🚸 dont rely on return

xynat

@@ -141,16 +141,13 @@ xynat_ruleset_update_in(){
 	
 	# maybe allow host access
 	if [[ "${arg_allow_host_mode:-}" == "in_out" ]]; then
-		iptables -A "${chain_id}_IN" -j RETURN
+		iptables -A "${chain_id}_IN" -j ACCEPT
 	elif [[ "${arg_allow_host_mode:-}" == "in" ]]; then
-		iptables -A "${chain_id}_IN" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+		iptables -A "${chain_id}_IN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 	fi
 	
 	# reject all packets
 	iptables -A "${chain_id}_IN" -j REJECT --reject-with icmp-host-unreachable
-	
-	# default: return
-	iptables -A "${chain_id}_IN" -j RETURN
 }
 
 
@@ -165,21 +162,18 @@ xynat_ruleset_update_out(){
 	
 	## ADD RULES ##
 	# allow related icmp messages
-	iptables -A "${chain_id}_OUT" -p icmp -m conntrack --ctstate RELATED -j RETURN
+	iptables -A "${chain_id}_OUT" -p icmp -m conntrack --ctstate RELATED -j ACCEPT
 	
 	# enforce correct vm address
 	iptables -A "${chain_id}_OUT" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
 	
 	# maybe allow host access
 	if [[ "${arg_allow_host_mode:-}" == "in_out" || "${arg_allow_host_mode:-}" == "in" ]]; then
-		iptables -A "${chain_id}_OUT" -j RETURN
+		iptables -A "${chain_id}_OUT" -j ACCEPT
 	fi
 	
 	# reject all other packets
 	iptables -A "${chain_id}_OUT" -j REJECT --reject-with icmp-host-unreachable
-	
-	# default: return
-	iptables -A "${chain_id}_OUT" -j RETURN
 }
 
 
@@ -196,14 +190,14 @@ xynat_ruleset_update_fwi(){
 	# enforce correct vm address
 	iptables -A "${chain_id}_FWI" ! -s "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
 	
-	# ignore allowed local addresses
+	# accept allowed local addresses
 	for a in ${arg_allow[*]:-}; do
-		iptables -A "${chain_id}_FWI" -d "$a" -j RETURN
+		iptables -A "${chain_id}_FWI" -d "$a" -j ACCEPT
 	done
 	
-	# ignore allowed incomming local addresses
+	# accept allowed incomming local addresses
 	for a in ${arg_allow_in[*]:-}; do
-		iptables -A "${chain_id}_FWI" -d "$a" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+		iptables -A "${chain_id}_FWI" -d "$a" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 	done
 	
 	# reject filtered packets
@@ -211,8 +205,8 @@ xynat_ruleset_update_fwi(){
 		iptables -A "${chain_id}_FWI" -d "$a" -j REJECT --reject-with icmp-net-unreachable
 	done
 	
-	# default: return
+	# default: allow
-	iptables -A "${chain_id}_FWI" -j RETURN
+	iptables -A "${chain_id}_FWI" -j ACCEPT
 }
 
 
@@ -229,9 +223,9 @@ xynat_ruleset_update_fwo(){
 	# enforce correct vm address
 	iptables -A "${chain_id}_FWO" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
 	
-	# ignore allowed local addresses
+	# accept allowed local addresses
 	for a in ${arg_allow[*]:-} ${arg_allow_in[*]:-}; do
-		iptables -A "${chain_id}_FWO" -s "$a" -j RETURN
+		iptables -A "${chain_id}_FWO" -s "$a" -j ACCEPT
 	done
 	
 	# reject filtered packets
@@ -239,8 +233,8 @@ xynat_ruleset_update_fwo(){
 		iptables -A "${chain_id}_FWO" -s "$a" -j REJECT --reject-with icmp-net-unreachable
 	done
 	
-	# default: return
+	# default: accept
-	iptables -A "${chain_id}_FWO" -j RETURN
+	iptables -A "${chain_id}_FWO" -j ACCEPT
 }