authorFlorian Westphal <fw@strlen.de>2018-02-09 09:52:07 -0500
committerPablo Neira Ayuso <pablo@netfilter.org>2018-02-14 15:05:38 -0500
commitb26066447bb8599b393b2dd2bbeb68767e09ba07 (patch)
tree1f48acc4a27a21291342c4a12df60f2d1bceaae2
parentc08e5e1ee6d65917af2bb12c2c568d637a682c44 (diff)
netfilter: x_tables: use pr ratelimiting in all remaining spots
Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--net/ipv4/netfilter/ipt_ECN.c2
-rw-r--r--net/ipv4/netfilter/ipt_REJECT.c4
-rw-r--r--net/ipv4/netfilter/ipt_rpfilter.c2
-rw-r--r--net/ipv6/netfilter/ip6t_REJECT.c4
-rw-r--r--net/ipv6/netfilter/ip6t_rpfilter.c2
-rw-r--r--net/ipv6/netfilter/ip6t_srh.c6
-rw-r--r--net/netfilter/xt_AUDIT.c4
-rw-r--r--net/netfilter/xt_CHECKSUM.c3
-rw-r--r--net/netfilter/xt_CONNSECMARK.c6
-rw-r--r--net/netfilter/xt_LED.c2
-rw-r--r--net/netfilter/xt_SECMARK.c14
-rw-r--r--net/netfilter/xt_TCPMSS.c10
-rw-r--r--net/netfilter/xt_TPROXY.c6
-rw-r--r--net/netfilter/xt_bpf.c4
-rw-r--r--net/netfilter/xt_cgroup.c8
-rw-r--r--net/netfilter/xt_cluster.c8
-rw-r--r--net/netfilter/xt_connbytes.c4
-rw-r--r--net/netfilter/xt_connlabel.c7
-rw-r--r--net/netfilter/xt_connmark.c8
-rw-r--r--net/netfilter/xt_conntrack.c4
-rw-r--r--net/netfilter/xt_ecn.c4
-rw-r--r--net/netfilter/xt_hashlimit.c24
-rw-r--r--net/netfilter/xt_helper.c4
-rw-r--r--net/netfilter/xt_ipcomp.c2
-rw-r--r--net/netfilter/xt_ipvs.c3
-rw-r--r--net/netfilter/xt_l2tp.c22
-rw-r--r--net/netfilter/xt_limit.c4
-rw-r--r--net/netfilter/xt_nat.c5
-rw-r--r--net/netfilter/xt_nfacct.c6
-rw-r--r--net/netfilter/xt_physdev.c4
-rw-r--r--net/netfilter/xt_recent.c14
-rw-r--r--net/netfilter/xt_socket.c10
-rw-r--r--net/netfilter/xt_state.c4
-rw-r--r--net/netfilter/xt_time.c6
34 files changed, 116 insertions, 104 deletions
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 39ff167e6d86..aaaf9a81fbc9 100644
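--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -106,7 +106,7 @@ static int ecn_tg_check(const struct xt_tgchk_param *par)
 
 if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
 (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
-pr_info("cannot use TCP operations on a non-tcp rule\n");
+pr_info_ratelimited("cannot use operation on non-tcp rule\n");
 return -EINVAL;
 }
 return 0;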
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 8bd0d7b26632..e8bed3390e58 100644
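--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -74,13 +74,13 @@ static int reject_tg_check(const struct xt_tgchk_param *par)
 const struct ipt_entry *e = par->entryinfo;
 
 if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
-pr_info("ECHOREPLY no longer supported.\n");
+pr_info_ratelimited("ECHOREPLY no longer supported.\n");
 return -EINVAL;
 } else if (rejinfo->with == IPT_TCP_RESET) {
 /* Must specify that it's a TCP packet */
 if (e->ip.proto != IPPROTO_TCP ||
 (e->ip.invflags & XT_INV_PROTO)) {
-pr_info("TCP_RESET invalid for non-tcp\n");
+pr_info_ratelimited("TCP_RESET invalid for non-tcp\n");
 return -EINVAL;
 }
 }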
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index 5d107dd9098e..fd01f13c896a 100644
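--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -105,7 +105,7 @@ static int rpfilter_check(const struct xt_mtchk_param *par)
 const struct xt_rpfilter_info *info = par->matchinfo;
 unsigned int options = ~XT_RPFILTER_OPTION_MASK;
 if (info->flags & options) {
-pr_info("unknown options encountered");
+pr_info_ratelimited("unknown options\n");
 return -EINVAL;
 }
 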
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index fa51a205918d..38dea8ff680f 100644
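--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -85,14 +85,14 @@ static int reject_tg6_check(const struct xt_tgchk_param *par)
 const struct ip6t_entry *e = par->entryinfo;
 
 if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
-pr_info("ECHOREPLY is not supported.\n");
+pr_info_ratelimited("ECHOREPLY is not supported\n");
 return -EINVAL;
 } else if (rejinfo->with == IP6T_TCP_RESET) {
 /* Must specify that it's a TCP packet */
 if (!(e->ipv6.flags & IP6T_F_PROTO) ||
 e->ipv6.proto != IPPROTO_TCP ||
 (e->ipv6.invflags & XT_INV_PROTO)) {
-pr_info("TCP_RESET illegal for non-tcp\n");
+pr_info_ratelimited("TCP_RESET illegal for non-tcp\n");
 return -EINVAL;
 }
 }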
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index ddf3111f9810..94deb69bbbda 100644
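--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -103,7 +103,7 @@ static int rpfilter_check(const struct xt_mtchk_param *par)
 unsigned int options = ~XT_RPFILTER_OPTION_MASK;
 
 if (info->flags & options) {
-pr_info("unknown options encountered");
+pr_info_ratelimited("unknown options\n");
 return -EINVAL;
 }
 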
diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
index 9642164107ce..33719d5560c8 100644
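--- a/net/ipv6/netfilter/ip6t_srh.c
+++ b/net/ipv6/netfilter/ip6t_srh.c
@@ -122,12 +122,14 @@ static int srh_mt6_check(const struct xt_mtchk_param *par)
 const struct ip6t_srh *srhinfo = par->matchinfo;
 
 if (srhinfo->mt_flags & ~IP6T_SRH_MASK) {
-pr_err("unknown srh match flags %X\n", srhinfo->mt_flags);
+pr_info_ratelimited("unknown srh match flags %X\n",
+srhinfo->mt_flags);
 return -EINVAL;
 }
 
 if (srhinfo->mt_invflags & ~IP6T_SRH_INV_MASK) {
-pr_err("unknown srh invflags %X\n", srhinfo->mt_invflags);
+pr_info_ratelimited("unknown srh invflags %X\n",
+srhinfo->mt_invflags);
 return -EINVAL;
 }
 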
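Review bot: Both calls in srh_mt6_check() are not only rate limited but also demoted from `pr_err` to info level, and the commit message mentions only rate limiting. The same demotion happens in xt_LED.c, xt_connlabel.c and xt_ipcomp.c (from `pr_err`) and in user2rate() in xt_hashlimit.c (from `pr_warn`). Consoles and log pipelines that filter on warning or error level will stop seeing these rule rejections, so the description should state the level change explicitly, for example `Also demote user-triggerable messages to info level.` srh_mt6_check() starts and ends outside this hunk.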
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index c502419d6306..f368ee6741db 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -120,8 +120,8 @@ static int audit_tg_check(const struct xt_tgchk_param *par)
120 const struct xt_audit_info *info = par->targinfo; 120 const struct xt_audit_info *info = par->targinfo;
121 121
122 if (info->type > XT_AUDIT_TYPE_MAX) { 122 if (info->type > XT_AUDIT_TYPE_MAX) {
123 pr_info("Audit type out of range (valid range: 0..%hhu)\n", 123 pr_info_ratelimited("Audit type out of range (valid range: 0..%hhu)\n",
124 XT_AUDIT_TYPE_MAX); 124 XT_AUDIT_TYPE_MAX);
125 return -ERANGE; 125 return -ERANGE;
126 } 126 }
127 127
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
index ea3c5701fb0f..9f4151ec3e06 100644
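--- a/net/netfilter/xt_CHECKSUM.c
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -36,7 +36,8 @@ static int checksum_tg_check(const struct xt_tgchk_param *par)
 const struct xt_CHECKSUM_info *einfo = par->targinfo;
 
 if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
-pr_info("unsupported CHECKSUM operation %x\n", einfo->operation);
+pr_info_ratelimited("unsupported CHECKSUM operation %x\n",
+einfo->operation);
 return -EINVAL;
 }
 if (!einfo->operation)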
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 6f30cd399e42..f3f1caac949b 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -102,14 +102,14 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
102 break; 102 break;
103 103
104 default: 104 default:
105 pr_info("invalid mode: %hu\n", info->mode); 105 pr_info_ratelimited("invalid mode: %hu\n", info->mode);
106 return -EINVAL; 106 return -EINVAL;
107 } 107 }
108 108
109 ret = nf_ct_netns_get(par->net, par->family); 109 ret = nf_ct_netns_get(par->net, par->family);
110 if (ret < 0) 110 if (ret < 0)
111 pr_info("cannot load conntrack support for proto=%u\n", 111 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
112 par->family); 112 par->family);
113 return ret; 113 return ret;
114} 114}
115 115
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index ece311c11fdc..4472424e7ead 100644
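--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -136,7 +136,7 @@ static int led_tg_check(const struct xt_tgchk_param *par)
 
 err = led_trigger_register(&ledinternal->netfilter_led_trigger);
 if (err) {
-pr_err("Trigger name is already in use.\n");
+pr_info_ratelimited("Trigger name is already in use.\n");
 goto exit_alloc;
 }
 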
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 5c5cd782fab5..4ad5fe27e08b 100644
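--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -60,18 +60,20 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
 &info->secid);
 if (err) {
 if (err == -EINVAL)
-pr_info("invalid security context \'%s\'\n", info->secctx);
+pr_info_ratelimited("invalid security context \'%s\'\n",
+info->secctx);
 return err;
 }
 
 if (!info->secid) {
-pr_info("unable to map security context \'%s\'\n", info->secctx);
+pr_info_ratelimited("unable to map security context \'%s\'\n",
+info->secctx);
 return -ENOENT;
 }
 
 err = security_secmark_relabel_packet(info->secid);
 if (err) {
-pr_info("unable to obtain relabeling permission\n");
+pr_info_ratelimited("unable to obtain relabeling permission\n");
 return err;
 }
 
@@ -92,8 +94,8 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
 }
 
 if (mode && mode != info->mode) {
-pr_info("mode already set to %hu cannot mix with "
-"rules for mode %hu\n", mode, info->mode);
+pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n",
+mode, info->mode);
 return -EINVAL;
 }
 
@@ -101,7 +103,7 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
 case SECMARK_MODE_SEL:
 break;
 default:
-pr_info("invalid mode: %hu\n", info->mode);
+pr_info_ratelimited("invalid mode: %hu\n", info->mode);
 return -EINVAL;
 }
 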
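Review bot: The two context messages in checkentry_lsm() (first hunk) still print `info->secctx` raw with `%s`, so rate limiting bounds how often the line appears but not what it contains. That buffer presumably arrives with the rule submitted from userspace, and the hunk starts mid-function, so whether it is NUL-terminated and free of control characters by this point cannot be confirmed from the visible lines. If that is not already guaranteed above, bound and escape the string, for example `pr_info_ratelimited("invalid security context \'%*pE\'\n", (int)strnlen(info->secctx, SECMARK_SECCTX_MAX), info->secctx);`, and do the same for the "unable to map" message.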
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 99bb8e410f22..98efb202f8b4 100644
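--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -273,8 +273,7 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
 (par->hook_mask & ~((1 << NF_INET_FORWARD) |
 (1 << NF_INET_LOCAL_OUT) |
 (1 << NF_INET_POST_ROUTING))) != 0) {
-pr_info("path-MTU clamping only supported in "
-"FORWARD, OUTPUT and POSTROUTING hooks\n");
+pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
 return -EINVAL;
 }
 if (par->nft_compat)
@@ -283,7 +282,7 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
 xt_ematch_foreach(ematch, e)
 if (find_syn_match(ematch))
 return 0;
-pr_info("Only works on TCP SYN packets\n");
+pr_info_ratelimited("Only works on TCP SYN packets\n");
 return -EINVAL;
 }
 
@@ -298,8 +297,7 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
 (par->hook_mask & ~((1 << NF_INET_FORWARD) |
 (1 << NF_INET_LOCAL_OUT) |
 (1 << NF_INET_POST_ROUTING))) != 0) {
-pr_info("path-MTU clamping only supported in "
-"FORWARD, OUTPUT and POSTROUTING hooks\n");
+pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
 return -EINVAL;
 }
 if (par->nft_compat)
@@ -308,7 +306,7 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
 xt_ematch_foreach(ematch, e)
 if (find_syn_match(ematch))
 return 0;
-pr_info("Only works on TCP SYN packets\n");
+pr_info_ratelimited("Only works on TCP SYN packets\n");
 return -EINVAL;
 }
 #endif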
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 17d7705e3bd4..8c89323c06af 100644
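--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -540,8 +540,7 @@ static int tproxy_tg6_check(const struct xt_tgchk_param *par)
 !(i->invflags & IP6T_INV_PROTO))
 return 0;
 
-pr_info("Can be used only in combination with "
-"either -p tcp or -p udp\n");
+pr_info_ratelimited("Can be used only with -p tcp or -p udp\n");
 return -EINVAL;
 }
 #endif
@@ -559,8 +558,7 @@ static int tproxy_tg4_check(const struct xt_tgchk_param *par)
 && !(i->invflags & IPT_INV_PROTO))
 return 0;
 
-pr_info("Can be used only in combination with "
-"either -p tcp or -p udp\n");
+pr_info_ratelimited("Can be used only with -p tcp or -p udp\n");
 return -EINVAL;
 }
 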
diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
index 06b090d8e901..a2cf8a6236d6 100644
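--- a/net/netfilter/xt_bpf.c
+++ b/net/netfilter/xt_bpf.c
@@ -7,6 +7,8 @@
 * published by the Free Software Foundation.
 */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <linux/module.h>
 #include <linux/syscalls.h>
 #include <linux/skbuff.h>
@@ -34,7 +36,7 @@ static int __bpf_mt_check_bytecode(struct sock_filter *insns, __u16 len,
 program.filter = insns;
 
 if (bpf_prog_create(ret, &program)) {
-pr_info("bpf: check failed: parse error\n");
+pr_info_ratelimited("check failed: parse error\n");
 return -EINVAL;
 }
 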
diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index 891f4e7e8ea7..7df2dece57d3 100644
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -12,6 +12,8 @@
12 * published by the Free Software Foundation. 12 * published by the Free Software Foundation.
13 */ 13 */
14 14
15#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
16
15#include <linux/skbuff.h> 17#include <linux/skbuff.h>
16#include <linux/module.h> 18#include <linux/module.h>
17#include <linux/netfilter/x_tables.h> 19#include <linux/netfilter/x_tables.h>
@@ -48,7 +50,7 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
48 } 50 }
49 51
50 if (info->has_path && info->has_classid) { 52 if (info->has_path && info->has_classid) {
51 pr_info("xt_cgroup: both path and classid specified\n"); 53 pr_info_ratelimited("path and classid specified\n");
52 return -EINVAL; 54 return -EINVAL;
53 } 55 }
54 56
@@ -56,8 +58,8 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
56 if (info->has_path) { 58 if (info->has_path) {
57 cgrp = cgroup_get_from_path(info->path); 59 cgrp = cgroup_get_from_path(info->path);
58 if (IS_ERR(cgrp)) { 60 if (IS_ERR(cgrp)) {
59 pr_info("xt_cgroup: invalid path, errno=%ld\n", 61 pr_info_ratelimited("invalid path, errno=%ld\n",
60 PTR_ERR(cgrp)); 62 PTR_ERR(cgrp));
61 return -EINVAL; 63 return -EINVAL;
62 } 64 }
63 info->priv = cgrp; 65 info->priv = cgrp;
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 57ef175dfbfa..0068688995c8 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -135,14 +135,12 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
135 struct xt_cluster_match_info *info = par->matchinfo; 135 struct xt_cluster_match_info *info = par->matchinfo;
136 136
137 if (info->total_nodes > XT_CLUSTER_NODES_MAX) { 137 if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
138 pr_info("you have exceeded the maximum " 138 pr_info_ratelimited("you have exceeded the maximum number of cluster nodes (%u > %u)\n",
139 "number of cluster nodes (%u > %u)\n", 139 info->total_nodes, XT_CLUSTER_NODES_MAX);
140 info->total_nodes, XT_CLUSTER_NODES_MAX);
141 return -EINVAL; 140 return -EINVAL;
142 } 141 }
143 if (info->node_mask >= (1ULL << info->total_nodes)) { 142 if (info->node_mask >= (1ULL << info->total_nodes)) {
144 pr_info("this node mask cannot be " 143 pr_info_ratelimited("node mask cannot exceed total number of nodes\n");
145 "higher than the total number of nodes\n");
146 return -EDOM; 144 return -EDOM;
147 } 145 }
148 return 0; 146 return 0;
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index cad0b7b5eb35..93cb018c3055 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -112,8 +112,8 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
112 112
113 ret = nf_ct_netns_get(par->net, par->family); 113 ret = nf_ct_netns_get(par->net, par->family);
114 if (ret < 0) 114 if (ret < 0)
115 pr_info("cannot load conntrack support for proto=%u\n", 115 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
116 par->family); 116 par->family);
117 117
118 /* 118 /*
119 * This filter cannot function correctly unless connection tracking 119 * This filter cannot function correctly unless connection tracking
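Review bot: In connbytes_mt_check() the `if (ret < 0)` branch after nf_ct_netns_get() only logs and has no `return ret;`, unlike connlabel_mt_check() and helper_mt_check() touched by this same commit. Execution therefore continues into the block introduced by the comment that follows; what that block does lies outside the hunk, but if it changes per-netns state, a rule that failed to load would still leave a side effect behind. Consider bracing the branch and returning early: `if (ret < 0) { pr_info_ratelimited("cannot load conntrack support for proto=%u\n", par->family); return ret; }`.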
diff --git a/net/netfilter/xt_connlabel.c b/net/netfilter/xt_connlabel.c
index 23372879e6e3..4fa4efd24353 100644
--- a/net/netfilter/xt_connlabel.c
+++ b/net/netfilter/xt_connlabel.c
@@ -57,14 +57,15 @@ static int connlabel_mt_check(const struct xt_mtchk_param *par)
57 int ret; 57 int ret;
58 58
59 if (info->options & ~options) { 59 if (info->options & ~options) {
60 pr_err("Unknown options in mask %x\n", info->options); 60 pr_info_ratelimited("Unknown options in mask %x\n",
61 info->options);
61 return -EINVAL; 62 return -EINVAL;
62 } 63 }
63 64
64 ret = nf_ct_netns_get(par->net, par->family); 65 ret = nf_ct_netns_get(par->net, par->family);
65 if (ret < 0) { 66 if (ret < 0) {
66 pr_info("cannot load conntrack support for proto=%u\n", 67 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
67 par->family); 68 par->family);
68 return ret; 69 return ret;
69 } 70 }
70 71
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index ec377cc6a369..809639ce6f5a 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -79,8 +79,8 @@ static int connmark_tg_check(const struct xt_tgchk_param *par)
79 79
80 ret = nf_ct_netns_get(par->net, par->family); 80 ret = nf_ct_netns_get(par->net, par->family);
81 if (ret < 0) 81 if (ret < 0)
82 pr_info("cannot load conntrack support for proto=%u\n", 82 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
83 par->family); 83 par->family);
84 return ret; 84 return ret;
85} 85}
86 86
@@ -109,8 +109,8 @@ static int connmark_mt_check(const struct xt_mtchk_param *par)
109 109
110 ret = nf_ct_netns_get(par->net, par->family); 110 ret = nf_ct_netns_get(par->net, par->family);
111 if (ret < 0) 111 if (ret < 0)
112 pr_info("cannot load conntrack support for proto=%u\n", 112 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
113 par->family); 113 par->family);
114 return ret; 114 return ret;
115} 115}
116 116
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 39cf1d019240..df80fe7d391c 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -272,8 +272,8 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par)
272 272
273 ret = nf_ct_netns_get(par->net, par->family); 273 ret = nf_ct_netns_get(par->net, par->family);
274 if (ret < 0) 274 if (ret < 0)
275 pr_info("cannot load conntrack support for proto=%u\n", 275 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
276 par->family); 276 par->family);
277 return ret; 277 return ret;
278} 278}
279 279
diff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c
index 3c831a8efebc..c7ad4afa5fb8 100644
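--- a/net/netfilter/xt_ecn.c
+++ b/net/netfilter/xt_ecn.c
@@ -97,7 +97,7 @@ static int ecn_mt_check4(const struct xt_mtchk_param *par)
 
 if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
 (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
-pr_info("cannot match TCP bits in rule for non-tcp packets\n");
+pr_info_ratelimited("cannot match TCP bits for non-tcp packets\n");
 return -EINVAL;
 }
 
@@ -139,7 +139,7 @@ static int ecn_mt_check6(const struct xt_mtchk_param *par)
 
 if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
 (ip->proto != IPPROTO_TCP || ip->invflags & IP6T_INV_PROTO)) {
-pr_info("cannot match TCP bits in rule for non-tcp packets\n");
+pr_info_ratelimited("cannot match TCP bits for non-tcp packets\n");
 return -EINVAL;
 }
 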
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index ca6847403ca2..aa96027f4418 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -523,7 +523,8 @@ static u64 user2rate(u64 user)
523 if (user != 0) { 523 if (user != 0) {
524 return div64_u64(XT_HASHLIMIT_SCALE_v2, user); 524 return div64_u64(XT_HASHLIMIT_SCALE_v2, user);
525 } else { 525 } else {
526 pr_warn("invalid rate from userspace: %llu\n", user); 526 pr_info_ratelimited("invalid rate from userspace: %llu\n",
527 user);
527 return 0; 528 return 0;
528 } 529 }
529} 530}
@@ -865,33 +866,34 @@ static int hashlimit_mt_check_common(const struct xt_mtchk_param *par,
865 } 866 }
866 867
867 if (cfg->mode & ~XT_HASHLIMIT_ALL) { 868 if (cfg->mode & ~XT_HASHLIMIT_ALL) {
868 pr_info("Unknown mode mask %X, kernel too old?\n", 869 pr_info_ratelimited("Unknown mode mask %X, kernel too old?\n",
869 cfg->mode); 870 cfg->mode);
870 return -EINVAL; 871 return -EINVAL;
871 } 872 }
872 873
873 /* Check for overflow. */ 874 /* Check for overflow. */
874 if (revision >= 3 && cfg->mode & XT_HASHLIMIT_RATE_MATCH) { 875 if (revision >= 3 && cfg->mode & XT_HASHLIMIT_RATE_MATCH) {
875 if (cfg->avg == 0 || cfg->avg > U32_MAX) { 876 if (cfg->avg == 0 || cfg->avg > U32_MAX) {
876 pr_info("hashlimit invalid rate\n"); 877 pr_info_ratelimited("invalid rate\n");
877 return -ERANGE; 878 return -ERANGE;
878 } 879 }
879 880
880 if (cfg->interval == 0) { 881 if (cfg->interval == 0) {
881 pr_info("hashlimit invalid interval\n"); 882 pr_info_ratelimited("invalid interval\n");
882 return -EINVAL; 883 return -EINVAL;
883 } 884 }
884 } else if (cfg->mode & XT_HASHLIMIT_BYTES) { 885 } else if (cfg->mode & XT_HASHLIMIT_BYTES) {
885 if (user2credits_byte(cfg->avg) == 0) { 886 if (user2credits_byte(cfg->avg) == 0) {
886 pr_info("overflow, rate too high: %llu\n", cfg->avg); 887 pr_info_ratelimited("overflow, rate too high: %llu\n",
888 cfg->avg);
887 return -EINVAL; 889 return -EINVAL;
888 } 890 }
889 } else if (cfg->burst == 0 || 891 } else if (cfg->burst == 0 ||
890 user2credits(cfg->avg * cfg->burst, revision) < 892 user2credits(cfg->avg * cfg->burst, revision) <
891 user2credits(cfg->avg, revision)) { 893 user2credits(cfg->avg, revision)) {
892 pr_info("overflow, try lower: %llu/%llu\n", 894 pr_info_ratelimited("overflow, try lower: %llu/%llu\n",
893 cfg->avg, cfg->burst); 895 cfg->avg, cfg->burst);
894 return -ERANGE; 896 return -ERANGE;
895 } 897 }
896 898
897 mutex_lock(&hashlimit_mutex); 899 mutex_lock(&hashlimit_mutex);
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 38a78151c0e9..fd077aeaaed9 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -61,8 +61,8 @@ static int helper_mt_check(const struct xt_mtchk_param *par)
61 61
62 ret = nf_ct_netns_get(par->net, par->family); 62 ret = nf_ct_netns_get(par->net, par->family);
63 if (ret < 0) { 63 if (ret < 0) {
64 pr_info("cannot load conntrack support for proto=%u\n", 64 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
65 par->family); 65 par->family);
66 return ret; 66 return ret;
67 } 67 }
68 info->name[sizeof(info->name) - 1] = '\0'; 68 info->name[sizeof(info->name) - 1] = '\0';
diff --git a/net/netfilter/xt_ipcomp.c b/net/netfilter/xt_ipcomp.c
index 7ca64a50db04..57f1df575701 100644
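--- a/net/netfilter/xt_ipcomp.c
+++ b/net/netfilter/xt_ipcomp.c
@@ -72,7 +72,7 @@ static int comp_mt_check(const struct xt_mtchk_param *par)
 
 /* Must specify no unknown invflags */
 if (compinfo->invflags & ~XT_IPCOMP_INV_MASK) {
-pr_err("unknown flags %X\n", compinfo->invflags);
+pr_info_ratelimited("unknown flags %X\n", compinfo->invflags);
 return -EINVAL;
 }
 return 0;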
diff --git a/net/netfilter/xt_ipvs.c b/net/netfilter/xt_ipvs.c
index 42540d26c2b8..1d950a6100af 100644
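--- a/net/netfilter/xt_ipvs.c
+++ b/net/netfilter/xt_ipvs.c
@@ -158,7 +158,8 @@ static int ipvs_mt_check(const struct xt_mtchk_param *par)
 && par->family != NFPROTO_IPV6
 #endif
 ) {
-pr_info("protocol family %u not supported\n", par->family);
+pr_info_ratelimited("protocol family %u not supported\n",
+par->family);
 return -EINVAL;
 }
 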
diff --git a/net/netfilter/xt_l2tp.c b/net/netfilter/xt_l2tp.c
index 8aee572771f2..c43482bf48e6 100644
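--- a/net/netfilter/xt_l2tp.c
+++ b/net/netfilter/xt_l2tp.c
@@ -216,7 +216,7 @@ static int l2tp_mt_check(const struct xt_mtchk_param *par)
 /* Check for invalid flags */
 if (info->flags & ~(XT_L2TP_TID | XT_L2TP_SID | XT_L2TP_VERSION |
 XT_L2TP_TYPE)) {
-pr_info("unknown flags: %x\n", info->flags);
+pr_info_ratelimited("unknown flags: %x\n", info->flags);
 return -EINVAL;
 }
 
@@ -225,7 +225,8 @@ static int l2tp_mt_check(const struct xt_mtchk_param *par)
 (!(info->flags & XT_L2TP_SID)) &&
 ((!(info->flags & XT_L2TP_TYPE)) ||
 (info->type != XT_L2TP_TYPE_CONTROL))) {
-pr_info("invalid flags combination: %x\n", info->flags);
+pr_info_ratelimited("invalid flags combination: %x\n",
+info->flags);
 return -EINVAL;
 }
 
@@ -234,19 +235,22 @@ static int l2tp_mt_check(const struct xt_mtchk_param *par)
 */
 if (info->flags & XT_L2TP_VERSION) {
 if ((info->version < 2) || (info->version > 3)) {
-pr_info("wrong L2TP version: %u\n", info->version);
+pr_info_ratelimited("wrong L2TP version: %u\n",
+info->version);
 return -EINVAL;
 }
 
 if (info->version == 2) {
 if ((info->flags & XT_L2TP_TID) &&
 (info->tid > 0xffff)) {
-pr_info("v2 tid > 0xffff: %u\n", info->tid);
+pr_info_ratelimited("v2 tid > 0xffff: %u\n",
+info->tid);
 return -EINVAL;
 }
 if ((info->flags & XT_L2TP_SID) &&
 (info->sid > 0xffff)) {
-pr_info("v2 sid > 0xffff: %u\n", info->sid);
+pr_info_ratelimited("v2 sid > 0xffff: %u\n",
+info->sid);
 return -EINVAL;
 }
 }
@@ -268,13 +272,13 @@ static int l2tp_mt_check4(const struct xt_mtchk_param *par)
 
 if ((ip->proto != IPPROTO_UDP) &&
 (ip->proto != IPPROTO_L2TP)) {
-pr_info("missing protocol rule (udp|l2tpip)\n");
+pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n");
 return -EINVAL;
 }
 
 if ((ip->proto == IPPROTO_L2TP) &&
 (info->version == 2)) {
-pr_info("v2 doesn't support IP mode\n");
+pr_info_ratelimited("v2 doesn't support IP mode\n");
 return -EINVAL;
 }
 
@@ -295,13 +299,13 @@ static int l2tp_mt_check6(const struct xt_mtchk_param *par)
 
 if ((ip->proto != IPPROTO_UDP) &&
 (ip->proto != IPPROTO_L2TP)) {
-pr_info("missing protocol rule (udp|l2tpip)\n");
+pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n");
 return -EINVAL;
 }
 
 if ((ip->proto == IPPROTO_L2TP) &&
 (info->version == 2)) {
-pr_info("v2 doesn't support IP mode\n");
+pr_info_ratelimited("v2 doesn't support IP mode\n");
 return -EINVAL;
 }
 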
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 61403b77361c..55d18cd67635 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -106,8 +106,8 @@ static int limit_mt_check(const struct xt_mtchk_param *par)
106 /* Check for overflow. */ 106 /* Check for overflow. */
107 if (r->burst == 0 107 if (r->burst == 0
108 || user2credits(r->avg * r->burst) < user2credits(r->avg)) { 108 || user2credits(r->avg * r->burst) < user2credits(r->avg)) {
109 pr_info("Overflow, try lower: %u/%u\n", 109 pr_info_ratelimited("Overflow, try lower: %u/%u\n",
110 r->avg, r->burst); 110 r->avg, r->burst);
111 return -ERANGE; 111 return -ERANGE;
112 } 112 }
113 113
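Review bot: The overflow guard in limit_mt_check computes `r->avg * r->burst` before user2credits() sees the value. If both fields are 32-bit, as the `%u` format suggests, a product that wraps can still compare greater than or equal to `user2credits(r->avg)` and pass the check. The commit only rate-limits the message, so that case is untouched. Bounding the operands first, for example `if (r->burst == 0 || r->avg > U32_MAX / r->burst || ...)`, would reject it before the existing comparison runs. The function body starts and continues outside the hunk, so any earlier validation of these fields is not visible here.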
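--- a/net/netfilter/xt_nat.c
+++ b/net/netfilter/xt_nat.c
@@ -8,6 +8,8 @@
  * published by the Free Software Foundation.
  */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter.h>
@@ -19,8 +21,7 @@ static int xt_nat_checkentry_v0(const struct xt_tgchk_param *par)
  const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
 
  if (mr->rangesize != 1) {
- pr_info("%s: multiple ranges no longer supported\n",
- par->target->name);
+ pr_info_ratelimited("multiple ranges no longer supported\n");
  return -EINVAL;
  }
  return nf_ct_netns_get(par->net, par->family);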
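Review bot: The new message in xt_nat_checkentry_v0 drops `par->target->name`, so the log line carries only the module prefix from the added `pr_fmt` and no longer says which target's rule was rejected. If this check function is registered for more than one target (the registration is not visible in the hunk), an operator reading the log cannot tell them apart. Keeping the name is compatible with the rate limit: `pr_info_ratelimited("%s: multiple ranges no longer supported\n", par->target->name);`.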
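--- a/net/netfilter/xt_nfacct.c
+++ b/net/netfilter/xt_nfacct.c
@@ -6,6 +6,8 @@
  * it under the terms of the GNU General Public License version 2 (or any
  * later at your option) as published by the Free Software Foundation.
  */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
@@ -39,8 +41,8 @@ nfacct_mt_checkentry(const struct xt_mtchk_param *par)
 
  nfacct = nfnl_acct_find_get(par->net, info->name);
  if (nfacct == NULL) {
- pr_info("xt_nfacct: accounting object with name `%s' "
- "does not exists\n", info->name);
+ pr_info_ratelimited("accounting object `%s' does not exists\n",
+ info->name);
  return -ENOENT;
  }
  info->nfacct = nfacct;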
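Review bot: `info->name` is formatted with an unbounded `%s` in nfacct_mt_checkentry, and nothing in the hunk shows that the name is NUL-terminated inside its field. The name presumably arrives in the match data supplied with the rule. If no earlier check guarantees termination, the format reads past the field. Bounding the conversion with `%.*s` and `(int)sizeof(info->name)` removes that dependency, assuming `name` is a fixed-size array. The message text could also be corrected from "does not exists" to "does not exist" while the string is being rewritten. The function starts outside the hunk, so validation done before the lookup is not visible here.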
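--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -107,9 +107,7 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
  info->invert & XT_PHYSDEV_OP_BRIDGED) &&
  par->hook_mask & ((1 << NF_INET_LOCAL_OUT) |
  (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) {
- pr_info("using --physdev-out and --physdev-is-out are only "
- "supported in the FORWARD and POSTROUTING chains with "
- "bridged traffic.\n");
+ pr_info_ratelimited("--physdev-out and --physdev-is-out only supported in the FORWARD and POSTROUTING chains with bridged traffic\n");
  if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
  return -EINVAL;
  }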
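Review bot: The message in physdev_mt_check is emitted for every hook in the mask, but only `NF_INET_LOCAL_OUT` leads to `-EINVAL`. A rule in FORWARD or POSTROUTING is therefore accepted and still logs text that reads like a rejection. With rate limiting, that advisory may now also be dropped silently. A short comment above the call would make the intent explicit, for example `/* advisory for FORWARD/POSTROUTING; only LOCAL_OUT is rejected below */`. The condition begins outside the hunk, so its first operands are not visible here.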
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 245fa350a7a8..6d232d18faff 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -342,8 +342,8 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
342 net_get_random_once(&hash_rnd, sizeof(hash_rnd)); 342 net_get_random_once(&hash_rnd, sizeof(hash_rnd));
343 343
344 if (info->check_set & ~XT_RECENT_VALID_FLAGS) { 344 if (info->check_set & ~XT_RECENT_VALID_FLAGS) {
345 pr_info("Unsupported user space flags (%08x)\n", 345 pr_info_ratelimited("Unsupported userspace flags (%08x)\n",
346 info->check_set); 346 info->check_set);
347 return -EINVAL; 347 return -EINVAL;
348 } 348 }
349 if (hweight8(info->check_set & 349 if (hweight8(info->check_set &
@@ -357,8 +357,8 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
357 if ((info->check_set & XT_RECENT_REAP) && !info->seconds) 357 if ((info->check_set & XT_RECENT_REAP) && !info->seconds)
358 return -EINVAL; 358 return -EINVAL;
359 if (info->hit_count >= XT_RECENT_MAX_NSTAMPS) { 359 if (info->hit_count >= XT_RECENT_MAX_NSTAMPS) {
360 pr_info("hitcount (%u) is larger than allowed maximum (%u)\n", 360 pr_info_ratelimited("hitcount (%u) is larger than allowed maximum (%u)\n",
361 info->hit_count, XT_RECENT_MAX_NSTAMPS - 1); 361 info->hit_count, XT_RECENT_MAX_NSTAMPS - 1);
362 return -EINVAL; 362 return -EINVAL;
363 } 363 }
364 if (info->name[0] == '\0' || 364 if (info->name[0] == '\0' ||
@@ -587,7 +587,7 @@ recent_mt_proc_write(struct file *file, const char __user *input,
587 add = true; 587 add = true;
588 break; 588 break;
589 default: 589 default:
590 pr_info("Need \"+ip\", \"-ip\" or \"/\"\n"); 590 pr_info_ratelimited("Need \"+ip\", \"-ip\" or \"/\"\n");
591 return -EINVAL; 591 return -EINVAL;
592 } 592 }
593 593
@@ -601,10 +601,8 @@ recent_mt_proc_write(struct file *file, const char __user *input,
601 succ = in4_pton(c, size, (void *)&addr, '\n', NULL); 601 succ = in4_pton(c, size, (void *)&addr, '\n', NULL);
602 } 602 }
603 603
604 if (!succ) { 604 if (!succ)
605 pr_info("illegal address written to procfs\n");
606 return -EINVAL; 605 return -EINVAL;
607 }
608 606
609 spin_lock_bh(&recent_lock); 607 spin_lock_bh(&recent_lock);
610 e = recent_entry_lookup(t, &addr, family, 0); 608 e = recent_entry_lookup(t, &addr, family, 0);
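Review bot: The two rejection paths in recent_mt_proc_write now behave differently. The last hunk removes the log line for an address that fails to parse, while the `default:` case in the hunk before it still logs `Need "+ip", "-ip" or "/"`. Both are malformed input from whoever can write the proc file, and both return `-EINVAL`, so the writer learns the same thing either way. Dropping the remaining `pr_info_ratelimited` in the `default:` branch would make the handler consistently silent and leave no log line for a proc writer to trigger. The function starts and continues outside these hunks.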
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 575d2153e3b8..2ac7f674d19b 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -171,7 +171,8 @@ static int socket_mt_v1_check(const struct xt_mtchk_param *par)
171 return err; 171 return err;
172 172
173 if (info->flags & ~XT_SOCKET_FLAGS_V1) { 173 if (info->flags & ~XT_SOCKET_FLAGS_V1) {
174 pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V1); 174 pr_info_ratelimited("unknown flags 0x%x\n",
175 info->flags & ~XT_SOCKET_FLAGS_V1);
175 return -EINVAL; 176 return -EINVAL;
176 } 177 }
177 return 0; 178 return 0;
@@ -187,7 +188,8 @@ static int socket_mt_v2_check(const struct xt_mtchk_param *par)
187 return err; 188 return err;
188 189
189 if (info->flags & ~XT_SOCKET_FLAGS_V2) { 190 if (info->flags & ~XT_SOCKET_FLAGS_V2) {
190 pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V2); 191 pr_info_ratelimited("unknown flags 0x%x\n",
192 info->flags & ~XT_SOCKET_FLAGS_V2);
191 return -EINVAL; 193 return -EINVAL;
192 } 194 }
193 return 0; 195 return 0;
@@ -203,8 +205,8 @@ static int socket_mt_v3_check(const struct xt_mtchk_param *par)
203 if (err) 205 if (err)
204 return err; 206 return err;
205 if (info->flags & ~XT_SOCKET_FLAGS_V3) { 207 if (info->flags & ~XT_SOCKET_FLAGS_V3) {
206 pr_info("unknown flags 0x%x\n", 208 pr_info_ratelimited("unknown flags 0x%x\n",
207 info->flags & ~XT_SOCKET_FLAGS_V3); 209 info->flags & ~XT_SOCKET_FLAGS_V3);
208 return -EINVAL; 210 return -EINVAL;
209 } 211 }
210 return 0; 212 return 0;
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 5fbd79194d21..0b41c0befe3c 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -44,8 +44,8 @@ static int state_mt_check(const struct xt_mtchk_param *par)
44 44
45 ret = nf_ct_netns_get(par->net, par->family); 45 ret = nf_ct_netns_get(par->net, par->family);
46 if (ret < 0) 46 if (ret < 0)
47 pr_info("cannot load conntrack support for proto=%u\n", 47 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
48 par->family); 48 par->family);
49 return ret; 49 return ret;
50} 50}
51 51
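--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -235,13 +235,13 @@ static int time_mt_check(const struct xt_mtchk_param *par)
 
  if (info->daytime_start > XT_TIME_MAX_DAYTIME ||
  info->daytime_stop > XT_TIME_MAX_DAYTIME) {
- pr_info("invalid argument - start or "
- "stop time greater than 23:59:59\n");
+ pr_info_ratelimited("invalid argument - start or stop time greater than 23:59:59\n");
  return -EDOM;
  }
 
  if (info->flags & ~XT_TIME_ALL_FLAGS) {
- pr_info("unknown flags 0x%x\n", info->flags & ~XT_TIME_ALL_FLAGS);
+ pr_info_ratelimited("unknown flags 0x%x\n",
+ info->flags & ~XT_TIME_ALL_FLAGS);
  return -EINVAL;
  }
 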