netfilter: x_tables: use pr ratelimiting in matches/targets

all of these print simple error message - use single pr_ratelimit call. checkpatch complains about lines > 80 but this would require splitting several "literals" over multiple lines which is worse. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-02-09 15:52:06 +01:00 · 2018-02-09 15:52:06 +01:00 · c08e5e1ee6
parent cc48baefdf
commit c08e5e1ee6
3 changed files with 40 additions and 33 deletions
--- a/net/netfilter/xt_HMARK.c
+++ b/net/netfilter/xt_HMARK.c
@ -9,6 +9,8 @@
 * the Free Software Foundation.
 */
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/icmp.h>
@ -312,15 +314,15 @@ hmark_tg_v4(struct sk_buff *skb, const struct xt_action_param *par)
 static int hmark_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_hmark_info *info = par->targinfo;
 	const char *errmsg = "proto mask must be zero with L3 mode";
 	if (!info->hmodulus)
 		return -EINVAL;
 	if (info->proto_mask &&
-	    (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))) {
+	    (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3)))
-		pr_info("xt_HMARK: proto mask must be zero with L3 mode\n");
+		goto err;
-		return -EINVAL;
+
 	}
 	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK) &&
 	    (info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT_MASK) |
 			     XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))))
@ -329,10 +331,13 @@ static int hmark_tg_check(const struct xt_tgchk_param *par)
 	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI) &&
 	    (info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT) |
 			     XT_HMARK_FLAG(XT_HMARK_DPORT)))) {
-		pr_info("xt_HMARK: spi-set and port-set can't be combined\n");
+		errmsg = "spi-set and port-set can't be combined";
-		return -EINVAL;
+		goto err;
 	}
 	return 0;
 err:
 	pr_info_ratelimited("%s\n", errmsg);
 	return -EINVAL;
 }
 static struct xt_target hmark_tg_reg[] __read_mostly = {
--- a/net/netfilter/xt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@ -164,48 +164,47 @@ addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
 static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
 {
 	const char *errmsg = "both incoming and outgoing interface limitation cannot be selected";
 	struct xt_addrtype_info_v1 *info = par->matchinfo;
 	if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN &&
-	    info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
+	    info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
-		pr_info("both incoming and outgoing "
+		goto err;
 			"interface limitation cannot be selected\n");
 		return -EINVAL;
 	}
 	if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
 	    (1 << NF_INET_LOCAL_IN)) &&
 	    info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
-		pr_info("output interface limitation "
+		errmsg = "output interface limitation not valid in PREROUTING and INPUT";
-			"not valid in PREROUTING and INPUT\n");
+		goto err;
 		return -EINVAL;
 	}
 	if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
 	    (1 << NF_INET_LOCAL_OUT)) &&
 	    info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) {
-		pr_info("input interface limitation "
+		errmsg = "input interface limitation not valid in POSTROUTING and OUTPUT";
-			"not valid in POSTROUTING and OUTPUT\n");
+		goto err;
 		return -EINVAL;
 	}
 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 	if (par->family == NFPROTO_IPV6) {
 		if ((info->source | info->dest) & XT_ADDRTYPE_BLACKHOLE) {
-			pr_err("ipv6 BLACKHOLE matching not supported\n");
+			errmsg = "ipv6 BLACKHOLE matching not supported";
-			return -EINVAL;
+			goto err;
 		}
 		if ((info->source | info->dest) >= XT_ADDRTYPE_PROHIBIT) {
-			pr_err("ipv6 PROHIBIT (THROW, NAT ..) matching not supported\n");
+			errmsg = "ipv6 PROHIBIT (THROW, NAT ..) matching not supported";
-			return -EINVAL;
+			goto err;
 		}
 		if ((info->source | info->dest) & XT_ADDRTYPE_BROADCAST) {
-			pr_err("ipv6 does not support BROADCAST matching\n");
+			errmsg = "ipv6 does not support BROADCAST matching";
-			return -EINVAL;
+			goto err;
 		}
 	}
 #endif
 	return 0;
 err:
 	pr_info_ratelimited("%s\n", errmsg);
 	return -EINVAL;
 }
 static struct xt_match addrtype_mt_reg[] __read_mostly = {
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@ -132,26 +132,29 @@ policy_mt(const struct sk_buff *skb, struct xt_action_param *par)
 static int policy_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_policy_info *info = par->matchinfo;
 	const char *errmsg = "neither incoming nor outgoing policy selected";
 	if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT)))
 		goto err;
 	if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
 		pr_info("neither incoming nor outgoing policy selected\n");
 		return -EINVAL;
 	}
 	if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
 	    (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) {
-		pr_info("output policy not valid in PREROUTING and INPUT\n");
+		errmsg = "output policy not valid in PREROUTING and INPUT";
-		return -EINVAL;
+		goto err;
 	}
 	if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
 	    (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) {
-		pr_info("input policy not valid in POSTROUTING and OUTPUT\n");
+		errmsg = "input policy not valid in POSTROUTING and OUTPUT";
-		return -EINVAL;
+		goto err;
 	}
 	if (info->len > XT_POLICY_MAX_ELEM) {
-		pr_info("too many policy elements\n");
+		errmsg = "too many policy elements";
-		return -EINVAL;
+		goto err;
 	}
 	return 0;
 err:
 	pr_info_ratelimited("%s\n", errmsg);
 	return -EINVAL;
 }
 static struct xt_match policy_mt_reg[] __read_mostly = {