On Sun, 6 Oct 2002 12:43:50 -0400, Hal Burgiss wrote:

> > > > LOG doesn't terminate processing.
> > >
> > > Of course not ...
> >
> > Why "of course"? With ipchains a LOG target is the end of a chain.
>
> "Of course", because there was no implication otherwise, and because
> it is clearly documented as such.
>
> > With netfilter it is different.
>
> There was no LOG *target* with ipchains. Just a command line option,
> that could be combined with other options and/or Targets. Targets are
> a different concept altogether, and even with ipchains, only one
> Target per rule is allowed. This much is no different. What is
> distinctly different is that logging with ipchains was activated with
> a command line option, and with iptables it is only via a Target. The
> LOG target does not terminate a _chain_, as some (most?) other Targets
> do.

You're right. Ipchains had an ordinary "-l" option which could be added to do logging and jumping to a target with "-j" at once. But it *could* be the same with iptables (e.g. -j LOG -j ACCEPT as a substitute for -l -j ACCEPT), because the netfilter LOG target returns to the chain. To the end-user -j LOG is also just a command-line option.

Didn't want to turn this thread into a discussion of the netfilter architecture. Just the "of course" that surprised me.

And yes, it's documented. But if everyone would read the manual page (=> "man iptables" or visit http://www.netfilter.org) before posting here, the list would be less crowded. ;)
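
Added example, not part of the original messages and not netfilter code: a simplified Python model of the rule traversal discussed in this thread, showing that LOG returns to the chain while ACCEPT and DROP end it, and why the LOG rule has to come before the verdict rule. The function and variable names, the sample packets, and the default DROP policy are assumptions made for the illustration.

```python
# Simplified model of iptables rule traversal (added example; not netfilter code).
# Assumption: a rule is (match_function, target); only LOG, ACCEPT, DROP are modelled.
NON_TERMINATING = {"LOG"}          # LOG records the packet, then traversal continues
TERMINATING = {"ACCEPT", "DROP"}   # verdict targets end traversal of the chain


def traverse(chain, packet, policy="DROP"):
    """Return (verdict, numbers of the LOG rules that fired) for one packet."""
    logged = []
    for number, (match, target) in enumerate(chain, start=1):
        if not match(packet):
            continue
        if target in NON_TERMINATING:
            logged.append(number)      # side effect only, keep walking the chain
            continue
        if target in TERMINATING:
            return target, logged      # verdict reached, later rules never run
        raise ValueError(f"unmodelled target: {target}")
    return policy, logged              # fell off the end: chain policy decides


def is_ssh(pkt):
    return pkt["proto"] == "tcp" and pkt["dport"] == 22


# ipchains "-l -j ACCEPT" written as two iptables rules with the same match:
#   iptables -A INPUT -p tcp --dport 22 -j LOG
#   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
LOG_THEN_ACCEPT = [(is_ssh, "LOG"), (is_ssh, "ACCEPT")]
# Same two rules in the wrong order: ACCEPT ends traversal, LOG is never reached.
ACCEPT_THEN_LOG = [(is_ssh, "ACCEPT"), (is_ssh, "LOG")]
# LOG on its own: the packet is logged, then falls through to the chain policy.
LOG_ONLY = [(is_ssh, "LOG")]

SSH_PACKET = {"proto": "tcp", "dport": 22}   # constructed sample packet
DNS_PACKET = {"proto": "udp", "dport": 53}   # constructed sample packet

if __name__ == "__main__":
    chains = [("LOG then ACCEPT", LOG_THEN_ACCEPT),
              ("ACCEPT then LOG", ACCEPT_THEN_LOG),
              ("LOG only", LOG_ONLY)]
    for name, chain in chains:
        verdict, logged = traverse(chain, SSH_PACKET)
        print(f"{name:16} verdict={verdict:6} logged_by_rules={logged}")
```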