* iptables: missing connlabel.conf causes unnecessary error messages
@ 2014-09-05 8:06 Thomas De Schampheleire
2014-09-05 9:13 ` Florian Westphal
0 siblings, 1 reply; 5+ messages in thread
From: Thomas De Schampheleire @ 2014-09-05 8:06 UTC (permalink / raw)
To: netfilter-devel, Florian Westphal
Hi,
Commit http://git.netfilter.org/iptables/commit/?id=51340f7b6a1103b12d86ef488f7140406d80401e
removed the default /etc/xtables/connlabel.conf file distributed with netfilter.
From this commit onwards, every call to iptables will show the message:
cannot open connlabel.conf, not registering 'connlabel' match: No
such file or directory
Creating an empty connlabel.conf file does not really help; the
message now becomes:
cannot open connlabel.conf, not registering 'connlabel' match: Success
In order to remove the message, we have to specify at least one label,
for example '0 foo'.
I don't think this is correct behavior: even when not using connlabel
at all, iptables will print an error/warning in its default
installation. The only way to remove this warning is to create a dummy
rule.
Moreover, I do not understand the reasoning of the mentioned commit:
what is the problem in respecting sysconfdir? There are so many
applications and libraries that use autoconf and can have
configuration files in a place respecting sysconfdir.
Finally, even if you do not want to provide a default file with the
iptables installation, an empty file (created by the user) should hide
the error message.
What is your view on this?
Thanks,
Thomas
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: iptables: missing connlabel.conf causes unnecessary error messages
2014-09-05 8:06 iptables: missing connlabel.conf causes unnecessary error messages Thomas De Schampheleire
@ 2014-09-05 9:13 ` Florian Westphal
2014-09-05 9:47 ` Thomas De Schampheleire
0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2014-09-05 9:13 UTC (permalink / raw)
To: Thomas De Schampheleire; +Cc: netfilter-devel, Florian Westphal
Thomas De Schampheleire <patrickdepinguin@gmail.com> wrote:
> Commit http://git.netfilter.org/iptables/commit/?id=51340f7b6a1103b12d86ef488f7140406d80401e
> removed the default /etc/xtables/connlabel.conf file distributed with netfilter.
>
> From this commit onwards, every call to iptables will show the message:
> cannot open connlabel.conf, not registering 'connlabel' match: No
> such file or directory
Right, this happens for static builds.
> Creating an empty connlabel.conf file does not really help, the
> message now becomes:
> cannot open connlabel.conf, not registering 'connlabel' match: Success
That's a bug.
> Moreover, I do not understand the reasoning of the mentioned commit:
> what is the problem in respecting sysconfdir? There are so many
> applications and libraries that use autoconf and can have
> configuration files in a place respecting sysconfdir.
Because then every libnetfilter_conntrack mapping call in
non-iptables software has to 'guess' where iptables' sysconfdir is.
> Finally, even if you do not want to provide a default file with the
> iptables installation, an empty file (created by the user) should hide
> the error message.
>
> What is your view on this?
Agreed.
If there are no other comments, I will push following patch later today:
connlabel: do not open config file from _init hook
else, static builds will print this for every iptables invocation,
even 'iptables -L'. Delay opening until we need to translate a mapping.
diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
--- a/extensions/libxt_connlabel.c
+++ b/extensions/libxt_connlabel.c
@@ -29,11 +29,26 @@ static const struct xt_option_entry connlabel_mt_opts[] = {
XTOPT_TABLEEND,
};
+/* cannot do this via _init, else static builds might spew error message
+ * for every iptables invocation.
+ */
+static void connlabel_open(void)
+{
+ if (map)
+ return;
+
+ map = nfct_labelmap_new(NULL);
+ if (!map && errno)
+ xtables_error(RESOURCE_PROBLEM, "cannot open connlabel.conf: %s\n",
+ strerror(errno));
+}
+
static void connlabel_mt_parse(struct xt_option_call *cb)
{
struct xt_connlabel_mtinfo *info = cb->data;
int tmp;
+ connlabel_open();
xtables_option_parse(cb);
switch (cb->entry->id) {
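Review bot: in connlabel_open(), the check 'if (!map && errno)' relies on errno being meaningful after nfct_labelmap_new() returns NULL, but errno is never cleared before the call, so a stale value left by an earlier unrelated failure can turn a legitimately empty map into a fatal xtables_error(RESOURCE_PROBLEM, ...); add 'errno = 0;' immediately before 'map = nfct_labelmap_new(NULL);'. The same condition also means that a NULL map with errno == 0 (the empty-file case reported at the top of this thread) is silently accepted and 'map' stays NULL for every later caller, so either confirm that a NULL map is valid input for the libnetfilter_conntrack lookup functions or report that case as well rather than only when errno is set.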
@@ -54,7 +69,11 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
static const char *connlabel_get_name(int b)
{
- const char *name = nfct_labelmap_get_name(map, b);
+ const char *name;
+
+ connlabel_open();
+
+ name = nfct_labelmap_get_name(map, b);
if (name && strcmp(name, ""))
return name;
return NULL;
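Review bot: connlabel_get_name() now calls connlabel_open(), which terminates the process via xtables_error() when the config file cannot be opened, so a lookup helper that previously only returned a name or NULL can now abort; and in the empty-file case, where connlabel_open() returns without error and 'map' is still NULL, the very next line passes a NULL map into nfct_labelmap_get_name(map, b). Consider checking 'if (!map) return NULL;' after the connlabel_open() call here so the lookup path degrades to "no name" instead of relying on the library to handle a NULL map.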
@@ -114,11 +133,5 @@ static struct xtables_match connlabel_mt_reg = {
void _init(void)
{
- map = nfct_labelmap_new(NULL);
- if (!map) {
- fprintf(stderr, "cannot open connlabel.conf, not registering '%s' match: %s\n",
- connlabel_mt_reg.name, strerror(errno));
- return;
- }
xtables_register_match(&connlabel_mt_reg);
}
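Review bot: the 'static builds' wording in the commit message and in the new comment above connlabel_open() should say --enable-static (configure-time) builds, since as clarified downthread the reporting binary is dynamically linked and the trigger is the configure flag, not static linking. The hunk itself is fine: with the early nfct_labelmap_new() gone the match is registered unconditionally and the failure path moves to the first real use, which is the stated intent.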
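The three outcomes discussed in this thread (a missing file, an empty file that yields "Success", and a file carrying labels such as '0 foo'), as an added C example that is not code from iptables or libnetfilter_conntrack: a small stand-alone loader for the "<bit> <name>" format that keeps the outcomes distinct and clears errno before the call, so the message quotes strerror() only on a real failure. The names labelmap_load, labelmap_name, labelmap_open_report and write_constructed_file, the 128-bit and 32-character limits, and the temporary files written under /tmp are assumptions of this example; the file contents are constructed sample input.

```c
/* Added example (not from iptables or libnetfilter_conntrack): a minimal
 * loader for the "<bit> <name>" connlabel.conf format that keeps three
 * outcomes distinct:
 *   file missing/unreadable -> -1, errno set by fopen()
 *   file present but empty  -> 0, zero labels (not an error)
 *   file with labels        -> 0, names filled in
 * Quoting strerror(errno) only when the load really failed avoids the
 * "cannot open connlabel.conf: Success" message from this thread.
 */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LABEL_BITS 128   /* assumed upper bound on label bits */
#define LABEL_LEN  32    /* assumed maximum label name length */

struct labelmap {
    unsigned count;                    /* bits that carry a name */
    char name[LABEL_BITS][LABEL_LEN];  /* "" where no name is set */
};

/* Returns 0 on success (an empty file is a success with count == 0),
 * or -1 with errno describing why the file could not be read. */
int labelmap_load(const char *path, struct labelmap *m)
{
    char line[256];
    FILE *fp;

    memset(m, 0, sizeof(*m));
    fp = fopen(path, "r");
    if (!fp)
        return -1;                 /* errno left as set by fopen() */

    while (fgets(line, sizeof(line), fp)) {
        char *p = line, *end;
        unsigned long bit;

        while (isspace((unsigned char)*p))
            p++;
        if (*p == '\0' || *p == '#')
            continue;              /* blank line or comment */
        bit = strtoul(p, &end, 10);
        if (end == p || bit >= LABEL_BITS)
            continue;              /* malformed bit number: skip it */
        p = end;
        while (isspace((unsigned char)*p))
            p++;
        end = p + strcspn(p, " \t\r\n");
        if (end == p)
            continue;              /* bit number without a name */
        if (m->name[bit][0] == '\0')
            m->count++;
        snprintf(m->name[bit], LABEL_LEN, "%.*s", (int)(end - p), p);
    }
    fclose(fp);
    return 0;
}

/* Lookup that tolerates a NULL map and unnamed bits by returning NULL. */
const char *labelmap_name(const struct labelmap *m, unsigned bit)
{
    if (!m || bit >= LABEL_BITS || m->name[bit][0] == '\0')
        return NULL;
    return m->name[bit];
}

/* Lazy-open wrapper in the spirit of the patch, but errno is cleared first
 * so a stale value cannot make an empty map look like a failure, and the
 * message quotes strerror() only on a real failure. */
int labelmap_open_report(const char *path, struct labelmap *m,
                         char *msg, size_t len)
{
    errno = 0;
    if (labelmap_load(path, m) < 0) {
        snprintf(msg, len, "cannot open %s: %s", path, strerror(errno));
        return -1;
    }
    msg[0] = '\0';                 /* nothing to report, even if empty */
    return 0;
}

/* Demo helper: write constructed CONTENT to a temp file, path in PATH_OUT
 * (needs at least 32 bytes). Returns 0 on success. */
int write_constructed_file(const char *content, char *path_out)
{
    size_t n = strlen(content);
    int fd;

    strcpy(path_out, "/tmp/connlabel_demo_XXXXXX");
    fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    if (n && write(fd, content, n) != (ssize_t)n) {
        close(fd);
        return -1;
    }
    return close(fd);
}
```

Running labelmap_open_report() against a nonexistent path gives "cannot open ...: No such file or directory"; against an empty file it returns 0 with count 0 and an empty message rather than a spurious "Success"; against a file containing "0 foo" the name for bit 0 resolves to "foo". The errno reset before the load is the detail the patch in this thread lacks: without it, the '!map && errno' test inherits whatever errno an earlier library call left behind.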
* Re: iptables: missing connlabel.conf causes unnecessary error messages
2014-09-05 9:13 ` Florian Westphal
@ 2014-09-05 9:47 ` Thomas De Schampheleire
2014-09-05 9:51 ` Florian Westphal
0 siblings, 1 reply; 5+ messages in thread
From: Thomas De Schampheleire @ 2014-09-05 9:47 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
Hi Florian,
On Fri, Sep 5, 2014 at 11:13 AM, Florian Westphal <fw@strlen.de> wrote:
> Thomas De Schampheleire <patrickdepinguin@gmail.com> wrote:
>> Commit http://git.netfilter.org/iptables/commit/?id=51340f7b6a1103b12d86ef488f7140406d80401e
>> removed the default /etc/xtables/connlabel.conf file distributed with netfilter.
>>
>> From this commit onwards, every call to iptables will show the message:
>> cannot open connlabel.conf, not registering 'connlabel' match: No
>> such file or directory
>
> Right, this happens for static builds.
If with 'static' you mean 'statically linked', then this is not correct.
My iptables application is dynamically linked:
~ # LD_TRACE_LOADED_OBJECTS=1 iptables
libip4tc.so.0 => /usr/lib32/libip4tc.so.0 (0x006f1000)
libip6tc.so.0 => /usr/lib32/libip6tc.so.0 (0x00707000)
libxtables.so.10 => /usr/lib32/libxtables.so.10 (0x0071d000)
libnetfilter_conntrack.so.3 => /usr/lib32/libnetfilter_conntrack.so.3 (0x00737000)
libmnl.so.0 => /usr/lib32/libmnl.so.0 (0x0075c000)
libnfnetlink.so.0 => /usr/lib32/libnfnetlink.so.0 (0x00770000)
libdl.so.2 => /lib32/libdl.so.2 (0x00785000)
libm.so.6 => /lib32/libm.so.6 (0x00798000)
libc.so.6 => /lib32/libc.so.6 (0x00883000)
/lib32/ld.so.1 (0x006c2000)
A prerequisite to seeing this message does seem to be the presence of
libnetfilter_conntrack (during the compilation of iptables).
>
>> Creating an empty connlabel.conf file does not really help, the
>> message now becomes:
>> cannot open connlabel.conf, not registering 'connlabel' match: Success
>
> That's a bug.
>
>> Moreover, I do not understand the reasoning of the mentioned commit:
>> what is the problem in respecting sysconfdir? There are so many
>> applications and libraries that use autoconf and can have
>> configuration files in a place respecting sysconfdir.
>
> Because then every libnetfilter_conntrack mapping call in
> non-iptables software has to 'guess' where iptables' sysconfdir is.
Ok, understood.
>
>> Finally, even if you do not want to provide a default file with the
>> iptables installation, an empty file (created by the user) should hide
>> the error message.
>>
>> What is your view on this?
>
> Agreed.
> If there are no other comments, I will push following patch later today:
Deferring the opening of the file until you really need it seems a
good solution indeed.
However, the 'static' mentions in your proposed patch may need
adaptation based on the discussion above.
Thanks,
Thomas
* Re: iptables: missing connlabel.conf causes unnecessary error messages
2014-09-05 9:47 ` Thomas De Schampheleire
@ 2014-09-05 9:51 ` Florian Westphal
2014-09-05 10:11 ` Thomas De Schampheleire
0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2014-09-05 9:51 UTC (permalink / raw)
To: Thomas De Schampheleire; +Cc: Florian Westphal, netfilter-devel
Thomas De Schampheleire <patrickdepinguin@gmail.com> wrote:
> On Fri, Sep 5, 2014 at 11:13 AM, Florian Westphal <fw@strlen.de> wrote:
> > Thomas De Schampheleire <patrickdepinguin@gmail.com> wrote:
> >> Commit http://git.netfilter.org/iptables/commit/?id=51340f7b6a1103b12d86ef488f7140406d80401e
> >> removed the default /etc/xtables/connlabel.conf file distributed with netfilter.
> >>
> >> From this commit onwards, every call to iptables will show the message:
> >> cannot open connlabel.conf, not registering 'connlabel' match: No
> >> such file or directory
> >
> > Right, this happens for static builds.
>
> If with 'static' you mean 'statically linked', then this is not correct.
> My iptables application is dynamically linked:
I meant --enable-static during configure stage.
* Re: iptables: missing connlabel.conf causes unnecessary error messages
2014-09-05 9:51 ` Florian Westphal
@ 2014-09-05 10:11 ` Thomas De Schampheleire
0 siblings, 0 replies; 5+ messages in thread
From: Thomas De Schampheleire @ 2014-09-05 10:11 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Fri, Sep 5, 2014 at 11:51 AM, Florian Westphal <fw@strlen.de> wrote:
> Thomas De Schampheleire <patrickdepinguin@gmail.com> wrote:
>> On Fri, Sep 5, 2014 at 11:13 AM, Florian Westphal <fw@strlen.de> wrote:
>> > Thomas De Schampheleire <patrickdepinguin@gmail.com> wrote:
>> >> Commit http://git.netfilter.org/iptables/commit/?id=51340f7b6a1103b12d86ef488f7140406d80401e
>> >> removed the default /etc/xtables/connlabel.conf file distributed with netfilter.
>> >>
>> >> From this commit onwards, every call to iptables will show the message:
>> >> cannot open connlabel.conf, not registering 'connlabel' match: No
>> >> such file or directory
>> >
>> > Right, this happens for static builds.
>>
>> If with 'static' you mean 'statically linked', then this is not correct.
>> My iptables application is dynamically linked:
>
> I meant --enable-static during configure stage.
Ok, I see, this is indeed a flag passed in my configure step.
Thanks,
Thomas