From patchwork Wed Feb 13 10:11:23 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1041132 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=nwl.cc Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43zwKT3hMLz9s5c for ; Wed, 13 Feb 2019 21:11:25 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387771AbfBMKLZ (ORCPT ); Wed, 13 Feb 2019 05:11:25 -0500 Received: from orbyte.nwl.cc ([151.80.46.58]:33316 "EHLO orbyte.nwl.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726159AbfBMKLZ (ORCPT ); Wed, 13 Feb 2019 05:11:25 -0500 Received: from localhost ([::1]:46406 helo=tatos) by orbyte.nwl.cc with esmtp (Exim 4.91) (envelope-from ) id 1gtrVj-0003R3-H9; Wed, 13 Feb 2019 11:11:23 +0100 
From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 1/5] xtables: Fix error message when zeroing a non-existent chain Date: Wed, 13 Feb 2019 11:11:23 +0100 Message-Id: <20190213101127.2195-2-phil@nwl.cc> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190213101127.2195-1-phil@nwl.cc> References: <20190213101127.2195-1-phil@nwl.cc> MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Previously, error message was a bit misleading: | # iptables-nft -Z noexist | iptables: Incompatible with this kernel. Set errno value so that the typical "No chain/target/match by that name." is printed instead. Signed-off-by: Phil Sutter --- iptables/nft.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/iptables/nft.c b/iptables/nft.c index d708fb6176b88..60b0531f4c8c8 100644 --- a/iptables/nft.c +++ b/iptables/nft.c 
@@ -3235,8 +3235,10 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain, if (chain) { c = nftnl_chain_list_lookup_byname(list, chain); - if (!c) + if (!c) { + errno = ENOENT; return 0; + } ret = __nft_chain_zero_counters(c, &d); goto err; From patchwork Wed Feb 13 10:11:24 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1041130 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=nwl.cc Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43zwKP4TMSz9s5c for ; Wed, 13 Feb 2019 21:11:21 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731283AbfBMKLU (ORCPT ); Wed, 13 Feb 2019 05:11:20 -0500 Received: from orbyte.nwl.cc ([151.80.46.58]:33310 "EHLO orbyte.nwl.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726159AbfBMKLU (ORCPT ); Wed, 13 Feb 2019 05:11:20 -0500 Received: from localhost ([::1]:46400 helo=tatos) by orbyte.nwl.cc with esmtp (Exim 4.91) (envelope-from ) id 1gtrVe-0003Qi-6f; Wed, 13 Feb 2019 11:11:18 +0100 
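Review bot: the old `return 0` in the `if (!c)` branch of nft_chain_zero_counters left errno untouched, so whatever stale value it held picked the text in the error table, which is where the misleading "Incompatible with this kernel." came from; setting `errno = ENOENT` there fixes that, but the commit message should say so explicitly rather than only "Set errno value", and should note that the return value stays 0 so callers still read errno for the message. The `cmd 1 "$ENOENT" iptables -Z bar` case in 5/5 of this series is the regression check for this hunk.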
From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 2/5] xtables: Move new chain check to where it belongs Date: Wed, 13 Feb 2019 11:11:24 +0100 Message-Id: <20190213101127.2195-3-phil@nwl.cc> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190213101127.2195-1-phil@nwl.cc> References: <20190213101127.2195-1-phil@nwl.cc> MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Instead of checking chain existence in xtables.c, do it in nft_chain_user_add() and reuse predefined error message. Signed-off-by: Phil Sutter --- iptables/nft.c | 5 +++++ iptables/xtables.c | 3 --- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index 60b0531f4c8c8..c1b8ba3aa4bcf 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1726,6 +1726,11 @@ int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0) nft_xt_builtin_init(h, table); + if (nft_chain_exists(h, table, chain)) { + errno = EEXIST; + return 0; + } + c = nftnl_chain_alloc(); if (c == NULL) return 0; diff --git a/iptables/xtables.c b/iptables/xtables.c index 1d777554076d7..44986a37aaf50 100644 --- a/iptables/xtables.c +++ b/iptables/xtables.c 
@@ -1069,9 +1069,6 @@ void do_parse(struct nft_handle *h, int argc, char *argv[], xtables_error(PARAMETER_PROBLEM, "Chain '%s' does not exist", cs->jumpto); } - if (!p->xlate && p->command == CMD_NEW_CHAIN && - nft_chain_exists(h, p->table, p->chain)) - xtables_error(OTHER_PROBLEM, "Chain already exists"); } int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, From patchwork Wed Feb 13 10:11:25 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1041137 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=nwl.cc Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43zwKv0mM3z9s5c for ; Wed, 13 Feb 2019 21:11:47 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388385AbfBMKLq (ORCPT ); Wed, 13 Feb 2019 05:11:46 -0500 Received: from orbyte.nwl.cc ([151.80.46.58]:33340 "EHLO orbyte.nwl.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731472AbfBMKLq (ORCPT ); Wed, 13 Feb 2019 05:11:46 -0500 Received: from localhost ([::1]:46430 helo=tatos) by orbyte.nwl.cc with esmtp (Exim 4.91) (envelope-from ) id 1gtrW4-0003SL-R0; Wed, 13 Feb 2019 11:11:44 +0100 
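Review bot: the `nft_chain_exists()` check moved into nft_chain_user_add runs unconditionally, whereas the check removed from do_parse was guarded by `!p->xlate`; if the translate path can reach nft_chain_user_add with an already existing chain it will now fail with EEXIST, so please confirm it cannot, or keep an equivalent guard. Placing the check after `nft_xt_builtin_init(h, table)` is the right order, since the builtin chains then exist before the lookup.

Review bot: removing the CMD_NEW_CHAIN block from do_parse replaces `xtables_error(OTHER_PROBLEM, "Chain already exists")` with the nft_strerror() row `{ nft_chain_user_add, EEXIST, "Chain already exists" }` (visible in 3/5), so the text is identical; a sentence in the commit message stating that the exit code is unchanged would help, since the `cmd 1 "$EEXIST" iptables -N foo` line in 5/5 asserts rc 1 both before and after this series.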
From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 3/5] xtables: Fix error messages in commands with rule number Date: Wed, 13 Feb 2019 11:11:25 +0100 Message-Id: <20190213101127.2195-4-phil@nwl.cc> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190213101127.2195-1-phil@nwl.cc> References: <20190213101127.2195-1-phil@nwl.cc> MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Use E2BIG if rule identified by given number is not found. ENOENT is used if referenced chain is not found. Without this, a command specifying a non-existing chain in combination with a rule number like e.g.: 'iptables-nft -I nonexist 23 -j ACCEPT' returns "Index of insertion too big." instead of "No chain/target/match by that name." like legacy iptables does. Signed-off-by: Phil Sutter --- iptables/nft.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index c1b8ba3aa4bcf..f42a1be734ba8 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -2235,7 +2235,7 @@ int nft_rule_insert(struct nft_handle *h, const char *chain, return nft_rule_append(h, chain, table, data, NULL, verbose); - errno = ENOENT; + errno = E2BIG; goto err; } } @@ -2276,7 +2276,7 @@ int nft_rule_delete_num(struct nft_handle *h, const char *chain, if (ret < 0) errno = ENOMEM; } else - errno = ENOENT; + errno = E2BIG; return ret; } @@ -2304,7 +2304,7 @@ int nft_rule_replace(struct nft_handle *h, const char *chain, ret = nft_rule_append(h, chain, table, data, r, verbose); } else - errno = ENOENT; + errno = E2BIG; return ret; } 
@@ -2985,10 +2985,10 @@ const char *nft_strerror(int err) { nft_chain_user_del, EMLINK, "Can't delete chain with references left" }, { nft_chain_user_add, EEXIST, "Chain already exists" }, - { nft_rule_insert, ENOENT, "Index of insertion too big" }, + { nft_rule_insert, E2BIG, "Index of insertion too big" }, { nft_rule_check, ENOENT, "Bad rule (does a matching rule exist in that chain?)" }, - { nft_rule_replace, ENOENT, "Index of replacement too big" }, - { nft_rule_delete_num, ENOENT, "Index of deletion too big" }, + { nft_rule_replace, E2BIG, "Index of replacement too big" }, + { nft_rule_delete_num, E2BIG, "Index of deletion too big" }, /* { TC_READ_COUNTER, E2BIG, "Index of counter too big" }, { TC_ZERO_COUNTER, E2BIG, "Index of counter too big" }, */ /* ENOENT for DELETE probably means no matching rule */ From patchwork Wed Feb 13 10:11:26 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1041135 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=nwl.cc Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43zwKh1Qx2z9s5c for ; Wed, 13 Feb 2019 21:11:36 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388128AbfBMKLf (ORCPT ); Wed, 13 Feb 2019 05:11:35 -0500 Received: from orbyte.nwl.cc ([151.80.46.58]:33328 "EHLO orbyte.nwl.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731472AbfBMKLf (ORCPT ); Wed, 13 Feb 2019 05:11:35 -0500 Received: from localhost ([::1]:46418 helo=tatos) by 
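Review bot: in the nft_rule_insert hunk `errno = E2BIG` now marks the rulenum-too-large branch, but nothing in these hunks shows where the chain-not-found case sets ENOENT, which the commit message relies on ("ENOENT is used if referenced chain is not found"); either the chain lookup failure path already sets it, in which case say so in the message, or it needs a matching change. The `cmd 1 "$ENOENT" iptables -I nonexist 23 -j ACCEPT` case in 5/5 exercises exactly this path.

Review bot: the nft_strerror table is keyed by (function, errno), so E2BIG now maps to three different messages for nft_rule_insert, nft_rule_replace and nft_rule_delete_num; that only works when each of those functions sets `nft_fn` to itself before failing (4/5 in this series fixes a stale `nft_fn` in nft_chain_user_rename for precisely this reason), so a comment above the table stating that dependency would be worthwhile. The commented-out TC_READ_COUNTER/TC_ZERO_COUNTER rows already use E2BIG, so the new values line up with the legacy naming.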
orbyte.nwl.cc with esmtp (Exim 4.91) (envelope-from ) id 1gtrVu-0003Rg-6E; Wed, 13 Feb 2019 11:11:34 +0100 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 4/5] xtables: Fix error message for chain renaming Date: Wed, 13 Feb 2019 11:11:26 +0100 Message-Id: <20190213101127.2195-5-phil@nwl.cc> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190213101127.2195-1-phil@nwl.cc> References: <20190213101127.2195-1-phil@nwl.cc> MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org If the new name already exists, legacy iptables prints "File exists.". This is a bit exotic, but more appropriate than "No chain/target/match by that name." printed by iptables-nft without this patch. Signed-off-by: Phil Sutter --- iptables/nft.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/iptables/nft.c b/iptables/nft.c index f42a1be734ba8..a297d9856001a 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1855,7 +1855,12 @@ int nft_chain_user_rename(struct nft_handle *h,const char *chain, uint64_t handle; int ret; - nft_fn = nft_chain_user_add; + nft_fn = nft_chain_user_rename; + + if (nft_chain_exists(h, table, newname)) { + errno = EEXIST; + return 0; + } /* If built-in chains don't exist for this table, create them */ if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0) 
@@ -2985,6 +2990,7 @@ const char *nft_strerror(int err) { nft_chain_user_del, EMLINK, "Can't delete chain with references left" }, { nft_chain_user_add, EEXIST, "Chain already exists" }, + { nft_chain_user_rename, EEXIST, "File exists" }, { nft_rule_insert, E2BIG, "Index of insertion too big" }, { nft_rule_check, ENOENT, "Bad rule (does a matching rule exist in that chain?)" }, { nft_rule_replace, E2BIG, "Index of replacement too big" }, From patchwork Wed Feb 13 10:11:27 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1041133 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=nwl.cc Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43zwKb0NXqz9s7T for ; Wed, 13 Feb 2019 21:11:31 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388095AbfBMKLa (ORCPT ); Wed, 13 Feb 2019 05:11:30 -0500 Received: from orbyte.nwl.cc ([151.80.46.58]:33322 "EHLO orbyte.nwl.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731472AbfBMKLa (ORCPT ); Wed, 13 Feb 2019 05:11:30 -0500 Received: from localhost ([::1]:46412 helo=tatos) by orbyte.nwl.cc with esmtp (Exim 4.91) (envelope-from ) id 1gtrVo-0003RM-Qb; Wed, 13 Feb 2019 11:11:28 +0100 
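Review bot: the `nft_chain_exists(h, table, newname)` check is placed before the "If built-in chains don't exist for this table, create them" block, while the equivalent check added to nft_chain_user_add in 2/5 sits after `nft_xt_builtin_init()`; if the builtin chains for `table` have not been created yet, the lookup may not see them and a rename onto a builtin name could slip past this check, so move it below the init for consistency with 2/5. The `nft_fn = nft_chain_user_rename` correction is the real fix in this hunk: with `nft_fn` left as nft_chain_user_add, every rename error was looked up under the add function's rows of the nft_strerror table.

Review bot: "File exists" is the same text strerror(EEXIST) yields, so this row only pins the (nft_chain_user_rename, EEXIST) pair explicitly; given that the commit message itself calls the wording exotic, a one-line comment saying the row exists to match legacy output would help the next reader. Note also that the table strings carry no trailing period while 5/5 greps for "File exists." and "Chain already exists."; since the test's grep treats `.` as a wildcard, those checks pass as long as any character follows the text.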
From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 5/5] tests: Extend return codes check by error messages Date: Wed, 13 Feb 2019 11:11:27 +0100 Message-Id: <20190213101127.2195-6-phil@nwl.cc> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190213101127.2195-1-phil@nwl.cc> References: <20190213101127.2195-1-phil@nwl.cc> MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Check that error messages match between legacy and nft code. Signed-off-by: Phil Sutter --- .../testcases/iptables/0004-return-codes_0 | 59 +++++++++++++++---- 1 file changed, 46 insertions(+), 13 deletions(-) diff --git a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 index 9d2493992bd69..15f3a3e9efb68 100755 --- a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 +++ b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 
@@ -5,44 +5,77 @@ global_rc=0 -cmd() { # (rc, cmd, [args ...]) +cmd() { # (rc, msg, cmd, [args ...]) rc_exp=$1; shift - $XT_MULTI "$@" + msg_exp="" + [ $rc_exp != 0 ] && { + msg_exp="$1"; shift + } + + msg="$($XT_MULTI "$@" 2>&1 >/dev/null)" rc=$? [ $rc -eq $rc_exp ] || { - echo "---> expected $rc_exp, got $rc for command '$@'" + echo "---> expected return code $rc_exp, got $rc for command '$@'" + global_rc=1 + } + + [ -n "$msg_exp" ] || return + grep -q "$msg_exp" <<< $msg || { + echo "---> expected error message '$msg_exp', got '$msg' for command '$@'" global_rc=1 } } +EEXIST_F="File exists." +EEXIST="Chain already exists." +ENOENT="No chain/target/match by that name." +E2BIG_I="Index of insertion too big." +E2BIG_D="Index of deletion too big." +E2BIG_R="Index of replacement too big." +EBADRULE="Bad rule (does a matching rule exist in that chain?)." +ENOTGT="Couldn't load target \`foobar':No such file or directory" +ENOMTH="Couldn't load match \`foobar':No such file or directory" +ENOTBL="can't initialize iptables table \`foobar': Table does not exist" + # test chain creation cmd 0 iptables -N foo -cmd 1 iptables -N foo +cmd 1 "$EEXIST" iptables -N foo # iptables-nft allows this - bug or feature? 
#cmd 2 iptables -N "invalid name" # test chain flushing/zeroing cmd 0 iptables -F foo cmd 0 iptables -Z foo -cmd 1 iptables -F bar -cmd 1 iptables -Z bar +cmd 1 "$ENOENT" iptables -F bar +cmd 1 "$ENOENT" iptables -Z bar # test chain rename cmd 0 iptables -E foo bar -cmd 1 iptables -E foo bar +cmd 1 "$EEXIST_F" iptables -E foo bar # test rule adding cmd 0 iptables -A INPUT -j ACCEPT -cmd 1 iptables -A noexist -j ACCEPT +cmd 1 "$ENOENT" iptables -A noexist -j ACCEPT + +# test rulenum commands +cmd 1 "$E2BIG_I" iptables -I INPUT 23 -j ACCEPT +cmd 1 "$E2BIG_D" iptables -D INPUT 23 +cmd 1 "$E2BIG_R" iptables -R INPUT 23 -j ACCEPT +cmd 1 "$ENOENT" iptables -I nonexist 23 -j ACCEPT +cmd 1 "$ENOENT" iptables -D nonexist 23 +cmd 1 "$ENOENT" iptables -R nonexist 23 -j ACCEPT # test rule checking cmd 0 iptables -C INPUT -j ACCEPT -cmd 1 iptables -C FORWARD -j ACCEPT -cmd 1 iptables -C nonexist -j ACCEPT -cmd 2 iptables -C INPUT -j foobar -cmd 2 iptables -C INPUT -m foobar -j ACCEPT -cmd 3 iptables -t foobar -C INPUT -j ACCEPT +cmd 1 "$EBADRULE" iptables -C FORWARD -j ACCEPT +cmd 1 "$BADRULE" iptables -C nonexist -j ACCEPT +cmd 2 "$ENOMTH" iptables -C INPUT -m foobar -j ACCEPT +# messages of those don't match, but iptables-nft ones are actually nicer. +#cmd 2 "$ENOTGT" iptables -C INPUT -j foobar +#cmd 3 "$ENOTBL" iptables -t foobar -C INPUT -j ACCEPT +cmd 2 "" iptables -C INPUT -j foobar +cmd 3 "" iptables -t foobar -C INPUT -j ACCEPT exit $global_rc
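Review bot: `cmd 1 "$BADRULE" iptables -C nonexist -j ACCEPT` references an undefined variable (the constant defined above is `EBADRULE`), so msg_exp expands to "" and `[ -n "$msg_exp" ] || return` silently skips the message check for that case; the neighbouring `-A noexist` case expects `$ENOENT`, so decide which message is actually intended for a missing chain and name the variable correctly. Two smaller points in cmd(): `grep -q "$msg_exp"` interprets the expected text as a regex, so the `.` in the constants is a wildcard and the escaped backticks in ENOTGT/ENOMTH are brittle (`grep -qF -- "$msg_exp"` makes them literal), and `<<< $msg` should be `<<< "$msg"` to avoid word splitting.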