diff options
| author | Florian Westphal <fw@strlen.de> | 2018-02-09 09:52:00 -0500 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-02-14 15:05:33 -0500 |
| commit | 1b6cd67191e16a66f69c9881d878204c3143f03f (patch) | |
| tree | c1384b21cd7fa87a38ef0ae5af5de8513eca35d6 /net | |
| parent | 0cc9501f94592125b2012452c57054b8215bcf33 (diff) | |
netfilter: x_tables: use pr ratelimiting in xt core
most messages are converted to info, since they occur in response to
wrong usage.
Size mismatch however is a real error (xtables ABI bug) that should not
occur.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/x_tables.c | 70 |
1 files changed, 34 insertions, 36 deletions
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 97e06a04c0d4..fa1655aff8d3 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c | |||
| @@ -434,36 +434,35 @@ int xt_check_match(struct xt_mtchk_param *par, | |||
| 434 | * ebt_among is exempt from centralized matchsize checking | 434 | * ebt_among is exempt from centralized matchsize checking |
| 435 | * because it uses a dynamic-size data set. | 435 | * because it uses a dynamic-size data set. |
| 436 | */ | 436 | */ |
| 437 | pr_err("%s_tables: %s.%u match: invalid size " | 437 | pr_err_ratelimited("%s_tables: %s.%u match: invalid size %u (kernel) != (user) %u\n", |
| 438 | "%u (kernel) != (user) %u\n", | 438 | xt_prefix[par->family], par->match->name, |
| 439 | xt_prefix[par->family], par->match->name, | 439 | par->match->revision, |
| 440 | par->match->revision, | 440 | XT_ALIGN(par->match->matchsize), size); |
| 441 | XT_ALIGN(par->match->matchsize), size); | ||
| 442 | return -EINVAL; | 441 | return -EINVAL; |
| 443 | } | 442 | } |
| 444 | if (par->match->table != NULL && | 443 | if (par->match->table != NULL && |
| 445 | strcmp(par->match->table, par->table) != 0) { | 444 | strcmp(par->match->table, par->table) != 0) { |
| 446 | pr_err("%s_tables: %s match: only valid in %s table, not %s\n", | 445 | pr_info_ratelimited("%s_tables: %s match: only valid in %s table, not %s\n", |
| 447 | xt_prefix[par->family], par->match->name, | 446 | xt_prefix[par->family], par->match->name, |
| 448 | par->match->table, par->table); | 447 | par->match->table, par->table); |
| 449 | return -EINVAL; | 448 | return -EINVAL; |
| 450 | } | 449 | } |
| 451 | if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) { | 450 | if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) { |
| 452 | char used[64], allow[64]; | 451 | char used[64], allow[64]; |
| 453 | 452 | ||
| 454 | pr_err("%s_tables: %s match: used from hooks %s, but only " | 453 | pr_info_ratelimited("%s_tables: %s match: used from hooks %s, but only valid from %s\n", |
| 455 | "valid from %s\n", | 454 | xt_prefix[par->family], par->match->name, |
| 456 | xt_prefix[par->family], par->match->name, | 455 | textify_hooks(used, sizeof(used), |
| 457 | textify_hooks(used, sizeof(used), par->hook_mask, | 456 | par->hook_mask, par->family), |
| 458 | par->family), | 457 | textify_hooks(allow, sizeof(allow), |
| 459 | textify_hooks(allow, sizeof(allow), par->match->hooks, | 458 | par->match->hooks, |
| 460 | par->family)); | 459 | par->family)); |
| 461 | return -EINVAL; | 460 | return -EINVAL; |
| 462 | } | 461 | } |
| 463 | if (par->match->proto && (par->match->proto != proto || inv_proto)) { | 462 | if (par->match->proto && (par->match->proto != proto || inv_proto)) { |
| 464 | pr_err("%s_tables: %s match: only valid for protocol %u\n", | 463 | pr_info_ratelimited("%s_tables: %s match: only valid for protocol %u\n", |
| 465 | xt_prefix[par->family], par->match->name, | 464 | xt_prefix[par->family], par->match->name, |
| 466 | par->match->proto); | 465 | par->match->proto); |
| 467 | return -EINVAL; | 466 | return -EINVAL; |
| 468 | } | 467 | } |
| 469 | if (par->match->checkentry != NULL) { | 468 | if (par->match->checkentry != NULL) { |
| @@ -814,36 +813,35 @@ int xt_check_target(struct xt_tgchk_param *par, | |||
| 814 | int ret; | 813 | int ret; |
| 815 | 814 | ||
| 816 | if (XT_ALIGN(par->target->targetsize) != size) { | 815 | if (XT_ALIGN(par->target->targetsize) != size) { |
| 817 | pr_err("%s_tables: %s.%u target: invalid size " | 816 | pr_err_ratelimited("%s_tables: %s.%u target: invalid size %u (kernel) != (user) %u\n", |
| 818 | "%u (kernel) != (user) %u\n", | 817 | xt_prefix[par->family], par->target->name, |
| 819 | xt_prefix[par->family], par->target->name, | 818 | par->target->revision, |
| 820 | par->target->revision, | 819 | XT_ALIGN(par->target->targetsize), size); |
| 821 | XT_ALIGN(par->target->targetsize), size); | ||
| 822 | return -EINVAL; | 820 | return -EINVAL; |
| 823 | } | 821 | } |
| 824 | if (par->target->table != NULL && | 822 | if (par->target->table != NULL && |
| 825 | strcmp(par->target->table, par->table) != 0) { | 823 | strcmp(par->target->table, par->table) != 0) { |
| 826 | pr_err("%s_tables: %s target: only valid in %s table, not %s\n", | 824 | pr_info_ratelimited("%s_tables: %s target: only valid in %s table, not %s\n", |
| 827 | xt_prefix[par->family], par->target->name, | 825 | xt_prefix[par->family], par->target->name, |
| 828 | par->target->table, par->table); | 826 | par->target->table, par->table); |
| 829 | return -EINVAL; | 827 | return -EINVAL; |
| 830 | } | 828 | } |
| 831 | if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) { | 829 | if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) { |
| 832 | char used[64], allow[64]; | 830 | char used[64], allow[64]; |
| 833 | 831 | ||
| 834 | pr_err("%s_tables: %s target: used from hooks %s, but only " | 832 | pr_info_ratelimited("%s_tables: %s target: used from hooks %s, but only usable from %s\n", |
| 835 | "usable from %s\n", | 833 | xt_prefix[par->family], par->target->name, |
| 836 | xt_prefix[par->family], par->target->name, | 834 | textify_hooks(used, sizeof(used), |
| 837 | textify_hooks(used, sizeof(used), par->hook_mask, | 835 | par->hook_mask, par->family), |
| 838 | par->family), | 836 | textify_hooks(allow, sizeof(allow), |
| 839 | textify_hooks(allow, sizeof(allow), par->target->hooks, | 837 | par->target->hooks, |
| 840 | par->family)); | 838 | par->family)); |
| 841 | return -EINVAL; | 839 | return -EINVAL; |
| 842 | } | 840 | } |
| 843 | if (par->target->proto && (par->target->proto != proto || inv_proto)) { | 841 | if (par->target->proto && (par->target->proto != proto || inv_proto)) { |
| 844 | pr_err("%s_tables: %s target: only valid for protocol %u\n", | 842 | pr_info_ratelimited("%s_tables: %s target: only valid for protocol %u\n", |
| 845 | xt_prefix[par->family], par->target->name, | 843 | xt_prefix[par->family], par->target->name, |
| 846 | par->target->proto); | 844 | par->target->proto); |
| 847 | return -EINVAL; | 845 | return -EINVAL; |
| 848 | } | 846 | } |
| 849 | if (par->target->checkentry != NULL) { | 847 | if (par->target->checkentry != NULL) { |