netfilter: x_tables: use pr ratelimiting in all remaining spots
Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
committed by
Pablo Neira Ayuso
parent
c08e5e1ee6
commit
b26066447b
@@ -106,7 +106,7 @@ static int ecn_tg_check(const struct xt_tgchk_param *par)
|
||||
|
||||
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
|
||||
(e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
|
||||
pr_info("cannot use TCP operations on a non-tcp rule\n");
|
||||
pr_info_ratelimited("cannot use operation on non-tcp rule\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
return 0;
|
||||
|
||||
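Review bot: The reworded message on the pr_info_ratelimited line drops the "TCP" qualifier that told the rule author which operations (SET_ECE/SET_CWR, per the condition two lines above) are being rejected; the shorter text reads as if any operation were invalid on a non-tcp rule. Keeping the original wording while still rate-limiting would be `pr_info_ratelimited("cannot use TCP operations on a non-tcp rule\n");`. The body of ecn_tg_check starts outside the hunk.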
@@ -74,13 +74,13 @@ static int reject_tg_check(const struct xt_tgchk_param *par)
|
||||
const struct ipt_entry *e = par->entryinfo;
|
||||
|
||||
if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
|
||||
pr_info("ECHOREPLY no longer supported.\n");
|
||||
pr_info_ratelimited("ECHOREPLY no longer supported.\n");
|
||||
return -EINVAL;
|
||||
} else if (rejinfo->with == IPT_TCP_RESET) {
|
||||
/* Must specify that it's a TCP packet */
|
||||
if (e->ip.proto != IPPROTO_TCP ||
|
||||
(e->ip.invflags & XT_INV_PROTO)) {
|
||||
pr_info("TCP_RESET invalid for non-tcp\n");
|
||||
pr_info_ratelimited("TCP_RESET invalid for non-tcp\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -105,7 +105,7 @@ static int rpfilter_check(const struct xt_mtchk_param *par)
|
||||
const struct xt_rpfilter_info *info = par->matchinfo;
|
||||
unsigned int options = ~XT_RPFILTER_OPTION_MASK;
|
||||
if (info->flags & options) {
|
||||
pr_info("unknown options encountered");
|
||||
pr_info_ratelimited("unknown options\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
|
||||
@@ -85,14 +85,14 @@ static int reject_tg6_check(const struct xt_tgchk_param *par)
|
||||
const struct ip6t_entry *e = par->entryinfo;
|
||||
|
||||
if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
|
||||
pr_info("ECHOREPLY is not supported.\n");
|
||||
pr_info_ratelimited("ECHOREPLY is not supported\n");
|
||||
return -EINVAL;
|
||||
} else if (rejinfo->with == IP6T_TCP_RESET) {
|
||||
/* Must specify that it's a TCP packet */
|
||||
if (!(e->ipv6.flags & IP6T_F_PROTO) ||
|
||||
e->ipv6.proto != IPPROTO_TCP ||
|
||||
(e->ipv6.invflags & XT_INV_PROTO)) {
|
||||
pr_info("TCP_RESET illegal for non-tcp\n");
|
||||
pr_info_ratelimited("TCP_RESET illegal for non-tcp\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -103,7 +103,7 @@ static int rpfilter_check(const struct xt_mtchk_param *par)
|
||||
unsigned int options = ~XT_RPFILTER_OPTION_MASK;
|
||||
|
||||
if (info->flags & options) {
|
||||
pr_info("unknown options encountered");
|
||||
pr_info_ratelimited("unknown options\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
|
||||
@@ -122,12 +122,14 @@ static int srh_mt6_check(const struct xt_mtchk_param *par)
|
||||
const struct ip6t_srh *srhinfo = par->matchinfo;
|
||||
|
||||
if (srhinfo->mt_flags & ~IP6T_SRH_MASK) {
|
||||
pr_err("unknown srh match flags %X\n", srhinfo->mt_flags);
|
||||
pr_info_ratelimited("unknown srh match flags %X\n",
|
||||
srhinfo->mt_flags);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (srhinfo->mt_invflags & ~IP6T_SRH_INV_MASK) {
|
||||
pr_err("unknown srh invflags %X\n", srhinfo->mt_invflags);
|
||||
pr_info_ratelimited("unknown srh invflags %X\n",
|
||||
srhinfo->mt_invflags);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
|
||||
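Review bot: Replacing pr_err with pr_info_ratelimited in both checks of this hunk lowers the log level as well as adding rate limiting, which the commit title ("use pr ratelimiting") does not announce. The same downgrade appears in led_tg_check ("Trigger name is already in use.") and connlabel_mt_check ("Unknown options in mask"). If the lower level is intended because these are user-triggered rule-validation failures, saying so in the commit message would help a reader; otherwise `pr_err_ratelimited(...)` keeps the existing level. srh_mt6_check continues outside the hunk.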
@@ -120,8 +120,8 @@ static int audit_tg_check(const struct xt_tgchk_param *par)
|
||||
const struct xt_audit_info *info = par->targinfo;
|
||||
|
||||
if (info->type > XT_AUDIT_TYPE_MAX) {
|
||||
pr_info("Audit type out of range (valid range: 0..%hhu)\n",
|
||||
XT_AUDIT_TYPE_MAX);
|
||||
pr_info_ratelimited("Audit type out of range (valid range: 0..%hhu)\n",
|
||||
XT_AUDIT_TYPE_MAX);
|
||||
return -ERANGE;
|
||||
}
|
||||
|
||||
|
||||
@@ -36,7 +36,8 @@ static int checksum_tg_check(const struct xt_tgchk_param *par)
|
||||
const struct xt_CHECKSUM_info *einfo = par->targinfo;
|
||||
|
||||
if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
|
||||
pr_info("unsupported CHECKSUM operation %x\n", einfo->operation);
|
||||
pr_info_ratelimited("unsupported CHECKSUM operation %x\n",
|
||||
einfo->operation);
|
||||
return -EINVAL;
|
||||
}
|
||||
if (!einfo->operation)
|
||||
|
||||
@@ -102,14 +102,14 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
|
||||
break;
|
||||
|
||||
default:
|
||||
pr_info("invalid mode: %hu\n", info->mode);
|
||||
pr_info_ratelimited("invalid mode: %hu\n", info->mode);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
ret = nf_ct_netns_get(par->net, par->family);
|
||||
if (ret < 0)
|
||||
pr_info("cannot load conntrack support for proto=%u\n",
|
||||
par->family);
|
||||
pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
|
||||
par->family);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
@@ -136,7 +136,7 @@ static int led_tg_check(const struct xt_tgchk_param *par)
|
||||
|
||||
err = led_trigger_register(&ledinternal->netfilter_led_trigger);
|
||||
if (err) {
|
||||
pr_err("Trigger name is already in use.\n");
|
||||
pr_info_ratelimited("Trigger name is already in use.\n");
|
||||
goto exit_alloc;
|
||||
}
|
||||
|
||||
|
||||
@@ -60,18 +60,20 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
|
||||
&info->secid);
|
||||
if (err) {
|
||||
if (err == -EINVAL)
|
||||
pr_info("invalid security context \'%s\'\n", info->secctx);
|
||||
pr_info_ratelimited("invalid security context \'%s\'\n",
|
||||
info->secctx);
|
||||
return err;
|
||||
}
|
||||
|
||||
if (!info->secid) {
|
||||
pr_info("unable to map security context \'%s\'\n", info->secctx);
|
||||
pr_info_ratelimited("unable to map security context \'%s\'\n",
|
||||
info->secctx);
|
||||
return -ENOENT;
|
||||
}
|
||||
|
||||
err = security_secmark_relabel_packet(info->secid);
|
||||
if (err) {
|
||||
pr_info("unable to obtain relabeling permission\n");
|
||||
pr_info_ratelimited("unable to obtain relabeling permission\n");
|
||||
return err;
|
||||
}
|
||||
|
||||
@@ -92,8 +94,8 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
|
||||
}
|
||||
|
||||
if (mode && mode != info->mode) {
|
||||
pr_info("mode already set to %hu cannot mix with "
|
||||
"rules for mode %hu\n", mode, info->mode);
|
||||
pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n",
|
||||
mode, info->mode);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
@@ -101,7 +103,7 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
|
||||
case SECMARK_MODE_SEL:
|
||||
break;
|
||||
default:
|
||||
pr_info("invalid mode: %hu\n", info->mode);
|
||||
pr_info_ratelimited("invalid mode: %hu\n", info->mode);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
|
||||
@@ -273,8 +273,7 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
|
||||
(par->hook_mask & ~((1 << NF_INET_FORWARD) |
|
||||
(1 << NF_INET_LOCAL_OUT) |
|
||||
(1 << NF_INET_POST_ROUTING))) != 0) {
|
||||
pr_info("path-MTU clamping only supported in "
|
||||
"FORWARD, OUTPUT and POSTROUTING hooks\n");
|
||||
pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
if (par->nft_compat)
|
||||
@@ -283,7 +282,7 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
|
||||
xt_ematch_foreach(ematch, e)
|
||||
if (find_syn_match(ematch))
|
||||
return 0;
|
||||
pr_info("Only works on TCP SYN packets\n");
|
||||
pr_info_ratelimited("Only works on TCP SYN packets\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
@@ -298,8 +297,7 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
|
||||
(par->hook_mask & ~((1 << NF_INET_FORWARD) |
|
||||
(1 << NF_INET_LOCAL_OUT) |
|
||||
(1 << NF_INET_POST_ROUTING))) != 0) {
|
||||
pr_info("path-MTU clamping only supported in "
|
||||
"FORWARD, OUTPUT and POSTROUTING hooks\n");
|
||||
pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
if (par->nft_compat)
|
||||
@@ -308,7 +306,7 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
|
||||
xt_ematch_foreach(ematch, e)
|
||||
if (find_syn_match(ematch))
|
||||
return 0;
|
||||
pr_info("Only works on TCP SYN packets\n");
|
||||
pr_info_ratelimited("Only works on TCP SYN packets\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -540,8 +540,7 @@ static int tproxy_tg6_check(const struct xt_tgchk_param *par)
|
||||
!(i->invflags & IP6T_INV_PROTO))
|
||||
return 0;
|
||||
|
||||
pr_info("Can be used only in combination with "
|
||||
"either -p tcp or -p udp\n");
|
||||
pr_info_ratelimited("Can be used only with -p tcp or -p udp\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
#endif
|
||||
@@ -559,8 +558,7 @@ static int tproxy_tg4_check(const struct xt_tgchk_param *par)
|
||||
&& !(i->invflags & IPT_INV_PROTO))
|
||||
return 0;
|
||||
|
||||
pr_info("Can be used only in combination with "
|
||||
"either -p tcp or -p udp\n");
|
||||
pr_info_ratelimited("Can be used only with -p tcp or -p udp\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
|
||||
@@ -7,6 +7,8 @@
|
||||
* published by the Free Software Foundation.
|
||||
*/
|
||||
|
||||
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
||||
|
||||
#include <linux/module.h>
|
||||
#include <linux/syscalls.h>
|
||||
#include <linux/skbuff.h>
|
||||
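Review bot: The added `#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt` applies to every pr_* call in this translation unit, not only to the message in the next hunk whose hand-written "bpf: " prefix is removed, so any other pr_* message in the file (outside this view) presumably changes its output format too; the identical define added to the xt_cgroup file has the same effect there. The define is placed before the first #include, which is the correct position for it to take effect. Anything that matches on the old "bpf: check failed" dmesg text would need updating, so a sentence about the prefix change in the commit description would be useful.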
@@ -34,7 +36,7 @@ static int __bpf_mt_check_bytecode(struct sock_filter *insns, __u16 len,
|
||||
program.filter = insns;
|
||||
|
||||
if (bpf_prog_create(ret, &program)) {
|
||||
pr_info("bpf: check failed: parse error\n");
|
||||
pr_info_ratelimited("check failed: parse error\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
|
||||
@@ -12,6 +12,8 @@
|
||||
* published by the Free Software Foundation.
|
||||
*/
|
||||
|
||||
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
||||
|
||||
#include <linux/skbuff.h>
|
||||
#include <linux/module.h>
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
@@ -48,7 +50,7 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
|
||||
}
|
||||
|
||||
if (info->has_path && info->has_classid) {
|
||||
pr_info("xt_cgroup: both path and classid specified\n");
|
||||
pr_info_ratelimited("path and classid specified\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
@@ -56,8 +58,8 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
|
||||
if (info->has_path) {
|
||||
cgrp = cgroup_get_from_path(info->path);
|
||||
if (IS_ERR(cgrp)) {
|
||||
pr_info("xt_cgroup: invalid path, errno=%ld\n",
|
||||
PTR_ERR(cgrp));
|
||||
pr_info_ratelimited("invalid path, errno=%ld\n",
|
||||
PTR_ERR(cgrp));
|
||||
return -EINVAL;
|
||||
}
|
||||
info->priv = cgrp;
|
||||
|
||||
@@ -135,14 +135,12 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
|
||||
struct xt_cluster_match_info *info = par->matchinfo;
|
||||
|
||||
if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
|
||||
pr_info("you have exceeded the maximum "
|
||||
"number of cluster nodes (%u > %u)\n",
|
||||
info->total_nodes, XT_CLUSTER_NODES_MAX);
|
||||
pr_info_ratelimited("you have exceeded the maximum number of cluster nodes (%u > %u)\n",
|
||||
info->total_nodes, XT_CLUSTER_NODES_MAX);
|
||||
return -EINVAL;
|
||||
}
|
||||
if (info->node_mask >= (1ULL << info->total_nodes)) {
|
||||
pr_info("this node mask cannot be "
|
||||
"higher than the total number of nodes\n");
|
||||
pr_info_ratelimited("node mask cannot exceed total number of nodes\n");
|
||||
return -EDOM;
|
||||
}
|
||||
return 0;
|
||||
|
||||
@@ -112,8 +112,8 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
|
||||
|
||||
ret = nf_ct_netns_get(par->net, par->family);
|
||||
if (ret < 0)
|
||||
pr_info("cannot load conntrack support for proto=%u\n",
|
||||
par->family);
|
||||
pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
|
||||
par->family);
|
||||
|
||||
/*
|
||||
* This filter cannot function correctly unless connection tracking
|
||||
|
||||
@@ -57,14 +57,15 @@ static int connlabel_mt_check(const struct xt_mtchk_param *par)
|
||||
int ret;
|
||||
|
||||
if (info->options & ~options) {
|
||||
pr_err("Unknown options in mask %x\n", info->options);
|
||||
pr_info_ratelimited("Unknown options in mask %x\n",
|
||||
info->options);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
ret = nf_ct_netns_get(par->net, par->family);
|
||||
if (ret < 0) {
|
||||
pr_info("cannot load conntrack support for proto=%u\n",
|
||||
par->family);
|
||||
pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
|
||||
par->family);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
@@ -79,8 +79,8 @@ static int connmark_tg_check(const struct xt_tgchk_param *par)
|
||||
|
||||
ret = nf_ct_netns_get(par->net, par->family);
|
||||
if (ret < 0)
|
||||
pr_info("cannot load conntrack support for proto=%u\n",
|
||||
par->family);
|
||||
pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
|
||||
par->family);
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -109,8 +109,8 @@ static int connmark_mt_check(const struct xt_mtchk_param *par)
|
||||
|
||||
ret = nf_ct_netns_get(par->net, par->family);
|
||||
if (ret < 0)
|
||||
pr_info("cannot load conntrack support for proto=%u\n",
|
||||
par->family);
|
||||
pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
|
||||
par->family);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
@@ -272,8 +272,8 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par)
|
||||
|
||||
ret = nf_ct_netns_get(par->net, par->family);
|
||||
if (ret < 0)
|
||||
pr_info("cannot load conntrack support for proto=%u\n",
|
||||
par->family);
|
||||
pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
|
||||
par->family);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||