netfilter: nf_tables: fix trace of matching non-terminal rule

Add the corresponding trace if we have a full match in a non-terminal rule.

Note that the traces will look slightly different than in x_tables since the log message after all expressions have been evaluated (contrary to x_tables, that emits it before the target action). This manifests in two differences in nf_tables wrt. x_tables:

1) The rule that enables the tracing is included in the trace.
2) If the rule emits some log message, that is shown before the trace log message.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 7e9bc10db2
commit 3b084e99a3
1 changed file with 3 additions and 1 deletion
@ -144,8 +144,10 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
|
||||||
switch (data[NFT_REG_VERDICT].verdict) {
|
switch (data[NFT_REG_VERDICT].verdict) {
|
||||||
case NFT_BREAK:
|
case NFT_BREAK:
|
||||||
data[NFT_REG_VERDICT].verdict = NFT_CONTINUE;
|
data[NFT_REG_VERDICT].verdict = NFT_CONTINUE;
|
||||||
/* fall through */
|
continue;
|
||||||
case NFT_CONTINUE:
|
case NFT_CONTINUE:
|
||||||
|
if (unlikely(pkt->skb->nf_trace))
|
||||||
|
nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
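Review bot: The NFT_BREAK arm now ends in its own `continue;` instead of falling through into NFT_CONTINUE, so a rule whose expression evaluation broke off early (no full match) is no longer traced, and only the NFT_CONTINUE arm, reached after every expression has run, calls `nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE)` under `if (unlikely(pkt->skb->nf_trace))`. That matches the commit message, but the dropped `/* fall through */` was the only hint that the two arms used to share a path; a one-line comment on the NFT_BREAK arm saying the trace is intentionally skipped there would stop a later reader from "restoring" the fall-through and reintroducing traces for non-matching rules.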