
netfilter: x_tables: use pr ratelimiting in matches/targets

all of these print simple error message - use single pr_ratelimit call.
checkpatch complains about lines > 80 but this would require splitting
several "literals" over multiple lines which is worse.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso
c08e5e1e cc48baef

+40 -33
+11 -6
net/netfilter/xt_HMARK.c
··· 9 9 * the Free Software Foundation. 10 10 */ 11 11 12 + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13 + 12 14 #include <linux/module.h> 13 15 #include <linux/skbuff.h> 14 16 #include <linux/icmp.h> ··· 314 312 static int hmark_tg_check(const struct xt_tgchk_param *par) 315 313 { 316 314 const struct xt_hmark_info *info = par->targinfo; 315 + const char *errmsg = "proto mask must be zero with L3 mode"; 317 316 318 317 if (!info->hmodulus) 319 318 return -EINVAL; 320 319 321 320 if (info->proto_mask && 322 - (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))) { 323 - pr_info("xt_HMARK: proto mask must be zero with L3 mode\n"); 324 - return -EINVAL; 325 - } 321 + (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))) 322 + goto err; 323 + 326 324 if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK) && 327 325 (info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT_MASK) | 328 326 XT_HMARK_FLAG(XT_HMARK_DPORT_MASK)))) ··· 331 329 if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI) && 332 330 (info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT) | 333 331 XT_HMARK_FLAG(XT_HMARK_DPORT)))) { 334 - pr_info("xt_HMARK: spi-set and port-set can't be combined\n"); 335 - return -EINVAL; 332 + errmsg = "spi-set and port-set can't be combined"; 333 + goto err; 336 334 } 337 335 return 0; 336 + err: 337 + pr_info_ratelimited("%s\n", errmsg); 338 + return -EINVAL; 338 339 } 339 340 340 341 static struct xt_target hmark_tg_reg[] __read_mostly = {
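Review bot: In `hmark_tg_check` the first failure path (the `goto err;` under the `proto_mask` test) sets no message of its own and relies on the `errmsg` initializer, so a check added above it later that jumps to `err` without assigning `errmsg` would log "proto mask must be zero with L3 mode" for an unrelated rejection. Declaring `const char *errmsg;` and writing `errmsg = "proto mask must be zero with L3 mode";` directly before that `goto err;` keeps each message beside its condition and lets the compiler warn about a path that forgets it. `addrtype_mt_checkentry_v1` and `policy_mt_check` use the same initializer-as-first-message shape. Separately, the `!info->hmodulus` rejection still returns `-EINVAL` with no message; if that is intentional, a short comment there would say so.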
+16 -17
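--- a/net/netfilter/xt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@@ -164,48 +164,47 @@
 
 static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
 {
+const char *errmsg = "both incoming and outgoing interface limitation cannot be selected";
 struct xt_addrtype_info_v1 *info = par->matchinfo;
 
 if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN &&
-info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
-pr_info("both incoming and outgoing "
-"interface limitation cannot be selected\n");
-return -EINVAL;
-}
+info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
+goto err;
 
 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
 (1 << NF_INET_LOCAL_IN)) &&
 info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
-pr_info("output interface limitation "
-"not valid in PREROUTING and INPUT\n");
-return -EINVAL;
+errmsg = "output interface limitation not valid in PREROUTING and INPUT";
+goto err;
 }
 
 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
 (1 << NF_INET_LOCAL_OUT)) &&
 info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) {
-pr_info("input interface limitation "
-"not valid in POSTROUTING and OUTPUT\n");
-return -EINVAL;
+errmsg = "input interface limitation not valid in POSTROUTING and OUTPUT";
+goto err;
 }
 
 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 if (par->family == NFPROTO_IPV6) {
 if ((info->source | info->dest) & XT_ADDRTYPE_BLACKHOLE) {
-pr_err("ipv6 BLACKHOLE matching not supported\n");
-return -EINVAL;
+errmsg = "ipv6 BLACKHOLE matching not supported";
+goto err;
 }
 if ((info->source | info->dest) >= XT_ADDRTYPE_PROHIBIT) {
-pr_err("ipv6 PROHIBIT (THROW, NAT ..) matching not supported\n");
-return -EINVAL;
+errmsg = "ipv6 PROHIBIT (THROW, NAT ..) matching not supported";
+goto err;
 }
 if ((info->source | info->dest) & XT_ADDRTYPE_BROADCAST) {
-pr_err("ipv6 does not support BROADCAST matching\n");
-return -EINVAL;
+errmsg = "ipv6 does not support BROADCAST matching";
+goto err;
 }
 }
 #endif
 return 0;
+err:
+pr_info_ratelimited("%s\n", errmsg);
+return -EINVAL;
 }
 
 static struct xt_match addrtype_mt_reg[] __read_mostly = {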
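Review bot: The three IPv6 rejections in `addrtype_mt_checkentry_v1` (BLACKHOLE, PROHIBIT, BROADCAST) were logged with `pr_err` and now go through the shared `pr_info_ratelimited("%s\n", errmsg)`, so their severity drops from error to info, which the commit message does not mention. Log collection that filters on kernel error level would stop seeing these rejected-rule events. If the downgrade is intended, say so in the description and add a comment at the label such as `/* all checkentry failures are reported at info level */`. Otherwise the IPv6 branch needs its own label that calls `pr_err_ratelimited("%s\n", errmsg);`.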
+13 -10
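--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -132,26 +132,29 @@
 static int policy_mt_check(const struct xt_mtchk_param *par)
 {
 const struct xt_policy_info *info = par->matchinfo;
+const char *errmsg = "neither incoming nor outgoing policy selected";
 
-if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
-pr_info("neither incoming nor outgoing policy selected\n");
-return -EINVAL;
-}
+if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT)))
+goto err;
+
 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
 (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) {
-pr_info("output policy not valid in PREROUTING and INPUT\n");
-return -EINVAL;
+errmsg = "output policy not valid in PREROUTING and INPUT";
+goto err;
 }
 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
 (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) {
-pr_info("input policy not valid in POSTROUTING and OUTPUT\n");
-return -EINVAL;
+errmsg = "input policy not valid in POSTROUTING and OUTPUT";
+goto err;
 }
 if (info->len > XT_POLICY_MAX_ELEM) {
-pr_info("too many policy elements\n");
-return -EINVAL;
+errmsg = "too many policy elements";
+goto err;
 }
 return 0;
+err:
+pr_info_ratelimited("%s\n", errmsg);
+return -EINVAL;
 }
 
 static struct xt_match policy_mt_reg[] __read_mostly = {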
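Review bot: All four messages in `policy_mt_check` now share the single `pr_info_ratelimited("%s\n", errmsg)` call at `err:`, and the ratelimit state belongs to that call site, so a burst of one rejection can suppress a different message from the same function. These checks run on rule data supplied by whoever loads the ruleset, which is when the log matters most for diagnosis. This is probably an acceptable trade-off for the simpler code, but a comment at the label would record it, e.g. `/* one ratelimit state for every message in this function */`. The same holds for the `err:` labels in xt_HMARK.c and xt_addrtype.c.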