What happens when there's no custom chain to jump in a table in iptables?

Question

I'm looking into how iptables work in Kubernetes for packets from a pod to a service. For the outbound, it goes through OUTPUT chain first(nat then filter in my case). Part of the iptables-save result is like:

# Generated by iptables-save v1.4.21 on 
*nat
-A KUBE-SERVICES ...
# other rules in nat table

*filter
:OUTPUT ACCEPT [9:1136]
:KUBE-FIREWALL - [0:0]   # it seems there's no failures
:KUBE-SERVICES - [0:0]

-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
# no KUBE-SERVICES chain in filter table

# no rules in other tables

We can see from -A OUTPUT -m conntrack , it jumps to KUBE-SERVICES, but I can't find a KUBE-SERVICES chain in filter table. What happens when it doesn't exist?

There's a KUBE-SERVICES chain in nat table, but I guess it won't go to nat table from filter table?

score 1 · Answer 1 · answered Jan 07 '22 at 09:09

I think your question is rooted in the fact that iptables-save output does not include counters in custom chains.

Only the default chains in each table (see man 8 iptables for which that are in each table) will have packet/byte counters saved.

All other chains in are always saved with [0:0] values.

You may want to add the iptables-save -c flag to include packet/traffic counters for all rules to see how packets traverse your chains and rules. That should also give an indication to where their fate is decided.

Because AFAIK the usual behaviour with a -j target is that when the rules in the target chain have been processed and didn't result in a dispositive match , then processing returns to the original chain and the next rule(s) there will be processed. So I suspect that when a custom target is empty that is also what happens, processing will immediately continue with the next rule in the chain.

score 0 · Answer 2 · answered Jan 07 '22 at 09:09

0

:KUBE-SERVICES - [0:0] line defines the chain KUBE-SERVICES in the filter table. It has no rules and is empty but it is still defined.

answered Jan 07 '22 at 09:09

AlexD

8,179
2
28
38

What happens when there's no custom chain to jump in a table in iptables?

2 Answers2