Acho que você encontrará sua resposta no comentário principal de libip4tc.c
:
/* Library which manipulates firewall rules. Version 0.1. */
/* Architecture of firewall rules is as follows:
*
* Chains go INPUT, FORWARD, OUTPUT then user chains.
* Each user chain starts with an ERROR node.
* Every chain ends with an unconditional jump: a RETURN for user chains,
* and a POLICY for built-ins.
*/