[iptables PATCH 0/5] Some minor fixes

[iptables PATCH 0/5] Some minor fixes

[Phil Sutter]

Correct some things I noticed while working on something else. Nothing
depends on those, so push them separately.

Phil Sutter (5):
  tests: iptables-test: Append stderr output to log file
  man: xtables-legacy.8: Join two paragraphs
  man: ebtables-nft.8: Note that --concurrent is a NOP
  gitignore: Ignore generated arptables-translate.8
  xshared: iptables does not support '-b'

 iptables-test.py          | 6 ++++++
 iptables/.gitignore       | 1 +
 iptables/ebtables-nft.8   | 3 ++-
 iptables/xshared.h        | 2 +-
 iptables/xtables-legacy.8 | 1 -
 5 files changed, 10 insertions(+), 3 deletions(-)

-- 
2.43.0

[iptables PATCH 1/5] tests: iptables-test: Append stderr output to log file

[Phil Sutter]

Right now this merely contains a number of intrapositioned negation
warnings, but might be useful in future when debugging unexpected
failures.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables-test.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/iptables-test.py b/iptables-test.py
index cefe42335d25d..77278925d7217 100755
--- a/iptables-test.py
+++ b/iptables-test.py
@@ -132,6 +132,8 @@ STDERR_IS_TTY = sys.stderr.isatty()
                             stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     out, err = proc.communicate()
+    if len(err):
+        print(err, file=log_file)
 
     #
     # check for segfaults
@@ -333,6 +335,8 @@ STDERR_IS_TTY = sys.stderr.isatty()
                             stderr = subprocess.PIPE)
     restore_data = "\n".join(restore_data) + "\n"
     out, err = proc.communicate(input = restore_data)
+    if len(err):
+        print(err, file=log_file)
 
     if proc.returncode == -11:
         reason = iptables + "-restore segfaults!"
@@ -358,6 +362,8 @@ STDERR_IS_TTY = sys.stderr.isatty()
                             stdout = subprocess.PIPE,
                             stderr = subprocess.PIPE)
     out, err = proc.communicate()
+    if len(err):
+        print(err, file=log_file)
 
     if proc.returncode == -11:
         reason = iptables + "-save segfaults!"
-- 
2.43.0

[iptables PATCH 2/5] man: xtables-legacy.8: Join two paragraphs

[Phil Sutter]

The second one referring to xtables-monitor seems out of context without
the first one, join them.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xtables-legacy.8 | 1 -
 1 file changed, 1 deletion(-)

diff --git a/iptables/xtables-legacy.8 b/iptables/xtables-legacy.8
index 6db7d2cb4357a..fa26a555c5e90 100644
--- a/iptables/xtables-legacy.8
+++ b/iptables/xtables-legacy.8
@@ -63,7 +63,6 @@ updates might be lost.  This can be worked around partially with the \-\-wait op
 
 There is also no method to monitor changes to the ruleset, except periodically calling
 iptables-legacy-save and checking for any differences in output.
-
 .B xtables\-monitor(8)
 will need the
 .B xtables\-nft(8)
-- 
2.43.0

[iptables PATCH 3/5] man: ebtables-nft.8: Note that --concurrent is a NOP

[Phil Sutter]

For obvious reasons, ebtables-nft does not need file-based locking to
prevent concurrency.

Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ebtables-nft.8 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index 29c7d9faf8106..8698165024de1 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -358,7 +358,8 @@ When talking to the kernel, use this
 to try to automatically load missing kernel modules.
 .TP
 .B --concurrent
-Use a file lock to support concurrent scripts updating the ebtables kernel tables.
+This would use a file lock to support concurrent scripts updating the ebtables
+kernel tables. It is not needed with \fBebtables-nft\fP though and thus ignored.
 
 .SS
 RULE SPECIFICATIONS
-- 
2.43.0

[iptables PATCH 4/5] gitignore: Ignore generated arptables-translate.8

[Phil Sutter]

It is a semantic link created by the build system.

Fixes: 68ff869e94a1b ("Makefile: Install arptables-translate link and man page")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/.gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/iptables/.gitignore b/iptables/.gitignore
index 8141e34d8b629..b922239279654 100644
--- a/iptables/.gitignore
+++ b/iptables/.gitignore
@@ -1,3 +1,4 @@
+/arptables-translate.8
 /ebtables-translate.8
 /ip6tables
 /ip6tables.8
-- 
2.43.0

[iptables PATCH 5/5] xshared: iptables does not support '-b'

[Phil Sutter]

This flag is merely known to iptables-restore but actively rejected
there and it does not use IPT_OPTSTRING at all.

Fixes: 384958620abab ("use nf_tables and nf_tables compatibility interface")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xshared.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iptables/xshared.h b/iptables/xshared.h
index 0018b7c70bd83..a111e79793b54 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -80,7 +80,7 @@ struct xtables_rule_match;
 struct xtables_target;
 
 #define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:R:S::VX::Z::" "c:d:i:j:o:p:s:t:v"
-#define IPT_OPTSTRING	OPTSTRING_COMMON "W::" "46bfg:h::m:nw::x"
+#define IPT_OPTSTRING	OPTSTRING_COMMON "W::" "46fg:h::m:nw::x"
 #define ARPT_OPTSTRING	OPTSTRING_COMMON "h::l:nx" /* "m:" */
 #define EBT_OPTSTRING	OPTSTRING_COMMON "h"
 
-- 
2.43.0

Re: [iptables PATCH 0/5] Some minor fixes

[Phil Sutter]

On Wed, Oct 09, 2024 at 12:50:32PM +0200, Phil Sutter wrote:
> Correct some things I noticed while working on something else. Nothing
> depends on those, so push them separately.
> 
> Phil Sutter (5):
>   tests: iptables-test: Append stderr output to log file
>   man: xtables-legacy.8: Join two paragraphs
>   man: ebtables-nft.8: Note that --concurrent is a NOP
>   gitignore: Ignore generated arptables-translate.8
>   xshared: iptables does not support '-b'

Series applied.