[Bug 1699] New: docs/nft-wiki: verdict statements have incomplete documentation

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Aug 10 18:36:19 CEST 2023


https://bugzilla.netfilter.org/show_bug.cgi?id=1699

            Bug ID: 1699
           Summary: docs/nft-wiki: verdict statements have incomplete
                    documentation
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: evil.function at proton.me

https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Verdict_statements

Specifically the return statement, but the others could use some enhancement,
too.

As stated in the above wiki section, it sounds like a 'jump' /must/ have an
explicit 'return' in the jumped-to chain in order to return processing to the
calling chain.  This is easily proven false by testing:

table inet filter {
    chain base {
        type filter hook input priority 0; policy accept;
        jump user_chain
        counter # Will we get here?  Yes, even though wiki implies otherwise.
    }

    chain user_chain {
        counter
        # Implicit, undocumented 'return' here...
    }
}

Maybe something like this:

o return: Return from the current chain and continue at the next rule of the
last chain. In a base chain it is equivalent to accept.  There is an implicit
'return' at the end of any user chain, such that a 'jump' to the chain will
return control to the statement following the 'jump' when none of the rules in
the user chain trigger a terminating verdict.

o jump <chain>: Continue at the first rule of <chain>. It will continue at the
next rule after a return statement is issued, or when processing reaches the
end of the chain.

o goto <chain>: Similar to jump, but after the new chain the evaluation will
continue at the last chain instead of the one containing the goto statement. 
This is effectively a jump, but it never returns from the destination chain.

-- 
You are receiving this mail because:
You are watching all bug changes.
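Added illustration (not part of the bug report, the wiki, or nft's own code): a small Python model of the verdict flow the report describes. It mirrors the control flow of the kernel's nft_do_chain() loop: an explicit jump stack, an implicit 'return' when a user chain runs out of rules, the base chain policy once the stack is empty, and the NFT_JUMP_STACK_SIZE depth guard (16). One caveat against the proposed wording: in the kernel a 'return' that empties the jump stack yields the base chain's policy, which equals 'accept' only when the chain was declared with 'policy accept'. The chain names and rule lists below are constructed for the example; the rule syntax is a deliberate toy subset, not nft's grammar.

```python
"""Toy evaluator for nftables verdict statements (jump/goto/return/accept/drop).

Added example, not nft's own code.  It follows the structure of the kernel's
nft_do_chain() loop: a jump stack, an implicit return at the end of a user
chain, the base-chain policy when the stack is empty, and the depth guard.
Each rule is a list of statements; 'counter' is non-terminating, everything
else is a verdict: 'accept', 'drop', 'continue', 'return', 'jump <chain>',
'goto <chain>'.
"""

JUMP_STACK_SIZE = 16  # kernel's NFT_JUMP_STACK_SIZE; nft_do_chain() drops beyond it


def evaluate(chains, base, policy="accept", hits=None):
    """Run one packet through chain `base`.  Returns the final verdict and
    records how often each 'counter' statement fired in `hits`, keyed by
    (chain, rule index), so a caller can see which rules were reached."""
    if hits is None:
        hits = {}
    stack = []                    # saved (chain, index of the rule after the jump)
    chain, idx = base, 0
    while True:
        if chain not in chains:
            raise ValueError(f"unknown chain {chain!r}")  # nft rejects this at load time
        rules = chains[chain]
        if idx >= len(rules):
            verdict = "return"    # ran off the end of the chain: implicit return
        else:
            verdict = "continue"  # a rule without a verdict just falls through
            for stmt in rules[idx]:
                if stmt == "counter":
                    hits[(chain, idx)] = hits.get((chain, idx), 0) + 1
                else:
                    verdict = stmt
                    break         # a verdict ends evaluation of this rule
            idx += 1
        op, _, target = verdict.partition(" ")
        if op in ("accept", "drop"):
            return op             # terminating verdicts end the hook entirely
        if op == "jump":
            if len(stack) >= JUMP_STACK_SIZE:
                return "drop"     # evaluation-time guard; the loader normally rejects this
            stack.append((chain, idx))   # idx already points past the jump rule
            chain, idx = target, 0
        elif op == "goto":
            chain, idx = target, 0       # no stack push: evaluation never comes back here
        elif op == "return":
            if not stack:
                return policy            # return in the base chain: chain policy applies
            chain, idx = stack.pop()
        elif op != "continue":
            raise ValueError(f"unknown verdict {verdict!r}")


# Constructed rulesets for the example (not taken from any real system):
CHAINS_JUMP = {               # the report's case: jump with no explicit return
    "base": [["jump user_chain"], ["counter"]],
    "user_chain": [["counter"]],
}
CHAINS_GOTO = {               # goto: base[1] is never reached
    "base": [["goto user_chain"], ["counter"]],
    "user_chain": [["counter"]],
}
CHAINS_NESTED = {             # jump -> goto: end of B returns to base, not to A
    "base": [["jump A"], ["counter"]],
    "A": [["goto B"], ["counter"]],
    "B": [["counter"]],
}


def run(chains, policy="accept"):
    """Evaluate one packet from 'base'; return (verdict, sorted counter keys hit)."""
    hits = {}
    verdict = evaluate(chains, "base", policy, hits)
    return verdict, sorted(hits)


if __name__ == "__main__":
    for name, cs in (("jump", CHAINS_JUMP), ("goto", CHAINS_GOTO), ("nested", CHAINS_NESTED)):
        print(name, run(cs))
```

Running it shows the three cases from the proposed wording: after 'jump', the counter following it in the base chain fires even though user_chain has no 'return'; after 'goto' it does not; and a chain reached by 'goto' from a jumped-to chain returns to the jump's caller, skipping the rest of the chain that issued the goto.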