[iptables PATCH v3 0/6] Some more code de-duplication

[iptables PATCH v3 0/6] Some more code de-duplication

[Phil Sutter]

No change in patches 1 to 3 and 6.

Patch 4 is new: Extend program_version field with variant string instead
of introducing a separate field. This made patch 5 a bit smaller, due to
less differences between basic_exit_err() and xtables_exit_error().

Phil Sutter (6):
  xshared: Share print_match_save() between legacy ip*tables
  xshared: Share a common printhelp function
  xshared: Share exit_tryhelp()
  xtables_globals: Embed variant name in .program_version
  libxtables: Extend basic_exit_err()
  iptables-*-restore: Drop pointless line reference

 iptables/ip6tables.c        | 157 ++----------------------------------
 iptables/iptables-restore.c |   2 +-
 iptables/iptables-save.c    |   2 +-
 iptables/iptables.c         | 157 ++----------------------------------
 iptables/xshared.c          | 143 ++++++++++++++++++++++++++++++++
 iptables/xshared.h          |   5 ++
 iptables/xtables-arp.c      |   4 +-
 iptables/xtables-eb.c       |  10 +--
 iptables/xtables-restore.c  |   2 +-
 iptables/xtables-save.c     |   2 +-
 iptables/xtables.c          | 135 +++----------------------------
 libxtables/xtables.c        |  12 +++
 12 files changed, 194 insertions(+), 437 deletions(-)

-- 
2.33.0

[iptables PATCH v3 1/6] xshared: Share print_match_save() between legacy ip*tables

[Phil Sutter]

The only difference between the former two copies was the type of
ip*_entry parameter. But since it is treated opaque, just hide that
detail by casting to void.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c | 31 -------------------------------
 iptables/iptables.c  | 31 -------------------------------
 iptables/xshared.c   | 30 ++++++++++++++++++++++++++++++
 iptables/xshared.h   |  2 ++
 4 files changed, 32 insertions(+), 62 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 5a64566eecd2a..0509c36c839b7 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -644,37 +644,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 	return found;
 }
 
-static int print_match_save(const struct xt_entry_match *e,
-			const struct ip6t_ip6 *ip)
-{
-	const char *name = e->u.user.name;
-	const int revision = e->u.user.revision;
-	struct xtables_match *match, *mt, *mt2;
-
-	match = xtables_find_match(name, XTF_TRY_LOAD, NULL);
-	if (match) {
-		mt = mt2 = xtables_find_match_revision(name, XTF_TRY_LOAD,
-						       match, revision);
-		if (!mt2)
-			mt2 = match;
-		printf(" -m %s", mt2->alias ? mt2->alias(e) : name);
-
-		/* some matches don't provide a save function */
-		if (mt && mt->save)
-			mt->save(ip, e);
-		else if (match->save)
-			printf(unsupported_rev);
-	} else {
-		if (e->u.match_size) {
-			fprintf(stderr,
-				"Can't find library for match `%s'\n",
-				name);
-			exit(1);
-		}
-	}
-	return 0;
-}
-
 /* We want this to be readable, so only print out necessary fields.
  * Because that's the kind of world I want to live in.
  */
diff --git a/iptables/iptables.c b/iptables/iptables.c
index ac51c612d92f2..a69d42387f062 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -642,37 +642,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 
 #define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n))
 
-static int print_match_save(const struct xt_entry_match *e,
-			const struct ipt_ip *ip)
-{
-	const char *name = e->u.user.name;
-	const int revision = e->u.user.revision;
-	struct xtables_match *match, *mt, *mt2;
-
-	match = xtables_find_match(name, XTF_TRY_LOAD, NULL);
-	if (match) {
-		mt = mt2 = xtables_find_match_revision(name, XTF_TRY_LOAD,
-						       match, revision);
-		if (!mt2)
-			mt2 = match;
-		printf(" -m %s", mt2->alias ? mt2->alias(e) : name);
-
-		/* some matches don't provide a save function */
-		if (mt && mt->save)
-			mt->save(ip, e);
-		else if (match->save)
-			printf(unsupported_rev);
-	} else {
-		if (e->u.match_size) {
-			fprintf(stderr,
-				"Can't find library for match `%s'\n",
-				name);
-			exit(1);
-		}
-	}
-	return 0;
-}
-
 /* We want this to be readable, so only print out necessary fields.
  * Because that's the kind of world I want to live in.
  */
diff --git a/iptables/xshared.c b/iptables/xshared.c
index a1ca2b0fd7e3e..94a2d08815d92 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1119,3 +1119,33 @@ void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
 		printf(" -f");
 	}
 }
+
+int print_match_save(const struct xt_entry_match *e, const void *ip)
+{
+	const char *name = e->u.user.name;
+	const int revision = e->u.user.revision;
+	struct xtables_match *match, *mt, *mt2;
+
+	match = xtables_find_match(name, XTF_TRY_LOAD, NULL);
+	if (match) {
+		mt = mt2 = xtables_find_match_revision(name, XTF_TRY_LOAD,
+						       match, revision);
+		if (!mt2)
+			mt2 = match;
+		printf(" -m %s", mt2->alias ? mt2->alias(e) : name);
+
+		/* some matches don't provide a save function */
+		if (mt && mt->save)
+			mt->save(ip, e);
+		else if (match->save)
+			printf(" [unsupported revision]");
+	} else {
+		if (e->u.match_size) {
+			fprintf(stderr,
+				"Can't find library for match `%s'\n",
+				name);
+			exit(1);
+		}
+	}
+	return 0;
+}
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 060c62ef0b5ca..1ee64d9e4010d 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -257,4 +257,6 @@ void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
 		       const char *outiface, unsigned const char *outiface_mask,
 		       uint16_t proto, int frag, uint8_t invflags);
 
+int print_match_save(const struct xt_entry_match *e, const void *ip);
+
 #endif /* IPTABLES_XSHARED_H */
-- 
2.33.0

[iptables PATCH v3 2/6] xshared: Share a common printhelp function

[Phil Sutter]

Help texts in legacy and nft variants are supposed to be identical, but
those of iptables and ip6tables largely overlapped already. By referring
to xt_params and afinfo pointers, it is relatively trivial to craft a
suitable help text on demand, so duplicated help texts can be
eliminated.

As a side-effect, this fixes ip6tables-nft help text - it was identical
to that of iptables-nft.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c |  79 +--------------------------------
 iptables/iptables.c  |  78 +-------------------------------
 iptables/xshared.c   | 103 +++++++++++++++++++++++++++++++++++++++++++
 iptables/xshared.h   |   2 +
 iptables/xtables.c   |  85 +----------------------------------
 5 files changed, 108 insertions(+), 239 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 0509c36c839b7..46f7785b8a9c5 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -114,84 +114,7 @@ exit_tryhelp(int status)
 static void
 exit_printhelp(const struct xtables_rule_match *matches)
 {
-	printf("%s v%s\n\n"
-"Usage: %s -[ACD] chain rule-specification [options]\n"
-"       %s -I chain [rulenum] rule-specification [options]\n"
-"       %s -R chain rulenum rule-specification [options]\n"
-"       %s -D chain rulenum [options]\n"
-"       %s -[LS] [chain [rulenum]] [options]\n"
-"       %s -[FZ] [chain] [options]\n"
-"       %s -[NX] chain\n"
-"       %s -E old-chain-name new-chain-name\n"
-"       %s -P chain target [options]\n"
-"       %s -h (print this help information)\n\n",
-	       prog_name, prog_vers, prog_name, prog_name,
-	       prog_name, prog_name, prog_name, prog_name,
-	       prog_name, prog_name, prog_name, prog_name);
-
-	printf(
-"Commands:\n"
-"Either long or short options are allowed.\n"
-"  --append  -A chain		Append to chain\n"
-"  --check   -C chain		Check for the existence of a rule\n"
-"  --delete  -D chain		Delete matching rule from chain\n"
-"  --delete  -D chain rulenum\n"
-"				Delete rule rulenum (1 = first) from chain\n"
-"  --insert  -I chain [rulenum]\n"
-"				Insert in chain as rulenum (default 1=first)\n"
-"  --replace -R chain rulenum\n"
-"				Replace rule rulenum (1 = first) in chain\n"
-"  --list    -L [chain [rulenum]]\n"
-"				List the rules in a chain or all chains\n"
-"  --list-rules -S [chain [rulenum]]\n"
-"				Print the rules in a chain or all chains\n"
-"  --flush   -F [chain]		Delete all rules in  chain or all chains\n"
-"  --zero    -Z [chain [rulenum]]\n"
-"				Zero counters in chain or all chains\n"
-"  --new     -N chain		Create a new user-defined chain\n"
-"  --delete-chain\n"
-"            -X [chain]		Delete a user-defined chain\n"
-"  --policy  -P chain target\n"
-"				Change policy on chain to target\n"
-"  --rename-chain\n"
-"            -E old-chain new-chain\n"
-"				Change chain name, (moving any references)\n"
-
-"Options:\n"
-"    --ipv4	-4		Error (line is ignored by ip6tables-restore)\n"
-"    --ipv6	-6		Nothing (line is ignored by iptables-restore)\n"
-"[!] --protocol	-p proto	protocol: by number or name, eg. `tcp'\n"
-"[!] --source	-s address[/mask][,...]\n"
-"				source specification\n"
-"[!] --destination -d address[/mask][,...]\n"
-"				destination specification\n"
-"[!] --in-interface -i input name[+]\n"
-"				network interface name ([+] for wildcard)\n"
-"  --jump	-j target\n"
-"				target for rule (may load target extension)\n"
-#ifdef IP6T_F_GOTO
-"  --goto	-g chain\n"
-"				jump to chain with no return\n"
-#endif
-"  --match	-m match\n"
-"				extended match (may load extension)\n"
-"  --numeric	-n		numeric output of addresses and ports\n"
-"[!] --out-interface -o output name[+]\n"
-"				network interface name ([+] for wildcard)\n"
-"  --table	-t table	table to manipulate (default: `filter')\n"
-"  --verbose	-v		verbose mode\n"
-"  --wait	-w [seconds]	maximum wait to acquire xtables lock before give up\n"
-"  --wait-interval -W [usecs]	wait time to try to acquire xtables lock\n"
-"				interval to wait for xtables lock\n"
-"				default is 1 second\n"
-"  --line-numbers		print line numbers when listing\n"
-"  --exact	-x		expand numbers (display exact values)\n"
-/*"[!] --fragment	-f		match second or further fragments only\n"*/
-"  --modprobe=<command>		try to insert modules using this command\n"
-"  --set-counters PKTS BYTES	set the counter during insert/append\n"
-"[!] --version	-V		print package version.\n");
-
-	print_extension_helps(xtables_targets, matches);
+	xtables_printhelp(matches);
 	exit(0);
 }
 
diff --git a/iptables/iptables.c b/iptables/iptables.c
index a69d42387f062..7b4503498865d 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -112,83 +112,7 @@ exit_tryhelp(int status)
 static void
 exit_printhelp(const struct xtables_rule_match *matches)
 {
-	printf("%s v%s\n\n"
-"Usage: %s -[ACD] chain rule-specification [options]\n"
-"       %s -I chain [rulenum] rule-specification [options]\n"
-"       %s -R chain rulenum rule-specification [options]\n"
-"       %s -D chain rulenum [options]\n"
-"       %s -[LS] [chain [rulenum]] [options]\n"
-"       %s -[FZ] [chain] [options]\n"
-"       %s -[NX] chain\n"
-"       %s -E old-chain-name new-chain-name\n"
-"       %s -P chain target [options]\n"
-"       %s -h (print this help information)\n\n",
-	       prog_name, prog_vers, prog_name, prog_name,
-	       prog_name, prog_name, prog_name, prog_name,
-	       prog_name, prog_name, prog_name, prog_name);
-
-	printf(
-"Commands:\n"
-"Either long or short options are allowed.\n"
-"  --append  -A chain		Append to chain\n"
-"  --check   -C chain		Check for the existence of a rule\n"
-"  --delete  -D chain		Delete matching rule from chain\n"
-"  --delete  -D chain rulenum\n"
-"				Delete rule rulenum (1 = first) from chain\n"
-"  --insert  -I chain [rulenum]\n"
-"				Insert in chain as rulenum (default 1=first)\n"
-"  --replace -R chain rulenum\n"
-"				Replace rule rulenum (1 = first) in chain\n"
-"  --list    -L [chain [rulenum]]\n"
-"				List the rules in a chain or all chains\n"
-"  --list-rules -S [chain [rulenum]]\n"
-"				Print the rules in a chain or all chains\n"
-"  --flush   -F [chain]		Delete all rules in  chain or all chains\n"
-"  --zero    -Z [chain [rulenum]]\n"
-"				Zero counters in chain or all chains\n"
-"  --new     -N chain		Create a new user-defined chain\n"
-"  --delete-chain\n"
-"            -X [chain]		Delete a user-defined chain\n"
-"  --policy  -P chain target\n"
-"				Change policy on chain to target\n"
-"  --rename-chain\n"
-"            -E old-chain new-chain\n"
-"				Change chain name, (moving any references)\n"
-
-"Options:\n"
-"    --ipv4	-4		Nothing (line is ignored by ip6tables-restore)\n"
-"    --ipv6	-6		Error (line is ignored by iptables-restore)\n"
-"[!] --protocol	-p proto	protocol: by number or name, eg. `tcp'\n"
-"[!] --source	-s address[/mask][...]\n"
-"				source specification\n"
-"[!] --destination -d address[/mask][...]\n"
-"				destination specification\n"
-"[!] --in-interface -i input name[+]\n"
-"				network interface name ([+] for wildcard)\n"
-" --jump	-j target\n"
-"				target for rule (may load target extension)\n"
-#ifdef IPT_F_GOTO
-"  --goto      -g chain\n"
-"                              jump to chain with no return\n"
-#endif
-"  --match	-m match\n"
-"				extended match (may load extension)\n"
-"  --numeric	-n		numeric output of addresses and ports\n"
-"[!] --out-interface -o output name[+]\n"
-"				network interface name ([+] for wildcard)\n"
-"  --table	-t table	table to manipulate (default: `filter')\n"
-"  --verbose	-v		verbose mode\n"
-"  --wait	-w [seconds]	maximum wait to acquire xtables lock before give up\n"
-"  --wait-interval -W [usecs]	wait time to try to acquire xtables lock\n"
-"				default is 1 second\n"
-"  --line-numbers		print line numbers when listing\n"
-"  --exact	-x		expand numbers (display exact values)\n"
-"[!] --fragment	-f		match second or further fragments only\n"
-"  --modprobe=<command>		try to insert modules using this command\n"
-"  --set-counters PKTS BYTES	set the counter during insert/append\n"
-"[!] --version	-V		print package version.\n");
-
-	print_extension_helps(xtables_targets, matches);
+	xtables_printhelp(matches);
 	exit(0);
 }
 
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 94a2d08815d92..9b32610772ba5 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1149,3 +1149,106 @@ int print_match_save(const struct xt_entry_match *e, const void *ip)
 	}
 	return 0;
 }
+
+void
+xtables_printhelp(const struct xtables_rule_match *matches)
+{
+	const char *prog_name = xt_params->program_name;
+	const char *prog_vers = xt_params->program_version;
+
+	printf("%s v%s\n\n"
+"Usage: %s -[ACD] chain rule-specification [options]\n"
+"       %s -I chain [rulenum] rule-specification [options]\n"
+"       %s -R chain rulenum rule-specification [options]\n"
+"       %s -D chain rulenum [options]\n"
+"       %s -[LS] [chain [rulenum]] [options]\n"
+"       %s -[FZ] [chain] [options]\n"
+"       %s -[NX] chain\n"
+"       %s -E old-chain-name new-chain-name\n"
+"       %s -P chain target [options]\n"
+"       %s -h (print this help information)\n\n",
+	       prog_name, prog_vers, prog_name, prog_name,
+	       prog_name, prog_name, prog_name, prog_name,
+	       prog_name, prog_name, prog_name, prog_name);
+
+	printf(
+"Commands:\n"
+"Either long or short options are allowed.\n"
+"  --append  -A chain		Append to chain\n"
+"  --check   -C chain		Check for the existence of a rule\n"
+"  --delete  -D chain		Delete matching rule from chain\n"
+"  --delete  -D chain rulenum\n"
+"				Delete rule rulenum (1 = first) from chain\n"
+"  --insert  -I chain [rulenum]\n"
+"				Insert in chain as rulenum (default 1=first)\n"
+"  --replace -R chain rulenum\n"
+"				Replace rule rulenum (1 = first) in chain\n"
+"  --list    -L [chain [rulenum]]\n"
+"				List the rules in a chain or all chains\n"
+"  --list-rules -S [chain [rulenum]]\n"
+"				Print the rules in a chain or all chains\n"
+"  --flush   -F [chain]		Delete all rules in  chain or all chains\n"
+"  --zero    -Z [chain [rulenum]]\n"
+"				Zero counters in chain or all chains\n"
+"  --new     -N chain		Create a new user-defined chain\n"
+"  --delete-chain\n"
+"            -X [chain]		Delete a user-defined chain\n"
+"  --policy  -P chain target\n"
+"				Change policy on chain to target\n"
+"  --rename-chain\n"
+"            -E old-chain new-chain\n"
+"				Change chain name, (moving any references)\n");
+
+	printf(
+"Options:\n"
+"    --ipv4	-4		%s (line is ignored by ip6tables-restore)\n"
+"    --ipv6	-6		%s (line is ignored by iptables-restore)\n"
+"[!] --protocol	-p proto	protocol: by number or name, eg. `tcp'\n"
+"[!] --source	-s address[/mask][...]\n"
+"				source specification\n"
+"[!] --destination -d address[/mask][...]\n"
+"				destination specification\n"
+"[!] --in-interface -i input name[+]\n"
+"				network interface name ([+] for wildcard)\n"
+" --jump	-j target\n"
+"				target for rule (may load target extension)\n",
+	afinfo->family == NFPROTO_IPV4 ? "Nothing" : "Error",
+	afinfo->family == NFPROTO_IPV4 ? "Error" : "Nothing");
+
+	if (0
+#ifdef IPT_F_GOTO
+	    || afinfo->family == NFPROTO_IPV4
+#endif
+#ifdef IP6T_F_GOTO
+	    || afinfo->family == NFPROTO_IPV6
+#endif
+	   )
+		printf(
+"  --goto      -g chain\n"
+"			       jump to chain with no return\n");
+	printf(
+"  --match	-m match\n"
+"				extended match (may load extension)\n"
+"  --numeric	-n		numeric output of addresses and ports\n"
+"[!] --out-interface -o output name[+]\n"
+"				network interface name ([+] for wildcard)\n"
+"  --table	-t table	table to manipulate (default: `filter')\n"
+"  --verbose	-v		verbose mode\n"
+"  --wait	-w [seconds]	maximum wait to acquire xtables lock before give up\n"
+"  --wait-interval -W [usecs]	wait time to try to acquire xtables lock\n"
+"				interval to wait for xtables lock\n"
+"				default is 1 second\n"
+"  --line-numbers		print line numbers when listing\n"
+"  --exact	-x		expand numbers (display exact values)\n");
+
+	if (afinfo->family == NFPROTO_IPV4)
+		printf(
+"[!] --fragment	-f		match second or further fragments only\n");
+
+	printf(
+"  --modprobe=<command>		try to insert modules using this command\n"
+"  --set-counters PKTS BYTES	set the counter during insert/append\n"
+"[!] --version	-V		print package version.\n");
+
+	print_extension_helps(xtables_targets, matches);
+}
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 1ee64d9e4010d..3310954c1f441 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -259,4 +259,6 @@ void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
 
 int print_match_save(const struct xt_entry_match *e, const void *ip);
 
+void xtables_printhelp(const struct xtables_rule_match *matches);
+
 #endif /* IPTABLES_XSHARED_H */
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 32b93d2bfc8cd..36324a5de22a8 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -87,7 +87,6 @@ static struct option original_opts[] = {
 };
 
 void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
-static void printhelp(const struct xtables_rule_match *m);
 
 struct xtables_globals xtables_globals = {
 	.option_offset = 0,
@@ -96,7 +95,7 @@ struct xtables_globals xtables_globals = {
 	.orig_opts = original_opts,
 	.exit_err = xtables_exit_error,
 	.compat_rev = nft_compatible_revision,
-	.print_help = printhelp,
+	.print_help = xtables_printhelp,
 };
 
 #define opts xt_params->opts
@@ -114,88 +113,6 @@ exit_tryhelp(int status)
 	exit(status);
 }
 
-static void
-printhelp(const struct xtables_rule_match *matches)
-{
-	printf("%s v%s\n\n"
-"Usage: %s -[ACD] chain rule-specification [options]\n"
-"	%s -I chain [rulenum] rule-specification [options]\n"
-"	%s -R chain rulenum rule-specification [options]\n"
-"	%s -D chain rulenum [options]\n"
-"	%s -[LS] [chain [rulenum]] [options]\n"
-"	%s -[FZ] [chain] [options]\n"
-"	%s -[NX] chain\n"
-"	%s -E old-chain-name new-chain-name\n"
-"	%s -P chain target [options]\n"
-"	%s -h (print this help information)\n\n",
-	       prog_name, prog_vers, prog_name, prog_name,
-	       prog_name, prog_name, prog_name, prog_name,
-	       prog_name, prog_name, prog_name, prog_name);
-
-	printf(
-"Commands:\n"
-"Either long or short options are allowed.\n"
-"  --append  -A chain		Append to chain\n"
-"  --check   -C chain		Check for the existence of a rule\n"
-"  --delete  -D chain		Delete matching rule from chain\n"
-"  --delete  -D chain rulenum\n"
-"				Delete rule rulenum (1 = first) from chain\n"
-"  --insert  -I chain [rulenum]\n"
-"				Insert in chain as rulenum (default 1=first)\n"
-"  --replace -R chain rulenum\n"
-"				Replace rule rulenum (1 = first) in chain\n"
-"  --list    -L [chain [rulenum]]\n"
-"				List the rules in a chain or all chains\n"
-"  --list-rules -S [chain [rulenum]]\n"
-"				Print the rules in a chain or all chains\n"
-"  --flush   -F [chain]		Delete all rules in  chain or all chains\n"
-"  --zero    -Z [chain [rulenum]]\n"
-"				Zero counters in chain or all chains\n"
-"  --new     -N chain		Create a new user-defined chain\n"
-"  --delete-chain\n"
-"	     -X [chain]		Delete a user-defined chain\n"
-"  --policy  -P chain target\n"
-"				Change policy on chain to target\n"
-"  --rename-chain\n"
-"	     -E old-chain new-chain\n"
-"				Change chain name, (moving any references)\n"
-
-"Options:\n"
-"    --ipv4	-4		Nothing (line is ignored by ip6tables-restore)\n"
-"    --ipv6	-6		Error (line is ignored by iptables-restore)\n"
-"[!] --proto	-p proto	protocol: by number or name, eg. `tcp'\n"
-"[!] --source	-s address[/mask][...]\n"
-"				source specification\n"
-"[!] --destination -d address[/mask][...]\n"
-"				destination specification\n"
-"[!] --in-interface -i input name[+]\n"
-"				network interface name ([+] for wildcard)\n"
-" --jump	-j target\n"
-"				target for rule (may load target extension)\n"
-#ifdef IPT_F_GOTO
-"  --goto      -g chain\n"
-"			       jump to chain with no return\n"
-#endif
-"  --match	-m match\n"
-"				extended match (may load extension)\n"
-"  --numeric	-n		numeric output of addresses and ports\n"
-"[!] --out-interface -o output name[+]\n"
-"				network interface name ([+] for wildcard)\n"
-"  --table	-t table	table to manipulate (default: `filter')\n"
-"  --verbose	-v		verbose mode\n"
-"  --wait	-w [seconds]	maximum wait to acquire xtables lock before give up\n"
-"  --wait-interval -W [usecs]	wait time to try to acquire xtables lock\n"
-"				default is 1 second\n"
-"  --line-numbers		print line numbers when listing\n"
-"  --exact	-x		expand numbers (display exact values)\n"
-"[!] --fragment	-f		match second or further fragments only\n"
-"  --modprobe=<command>		try to insert modules using this command\n"
-"  --set-counters PKTS BYTES	set the counter during insert/append\n"
-"[!] --version	-V		print package version.\n");
-
-	print_extension_helps(xtables_targets, matches);
-}
-
 void
 xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
 {
-- 
2.33.0

[iptables PATCH v3 3/6] xshared: Share exit_tryhelp()

[Phil Sutter]

The function existed three times in identical form. Avoid having to
declare extern int line in xshared.c by making it a parameter.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c | 19 ++++---------------
 iptables/iptables.c  | 19 ++++---------------
 iptables/xshared.c   | 10 ++++++++++
 iptables/xshared.h   |  1 +
 iptables/xtables.c   | 21 +++++----------------
 5 files changed, 24 insertions(+), 46 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 46f7785b8a9c5..788966d6b68af 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -100,17 +100,6 @@ struct xtables_globals ip6tables_globals = {
 #define prog_name ip6tables_globals.program_name
 #define prog_vers ip6tables_globals.program_version
 
-static void __attribute__((noreturn))
-exit_tryhelp(int status)
-{
-	if (line != -1)
-		fprintf(stderr, "Error occurred at line: %d\n", line);
-	fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
-			prog_name, prog_name);
-	xtables_free_opts(1);
-	exit(status);
-}
-
 static void
 exit_printhelp(const struct xtables_rule_match *matches)
 {
@@ -129,7 +118,7 @@ ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...)
 	va_end(args);
 	fprintf(stderr, "\n");
 	if (status == PARAMETER_PROBLEM)
-		exit_tryhelp(status);
+		exit_tryhelp(status, line);
 	if (status == VERSION_PROBLEM)
 		fprintf(stderr,
 			"Perhaps ip6tables or your kernel needs to be upgraded.\n");
@@ -1106,7 +1095,7 @@ int do_command6(int argc, char *argv[], char **table,
 			if (line != -1)
 				return 1; /* success: line ignored */
 			fprintf(stderr, "This is the IPv6 version of ip6tables.\n");
-			exit_tryhelp(2);
+			exit_tryhelp(2, line);
 
 		case '6':
 			/* This is indeed the IPv6 ip6tables */
@@ -1123,7 +1112,7 @@ int do_command6(int argc, char *argv[], char **table,
 				continue;
 			}
 			fprintf(stderr, "Bad argument `%s'\n", optarg);
-			exit_tryhelp(2);
+			exit_tryhelp(2, line);
 
 		default:
 			if (command_default(&cs, &ip6tables_globals, invert))
@@ -1372,7 +1361,7 @@ int do_command6(int argc, char *argv[], char **table,
 		break;
 	default:
 		/* We should never reach this... */
-		exit_tryhelp(2);
+		exit_tryhelp(2, line);
 	}
 
 	if (verbose > 1)
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 7b4503498865d..78fff9ef77b81 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -98,17 +98,6 @@ struct xtables_globals iptables_globals = {
 #define prog_name iptables_globals.program_name
 #define prog_vers iptables_globals.program_version
 
-static void __attribute__((noreturn))
-exit_tryhelp(int status)
-{
-	if (line != -1)
-		fprintf(stderr, "Error occurred at line: %d\n", line);
-	fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
-			prog_name, prog_name);
-	xtables_free_opts(1);
-	exit(status);
-}
-
 static void
 exit_printhelp(const struct xtables_rule_match *matches)
 {
@@ -127,7 +116,7 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
 	va_end(args);
 	fprintf(stderr, "\n");
 	if (status == PARAMETER_PROBLEM)
-		exit_tryhelp(status);
+		exit_tryhelp(status, line);
 	if (status == VERSION_PROBLEM)
 		fprintf(stderr,
 			"Perhaps iptables or your kernel needs to be upgraded.\n");
@@ -1093,7 +1082,7 @@ int do_command4(int argc, char *argv[], char **table,
 			if (line != -1)
 				return 1; /* success: line ignored */
 			fprintf(stderr, "This is the IPv4 version of iptables.\n");
-			exit_tryhelp(2);
+			exit_tryhelp(2, line);
 
 		case 1: /* non option */
 			if (optarg[0] == '!' && optarg[1] == '\0') {
@@ -1106,7 +1095,7 @@ int do_command4(int argc, char *argv[], char **table,
 				continue;
 			}
 			fprintf(stderr, "Bad argument `%s'\n", optarg);
-			exit_tryhelp(2);
+			exit_tryhelp(2, line);
 
 		default:
 			if (command_default(&cs, &iptables_globals, invert))
@@ -1353,7 +1342,7 @@ int do_command4(int argc, char *argv[], char **table,
 		break;
 	default:
 		/* We should never reach this... */
-		exit_tryhelp(2);
+		exit_tryhelp(2, line);
 	}
 
 	if (verbose > 1)
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 9b32610772ba5..efee7a30b39fd 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1252,3 +1252,13 @@ xtables_printhelp(const struct xtables_rule_match *matches)
 
 	print_extension_helps(xtables_targets, matches);
 }
+
+void exit_tryhelp(int status, int line)
+{
+	if (line != -1)
+		fprintf(stderr, "Error occurred at line: %d\n", line);
+	fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
+			xt_params->program_name, xt_params->program_name);
+	xtables_free_opts(1);
+	exit(status);
+}
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 3310954c1f441..2c05b0d7c4ace 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -260,5 +260,6 @@ void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
 int print_match_save(const struct xt_entry_match *e, const void *ip);
 
 void xtables_printhelp(const struct xtables_rule_match *matches);
+void exit_tryhelp(int status, int line) __attribute__((noreturn));
 
 #endif /* IPTABLES_XSHARED_H */
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 36324a5de22a8..d53fd758ac72d 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -102,17 +102,6 @@ struct xtables_globals xtables_globals = {
 #define prog_name xt_params->program_name
 #define prog_vers xt_params->program_version
 
-static void __attribute__((noreturn))
-exit_tryhelp(int status)
-{
-	if (line != -1)
-		fprintf(stderr, "Error occurred at line: %d\n", line);
-	fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
-			prog_name, prog_name);
-	xtables_free_opts(1);
-	exit(status);
-}
-
 void
 xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
 {
@@ -124,7 +113,7 @@ xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
 	va_end(args);
 	fprintf(stderr, "\n");
 	if (status == PARAMETER_PROBLEM)
-		exit_tryhelp(status);
+		exit_tryhelp(status, line);
 	if (status == VERSION_PROBLEM)
 		fprintf(stderr,
 			"Perhaps iptables or your kernel needs to be upgraded.\n");
@@ -631,7 +620,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			if (p->restore && args->family == AF_INET6)
 				return;
 
-			exit_tryhelp(2);
+			exit_tryhelp(2, line);
 
 		case '6':
 			if (args->family == AF_INET6)
@@ -640,7 +629,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			if (p->restore && args->family == AF_INET)
 				return;
 
-			exit_tryhelp(2);
+			exit_tryhelp(2, line);
 
 		case 1: /* non option */
 			if (optarg[0] == '!' && optarg[1] == '\0') {
@@ -653,7 +642,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 				continue;
 			}
 			fprintf(stderr, "Bad argument `%s'\n", optarg);
-			exit_tryhelp(2);
+			exit_tryhelp(2, line);
 
 		default:
 			if (command_default(cs, xt_params, invert))
@@ -849,7 +838,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 		break;
 	default:
 		/* We should never reach this... */
-		exit_tryhelp(2);
+		exit_tryhelp(2, line);
 	}
 
 	*table = p.table;
-- 
2.33.0

[iptables PATCH v3 4/6] xtables_globals: Embed variant name in .program_version

[Phil Sutter]

Both are constant strings, so precompiler may concat them.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c        | 6 +++---
 iptables/iptables-restore.c | 2 +-
 iptables/iptables-save.c    | 2 +-
 iptables/iptables.c         | 6 +++---
 iptables/xtables-arp.c      | 2 +-
 iptables/xtables-eb.c       | 4 ++--
 iptables/xtables-restore.c  | 2 +-
 iptables/xtables-save.c     | 2 +-
 iptables/xtables.c          | 6 +++---
 9 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 788966d6b68af..44d2c08cddc42 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -90,7 +90,7 @@ static struct option original_opts[] = {
 void ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
 struct xtables_globals ip6tables_globals = {
 	.option_offset = 0,
-	.program_version = PACKAGE_VERSION,
+	.program_version = PACKAGE_VERSION " (legacy)",
 	.orig_opts = original_opts,
 	.exit_err = ip6tables_exit_error,
 	.compat_rev = xtables_compatible_revision,
@@ -113,7 +113,7 @@ ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...)
 	va_list args;
 
 	va_start(args, msg);
-	fprintf(stderr, "%s v%s (legacy): ", prog_name, prog_vers);
+	fprintf(stderr, "%s v%s: ", prog_name, prog_vers);
 	vfprintf(stderr, msg, args);
 	va_end(args);
 	fprintf(stderr, "\n");
@@ -1049,7 +1049,7 @@ int do_command6(int argc, char *argv[], char **table,
 			if (invert)
 				printf("Not %s ;-)\n", prog_vers);
 			else
-				printf("%s v%s (legacy)\n",
+				printf("%s v%s\n",
 				       prog_name, prog_vers);
 			exit(0);
 
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index cc2c2b8b10086..a3efb067d3d90 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -117,7 +117,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
 				verbose = 1;
 				break;
 			case 'V':
-				printf("%s v%s (legacy)\n",
+				printf("%s v%s\n",
 				       xt_params->program_name,
 				       xt_params->program_version);
 				exit(0);
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index 4efd66673f5de..a114e98bb62dc 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -173,7 +173,7 @@ do_iptables_save(struct iptables_save_cb *cb, int argc, char *argv[])
 			do_output(cb, tablename);
 			exit(0);
 		case 'V':
-			printf("%s v%s (legacy)\n",
+			printf("%s v%s\n",
 			       xt_params->program_name,
 			       xt_params->program_version);
 			exit(0);
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 78fff9ef77b81..191877ec1bb06 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -88,7 +88,7 @@ void iptables_exit_error(enum xtables_exittype status, const char *msg, ...) __a
 
 struct xtables_globals iptables_globals = {
 	.option_offset = 0,
-	.program_version = PACKAGE_VERSION,
+	.program_version = PACKAGE_VERSION " (legacy)",
 	.orig_opts = original_opts,
 	.exit_err = iptables_exit_error,
 	.compat_rev = xtables_compatible_revision,
@@ -111,7 +111,7 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
 	va_list args;
 
 	va_start(args, msg);
-	fprintf(stderr, "%s v%s (legacy): ", prog_name, prog_vers);
+	fprintf(stderr, "%s v%s: ", prog_name, prog_vers);
 	vfprintf(stderr, msg, args);
 	va_end(args);
 	fprintf(stderr, "\n");
@@ -1032,7 +1032,7 @@ int do_command4(int argc, char *argv[], char **table,
 			if (invert)
 				printf("Not %s ;-)\n", prog_vers);
 			else
-				printf("%s v%s (legacy)\n",
+				printf("%s v%s\n",
 				       prog_name, prog_vers);
 			exit(0);
 
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index cca19438a877e..8a226330a7124 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -88,7 +88,7 @@ extern void xtables_exit_error(enum xtables_exittype status, const char *msg, ..
 static void printhelp(const struct xtables_rule_match *m);
 struct xtables_globals arptables_globals = {
 	.option_offset		= 0,
-	.program_version	= PACKAGE_VERSION,
+	.program_version	= PACKAGE_VERSION " (nf_tables)",
 	.optstring		= OPTSTRING_COMMON "C:R:S::" "h::l:nv" /* "m:" */,
 	.orig_opts		= original_opts,
 	.exit_err		= xtables_exit_error,
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 3f58754d14cee..604d4d39e90f7 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -219,7 +219,7 @@ struct option ebt_original_options[] =
 extern void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
 struct xtables_globals ebtables_globals = {
 	.option_offset 		= 0,
-	.program_version	= PACKAGE_VERSION,
+	.program_version	= PACKAGE_VERSION " (nf_tables)",
 	.optstring		= OPTSTRING_COMMON "h",
 	.orig_opts		= ebt_original_options,
 	.exit_err		= xtables_exit_error,
@@ -860,7 +860,7 @@ print_zero:
 			if (OPT_COMMANDS)
 				xtables_error(PARAMETER_PROBLEM,
 					      "Multiple commands are not allowed");
-			printf("%s %s (nf_tables)\n", prog_name, prog_vers);
+			printf("%s %s\n", prog_name, prog_vers);
 			exit(0);
 		case 'h': /* Help */
 			if (OPT_COMMANDS)
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index aa8b397f29ac7..8ca2abffa5d36 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -312,7 +312,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
 				verbose = 1;
 				break;
 			case 'V':
-				printf("%s v%s (nf_tables)\n", prog_name, prog_vers);
+				printf("%s v%s\n", prog_name, prog_vers);
 				exit(0);
 			case 't':
 				p.testing = 1;
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index c6ebb0ec94c4f..03d2b980d5371 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -184,7 +184,7 @@ xtables_save_main(int family, int argc, char *argv[],
 			dump = true;
 			break;
 		case 'V':
-			printf("%s v%s (nf_tables)\n", prog_name, prog_vers);
+			printf("%s v%s\n", prog_name, prog_vers);
 			exit(0);
 		default:
 			fprintf(stderr,
diff --git a/iptables/xtables.c b/iptables/xtables.c
index d53fd758ac72d..a6b10cf846d58 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -90,7 +90,7 @@ void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __at
 
 struct xtables_globals xtables_globals = {
 	.option_offset = 0,
-	.program_version = PACKAGE_VERSION,
+	.program_version = PACKAGE_VERSION " (nf_tables)",
 	.optstring = OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x",
 	.orig_opts = original_opts,
 	.exit_err = xtables_exit_error,
@@ -108,7 +108,7 @@ xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
 	va_list args;
 
 	va_start(args, msg);
-	fprintf(stderr, "%s v%s (nf_tables): ", prog_name, prog_vers);
+	fprintf(stderr, "%s v%s: ", prog_name, prog_vers);
 	vfprintf(stderr, msg, args);
 	va_end(args);
 	fprintf(stderr, "\n");
@@ -554,7 +554,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			if (invert)
 				printf("Not %s ;-)\n", prog_vers);
 			else
-				printf("%s v%s (nf_tables)\n",
+				printf("%s v%s\n",
 				       prog_name, prog_vers);
 			exit(0);
 
-- 
2.33.0

[iptables PATCH v3 5/6] libxtables: Extend basic_exit_err()

[Phil Sutter]

Basically merge the function with xtables_exit_error,
printing a status-specific footer for parameter or version problems.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
Changes since v2:
- No need to account for possible program_variant.

Changes since v1:
- Do not require existence of exit_tryhelp() in libxtables, instead
  merge its code into basic_exit_error() - it's merely two printf()
  calls after all.
---
 iptables/ip6tables.c   | 22 ----------------------
 iptables/iptables.c    | 23 -----------------------
 iptables/xtables-arp.c |  2 --
 iptables/xtables-eb.c  |  2 --
 iptables/xtables.c     | 23 -----------------------
 libxtables/xtables.c   | 12 ++++++++++++
 6 files changed, 12 insertions(+), 72 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 44d2c08cddc42..2f3ff034fbbb7 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -87,12 +87,10 @@ static struct option original_opts[] = {
 	{NULL},
 };
 
-void ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
 struct xtables_globals ip6tables_globals = {
 	.option_offset = 0,
 	.program_version = PACKAGE_VERSION " (legacy)",
 	.orig_opts = original_opts,
-	.exit_err = ip6tables_exit_error,
 	.compat_rev = xtables_compatible_revision,
 };
 
@@ -107,26 +105,6 @@ exit_printhelp(const struct xtables_rule_match *matches)
 	exit(0);
 }
 
-void
-ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...)
-{
-	va_list args;
-
-	va_start(args, msg);
-	fprintf(stderr, "%s v%s: ", prog_name, prog_vers);
-	vfprintf(stderr, msg, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	if (status == PARAMETER_PROBLEM)
-		exit_tryhelp(status, line);
-	if (status == VERSION_PROBLEM)
-		fprintf(stderr,
-			"Perhaps ip6tables or your kernel needs to be upgraded.\n");
-	/* On error paths, make sure that we don't leak memory */
-	xtables_free_opts(1);
-	exit(status);
-}
-
 /*
  *	All functions starting with "parse" should succeed, otherwise
  *	the program fails.
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 191877ec1bb06..ba04fbc6a806e 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -84,13 +84,10 @@ static struct option original_opts[] = {
 	{NULL},
 };
 
-void iptables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
-
 struct xtables_globals iptables_globals = {
 	.option_offset = 0,
 	.program_version = PACKAGE_VERSION " (legacy)",
 	.orig_opts = original_opts,
-	.exit_err = iptables_exit_error,
 	.compat_rev = xtables_compatible_revision,
 };
 
@@ -105,26 +102,6 @@ exit_printhelp(const struct xtables_rule_match *matches)
 	exit(0);
 }
 
-void
-iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
-{
-	va_list args;
-
-	va_start(args, msg);
-	fprintf(stderr, "%s v%s: ", prog_name, prog_vers);
-	vfprintf(stderr, msg, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	if (status == PARAMETER_PROBLEM)
-		exit_tryhelp(status, line);
-	if (status == VERSION_PROBLEM)
-		fprintf(stderr,
-			"Perhaps iptables or your kernel needs to be upgraded.\n");
-	/* On error paths, make sure that we don't leak memory */
-	xtables_free_opts(1);
-	exit(status);
-}
-
 /*
  *	All functions starting with "parse" should succeed, otherwise
  *	the program fails.
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 8a226330a7124..805fb19a5f937 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -84,14 +84,12 @@ static struct option original_opts[] = {
 
 #define opts xt_params->opts
 
-extern void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
 static void printhelp(const struct xtables_rule_match *m);
 struct xtables_globals arptables_globals = {
 	.option_offset		= 0,
 	.program_version	= PACKAGE_VERSION " (nf_tables)",
 	.optstring		= OPTSTRING_COMMON "C:R:S::" "h::l:nv" /* "m:" */,
 	.orig_opts		= original_opts,
-	.exit_err		= xtables_exit_error,
 	.compat_rev		= nft_compatible_revision,
 	.print_help		= printhelp,
 };
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 604d4d39e90f7..ed8f733246ca3 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -216,13 +216,11 @@ struct option ebt_original_options[] =
 	{ 0 }
 };
 
-extern void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
 struct xtables_globals ebtables_globals = {
 	.option_offset 		= 0,
 	.program_version	= PACKAGE_VERSION " (nf_tables)",
 	.optstring		= OPTSTRING_COMMON "h",
 	.orig_opts		= ebt_original_options,
-	.exit_err		= xtables_exit_error,
 	.compat_rev		= nft_compatible_revision,
 };
 
diff --git a/iptables/xtables.c b/iptables/xtables.c
index a6b10cf846d58..5255fa340d55d 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -86,14 +86,11 @@ static struct option original_opts[] = {
 	{NULL},
 };
 
-void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
-
 struct xtables_globals xtables_globals = {
 	.option_offset = 0,
 	.program_version = PACKAGE_VERSION " (nf_tables)",
 	.optstring = OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x",
 	.orig_opts = original_opts,
-	.exit_err = xtables_exit_error,
 	.compat_rev = nft_compatible_revision,
 	.print_help = xtables_printhelp,
 };
@@ -102,26 +99,6 @@ struct xtables_globals xtables_globals = {
 #define prog_name xt_params->program_name
 #define prog_vers xt_params->program_version
 
-void
-xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
-{
-	va_list args;
-
-	va_start(args, msg);
-	fprintf(stderr, "%s v%s: ", prog_name, prog_vers);
-	vfprintf(stderr, msg, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	if (status == PARAMETER_PROBLEM)
-		exit_tryhelp(status, line);
-	if (status == VERSION_PROBLEM)
-		fprintf(stderr,
-			"Perhaps iptables or your kernel needs to be upgraded.\n");
-	/* On error paths, make sure that we don't leak memory */
-	xtables_free_opts(1);
-	exit(status);
-}
-
 /*
  *	All functions starting with "parse" should succeed, otherwise
  *	the program fails.
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index d670175db2236..50fd6a44b0100 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -90,6 +90,18 @@ void basic_exit_err(enum xtables_exittype status, const char *msg, ...)
 	vfprintf(stderr, msg, args);
 	va_end(args);
 	fprintf(stderr, "\n");
+	if (status == PARAMETER_PROBLEM) {
+		if (line != -1)
+			fprintf(stderr, "Error occurred at line: %d\n", line);
+		fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
+				xt_params->program_name, xt_params->program_name);
+	} else if (status == VERSION_PROBLEM) {
+		fprintf(stderr,
+			"Perhaps %s or your kernel needs to be upgraded.\n",
+			xt_params->program_name);
+	}
+	/* On error paths, make sure that we don't leak memory */
+	xtables_free_opts(1);
 	exit(status);
 }
 
-- 
2.33.0

[iptables PATCH v3 6/6] iptables-*-restore: Drop pointless line reference

[Phil Sutter]

There's no need to mention the offending line number in error message
when calling xtables_error() with a status of PARAMETER_PROBLEM as that
will cause a call to xtables_exit_tryhelp() which in turn prints "Error
occurred at line: N".

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c  | 4 ++--
 iptables/iptables.c   | 4 ++--
 iptables/xtables-eb.c | 4 ++--
 iptables/xtables.c    | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 2f3ff034fbbb7..b4604f83cf8a4 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1012,8 +1012,8 @@ int do_command6(int argc, char *argv[], char **table,
 					   "unexpected ! flag before --table");
 			if (restore && table_set)
 				xtables_error(PARAMETER_PROBLEM,
-					      "The -t option (seen in line %u) cannot be used in %s.\n",
-					      line, xt_params->program_name);
+					      "The -t option cannot be used in %s.\n",
+					      xt_params->program_name);
 			*table = optarg;
 			table_set = true;
 			break;
diff --git a/iptables/iptables.c b/iptables/iptables.c
index ba04fbc6a806e..7dc4cbc1c9c22 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -994,8 +994,8 @@ int do_command4(int argc, char *argv[], char **table,
 					   "unexpected ! flag before --table");
 			if (restore && table_set)
 				xtables_error(PARAMETER_PROBLEM,
-					      "The -t option (seen in line %u) cannot be used in %s.\n",
-					      line, xt_params->program_name);
+					      "The -t option cannot be used in %s.\n",
+					      xt_params->program_name);
 			*table = optarg;
 			table_set = true;
 			break;
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index ed8f733246ca3..060e06c57a481 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -894,8 +894,8 @@ print_zero:
 			ebt_check_option2(&flags, OPT_TABLE);
 			if (restore && table_set)
 				xtables_error(PARAMETER_PROBLEM,
-					      "The -t option (seen in line %u) cannot be used in %s.\n",
-					      line, xt_params->program_name);
+					      "The -t option cannot be used in %s.\n",
+					      xt_params->program_name);
 			if (!nft_table_builtin_find(h, optarg))
 				xtables_error(VERSION_PROBLEM,
 					      "table '%s' does not exist",
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 5255fa340d55d..57bec76c31fb3 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -512,8 +512,8 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 					   "unexpected ! flag before --table");
 			if (p->restore && table_set)
 				xtables_error(PARAMETER_PROBLEM,
-					      "The -t option (seen in line %u) cannot be used in %s.\n",
-					      line, xt_params->program_name);
+					      "The -t option cannot be used in %s.\n",
+					      xt_params->program_name);
 			if (!nft_table_builtin_find(h, optarg))
 				xtables_error(VERSION_PROBLEM,
 					      "table '%s' does not exist",
-- 
2.33.0

Re: [iptables PATCH v3 0/6] Some more code de-duplication

[Pablo Neira Ayuso]

On Thu, Dec 16, 2021 at 01:58:34PM +0100, Phil Sutter wrote:
> No change in patches 1 to 3 and 6.
> 
> Patch 4 is new: Extend program_version field with variant string instead
> of introducing a separate field. This made patch 5 a bit smaller, due to
> less differences between basic_exit_err() and xtables_exit_error().

LGTM, thanks