From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 8 Apr 2026 11:05:18 +0000 (+0200)
Subject: main: consolidate EPERM to non-root users
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=HEAD;p=thirdparty%2Fnftables.git

main: consolidate EPERM to non-root users

Move the check added by 3cfb9e4b3e40 ("src: report EPERM for non-root users")
to the main function.

EPERM is also possible when removing a ruleset that is owned by a
process, tone it down to suggest that root is maybe needed.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/src/libnftables.c b/src/libnftables.c
index 66b03a11..bc42c32d 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -630,13 +630,8 @@ int nft_run_cmd_from_buffer(struct nft_ctx *nft, const char *buf)
 	parser_rc = rc;
 
 	rc = nft_evaluate(nft, &msgs, &cmds);
-	if (rc < 0) {
-		if (errno == EPERM) {
-			fprintf(stderr, "%s (you must be root)\n",
-				strerror(errno));
-		}
+	if (rc < 0)
 		goto err;
-	}
 
 	if (parser_rc) {
 		rc = parser_rc;
diff --git a/src/main.c b/src/main.c
index 29b0533d..4cb51ff7 100644
--- a/src/main.c
+++ b/src/main.c
@@ -548,6 +548,8 @@ int main(int argc, char * const *argv)
 		goto out_fail;
 	}
 
+	if (rc && errno == EPERM)
+		 fprintf(stderr, "Error: %s (perhaps you must be root?)\n", strerror(errno));
 out:
 	nft_ctx_free(nft);
 	return rc;