From: Phil Sutter Date: Thu, 2 Apr 2026 14:20:09 +0000 (+0200) Subject: arptables: Warn when ignoring '-p' option X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=HEAD;p=thirdparty%2Fiptables.git arptables: Warn when ignoring '-p' option Legacy arptables has been silently ignoring this flag (plus mandatory argument) since day 1. Retain compatibility to that behaviour but inform users that a part of their rule does nothing. Since arp is the only family which didn't provide a proto_parse callback, implement one for the sole purpose of printing the warning. As a side-effect, caller no longer has to check callback's existence. Signed-off-by: Phil Sutter Acked-by: Pablo Neira Ayuso
---
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 2140a88d..d1e352e5 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -452,6 +452,13 @@ out_err:
 return ret;
 }
+static void nft_arp_proto_parse_warn(struct iptables_command_state *cs,
+ struct xtables_args *args)
+{
+ fprintf(stderr,
+ "Warning: Ignoring '-p' option not supported by arptables\n");
+}
+
 static void nft_arp_post_parse(int command,
 struct iptables_command_state *cs,
 struct xtables_args *args)
@@ -831,6 +838,7 @@ struct nft_family_ops nft_family_ops_arp = {
 .save_chain = nft_arp_save_chain,
 .rule_parse = &nft_ruleparse_ops_arp,
 .cmd_parse = {
+ .proto_parse = nft_arp_proto_parse_warn,
 .post_parse = nft_arp_post_parse,
 .option_name = nft_arp_option_name,
 .option_invert = nft_arp_option_invert,
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 26e91e37..263dcc32 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1657,8 +1657,7 @@ void do_parse(int argc, char *argv[],
 cs->protocol = optarg;
 /* This needs to happen here to parse extensions */
- if (p->ops->proto_parse)
- p->ops->proto_parse(cs, args);
+ p->ops->proto_parse(cs, args);
 break;
 case 's':
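Review bot: The message printed by `nft_arp_proto_parse_warn` does not name the protocol argument being dropped, so when a ruleset is loaded from a script the user cannot tell which rule now matches more traffic than it was written to match. The xshared.c hunk shows `cs->protocol = optarg;` assigned just before the callback runs, so the value appears to be available: `"Warning: Ignoring '-p %s' option not supported by arptables\n", cs->protocol`. A short comment above the function would also help, e.g. `/* Legacy arptables accepted and ignored '-p'; keep accepting it but warn. */`, since the reason for a callback that parses nothing is otherwise recorded only in the commit message.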
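Review bot: With the NULL check removed, `p->ops->proto_parse(cs, args);` before `case 's':` calls through the pointer unconditionally, and nothing in the code records that the callback is now mandatory. The commit message states that arp was the only family without one, but that cannot be confirmed from these hunks. An ops table that leaves `.proto_parse` unset would now crash on `-p` rather than skip it. I would add a comment at the call site, e.g. `/* proto_parse is mandatory for every family; arp installs a warn-only stub */`, and the same note where the callback member is declared, which is outside this diff. do_parse's body starts and ends outside the hunk.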