[mirror_ovs.git] / lib / conntrack-tcp.c

/*-
 * Copyright (c) 2001 Daniel Hartmeier
 * Copyright (c) 2002 - 2008 Henning Brauer
 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org>
 * Copyright (c) 2015, 2016 Nicira, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * Effort sponsored in part by the Defense Advanced Research Projects
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
 *
 *      $OpenBSD: pf.c,v 1.634 2009/02/27 12:37:45 henning Exp $
 */

#include <config.h>

#include "conntrack-private.h"
#include "conntrack-tp.h"
#include "coverage.h"
#include "ct-dpif.h"
#include "dp-packet.h"
#include "util.h"

COVERAGE_DEFINE(conntrack_tcp_seq_chk_bypass);
COVERAGE_DEFINE(conntrack_tcp_seq_chk_failed);
COVERAGE_DEFINE(conntrack_invalid_tcp_flags);

struct tcp_peer {
    uint32_t               seqlo;          /* Max sequence number sent     */
    uint32_t               seqhi;          /* Max the other end ACKd + win */
    uint16_t               max_win;        /* largest window (pre scaling) */
    uint8_t                wscale;         /* window scaling factor        */
    enum ct_dpif_tcp_state state;
};

struct conn_tcp {
    struct conn up;
    struct tcp_peer peer[2]; /* 'conn' lock protected. */
};

enum {
    TCPOPT_EOL,
    TCPOPT_NOP,
    TCPOPT_WINDOW = 3,
};

/* TCP sequence numbers are 32 bit integers operated
 * on with modular arithmetic.  These macros can be
 * used to compare such integers. */
#define SEQ_LT(a,b)     INT_MOD_LT(a, b)
#define SEQ_LEQ(a,b)    INT_MOD_LEQ(a, b)
#define SEQ_GT(a,b)     INT_MOD_GT(a, b)
#define SEQ_GEQ(a,b)    INT_MOD_GEQ(a, b)

#define SEQ_MIN(a, b)   INT_MOD_MIN(a, b)
#define SEQ_MAX(a, b)   INT_MOD_MAX(a, b)

static struct conn_tcp*
conn_tcp_cast(const struct conn* conn)
{
    return CONTAINER_OF(conn, struct conn_tcp, up);
}

/* pf does this in in pf_normalize_tcp(), and it is called only if scrub
 * is enabled.  We're not scrubbing, but this check seems reasonable.  */
static bool
tcp_invalid_flags(uint16_t flags)
{

    if (flags & TCP_SYN) {
        if (flags & TCP_RST || flags & TCP_FIN) {
            return true;
        }
    } else {
        /* Illegal packet */
        if (!(flags & (TCP_ACK|TCP_RST))) {
            return true;
        }
    }

    if (!(flags & TCP_ACK)) {
        /* These flags are only valid if ACK is set */
        if ((flags & TCP_FIN) || (flags & TCP_PSH) || (flags & TCP_URG)) {
            return true;
        }
    }

    return false;
}

#define TCP_MAX_WSCALE 14
#define CT_WSCALE_FLAG 0x80
#define CT_WSCALE_UNKNOWN 0x40
#define CT_WSCALE_MASK 0xf

static uint8_t
tcp_get_wscale(const struct tcp_header *tcp)
{
    int len = TCP_OFFSET(tcp->tcp_ctl) * 4 - sizeof *tcp;
    const uint8_t *opt = (const uint8_t *)(tcp + 1);
    uint8_t wscale = 0;
    uint8_t optlen;

    while (len >= 3) {
        switch (*opt) {
        case TCPOPT_EOL:
            return wscale;
        case TCPOPT_NOP:
            opt++;
            len--;
            break;
        case TCPOPT_WINDOW:
            wscale = MIN(opt[2], TCP_MAX_WSCALE);
            wscale |= CT_WSCALE_FLAG;
            /* fall through */
        default:
            optlen = opt[1];
            if (optlen < 2) {
                optlen = 2;
            }
            len -= optlen;
            opt += optlen;
        }
    }

    return wscale;
}

static bool
tcp_bypass_seq_chk(struct conntrack *ct)
{
    if (!conntrack_get_tcp_seq_chk(ct)) {
        COVERAGE_INC(conntrack_tcp_seq_chk_bypass);
        return true;
    }
    return false;
}

static enum ct_update_res
tcp_conn_update(struct conntrack *ct, struct conn *conn_,
                struct dp_packet *pkt, bool reply, long long now)
{
    struct conn_tcp *conn = conn_tcp_cast(conn_);
    struct tcp_header *tcp = dp_packet_l4(pkt);
    /* The peer that sent 'pkt' */
    struct tcp_peer *src = &conn->peer[reply ? 1 : 0];
    /* The peer that should receive 'pkt' */
    struct tcp_peer *dst = &conn->peer[reply ? 0 : 1];
    uint8_t sws = 0, dws = 0;
    uint16_t tcp_flags = TCP_FLAGS(tcp->tcp_ctl);

    uint16_t win = ntohs(tcp->tcp_winsz);
    uint32_t ack, end, seq, orig_seq;
    uint32_t p_len = tcp_payload_length(pkt);

    if (tcp_invalid_flags(tcp_flags)) {
        COVERAGE_INC(conntrack_invalid_tcp_flags);
        return CT_UPDATE_INVALID;
    }

    if ((tcp_flags & (TCP_SYN | TCP_ACK)) == TCP_SYN) {
        if (dst->state >= CT_DPIF_TCPS_FIN_WAIT_2
            && src->state >= CT_DPIF_TCPS_FIN_WAIT_2) {
            src->state = dst->state = CT_DPIF_TCPS_CLOSED;
            return CT_UPDATE_NEW;
        } else if (src->state <= CT_DPIF_TCPS_SYN_SENT) {
            src->state = CT_DPIF_TCPS_SYN_SENT;
            conn_update_expiration(ct, &conn->up, CT_TM_TCP_FIRST_PACKET, now);
            return CT_UPDATE_VALID_NEW;
        }
    }

    if (src->wscale & CT_WSCALE_FLAG
        && dst->wscale & CT_WSCALE_FLAG
        && !(tcp_flags & TCP_SYN)) {

        sws = src->wscale & CT_WSCALE_MASK;
        dws = dst->wscale & CT_WSCALE_MASK;

    } else if (src->wscale & CT_WSCALE_UNKNOWN
               && dst->wscale & CT_WSCALE_UNKNOWN
               && !(tcp_flags & TCP_SYN)) {

        sws = TCP_MAX_WSCALE;
        dws = TCP_MAX_WSCALE;
    }

    /*
     * Sequence tracking algorithm from Guido van Rooij's paper:
     *   http://www.madison-gurkha.com/publications/tcp_filtering/
     *      tcp_filtering.ps
     */

    orig_seq = seq = ntohl(get_16aligned_be32(&tcp->tcp_seq));
    bool check_ackskew = true;
    if (src->state < CT_DPIF_TCPS_SYN_SENT) {
        /* First packet from this end. Set its state */

        ack = ntohl(get_16aligned_be32(&tcp->tcp_ack));

        end = seq + p_len;
        if (tcp_flags & TCP_SYN) {
            end++;
            if (dst->wscale & CT_WSCALE_FLAG) {
                src->wscale = tcp_get_wscale(tcp);
                if (src->wscale & CT_WSCALE_FLAG) {
                    /* Remove scale factor from initial window */
                    sws = src->wscale & CT_WSCALE_MASK;
                    win = DIV_ROUND_UP((uint32_t) win, 1 << sws);
                    dws = dst->wscale & CT_WSCALE_MASK;
                } else {
                    /* fixup other window */
                    dst->max_win <<= dst->wscale & CT_WSCALE_MASK;
                    /* in case of a retrans SYN|ACK */
                    dst->wscale = 0;
                }
            }
        }
        if (tcp_flags & TCP_FIN) {
            end++;
        }

        src->seqlo = seq;
        src->state = CT_DPIF_TCPS_SYN_SENT;
        /*
         * May need to slide the window (seqhi may have been set by
         * the crappy stack check or if we picked up the connection
         * after establishment)
         */
        if (src->seqhi == 1
                || SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)) {
            src->seqhi = end + MAX(1, dst->max_win << dws);
            /* We are either picking up a new connection or a connection which
             * was already in place.  We are more permissive in terms of
             * ackskew checking in these cases.
             */
            check_ackskew = false;
        }
        if (win > src->max_win) {
            src->max_win = win;
        }

    } else {
        ack = ntohl(get_16aligned_be32(&tcp->tcp_ack));
        end = seq + p_len;
        if (tcp_flags & TCP_SYN) {
            end++;
        }
        if (tcp_flags & TCP_FIN) {
            end++;
        }
    }

    if ((tcp_flags & TCP_ACK) == 0) {
        /* Let it pass through the ack skew check */
        ack = dst->seqlo;
    } else if ((ack == 0
                && (tcp_flags & (TCP_ACK|TCP_RST)) == (TCP_ACK|TCP_RST))
               /* broken tcp stacks do not set ack */) {
        /* Many stacks (ours included) will set the ACK number in an
         * FIN|ACK if the SYN times out -- no sequence to ACK. */
        ack = dst->seqlo;
    }

    if (seq == end) {
        /* Ease sequencing restrictions on no data packets */
        seq = src->seqlo;
        end = seq;
    }

    int ackskew = check_ackskew ? dst->seqlo - ack : 0;
#define MAXACKWINDOW (0xffff + 1500)    /* 1500 is an arbitrary fudge factor */
    if ((SEQ_GEQ(src->seqhi, end)
        /* Last octet inside other's window space */
        && SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))
        /* Retrans: not more than one window back */
        && (ackskew >= -MAXACKWINDOW)
        /* Acking not more than one reassembled fragment backwards */
        && (ackskew <= (MAXACKWINDOW << sws))
        /* Acking not more than one window forward */
        && ((tcp_flags & TCP_RST) == 0 || orig_seq == src->seqlo
            || (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo)))
        || tcp_bypass_seq_chk(ct)) {
        /* Require an exact/+1 sequence match on resets when possible */

        /* update max window */
        if (src->max_win < win) {
            src->max_win = win;
        }
        /* synchronize sequencing */
        if (SEQ_GT(end, src->seqlo)) {
            src->seqlo = end;
        }
        /* slide the window of what the other end can send */
        if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) {
            dst->seqhi = ack + MAX((win << sws), 1);
        }

        /* update states */
        if (tcp_flags & TCP_SYN && src->state < CT_DPIF_TCPS_SYN_SENT) {
                src->state = CT_DPIF_TCPS_SYN_SENT;
        }
        if (tcp_flags & TCP_FIN && src->state < CT_DPIF_TCPS_CLOSING) {
                src->state = CT_DPIF_TCPS_CLOSING;
        }
        if (tcp_flags & TCP_ACK) {
            if (dst->state == CT_DPIF_TCPS_SYN_SENT) {
                dst->state = CT_DPIF_TCPS_ESTABLISHED;
            } else if (dst->state == CT_DPIF_TCPS_CLOSING) {
                dst->state = CT_DPIF_TCPS_FIN_WAIT_2;
            }
        }
        if (tcp_flags & TCP_RST) {
            src->state = dst->state = CT_DPIF_TCPS_TIME_WAIT;
        }

        if (src->state >= CT_DPIF_TCPS_FIN_WAIT_2
            && dst->state >= CT_DPIF_TCPS_FIN_WAIT_2) {
            conn_update_expiration(ct, &conn->up, CT_TM_TCP_CLOSED, now);
        } else if (src->state >= CT_DPIF_TCPS_CLOSING
                   && dst->state >= CT_DPIF_TCPS_CLOSING) {
            conn_update_expiration(ct, &conn->up, CT_TM_TCP_FIN_WAIT, now);
        } else if (src->state < CT_DPIF_TCPS_ESTABLISHED
                   || dst->state < CT_DPIF_TCPS_ESTABLISHED) {
            conn_update_expiration(ct, &conn->up, CT_TM_TCP_OPENING, now);
        } else if (src->state >= CT_DPIF_TCPS_CLOSING
                   || dst->state >= CT_DPIF_TCPS_CLOSING) {
            conn_update_expiration(ct, &conn->up, CT_TM_TCP_CLOSING, now);
        } else {
            conn_update_expiration(ct, &conn->up, CT_TM_TCP_ESTABLISHED, now);
        }
    } else if ((dst->state < CT_DPIF_TCPS_SYN_SENT
                || dst->state >= CT_DPIF_TCPS_FIN_WAIT_2
                || src->state >= CT_DPIF_TCPS_FIN_WAIT_2)
               && SEQ_GEQ(src->seqhi + MAXACKWINDOW, end)
               /* Within a window forward of the originating packet */
               && SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) {
               /* Within a window backward of the originating packet */

        /*
         * This currently handles three situations:
         *  1) Stupid stacks will shotgun SYNs before their peer
         *     replies.
         *  2) When PF catches an already established stream (the
         *     firewall rebooted, the state table was flushed, routes
         *     changed...)
         *  3) Packets get funky immediately after the connection
         *     closes (this should catch Solaris spurious ACK|FINs
         *     that web servers like to spew after a close)
         *
         * This must be a little more careful than the above code
         * since packet floods will also be caught here. We don't
         * update the TTL here to mitigate the damage of a packet
         * flood and so the same code can handle awkward establishment
         * and a loosened connection close.
         * In the establishment case, a correct peer response will
         * validate the connection, go through the normal state code
         * and keep updating the state TTL.
         */

        /* update max window */
        if (src->max_win < win) {
            src->max_win = win;
        }
        /* synchronize sequencing */
        if (SEQ_GT(end, src->seqlo)) {
            src->seqlo = end;
        }
        /* slide the window of what the other end can send */
        if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) {
            dst->seqhi = ack + MAX((win << sws), 1);
        }

        /*
         * Cannot set dst->seqhi here since this could be a shotgunned
         * SYN and not an already established connection.
         */

        if (tcp_flags & TCP_FIN && src->state < CT_DPIF_TCPS_CLOSING) {
            src->state = CT_DPIF_TCPS_CLOSING;
        }

        if (tcp_flags & TCP_RST) {
            src->state = dst->state = CT_DPIF_TCPS_TIME_WAIT;
        }
    } else {
        COVERAGE_INC(conntrack_tcp_seq_chk_failed);
        return CT_UPDATE_INVALID;
    }

    return CT_UPDATE_VALID;
}

static bool
tcp_valid_new(struct dp_packet *pkt)
{
    struct tcp_header *tcp = dp_packet_l4(pkt);
    uint16_t tcp_flags = TCP_FLAGS(tcp->tcp_ctl);

    if (tcp_invalid_flags(tcp_flags)) {
        return false;
    }

    /* A syn+ack is not allowed to create a connection.  We want to allow
     * totally new connections (syn) or already established, not partially
     * open (syn+ack). */
    if ((tcp_flags & TCP_SYN) && (tcp_flags & TCP_ACK)) {
        return false;
    }

    return true;
}

static struct conn *
tcp_new_conn(struct conntrack *ct, struct dp_packet *pkt, long long now,
             uint32_t tp_id)
{
    struct conn_tcp* newconn = NULL;
    struct tcp_header *tcp = dp_packet_l4(pkt);
    struct tcp_peer *src, *dst;
    uint16_t tcp_flags = TCP_FLAGS(tcp->tcp_ctl);

    newconn = xzalloc(sizeof *newconn);

    src = &newconn->peer[0];
    dst = &newconn->peer[1];

    src->seqlo = ntohl(get_16aligned_be32(&tcp->tcp_seq));
    src->seqhi = src->seqlo + tcp_payload_length(pkt) + 1;

    if (tcp_flags & TCP_SYN) {
        src->seqhi++;
        src->wscale = tcp_get_wscale(tcp);
    } else {
        src->wscale = CT_WSCALE_UNKNOWN;
        dst->wscale = CT_WSCALE_UNKNOWN;
    }
    src->max_win = MAX(ntohs(tcp->tcp_winsz), 1);
    if (src->wscale & CT_WSCALE_MASK) {
        /* Remove scale factor from initial window */
        uint8_t sws = src->wscale & CT_WSCALE_MASK;
        src->max_win = DIV_ROUND_UP((uint32_t) src->max_win, 1 << sws);
    }
    if (tcp_flags & TCP_FIN) {
        src->seqhi++;
    }
    dst->seqhi = 1;
    dst->max_win = 1;
    src->state = CT_DPIF_TCPS_SYN_SENT;
    dst->state = CT_DPIF_TCPS_CLOSED;

    newconn->up.tp_id = tp_id;
    conn_init_expiration(ct, &newconn->up, CT_TM_TCP_FIRST_PACKET, now);

    return &newconn->up;
}

static uint8_t
tcp_peer_to_protoinfo_flags(const struct tcp_peer *peer)
{
    uint8_t res = 0;

    if (peer->wscale & CT_WSCALE_FLAG) {
        res |= CT_DPIF_TCPF_WINDOW_SCALE;
    }

    if (peer->wscale & CT_WSCALE_UNKNOWN) {
        res |= CT_DPIF_TCPF_BE_LIBERAL;
    }

    return res;
}

static void
tcp_conn_get_protoinfo(const struct conn *conn_,
                       struct ct_dpif_protoinfo *protoinfo)
{
    const struct conn_tcp *conn = conn_tcp_cast(conn_);

    protoinfo->proto = IPPROTO_TCP;
    protoinfo->tcp.state_orig = conn->peer[0].state;
    protoinfo->tcp.state_reply = conn->peer[1].state;

    protoinfo->tcp.wscale_orig = conn->peer[0].wscale & CT_WSCALE_MASK;
    protoinfo->tcp.wscale_reply = conn->peer[1].wscale & CT_WSCALE_MASK;

    protoinfo->tcp.flags_orig = tcp_peer_to_protoinfo_flags(&conn->peer[0]);
    protoinfo->tcp.flags_reply = tcp_peer_to_protoinfo_flags(&conn->peer[1]);
}

struct ct_l4_proto ct_proto_tcp = {
    .new_conn = tcp_new_conn,
    .valid_new = tcp_valid_new,
    .conn_update = tcp_conn_update,
    .conn_get_protoinfo = tcp_conn_get_protoinfo,
};
Commit	Line	Data
a489b168 DDP	1	/*-
	2	* Copyright (c) 2001 Daniel Hartmeier
	3	* Copyright (c) 2002 - 2008 Henning Brauer
	4	* Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org>
	5	* Copyright (c) 2015, 2016 Nicira, Inc.
	6	* All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* - Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	* - Redistributions in binary form must reproduce the above
	15	* copyright notice, this list of conditions and the following
	16	* disclaimer in the documentation and/or other materials provided
	17	* with the distribution.
	18	*
	19	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
	20	* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
	21	* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
	22	* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	23	* COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
	24	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
	25	* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	26	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	27	* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	28	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
	29	* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	30	* POSSIBILITY OF SUCH DAMAGE.
	31	*
	32	* Effort sponsored in part by the Defense Advanced Research Projects
	33	* Agency (DARPA) and Air Force Research Laboratory, Air Force
	34	* Materiel Command, USAF, under agreement number F30602-01-2-0537.
	35	*
	36	* $OpenBSD: pf.c,v 1.634 2009/02/27 12:37:45 henning Exp $
	37	*/
	38
	39	#include <config.h>
	40
	41	#include "conntrack-private.h"
2078901a	42	#include "conntrack-tp.h"
64207120	43	#include "coverage.h"
a489b168 DDP	44	#include "ct-dpif.h"
	45	#include "dp-packet.h"
	46	#include "util.h"
	47
64207120 DB	48	COVERAGE_DEFINE(conntrack_tcp_seq_chk_bypass);
	49	COVERAGE_DEFINE(conntrack_tcp_seq_chk_failed);
	50	COVERAGE_DEFINE(conntrack_invalid_tcp_flags);
	51
a489b168	52	struct tcp_peer {
a489b168 DDP	53	uint32_t seqlo; /* Max sequence number sent */
	54	uint32_t seqhi; /* Max the other end ACKd + win */
	55	uint16_t max_win; /* largest window (pre scaling) */
	56	uint8_t wscale; /* window scaling factor */
967bb5c5	57	enum ct_dpif_tcp_state state;
a489b168 DDP	58	};
	59
	60	struct conn_tcp {
	61	struct conn up;
967bb5c5	62	struct tcp_peer peer[2]; /* 'conn' lock protected. */
a489b168 DDP	63	};
	64
	65	enum {
	66	TCPOPT_EOL,
	67	TCPOPT_NOP,
	68	TCPOPT_WINDOW = 3,
	69	};
	70
	71	/* TCP sequence numbers are 32 bit integers operated
	72	* on with modular arithmetic. These macros can be
	73	* used to compare such integers. */
	74	#define SEQ_LT(a,b) INT_MOD_LT(a, b)
	75	#define SEQ_LEQ(a,b) INT_MOD_LEQ(a, b)
	76	#define SEQ_GT(a,b) INT_MOD_GT(a, b)
	77	#define SEQ_GEQ(a,b) INT_MOD_GEQ(a, b)
	78
	79	#define SEQ_MIN(a, b) INT_MOD_MIN(a, b)
	80	#define SEQ_MAX(a, b) INT_MOD_MAX(a, b)
	81
	82	static struct conn_tcp*
	83	conn_tcp_cast(const struct conn* conn)
	84	{
	85	return CONTAINER_OF(conn, struct conn_tcp, up);
	86	}
	87
	88	/* pf does this in in pf_normalize_tcp(), and it is called only if scrub
	89	* is enabled. We're not scrubbing, but this check seems reasonable. */
	90	static bool
	91	tcp_invalid_flags(uint16_t flags)
	92	{
	93
	94	if (flags & TCP_SYN) {
	95	if (flags & TCP_RST \|\| flags & TCP_FIN) {
	96	return true;
	97	}
	98	} else {
	99	/* Illegal packet */
	100	if (!(flags & (TCP_ACK\|TCP_RST))) {
	101	return true;
	102	}
	103	}
	104
	105	if (!(flags & TCP_ACK)) {
	106	/* These flags are only valid if ACK is set */
	107	if ((flags & TCP_FIN) \|\| (flags & TCP_PSH) \|\| (flags & TCP_URG)) {
	108	return true;
	109	}
	110	}
	111
	112	return false;
	113	}
	114
	115	#define TCP_MAX_WSCALE 14
	116	#define CT_WSCALE_FLAG 0x80
	117	#define CT_WSCALE_UNKNOWN 0x40
	118	#define CT_WSCALE_MASK 0xf
	119
	120	static uint8_t
	121	tcp_get_wscale(const struct tcp_header *tcp)
	122	{
	123	int len = TCP_OFFSET(tcp->tcp_ctl) * 4 - sizeof *tcp;
	124	const uint8_t opt = (const uint8_t )(tcp + 1);
	125	uint8_t wscale = 0;
	126	uint8_t optlen;
127
128	while (len >= 3) {
129	switch (*opt) {
130	case TCPOPT_EOL:
131	return wscale;
132	case TCPOPT_NOP:
133	opt++;
134	len--;
135	break;
136	case TCPOPT_WINDOW:
137	wscale = MIN(opt[2], TCP_MAX_WSCALE);
138	wscale \|= CT_WSCALE_FLAG;
139	/* fall through */
140	default:
141	optlen = opt[1];
142	if (optlen < 2) {
143	optlen = 2;
144	}
145	len -= optlen;
146	opt += optlen;
147	}
148	}
149
150	return wscale;
151	}
152
64207120 DB	153	static bool
	154	tcp_bypass_seq_chk(struct conntrack *ct)
	155	{
	156	if (!conntrack_get_tcp_seq_chk(ct)) {
	157	COVERAGE_INC(conntrack_tcp_seq_chk_bypass);
	158	return true;
	159	}
	160	return false;
	161	}
	162
a489b168	163	static enum ct_update_res
967bb5c5	164	tcp_conn_update(struct conntrack ct, struct conn conn_,
e6ef6cc6	165	struct dp_packet *pkt, bool reply, long long now)
a489b168 DDP	166	{
	167	struct conn_tcp *conn = conn_tcp_cast(conn_);
	168	struct tcp_header *tcp = dp_packet_l4(pkt);
	169	/* The peer that sent 'pkt' */
	170	struct tcp_peer *src = &conn->peer[reply ? 1 : 0];
	171	/* The peer that should receive 'pkt' */
	172	struct tcp_peer *dst = &conn->peer[reply ? 0 : 1];
	173	uint8_t sws = 0, dws = 0;
	174	uint16_t tcp_flags = TCP_FLAGS(tcp->tcp_ctl);
	175
	176	uint16_t win = ntohs(tcp->tcp_winsz);
	177	uint32_t ack, end, seq, orig_seq;
	178	uint32_t p_len = tcp_payload_length(pkt);
a489b168 DDP	179
a489b168 DDP	180	if (tcp_invalid_flags(tcp_flags)) {
64207120	181	COVERAGE_INC(conntrack_invalid_tcp_flags);
a489b168 DDP	182	return CT_UPDATE_INVALID;
	183	}
	184
a867c010 YHW	185	if ((tcp_flags & (TCP_SYN \| TCP_ACK)) == TCP_SYN) {
	186	if (dst->state >= CT_DPIF_TCPS_FIN_WAIT_2
	187	&& src->state >= CT_DPIF_TCPS_FIN_WAIT_2) {
	188	src->state = dst->state = CT_DPIF_TCPS_CLOSED;
	189	return CT_UPDATE_NEW;
	190	} else if (src->state <= CT_DPIF_TCPS_SYN_SENT) {
	191	src->state = CT_DPIF_TCPS_SYN_SENT;
	192	conn_update_expiration(ct, &conn->up, CT_TM_TCP_FIRST_PACKET, now);
ac23d20f	193	return CT_UPDATE_VALID_NEW;
a867c010	194	}
a489b168 DDP	195	}
	196
	197	if (src->wscale & CT_WSCALE_FLAG
	198	&& dst->wscale & CT_WSCALE_FLAG
	199	&& !(tcp_flags & TCP_SYN)) {
	200
	201	sws = src->wscale & CT_WSCALE_MASK;
	202	dws = dst->wscale & CT_WSCALE_MASK;
	203
	204	} else if (src->wscale & CT_WSCALE_UNKNOWN
	205	&& dst->wscale & CT_WSCALE_UNKNOWN
	206	&& !(tcp_flags & TCP_SYN)) {
	207
	208	sws = TCP_MAX_WSCALE;
	209	dws = TCP_MAX_WSCALE;
	210	}
	211
	212	/*
	213	* Sequence tracking algorithm from Guido van Rooij's paper:
	214	* http://www.madison-gurkha.com/publications/tcp_filtering/
	215	* tcp_filtering.ps
	216	*/
	217
	218	orig_seq = seq = ntohl(get_16aligned_be32(&tcp->tcp_seq));
7c0cb293	219	bool check_ackskew = true;
a489b168 DDP	220	if (src->state < CT_DPIF_TCPS_SYN_SENT) {
	221	/* First packet from this end. Set its state */
	222
	223	ack = ntohl(get_16aligned_be32(&tcp->tcp_ack));
	224
	225	end = seq + p_len;
	226	if (tcp_flags & TCP_SYN) {
	227	end++;
	228	if (dst->wscale & CT_WSCALE_FLAG) {
	229	src->wscale = tcp_get_wscale(tcp);
	230	if (src->wscale & CT_WSCALE_FLAG) {
	231	/* Remove scale factor from initial window */
	232	sws = src->wscale & CT_WSCALE_MASK;
	233	win = DIV_ROUND_UP((uint32_t) win, 1 << sws);
	234	dws = dst->wscale & CT_WSCALE_MASK;
	235	} else {
	236	/* fixup other window */
	237	dst->max_win <<= dst->wscale & CT_WSCALE_MASK;
	238	/* in case of a retrans SYN\|ACK */
	239	dst->wscale = 0;
	240	}
	241	}
	242	}
	243	if (tcp_flags & TCP_FIN) {
	244	end++;
	245	}
	246
	247	src->seqlo = seq;
	248	src->state = CT_DPIF_TCPS_SYN_SENT;
	249	/*
	250	* May need to slide the window (seqhi may have been set by
	251	* the crappy stack check or if we picked up the connection
	252	* after establishment)
	253	*/
	254	if (src->seqhi == 1
	255	\|\| SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)) {
	256	src->seqhi = end + MAX(1, dst->max_win << dws);
7c0cb293 DB	257	/* We are either picking up a new connection or a connection which
	258	* was already in place. We are more permissive in terms of
	259	* ackskew checking in these cases.
	260	*/
	261	check_ackskew = false;
a489b168 DDP	262	}
	263	if (win > src->max_win) {
	264	src->max_win = win;
	265	}
	266
	267	} else {
	268	ack = ntohl(get_16aligned_be32(&tcp->tcp_ack));
	269	end = seq + p_len;
	270	if (tcp_flags & TCP_SYN) {
	271	end++;
	272	}
	273	if (tcp_flags & TCP_FIN) {
	274	end++;
	275	}
	276	}
	277
	278	if ((tcp_flags & TCP_ACK) == 0) {
	279	/* Let it pass through the ack skew check */
	280	ack = dst->seqlo;
	281	} else if ((ack == 0
	282	&& (tcp_flags & (TCP_ACK\|TCP_RST)) == (TCP_ACK\|TCP_RST))
	283	/* broken tcp stacks do not set ack */) {
	284	/* Many stacks (ours included) will set the ACK number in an
	285	* FIN\|ACK if the SYN times out -- no sequence to ACK. */
	286	ack = dst->seqlo;
	287	}
	288
	289	if (seq == end) {
	290	/* Ease sequencing restrictions on no data packets */
	291	seq = src->seqlo;
	292	end = seq;
	293	}
	294
7c0cb293	295	int ackskew = check_ackskew ? dst->seqlo - ack : 0;
a489b168	296	#define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */
64207120	297	if ((SEQ_GEQ(src->seqhi, end)
a489b168 DDP	298	/* Last octet inside other's window space */
	299	&& SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))
	300	/* Retrans: not more than one window back */
	301	&& (ackskew >= -MAXACKWINDOW)
	302	/* Acking not more than one reassembled fragment backwards */
	303	&& (ackskew <= (MAXACKWINDOW << sws))
	304	/* Acking not more than one window forward */
	305	&& ((tcp_flags & TCP_RST) == 0 \|\| orig_seq == src->seqlo
64207120 DB	306	\|\| (orig_seq == src->seqlo + 1) \|\| (orig_seq + 1 == src->seqlo)))
64207120 DB	307	\|\| tcp_bypass_seq_chk(ct)) {
a489b168 DDP	308	/* Require an exact/+1 sequence match on resets when possible */
	309
	310	/* update max window */
	311	if (src->max_win < win) {
	312	src->max_win = win;
	313	}
	314	/* synchronize sequencing */
	315	if (SEQ_GT(end, src->seqlo)) {
	316	src->seqlo = end;
	317	}
	318	/* slide the window of what the other end can send */
	319	if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) {
	320	dst->seqhi = ack + MAX((win << sws), 1);
	321	}
	322
	323	/* update states */
	324	if (tcp_flags & TCP_SYN && src->state < CT_DPIF_TCPS_SYN_SENT) {
	325	src->state = CT_DPIF_TCPS_SYN_SENT;
	326	}
	327	if (tcp_flags & TCP_FIN && src->state < CT_DPIF_TCPS_CLOSING) {
	328	src->state = CT_DPIF_TCPS_CLOSING;
	329	}
	330	if (tcp_flags & TCP_ACK) {
	331	if (dst->state == CT_DPIF_TCPS_SYN_SENT) {
	332	dst->state = CT_DPIF_TCPS_ESTABLISHED;
	333	} else if (dst->state == CT_DPIF_TCPS_CLOSING) {
	334	dst->state = CT_DPIF_TCPS_FIN_WAIT_2;
	335	}
	336	}
	337	if (tcp_flags & TCP_RST) {
	338	src->state = dst->state = CT_DPIF_TCPS_TIME_WAIT;
	339	}
	340
	341	if (src->state >= CT_DPIF_TCPS_FIN_WAIT_2
	342	&& dst->state >= CT_DPIF_TCPS_FIN_WAIT_2) {
967bb5c5	343	conn_update_expiration(ct, &conn->up, CT_TM_TCP_CLOSED, now);
a489b168 DDP	344	} else if (src->state >= CT_DPIF_TCPS_CLOSING
a489b168 DDP	345	&& dst->state >= CT_DPIF_TCPS_CLOSING) {
967bb5c5	346	conn_update_expiration(ct, &conn->up, CT_TM_TCP_FIN_WAIT, now);
a489b168 DDP	347	} else if (src->state < CT_DPIF_TCPS_ESTABLISHED
a489b168 DDP	348	\|\| dst->state < CT_DPIF_TCPS_ESTABLISHED) {
967bb5c5	349	conn_update_expiration(ct, &conn->up, CT_TM_TCP_OPENING, now);
a489b168 DDP	350	} else if (src->state >= CT_DPIF_TCPS_CLOSING
a489b168 DDP	351	\|\| dst->state >= CT_DPIF_TCPS_CLOSING) {
967bb5c5	352	conn_update_expiration(ct, &conn->up, CT_TM_TCP_CLOSING, now);
a489b168	353	} else {
967bb5c5	354	conn_update_expiration(ct, &conn->up, CT_TM_TCP_ESTABLISHED, now);
a489b168 DDP	355	}
	356	} else if ((dst->state < CT_DPIF_TCPS_SYN_SENT
	357	\|\| dst->state >= CT_DPIF_TCPS_FIN_WAIT_2
	358	\|\| src->state >= CT_DPIF_TCPS_FIN_WAIT_2)
	359	&& SEQ_GEQ(src->seqhi + MAXACKWINDOW, end)
	360	/* Within a window forward of the originating packet */
	361	&& SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) {
	362	/* Within a window backward of the originating packet */
	363
	364	/*
	365	* This currently handles three situations:
	366	* 1) Stupid stacks will shotgun SYNs before their peer
	367	* replies.
	368	* 2) When PF catches an already established stream (the
	369	* firewall rebooted, the state table was flushed, routes
	370	* changed...)
	371	* 3) Packets get funky immediately after the connection
	372	* closes (this should catch Solaris spurious ACK\|FINs
	373	* that web servers like to spew after a close)
	374	*
	375	* This must be a little more careful than the above code
	376	* since packet floods will also be caught here. We don't
	377	* update the TTL here to mitigate the damage of a packet
	378	* flood and so the same code can handle awkward establishment
	379	* and a loosened connection close.
	380	* In the establishment case, a correct peer response will
	381	* validate the connection, go through the normal state code
	382	* and keep updating the state TTL.
	383	*/
	384
	385	/* update max window */
	386	if (src->max_win < win) {
	387	src->max_win = win;
	388	}
	389	/* synchronize sequencing */
	390	if (SEQ_GT(end, src->seqlo)) {
	391	src->seqlo = end;
	392	}
	393	/* slide the window of what the other end can send */
	394	if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) {
	395	dst->seqhi = ack + MAX((win << sws), 1);
	396	}
	397
	398	/*
	399	* Cannot set dst->seqhi here since this could be a shotgunned
	400	* SYN and not an already established connection.
	401	*/
	402
	403	if (tcp_flags & TCP_FIN && src->state < CT_DPIF_TCPS_CLOSING) {
	404	src->state = CT_DPIF_TCPS_CLOSING;
	405	}
	406
	407	if (tcp_flags & TCP_RST) {
	408	src->state = dst->state = CT_DPIF_TCPS_TIME_WAIT;
	409	}
	410	} else {
64207120	411	COVERAGE_INC(conntrack_tcp_seq_chk_failed);
a489b168 DDP	412	return CT_UPDATE_INVALID;
	413	}
	414
	415	return CT_UPDATE_VALID;
	416	}
	417
	418	static bool
	419	tcp_valid_new(struct dp_packet *pkt)
	420	{
	421	struct tcp_header *tcp = dp_packet_l4(pkt);
	422	uint16_t tcp_flags = TCP_FLAGS(tcp->tcp_ctl);
	423
	424	if (tcp_invalid_flags(tcp_flags)) {
	425	return false;
	426	}
	427
	428	/* A syn+ack is not allowed to create a connection. We want to allow
	429	* totally new connections (syn) or already established, not partially
	430	* open (syn+ack). */
	431	if ((tcp_flags & TCP_SYN) && (tcp_flags & TCP_ACK)) {
	432	return false;
	433	}
	434
	435	return true;
	436	}
	437
	438	static struct conn *
2078901a WT	439	tcp_new_conn(struct conntrack ct, struct dp_packet pkt, long long now,
2078901a WT	440	uint32_t tp_id)
a489b168 DDP	441	{
	442	struct conn_tcp* newconn = NULL;
	443	struct tcp_header *tcp = dp_packet_l4(pkt);
	444	struct tcp_peer src, dst;
	445	uint16_t tcp_flags = TCP_FLAGS(tcp->tcp_ctl);
	446
	447	newconn = xzalloc(sizeof *newconn);
	448
	449	src = &newconn->peer[0];
	450	dst = &newconn->peer[1];
	451
	452	src->seqlo = ntohl(get_16aligned_be32(&tcp->tcp_seq));
	453	src->seqhi = src->seqlo + tcp_payload_length(pkt) + 1;
	454
	455	if (tcp_flags & TCP_SYN) {
	456	src->seqhi++;
	457	src->wscale = tcp_get_wscale(tcp);
	458	} else {
	459	src->wscale = CT_WSCALE_UNKNOWN;
	460	dst->wscale = CT_WSCALE_UNKNOWN;
	461	}
	462	src->max_win = MAX(ntohs(tcp->tcp_winsz), 1);
	463	if (src->wscale & CT_WSCALE_MASK) {
	464	/* Remove scale factor from initial window */
	465	uint8_t sws = src->wscale & CT_WSCALE_MASK;
	466	src->max_win = DIV_ROUND_UP((uint32_t) src->max_win, 1 << sws);
	467	}
	468	if (tcp_flags & TCP_FIN) {
	469	src->seqhi++;
	470	}
	471	dst->seqhi = 1;
	472	dst->max_win = 1;
	473	src->state = CT_DPIF_TCPS_SYN_SENT;
	474	dst->state = CT_DPIF_TCPS_CLOSED;
	475
2078901a	476	newconn->up.tp_id = tp_id;
967bb5c5	477	conn_init_expiration(ct, &newconn->up, CT_TM_TCP_FIRST_PACKET, now);
a489b168 DDP	478
	479	return &newconn->up;
	480	}
	481
4d4e68ed DDP	482	static uint8_t
	483	tcp_peer_to_protoinfo_flags(const struct tcp_peer *peer)
	484	{
	485	uint8_t res = 0;
	486
	487	if (peer->wscale & CT_WSCALE_FLAG) {
	488	res \|= CT_DPIF_TCPF_WINDOW_SCALE;
	489	}
	490
	491	if (peer->wscale & CT_WSCALE_UNKNOWN) {
	492	res \|= CT_DPIF_TCPF_BE_LIBERAL;
	493	}
	494
	495	return res;
	496	}
	497
	498	static void
	499	tcp_conn_get_protoinfo(const struct conn *conn_,
	500	struct ct_dpif_protoinfo *protoinfo)
	501	{
	502	const struct conn_tcp *conn = conn_tcp_cast(conn_);
	503
	504	protoinfo->proto = IPPROTO_TCP;
	505	protoinfo->tcp.state_orig = conn->peer[0].state;
	506	protoinfo->tcp.state_reply = conn->peer[1].state;
	507
	508	protoinfo->tcp.wscale_orig = conn->peer[0].wscale & CT_WSCALE_MASK;
	509	protoinfo->tcp.wscale_reply = conn->peer[1].wscale & CT_WSCALE_MASK;
	510
	511	protoinfo->tcp.flags_orig = tcp_peer_to_protoinfo_flags(&conn->peer[0]);
	512	protoinfo->tcp.flags_reply = tcp_peer_to_protoinfo_flags(&conn->peer[1]);
	513	}
	514
a489b168 DDP	515	struct ct_l4_proto ct_proto_tcp = {
	516	.new_conn = tcp_new_conn,
	517	.valid_new = tcp_valid_new,
	518	.conn_update = tcp_conn_update,
4d4e68ed	519	.conn_get_protoinfo = tcp_conn_get_protoinfo,
a489b168	520	};