netfilter: nf_tables: fix trace of matching non-terminal rule
Add the corresponding trace if we have a full match in a non-terminal rule.

Note that the traces will look slightly different than in x_tables since the log message is emitted after all expressions have been evaluated (contrary to x_tables, that emits it before the target action). This manifests in two differences in nf_tables wrt. x_tables:

1) The rule that enables the tracing is included in the trace.

2) If the rule emits some log message, that is shown before the trace log message.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 7e9bc10db2
commit 3b084e99a3
1 changed files with 3 additions and 1 deletions
@ -144,8 +144,10 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
switch (data[NFT_REG_VERDICT].verdict) {
case NFT_BREAK:
data[NFT_REG_VERDICT].verdict = NFT_CONTINUE;
/* fall through */
continue;
case NFT_CONTINUE:
if (unlikely(pkt->skb->nf_trace))
nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE);
continue;
}
break;
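Review bot: under `case NFT_BREAK:` the `continue;` right after the verdict is reset to NFT_CONTINUE means a rule that stops partway through its expressions never reaches the `nft_trace_packet()` call under `case NFT_CONTINUE:`, and nothing in the code says that this is deliberate. The commit message ties the trace to a full match, so the behaviour looks intended, but the `/* fall through */` comment sits directly beside that `continue;` and a later cleanup could easily merge the two cases again; a one-line comment at the `continue;` stating that NFT_BREAK is not a full match and is therefore not traced would prevent that. Separately, the ordering differences from x_tables described in the commit message (the rule that enables tracing appears in the trace, and a rule's own log message precedes the trace line) change what an operator sees when debugging a ruleset, so they should be recorded in a comment near the `nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE)` call or in the tracing documentation rather than only in the commit log.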