author | Phil Sutter <phil@nwl.cc> | 2022-06-30 18:04:39 +0200 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2022-07-02 02:15:30 +0200 |
commit | 552c4a2f9e5706fef5f7abb27d1492a78bbb2a37 (patch) | |
tree | 7d13934ba33f0aa0b8490bdef01d69c50168e979 | |
parent | 9ea7e6aa638d0dfa14613f6f97e6dc06c857e609 (diff) |
libxtables: Fix unsupported extension warning corner case
Some extensions are not supported in revision 0 by user space anymore,
for those the warning in xtables_compatible_revision() does not print as
no revision 0 is tried.
To fix this, one has to track if none of the user space supported
revisions were accepted by the kernel. Therefore add respective logic to
xtables_find_{target,match}().
Note that this does not lead to duplicated warnings for unsupported
extensions that have a revision 0 because xtables_compatible_revision()
returns true for them to allow for extension's help output.
For the record, these ip6tables extensions are affected: set/SET,
socket, tos/TOS, TPROXY and SNAT. In addition to that, TEE is affected
for both families.
Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
-rw-r--r-- | libxtables/xtables.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/libxtables/xtables.c b/libxtables/xtables.c index dc645162..479dbae0 100644 --- a/libxtables/xtables.c +++ b/libxtables/xtables.c @@ -776,6 +776,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload, struct xtables_match *ptr; const char *icmp6 = "icmp6"; bool found = false; + bool seen = false; if (strlen(name) >= XT_EXTENSION_MAXNAMELEN) xtables_error(PARAMETER_PROBLEM, @@ -794,6 +795,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload, if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) { ptr = *dptr; *dptr = (*dptr)->next; + seen = true; if (!found && xtables_fully_register_pending_match(ptr, prev)) { found = true; @@ -807,6 +809,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload, dptr = &((*dptr)->next); } + if (seen && !found) + fprintf(stderr, + "Warning: Extension %s is not supported, missing kernel module?\n", + name); + for (ptr = xtables_matches; ptr; ptr = ptr->next) { if (extension_cmp(name, ptr->name, ptr->family)) { struct xtables_match *clone; @@ -899,6 +906,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload) struct xtables_target **dptr; struct xtables_target *ptr; bool found = false; + bool seen = false; /* Standard target? */ if (strcmp(name, "") == 0 @@ -917,6 +925,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload) if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) { ptr = *dptr; *dptr = (*dptr)->next; + seen = true; if (!found && xtables_fully_register_pending_target(ptr, prev)) { found = true; @@ -930,6 +939,11 @@ xtables_find_target(const char *name, enum xtables_tryload tryload) dptr = &((*dptr)->next); } + if (seen && !found) + fprintf(stderr, + "Warning: Extension %s is not supported, missing kernel module?\n", + name); + for (ptr = xtables_targets; ptr; ptr = ptr->next) { if (extension_cmp(name, ptr->name, ptr->family)) { struct xtables_target *clone; |
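Review bot: `seen` is declared beside `found` in the first hunk with no comment on how the two flags differ, yet the new warning depends entirely on that difference. Going by the later hunks, `seen` is set whenever a pending entry matches `name`, while `found` is set only once one of those entries registers. A declaration comment such as `bool seen = false; /* a pending extension of this name was tried */` would make that readable in place. The same applies to the declaration added to xtables_find_target in the hunk at -899; both function bodies start and end outside their hunks.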
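Review bot: The warning added at `if (seen && !found)` in the hunk at -807 is written to stderr on every call and regardless of the `tryload` value the caller passed. A caller that only probes for an extension, or a run that looks up the same name for many rules, may therefore print it repeatedly. This is an inference, because the part of the loop that decides whether a rejected entry stays on the pending list lies outside the hunk. If probing callers are meant to stay silent, the guard could read `if (seen && !found && tryload != XTF_DONT_LOAD)`, or the function could remember that the name has already been reported. The identical block in the last hunk (xtables_find_target, at -930) behaves the same way.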
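Review bot: The warning block in the last hunk (xtables_find_target, at -930) is a verbatim copy of the one added to xtables_find_match, so the two messages can drift apart on a later edit. A small file-local helper that takes `name` and does the `fprintf(stderr, ...)` would keep a single copy, with each function calling it under `if (seen && !found)`. The text also says "Extension" in both places, so an operator reading stderr cannot tell whether a match or a target was rejected. If the wording is not constrained by existing test expectations, passing the kind to the helper would settle that.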