About matching (also was: Multiple Targets)
Jozsef Kadlecsik
kadlec at blackhole.kfki.hu
Thu May 5 08:36:08 CEST 2005
On Wed, 4 May 2005, Jonas Berlin wrote:
> >>And if that flag was set, netfilter would also assert that the return
> >>value of the target in question is IPT_CONTINUE ?
> >
> > No, targets may return other values. Something like this
>
> I know. But my point was, _should_ these targets with the "cascade flag"
> set be allowed to return anything else?
>
> For example LOG, MARK, CONNMARK and CLASSIFY targets always return
> IPT_CONTINUE. I could agree that NF_DROP could also be allowed if a bad
> packet was recognized or some other problem. But should NF_STOLEN or
> NF_REPEAT or others really be allowed from these targets with "cascade
> flag" set? If there wasn't any restriction on the return value, I don't
> know if there's much point of having a cascade flag either?
In my opinion cascade targets should return IPT_CONTINUE. They may
return NF_DROP in error conditions, but other return values are not
allowed.
Best regards,
Jozsef
-
E-mail : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
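To make the rule stated above concrete, here is an added sketch (not code from the netfilter project or from either poster) of a chain walker that treats the proposed "cascade flag" the way Jozsef describes: a cascade target may return IPT_CONTINUE or NF_DROP, and any other verdict from it is treated as a target bug and the packet is dropped. The `struct target`, its `cascade` field and the sample targets are hypothetical; the verdict constants mirror the kernel's names but are defined locally so the sketch builds stand-alone.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Verdict values redefined locally for this sketch (the kernel defines them
 * in linux/netfilter.h and linux/netfilter_ipv4/ip_tables.h). */
#define NF_DROP      0
#define NF_ACCEPT    1
#define NF_STOLEN    2
#define NF_REPEAT    4
#define IPT_CONTINUE 0xFFFFFFFF

struct pkt { unsigned int mark; int logged; };   /* constructed packet state */

/* Hypothetical target descriptor: "cascade" is the proposed flag from the
 * thread, not an existing netfilter field. */
struct target {
    const char *name;
    bool cascade;                        /* proposed: non-terminating target */
    unsigned int (*fn)(struct pkt *);    /* returns a verdict */
};

/* Constructed sample targets modelled on LOG, MARK, ACCEPT and a buggy one. */
static unsigned int t_log(struct pkt *p)    { p->logged = 1;  return IPT_CONTINUE; }
static unsigned int t_mark(struct pkt *p)   { p->mark = 0x10; return IPT_CONTINUE; }
static unsigned int t_accept(struct pkt *p) { (void)p;        return NF_ACCEPT; }
static unsigned int t_bad(struct pkt *p)    { (void)p;        return NF_STOLEN; }

/* Walk a chain. A non-cascade target's verdict is final. A cascade target may
 * only continue (IPT_CONTINUE) or drop (NF_DROP); anything else is a bug in
 * the target, so the packet is dropped rather than stolen/repeated. */
unsigned int run_chain(const struct target *chain, size_t n, struct pkt *p)
{
    for (size_t i = 0; i < n; i++) {
        unsigned int v = chain[i].fn(p);
        if (!chain[i].cascade)
            return v;
        if (v == IPT_CONTINUE)
            continue;
        if (v != NF_DROP)
            fprintf(stderr, "%s: cascade target returned %u, dropping\n",
                    chain[i].name, v);
        return NF_DROP;
    }
    return NF_ACCEPT;   /* chain policy assumed for this sketch */
}
```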