netfilter: xtables: replace custom duprintf with pr_debug

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
author: Jan Engelhardt <jengelh@medozas.de> 2010-03-17 21:22:32 -0400
committer: Jan Engelhardt <jengelh@medozas.de> 2010-03-18 09:20:07 -0400
commit: be91fd5e323b46450ca82f6828e933e3791fb2f2 (patch)
tree: 1a664fb7887e8a0d7f1507780d3533e669e1c3a3
parent: 85bc3f38147c5d3fb1eb9ca2236536389b592cae (diff)
7 files changed, 41 insertions, 79 deletions
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 0104c0b399de..4f27e170c630 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -5,7 +5,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
@@ -18,21 +18,15 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
 MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match");
-#ifdef DEBUG_CONNTRACK
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
 /* Returns 1 if the spi is matched by the range, 0 otherwise */
 static inline bool
 spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
 {
        bool r;
-        duprintf("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ',
+        pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
-                min,spi,max);
+                 invert ? '!' : ' ', min, spi, max);
        r=(spi >= min && spi <= max) ^ invert;
-        duprintf(" result %s\n",r? "PASS" : "FAILED");
+        pr_debug(" result %s\n", r ? "PASS" : "FAILED");
        return r;
 }
@@ -51,7 +45,7 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                /* We've been asked to examine this packet, and we
                 * can't.  Hence, no choice but to drop.
                 */
-                duprintf("Dropping evil AH tinygram.\n");
+                pr_debug("Dropping evil AH tinygram.\n");
                *par->hotdrop = true;
                return 0;
        }
@@ -67,7 +61,7 @@ static bool ah_mt_check(const struct xt_mtchk_param *par)
        /* Must specify no unknown invflags */
        if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
-                duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags);
+                pr_debug("unknown flags %X\n", ahinfo->invflags);
                return false;
        }
        return true;
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index aafe4e66577b..0181eb81d24b 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -11,6 +11,7 @@
 * Based on net/netfilter/xt_tcpudp.c
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/types.h>
 #include <linux/module.h>
 #include <net/ip.h>
@@ -24,12 +25,6 @@
 MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match");
 MODULE_LICENSE("GPL");
-#ifdef DEBUG_IP_FIREWALL_USER
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
 /* Returns 1 if the type is matched by the range, 0 otherwise */
 static inline bool
 type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
@@ -51,13 +46,13 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
        if (mh == NULL) {
                /* We've been asked to examine this packet, and we
                   can't.  Hence, no choice but to drop. */
-                duprintf("Dropping evil MH tinygram.\n");
+                pr_debug("Dropping evil MH tinygram.\n");
                *par->hotdrop = true;
                return false;
        }
        if (mh->ip6mh_proto != IPPROTO_NONE) {
-                duprintf("Dropping invalid MH Payload Proto: %u\n",
+                pr_debug("Dropping invalid MH Payload Proto: %u\n",
                         mh->ip6mh_proto);
                *par->hotdrop = true;
                return false;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 0a12cedfe9e3..9a248d4a877f 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -12,7 +12,7 @@
 * published by the Free Software Foundation.
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/kernel.h>
 #include <linux/socket.h>
 #include <linux/net.h>
@@ -54,12 +54,6 @@ struct xt_af {
 static struct xt_af *xt;
-#ifdef DEBUG_IP_FIREWALL_USER
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
 static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
        [NFPROTO_UNSPEC] = "x",
        [NFPROTO_IPV4]   = "ip",
@@ -720,7 +714,7 @@ xt_replace_table(struct xt_table *table,
        /* Check inside lock: is the old number correct? */
        if (num_counters != private->number) {
-                duprintf("num_counters != table->private->number (%u/%u)\n",
+                pr_debug("num_counters != table->private->number (%u/%u)\n",
                         num_counters, private->number);
                local_bh_enable();
                *error = -EAGAIN;
@@ -777,7 +771,7 @@ struct xt_table *xt_register_table(struct net *net,
                goto unlock;
        private = table->private;
-        duprintf("table->private->number = %u\n", private->number);
+        pr_debug("table->private->number = %u\n", private->number);
        /* save number of initial entries */
        private->initial_entries = private->number;
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 609439967c2c..f9deecbef875 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -6,7 +6,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/in.h>
@@ -24,21 +24,15 @@ MODULE_DESCRIPTION("Xtables: IPsec-ESP packet match");
 MODULE_ALIAS("ipt_esp");
 MODULE_ALIAS("ip6t_esp");
-#if 0
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
 /* Returns 1 if the spi is matched by the range, 0 otherwise */
 static inline bool
 spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
 {
        bool r;
-        duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ',
+        pr_debug("esp spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
-                 min, spi, max);
+                 invert ? '!' : ' ', min, spi, max);
        r = (spi >= min && spi <= max) ^ invert;
-        duprintf(" result %s\n", r ? "PASS" : "FAILED");
+        pr_debug(" result %s\n", r ? "PASS" : "FAILED");
        return r;
 }
@@ -57,7 +51,7 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                /* We've been asked to examine this packet, and we
                 * can't.  Hence, no choice but to drop.
                 */
-                duprintf("Dropping evil ESP tinygram.\n");
+                pr_debug("Dropping evil ESP tinygram.\n");
                *par->hotdrop = true;
                return false;
        }
@@ -71,7 +65,7 @@ static bool esp_mt_check(const struct xt_mtchk_param *par)
        const struct xt_esp *espinfo = par->matchinfo;
        if (espinfo->invflags & ~XT_ESP_INV_MASK) {
-                duprintf("xt_esp: unknown flags %X\n", espinfo->invflags);
+                pr_debug("unknown flags %X\n", espinfo->invflags);
                return false;
        }
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index d06bb2dd3900..4fa90c86fdb5 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -8,7 +8,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/types.h>
 #include <linux/udp.h>
@@ -26,12 +26,6 @@ MODULE_DESCRIPTION("Xtables: multiple port matching for TCP, UDP, UDP-Lite, SCTP
 MODULE_ALIAS("ipt_multiport");
 MODULE_ALIAS("ip6t_multiport");
-#if 0
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
 /* Returns 1 if the port is matched by the test, 0 otherwise. */
 static inline bool
 ports_match_v0(const u_int16_t *portlist, enum xt_multiport_flags flags,
@@ -63,7 +57,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
                if (minfo->pflags[i]) {
                        /* range port matching */
                        e = minfo->ports[++i];
-                        duprintf("src or dst matches with %d-%d?\n", s, e);
+                        pr_debug("src or dst matches with %d-%d?\n", s, e);
                        if (minfo->flags == XT_MULTIPORT_SOURCE
                            && src >= s && src <= e)
@@ -77,7 +71,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
                                return true ^ minfo->invert;
                } else {
                        /* exact port matching */
-                        duprintf("src or dst matches with %d?\n", s);
+                        pr_debug("src or dst matches with %d?\n", s);
                        if (minfo->flags == XT_MULTIPORT_SOURCE
                            && src == s)
@@ -109,7 +103,7 @@ multiport_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
                /* We've been asked to examine this packet, and we
                 * can't.  Hence, no choice but to drop.
                 */
-                duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
+                pr_debug("Dropping evil offset=0 tinygram.\n");
                *par->hotdrop = true;
                return false;
        }
@@ -133,7 +127,7 @@ multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                /* We've been asked to examine this packet, and we
                 * can't.  Hence, no choice but to drop.
                 */
-                duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
+                pr_debug("Dropping evil offset=0 tinygram.\n");
                *par->hotdrop = true;
                return false;
        }
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index a189ada9128f..43c7e1de532c 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -1,3 +1,4 @@
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <net/ip.h>
@@ -15,12 +16,6 @@ MODULE_DESCRIPTION("Xtables: SCTP protocol packet match");
 MODULE_ALIAS("ipt_sctp");
 MODULE_ALIAS("ip6t_sctp");
-#ifdef DEBUG_SCTP
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
 #define SCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \
                                              || (!!((invflag) & (option)) ^ (cond)))
@@ -52,7 +47,7 @@ match_packet(const struct sk_buff *skb,
        const struct xt_sctp_flag_info *flag_info = info->flag_info;
        int flag_count = info->flag_count;
-#ifdef DEBUG_SCTP
+#ifdef DEBUG
        int i = 0;
 #endif
@@ -62,17 +57,19 @@ match_packet(const struct sk_buff *skb,
        do {
                sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
                if (sch == NULL || sch->length == 0) {
-                        duprintf("Dropping invalid SCTP packet.\n");
+                        pr_debug("Dropping invalid SCTP packet.\n");
                        *hotdrop = true;
                        return false;
                }
+#ifdef DEBUG
-                duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n",
+                pr_debug("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d"
-                                ++i, offset, sch->type, htons(sch->length), sch->flags);
+                         "\tflags: %x\n",
+                         ++i, offset, sch->type, htons(sch->length),
+                         sch->flags);
+#endif
                offset += (ntohs(sch->length) + 3) & ~3;
-                duprintf("skb->len: %d\toffset: %d\n", skb->len, offset);
+                pr_debug("skb->len: %d\toffset: %d\n", skb->len, offset);
                if (SCTP_CHUNKMAP_IS_SET(info->chunkmap, sch->type)) {
                        switch (chunk_match_type) {
@@ -124,17 +121,17 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        sctp_sctphdr_t _sh;
        if (par->fragoff != 0) {
-                duprintf("Dropping non-first fragment.. FIXME\n");
+                pr_debug("Dropping non-first fragment.. FIXME\n");
                return false;
        }
        sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
        if (sh == NULL) {
-                duprintf("Dropping evil TCP offset=0 tinygram.\n");
+                pr_debug("Dropping evil TCP offset=0 tinygram.\n");
                *par->hotdrop = true;
                return false;
        }
-        duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
+        pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
        return  SCCHECK(ntohs(sh->source) >= info->spts[0]
                        && ntohs(sh->source) <= info->spts[1],
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 1ebdc4934eed..b53887f83c44 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -1,3 +1,4 @@
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/types.h>
 #include <linux/module.h>
 #include <net/ip.h>
@@ -19,13 +20,6 @@ MODULE_ALIAS("ipt_tcp");
 MODULE_ALIAS("ip6t_udp");
 MODULE_ALIAS("ip6t_tcp");
-#ifdef DEBUG_IP_FIREWALL_USER
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
 /* Returns 1 if the port is matched by the range, 0 otherwise */
 static inline bool
 port_match(u_int16_t min, u_int16_t max, u_int16_t port, bool invert)
@@ -46,7 +40,7 @@ tcp_find_option(u_int8_t option,
        u_int8_t _opt[60 - sizeof(struct tcphdr)];
        unsigned int i;
-        duprintf("tcp_match: finding option\n");
+        pr_debug("finding option\n");
        if (!optlen)
                return invert;
@@ -82,7 +76,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                   flag overwrite to pass the direction checks.
                */
                if (par->fragoff == 1) {
-                        duprintf("Dropping evil TCP offset=1 frag.\n");
+                        pr_debug("Dropping evil TCP offset=1 frag.\n");
                        *par->hotdrop = true;
                }
                /* Must not be a fragment. */
@@ -95,7 +89,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        if (th == NULL) {
                /* We've been asked to examine this packet, and we
                   can't.  Hence, no choice but to drop. */
-                duprintf("Dropping evil TCP offset=0 tinygram.\n");
+                pr_debug("Dropping evil TCP offset=0 tinygram.\n");
                *par->hotdrop = true;
                return false;
        }
@@ -148,7 +142,7 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        if (uh == NULL) {
                /* We've been asked to examine this packet, and we
                   can't.  Hence, no choice but to drop. */
-                duprintf("Dropping evil UDP tinygram.\n");
+                pr_debug("Dropping evil UDP tinygram.\n");
                *par->hotdrop = true;
                return false;
        }
author	Jan Engelhardt <jengelh@medozas.de>	2010-03-17 21:22:32 -0400
committer	Jan Engelhardt <jengelh@medozas.de>	2010-03-18 09:20:07 -0400
commit	be91fd5e323b46450ca82f6828e933e3791fb2f2 (patch)
tree	1a664fb7887e8a0d7f1507780d3533e669e1c3a3
parent	85bc3f38147c5d3fb1eb9ca2236536389b592cae (diff)

diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c index 0104c0b399de..4f27e170c630 100644 --- a/net/ipv4/netfilter/ipt_ah.c +++ b/net/ipv4/netfilter/ipt_ah.c
@@ -5,7 +5,7 @@
5	* it under the terms of the GNU General Public License version 2 as	5	* it under the terms of the GNU General Public License version 2 as
6	* published by the Free Software Foundation.	6	* published by the Free Software Foundation.
7	*/	7	*/
8		8	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9	#include <linux/in.h>	9	#include <linux/in.h>
10	#include <linux/module.h>	10	#include <linux/module.h>
11	#include <linux/skbuff.h>	11	#include <linux/skbuff.h>
@@ -18,21 +18,15 @@ MODULE_LICENSE("GPL");
18	MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");	18	MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
19	MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match");	19	MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match");
20		20
21	#ifdef DEBUG_CONNTRACK
22	#define duprintf(format, args...) printk(format , ## args)
23	#else
24	#define duprintf(format, args...)
25	#endif
26
27	/* Returns 1 if the spi is matched by the range, 0 otherwise */	21	/* Returns 1 if the spi is matched by the range, 0 otherwise */
28	static inline bool	22	static inline bool
29	spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)	23	spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
30	{	24	{
31	bool r;	25	bool r;
32	duprintf("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ',	26	pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
33	min,spi,max);	27	invert ? '!' : ' ', min, spi, max);
34	r=(spi >= min && spi <= max) ^ invert;	28	r=(spi >= min && spi <= max) ^ invert;
35	duprintf(" result %s\n",r? "PASS" : "FAILED");	29	pr_debug(" result %s\n", r ? "PASS" : "FAILED");
36	return r;	30	return r;
37	}	31	}
38		32
@@ -51,7 +45,7 @@ static bool ah_mt(const struct sk_buff skb, const struct xt_match_param par)
51	/* We've been asked to examine this packet, and we	45	/* We've been asked to examine this packet, and we
52	* can't. Hence, no choice but to drop.	46	* can't. Hence, no choice but to drop.
53	*/	47	*/
54	duprintf("Dropping evil AH tinygram.\n");	48	pr_debug("Dropping evil AH tinygram.\n");
55	*par->hotdrop = true;	49	*par->hotdrop = true;
56	return 0;	50	return 0;
57	}	51	}
@@ -67,7 +61,7 @@ static bool ah_mt_check(const struct xt_mtchk_param *par)
67		61
68	/* Must specify no unknown invflags */	62	/* Must specify no unknown invflags */
69	if (ahinfo->invflags & ~IPT_AH_INV_MASK) {	63	if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
70	duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags);	64	pr_debug("unknown flags %X\n", ahinfo->invflags);
71	return false;	65	return false;
72	}	66	}
73	return true;	67	return true;


diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c index aafe4e66577b..0181eb81d24b 100644 --- a/net/ipv6/netfilter/ip6t_mh.c +++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -11,6 +11,7 @@
11	* Based on net/netfilter/xt_tcpudp.c	11	* Based on net/netfilter/xt_tcpudp.c
12	*	12	*
13	*/	13	*/
		14	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14	#include <linux/types.h>	15	#include <linux/types.h>
15	#include <linux/module.h>	16	#include <linux/module.h>
16	#include <net/ip.h>	17	#include <net/ip.h>
@@ -24,12 +25,6 @@
24	MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match");	25	MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match");
25	MODULE_LICENSE("GPL");	26	MODULE_LICENSE("GPL");
26		27
27	#ifdef DEBUG_IP_FIREWALL_USER
28	#define duprintf(format, args...) printk(format , ## args)
29	#else
30	#define duprintf(format, args...)
31	#endif
32
33	/* Returns 1 if the type is matched by the range, 0 otherwise */	28	/* Returns 1 if the type is matched by the range, 0 otherwise */
34	static inline bool	29	static inline bool
35	type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)	30	type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
@@ -51,13 +46,13 @@ static bool mh_mt6(const struct sk_buff skb, const struct xt_match_param par)
51	if (mh == NULL) {	46	if (mh == NULL) {
52	/* We've been asked to examine this packet, and we	47	/* We've been asked to examine this packet, and we
53	can't. Hence, no choice but to drop. */	48	can't. Hence, no choice but to drop. */
54	duprintf("Dropping evil MH tinygram.\n");	49	pr_debug("Dropping evil MH tinygram.\n");
55	*par->hotdrop = true;	50	*par->hotdrop = true;
56	return false;	51	return false;
57	}	52	}
58		53
59	if (mh->ip6mh_proto != IPPROTO_NONE) {	54	if (mh->ip6mh_proto != IPPROTO_NONE) {
60	duprintf("Dropping invalid MH Payload Proto: %u\n",	55	pr_debug("Dropping invalid MH Payload Proto: %u\n",
61	mh->ip6mh_proto);	56	mh->ip6mh_proto);
62	*par->hotdrop = true;	57	*par->hotdrop = true;
63	return false;	58	return false;


diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 0a12cedfe9e3..9a248d4a877f 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c
@@ -12,7 +12,7 @@
12	* published by the Free Software Foundation.	12	* published by the Free Software Foundation.
13	*	13	*
14	*/	14	*/
15		15	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
16	#include <linux/kernel.h>	16	#include <linux/kernel.h>
17	#include <linux/socket.h>	17	#include <linux/socket.h>
18	#include <linux/net.h>	18	#include <linux/net.h>
@@ -54,12 +54,6 @@ struct xt_af {
54		54
55	static struct xt_af *xt;	55	static struct xt_af *xt;
56		56
57	#ifdef DEBUG_IP_FIREWALL_USER
58	#define duprintf(format, args...) printk(format , ## args)
59	#else
60	#define duprintf(format, args...)
61	#endif
62
63	static const char *const xt_prefix[NFPROTO_NUMPROTO] = {	57	static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
64	[NFPROTO_UNSPEC] = "x",	58	[NFPROTO_UNSPEC] = "x",
65	[NFPROTO_IPV4] = "ip",	59	[NFPROTO_IPV4] = "ip",
@@ -720,7 +714,7 @@ xt_replace_table(struct xt_table *table,
720		714
721	/* Check inside lock: is the old number correct? */	715	/* Check inside lock: is the old number correct? */
722	if (num_counters != private->number) {	716	if (num_counters != private->number) {
723	duprintf("num_counters != table->private->number (%u/%u)\n",	717	pr_debug("num_counters != table->private->number (%u/%u)\n",
724	num_counters, private->number);	718	num_counters, private->number);
725	local_bh_enable();	719	local_bh_enable();
726	*error = -EAGAIN;	720	*error = -EAGAIN;
@@ -777,7 +771,7 @@ struct xt_table xt_register_table(struct net net,
777	goto unlock;	771	goto unlock;
778		772
779	private = table->private;	773	private = table->private;
780	duprintf("table->private->number = %u\n", private->number);	774	pr_debug("table->private->number = %u\n", private->number);
781		775
782	/* save number of initial entries */	776	/* save number of initial entries */
783	private->initial_entries = private->number;	777	private->initial_entries = private->number;


diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c index 609439967c2c..f9deecbef875 100644 --- a/net/netfilter/xt_esp.c +++ b/net/netfilter/xt_esp.c
@@ -6,7 +6,7 @@
6	* it under the terms of the GNU General Public License version 2 as	6	* it under the terms of the GNU General Public License version 2 as
7	* published by the Free Software Foundation.	7	* published by the Free Software Foundation.
8	*/	8	*/
9		9	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10	#include <linux/module.h>	10	#include <linux/module.h>
11	#include <linux/skbuff.h>	11	#include <linux/skbuff.h>
12	#include <linux/in.h>	12	#include <linux/in.h>
@@ -24,21 +24,15 @@ MODULE_DESCRIPTION("Xtables: IPsec-ESP packet match");
24	MODULE_ALIAS("ipt_esp");	24	MODULE_ALIAS("ipt_esp");
25	MODULE_ALIAS("ip6t_esp");	25	MODULE_ALIAS("ip6t_esp");
26		26
27	#if 0
28	#define duprintf(format, args...) printk(format , ## args)
29	#else
30	#define duprintf(format, args...)
31	#endif
32
33	/* Returns 1 if the spi is matched by the range, 0 otherwise */	27	/* Returns 1 if the spi is matched by the range, 0 otherwise */
34	static inline bool	28	static inline bool
35	spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)	29	spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
36	{	30	{
37	bool r;	31	bool r;
38	duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ',	32	pr_debug("esp spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
39	min, spi, max);	33	invert ? '!' : ' ', min, spi, max);
40	r = (spi >= min && spi <= max) ^ invert;	34	r = (spi >= min && spi <= max) ^ invert;
41	duprintf(" result %s\n", r ? "PASS" : "FAILED");	35	pr_debug(" result %s\n", r ? "PASS" : "FAILED");
42	return r;	36	return r;
43	}	37	}
44		38
@@ -57,7 +51,7 @@ static bool esp_mt(const struct sk_buff skb, const struct xt_match_param par)
57	/* We've been asked to examine this packet, and we	51	/* We've been asked to examine this packet, and we
58	* can't. Hence, no choice but to drop.	52	* can't. Hence, no choice but to drop.
59	*/	53	*/
60	duprintf("Dropping evil ESP tinygram.\n");	54	pr_debug("Dropping evil ESP tinygram.\n");
61	*par->hotdrop = true;	55	*par->hotdrop = true;
62	return false;	56	return false;
63	}	57	}
@@ -71,7 +65,7 @@ static bool esp_mt_check(const struct xt_mtchk_param *par)
71	const struct xt_esp *espinfo = par->matchinfo;	65	const struct xt_esp *espinfo = par->matchinfo;
72		66
73	if (espinfo->invflags & ~XT_ESP_INV_MASK) {	67	if (espinfo->invflags & ~XT_ESP_INV_MASK) {
74	duprintf("xt_esp: unknown flags %X\n", espinfo->invflags);	68	pr_debug("unknown flags %X\n", espinfo->invflags);
75	return false;	69	return false;
76	}	70	}
77		71


diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c index d06bb2dd3900..4fa90c86fdb5 100644 --- a/net/netfilter/xt_multiport.c +++ b/net/netfilter/xt_multiport.c
@@ -8,7 +8,7 @@
8	* it under the terms of the GNU General Public License version 2 as	8	* it under the terms of the GNU General Public License version 2 as
9	* published by the Free Software Foundation.	9	* published by the Free Software Foundation.
10	*/	10	*/
11		11	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12	#include <linux/module.h>	12	#include <linux/module.h>
13	#include <linux/types.h>	13	#include <linux/types.h>
14	#include <linux/udp.h>	14	#include <linux/udp.h>
@@ -26,12 +26,6 @@ MODULE_DESCRIPTION("Xtables: multiple port matching for TCP, UDP, UDP-Lite, SCTP
26	MODULE_ALIAS("ipt_multiport");	26	MODULE_ALIAS("ipt_multiport");
27	MODULE_ALIAS("ip6t_multiport");	27	MODULE_ALIAS("ip6t_multiport");
28		28
29	#if 0
30	#define duprintf(format, args...) printk(format , ## args)
31	#else
32	#define duprintf(format, args...)
33	#endif
34
35	/* Returns 1 if the port is matched by the test, 0 otherwise. */	29	/* Returns 1 if the port is matched by the test, 0 otherwise. */
36	static inline bool	30	static inline bool
37	ports_match_v0(const u_int16_t *portlist, enum xt_multiport_flags flags,	31	ports_match_v0(const u_int16_t *portlist, enum xt_multiport_flags flags,
@@ -63,7 +57,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
63	if (minfo->pflags[i]) {	57	if (minfo->pflags[i]) {
64	/* range port matching */	58	/* range port matching */
65	e = minfo->ports[++i];	59	e = minfo->ports[++i];
66	duprintf("src or dst matches with %d-%d?\n", s, e);	60	pr_debug("src or dst matches with %d-%d?\n", s, e);
67		61
68	if (minfo->flags == XT_MULTIPORT_SOURCE	62	if (minfo->flags == XT_MULTIPORT_SOURCE
69	&& src >= s && src <= e)	63	&& src >= s && src <= e)
@@ -77,7 +71,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
77	return true ^ minfo->invert;	71	return true ^ minfo->invert;
78	} else {	72	} else {
79	/* exact port matching */	73	/* exact port matching */
80	duprintf("src or dst matches with %d?\n", s);	74	pr_debug("src or dst matches with %d?\n", s);
81		75
82	if (minfo->flags == XT_MULTIPORT_SOURCE	76	if (minfo->flags == XT_MULTIPORT_SOURCE
83	&& src == s)	77	&& src == s)
@@ -109,7 +103,7 @@ multiport_mt_v0(const struct sk_buff skb, const struct xt_match_param par)
109	/* We've been asked to examine this packet, and we	103	/* We've been asked to examine this packet, and we
110	* can't. Hence, no choice but to drop.	104	* can't. Hence, no choice but to drop.
111	*/	105	*/
112	duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");	106	pr_debug("Dropping evil offset=0 tinygram.\n");
113	*par->hotdrop = true;	107	*par->hotdrop = true;
114	return false;	108	return false;
115	}	109	}
@@ -133,7 +127,7 @@ multiport_mt(const struct sk_buff skb, const struct xt_match_param par)
133	/* We've been asked to examine this packet, and we	127	/* We've been asked to examine this packet, and we
134	* can't. Hence, no choice but to drop.	128	* can't. Hence, no choice but to drop.
135	*/	129	*/
136	duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");	130	pr_debug("Dropping evil offset=0 tinygram.\n");
137	*par->hotdrop = true;	131	*par->hotdrop = true;
138	return false;	132	return false;
139	}	133	}


diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c index a189ada9128f..43c7e1de532c 100644 --- a/net/netfilter/xt_sctp.c +++ b/net/netfilter/xt_sctp.c
@@ -1,3 +1,4 @@
		1	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
1	#include <linux/module.h>	2	#include <linux/module.h>
2	#include <linux/skbuff.h>	3	#include <linux/skbuff.h>
3	#include <net/ip.h>	4	#include <net/ip.h>
@@ -15,12 +16,6 @@ MODULE_DESCRIPTION("Xtables: SCTP protocol packet match");
15	MODULE_ALIAS("ipt_sctp");	16	MODULE_ALIAS("ipt_sctp");
16	MODULE_ALIAS("ip6t_sctp");	17	MODULE_ALIAS("ip6t_sctp");
17		18
18	#ifdef DEBUG_SCTP
19	#define duprintf(format, args...) printk(format , ## args)
20	#else
21	#define duprintf(format, args...)
22	#endif
23
24	#define SCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \	19	#define SCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \
25	\|\| (!!((invflag) & (option)) ^ (cond)))	20	\|\| (!!((invflag) & (option)) ^ (cond)))
26		21
@@ -52,7 +47,7 @@ match_packet(const struct sk_buff *skb,
52	const struct xt_sctp_flag_info *flag_info = info->flag_info;	47	const struct xt_sctp_flag_info *flag_info = info->flag_info;
53	int flag_count = info->flag_count;	48	int flag_count = info->flag_count;
54		49
55	#ifdef DEBUG_SCTP	50	#ifdef DEBUG
56	int i = 0;	51	int i = 0;
57	#endif	52	#endif
58		53
@@ -62,17 +57,19 @@ match_packet(const struct sk_buff *skb,
62	do {	57	do {
63	sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);	58	sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
64	if (sch == NULL \|\| sch->length == 0) {	59	if (sch == NULL \|\| sch->length == 0) {
65	duprintf("Dropping invalid SCTP packet.\n");	60	pr_debug("Dropping invalid SCTP packet.\n");
66	*hotdrop = true;	61	*hotdrop = true;
67	return false;	62	return false;
68	}	63	}
69		64	#ifdef DEBUG
70	duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n",	65	pr_debug("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d"
71	++i, offset, sch->type, htons(sch->length), sch->flags);	66	"\tflags: %x\n",
72		67	++i, offset, sch->type, htons(sch->length),
		68	sch->flags);
		69	#endif
73	offset += (ntohs(sch->length) + 3) & ~3;	70	offset += (ntohs(sch->length) + 3) & ~3;
74		71
75	duprintf("skb->len: %d\toffset: %d\n", skb->len, offset);	72	pr_debug("skb->len: %d\toffset: %d\n", skb->len, offset);
76		73
77	if (SCTP_CHUNKMAP_IS_SET(info->chunkmap, sch->type)) {	74	if (SCTP_CHUNKMAP_IS_SET(info->chunkmap, sch->type)) {
78	switch (chunk_match_type) {	75	switch (chunk_match_type) {
@@ -124,17 +121,17 @@ sctp_mt(const struct sk_buff skb, const struct xt_match_param par)
124	sctp_sctphdr_t _sh;	121	sctp_sctphdr_t _sh;
125		122
126	if (par->fragoff != 0) {	123	if (par->fragoff != 0) {
127	duprintf("Dropping non-first fragment.. FIXME\n");	124	pr_debug("Dropping non-first fragment.. FIXME\n");
128	return false;	125	return false;
129	}	126	}
130		127
131	sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);	128	sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
132	if (sh == NULL) {	129	if (sh == NULL) {
133	duprintf("Dropping evil TCP offset=0 tinygram.\n");	130	pr_debug("Dropping evil TCP offset=0 tinygram.\n");
134	*par->hotdrop = true;	131	*par->hotdrop = true;
135	return false;	132	return false;
136	}	133	}
137	duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));	134	pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
138		135
139	return SCCHECK(ntohs(sh->source) >= info->spts[0]	136	return SCCHECK(ntohs(sh->source) >= info->spts[0]
140	&& ntohs(sh->source) <= info->spts[1],	137	&& ntohs(sh->source) <= info->spts[1],


diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c index 1ebdc4934eed..b53887f83c44 100644 --- a/net/netfilter/xt_tcpudp.c +++ b/net/netfilter/xt_tcpudp.c
@@ -1,3 +1,4 @@
		1	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
1	#include <linux/types.h>	2	#include <linux/types.h>
2	#include <linux/module.h>	3	#include <linux/module.h>
3	#include <net/ip.h>	4	#include <net/ip.h>
@@ -19,13 +20,6 @@ MODULE_ALIAS("ipt_tcp");
19	MODULE_ALIAS("ip6t_udp");	20	MODULE_ALIAS("ip6t_udp");
20	MODULE_ALIAS("ip6t_tcp");	21	MODULE_ALIAS("ip6t_tcp");
21		22
22	#ifdef DEBUG_IP_FIREWALL_USER
23	#define duprintf(format, args...) printk(format , ## args)
24	#else
25	#define duprintf(format, args...)
26	#endif
27
28
29	/* Returns 1 if the port is matched by the range, 0 otherwise */	23	/* Returns 1 if the port is matched by the range, 0 otherwise */
30	static inline bool	24	static inline bool
31	port_match(u_int16_t min, u_int16_t max, u_int16_t port, bool invert)	25	port_match(u_int16_t min, u_int16_t max, u_int16_t port, bool invert)
@@ -46,7 +40,7 @@ tcp_find_option(u_int8_t option,
46	u_int8_t _opt[60 - sizeof(struct tcphdr)];	40	u_int8_t _opt[60 - sizeof(struct tcphdr)];
47	unsigned int i;	41	unsigned int i;
48		42
49	duprintf("tcp_match: finding option\n");	43	pr_debug("finding option\n");
50		44
51	if (!optlen)	45	if (!optlen)
52	return invert;	46	return invert;
@@ -82,7 +76,7 @@ static bool tcp_mt(const struct sk_buff skb, const struct xt_match_param par)
82	flag overwrite to pass the direction checks.	76	flag overwrite to pass the direction checks.
83	*/	77	*/
84	if (par->fragoff == 1) {	78	if (par->fragoff == 1) {
85	duprintf("Dropping evil TCP offset=1 frag.\n");	79	pr_debug("Dropping evil TCP offset=1 frag.\n");
86	*par->hotdrop = true;	80	*par->hotdrop = true;
87	}	81	}
88	/* Must not be a fragment. */	82	/* Must not be a fragment. */
@@ -95,7 +89,7 @@ static bool tcp_mt(const struct sk_buff skb, const struct xt_match_param par)
95	if (th == NULL) {	89	if (th == NULL) {
96	/* We've been asked to examine this packet, and we	90	/* We've been asked to examine this packet, and we
97	can't. Hence, no choice but to drop. */	91	can't. Hence, no choice but to drop. */
98	duprintf("Dropping evil TCP offset=0 tinygram.\n");	92	pr_debug("Dropping evil TCP offset=0 tinygram.\n");
99	*par->hotdrop = true;	93	*par->hotdrop = true;
100	return false;	94	return false;
101	}	95	}
@@ -148,7 +142,7 @@ static bool udp_mt(const struct sk_buff skb, const struct xt_match_param par)
148	if (uh == NULL) {	142	if (uh == NULL) {
149	/* We've been asked to examine this packet, and we	143	/* We've been asked to examine this packet, and we
150	can't. Hence, no choice but to drop. */	144	can't. Hence, no choice but to drop. */
151	duprintf("Dropping evil UDP tinygram.\n");	145	pr_debug("Dropping evil UDP tinygram.\n");
152	*par->hotdrop = true;	146	*par->hotdrop = true;
153	return false;	147	return false;
154	}	148	}