Thank you for your reply.

> Jumping to arbitrary tables is not within the design.

I'm not sure I understand this statement. Can you please elaborate?

> That is a chain, not a table.

Ooops! My mistake. I've been using iptables so much that I find myself mistakenly calling chains "tables". I thought I had checked for that before sending my e-mail. :)

> And yes, it is processed including
> overhead, as is done in many other kernel subsystems. The kernel really
> is not responsible for the user's misdeeds. not use empty chains :)

OK. I thought that the code might optimize and ignore the jump if the chain was empty, as if the rule was simply: "-t filter -A INPUT". This way it would just count the packet and data without needing to process an empty chain, possibly avoiding call stack and other overhead for what is basically a no-op. I have not had a chance to trace the code to find out exactly how it operates.

I appreciate the information.