From 2028e54ab443cff20bd5f6cbaba9535275fbd0bc Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Fri, 29 Jun 2018 16:14:31 +0200 Subject: xtables: display legacy/nf_tables flavor in error messages, too Also, in nf_tables backend case, only show more than one error if we're iptables-restore, else we get very long concatenated errorline. old: iptables v1.6.2: can't initialize iptables table `security': Table does not exist (do you need to insmod?) iptables v1.6.2: iptables: CHAIN_ADD failed (Device or resource busy): chain PREROUTINGCHAIN_ADD failed (Device or resource busy): chain INPUTCHAIN_ADD failed (Device or resource busy): chain POSTROUTINGCHAIN_ADD failed (Device or resource busy): chain OUTPUT iptables-restore v1.6.2: iptables-restore: line 1: CHAIN_ADD failed (Device or resource busy): chain PREROUTING line 1: CHAIN_ADD failed (Device or resource busy): chain INPUT line 1: CHAIN_ADD failed (Device or resource busy): chain POSTROUTING line 1: CHAIN_ADD failed (Device or resource busy): chain OUTPUT line 6: RULE_INSERT failed (No such file or directory): rule in chain PREROUTING now: iptables v1.6.2 (legacy): can't initialize iptables table `security': Table does not exist (do you need to insmod?) iptables v1.6.2 (nf_tables): CHAIN_ADD failed (Device or resource busy): chain PREROUTING iptables-restore v1.6.2 (nf_tables): line 1: CHAIN_ADD failed (Device or resource busy): chain PREROUTING line 1: CHAIN_ADD failed (Device or resource busy): chain INPUT line 1: CHAIN_ADD failed (Device or resource busy): chain POSTROUTING line 1: CHAIN_ADD failed (Device or resource busy): chain OUTPUT line 6: RULE_INSERT failed (No such file or directory): rule in chain PREROUTING Signed-off-by: Florian Westphal --- iptables/nft.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) (limited to 'iptables/nft.c') diff --git a/iptables/nft.c b/iptables/nft.c index b7ee8352..3cacf5fe 100644 --- a/iptables/nft.c +++ b/iptables/nft.c 
@@ -300,7 +300,7 @@ static int mnl_append_error(const struct nft_handle *h, snprintf(errmsg, sizeof(errmsg), "\nline %u: %s failed (%s)", o->error.lineno, type_name[o->type], strerror(err->err)); else - snprintf(errmsg, sizeof(errmsg), "%s failed (%s)", + snprintf(errmsg, sizeof(errmsg), " %s failed (%s)", type_name[o->type], strerror(err->err)); switch (o->type) { @@ -2484,6 +2484,7 @@ static int nft_action(struct nft_handle *h, int action) struct obj_update *n, *tmp; struct mnl_err *err, *ne; unsigned int buflen, i, len; + bool show_errors = true; char errmsg[1024]; uint32_t seq = 1; int ret = 0; @@ -2572,20 +2573,15 @@ static int nft_action(struct nft_handle *h, int action) i = 0; buflen = sizeof(errmsg); - if (!list_empty(&h->err_list)) { - len = snprintf(errmsg, buflen + i, "%s: ", xt_params->program_name); - if (len > 0) { - i += len; - buflen -= len; - } - } list_for_each_entry_safe(n, tmp, &h->obj_list, head) { list_for_each_entry_safe(err, ne, &h->err_list, head) { if (err->seqnum > n->seq) break; - if (err->seqnum == n->seq) { + if (err->seqnum == n->seq && show_errors) { + if (n->error.lineno == 0) + show_errors = false; len = mnl_append_error(h, n, err, errmsg + i, buflen); if (len > 0 && len <= buflen) { buflen -= len; -- cgit v1.2.3
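Review bot: The leading space added to `" %s failed (%s)"` in the `else` branch of `mnl_append_error()` has nothing next to it saying what it separates the message from, while the line-numbered branch above uses `"\nline %u: ..."` as its separator. A one-line comment such as `/* leading space: separates the message from the text that precedes it in the final error line */` would keep a later cleanup from removing it. That wording is inferred from the sample output in the commit message and should be checked against the caller. The function body starts and ends outside the hunk.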
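Review bot: With the program-name prefix write removed from `nft_action()`, nothing visible initialises `errmsg` (declared as plain `char errmsg[1024];`) before the loop, so its contents now depend on `mnl_append_error()` having written at least once. The code that consumes `errmsg` is after the loop and outside the hunk; if it can run when nothing was appended it would read an uninitialised stack buffer, and `errmsg[0] = '\0';` next to `buflen = sizeof(errmsg);` closes that. Separately, `n->error.lineno == 0` serves as the signal for "not iptables-restore", which only the commit message explains; a comment such as `/* lineno 0: not a restore run, report only the first error */` above `show_errors = false;` would document it. The `show_errors` test also guards the whole `err->seqnum == n->seq` block, whose end is outside the hunk, so confirm that nothing other than message formatting lives inside it.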