netfilter-devel.vger.kernel.org archive mirror
From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Subject: [PATCH v2 nf 0/9] netfilter: x_tables: use printk ratelimiting
Date: Fri,  9 Feb 2018 15:51:58 +0100
Message-ID: <20180209145207.2097-1-fw@strlen.de>

Aeons ago, before namespaces, there was no need to ratelimit this:
all of these error messages got triggered in response to iptables
commands, which need CAP_NET_ADMIN.

Nowadays we have namespaces, so it's better to ratelimit these.
This should also help fuzzing (syzkaller), as it can generate a large
volume of error messages (which are useless there).

The first patch gets rid of printks that should never be triggered, as userland
doesn't generate such malformed rules.

The other patches convert all matches/targets.

In some cases, modules used pr_err() for errors that are just a
hint to the end user as to why the rule was rejected, so this uses
pr_info_ratelimited everywhere.

The only exceptions are when the error appears to be due to a bug, i.e.
ABI breakage and other incompatible changes that should not happen.

Note that most patches introduce overly long lines, but splitting these
would make it necessary to split the error messages which is worse.

 46 files changed, 264 insertions(+), 262 deletions(-)

Thread overview: 10+ messages
2018-02-09 14:51 Florian Westphal [this message]
2018-02-09 14:51 ` [PATCH v2 nf 1/9] netfilter: x_tables: remove pr_info where possible Florian Westphal
2018-02-09 14:52 ` [PATCH v2 nf 2/9] netfilter: x_tables: use pr ratelimiting in xt core Florian Westphal
2018-02-09 14:52 ` [PATCH v2 nf 3/9] netfilter: xt_CT: use pr ratelimiting Florian Westphal
2018-02-09 14:52 ` [PATCH v2 nf 4/9] netfilter: xt_NFQUEUE: " Florian Westphal
2018-02-09 14:52 ` [PATCH v2 nf 5/9] netfilter: xt_set: " Florian Westphal
2018-02-09 14:52 ` [PATCH v2 nf 6/9] netfilter: bridge: " Florian Westphal
2018-02-09 14:52 ` [PATCH v2 nf 7/9] netfilter: x_tables: rate-limit table mismatch warnings Florian Westphal
2018-02-09 14:52 ` [PATCH v2 nf 8/9] netfilter: x_tables: use pr ratelimiting in matches/targets Florian Westphal
2018-02-09 14:52 ` [PATCH v2 nf 9/9] netfilter: x_tables: use pr ratelimiting in all remaining spots Florian Westphal
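
The log-flood scenario the cover letter describes, as an added example that is not part of the original message or of the kernel source: a simplified userspace model of an interval/burst limiter of the kind behind the kernel's ratelimited printk helpers. All names, the millisecond tick, and the workloads are constructed for illustration; the 5-second window and burst of 10 mirror the kernel's default ratelimit settings.

```c
#include <stdio.h>

/* Userspace model of a fixed-window interval/burst limiter (hypothetical names). */
struct rl_state {
    long interval;  /* window length in ticks (ms here) */
    int  burst;     /* messages allowed per window */
    int  printed;   /* messages emitted in the current window */
    int  missed;    /* messages suppressed in the current window */
    long begin;     /* tick at which the current window opened */
    int  started;   /* 0 until the first call sets `begin` */
};

/* Returns 1 if the caller may log at time `now`, 0 if the message is dropped. */
static int rl_allow(struct rl_state *rs, long now)
{
    if (!rs->started) { rs->begin = now; rs->started = 1; }
    if (now - rs->begin > rs->interval) {  /* window expired: start a new one */
        rs->begin = now;
        rs->printed = 0;
        rs->missed = 0;
    }
    if (rs->printed < rs->burst) { rs->printed++; return 1; }
    rs->missed++;                          /* over budget: count and drop */
    return 0;
}

/* Constructed workload: n rejected rule insertions, one every `step` ticks.
 * Returns how many error messages reach the log. */
static int simulate_flood(int n, long step, long interval, int burst)
{
    struct rl_state rs = { .interval = interval, .burst = burst };
    int logged = 0;
    for (int i = 0; i < n; i++)
        logged += rl_allow(&rs, (long)i * step);
    return logged;
}

int main(void)
{
    /* 10000 rejected rules 1 ms apart (10 s) against a 5000 ms / 10 budget */
    printf("flood: %d of 10000 logged\n", simulate_flood(10000, 1, 5000, 10));
    /* an administrator mistyping 3 rules, one second apart, loses nothing */
    printf("admin: %d of 3 logged\n", simulate_flood(3, 1000, 5000, 10));
    return 0;
}
```

The budget is per limiter state, so an occasional rejected rule is still explained in the log, while a sustained stream of rejections from inside a namespace costs a fixed number of lines per window.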
