From 4243bd97f3c703a75e795fdc6dd2273a7c74e85c Mon Sep 17 00:00:00 2001

From: Phil Sutter <phil@nwl.cc>

Date: Fri, 11 Feb 2022 17:47:22 +0100

Subject: [PATCH] Improve error messages for unsupported extensions

If a given extension was not supported by the kernel, iptables would

print a rather confusing error message if extension parameters were

given:

| # rm /lib/modules/$(uname -r)/kernel/net/netfilter/xt_LOG.ko

| # iptables -A FORWARD -j LOG --log-prefix foo

| iptables v1.8.7 (legacy): unknown option "--log-prefix"

Avoid this by pretending extension revision 0 is always supported. It is

the same hack as used to successfully print extension help texts as

unprivileged user, extended to all error codes to serve privileged ones

as well.

In addition, print a warning if kernel rejected revision 0 and it's not

a permissions problem. This helps users find out which extension in a

rule the kernel didn't like.

Finally, the above commands result in these messages:

| Warning: Extension LOG revision 0 not supported, missing kernel module?

| iptables: No chain/target/match by that name.

Or, for iptables-nft:

| Warning: Extension LOG revision 0 not supported, missing kernel module?

| iptables v1.8.7 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain FORWARD

Signed-off-by: Phil Sutter <phil@nwl.cc>

(cherry picked from commit 17534cb18ed0a5052dc45c117401251359dba6aa)

---

 iptables/nft.c       | 12 +++++++++---

 libxtables/xtables.c |  7 ++++++-

 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c

index c5cc6f83bf573..9643abf2d0085 100644

--- a/iptables/nft.c

+++ b/iptables/nft.c

@@ -3110,10 +3110,16 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)

 err:

 	mnl_socket_close(nl);

-	/* pretend revision 0 is valid if not permitted to check -

-	 * this is required for printing extension help texts as user */

-	if (ret < 0 && errno == EPERM && rev == 0)

+	/* pretend revision 0 is valid -

+	 * this is required for printing extension help texts as user, also

+	 * helps error messaging on unavailable kernel extension */

+	if (ret < 0 && rev == 0) {

+		if (errno != EPERM)

+			fprintf(stderr,

+				"Warning: Extension %s revision 0 not supported, missing kernel module?\n",

+				name);

 		return 1;

+	}

 	return ret < 0 ? 0 : 1;

 }

diff --git a/libxtables/xtables.c b/libxtables/xtables.c

index 57ad0330a454c..a5c8d7e2c17ef 100644

--- a/libxtables/xtables.c

+++ b/libxtables/xtables.c

@@ -968,7 +968,12 @@ int xtables_compatible_revision(const char *name, uint8_t revision, int opt)

 		/* Definitely don't support this? */

 		if (errno == ENOENT || errno == EPROTONOSUPPORT) {

 			close(sockfd);

-			return 0;

+			/* Pretend revision 0 support for better error messaging */

+			if (revision == 0)

+				fprintf(stderr,

+					"Warning: Extension %s revision 0 not supported, missing kernel module?\n",

+					name);

+			return (revision == 0);

 		} else if (errno == ENOPROTOOPT) {

 			close(sockfd);

 			/* Assume only revision 0 support (old kernel) */

-- 

2.34.1