author | Florian Westphal <fw@strlen.de> | 2018-02-09 09:52:06 -0500 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-02-14 15:05:37 -0500 |
commit | c08e5e1ee6d65917af2bb12c2c568d637a682c44 (patch) | |
tree | 6e7800e72b2bd32ea425b36dcc1fdc8d977c25b1 | |
parent | cc48baefdfff83e3774811f69eb181b8850bd8af (diff) |
netfilter: x_tables: use pr ratelimiting in matches/targets
all of these print simple error message - use single pr_ratelimit call.
checkpatch complains about lines > 80 but this would require splitting
several "literals" over multiple lines which is worse.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | net/netfilter/xt_HMARK.c | 17 | ||||
-rw-r--r-- | net/netfilter/xt_addrtype.c | 33 | ||||
-rw-r--r-- | net/netfilter/xt_policy.c | 23 |
3 files changed, 40 insertions, 33 deletions
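diff --git a/net/netfilter/xt_HMARK.c b/net/netfilter/xt_HMARK.c
index dd08cc1f86c7..9c75f419cd80 100644
--- a/net/netfilter/xt_HMARK.c
+++ b/net/netfilter/xt_HMARK.c
@@ -9,6 +9,8 @@
 * the Free Software Foundation.
 */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/icmp.h>
@@ -312,15 +314,15 @@ hmark_tg_v4(struct sk_buff *skb, const struct xt_action_param *par)
 static int hmark_tg_check(const struct xt_tgchk_param *par)
 {
 const struct xt_hmark_info *info = par->targinfo;
+const char *errmsg = "proto mask must be zero with L3 mode";
 
 if (!info->hmodulus)
 return -EINVAL;
 
 if (info->proto_mask &&
-(info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))) {
-pr_info("xt_HMARK: proto mask must be zero with L3 mode\n");
-return -EINVAL;
-}
+(info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3)))
+goto err;
+
 if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK) &&
 (info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT_MASK) |
 XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))))
@@ -329,10 +331,13 @@ static int hmark_tg_check(const struct xt_tgchk_param *par)
 if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI) &&
 (info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT) |
 XT_HMARK_FLAG(XT_HMARK_DPORT)))) {
-pr_info("xt_HMARK: spi-set and port-set can't be combined\n");
-return -EINVAL;
+errmsg = "spi-set and port-set can't be combined";
+goto err;
 }
 return 0;
+err:
+pr_info_ratelimited("%s\n", errmsg);
+return -EINVAL;
 }
 
 static struct xt_target hmark_tg_reg[] __read_mostly = {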
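Review bot: In hmark_tg_check, `errmsg` is initialised to the text of the first check, so any later `goto err` that forgets to assign it will log "proto mask must be zero with L3 mode" for an unrelated rejection; addrtype_mt_checkentry_v1 and policy_mt_check in this commit use the same default-message pattern. A wrong diagnostic in the kernel log sends whoever is debugging a rejected rule to the wrong option, so I would keep each string next to its condition: declare `const char *errmsg;` and write `errmsg = "proto mask must be zero with L3 mode";` before the first `goto err;`, with braces around that branch. That also gives the compiler a chance to warn about a path that reaches `err:` without a message. The `!info->hmodulus` rejection visible in the same hunk still returns -EINVAL with no message at all; a short comment saying that this is deliberate would help.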
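diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
index 911a7c0da504..89e281b3bfc2 100644
--- a/net/netfilter/xt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@@ -164,48 +164,47 @@ addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
 
 static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
 {
+const char *errmsg = "both incoming and outgoing interface limitation cannot be selected";
 struct xt_addrtype_info_v1 *info = par->matchinfo;
 
 if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN &&
-info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
-pr_info("both incoming and outgoing "
-"interface limitation cannot be selected\n");
-return -EINVAL;
-}
+info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
+goto err;
 
 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
 (1 << NF_INET_LOCAL_IN)) &&
 info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
-pr_info("output interface limitation "
-"not valid in PREROUTING and INPUT\n");
-return -EINVAL;
+errmsg = "output interface limitation not valid in PREROUTING and INPUT";
+goto err;
 }
 
 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
 (1 << NF_INET_LOCAL_OUT)) &&
 info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) {
-pr_info("input interface limitation "
-"not valid in POSTROUTING and OUTPUT\n");
-return -EINVAL;
+errmsg = "input interface limitation not valid in POSTROUTING and OUTPUT";
+goto err;
 }
 
 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 if (par->family == NFPROTO_IPV6) {
 if ((info->source | info->dest) & XT_ADDRTYPE_BLACKHOLE) {
-pr_err("ipv6 BLACKHOLE matching not supported\n");
-return -EINVAL;
+errmsg = "ipv6 BLACKHOLE matching not supported";
+goto err;
 }
 if ((info->source | info->dest) >= XT_ADDRTYPE_PROHIBIT) {
-pr_err("ipv6 PROHIBIT (THROW, NAT ..) matching not supported\n");
-return -EINVAL;
+errmsg = "ipv6 PROHIBIT (THROW, NAT ..) matching not supported";
+goto err;
 }
 if ((info->source | info->dest) & XT_ADDRTYPE_BROADCAST) {
-pr_err("ipv6 does not support BROADCAST matching\n");
-return -EINVAL;
+errmsg = "ipv6 does not support BROADCAST matching";
+goto err;
 }
 }
 #endif
 return 0;
+err:
+pr_info_ratelimited("%s\n", errmsg);
+return -EINVAL;
 }
 
 static struct xt_match addrtype_mt_reg[] __read_mostly = {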
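Review bot: The three IPv6 rejections in addrtype_mt_checkentry_v1 (BLACKHOLE, PROHIBIT, BROADCAST) were logged with `pr_err` and now go through the shared `pr_info_ratelimited("%s\n", errmsg);`, so their log level drops from error to info, which the commit message does not mention. Consoles and log pipelines that filter on kernel log level will stop showing these rejections. If the downgrade is intended, say so in the commit message and in a one-line comment above `err:`; if not, the IPv6 branch needs its own exit that uses `pr_err_ratelimited("%s\n", errmsg);`. No `pr_fmt` definition is visible in this section, unlike the xt_HMARK.c hunk, so whether the messages carry a module prefix depends on lines outside the hunk.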
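diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 5639fb03bdd9..13f8ccf946d6 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -132,26 +132,29 @@ policy_mt(const struct sk_buff *skb, struct xt_action_param *par)
 static int policy_mt_check(const struct xt_mtchk_param *par)
 {
 const struct xt_policy_info *info = par->matchinfo;
+const char *errmsg = "neither incoming nor outgoing policy selected";
+
+if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT)))
+goto err;
 
-if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
-pr_info("neither incoming nor outgoing policy selected\n");
-return -EINVAL;
-}
 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
 (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) {
-pr_info("output policy not valid in PREROUTING and INPUT\n");
-return -EINVAL;
+errmsg = "output policy not valid in PREROUTING and INPUT";
+goto err;
 }
 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
 (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) {
-pr_info("input policy not valid in POSTROUTING and OUTPUT\n");
-return -EINVAL;
+errmsg = "input policy not valid in POSTROUTING and OUTPUT";
+goto err;
 }
 if (info->len > XT_POLICY_MAX_ELEM) {
-pr_info("too many policy elements\n");
-return -EINVAL;
+errmsg = "too many policy elements";
+goto err;
 }
 return 0;
+err:
+pr_info_ratelimited("%s\n", errmsg);
+return -EINVAL;
 }
 
 static struct xt_match policy_mt_reg[] __read_mostly = {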