Blame SOURCES/0073-Improve-error-messages-for-unsupported-extensions.patch

From 4243bd97f3c703a75e795fdc6dd2273a7c74e85c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Feb 2022 17:47:22 +0100
Subject: [PATCH] Improve error messages for unsupported extensions
If a given extension was not supported by the kernel, iptables would
print a rather confusing error message if extension parameters were
given:
| # rm /lib/modules/$(uname -r)/kernel/net/netfilter/xt_LOG.ko
| # iptables -A FORWARD -j LOG --log-prefix foo
| iptables v1.8.7 (legacy): unknown option "--log-prefix"
Avoid this by pretending extension revision 0 is always supported. It is
the same hack as used to successfully print extension help texts as
unprivileged user, extended to all error codes to serve privileged ones
as well.
In addition, print a warning if the kernel rejected revision 0 and it's not
a permissions problem. This helps users find out which extension in a
rule the kernel didn't like.
Finally, the above commands result in these messages:
| Warning: Extension LOG revision 0 not supported, missing kernel module?
| iptables: No chain/target/match by that name.
Or, for iptables-nft:
| Warning: Extension LOG revision 0 not supported, missing kernel module?
| iptables v1.8.7 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain FORWARD
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 17534cb18ed0a5052dc45c117401251359dba6aa)
---
 iptables/nft.c       | 12 +++++++++---
 libxtables/xtables.c |  7 ++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index c5cc6f83bf573..9643abf2d0085 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3110,10 +3110,16 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
 err:
 	mnl_socket_close(nl);
 
-	/* pretend revision 0 is valid if not permitted to check -
-	 * this is required for printing extension help texts as user */
-	if (ret < 0 && errno == EPERM && rev == 0)
+	/* pretend revision 0 is valid -
+	 * this is required for printing extension help texts as user, also
+	 * helps error messaging on unavailable kernel extension */
+	if (ret < 0 && rev == 0) {
+		if (errno != EPERM)
+			fprintf(stderr,
+				"Warning: Extension %s revision 0 not supported, missing kernel module?\n",
+				name);
 		return 1;
+	}
 
 	return ret < 0 ? 0 : 1;
 }
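Review bot: both the existing EPERM test and the new warning read errno after mnl_socket_close(nl) at the err: label; close() may set errno on its own failure, so consider saving errno into a local before closing the socket (the pre-existing EPERM check had the same exposure, but this change now makes the choice between silence and the warning depend on it as well). The format string "Warning: Extension %s revision 0 not supported, missing kernel module?\n" is also duplicated verbatim in the libxtables/xtables.c hunk of this same patch; a shared helper would keep the two wordings in sync if the text is ever changed.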
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 57ad0330a454c..a5c8d7e2c17ef 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -968,7 +968,12 @@ int xtables_compatible_revision(const char *name, uint8_t revision, int opt)
 		/* Definitely don't support this? */
 		if (errno == ENOENT || errno == EPROTONOSUPPORT) {
 			close(sockfd);
-			return 0;
+			/* Pretend revision 0 support for better error messaging */
+			if (revision == 0)
+				fprintf(stderr,
+					"Warning: Extension %s revision 0 not supported, missing kernel module?\n",
+					name);
+			return (revision == 0);
 		} else if (errno == ENOPROTOOPT) {
 			close(sockfd);
 			/* Assume only revision 0 support (old kernel) */
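Review bot: the unchanged comment "/* Definitely don't support this? */" now sits above code that returns 1 for revision 0 after the kernel answered ENOENT or EPROTONOSUPPORT, which reads as a contradiction and invites a later "fix" back to return 0; reword it to say that revision 0 is deliberately reported as supported so the eventual rule-insertion failure names the extension. Since callers cannot distinguish this pretended 1 from real support, it is also worth a sentence in the function's header comment that any logic keyed on revision availability (rather than on error reporting) will proceed with revision 0 and fail later with the generic error shown in the commit message.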
-- 
2.34.1