I've been digging into the documentation quite a bit lately. I seem to have 
found something of a discrepancy between how the iptables man pages and the 
shorewall man pages describe the bypass feature of the nfqueue target.

In the `iptables-extensions` man page on my system it says:

> --queue-bypass
>       By default, if no userspace program is listening on an NFQUEUE, then all
>       packets that are to be queued are dropped. When this option is used, the
>       NFQUEUE rule behaves like ACCEPT instead, and the packet will move on to
>       the next table.

However, the `shorewall-rules` man page says:

> Beginning with Shorewall 4.6.10, the keyword bypass can be given. By default,
> if no userspace program is listening on an NFQUEUE, then all packets that are
> to be queued are dropped. When this option is used, the NFQUEUE rule is
> silently bypassed instead. The packet will move on to the next rule.

So `iptables-extensions` says that, when no userspace application is listening, 
the packet is `ACCEPT`ed and moves on to the next _table_ (skipping any further 
rules in the current chain or parent chains in the current table). While 
`shorewall-rules` seems to say that the packet continues in the current table 
and chain (to the next _rule_)... the way it would with a `LOG` target. Past 
exchanges on this mailing list seem to also imply that nfqueue w/bypass keeps 
the packet in the current table and chain.

I'm not proficient with C and don't trust my ability to read the netfilter code 
and understand what it is saying. So I ask, which is correct? Or is there 
something going on here that makes both correct and is too subtle for me to 
recognize with my current understanding?

Regards,
J Cliff Armstrong


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
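One way to settle the question empirically rather than by reading the man pages is to put a LOG rule directly after an NFQUEUE --queue-bypass rule in the same chain, and a second LOG rule in the table that is traversed next, then see which prefix shows up in the kernel log. The script below is an added example, not code from the original post or from the Shorewall or iptables projects; it assumes iptables with the NFQUEUE and LOG extensions, a queue number that no userspace program is bound to (QUEUE_NUM, default 7), and an ICMP echo-request sent to a host you control.

```shell
#!/bin/sh
# Added probe for the --queue-bypass question (not from the original post or
# from the Shorewall/iptables projects). Assumptions: iptables with the NFQUEUE
# and LOG extensions, an unused queue number (QUEUE_NUM) that no userspace
# program is bound to, and an ICMP echo-request to a host you control (arg 1).
IPT="${IPT:-iptables}"        # set IPT=echo to print the rules instead of loading them
QUEUE_NUM="${QUEUE_NUM:-7}"
PFX_RULE="nfq-bypass-next-rule: "    # fires only if the packet continues in the same chain
PFX_TABLE="nfq-bypass-next-table: "  # fires in the next table either way (control)

# Locally generated packets traverse OUTPUT in the raw table before mangle, so:
#   raw/NFQ_PROBE: NFQUEUE --queue-bypass, then LOG (next rule in the same chain)
#   mangle/OUTPUT: LOG (next table)
install_probe() {
    dst="$1"
    $IPT -t raw -N NFQ_PROBE
    $IPT -t raw -A NFQ_PROBE -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass
    $IPT -t raw -A NFQ_PROBE -j LOG --log-prefix "$PFX_RULE"
    $IPT -t raw -I OUTPUT 1 -p icmp --icmp-type echo-request -d "$dst" -j NFQ_PROBE
    $IPT -t mangle -I OUTPUT 1 -p icmp --icmp-type echo-request -d "$dst" \
        -j LOG --log-prefix "$PFX_TABLE"
}

remove_probe() {
    dst="$1"
    $IPT -t mangle -D OUTPUT -p icmp --icmp-type echo-request -d "$dst" \
        -j LOG --log-prefix "$PFX_TABLE"
    $IPT -t raw -D OUTPUT -p icmp --icmp-type echo-request -d "$dst" -j NFQ_PROBE
    $IPT -t raw -F NFQ_PROBE
    $IPT -t raw -X NFQ_PROBE
}

# Classify kernel log lines (dmesg or journalctl -k) captured while the probe
# was installed and one ping was sent. Reads stdin, prints one of:
#   next-rule     the same-chain LOG fired: bypass kept the packet in the chain
#   next-table    only the mangle LOG fired: bypass left the raw table
#   inconclusive  neither prefix seen (listener bound? packet dropped? wrong dst?)
classify_log() {
    log=$(cat)
    case "$log" in
        *"$PFX_RULE"*)  echo "next-rule" ;;
        *"$PFX_TABLE"*) echo "next-table" ;;
        *)              echo "inconclusive" ;;
    esac
}

# Usage (as root): install_probe 192.0.2.1; ping -c1 192.0.2.1
#                  dmesg | classify_log; remove_probe 192.0.2.1
```

Run it with `IPT=echo` first to review the rules it would load, and make sure nothing is bound to the queue number before sending the test packet, otherwise the bypass path is never taken.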