iptables/SOURCES/0072-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch
2023-10-17 13:52:06 +00:00

66 lines
2.2 KiB
Diff

From 26dc3496694dc71c95164b6885c7422196802c6d Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 4 May 2022 11:19:16 +0200
Subject: [PATCH] nft: Fix EPERM handling for extensions without rev 0
Treating revision 0 as compatible in EPERM case works fine as long as
there is a revision 0 of that extension defined in DSO. Fix the code for
others: Extend the EPERM handling to all revisions and keep the existing
warning for revision 0.
Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 8468fd4f7c85c21ab375402bc80d0188412b6cbf)
---
iptables/nft.c | 11 +++++++----
.../shell/testcases/iptables/0008-unprivileged_0 | 6 ++++++
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 2393940d7f64a..c130369f78348 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3294,15 +3294,18 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
err:
mnl_socket_close(nl);
- /* pretend revision 0 is valid -
+ /* ignore EPERM and errors for revision 0 -
* this is required for printing extension help texts as user, also
* helps error messaging on unavailable kernel extension */
- if (ret < 0 && rev == 0) {
- if (errno != EPERM)
+ if (ret < 0) {
+ if (errno == EPERM)
+ return 1;
+ if (rev == 0) {
fprintf(stderr,
"Warning: Extension %s revision 0 not supported, missing kernel module?\n",
name);
- return 1;
+ return 1;
+ }
}
return ret < 0 ? 0 : 1;
diff --git a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
index 43e3bc8721dbd..983531fef4720 100755
--- a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
+++ b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
@@ -35,6 +35,12 @@ let "rc+=$?"
grep_or_rc "DNAT target options:" <<< "$out"
let "rc+=$?"
+# TEE has no revision 0
+out=$(run $XT_MULTI iptables -j TEE --help)
+let "rc+=$?"
+grep_or_rc "TEE target options:" <<< "$out"
+let "rc+=$?"
+
out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
let "rc+=$?"
grep_or_rc "tcp match options:" <<< "$out"
--
2.40.0