tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: x_tables: use pr ratelimiting in all remaining spots

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso b2606644 c08e5e1e

+116 -104
+1 -1
net/ipv4/netfilter/ipt_ECN.c
··· 106 106 107 107 if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) && 108 108 (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) { 109 - pr_info("cannot use TCP operations on a non-tcp rule\n"); 109 + pr_info_ratelimited("cannot use operation on non-tcp rule\n"); 110 110 return -EINVAL; 111 111 } 112 112 return 0;
+2 -2
net/ipv4/netfilter/ipt_REJECT.c
··· 74 74 const struct ipt_entry *e = par->entryinfo; 75 75 76 76 if (rejinfo->with == IPT_ICMP_ECHOREPLY) { 77 - pr_info("ECHOREPLY no longer supported.\n"); 77 + pr_info_ratelimited("ECHOREPLY no longer supported.\n"); 78 78 return -EINVAL; 79 79 } else if (rejinfo->with == IPT_TCP_RESET) { 80 80 /* Must specify that it's a TCP packet */ 81 81 if (e->ip.proto != IPPROTO_TCP || 82 82 (e->ip.invflags & XT_INV_PROTO)) { 83 - pr_info("TCP_RESET invalid for non-tcp\n"); 83 + pr_info_ratelimited("TCP_RESET invalid for non-tcp\n"); 84 84 return -EINVAL; 85 85 } 86 86 }
+1 -1
net/ipv4/netfilter/ipt_rpfilter.c
··· 105 105 const struct xt_rpfilter_info *info = par->matchinfo; 106 106 unsigned int options = ~XT_RPFILTER_OPTION_MASK; 107 107 if (info->flags & options) { 108 - pr_info("unknown options encountered"); 108 + pr_info_ratelimited("unknown options\n"); 109 109 return -EINVAL; 110 110 } 111 111
+2 -2
net/ipv6/netfilter/ip6t_REJECT.c
··· 85 85 const struct ip6t_entry *e = par->entryinfo; 86 86 87 87 if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) { 88 - pr_info("ECHOREPLY is not supported.\n"); 88 + pr_info_ratelimited("ECHOREPLY is not supported\n"); 89 89 return -EINVAL; 90 90 } else if (rejinfo->with == IP6T_TCP_RESET) { 91 91 /* Must specify that it's a TCP packet */ 92 92 if (!(e->ipv6.flags & IP6T_F_PROTO) || 93 93 e->ipv6.proto != IPPROTO_TCP || 94 94 (e->ipv6.invflags & XT_INV_PROTO)) { 95 - pr_info("TCP_RESET illegal for non-tcp\n"); 95 + pr_info_ratelimited("TCP_RESET illegal for non-tcp\n"); 96 96 return -EINVAL; 97 97 } 98 98 }
+1 -1
net/ipv6/netfilter/ip6t_rpfilter.c
··· 103 103 unsigned int options = ~XT_RPFILTER_OPTION_MASK; 104 104 105 105 if (info->flags & options) { 106 - pr_info("unknown options encountered"); 106 + pr_info_ratelimited("unknown options\n"); 107 107 return -EINVAL; 108 108 } 109 109
+4 -2
net/ipv6/netfilter/ip6t_srh.c
··· 122 122 const struct ip6t_srh *srhinfo = par->matchinfo; 123 123 124 124 if (srhinfo->mt_flags & ~IP6T_SRH_MASK) { 125 - pr_err("unknown srh match flags %X\n", srhinfo->mt_flags); 125 + pr_info_ratelimited("unknown srh match flags %X\n", 126 + srhinfo->mt_flags); 126 127 return -EINVAL; 127 128 } 128 129 129 130 if (srhinfo->mt_invflags & ~IP6T_SRH_INV_MASK) { 130 - pr_err("unknown srh invflags %X\n", srhinfo->mt_invflags); 131 + pr_info_ratelimited("unknown srh invflags %X\n", 132 + srhinfo->mt_invflags); 131 133 return -EINVAL; 132 134 } 133 135
+2 -2
net/netfilter/xt_AUDIT.c
··· 120 120 const struct xt_audit_info *info = par->targinfo; 121 121 122 122 if (info->type > XT_AUDIT_TYPE_MAX) { 123 - pr_info("Audit type out of range (valid range: 0..%hhu)\n", 124 - XT_AUDIT_TYPE_MAX); 123 + pr_info_ratelimited("Audit type out of range (valid range: 0..%hhu)\n", 124 + XT_AUDIT_TYPE_MAX); 125 125 return -ERANGE; 126 126 } 127 127
+2 -1
net/netfilter/xt_CHECKSUM.c
··· 36 36 const struct xt_CHECKSUM_info *einfo = par->targinfo; 37 37 38 38 if (einfo->operation & ~XT_CHECKSUM_OP_FILL) { 39 - pr_info("unsupported CHECKSUM operation %x\n", einfo->operation); 39 + pr_info_ratelimited("unsupported CHECKSUM operation %x\n", 40 + einfo->operation); 40 41 return -EINVAL; 41 42 } 42 43 if (!einfo->operation)
+3 -3
net/netfilter/xt_CONNSECMARK.c
··· 102 102 break; 103 103 104 104 default: 105 - pr_info("invalid mode: %hu\n", info->mode); 105 + pr_info_ratelimited("invalid mode: %hu\n", info->mode); 106 106 return -EINVAL; 107 107 } 108 108 109 109 ret = nf_ct_netns_get(par->net, par->family); 110 110 if (ret < 0) 111 - pr_info("cannot load conntrack support for proto=%u\n", 112 - par->family); 111 + pr_info_ratelimited("cannot load conntrack support for proto=%u\n", 112 + par->family); 113 113 return ret; 114 114 } 115 115
+1 -1
net/netfilter/xt_LED.c
··· 136 136 137 137 err = led_trigger_register(&ledinternal->netfilter_led_trigger); 138 138 if (err) { 139 - pr_err("Trigger name is already in use.\n"); 139 + pr_info_ratelimited("Trigger name is already in use.\n"); 140 140 goto exit_alloc; 141 141 } 142 142
+8 -6
net/netfilter/xt_SECMARK.c
··· 60 60 &info->secid); 61 61 if (err) { 62 62 if (err == -EINVAL) 63 - pr_info("invalid security context \'%s\'\n", info->secctx); 63 + pr_info_ratelimited("invalid security context \'%s\'\n", 64 + info->secctx); 64 65 return err; 65 66 } 66 67 67 68 if (!info->secid) { 68 - pr_info("unable to map security context \'%s\'\n", info->secctx); 69 + pr_info_ratelimited("unable to map security context \'%s\'\n", 70 + info->secctx); 69 71 return -ENOENT; 70 72 } 71 73 72 74 err = security_secmark_relabel_packet(info->secid); 73 75 if (err) { 74 - pr_info("unable to obtain relabeling permission\n"); 76 + pr_info_ratelimited("unable to obtain relabeling permission\n"); 75 77 return err; 76 78 } 77 79 ··· 94 92 } 95 93 96 94 if (mode && mode != info->mode) { 97 - pr_info("mode already set to %hu cannot mix with " 98 - "rules for mode %hu\n", mode, info->mode); 95 + pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n", 96 + mode, info->mode); 99 97 return -EINVAL; 100 98 } 101 99 ··· 103 101 case SECMARK_MODE_SEL: 104 102 break; 105 103 default: 106 - pr_info("invalid mode: %hu\n", info->mode); 104 + pr_info_ratelimited("invalid mode: %hu\n", info->mode); 107 105 return -EINVAL; 108 106 } 109 107
+4 -6
net/netfilter/xt_TCPMSS.c
··· 273 273 (par->hook_mask & ~((1 << NF_INET_FORWARD) | 274 274 (1 << NF_INET_LOCAL_OUT) | 275 275 (1 << NF_INET_POST_ROUTING))) != 0) { 276 - pr_info("path-MTU clamping only supported in " 277 - "FORWARD, OUTPUT and POSTROUTING hooks\n"); 276 + pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n"); 278 277 return -EINVAL; 279 278 } 280 279 if (par->nft_compat) ··· 282 283 xt_ematch_foreach(ematch, e) 283 284 if (find_syn_match(ematch)) 284 285 return 0; 285 - pr_info("Only works on TCP SYN packets\n"); 286 + pr_info_ratelimited("Only works on TCP SYN packets\n"); 286 287 return -EINVAL; 287 288 } 288 289 ··· 297 298 (par->hook_mask & ~((1 << NF_INET_FORWARD) | 298 299 (1 << NF_INET_LOCAL_OUT) | 299 300 (1 << NF_INET_POST_ROUTING))) != 0) { 300 - pr_info("path-MTU clamping only supported in " 301 - "FORWARD, OUTPUT and POSTROUTING hooks\n"); 301 + pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n"); 302 302 return -EINVAL; 303 303 } 304 304 if (par->nft_compat) ··· 306 308 xt_ematch_foreach(ematch, e) 307 309 if (find_syn_match(ematch)) 308 310 return 0; 309 - pr_info("Only works on TCP SYN packets\n"); 311 + pr_info_ratelimited("Only works on TCP SYN packets\n"); 310 312 return -EINVAL; 311 313 } 312 314 #endif
+2 -4
net/netfilter/xt_TPROXY.c
··· 540 540 !(i->invflags & IP6T_INV_PROTO)) 541 541 return 0; 542 542 543 - pr_info("Can be used only in combination with " 544 - "either -p tcp or -p udp\n"); 543 + pr_info_ratelimited("Can be used only with -p tcp or -p udp\n"); 545 544 return -EINVAL; 546 545 } 547 546 #endif ··· 558 559 && !(i->invflags & IPT_INV_PROTO)) 559 560 return 0; 560 561 561 - pr_info("Can be used only in combination with " 562 - "either -p tcp or -p udp\n"); 562 + pr_info_ratelimited("Can be used only with -p tcp or -p udp\n"); 563 563 return -EINVAL; 564 564 } 565 565
+3 -1
net/netfilter/xt_bpf.c
··· 7 7 * published by the Free Software Foundation. 8 8 */ 9 9 10 + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 11 + 10 12 #include <linux/module.h> 11 13 #include <linux/syscalls.h> 12 14 #include <linux/skbuff.h> ··· 36 34 program.filter = insns; 37 35 38 36 if (bpf_prog_create(ret, &program)) { 39 - pr_info("bpf: check failed: parse error\n"); 37 + pr_info_ratelimited("check failed: parse error\n"); 40 38 return -EINVAL; 41 39 } 42 40
+5 -3
net/netfilter/xt_cgroup.c
··· 12 12 * published by the Free Software Foundation. 13 13 */ 14 14 15 + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 16 + 15 17 #include <linux/skbuff.h> 16 18 #include <linux/module.h> 17 19 #include <linux/netfilter/x_tables.h> ··· 50 48 } 51 49 52 50 if (info->has_path && info->has_classid) { 53 - pr_info("xt_cgroup: both path and classid specified\n"); 51 + pr_info_ratelimited("path and classid specified\n"); 54 52 return -EINVAL; 55 53 } 56 54 ··· 58 56 if (info->has_path) { 59 57 cgrp = cgroup_get_from_path(info->path); 60 58 if (IS_ERR(cgrp)) { 61 - pr_info("xt_cgroup: invalid path, errno=%ld\n", 62 - PTR_ERR(cgrp)); 59 + pr_info_ratelimited("invalid path, errno=%ld\n", 60 + PTR_ERR(cgrp)); 63 61 return -EINVAL; 64 62 } 65 63 info->priv = cgrp;
+3 -5
net/netfilter/xt_cluster.c
··· 135 135 struct xt_cluster_match_info *info = par->matchinfo; 136 136 137 137 if (info->total_nodes > XT_CLUSTER_NODES_MAX) { 138 - pr_info("you have exceeded the maximum " 139 - "number of cluster nodes (%u > %u)\n", 140 - info->total_nodes, XT_CLUSTER_NODES_MAX); 138 + pr_info_ratelimited("you have exceeded the maximum number of cluster nodes (%u > %u)\n", 139 + info->total_nodes, XT_CLUSTER_NODES_MAX); 141 140 return -EINVAL; 142 141 } 143 142 if (info->node_mask >= (1ULL << info->total_nodes)) { 144 - pr_info("this node mask cannot be " 145 - "higher than the total number of nodes\n"); 143 + pr_info_ratelimited("node mask cannot exceed total number of nodes\n"); 146 144 return -EDOM; 147 145 } 148 146 return 0;
+2 -2
net/netfilter/xt_connbytes.c
··· 112 112 113 113 ret = nf_ct_netns_get(par->net, par->family); 114 114 if (ret < 0) 115 - pr_info("cannot load conntrack support for proto=%u\n", 116 - par->family); 115 + pr_info_ratelimited("cannot load conntrack support for proto=%u\n", 116 + par->family); 117 117 118 118 /* 119 119 * This filter cannot function correctly unless connection tracking
+4 -3
net/netfilter/xt_connlabel.c
··· 57 57 int ret; 58 58 59 59 if (info->options & ~options) { 60 - pr_err("Unknown options in mask %x\n", info->options); 60 + pr_info_ratelimited("Unknown options in mask %x\n", 61 + info->options); 61 62 return -EINVAL; 62 63 } 63 64 64 65 ret = nf_ct_netns_get(par->net, par->family); 65 66 if (ret < 0) { 66 - pr_info("cannot load conntrack support for proto=%u\n", 67 - par->family); 67 + pr_info_ratelimited("cannot load conntrack support for proto=%u\n", 68 + par->family); 68 69 return ret; 69 70 } 70 71
+4 -4
net/netfilter/xt_connmark.c
··· 79 79 80 80 ret = nf_ct_netns_get(par->net, par->family); 81 81 if (ret < 0) 82 - pr_info("cannot load conntrack support for proto=%u\n", 83 - par->family); 82 + pr_info_ratelimited("cannot load conntrack support for proto=%u\n", 83 + par->family); 84 84 return ret; 85 85 } 86 86 ··· 109 109 110 110 ret = nf_ct_netns_get(par->net, par->family); 111 111 if (ret < 0) 112 - pr_info("cannot load conntrack support for proto=%u\n", 113 - par->family); 112 + pr_info_ratelimited("cannot load conntrack support for proto=%u\n", 113 + par->family); 114 114 return ret; 115 115 } 116 116
+2 -2
net/netfilter/xt_conntrack.c
··· 272 272 273 273 ret = nf_ct_netns_get(par->net, par->family); 274 274 if (ret < 0) 275 - pr_info("cannot load conntrack support for proto=%u\n", 276 - par->family); 275 + pr_info_ratelimited("cannot load conntrack support for proto=%u\n", 276 + par->family); 277 277 return ret; 278 278 } 279 279
+2 -2
net/netfilter/xt_ecn.c
··· 97 97 98 98 if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) && 99 99 (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) { 100 - pr_info("cannot match TCP bits in rule for non-tcp packets\n"); 100 + pr_info_ratelimited("cannot match TCP bits for non-tcp packets\n"); 101 101 return -EINVAL; 102 102 } 103 103 ··· 139 139 140 140 if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) && 141 141 (ip->proto != IPPROTO_TCP || ip->invflags & IP6T_INV_PROTO)) { 142 - pr_info("cannot match TCP bits in rule for non-tcp packets\n"); 142 + pr_info_ratelimited("cannot match TCP bits for non-tcp packets\n"); 143 143 return -EINVAL; 144 144 } 145 145
+13 -11
net/netfilter/xt_hashlimit.c
··· 523 523 if (user != 0) { 524 524 return div64_u64(XT_HASHLIMIT_SCALE_v2, user); 525 525 } else { 526 - pr_warn("invalid rate from userspace: %llu\n", user); 526 + pr_info_ratelimited("invalid rate from userspace: %llu\n", 527 + user); 527 528 return 0; 528 529 } 529 530 } ··· 866 865 } 867 866 868 867 if (cfg->mode & ~XT_HASHLIMIT_ALL) { 869 - pr_info("Unknown mode mask %X, kernel too old?\n", 870 - cfg->mode); 868 + pr_info_ratelimited("Unknown mode mask %X, kernel too old?\n", 869 + cfg->mode); 871 870 return -EINVAL; 872 871 } 873 872 874 873 /* Check for overflow. */ 875 874 if (revision >= 3 && cfg->mode & XT_HASHLIMIT_RATE_MATCH) { 876 875 if (cfg->avg == 0 || cfg->avg > U32_MAX) { 877 - pr_info("hashlimit invalid rate\n"); 876 + pr_info_ratelimited("invalid rate\n"); 878 877 return -ERANGE; 879 878 } 880 879 881 880 if (cfg->interval == 0) { 882 - pr_info("hashlimit invalid interval\n"); 881 + pr_info_ratelimited("invalid interval\n"); 883 882 return -EINVAL; 884 883 } 885 884 } else if (cfg->mode & XT_HASHLIMIT_BYTES) { 886 885 if (user2credits_byte(cfg->avg) == 0) { 887 - pr_info("overflow, rate too high: %llu\n", cfg->avg); 886 + pr_info_ratelimited("overflow, rate too high: %llu\n", 887 + cfg->avg); 888 888 return -EINVAL; 889 889 } 890 890 } else if (cfg->burst == 0 || 891 - user2credits(cfg->avg * cfg->burst, revision) < 892 - user2credits(cfg->avg, revision)) { 893 - pr_info("overflow, try lower: %llu/%llu\n", 894 - cfg->avg, cfg->burst); 895 - return -ERANGE; 891 + user2credits(cfg->avg * cfg->burst, revision) < 892 + user2credits(cfg->avg, revision)) { 893 + pr_info_ratelimited("overflow, try lower: %llu/%llu\n", 894 + cfg->avg, cfg->burst); 895 + return -ERANGE; 896 896 } 897 897 898 898 mutex_lock(&hashlimit_mutex);
+2 -2
net/netfilter/xt_helper.c
··· 61 61 62 62 ret = nf_ct_netns_get(par->net, par->family); 63 63 if (ret < 0) { 64 - pr_info("cannot load conntrack support for proto=%u\n", 65 - par->family); 64 + pr_info_ratelimited("cannot load conntrack support for proto=%u\n", 65 + par->family); 66 66 return ret; 67 67 } 68 68 info->name[sizeof(info->name) - 1] = '\0';
+1 -1
net/netfilter/xt_ipcomp.c
··· 72 72 73 73 /* Must specify no unknown invflags */ 74 74 if (compinfo->invflags & ~XT_IPCOMP_INV_MASK) { 75 - pr_err("unknown flags %X\n", compinfo->invflags); 75 + pr_info_ratelimited("unknown flags %X\n", compinfo->invflags); 76 76 return -EINVAL; 77 77 } 78 78 return 0;
+2 -1
net/netfilter/xt_ipvs.c
··· 158 158 && par->family != NFPROTO_IPV6 159 159 #endif 160 160 ) { 161 - pr_info("protocol family %u not supported\n", par->family); 161 + pr_info_ratelimited("protocol family %u not supported\n", 162 + par->family); 162 163 return -EINVAL; 163 164 } 164 165
+13 -9
net/netfilter/xt_l2tp.c
··· 216 216 /* Check for invalid flags */ 217 217 if (info->flags & ~(XT_L2TP_TID | XT_L2TP_SID | XT_L2TP_VERSION | 218 218 XT_L2TP_TYPE)) { 219 - pr_info("unknown flags: %x\n", info->flags); 219 + pr_info_ratelimited("unknown flags: %x\n", info->flags); 220 220 return -EINVAL; 221 221 } 222 222 ··· 225 225 (!(info->flags & XT_L2TP_SID)) && 226 226 ((!(info->flags & XT_L2TP_TYPE)) || 227 227 (info->type != XT_L2TP_TYPE_CONTROL))) { 228 - pr_info("invalid flags combination: %x\n", info->flags); 228 + pr_info_ratelimited("invalid flags combination: %x\n", 229 + info->flags); 229 230 return -EINVAL; 230 231 } 231 232 ··· 235 234 */ 236 235 if (info->flags & XT_L2TP_VERSION) { 237 236 if ((info->version < 2) || (info->version > 3)) { 238 - pr_info("wrong L2TP version: %u\n", info->version); 237 + pr_info_ratelimited("wrong L2TP version: %u\n", 238 + info->version); 239 239 return -EINVAL; 240 240 } 241 241 242 242 if (info->version == 2) { 243 243 if ((info->flags & XT_L2TP_TID) && 244 244 (info->tid > 0xffff)) { 245 - pr_info("v2 tid > 0xffff: %u\n", info->tid); 245 + pr_info_ratelimited("v2 tid > 0xffff: %u\n", 246 + info->tid); 246 247 return -EINVAL; 247 248 } 248 249 if ((info->flags & XT_L2TP_SID) && 249 250 (info->sid > 0xffff)) { 250 - pr_info("v2 sid > 0xffff: %u\n", info->sid); 251 + pr_info_ratelimited("v2 sid > 0xffff: %u\n", 252 + info->sid); 251 253 return -EINVAL; 252 254 } 253 255 } ··· 272 268 273 269 if ((ip->proto != IPPROTO_UDP) && 274 270 (ip->proto != IPPROTO_L2TP)) { 275 - pr_info("missing protocol rule (udp|l2tpip)\n"); 271 + pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n"); 276 272 return -EINVAL; 277 273 } 278 274 279 275 if ((ip->proto == IPPROTO_L2TP) && 280 276 (info->version == 2)) { 281 - pr_info("v2 doesn't support IP mode\n"); 277 + pr_info_ratelimited("v2 doesn't support IP mode\n"); 282 278 return -EINVAL; 283 279 } 284 280 ··· 299 295 300 296 if ((ip->proto != IPPROTO_UDP) && 301 297 (ip->proto != IPPROTO_L2TP)) { 302 - pr_info("missing protocol rule (udp|l2tpip)\n"); 298 + pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n"); 303 299 return -EINVAL; 304 300 } 305 301 306 302 if ((ip->proto == IPPROTO_L2TP) && 307 303 (info->version == 2)) { 308 - pr_info("v2 doesn't support IP mode\n"); 304 + pr_info_ratelimited("v2 doesn't support IP mode\n"); 309 305 return -EINVAL; 310 306 } 311 307
+2 -2
net/netfilter/xt_limit.c
··· 106 106 /* Check for overflow. */ 107 107 if (r->burst == 0 108 108 || user2credits(r->avg * r->burst) < user2credits(r->avg)) { 109 - pr_info("Overflow, try lower: %u/%u\n", 110 - r->avg, r->burst); 109 + pr_info_ratelimited("Overflow, try lower: %u/%u\n", 110 + r->avg, r->burst); 111 111 return -ERANGE; 112 112 } 113 113
+3 -2
net/netfilter/xt_nat.c
··· 8 8 * published by the Free Software Foundation. 9 9 */ 10 10 11 + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 12 + 11 13 #include <linux/module.h> 12 14 #include <linux/skbuff.h> 13 15 #include <linux/netfilter.h> ··· 21 19 const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; 22 20 23 21 if (mr->rangesize != 1) { 24 - pr_info("%s: multiple ranges no longer supported\n", 25 - par->target->name); 22 + pr_info_ratelimited("multiple ranges no longer supported\n"); 26 23 return -EINVAL; 27 24 } 28 25 return nf_ct_netns_get(par->net, par->family);
+4 -2
net/netfilter/xt_nfacct.c
··· 6 6 * it under the terms of the GNU General Public License version 2 (or any 7 7 * later at your option) as published by the Free Software Foundation. 8 8 */ 9 + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 10 + 9 11 #include <linux/module.h> 10 12 #include <linux/skbuff.h> 11 13 ··· 41 39 42 40 nfacct = nfnl_acct_find_get(par->net, info->name); 43 41 if (nfacct == NULL) { 44 - pr_info("xt_nfacct: accounting object with name `%s' " 45 - "does not exists\n", info->name); 42 + pr_info_ratelimited("accounting object `%s' does not exists\n", 43 + info->name); 46 44 return -ENOENT; 47 45 } 48 46 info->nfacct = nfacct;
+1 -3
net/netfilter/xt_physdev.c
··· 107 107 info->invert & XT_PHYSDEV_OP_BRIDGED) && 108 108 par->hook_mask & ((1 << NF_INET_LOCAL_OUT) | 109 109 (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) { 110 - pr_info("using --physdev-out and --physdev-is-out are only " 111 - "supported in the FORWARD and POSTROUTING chains with " 112 - "bridged traffic.\n"); 110 + pr_info_ratelimited("--physdev-out and --physdev-is-out only supported in the FORWARD and POSTROUTING chains with bridged traffic\n"); 113 111 if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) 114 112 return -EINVAL; 115 113 }
+6 -8
net/netfilter/xt_recent.c
··· 342 342 net_get_random_once(&hash_rnd, sizeof(hash_rnd)); 343 343 344 344 if (info->check_set & ~XT_RECENT_VALID_FLAGS) { 345 - pr_info("Unsupported user space flags (%08x)\n", 346 - info->check_set); 345 + pr_info_ratelimited("Unsupported userspace flags (%08x)\n", 346 + info->check_set); 347 347 return -EINVAL; 348 348 } 349 349 if (hweight8(info->check_set & ··· 357 357 if ((info->check_set & XT_RECENT_REAP) && !info->seconds) 358 358 return -EINVAL; 359 359 if (info->hit_count >= XT_RECENT_MAX_NSTAMPS) { 360 - pr_info("hitcount (%u) is larger than allowed maximum (%u)\n", 361 - info->hit_count, XT_RECENT_MAX_NSTAMPS - 1); 360 + pr_info_ratelimited("hitcount (%u) is larger than allowed maximum (%u)\n", 361 + info->hit_count, XT_RECENT_MAX_NSTAMPS - 1); 362 362 return -EINVAL; 363 363 } 364 364 if (info->name[0] == '\0' || ··· 587 587 add = true; 588 588 break; 589 589 default: 590 - pr_info("Need \"+ip\", \"-ip\" or \"/\"\n"); 590 + pr_info_ratelimited("Need \"+ip\", \"-ip\" or \"/\"\n"); 591 591 return -EINVAL; 592 592 } 593 593 ··· 601 601 succ = in4_pton(c, size, (void *)&addr, '\n', NULL); 602 602 } 603 603 604 - if (!succ) { 605 - pr_info("illegal address written to procfs\n"); 604 + if (!succ) 606 605 return -EINVAL; 607 - } 608 606 609 607 spin_lock_bh(&recent_lock); 610 608 e = recent_entry_lookup(t, &addr, family, 0);
+6 -4
net/netfilter/xt_socket.c
··· 171 171 return err; 172 172 173 173 if (info->flags & ~XT_SOCKET_FLAGS_V1) { 174 - pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V1); 174 + pr_info_ratelimited("unknown flags 0x%x\n", 175 + info->flags & ~XT_SOCKET_FLAGS_V1); 175 176 return -EINVAL; 176 177 } 177 178 return 0; ··· 188 187 return err; 189 188 190 189 if (info->flags & ~XT_SOCKET_FLAGS_V2) { 191 - pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V2); 190 + pr_info_ratelimited("unknown flags 0x%x\n", 191 + info->flags & ~XT_SOCKET_FLAGS_V2); 192 192 return -EINVAL; 193 193 } 194 194 return 0; ··· 205 203 if (err) 206 204 return err; 207 205 if (info->flags & ~XT_SOCKET_FLAGS_V3) { 208 - pr_info("unknown flags 0x%x\n", 209 - info->flags & ~XT_SOCKET_FLAGS_V3); 206 + pr_info_ratelimited("unknown flags 0x%x\n", 207 + info->flags & ~XT_SOCKET_FLAGS_V3); 210 208 return -EINVAL; 211 209 } 212 210 return 0;
+2 -2
net/netfilter/xt_state.c
··· 44 44 45 45 ret = nf_ct_netns_get(par->net, par->family); 46 46 if (ret < 0) 47 - pr_info("cannot load conntrack support for proto=%u\n", 48 - par->family); 47 + pr_info_ratelimited("cannot load conntrack support for proto=%u\n", 48 + par->family); 49 49 return ret; 50 50 } 51 51
+3 -3
net/netfilter/xt_time.c
··· 235 235 236 236 if (info->daytime_start > XT_TIME_MAX_DAYTIME || 237 237 info->daytime_stop > XT_TIME_MAX_DAYTIME) { 238 - pr_info("invalid argument - start or " 239 - "stop time greater than 23:59:59\n"); 238 + pr_info_ratelimited("invalid argument - start or stop time greater than 23:59:59\n"); 240 239 return -EDOM; 241 240 } 242 241 243 242 if (info->flags & ~XT_TIME_ALL_FLAGS) { 244 - pr_info("unknown flags 0x%x\n", info->flags & ~XT_TIME_ALL_FLAGS); 243 + pr_info_ratelimited("unknown flags 0x%x\n", 244 + info->flags & ~XT_TIME_ALL_FLAGS); 245 245 return -EINVAL; 246 246 } 247 247