aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2018-02-21 14:49:55 -0500
committerDavid S. Miller <davem@davemloft.net>2018-02-21 14:49:55 -0500
commit943a0d4a9b450757860f1ead9ca8100883bb8967 (patch)
tree72d29aff65b379d591bccc015d092eb6ca5f473d
parent5ae437ad5a2ed573b1ebb04e0afa70b8869f88dd (diff)
parentcfc2c740533368b96e2be5e0a4e8c3cace7d9814 (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains large batch with Netfilter fixes for your net tree, mostly due to syzbot report fixups and pr_err() ratelimiting, more specifically, they are: 1) Get rid of superfluous unnecessary check in x_tables before vmalloc(), we don't hit BUG there anymore, patch from Michal Hock, suggested by Andrew Morton. 2) Race condition in proc file creation in ipt_CLUSTERIP, from Cong Wang. 3) Drop socket lock that results in circular locking dependency, patch from Paolo Abeni. 4) Drop packet if case of malformed blob that makes backpointer jump in x_tables, from Florian Westphal. 5) Fix refcount leak due to race in ipt_CLUSTERIP in clusterip_config_find_get(), from Cong Wang. 6) Several patches to ratelimit pr_err() for x_tables since this can be a problem where CAP_NET_ADMIN semantics can protect us in untrusted namespace, from Florian Westphal. 7) Missing .gitignore update for new autogenerated asn1 state machine for the SNMP NAT helper, from Zhu Lingshan. 8) Missing timer initialization in xt_LED, from Paolo Abeni. 9) Do not allow negative port range in NAT, also from Paolo. 10) Lock imbalance in the xt_hashlimit rate match mode, patch from Eric Dumazet. 11) Initialize workqueue before timer in the idletimer match, from Eric Dumazet. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat
-rw-r--r--.gitignore4
-rw-r--r--net/bridge/netfilter/ebt_among.c10
-rw-r--r--net/bridge/netfilter/ebt_limit.c4
-rw-r--r--net/ipv4/ip_sockglue.c7
-rw-r--r--net/ipv4/netfilter/arp_tables.c4
-rw-r--r--net/ipv4/netfilter/ip_tables.c7
-rw-r--r--net/ipv4/netfilter/ipt_CLUSTERIP.c20
-rw-r--r--net/ipv4/netfilter/ipt_ECN.c12
-rw-r--r--net/ipv4/netfilter/ipt_REJECT.c4
-rw-r--r--net/ipv4/netfilter/ipt_rpfilter.c6
-rw-r--r--net/ipv6/ipv6_sockglue.c10
-rw-r--r--net/ipv6/netfilter/ip6_tables.c4
-rw-r--r--net/ipv6/netfilter/ip6t_REJECT.c4
-rw-r--r--net/ipv6/netfilter/ip6t_rpfilter.c6
-rw-r--r--net/ipv6/netfilter/ip6t_srh.c6
-rw-r--r--net/netfilter/nf_nat_proto_common.c7
-rw-r--r--net/netfilter/x_tables.c74
-rw-r--r--net/netfilter/xt_AUDIT.c4
-rw-r--r--net/netfilter/xt_CHECKSUM.c8
-rw-r--r--net/netfilter/xt_CONNSECMARK.c10
-rw-r--r--net/netfilter/xt_CT.c25
-rw-r--r--net/netfilter/xt_DSCP.c4
-rw-r--r--net/netfilter/xt_HL.c13
-rw-r--r--net/netfilter/xt_HMARK.c27
-rw-r--r--net/netfilter/xt_IDLETIMER.c9
-rw-r--r--net/netfilter/xt_LED.c16
-rw-r--r--net/netfilter/xt_NFQUEUE.c8
-rw-r--r--net/netfilter/xt_SECMARK.c18
-rw-r--r--net/netfilter/xt_TCPMSS.c10
-rw-r--r--net/netfilter/xt_TPROXY.c6
-rw-r--r--net/netfilter/xt_addrtype.c33
-rw-r--r--net/netfilter/xt_bpf.c4
-rw-r--r--net/netfilter/xt_cgroup.c8
-rw-r--r--net/netfilter/xt_cluster.c8
-rw-r--r--net/netfilter/xt_connbytes.c4
-rw-r--r--net/netfilter/xt_connlabel.c7
-rw-r--r--net/netfilter/xt_connmark.c8
-rw-r--r--net/netfilter/xt_conntrack.c4
-rw-r--r--net/netfilter/xt_dscp.c4
-rw-r--r--net/netfilter/xt_ecn.c4
-rw-r--r--net/netfilter/xt_hashlimit.c26
-rw-r--r--net/netfilter/xt_helper.c4
-rw-r--r--net/netfilter/xt_ipcomp.c2
-rw-r--r--net/netfilter/xt_ipvs.c3
-rw-r--r--net/netfilter/xt_l2tp.c22
-rw-r--r--net/netfilter/xt_limit.c4
-rw-r--r--net/netfilter/xt_nat.c5
-rw-r--r--net/netfilter/xt_nfacct.c6
-rw-r--r--net/netfilter/xt_physdev.c4
-rw-r--r--net/netfilter/xt_policy.c23
-rw-r--r--net/netfilter/xt_recent.c14
-rw-r--r--net/netfilter/xt_set.c50
-rw-r--r--net/netfilter/xt_socket.c10
-rw-r--r--net/netfilter/xt_state.c4
-rw-r--r--net/netfilter/xt_time.c6
55 files changed, 314 insertions, 300 deletions
diff --git a/.gitignore b/.gitignore
index 705e09913dc2..1be78fd8163b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -127,3 +127,7 @@ all.config
127 127
128# Kdevelop4 128# Kdevelop4
129*.kdev4 129*.kdev4
130
131#Automatically generated by ASN.1 compiler
132net/ipv4/netfilter/nf_nat_snmp_basic-asn1.c
133net/ipv4/netfilter/nf_nat_snmp_basic-asn1.h
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index 279527f8b1fe..ce7152a12bd8 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -187,17 +187,17 @@ static int ebt_among_mt_check(const struct xt_mtchk_param *par)
187 expected_length += ebt_mac_wormhash_size(wh_src); 187 expected_length += ebt_mac_wormhash_size(wh_src);
188 188
189 if (em->match_size != EBT_ALIGN(expected_length)) { 189 if (em->match_size != EBT_ALIGN(expected_length)) {
190 pr_info("wrong size: %d against expected %d, rounded to %zd\n", 190 pr_err_ratelimited("wrong size: %d against expected %d, rounded to %zd\n",
191 em->match_size, expected_length, 191 em->match_size, expected_length,
192 EBT_ALIGN(expected_length)); 192 EBT_ALIGN(expected_length));
193 return -EINVAL; 193 return -EINVAL;
194 } 194 }
195 if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) { 195 if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) {
196 pr_info("dst integrity fail: %x\n", -err); 196 pr_err_ratelimited("dst integrity fail: %x\n", -err);
197 return -EINVAL; 197 return -EINVAL;
198 } 198 }
199 if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) { 199 if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) {
200 pr_info("src integrity fail: %x\n", -err); 200 pr_err_ratelimited("src integrity fail: %x\n", -err);
201 return -EINVAL; 201 return -EINVAL;
202 } 202 }
203 return 0; 203 return 0;
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 61a9f1be1263..165b9d678cf1 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -72,8 +72,8 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
72 /* Check for overflow. */ 72 /* Check for overflow. */
73 if (info->burst == 0 || 73 if (info->burst == 0 ||
74 user2credits(info->avg * info->burst) < user2credits(info->avg)) { 74 user2credits(info->avg * info->burst) < user2credits(info->avg)) {
75 pr_info("overflow, try lower: %u/%u\n", 75 pr_info_ratelimited("overflow, try lower: %u/%u\n",
76 info->avg, info->burst); 76 info->avg, info->burst);
77 return -EINVAL; 77 return -EINVAL;
78 } 78 }
79 79
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 008be04ac1cc..9c41a0cef1a5 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1567,10 +1567,7 @@ int ip_getsockopt(struct sock *sk, int level,
1567 if (get_user(len, optlen)) 1567 if (get_user(len, optlen))
1568 return -EFAULT; 1568 return -EFAULT;
1569 1569
1570 lock_sock(sk); 1570 err = nf_getsockopt(sk, PF_INET, optname, optval, &len);
1571 err = nf_getsockopt(sk, PF_INET, optname, optval,
1572 &len);
1573 release_sock(sk);
1574 if (err >= 0) 1571 if (err >= 0)
1575 err = put_user(len, optlen); 1572 err = put_user(len, optlen);
1576 return err; 1573 return err;
@@ -1602,9 +1599,7 @@ int compat_ip_getsockopt(struct sock *sk, int level, int optname,
1602 if (get_user(len, optlen)) 1599 if (get_user(len, optlen))
1603 return -EFAULT; 1600 return -EFAULT;
1604 1601
1605 lock_sock(sk);
1606 err = compat_nf_getsockopt(sk, PF_INET, optname, optval, &len); 1602 err = compat_nf_getsockopt(sk, PF_INET, optname, optval, &len);
1607 release_sock(sk);
1608 if (err >= 0) 1603 if (err >= 0)
1609 err = put_user(len, optlen); 1604 err = put_user(len, optlen);
1610 return err; 1605 return err;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 4ffe302f9b82..e3e420f3ba7b 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -252,6 +252,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
252 } 252 }
253 if (table_base + v 253 if (table_base + v
254 != arpt_next_entry(e)) { 254 != arpt_next_entry(e)) {
255 if (unlikely(stackidx >= private->stacksize)) {
256 verdict = NF_DROP;
257 break;
258 }
255 jumpstack[stackidx++] = e; 259 jumpstack[stackidx++] = e;
256 } 260 }
257 261
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 9a71f3149507..e38395a8dcf2 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -330,8 +330,13 @@ ipt_do_table(struct sk_buff *skb,
330 continue; 330 continue;
331 } 331 }
332 if (table_base + v != ipt_next_entry(e) && 332 if (table_base + v != ipt_next_entry(e) &&
333 !(e->ip.flags & IPT_F_GOTO)) 333 !(e->ip.flags & IPT_F_GOTO)) {
334 if (unlikely(stackidx >= private->stacksize)) {
335 verdict = NF_DROP;
336 break;
337 }
334 jumpstack[stackidx++] = e; 338 jumpstack[stackidx++] = e;
339 }
335 340
336 e = get_entry(table_base, v); 341 e = get_entry(table_base, v);
337 continue; 342 continue;
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 3a84a60f6b39..4b02ab39ebc5 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -107,12 +107,6 @@ clusterip_config_entry_put(struct net *net, struct clusterip_config *c)
107 107
108 local_bh_disable(); 108 local_bh_disable();
109 if (refcount_dec_and_lock(&c->entries, &cn->lock)) { 109 if (refcount_dec_and_lock(&c->entries, &cn->lock)) {
110 list_del_rcu(&c->list);
111 spin_unlock(&cn->lock);
112 local_bh_enable();
113
114 unregister_netdevice_notifier(&c->notifier);
115
116 /* In case anyone still accesses the file, the open/close 110 /* In case anyone still accesses the file, the open/close
117 * functions are also incrementing the refcount on their own, 111 * functions are also incrementing the refcount on their own,
118 * so it's safe to remove the entry even if it's in use. */ 112 * so it's safe to remove the entry even if it's in use. */
@@ -120,6 +114,12 @@ clusterip_config_entry_put(struct net *net, struct clusterip_config *c)
120 if (cn->procdir) 114 if (cn->procdir)
121 proc_remove(c->pde); 115 proc_remove(c->pde);
122#endif 116#endif
117 list_del_rcu(&c->list);
118 spin_unlock(&cn->lock);
119 local_bh_enable();
120
121 unregister_netdevice_notifier(&c->notifier);
122
123 return; 123 return;
124 } 124 }
125 local_bh_enable(); 125 local_bh_enable();
@@ -154,8 +154,12 @@ clusterip_config_find_get(struct net *net, __be32 clusterip, int entry)
154#endif 154#endif
155 if (unlikely(!refcount_inc_not_zero(&c->refcount))) 155 if (unlikely(!refcount_inc_not_zero(&c->refcount)))
156 c = NULL; 156 c = NULL;
157 else if (entry) 157 else if (entry) {
158 refcount_inc(&c->entries); 158 if (unlikely(!refcount_inc_not_zero(&c->entries))) {
159 clusterip_config_put(c);
160 c = NULL;
161 }
162 }
159 } 163 }
160 rcu_read_unlock_bh(); 164 rcu_read_unlock_bh();
161 165
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 270765236f5e..aaaf9a81fbc9 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -98,17 +98,15 @@ static int ecn_tg_check(const struct xt_tgchk_param *par)
98 const struct ipt_ECN_info *einfo = par->targinfo; 98 const struct ipt_ECN_info *einfo = par->targinfo;
99 const struct ipt_entry *e = par->entryinfo; 99 const struct ipt_entry *e = par->entryinfo;
100 100
101 if (einfo->operation & IPT_ECN_OP_MASK) { 101 if (einfo->operation & IPT_ECN_OP_MASK)
102 pr_info("unsupported ECN operation %x\n", einfo->operation);
103 return -EINVAL; 102 return -EINVAL;
104 } 103
105 if (einfo->ip_ect & ~IPT_ECN_IP_MASK) { 104 if (einfo->ip_ect & ~IPT_ECN_IP_MASK)
106 pr_info("new ECT codepoint %x out of mask\n", einfo->ip_ect);
107 return -EINVAL; 105 return -EINVAL;
108 } 106
109 if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) && 107 if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
110 (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) { 108 (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
111 pr_info("cannot use TCP operations on a non-tcp rule\n"); 109 pr_info_ratelimited("cannot use operation on non-tcp rule\n");
112 return -EINVAL; 110 return -EINVAL;
113 } 111 }
114 return 0; 112 return 0;
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 8bd0d7b26632..e8bed3390e58 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -74,13 +74,13 @@ static int reject_tg_check(const struct xt_tgchk_param *par)
74 const struct ipt_entry *e = par->entryinfo; 74 const struct ipt_entry *e = par->entryinfo;
75 75
76 if (rejinfo->with == IPT_ICMP_ECHOREPLY) { 76 if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
77 pr_info("ECHOREPLY no longer supported.\n"); 77 pr_info_ratelimited("ECHOREPLY no longer supported.\n");
78 return -EINVAL; 78 return -EINVAL;
79 } else if (rejinfo->with == IPT_TCP_RESET) { 79 } else if (rejinfo->with == IPT_TCP_RESET) {
80 /* Must specify that it's a TCP packet */ 80 /* Must specify that it's a TCP packet */
81 if (e->ip.proto != IPPROTO_TCP || 81 if (e->ip.proto != IPPROTO_TCP ||
82 (e->ip.invflags & XT_INV_PROTO)) { 82 (e->ip.invflags & XT_INV_PROTO)) {
83 pr_info("TCP_RESET invalid for non-tcp\n"); 83 pr_info_ratelimited("TCP_RESET invalid for non-tcp\n");
84 return -EINVAL; 84 return -EINVAL;
85 } 85 }
86 } 86 }
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index 37fb9552e858..fd01f13c896a 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -105,14 +105,14 @@ static int rpfilter_check(const struct xt_mtchk_param *par)
105 const struct xt_rpfilter_info *info = par->matchinfo; 105 const struct xt_rpfilter_info *info = par->matchinfo;
106 unsigned int options = ~XT_RPFILTER_OPTION_MASK; 106 unsigned int options = ~XT_RPFILTER_OPTION_MASK;
107 if (info->flags & options) { 107 if (info->flags & options) {
108 pr_info("unknown options encountered"); 108 pr_info_ratelimited("unknown options\n");
109 return -EINVAL; 109 return -EINVAL;
110 } 110 }
111 111
112 if (strcmp(par->table, "mangle") != 0 && 112 if (strcmp(par->table, "mangle") != 0 &&
113 strcmp(par->table, "raw") != 0) { 113 strcmp(par->table, "raw") != 0) {
114 pr_info("match only valid in the \'raw\' " 114 pr_info_ratelimited("only valid in \'raw\' or \'mangle\' table, not \'%s\'\n",
115 "or \'mangle\' tables, not \'%s\'.\n", par->table); 115 par->table);
116 return -EINVAL; 116 return -EINVAL;
117 } 117 }
118 118
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index d78d41fc4b1a..24535169663d 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -1367,10 +1367,7 @@ int ipv6_getsockopt(struct sock *sk, int level, int optname,
1367 if (get_user(len, optlen)) 1367 if (get_user(len, optlen))
1368 return -EFAULT; 1368 return -EFAULT;
1369 1369
1370 lock_sock(sk); 1370 err = nf_getsockopt(sk, PF_INET6, optname, optval, &len);
1371 err = nf_getsockopt(sk, PF_INET6, optname, optval,
1372 &len);
1373 release_sock(sk);
1374 if (err >= 0) 1371 if (err >= 0)
1375 err = put_user(len, optlen); 1372 err = put_user(len, optlen);
1376 } 1373 }
@@ -1409,10 +1406,7 @@ int compat_ipv6_getsockopt(struct sock *sk, int level, int optname,
1409 if (get_user(len, optlen)) 1406 if (get_user(len, optlen))
1410 return -EFAULT; 1407 return -EFAULT;
1411 1408
1412 lock_sock(sk); 1409 err = compat_nf_getsockopt(sk, PF_INET6, optname, optval, &len);
1413 err = compat_nf_getsockopt(sk, PF_INET6,
1414 optname, optval, &len);
1415 release_sock(sk);
1416 if (err >= 0) 1410 if (err >= 0)
1417 err = put_user(len, optlen); 1411 err = put_user(len, optlen);
1418 } 1412 }
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index af4c917e0836..62358b93bbac 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -352,6 +352,10 @@ ip6t_do_table(struct sk_buff *skb,
352 } 352 }
353 if (table_base + v != ip6t_next_entry(e) && 353 if (table_base + v != ip6t_next_entry(e) &&
354 !(e->ipv6.flags & IP6T_F_GOTO)) { 354 !(e->ipv6.flags & IP6T_F_GOTO)) {
355 if (unlikely(stackidx >= private->stacksize)) {
356 verdict = NF_DROP;
357 break;
358 }
355 jumpstack[stackidx++] = e; 359 jumpstack[stackidx++] = e;
356 } 360 }
357 361
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index fa51a205918d..38dea8ff680f 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -85,14 +85,14 @@ static int reject_tg6_check(const struct xt_tgchk_param *par)
85 const struct ip6t_entry *e = par->entryinfo; 85 const struct ip6t_entry *e = par->entryinfo;
86 86
87 if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) { 87 if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
88 pr_info("ECHOREPLY is not supported.\n"); 88 pr_info_ratelimited("ECHOREPLY is not supported\n");
89 return -EINVAL; 89 return -EINVAL;
90 } else if (rejinfo->with == IP6T_TCP_RESET) { 90 } else if (rejinfo->with == IP6T_TCP_RESET) {
91 /* Must specify that it's a TCP packet */ 91 /* Must specify that it's a TCP packet */
92 if (!(e->ipv6.flags & IP6T_F_PROTO) || 92 if (!(e->ipv6.flags & IP6T_F_PROTO) ||
93 e->ipv6.proto != IPPROTO_TCP || 93 e->ipv6.proto != IPPROTO_TCP ||
94 (e->ipv6.invflags & XT_INV_PROTO)) { 94 (e->ipv6.invflags & XT_INV_PROTO)) {
95 pr_info("TCP_RESET illegal for non-tcp\n"); 95 pr_info_ratelimited("TCP_RESET illegal for non-tcp\n");
96 return -EINVAL; 96 return -EINVAL;
97 } 97 }
98 } 98 }
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index b12e61b7b16c..94deb69bbbda 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -103,14 +103,14 @@ static int rpfilter_check(const struct xt_mtchk_param *par)
103 unsigned int options = ~XT_RPFILTER_OPTION_MASK; 103 unsigned int options = ~XT_RPFILTER_OPTION_MASK;
104 104
105 if (info->flags & options) { 105 if (info->flags & options) {
106 pr_info("unknown options encountered"); 106 pr_info_ratelimited("unknown options\n");
107 return -EINVAL; 107 return -EINVAL;
108 } 108 }
109 109
110 if (strcmp(par->table, "mangle") != 0 && 110 if (strcmp(par->table, "mangle") != 0 &&
111 strcmp(par->table, "raw") != 0) { 111 strcmp(par->table, "raw") != 0) {
112 pr_info("match only valid in the \'raw\' " 112 pr_info_ratelimited("only valid in \'raw\' or \'mangle\' table, not \'%s\'\n",
113 "or \'mangle\' tables, not \'%s\'.\n", par->table); 113 par->table);
114 return -EINVAL; 114 return -EINVAL;
115 } 115 }
116 116
diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
index 9642164107ce..33719d5560c8 100644
--- a/net/ipv6/netfilter/ip6t_srh.c
+++ b/net/ipv6/netfilter/ip6t_srh.c
@@ -122,12 +122,14 @@ static int srh_mt6_check(const struct xt_mtchk_param *par)
122 const struct ip6t_srh *srhinfo = par->matchinfo; 122 const struct ip6t_srh *srhinfo = par->matchinfo;
123 123
124 if (srhinfo->mt_flags & ~IP6T_SRH_MASK) { 124 if (srhinfo->mt_flags & ~IP6T_SRH_MASK) {
125 pr_err("unknown srh match flags %X\n", srhinfo->mt_flags); 125 pr_info_ratelimited("unknown srh match flags %X\n",
126 srhinfo->mt_flags);
126 return -EINVAL; 127 return -EINVAL;
127 } 128 }
128 129
129 if (srhinfo->mt_invflags & ~IP6T_SRH_INV_MASK) { 130 if (srhinfo->mt_invflags & ~IP6T_SRH_INV_MASK) {
130 pr_err("unknown srh invflags %X\n", srhinfo->mt_invflags); 131 pr_info_ratelimited("unknown srh invflags %X\n",
132 srhinfo->mt_invflags);
131 return -EINVAL; 133 return -EINVAL;
132 } 134 }
133 135
diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c
index fbce552a796e..7d7466dbf663 100644
--- a/net/netfilter/nf_nat_proto_common.c
+++ b/net/netfilter/nf_nat_proto_common.c
@@ -41,7 +41,7 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
41 const struct nf_conn *ct, 41 const struct nf_conn *ct,
42 u16 *rover) 42 u16 *rover)
43{ 43{
44 unsigned int range_size, min, i; 44 unsigned int range_size, min, max, i;
45 __be16 *portptr; 45 __be16 *portptr;
46 u_int16_t off; 46 u_int16_t off;
47 47
@@ -71,7 +71,10 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
71 } 71 }
72 } else { 72 } else {
73 min = ntohs(range->min_proto.all); 73 min = ntohs(range->min_proto.all);
74 range_size = ntohs(range->max_proto.all) - min + 1; 74 max = ntohs(range->max_proto.all);
75 if (unlikely(max < min))
76 swap(max, min);
77 range_size = max - min + 1;
75 } 78 }
76 79
77 if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) { 80 if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 2f685ee1f9c8..fa1655aff8d3 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -434,36 +434,35 @@ int xt_check_match(struct xt_mtchk_param *par,
434 * ebt_among is exempt from centralized matchsize checking 434 * ebt_among is exempt from centralized matchsize checking
435 * because it uses a dynamic-size data set. 435 * because it uses a dynamic-size data set.
436 */ 436 */
437 pr_err("%s_tables: %s.%u match: invalid size " 437 pr_err_ratelimited("%s_tables: %s.%u match: invalid size %u (kernel) != (user) %u\n",
438 "%u (kernel) != (user) %u\n", 438 xt_prefix[par->family], par->match->name,
439 xt_prefix[par->family], par->match->name, 439 par->match->revision,
440 par->match->revision, 440 XT_ALIGN(par->match->matchsize), size);
441 XT_ALIGN(par->match->matchsize), size);
442 return -EINVAL; 441 return -EINVAL;
443 } 442 }
444 if (par->match->table != NULL && 443 if (par->match->table != NULL &&
445 strcmp(par->match->table, par->table) != 0) { 444 strcmp(par->match->table, par->table) != 0) {
446 pr_err("%s_tables: %s match: only valid in %s table, not %s\n", 445 pr_info_ratelimited("%s_tables: %s match: only valid in %s table, not %s\n",
447 xt_prefix[par->family], par->match->name, 446 xt_prefix[par->family], par->match->name,
448 par->match->table, par->table); 447 par->match->table, par->table);
449 return -EINVAL; 448 return -EINVAL;
450 } 449 }
451 if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) { 450 if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
452 char used[64], allow[64]; 451 char used[64], allow[64];
453 452
454 pr_err("%s_tables: %s match: used from hooks %s, but only " 453 pr_info_ratelimited("%s_tables: %s match: used from hooks %s, but only valid from %s\n",
455 "valid from %s\n", 454 xt_prefix[par->family], par->match->name,
456 xt_prefix[par->family], par->match->name, 455 textify_hooks(used, sizeof(used),
457 textify_hooks(used, sizeof(used), par->hook_mask, 456 par->hook_mask, par->family),
458 par->family), 457 textify_hooks(allow, sizeof(allow),
459 textify_hooks(allow, sizeof(allow), par->match->hooks, 458 par->match->hooks,
460 par->family)); 459 par->family));
461 return -EINVAL; 460 return -EINVAL;
462 } 461 }
463 if (par->match->proto && (par->match->proto != proto || inv_proto)) { 462 if (par->match->proto && (par->match->proto != proto || inv_proto)) {
464 pr_err("%s_tables: %s match: only valid for protocol %u\n", 463 pr_info_ratelimited("%s_tables: %s match: only valid for protocol %u\n",
465 xt_prefix[par->family], par->match->name, 464 xt_prefix[par->family], par->match->name,
466 par->match->proto); 465 par->match->proto);
467 return -EINVAL; 466 return -EINVAL;
468 } 467 }
469 if (par->match->checkentry != NULL) { 468 if (par->match->checkentry != NULL) {
@@ -814,36 +813,35 @@ int xt_check_target(struct xt_tgchk_param *par,
814 int ret; 813 int ret;
815 814
816 if (XT_ALIGN(par->target->targetsize) != size) { 815 if (XT_ALIGN(par->target->targetsize) != size) {
817 pr_err("%s_tables: %s.%u target: invalid size " 816 pr_err_ratelimited("%s_tables: %s.%u target: invalid size %u (kernel) != (user) %u\n",
818 "%u (kernel) != (user) %u\n", 817 xt_prefix[par->family], par->target->name,
819 xt_prefix[par->family], par->target->name, 818 par->target->revision,
820 par->target->revision, 819 XT_ALIGN(par->target->targetsize), size);
821 XT_ALIGN(par->target->targetsize), size);
822 return -EINVAL; 820 return -EINVAL;
823 } 821 }
824 if (par->target->table != NULL && 822 if (par->target->table != NULL &&
825 strcmp(par->target->table, par->table) != 0) { 823 strcmp(par->target->table, par->table) != 0) {
826 pr_err("%s_tables: %s target: only valid in %s table, not %s\n", 824 pr_info_ratelimited("%s_tables: %s target: only valid in %s table, not %s\n",
827 xt_prefix[par->family], par->target->name, 825 xt_prefix[par->family], par->target->name,
828 par->target->table, par->table); 826 par->target->table, par->table);
829 return -EINVAL; 827 return -EINVAL;
830 } 828 }
831 if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) { 829 if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) {
832 char used[64], allow[64]; 830 char used[64], allow[64];
833 831
834 pr_err("%s_tables: %s target: used from hooks %s, but only " 832 pr_info_ratelimited("%s_tables: %s target: used from hooks %s, but only usable from %s\n",
835 "usable from %s\n", 833 xt_prefix[par->family], par->target->name,
836 xt_prefix[par->family], par->target->name, 834 textify_hooks(used, sizeof(used),
837 textify_hooks(used, sizeof(used), par->hook_mask, 835 par->hook_mask, par->family),
838 par->family), 836 textify_hooks(allow, sizeof(allow),
839 textify_hooks(allow, sizeof(allow), par->target->hooks, 837 par->target->hooks,
840 par->family)); 838 par->family));
841 return -EINVAL; 839 return -EINVAL;
842 } 840 }
843 if (par->target->proto && (par->target->proto != proto || inv_proto)) { 841 if (par->target->proto && (par->target->proto != proto || inv_proto)) {
844 pr_err("%s_tables: %s target: only valid for protocol %u\n", 842 pr_info_ratelimited("%s_tables: %s target: only valid for protocol %u\n",
845 xt_prefix[par->family], par->target->name, 843 xt_prefix[par->family], par->target->name,
846 par->target->proto); 844 par->target->proto);
847 return -EINVAL; 845 return -EINVAL;
848 } 846 }
849 if (par->target->checkentry != NULL) { 847 if (par->target->checkentry != NULL) {
@@ -1004,10 +1002,6 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
1004 if (sz < sizeof(*info)) 1002 if (sz < sizeof(*info))
1005 return NULL; 1003 return NULL;
1006 1004
1007 /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
1008 if ((size >> PAGE_SHIFT) + 2 > totalram_pages)
1009 return NULL;
1010
1011 /* __GFP_NORETRY is not fully supported by kvmalloc but it should 1005 /* __GFP_NORETRY is not fully supported by kvmalloc but it should
1012 * work reasonably well if sz is too large and bail out rather 1006 * work reasonably well if sz is too large and bail out rather
1013 * than shoot all processes down before realizing there is nothing 1007 * than shoot all processes down before realizing there is nothing
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index c502419d6306..f368ee6741db 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -120,8 +120,8 @@ static int audit_tg_check(const struct xt_tgchk_param *par)
120 const struct xt_audit_info *info = par->targinfo; 120 const struct xt_audit_info *info = par->targinfo;
121 121
122 if (info->type > XT_AUDIT_TYPE_MAX) { 122 if (info->type > XT_AUDIT_TYPE_MAX) {
123 pr_info("Audit type out of range (valid range: 0..%hhu)\n", 123 pr_info_ratelimited("Audit type out of range (valid range: 0..%hhu)\n",
124 XT_AUDIT_TYPE_MAX); 124 XT_AUDIT_TYPE_MAX);
125 return -ERANGE; 125 return -ERANGE;
126 } 126 }
127 127
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
index 0f642ef8cd26..9f4151ec3e06 100644
--- a/net/netfilter/xt_CHECKSUM.c
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -36,13 +36,13 @@ static int checksum_tg_check(const struct xt_tgchk_param *par)
36 const struct xt_CHECKSUM_info *einfo = par->targinfo; 36 const struct xt_CHECKSUM_info *einfo = par->targinfo;
37 37
38 if (einfo->operation & ~XT_CHECKSUM_OP_FILL) { 38 if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
39 pr_info("unsupported CHECKSUM operation %x\n", einfo->operation); 39 pr_info_ratelimited("unsupported CHECKSUM operation %x\n",
40 einfo->operation);
40 return -EINVAL; 41 return -EINVAL;
41 } 42 }
42 if (!einfo->operation) { 43 if (!einfo->operation)
43 pr_info("no CHECKSUM operation enabled\n");
44 return -EINVAL; 44 return -EINVAL;
45 } 45
46 return 0; 46 return 0;
47} 47}
48 48
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index da56c06a443c..f3f1caac949b 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -91,8 +91,8 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
91 91
92 if (strcmp(par->table, "mangle") != 0 && 92 if (strcmp(par->table, "mangle") != 0 &&
93 strcmp(par->table, "security") != 0) { 93 strcmp(par->table, "security") != 0) {
94 pr_info("target only valid in the \'mangle\' " 94 pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
95 "or \'security\' tables, not \'%s\'.\n", par->table); 95 par->table);
96 return -EINVAL; 96 return -EINVAL;
97 } 97 }
98 98
@@ -102,14 +102,14 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
102 break; 102 break;
103 103
104 default: 104 default:
105 pr_info("invalid mode: %hu\n", info->mode); 105 pr_info_ratelimited("invalid mode: %hu\n", info->mode);
106 return -EINVAL; 106 return -EINVAL;
107 } 107 }
108 108
109 ret = nf_ct_netns_get(par->net, par->family); 109 ret = nf_ct_netns_get(par->net, par->family);
110 if (ret < 0) 110 if (ret < 0)
111 pr_info("cannot load conntrack support for proto=%u\n", 111 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
112 par->family); 112 par->family);
113 return ret; 113 return ret;
114} 114}
115 115
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 5a152e2acfd5..8790190c6feb 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -82,15 +82,14 @@ xt_ct_set_helper(struct nf_conn *ct, const char *helper_name,
82 82
83 proto = xt_ct_find_proto(par); 83 proto = xt_ct_find_proto(par);
84 if (!proto) { 84 if (!proto) {
85 pr_info("You must specify a L4 protocol, and not use " 85 pr_info_ratelimited("You must specify a L4 protocol and not use inversions on it\n");
86 "inversions on it.\n");
87 return -ENOENT; 86 return -ENOENT;
88 } 87 }
89 88
90 helper = nf_conntrack_helper_try_module_get(helper_name, par->family, 89 helper = nf_conntrack_helper_try_module_get(helper_name, par->family,
91 proto); 90 proto);
92 if (helper == NULL) { 91 if (helper == NULL) {
93 pr_info("No such helper \"%s\"\n", helper_name); 92 pr_info_ratelimited("No such helper \"%s\"\n", helper_name);
94 return -ENOENT; 93 return -ENOENT;
95 } 94 }
96 95
@@ -124,6 +123,7 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
124 const struct nf_conntrack_l4proto *l4proto; 123 const struct nf_conntrack_l4proto *l4proto;
125 struct ctnl_timeout *timeout; 124 struct ctnl_timeout *timeout;
126 struct nf_conn_timeout *timeout_ext; 125 struct nf_conn_timeout *timeout_ext;
126 const char *errmsg = NULL;
127 int ret = 0; 127 int ret = 0;
128 u8 proto; 128 u8 proto;
129 129
@@ -131,29 +131,29 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
131 timeout_find_get = rcu_dereference(nf_ct_timeout_find_get_hook); 131 timeout_find_get = rcu_dereference(nf_ct_timeout_find_get_hook);
132 if (timeout_find_get == NULL) { 132 if (timeout_find_get == NULL) {
133 ret = -ENOENT; 133 ret = -ENOENT;
134 pr_info("Timeout policy base is empty\n"); 134 errmsg = "Timeout policy base is empty";
135 goto out; 135 goto out;
136 } 136 }
137 137
138 proto = xt_ct_find_proto(par); 138 proto = xt_ct_find_proto(par);
139 if (!proto) { 139 if (!proto) {
140 ret = -EINVAL; 140 ret = -EINVAL;
141 pr_info("You must specify a L4 protocol, and not use " 141 errmsg = "You must specify a L4 protocol and not use inversions on it";
142 "inversions on it.\n");
143 goto out; 142 goto out;
144 } 143 }
145 144
146 timeout = timeout_find_get(par->net, timeout_name); 145 timeout = timeout_find_get(par->net, timeout_name);
147 if (timeout == NULL) { 146 if (timeout == NULL) {
148 ret = -ENOENT; 147 ret = -ENOENT;
149 pr_info("No such timeout policy \"%s\"\n", timeout_name); 148 pr_info_ratelimited("No such timeout policy \"%s\"\n",
149 timeout_name);
150 goto out; 150 goto out;
151 } 151 }
152 152
153 if (timeout->l3num != par->family) { 153 if (timeout->l3num != par->family) {
154 ret = -EINVAL; 154 ret = -EINVAL;
155 pr_info("Timeout policy `%s' can only be used by L3 protocol " 155 pr_info_ratelimited("Timeout policy `%s' can only be used by L%d protocol number %d\n",
156 "number %d\n", timeout_name, timeout->l3num); 156 timeout_name, 3, timeout->l3num);
157 goto err_put_timeout; 157 goto err_put_timeout;
158 } 158 }
159 /* Make sure the timeout policy matches any existing protocol tracker, 159 /* Make sure the timeout policy matches any existing protocol tracker,
@@ -162,9 +162,8 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
162 l4proto = __nf_ct_l4proto_find(par->family, proto); 162 l4proto = __nf_ct_l4proto_find(par->family, proto);
163 if (timeout->l4proto->l4proto != l4proto->l4proto) { 163 if (timeout->l4proto->l4proto != l4proto->l4proto) {
164 ret = -EINVAL; 164 ret = -EINVAL;
165 pr_info("Timeout policy `%s' can only be used by L4 protocol " 165 pr_info_ratelimited("Timeout policy `%s' can only be used by L%d protocol number %d\n",
166 "number %d\n", 166 timeout_name, 4, timeout->l4proto->l4proto);
167 timeout_name, timeout->l4proto->l4proto);
168 goto err_put_timeout; 167 goto err_put_timeout;
169 } 168 }
170 timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC); 169 timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC);
@@ -180,6 +179,8 @@ err_put_timeout:
180 __xt_ct_tg_timeout_put(timeout); 179 __xt_ct_tg_timeout_put(timeout);
181out: 180out:
182 rcu_read_unlock(); 181 rcu_read_unlock();
182 if (errmsg)
183 pr_info_ratelimited("%s\n", errmsg);
183 return ret; 184 return ret;
184#else 185#else
185 return -EOPNOTSUPP; 186 return -EOPNOTSUPP;
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 3f83d38c4e5b..098ed851b7a7 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -66,10 +66,8 @@ static int dscp_tg_check(const struct xt_tgchk_param *par)
66{ 66{
67 const struct xt_DSCP_info *info = par->targinfo; 67 const struct xt_DSCP_info *info = par->targinfo;
68 68
69 if (info->dscp > XT_DSCP_MAX) { 69 if (info->dscp > XT_DSCP_MAX)
70 pr_info("dscp %x out of range\n", info->dscp);
71 return -EDOM; 70 return -EDOM;
72 }
73 return 0; 71 return 0;
74} 72}
75 73
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 1535e87ed9bd..4653b071bed4 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -105,10 +105,8 @@ static int ttl_tg_check(const struct xt_tgchk_param *par)
105{ 105{
106 const struct ipt_TTL_info *info = par->targinfo; 106 const struct ipt_TTL_info *info = par->targinfo;
107 107
108 if (info->mode > IPT_TTL_MAXMODE) { 108 if (info->mode > IPT_TTL_MAXMODE)
109 pr_info("TTL: invalid or unknown mode %u\n", info->mode);
110 return -EINVAL; 109 return -EINVAL;
111 }
112 if (info->mode != IPT_TTL_SET && info->ttl == 0) 110 if (info->mode != IPT_TTL_SET && info->ttl == 0)
113 return -EINVAL; 111 return -EINVAL;
114 return 0; 112 return 0;
@@ -118,15 +116,10 @@ static int hl_tg6_check(const struct xt_tgchk_param *par)
118{ 116{
119 const struct ip6t_HL_info *info = par->targinfo; 117 const struct ip6t_HL_info *info = par->targinfo;
120 118
121 if (info->mode > IP6T_HL_MAXMODE) { 119 if (info->mode > IP6T_HL_MAXMODE)
122 pr_info("invalid or unknown mode %u\n", info->mode);
123 return -EINVAL; 120 return -EINVAL;
124 } 121 if (info->mode != IP6T_HL_SET && info->hop_limit == 0)
125 if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
126 pr_info("increment/decrement does not "
127 "make sense with value 0\n");
128 return -EINVAL; 122 return -EINVAL;
129 }
130 return 0; 123 return 0;
131} 124}
132 125
diff --git a/net/netfilter/xt_HMARK.c b/net/netfilter/xt_HMARK.c
index 60e6dbe12460..9c75f419cd80 100644
--- a/net/netfilter/xt_HMARK.c
+++ b/net/netfilter/xt_HMARK.c
@@ -9,6 +9,8 @@
9 * the Free Software Foundation. 9 * the Free Software Foundation.
10 */ 10 */
11 11
12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
12#include <linux/module.h> 14#include <linux/module.h>
13#include <linux/skbuff.h> 15#include <linux/skbuff.h>
14#include <linux/icmp.h> 16#include <linux/icmp.h>
@@ -312,29 +314,30 @@ hmark_tg_v4(struct sk_buff *skb, const struct xt_action_param *par)
312static int hmark_tg_check(const struct xt_tgchk_param *par) 314static int hmark_tg_check(const struct xt_tgchk_param *par)
313{ 315{
314 const struct xt_hmark_info *info = par->targinfo; 316 const struct xt_hmark_info *info = par->targinfo;
317 const char *errmsg = "proto mask must be zero with L3 mode";
315 318
316 if (!info->hmodulus) { 319 if (!info->hmodulus)
317 pr_info("xt_HMARK: hash modulus can't be zero\n");
318 return -EINVAL; 320 return -EINVAL;
319 } 321
320 if (info->proto_mask && 322 if (info->proto_mask &&
321 (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))) { 323 (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3)))
322 pr_info("xt_HMARK: proto mask must be zero with L3 mode\n"); 324 goto err;
323 return -EINVAL; 325
324 }
325 if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK) && 326 if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK) &&
326 (info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT_MASK) | 327 (info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT_MASK) |
327 XT_HMARK_FLAG(XT_HMARK_DPORT_MASK)))) { 328 XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))))
328 pr_info("xt_HMARK: spi-mask and port-mask can't be combined\n");
329 return -EINVAL; 329 return -EINVAL;
330 } 330
331 if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI) && 331 if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI) &&
332 (info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT) | 332 (info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT) |
333 XT_HMARK_FLAG(XT_HMARK_DPORT)))) { 333 XT_HMARK_FLAG(XT_HMARK_DPORT)))) {
334 pr_info("xt_HMARK: spi-set and port-set can't be combined\n"); 334 errmsg = "spi-set and port-set can't be combined";
335 return -EINVAL; 335 goto err;
336 } 336 }
337 return 0; 337 return 0;
338err:
339 pr_info_ratelimited("%s\n", errmsg);
340 return -EINVAL;
338} 341}
339 342
340static struct xt_target hmark_tg_reg[] __read_mostly = { 343static struct xt_target hmark_tg_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index 6c2482b709b1..1ac6600bfafd 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -146,11 +146,11 @@ static int idletimer_tg_create(struct idletimer_tg_info *info)
146 timer_setup(&info->timer->timer, idletimer_tg_expired, 0); 146 timer_setup(&info->timer->timer, idletimer_tg_expired, 0);
147 info->timer->refcnt = 1; 147 info->timer->refcnt = 1;
148 148
149 INIT_WORK(&info->timer->work, idletimer_tg_work);
150
149 mod_timer(&info->timer->timer, 151 mod_timer(&info->timer->timer,
150 msecs_to_jiffies(info->timeout * 1000) + jiffies); 152 msecs_to_jiffies(info->timeout * 1000) + jiffies);
151 153
152 INIT_WORK(&info->timer->work, idletimer_tg_work);
153
154 return 0; 154 return 0;
155 155
156out_free_attr: 156out_free_attr:
@@ -191,7 +191,10 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par)
191 pr_debug("timeout value is zero\n"); 191 pr_debug("timeout value is zero\n");
192 return -EINVAL; 192 return -EINVAL;
193 } 193 }
194 194 if (info->timeout >= INT_MAX / 1000) {
195 pr_debug("timeout value is too big\n");
196 return -EINVAL;
197 }
195 if (info->label[0] == '\0' || 198 if (info->label[0] == '\0' ||
196 strnlen(info->label, 199 strnlen(info->label,
197 MAX_IDLETIMER_LABEL_SIZE) == MAX_IDLETIMER_LABEL_SIZE) { 200 MAX_IDLETIMER_LABEL_SIZE) == MAX_IDLETIMER_LABEL_SIZE) {
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 1dcad893df78..19846445504d 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -111,10 +111,8 @@ static int led_tg_check(const struct xt_tgchk_param *par)
111 struct xt_led_info_internal *ledinternal; 111 struct xt_led_info_internal *ledinternal;
112 int err; 112 int err;
113 113
114 if (ledinfo->id[0] == '\0') { 114 if (ledinfo->id[0] == '\0')
115 pr_info("No 'id' parameter given.\n");
116 return -EINVAL; 115 return -EINVAL;
117 }
118 116
119 mutex_lock(&xt_led_mutex); 117 mutex_lock(&xt_led_mutex);
120 118
@@ -138,13 +136,14 @@ static int led_tg_check(const struct xt_tgchk_param *par)
138 136
139 err = led_trigger_register(&ledinternal->netfilter_led_trigger); 137 err = led_trigger_register(&ledinternal->netfilter_led_trigger);
140 if (err) { 138 if (err) {
141 pr_err("Trigger name is already in use.\n"); 139 pr_info_ratelimited("Trigger name is already in use.\n");
142 goto exit_alloc; 140 goto exit_alloc;
143 } 141 }
144 142
145 /* See if we need to set up a timer */ 143 /* Since the letinternal timer can be shared between multiple targets,
146 if (ledinfo->delay > 0) 144 * always set it up, even if the current target does not need it
147 timer_setup(&ledinternal->timer, led_timeout_callback, 0); 145 */
146 timer_setup(&ledinternal->timer, led_timeout_callback, 0);
148 147
149 list_add_tail(&ledinternal->list, &xt_led_triggers); 148 list_add_tail(&ledinternal->list, &xt_led_triggers);
150 149
@@ -181,8 +180,7 @@ static void led_tg_destroy(const struct xt_tgdtor_param *par)
181 180
182 list_del(&ledinternal->list); 181 list_del(&ledinternal->list);
183 182
184 if (ledinfo->delay > 0) 183 del_timer_sync(&ledinternal->timer);
185 del_timer_sync(&ledinternal->timer);
186 184
187 led_trigger_unregister(&ledinternal->netfilter_led_trigger); 185 led_trigger_unregister(&ledinternal->netfilter_led_trigger);
188 186
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index a360b99a958a..a9aca80a32ae 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -8,6 +8,8 @@
8 * 8 *
9 */ 9 */
10 10
11#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12
11#include <linux/module.h> 13#include <linux/module.h>
12#include <linux/skbuff.h> 14#include <linux/skbuff.h>
13 15
@@ -67,13 +69,13 @@ static int nfqueue_tg_check(const struct xt_tgchk_param *par)
67 init_hashrandom(&jhash_initval); 69 init_hashrandom(&jhash_initval);
68 70
69 if (info->queues_total == 0) { 71 if (info->queues_total == 0) {
70 pr_err("NFQUEUE: number of total queues is 0\n"); 72 pr_info_ratelimited("number of total queues is 0\n");
71 return -EINVAL; 73 return -EINVAL;
72 } 74 }
73 maxid = info->queues_total - 1 + info->queuenum; 75 maxid = info->queues_total - 1 + info->queuenum;
74 if (maxid > 0xffff) { 76 if (maxid > 0xffff) {
75 pr_err("NFQUEUE: number of queues (%u) out of range (got %u)\n", 77 pr_info_ratelimited("number of queues (%u) out of range (got %u)\n",
76 info->queues_total, maxid); 78 info->queues_total, maxid);
77 return -ERANGE; 79 return -ERANGE;
78 } 80 }
79 if (par->target->revision == 2 && info->flags > 1) 81 if (par->target->revision == 2 && info->flags > 1)
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 9faf5e050b79..4ad5fe27e08b 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -60,18 +60,20 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
60 &info->secid); 60 &info->secid);
61 if (err) { 61 if (err) {
62 if (err == -EINVAL) 62 if (err == -EINVAL)
63 pr_info("invalid security context \'%s\'\n", info->secctx); 63 pr_info_ratelimited("invalid security context \'%s\'\n",
64 info->secctx);
64 return err; 65 return err;
65 } 66 }
66 67
67 if (!info->secid) { 68 if (!info->secid) {
68 pr_info("unable to map security context \'%s\'\n", info->secctx); 69 pr_info_ratelimited("unable to map security context \'%s\'\n",
70 info->secctx);
69 return -ENOENT; 71 return -ENOENT;
70 } 72 }
71 73
72 err = security_secmark_relabel_packet(info->secid); 74 err = security_secmark_relabel_packet(info->secid);
73 if (err) { 75 if (err) {
74 pr_info("unable to obtain relabeling permission\n"); 76 pr_info_ratelimited("unable to obtain relabeling permission\n");
75 return err; 77 return err;
76 } 78 }
77 79
@@ -86,14 +88,14 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
86 88
87 if (strcmp(par->table, "mangle") != 0 && 89 if (strcmp(par->table, "mangle") != 0 &&
88 strcmp(par->table, "security") != 0) { 90 strcmp(par->table, "security") != 0) {
89 pr_info("target only valid in the \'mangle\' " 91 pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
90 "or \'security\' tables, not \'%s\'.\n", par->table); 92 par->table);
91 return -EINVAL; 93 return -EINVAL;
92 } 94 }
93 95
94 if (mode && mode != info->mode) { 96 if (mode && mode != info->mode) {
95 pr_info("mode already set to %hu cannot mix with " 97 pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n",
96 "rules for mode %hu\n", mode, info->mode); 98 mode, info->mode);
97 return -EINVAL; 99 return -EINVAL;
98 } 100 }
99 101
@@ -101,7 +103,7 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
101 case SECMARK_MODE_SEL: 103 case SECMARK_MODE_SEL:
102 break; 104 break;
103 default: 105 default:
104 pr_info("invalid mode: %hu\n", info->mode); 106 pr_info_ratelimited("invalid mode: %hu\n", info->mode);
105 return -EINVAL; 107 return -EINVAL;
106 } 108 }
107 109
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 99bb8e410f22..98efb202f8b4 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -273,8 +273,7 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
273 (par->hook_mask & ~((1 << NF_INET_FORWARD) | 273 (par->hook_mask & ~((1 << NF_INET_FORWARD) |
274 (1 << NF_INET_LOCAL_OUT) | 274 (1 << NF_INET_LOCAL_OUT) |
275 (1 << NF_INET_POST_ROUTING))) != 0) { 275 (1 << NF_INET_POST_ROUTING))) != 0) {
276 pr_info("path-MTU clamping only supported in " 276 pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
277 "FORWARD, OUTPUT and POSTROUTING hooks\n");
278 return -EINVAL; 277 return -EINVAL;
279 } 278 }
280 if (par->nft_compat) 279 if (par->nft_compat)
@@ -283,7 +282,7 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
283 xt_ematch_foreach(ematch, e) 282 xt_ematch_foreach(ematch, e)
284 if (find_syn_match(ematch)) 283 if (find_syn_match(ematch))
285 return 0; 284 return 0;
286 pr_info("Only works on TCP SYN packets\n"); 285 pr_info_ratelimited("Only works on TCP SYN packets\n");
287 return -EINVAL; 286 return -EINVAL;
288} 287}
289 288
@@ -298,8 +297,7 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
298 (par->hook_mask & ~((1 << NF_INET_FORWARD) | 297 (par->hook_mask & ~((1 << NF_INET_FORWARD) |
299 (1 << NF_INET_LOCAL_OUT) | 298 (1 << NF_INET_LOCAL_OUT) |
300 (1 << NF_INET_POST_ROUTING))) != 0) { 299 (1 << NF_INET_POST_ROUTING))) != 0) {
301 pr_info("path-MTU clamping only supported in " 300 pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
302 "FORWARD, OUTPUT and POSTROUTING hooks\n");
303 return -EINVAL; 301 return -EINVAL;
304 } 302 }
305 if (par->nft_compat) 303 if (par->nft_compat)
@@ -308,7 +306,7 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
308 xt_ematch_foreach(ematch, e) 306 xt_ematch_foreach(ematch, e)
309 if (find_syn_match(ematch)) 307 if (find_syn_match(ematch))
310 return 0; 308 return 0;
311 pr_info("Only works on TCP SYN packets\n"); 309 pr_info_ratelimited("Only works on TCP SYN packets\n");
312 return -EINVAL; 310 return -EINVAL;
313} 311}
314#endif 312#endif
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 17d7705e3bd4..8c89323c06af 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -540,8 +540,7 @@ static int tproxy_tg6_check(const struct xt_tgchk_param *par)
540 !(i->invflags & IP6T_INV_PROTO)) 540 !(i->invflags & IP6T_INV_PROTO))
541 return 0; 541 return 0;
542 542
543 pr_info("Can be used only in combination with " 543 pr_info_ratelimited("Can be used only with -p tcp or -p udp\n");
544 "either -p tcp or -p udp\n");
545 return -EINVAL; 544 return -EINVAL;
546} 545}
547#endif 546#endif
@@ -559,8 +558,7 @@ static int tproxy_tg4_check(const struct xt_tgchk_param *par)
559 && !(i->invflags & IPT_INV_PROTO)) 558 && !(i->invflags & IPT_INV_PROTO))
560 return 0; 559 return 0;
561 560
562 pr_info("Can be used only in combination with " 561 pr_info_ratelimited("Can be used only with -p tcp or -p udp\n");
563 "either -p tcp or -p udp\n");
564 return -EINVAL; 562 return -EINVAL;
565} 563}
566 564
diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
index 911a7c0da504..89e281b3bfc2 100644
--- a/net/netfilter/xt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@@ -164,48 +164,47 @@ addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
164 164
165static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par) 165static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
166{ 166{
167 const char *errmsg = "both incoming and outgoing interface limitation cannot be selected";
167 struct xt_addrtype_info_v1 *info = par->matchinfo; 168 struct xt_addrtype_info_v1 *info = par->matchinfo;
168 169
169 if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN && 170 if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN &&
170 info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) { 171 info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
171 pr_info("both incoming and outgoing " 172 goto err;
172 "interface limitation cannot be selected\n");
173 return -EINVAL;
174 }
175 173
176 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) | 174 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
177 (1 << NF_INET_LOCAL_IN)) && 175 (1 << NF_INET_LOCAL_IN)) &&
178 info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) { 176 info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
179 pr_info("output interface limitation " 177 errmsg = "output interface limitation not valid in PREROUTING and INPUT";
180 "not valid in PREROUTING and INPUT\n"); 178 goto err;
181 return -EINVAL;
182 } 179 }
183 180
184 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) | 181 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
185 (1 << NF_INET_LOCAL_OUT)) && 182 (1 << NF_INET_LOCAL_OUT)) &&
186 info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) { 183 info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) {
187 pr_info("input interface limitation " 184 errmsg = "input interface limitation not valid in POSTROUTING and OUTPUT";
188 "not valid in POSTROUTING and OUTPUT\n"); 185 goto err;
189 return -EINVAL;
190 } 186 }
191 187
192#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 188#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
193 if (par->family == NFPROTO_IPV6) { 189 if (par->family == NFPROTO_IPV6) {
194 if ((info->source | info->dest) & XT_ADDRTYPE_BLACKHOLE) { 190 if ((info->source | info->dest) & XT_ADDRTYPE_BLACKHOLE) {
195 pr_err("ipv6 BLACKHOLE matching not supported\n"); 191 errmsg = "ipv6 BLACKHOLE matching not supported";
196 return -EINVAL; 192 goto err;
197 } 193 }
198 if ((info->source | info->dest) >= XT_ADDRTYPE_PROHIBIT) { 194 if ((info->source | info->dest) >= XT_ADDRTYPE_PROHIBIT) {
199 pr_err("ipv6 PROHIBIT (THROW, NAT ..) matching not supported\n"); 195 errmsg = "ipv6 PROHIBIT (THROW, NAT ..) matching not supported";
200 return -EINVAL; 196 goto err;
201 } 197 }
202 if ((info->source | info->dest) & XT_ADDRTYPE_BROADCAST) { 198 if ((info->source | info->dest) & XT_ADDRTYPE_BROADCAST) {
203 pr_err("ipv6 does not support BROADCAST matching\n"); 199 errmsg = "ipv6 does not support BROADCAST matching";
204 return -EINVAL; 200 goto err;
205 } 201 }
206 } 202 }
207#endif 203#endif
208 return 0; 204 return 0;
205err:
206 pr_info_ratelimited("%s\n", errmsg);
207 return -EINVAL;
209} 208}
210 209
211static struct xt_match addrtype_mt_reg[] __read_mostly = { 210static struct xt_match addrtype_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
index 06b090d8e901..a2cf8a6236d6 100644
--- a/net/netfilter/xt_bpf.c
+++ b/net/netfilter/xt_bpf.c
@@ -7,6 +7,8 @@
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8 */ 8 */
9 9
10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11
10#include <linux/module.h> 12#include <linux/module.h>
11#include <linux/syscalls.h> 13#include <linux/syscalls.h>
12#include <linux/skbuff.h> 14#include <linux/skbuff.h>
@@ -34,7 +36,7 @@ static int __bpf_mt_check_bytecode(struct sock_filter *insns, __u16 len,
34 program.filter = insns; 36 program.filter = insns;
35 37
36 if (bpf_prog_create(ret, &program)) { 38 if (bpf_prog_create(ret, &program)) {
37 pr_info("bpf: check failed: parse error\n"); 39 pr_info_ratelimited("check failed: parse error\n");
38 return -EINVAL; 40 return -EINVAL;
39 } 41 }
40 42
diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index 891f4e7e8ea7..7df2dece57d3 100644
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -12,6 +12,8 @@
12 * published by the Free Software Foundation. 12 * published by the Free Software Foundation.
13 */ 13 */
14 14
15#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
16
15#include <linux/skbuff.h> 17#include <linux/skbuff.h>
16#include <linux/module.h> 18#include <linux/module.h>
17#include <linux/netfilter/x_tables.h> 19#include <linux/netfilter/x_tables.h>
@@ -48,7 +50,7 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
48 } 50 }
49 51
50 if (info->has_path && info->has_classid) { 52 if (info->has_path && info->has_classid) {
51 pr_info("xt_cgroup: both path and classid specified\n"); 53 pr_info_ratelimited("path and classid specified\n");
52 return -EINVAL; 54 return -EINVAL;
53 } 55 }
54 56
@@ -56,8 +58,8 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
56 if (info->has_path) { 58 if (info->has_path) {
57 cgrp = cgroup_get_from_path(info->path); 59 cgrp = cgroup_get_from_path(info->path);
58 if (IS_ERR(cgrp)) { 60 if (IS_ERR(cgrp)) {
59 pr_info("xt_cgroup: invalid path, errno=%ld\n", 61 pr_info_ratelimited("invalid path, errno=%ld\n",
60 PTR_ERR(cgrp)); 62 PTR_ERR(cgrp));
61 return -EINVAL; 63 return -EINVAL;
62 } 64 }
63 info->priv = cgrp; 65 info->priv = cgrp;
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 57ef175dfbfa..0068688995c8 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -135,14 +135,12 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
135 struct xt_cluster_match_info *info = par->matchinfo; 135 struct xt_cluster_match_info *info = par->matchinfo;
136 136
137 if (info->total_nodes > XT_CLUSTER_NODES_MAX) { 137 if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
138 pr_info("you have exceeded the maximum " 138 pr_info_ratelimited("you have exceeded the maximum number of cluster nodes (%u > %u)\n",
139 "number of cluster nodes (%u > %u)\n", 139 info->total_nodes, XT_CLUSTER_NODES_MAX);
140 info->total_nodes, XT_CLUSTER_NODES_MAX);
141 return -EINVAL; 140 return -EINVAL;
142 } 141 }
143 if (info->node_mask >= (1ULL << info->total_nodes)) { 142 if (info->node_mask >= (1ULL << info->total_nodes)) {
144 pr_info("this node mask cannot be " 143 pr_info_ratelimited("node mask cannot exceed total number of nodes\n");
145 "higher than the total number of nodes\n");
146 return -EDOM; 144 return -EDOM;
147 } 145 }
148 return 0; 146 return 0;
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index cad0b7b5eb35..93cb018c3055 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -112,8 +112,8 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
112 112
113 ret = nf_ct_netns_get(par->net, par->family); 113 ret = nf_ct_netns_get(par->net, par->family);
114 if (ret < 0) 114 if (ret < 0)
115 pr_info("cannot load conntrack support for proto=%u\n", 115 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
116 par->family); 116 par->family);
117 117
118 /* 118 /*
119 * This filter cannot function correctly unless connection tracking 119 * This filter cannot function correctly unless connection tracking
diff --git a/net/netfilter/xt_connlabel.c b/net/netfilter/xt_connlabel.c
index 23372879e6e3..4fa4efd24353 100644
--- a/net/netfilter/xt_connlabel.c
+++ b/net/netfilter/xt_connlabel.c
@@ -57,14 +57,15 @@ static int connlabel_mt_check(const struct xt_mtchk_param *par)
57 int ret; 57 int ret;
58 58
59 if (info->options & ~options) { 59 if (info->options & ~options) {
60 pr_err("Unknown options in mask %x\n", info->options); 60 pr_info_ratelimited("Unknown options in mask %x\n",
61 info->options);
61 return -EINVAL; 62 return -EINVAL;
62 } 63 }
63 64
64 ret = nf_ct_netns_get(par->net, par->family); 65 ret = nf_ct_netns_get(par->net, par->family);
65 if (ret < 0) { 66 if (ret < 0) {
66 pr_info("cannot load conntrack support for proto=%u\n", 67 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
67 par->family); 68 par->family);
68 return ret; 69 return ret;
69 } 70 }
70 71
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index ec377cc6a369..809639ce6f5a 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -79,8 +79,8 @@ static int connmark_tg_check(const struct xt_tgchk_param *par)
79 79
80 ret = nf_ct_netns_get(par->net, par->family); 80 ret = nf_ct_netns_get(par->net, par->family);
81 if (ret < 0) 81 if (ret < 0)
82 pr_info("cannot load conntrack support for proto=%u\n", 82 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
83 par->family); 83 par->family);
84 return ret; 84 return ret;
85} 85}
86 86
@@ -109,8 +109,8 @@ static int connmark_mt_check(const struct xt_mtchk_param *par)
109 109
110 ret = nf_ct_netns_get(par->net, par->family); 110 ret = nf_ct_netns_get(par->net, par->family);
111 if (ret < 0) 111 if (ret < 0)
112 pr_info("cannot load conntrack support for proto=%u\n", 112 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
113 par->family); 113 par->family);
114 return ret; 114 return ret;
115} 115}
116 116
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 39cf1d019240..df80fe7d391c 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -272,8 +272,8 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par)
272 272
273 ret = nf_ct_netns_get(par->net, par->family); 273 ret = nf_ct_netns_get(par->net, par->family);
274 if (ret < 0) 274 if (ret < 0)
275 pr_info("cannot load conntrack support for proto=%u\n", 275 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
276 par->family); 276 par->family);
277 return ret; 277 return ret;
278} 278}
279 279
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 236ac8008909..a4c2b862f820 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -46,10 +46,8 @@ static int dscp_mt_check(const struct xt_mtchk_param *par)
46{ 46{
47 const struct xt_dscp_info *info = par->matchinfo; 47 const struct xt_dscp_info *info = par->matchinfo;
48 48
49 if (info->dscp > XT_DSCP_MAX) { 49 if (info->dscp > XT_DSCP_MAX)
50 pr_info("dscp %x out of range\n", info->dscp);
51 return -EDOM; 50 return -EDOM;
52 }
53 51
54 return 0; 52 return 0;
55} 53}
diff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c
index 3c831a8efebc..c7ad4afa5fb8 100644
--- a/net/netfilter/xt_ecn.c
+++ b/net/netfilter/xt_ecn.c
@@ -97,7 +97,7 @@ static int ecn_mt_check4(const struct xt_mtchk_param *par)
97 97
98 if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) && 98 if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
99 (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) { 99 (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
100 pr_info("cannot match TCP bits in rule for non-tcp packets\n"); 100 pr_info_ratelimited("cannot match TCP bits for non-tcp packets\n");
101 return -EINVAL; 101 return -EINVAL;
102 } 102 }
103 103
@@ -139,7 +139,7 @@ static int ecn_mt_check6(const struct xt_mtchk_param *par)
139 139
140 if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) && 140 if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
141 (ip->proto != IPPROTO_TCP || ip->invflags & IP6T_INV_PROTO)) { 141 (ip->proto != IPPROTO_TCP || ip->invflags & IP6T_INV_PROTO)) {
142 pr_info("cannot match TCP bits in rule for non-tcp packets\n"); 142 pr_info_ratelimited("cannot match TCP bits for non-tcp packets\n");
143 return -EINVAL; 143 return -EINVAL;
144 } 144 }
145 145
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index ca6847403ca2..66f5aca62a08 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -523,7 +523,8 @@ static u64 user2rate(u64 user)
523 if (user != 0) { 523 if (user != 0) {
524 return div64_u64(XT_HASHLIMIT_SCALE_v2, user); 524 return div64_u64(XT_HASHLIMIT_SCALE_v2, user);
525 } else { 525 } else {
526 pr_warn("invalid rate from userspace: %llu\n", user); 526 pr_info_ratelimited("invalid rate from userspace: %llu\n",
527 user);
527 return 0; 528 return 0;
528 } 529 }
529} 530}
@@ -774,7 +775,7 @@ hashlimit_mt_common(const struct sk_buff *skb, struct xt_action_param *par,
774 if (!dh->rateinfo.prev_window && 775 if (!dh->rateinfo.prev_window &&
775 (dh->rateinfo.current_rate <= dh->rateinfo.burst)) { 776 (dh->rateinfo.current_rate <= dh->rateinfo.burst)) {
776 spin_unlock(&dh->lock); 777 spin_unlock(&dh->lock);
777 rcu_read_unlock_bh(); 778 local_bh_enable();
778 return !(cfg->mode & XT_HASHLIMIT_INVERT); 779 return !(cfg->mode & XT_HASHLIMIT_INVERT);
779 } else { 780 } else {
780 goto overlimit; 781 goto overlimit;
@@ -865,33 +866,34 @@ static int hashlimit_mt_check_common(const struct xt_mtchk_param *par,
865 } 866 }
866 867
867 if (cfg->mode & ~XT_HASHLIMIT_ALL) { 868 if (cfg->mode & ~XT_HASHLIMIT_ALL) {
868 pr_info("Unknown mode mask %X, kernel too old?\n", 869 pr_info_ratelimited("Unknown mode mask %X, kernel too old?\n",
869 cfg->mode); 870 cfg->mode);
870 return -EINVAL; 871 return -EINVAL;
871 } 872 }
872 873
873 /* Check for overflow. */ 874 /* Check for overflow. */
874 if (revision >= 3 && cfg->mode & XT_HASHLIMIT_RATE_MATCH) { 875 if (revision >= 3 && cfg->mode & XT_HASHLIMIT_RATE_MATCH) {
875 if (cfg->avg == 0 || cfg->avg > U32_MAX) { 876 if (cfg->avg == 0 || cfg->avg > U32_MAX) {
876 pr_info("hashlimit invalid rate\n"); 877 pr_info_ratelimited("invalid rate\n");
877 return -ERANGE; 878 return -ERANGE;
878 } 879 }
879 880
880 if (cfg->interval == 0) { 881 if (cfg->interval == 0) {
881 pr_info("hashlimit invalid interval\n"); 882 pr_info_ratelimited("invalid interval\n");
882 return -EINVAL; 883 return -EINVAL;
883 } 884 }
884 } else if (cfg->mode & XT_HASHLIMIT_BYTES) { 885 } else if (cfg->mode & XT_HASHLIMIT_BYTES) {
885 if (user2credits_byte(cfg->avg) == 0) { 886 if (user2credits_byte(cfg->avg) == 0) {
886 pr_info("overflow, rate too high: %llu\n", cfg->avg); 887 pr_info_ratelimited("overflow, rate too high: %llu\n",
888 cfg->avg);
887 return -EINVAL; 889 return -EINVAL;
888 } 890 }
889 } else if (cfg->burst == 0 || 891 } else if (cfg->burst == 0 ||
890 user2credits(cfg->avg * cfg->burst, revision) < 892 user2credits(cfg->avg * cfg->burst, revision) <
891 user2credits(cfg->avg, revision)) { 893 user2credits(cfg->avg, revision)) {
892 pr_info("overflow, try lower: %llu/%llu\n", 894 pr_info_ratelimited("overflow, try lower: %llu/%llu\n",
893 cfg->avg, cfg->burst); 895 cfg->avg, cfg->burst);
894 return -ERANGE; 896 return -ERANGE;
895 } 897 }
896 898
897 mutex_lock(&hashlimit_mutex); 899 mutex_lock(&hashlimit_mutex);
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 38a78151c0e9..fd077aeaaed9 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -61,8 +61,8 @@ static int helper_mt_check(const struct xt_mtchk_param *par)
61 61
62 ret = nf_ct_netns_get(par->net, par->family); 62 ret = nf_ct_netns_get(par->net, par->family);
63 if (ret < 0) { 63 if (ret < 0) {
64 pr_info("cannot load conntrack support for proto=%u\n", 64 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
65 par->family); 65 par->family);
66 return ret; 66 return ret;
67 } 67 }
68 info->name[sizeof(info->name) - 1] = '\0'; 68 info->name[sizeof(info->name) - 1] = '\0';
diff --git a/net/netfilter/xt_ipcomp.c b/net/netfilter/xt_ipcomp.c
index 7ca64a50db04..57f1df575701 100644
--- a/net/netfilter/xt_ipcomp.c
+++ b/net/netfilter/xt_ipcomp.c
@@ -72,7 +72,7 @@ static int comp_mt_check(const struct xt_mtchk_param *par)
72 72
73 /* Must specify no unknown invflags */ 73 /* Must specify no unknown invflags */
74 if (compinfo->invflags & ~XT_IPCOMP_INV_MASK) { 74 if (compinfo->invflags & ~XT_IPCOMP_INV_MASK) {
75 pr_err("unknown flags %X\n", compinfo->invflags); 75 pr_info_ratelimited("unknown flags %X\n", compinfo->invflags);
76 return -EINVAL; 76 return -EINVAL;
77 } 77 }
78 return 0; 78 return 0;
diff --git a/net/netfilter/xt_ipvs.c b/net/netfilter/xt_ipvs.c
index 42540d26c2b8..1d950a6100af 100644
--- a/net/netfilter/xt_ipvs.c
+++ b/net/netfilter/xt_ipvs.c
@@ -158,7 +158,8 @@ static int ipvs_mt_check(const struct xt_mtchk_param *par)
158 && par->family != NFPROTO_IPV6 158 && par->family != NFPROTO_IPV6
159#endif 159#endif
160 ) { 160 ) {
161 pr_info("protocol family %u not supported\n", par->family); 161 pr_info_ratelimited("protocol family %u not supported\n",
162 par->family);
162 return -EINVAL; 163 return -EINVAL;
163 } 164 }
164 165
diff --git a/net/netfilter/xt_l2tp.c b/net/netfilter/xt_l2tp.c
index 8aee572771f2..c43482bf48e6 100644
--- a/net/netfilter/xt_l2tp.c
+++ b/net/netfilter/xt_l2tp.c
@@ -216,7 +216,7 @@ static int l2tp_mt_check(const struct xt_mtchk_param *par)
216 /* Check for invalid flags */ 216 /* Check for invalid flags */
217 if (info->flags & ~(XT_L2TP_TID | XT_L2TP_SID | XT_L2TP_VERSION | 217 if (info->flags & ~(XT_L2TP_TID | XT_L2TP_SID | XT_L2TP_VERSION |
218 XT_L2TP_TYPE)) { 218 XT_L2TP_TYPE)) {
219 pr_info("unknown flags: %x\n", info->flags); 219 pr_info_ratelimited("unknown flags: %x\n", info->flags);
220 return -EINVAL; 220 return -EINVAL;
221 } 221 }
222 222
@@ -225,7 +225,8 @@ static int l2tp_mt_check(const struct xt_mtchk_param *par)
225 (!(info->flags & XT_L2TP_SID)) && 225 (!(info->flags & XT_L2TP_SID)) &&
226 ((!(info->flags & XT_L2TP_TYPE)) || 226 ((!(info->flags & XT_L2TP_TYPE)) ||
227 (info->type != XT_L2TP_TYPE_CONTROL))) { 227 (info->type != XT_L2TP_TYPE_CONTROL))) {
228 pr_info("invalid flags combination: %x\n", info->flags); 228 pr_info_ratelimited("invalid flags combination: %x\n",
229 info->flags);
229 return -EINVAL; 230 return -EINVAL;
230 } 231 }
231 232
@@ -234,19 +235,22 @@ static int l2tp_mt_check(const struct xt_mtchk_param *par)
234 */ 235 */
235 if (info->flags & XT_L2TP_VERSION) { 236 if (info->flags & XT_L2TP_VERSION) {
236 if ((info->version < 2) || (info->version > 3)) { 237 if ((info->version < 2) || (info->version > 3)) {
237 pr_info("wrong L2TP version: %u\n", info->version); 238 pr_info_ratelimited("wrong L2TP version: %u\n",
239 info->version);
238 return -EINVAL; 240 return -EINVAL;
239 } 241 }
240 242
241 if (info->version == 2) { 243 if (info->version == 2) {
242 if ((info->flags & XT_L2TP_TID) && 244 if ((info->flags & XT_L2TP_TID) &&
243 (info->tid > 0xffff)) { 245 (info->tid > 0xffff)) {
244 pr_info("v2 tid > 0xffff: %u\n", info->tid); 246 pr_info_ratelimited("v2 tid > 0xffff: %u\n",
247 info->tid);
245 return -EINVAL; 248 return -EINVAL;
246 } 249 }
247 if ((info->flags & XT_L2TP_SID) && 250 if ((info->flags & XT_L2TP_SID) &&
248 (info->sid > 0xffff)) { 251 (info->sid > 0xffff)) {
249 pr_info("v2 sid > 0xffff: %u\n", info->sid); 252 pr_info_ratelimited("v2 sid > 0xffff: %u\n",
253 info->sid);
250 return -EINVAL; 254 return -EINVAL;
251 } 255 }
252 } 256 }
@@ -268,13 +272,13 @@ static int l2tp_mt_check4(const struct xt_mtchk_param *par)
268 272
269 if ((ip->proto != IPPROTO_UDP) && 273 if ((ip->proto != IPPROTO_UDP) &&
270 (ip->proto != IPPROTO_L2TP)) { 274 (ip->proto != IPPROTO_L2TP)) {
271 pr_info("missing protocol rule (udp|l2tpip)\n"); 275 pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n");
272 return -EINVAL; 276 return -EINVAL;
273 } 277 }
274 278
275 if ((ip->proto == IPPROTO_L2TP) && 279 if ((ip->proto == IPPROTO_L2TP) &&
276 (info->version == 2)) { 280 (info->version == 2)) {
277 pr_info("v2 doesn't support IP mode\n"); 281 pr_info_ratelimited("v2 doesn't support IP mode\n");
278 return -EINVAL; 282 return -EINVAL;
279 } 283 }
280 284
@@ -295,13 +299,13 @@ static int l2tp_mt_check6(const struct xt_mtchk_param *par)
295 299
296 if ((ip->proto != IPPROTO_UDP) && 300 if ((ip->proto != IPPROTO_UDP) &&
297 (ip->proto != IPPROTO_L2TP)) { 301 (ip->proto != IPPROTO_L2TP)) {
298 pr_info("missing protocol rule (udp|l2tpip)\n"); 302 pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n");
299 return -EINVAL; 303 return -EINVAL;
300 } 304 }
301 305
302 if ((ip->proto == IPPROTO_L2TP) && 306 if ((ip->proto == IPPROTO_L2TP) &&
303 (info->version == 2)) { 307 (info->version == 2)) {
304 pr_info("v2 doesn't support IP mode\n"); 308 pr_info_ratelimited("v2 doesn't support IP mode\n");
305 return -EINVAL; 309 return -EINVAL;
306 } 310 }
307 311
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 61403b77361c..55d18cd67635 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -106,8 +106,8 @@ static int limit_mt_check(const struct xt_mtchk_param *par)
106 /* Check for overflow. */ 106 /* Check for overflow. */
107 if (r->burst == 0 107 if (r->burst == 0
108 || user2credits(r->avg * r->burst) < user2credits(r->avg)) { 108 || user2credits(r->avg * r->burst) < user2credits(r->avg)) {
109 pr_info("Overflow, try lower: %u/%u\n", 109 pr_info_ratelimited("Overflow, try lower: %u/%u\n",
110 r->avg, r->burst); 110 r->avg, r->burst);
111 return -ERANGE; 111 return -ERANGE;
112 } 112 }
113 113
diff --git a/net/netfilter/xt_nat.c b/net/netfilter/xt_nat.c
index 0fd14d1eb09d..bdb689cdc829 100644
--- a/net/netfilter/xt_nat.c
+++ b/net/netfilter/xt_nat.c
@@ -8,6 +8,8 @@
8 * published by the Free Software Foundation. 8 * published by the Free Software Foundation.
9 */ 9 */
10 10
11#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12
11#include <linux/module.h> 13#include <linux/module.h>
12#include <linux/skbuff.h> 14#include <linux/skbuff.h>
13#include <linux/netfilter.h> 15#include <linux/netfilter.h>
@@ -19,8 +21,7 @@ static int xt_nat_checkentry_v0(const struct xt_tgchk_param *par)
19 const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; 21 const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
20 22
21 if (mr->rangesize != 1) { 23 if (mr->rangesize != 1) {
22 pr_info("%s: multiple ranges no longer supported\n", 24 pr_info_ratelimited("multiple ranges no longer supported\n");
23 par->target->name);
24 return -EINVAL; 25 return -EINVAL;
25 } 26 }
26 return nf_ct_netns_get(par->net, par->family); 27 return nf_ct_netns_get(par->net, par->family);
diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c
index 6f92d25590a8..c8674deed4eb 100644
--- a/net/netfilter/xt_nfacct.c
+++ b/net/netfilter/xt_nfacct.c
@@ -6,6 +6,8 @@
6 * it under the terms of the GNU General Public License version 2 (or any 6 * it under the terms of the GNU General Public License version 2 (or any
7 * later at your option) as published by the Free Software Foundation. 7 * later at your option) as published by the Free Software Foundation.
8 */ 8 */
9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
9#include <linux/module.h> 11#include <linux/module.h>
10#include <linux/skbuff.h> 12#include <linux/skbuff.h>
11 13
@@ -39,8 +41,8 @@ nfacct_mt_checkentry(const struct xt_mtchk_param *par)
39 41
40 nfacct = nfnl_acct_find_get(par->net, info->name); 42 nfacct = nfnl_acct_find_get(par->net, info->name);
41 if (nfacct == NULL) { 43 if (nfacct == NULL) {
42 pr_info("xt_nfacct: accounting object with name `%s' " 44 pr_info_ratelimited("accounting object `%s' does not exists\n",
43 "does not exists\n", info->name); 45 info->name);
44 return -ENOENT; 46 return -ENOENT;
45 } 47 }
46 info->nfacct = nfacct; 48 info->nfacct = nfacct;
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index bb33598e4530..9d6d67b953ac 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -107,9 +107,7 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
107 info->invert & XT_PHYSDEV_OP_BRIDGED) && 107 info->invert & XT_PHYSDEV_OP_BRIDGED) &&
108 par->hook_mask & ((1 << NF_INET_LOCAL_OUT) | 108 par->hook_mask & ((1 << NF_INET_LOCAL_OUT) |
109 (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) { 109 (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) {
110 pr_info("using --physdev-out and --physdev-is-out are only " 110 pr_info_ratelimited("--physdev-out and --physdev-is-out only supported in the FORWARD and POSTROUTING chains with bridged traffic\n");
111 "supported in the FORWARD and POSTROUTING chains with "
112 "bridged traffic.\n");
113 if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) 111 if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
114 return -EINVAL; 112 return -EINVAL;
115 } 113 }
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 5639fb03bdd9..13f8ccf946d6 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -132,26 +132,29 @@ policy_mt(const struct sk_buff *skb, struct xt_action_param *par)
132static int policy_mt_check(const struct xt_mtchk_param *par) 132static int policy_mt_check(const struct xt_mtchk_param *par)
133{ 133{
134 const struct xt_policy_info *info = par->matchinfo; 134 const struct xt_policy_info *info = par->matchinfo;
135 const char *errmsg = "neither incoming nor outgoing policy selected";
136
137 if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT)))
138 goto err;
135 139
136 if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
137 pr_info("neither incoming nor outgoing policy selected\n");
138 return -EINVAL;
139 }
140 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) | 140 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
141 (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) { 141 (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) {
142 pr_info("output policy not valid in PREROUTING and INPUT\n"); 142 errmsg = "output policy not valid in PREROUTING and INPUT";
143 return -EINVAL; 143 goto err;
144 } 144 }
145 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) | 145 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
146 (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) { 146 (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) {
147 pr_info("input policy not valid in POSTROUTING and OUTPUT\n"); 147 errmsg = "input policy not valid in POSTROUTING and OUTPUT";
148 return -EINVAL; 148 goto err;
149 } 149 }
150 if (info->len > XT_POLICY_MAX_ELEM) { 150 if (info->len > XT_POLICY_MAX_ELEM) {
151 pr_info("too many policy elements\n"); 151 errmsg = "too many policy elements";
152 return -EINVAL; 152 goto err;
153 } 153 }
154 return 0; 154 return 0;
155err:
156 pr_info_ratelimited("%s\n", errmsg);
157 return -EINVAL;
155} 158}
156 159
157static struct xt_match policy_mt_reg[] __read_mostly = { 160static struct xt_match policy_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 245fa350a7a8..6d232d18faff 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -342,8 +342,8 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
342 net_get_random_once(&hash_rnd, sizeof(hash_rnd)); 342 net_get_random_once(&hash_rnd, sizeof(hash_rnd));
343 343
344 if (info->check_set & ~XT_RECENT_VALID_FLAGS) { 344 if (info->check_set & ~XT_RECENT_VALID_FLAGS) {
345 pr_info("Unsupported user space flags (%08x)\n", 345 pr_info_ratelimited("Unsupported userspace flags (%08x)\n",
346 info->check_set); 346 info->check_set);
347 return -EINVAL; 347 return -EINVAL;
348 } 348 }
349 if (hweight8(info->check_set & 349 if (hweight8(info->check_set &
@@ -357,8 +357,8 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
357 if ((info->check_set & XT_RECENT_REAP) && !info->seconds) 357 if ((info->check_set & XT_RECENT_REAP) && !info->seconds)
358 return -EINVAL; 358 return -EINVAL;
359 if (info->hit_count >= XT_RECENT_MAX_NSTAMPS) { 359 if (info->hit_count >= XT_RECENT_MAX_NSTAMPS) {
360 pr_info("hitcount (%u) is larger than allowed maximum (%u)\n", 360 pr_info_ratelimited("hitcount (%u) is larger than allowed maximum (%u)\n",
361 info->hit_count, XT_RECENT_MAX_NSTAMPS - 1); 361 info->hit_count, XT_RECENT_MAX_NSTAMPS - 1);
362 return -EINVAL; 362 return -EINVAL;
363 } 363 }
364 if (info->name[0] == '\0' || 364 if (info->name[0] == '\0' ||
@@ -587,7 +587,7 @@ recent_mt_proc_write(struct file *file, const char __user *input,
587 add = true; 587 add = true;
588 break; 588 break;
589 default: 589 default:
590 pr_info("Need \"+ip\", \"-ip\" or \"/\"\n"); 590 pr_info_ratelimited("Need \"+ip\", \"-ip\" or \"/\"\n");
591 return -EINVAL; 591 return -EINVAL;
592 } 592 }
593 593
@@ -601,10 +601,8 @@ recent_mt_proc_write(struct file *file, const char __user *input,
601 succ = in4_pton(c, size, (void *)&addr, '\n', NULL); 601 succ = in4_pton(c, size, (void *)&addr, '\n', NULL);
602 } 602 }
603 603
604 if (!succ) { 604 if (!succ)
605 pr_info("illegal address written to procfs\n");
606 return -EINVAL; 605 return -EINVAL;
607 }
608 606
609 spin_lock_bh(&recent_lock); 607 spin_lock_bh(&recent_lock);
610 e = recent_entry_lookup(t, &addr, family, 0); 608 e = recent_entry_lookup(t, &addr, family, 0);
diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 16b6b11ee83f..6f4c5217d835 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -92,12 +92,12 @@ set_match_v0_checkentry(const struct xt_mtchk_param *par)
92 index = ip_set_nfnl_get_byindex(par->net, info->match_set.index); 92 index = ip_set_nfnl_get_byindex(par->net, info->match_set.index);
93 93
94 if (index == IPSET_INVALID_ID) { 94 if (index == IPSET_INVALID_ID) {
95 pr_warn("Cannot find set identified by id %u to match\n", 95 pr_info_ratelimited("Cannot find set identified by id %u to match\n",
96 info->match_set.index); 96 info->match_set.index);
97 return -ENOENT; 97 return -ENOENT;
98 } 98 }
99 if (info->match_set.u.flags[IPSET_DIM_MAX - 1] != 0) { 99 if (info->match_set.u.flags[IPSET_DIM_MAX - 1] != 0) {
100 pr_warn("Protocol error: set match dimension is over the limit!\n"); 100 pr_info_ratelimited("set match dimension is over the limit!\n");
101 ip_set_nfnl_put(par->net, info->match_set.index); 101 ip_set_nfnl_put(par->net, info->match_set.index);
102 return -ERANGE; 102 return -ERANGE;
103 } 103 }
@@ -143,12 +143,12 @@ set_match_v1_checkentry(const struct xt_mtchk_param *par)
143 index = ip_set_nfnl_get_byindex(par->net, info->match_set.index); 143 index = ip_set_nfnl_get_byindex(par->net, info->match_set.index);
144 144
145 if (index == IPSET_INVALID_ID) { 145 if (index == IPSET_INVALID_ID) {
146 pr_warn("Cannot find set identified by id %u to match\n", 146 pr_info_ratelimited("Cannot find set identified by id %u to match\n",
147 info->match_set.index); 147 info->match_set.index);
148 return -ENOENT; 148 return -ENOENT;
149 } 149 }
150 if (info->match_set.dim > IPSET_DIM_MAX) { 150 if (info->match_set.dim > IPSET_DIM_MAX) {
151 pr_warn("Protocol error: set match dimension is over the limit!\n"); 151 pr_info_ratelimited("set match dimension is over the limit!\n");
152 ip_set_nfnl_put(par->net, info->match_set.index); 152 ip_set_nfnl_put(par->net, info->match_set.index);
153 return -ERANGE; 153 return -ERANGE;
154 } 154 }
@@ -241,8 +241,8 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
241 if (info->add_set.index != IPSET_INVALID_ID) { 241 if (info->add_set.index != IPSET_INVALID_ID) {
242 index = ip_set_nfnl_get_byindex(par->net, info->add_set.index); 242 index = ip_set_nfnl_get_byindex(par->net, info->add_set.index);
243 if (index == IPSET_INVALID_ID) { 243 if (index == IPSET_INVALID_ID) {
244 pr_warn("Cannot find add_set index %u as target\n", 244 pr_info_ratelimited("Cannot find add_set index %u as target\n",
245 info->add_set.index); 245 info->add_set.index);
246 return -ENOENT; 246 return -ENOENT;
247 } 247 }
248 } 248 }
@@ -250,8 +250,8 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
250 if (info->del_set.index != IPSET_INVALID_ID) { 250 if (info->del_set.index != IPSET_INVALID_ID) {
251 index = ip_set_nfnl_get_byindex(par->net, info->del_set.index); 251 index = ip_set_nfnl_get_byindex(par->net, info->del_set.index);
252 if (index == IPSET_INVALID_ID) { 252 if (index == IPSET_INVALID_ID) {
253 pr_warn("Cannot find del_set index %u as target\n", 253 pr_info_ratelimited("Cannot find del_set index %u as target\n",
254 info->del_set.index); 254 info->del_set.index);
255 if (info->add_set.index != IPSET_INVALID_ID) 255 if (info->add_set.index != IPSET_INVALID_ID)
256 ip_set_nfnl_put(par->net, info->add_set.index); 256 ip_set_nfnl_put(par->net, info->add_set.index);
257 return -ENOENT; 257 return -ENOENT;
@@ -259,7 +259,7 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
259 } 259 }
260 if (info->add_set.u.flags[IPSET_DIM_MAX - 1] != 0 || 260 if (info->add_set.u.flags[IPSET_DIM_MAX - 1] != 0 ||
261 info->del_set.u.flags[IPSET_DIM_MAX - 1] != 0) { 261 info->del_set.u.flags[IPSET_DIM_MAX - 1] != 0) {
262 pr_warn("Protocol error: SET target dimension is over the limit!\n"); 262 pr_info_ratelimited("SET target dimension over the limit!\n");
263 if (info->add_set.index != IPSET_INVALID_ID) 263 if (info->add_set.index != IPSET_INVALID_ID)
264 ip_set_nfnl_put(par->net, info->add_set.index); 264 ip_set_nfnl_put(par->net, info->add_set.index);
265 if (info->del_set.index != IPSET_INVALID_ID) 265 if (info->del_set.index != IPSET_INVALID_ID)
@@ -316,8 +316,8 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par)
316 if (info->add_set.index != IPSET_INVALID_ID) { 316 if (info->add_set.index != IPSET_INVALID_ID) {
317 index = ip_set_nfnl_get_byindex(par->net, info->add_set.index); 317 index = ip_set_nfnl_get_byindex(par->net, info->add_set.index);
318 if (index == IPSET_INVALID_ID) { 318 if (index == IPSET_INVALID_ID) {
319 pr_warn("Cannot find add_set index %u as target\n", 319 pr_info_ratelimited("Cannot find add_set index %u as target\n",
320 info->add_set.index); 320 info->add_set.index);
321 return -ENOENT; 321 return -ENOENT;
322 } 322 }
323 } 323 }
@@ -325,8 +325,8 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par)
325 if (info->del_set.index != IPSET_INVALID_ID) { 325 if (info->del_set.index != IPSET_INVALID_ID) {
326 index = ip_set_nfnl_get_byindex(par->net, info->del_set.index); 326 index = ip_set_nfnl_get_byindex(par->net, info->del_set.index);
327 if (index == IPSET_INVALID_ID) { 327 if (index == IPSET_INVALID_ID) {
328 pr_warn("Cannot find del_set index %u as target\n", 328 pr_info_ratelimited("Cannot find del_set index %u as target\n",
329 info->del_set.index); 329 info->del_set.index);
330 if (info->add_set.index != IPSET_INVALID_ID) 330 if (info->add_set.index != IPSET_INVALID_ID)
331 ip_set_nfnl_put(par->net, info->add_set.index); 331 ip_set_nfnl_put(par->net, info->add_set.index);
332 return -ENOENT; 332 return -ENOENT;
@@ -334,7 +334,7 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par)
334 } 334 }
335 if (info->add_set.dim > IPSET_DIM_MAX || 335 if (info->add_set.dim > IPSET_DIM_MAX ||
336 info->del_set.dim > IPSET_DIM_MAX) { 336 info->del_set.dim > IPSET_DIM_MAX) {
337 pr_warn("Protocol error: SET target dimension is over the limit!\n"); 337 pr_info_ratelimited("SET target dimension over the limit!\n");
338 if (info->add_set.index != IPSET_INVALID_ID) 338 if (info->add_set.index != IPSET_INVALID_ID)
339 ip_set_nfnl_put(par->net, info->add_set.index); 339 ip_set_nfnl_put(par->net, info->add_set.index);
340 if (info->del_set.index != IPSET_INVALID_ID) 340 if (info->del_set.index != IPSET_INVALID_ID)
@@ -444,8 +444,8 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par)
444 index = ip_set_nfnl_get_byindex(par->net, 444 index = ip_set_nfnl_get_byindex(par->net,
445 info->add_set.index); 445 info->add_set.index);
446 if (index == IPSET_INVALID_ID) { 446 if (index == IPSET_INVALID_ID) {
447 pr_warn("Cannot find add_set index %u as target\n", 447 pr_info_ratelimited("Cannot find add_set index %u as target\n",
448 info->add_set.index); 448 info->add_set.index);
449 return -ENOENT; 449 return -ENOENT;
450 } 450 }
451 } 451 }
@@ -454,8 +454,8 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par)
454 index = ip_set_nfnl_get_byindex(par->net, 454 index = ip_set_nfnl_get_byindex(par->net,
455 info->del_set.index); 455 info->del_set.index);
456 if (index == IPSET_INVALID_ID) { 456 if (index == IPSET_INVALID_ID) {
457 pr_warn("Cannot find del_set index %u as target\n", 457 pr_info_ratelimited("Cannot find del_set index %u as target\n",
458 info->del_set.index); 458 info->del_set.index);
459 if (info->add_set.index != IPSET_INVALID_ID) 459 if (info->add_set.index != IPSET_INVALID_ID)
460 ip_set_nfnl_put(par->net, 460 ip_set_nfnl_put(par->net,
461 info->add_set.index); 461 info->add_set.index);
@@ -465,7 +465,7 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par)
465 465
466 if (info->map_set.index != IPSET_INVALID_ID) { 466 if (info->map_set.index != IPSET_INVALID_ID) {
467 if (strncmp(par->table, "mangle", 7)) { 467 if (strncmp(par->table, "mangle", 7)) {
468 pr_warn("--map-set only usable from mangle table\n"); 468 pr_info_ratelimited("--map-set only usable from mangle table\n");
469 return -EINVAL; 469 return -EINVAL;
470 } 470 }
471 if (((info->flags & IPSET_FLAG_MAP_SKBPRIO) | 471 if (((info->flags & IPSET_FLAG_MAP_SKBPRIO) |
@@ -473,14 +473,14 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par)
473 !(par->hook_mask & (1 << NF_INET_FORWARD | 473 !(par->hook_mask & (1 << NF_INET_FORWARD |
474 1 << NF_INET_LOCAL_OUT | 474 1 << NF_INET_LOCAL_OUT |
475 1 << NF_INET_POST_ROUTING))) { 475 1 << NF_INET_POST_ROUTING))) {
476 pr_warn("mapping of prio or/and queue is allowed only from OUTPUT/FORWARD/POSTROUTING chains\n"); 476 pr_info_ratelimited("mapping of prio or/and queue is allowed only from OUTPUT/FORWARD/POSTROUTING chains\n");
477 return -EINVAL; 477 return -EINVAL;
478 } 478 }
479 index = ip_set_nfnl_get_byindex(par->net, 479 index = ip_set_nfnl_get_byindex(par->net,
480 info->map_set.index); 480 info->map_set.index);
481 if (index == IPSET_INVALID_ID) { 481 if (index == IPSET_INVALID_ID) {
482 pr_warn("Cannot find map_set index %u as target\n", 482 pr_info_ratelimited("Cannot find map_set index %u as target\n",
483 info->map_set.index); 483 info->map_set.index);
484 if (info->add_set.index != IPSET_INVALID_ID) 484 if (info->add_set.index != IPSET_INVALID_ID)
485 ip_set_nfnl_put(par->net, 485 ip_set_nfnl_put(par->net,
486 info->add_set.index); 486 info->add_set.index);
@@ -494,7 +494,7 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par)
494 if (info->add_set.dim > IPSET_DIM_MAX || 494 if (info->add_set.dim > IPSET_DIM_MAX ||
495 info->del_set.dim > IPSET_DIM_MAX || 495 info->del_set.dim > IPSET_DIM_MAX ||
496 info->map_set.dim > IPSET_DIM_MAX) { 496 info->map_set.dim > IPSET_DIM_MAX) {
497 pr_warn("Protocol error: SET target dimension is over the limit!\n"); 497 pr_info_ratelimited("SET target dimension over the limit!\n");
498 if (info->add_set.index != IPSET_INVALID_ID) 498 if (info->add_set.index != IPSET_INVALID_ID)
499 ip_set_nfnl_put(par->net, info->add_set.index); 499 ip_set_nfnl_put(par->net, info->add_set.index);
500 if (info->del_set.index != IPSET_INVALID_ID) 500 if (info->del_set.index != IPSET_INVALID_ID)
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 575d2153e3b8..2ac7f674d19b 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -171,7 +171,8 @@ static int socket_mt_v1_check(const struct xt_mtchk_param *par)
171 return err; 171 return err;
172 172
173 if (info->flags & ~XT_SOCKET_FLAGS_V1) { 173 if (info->flags & ~XT_SOCKET_FLAGS_V1) {
174 pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V1); 174 pr_info_ratelimited("unknown flags 0x%x\n",
175 info->flags & ~XT_SOCKET_FLAGS_V1);
175 return -EINVAL; 176 return -EINVAL;
176 } 177 }
177 return 0; 178 return 0;
@@ -187,7 +188,8 @@ static int socket_mt_v2_check(const struct xt_mtchk_param *par)
187 return err; 188 return err;
188 189
189 if (info->flags & ~XT_SOCKET_FLAGS_V2) { 190 if (info->flags & ~XT_SOCKET_FLAGS_V2) {
190 pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V2); 191 pr_info_ratelimited("unknown flags 0x%x\n",
192 info->flags & ~XT_SOCKET_FLAGS_V2);
191 return -EINVAL; 193 return -EINVAL;
192 } 194 }
193 return 0; 195 return 0;
@@ -203,8 +205,8 @@ static int socket_mt_v3_check(const struct xt_mtchk_param *par)
203 if (err) 205 if (err)
204 return err; 206 return err;
205 if (info->flags & ~XT_SOCKET_FLAGS_V3) { 207 if (info->flags & ~XT_SOCKET_FLAGS_V3) {
206 pr_info("unknown flags 0x%x\n", 208 pr_info_ratelimited("unknown flags 0x%x\n",
207 info->flags & ~XT_SOCKET_FLAGS_V3); 209 info->flags & ~XT_SOCKET_FLAGS_V3);
208 return -EINVAL; 210 return -EINVAL;
209 } 211 }
210 return 0; 212 return 0;
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 5fbd79194d21..0b41c0befe3c 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -44,8 +44,8 @@ static int state_mt_check(const struct xt_mtchk_param *par)
44 44
45 ret = nf_ct_netns_get(par->net, par->family); 45 ret = nf_ct_netns_get(par->net, par->family);
46 if (ret < 0) 46 if (ret < 0)
47 pr_info("cannot load conntrack support for proto=%u\n", 47 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
48 par->family); 48 par->family);
49 return ret; 49 return ret;
50} 50}
51 51
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 1b01eec1fbda..0160f505e337 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -235,13 +235,13 @@ static int time_mt_check(const struct xt_mtchk_param *par)
235 235
236 if (info->daytime_start > XT_TIME_MAX_DAYTIME || 236 if (info->daytime_start > XT_TIME_MAX_DAYTIME ||
237 info->daytime_stop > XT_TIME_MAX_DAYTIME) { 237 info->daytime_stop > XT_TIME_MAX_DAYTIME) {
238 pr_info("invalid argument - start or " 238 pr_info_ratelimited("invalid argument - start or stop time greater than 23:59:59\n");
239 "stop time greater than 23:59:59\n");
240 return -EDOM; 239 return -EDOM;
241 } 240 }
242 241
243 if (info->flags & ~XT_TIME_ALL_FLAGS) { 242 if (info->flags & ~XT_TIME_ALL_FLAGS) {
244 pr_info("unknown flags 0x%x\n", info->flags & ~XT_TIME_ALL_FLAGS); 243 pr_info_ratelimited("unknown flags 0x%x\n",
244 info->flags & ~XT_TIME_ALL_FLAGS);
245 return -EINVAL; 245 return -EINVAL;
246 } 246 }
247 247
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-24 12:36:28 -0400