[PATCH xtables] xtables: display legacy/nf_tables flavor in error messages, too


 



Also, in the nf_tables backend case, show more than one error only
if we're iptables-restore; otherwise we get a very long concatenated error line.

old:
iptables v1.6.2: can't initialize iptables table `security': Table does not exist (do you need to insmod?)
iptables v1.6.2: iptables: CHAIN_ADD failed (Device or resource busy): chain PREROUTINGCHAIN_ADD failed (Device or resource busy): chain INPUTCHAIN_ADD failed (Device or resource busy): chain POSTROUTINGCHAIN_ADD failed (Device or resource busy): chain OUTPUT
iptables-restore v1.6.2: iptables-restore:
line 1: CHAIN_ADD failed (Device or resource busy): chain PREROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain INPUT
line 1: CHAIN_ADD failed (Device or resource busy): chain POSTROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain OUTPUT
line 6: RULE_INSERT failed (No such file or directory): rule in chain PREROUTING

now:

iptables v1.6.2 (legacy): can't initialize iptables table `security': Table does not exist (do you need to insmod?)
iptables v1.6.2 (nf_tables):  CHAIN_ADD failed (Device or resource busy): chain PREROUTING
iptables-restore v1.6.2 (nf_tables):
line 1: CHAIN_ADD failed (Device or resource busy): chain PREROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain INPUT
line 1: CHAIN_ADD failed (Device or resource busy): chain POSTROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain OUTPUT
line 6: RULE_INSERT failed (No such file or directory): rule in chain PREROUTING

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 iptables/ip6tables.c |  2 +-
 iptables/iptables.c  |  2 +-
 iptables/nft.c       | 14 +++++---------
 iptables/xtables.c   |  2 +-
 4 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 12f82c7f831a..2cb115f5e036 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -283,7 +283,7 @@ ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...)
 	va_list args;
 
 	va_start(args, msg);
-	fprintf(stderr, "%s v%s: ", prog_name, prog_vers);
+	fprintf(stderr, "%s v%s (legacy): ", prog_name, prog_vers);
 	vfprintf(stderr, msg, args);
 	va_end(args);
 	fprintf(stderr, "\n");
diff --git a/iptables/iptables.c b/iptables/iptables.c
index fe9fd15b93df..08ea7afa0416 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -276,7 +276,7 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
 	va_list args;
 
 	va_start(args, msg);
-	fprintf(stderr, "%s v%s: ", prog_name, prog_vers);
+	fprintf(stderr, "%s v%s (legacy): ", prog_name, prog_vers);
 	vfprintf(stderr, msg, args);
 	va_end(args);
 	fprintf(stderr, "\n");
diff --git a/iptables/nft.c b/iptables/nft.c
index b7ee83522fb0..3cacf5feb317 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -300,7 +300,7 @@ static int mnl_append_error(const struct nft_handle *h,
 		snprintf(errmsg, sizeof(errmsg), "\nline %u: %s failed (%s)",
 			 o->error.lineno, type_name[o->type], strerror(err->err));
 	else
-		snprintf(errmsg, sizeof(errmsg), "%s failed (%s)",
+		snprintf(errmsg, sizeof(errmsg), " %s failed (%s)",
 			 type_name[o->type], strerror(err->err));
 
 	switch (o->type) {
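Review bot: The leading space added to the non-restore format string (`" %s failed (%s)"`) appears to land directly after the `"%s v%s (nf_tables): "` prefix printed by xtables_exit_error, which matches the two spaces before `CHAIN_ADD` in the commit message's "now:" sample. If the space serves no other caller, keeping `"%s failed (%s)"` gives a single-space message; if it is needed elsewhere, a one-line comment saying why would help. mnl_append_error starts and ends outside this hunk, so how the buffer is finally printed is inferred rather than visible here.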
@@ -2484,6 +2484,7 @@ static int nft_action(struct nft_handle *h, int action)
 	struct obj_update *n, *tmp;
 	struct mnl_err *err, *ne;
 	unsigned int buflen, i, len;
+	bool show_errors = true;
 	char errmsg[1024];
 	uint32_t seq = 1;
 	int ret = 0;
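Review bot: `errmsg` is declared here without an initializer, and the @@ -2572 hunk of this patch removes the `snprintf` that used to write the program-name prefix into it whenever `err_list` was non-empty. After the change the buffer is written only when `mnl_append_error` is reached for a matching sequence number, so any later use of `errmsg` that is not guarded by `i` would read indeterminate bytes; the code after the loop is outside the hunks, so that needs confirming there. `char errmsg[1024] = "";` makes the no-match case well defined at no cost.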
@@ -2572,20 +2573,15 @@ static int nft_action(struct nft_handle *h, int action)
 
 	i = 0;
 	buflen = sizeof(errmsg);
-	if (!list_empty(&h->err_list)) {
-		len = snprintf(errmsg, buflen + i, "%s: ", xt_params->program_name);
-		if (len > 0) {
-			i += len;
-			buflen -= len;
-		}
-	}
 
 	list_for_each_entry_safe(n, tmp, &h->obj_list, head) {
 		list_for_each_entry_safe(err, ne, &h->err_list, head) {
 			if (err->seqnum > n->seq)
 				break;
 
-			if (err->seqnum == n->seq) {
+			if (err->seqnum == n->seq && show_errors) {
+				if (n->error.lineno == 0)
+					show_errors = false;
 				len = mnl_append_error(h, n, err, errmsg + i, buflen);
 				if (len > 0 && len <= buflen) {
 					buflen -= len;
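Review bot: `show_errors` is cleared before `mnl_append_error` runs and before its result passes the `len > 0 && len <= buflen` check, so when the first non-restore error does not fit or fails to format, nothing is recorded and every later error is skipped as well. Moving `if (n->error.lineno == 0) show_errors = false;` into the success branch, next to `buflen -= len;`, keeps the one-error limit while still letting a later error through, which matters for a firewall tool where a failed batch with no message is hard to diagnose. A short comment that `lineno == 0` appears to stand for "not iptables-restore" would also help, since the hunk does not say so. The loop and the rest of nft_action continue outside the hunk.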
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 53f94b6f9d80..2a4e0ec69e60 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -260,7 +260,7 @@ xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
 	va_list args;
 
 	va_start(args, msg);
-	fprintf(stderr, "%s v%s: ", prog_name, prog_vers);
+	fprintf(stderr, "%s v%s (nf_tables): ", prog_name, prog_vers);
 	vfprintf(stderr, msg, args);
 	va_end(args);
 	fprintf(stderr, "\n");
-- 
2.16.4
