netfilter: nf_ct_helper: better logging for dropped packets

Connection tracking helpers have to drop packets under exceptional
situations. Currently, the user gets the following logging message
in case that happens:

	nf_ct_%s: dropping packet ...

However, depending on the helper, there are different reasons why a
packet can be dropped.

This patch modifies the existing code to provide more specific
error message in the scope of each helper to help users to debug
the reason why the packet has been dropped, ie:

	nf_ct_%s: dropping packet: reason ...

Thanks to Joe Perches for many formatting suggestions.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 2 insertions, 8 deletions

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 48990ada0e1e..2820aa18b542 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -100,7 +100,6 @@ static unsigned int ipv4_helper(unsigned int hooknum,
         enum ip_conntrack_info ctinfo;
         const struct nf_conn_help *help;
         const struct nf_conntrack_helper *helper;
-        unsigned int ret;
 
         /* This is where we call the helper: as the packet goes out. */
         ct = nf_ct_get(skb, &ctinfo);
@@ -116,13 +115,8 @@ static unsigned int ipv4_helper(unsigned int hooknum,
         if (!helper)
                 return NF_ACCEPT;
 
-        ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
-                           ct, ctinfo);
-        if (ret != NF_ACCEPT && (ret & NF_VERDICT_MASK) != NF_QUEUE) {
-                nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
-                              "nf_ct_%s: dropping packet", helper->name);
-        }
-        return ret;
+        return helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
+                            ct, ctinfo);
 }
 
 static unsigned int ipv4_confirm(unsigned int hooknum,