Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7e9bc10d authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: nf_tables: fix missing return trace at the end of non-base chain 



Display "return" for implicit rule at the end of a non-base chain,
instead of when popping chain from the stack.

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent f7e7e39b

net/netfilter/nf_tables_core.c

+3 −5
Original line number Diff line number Diff line
@@ -182,18 +182,16 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops) 
	case NFT_RETURN:

		if (unlikely(pkt->skb->nf_trace))

			nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RETURN);



		/* fall through */

		break;

	case NFT_CONTINUE:

		if (unlikely(pkt->skb->nf_trace && !(chain->flags & NFT_BASE_CHAIN)))

			nft_trace_packet(pkt, chain, ++rulenum, NFT_TRACE_RETURN);

		break;

	default:

		WARN_ON(1);

	}



	if (stackptr > 0) {

		if (unlikely(pkt->skb->nf_trace))

			nft_trace_packet(pkt, chain, ++rulenum, NFT_TRACE_RETURN);



		stackptr--;

		chain = jumpstack[stackptr].chain;

		rule  = jumpstack[stackptr].rule;