I'm reading iptables' man page at https://linux.die.net/man/8/iptables, and I've got a question regarding the use of user-defined chains:
In the Targets section, it says
If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
And underneath in the Options section, it also says
Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
So my question is, what happens when a packet goes into a user-defined chain, and reaches the end without matching any of the rules? In other words, what is the default action of a user-defined chain?
The reason I'm asking is I'm wondering if it's necessary to add a catch-all rule to the end of every user-defined chain. Something like
iptables -A MY-CHAIN -j RETURN
Or is this the default behavior? Or something else?
Best Answer
If none of the rules in a user-defined chain match, the default behavior is effectively RETURN: processing will continue at the next rule in the parent chain. (from the Linux 2.4 Packet Filtering HOWTO)
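The behaviour the answer describes, worked through in an added example that is not part of the original question or answer and does not use iptables itself: a small Python model of chain traversal (a hypothetical `Ruleset` class of my own, not libiptc or any real iptables API) with a built-in INPUT chain that has a policy and a user-defined chain SSH-IN that does not. It goes a step beyond the question by comparing three tails for the user chain: no catch-all, an explicit `-j RETURN`, and a `-j DROP`. The ruleset, the packets and the trace format are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Rule:
    match: Callable[[dict], bool]   # predicate over a constructed packet dict
    target: str                     # "ACCEPT", "DROP", "RETURN" or a user-chain name


@dataclass
class Chain:
    name: str
    builtin: bool
    policy: Optional[str] = None    # only built-in chains carry a policy
    rules: list = field(default_factory=list)


class Ruleset:
    """Toy model of one iptables table (hypothetical API, not libiptc)."""

    def __init__(self):
        self.chains = {}

    def builtin_chain(self, name, policy):
        self.chains[name] = Chain(name, builtin=True, policy=policy)

    def new_chain(self, name):                       # like: iptables -N NAME
        self.chains[name] = Chain(name, builtin=False)

    def set_policy(self, name, policy):              # like: iptables -P NAME POLICY
        chain = self.chains[name]
        if not chain.builtin:
            raise ValueError(f"{name}: only built-in chains can have a policy")
        chain.policy = policy

    def append(self, name, match, target):           # like: iptables -A NAME ... -j TARGET
        self.chains[name].rules.append(Rule(match, target))

    def _walk(self, name, pkt, trace):
        """Walk one chain. Returns a terminal verdict, or None when the chain
        returns to its caller: explicit RETURN, or reaching the end of a
        user-defined chain (the implicit RETURN the answer describes)."""
        for i, rule in enumerate(self.chains[name].rules, 1):
            if not rule.match(pkt):
                continue
            trace.append(f"{name}:{i} -> {rule.target}")
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = self._walk(rule.target, pkt, trace)   # jump into a user chain
            if verdict is not None:
                return verdict
            # the user chain returned: resume with the next rule of this chain
        trace.append(f"{name}: end of chain")
        return None

    def verdict(self, builtin, pkt):
        """Run a packet through a built-in chain; returns (verdict, trace)."""
        trace = []
        verdict = self._walk(builtin, pkt, trace)
        if verdict is None:          # end of built-in chain or RETURN in it: policy decides
            verdict = self.chains[builtin].policy
            trace.append(f"{builtin}: policy {verdict}")
        return verdict, trace


def src(cidr):
    net = ip_network(cidr)
    return lambda p: ip_address(p["src"]) in net


def dport(port):
    return lambda p: p.get("dport") == port


def build_ruleset(tail=None):
    """Constructed sample ruleset. `tail` is an optional catch-all target
    appended to the user chain SSH-IN: None (no catch-all), "RETURN" or "DROP"."""
    rs = Ruleset()
    rs.builtin_chain("INPUT", policy="DROP")
    rs.new_chain("SSH-IN")
    rs.append("INPUT", dport(22), "SSH-IN")
    rs.append("INPUT", dport(80), "ACCEPT")
    rs.append("INPUT", src("203.0.113.0/24"), "ACCEPT")   # management net, any port
    rs.append("SSH-IN", src("10.0.0.0/8"), "ACCEPT")
    rs.append("SSH-IN", src("192.0.2.0/24"), "DROP")
    if tail is not None:
        rs.append("SSH-IN", lambda p: True, tail)
    return rs


if __name__ == "__main__":
    pkt = {"src": "203.0.113.5", "dport": 22}      # constructed: SSH from the management net
    for tail in (None, "RETURN", "DROP"):
        v, trace = build_ruleset(tail).verdict("INPUT", pkt)
        print(f"tail={tail!s:7} verdict={v:6} via {' / '.join(trace)}")
```

The point the trace makes: an SSH packet from 203.0.113.5 matches nothing in SSH-IN, so with no catch-all it returns to INPUT and is accepted by INPUT rule 3, exactly as it is with an explicit `-j RETURN` at the end of SSH-IN. A trailing `-j RETURN` therefore changes nothing; only a terminal catch-all such as `-j DROP` makes the user chain the final word, and the built-in chain's policy is consulted only when INPUT itself runs out of rules (or hits RETURN).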