Apply "netfilter: nf_queue: Make the queue_handler pernet" to 4.4-stable

2018-02-09 Thread Eric Biggers
Hi Greg, can you please apply commit dc3ee32e96d7 ("netfilter: nf_queue: Make
the queue_handler pernet") to 4.4-stable?  syzbot is hitting the crash in
nfqnl_nf_hook_drop() by interrupting thread creation in pg_net_init().  An OOM
condition is not required, contrary to what is suggested by the original commit
message.

Thanks,

Eric


[PATCH v2 nf 9/9] netfilter: x_tables: use pr ratelimiting in all remaining spots

2018-02-09 Thread Florian Westphal
Signed-off-by: Florian Westphal 
---
 net/ipv4/netfilter/ipt_ECN.c   |  2 +-
 net/ipv4/netfilter/ipt_REJECT.c|  4 ++--
 net/ipv4/netfilter/ipt_rpfilter.c  |  2 +-
 net/ipv6/netfilter/ip6t_REJECT.c   |  4 ++--
 net/ipv6/netfilter/ip6t_rpfilter.c |  2 +-
 net/ipv6/netfilter/ip6t_srh.c  |  6 --
 net/netfilter/xt_AUDIT.c   |  4 ++--
 net/netfilter/xt_CHECKSUM.c|  3 ++-
 net/netfilter/xt_CONNSECMARK.c |  6 +++---
 net/netfilter/xt_LED.c |  2 +-
 net/netfilter/xt_SECMARK.c | 14 --
 net/netfilter/xt_TCPMSS.c  | 10 --
 net/netfilter/xt_TPROXY.c  |  6 ++
 net/netfilter/xt_bpf.c |  4 +++-
 net/netfilter/xt_cgroup.c  |  8 +---
 net/netfilter/xt_cluster.c |  8 +++-
 net/netfilter/xt_connbytes.c   |  4 ++--
 net/netfilter/xt_connlabel.c   |  7 ---
 net/netfilter/xt_connmark.c|  8 
 net/netfilter/xt_conntrack.c   |  4 ++--
 net/netfilter/xt_ecn.c |  4 ++--
 net/netfilter/xt_hashlimit.c   | 24 +---
 net/netfilter/xt_helper.c  |  4 ++--
 net/netfilter/xt_ipcomp.c  |  2 +-
 net/netfilter/xt_ipvs.c|  3 ++-
 net/netfilter/xt_l2tp.c| 22 +-
 net/netfilter/xt_limit.c   |  4 ++--
 net/netfilter/xt_nat.c |  5 +++--
 net/netfilter/xt_nfacct.c  |  6 --
 net/netfilter/xt_physdev.c |  4 +---
 net/netfilter/xt_recent.c  | 14 ++
 net/netfilter/xt_socket.c  | 10 ++
 net/netfilter/xt_state.c   |  4 ++--
 net/netfilter/xt_time.c|  6 +++---
 34 files changed, 116 insertions(+), 104 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 39ff167e6d86..aaaf9a81fbc9 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -106,7 +106,7 @@ static int ecn_tg_check(const struct xt_tgchk_param *par)
 
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
(e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
-   pr_info("cannot use TCP operations on a non-tcp rule\n");
+   pr_info_ratelimited("cannot use operation on non-tcp rule\n");
return -EINVAL;
}
return 0;
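Review bot: The shortened message on the `+` line drops the fact that it is the TCP-specific operations being rejected, so a user who set ECE/CWR on a non-TCP rule now gets a less specific hint than before. The condition two lines above tests `IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR`, so `pr_info_ratelimited("ECE/CWR operations need a tcp rule\n");` would stay within the line limit and keep the information. ecn_tg_check starts outside the hunk.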
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 8bd0d7b26632..e8bed3390e58 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -74,13 +74,13 @@ static int reject_tg_check(const struct xt_tgchk_param *par)
const struct ipt_entry *e = par->entryinfo;
 
if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
-   pr_info("ECHOREPLY no longer supported.\n");
+   pr_info_ratelimited("ECHOREPLY no longer supported.\n");
return -EINVAL;
} else if (rejinfo->with == IPT_TCP_RESET) {
/* Must specify that it's a TCP packet */
if (e->ip.proto != IPPROTO_TCP ||
(e->ip.invflags & XT_INV_PROTO)) {
-   pr_info("TCP_RESET invalid for non-tcp\n");
+   pr_info_ratelimited("TCP_RESET invalid for non-tcp\n");
return -EINVAL;
}
}
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c 
b/net/ipv4/netfilter/ipt_rpfilter.c
index 5d107dd9098e..fd01f13c896a 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -105,7 +105,7 @@ static int rpfilter_check(const struct xt_mtchk_param *par)
const struct xt_rpfilter_info *info = par->matchinfo;
unsigned int options = ~XT_RPFILTER_OPTION_MASK;
if (info->flags & options) {
-   pr_info("unknown options encountered");
+   pr_info_ratelimited("unknown options\n");
return -EINVAL;
}
 
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index fa51a205918d..38dea8ff680f 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -85,14 +85,14 @@ static int reject_tg6_check(const struct xt_tgchk_param 
*par)
const struct ip6t_entry *e = par->entryinfo;
 
if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
-   pr_info("ECHOREPLY is not supported.\n");
+   pr_info_ratelimited("ECHOREPLY is not supported\n");
return -EINVAL;
} else if (rejinfo->with == IP6T_TCP_RESET) {
/* Must specify that it's a TCP packet */
if (!(e->ipv6.flags & IP6T_F_PROTO) ||
e->ipv6.proto != IPPROTO_TCP ||
(e->ipv6.invflags & XT_INV_PROTO)) {
-   pr_info("TCP_RESET illegal for non-tcp\n");
+   pr_info_ratelimited("TCP_RESET illegal for non-tcp\n");
return -EINVAL;
}
   

[PATCH v2 nf 8/9] netfilter: x_tables: use pr ratelimiting in matches/targets

2018-02-09 Thread Florian Westphal
All of these print a simple error message, so use a single pr_ratelimit call.
checkpatch complains about lines > 80 but this would require splitting
several "literals" over multiple lines which is worse.

Signed-off-by: Florian Westphal 
---
 net/netfilter/xt_HMARK.c| 17 +++--
 net/netfilter/xt_addrtype.c | 33 -
 net/netfilter/xt_policy.c   | 23 +--
 3 files changed, 40 insertions(+), 33 deletions(-)

diff --git a/net/netfilter/xt_HMARK.c b/net/netfilter/xt_HMARK.c
index dd08cc1f86c7..9c75f419cd80 100644
--- a/net/netfilter/xt_HMARK.c
+++ b/net/netfilter/xt_HMARK.c
@@ -9,6 +9,8 @@
  * the Free Software Foundation.
  */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include 
 #include 
 #include 
@@ -312,15 +314,15 @@ hmark_tg_v4(struct sk_buff *skb, const struct 
xt_action_param *par)
 static int hmark_tg_check(const struct xt_tgchk_param *par)
 {
const struct xt_hmark_info *info = par->targinfo;
+   const char *errmsg = "proto mask must be zero with L3 mode";
 
if (!info->hmodulus)
return -EINVAL;
 
if (info->proto_mask &&
-   (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))) {
-   pr_info("xt_HMARK: proto mask must be zero with L3 mode\n");
-   return -EINVAL;
-   }
+   (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3)))
+   goto err;
+
if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK) &&
(info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT_MASK) |
 XT_HMARK_FLAG(XT_HMARK_DPORT_MASK
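Review bot: `errmsg` is initialised on the `+` line to the proto-mask message, but the check that message belongs to comes several lines later and jumps to an `err:` label that lives in the next hunk, so the link between condition and text is only visible when reading both hunks together. Assigning the message inside the branch (`errmsg = "proto mask must be zero with L3 mode"; goto err;`), as the second check in the following hunk already does, would keep each message next to its condition and let the declaration start as `const char *errmsg = NULL;`. hmark_tg_check continues outside this hunk.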
@@ -329,10 +331,13 @@ static int hmark_tg_check(const struct xt_tgchk_param 
*par)
if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI) &&
(info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT) |
 XT_HMARK_FLAG(XT_HMARK_DPORT {
-   pr_info("xt_HMARK: spi-set and port-set can't be combined\n");
-   return -EINVAL;
+   errmsg = "spi-set and port-set can't be combined";
+   goto err;
}
return 0;
+err:
+   pr_info_ratelimited("%s\n", errmsg);
+   return -EINVAL;
 }
 
 static struct xt_target hmark_tg_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
index 911a7c0da504..89e281b3bfc2 100644
--- a/net/netfilter/xt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@@ -164,48 +164,47 @@ addrtype_mt_v1(const struct sk_buff *skb, struct 
xt_action_param *par)
 
 static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
 {
+   const char *errmsg = "both incoming and outgoing interface limitation 
cannot be selected";
struct xt_addrtype_info_v1 *info = par->matchinfo;
 
if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN &&
-   info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
-   pr_info("both incoming and outgoing "
-   "interface limitation cannot be selected\n");
-   return -EINVAL;
-   }
+   info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
+   goto err;
 
if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_LOCAL_IN)) &&
info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
-   pr_info("output interface limitation "
-   "not valid in PREROUTING and INPUT\n");
-   return -EINVAL;
+   errmsg = "output interface limitation not valid in PREROUTING 
and INPUT";
+   goto err;
}
 
if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_OUT)) &&
info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) {
-   pr_info("input interface limitation "
-   "not valid in POSTROUTING and OUTPUT\n");
-   return -EINVAL;
+   errmsg = "input interface limitation not valid in POSTROUTING 
and OUTPUT";
+   goto err;
}
 
 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
if (par->family == NFPROTO_IPV6) {
if ((info->source | info->dest) & XT_ADDRTYPE_BLACKHOLE) {
-   pr_err("ipv6 BLACKHOLE matching not supported\n");
-   return -EINVAL;
+   errmsg = "ipv6 BLACKHOLE matching not supported";
+   goto err;
}
if ((info->source | info->dest) >= XT_ADDRTYPE_PROHIBIT) {
-   pr_err("ipv6 PROHIBIT (THROW, NAT ..) matching not 
supported\n");
-   return -EINVAL;
+   errmsg = "ipv6 PROHIBIT (THROW, NAT ..) matching not 
supported";
+   goto err;
}
if ((info->source | info->dest) & XT_ADDRTYPE_BROADCAST) {
-   pr_err("ipv6 does not support BROADCAST matching\n");
-   return -EINVAL;
+   errmsg = "ipv6 

[PATCH v2 nf 7/9] netfilter: x_tables: rate-limit table mismatch warnings

2018-02-09 Thread Florian Westphal
Signed-off-by: Florian Westphal 
---
no changes.

 net/ipv4/netfilter/ipt_rpfilter.c  | 4 ++--
 net/ipv6/netfilter/ip6t_rpfilter.c | 4 ++--
 net/netfilter/xt_CONNSECMARK.c | 4 ++--
 net/netfilter/xt_SECMARK.c | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_rpfilter.c 
b/net/ipv4/netfilter/ipt_rpfilter.c
index 37fb9552e858..5d107dd9098e 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -111,8 +111,8 @@ static int rpfilter_check(const struct xt_mtchk_param *par)
 
if (strcmp(par->table, "mangle") != 0 &&
strcmp(par->table, "raw") != 0) {
-   pr_info("match only valid in the \'raw\' "
-   "or \'mangle\' tables, not \'%s\'.\n", par->table);
+   pr_info_ratelimited("only valid in \'raw\' or \'mangle\' table, 
not \'%s\'\n",
+   par->table);
return -EINVAL;
}
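Review bot: The new format string on the `+` lines keeps the `\'` escapes around raw and mangle; a single quote needs no escaping inside a C string literal, so `pr_info_ratelimited("only valid in 'raw' or 'mangle' table, not '%s'\n", par->table);` reads cleaner and is what checkpatch-style review would ask for. The same applies to the ip6t_rpfilter.c, xt_CONNSECMARK.c and xt_SECMARK.c hunks in this patch, which carry the same escapes. rpfilter_check starts outside the hunk.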
 
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c 
b/net/ipv6/netfilter/ip6t_rpfilter.c
index b12e61b7b16c..ddf3111f9810 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -109,8 +109,8 @@ static int rpfilter_check(const struct xt_mtchk_param *par)
 
if (strcmp(par->table, "mangle") != 0 &&
strcmp(par->table, "raw") != 0) {
-   pr_info("match only valid in the \'raw\' "
-   "or \'mangle\' tables, not \'%s\'.\n", par->table);
+   pr_info_ratelimited("only valid in \'raw\' or \'mangle\' table, 
not \'%s\'\n",
+   par->table);
return -EINVAL;
}
 
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index da56c06a443c..6f30cd399e42 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -91,8 +91,8 @@ static int connsecmark_tg_check(const struct xt_tgchk_param 
*par)
 
if (strcmp(par->table, "mangle") != 0 &&
strcmp(par->table, "security") != 0) {
-   pr_info("target only valid in the \'mangle\' "
-   "or \'security\' tables, not \'%s\'.\n", par->table);
+   pr_info_ratelimited("only valid in \'mangle\' or \'security\' 
table, not \'%s\'\n",
+   par->table);
return -EINVAL;
}
 
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 9faf5e050b79..5c5cd782fab5 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -86,8 +86,8 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
 
if (strcmp(par->table, "mangle") != 0 &&
strcmp(par->table, "security") != 0) {
-   pr_info("target only valid in the \'mangle\' "
-   "or \'security\' tables, not \'%s\'.\n", par->table);
+   pr_info_ratelimited("only valid in \'mangle\' or \'security\' 
table, not \'%s\'\n",
+   par->table);
return -EINVAL;
}
 
-- 
2.13.6



[PATCH v2 nf 1/9] netfilter: x_tables: remove pr_info where possible

2018-02-09 Thread Florian Westphal
Remove several pr_info messages that cannot be triggered with iptables;
the check is only there to ensure the input is sane.

iptables(8) already prints error messages in these cases.

Signed-off-by: Florian Westphal 
---
 Changes since v2:
  - remove a few more pr_info (dscp, checksum)
 net/ipv4/netfilter/ipt_ECN.c | 10 --
 net/netfilter/xt_CHECKSUM.c  |  5 ++---
 net/netfilter/xt_DSCP.c  |  4 +---
 net/netfilter/xt_HL.c| 13 +++--
 net/netfilter/xt_HMARK.c | 10 --
 net/netfilter/xt_LED.c   |  4 +---
 net/netfilter/xt_dscp.c  |  4 +---
 7 files changed, 16 insertions(+), 34 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 270765236f5e..39ff167e6d86 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -98,14 +98,12 @@ static int ecn_tg_check(const struct xt_tgchk_param *par)
const struct ipt_ECN_info *einfo = par->targinfo;
const struct ipt_entry *e = par->entryinfo;
 
-   if (einfo->operation & IPT_ECN_OP_MASK) {
-   pr_info("unsupported ECN operation %x\n", einfo->operation);
+   if (einfo->operation & IPT_ECN_OP_MASK)
return -EINVAL;
-   }
-   if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
-   pr_info("new ECT codepoint %x out of mask\n", einfo->ip_ect);
+
+   if (einfo->ip_ect & ~IPT_ECN_IP_MASK)
return -EINVAL;
-   }
+
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
(e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
pr_info("cannot use TCP operations on a non-tcp rule\n");
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
index 0f642ef8cd26..ea3c5701fb0f 100644
--- a/net/netfilter/xt_CHECKSUM.c
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -39,10 +39,9 @@ static int checksum_tg_check(const struct xt_tgchk_param 
*par)
pr_info("unsupported CHECKSUM operation %x\n", 
einfo->operation);
return -EINVAL;
}
-   if (!einfo->operation) {
-   pr_info("no CHECKSUM operation enabled\n");
+   if (!einfo->operation)
return -EINVAL;
-   }
+
return 0;
 }
 
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 3f83d38c4e5b..098ed851b7a7 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -66,10 +66,8 @@ static int dscp_tg_check(const struct xt_tgchk_param *par)
 {
const struct xt_DSCP_info *info = par->targinfo;
 
-   if (info->dscp > XT_DSCP_MAX) {
-   pr_info("dscp %x out of range\n", info->dscp);
+   if (info->dscp > XT_DSCP_MAX)
return -EDOM;
-   }
return 0;
 }
 
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 1535e87ed9bd..4653b071bed4 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -105,10 +105,8 @@ static int ttl_tg_check(const struct xt_tgchk_param *par)
 {
const struct ipt_TTL_info *info = par->targinfo;
 
-   if (info->mode > IPT_TTL_MAXMODE) {
-   pr_info("TTL: invalid or unknown mode %u\n", info->mode);
+   if (info->mode > IPT_TTL_MAXMODE)
return -EINVAL;
-   }
if (info->mode != IPT_TTL_SET && info->ttl == 0)
return -EINVAL;
return 0;
@@ -118,15 +116,10 @@ static int hl_tg6_check(const struct xt_tgchk_param *par)
 {
const struct ip6t_HL_info *info = par->targinfo;
 
-   if (info->mode > IP6T_HL_MAXMODE) {
-   pr_info("invalid or unknown mode %u\n", info->mode);
+   if (info->mode > IP6T_HL_MAXMODE)
return -EINVAL;
-   }
-   if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
-   pr_info("increment/decrement does not "
-   "make sense with value 0\n");
+   if (info->mode != IP6T_HL_SET && info->hop_limit == 0)
return -EINVAL;
-   }
return 0;
 }
 
diff --git a/net/netfilter/xt_HMARK.c b/net/netfilter/xt_HMARK.c
index 60e6dbe12460..dd08cc1f86c7 100644
--- a/net/netfilter/xt_HMARK.c
+++ b/net/netfilter/xt_HMARK.c
@@ -313,10 +313,9 @@ static int hmark_tg_check(const struct xt_tgchk_param *par)
 {
const struct xt_hmark_info *info = par->targinfo;
 
-   if (!info->hmodulus) {
-   pr_info("xt_HMARK: hash modulus can't be zero\n");
+   if (!info->hmodulus)
return -EINVAL;
-   }
+
if (info->proto_mask &&
(info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))) {
pr_info("xt_HMARK: proto mask must be zero with L3 mode\n");
@@ -324,10 +323,9 @@ static int hmark_tg_check(const struct xt_tgchk_param *par)
}
if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK) &&
(info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT_MASK) |
-XT_HMARK_FLAG(XT_HMARK_DPORT_MASK {
-   pr_info("xt_HMARK: 

[PATCH v2 nf 2/9] netfilter: x_tables: use pr ratelimiting in xt core

2018-02-09 Thread Florian Westphal
most messages are converted to info, since they occur in response to
wrong usage.

Size mismatch however is a real error (xtables ABI bug) that should not
occur.

Signed-off-by: Florian Westphal 
---
 changes since v1:
  - use info (not err) for most cases.
 net/netfilter/x_tables.c | 70 +++-
 1 file changed, 34 insertions(+), 36 deletions(-)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 97e06a04c0d4..fa1655aff8d3 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -434,36 +434,35 @@ int xt_check_match(struct xt_mtchk_param *par,
 * ebt_among is exempt from centralized matchsize checking
 * because it uses a dynamic-size data set.
 */
-   pr_err("%s_tables: %s.%u match: invalid size "
-  "%u (kernel) != (user) %u\n",
-  xt_prefix[par->family], par->match->name,
-  par->match->revision,
-  XT_ALIGN(par->match->matchsize), size);
+   pr_err_ratelimited("%s_tables: %s.%u match: invalid size %u 
(kernel) != (user) %u\n",
+  xt_prefix[par->family], par->match->name,
+  par->match->revision,
+  XT_ALIGN(par->match->matchsize), size);
return -EINVAL;
}
if (par->match->table != NULL &&
strcmp(par->match->table, par->table) != 0) {
-   pr_err("%s_tables: %s match: only valid in %s table, not %s\n",
-  xt_prefix[par->family], par->match->name,
-  par->match->table, par->table);
+   pr_info_ratelimited("%s_tables: %s match: only valid in %s 
table, not %s\n",
+   xt_prefix[par->family], par->match->name,
+   par->match->table, par->table);
return -EINVAL;
}
if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
char used[64], allow[64];
 
-   pr_err("%s_tables: %s match: used from hooks %s, but only "
-  "valid from %s\n",
-  xt_prefix[par->family], par->match->name,
-  textify_hooks(used, sizeof(used), par->hook_mask,
-par->family),
-  textify_hooks(allow, sizeof(allow), par->match->hooks,
-par->family));
+   pr_info_ratelimited("%s_tables: %s match: used from hooks %s, 
but only valid from %s\n",
+   xt_prefix[par->family], par->match->name,
+   textify_hooks(used, sizeof(used),
+ par->hook_mask, par->family),
+   textify_hooks(allow, sizeof(allow),
+ par->match->hooks,
+ par->family));
return -EINVAL;
}
if (par->match->proto && (par->match->proto != proto || inv_proto)) {
-   pr_err("%s_tables: %s match: only valid for protocol %u\n",
-  xt_prefix[par->family], par->match->name,
-  par->match->proto);
+   pr_info_ratelimited("%s_tables: %s match: only valid for 
protocol %u\n",
+   xt_prefix[par->family], par->match->name,
+   par->match->proto);
return -EINVAL;
}
if (par->match->checkentry != NULL) {
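Review bot: The rate-limit state behind `pr_info_ratelimited()` is, as far as I know, a static per-call-site state rather than a per-netns one, so a burst of rejected rules from one network namespace can suppress the table/hook/protocol diagnostics for every other namespace until the interval expires. That is the trade-off the cover letter argues for, but it deserves to be explicit next to the first converted call, e.g. `/* ratelimit state is global, not per-netns: a noisy namespace can suppress these for others */`. Keeping the size-mismatch message at err level is right, since that path signals an ABI mismatch rather than a usage error. xt_check_match continues outside the hunk.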
@@ -814,36 +813,35 @@ int xt_check_target(struct xt_tgchk_param *par,
int ret;
 
if (XT_ALIGN(par->target->targetsize) != size) {
-   pr_err("%s_tables: %s.%u target: invalid size "
-  "%u (kernel) != (user) %u\n",
-  xt_prefix[par->family], par->target->name,
-  par->target->revision,
-  XT_ALIGN(par->target->targetsize), size);
+   pr_err_ratelimited("%s_tables: %s.%u target: invalid size %u 
(kernel) != (user) %u\n",
+  xt_prefix[par->family], par->target->name,
+  par->target->revision,
+  XT_ALIGN(par->target->targetsize), size);
return -EINVAL;
}
if (par->target->table != NULL &&
strcmp(par->target->table, par->table) != 0) {
-   pr_err("%s_tables: %s target: only valid in %s table, not %s\n",
-  xt_prefix[par->family], par->target->name,
-  par->target->table, par->table);
+   pr_info_ratelimited("%s_tables: %s target: only valid in %s 
table, not %s\n",
+   xt_prefix[par->family], 

[PATCH v2 nf 5/9] netfilter: xt_set: use pr ratelimiting

2018-02-09 Thread Florian Westphal
also convert this to info for consistency.
These errors are informational messages to the user, given that iptables
doesn't have a netlink extack equivalent.

Signed-off-by: Florian Westphal 
---
 patch is new in v2 (split away from different patch).
 net/netfilter/xt_set.c | 50 +-
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 16b6b11ee83f..6f4c5217d835 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -92,12 +92,12 @@ set_match_v0_checkentry(const struct xt_mtchk_param *par)
index = ip_set_nfnl_get_byindex(par->net, info->match_set.index);
 
if (index == IPSET_INVALID_ID) {
-   pr_warn("Cannot find set identified by id %u to match\n",
-   info->match_set.index);
+   pr_info_ratelimited("Cannot find set identified by id %u to 
match\n",
+   info->match_set.index);
return -ENOENT;
}
if (info->match_set.u.flags[IPSET_DIM_MAX - 1] != 0) {
-   pr_warn("Protocol error: set match dimension is over the 
limit!\n");
+   pr_info_ratelimited("set match dimension is over the limit!\n");
ip_set_nfnl_put(par->net, info->match_set.index);
return -ERANGE;
}
@@ -143,12 +143,12 @@ set_match_v1_checkentry(const struct xt_mtchk_param *par)
index = ip_set_nfnl_get_byindex(par->net, info->match_set.index);
 
if (index == IPSET_INVALID_ID) {
-   pr_warn("Cannot find set identified by id %u to match\n",
-   info->match_set.index);
+   pr_info_ratelimited("Cannot find set identified by id %u to 
match\n",
+   info->match_set.index);
return -ENOENT;
}
if (info->match_set.dim > IPSET_DIM_MAX) {
-   pr_warn("Protocol error: set match dimension is over the 
limit!\n");
+   pr_info_ratelimited("set match dimension is over the limit!\n");
ip_set_nfnl_put(par->net, info->match_set.index);
return -ERANGE;
}
@@ -241,8 +241,8 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
if (info->add_set.index != IPSET_INVALID_ID) {
index = ip_set_nfnl_get_byindex(par->net, info->add_set.index);
if (index == IPSET_INVALID_ID) {
-   pr_warn("Cannot find add_set index %u as target\n",
-   info->add_set.index);
+   pr_info_ratelimited("Cannot find add_set index %u as 
target\n",
+   info->add_set.index);
return -ENOENT;
}
}
@@ -250,8 +250,8 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
if (info->del_set.index != IPSET_INVALID_ID) {
index = ip_set_nfnl_get_byindex(par->net, info->del_set.index);
if (index == IPSET_INVALID_ID) {
-   pr_warn("Cannot find del_set index %u as target\n",
-   info->del_set.index);
+   pr_info_ratelimited("Cannot find del_set index %u as 
target\n",
+   info->del_set.index);
if (info->add_set.index != IPSET_INVALID_ID)
ip_set_nfnl_put(par->net, info->add_set.index);
return -ENOENT;
@@ -259,7 +259,7 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
}
if (info->add_set.u.flags[IPSET_DIM_MAX - 1] != 0 ||
info->del_set.u.flags[IPSET_DIM_MAX - 1] != 0) {
-   pr_warn("Protocol error: SET target dimension is over the 
limit!\n");
+   pr_info_ratelimited("SET target dimension over the limit!\n");
if (info->add_set.index != IPSET_INVALID_ID)
ip_set_nfnl_put(par->net, info->add_set.index);
if (info->del_set.index != IPSET_INVALID_ID)
@@ -316,8 +316,8 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par)
if (info->add_set.index != IPSET_INVALID_ID) {
index = ip_set_nfnl_get_byindex(par->net, info->add_set.index);
if (index == IPSET_INVALID_ID) {
-   pr_warn("Cannot find add_set index %u as target\n",
-   info->add_set.index);
+   pr_info_ratelimited("Cannot find add_set index %u as 
target\n",
+   info->add_set.index);
return -ENOENT;
}
}
@@ -325,8 +325,8 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par)
if (info->del_set.index != IPSET_INVALID_ID) {
index = ip_set_nfnl_get_byindex(par->net, info->del_set.index);
if 

[PATCH v2 nf 6/9] netfilter: bridge: use pr ratelimiting

2018-02-09 Thread Florian Westphal
ebt_among still uses pr_err -- these errors indicate ebtables tool bug,
not a usage error.

Signed-off-by: Florian Westphal 
---
 patch is new in v2 (split away from different patch).

 net/bridge/netfilter/ebt_among.c | 10 +-
 net/bridge/netfilter/ebt_limit.c |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index 279527f8b1fe..ce7152a12bd8 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -187,17 +187,17 @@ static int ebt_among_mt_check(const struct xt_mtchk_param 
*par)
expected_length += ebt_mac_wormhash_size(wh_src);
 
if (em->match_size != EBT_ALIGN(expected_length)) {
-   pr_info("wrong size: %d against expected %d, rounded to %zd\n",
-   em->match_size, expected_length,
-   EBT_ALIGN(expected_length));
+   pr_err_ratelimited("wrong size: %d against expected %d, rounded 
to %zd\n",
+  em->match_size, expected_length,
+  EBT_ALIGN(expected_length));
return -EINVAL;
}
if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) {
-   pr_info("dst integrity fail: %x\n", -err);
+   pr_err_ratelimited("dst integrity fail: %x\n", -err);
return -EINVAL;
}
if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) {
-   pr_info("src integrity fail: %x\n", -err);
+   pr_err_ratelimited("src integrity fail: %x\n", -err);
return -EINVAL;
}
return 0;
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 61a9f1be1263..165b9d678cf1 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -72,8 +72,8 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param 
*par)
/* Check for overflow. */
if (info->burst == 0 ||
user2credits(info->avg * info->burst) < user2credits(info->avg)) {
-   pr_info("overflow, try lower: %u/%u\n",
-   info->avg, info->burst);
+   pr_info_ratelimited("overflow, try lower: %u/%u\n",
+   info->avg, info->burst);
return -EINVAL;
}
 
-- 
2.13.6



[PATCH v2 nf 4/9] netfilter: xt_NFQUEUE: use pr ratelimiting

2018-02-09 Thread Florian Westphal
switch this to info, since these aren't really errors.
We only use printk because we cannot report meaningful errors
in the xtables framework.

Signed-off-by: Florian Westphal 
---
 Patch is new in v2.
 net/netfilter/xt_NFQUEUE.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index a360b99a958a..a9aca80a32ae 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -8,6 +8,8 @@
  *
  */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include 
 #include 
 
@@ -67,13 +69,13 @@ static int nfqueue_tg_check(const struct xt_tgchk_param 
*par)
init_hashrandom(_initval);
 
if (info->queues_total == 0) {
-   pr_err("NFQUEUE: number of total queues is 0\n");
+   pr_info_ratelimited("number of total queues is 0\n");
return -EINVAL;
}
maxid = info->queues_total - 1 + info->queuenum;
if (maxid > 0x) {
-   pr_err("NFQUEUE: number of queues (%u) out of range (got %u)\n",
-  info->queues_total, maxid);
+   pr_info_ratelimited("number of queues (%u) out of range (got 
%u)\n",
+   info->queues_total, maxid);
return -ERANGE;
}
if (par->target->revision == 2 && info->flags > 1)
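Review bot: Dropping the hard-coded `NFQUEUE: ` prefix from the two messages changes what reaches the log: with the `pr_fmt` added in the first hunk the prefix becomes KBUILD_MODNAME, presumably `xt_NFQUEUE: `, so anything matching on the old string (log-based alerting, test expectations) stops matching. That is worth a sentence in the commit message, e.g. `Log prefix changes from "NFQUEUE:" to the module name via pr_fmt.` nfqueue_tg_check starts outside the hunk.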
-- 
2.13.6



[PATCH v2 nf 0/9] netfilter: x_tables: use printk ratelimiting

2018-02-09 Thread Florian Westphal
Aeons ago, before namespaces, there was no need to ratelimit this:
all of these error messages got triggered in response to iptables
commands, which need CAP_NET_ADMIN.

Nowadays we have namespaces, so its better to ratelimit these.
This should also help fuzzing (syzkaller), as it can generate a large
volume of error messages (which are useless there).

First patch get rid of printks that should never be triggered, as userland
doesn't generate such malformed rules.

The other patches convert all matches/targets.

In some cases, modules used pr_err() for errors that are just a
hint to the user as to why the rule was rejected, so this uses
pr_info_ratelimited everywhere.

Only exceptions are when the error appears to be due to a bug, i.e.
ABI breakage and other incompatible changes that should not happen.

Note that most patches introduce overly long lines, but splitting these
would make it necessary to split the error messages which is worse.

 46 files changed, 264 insertions(+), 262 deletions(-)


[PATCH v2 nf 3/9] netfilter: xt_CT: use pr ratelimiting

2018-02-09 Thread Florian Westphal
checkpatch complains about line > 80 but this would require splitting
"literal" over two lines which is worse.

Signed-off-by: Florian Westphal 
---
 no changes since v1.
 net/netfilter/xt_CT.c | 25 +
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 5a152e2acfd5..8790190c6feb 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -82,15 +82,14 @@ xt_ct_set_helper(struct nf_conn *ct, const char 
*helper_name,
 
proto = xt_ct_find_proto(par);
if (!proto) {
-   pr_info("You must specify a L4 protocol, and not use "
-   "inversions on it.\n");
+   pr_info_ratelimited("You must specify a L4 protocol and not use 
inversions on it\n");
return -ENOENT;
}
 
helper = nf_conntrack_helper_try_module_get(helper_name, par->family,
proto);
if (helper == NULL) {
-   pr_info("No such helper \"%s\"\n", helper_name);
+   pr_info_ratelimited("No such helper \"%s\"\n", helper_name);
return -ENOENT;
}
 
@@ -124,6 +123,7 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct 
xt_tgchk_param *par,
const struct nf_conntrack_l4proto *l4proto;
struct ctnl_timeout *timeout;
struct nf_conn_timeout *timeout_ext;
+   const char *errmsg = NULL;
int ret = 0;
u8 proto;
 
@@ -131,29 +131,29 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct 
xt_tgchk_param *par,
timeout_find_get = rcu_dereference(nf_ct_timeout_find_get_hook);
if (timeout_find_get == NULL) {
ret = -ENOENT;
-   pr_info("Timeout policy base is empty\n");
+   errmsg = "Timeout policy base is empty";
goto out;
}
 
proto = xt_ct_find_proto(par);
if (!proto) {
ret = -EINVAL;
-   pr_info("You must specify a L4 protocol, and not use "
-   "inversions on it.\n");
+   errmsg = "You must specify a L4 protocol and not use inversions 
on it";
goto out;
}
 
timeout = timeout_find_get(par->net, timeout_name);
if (timeout == NULL) {
ret = -ENOENT;
-   pr_info("No such timeout policy \"%s\"\n", timeout_name);
+   pr_info_ratelimited("No such timeout policy \"%s\"\n",
+   timeout_name);
goto out;
}
 
if (timeout->l3num != par->family) {
ret = -EINVAL;
-   pr_info("Timeout policy `%s' can only be used by L3 protocol "
-   "number %d\n", timeout_name, timeout->l3num);
+   pr_info_ratelimited("Timeout policy `%s' can only be used by 
L%d protocol number %d\n",
+   timeout_name, 3, timeout->l3num);
goto err_put_timeout;
}
/* Make sure the timeout policy matches any existing protocol tracker,
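Review bot: The hunk mixes two reporting paths: the argument-less messages are stored in `errmsg` and printed after `rcu_read_unlock()` in a later hunk, while `No such timeout policy` and the `L%d protocol number` message are printed inline under the RCU read lock, so a reader has to work out whether the deferral is a locking requirement or just a way to share one call. A comment at the `errmsg` declaration in the previous hunk, e.g. `/* printed once at out:; messages with arguments are printed inline */`, would settle that. Passing the literal `3` (and `4` in the next hunk) as a `%d` argument only to share the format string is unusual enough to deserve a `/* same format string as the L4 check below */` comment. xt_ct_set_timeout starts and ends outside the hunk.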
@@ -162,9 +162,8 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct 
xt_tgchk_param *par,
l4proto = __nf_ct_l4proto_find(par->family, proto);
if (timeout->l4proto->l4proto != l4proto->l4proto) {
ret = -EINVAL;
-   pr_info("Timeout policy `%s' can only be used by L4 protocol "
-   "number %d\n",
-   timeout_name, timeout->l4proto->l4proto);
+   pr_info_ratelimited("Timeout policy `%s' can only be used by 
L%d protocol number %d\n",
+   timeout_name, 4, timeout->l4proto->l4proto);
goto err_put_timeout;
}
timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC);
@@ -180,6 +179,8 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct 
xt_tgchk_param *par,
__xt_ct_tg_timeout_put(timeout);
 out:
rcu_read_unlock();
+   if (errmsg)
+   pr_info_ratelimited("%s\n", errmsg);
return ret;
 #else
return -EOPNOTSUPP;
-- 
2.13.6



[PATCH] src: fix build with older glibc

2018-02-09 Thread Baruch Siach
glibc before 2.19 missed the definition of IPPROTO_MH. This leads to
build failure:

parser_bison.y: In function 'nft_parse':
parser_bison.y:3793:21: error: 'IPPROTO_MH' undeclared (first use in this 
function)
| MH { $$ = IPPROTO_MH; }
 ^

Since we have a local definition of IPPROTO_MH in headers.h, use that to
fix the build.

Signed-off-by: Baruch Siach 
---
 src/parser_bison.y | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 2e79109f4da3..578bfdc10429 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -29,6 +29,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
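Review bot: Relying on the local IPPROTO_MH definition means the added include has to coexist with glibc 2.19 and later, which do define IPPROTO_MH; unless headers.h guards its definition with `#ifndef IPPROTO_MH`, the build this commit fixes for old glibc would fail on new glibc with a redefinition error. The commit message only says that a local definition exists, so that guard should be confirmed and stated, e.g. `headers.h defines IPPROTO_MH under #ifndef, so the include is safe on newer glibc.`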
-- 
2.15.1
