of this below.
> > A terminating target means that the packet has completed traversing
> > the current built-in chain, but might be further processed by other
> > chains, by means of a different hook.
> > Specifically for the FILTER table, which is your main concern for a
> > firewall, its hooks are located such that each packet goes through
> > exactly one built-in chain of the table.
> >
> > HTH,
> > Gilad
>
> This seems at odds with another answer I got to this question:
>
> "DROP target means packet is dropped and no other chains are
> traversed. ACCEPT means that no more rules in the current built-in
> chain get considered but traversal of next built-in chain occurs."
>
> This answer seems to say that there are 2 different behaviors for
> "terminating" targets - that one (DROP) behaves as I interpreted the
> documentation, while the other (ACCEPT) behaves as you describe above.
>
> I can't seem to reconcile these two answers.
> --

It's simple. The other guy phrased things better than me :-)

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
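As an added illustration (not part of the thread, and not netfilter code), the following toy Python model walks the hooks Gilad describes: ACCEPT ends only the current built-in chain, DROP ends everything, and every packet meets exactly one filter chain. The table order per hook follows the standard iptables flow diagram; the rule set and packets are constructed for the example.

```python
# Toy model of netfilter hook traversal (added illustration, not netfilter code):
# table order per hook follows the iptables flow diagram; rules are constructed.
HOOKS = {  # tables consulted at each hook, in the order the kernel visits them
    "PREROUTING": ["raw", "mangle", "nat"],
    "INPUT": ["mangle", "filter"],
    "FORWARD": ["mangle", "filter"],
    "OUTPUT": ["raw", "mangle", "nat", "filter"],
    "POSTROUTING": ["mangle", "nat"],
}
PATHS = {  # hook sequence for each kind of packet path
    "incoming": ["PREROUTING", "INPUT"],
    "forwarded": ["PREROUTING", "FORWARD", "POSTROUTING"],
    "outgoing": ["OUTPUT", "POSTROUTING"],
}

def traverse(path, rules, policies, pkt):
    """Walk every built-in chain on the path; return (verdict, chains seen).
    rules:    {(table, hook): [(match_fn, "ACCEPT" | "DROP"), ...]}
    policies: {(table, hook): "ACCEPT" | "DROP"} for the filter chains."""
    trace = []
    for hook in PATHS[path]:
        for table in HOOKS[hook]:
            chain = (table, hook)
            trace.append(f"{table}/{hook}")
            for match, target in rules.get(chain, []):
                if not match(pkt):
                    continue
                if target == "DROP":
                    return "DROP", trace  # no later chain sees the packet
                if target == "ACCEPT":
                    break  # done with this built-in chain only
            else:  # no terminating rule matched: the chain policy decides
                if policies.get(chain, "ACCEPT") == "DROP":
                    return "DROP", trace
    return "ACCEPT", trace

# Constructed rules: ACCEPT-everything in mangle/PREROUTING, DROP telnet in
# filter/INPUT. The early ACCEPT does not shield the packet from filter.
RULES = {
    ("mangle", "PREROUTING"): [(lambda p: True, "ACCEPT")],
    ("filter", "INPUT"): [(lambda p: p["dport"] == 23, "DROP")],
}
POLICIES = {("filter", "INPUT"): "ACCEPT", ("filter", "FORWARD"): "DROP"}

def demo():
    return {
        "telnet_in": traverse("incoming", RULES, POLICIES, {"dport": 23}),
        "ssh_in": traverse("incoming", RULES, POLICIES, {"dport": 22}),
        "ssh_fwd": traverse("forwarded", RULES, POLICIES, {"dport": 22}),
    }
```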