* [iptables PATCH 0/6] Some more code de-duplication
@ 2021-12-09  0:22 Phil Sutter
  2021-12-09  0:22 ` [iptables PATCH 1/6] xshared: Share print_match_save() between legacy ip*tables Phil Sutter
                   ` (5 more replies)
  0 siblings, 6 replies; 9+ messages in thread
From: Phil Sutter @ 2021-12-09  0:22 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Patch 1 merges a common function in legacy ip*tables, the remaining
ones deal with help printing:

Patch 2 merges the three almost identical copies of iptables help text
into a single function.

Patches 3, 4 and 5 extend libxtables enough to provide a default
exit_err callback which all ip*tables may use as-is.

Patch 6 removes duplicated info from output in a specific error
condition. The benefit here is mostly that four fewer spots make use
of that global 'line' variable.

Phil Sutter (6):
  xshared: Share print_match_save() between legacy ip*tables
  xshared: Share a common printhelp function
  libxtables: Add xtables_exit_tryhelp()
  xtables_globals: Introduce program_variant
  libxtables: Extend basic_exit_err()
  iptables-*-restore: Drop pointless line reference

 include/xtables.h      |   3 +-
 iptables/ip6tables.c   | 154 ++---------------------------------------
 iptables/iptables.c    | 154 ++---------------------------------------
 iptables/xshared.c     | 133 +++++++++++++++++++++++++++++++++++
 iptables/xshared.h     |   4 ++
 iptables/xtables-arp.c |   3 +-
 iptables/xtables-eb.c  |   7 +-
 iptables/xtables.c     | 132 +++--------------------------------
 libxtables/xtables.c   |  26 ++++++-
 9 files changed, 190 insertions(+), 426 deletions(-)

-- 
2.33.0



* [iptables PATCH 1/6] xshared: Share print_match_save() between legacy ip*tables
  2021-12-09  0:22 [iptables PATCH 0/6] Some more code de-duplication Phil Sutter
@ 2021-12-09  0:22 ` Phil Sutter
  2021-12-09  0:22 ` [iptables PATCH 2/6] xshared: Share a common printhelp function Phil Sutter
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Phil Sutter @ 2021-12-09  0:22 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

The only difference between the former two copies was the type of the
ip*_entry parameter. But since it is treated as opaque, just hide that
detail by casting to void.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c | 31 -------------------------------
 iptables/iptables.c  | 31 -------------------------------
 iptables/xshared.c   | 30 ++++++++++++++++++++++++++++++
 iptables/xshared.h   |  2 ++
 4 files changed, 32 insertions(+), 62 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 5a64566eecd2a..0509c36c839b7 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -644,37 +644,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 	return found;
 }
 
-static int print_match_save(const struct xt_entry_match *e,
-			const struct ip6t_ip6 *ip)
-{
-	const char *name = e->u.user.name;
-	const int revision = e->u.user.revision;
-	struct xtables_match *match, *mt, *mt2;
-
-	match = xtables_find_match(name, XTF_TRY_LOAD, NULL);
-	if (match) {
-		mt = mt2 = xtables_find_match_revision(name, XTF_TRY_LOAD,
-						       match, revision);
-		if (!mt2)
-			mt2 = match;
-		printf(" -m %s", mt2->alias ? mt2->alias(e) : name);
-
-		/* some matches don't provide a save function */
-		if (mt && mt->save)
-			mt->save(ip, e);
-		else if (match->save)
-			printf(unsupported_rev);
-	} else {
-		if (e->u.match_size) {
-			fprintf(stderr,
-				"Can't find library for match `%s'\n",
-				name);
-			exit(1);
-		}
-	}
-	return 0;
-}
-
 /* We want this to be readable, so only print out necessary fields.
  * Because that's the kind of world I want to live in.
  */
diff --git a/iptables/iptables.c b/iptables/iptables.c
index ac51c612d92f2..a69d42387f062 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -642,37 +642,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 
 #define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n))
 
-static int print_match_save(const struct xt_entry_match *e,
-			const struct ipt_ip *ip)
-{
-	const char *name = e->u.user.name;
-	const int revision = e->u.user.revision;
-	struct xtables_match *match, *mt, *mt2;
-
-	match = xtables_find_match(name, XTF_TRY_LOAD, NULL);
-	if (match) {
-		mt = mt2 = xtables_find_match_revision(name, XTF_TRY_LOAD,
-						       match, revision);
-		if (!mt2)
-			mt2 = match;
-		printf(" -m %s", mt2->alias ? mt2->alias(e) : name);
-
-		/* some matches don't provide a save function */
-		if (mt && mt->save)
-			mt->save(ip, e);
-		else if (match->save)
-			printf(unsupported_rev);
-	} else {
-		if (e->u.match_size) {
-			fprintf(stderr,
-				"Can't find library for match `%s'\n",
-				name);
-			exit(1);
-		}
-	}
-	return 0;
-}
-
 /* We want this to be readable, so only print out necessary fields.
  * Because that's the kind of world I want to live in.
  */
diff --git a/iptables/xshared.c b/iptables/xshared.c
index a1ca2b0fd7e3e..94a2d08815d92 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1119,3 +1119,33 @@ void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
 		printf(" -f");
 	}
 }
+
+int print_match_save(const struct xt_entry_match *e, const void *ip)
+{
+	const char *name = e->u.user.name;
+	const int revision = e->u.user.revision;
+	struct xtables_match *match, *mt, *mt2;
+
+	match = xtables_find_match(name, XTF_TRY_LOAD, NULL);
+	if (match) {
+		mt = mt2 = xtables_find_match_revision(name, XTF_TRY_LOAD,
+						       match, revision);
+		if (!mt2)
+			mt2 = match;
+		printf(" -m %s", mt2->alias ? mt2->alias(e) : name);
+
+		/* some matches don't provide a save function */
+		if (mt && mt->save)
+			mt->save(ip, e);
+		else if (match->save)
+			printf(" [unsupported revision]");
+	} else {
+		if (e->u.match_size) {
+			fprintf(stderr,
+				"Can't find library for match `%s'\n",
+				name);
+			exit(1);
+		}
+	}
+	return 0;
+}
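Review bot: Widening the second parameter of `print_match_save()` to `const void *ip` removes the compile-time check that a caller passes the ip struct of its own family, and the pointer is forwarded unchanged to `mt->save(ip, e)`. A comment above the definition would record the contract, for example `/* ip: the rule's struct ipt_ip or struct ip6t_ip6, handed to the extension's save() as-is; must match the family of the loaded match */`. The function also returns 0 on every path and calls `exit(1)` when no library is found for a match with a non-zero `match_size`, so the comment should say that the return value carries no error information.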
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 060c62ef0b5ca..1ee64d9e4010d 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -257,4 +257,6 @@ void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
 		       const char *outiface, unsigned const char *outiface_mask,
 		       uint16_t proto, int frag, uint8_t invflags);
 
+int print_match_save(const struct xt_entry_match *e, const void *ip);
+
 #endif /* IPTABLES_XSHARED_H */
-- 
2.33.0



* [iptables PATCH 2/6] xshared: Share a common printhelp function
  2021-12-09  0:22 [iptables PATCH 0/6] Some more code de-duplication Phil Sutter
  2021-12-09  0:22 ` [iptables PATCH 1/6] xshared: Share print_match_save() between legacy ip*tables Phil Sutter
@ 2021-12-09  0:22 ` Phil Sutter
  2021-12-09  0:22 ` [iptables PATCH 3/6] libxtables: Add xtables_exit_tryhelp() Phil Sutter
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Phil Sutter @ 2021-12-09  0:22 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Help texts in legacy and nft variants are supposed to be identical, but
those of iptables and ip6tables largely overlapped already. By referring
to xt_params and afinfo pointers, it is relatively trivial to craft a
suitable help text on demand, so duplicated help texts can be
eliminated.

As a side-effect, this fixes ip6tables-nft help text - it was identical
to that of iptables-nft.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c |  79 +--------------------------------
 iptables/iptables.c  |  78 +-------------------------------
 iptables/xshared.c   | 103 +++++++++++++++++++++++++++++++++++++++++++
 iptables/xshared.h   |   2 +
 iptables/xtables.c   |  85 +----------------------------------
 5 files changed, 108 insertions(+), 239 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 0509c36c839b7..46f7785b8a9c5 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -114,84 +114,7 @@ exit_tryhelp(int status)
 static void
 exit_printhelp(const struct xtables_rule_match *matches)
 {
-	printf("%s v%s\n\n"
-"Usage: %s -[ACD] chain rule-specification [options]\n"
-"       %s -I chain [rulenum] rule-specification [options]\n"
-"       %s -R chain rulenum rule-specification [options]\n"
-"       %s -D chain rulenum [options]\n"
-"       %s -[LS] [chain [rulenum]] [options]\n"
-"       %s -[FZ] [chain] [options]\n"
-"       %s -[NX] chain\n"
-"       %s -E old-chain-name new-chain-name\n"
-"       %s -P chain target [options]\n"
-"       %s -h (print this help information)\n\n",
-	       prog_name, prog_vers, prog_name, prog_name,
-	       prog_name, prog_name, prog_name, prog_name,
-	       prog_name, prog_name, prog_name, prog_name);
-
-	printf(
-"Commands:\n"
-"Either long or short options are allowed.\n"
-"  --append  -A chain		Append to chain\n"
-"  --check   -C chain		Check for the existence of a rule\n"
-"  --delete  -D chain		Delete matching rule from chain\n"
-"  --delete  -D chain rulenum\n"
-"				Delete rule rulenum (1 = first) from chain\n"
-"  --insert  -I chain [rulenum]\n"
-"				Insert in chain as rulenum (default 1=first)\n"
-"  --replace -R chain rulenum\n"
-"				Replace rule rulenum (1 = first) in chain\n"
-"  --list    -L [chain [rulenum]]\n"
-"				List the rules in a chain or all chains\n"
-"  --list-rules -S [chain [rulenum]]\n"
-"				Print the rules in a chain or all chains\n"
-"  --flush   -F [chain]		Delete all rules in  chain or all chains\n"
-"  --zero    -Z [chain [rulenum]]\n"
-"				Zero counters in chain or all chains\n"
-"  --new     -N chain		Create a new user-defined chain\n"
-"  --delete-chain\n"
-"            -X [chain]		Delete a user-defined chain\n"
-"  --policy  -P chain target\n"
-"				Change policy on chain to target\n"
-"  --rename-chain\n"
-"            -E old-chain new-chain\n"
-"				Change chain name, (moving any references)\n"
-
-"Options:\n"
-"    --ipv4	-4		Error (line is ignored by ip6tables-restore)\n"
-"    --ipv6	-6		Nothing (line is ignored by iptables-restore)\n"
-"[!] --protocol	-p proto	protocol: by number or name, eg. `tcp'\n"
-"[!] --source	-s address[/mask][,...]\n"
-"				source specification\n"
-"[!] --destination -d address[/mask][,...]\n"
-"				destination specification\n"
-"[!] --in-interface -i input name[+]\n"
-"				network interface name ([+] for wildcard)\n"
-"  --jump	-j target\n"
-"				target for rule (may load target extension)\n"
-#ifdef IP6T_F_GOTO
-"  --goto	-g chain\n"
-"				jump to chain with no return\n"
-#endif
-"  --match	-m match\n"
-"				extended match (may load extension)\n"
-"  --numeric	-n		numeric output of addresses and ports\n"
-"[!] --out-interface -o output name[+]\n"
-"				network interface name ([+] for wildcard)\n"
-"  --table	-t table	table to manipulate (default: `filter')\n"
-"  --verbose	-v		verbose mode\n"
-"  --wait	-w [seconds]	maximum wait to acquire xtables lock before give up\n"
-"  --wait-interval -W [usecs]	wait time to try to acquire xtables lock\n"
-"				interval to wait for xtables lock\n"
-"				default is 1 second\n"
-"  --line-numbers		print line numbers when listing\n"
-"  --exact	-x		expand numbers (display exact values)\n"
-/*"[!] --fragment	-f		match second or further fragments only\n"*/
-"  --modprobe=<command>		try to insert modules using this command\n"
-"  --set-counters PKTS BYTES	set the counter during insert/append\n"
-"[!] --version	-V		print package version.\n");
-
-	print_extension_helps(xtables_targets, matches);
+	xtables_printhelp(matches);
 	exit(0);
 }
 
diff --git a/iptables/iptables.c b/iptables/iptables.c
index a69d42387f062..7b4503498865d 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -112,83 +112,7 @@ exit_tryhelp(int status)
 static void
 exit_printhelp(const struct xtables_rule_match *matches)
 {
-	printf("%s v%s\n\n"
-"Usage: %s -[ACD] chain rule-specification [options]\n"
-"       %s -I chain [rulenum] rule-specification [options]\n"
-"       %s -R chain rulenum rule-specification [options]\n"
-"       %s -D chain rulenum [options]\n"
-"       %s -[LS] [chain [rulenum]] [options]\n"
-"       %s -[FZ] [chain] [options]\n"
-"       %s -[NX] chain\n"
-"       %s -E old-chain-name new-chain-name\n"
-"       %s -P chain target [options]\n"
-"       %s -h (print this help information)\n\n",
-	       prog_name, prog_vers, prog_name, prog_name,
-	       prog_name, prog_name, prog_name, prog_name,
-	       prog_name, prog_name, prog_name, prog_name);
-
-	printf(
-"Commands:\n"
-"Either long or short options are allowed.\n"
-"  --append  -A chain		Append to chain\n"
-"  --check   -C chain		Check for the existence of a rule\n"
-"  --delete  -D chain		Delete matching rule from chain\n"
-"  --delete  -D chain rulenum\n"
-"				Delete rule rulenum (1 = first) from chain\n"
-"  --insert  -I chain [rulenum]\n"
-"				Insert in chain as rulenum (default 1=first)\n"
-"  --replace -R chain rulenum\n"
-"				Replace rule rulenum (1 = first) in chain\n"
-"  --list    -L [chain [rulenum]]\n"
-"				List the rules in a chain or all chains\n"
-"  --list-rules -S [chain [rulenum]]\n"
-"				Print the rules in a chain or all chains\n"
-"  --flush   -F [chain]		Delete all rules in  chain or all chains\n"
-"  --zero    -Z [chain [rulenum]]\n"
-"				Zero counters in chain or all chains\n"
-"  --new     -N chain		Create a new user-defined chain\n"
-"  --delete-chain\n"
-"            -X [chain]		Delete a user-defined chain\n"
-"  --policy  -P chain target\n"
-"				Change policy on chain to target\n"
-"  --rename-chain\n"
-"            -E old-chain new-chain\n"
-"				Change chain name, (moving any references)\n"
-
-"Options:\n"
-"    --ipv4	-4		Nothing (line is ignored by ip6tables-restore)\n"
-"    --ipv6	-6		Error (line is ignored by iptables-restore)\n"
-"[!] --protocol	-p proto	protocol: by number or name, eg. `tcp'\n"
-"[!] --source	-s address[/mask][...]\n"
-"				source specification\n"
-"[!] --destination -d address[/mask][...]\n"
-"				destination specification\n"
-"[!] --in-interface -i input name[+]\n"
-"				network interface name ([+] for wildcard)\n"
-" --jump	-j target\n"
-"				target for rule (may load target extension)\n"
-#ifdef IPT_F_GOTO
-"  --goto      -g chain\n"
-"                              jump to chain with no return\n"
-#endif
-"  --match	-m match\n"
-"				extended match (may load extension)\n"
-"  --numeric	-n		numeric output of addresses and ports\n"
-"[!] --out-interface -o output name[+]\n"
-"				network interface name ([+] for wildcard)\n"
-"  --table	-t table	table to manipulate (default: `filter')\n"
-"  --verbose	-v		verbose mode\n"
-"  --wait	-w [seconds]	maximum wait to acquire xtables lock before give up\n"
-"  --wait-interval -W [usecs]	wait time to try to acquire xtables lock\n"
-"				default is 1 second\n"
-"  --line-numbers		print line numbers when listing\n"
-"  --exact	-x		expand numbers (display exact values)\n"
-"[!] --fragment	-f		match second or further fragments only\n"
-"  --modprobe=<command>		try to insert modules using this command\n"
-"  --set-counters PKTS BYTES	set the counter during insert/append\n"
-"[!] --version	-V		print package version.\n");
-
-	print_extension_helps(xtables_targets, matches);
+	xtables_printhelp(matches);
 	exit(0);
 }
 
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 94a2d08815d92..9b32610772ba5 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1149,3 +1149,106 @@ int print_match_save(const struct xt_entry_match *e, const void *ip)
 	}
 	return 0;
 }
+
+void
+xtables_printhelp(const struct xtables_rule_match *matches)
+{
+	const char *prog_name = xt_params->program_name;
+	const char *prog_vers = xt_params->program_version;
+
+	printf("%s v%s\n\n"
+"Usage: %s -[ACD] chain rule-specification [options]\n"
+"       %s -I chain [rulenum] rule-specification [options]\n"
+"       %s -R chain rulenum rule-specification [options]\n"
+"       %s -D chain rulenum [options]\n"
+"       %s -[LS] [chain [rulenum]] [options]\n"
+"       %s -[FZ] [chain] [options]\n"
+"       %s -[NX] chain\n"
+"       %s -E old-chain-name new-chain-name\n"
+"       %s -P chain target [options]\n"
+"       %s -h (print this help information)\n\n",
+	       prog_name, prog_vers, prog_name, prog_name,
+	       prog_name, prog_name, prog_name, prog_name,
+	       prog_name, prog_name, prog_name, prog_name);
+
+	printf(
+"Commands:\n"
+"Either long or short options are allowed.\n"
+"  --append  -A chain		Append to chain\n"
+"  --check   -C chain		Check for the existence of a rule\n"
+"  --delete  -D chain		Delete matching rule from chain\n"
+"  --delete  -D chain rulenum\n"
+"				Delete rule rulenum (1 = first) from chain\n"
+"  --insert  -I chain [rulenum]\n"
+"				Insert in chain as rulenum (default 1=first)\n"
+"  --replace -R chain rulenum\n"
+"				Replace rule rulenum (1 = first) in chain\n"
+"  --list    -L [chain [rulenum]]\n"
+"				List the rules in a chain or all chains\n"
+"  --list-rules -S [chain [rulenum]]\n"
+"				Print the rules in a chain or all chains\n"
+"  --flush   -F [chain]		Delete all rules in  chain or all chains\n"
+"  --zero    -Z [chain [rulenum]]\n"
+"				Zero counters in chain or all chains\n"
+"  --new     -N chain		Create a new user-defined chain\n"
+"  --delete-chain\n"
+"            -X [chain]		Delete a user-defined chain\n"
+"  --policy  -P chain target\n"
+"				Change policy on chain to target\n"
+"  --rename-chain\n"
+"            -E old-chain new-chain\n"
+"				Change chain name, (moving any references)\n");
+
+	printf(
+"Options:\n"
+"    --ipv4	-4		%s (line is ignored by ip6tables-restore)\n"
+"    --ipv6	-6		%s (line is ignored by iptables-restore)\n"
+"[!] --protocol	-p proto	protocol: by number or name, eg. `tcp'\n"
+"[!] --source	-s address[/mask][...]\n"
+"				source specification\n"
+"[!] --destination -d address[/mask][...]\n"
+"				destination specification\n"
+"[!] --in-interface -i input name[+]\n"
+"				network interface name ([+] for wildcard)\n"
+" --jump	-j target\n"
+"				target for rule (may load target extension)\n",
+	afinfo->family == NFPROTO_IPV4 ? "Nothing" : "Error",
+	afinfo->family == NFPROTO_IPV4 ? "Error" : "Nothing");
+
+	if (0
+#ifdef IPT_F_GOTO
+	    || afinfo->family == NFPROTO_IPV4
+#endif
+#ifdef IP6T_F_GOTO
+	    || afinfo->family == NFPROTO_IPV6
+#endif
+	   )
+		printf(
+"  --goto      -g chain\n"
+"			       jump to chain with no return\n");
+	printf(
+"  --match	-m match\n"
+"				extended match (may load extension)\n"
+"  --numeric	-n		numeric output of addresses and ports\n"
+"[!] --out-interface -o output name[+]\n"
+"				network interface name ([+] for wildcard)\n"
+"  --table	-t table	table to manipulate (default: `filter')\n"
+"  --verbose	-v		verbose mode\n"
+"  --wait	-w [seconds]	maximum wait to acquire xtables lock before give up\n"
+"  --wait-interval -W [usecs]	wait time to try to acquire xtables lock\n"
+"				interval to wait for xtables lock\n"
+"				default is 1 second\n"
+"  --line-numbers		print line numbers when listing\n"
+"  --exact	-x		expand numbers (display exact values)\n");
+
+	if (afinfo->family == NFPROTO_IPV4)
+		printf(
+"[!] --fragment	-f		match second or further fragments only\n");
+
+	printf(
+"  --modprobe=<command>		try to insert modules using this command\n"
+"  --set-counters PKTS BYTES	set the counter during insert/append\n"
+"[!] --version	-V		print package version.\n");
+
+	print_extension_helps(xtables_targets, matches);
+}
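Review bot: The merged option list in `xtables_printhelp()` prints two descriptions under `--wait-interval`, because the ip6tables-only string `interval to wait for xtables lock` was carried over; the iptables.c and xtables.c copies removed by this patch did not have it, so dropping that string keeps the text the other variants printed. The `--jump` entry keeps the single leading space of the iptables copy (`" --jump	-j target\n"`), where the ip6tables copy and the neighbouring entries use two. The `IPT_F_GOTO`/`IP6T_F_GOTO` guards are now evaluated in xshared.c, so whether `--goto` is shown for a family depends on which kernel headers that file includes, which is not visible in this hunk; a one-line comment above the `if (0` construct saying so would save the next reader the lookup.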
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 1ee64d9e4010d..3310954c1f441 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -259,4 +259,6 @@ void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
 
 int print_match_save(const struct xt_entry_match *e, const void *ip);
 
+void xtables_printhelp(const struct xtables_rule_match *matches);
+
 #endif /* IPTABLES_XSHARED_H */
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 32b93d2bfc8cd..36324a5de22a8 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -87,7 +87,6 @@ static struct option original_opts[] = {
 };
 
 void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
-static void printhelp(const struct xtables_rule_match *m);
 
 struct xtables_globals xtables_globals = {
 	.option_offset = 0,
@@ -96,7 +95,7 @@ struct xtables_globals xtables_globals = {
 	.orig_opts = original_opts,
 	.exit_err = xtables_exit_error,
 	.compat_rev = nft_compatible_revision,
-	.print_help = printhelp,
+	.print_help = xtables_printhelp,
 };
 
 #define opts xt_params->opts
@@ -114,88 +113,6 @@ exit_tryhelp(int status)
 	exit(status);
 }
 
-static void
-printhelp(const struct xtables_rule_match *matches)
-{
-	printf("%s v%s\n\n"
-"Usage: %s -[ACD] chain rule-specification [options]\n"
-"	%s -I chain [rulenum] rule-specification [options]\n"
-"	%s -R chain rulenum rule-specification [options]\n"
-"	%s -D chain rulenum [options]\n"
-"	%s -[LS] [chain [rulenum]] [options]\n"
-"	%s -[FZ] [chain] [options]\n"
-"	%s -[NX] chain\n"
-"	%s -E old-chain-name new-chain-name\n"
-"	%s -P chain target [options]\n"
-"	%s -h (print this help information)\n\n",
-	       prog_name, prog_vers, prog_name, prog_name,
-	       prog_name, prog_name, prog_name, prog_name,
-	       prog_name, prog_name, prog_name, prog_name);
-
-	printf(
-"Commands:\n"
-"Either long or short options are allowed.\n"
-"  --append  -A chain		Append to chain\n"
-"  --check   -C chain		Check for the existence of a rule\n"
-"  --delete  -D chain		Delete matching rule from chain\n"
-"  --delete  -D chain rulenum\n"
-"				Delete rule rulenum (1 = first) from chain\n"
-"  --insert  -I chain [rulenum]\n"
-"				Insert in chain as rulenum (default 1=first)\n"
-"  --replace -R chain rulenum\n"
-"				Replace rule rulenum (1 = first) in chain\n"
-"  --list    -L [chain [rulenum]]\n"
-"				List the rules in a chain or all chains\n"
-"  --list-rules -S [chain [rulenum]]\n"
-"				Print the rules in a chain or all chains\n"
-"  --flush   -F [chain]		Delete all rules in  chain or all chains\n"
-"  --zero    -Z [chain [rulenum]]\n"
-"				Zero counters in chain or all chains\n"
-"  --new     -N chain		Create a new user-defined chain\n"
-"  --delete-chain\n"
-"	     -X [chain]		Delete a user-defined chain\n"
-"  --policy  -P chain target\n"
-"				Change policy on chain to target\n"
-"  --rename-chain\n"
-"	     -E old-chain new-chain\n"
-"				Change chain name, (moving any references)\n"
-
-"Options:\n"
-"    --ipv4	-4		Nothing (line is ignored by ip6tables-restore)\n"
-"    --ipv6	-6		Error (line is ignored by iptables-restore)\n"
-"[!] --proto	-p proto	protocol: by number or name, eg. `tcp'\n"
-"[!] --source	-s address[/mask][...]\n"
-"				source specification\n"
-"[!] --destination -d address[/mask][...]\n"
-"				destination specification\n"
-"[!] --in-interface -i input name[+]\n"
-"				network interface name ([+] for wildcard)\n"
-" --jump	-j target\n"
-"				target for rule (may load target extension)\n"
-#ifdef IPT_F_GOTO
-"  --goto      -g chain\n"
-"			       jump to chain with no return\n"
-#endif
-"  --match	-m match\n"
-"				extended match (may load extension)\n"
-"  --numeric	-n		numeric output of addresses and ports\n"
-"[!] --out-interface -o output name[+]\n"
-"				network interface name ([+] for wildcard)\n"
-"  --table	-t table	table to manipulate (default: `filter')\n"
-"  --verbose	-v		verbose mode\n"
-"  --wait	-w [seconds]	maximum wait to acquire xtables lock before give up\n"
-"  --wait-interval -W [usecs]	wait time to try to acquire xtables lock\n"
-"				default is 1 second\n"
-"  --line-numbers		print line numbers when listing\n"
-"  --exact	-x		expand numbers (display exact values)\n"
-"[!] --fragment	-f		match second or further fragments only\n"
-"  --modprobe=<command>		try to insert modules using this command\n"
-"  --set-counters PKTS BYTES	set the counter during insert/append\n"
-"[!] --version	-V		print package version.\n");
-
-	print_extension_helps(xtables_targets, matches);
-}
-
 void
 xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
 {
-- 
2.33.0



* [iptables PATCH 3/6] libxtables: Add xtables_exit_tryhelp()
  2021-12-09  0:22 [iptables PATCH 0/6] Some more code de-duplication Phil Sutter
  2021-12-09  0:22 ` [iptables PATCH 1/6] xshared: Share print_match_save() between legacy ip*tables Phil Sutter
  2021-12-09  0:22 ` [iptables PATCH 2/6] xshared: Share a common printhelp function Phil Sutter
@ 2021-12-09  0:22 ` Phil Sutter
  2021-12-09  0:37   ` Pablo Neira Ayuso
  2021-12-09  0:22 ` [iptables PATCH 4/6] xtables_globals: Introduce program_variant Phil Sutter
                   ` (2 subsequent siblings)
  5 siblings, 1 reply; 9+ messages in thread
From: Phil Sutter @ 2021-12-09  0:22 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

This is just the exit_tryhelp() function, which existed three times in
identical form, under a more suitable name.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 include/xtables.h    |  1 +
 iptables/ip6tables.c | 19 ++++---------------
 iptables/iptables.c  | 19 ++++---------------
 iptables/xtables.c   | 21 +++++----------------
 libxtables/xtables.c | 10 ++++++++++
 5 files changed, 24 insertions(+), 46 deletions(-)

diff --git a/include/xtables.h b/include/xtables.h
index ca674c2663eb4..fdf77d83199d0 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -501,6 +501,7 @@ xtables_parse_interface(const char *arg, char *vianame, unsigned char *mask);
 
 extern struct xtables_globals *xt_params;
 #define xtables_error (xt_params->exit_err)
+extern void xtables_exit_tryhelp(int status) __attribute__((noreturn));
 
 extern void xtables_param_act(unsigned int, const char *, ...);
 
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 46f7785b8a9c5..b0ee512b83c52 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -100,17 +100,6 @@ struct xtables_globals ip6tables_globals = {
 #define prog_name ip6tables_globals.program_name
 #define prog_vers ip6tables_globals.program_version
 
-static void __attribute__((noreturn))
-exit_tryhelp(int status)
-{
-	if (line != -1)
-		fprintf(stderr, "Error occurred at line: %d\n", line);
-	fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
-			prog_name, prog_name);
-	xtables_free_opts(1);
-	exit(status);
-}
-
 static void
 exit_printhelp(const struct xtables_rule_match *matches)
 {
@@ -129,7 +118,7 @@ ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...)
 	va_end(args);
 	fprintf(stderr, "\n");
 	if (status == PARAMETER_PROBLEM)
-		exit_tryhelp(status);
+		xtables_exit_tryhelp(status);
 	if (status == VERSION_PROBLEM)
 		fprintf(stderr,
 			"Perhaps ip6tables or your kernel needs to be upgraded.\n");
@@ -1106,7 +1095,7 @@ int do_command6(int argc, char *argv[], char **table,
 			if (line != -1)
 				return 1; /* success: line ignored */
 			fprintf(stderr, "This is the IPv6 version of ip6tables.\n");
-			exit_tryhelp(2);
+			xtables_exit_tryhelp(2);
 
 		case '6':
 			/* This is indeed the IPv6 ip6tables */
@@ -1123,7 +1112,7 @@ int do_command6(int argc, char *argv[], char **table,
 				continue;
 			}
 			fprintf(stderr, "Bad argument `%s'\n", optarg);
-			exit_tryhelp(2);
+			xtables_exit_tryhelp(2);
 
 		default:
 			if (command_default(&cs, &ip6tables_globals, invert))
@@ -1372,7 +1361,7 @@ int do_command6(int argc, char *argv[], char **table,
 		break;
 	default:
 		/* We should never reach this... */
-		exit_tryhelp(2);
+		xtables_exit_tryhelp(2);
 	}
 
 	if (verbose > 1)
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 7b4503498865d..5bb262447fa48 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -98,17 +98,6 @@ struct xtables_globals iptables_globals = {
 #define prog_name iptables_globals.program_name
 #define prog_vers iptables_globals.program_version
 
-static void __attribute__((noreturn))
-exit_tryhelp(int status)
-{
-	if (line != -1)
-		fprintf(stderr, "Error occurred at line: %d\n", line);
-	fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
-			prog_name, prog_name);
-	xtables_free_opts(1);
-	exit(status);
-}
-
 static void
 exit_printhelp(const struct xtables_rule_match *matches)
 {
@@ -127,7 +116,7 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
 	va_end(args);
 	fprintf(stderr, "\n");
 	if (status == PARAMETER_PROBLEM)
-		exit_tryhelp(status);
+		xtables_exit_tryhelp(status);
 	if (status == VERSION_PROBLEM)
 		fprintf(stderr,
 			"Perhaps iptables or your kernel needs to be upgraded.\n");
@@ -1093,7 +1082,7 @@ int do_command4(int argc, char *argv[], char **table,
 			if (line != -1)
 				return 1; /* success: line ignored */
 			fprintf(stderr, "This is the IPv4 version of iptables.\n");
-			exit_tryhelp(2);
+			xtables_exit_tryhelp(2);
 
 		case 1: /* non option */
 			if (optarg[0] == '!' && optarg[1] == '\0') {
@@ -1106,7 +1095,7 @@ int do_command4(int argc, char *argv[], char **table,
 				continue;
 			}
 			fprintf(stderr, "Bad argument `%s'\n", optarg);
-			exit_tryhelp(2);
+			xtables_exit_tryhelp(2);
 
 		default:
 			if (command_default(&cs, &iptables_globals, invert))
@@ -1353,7 +1342,7 @@ int do_command4(int argc, char *argv[], char **table,
 		break;
 	default:
 		/* We should never reach this... */
-		exit_tryhelp(2);
+		xtables_exit_tryhelp(2);
 	}
 
 	if (verbose > 1)
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 36324a5de22a8..94eae958698d4 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -102,17 +102,6 @@ struct xtables_globals xtables_globals = {
 #define prog_name xt_params->program_name
 #define prog_vers xt_params->program_version
 
-static void __attribute__((noreturn))
-exit_tryhelp(int status)
-{
-	if (line != -1)
-		fprintf(stderr, "Error occurred at line: %d\n", line);
-	fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
-			prog_name, prog_name);
-	xtables_free_opts(1);
-	exit(status);
-}
-
 void
 xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
 {
@@ -124,7 +113,7 @@ xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
 	va_end(args);
 	fprintf(stderr, "\n");
 	if (status == PARAMETER_PROBLEM)
-		exit_tryhelp(status);
+		xtables_exit_tryhelp(status);
 	if (status == VERSION_PROBLEM)
 		fprintf(stderr,
 			"Perhaps iptables or your kernel needs to be upgraded.\n");
@@ -631,7 +620,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			if (p->restore && args->family == AF_INET6)
 				return;
 
-			exit_tryhelp(2);
+			xtables_exit_tryhelp(2);
 
 		case '6':
 			if (args->family == AF_INET6)
@@ -640,7 +629,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			if (p->restore && args->family == AF_INET)
 				return;
 
-			exit_tryhelp(2);
+			xtables_exit_tryhelp(2);
 
 		case 1: /* non option */
 			if (optarg[0] == '!' && optarg[1] == '\0') {
@@ -653,7 +642,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 				continue;
 			}
 			fprintf(stderr, "Bad argument `%s'\n", optarg);
-			exit_tryhelp(2);
+			xtables_exit_tryhelp(2);
 
 		default:
 			if (command_default(cs, xt_params, invert))
@@ -849,7 +838,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 		break;
 	default:
 		/* We should never reach this... */
-		exit_tryhelp(2);
+		xtables_exit_tryhelp(2);
 	}
 
 	*table = p.table;
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index d670175db2236..7112c76beee18 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -81,6 +81,16 @@ void basic_exit_err(enum xtables_exittype status, const char *msg, ...) __attrib
 
 struct xtables_globals *xt_params = NULL;
 
+void xtables_exit_tryhelp(int status)
+{
+	if (line != -1)
+		fprintf(stderr, "Error occurred at line: %d\n", line);
+	fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
+			xt_params->program_name, xt_params->program_name);
+	xtables_free_opts(1);
+	exit(status);
+}
+
 void basic_exit_err(enum xtables_exittype status, const char *msg, ...)
 {
 	va_list args;
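Review bot: `xtables_exit_tryhelp()` reads `line`, which is not declared in this hunk. If it is the restore-parser counter owned by the ip*tables binaries, every other program linking libxtables would have to supply that symbol. Passing the value in, e.g. `void xtables_exit_tryhelp(int status, int line)`, would keep the library self-contained. The function also dereferences `xt_params`, which is initialised to `NULL` two lines above it, so a header comment such as `/* Print the "try --help" hint, free the option table and exit; xt_params must already be set. */` would state the precondition.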
-- 
2.33.0



* [iptables PATCH 4/6] xtables_globals: Introduce program_variant
  2021-12-09  0:22 [iptables PATCH 0/6] Some more code de-duplication Phil Sutter
                   ` (2 preceding siblings ...)
  2021-12-09  0:22 ` [iptables PATCH 3/6] libxtables: Add xtables_exit_tryhelp() Phil Sutter
@ 2021-12-09  0:22 ` Phil Sutter
  2021-12-09  0:22 ` [iptables PATCH 5/6] libxtables: Extend basic_exit_err() Phil Sutter
  2021-12-09  0:22 ` [iptables PATCH 6/6] iptables-*-restore: Drop pointless line reference Phil Sutter
  5 siblings, 0 replies; 9+ messages in thread
From: Phil Sutter @ 2021-12-09  0:22 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

This is supposed to hold the variant name (either "legacy" or
"nf_tables") for use in shared help/error printing functions.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 include/xtables.h      | 2 +-
 iptables/ip6tables.c   | 1 +
 iptables/iptables.c    | 1 +
 iptables/xtables-arp.c | 1 +
 iptables/xtables-eb.c  | 1 +
 iptables/xtables.c     | 1 +
 6 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/include/xtables.h b/include/xtables.h
index fdf77d83199d0..8e6bab0a4364d 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -419,7 +419,7 @@ enum xtables_exittype {
 struct xtables_globals
 {
 	unsigned int option_offset;
-	const char *program_name, *program_version;
+	const char *program_name, *program_version, *program_variant;
 	const char *optstring;
 	struct option *orig_opts;
 	struct option *opts;
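Review bot: The new `program_variant` pointer is inserted in the middle of `struct xtables_globals`, which shifts `optstring`, `orig_opts`, `opts` and every member after them. If `include/xtables.h` is installed for external users, a program built against the old layout that hands its own instance to the library would be read at the wrong offsets. Appending the member would not fully help either, because older callers never allocated it, so this looks like an ABI change that needs a library version bump; whether the series does one is not visible here. The struct continues past this hunk. The field would also benefit from a comment, e.g. `/* "legacy" or "nf_tables"; optional, may be NULL */`.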
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index b0ee512b83c52..babb5af629660 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -91,6 +91,7 @@ void ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...) __
 struct xtables_globals ip6tables_globals = {
 	.option_offset = 0,
 	.program_version = PACKAGE_VERSION,
+	.program_variant = "legacy",
 	.orig_opts = original_opts,
 	.exit_err = ip6tables_exit_error,
 	.compat_rev = xtables_compatible_revision,
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 5bb262447fa48..75c605aa86121 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -89,6 +89,7 @@ void iptables_exit_error(enum xtables_exittype status, const char *msg, ...) __a
 struct xtables_globals iptables_globals = {
 	.option_offset = 0,
 	.program_version = PACKAGE_VERSION,
+	.program_variant = "legacy",
 	.orig_opts = original_opts,
 	.exit_err = iptables_exit_error,
 	.compat_rev = xtables_compatible_revision,
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index cca19438a877e..24d020de23370 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -89,6 +89,7 @@ static void printhelp(const struct xtables_rule_match *m);
 struct xtables_globals arptables_globals = {
 	.option_offset		= 0,
 	.program_version	= PACKAGE_VERSION,
+	.program_variant	= "nf_tables",
 	.optstring		= OPTSTRING_COMMON "C:R:S::" "h::l:nv" /* "m:" */,
 	.orig_opts		= original_opts,
 	.exit_err		= xtables_exit_error,
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 3f58754d14cee..b78d5b6aa74f5 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -220,6 +220,7 @@ extern void xtables_exit_error(enum xtables_exittype status, const char *msg, ..
 struct xtables_globals ebtables_globals = {
 	.option_offset 		= 0,
 	.program_version	= PACKAGE_VERSION,
+	.program_variant	= "nf_tables",
 	.optstring		= OPTSTRING_COMMON "h",
 	.orig_opts		= ebt_original_options,
 	.exit_err		= xtables_exit_error,
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 94eae958698d4..0f24532bc2b4a 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -91,6 +91,7 @@ void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __at
 struct xtables_globals xtables_globals = {
 	.option_offset = 0,
 	.program_version = PACKAGE_VERSION,
+	.program_variant = "nf_tables",
 	.optstring = OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x",
 	.orig_opts = original_opts,
 	.exit_err = xtables_exit_error,
-- 
2.33.0



* [iptables PATCH 5/6] libxtables: Extend basic_exit_err()
  2021-12-09  0:22 [iptables PATCH 0/6] Some more code de-duplication Phil Sutter
                   ` (3 preceding siblings ...)
  2021-12-09  0:22 ` [iptables PATCH 4/6] xtables_globals: Introduce program_variant Phil Sutter
@ 2021-12-09  0:22 ` Phil Sutter
  2021-12-09  0:22 ` [iptables PATCH 6/6] iptables-*-restore: Drop pointless line reference Phil Sutter
  5 siblings, 0 replies; 9+ messages in thread
From: Phil Sutter @ 2021-12-09  0:22 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Basically merge the function with xtables_exit_error, optionally
printing the program variant (if set) and a status-specific footer.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c   | 22 ----------------------
 iptables/iptables.c    | 23 -----------------------
 iptables/xtables-arp.c |  2 --
 iptables/xtables-eb.c  |  2 --
 iptables/xtables.c     | 23 -----------------------
 libxtables/xtables.c   | 16 +++++++++++++++-
 6 files changed, 15 insertions(+), 73 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index babb5af629660..68ecb9982ab73 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -87,13 +87,11 @@ static struct option original_opts[] = {
 	{NULL},
 };
 
-void ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
 struct xtables_globals ip6tables_globals = {
 	.option_offset = 0,
 	.program_version = PACKAGE_VERSION,
 	.program_variant = "legacy",
 	.orig_opts = original_opts,
-	.exit_err = ip6tables_exit_error,
 	.compat_rev = xtables_compatible_revision,
 };
 
@@ -108,26 +106,6 @@ exit_printhelp(const struct xtables_rule_match *matches)
 	exit(0);
 }
 
-void
-ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...)
-{
-	va_list args;
-
-	va_start(args, msg);
-	fprintf(stderr, "%s v%s (legacy): ", prog_name, prog_vers);
-	vfprintf(stderr, msg, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	if (status == PARAMETER_PROBLEM)
-		xtables_exit_tryhelp(status);
-	if (status == VERSION_PROBLEM)
-		fprintf(stderr,
-			"Perhaps ip6tables or your kernel needs to be upgraded.\n");
-	/* On error paths, make sure that we don't leak memory */
-	xtables_free_opts(1);
-	exit(status);
-}
-
 /*
  *	All functions starting with "parse" should succeed, otherwise
  *	the program fails.
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 75c605aa86121..a09709bc59c35 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -84,14 +84,11 @@ static struct option original_opts[] = {
 	{NULL},
 };
 
-void iptables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
-
 struct xtables_globals iptables_globals = {
 	.option_offset = 0,
 	.program_version = PACKAGE_VERSION,
 	.program_variant = "legacy",
 	.orig_opts = original_opts,
-	.exit_err = iptables_exit_error,
 	.compat_rev = xtables_compatible_revision,
 };
 
@@ -106,26 +103,6 @@ exit_printhelp(const struct xtables_rule_match *matches)
 	exit(0);
 }
 
-void
-iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
-{
-	va_list args;
-
-	va_start(args, msg);
-	fprintf(stderr, "%s v%s (legacy): ", prog_name, prog_vers);
-	vfprintf(stderr, msg, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	if (status == PARAMETER_PROBLEM)
-		xtables_exit_tryhelp(status);
-	if (status == VERSION_PROBLEM)
-		fprintf(stderr,
-			"Perhaps iptables or your kernel needs to be upgraded.\n");
-	/* On error paths, make sure that we don't leak memory */
-	xtables_free_opts(1);
-	exit(status);
-}
-
 /*
  *	All functions starting with "parse" should succeed, otherwise
  *	the program fails.
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 24d020de23370..479749390f8cc 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -84,7 +84,6 @@ static struct option original_opts[] = {
 
 #define opts xt_params->opts
 
-extern void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
 static void printhelp(const struct xtables_rule_match *m);
 struct xtables_globals arptables_globals = {
 	.option_offset		= 0,
@@ -92,7 +91,6 @@ struct xtables_globals arptables_globals = {
 	.program_variant	= "nf_tables",
 	.optstring		= OPTSTRING_COMMON "C:R:S::" "h::l:nv" /* "m:" */,
 	.orig_opts		= original_opts,
-	.exit_err		= xtables_exit_error,
 	.compat_rev		= nft_compatible_revision,
 	.print_help		= printhelp,
 };
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index b78d5b6aa74f5..5ac122971c644 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -216,14 +216,12 @@ struct option ebt_original_options[] =
 	{ 0 }
 };
 
-extern void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
 struct xtables_globals ebtables_globals = {
 	.option_offset 		= 0,
 	.program_version	= PACKAGE_VERSION,
 	.program_variant	= "nf_tables",
 	.optstring		= OPTSTRING_COMMON "h",
 	.orig_opts		= ebt_original_options,
-	.exit_err		= xtables_exit_error,
 	.compat_rev		= nft_compatible_revision,
 };
 
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 0f24532bc2b4a..6bbd3642d66db 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -86,15 +86,12 @@ static struct option original_opts[] = {
 	{NULL},
 };
 
-void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
-
 struct xtables_globals xtables_globals = {
 	.option_offset = 0,
 	.program_version = PACKAGE_VERSION,
 	.program_variant = "nf_tables",
 	.optstring = OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x",
 	.orig_opts = original_opts,
-	.exit_err = xtables_exit_error,
 	.compat_rev = nft_compatible_revision,
 	.print_help = xtables_printhelp,
 };
@@ -103,26 +100,6 @@ struct xtables_globals xtables_globals = {
 #define prog_name xt_params->program_name
 #define prog_vers xt_params->program_version
 
-void
-xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
-{
-	va_list args;
-
-	va_start(args, msg);
-	fprintf(stderr, "%s v%s (nf_tables): ", prog_name, prog_vers);
-	vfprintf(stderr, msg, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	if (status == PARAMETER_PROBLEM)
-		xtables_exit_tryhelp(status);
-	if (status == VERSION_PROBLEM)
-		fprintf(stderr,
-			"Perhaps iptables or your kernel needs to be upgraded.\n");
-	/* On error paths, make sure that we don't leak memory */
-	xtables_free_opts(1);
-	exit(status);
-}
-
 /*
  *	All functions starting with "parse" should succeed, otherwise
  *	the program fails.
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 7112c76beee18..ca0fafd4b61df 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -96,10 +96,24 @@ void basic_exit_err(enum xtables_exittype status, const char *msg, ...)
 	va_list args;
 
 	va_start(args, msg);
-	fprintf(stderr, "%s v%s: ", xt_params->program_name, xt_params->program_version);
+	fprintf(stderr, "%s v%s",
+		xt_params->program_name, xt_params->program_version);
+	if (xt_params->program_variant)
+		fprintf(stderr, " (%s)", xt_params->program_variant);
+	fprintf(stderr, ": ");
+
 	vfprintf(stderr, msg, args);
 	va_end(args);
 	fprintf(stderr, "\n");
+
+	if (status == PARAMETER_PROBLEM)
+		xtables_exit_tryhelp(status);
+	if (status == VERSION_PROBLEM)
+		fprintf(stderr,
+			"Perhaps %s or your kernel needs to be upgraded.\n",
+			xt_params->program_name);
+	/* On error paths, make sure that we don't leak memory */
+	xtables_free_opts(1);
 	exit(status);
 }
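Review bot: `basic_exit_err()` appears to be the handler used by any program that leaves `exit_err` unset. After this hunk a `PARAMETER_PROBLEM` in such a program also prints the "Try `%s -h' or '%s --help'" hint through `xtables_exit_tryhelp()`, which assumes the caller accepts those options. It is also not obvious that this status never reaches the `xtables_free_opts(1)` at the bottom, because the helper does not return. A comment above the first `if` would make that explicit, e.g. `/* xtables_exit_tryhelp() frees the options and exits itself */`. The function's signature and opening lines are outside this hunk.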
 
-- 
2.33.0



* [iptables PATCH 6/6] iptables-*-restore: Drop pointless line reference
  2021-12-09  0:22 [iptables PATCH 0/6] Some more code de-duplication Phil Sutter
                   ` (4 preceding siblings ...)
  2021-12-09  0:22 ` [iptables PATCH 5/6] libxtables: Extend basic_exit_err() Phil Sutter
@ 2021-12-09  0:22 ` Phil Sutter
  5 siblings, 0 replies; 9+ messages in thread
From: Phil Sutter @ 2021-12-09  0:22 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

There's no need to mention the offending line number in error message
when calling xtables_error() with a status of PARAMETER_PROBLEM as that
will cause a call to xtables_exit_tryhelp() which in turn prints "Error
occurred at line: N".

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c  | 4 ++--
 iptables/iptables.c   | 4 ++--
 iptables/xtables-eb.c | 4 ++--
 iptables/xtables.c    | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 68ecb9982ab73..950ae94d326ea 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1013,8 +1013,8 @@ int do_command6(int argc, char *argv[], char **table,
 					   "unexpected ! flag before --table");
 			if (restore && table_set)
 				xtables_error(PARAMETER_PROBLEM,
-					      "The -t option (seen in line %u) cannot be used in %s.\n",
-					      line, xt_params->program_name);
+					      "The -t option cannot be used in %s.\n",
+					      xt_params->program_name);
 			*table = optarg;
 			table_set = true;
 			break;
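Review bot: The shortened format string still ends in `\n`, but the exit handler prints its own newline after the message (`fprintf(stderr, "\n");` in `basic_exit_err()`), so the error is followed by an empty line before "Error occurred at line". Dropping it, as in `"The -t option cannot be used in %s.",`, matches the neighbouring `"unexpected ! flag before --table"` message. The same applies to the hunks in iptables/iptables.c, iptables/xtables-eb.c and iptables/xtables.c. `do_command6()` starts and ends outside this hunk.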
diff --git a/iptables/iptables.c b/iptables/iptables.c
index a09709bc59c35..82bd1c8c08d1e 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -995,8 +995,8 @@ int do_command4(int argc, char *argv[], char **table,
 					   "unexpected ! flag before --table");
 			if (restore && table_set)
 				xtables_error(PARAMETER_PROBLEM,
-					      "The -t option (seen in line %u) cannot be used in %s.\n",
-					      line, xt_params->program_name);
+					      "The -t option cannot be used in %s.\n",
+					      xt_params->program_name);
 			*table = optarg;
 			table_set = true;
 			break;
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 5ac122971c644..382b108ed0fc7 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -895,8 +895,8 @@ print_zero:
 			ebt_check_option2(&flags, OPT_TABLE);
 			if (restore && table_set)
 				xtables_error(PARAMETER_PROBLEM,
-					      "The -t option (seen in line %u) cannot be used in %s.\n",
-					      line, xt_params->program_name);
+					      "The -t option cannot be used in %s.\n",
+					      xt_params->program_name);
 			if (!nft_table_builtin_find(h, optarg))
 				xtables_error(VERSION_PROBLEM,
 					      "table '%s' does not exist",
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 6bbd3642d66db..e6f22e3f41d05 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -513,8 +513,8 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 					   "unexpected ! flag before --table");
 			if (p->restore && table_set)
 				xtables_error(PARAMETER_PROBLEM,
-					      "The -t option (seen in line %u) cannot be used in %s.\n",
-					      line, xt_params->program_name);
+					      "The -t option cannot be used in %s.\n",
+					      xt_params->program_name);
 			if (!nft_table_builtin_find(h, optarg))
 				xtables_error(VERSION_PROBLEM,
 					      "table '%s' does not exist",
-- 
2.33.0



* Re: [iptables PATCH 3/6] libxtables: Add xtables_exit_tryhelp()
  2021-12-09  0:22 ` [iptables PATCH 3/6] libxtables: Add xtables_exit_tryhelp() Phil Sutter
@ 2021-12-09  0:37   ` Pablo Neira Ayuso
  2021-12-09  2:05     ` Phil Sutter
  0 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2021-12-09  0:37 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Thu, Dec 09, 2021 at 01:22:54AM +0100, Phil Sutter wrote:
> This is just the exit_tryhelp() function which existed three times in
> identical form with a more suitable name.
> 
> Signed-off-by: Phil Sutter <phil@nwl.cc>
> ---
>  include/xtables.h    |  1 +
>  iptables/ip6tables.c | 19 ++++---------------
>  iptables/iptables.c  | 19 ++++---------------
>  iptables/xtables.c   | 21 +++++----------------
>  libxtables/xtables.c | 10 ++++++++++
>  5 files changed, 24 insertions(+), 46 deletions(-)
> 
> diff --git a/include/xtables.h b/include/xtables.h
> index ca674c2663eb4..fdf77d83199d0 100644
> --- a/include/xtables.h
> +++ b/include/xtables.h
> @@ -501,6 +501,7 @@ xtables_parse_interface(const char *arg, char *vianame, unsigned char *mask);
>  
>  extern struct xtables_globals *xt_params;
>  #define xtables_error (xt_params->exit_err)
> +extern void xtables_exit_tryhelp(int status) __attribute__((noreturn));

Probably add this to xshared.c instead of libxtables?


* Re: [iptables PATCH 3/6] libxtables: Add xtables_exit_tryhelp()
  2021-12-09  0:37   ` Pablo Neira Ayuso
@ 2021-12-09  2:05     ` Phil Sutter
  0 siblings, 0 replies; 9+ messages in thread
From: Phil Sutter @ 2021-12-09  2:05 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi Pablo,

On Thu, Dec 09, 2021 at 01:37:40AM +0100, Pablo Neira Ayuso wrote:
> On Thu, Dec 09, 2021 at 01:22:54AM +0100, Phil Sutter wrote:
> > This is just the exit_tryhelp() function which existed three times in
> > identical form with a more suitable name.
> > 
> > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > ---
> >  include/xtables.h    |  1 +
> >  iptables/ip6tables.c | 19 ++++---------------
> >  iptables/iptables.c  | 19 ++++---------------
> >  iptables/xtables.c   | 21 +++++----------------
> >  libxtables/xtables.c | 10 ++++++++++
> >  5 files changed, 24 insertions(+), 46 deletions(-)
> > 
> > diff --git a/include/xtables.h b/include/xtables.h
> > index ca674c2663eb4..fdf77d83199d0 100644
> > --- a/include/xtables.h
> > +++ b/include/xtables.h
> > @@ -501,6 +501,7 @@ xtables_parse_interface(const char *arg, char *vianame, unsigned char *mask);
> >  
> >  extern struct xtables_globals *xt_params;
> >  #define xtables_error (xt_params->exit_err)
> > +extern void xtables_exit_tryhelp(int status) __attribute__((noreturn));
> 
> Probably add this to xshared.c instead of libxtables?

It's tricky, basic_exit_err() will start using it two patches later. So
while xtables_exit_tryhelp() is not relevant to libxtables itself, it
must be there.

Cheers, Phil
