[iptables PATCH] iptables: Add missing error codes

[iptables PATCH] iptables: Add missing error codes

[Jacek Tomasiak]

Without these, commands like `iptables -n -L CHAIN` sometimes print
"Incompatible with this kernel" instead of "No chain/target/match
by that name".

Signed-off-by: Jacek Tomasiak <jacek.tomasiak@gmail.com>
Signed-off-by: Jacek Tomasiak <jtomasiak@arista.com>
---
 iptables/nft.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index f5368578..c2cbc9d7 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2812,8 +2812,10 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
 
 	if (chain) {
 		c = nft_chain_find(h, table, chain);
-		if (!c)
+		if (!c) {
+			errno = ENOENT;
 			return 0;
+		}
 
 		if (rulenum)
 			d.save_fmt = true;	/* skip header printing */
@@ -2920,8 +2922,10 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
 
 	if (chain) {
 		c = nft_chain_find(h, table, chain);
-		if (!c)
+		if (!c) {
+			errno = ENOENT;
 			return 0;
+		}
 
 		if (!rulenum)
 			nft_rule_list_chain_save(c, &counters);
@@ -2953,8 +2957,10 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain,
 	nft_fn = nft_rule_delete;
 
 	c = nft_chain_find(h, table, chain);
-	if (!c)
+	if (!c) {
+		errno = ENOENT;
 		return 0;
+	}
 
 	r = nft_rule_find(h, c, NULL, rulenum);
 	if (r == NULL) {
-- 
2.35.3

Re: [iptables PATCH] iptables: Add missing error codes

[Phil Sutter]

Hi,

On Tue, Jan 23, 2024 at 11:14:27AM +0100, Jacek Tomasiak wrote:
> Without these, commands like `iptables -n -L CHAIN` sometimes print
> "Incompatible with this kernel" instead of "No chain/target/match
> by that name".

Thanks for the fix! I see errno value is tainted by unrelated code-paths
if not explicitly set, but I failed to find a working reproducer. Do you
have one at hand? Would be good to add a test and maybe add a Fixes: tag
unless this is a day-1 bug.

Cheers, Phil

Re: [iptables PATCH] iptables: Add missing error codes

[Jacek Tomasiak]

Hi,

> (...) I failed to find a working reproducer. Do you
> have one at hand? Would be good to add a test and maybe add a Fixes: tag
> unless this is a day-1 bug.

Unfortunately I see this behavior only inside our products. I couldn't reproduce
it in any other environment. I suspect that this is related to some
kernel configuration
or modules which are present there but I didn't investigate it further.

Regards,
Jacek

-- 
| PZDR Jacek aka SkaZi                                       \\
| mail: jacek.tomasiak@gmail.com "Oset nie ma zadnego       /O `----.
| XMPP/Jabber: skazi@tomasiak.pl  pozytku z tego, ze     * (_.-.     )\
|                                 sie na nim siedzi..." *|* rs //--// X

Re: [iptables PATCH] iptables: Add missing error codes

[Phil Sutter]

On Tue, Jan 23, 2024 at 05:14:50PM +0100, Jacek Tomasiak wrote:
> > (...) I failed to find a working reproducer. Do you
> > have one at hand? Would be good to add a test and maybe add a Fixes: tag
> > unless this is a day-1 bug.
> 
> Unfortunately I see this behavior only inside our products. I couldn't reproduce
> it in any other environment. I suspect that this is related to some
> kernel configuration
> or modules which are present there but I didn't investigate it further.

Thanks for your feedback, I applied the patch as-is.

Thanks, Phil