netfilter: conntrack: prefer tcp_error_log to pr_debug
authorFlorian Westphal <fw@strlen.de>
Fri, 6 Oct 2023 09:28:47 +0000 (11:28 +0200)
committerFlorian Westphal <fw@strlen.de>
Tue, 10 Oct 2023 14:34:28 +0000 (16:34 +0200)
pr_debug doesn't provide any information other than that a packet
did not match existing state but also was found to not create a new
connection.

Replace this with tcp_error_log, which also dumps the packet's content so one can see whether this is a stray FIN or RST.

Signed-off-by: Florian Westphal <fw@strlen.de>
net/netfilter/nf_conntrack_proto_tcp.c

index 4018acb1d674e1d50fa370427070f6cc5c3de737..e573be5afde7a591e00e799aadeadcf455b31f05 100644 (file)
@@ -835,7 +835,8 @@ static bool tcp_error(const struct tcphdr *th,
 
 static noinline bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
                             unsigned int dataoff,
-                            const struct tcphdr *th)
+                            const struct tcphdr *th,
+                            const struct nf_hook_state *state)
 {
        enum tcp_conntrack new_state;
        struct net *net = nf_ct_net(ct);
@@ -846,7 +847,7 @@ static noinline bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
 
        /* Invalid: delete conntrack */
        if (new_state >= TCP_CONNTRACK_MAX) {
-               pr_debug("nf_ct_tcp: invalid new deleting.\n");
+               tcp_error_log(skb, state, "invalid new");
                return false;
        }
 
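Review bot: The tcp_error_log call on the "invalid new" branch silently changes which knob enables the message, and nothing in the hunk says so: the old pr_debug was dynamic-debug controlled, whereas tcp_error_log (defined outside this hunk) as far as I recall forwards to nf_l4proto_log_invalid and only emits when the net.netfilter.nf_conntrack_log_invalid sysctl covers TCP, so it is off by default. A one-line comment above the call would save the next reader a lookup, e.g. `/* reported via nf_conntrack_log_invalid, with a packet dump (stray FIN/RST vs SYN) */`. Once that sysctl is on, the dump is triggered by unsolicited packets, so log volume is influenced from the network; that already holds for tcp_error's existing messages, so this adds no new exposure, but the comment should make the gating explicit. The signature change in the first hunk and the call-site update in the third are plumbing for `state` only; tcp_new's body continues past this hunk.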
@@ -980,7 +981,7 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
        if (tcp_error(th, skb, dataoff, state))
                return -NF_ACCEPT;
 
-       if (!nf_ct_is_confirmed(ct) && !tcp_new(ct, skb, dataoff, th))
+       if (!nf_ct_is_confirmed(ct) && !tcp_new(ct, skb, dataoff, th, state))
                return -NF_ACCEPT;
 
        spin_lock_bh(&ct->lock);