From 552c4a2f9e5706fef5f7abb27d1492a78bbb2a37 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 30 Jun 2022 18:04:39 +0200 Subject: libxtables: Fix unsupported extension warning corner case Some extensions are not supported in revision 0 by user space anymore, for those the warning in xtables_compatible_revision() does not print as no revision 0 is tried. To fix this, one has to track if none of the user space supported revisions were accepted by the kernel. Therefore add respective logic to xtables_find_{target,match}(). Note that this does not lead to duplicated warnings for unsupported extensions that have a revision 0 because xtables_compatible_revision() returns true for them to allow for extension's help output. For the record, these ip6tables extensions are affected: set/SET, socket, tos/TOS, TPROXY and SNAT. In addition to that, TEE is affected for both families. Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions") Signed-off-by: Phil Sutter
---
 libxtables/xtables.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'libxtables/xtables.c')
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index dc645162..479dbae0 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -776,6 +776,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
 struct xtables_match *ptr;
 const char *icmp6 = "icmp6";
 bool found = false;
+ bool seen = false;
 if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
 xtables_error(PARAMETER_PROBLEM,
@@ -794,6 +795,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
 if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
 ptr = *dptr;
 *dptr = (*dptr)->next;
+ seen = true;
 if (!found &&
 xtables_fully_register_pending_match(ptr, prev)) {
 found = true;
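Review bot: The new `seen` flag in xtables_find_match() has no comment, and its meaning is easy to misread: it is set before the `!found &&` registration check, so it records that some pending user-space revision matched `name`, not that the kernel was asked about it. A comment at the declaration would make the later `seen && !found` test self-explanatory, e.g. `bool seen = false; /* a pending revision matched name, whether or not the kernel accepted it */`. The same applies to the matching declaration and assignment added to xtables_find_target(). The function bodies start and end outside these hunks.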
@@ -807,6 +809,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
 dptr = &((*dptr)->next);
 }
+ if (seen && !found)
+ fprintf(stderr,
+ "Warning: Extension %s is not supported, missing kernel module?\n",
+ name);
+
 for (ptr = xtables_matches; ptr; ptr = ptr->next) {
 if (extension_cmp(name, ptr->name, ptr->family)) {
 struct xtables_match *clone;
@@ -899,6 +906,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
 struct xtables_target **dptr;
 struct xtables_target *ptr;
 bool found = false;
+ bool seen = false;
 /* Standard target? */
 if (strcmp(name, "") == 0
@@ -917,6 +925,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
 if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
 ptr = *dptr;
 *dptr = (*dptr)->next;
+ seen = true;
 if (!found &&
 xtables_fully_register_pending_target(ptr, prev)) {
 found = true;
@@ -930,6 +939,11 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
 dptr = &((*dptr)->next);
 }
+ if (seen && !found)
+ fprintf(stderr,
+ "Warning: Extension %s is not supported, missing kernel module?\n",
+ name);
+
 for (ptr = xtables_targets; ptr; ptr = ptr->next) {
 if (extension_cmp(name, ptr->name, ptr->family)) {
 struct xtables_target *clone;
--
cgit v1.2.3
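Review bot: The `if (seen && !found)` warning added to xtables_find_match() is printed without consulting the `tryload` argument the function receives, so a caller that only probes for an extension and handles the failure itself would still get a line on stderr; the identical block added to xtables_find_target() in the last hunk behaves the same way. Whether such probing callers exist is not visible here, so either gate the message, e.g. `if (seen && !found && tryload != XTF_DONT_LOAD)`, or add a comment above the block stating that the warning is deliberately unconditional. If entries that fail registration stay on the pending list (the rest of the loop is outside the hunk), the message may also repeat on every lookup of the same name, which is worth confirming for multi-rule restores. The four-line `fprintf` is duplicated verbatim in both functions; a small static helper taking `name` would keep the two messages from drifting apart.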