7

From the man page of my distro, I am especially interested in the bold part below.

-j, --jump target

This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule (and -g is not used), then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

-g, --goto chain

This specifies that the processing should continue in a user specified chain. Unlike the --jump option return will not continue processing in this chain but instead in the chain that called us via --jump.

I fear I misunderstand what -g actually does.

How exactly is -g now different from -j?

sjas

1 Answer

8

When a matched rule in a current chain specifies the target RETURN, or when the end of the current chain is reached, processing continues in the previous chain that jumped to the current chain, traversing it from the next rule that was still not processed, i.e. the rule below the one that actually specified the current chain as its target and triggered the jump to the current chain.

However, if the jump to the current chain was done via -g (rather than via -j), processing would not continue in that previous chain, but rather in the chain before that, assuming the jump there was done with -j. If that is also not the case (i.e. even there -g was used), then the chain before that would be taken into account, and so on. In other words, the most recent chain that actually specified the next chain with -j, rather than with -g, would be processed next.

If no such chain is found (i.e. all chains up to and including the built-in chain specified -g), or the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the built-in chain policy determines the fate of the packet.

Yoel
  • So `-g` basically jumps back to the last chain 'activated' by `-j`, or the built-in chain origin. If there cannot be found any matching rule for the packet in question, the default policy will come into effect. – sjas Jul 24 '15 at 11:40
  • Yes, however the jump back is to the most recent chain that "activated" the next chain via `-j` and it occurs only when the currently processed chain specifies the target `RETURN` or if the currently processed chain doesn't specify any target at all. – Yoel Jul 24 '15 at 14:54
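The traversal rules the answer describes (-j pushes a return point, -g does not, and RETURN or end-of-chain resumes in the most recent -j caller, falling back to the built-in chain's policy) can be checked without touching a real firewall. The following is an added example, not code from the question, the answer or iptables itself: a small Python model of chain traversal with a constructed three-chain ruleset (INPUT, A, B with the policy, rules and packets all made up for the demonstration). Match predicates stand in for -p/--dport matches; the chain names, rule order and policy are assumptions chosen to make the -j/-g difference visible.

```python
"""Toy model of iptables chain traversal to show how -j and -g differ.

Constructed example only: no kernel, no netfilter, just the control flow
described in the answer above.  A -j jump records where to resume; a -g
jump does not.  When a chain ends or a rule with target RETURN matches,
processing resumes at the most recent recorded -j return point, and if
there is none the built-in chain's policy decides the packet's fate.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]


@dataclass
class Rule:
    match: Callable[[Packet], bool]   # stands in for -p tcp, --dport 22, ...
    target: Optional[str] = None      # ACCEPT, DROP, RETURN, a user chain, or None (counter only)
    goto: bool = False                # True models -g, False models -j


TERMINAL = {"ACCEPT", "DROP"}


def traverse(chains: Dict[str, List[Rule]], policy: str, entry: str,
             packet: Packet) -> Tuple[str, List[str]]:
    """Walk the ruleset for one packet; return (verdict, trace of decisions)."""
    stack: List[Tuple[str, int]] = []   # return points; only -j pushes here
    trace: List[str] = []
    chain, idx = entry, 0
    while True:
        rules = chains[chain]
        if idx == len(rules):
            # End of chain: resume in the last -j caller, else built-in policy.
            trace.append(f"end of {chain}")
            if not stack:
                return policy, trace
            chain, idx = stack.pop()
            continue
        rule = rules[idx]
        idx += 1                          # index now points at the *next* rule
        if not rule.match(packet) or rule.target is None:
            continue                      # no target: only the counter would change
        if rule.target in TERMINAL:
            trace.append(f"{chain}#{idx} -> {rule.target}")
            return rule.target, trace
        if rule.target == "RETURN":
            trace.append(f"{chain}#{idx} RETURN")
            if not stack:
                return policy, trace      # RETURN at built-in level: policy applies
            chain, idx = stack.pop()
            continue
        # Jump into a user chain.  -j remembers where to come back to; -g does not.
        flag = "-g" if rule.goto else "-j"
        trace.append(f"{chain}#{idx} {flag} {rule.target}")
        if not rule.goto:
            stack.append((chain, idx))
        chain, idx = rule.target, 0


def demo_ruleset(a_to_b_goto: bool, input_to_a_goto: bool = False) -> Dict[str, List[Rule]]:
    """Constructed ruleset: INPUT -> A -> B, with the jump kinds as parameters."""
    tcp = lambda p: p.get("proto") == "tcp"
    anything = lambda p: True
    ssh = lambda p: p.get("dport") == 22
    return {
        "INPUT": [Rule(tcp, "A", goto=input_to_a_goto), Rule(anything, "ACCEPT")],
        "A":     [Rule(anything, "B", goto=a_to_b_goto), Rule(anything, "DROP")],
        "B":     [Rule(ssh, "ACCEPT")],       # nothing matches port 80 here, chain ends
    }


def verdict(a_to_b_goto: bool, input_to_a_goto: bool = False, dport: int = 80) -> str:
    packet: Packet = {"proto": "tcp", "dport": dport}
    return traverse(demo_ruleset(a_to_b_goto, input_to_a_goto), "DROP", "INPUT", packet)[0]


def trace_of(a_to_b_goto: bool, input_to_a_goto: bool = False, dport: int = 80) -> List[str]:
    packet: Packet = {"proto": "tcp", "dport": dport}
    return traverse(demo_ruleset(a_to_b_goto, input_to_a_goto), "DROP", "INPUT", packet)[1]


if __name__ == "__main__":
    for a_goto, in_goto in [(False, False), (True, False), (True, True)]:
        kinds = f"INPUT {'-g' if in_goto else '-j'} A, A {'-g' if a_goto else '-j'} B"
        v, t = traverse(demo_ruleset(a_goto, in_goto), "DROP", "INPUT", {"proto": "tcp", "dport": 80})
        print(f"{kinds:26} => {v:6}  via {' ; '.join(t)}")
```

Running the block shows the three outcomes for the same tcp/80 packet: with A jumping to B via -j, the end of B resumes at A's second rule (DROP); with -g, the end of B skips A and resumes at INPUT's second rule (ACCEPT); with -g used at every level, no return point exists and INPUT's DROP policy decides. A tcp/22 packet is accepted inside B in every variant.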