|
 |
aca4c4 |
From 3696c4af80496a0dd5a3637e4be11754e2cdc99e Mon Sep 17 00:00:00 2001
|
|
|
aca4c4 |
From: Phil Sutter <phil@nwl.cc>
|
|
|
aca4c4 |
Date: Wed, 4 May 2022 11:19:16 +0200
|
|
|
aca4c4 |
Subject: [PATCH] nft: Fix EPERM handling for extensions without rev 0
|
|
|
aca4c4 |
|
|
|
aca4c4 |
Treating revision 0 as compatible in EPERM case works fine as long as
|
|
|
aca4c4 |
there is a revision 0 of that extension defined in DSO. Fix the code for
|
|
|
aca4c4 |
others: Extend the EPERM handling to all revisions and keep the existing
|
|
|
aca4c4 |
warning for revision 0.
|
|
|
aca4c4 |
|
|
|
aca4c4 |
Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
|
|
|
aca4c4 |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
aca4c4 |
(cherry picked from commit 8468fd4f7c85c21ab375402bc80d0188412b6cbf)
|
|
|
aca4c4 |
---
|
|
|
aca4c4 |
iptables/nft.c | 11 +++++++----
|
|
|
aca4c4 |
.../shell/testcases/iptables/0008-unprivileged_0 | 6 ++++++
|
|
|
aca4c4 |
2 files changed, 13 insertions(+), 4 deletions(-)
|
|
|
aca4c4 |
|
|
|
aca4c4 |
diff --git a/iptables/nft.c b/iptables/nft.c
|
|
|
aca4c4 |
index 9643abf2d0085..9839e8c683708 100644
|
|
|
aca4c4 |
--- a/iptables/nft.c
|
|
|
aca4c4 |
+++ b/iptables/nft.c
|
|
|
aca4c4 |
@@ -3110,15 +3110,18 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
|
|
|
aca4c4 |
err:
|
|
|
aca4c4 |
mnl_socket_close(nl);
|
|
|
aca4c4 |
|
|
|
aca4c4 |
- /* pretend revision 0 is valid -
|
|
|
aca4c4 |
+ /* ignore EPERM and errors for revision 0 -
|
|
|
aca4c4 |
* this is required for printing extension help texts as user, also
|
|
|
aca4c4 |
* helps error messaging on unavailable kernel extension */
|
|
|
aca4c4 |
- if (ret < 0 && rev == 0) {
|
|
|
aca4c4 |
- if (errno != EPERM)
|
|
|
aca4c4 |
+ if (ret < 0) {
|
|
|
aca4c4 |
+ if (errno == EPERM)
|
|
|
aca4c4 |
+ return 1;
|
|
|
aca4c4 |
+ if (rev == 0) {
|
|
|
aca4c4 |
fprintf(stderr,
|
|
|
aca4c4 |
"Warning: Extension %s revision 0 not supported, missing kernel module?\n",
|
|
|
aca4c4 |
name);
|
|
|
aca4c4 |
- return 1;
|
|
|
aca4c4 |
+ return 1;
|
|
|
aca4c4 |
+ }
|
|
|
aca4c4 |
}
|
|
|
aca4c4 |
|
|
|
aca4c4 |
return ret < 0 ? 0 : 1;
|
|
|
aca4c4 |
diff --git a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
|
|
|
aca4c4 |
index 43e3bc8721dbd..983531fef4720 100755
|
|
|
aca4c4 |
--- a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
|
|
|
aca4c4 |
+++ b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
|
|
|
aca4c4 |
@@ -35,6 +35,12 @@ let "rc+=$?"
|
|
|
aca4c4 |
grep_or_rc "DNAT target options:" <<< "$out"
|
|
|
aca4c4 |
let "rc+=$?"
|
|
|
aca4c4 |
|
|
|
aca4c4 |
+# TEE has no revision 0
|
|
|
aca4c4 |
+out=$(run $XT_MULTI iptables -j TEE --help)
|
|
|
aca4c4 |
+let "rc+=$?"
|
|
|
aca4c4 |
+grep_or_rc "TEE target options:" <<< "$out"
|
|
|
aca4c4 |
+let "rc+=$?"
|
|
|
aca4c4 |
+
|
|
|
aca4c4 |
out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
|
|
|
aca4c4 |
let "rc+=$?"
|
|
|
aca4c4 |
grep_or_rc "tcp match options:" <<< "$out"
|
|
|
aca4c4 |
--
|
|
|
aca4c4 |
2.34.1
|
|
|
aca4c4 |
|