
[PATCH RFT] Improve iptables error reporting
Hi

Here's a small patch that reworks the iptables/ip6tables error reporting a
bit. The purpose of this patch is to try to provide more reasonable error
messages.

Currently a lot of functions in libiptc set a pointer called iptc_fn to
point to the current function, and then they set errno to an error
code.

This has at least one major shortcoming:

#include <errno.h>

int some_other_function(void) {
    iptc_fn = some_other_function;   /* overwrites the pointer the caller just set */
    ...

    return 1;
}

void some_function(void) {
    iptc_fn = some_function;
    if (some_other_function())
        errno = ENOENT;   /* error belongs to some_function, but iptc_fn now points at some_other_function */
}

Now we have iptc_fn == some_other_function but errno was meant for
some_function: a mismatch has occurred, which will cause the wrong error
message to be printed.

What this patch does is to add TC_ERROR (iptc_error/ip6tc_error) which
sets both iptc_errfn and iptc_errno at the same time, and it's only called
when an error is detected. Thus we don't have any mismatches anymore.

Example of error messages:
loop:
old:
# iptables -I INPUT -j tuut
iptables: Too many levels of symbolic links
new:
# iptables -I INPUT -j tuut
iptables: Loop found in table

chain not found:
old:
# iptables -I foo -j ACCEPT
iptables: No chain/target/match by that name
new:
# iptables -I foo -j ACCEPT
iptables: No chain by that name

jump to predefined chain:
old:
# iptables -I tuut -j INPUT
iptables: Invalid argument
new:
# iptables -I tuut -j INPUT
iptables: Can't jump to a built-in target

removal of not empty chain:
old:
# iptables -X tuut
iptables: Directory not empty
new:
# iptables -X tuut
iptables: Chain is not empty

removal of chain with references:
old:
# iptables -X tuut
iptables: Too many links
new:
# iptables -X tuut
iptables: Can't delete chain with references left


Unknown errors will now be displayed like:
(this is made up)

"Unknown error, iptc_commit: 30 (foo not in phase with the moon)"

function, error code and strerror() (might give a clue).
(line number can be added if needed)

And if something signals an error (return value) but doesn't call
iptc_error()/ip6tc_error() it looks like this:

"Something forgot to set the error reason"


Please test and report success or failure. I'm likely to have missed
some/many errors.

/Martin
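Added illustration (not Martin's patch and not libiptc code): the two
bookkeeping schemes described above side by side, plus a (function, errno)
message table modelled on the before/after messages quoted in the mail. The
function names old_iptc_fn, err_fn, err_no, insert_rule and delete_chain are
stand-ins; the errno values are inferred from the old strerror() texts
(ELOOP = "Too many levels of symbolic links", EMLINK = "Too many links", and
so on). TC_ERROR here stringizes the function name instead of storing a
pointer, so the result can be looked up in the table.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/*
 * Old scheme: every function overwrites a global function pointer on entry;
 * errno is set separately, later, on failure.
 */
static int (*old_iptc_fn)(void);

static int old_helper(void)
{
	old_iptc_fn = old_helper;       /* success path still clobbers the pointer */
	return 1;
}

static int old_caller(void)
{
	old_iptc_fn = old_caller;
	if (old_helper()) {
		errno = ENOENT;         /* meant for old_caller */
		return 0;
	}
	return 1;
}

/* 1 if the recorded function matches the one that set errno, 0 on mismatch. */
int old_scheme_attribution_ok(void)
{
	old_caller();
	return old_iptc_fn == old_caller;
}

/*
 * New scheme: function and error code are recorded together, and only when
 * an error is actually detected (assumed names; the patch uses
 * iptc_errfn/iptc_errno).
 */
static const char *err_fn;      /* NULL until some function reports an error */
static int err_no;

#define TC_ERROR(fn, err) do { err_fn = #fn; err_no = (err); } while (0)

static int new_helper(void)
{
	return 1;                       /* no bookkeeping on success */
}

static int new_caller(void)
{
	if (new_helper()) {
		TC_ERROR(new_caller, ENOENT);
		return 0;
	}
	return 1;
}

int new_scheme_attribution_ok(void)
{
	err_fn = NULL;
	err_no = 0;
	new_caller();
	return err_fn != NULL && strcmp(err_fn, "new_caller") == 0 && err_no == ENOENT;
}

/* Constructed per-function message table (function names are illustrative). */
static const struct {
	const char *fn;
	int err;
	const char *msg;
} msg_table[] = {
	{ "insert_rule",  ELOOP,     "Loop found in table" },
	{ "insert_rule",  ENOENT,    "No chain by that name" },
	{ "insert_rule",  EINVAL,    "Can't jump to a built-in target" },
	{ "delete_chain", ENOTEMPTY, "Chain is not empty" },
	{ "delete_chain", EMLINK,    "Can't delete chain with references left" },
};

/* Map a recorded (function, errno) to a message, using the fallbacks the mail describes. */
const char *describe_error(const char *fn, int err)
{
	static char buf[160];
	size_t i;

	if (fn == NULL)
		return "Something forgot to set the error reason";
	for (i = 0; i < sizeof msg_table / sizeof msg_table[0]; i++)
		if (msg_table[i].err == err && strcmp(msg_table[i].fn, fn) == 0)
			return msg_table[i].msg;
	snprintf(buf, sizeof buf, "Unknown error, %s: %d (%s)", fn, err, strerror(err));
	return buf;
}

int main(void)
{
	printf("old scheme attribution correct: %d\n", old_scheme_attribution_ok());
	printf("new scheme attribution correct: %d\n", new_scheme_attribution_ok());
	printf("%s\n", describe_error("insert_rule", ELOOP));
	printf("%s\n", describe_error("delete_chain", EMLINK));
	printf("%s\n", describe_error("insert_rule", EROFS));
	printf("%s\n", describe_error(NULL, 0));
	return 0;
}
```

The first printf reports 0 (the old scheme attributes the ENOENT to
old_helper), the second reports 1, and the EROFS case falls through to the
"Unknown error, function: code (strerror)" form.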
Re: [PATCH RFT] Improve iptables error reporting
On Sun, 12 Aug 2007, Martin Josefsson wrote:

> Here's a small patch that reworks the iptables/ip6tables error reporting a
> bit. The purpose of this patch is to try to provide more reasonable error
> messages.

[snip]

> Please test and report success or failure. I'm likely to have missed
> some/many errors.

No takers on this?
Maybe we should merge it to make people test it? :)

I've attached an updated patch (diffed against 070910 snapshot)

/Martin
Re: [PATCH RFT] Improve iptables error reporting
Martin Josefsson wrote:
> On Sun, 12 Aug 2007, Martin Josefsson wrote:
>
>> Here's a small patch that reworks the iptables/ip6tables error
>> reporting a bit. The purpose of this patch is to try to provide more
>> reasonable error messages.
>
> [snip]
>
>> Please test and report success or failure. I'm likely to have missed
>> some/many errors.
>
> No takers on this?


I'm testing it locally. So far nicer error messages, no problems.

> Maybe we should merge it to make people test it? :)


I think that's a good idea, we need a few -rcs for the next release
anyway.

BTW, Pablo, any plans for the rc-release?