[iptables PATCH] arptables: Warn when ignoring '-p' option

[iptables PATCH] arptables: Warn when ignoring '-p' option

[Phil Sutter]

Legacy arptables has been silently ignoring this flag (plus mandatory
argument) since day 1. Retain compatibility to that behaviour but inform
users that a part of their rule does nothing.

Since arp is the only family which didn't provide a proto_parse
callback, implement one for the sole purpose of printing the warning. As
a side-effect, caller no longer has to check callback's existence.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-arp.c | 8 ++++++++
 iptables/xshared.c | 3 +--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 2140a88d4a6a9..d1e352e54f97c 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -452,6 +452,13 @@ static int get16_and_mask(const char *from, uint16_t *to,
 	return ret;
 }
 
+static void nft_arp_proto_parse_warn(struct iptables_command_state *cs,
+				     struct xtables_args *args)
+{
+	fprintf(stderr,
+		"Warning: Ignoring '-p' option not supported by arptables\n");
+}
+
 static void nft_arp_post_parse(int command,
 			       struct iptables_command_state *cs,
 			       struct xtables_args *args)
@@ -831,6 +838,7 @@ struct nft_family_ops nft_family_ops_arp = {
 	.save_chain		= nft_arp_save_chain,
 	.rule_parse		= &nft_ruleparse_ops_arp,
 	.cmd_parse		= {
+		.proto_parse	= nft_arp_proto_parse_warn,
 		.post_parse	= nft_arp_post_parse,
 		.option_name	= nft_arp_option_name,
 		.option_invert	= nft_arp_option_invert,
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 26e91e370eb84..263dcc32e5eb1 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1657,8 +1657,7 @@ void do_parse(int argc, char *argv[],
 			cs->protocol = optarg;
 
 			/* This needs to happen here to parse extensions */
-			if (p->ops->proto_parse)
-				p->ops->proto_parse(cs, args);
+			p->ops->proto_parse(cs, args);
 			break;
 
 		case 's':
-- 
2.51.0

Re: [iptables PATCH] arptables: Warn when ignoring '-p' option

[Pablo Neira Ayuso]

On Thu, Apr 02, 2026 at 04:52:16PM +0200, Phil Sutter wrote:
> Legacy arptables has been silently ignoring this flag (plus mandatory
> argument) since day 1. Retain compatibility to that behaviour but inform
> users that a part of their rule does nothing.
> 
> Since arp is the only family which didn't provide a proto_parse
> callback, implement one for the sole purpose of printing the warning. As
> a side-effect, caller no longer has to check callback's existence.
> 
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

Re: [iptables PATCH] arptables: Warn when ignoring '-p' option

[Phil Sutter]

On Fri, Apr 03, 2026 at 12:52:34PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Apr 02, 2026 at 04:52:16PM +0200, Phil Sutter wrote:
> > Legacy arptables has been silently ignoring this flag (plus mandatory
> > argument) since day 1. Retain compatibility to that behaviour but inform
> > users that a part of their rule does nothing.
> > 
> > Since arp is the only family which didn't provide a proto_parse
> > callback, implement one for the sole purpose of printing the warning. As
> > a side-effect, caller no longer has to check callback's existence.
> > 
> > Signed-off-by: Phil Sutter <phil@nwl.cc>
> 
> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

Patch applied, thanks!