From e69bf6691534b9afe50c87e5e99cf0fe05304b22 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 7 Oct 2022 10:04:06 +0200
Subject: rule: do not display handle for implicit chain

Implicit chains do not allow for incremental updates, do not display rule handle since kernel refuses to update an implicit chain which is already bound.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1615
Signed-off-by: Pablo Neira Ayuso
---
 src/rule.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/rule.c b/src/rule.c
index 1caee58f..d1ee6c2e 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1058,13 +1058,19 @@ static void chain_print_declaration(const struct chain *chain,
 void chain_rules_print(const struct chain *chain, struct output_ctx *octx,
 const char *indent)
 {
+ unsigned int flags = octx->flags;
 struct rule *rule;
+ if (chain->flags & CHAIN_F_BINDING)
+ octx->flags &= ~NFT_CTX_OUTPUT_HANDLE;
+
 list_for_each_entry(rule, &chain->rules, list) {
 nft_print(octx, "\t\t%s", indent ? : "");
 rule_print(rule, octx);
 nft_print(octx, "\n");
 }
+
+ octx->flags = flags;
 }
 static void chain_print(const struct chain *chain, struct output_ctx *octx)
-- 
cgit v1.2.3
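Review bot: The new `if (chain->flags & CHAIN_F_BINDING)` check in chain_rules_print() has no comment, so the reason for hiding the handle lives only in the commit message. I would add `/* kernel refuses updates to a bound implicit chain, so a handle is of no use here */` above it. The restore `octx->flags = flags;` writes back the whole saved word, so any flag change made under rule_print() during the loop would be lost. If that can happen (not visible in this hunk), restoring only the `NFT_CTX_OUTPUT_HANDLE` bit is the narrower fix. Other callers of rule_print() lie outside the hunk and may still print handles for rules in implicit chains, which is worth checking.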