Add and return PermissionDenied error when not root

[jpittis]

As discussed in #4, the current implementation does not return an error when the process does not have permission to use iptables.

Fortunately, iptables returns a special status code for permission errors:

$ sudo iptables --list foobar; echo $?
iptables: No chain/target/match by that name.
1
$ iptables --list; echo $?
Fatal: can't open lock file /run/xtables.lock: Permission denied
4

This patch does three things:

1. Adds the PermissionDenied error.
2. Maps an exit status of 4 to a PermissionDenied error.
3. Runs rustfmt.

I can see why the maintainers might not like 3). The reformat diff is pretty small so I didn't revert it. If you'd like me to revert it and or patch it in a separate commit, please ask.

Finally, I didn't add any tests to this patch. Likely the code that tests this will need to be run without sudo to trigger the PermissionDenied path. I'm not sure of the nicest way to do this so I was going to wait for the maintainers to discuss.

Thanks!

[yaa110]

Thank you for the contribution.
Please reformat the code in a separated commit.
I think, the library should return an error with non-zero values of status codes, rather than translating the status code of 4 to "Permission denied". So, the client could decide how to handle exceptions.

[jpittis]

I can see why you'd rather the caller interpret the exit status.

ffcd436 adds a BadExitStatus error. I haven't updated any of the tests yet. Because a non-zero exit status is now being returned as an error, this means that for most of the methods that previously returned bool, will now only return true. Therefore I've re-written their types from bool to unit.

This would be very much so a breaking change. What do you think of this approach?

[jpittis]

I'm starting to see that this is a more complex change than I originally expected.

For example, on my system when I attempt to check the existence of a rule that does not exist for a chain that does not eixst:

$ sudo iptables -C INPUT -j MY_INPUT; echo $?
iptables v1.8.2 (legacy): Couldn't load target `MY_INPUT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
2

But if we try to check for the rule that does not exist for a chain that does exist:

$ sudo iptables -C INPUT -j MY_INPUT; echo $?
iptables: No chain/target/match by that name.
1

I'm going to keep on trying to understand this behavior better before continuing with this PR.

[yaa110]

Please refactor return values like the example I provided as comment

[yaa110]

self.run(&["-t", table, "-F"]).and_then(|_| Ok(()))

[yaa110]

output.status.code().and_then(|i| if i == 0 { Ok(output) } else { Err(IPTError::BadExitStatus(i)) })

[jpittis]

AFAIK this is invalid: and_then return type Option.

[Ulrar]

Is this still being worked on ? I was also surprised to see my program "work" without any errors when ran as a regular user.

[jpittis]

I've abandoned this so it's not currently being worked on. Might have time to work on it this weekend.

[jpittis]

I've had some time to look at this again. Wondering if we may want to preserve IPTResult<bool> instead of IPTResult<()> in some cases. Thoughts?

Things for sure left to do:

• Update doc comments to express new API.

[jpittis]

Here's an example where the result type should maybe be IPResult<bool> instead. Thoughts?