hm2_eth: print iptables commands when running unprivileged

Previously when iptables was unavailable (rootless via 'make setcap',
or no_iptables=1), the driver logged a single line saying isolation
was disabled and nothing else. The user had no way to recover the
exact rules they would need to install manually, and hm2_eth(9) does
not document them.

Refactor install_iptables_rule() to a print-or-exec dual mode: build
the command unconditionally, then either shell it (when iptables is
available) or LL_PRINT it as advice (when not). Drop the outer
use_iptables() gates on the setup paths in start_board() and
rtapi_app_main() so the print branch is reached. Cleanup paths keep
their gate since there is nothing to print on teardown.

The probe in use_iptables() now also emits the chain-setup commands
(iptables -N <CHAIN>; iptables -I OUTPUT 1 -j <CHAIN>) at the time
it discovers iptables is unreachable, so the user gets a complete
recipe: chain setup once, plus per-board / per-interface rules
logged inline as boards come up.

Reported by @hdiethelm in PR #3964 review while testing 7I96S under
'make setcap'.

Author: grandixximo

src/hal/drivers/mesa-hostmot2/hm2_eth.c

@@ -489,9 +489,13 @@ static bool use_iptables() {
         // leaving side effects.
         if(shell(IPTABLES " -n -L INPUT > /dev/null 2>&1") != EXIT_SUCCESS) {
             LL_PRINT("iptables is not available to this process "
-                     "(running unprivileged?); skipping automatic rule "
-                     "installation.  Configure firewall externally to "
-                     "isolate the hm2-eth interface.\n");
+                     "(running unprivileged?); automatic rule "
+                     "installation will be skipped.  To enable hm2-eth "
+                     "isolation manually, run the following as root, "
+                     "plus the per-board and per-interface rules logged "
+                     "below as boards come up:\n"
+                     "    " IPTABLES " -N " CHAIN "\n"
+                     "    " IPTABLES " -I OUTPUT 1 -j " CHAIN "\n");
             return (iptables_state = 0);
         }
         if(!chain_exists()) {
@@ -585,6 +589,13 @@ static int install_iptables_rule(const char *fmt, ...) {
         return -ENOSPC;
     }
 
+    // When iptables is unavailable (rootless / no_iptables=1), emit the
+    // command for the user to run manually rather than skipping silently.
+    if(!use_iptables()) {
+        LL_PRINT("    %s\n", commandbuf);
+        return 0;
+    }
+
     int res = shell(commandbuf);
     if(res == EXIT_SUCCESS) return 0;
 
@@ -629,8 +640,12 @@ static int install_iptables_perinterface(const char *ifbuf) {
         ifbuf);
     if(res < 0) return res;
 
-    res = eshellf(HM2_LLIO_NAME, "/sbin/sysctl -q net.ipv6.conf.%s.disable_ipv6=1", ifbuf);
-    if(res < 0) return res;
+    if(use_iptables()) {
+        res = eshellf(HM2_LLIO_NAME, "/sbin/sysctl -q net.ipv6.conf.%s.disable_ipv6=1", ifbuf);
+        if(res < 0) return res;
+    } else {
+        LL_PRINT("    /sbin/sysctl -q net.ipv6.conf.%s.disable_ipv6=1\n", ifbuf);
+    }
 
     return 0;
 }
@@ -734,11 +749,11 @@ static int init_board(hm2_eth_t *board, const char *board_ip) {
         return -errno;
     }
 
-    if(use_iptables())
-    {
-        ret = install_iptables_board(board->sockfd);
-        if(ret < 0) return ret;
-    }
+    // install_iptables_board() falls through to a print-only mode when
+    // iptables is not available (see install_iptables_rule()), so it is
+    // safe to call unconditionally.
+    ret = install_iptables_board(board->sockfd);
+    if(ret < 0) return ret;
 
     board->write_packet_ptr = board->write_packet;
     board->read_packet_ptr = board->read_packet;
@@ -1620,8 +1635,8 @@ int rtapi_app_main(void) {
         if(!added)
             goto error;
         if(*added) continue;
-        if(use_iptables())
-            install_iptables_perinterface(ifptr);
+        // Print-or-exec depending on iptables availability; see install_iptables_rule().
+        install_iptables_perinterface(ifptr);
         *added = 1;
     }