[{"id":3674727,"web_url":"http://patchwork.ozlabs.org/comment/3674727/","msgid":"<adZEAkrcCcXEau_1@strlen.de>","list_archive_url":null,"date":"2026-04-08T12:03:24","subject":"Re: [PATCH nft 1/5] libnftables: report EPERM to non-root users with\n -f/--filename","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> Similar to 3cfb9e4b3e40 (\"src: report EPERM for non-root users\").\n> \n> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n> ---\n>  src/libnftables.c | 7 ++++++-\n>  1 file changed, 6 insertions(+), 1 deletion(-)\n> \n> diff --git a/src/libnftables.c b/src/libnftables.c\n> index 66b03a1170bb..e3218da9f48f 100644\n> --- a/src/libnftables.c\n> +++ b/src/libnftables.c\n> @@ -767,8 +767,13 @@ static int __nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename\n>  \t\tnft_optimize(nft, &cmds);\n>  \n>  \trc = nft_evaluate(nft, &msgs, &cmds);\n> -\tif (rc < 0)\n> +\tif (rc < 0) {\n> +\t\tif (errno == EPERM) {\n> +\t\t\tfprintf(stderr, \"%s (you must be root)\\n\",\n> +\t\t\t\tstrerror(errno));\n> +\t\t}\n>  \t\tgoto err;\n> +\t}\n\nHmm, should the library leave stderr alone?","headers":{"Return-Path":"\n <netfilter-devel+bounces-11731-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=104.64.211.4; helo=sin.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11731-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org [104.64.211.4])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frMH9736Lz1xy1\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 08 Apr 2026 22:06:29 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id 8594B3027544\n\tfor <incoming@patchwork.ozlabs.org>; Wed,  8 Apr 2026 12:03:31 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 7D2AF37756B;\n\tWed,  8 Apr 2026 12:03:28 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 805F13B3C12\n\tfor <netfilter-devel@vger.kernel.org>; Wed,  8 Apr 2026 12:03:26 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 65B6360560; Wed, 08 Apr 2026 14:03:24 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775649808; cv=none;\n b=YV7PgvmnPoHjDv2s7NcxGz2lFJxESdC+rZubyNYsvOqbSnhsQAnPNa5FGLTMeZdj96OtIVURtULg9GN+dCBq25Q4Kx40clERI0DM0KeHt9z1pHX0Sw7YIhvtHcPGF78bKthfgqeUYbMSfK3Kfm3tc0qyXD9F8CogcAgYnS8Igwg=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775649808; c=relaxed/simple;\n\tbh=7MBcAQywZ3WuOvRoUdZduVx/NOQ7b3i9A9gVJPziq2c=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=BgStBefOb7YcSlofNz+UylQICXfJoi42WrP1l1lek3e+ylPyRnU5CKDS+yyQVk0LoIFQEKH+pTWDCWxlQCcxddUXF6/nXJW5MHrLyNhS3wUgj032aQc/5npGbLxpiSnt14zwXb4eTjJd0m9ftnOxMtg+PWSi59mcSqUNzoIgCjQ=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Wed, 8 Apr 2026 14:03:24 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Pablo Neira Ayuso <pablo@netfilter.org>","Cc":"netfilter-devel@vger.kernel.org, phil@nwl.cc","Subject":"Re: [PATCH nft 1/5] libnftables: report EPERM to non-root users with\n -f/--filename","Message-ID":"<adZEAkrcCcXEau_1@strlen.de>","References":"<20260408115922.48676-1-pablo@netfilter.org>\n <20260408115922.48676-2-pablo@netfilter.org>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20260408115922.48676-2-pablo@netfilter.org>"}},{"id":3674798,"web_url":"http://patchwork.ozlabs.org/comment/3674798/","msgid":"<adZiMtndiQnSaLZw@chamomile>","list_archive_url":null,"date":"2026-04-08T14:12:02","subject":"Re: [PATCH nft 1/5] libnftables: report EPERM to non-root users with\n -f/--filename","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Wed, Apr 08, 2026 at 02:03:24PM +0200, Florian Westphal wrote:\n> Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> > Similar to 3cfb9e4b3e40 (\"src: report EPERM for non-root users\").\n> > \n> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n> > ---\n> >  src/libnftables.c | 7 ++++++-\n> >  1 file changed, 6 insertions(+), 1 deletion(-)\n> > \n> > diff --git a/src/libnftables.c b/src/libnftables.c\n> > index 66b03a1170bb..e3218da9f48f 100644\n> > --- a/src/libnftables.c\n> > +++ b/src/libnftables.c\n> > @@ -767,8 +767,13 @@ static int __nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename\n> >  \t\tnft_optimize(nft, &cmds);\n> >  \n> >  \trc = nft_evaluate(nft, &msgs, &cmds);\n> > -\tif (rc < 0)\n> > +\tif (rc < 0) {\n> > +\t\tif (errno == EPERM) {\n> > +\t\t\tfprintf(stderr, \"%s (you must be root)\\n\",\n> > +\t\t\t\tstrerror(errno));\n> > +\t\t}\n> >  \t\tgoto err;\n> > +\t}\n> \n> Hmm, should the library leave stderr alone?\n\nThis can be handled instead from src/main.c","headers":{"Return-Path":"\n <netfilter-devel+bounces-11735-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=o0OGah6d;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11735-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"o0OGah6d\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frQCj1rgrz1xv0\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 09 Apr 2026 00:18:41 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id D1CF63031EA8\n\tfor <incoming@patchwork.ozlabs.org>; Wed,  8 Apr 2026 14:12:14 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id CEA1F2DFA3A;\n\tWed,  8 Apr 2026 14:12:12 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 856713D3304\n\tfor <netfilter-devel@vger.kernel.org>; Wed,  8 Apr 2026 14:12:08 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 96D2E6017D;\n\tWed,  8 Apr 2026 16:12:05 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775657532; cv=none;\n b=Gfotu8UouCsWIIIt5Nigl95bgzmHchmqg2H4p1exIEd5KiBerDhVNktd+NbZe5Rjhpm9w26Ok4LtLie/soyvRD1SvdMnxS1PsOser68ctT+X/5mkyCQ+mEhTCV0+RqyWU5YO5NBpWkiSO0EmWrFto9fpKnNPGJi94PsrzuUJqUc=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775657532; c=relaxed/simple;\n\tbh=K9ieUjYbDBMqZKltftnrsH7MwPRGTVxnwtZS1MSZ+zs=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=LPp0+9KeUPuNv5fCvCEmT5ct6q30zJ+JLn0B3cA1oHTMtwMnlcrtEqb507IDP8U6i4nP0XbxQmTmU8V/udAvxtwHLPE2naJ1hVdFS/XnuVuQBf6i9NVRjnH/hwdXQ8DAvheUWJbPo0WZFmBDIBdH9NJXv2L3DFpeYdqTfdBEhZA=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=o0OGah6d; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1775657525;\n\tbh=zVpw5f2C8z8g7TLx99LrF4RNqTu3/Oo/ou2fmRS/4t8=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=o0OGah6drMOITm/3jQAEZ7HIFS8c3Vh7jHAMWjwEB1f1S97VDsAd8VQjvP3xx6l0o\n\t f2tMCN4KMFvKlZtPewNewHl2SU44oKrnqQWrW0BsKU2orUuCRtCyrIIyQGU+xmxi6s\n\t CR/T9U/mzqpyX2mz4DfE3uXjtYVlxRjqCGOiekIZ4oRAhjciosluIp0D2fPejYbOwb\n\t P0IcNucEKnwTkkg0SNgH9chQ4NBRXNOT1vq+Y4hO3VIrTxjek4//fNJAVXWneAa9hE\n\t 3OTonnTAwRqWnhxAvMcDfXtpAyWEuVl1CnvhiKYeUkglgwXrak2A4Rr5/+vGmk+5kC\n\t 2X2TIJKQauIsw==","Date":"Wed, 8 Apr 2026 16:12:02 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"netfilter-devel@vger.kernel.org, phil@nwl.cc","Subject":"Re: [PATCH nft 1/5] libnftables: report EPERM to non-root users with\n -f/--filename","Message-ID":"<adZiMtndiQnSaLZw@chamomile>","References":"<20260408115922.48676-1-pablo@netfilter.org>\n <20260408115922.48676-2-pablo@netfilter.org>\n <adZEAkrcCcXEau_1@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<adZEAkrcCcXEau_1@strlen.de>"}}]