19a0061b6Sopenharmony_ciFrom 17534cb18ed0a5052dc45c117401251359dba6aa Mon Sep 17 00:00:00 2001
29a0061b6Sopenharmony_ciFrom: Phil Sutter <phil@nwl.cc>
39a0061b6Sopenharmony_ciDate: Fri, 11 Feb 2022 17:47:22 +0100
49a0061b6Sopenharmony_ciSubject: Improve error messages for unsupported extensions
59a0061b6Sopenharmony_ci
69a0061b6Sopenharmony_ciIf a given extension was not supported by the kernel, iptables would
79a0061b6Sopenharmony_ciprint a rather confusing error message if extension parameters were
89a0061b6Sopenharmony_cigiven:
99a0061b6Sopenharmony_ci
109a0061b6Sopenharmony_ci| # rm /lib/modules/$(uname -r)/kernel/net/netfilter/xt_LOG.ko
119a0061b6Sopenharmony_ci| # iptables -A FORWARD -j LOG --log-prefix foo
129a0061b6Sopenharmony_ci| iptables v1.8.7 (legacy): unknown option "--log-prefix"
139a0061b6Sopenharmony_ci
149a0061b6Sopenharmony_ciAvoid this by pretending extension revision 0 is always supported. It is
159a0061b6Sopenharmony_cithe same hack as used to successfully print extension help texts as
169a0061b6Sopenharmony_ciunprivileged user, extended to all error codes to serve privileged ones
179a0061b6Sopenharmony_cias well.
189a0061b6Sopenharmony_ci
199a0061b6Sopenharmony_ciIn addition, print a warning if kernel rejected revision 0 and it's not
209a0061b6Sopenharmony_cia permissions problem. This helps users find out which extension in a
219a0061b6Sopenharmony_cirule the kernel didn't like.
229a0061b6Sopenharmony_ci
239a0061b6Sopenharmony_ciFinally, the above commands result in these messages:
249a0061b6Sopenharmony_ci
259a0061b6Sopenharmony_ci| Warning: Extension LOG revision 0 not supported, missing kernel
269a0061b6Sopenharmony_cimodule?
279a0061b6Sopenharmony_ci| iptables: No chain/target/match by that name.
289a0061b6Sopenharmony_ci
299a0061b6Sopenharmony_ciOr, for iptables-nft:
309a0061b6Sopenharmony_ci
319a0061b6Sopenharmony_ci| Warning: Extension LOG revision 0 not supported, missing kernel
329a0061b6Sopenharmony_cimodule?
339a0061b6Sopenharmony_ci| iptables v1.8.7 (nf_tables):  RULE_APPEND failed (No such file or
349a0061b6Sopenharmony_cidirectory): rule in chain FORWARD
359a0061b6Sopenharmony_ci
369a0061b6Sopenharmony_ciConflict: NA
379a0061b6Sopenharmony_ciReference:
389a0061b6Sopenharmony_cihttps://git.netfilter.org/iptables/commit/?id=17534cb18ed0a5052dc45c117401251359dba6aa
399a0061b6Sopenharmony_ciSigned-off-by: Phil Sutter <phil@nwl.cc>
409a0061b6Sopenharmony_ci---
419a0061b6Sopenharmony_ci iptables/nft.c       | 13 +++++++++----
429a0061b6Sopenharmony_ci libxtables/xtables.c |  7 ++++++-
439a0061b6Sopenharmony_ci 2 files changed, 15 insertions(+), 5 deletions(-)
449a0061b6Sopenharmony_ci
459a0061b6Sopenharmony_cidiff --git a/iptables/nft.c b/iptables/nft.c
469a0061b6Sopenharmony_ciindex c9a4940..18bf21c 100644
479a0061b6Sopenharmony_ci--- a/iptables/nft.c
489a0061b6Sopenharmony_ci+++ b/iptables/nft.c
499a0061b6Sopenharmony_ci@@ -3245,11 +3245,16 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
509a0061b6Sopenharmony_ci err:
519a0061b6Sopenharmony_ci 	mnl_socket_close(nl);
529a0061b6Sopenharmony_ci 
539a0061b6Sopenharmony_ci-    /* pretend revision 0 is valid if not permitted to check -
549a0061b6Sopenharmony_ci-    * this is required for printing extension help texts as user */
559a0061b6Sopenharmony_ci-    if (ret < 0 && errno == EPERM && rev == 0)
569a0061b6Sopenharmony_ci+   /* pretend revision 0 is valid -
579a0061b6Sopenharmony_ci+    * this is required for printing extension help texts as user, also
589a0061b6Sopenharmony_ci+    * helps error messaging on unavailable kernel extension */
599a0061b6Sopenharmony_ci+    if (ret < 0 && rev == 0) {
609a0061b6Sopenharmony_ci+        if (errno != EPERM)
619a0061b6Sopenharmony_ci+            fprintf(stderr,
629a0061b6Sopenharmony_ci+                "Warning: Extension %s revision 0 not supported, missing kernel module?\n",
639a0061b6Sopenharmony_ci+                name);
649a0061b6Sopenharmony_ci         return 1;
659a0061b6Sopenharmony_ci-
669a0061b6Sopenharmony_ci+    }
679a0061b6Sopenharmony_ci 	return ret < 0 ? 0 : 1;
689a0061b6Sopenharmony_ci }
699a0061b6Sopenharmony_ci 
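Review bot: The new `errno != EPERM` test on the line after `if (ret < 0 && rev == 0) {` reads errno after `mnl_socket_close(nl)` has already run, so a failing close() (or anything it calls) can replace the errno of the probe that actually failed and turn a permissions failure into a spurious "missing kernel module?" warning, or vice versa. The pre-existing EPERM check had the same exposure, but the change now branches on two errno values, so it is worth capturing the value first, e.g. `err:` / `saved_errno = errno;` / `mnl_socket_close(nl);` with a `saved_errno` declared at the top of the function and used in the `if`. The function body and its declarations start outside the hunk, so the declaration placement cannot be verified here. Separately, the added lines are indented with spaces while the surrounding lines (`mnl_socket_close`, the final `return`) use tabs; matching the file's tab indentation would keep the block consistent.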
709a0061b6Sopenharmony_cidiff --git a/libxtables/xtables.c b/libxtables/xtables.c
719a0061b6Sopenharmony_ciindex bc42ba8..1f585e5 100644
729a0061b6Sopenharmony_ci--- a/libxtables/xtables.c
739a0061b6Sopenharmony_ci+++ b/libxtables/xtables.c
749a0061b6Sopenharmony_ci@@ -923,7 +923,12 @@ int xtables_compatible_revision(const char *name, uint8_t revision, int opt)
759a0061b6Sopenharmony_ci 		/* Definitely don't support this? */
769a0061b6Sopenharmony_ci 		if (errno == ENOENT || errno == EPROTONOSUPPORT) {
779a0061b6Sopenharmony_ci 			close(sockfd);
789a0061b6Sopenharmony_ci-			return 0;
799a0061b6Sopenharmony_ci+               /* Pretend revision 0 support for better error messaging */
809a0061b6Sopenharmony_ci+               if (revision == 0)
819a0061b6Sopenharmony_ci+                   fprintf(stderr,
829a0061b6Sopenharmony_ci+                       "Warning: Extension %s revision 0 not supported, missing kernel module?\n",
839a0061b6Sopenharmony_ci+                       name);
849a0061b6Sopenharmony_ci+               return (revision == 0);
859a0061b6Sopenharmony_ci 		} else if (errno == ENOPROTOOPT) {
869a0061b6Sopenharmony_ci 			close(sockfd);
879a0061b6Sopenharmony_ci 			/* Assume only revision 0 support (old kernel) */
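Review bot: The added `/* Pretend revision 0 support for better error messaging */` comment does not record the contract change it introduces: after this hunk a caller of xtables_compatible_revision() can no longer distinguish "revision 0 is supported" from "the kernel has no such extension at all" when errno was ENOENT or EPROTONOSUPPORT, and the real failure only surfaces later when the rule is submitted, as the commit message describes. I would extend the comment to something like `/* Pretend revision 0 support so option parsing can proceed and the kernel's own rejection surfaces at rule insertion; the warning above is the only hint that the extension is missing. */`, and mention the same caveat in the function's header comment, which lies outside this hunk. The `/* Definitely don't support this? */` comment two lines above the change is now misleading for revision 0 and should be adjusted in the same way. As in the iptables/nft.c hunk, the new lines are space-indented inside a tab-indented block, and the warning text is duplicated verbatim between the two files; a shared helper or constant would keep the two messages from drifting apart.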
889a0061b6Sopenharmony_ci-- 
899a0061b6Sopenharmony_ci2.23.0
909a0061b6Sopenharmony_ci