Commit 3b084e99 authored by Pablo Neira Ayuso

netfilter: nf_tables: fix trace of matching non-terminal rule

Add the corresponding trace if we have a full match in a non-terminal
rule. Note that the traces will look slightly different than in
x_tables since the log message is emitted after all expressions have been
evaluated (contrary to x_tables, that emits it before the target
action). This manifests in two differences in nf_tables wrt. x_tables:

1) The rule that enables the tracing is included in the trace.

2) If the rule emits some log message, that is shown before the
   trace log message.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 7e9bc10d
...@@ -144,8 +144,10 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops) ...@@ -144,8 +144,10 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
switch (data[NFT_REG_VERDICT].verdict) { switch (data[NFT_REG_VERDICT].verdict) {
case NFT_BREAK: case NFT_BREAK:
data[NFT_REG_VERDICT].verdict = NFT_CONTINUE; data[NFT_REG_VERDICT].verdict = NFT_CONTINUE;
/* fall through */ continue;
case NFT_CONTINUE: case NFT_CONTINUE:
if (unlikely(pkt->skb->nf_trace))
nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE);
continue; continue;
} }
break; break;
......
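Review bot: In the NFT_BREAK case, the new "continue;" that replaces "/* fall through */" is the only thing keeping a rule that broke out of expression evaluation away from the nft_trace_packet() call under NFT_CONTINUE, and nothing in the code says so. A one-line comment there, stating that NFT_BREAK means the rule did not fully match and is deliberately not traced, would keep a later cleanup from re-merging the two cases and logging NFT_TRACE_RULE for rules that did not match. The ordering difference from x_tables described in the commit message (the trace is emitted after all expressions have run, so after any log output of the rule itself and including the rule that enabled tracing) is also worth a short comment next to the NFT_CONTINUE trace call, since anyone reading trace output during rule debugging or incident analysis needs to know it.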