Mailing List Archive: iptables: Devel

[PATCH RFT] Improve iptables error reporting

Index | Next | Previous | View Threaded

gandalf at wlug

Aug 11, 2007, 4:21 PM

Post #1 of 3 (5444 views)
Permalink

[PATCH RFT] Improve iptables error reporting

Hi

Here's a small patch that reworks the iptables/ip6tables error reporting a
bit. The purpose of this patch is to try to provide more resonable error
messages.

Currently a lot of functions in libiptc sets a pointer called iptc_fn to
point to the current function, and then they set errno to an error
code.

This has at least one major shortcoming:

int some_other_function(void) {
iptc_fn = some_other_function;
...

return 1;
}

void some_function(void) {
iptc_fn = some_function;
if (some_other_function())
errno = ENOENT;
}

Now we have iptc_fn == some_other_function but errno was meant for
some_function, a mismatch has occured, which will cause the wrong error
message to be printed.

What this patch does is to add TC_ERROR (iptc_error/ip6tc_error) which
sets both iptc_errfn and iptc_errno at the same time, and it's only called
when an error is detected. Thus we don't have any mismatches anymore.

Example of error messages:
loop:
old:
# iptables -I INPUT -j tuut
iptables: Too many levels of symbolic links
new:
# iptables -I INPUT -j tuut
iptables: Loop found in table

chain not found:
old:
# iptables -I foo -j ACCEPT
iptables: No chain/target/match by that name
new:
# iptables -I foo -j ACCEPT
iptables: No chain by that name

jump to predefined chain:
old:
# iptables -I tuut -j INPUT
iptables: Invalid argument
new:
# iptables -I tuut -j INPUT
iptables: Can't jump to a built-in target

removal of not empty chain:
old:
# iptables -X tuut
iptables: Directory not empty
new:
# iptables -X tuut
iptables: Chain is not empty

removal of chain with references:
old:
# iptables -X tuut
iptables: Too many links
new:
# iptables -X tuut
iptables: Can't delete chain with references left

Unknown errors will now be displayed like:
(this is made up)

"Unknown error, iptc_commit: 30 (foo not in phase with the moon)"

function, error code and strerror() (might give a clue).
(line number can be added if needed)

And if something signals an error (return value) but doesn't call
iptc_error()/ip6tc_error() it looks like this:

"Something forgot to set the error reason"

Please test and report success or failure. I'm likely to have missed
some/many errors.

/Martin

Attachments:

iptables-errorreport.patch (32.9 KB)

gandalf at wlug

Sep 11, 2007, 1:42 AM

Post #2 of 3 (5131 views)
Permalink

Re: [PATCH RFT] Improve iptables error reporting [In reply to]

On Sun, 12 Aug 2007, Martin Josefsson wrote:

> Here's a small patch that reworks the iptables/ip6tables error reporting a
> bit. The purpose of this patch is to try to provide more resonable error
> messages.

[snip]

> Please test and report success or failure. I'm likely to have missed
> some/many errors.

No takers on this?
Maybe we should merge it to make people test it? :)

I've attached an updated patch (diffed against 070910 snapshot)

/Martin

Attachments:

iptables-errorreport.patch-20070910 (32.0 KB)

kaber at trash

Sep 19, 2007, 5:56 AM

Post #3 of 3 (5138 views)
Permalink

Re: [PATCH RFT] Improve iptables error reporting [In reply to]

Martin Josefsson wrote:
> On Sun, 12 Aug 2007, Martin Josefsson wrote:
>
>> Here's a small patch that reworks the iptables/ip6tables error
>> reporting a bit. The purpose of this patch is to try to provide more
>> resonable error messages.
>
>
> [snip]
>
>> Please test and report success or failure. I'm likely to have missed
>> some/many errors.
>
>
> No takers on this?

I'm testing it locally. So far nicer error messages, no problems.

> Maybe we should merge it to make people test it? :)

I think thats a good idea, we need a few -rcs for the next release
anyway.

BTW, Pablo, any plans for the rc-release?

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads