What happens when there's no custom chain to jump in a table in iptables?

Tony Han

5/7/23, 8:15 AM

I'm looking into how iptables work in Kubernetes for packets from a pod to a service. For the outbound, it goes through OUTPUT chain first(nat then filter in my case). Part of the iptables-save result is like:

# Generated by iptables-save v1.4.21 on 
*nat
-A KUBE-SERVICES ...
# other rules in nat table

*filter
:OUTPUT ACCEPT [9:1136]
:KUBE-FIREWALL - [0:0]   # it seems there's no failures
:KUBE-SERVICES - [0:0]

-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
# no KUBE-SERVICES chain in filter table

# no rules in other tables

We can see from -A OUTPUT -m conntrack , it jumps to KUBE-SERVICES, but I can't find a KUBE-SERVICES chain in filter table. What happens when it doesn't exist?

There's a KUBE-SERVICES chain in nat table, but I guess it won't go to nat table from filter table?

166

0 + 0

networking

linux

iptables

kubernetes

Score:1

Server

Bob

5/7/23, 9:09 AM

I think your question is rooted in the fact that iptables-save output does not include counters in custom chains.

Only the default chains in each table (see man 8 iptables for which that are in each table) will have packet/byte counters saved.

All other chains in are always saved with [0:0] values.

You may want to add the iptables-save -c flag to include packet/traffic counters for all rules to see how packets traverse your chains and rules. That should also give an indication to where their fate is decided.

Because AFAIK the usual behaviour with a -j target is that when the rules in the target chain have been processed and didn't result in a dispositive match , then processing returns to the original chain and the next rule(s) there will be processed. So I suspect that when a custom target is empty that is also what happens, processing will immediately continue with the next rule in the chain.

0 + 0

Score:0

Server

AlexD

5/7/23, 9:09 AM

:KUBE-SERVICES - [0:0] line defines the chain KUBE-SERVICES in the filter table. It has no rules and is empty but it is still defined.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: What happens when there's no custom chain to jump in a table in iptables?

TH: จะเกิดอะไรขึ้นเมื่อไม่มีเชนที่กำหนดเองเพื่อกระโดดในตารางใน iptables

RO: Ce se întâmplă când nu există un lanț personalizat pentru a sări într-un tabel în iptables?

RU: Что происходит, когда в iptables нет пользовательской цепочки для перехода к таблице?

VI: Điều gì xảy ra khi không có chuỗi tùy chỉnh để nhảy vào một bảng trong iptables?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.