Bob Simon wrote:
> I don't understand what happens to packets after they match a rule in
> a chain. According to the packet filtering howto, if a packet matches
> a statement with -j DROP, the packet is killed right there. I presume
> that means that the packet is not tested against any other rules;
> right?
Correct. Processing of the packet stops there. The packet is discarded as if
it had never been received.
> After a packet matches a rule with -j ACCEPT, does the packet then
> continue down to the next rule in that chain, or are all the other
> rules in that chain skipped and flow of control transfers back to the
> calling chain?
Neither. -j ACCEPT says to pass the packet /unconditionally/ on to the
internal network. With "-j ACCEPT", you've stated that you do not need any
further tests to determine whether or not the packet is acceptable; the
packet is acceptable entirely because you "-j ACCEPT" it.
--
Lew Pitcher, IT Consultant, Application Architecture
Enterprise Technology Solutions, TD Bank Financial Group
(Opinions expressed here are my own, not my employer's)
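To make the flow of control in the reply concrete, here is an added Python model of how the filter table walks a chain; it is constructed for this thread and is not iptables code or anything from the original posters. The ruleset (an INPUT chain with a DROP policy and a user-defined `tcp-services` chain), the packet dicts, and the starting chain name `INPUT` are all assumptions for the example. It follows the iptables(8) semantics: ACCEPT and DROP are terminating targets, so no further rule in any chain of the table is consulted; a user-defined chain that reaches its end (or hits RETURN) hands control back to the rule after the jump in the calling chain, and a built-in chain that runs out of rules applies its policy. The trace returned alongside the verdict lists exactly which rules were consulted, which goes a little beyond the two cases asked about in the thread.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A packet is a plain dict of the header fields the rules below look at.
# Constructed for this example; real iptables matches run on kernel sk_buffs.
Packet = Dict[str, object]


@dataclass
class Rule:
    match: Callable[[Packet], bool]   # stands in for -p / -s / --dport / -m conntrack
    target: str                       # "ACCEPT", "DROP", "RETURN" or a user-defined chain


@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None      # built-in chains only (iptables -P)


class FilterTable:
    """Walks chains the way the filter table does (a model, not iptables code)."""

    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}

    def new_chain(self, name: str, policy: Optional[str] = None) -> None:
        self.chains[name] = Chain(name, policy=policy)      # like -N (or a built-in)

    def append(self, chain: str, match: Callable[[Packet], bool], target: str) -> None:
        self.chains[chain].rules.append(Rule(match, target))  # like -A

    def _walk(self, chain_name: str, pkt: Packet, trace: List[Tuple]) -> str:
        chain = self.chains[chain_name]
        for idx, rule in enumerate(chain.rules, start=1):
            if not rule.match(pkt):
                continue                    # no match: fall through to the next rule
            trace.append((chain_name, idx, rule.target))
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target          # terminating: nothing else in this table is consulted
            if rule.target == "RETURN":
                break                       # stop walking this chain, hand back to the caller
            sub = self._walk(rule.target, pkt, trace)   # jump into a user-defined chain
            if sub != "RETURN":
                return sub                  # the sub-chain reached a verdict
            # sub-chain ended or RETURNed: continue with the next rule in this chain
        if chain.policy is not None:        # end of a built-in chain: the policy decides
            trace.append((chain_name, "policy", chain.policy))
            return chain.policy
        return "RETURN"                     # end of a user-defined chain: back to the caller

    def verdict(self, pkt: Packet) -> Tuple[str, List[Tuple]]:
        """Run a packet through INPUT; return (verdict, rules consulted)."""
        trace: List[Tuple] = []
        return self._walk("INPUT", pkt, trace), trace


def in_net(cidr: str) -> Callable[[Packet], bool]:
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["src"]) in net


def build_example_table() -> FilterTable:
    """Constructed ruleset, roughly the shape of a small host firewall (assumed)."""
    t = FilterTable()
    t.new_chain("INPUT", policy="DROP")
    t.new_chain("tcp-services")
    # INPUT: replies to our own connections, then TCP services, then ping
    t.append("INPUT", lambda p: p.get("state") == "ESTABLISHED", "ACCEPT")
    t.append("INPUT", lambda p: p["proto"] == "tcp", "tcp-services")
    t.append("INPUT", lambda p: p["proto"] == "icmp", "ACCEPT")
    # tcp-services: ssh only from the internal net, web from anywhere
    t.append("tcp-services", lambda p: p["dport"] == 22 and in_net("10.0.0.0/8")(p), "ACCEPT")
    t.append("tcp-services", lambda p: p["dport"] == 22, "DROP")
    t.append("tcp-services", lambda p: p["dport"] == 80, "ACCEPT")
    return t


if __name__ == "__main__":
    table = build_example_table()
    for pkt in (
        {"proto": "tcp", "dport": 22, "src": "10.0.0.5"},
        {"proto": "tcp", "dport": 22, "src": "203.0.113.9"},
        {"proto": "tcp", "dport": 443, "src": "203.0.113.9"},
        {"proto": "tcp", "dport": 22, "src": "203.0.113.9", "state": "ESTABLISHED"},
    ):
        verdict, trace = table.verdict(pkt)
        print(f"{pkt} -> {verdict} via {trace}")
```

The second packet shows the DROP case: it is killed at `tcp-services` rule 2 and `INPUT` rule 3 is never looked at. The fourth packet shows the ACCEPT case: `INPUT` rule 1 accepts it and the DROP in `tcp-services` that would otherwise apply is never reached. The third packet shows what the thread does not cover: `tcp-services` has no verdict for port 443, so control returns to `INPUT` after the jump, and the chain policy finally decides.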