tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: x_tables: get rid of old and inconsistent debugging

The dprintf() and duprintf() functions are enabled at compile time,
these days we have better runtime debugging through pr_debug() and
static keys.

On top of this, this debugging is so old that I don't expect anyone
using this anymore, so let's get rid of this.

IP_NF_ASSERT() is still left in place, although this needs that
NETFILTER_DEBUG is enabled, I think these assertions provide useful
context information when reading the code.

Note that ARP_NF_ASSERT() has been removed as there is no user of
this.

Kill also DEBUG_ALLOW_ALL and a couple of pr_error() and pr_debug()
spots that are inconsistently placed in the code.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Pablo Neira Ayuso d7cdf816 3b78155b

+117 -573
+36 -181
net/ipv4/netfilter/arp_tables.c
··· 34 34 MODULE_AUTHOR("David S. Miller <davem@redhat.com>"); 35 35 MODULE_DESCRIPTION("arptables core"); 36 36 37 - /*#define DEBUG_ARP_TABLES*/ 38 - /*#define DEBUG_ARP_TABLES_USER*/ 39 - 40 - #ifdef DEBUG_ARP_TABLES 41 - #define dprintf(format, args...) pr_debug(format, ## args) 42 - #else 43 - #define dprintf(format, args...) 44 - #endif 45 - 46 - #ifdef DEBUG_ARP_TABLES_USER 47 - #define duprintf(format, args...) pr_debug(format, ## args) 48 - #else 49 - #define duprintf(format, args...) 50 - #endif 51 - 52 - #ifdef CONFIG_NETFILTER_DEBUG 53 - #define ARP_NF_ASSERT(x) WARN_ON(!(x)) 54 - #else 55 - #define ARP_NF_ASSERT(x) 56 - #endif 57 - 58 37 void *arpt_alloc_initial_table(const struct xt_table *info) 59 38 { 60 39 return xt_alloc_initial_table(arpt, ARPT); ··· 92 113 #define FWINV(bool, invflg) ((bool) ^ !!(arpinfo->invflags & (invflg))) 93 114 94 115 if (FWINV((arphdr->ar_op & arpinfo->arpop_mask) != arpinfo->arpop, 95 - ARPT_INV_ARPOP)) { 96 - dprintf("ARP operation field mismatch.\n"); 97 - dprintf("ar_op: %04x info->arpop: %04x info->arpop_mask: %04x\n", 98 - arphdr->ar_op, arpinfo->arpop, arpinfo->arpop_mask); 116 + ARPT_INV_ARPOP)) 99 117 return 0; 100 - } 101 118 102 119 if (FWINV((arphdr->ar_hrd & arpinfo->arhrd_mask) != arpinfo->arhrd, 103 - ARPT_INV_ARPHRD)) { 104 - dprintf("ARP hardware address format mismatch.\n"); 105 - dprintf("ar_hrd: %04x info->arhrd: %04x info->arhrd_mask: %04x\n", 106 - arphdr->ar_hrd, arpinfo->arhrd, arpinfo->arhrd_mask); 120 + ARPT_INV_ARPHRD)) 107 121 return 0; 108 - } 109 122 110 123 if (FWINV((arphdr->ar_pro & arpinfo->arpro_mask) != arpinfo->arpro, 111 - ARPT_INV_ARPPRO)) { 112 - dprintf("ARP protocol address format mismatch.\n"); 113 - dprintf("ar_pro: %04x info->arpro: %04x info->arpro_mask: %04x\n", 114 - arphdr->ar_pro, arpinfo->arpro, arpinfo->arpro_mask); 124 + ARPT_INV_ARPPRO)) 115 125 return 0; 116 - } 117 126 118 127 if (FWINV((arphdr->ar_hln & arpinfo->arhln_mask) != arpinfo->arhln, 119 - ARPT_INV_ARPHLN)) { 120 - dprintf("ARP hardware address length mismatch.\n"); 121 - dprintf("ar_hln: %02x info->arhln: %02x info->arhln_mask: %02x\n", 122 - arphdr->ar_hln, arpinfo->arhln, arpinfo->arhln_mask); 128 + ARPT_INV_ARPHLN)) 123 129 return 0; 124 - } 125 130 126 131 src_devaddr = arpptr; 127 132 arpptr += dev->addr_len; ··· 118 155 if (FWINV(arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr, dev->addr_len), 119 156 ARPT_INV_SRCDEVADDR) || 120 157 FWINV(arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr, dev->addr_len), 121 - ARPT_INV_TGTDEVADDR)) { 122 - dprintf("Source or target device address mismatch.\n"); 123 - 158 + ARPT_INV_TGTDEVADDR)) 124 159 return 0; 125 - } 126 160 127 161 if (FWINV((src_ipaddr & arpinfo->smsk.s_addr) != arpinfo->src.s_addr, 128 162 ARPT_INV_SRCIP) || 129 163 FWINV(((tgt_ipaddr & arpinfo->tmsk.s_addr) != arpinfo->tgt.s_addr), 130 - ARPT_INV_TGTIP)) { 131 - dprintf("Source or target IP address mismatch.\n"); 132 - 133 - dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n", 134 - &src_ipaddr, 135 - &arpinfo->smsk.s_addr, 136 - &arpinfo->src.s_addr, 137 - arpinfo->invflags & ARPT_INV_SRCIP ? " (INV)" : ""); 138 - dprintf("TGT: %pI4 Mask: %pI4 Target: %pI4.%s\n", 139 - &tgt_ipaddr, 140 - &arpinfo->tmsk.s_addr, 141 - &arpinfo->tgt.s_addr, 142 - arpinfo->invflags & ARPT_INV_TGTIP ? " (INV)" : ""); 164 + ARPT_INV_TGTIP)) 143 165 return 0; 144 - } 145 166 146 167 /* Look for ifname matches. */ 147 168 ret = ifname_compare(indev, arpinfo->iniface, arpinfo->iniface_mask); 148 169 149 - if (FWINV(ret != 0, ARPT_INV_VIA_IN)) { 150 - dprintf("VIA in mismatch (%s vs %s).%s\n", 151 - indev, arpinfo->iniface, 152 - arpinfo->invflags & ARPT_INV_VIA_IN ? " (INV)" : ""); 170 + if (FWINV(ret != 0, ARPT_INV_VIA_IN)) 153 171 return 0; 154 - } 155 172 156 173 ret = ifname_compare(outdev, arpinfo->outiface, arpinfo->outiface_mask); 157 174 158 - if (FWINV(ret != 0, ARPT_INV_VIA_OUT)) { 159 - dprintf("VIA out mismatch (%s vs %s).%s\n", 160 - outdev, arpinfo->outiface, 161 - arpinfo->invflags & ARPT_INV_VIA_OUT ? " (INV)" : ""); 175 + if (FWINV(ret != 0, ARPT_INV_VIA_OUT)) 162 176 return 0; 163 - } 164 177 165 178 return 1; 166 179 #undef FWINV ··· 144 205 145 206 static inline int arp_checkentry(const struct arpt_arp *arp) 146 207 { 147 - if (arp->flags & ~ARPT_F_MASK) { 148 - duprintf("Unknown flag bits set: %08X\n", 149 - arp->flags & ~ARPT_F_MASK); 208 + if (arp->flags & ~ARPT_F_MASK) 150 209 return 0; 151 - } 152 - if (arp->invflags & ~ARPT_INV_MASK) { 153 - duprintf("Unknown invflag bits set: %08X\n", 154 - arp->invflags & ~ARPT_INV_MASK); 210 + if (arp->invflags & ~ARPT_INV_MASK) 155 211 return 0; 156 - } 157 212 158 213 return 1; 159 214 } ··· 339 406 = (void *)arpt_get_target_c(e); 340 407 int visited = e->comefrom & (1 << hook); 341 408 342 - if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) { 343 - pr_notice("arptables: loop hook %u pos %u %08X.\n", 344 - hook, pos, e->comefrom); 409 + if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) 345 410 return 0; 346 - } 411 + 347 412 e->comefrom 348 413 |= ((1 << hook) | (1 << NF_ARP_NUMHOOKS)); 349 414 ··· 354 423 355 424 if ((strcmp(t->target.u.user.name, 356 425 XT_STANDARD_TARGET) == 0) && 357 - t->verdict < -NF_MAX_VERDICT - 1) { 358 - duprintf("mark_source_chains: bad " 359 - "negative verdict (%i)\n", 360 - t->verdict); 426 + t->verdict < -NF_MAX_VERDICT - 1) 361 427 return 0; 362 - } 363 428 364 429 /* Return: backtrack through the last 365 430 * big jump. ··· 389 462 XT_STANDARD_TARGET) == 0 && 390 463 newpos >= 0) { 391 464 /* This a jump; chase it. */ 392 - duprintf("Jump rule %u -> %u\n", 393 - pos, newpos); 394 465 e = (struct arpt_entry *) 395 466 (entry0 + newpos); 396 467 if (!find_jump_target(newinfo, e)) ··· 405 480 pos = newpos; 406 481 } 407 482 } 408 - next: 409 - duprintf("Finished chain %u\n", hook); 483 + next: ; 410 484 } 411 485 return 1; 412 486 } ··· 413 489 static inline int check_target(struct arpt_entry *e, const char *name) 414 490 { 415 491 struct xt_entry_target *t = arpt_get_target(e); 416 - int ret; 417 492 struct xt_tgchk_param par = { 418 493 .table = name, 419 494 .entryinfo = e, ··· 422 499 .family = NFPROTO_ARP, 423 500 }; 424 501 425 - ret = xt_check_target(&par, t->u.target_size - sizeof(*t), 0, false); 426 - if (ret < 0) { 427 - duprintf("arp_tables: check failed for `%s'.\n", 428 - t->u.kernel.target->name); 429 - return ret; 430 - } 431 - return 0; 502 + return xt_check_target(&par, t->u.target_size - sizeof(*t), 0, false); 432 503 } 433 504 434 505 static inline int ··· 442 525 target = xt_request_find_target(NFPROTO_ARP, t->u.user.name, 443 526 t->u.user.revision); 444 527 if (IS_ERR(target)) { 445 - duprintf("find_check_entry: `%s' not found\n", t->u.user.name); 446 528 ret = PTR_ERR(target); 447 529 goto out; 448 530 } ··· 487 571 488 572 if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 || 489 573 (unsigned char *)e + sizeof(struct arpt_entry) >= limit || 490 - (unsigned char *)e + e->next_offset > limit) { 491 - duprintf("Bad offset %p\n", e); 574 + (unsigned char *)e + e->next_offset > limit) 492 575 return -EINVAL; 493 - } 494 576 495 577 if (e->next_offset 496 - < sizeof(struct arpt_entry) + sizeof(struct xt_entry_target)) { 497 - duprintf("checking: element %p size %u\n", 498 - e, e->next_offset); 578 + < sizeof(struct arpt_entry) + sizeof(struct xt_entry_target)) 499 579 return -EINVAL; 500 - } 501 580 502 581 if (!arp_checkentry(&e->arp)) 503 582 return -EINVAL; ··· 509 598 if ((unsigned char *)e - base == hook_entries[h]) 510 599 newinfo->hook_entry[h] = hook_entries[h]; 511 600 if ((unsigned char *)e - base == underflows[h]) { 512 - if (!check_underflow(e)) { 513 - pr_debug("Underflows must be unconditional and " 514 - "use the STANDARD target with " 515 - "ACCEPT/DROP\n"); 601 + if (!check_underflow(e)) 516 602 return -EINVAL; 517 - } 603 + 518 604 newinfo->underflow[h] = underflows[h]; 519 605 } 520 606 } ··· 556 648 newinfo->underflow[i] = 0xFFFFFFFF; 557 649 } 558 650 559 - duprintf("translate_table: size %u\n", newinfo->size); 560 651 i = 0; 561 652 562 653 /* Walk through entries, checking offsets. */ ··· 572 665 XT_ERROR_TARGET) == 0) 573 666 ++newinfo->stacksize; 574 667 } 575 - duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); 576 668 if (ret != 0) 577 669 return ret; 578 670 579 - if (i != repl->num_entries) { 580 - duprintf("translate_table: %u not %u entries\n", 581 - i, repl->num_entries); 671 + if (i != repl->num_entries) 582 672 return -EINVAL; 583 - } 584 673 585 674 /* Check hooks all assigned */ 586 675 for (i = 0; i < NF_ARP_NUMHOOKS; i++) { 587 676 /* Only hooks which are valid */ 588 677 if (!(repl->valid_hooks & (1 << i))) 589 678 continue; 590 - if (newinfo->hook_entry[i] == 0xFFFFFFFF) { 591 - duprintf("Invalid hook entry %u %u\n", 592 - i, repl->hook_entry[i]); 679 + if (newinfo->hook_entry[i] == 0xFFFFFFFF) 593 680 return -EINVAL; 594 - } 595 - if (newinfo->underflow[i] == 0xFFFFFFFF) { 596 - duprintf("Invalid underflow %u %u\n", 597 - i, repl->underflow[i]); 681 + if (newinfo->underflow[i] == 0xFFFFFFFF) 598 682 return -EINVAL; 599 - } 600 683 } 601 684 602 685 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) ··· 794 897 struct xt_table *t; 795 898 int ret; 796 899 797 - if (*len != sizeof(struct arpt_getinfo)) { 798 - duprintf("length %u != %Zu\n", *len, 799 - sizeof(struct arpt_getinfo)); 900 + if (*len != sizeof(struct arpt_getinfo)) 800 901 return -EINVAL; 801 - } 802 902 803 903 if (copy_from_user(name, user, sizeof(name)) != 0) 804 904 return -EFAULT; ··· 851 957 struct arpt_get_entries get; 852 958 struct xt_table *t; 853 959 854 - if (*len < sizeof(get)) { 855 - duprintf("get_entries: %u < %Zu\n", *len, sizeof(get)); 960 + if (*len < sizeof(get)) 856 961 return -EINVAL; 857 - } 858 962 if (copy_from_user(&get, uptr, sizeof(get)) != 0) 859 963 return -EFAULT; 860 - if (*len != sizeof(struct arpt_get_entries) + get.size) { 861 - duprintf("get_entries: %u != %Zu\n", *len, 862 - sizeof(struct arpt_get_entries) + get.size); 964 + if (*len != sizeof(struct arpt_get_entries) + get.size) 863 965 return -EINVAL; 864 - } 966 + 865 967 get.name[sizeof(get.name) - 1] = '\0'; 866 968 867 969 t = xt_find_table_lock(net, NFPROTO_ARP, get.name); 868 970 if (!IS_ERR_OR_NULL(t)) { 869 971 const struct xt_table_info *private = t->private; 870 972 871 - duprintf("t->private->number = %u\n", 872 - private->number); 873 973 if (get.size == private->size) 874 974 ret = copy_entries_to_user(private->size, 875 975 t, uptr->entrytable); 876 - else { 877 - duprintf("get_entries: I've got %u not %u!\n", 878 - private->size, get.size); 976 + else 879 977 ret = -EAGAIN; 880 - } 978 + 881 979 module_put(t->me); 882 980 xt_table_unlock(t); 883 981 } else ··· 907 1021 908 1022 /* You lied! */ 909 1023 if (valid_hooks != t->valid_hooks) { 910 - duprintf("Valid hook crap: %08X vs %08X\n", 911 - valid_hooks, t->valid_hooks); 912 1024 ret = -EINVAL; 913 1025 goto put_module; 914 1026 } ··· 916 1032 goto put_module; 917 1033 918 1034 /* Update module usage count based on number of rules */ 919 - duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n", 920 - oldinfo->number, oldinfo->initial_entries, newinfo->number); 921 1035 if ((oldinfo->number > oldinfo->initial_entries) || 922 1036 (newinfo->number <= oldinfo->initial_entries)) 923 1037 module_put(t->me); ··· 984 1102 ret = translate_table(newinfo, loc_cpu_entry, &tmp); 985 1103 if (ret != 0) 986 1104 goto free_newinfo; 987 - 988 - duprintf("arp_tables: Translated table\n"); 989 1105 990 1106 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo, 991 1107 tmp.num_counters, tmp.counters); ··· 1082 1202 unsigned int entry_offset; 1083 1203 int ret, off; 1084 1204 1085 - duprintf("check_compat_entry_size_and_hooks %p\n", e); 1086 1205 if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 || 1087 1206 (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit || 1088 - (unsigned char *)e + e->next_offset > limit) { 1089 - duprintf("Bad offset %p, limit = %p\n", e, limit); 1207 + (unsigned char *)e + e->next_offset > limit) 1090 1208 return -EINVAL; 1091 - } 1092 1209 1093 1210 if (e->next_offset < sizeof(struct compat_arpt_entry) + 1094 - sizeof(struct compat_xt_entry_target)) { 1095 - duprintf("checking: element %p size %u\n", 1096 - e, e->next_offset); 1211 + sizeof(struct compat_xt_entry_target)) 1097 1212 return -EINVAL; 1098 - } 1099 1213 1100 1214 if (!arp_checkentry(&e->arp)) 1101 1215 return -EINVAL; ··· 1106 1232 target = xt_request_find_target(NFPROTO_ARP, t->u.user.name, 1107 1233 t->u.user.revision); 1108 1234 if (IS_ERR(target)) { 1109 - duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", 1110 - t->u.user.name); 1111 1235 ret = PTR_ERR(target); 1112 1236 goto out; 1113 1237 } ··· 1175 1303 size = compatr->size; 1176 1304 info->number = compatr->num_entries; 1177 1305 1178 - duprintf("translate_compat_table: size %u\n", info->size); 1179 1306 j = 0; 1180 1307 xt_compat_lock(NFPROTO_ARP); 1181 1308 xt_compat_init_offsets(NFPROTO_ARP, compatr->num_entries); ··· 1189 1318 } 1190 1319 1191 1320 ret = -EINVAL; 1192 - if (j != compatr->num_entries) { 1193 - duprintf("translate_compat_table: %u not %u entries\n", 1194 - j, compatr->num_entries); 1321 + if (j != compatr->num_entries) 1195 1322 goto out_unlock; 1196 - } 1197 1323 1198 1324 ret = -ENOMEM; 1199 1325 newinfo = xt_alloc_table_info(size); ··· 1281 1413 if (ret != 0) 1282 1414 goto free_newinfo; 1283 1415 1284 - duprintf("compat_do_replace: Translated table\n"); 1285 - 1286 1416 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo, 1287 1417 tmp.num_counters, compat_ptr(tmp.counters)); 1288 1418 if (ret) ··· 1313 1447 break; 1314 1448 1315 1449 default: 1316 - duprintf("do_arpt_set_ctl: unknown request %i\n", cmd); 1317 1450 ret = -EINVAL; 1318 1451 } 1319 1452 ··· 1395 1530 struct compat_arpt_get_entries get; 1396 1531 struct xt_table *t; 1397 1532 1398 - if (*len < sizeof(get)) { 1399 - duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get)); 1533 + if (*len < sizeof(get)) 1400 1534 return -EINVAL; 1401 - } 1402 1535 if (copy_from_user(&get, uptr, sizeof(get)) != 0) 1403 1536 return -EFAULT; 1404 - if (*len != sizeof(struct compat_arpt_get_entries) + get.size) { 1405 - duprintf("compat_get_entries: %u != %zu\n", 1406 - *len, sizeof(get) + get.size); 1537 + if (*len != sizeof(struct compat_arpt_get_entries) + get.size) 1407 1538 return -EINVAL; 1408 - } 1539 + 1409 1540 get.name[sizeof(get.name) - 1] = '\0'; 1410 1541 1411 1542 xt_compat_lock(NFPROTO_ARP); ··· 1410 1549 const struct xt_table_info *private = t->private; 1411 1550 struct xt_table_info info; 1412 1551 1413 - duprintf("t->private->number = %u\n", private->number); 1414 1552 ret = compat_table_info(private, &info); 1415 1553 if (!ret && get.size == info.size) { 1416 1554 ret = compat_copy_entries_to_user(private->size, 1417 1555 t, uptr->entrytable); 1418 - } else if (!ret) { 1419 - duprintf("compat_get_entries: I've got %u not %u!\n", 1420 - private->size, get.size); 1556 + } else if (!ret) 1421 1557 ret = -EAGAIN; 1422 - } 1558 + 1423 1559 xt_compat_flush_offsets(NFPROTO_ARP); 1424 1560 module_put(t->me); 1425 1561 xt_table_unlock(t); ··· 1468 1610 break; 1469 1611 1470 1612 default: 1471 - duprintf("do_arpt_set_ctl: unknown request %i\n", cmd); 1472 1613 ret = -EINVAL; 1473 1614 } 1474 1615 ··· 1510 1653 } 1511 1654 1512 1655 default: 1513 - duprintf("do_arpt_get_ctl: unknown request %i\n", cmd); 1514 1656 ret = -EINVAL; 1515 1657 } 1516 1658 ··· 1554 1698 memcpy(loc_cpu_entry, repl->entries, repl->size); 1555 1699 1556 1700 ret = translate_table(newinfo, loc_cpu_entry, repl); 1557 - duprintf("arpt_register_table: translate table gives %d\n", ret); 1558 1701 if (ret != 0) 1559 1702 goto out_free; 1560 1703
+40 -204
net/ipv4/netfilter/ip_tables.c
··· 35 35 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 36 36 MODULE_DESCRIPTION("IPv4 packet filter"); 37 37 38 - /*#define DEBUG_IP_FIREWALL*/ 39 - /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */ 40 - /*#define DEBUG_IP_FIREWALL_USER*/ 41 - 42 - #ifdef DEBUG_IP_FIREWALL 43 - #define dprintf(format, args...) pr_info(format , ## args) 44 - #else 45 - #define dprintf(format, args...) 46 - #endif 47 - 48 - #ifdef DEBUG_IP_FIREWALL_USER 49 - #define duprintf(format, args...) pr_info(format , ## args) 50 - #else 51 - #define duprintf(format, args...) 52 - #endif 53 - 54 38 #ifdef CONFIG_NETFILTER_DEBUG 55 39 #define IP_NF_ASSERT(x) WARN_ON(!(x)) 56 40 #else 57 41 #define IP_NF_ASSERT(x) 58 - #endif 59 - 60 - #if 0 61 - /* All the better to debug you with... */ 62 - #define static 63 - #define inline 64 42 #endif 65 43 66 44 void *ipt_alloc_initial_table(const struct xt_table *info) ··· 63 85 if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr, 64 86 IPT_INV_SRCIP) || 65 87 FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr, 66 - IPT_INV_DSTIP)) { 67 - dprintf("Source or dest mismatch.\n"); 68 - 69 - dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n", 70 - &ip->saddr, &ipinfo->smsk.s_addr, &ipinfo->src.s_addr, 71 - ipinfo->invflags & IPT_INV_SRCIP ? " (INV)" : ""); 72 - dprintf("DST: %pI4 Mask: %pI4 Target: %pI4.%s\n", 73 - &ip->daddr, &ipinfo->dmsk.s_addr, &ipinfo->dst.s_addr, 74 - ipinfo->invflags & IPT_INV_DSTIP ? " (INV)" : ""); 88 + IPT_INV_DSTIP)) 75 89 return false; 76 - } 77 90 78 91 ret = ifname_compare_aligned(indev, ipinfo->iniface, ipinfo->iniface_mask); 79 92 80 - if (FWINV(ret != 0, IPT_INV_VIA_IN)) { 81 - dprintf("VIA in mismatch (%s vs %s).%s\n", 82 - indev, ipinfo->iniface, 83 - ipinfo->invflags & IPT_INV_VIA_IN ? " (INV)" : ""); 93 + if (FWINV(ret != 0, IPT_INV_VIA_IN)) 84 94 return false; 85 - } 86 95 87 96 ret = ifname_compare_aligned(outdev, ipinfo->outiface, ipinfo->outiface_mask); 88 97 89 - if (FWINV(ret != 0, IPT_INV_VIA_OUT)) { 90 - dprintf("VIA out mismatch (%s vs %s).%s\n", 91 - outdev, ipinfo->outiface, 92 - ipinfo->invflags & IPT_INV_VIA_OUT ? " (INV)" : ""); 98 + if (FWINV(ret != 0, IPT_INV_VIA_OUT)) 93 99 return false; 94 - } 95 100 96 101 /* Check specific protocol */ 97 102 if (ipinfo->proto && 98 - FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) { 99 - dprintf("Packet protocol %hi does not match %hi.%s\n", 100 - ip->protocol, ipinfo->proto, 101 - ipinfo->invflags & IPT_INV_PROTO ? " (INV)" : ""); 103 + FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) 102 104 return false; 103 - } 104 105 105 106 /* If we have a fragment rule but the packet is not a fragment 106 107 * then we return zero */ 107 - if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) { 108 - dprintf("Fragment rule but not fragment.%s\n", 109 - ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : ""); 108 + if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) 110 109 return false; 111 - } 112 110 113 111 return true; 114 112 } ··· 92 138 static bool 93 139 ip_checkentry(const struct ipt_ip *ip) 94 140 { 95 - if (ip->flags & ~IPT_F_MASK) { 96 - duprintf("Unknown flag bits set: %08X\n", 97 - ip->flags & ~IPT_F_MASK); 141 + if (ip->flags & ~IPT_F_MASK) 98 142 return false; 99 - } 100 - if (ip->invflags & ~IPT_INV_MASK) { 101 - duprintf("Unknown invflag bits set: %08X\n", 102 - ip->invflags & ~IPT_INV_MASK); 143 + if (ip->invflags & ~IPT_INV_MASK) 103 144 return false; 104 - } 105 145 return true; 106 146 } 107 147 ··· 294 346 295 347 e = get_entry(table_base, private->hook_entry[hook]); 296 348 297 - pr_debug("Entering %s(hook %u), UF %p\n", 298 - table->name, hook, 299 - get_entry(table_base, private->underflow[hook])); 300 - 301 349 do { 302 350 const struct xt_entry_target *t; 303 351 const struct xt_entry_match *ematch; ··· 340 396 if (stackidx == 0) { 341 397 e = get_entry(table_base, 342 398 private->underflow[hook]); 343 - pr_debug("Underflow (this is normal) " 344 - "to %p\n", e); 345 399 } else { 346 400 e = jumpstack[--stackidx]; 347 - pr_debug("Pulled %p out from pos %u\n", 348 - e, stackidx); 349 401 e = ipt_next_entry(e); 350 402 } 351 403 continue; 352 404 } 353 405 if (table_base + v != ipt_next_entry(e) && 354 - !(e->ip.flags & IPT_F_GOTO)) { 406 + !(e->ip.flags & IPT_F_GOTO)) 355 407 jumpstack[stackidx++] = e; 356 - pr_debug("Pushed %p into pos %u\n", 357 - e, stackidx - 1); 358 - } 359 408 360 409 e = get_entry(table_base, v); 361 410 continue; ··· 366 429 /* Verdict */ 367 430 break; 368 431 } while (!acpar.hotdrop); 369 - pr_debug("Exiting %s; sp at %u\n", __func__, stackidx); 370 432 371 433 xt_write_recseq_end(addend); 372 434 local_bh_enable(); 373 435 374 - #ifdef DEBUG_ALLOW_ALL 375 - return NF_ACCEPT; 376 - #else 377 436 if (acpar.hotdrop) 378 437 return NF_DROP; 379 438 else return verdict; 380 - #endif 381 439 } 382 440 383 441 static bool find_jump_target(const struct xt_table_info *t, ··· 412 480 = (void *)ipt_get_target_c(e); 413 481 int visited = e->comefrom & (1 << hook); 414 482 415 - if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { 416 - pr_err("iptables: loop hook %u pos %u %08X.\n", 417 - hook, pos, e->comefrom); 483 + if (e->comefrom & (1 << NF_INET_NUMHOOKS)) 418 484 return 0; 419 - } 485 + 420 486 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); 421 487 422 488 /* Unconditional return/END. */ ··· 426 496 427 497 if ((strcmp(t->target.u.user.name, 428 498 XT_STANDARD_TARGET) == 0) && 429 - t->verdict < -NF_MAX_VERDICT - 1) { 430 - duprintf("mark_source_chains: bad " 431 - "negative verdict (%i)\n", 432 - t->verdict); 499 + t->verdict < -NF_MAX_VERDICT - 1) 433 500 return 0; 434 - } 435 501 436 502 /* Return: backtrack through the last 437 503 big jump. */ 438 504 do { 439 505 e->comefrom ^= (1<<NF_INET_NUMHOOKS); 440 - #ifdef DEBUG_IP_FIREWALL_USER 441 - if (e->comefrom 442 - & (1 << NF_INET_NUMHOOKS)) { 443 - duprintf("Back unset " 444 - "on hook %u " 445 - "rule %u\n", 446 - hook, pos); 447 - } 448 - #endif 449 506 oldpos = pos; 450 507 pos = e->counters.pcnt; 451 508 e->counters.pcnt = 0; ··· 460 543 XT_STANDARD_TARGET) == 0 && 461 544 newpos >= 0) { 462 545 /* This a jump; chase it. */ 463 - duprintf("Jump rule %u -> %u\n", 464 - pos, newpos); 465 546 e = (struct ipt_entry *) 466 547 (entry0 + newpos); 467 548 if (!find_jump_target(newinfo, e)) ··· 476 561 pos = newpos; 477 562 } 478 563 } 479 - next: 480 - duprintf("Finished chain %u\n", hook); 564 + next: ; 481 565 } 482 566 return 1; 483 567 } ··· 498 584 check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) 499 585 { 500 586 const struct ipt_ip *ip = par->entryinfo; 501 - int ret; 502 587 503 588 par->match = m->u.kernel.match; 504 589 par->matchinfo = m->data; 505 590 506 - ret = xt_check_match(par, m->u.match_size - sizeof(*m), 507 - ip->proto, ip->invflags & IPT_INV_PROTO); 508 - if (ret < 0) { 509 - duprintf("check failed for `%s'.\n", par->match->name); 510 - return ret; 511 - } 512 - return 0; 591 + return xt_check_match(par, m->u.match_size - sizeof(*m), 592 + ip->proto, ip->invflags & IPT_INV_PROTO); 513 593 } 514 594 515 595 static int ··· 514 606 515 607 match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name, 516 608 m->u.user.revision); 517 - if (IS_ERR(match)) { 518 - duprintf("find_check_match: `%s' not found\n", m->u.user.name); 609 + if (IS_ERR(match)) 519 610 return PTR_ERR(match); 520 - } 521 611 m->u.kernel.match = match; 522 612 523 613 ret = check_match(m, par); ··· 540 634 .hook_mask = e->comefrom, 541 635 .family = NFPROTO_IPV4, 542 636 }; 543 - int ret; 544 637 545 - ret = xt_check_target(&par, t->u.target_size - sizeof(*t), 546 - e->ip.proto, e->ip.invflags & IPT_INV_PROTO); 547 - if (ret < 0) { 548 - duprintf("check failed for `%s'.\n", 549 - t->u.kernel.target->name); 550 - return ret; 551 - } 552 - return 0; 638 + return xt_check_target(&par, t->u.target_size - sizeof(*t), 639 + e->ip.proto, e->ip.invflags & IPT_INV_PROTO); 553 640 } 554 641 555 642 static int ··· 579 680 target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name, 580 681 t->u.user.revision); 581 682 if (IS_ERR(target)) { 582 - duprintf("find_check_entry: `%s' not found\n", t->u.user.name); 583 683 ret = PTR_ERR(target); 584 684 goto cleanup_matches; 585 685 } ··· 632 734 633 735 if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 || 634 736 (unsigned char *)e + sizeof(struct ipt_entry) >= limit || 635 - (unsigned char *)e + e->next_offset > limit) { 636 - duprintf("Bad offset %p\n", e); 737 + (unsigned char *)e + e->next_offset > limit) 637 738 return -EINVAL; 638 - } 639 739 640 740 if (e->next_offset 641 - < sizeof(struct ipt_entry) + sizeof(struct xt_entry_target)) { 642 - duprintf("checking: element %p size %u\n", 643 - e, e->next_offset); 741 + < sizeof(struct ipt_entry) + sizeof(struct xt_entry_target)) 644 742 return -EINVAL; 645 - } 646 743 647 744 if (!ip_checkentry(&e->ip)) 648 745 return -EINVAL; ··· 654 761 if ((unsigned char *)e - base == hook_entries[h]) 655 762 newinfo->hook_entry[h] = hook_entries[h]; 656 763 if ((unsigned char *)e - base == underflows[h]) { 657 - if (!check_underflow(e)) { 658 - pr_debug("Underflows must be unconditional and " 659 - "use the STANDARD target with " 660 - "ACCEPT/DROP\n"); 764 + if (!check_underflow(e)) 661 765 return -EINVAL; 662 - } 766 + 663 767 newinfo->underflow[h] = underflows[h]; 664 768 } 665 769 } ··· 708 818 newinfo->underflow[i] = 0xFFFFFFFF; 709 819 } 710 820 711 - duprintf("translate_table: size %u\n", newinfo->size); 712 821 i = 0; 713 822 /* Walk through entries, checking offsets. */ 714 823 xt_entry_foreach(iter, entry0, newinfo->size) { ··· 724 835 ++newinfo->stacksize; 725 836 } 726 837 727 - if (i != repl->num_entries) { 728 - duprintf("translate_table: %u not %u entries\n", 729 - i, repl->num_entries); 838 + if (i != repl->num_entries) 730 839 return -EINVAL; 731 - } 732 840 733 841 /* Check hooks all assigned */ 734 842 for (i = 0; i < NF_INET_NUMHOOKS; i++) { 735 843 /* Only hooks which are valid */ 736 844 if (!(repl->valid_hooks & (1 << i))) 737 845 continue; 738 - if (newinfo->hook_entry[i] == 0xFFFFFFFF) { 739 - duprintf("Invalid hook entry %u %u\n", 740 - i, repl->hook_entry[i]); 846 + if (newinfo->hook_entry[i] == 0xFFFFFFFF) 741 847 return -EINVAL; 742 - } 743 - if (newinfo->underflow[i] == 0xFFFFFFFF) { 744 - duprintf("Invalid underflow %u %u\n", 745 - i, repl->underflow[i]); 848 + if (newinfo->underflow[i] == 0xFFFFFFFF) 746 849 return -EINVAL; 747 - } 748 850 } 749 851 750 852 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) ··· 963 1083 struct xt_table *t; 964 1084 int ret; 965 1085 966 - if (*len != sizeof(struct ipt_getinfo)) { 967 - duprintf("length %u != %zu\n", *len, 968 - sizeof(struct ipt_getinfo)); 1086 + if (*len != sizeof(struct ipt_getinfo)) 969 1087 return -EINVAL; 970 - } 971 1088 972 1089 if (copy_from_user(name, user, sizeof(name)) != 0) 973 1090 return -EFAULT; ··· 1022 1145 struct ipt_get_entries get; 1023 1146 struct xt_table *t; 1024 1147 1025 - if (*len < sizeof(get)) { 1026 - duprintf("get_entries: %u < %zu\n", *len, sizeof(get)); 1148 + if (*len < sizeof(get)) 1027 1149 return -EINVAL; 1028 - } 1029 1150 if (copy_from_user(&get, uptr, sizeof(get)) != 0) 1030 1151 return -EFAULT; 1031 - if (*len != sizeof(struct ipt_get_entries) + get.size) { 1032 - duprintf("get_entries: %u != %zu\n", 1033 - *len, sizeof(get) + get.size); 1152 + if (*len != sizeof(struct ipt_get_entries) + get.size) 1034 1153 return -EINVAL; 1035 - } 1036 1154 get.name[sizeof(get.name) - 1] = '\0'; 1037 1155 1038 1156 t = xt_find_table_lock(net, AF_INET, get.name); 1039 1157 if (!IS_ERR_OR_NULL(t)) { 1040 1158 const struct xt_table_info *private = t->private; 1041 - duprintf("t->private->number = %u\n", private->number); 1042 1159 if (get.size == private->size) 1043 1160 ret = copy_entries_to_user(private->size, 1044 1161 t, uptr->entrytable); 1045 - else { 1046 - duprintf("get_entries: I've got %u not %u!\n", 1047 - private->size, get.size); 1162 + else 1048 1163 ret = -EAGAIN; 1049 - } 1164 + 1050 1165 module_put(t->me); 1051 1166 xt_table_unlock(t); 1052 1167 } else ··· 1074 1205 1075 1206 /* You lied! */ 1076 1207 if (valid_hooks != t->valid_hooks) { 1077 - duprintf("Valid hook crap: %08X vs %08X\n", 1078 - valid_hooks, t->valid_hooks); 1079 1208 ret = -EINVAL; 1080 1209 goto put_module; 1081 1210 } ··· 1083 1216 goto put_module; 1084 1217 1085 1218 /* Update module usage count based on number of rules */ 1086 - duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n", 1087 - oldinfo->number, oldinfo->initial_entries, newinfo->number); 1088 1219 if ((oldinfo->number > oldinfo->initial_entries) || 1089 1220 (newinfo->number <= oldinfo->initial_entries)) 1090 1221 module_put(t->me); ··· 1150 1285 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp); 1151 1286 if (ret != 0) 1152 1287 goto free_newinfo; 1153 - 1154 - duprintf("Translated table\n"); 1155 1288 1156 1289 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo, 1157 1290 tmp.num_counters, tmp.counters); ··· 1276 1413 1277 1414 match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name, 1278 1415 m->u.user.revision); 1279 - if (IS_ERR(match)) { 1280 - duprintf("compat_check_calc_match: `%s' not found\n", 1281 - m->u.user.name); 1416 + if (IS_ERR(match)) 1282 1417 return PTR_ERR(match); 1283 - } 1418 + 1284 1419 m->u.kernel.match = match; 1285 1420 *size += xt_compat_match_offset(match); 1286 1421 return 0; ··· 1310 1449 unsigned int j; 1311 1450 int ret, off; 1312 1451 1313 - duprintf("check_compat_entry_size_and_hooks %p\n", e); 1314 1452 if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 || 1315 1453 (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit || 1316 - (unsigned char *)e + e->next_offset > limit) { 1317 - duprintf("Bad offset %p, limit = %p\n", e, limit); 1454 + (unsigned char *)e + e->next_offset > limit) 1318 1455 return -EINVAL; 1319 - } 1320 1456 1321 1457 if (e->next_offset < sizeof(struct compat_ipt_entry) + 1322 - sizeof(struct compat_xt_entry_target)) { 1323 - duprintf("checking: element %p size %u\n", 1324 - e, e->next_offset); 1458 + sizeof(struct compat_xt_entry_target)) 1325 1459 return -EINVAL; 1326 - } 1327 1460 1328 1461 if (!ip_checkentry(&e->ip)) 1329 1462 return -EINVAL; ··· 1341 1486 target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name, 1342 1487 t->u.user.revision); 1343 1488 if (IS_ERR(target)) { 1344 - duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", 1345 - t->u.user.name); 1346 1489 ret = PTR_ERR(target); 1347 1490 goto release_matches; 1348 1491 } ··· 1422 1569 size = compatr->size; 1423 1570 info->number = compatr->num_entries; 1424 1571 1425 - duprintf("translate_compat_table: size %u\n", info->size); 1426 1572 j = 0; 1427 1573 xt_compat_lock(AF_INET); 1428 1574 xt_compat_init_offsets(AF_INET, compatr->num_entries); ··· 1436 1584 } 1437 1585 1438 1586 ret = -EINVAL; 1439 - if (j != compatr->num_entries) { 1440 - duprintf("translate_compat_table: %u not %u entries\n", 1441 - j, compatr->num_entries); 1587 + if (j != compatr->num_entries) 1442 1588 goto out_unlock; 1443 - } 1444 1589 1445 1590 ret = -ENOMEM; 1446 1591 newinfo = xt_alloc_table_info(size); ··· 1534 1685 if (ret != 0) 1535 1686 goto free_newinfo; 1536 1687 1537 - duprintf("compat_do_replace: Translated table\n"); 1538 - 1539 1688 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo, 1540 1689 tmp.num_counters, compat_ptr(tmp.counters)); 1541 1690 if (ret) ··· 1567 1720 break; 1568 1721 1569 1722 default: 1570 - duprintf("do_ipt_set_ctl: unknown request %i\n", cmd); 1571 1723 ret = -EINVAL; 1572 1724 } 1573 1725 ··· 1616 1770 struct compat_ipt_get_entries get; 1617 1771 struct xt_table *t; 1618 1772 1619 - if (*len < sizeof(get)) { 1620 - duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get)); 1773 + if (*len < sizeof(get)) 1621 1774 return -EINVAL; 1622 - } 1623 1775 1624 1776 if (copy_from_user(&get, uptr, sizeof(get)) != 0) 1625 1777 return -EFAULT; 1626 1778 1627 - if (*len != sizeof(struct compat_ipt_get_entries) + get.size) { 1628 - duprintf("compat_get_entries: %u != %zu\n", 1629 - *len, sizeof(get) + get.size); 1779 + if (*len != sizeof(struct compat_ipt_get_entries) + get.size) 1630 1780 return -EINVAL; 1631 - } 1781 + 1632 1782 get.name[sizeof(get.name) - 1] = '\0'; 1633 1783 1634 1784 xt_compat_lock(AF_INET); ··· 1632 1790 if (!IS_ERR_OR_NULL(t)) { 1633 1791 const struct xt_table_info *private = t->private; 1634 1792 struct xt_table_info info; 1635 - duprintf("t->private->number = %u\n", private->number); 1636 1793 ret = compat_table_info(private, &info); 1637 - if (!ret && get.size == info.size) { 1794 + if (!ret && get.size == info.size) 1638 1795 ret = compat_copy_entries_to_user(private->size, 1639 1796 t, uptr->entrytable); 1640 - } else if (!ret) { 1641 - duprintf("compat_get_entries: I've got %u not %u!\n", 1642 - private->size, get.size); 1797 + else if (!ret) 1643 1798 ret = -EAGAIN; 1644 - } 1799 + 1645 1800 xt_compat_flush_offsets(AF_INET); 1646 1801 module_put(t->me); 1647 1802 xt_table_unlock(t); ··· 1691 1852 break; 1692 1853 1693 1854 default: 1694 - duprintf("do_ipt_set_ctl: unknown request %i\n", cmd); 1695 1855 ret = -EINVAL; 1696 1856 } 1697 1857 ··· 1742 1904 } 1743 1905 1744 1906 default: 1745 - duprintf("do_ipt_get_ctl: unknown request %i\n", cmd); 1746 1907 ret = -EINVAL; 1747 1908 } 1748 1909 ··· 1843 2006 /* We've been asked to examine this packet, and we 1844 2007 * can't. Hence, no choice but to drop. 1845 2008 */ 1846 - duprintf("Dropping evil ICMP tinygram.\n"); 1847 2009 par->hotdrop = true; 1848 2010 return false; 1849 2011 }
+41 -188
net/ipv6/netfilter/ip6_tables.c
··· 39 39 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 40 40 MODULE_DESCRIPTION("IPv6 packet filter"); 41 41 42 - /*#define DEBUG_IP_FIREWALL*/ 43 - /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */ 44 - /*#define DEBUG_IP_FIREWALL_USER*/ 45 - 46 - #ifdef DEBUG_IP_FIREWALL 47 - #define dprintf(format, args...) pr_info(format , ## args) 48 - #else 49 - #define dprintf(format, args...) 50 - #endif 51 - 52 - #ifdef DEBUG_IP_FIREWALL_USER 53 - #define duprintf(format, args...) pr_info(format , ## args) 54 - #else 55 - #define duprintf(format, args...) 56 - #endif 57 - 58 42 #ifdef CONFIG_NETFILTER_DEBUG 59 43 #define IP_NF_ASSERT(x) WARN_ON(!(x)) 60 44 #else 61 45 #define IP_NF_ASSERT(x) 62 - #endif 63 - 64 - #if 0 65 - /* All the better to debug you with... */ 66 - #define static 67 - #define inline 68 46 #endif 69 47 70 48 void *ip6t_alloc_initial_table(const struct xt_table *info) ··· 78 100 if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk, 79 101 &ip6info->src), IP6T_INV_SRCIP) || 80 102 FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk, 81 - &ip6info->dst), IP6T_INV_DSTIP)) { 82 - dprintf("Source or dest mismatch.\n"); 83 - /* 84 - dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr, 85 - ipinfo->smsk.s_addr, ipinfo->src.s_addr, 86 - ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : ""); 87 - dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr, 88 - ipinfo->dmsk.s_addr, ipinfo->dst.s_addr, 89 - ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/ 103 + &ip6info->dst), IP6T_INV_DSTIP)) 90 104 return false; 91 - } 92 105 93 106 ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask); 94 107 95 - if (FWINV(ret != 0, IP6T_INV_VIA_IN)) { 96 - dprintf("VIA in mismatch (%s vs %s).%s\n", 97 - indev, ip6info->iniface, 98 - ip6info->invflags & IP6T_INV_VIA_IN ? " (INV)" : ""); 108 + if (FWINV(ret != 0, IP6T_INV_VIA_IN)) 99 109 return false; 100 - } 101 110 102 111 ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask); 103 112 104 - if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) { 105 - dprintf("VIA out mismatch (%s vs %s).%s\n", 106 - outdev, ip6info->outiface, 107 - ip6info->invflags & IP6T_INV_VIA_OUT ? " (INV)" : ""); 113 + if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) 108 114 return false; 109 - } 110 115 111 116 /* ... might want to do something with class and flowlabel here ... */ 112 117 ··· 105 144 return false; 106 145 } 107 146 *fragoff = _frag_off; 108 - 109 - dprintf("Packet protocol %hi ?= %s%hi.\n", 110 - protohdr, 111 - ip6info->invflags & IP6T_INV_PROTO ? "!":"", 112 - ip6info->proto); 113 147 114 148 if (ip6info->proto == protohdr) { 115 149 if (ip6info->invflags & IP6T_INV_PROTO) ··· 125 169 static bool 126 170 ip6_checkentry(const struct ip6t_ip6 *ipv6) 127 171 { 128 - if (ipv6->flags & ~IP6T_F_MASK) { 129 - duprintf("Unknown flag bits set: %08X\n", 130 - ipv6->flags & ~IP6T_F_MASK); 172 + if (ipv6->flags & ~IP6T_F_MASK) 131 173 return false; 132 - } 133 - if (ipv6->invflags & ~IP6T_INV_MASK) { 134 - duprintf("Unknown invflag bits set: %08X\n", 135 - ipv6->invflags & ~IP6T_INV_MASK); 174 + if (ipv6->invflags & ~IP6T_INV_MASK) 136 175 return false; 137 - } 176 + 138 177 return true; 139 178 } 140 179 ··· 397 446 xt_write_recseq_end(addend); 398 447 local_bh_enable(); 399 448 400 - #ifdef DEBUG_ALLOW_ALL 401 - return NF_ACCEPT; 402 - #else 403 449 if (acpar.hotdrop) 404 450 return NF_DROP; 405 451 else return verdict; 406 - #endif 407 452 } 408 453 409 454 static bool find_jump_target(const struct xt_table_info *t, ··· 439 492 = (void *)ip6t_get_target_c(e); 440 493 int visited = e->comefrom & (1 << hook); 441 494 442 - if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { 443 - pr_err("iptables: loop hook %u pos %u %08X.\n", 444 - hook, pos, e->comefrom); 495 + if (e->comefrom & (1 << NF_INET_NUMHOOKS)) 445 496 return 0; 446 - } 497 + 447 498 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); 448 499 449 500 /* Unconditional return/END. */ ··· 453 508 454 509 if ((strcmp(t->target.u.user.name, 455 510 XT_STANDARD_TARGET) == 0) && 456 - t->verdict < -NF_MAX_VERDICT - 1) { 457 - duprintf("mark_source_chains: bad " 458 - "negative verdict (%i)\n", 459 - t->verdict); 511 + t->verdict < -NF_MAX_VERDICT - 1) 460 512 return 0; 461 - } 462 513 463 514 /* Return: backtrack through the last 464 515 big jump. */ 465 516 do { 466 517 e->comefrom ^= (1<<NF_INET_NUMHOOKS); 467 - #ifdef DEBUG_IP_FIREWALL_USER 468 - if (e->comefrom 469 - & (1 << NF_INET_NUMHOOKS)) { 470 - duprintf("Back unset " 471 - "on hook %u " 472 - "rule %u\n", 473 - hook, pos); 474 - } 475 - #endif 476 518 oldpos = pos; 477 519 pos = e->counters.pcnt; 478 520 e->counters.pcnt = 0; ··· 487 555 XT_STANDARD_TARGET) == 0 && 488 556 newpos >= 0) { 489 557 /* This a jump; chase it. */ 490 - duprintf("Jump rule %u -> %u\n", 491 - pos, newpos); 492 558 e = (struct ip6t_entry *) 493 559 (entry0 + newpos); 494 560 if (!find_jump_target(newinfo, e)) ··· 503 573 pos = newpos; 504 574 } 505 575 } 506 - next: 507 - duprintf("Finished chain %u\n", hook); 576 + next: ; 508 577 } 509 578 return 1; 510 579 } ··· 524 595 static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) 525 596 { 526 597 const struct ip6t_ip6 *ipv6 = par->entryinfo; 527 - int ret; 528 598 529 599 par->match = m->u.kernel.match; 530 600 par->matchinfo = m->data; 531 601 532 - ret = xt_check_match(par, m->u.match_size - sizeof(*m), 533 - ipv6->proto, ipv6->invflags & IP6T_INV_PROTO); 534 - if (ret < 0) { 535 - duprintf("ip_tables: check failed for `%s'.\n", 536 - par.match->name); 537 - return ret; 538 - } 539 - return 0; 602 + return xt_check_match(par, m->u.match_size - sizeof(*m), 603 + ipv6->proto, ipv6->invflags & IP6T_INV_PROTO); 540 604 } 541 605 542 606 static int ··· 540 618 541 619 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name, 542 620 m->u.user.revision); 543 - if (IS_ERR(match)) { 544 - duprintf("find_check_match: `%s' not found\n", m->u.user.name); 621 + if (IS_ERR(match)) 545 622 return PTR_ERR(match); 546 - } 623 + 547 624 m->u.kernel.match = match; 548 625 549 626 ret = check_match(m, par); ··· 567 646 .hook_mask = e->comefrom, 568 647 .family = NFPROTO_IPV6, 569 648 }; 570 - int ret; 571 649 572 650 t = ip6t_get_target(e); 573 - ret = xt_check_target(&par, t->u.target_size - sizeof(*t), 574 - e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO); 575 - if (ret < 0) { 576 - duprintf("ip_tables: check failed for `%s'.\n", 577 - t->u.kernel.target->name); 578 - return ret; 579 - } 580 - return 0; 651 + return xt_check_target(&par, t->u.target_size - sizeof(*t), 652 + e->ipv6.proto, 653 + e->ipv6.invflags & IP6T_INV_PROTO); 581 654 } 582 655 583 656 static int ··· 608 693 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name, 609 694 t->u.user.revision); 610 695 if (IS_ERR(target)) { 611 - duprintf("find_check_entry: `%s' not found\n", t->u.user.name); 612 696 ret = PTR_ERR(target); 613 697 goto cleanup_matches; 614 698 } ··· 660 746 661 747 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 || 662 748 (unsigned char *)e + sizeof(struct ip6t_entry) >= limit || 663 - (unsigned char *)e + e->next_offset > limit) { 664 - duprintf("Bad offset %p\n", e); 749 + (unsigned char *)e + e->next_offset > limit) 665 750 return -EINVAL; 666 - } 667 751 668 752 if (e->next_offset 669 - < sizeof(struct ip6t_entry) + sizeof(struct xt_entry_target)) { 670 - duprintf("checking: element %p size %u\n", 671 - e, e->next_offset); 753 + < sizeof(struct ip6t_entry) + sizeof(struct xt_entry_target)) 672 754 return -EINVAL; 673 - } 674 755 675 756 if (!ip6_checkentry(&e->ipv6)) 676 757 return -EINVAL; ··· 682 773 if ((unsigned char *)e - base == hook_entries[h]) 683 774 newinfo->hook_entry[h] = hook_entries[h]; 684 775 if ((unsigned char *)e - base == underflows[h]) { 685 - if (!check_underflow(e)) { 686 - pr_debug("Underflows must be unconditional and " 687 - "use the STANDARD target with " 688 - "ACCEPT/DROP\n"); 776 + if (!check_underflow(e)) 689 777 return -EINVAL; 690 - } 778 + 691 779 newinfo->underflow[h] = underflows[h]; 692 780 } 693 781 } ··· 736 830 newinfo->underflow[i] = 0xFFFFFFFF; 737 831 } 738 832 739 - duprintf("translate_table: size %u\n", newinfo->size); 740 833 i = 0; 741 834 /* Walk through entries, checking offsets. */ 742 835 xt_entry_foreach(iter, entry0, newinfo->size) { ··· 752 847 ++newinfo->stacksize; 753 848 } 754 849 755 - if (i != repl->num_entries) { 756 - duprintf("translate_table: %u not %u entries\n", 757 - i, repl->num_entries); 850 + if (i != repl->num_entries) 758 851 return -EINVAL; 759 - } 760 852 761 853 /* Check hooks all assigned */ 762 854 for (i = 0; i < NF_INET_NUMHOOKS; i++) { 763 855 /* Only hooks which are valid */ 764 856 if (!(repl->valid_hooks & (1 << i))) 765 857 continue; 766 - if (newinfo->hook_entry[i] == 0xFFFFFFFF) { 767 - duprintf("Invalid hook entry %u %u\n", 768 - i, repl->hook_entry[i]); 858 + if (newinfo->hook_entry[i] == 0xFFFFFFFF) 769 859 return -EINVAL; 770 - } 771 - if (newinfo->underflow[i] == 0xFFFFFFFF) { 772 - duprintf("Invalid underflow %u %u\n", 773 - i, repl->underflow[i]); 860 + if (newinfo->underflow[i] == 0xFFFFFFFF) 774 861 return -EINVAL; 775 - } 776 862 } 777 863 778 864 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) ··· 991 1095 struct xt_table *t; 992 1096 int ret; 993 1097 994 - if (*len != sizeof(struct ip6t_getinfo)) { 995 - duprintf("length %u != %zu\n", *len, 996 - sizeof(struct ip6t_getinfo)); 1098 + if (*len != sizeof(struct ip6t_getinfo)) 997 1099 return -EINVAL; 998 - } 999 1100 1000 1101 if (copy_from_user(name, user, sizeof(name)) != 0) 1001 1102 return -EFAULT; ··· 1050 1157 struct ip6t_get_entries get; 1051 1158 struct xt_table *t; 1052 1159 1053 - if (*len < sizeof(get)) { 1054 - duprintf("get_entries: %u < %zu\n", *len, sizeof(get)); 1160 + if (*len < sizeof(get)) 1055 1161 return -EINVAL; 1056 - } 1057 1162 if (copy_from_user(&get, uptr, sizeof(get)) != 0) 1058 1163 return -EFAULT; 1059 - if (*len != sizeof(struct ip6t_get_entries) + get.size) { 1060 - duprintf("get_entries: %u != %zu\n", 1061 - *len, sizeof(get) + get.size); 1164 + if (*len != sizeof(struct ip6t_get_entries) + get.size) 1062 1165 return -EINVAL; 1063 - } 1166 + 1064 1167 get.name[sizeof(get.name) - 1] = '\0'; 1065 1168 1066 1169 t = xt_find_table_lock(net, AF_INET6, get.name); 1067 1170 if (!IS_ERR_OR_NULL(t)) { 1068 1171 struct xt_table_info *private = t->private; 1069 - duprintf("t->private->number = %u\n", private->number); 1070 1172 if (get.size == private->size) 1071 1173 ret = copy_entries_to_user(private->size, 1072 1174 t, uptr->entrytable); 1073 - else { 1074 - duprintf("get_entries: I've got %u not %u!\n", 1075 - private->size, get.size); 1175 + else 1076 1176 ret = -EAGAIN; 1077 - } 1177 + 1078 1178 module_put(t->me); 1079 1179 xt_table_unlock(t); 1080 1180 } else ··· 1103 1217 1104 1218 /* You lied! */ 1105 1219 if (valid_hooks != t->valid_hooks) { 1106 - duprintf("Valid hook crap: %08X vs %08X\n", 1107 - valid_hooks, t->valid_hooks); 1108 1220 ret = -EINVAL; 1109 1221 goto put_module; 1110 1222 } ··· 1112 1228 goto put_module; 1113 1229 1114 1230 /* Update module usage count based on number of rules */ 1115 - duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n", 1116 - oldinfo->number, oldinfo->initial_entries, newinfo->number); 1117 1231 if ((oldinfo->number > oldinfo->initial_entries) || 1118 1232 (newinfo->number <= oldinfo->initial_entries)) 1119 1233 module_put(t->me); ··· 1179 1297 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp); 1180 1298 if (ret != 0) 1181 1299 goto free_newinfo; 1182 - 1183 - duprintf("ip_tables: Translated table\n"); 1184 1300 1185 1301 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo, 1186 1302 tmp.num_counters, tmp.counters); ··· 1304 1424 1305 1425 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name, 1306 1426 m->u.user.revision); 1307 - if (IS_ERR(match)) { 1308 - duprintf("compat_check_calc_match: `%s' not found\n", 1309 - m->u.user.name); 1427 + if (IS_ERR(match)) 1310 1428 return PTR_ERR(match); 1311 - } 1429 + 1312 1430 m->u.kernel.match = match; 1313 1431 *size += xt_compat_match_offset(match); 1314 1432 return 0; ··· 1338 1460 unsigned int j; 1339 1461 int ret, off; 1340 1462 1341 - duprintf("check_compat_entry_size_and_hooks %p\n", e); 1342 1463 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 || 1343 1464 (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit || 1344 - (unsigned char *)e + e->next_offset > limit) { 1345 - duprintf("Bad offset %p, limit = %p\n", e, limit); 1465 + (unsigned char *)e + e->next_offset > limit) 1346 1466 return -EINVAL; 1347 - } 1348 1467 1349 1468 if (e->next_offset < sizeof(struct compat_ip6t_entry) + 1350 - sizeof(struct compat_xt_entry_target)) { 1351 - duprintf("checking: element %p size %u\n", 1352 - e, e->next_offset); 1469 + sizeof(struct compat_xt_entry_target)) 1353 1470 return -EINVAL; 1354 - } 1355 1471 1356 1472 if (!ip6_checkentry(&e->ipv6)) 1357 1473 return -EINVAL; ··· 1369 1497 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name, 1370 1498 t->u.user.revision); 1371 1499 if (IS_ERR(target)) { 1372 - duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", 1373 - t->u.user.name); 1374 1500 ret = PTR_ERR(target); 1375 1501 goto release_matches; 1376 1502 } ··· 1447 1577 size = compatr->size; 1448 1578 info->number = compatr->num_entries; 1449 1579 1450 - duprintf("translate_compat_table: size %u\n", info->size); 1451 1580 j = 0; 1452 1581 xt_compat_lock(AF_INET6); 1453 1582 xt_compat_init_offsets(AF_INET6, compatr->num_entries); ··· 1461 1592 } 1462 1593 1463 1594 ret = -EINVAL; 1464 - if (j != compatr->num_entries) { 1465 - duprintf("translate_compat_table: %u not %u entries\n", 1466 - j, compatr->num_entries); 1595 + if (j != compatr->num_entries) 1467 1596 goto out_unlock; 1468 - } 1469 1597 1470 1598 ret = -ENOMEM; 1471 1599 newinfo = xt_alloc_table_info(size); ··· 1553 1687 if (ret != 0) 1554 1688 goto free_newinfo; 1555 1689 1556 - duprintf("compat_do_replace: Translated table\n"); 1557 - 1558 1690 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo, 1559 1691 tmp.num_counters, compat_ptr(tmp.counters)); 1560 1692 if (ret) ··· 1586 1722 break; 1587 1723 1588 1724 default: 1589 - duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd); 1590 1725 ret = -EINVAL; 1591 1726 } 1592 1727 ··· 1635 1772 struct compat_ip6t_get_entries get; 1636 1773 struct xt_table *t; 1637 1774 1638 - if (*len < sizeof(get)) { 1639 - duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get)); 1775 + if (*len < sizeof(get)) 1640 1776 return -EINVAL; 1641 - } 1642 1777 1643 1778 if (copy_from_user(&get, uptr, sizeof(get)) != 0) 1644 1779 return -EFAULT; 1645 1780 1646 - if (*len != sizeof(struct compat_ip6t_get_entries) + get.size) { 1647 - duprintf("compat_get_entries: %u != %zu\n", 1648 - *len, sizeof(get) + get.size); 1781 + if (*len != sizeof(struct compat_ip6t_get_entries) + get.size) 1649 1782 return -EINVAL; 1650 - } 1783 + 1651 1784 get.name[sizeof(get.name) - 1] = '\0'; 1652 1785 1653 1786 xt_compat_lock(AF_INET6); ··· 1651 1792 if (!IS_ERR_OR_NULL(t)) { 1652 1793 const struct xt_table_info *private = t->private; 1653 1794 struct xt_table_info info; 1654 - duprintf("t->private->number = %u\n", private->number); 1655 1795 ret = compat_table_info(private, &info); 1656 - if (!ret && get.size == info.size) { 1796 + if (!ret && get.size == info.size) 1657 1797 ret = compat_copy_entries_to_user(private->size, 1658 1798 t, uptr->entrytable); 1659 - } else if (!ret) { 1660 - duprintf("compat_get_entries: I've got %u not %u!\n", 1661 - private->size, get.size); 1799 + else if (!ret) 1662 1800 ret = -EAGAIN; 1663 - } 1801 + 1664 1802 xt_compat_flush_offsets(AF_INET6); 1665 1803 module_put(t->me); 1666 1804 xt_table_unlock(t); ··· 1710 1854 break; 1711 1855 1712 1856 default: 1713 - duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd); 1714 1857 ret = -EINVAL; 1715 1858 } 1716 1859 ··· 1761 1906 } 1762 1907 1763 1908 default: 1764 - duprintf("do_ip6t_get_ctl: unknown request %i\n", cmd); 1765 1909 ret = -EINVAL; 1766 1910 } 1767 1911 ··· 1862 2008 /* We've been asked to examine this packet, and we 1863 2009 * can't. Hence, no choice but to drop. 1864 2010 */ 1865 - duprintf("Dropping evil ICMP tinygram.\n"); 1866 2011 par->hotdrop = true; 1867 2012 return false; 1868 2013 }