From: Data Shock
Subject: RE: Is a match-all rule with jump to empty chain processed?
Date: Tue, 14 Sep 2010 16:34:45 -0400
Sender: netfilter-owner@vger.kernel.org
To: netfilter@vger.kernel.org

Thank you for your reply.

> Jumping to arbitrary tables is not within the design.

I'm not sure I understand this statement. Can you please elaborate?

> That is a chain, not a table.

Ooops! My mistake. I've been using iptables so much that I find myself mistakenly calling chains "tables". I thought I had checked for that before sending my e-mail. :)

> And yes, it is processed including
> overhead, as is done in many other kernel subsystems. The kernel really
> is not responsible for the user's misdeeds. not use empty chains :)

OK. I thought that the code might optimize and ignore the jump if the chain was empty, as if the rule was simply: "-t filter -A INPUT". This way it would just count the packet and data without needing to process an empty chain, possibly avoiding call stack and other overhead for what is basically a no-op. I have not had a chance to trace the code to find out exactly how it operates.

I appreciate the information.