xtables: display legacy/nf_tables flavor in error messages, too

Also, in nf_tables backend case, only show more than one error
if we're iptables-restore, else we get very long concatenated errorline.

old:
iptables v1.6.2: can't initialize iptables table `security': Table does not exist (do you need to insmod?)
iptables v1.6.2: iptables: CHAIN_ADD failed (Device or resource busy): chain PREROUTINGCHAIN_ADD failed (Device or resource busy): chain INPUTCHAIN_ADD failed (Device or resource busy): chain POSTROUTINGCHAIN_ADD failed (Device or resource busy): chain OUTPUT
iptables-restore v1.6.2: iptables-restore:
line 1: CHAIN_ADD failed (Device or resource busy): chain PREROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain INPUT
line 1: CHAIN_ADD failed (Device or resource busy): chain POSTROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain OUTPUT
line 6: RULE_INSERT failed (No such file or directory): rule in chain PREROUTING

now:

iptables v1.6.2 (legacy): can't initialize iptables table `security': Table does not exist (do you need to insmod?)
iptables v1.6.2 (nf_tables):  CHAIN_ADD failed (Device or resource busy): chain PREROUTING
iptables-restore v1.6.2 (nf_tables):
line 1: CHAIN_ADD failed (Device or resource busy): chain PREROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain INPUT
line 1: CHAIN_ADD failed (Device or resource busy): chain POSTROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain OUTPUT
line 6: RULE_INSERT failed (No such file or directory): rule in chain PREROUTING

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 12f82c7f831a4b9c78f80ad6b06b3596cf666aa0..2cb115f5e0367a01c529555a4a9a6484d679cfe1 100644 (file)
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -283,7 +283,7 @@ ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...)
        va_list args;
 
        va_start(args, msg);
-       fprintf(stderr, "%s v%s: ", prog_name, prog_vers);
+       fprintf(stderr, "%s v%s (legacy): ", prog_name, prog_vers);
        vfprintf(stderr, msg, args);
        va_end(args);
        fprintf(stderr, "\n");

diff --git a/iptables/iptables.c b/iptables/iptables.c
index fe9fd15b93df024ad5d0d7a27c0d0c073e400b5c..08ea7afa0416f3332e11a187ad484ea4f251ef13 100644 (file)
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -276,7 +276,7 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
        va_list args;
 
        va_start(args, msg);
-       fprintf(stderr, "%s v%s: ", prog_name, prog_vers);
+       fprintf(stderr, "%s v%s (legacy): ", prog_name, prog_vers);
        vfprintf(stderr, msg, args);
        va_end(args);
        fprintf(stderr, "\n");

diff --git a/iptables/nft.c b/iptables/nft.c
index b7ee83522fb0abf954dbd9b1fab2730b159c4c3d..3cacf5feb317fa39a8648ca2b145681a33d22b24 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -300,7 +300,7 @@ static int mnl_append_error(const struct nft_handle *h,
                snprintf(errmsg, sizeof(errmsg), "\nline %u: %s failed (%s)",
                         o->error.lineno, type_name[o->type], strerror(err->err));
        else
-               snprintf(errmsg, sizeof(errmsg), "%s failed (%s)",
+               snprintf(errmsg, sizeof(errmsg), " %s failed (%s)",
                         type_name[o->type], strerror(err->err));
 
        switch (o->type) {
@@ -2484,6 +2484,7 @@ static int nft_action(struct nft_handle *h, int action)
        struct obj_update *n, *tmp;
        struct mnl_err *err, *ne;
        unsigned int buflen, i, len;
+       bool show_errors = true;
        char errmsg[1024];
        uint32_t seq = 1;
        int ret = 0;
@@ -2572,20 +2573,15 @@ static int nft_action(struct nft_handle *h, int action)
 
        i = 0;
        buflen = sizeof(errmsg);
-       if (!list_empty(&h->err_list)) {
-               len = snprintf(errmsg, buflen + i, "%s: ", xt_params->program_name);
-               if (len > 0) {
-                       i += len;
-                       buflen -= len;
-               }
-       }
 
        list_for_each_entry_safe(n, tmp, &h->obj_list, head) {
                list_for_each_entry_safe(err, ne, &h->err_list, head) {
                        if (err->seqnum > n->seq)
                                break;
 
-                       if (err->seqnum == n->seq) {
+                       if (err->seqnum == n->seq && show_errors) {
+                               if (n->error.lineno == 0)
+                                       show_errors = false;
                                len = mnl_append_error(h, n, err, errmsg + i, buflen);
                                if (len > 0 && len <= buflen) {
                                        buflen -= len;

diff --git a/iptables/xtables.c b/iptables/xtables.c
index 53f94b6f9d804f98c35e622a6a053581078612cf..2a4e0ec69e60b5a1ec3973bad08e362706103ed0 100644 (file)
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -260,7 +260,7 @@ xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
        va_list args;
 
        va_start(args, msg);
-       fprintf(stderr, "%s v%s: ", prog_name, prog_vers);
+       fprintf(stderr, "%s v%s (nf_tables): ", prog_name, prog_vers);
        vfprintf(stderr, msg, args);
        va_end(args);
        fprintf(stderr, "\n");