From: Fernando Fernandez Mancera <fmancera@suse.de>
To: netfilter-devel@vger.kernel.org
Cc: coreteam@netfilter.org, phil@nwl.cc, fw@strlen.de,
	pablo@netfilter.org,
	Fernando Fernandez Mancera <fmancera@suse.de>
Subject: [PATCH 1/9 nf-next] netfilter: xtables: use DEBUG_NET_WARN_ON_ONCE in packet and control paths
Date: Mon,  1 Jun 2026 21:30:41 +0200	[thread overview]
Message-ID: <20260601193049.8131-2-fmancera@suse.de> (raw)
In-Reply-To: <20260601193049.8131-1-fmancera@suse.de>

Replace WARN_ON and WARN_ON_ONCE with DEBUG_NET_WARN_ON_ONCE in the
xtables matching and target execution loops. This prevents unnecessary
system panics when panic_on_warn=1 is enabled in production systems.
Also, remove a redundant hook verification WARN_ON() block in xt_NETMAP.c.

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
 net/ipv4/netfilter/ip_tables.c    |  6 +++---
 net/ipv4/netfilter/iptable_nat.c  |  4 +++-
 net/ipv6/netfilter/ip6_tables.c   |  6 +++---
 net/ipv6/netfilter/ip6table_nat.c |  4 +++-
 net/netfilter/x_tables.c          | 12 +++++++++---
 net/netfilter/xt_NETMAP.c         |  4 ----
 net/netfilter/xt_cluster.c        |  4 ++--
 net/netfilter/xt_nat.c            | 30 +++++++++++++++---------------
 net/netfilter/xt_socket.c         |  3 ++-
 9 files changed, 40 insertions(+), 33 deletions(-)

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index f917a9004a01..99d01b5c7edc 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -254,7 +254,7 @@ ipt_do_table(void *priv,
 	acpar.hotdrop = false;
 	acpar.state   = state;
 
-	WARN_ON(!(table->valid_hooks & (1 << hook)));
+	DEBUG_NET_WARN_ON_ONCE(!(table->valid_hooks & (1 << hook)));
 	local_bh_disable();
 	addend = xt_write_recseq_begin();
 	private = READ_ONCE(table->private); /* Address dependency. */
@@ -279,7 +279,7 @@ ipt_do_table(void *priv,
 		const struct xt_entry_match *ematch;
 		struct xt_counters *counter;
 
-		WARN_ON(!e);
+		DEBUG_NET_WARN_ON_ONCE(!e);
 		if (!ip_packet_match(ip, indev, outdev,
 		    &e->ip, acpar.fragoff)) {
  no_match:
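Review bot: The check on L49 never guards the `&e->ip` dereference on L51, with or without CONFIG_DEBUG_NET, so in production builds (where DEBUG_NET_WARN_ON_ONCE reduces to BUILD_BUG_ON_INVALID) a NULL entry now oopses with no preceding warning. If that trade-off is intended it is worth stating in the commit message; otherwise the check is effectively dead and could be dropped outright, as the xt_NETMAP hunk does with its hook check. The same applies to `DEBUG_NET_WARN_ON_ONCE(!t->u.kernel.target)` in the next hunk (L58) and to the matching ip6_tables.c hunks (L96, L105). ipt_do_table starts and ends outside the hunk.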
@@ -298,7 +298,7 @@ ipt_do_table(void *priv,
 		ADD_COUNTER(*counter, skb->len, 1);
 
 		t = ipt_get_target_c(e);
-		WARN_ON(!t->u.kernel.target);
+		DEBUG_NET_WARN_ON_ONCE(!t->u.kernel.target);
 
 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
 		/* The packet is traced: log it */
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index a0df72554025..bb866f076d4d 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -65,8 +65,10 @@ static int ipt_nat_register_lookups(struct net *net)
 
 	xt_nat_net = net_generic(net, iptable_nat_net_id);
 	table = xt_find_table(net, NFPROTO_IPV4, "nat");
-	if (WARN_ON_ONCE(!table))
+	if (unlikely(!table)) {
+		DEBUG_NET_WARN_ON_ONCE(1);
 		return -ENOENT;
+	}
 
 	ops = kmemdup(nf_nat_ipv4_ops, sizeof(nf_nat_ipv4_ops), GFP_KERNEL);
 	if (!ops)
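Review bot: The converted branch at L71-L74 drops the only production-visible sign that the "nat" table was not found: WARN_ON_ONCE printed once in any build, whereas DEBUG_NET_WARN_ON_ONCE(1) compiles to nothing without CONFIG_DEBUG_NET, so the lookup failure is now silent outside debug kernels. This is a one-shot registration path, so `unlikely()` buys nothing here, and a message in the style the xt_socket hunk uses, e.g. `pr_warn_once("iptable_nat: nat table not found\n");` before the return, would keep the diagnostic without the panic_on_warn exposure. The same applies to ip6table_nat.c (L118-L121) and to the three x_tables.c branches (L134-L137, L146-L149, L158-L161). ipt_nat_register_lookups continues outside the hunk.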
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index ecf79d05a51b..3147326786a5 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -275,7 +275,7 @@ ip6t_do_table(void *priv, struct sk_buff *skb,
 	acpar.hotdrop = false;
 	acpar.state   = state;
 
-	WARN_ON(!(table->valid_hooks & (1 << hook)));
+	DEBUG_NET_WARN_ON_ONCE(!(table->valid_hooks & (1 << hook)));
 
 	local_bh_disable();
 	addend = xt_write_recseq_begin();
@@ -301,7 +301,7 @@ ip6t_do_table(void *priv, struct sk_buff *skb,
 		const struct xt_entry_match *ematch;
 		struct xt_counters *counter;
 
-		WARN_ON(!e);
+		DEBUG_NET_WARN_ON_ONCE(!e);
 		acpar.thoff = 0;
 		if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
 		    &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
@@ -321,7 +321,7 @@ ip6t_do_table(void *priv, struct sk_buff *skb,
 		ADD_COUNTER(*counter, skb->len, 1);
 
 		t = ip6t_get_target_c(e);
-		WARN_ON(!t->u.kernel.target);
+		DEBUG_NET_WARN_ON_ONCE(!t->u.kernel.target);
 
 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
 		/* The packet is traced: log it */
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index c2394e2c94b5..03ed7a5803d0 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -66,8 +66,10 @@ static int ip6t_nat_register_lookups(struct net *net)
 	int i, ret;
 
 	table = xt_find_table(net, NFPROTO_IPV6, "nat");
-	if (WARN_ON_ONCE(!table))
+	if (unlikely(!table)) {
+		DEBUG_NET_WARN_ON_ONCE(1);
 		return -ENOENT;
+	}
 
 	xt_nat_net = net_generic(net, ip6table_nat_net_id);
 	ops = kmemdup(nf_nat_ipv6_ops, sizeof(nf_nat_ipv6_ops), GFP_KERNEL);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 4e6708c23922..b8b6e03a6116 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -714,8 +714,10 @@ int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)
 
 	WARN_ON(!mutex_is_locked(&xt[af].compat_mutex));
 
-	if (WARN_ON(!xp->compat_tab))
+	if (unlikely(!xp->compat_tab)) {
+		DEBUG_NET_WARN_ON_ONCE(1);
 		return -ENOMEM;
+	}
 
 	if (xp->cur >= xp->number)
 		return -EINVAL;
@@ -769,8 +771,10 @@ int xt_compat_init_offsets(u8 af, unsigned int number)
 	if (!number || number > (INT_MAX / sizeof(struct compat_delta)))
 		return -EINVAL;
 
-	if (WARN_ON(xt[af].compat_tab))
+	if (unlikely(xt[af].compat_tab)) {
+		DEBUG_NET_WARN_ON_ONCE(1);
 		return -EINVAL;
+	}
 
 	mem = sizeof(struct compat_delta) * number;
 	if (mem > XT_MAX_TABLE_SIZE)
@@ -1973,8 +1977,10 @@ int xt_register_template(const struct xt_table *table,
 	mutex_lock(&xt[af].mutex);
 
 	list_for_each_entry(t, &xt_templates[af], list) {
-		if (WARN_ON_ONCE(strcmp(table->name, t->name) == 0))
+		if (strcmp(table->name, t->name) == 0) {
+			DEBUG_NET_WARN_ON_ONCE(1);
 			goto out_unlock;
+		}
 	}
 
 	ret = -ENOMEM;
diff --git a/net/netfilter/xt_NETMAP.c b/net/netfilter/xt_NETMAP.c
index cb2ee80d84fa..180d3b2138c3 100644
--- a/net/netfilter/xt_NETMAP.c
+++ b/net/netfilter/xt_NETMAP.c
@@ -74,10 +74,6 @@ netmap_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 	const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
 	struct nf_nat_range2 newrange;
 
-	WARN_ON(xt_hooknum(par) != NF_INET_PRE_ROUTING &&
-		xt_hooknum(par) != NF_INET_POST_ROUTING &&
-		xt_hooknum(par) != NF_INET_LOCAL_OUT &&
-		xt_hooknum(par) != NF_INET_LOCAL_IN);
 	ct = nf_ct_get(skb, &ctinfo);
 
 	netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);
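Review bot: The removed WARN_ON at L173-L176 is described as redundant, but nothing in the hunk shows what makes it so; presumably the target's `.hooks` mask in its xt_target registration already restricts netmap_tg4 to those four hooks, in which case the commit message should say that rather than call it a "macro block". Stating the reason lets a reader verify the removal without chasing the registration and keeps the commit from reading as if the hook check were simply dropped. netmap_tg4 continues outside the hunk.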
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 908fd5f2c3c8..c2d4feac1888 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -49,7 +49,7 @@ xt_cluster_hash(const struct nf_conn *ct,
 		hash = xt_cluster_hash_ipv6(nf_ct_orig_ipv6_src(ct), info);
 		break;
 	default:
-		WARN_ON(1);
+		DEBUG_NET_WARN_ON_ONCE(1);
 		break;
 	}
 
@@ -69,7 +69,7 @@ xt_cluster_is_multicast_addr(const struct sk_buff *skb, u_int8_t family)
 		is_multicast = ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr);
 		break;
 	default:
-		WARN_ON(1);
+		DEBUG_NET_WARN_ON_ONCE(1);
 		break;
 	}
 	return is_multicast;
diff --git a/net/netfilter/xt_nat.c b/net/netfilter/xt_nat.c
index b4f7bbc3f3ca..1572092c41f0 100644
--- a/net/netfilter/xt_nat.c
+++ b/net/netfilter/xt_nat.c
@@ -57,9 +57,9 @@ xt_snat_target_v0(struct sk_buff *skb, const struct xt_action_param *par)
 	struct nf_conn *ct;
 
 	ct = nf_ct_get(skb, &ctinfo);
-	WARN_ON(!(ct != NULL &&
-		 (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
-		  ctinfo == IP_CT_RELATED_REPLY)));
+	DEBUG_NET_WARN_ON_ONCE(!(ct != NULL &&
+				 (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
+				  ctinfo == IP_CT_RELATED_REPLY)));
 
 	xt_nat_convert_range(&range, &mr->range[0]);
 	return nf_nat_setup_info(ct, &range, NF_NAT_MANIP_SRC);
@@ -74,8 +74,8 @@ xt_dnat_target_v0(struct sk_buff *skb, const struct xt_action_param *par)
 	struct nf_conn *ct;
 
 	ct = nf_ct_get(skb, &ctinfo);
-	WARN_ON(!(ct != NULL &&
-		 (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)));
+	DEBUG_NET_WARN_ON_ONCE(!(ct != NULL &&
+				 (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)));
 
 	xt_nat_convert_range(&range, &mr->range[0]);
 	return nf_nat_setup_info(ct, &range, NF_NAT_MANIP_DST);
@@ -90,9 +90,9 @@ xt_snat_target_v1(struct sk_buff *skb, const struct xt_action_param *par)
 	struct nf_conn *ct;
 
 	ct = nf_ct_get(skb, &ctinfo);
-	WARN_ON(!(ct != NULL &&
-		 (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
-		  ctinfo == IP_CT_RELATED_REPLY)));
+	DEBUG_NET_WARN_ON_ONCE(!(ct != NULL &&
+				 (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
+				  ctinfo == IP_CT_RELATED_REPLY)));
 
 	memcpy(&range, range_v1, sizeof(*range_v1));
 	memset(&range.base_proto, 0, sizeof(range.base_proto));
@@ -109,8 +109,8 @@ xt_dnat_target_v1(struct sk_buff *skb, const struct xt_action_param *par)
 	struct nf_conn *ct;
 
 	ct = nf_ct_get(skb, &ctinfo);
-	WARN_ON(!(ct != NULL &&
-		 (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)));
+	DEBUG_NET_WARN_ON_ONCE(!(ct != NULL &&
+				 (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)));
 
 	memcpy(&range, range_v1, sizeof(*range_v1));
 	memset(&range.base_proto, 0, sizeof(range.base_proto));
@@ -126,9 +126,9 @@ xt_snat_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
 	struct nf_conn *ct;
 
 	ct = nf_ct_get(skb, &ctinfo);
-	WARN_ON(!(ct != NULL &&
-		 (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
-		  ctinfo == IP_CT_RELATED_REPLY)));
+	DEBUG_NET_WARN_ON_ONCE(!(ct != NULL &&
+				 (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
+				  ctinfo == IP_CT_RELATED_REPLY)));
 
 	return nf_nat_setup_info(ct, range, NF_NAT_MANIP_SRC);
 }
@@ -141,8 +141,8 @@ xt_dnat_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
 	struct nf_conn *ct;
 
 	ct = nf_ct_get(skb, &ctinfo);
-	WARN_ON(!(ct != NULL &&
-		 (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)));
+	DEBUG_NET_WARN_ON_ONCE(!(ct != NULL &&
+				 (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)));
 
 	return nf_nat_setup_info(ct, range, NF_NAT_MANIP_DST);
 }
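Review bot: The six converted assertions in xt_snat_target_v0/v1/v2 and xt_dnat_target_v0/v1/v2 are the same three-line expression, differing only in whether IP_CT_RELATED_REPLY is accepted, and the re-indentation this hunk performs is what makes that duplication stand out. A small static inline helper taking the conntrack info and an "allow related reply" flag would make each target a one-liner and keep the accepted-state set in one place; the helper is a no-op without CONFIG_DEBUG_NET exactly like the open-coded form. The helper is sketched below; each call site becomes `xt_nat_check_ct(ct, ctinfo, true);` for the SNAT targets and `false` for the DNAT ones. All six target bodies start outside their hunks.
```c
/* Sanity check the conntrack state a NAT target expects to see.
 * SNAT additionally accepts IP_CT_RELATED_REPLY. Compiled out
 * (type-checked only) without CONFIG_DEBUG_NET.
 */
static inline void xt_nat_check_ct(const struct nf_conn *ct,
				   enum ip_conntrack_info ctinfo,
				   bool allow_related_reply)
{
	DEBUG_NET_WARN_ON_ONCE(!(ct != NULL &&
				 (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
				  (allow_related_reply &&
				   ctinfo == IP_CT_RELATED_REPLY))));
}

/* … unchanged: xt_snat_target_v0 up to nf_ct_get() … */
	xt_nat_check_ct(ct, ctinfo, true);
/* … unchanged: xt_dnat_target_v0 up to nf_ct_get() … */
	xt_nat_check_ct(ct, ctinfo, false);
```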
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 811e53bee408..e3f68b0734d1 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -161,7 +161,8 @@ static int socket_mt_enable_defrag(struct net *net, int family)
 		return nf_defrag_ipv6_enable(net);
 #endif
 	}
-	WARN_ONCE(1, "Unknown family %d\n", family);
+	pr_warn_once("xt_socket: Unknown family %d\n", family);
+	DEBUG_NET_WARN_ON_ONCE(1);
 	return 0;
 }
 
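Review bot: The new `pr_warn_once` at L287 hard-codes an `xt_socket: ` prefix; if this file defines pr_fmt (not visible in the hunk) the module name will be printed twice, so that is worth checking before keeping the literal prefix. If a debug-only message were acceptable, `DEBUG_NET_WARN_ONCE(1, "Unknown family %d\n", family);` is the one-line counterpart of the original WARN_ONCE, but as written the production-visible message is retained, which is the right call for a configuration error reaching socket_mt_enable_defrag. The function begins outside the hunk.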
-- 
2.54.0

