From patchwork Wed Dec 17 08:26:22 2008 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jozsef Kadlecsik X-Patchwork-Id: 14436 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by ozlabs.org (Postfix) with ESMTP id 2EF76DDF46 for ; Wed, 17 Dec 2008 19:26:33 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753555AbYLQI02 (ORCPT ); Wed, 17 Dec 2008 03:26:28 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752401AbYLQI02 (ORCPT ); Wed, 17 Dec 2008 03:26:28 -0500 Received: from smtp-in.kfki.hu ([148.6.0.28]:42677 "EHLO smtp2.kfki.hu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751548AbYLQI00 (ORCPT ); Wed, 17 Dec 2008 03:26:26 -0500 Received: from localhost (localhost [127.0.0.1]) by smtp2.kfki.hu (Postfix) with ESMTP id B568D1F41C8; Wed, 17 Dec 2008 09:26:24 +0100 (CET) Received: from smtp2.kfki.hu ([127.0.0.1]) by localhost (smtp2.kfki.hu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12485-02; Wed, 17 Dec 2008 09:26:24 +0100 (CET) Received: from blackhole.kfki.hu (blackhole.kfki.hu [148.6.0.114]) by smtp2.kfki.hu (Postfix) with ESMTP id 542EA1F41C6; Wed, 17 Dec 2008 09:26:22 +0100 (CET) Received: by blackhole.kfki.hu (Postfix, from userid 1000) id 3EF52BBFC9; Wed, 17 Dec 2008 09:26:22 +0100 (CET) Date: Wed, 17 Dec 2008 09:26:22 +0100 (CET) 
From: Jozsef Kadlecsik To: Jan Engelhardt cc: Dave Jones , David Miller , ajax@redhat.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, Patrick McHardy Subject: Re: [PATCH] net: Remove a noisy printk In-Reply-To: Message-ID: References: <1229033625-30825-1-git-send-email-ajax@redhat.com> <20081211.203243.124017657.davem@davemloft.net> <20081214200353.GA2994@redhat.com> User-Agent: Alpine 2.00 (DEB 1167 2008-08-23) MIME-Version: 1.0 X-Virus-Scanned: Debian amavisd-new at smtp2.kfki.hu Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org On Tue, 16 Dec 2008, Jan Engelhardt wrote: > Here is a patch that attempts silence both the fraction > that wants to keep the printk and those to get rid of it. > It trips up on the bloatmeters, though. Based on your patch, here is another one: the printk is removed from everywhere except the filter tables where it's controlled by the module parameter. The checking against short packets was missing from ip6table_raw.c, so it's added as well. Bests regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary --- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c index 1ea677d..9527e2a 100644 --- a/net/ipv4/netfilter/iptable_filter.c +++ b/net/ipv4/netfilter/iptable_filter.c 
@@ -19,6 +19,10 @@ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Netfilter Core Team "); MODULE_DESCRIPTION("iptables filter table"); +/* Default log short RAW packets */ +static unsigned int happy_cracking = 1; +module_param(happy_cracking, bool, 0400); + #define FILTER_VALID_HOOKS ((1 << NF_INET_LOCAL_IN) | \ (1 << NF_INET_FORWARD) | \ (1 << NF_INET_LOCAL_OUT)) @@ -94,7 +98,8 @@ ipt_local_out_hook(unsigned int hook, /* root is playing with raw sockets. */ if (skb->len < sizeof(struct iphdr) || ip_hdrlen(skb) < sizeof(struct iphdr)) { - if (net_ratelimit()) + if (happy_cracking && net_ratelimit()) + /* FIXME: log process pid */ printk("iptable_filter: ignoring short SOCK_RAW " "packet.\n"); return NF_ACCEPT; diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c index da59182..773d6ed 100644 --- a/net/ipv4/netfilter/iptable_mangle.c +++ b/net/ipv4/netfilter/iptable_mangle.c @@ -132,12 +132,8 @@ ipt_local_hook(unsigned int hook, /* root is playing with raw sockets. */ if (skb->len < sizeof(struct iphdr) - || ip_hdrlen(skb) < sizeof(struct iphdr)) { - if (net_ratelimit()) - printk("iptable_mangle: ignoring short SOCK_RAW " - "packet.\n"); + || ip_hdrlen(skb) < sizeof(struct iphdr)) return NF_ACCEPT; - } /* Save things which could affect route */ mark = skb->mark; diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c index fddce77..71547fa 100644 --- a/net/ipv4/netfilter/iptable_raw.c +++ b/net/ipv4/netfilter/iptable_raw.c @@ -65,12 +65,8 @@ ipt_local_hook(unsigned int hook, { /* root is playing with raw sockets. */ if (skb->len < sizeof(struct iphdr) || - ip_hdrlen(skb) < sizeof(struct iphdr)) { - if (net_ratelimit()) - printk("iptable_raw: ignoring short SOCK_RAW " - "packet.\n"); + ip_hdrlen(skb) < sizeof(struct iphdr)) return NF_ACCEPT; - } return ipt_do_table(skb, hook, in, out, nf_local_out_net(in, out)->ipv4.iptable_raw); } 
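Review bot: The new `happy_cracking` parameter in iptable_filter.c has no `MODULE_PARM_DESC`, and its name gives no hint that it gates the short-SOCK_RAW log line, so an administrator reading `modinfo` cannot tell what it does. I would add `MODULE_PARM_DESC(happy_cracking, "Log short SOCK_RAW packets on LOCAL_OUT (default 1)");` and reword the comment to `/* Log short SOCK_RAW packets by default */`. The variable is declared `unsigned int` while the parameter type is `bool`; it is worth confirming that this tree's bool handler accepts that type. Mode 0400 means the value cannot be changed through sysfs after load, which may be intended but should be stated in the description. The identical declaration in ip6table_filter.c needs the same treatment.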
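Review bot: In the `ipt_local_out_hook` hunk of iptable_filter.c, the `/* FIXME: log process pid */` comment sits between the unbraced `if (happy_cracking && net_ratelimit())` and the `printk` it guards, so a later edit could easily detach the call from its condition. Brace the body and move the FIXME above the condition: `if (happy_cracking && net_ratelimit()) {` ... `}`. The `printk` carries no `KERN_` level; since the line is already being touched, `printk(KERN_INFO "iptable_filter: ignoring short SOCK_RAW packet.\n");` would make the severity explicit. The `ip6t_local_out_hook` hunk in ip6table_filter.c has the same shape, and both function bodies continue outside their hunks.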
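Review bot: After the iptable_mangle.c hunk, a short SOCK_RAW packet leaves `ipt_local_hook` with `NF_ACCEPT` and no log line. The only remaining record that such a packet bypassed a table is the iptable_filter message, and only when that module is loaded with `happy_cracking` left at 1. If that dependency is intended, record it next to the check, for example `/* Too short to parse: accept without consulting the table; only iptable_filter logs this */`. The same applies to the iptable_raw.c hunk (where the early return visibly precedes `ipt_do_table`), to both nf_conntrack_l3proto hunks and to ip6table_mangle.c. The enclosing function in iptable_mangle.c continues past the hunk, so the table call itself is not visible here.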
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 7eb0b61..d20c0a0 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c @@ -185,11 +185,8 @@ static unsigned int ipv4_conntrack_local(unsigned int hooknum, { /* root is playing with raw sockets. */ if (skb->len < sizeof(struct iphdr) || - ip_hdrlen(skb) < sizeof(struct iphdr)) { - if (net_ratelimit()) - printk("ipt_hook: happy cracking.\n"); + ip_hdrlen(skb) < sizeof(struct iphdr)) return NF_ACCEPT; - } return nf_conntrack_in(PF_INET, hooknum, skb); } diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c index 55a2c29..a74b0e6 100644 --- a/net/ipv6/netfilter/ip6table_filter.c +++ b/net/ipv6/netfilter/ip6table_filter.c @@ -17,6 +17,10 @@ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Netfilter Core Team "); MODULE_DESCRIPTION("ip6tables filter table"); +/* Default log short RAW packets */ +static unsigned int happy_cracking = 1; +module_param(happy_cracking, bool, 0400); + #define FILTER_VALID_HOOKS ((1 << NF_INET_LOCAL_IN) | \ (1 << NF_INET_FORWARD) | \ (1 << NF_INET_LOCAL_OUT)) @@ -89,15 +93,14 @@ ip6t_local_out_hook(unsigned int hook, const struct net_device *out, int (*okfn)(struct sk_buff *)) { -#if 0 /* root is playing with raw sockets. */ - if (skb->len < sizeof(struct iphdr) - || ip_hdrlen(skb) < sizeof(struct iphdr)) { - if (net_ratelimit()) - printk("ip6t_hook: happy cracking.\n"); + if (skb->len < sizeof(struct ipv6hdr)) { + if (happy_cracking && net_ratelimit()) + /* FIXME: log process pid */ + printk("ip6table_filter: ignoring short SOCK_RAW " + "packet.\n"); return NF_ACCEPT; } -#endif return ip6t_do_table(skb, hook, in, out, nf_local_out_net(in, out)->ipv6.ip6table_filter); diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c index f405cea..5c93909 100644 --- a/net/ipv6/netfilter/ip6table_mangle.c 
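Review bot: Removing the `#if 0` in `ip6t_local_out_hook` (ip6table_filter.c) changes more than logging: a check that was compiled out becomes live, so locally generated packets shorter than `struct ipv6hdr` now return `NF_ACCEPT` before `ip6t_do_table` is called. The commit message only mentions adding the check to ip6table_raw.c; it should also name ip6table_filter.c and ip6table_mangle.c, because the LOCAL_OUT behaviour of both changes. The inherited comment "root is playing with raw sockets" does not say why the packet is accepted rather than dropped. Something like `/* Shorter than an IPv6 header: nothing to match on, accept as the IPv4 hook does */` would help whoever audits this path later.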
+++ b/net/ipv6/netfilter/ip6table_mangle.c @@ -89,15 +89,9 @@ ip6t_local_hook(unsigned int hook, u_int8_t hop_limit; u_int32_t flowlabel, mark; -#if 0 /* root is playing with raw sockets. */ - if (skb->len < sizeof(struct iphdr) - || ip_hdrlen(skb) < sizeof(struct iphdr)) { - if (net_ratelimit()) - printk("ip6t_hook: happy cracking.\n"); + if (skb->len < sizeof(struct ipv6hdr)) return NF_ACCEPT; - } -#endif /* save source/dest address, mark, hoplimit, flowlabel, priority, */ memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr)); diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c index 92b9107..4e24ff9 100644 --- a/net/ipv6/netfilter/ip6table_raw.c +++ b/net/ipv6/netfilter/ip6table_raw.c @@ -54,6 +54,19 @@ ip6t_hook(unsigned int hook, return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_raw); } +static unsigned int +ip6t_local_hook(unsigned int hook, + struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + int (*okfn)(struct sk_buff *)) +{ + /* root is playing with raw sockets. */ + if (skb->len < sizeof(struct ipv6hdr)) + return NF_ACCEPT; + return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_raw); +} + static struct nf_hook_ops ip6t_ops[] __read_mostly = { { .hook = ip6t_hook, @@ -63,7 +76,7 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = { .owner = THIS_MODULE, }, { - .hook = ip6t_hook, + .hook = ip6t_local_hook, .pf = PF_INET6, .hooknum = NF_INET_LOCAL_OUT, .priority = NF_IP6_PRI_FIRST, diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c index 85050c0..462360e 100644 --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 
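Review bot: The new `ip6t_local_hook` in ip6table_raw.c looks the table up through `init_net.ipv6.ip6table_raw`, whereas the iptable_raw.c and ip6table_filter.c LOCAL_OUT hooks in this same patch use `nf_local_out_net(in, out)`. This matches the existing `ip6t_hook` just above it, so it may only reflect that this file is not namespace-aware yet. If the per-net table is registered in this tree, the new hook should use `nf_local_out_net(in, out)->ipv6.ip6table_raw`; otherwise add `/* table lookup is not per-netns yet, same as ip6t_hook */`. The function also needs a one-line header comment saying it exists only to let short SOCK_RAW packets on LOCAL_OUT skip the table.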
@@ -245,11 +245,8 @@ static unsigned int ipv6_conntrack_local(unsigned int hooknum, int (*okfn)(struct sk_buff *)) { /* root is playing with raw sockets. */ - if (skb->len < sizeof(struct ipv6hdr)) { - if (net_ratelimit()) - printk("ipv6_conntrack_local: packet too short\n"); + if (skb->len < sizeof(struct ipv6hdr)) return NF_ACCEPT; - } return ipv6_conntrack_in(hooknum, skb, in, out, okfn); }