Karma Fusebox asked:
I am quite unable to find out what the consequences of a missing RETURN-rule at the end of user-defined iptables chains are. Obviously “iptables [missing] return [jump]” are really, really bad keywords to look for.
The manpage and any blog or howto I could dig up just tell me what -j RETURN does (which is quite obvious) but not what happens if it is missing. Also, I cannot seem to set up sane experimental rules to try it out…
    iptables -N userchainA
    iptables -A INPUT -j userchainA
    iptables -N userchainB
    iptables -A INPUT -j userchainB
    iptables -A INPUT -j ACCEPT
    iptables -A userchainA ...    # anything here, that DOES NOT MATCH
    #### no explicit return from userchainA!
    iptables -A userchainB ...    # anything here, that DOES NOT MATCH
    iptables -A userchainB -j RETURN
Given these rules, anything works just fine. Packets travel through all the chains and finally hit the ACCEPT from INPUT as if the (missing) -j RETURN from userchainA would be done implicitly. Is this the case?
Why is this working? I would have expected some kind of error or at least a log message about execution falling off a chain.
When iptables reaches the end of a user-defined chain, flow returns to the next rule in the calling chain. The RETURN is therefore implicit; it does not need to be explicitly given.
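To make the answer concrete, here is a small Python model of chain traversal that I have added to illustrate it; it is not part of the question or answer and it is not netfilter code. It assumes a DROP policy on INPUT (the question does not state one) and uses a constructed "never matches" rule (`--dport 65535`) in place of the `...` rules. A packet walks the questioner's rules: userchainA is left by falling off its end, userchainB by its explicit -j RETURN, and both land back on the next rule of INPUT, which is the final -j ACCEPT.

```python
"""Toy model of iptables chain traversal (constructed illustration, not the
netfilter implementation): a user-defined chain returns to its caller when a
packet reaches its end, with or without an explicit -j RETURN."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
TERMINAL = ("ACCEPT", "DROP", "REJECT")


@dataclass
class Rule:
    match: Callable[[Packet], bool]   # predicate standing in for -p/--dport/...
    target: str                       # ACCEPT, DROP, REJECT, RETURN or a chain name
    note: str = ""                    # label shown in the trace


@dataclass
class Ruleset:
    policy: Dict[str, str] = field(default_factory=dict)        # built-in chain -> policy
    chains: Dict[str, List[Rule]] = field(default_factory=dict)

    def builtin(self, name: str, policy: str) -> None:           # iptables -P
        self.policy[name] = policy
        self.chains[name] = []

    def new_chain(self, name: str) -> None:                      # iptables -N
        self.chains[name] = []

    def append(self, chain: str, match: Callable[[Packet], bool],
               target: str, note: str = "") -> None:             # iptables -A
        if target not in TERMINAL + ("RETURN",) and target not in self.chains:
            raise ValueError(f"unknown target {target}")
        self.chains[chain].append(Rule(match, target, note))


def walk(chain: str, pkt: Packet, rs: Ruleset, trace: List[str]) -> Optional[str]:
    """Return a terminal verdict, or None when control goes back to the caller."""
    for rule in rs.chains[chain]:
        if not rule.match(pkt):
            continue
        trace.append(f"{chain}: {rule.note or 'rule'} -> {rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        # -j <user chain>: descend; when it returns, carry on with the next rule here
        verdict = walk(rule.target, pkt, rs, trace)
        if verdict is not None:
            return verdict
    # Falling off the end behaves exactly like -j RETURN: the implicit return.
    trace.append(f"{chain}: end of chain reached (implicit RETURN)")
    return None


def filter_packet(pkt: Packet, rs: Ruleset, entry: str = "INPUT") -> Tuple[str, List[str]]:
    trace: List[str] = []
    verdict = walk(entry, pkt, rs, trace)
    if verdict is None:
        # Returning from (or falling off) a built-in chain applies its policy.
        verdict = rs.policy[entry]
        trace.append(f"{entry}: policy {verdict}")
    return verdict, trace


def questioners_ruleset() -> Ruleset:
    """The rules from the question; the DROP policy on INPUT is an assumption."""
    rs = Ruleset()
    rs.builtin("INPUT", "DROP")
    rs.new_chain("userchainA")
    rs.new_chain("userchainB")
    rs.append("INPUT", lambda p: True, "userchainA", "-j userchainA")
    rs.append("INPUT", lambda p: True, "userchainB", "-j userchainB")
    rs.append("INPUT", lambda p: True, "ACCEPT", "-j ACCEPT")
    never = lambda p: p.get("dport") == 65535                 # constructed non-matching rule
    rs.append("userchainA", never, "DROP", "--dport 65535")  # no RETURN at the end
    rs.append("userchainB", never, "DROP", "--dport 65535")
    rs.append("userchainB", lambda p: True, "RETURN", "-j RETURN")
    return rs


if __name__ == "__main__":
    verdict, trace = filter_packet({"proto": "tcp", "dport": 22}, questioners_ruleset())
    print("\n".join(trace))
    print("verdict:", verdict)
```

The same model also shows the one case where the missing RETURN matters for safety: a RETURN reached in a built-in chain (or falling off its end) does not go back to a caller, because there is none, so the chain policy decides. A user chain whose last rule is a catch-all ACCEPT or DROP therefore behaves very differently from one that simply ends, and a trace like the one printed above is the quickest way to check which of the two a ruleset actually does.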
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.