On Thu, Jan 27, 2022 at 06:08:31PM +0100, Phil Sutter wrote: > Hi Pablo, > > On Thu, Jan 27, 2022 at 05:28:39PM +0100, Pablo Neira Ayuso wrote: > > On Thu, Jan 20, 2022 at 11:16:53AM +0100, Phil Sutter wrote: > > > Expected behaviour in both variants is: > > > > > > * Print help without error, append extension help if -m and/or -j > > > options are present > > > * Indicate lack of permissions in an error message for anything else > > > > > > With iptables-nft, this was broken basically from day 1. Shared use of > > > do_parse() then somewhat broke legacy: it started complaining about > > > inability to create a lock file. > > > > > > Fix this by making iptables-nft assume extension revision 0 is present > > > if permissions don't allow to verify. This is consistent with legacy. > > > > > > Second part is to exit directly after printing help - this avoids having > > > to make the following code "nop-aware" to prevent privileged actions. > > > > On top of this patch, it should be possible to allow for some > > nfnetlink command to be used from unpriviledged process. > > > > I'm attaching a sketch patch, it skips module autoload which is should > > not be triggered by an unpriviledged process. > > > > This should allow for better help with -m/-j if the module is present. > > That's interesting. What's the use-case? With my patch, extension help > text printing works fine as unprivileged user. Does it allow to drop the > "revision == 0 && EPERM" hack? Your patch is needed because we have to deal with older kernels. You assume revision 0 in case of EPERM. My patch provides better help if the module is present since there is no need to assume revision 0. Anyway, I think your approach is fine for the unpriviledged scenario you describe. I just wanted to write here that there is room to extend nfnetlink to support for unpriviledged requests.
