Thread: Improve iptables error reporting

Improve iptables error reporting
Sweden
2007-08-11 18:21:04
Hi

Here's a small patch that reworks the iptables/ip6tables error reporting a
bit. The purpose of this patch is to try to provide more reasonable error
messages.

Currently a lot of functions in libiptc set a pointer called iptc_fn to
point to the current function, and then they set errno to an error code.

This has at least one major shortcoming:

#include <errno.h>

void *iptc_fn = NULL;	/* "current function" pointer, as used by libiptc */

int some_other_function(void) {
	iptc_fn = some_other_function;
	/* ... */

	return 1;	/* signals failure, leaves iptc_fn pointing here */
}

void some_function(void) {
	iptc_fn = some_function;
	if (some_other_function())
		errno = ENOENT;	/* errno describes some_function's failure */
}

Now we have iptc_fn == some_other_function but errno was meant for
some_function; a mismatch has occurred, which will cause the wrong error
message to be printed.

What this patch does is to add TC_ERROR (iptc_error/ip6tc_error) which
sets both iptc_errfn and iptc_errno at the same time, and it's only called
when an error is detected. Thus we don't have any mismatches anymore.

Example of error messages:
loop:
	old:
		# iptables -I INPUT -j tuut
		iptables: Too many levels of symbolic links
	new:
		# iptables -I INPUT -j tuut
		iptables: Loop found in table

chain not found:
	old:
		# iptables -I foo -j ACCEPT
		iptables: No chain/target/match by that name
	new:
		# iptables -I foo -j ACCEPT
		iptables: No chain by that name

jump to predefined chain:
	old:
		# iptables -I tuut -j INPUT
		iptables: Invalid argument
	new:
		# iptables -I tuut -j INPUT
		iptables: Can't jump to a built-in target

removal of not empty chain:
	old:
		# iptables -X tuut
		iptables: Directory not empty
	new:
		# iptables -X tuut
		iptables: Chain is not empty

removal of chain with references:
	old:
		# iptables -X tuut
		iptables: Too many links
	new:
		# iptables -X tuut
		iptables: Can't delete chain with references left


Unknown errors will now be displayed like:
(this is made up)

"Unknown error, iptc_commit: 30 (foo not in phase with the moon)"

function, error code and strerror() (might give a clue).
(line number can be added if needed)

And if something signals an error (return value) but doesn't call
iptc_error()/ip6tc_error() it looks like this:

"Something forgot to set the error reason"


Please test and report success or failure. I'm likely to have missed
some/many errors.

/Martin
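To show how the TC_ERROR scheme described in the post removes the iptc_fn/errno mismatch, here is a small stand-alone model written for this page (it is not the patch itself, which is not reproduced here): iptc_errfn and iptc_errno are set together, only when an error is detected, and the message table is keyed on that pair. lookup_chain, insert_rule, tc_commit, forgetful_op and tc_strerror are hypothetical stand-ins; the messages are the ones quoted in the post.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Reworked scheme: both fields set together, only on error (names from the post). */
static const char *iptc_errfn = NULL;	/* function that reported the error */
static int iptc_errno = 0;		/* error code it reported */
#define TC_ERROR(code) do { iptc_errfn = __func__; iptc_errno = (code); } while (0)
static void tc_reset(void) { iptc_errfn = NULL; iptc_errno = 0; }

/* Hypothetical helper: fails for unknown chains and records that itself. */
static int lookup_chain(const char *name)
{
	if (!strcmp(name, "INPUT") || !strcmp(name, "tuut"))
		return 1;
	TC_ERROR(ENOENT);
	return 0;
}

/* Hypothetical caller: a helper's failure is passed up untouched, so the
 * recorded (function, errno) pair still belongs to lookup_chain. */
static int insert_rule(const char *chain, const char *target)
{
	tc_reset();
	if (!lookup_chain(chain))
		return 0;
	if (!strcmp(target, "INPUT")) {	/* jump to a built-in chain */
		TC_ERROR(EINVAL);
		return 0;
	}
	return 1;
}

/* No table entry for EIO ("Unknown error" path); forgetful_op sets no reason. */
static int tc_commit(void) { tc_reset(); TC_ERROR(EIO); return 0; }
static int forgetful_op(void) { tc_reset(); return 0; }

/* Message lookup keyed on the (function, errno) pair. */
static const char *tc_strerror(void)
{
	static char buf[128];
	if (!iptc_errfn)
		return "Something forgot to set the error reason";
	if (!strcmp(iptc_errfn, "lookup_chain") && iptc_errno == ENOENT)
		return "No chain by that name";
	if (!strcmp(iptc_errfn, "insert_rule") && iptc_errno == EINVAL)
		return "Can't jump to a built-in target";
	snprintf(buf, sizeof buf, "Unknown error, %s: %d (%s)", iptc_errfn, iptc_errno, strerror(iptc_errno));
	return buf;
}
```

Because the helper records its own name via __func__, the caller never has to re-label the error, which is exactly the mismatch the old iptc_fn scheme allowed.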
  
Re: Improve iptables error reporting
Germany
2007-09-19 07:56:49
Martin Josefsson wrote:
> On Sun, 12 Aug 2007, Martin Josefsson wrote:
>
>> Here's a small patch that reworks the iptables/ip6tables error
>> reporting a bit. The purpose of this patch is to try to provide more
>> reasonable error messages.
>
> [snip]
>
>> Please test and report success or failure. I'm likely to have missed
>> some/many errors.
>
> No takers on this?


I'm testing it locally. So far nicer error messages, no problems.

> Maybe we should merge it to make people test it?

I think that's a good idea, we need a few -rcs for the next release
anyway.

BTW, Pablo, any plans for the rc-release?

