From: Patrick McHardy <kaber@trash.net>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: Dave Jones <davej@redhat.com>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
Jan Engelhardt <jengelh@medozas.de>,
David Miller <davem@davemloft.net>,
ajax@redhat.com, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] net: Remove a noisy printk
Date: Mon, 12 Jan 2009 06:02:48 +0100
Message-ID: <496ACEF8.2030605@trash.net>
In-Reply-To: <200812191151.55607.rusty@rustcorp.com.au>
[-- Attachment #1: Type: text/plain, Size: 954 bytes --]
Rusty Russell wrote:
> On Monday 15 December 2008 06:33:53 Dave Jones wrote:
>> On Sun, Dec 14, 2008 at 06:09:17PM +0100, Jozsef Kadlecsik wrote:
>> > In a >normal< system one usually does not use raw sockets. So if a root
>> > process does use a raw socket, at least netfilter sends a notification and
>> > there's a chance that someone takes notice of it by checking the kernel logs.
>>
>> 'normal' systems are irrelevant here. This message is triggerable remotely.
>
> I don't think it can be. This is for truncated locally-generated outgoing
> packets, which can only happen when root is playing with raw sockets.
Yes, it can only be triggered locally by root.
> As you can probably tell, I was the one who wrote this printk :) IMHO,
> one reasonable complaint is sufficient to have it removed, so just remove
> it. If anyone thinks it's valuable, put a static counter < 5 around it
> and add pid/comm info.
I've queued this patch to remove it.
[-- Attachment #2: 01.diff --]
[-- Type: text/x-patch, Size: 3605 bytes --]
commit ea1926cabd0076846119a7e10f29070907fc296c
Author: Patrick McHardy <kaber@trash.net>
Date: Mon Jan 12 06:01:48 2009 +0100
netfilter: remove "happy cracking" message
Don't spam logs for locally generated short packets. These can only
be generated by root.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index c922431..52cb693 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -93,13 +93,8 @@ ipt_local_out_hook(unsigned int hook,
{
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr)) {
- if (net_ratelimit())
- printk("iptable_filter: ignoring short SOCK_RAW "
- "packet.\n");
+ ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT;
- }
-
return ipt_do_table(skb, hook, in, out,
dev_net(out)->ipv4.iptable_filter);
}
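Review bot: the short-packet branch in ipt_local_out_hook still returns NF_ACCEPT before ipt_do_table() is reached, and with the printk removed nothing records that a locally generated packet left without being matched against the filter table. The retained comment "root is playing with raw sockets" does not say why accepting is the right verdict, so a sentence there explaining it would help the next reader. If some visibility is still wanted, the option raised in the thread (a static counter < 5 around the message, plus pid/comm info) would keep the log quiet without making the bypass invisible.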
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 69f2c42..3929d20 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -132,12 +132,8 @@ ipt_local_hook(unsigned int hook,
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr)
- || ip_hdrlen(skb) < sizeof(struct iphdr)) {
- if (net_ratelimit())
- printk("iptable_mangle: ignoring short SOCK_RAW "
- "packet.\n");
+ || ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT;
- }
/* Save things which could affect route */
mark = skb->mark;
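Review bot: style point on the rewritten condition in ipt_local_hook: the `||` still leads the continuation line (`|| ip_hdrlen(skb) < sizeof(struct iphdr))`), while the same check in the iptable_filter, iptable_raw and conntrack hunks ends the first line with it. Since the line is being touched anyway, moving the operator to the end of `if (skb->len < sizeof(struct iphdr)` would make the checks read identically across the files.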
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 8faebfe..7f65d18 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -65,12 +65,8 @@ ipt_local_hook(unsigned int hook,
{
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr)) {
- if (net_ratelimit())
- printk("iptable_raw: ignoring short SOCK_RAW "
- "packet.\n");
+ ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT;
- }
return ipt_do_table(skb, hook, in, out,
dev_net(out)->ipv4.iptable_raw);
}
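Review bot: after this change the check in ipt_local_hook is line for line the same as the one in the iptable_filter and conntrack hunks (`skb->len < sizeof(struct iphdr) || ip_hdrlen(skb) < sizeof(struct iphdr)` followed by `return NF_ACCEPT;`). With the per-table message gone there is nothing table-specific left in it, so a small shared inline helper would keep the five copies from drifting apart. That can be a follow-up rather than part of this patch.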
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 36f3be3..a52a35f 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -96,12 +96,8 @@ ipt_local_out_hook(unsigned int hook,
{
/* Somebody is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr)
- || ip_hdrlen(skb) < sizeof(struct iphdr)) {
- if (net_ratelimit())
- printk(KERN_INFO "iptable_security: ignoring short "
- "SOCK_RAW packet.\n");
+ || ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT;
- }
return ipt_do_table(skb, hook, in, out,
dev_net(out)->ipv4.iptable_security);
}
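Review bot: the retained comment in ipt_local_out_hook reads "Somebody is playing with raw sockets", while the other four hunks and the commit message say these packets can only be generated by root. Suggest changing it to "root is playing with raw sockets" here so the comment matches the stated rationale for dropping the message.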
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index b2141e1..4beb04f 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -145,11 +145,8 @@ static unsigned int ipv4_conntrack_local(unsigned int hooknum,
{
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr)) {
- if (net_ratelimit())
- printk("ipt_hook: happy cracking.\n");
+ ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT;
- }
return nf_conntrack_in(dev_net(out), PF_INET, hooknum, skb);
}
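Review bot: in ipv4_conntrack_local the short-packet branch returns NF_ACCEPT without calling nf_conntrack_in(), so these packets leave untracked, and after this hunk that happens silently; worth stating in the comment above the check. Separately, the commit subject names only the "happy cracking" message, but that string appears in this hunk alone. The four iptable_* messages removed elsewhere say "ignoring short SOCK_RAW packet", so the commit body could mention them to keep the removal findable by grep.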