netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_log_invalid sysctl (c2a2c7e0) · Commits · e / devices / android_kernel_xiaomi_markw

include/net/netfilter/nf_conntrack_l4proto.h

+7 −8

Original line number	Diff line number	Diff line
		@@ -117,20 +117,19 @@ extern int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[],
		struct nf_conntrack_tuple *t);
		extern const struct nla_policy nf_ct_port_nla_policy[];

		/* Log invalid packets */
		extern unsigned int nf_ct_log_invalid;

		#ifdef CONFIG_SYSCTL
		#ifdef DEBUG_INVALID_PACKETS
		#define LOG_INVALID(proto) \
		(nf_ct_log_invalid == (proto) \|\| nf_ct_log_invalid == IPPROTO_RAW)
		#define LOG_INVALID(net, proto) \
		((net)->ct.sysctl_log_invalid == (proto) \|\| \
		(net)->ct.sysctl_log_invalid == IPPROTO_RAW)
		#else
		#define LOG_INVALID(proto) \
		((nf_ct_log_invalid == (proto) \|\| nf_ct_log_invalid == IPPROTO_RAW) \
		#define LOG_INVALID(net, proto) \
		(((net)->ct.sysctl_log_invalid == (proto) \|\| \
		(net)->ct.sysctl_log_invalid == IPPROTO_RAW) \
		&& net_ratelimit())
		#endif
		#else
		#define LOG_INVALID(proto) 0
		#define LOG_INVALID(net, proto) 0
		#endif /* CONFIG_SYSCTL */

		#endif /_NF_CONNTRACK_PROTOCOL_H/

+1 −0

Original line number	Diff line number	Diff line
		@@ -18,6 +18,7 @@ struct netns_ct {
		struct nf_conntrack_ecache *ecache;
		#endif
		int sysctl_checksum;
		unsigned int sysctl_log_invalid; /* Log invalid packets */
		#ifdef CONFIG_SYSCTL
		struct ctl_table_header *sysctl_header;
		#endif

+1 −1

Original line number	Diff line number	Diff line
		@@ -278,7 +278,7 @@ static ctl_table ip_ct_sysctl_table[] = {
		{
		.ctl_name = NET_IPV4_NF_CONNTRACK_LOG_INVALID,
		.procname = "ip_conntrack_log_invalid",
		.data = &nf_ct_log_invalid,
		.data = &init_net.ct.sysctl_log_invalid,
		.maxlen = sizeof(unsigned int),
		.mode = 0644,
		.proc_handler = &proc_dointvec_minmax,

+3 −3

Original line number	Diff line number	Diff line
		@@ -181,7 +181,7 @@ icmp_error(struct net net, struct sk_buff skb, unsigned int dataoff,
		/* Not enough header? */
		icmph = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_ih), &_ih);
		if (icmph == NULL) {
		if (LOG_INVALID(IPPROTO_ICMP))
		if (LOG_INVALID(net, IPPROTO_ICMP))
		nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
		"nf_ct_icmp: short packet ");
		return -NF_ACCEPT;
		@@ -190,7 +190,7 @@ icmp_error(struct net net, struct sk_buff skb, unsigned int dataoff,
		/* See ip_conntrack_proto_tcp.c */
		if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
		nf_ip_checksum(skb, hooknum, dataoff, 0)) {
		if (LOG_INVALID(IPPROTO_ICMP))
		if (LOG_INVALID(net, IPPROTO_ICMP))
		nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
		"nf_ct_icmp: bad HW ICMP checksum ");
		return -NF_ACCEPT;
		@@ -203,7 +203,7 @@ icmp_error(struct net net, struct sk_buff skb, unsigned int dataoff,
		* discarded.
		*/
		if (icmph->type > NR_ICMP_TYPES) {
		if (LOG_INVALID(IPPROTO_ICMP))
		if (LOG_INVALID(net, IPPROTO_ICMP))
		nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
		"nf_ct_icmp: invalid ICMP type ");
		return -NF_ACCEPT;

+1 −1

Original line number	Diff line number	Diff line
		@@ -181,7 +181,7 @@ icmpv6_error(struct net net, struct sk_buff skb, unsigned int dataoff,

		icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
		if (icmp6h == NULL) {
		if (LOG_INVALID(IPPROTO_ICMPV6))
		if (LOG_INVALID(net, IPPROTO_ICMPV6))
		nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
		"nf_ct_icmpv6: short packet ");
		return -NF_ACCEPT;