rule: do not display handle for implicit chain

Implicit chains do not allow for incremental updates, do not display rule
handle since kernel refuses to update an implicit chain which is already
bound.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1615
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/rule.c b/src/rule.c
index 1caee58fb76222ce527dd2fca72a12715c83bde2..d1ee6c2ee067c322616e4cc2caae8d686956bb9d 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -1058,13 +1058,19 @@ static void chain_print_declaration(const struct chain *chain,
 void chain_rules_print(const struct chain *chain, struct output_ctx *octx,
                       const char *indent)
 {
+       unsigned int flags = octx->flags;
        struct rule *rule;
 
+       if (chain->flags & CHAIN_F_BINDING)
+               octx->flags &= ~NFT_CTX_OUTPUT_HANDLE;
+
        list_for_each_entry(rule, &chain->rules, list) {
                nft_print(octx, "\t\t%s", indent ? : "");
                rule_print(rule, octx);
                nft_print(octx, "\n");
        }
+
+       octx->flags = flags;
 }
 
 static void chain_print(const struct chain *chain, struct output_ctx *octx)