1From 8468fd4f7c85c21ab375402bc80d0188412b6cbf Mon Sep 17 00:00:00 2001
2From: Phil Sutter <phil@nwl.cc>
3Date: Wed, 4 May 2022 11:19:16 +0200
4Subject: nft: Fix EPERM handling for extensions without rev 0
5
6Treating revision 0 as compatible in the EPERM case works fine as long as
7there is a revision 0 of that extension defined in the DSO. Fix the code for
8the others: extend the EPERM handling to all revisions and keep the existing
9warning for revision 0.
10
11Conflict: NA
12Reference:
13https://git.netfilter.org/iptables/commit/?id=8468fd4f7c85c21ab375402bc80d0188412b6cbf
14Fixes: 17534cb18ed0a ("Improve error messages for unsupported
15extensions")
16Signed-off-by: Phil Sutter <phil@nwl.cc>
17---
18 iptables/nft.c                                        | 11 +++++++----
19 .../shell/testcases/iptables/0008-unprivileged_0      |  7 +++++++
20 2 files changed, 14 insertions(+), 4 deletions(-)
21
22diff --git a/iptables/nft.c b/iptables/nft.c
23index 18bf21c..ebab3cc 100644
24--- a/iptables/nft.c
25+++ b/iptables/nft.c
26@@ -3245,15 +3245,18 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
27 err:
28 	mnl_socket_close(nl);
29
30-   /* pretend revision 0 is valid -
31+    /* ignore EPERM and errors for revision 0 -
32     * this is required for printing extension help texts as user, also
33     * helps error messaging on unavailable kernel extension */
34-    if (ret < 0 && rev == 0) {
35-        if (errno != EPERM)
36+    if (ret < 0) {
37+        if (errno == EPERM)
38+            return 1;
39+        if (rev == 0) {
40             fprintf(stderr,
41                 "Warning: Extension %s revision 0 not supported, missing kernel module?\n",
42                 name);
43-        return 1;
44+            return 1;
45+        }
46     }
47 	return ret < 0 ? 0 : 1;
48 }
49diff --git a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
50index 0914c88..1f1d342 100644
51--- a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
52+++ b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
53@@ -34,6 +34,13 @@ let "rc+=$?"
54 grep_or_rc "DNAT target options:" <<< "$out"
55 let "rc+=$?"
56
57+# TEE has no revision 0
58+out=$(run $XT_MULTI iptables -j TEE --help)
59+let "rc+=$?"
60+grep_or_rc "TEE target options:" <<< "$out"
61+let "rc+=$?"
62+
63+
64 out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
65 let "rc+=$?"
66 grep_or_rc "tcp match options:" <<< "$out"
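Review bot: The added TEE case leaves two consecutive blank lines before the next case, whereas the visible DNAT block above is separated by a single blank line; drop one of them so the spacing in this test file stays uniform. The `# TEE has no revision 0` comment is the right idea but would be more useful if it named the code path it exercises, e.g. `# TEE has no revision 0, so --help as non-root depends on EPERM being tolerated for rev > 0`.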
67--
682.23.0
69
70