netfilter: nf_tables: fix missing return trace at the end of non-base chain
authorPablo Neira Ayuso <pablo@netfilter.org>
Sun, 11 May 2014 15:14:49 +0000 (17:14 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 12 May 2014 14:33:11 +0000 (16:33 +0200)
Display "return" for implicit rule at the end of a non-base chain,
instead of when popping chain from the stack.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_tables_core.c

index be08a96..421c36a 100644 (file)
@@ -182,18 +182,16 @@ next_rule:
        case NFT_RETURN:
                if (unlikely(pkt->skb->nf_trace))
                        nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RETURN);
-
-               /* fall through */
+               break;
        case NFT_CONTINUE:
+               if (unlikely(pkt->skb->nf_trace && !(chain->flags & NFT_BASE_CHAIN)))
+                       nft_trace_packet(pkt, chain, ++rulenum, NFT_TRACE_RETURN);
                break;
        default:
                WARN_ON(1);
        }
 
        if (stackptr > 0) {
-               if (unlikely(pkt->skb->nf_trace))
-                       nft_trace_packet(pkt, chain, ++rulenum, NFT_TRACE_RETURN);
-
                stackptr--;
                chain = jumpstack[stackptr].chain;
                rule  = jumpstack[stackptr].rule;
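Review bot: The new `NFT_CONTINUE` branch emits `NFT_TRACE_RETURN` without saying why a "continue" verdict is reported as a return, and it bumps `rulenum` as a side effect inside the call argument, so the counter only changes when `nf_trace` is set. Presumably this case is reached only when the rule loop has run off the end of the chain; a comment above the `if` would make that explicit, for example `/* End of a non-base chain: trace the implicit return as rule N+1. */`. If nothing after the switch reads the incremented value, passing `rulenum + 1` instead of `++rulenum` would keep traced and untraced runs on identical state. That needs checking against the pop path, because the function body starts before this hunk and continues after it. Trace output is what operators use to audit how a ruleset treated a packet, so the numbering convention for the implicit rule should be documented where it is produced.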