]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - net/netfilter/nf_conntrack_proto_sctp.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'kvm-s390-master-4.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git...
[mirror_ubuntu-artful-kernel.git] / net / netfilter / nf_conntrack_proto_sctp.c
CommitLineData
9fb9cbb1
YK		 1/*
2 * Connection tracking protocol helper module for SCTP.
601e68e1 3 *
f229f6ce
PM		 4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
6 *
601e68e1 7 * SCTP is defined in RFC 2960. References to various sections in this code
9fb9cbb1 8 * are to this RFC.
601e68e1 9 *
9fb9cbb1
YK		 10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
9fb9cbb1
YK		 13 */
14
15#include <linux/types.h>
9fb9cbb1
YK		 16#include <linux/timer.h>
17#include <linux/netfilter.h>
9fb9cbb1
YK		 18#include <linux/in.h>
19#include <linux/ip.h>
20#include <linux/sctp.h>
21#include <linux/string.h>
22#include <linux/seq_file.h>
40a839fd
YK		 23#include <linux/spinlock.h>
24#include <linux/interrupt.h>
cf6e007e 25#include <net/sctp/checksum.h>
9fb9cbb1 26
cf6e007e 27#include <net/netfilter/nf_log.h>
9fb9cbb1 28#include <net/netfilter/nf_conntrack.h>
605dcad6 29#include <net/netfilter/nf_conntrack_l4proto.h>
f6180121 30#include <net/netfilter/nf_conntrack_ecache.h>
9fb9cbb1 31
9fb9cbb1 32/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
601e68e1 33 closely. They're more complex. --RR
9fb9cbb1
YK		 34
35 And so for me for SCTP :D -Kiran */
36
12c33aa2 37static const char *const sctp_conntrack_names[] = {
9fb9cbb1
YK		 38 "NONE",
39 "CLOSED",
40 "COOKIE_WAIT",
41 "COOKIE_ECHOED",
42 "ESTABLISHED",
43 "SHUTDOWN_SENT",
44 "SHUTDOWN_RECD",
45 "SHUTDOWN_ACK_SENT",
d7ee3519
MK		 46 "HEARTBEAT_SENT",
47 "HEARTBEAT_ACKED",
9fb9cbb1
YK		 48};
49
50#define SECS * HZ
51#define MINS * 60 SECS
52#define HOURS * 60 MINS
53#define DAYS * 24 HOURS
54
86c0bf40
PM		 55static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
56 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
57 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
58 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
59 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
60 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
61 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
62 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
d7ee3519
MK		 63 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
64 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
86c0bf40 65};
9fb9cbb1
YK		 66
67#define sNO SCTP_CONNTRACK_NONE
68#define sCL SCTP_CONNTRACK_CLOSED
69#define sCW SCTP_CONNTRACK_COOKIE_WAIT
70#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
71#define sES SCTP_CONNTRACK_ESTABLISHED
72#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
73#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
74#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
d7ee3519
MK		 75#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
76#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
9fb9cbb1
YK		 77#define sIV SCTP_CONNTRACK_MAX
78
601e68e1 79/*
9fb9cbb1
YK		 80 These are the descriptions of the states:
81
601e68e1 82NOTE: These state names are tantalizingly similar to the states of an
9fb9cbb1 83SCTP endpoint. But the interpretation of the states is a little different,
601e68e1 84considering that these are the states of the connection and not of an end
9fb9cbb1
YK		 85point. Please note the subtleties. -Kiran
86
87NONE - Nothing so far.
601e68e1
YH		 88COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
89 an INIT_ACK chunk in the reply direction.
9fb9cbb1
YK		 90COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
91ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
92SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
93SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
94SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
601e68e1
YH		 95 to that of the SHUTDOWN chunk.
96CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
97 the SHUTDOWN chunk. Connection is closed.
d7ee3519
MK		 98HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
99HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
100 that of the HEARTBEAT chunk. Secondary connection is
101 established.
9fb9cbb1
YK		 102*/
103
104/* TODO
601e68e1 105 - I have assumed that the first INIT is in the original direction.
9fb9cbb1
YK		 106 This messes things when an INIT comes in the reply direction in CLOSED
107 state.
601e68e1 108 - Check the error type in the reply dir before transitioning from
9fb9cbb1
YK		 109cookie echoed to closed.
110 - Sec 5.2.4 of RFC 2960
d7ee3519 111 - Full Multi Homing support.
9fb9cbb1
YK		 112*/
113
114/* SCTP conntrack state transitions */
d7ee3519 115static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
9fb9cbb1
YK		 116 {
117/* ORIGINAL */
d7ee3519
MK		 118/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
119/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
120/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
121/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
122/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
123/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
124/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
125/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
126/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
127/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
128/* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
129/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
9fb9cbb1
YK		 130 },
131 {
132/* REPLY */
d7ee3519
MK		 133/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
134/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
135/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
136/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
137/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
138/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
139/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
140/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
141/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
142/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
143/* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
144/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
9fb9cbb1
YK		 145 }
146};
147
a85406af 148static inline struct nf_sctp_net *sctp_pernet(struct net *net)
49d485a3 149{
a85406af 150 return &net->ct.nf_ct_proto.sctp;
49d485a3
G		 151}
152
09f263cd 153static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
a31f1adc 154 struct net *net, struct nf_conntrack_tuple *tuple)
9fb9cbb1 155{
12c33aa2
JE		 156 const struct sctphdr *hp;
157 struct sctphdr _hdr;
9fb9cbb1 158
e5e693ab
GF		 159 /* Actually only need first 4 bytes to get ports. */
160 hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
9fb9cbb1 161 if (hp == NULL)
09f263cd 162 return false;
9fb9cbb1
YK		 163
164 tuple->src.u.sctp.port = hp->source;
165 tuple->dst.u.sctp.port = hp->dest;
09f263cd 166 return true;
9fb9cbb1
YK		 167}
168
09f263cd
JE		 169static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
170 const struct nf_conntrack_tuple *orig)
9fb9cbb1 171{
9fb9cbb1
YK		 172 tuple->src.u.sctp.port = orig->dst.u.sctp.port;
173 tuple->dst.u.sctp.port = orig->src.u.sctp.port;
09f263cd 174 return true;
9fb9cbb1
YK		 175}
176
177/* Print out the per-protocol part of the tuple. */
824f1fbe
JP		 178static void sctp_print_tuple(struct seq_file *s,
179 const struct nf_conntrack_tuple *tuple)
9fb9cbb1 180{
824f1fbe
JP		 181 seq_printf(s, "sport=%hu dport=%hu ",
182 ntohs(tuple->src.u.sctp.port),
183 ntohs(tuple->dst.u.sctp.port));
9fb9cbb1
YK		 184}
185
186/* Print out the private part of the conntrack. */
37246a58 187static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
9fb9cbb1 188{
a163f2cb 189 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
9fb9cbb1
YK		 190}
191
192#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
ae146d9b 193for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \
e79ec50b
JE		 194 (offset) < (skb)->len && \
195 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
196 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
9fb9cbb1
YK		 197
198/* Some validity checks to make sure the chunks are fine */
112f35c9 199static int do_basic_checks(struct nf_conn *ct,
9fb9cbb1
YK		 200 const struct sk_buff *skb,
201 unsigned int dataoff,
35c6d3cb 202 unsigned long *map)
9fb9cbb1
YK		 203{
204 u_int32_t offset, count;
922dbc5b 205 struct sctp_chunkhdr _sch, *sch;
9fb9cbb1
YK		 206 int flag;
207
9fb9cbb1
YK		 208 flag = 0;
209
210 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
0d53778e 211 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
9fb9cbb1 212
5447d477
PM		 213 if (sch->type == SCTP_CID_INIT ||
214 sch->type == SCTP_CID_INIT_ACK ||
215 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
9fb9cbb1 216 flag = 1;
9fb9cbb1 217
e17df688
PM		 218 /*
219 * Cookie Ack/Echo chunks not the first OR
220 * Init / Init Ack / Shutdown compl chunks not the only chunks
221 * OR zero-length.
222 */
5447d477
PM		 223 if (((sch->type == SCTP_CID_COOKIE_ACK ||
224 sch->type == SCTP_CID_COOKIE_ECHO ||
225 flag) &&
226 count != 0) || !sch->length) {
0d53778e 227 pr_debug("Basic checks failed\n");
9fb9cbb1
YK		 228 return 1;
229 }
230
5447d477 231 if (map)
35c6d3cb 232 set_bit(sch->type, map);
9fb9cbb1
YK		 233 }
234
0d53778e 235 pr_debug("Basic checks passed\n");
dd7271fe 236 return count == 0;
9fb9cbb1
YK		 237}
238
efe9f68a
PM		 239static int sctp_new_state(enum ip_conntrack_dir dir,
240 enum sctp_conntrack cur_state,
241 int chunk_type)
9fb9cbb1
YK		 242{
243 int i;
244
0d53778e 245 pr_debug("Chunk type: %d\n", chunk_type);
9fb9cbb1
YK		 246
247 switch (chunk_type) {
5447d477
PM		 248 case SCTP_CID_INIT:
249 pr_debug("SCTP_CID_INIT\n");
250 i = 0;
251 break;
252 case SCTP_CID_INIT_ACK:
253 pr_debug("SCTP_CID_INIT_ACK\n");
254 i = 1;
255 break;
256 case SCTP_CID_ABORT:
257 pr_debug("SCTP_CID_ABORT\n");
258 i = 2;
259 break;
260 case SCTP_CID_SHUTDOWN:
261 pr_debug("SCTP_CID_SHUTDOWN\n");
262 i = 3;
263 break;
264 case SCTP_CID_SHUTDOWN_ACK:
265 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
266 i = 4;
267 break;
268 case SCTP_CID_ERROR:
269 pr_debug("SCTP_CID_ERROR\n");
270 i = 5;
271 break;
272 case SCTP_CID_COOKIE_ECHO:
273 pr_debug("SCTP_CID_COOKIE_ECHO\n");
274 i = 6;
275 break;
276 case SCTP_CID_COOKIE_ACK:
277 pr_debug("SCTP_CID_COOKIE_ACK\n");
278 i = 7;
279 break;
280 case SCTP_CID_SHUTDOWN_COMPLETE:
281 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
282 i = 8;
283 break;
d7ee3519
MK		 284 case SCTP_CID_HEARTBEAT:
285 pr_debug("SCTP_CID_HEARTBEAT");
286 i = 9;
287 break;
288 case SCTP_CID_HEARTBEAT_ACK:
289 pr_debug("SCTP_CID_HEARTBEAT_ACK");
290 i = 10;
291 break;
5447d477 292 default:
d7ee3519 293 /* Other chunks like DATA or SACK do not change the state */
5447d477
PM		 294 pr_debug("Unknown chunk type, Will stay in %s\n",
295 sctp_conntrack_names[cur_state]);
296 return cur_state;
9fb9cbb1
YK		 297 }
298
0d53778e
PM		 299 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
300 dir, sctp_conntrack_names[cur_state], chunk_type,
301 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
9fb9cbb1
YK		 302
303 return sctp_conntracks[dir][i][cur_state];
304}
305
2c8503f5
PNA		 306static unsigned int *sctp_get_timeouts(struct net *net)
307{
49d485a3 308 return sctp_pernet(net)->timeouts;
2c8503f5
PNA		 309}
310
b37e933a 311/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
112f35c9 312static int sctp_packet(struct nf_conn *ct,
9fb9cbb1
YK		 313 const struct sk_buff *skb,
314 unsigned int dataoff,
315 enum ip_conntrack_info ctinfo,
76108cea 316 u_int8_t pf,
2c8503f5
PNA		 317 unsigned int hooknum,
318 unsigned int *timeouts)
9fb9cbb1 319{
efe9f68a 320 enum sctp_conntrack new_state, old_state;
8528819a 321 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
12c33aa2
JE		 322 const struct sctphdr *sh;
323 struct sctphdr _sctph;
324 const struct sctp_chunkhdr *sch;
325 struct sctp_chunkhdr _sch;
9fb9cbb1 326 u_int32_t offset, count;
35c6d3cb 327 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 328
9fb9cbb1
YK		 329 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
330 if (sh == NULL)
b37e933a 331 goto out;
9fb9cbb1 332
112f35c9 333 if (do_basic_checks(ct, skb, dataoff, map) != 0)
b37e933a 334 goto out;
9fb9cbb1
YK		 335
336 /* Check the verification tag (Sec 8.5) */
35c6d3cb
PM		 337 if (!test_bit(SCTP_CID_INIT, map) &&
338 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
339 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
340 !test_bit(SCTP_CID_ABORT, map) &&
341 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
d7ee3519
MK		 342 !test_bit(SCTP_CID_HEARTBEAT, map) &&
343 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
8528819a 344 sh->vtag != ct->proto.sctp.vtag[dir]) {
0d53778e 345 pr_debug("Verification tag check failed\n");
b37e933a 346 goto out;
9fb9cbb1
YK		 347 }
348
328bd899 349 old_state = new_state = SCTP_CONNTRACK_NONE;
440f0d58 350 spin_lock_bh(&ct->lock);
9fb9cbb1 351 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
9fb9cbb1
YK		 352 /* Special cases of Verification tag check (Sec 8.5.1) */
353 if (sch->type == SCTP_CID_INIT) {
354 /* Sec 8.5.1 (A) */
b37e933a
PM		 355 if (sh->vtag != 0)
356 goto out_unlock;
9fb9cbb1
YK		 357 } else if (sch->type == SCTP_CID_ABORT) {
358 /* Sec 8.5.1 (B) */
8528819a 359 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
b37e933a
PM		 360 sh->vtag != ct->proto.sctp.vtag[!dir])
361 goto out_unlock;
9fb9cbb1
YK		 362 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
363 /* Sec 8.5.1 (C) */
8528819a
PM		 364 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
365 sh->vtag != ct->proto.sctp.vtag[!dir] &&
9b1c2cfd 366 sch->flags & SCTP_CHUNK_FLAG_T)
b37e933a 367 goto out_unlock;
9fb9cbb1
YK		 368 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
369 /* Sec 8.5.1 (D) */
b37e933a
PM		 370 if (sh->vtag != ct->proto.sctp.vtag[dir])
371 goto out_unlock;
d7ee3519
MK		 372 } else if (sch->type == SCTP_CID_HEARTBEAT ||
373 sch->type == SCTP_CID_HEARTBEAT_ACK) {
374 if (ct->proto.sctp.vtag[dir] == 0) {
375 pr_debug("Setting vtag %x for dir %d\n",
376 sh->vtag, dir);
377 ct->proto.sctp.vtag[dir] = sh->vtag;
378 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
379 pr_debug("Verification tag check failed\n");
380 goto out_unlock;
381 }
9fb9cbb1
YK		 382 }
383
efe9f68a
PM		 384 old_state = ct->proto.sctp.state;
385 new_state = sctp_new_state(dir, old_state, sch->type);
9fb9cbb1
YK		 386
387 /* Invalid */
efe9f68a 388 if (new_state == SCTP_CONNTRACK_MAX) {
0d53778e
PM		 389 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
390 "conntrack=%u\n",
efe9f68a 391 dir, sch->type, old_state);
b37e933a 392 goto out_unlock;
9fb9cbb1
YK		 393 }
394
395 /* If it is an INIT or an INIT ACK note down the vtag */
5447d477
PM		 396 if (sch->type == SCTP_CID_INIT ||
397 sch->type == SCTP_CID_INIT_ACK) {
4ae70c08 398 struct sctp_inithdr _inithdr, *ih;
9fb9cbb1 399
922dbc5b 400 ih = skb_header_pointer(skb, offset + sizeof(_sch),
601e68e1 401 sizeof(_inithdr), &_inithdr);
b37e933a
PM		 402 if (ih == NULL)
403 goto out_unlock;
0d53778e 404 pr_debug("Setting vtag %x for dir %d\n",
8528819a
PM		 405 ih->init_tag, !dir);
406 ct->proto.sctp.vtag[!dir] = ih->init_tag;
9fb9cbb1
YK		 407 }
408
efe9f68a
PM		 409 ct->proto.sctp.state = new_state;
410 if (old_state != new_state)
a71996fc 411 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
9fb9cbb1 412 }
440f0d58 413 spin_unlock_bh(&ct->lock);
9fb9cbb1 414
2c8503f5 415 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
9fb9cbb1 416
efe9f68a 417 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
8528819a 418 dir == IP_CT_DIR_REPLY &&
efe9f68a 419 new_state == SCTP_CONNTRACK_ESTABLISHED) {
0d53778e 420 pr_debug("Setting assured bit\n");
112f35c9 421 set_bit(IPS_ASSURED_BIT, &ct->status);
858b3133 422 nf_conntrack_event_cache(IPCT_ASSURED, ct);
9fb9cbb1
YK		 423 }
424
425 return NF_ACCEPT;
b37e933a
PM		 426
427out_unlock:
440f0d58 428 spin_unlock_bh(&ct->lock);
b37e933a
PM		 429out:
430 return -NF_ACCEPT;
9fb9cbb1
YK		 431}
432
433/* Called when a new connection for this protocol found. */
09f263cd 434static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
2c8503f5 435 unsigned int dataoff, unsigned int *timeouts)
9fb9cbb1 436{
efe9f68a 437 enum sctp_conntrack new_state;
12c33aa2
JE		 438 const struct sctphdr *sh;
439 struct sctphdr _sctph;
440 const struct sctp_chunkhdr *sch;
441 struct sctp_chunkhdr _sch;
9fb9cbb1 442 u_int32_t offset, count;
35c6d3cb 443 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 444
9fb9cbb1
YK		 445 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
446 if (sh == NULL)
09f263cd 447 return false;
9fb9cbb1 448
112f35c9 449 if (do_basic_checks(ct, skb, dataoff, map) != 0)
09f263cd 450 return false;
9fb9cbb1
YK		 451
452 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
35c6d3cb
PM		 453 if (test_bit(SCTP_CID_ABORT, map) ||
454 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
455 test_bit(SCTP_CID_COOKIE_ACK, map))
09f263cd 456 return false;
9fb9cbb1 457
e5fc9e7a 458 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
efe9f68a 459 new_state = SCTP_CONNTRACK_MAX;
9fb9cbb1
YK		 460 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
461 /* Don't need lock here: this conntrack not in circulation yet */
efe9f68a
PM		 462 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
463 SCTP_CONNTRACK_NONE, sch->type);
9fb9cbb1
YK		 464
465 /* Invalid: delete conntrack */
efe9f68a
PM		 466 if (new_state == SCTP_CONNTRACK_NONE ||
467 new_state == SCTP_CONNTRACK_MAX) {
0d53778e 468 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
09f263cd 469 return false;
9fb9cbb1
YK		 470 }
471
472 /* Copy the vtag into the state info */
473 if (sch->type == SCTP_CID_INIT) {
4ae70c08 474 struct sctp_inithdr _inithdr, *ih;
922dbc5b
XL		 475 /* Sec 8.5.1 (A) */
476 if (sh->vtag)
477 return false;
9fb9cbb1 478
922dbc5b
XL		 479 ih = skb_header_pointer(skb, offset + sizeof(_sch),
480 sizeof(_inithdr), &_inithdr);
481 if (!ih)
482 return false;
9fb9cbb1 483
922dbc5b
XL		 484 pr_debug("Setting vtag %x for new conn\n",
485 ih->init_tag);
9fb9cbb1 486
922dbc5b 487 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
d7ee3519
MK		 488 } else if (sch->type == SCTP_CID_HEARTBEAT) {
489 pr_debug("Setting vtag %x for secondary conntrack\n",
490 sh->vtag);
491 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
9fb9cbb1
YK		 492 }
493 /* If it is a shutdown ack OOTB packet, we expect a return
494 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
495 else {
0d53778e
PM		 496 pr_debug("Setting vtag %x for new conn OOTB\n",
497 sh->vtag);
112f35c9 498 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
9fb9cbb1
YK		 499 }
500
efe9f68a 501 ct->proto.sctp.state = new_state;
9fb9cbb1
YK		 502 }
503
09f263cd 504 return true;
9fb9cbb1
YK		 505}
506
cf6e007e 507static int sctp_error(struct net *net, struct nf_conn *tpl, struct sk_buff *skb,
11df4b76 508 unsigned int dataoff,
cf6e007e
DC		 509 u8 pf, unsigned int hooknum)
510{
511 const struct sctphdr *sh;
cf6e007e
DC		 512 const char *logmsg;
513
f3c0eb05 514 if (skb->len < dataoff + sizeof(struct sctphdr)) {
cf6e007e
DC		 515 logmsg = "nf_ct_sctp: short packet ";
516 goto out_invalid;
517 }
518 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
519 skb->ip_summed == CHECKSUM_NONE) {
f3c0eb05
DC		 520 if (!skb_make_writable(skb, dataoff + sizeof(struct sctphdr))) {
521 logmsg = "nf_ct_sctp: failed to read header ";
522 goto out_invalid;
523 }
524 sh = (const struct sctphdr *)(skb->data + dataoff);
cf6e007e
DC		 525 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
526 logmsg = "nf_ct_sctp: bad CRC ";
527 goto out_invalid;
528 }
529 skb->ip_summed = CHECKSUM_UNNECESSARY;
530 }
531 return NF_ACCEPT;
532out_invalid:
533 if (LOG_INVALID(net, IPPROTO_SCTP))
534 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, "%s", logmsg);
535 return -NF_ACCEPT;
536}
537
c6dd940b
FW		 538static bool sctp_can_early_drop(const struct nf_conn *ct)
539{
540 switch (ct->proto.sctp.state) {
541 case SCTP_CONNTRACK_SHUTDOWN_SENT:
542 case SCTP_CONNTRACK_SHUTDOWN_RECD:
543 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
544 return true;
545 default:
546 break;
547 }
548
549 return false;
550}
551
c0cd1156 552#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e
PNA		 553
554#include <linux/netfilter/nfnetlink.h>
555#include <linux/netfilter/nfnetlink_conntrack.h>
556
557static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
440f0d58 558 struct nf_conn *ct)
a258860e
PNA		 559{
560 struct nlattr *nest_parms;
561
440f0d58 562 spin_lock_bh(&ct->lock);
a258860e
PNA		 563 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
564 if (!nest_parms)
565 goto nla_put_failure;
566
5e8d1eb5
DM		 567 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
568 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
569 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
570 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
571 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
572 goto nla_put_failure;
a258860e 573
440f0d58 574 spin_unlock_bh(&ct->lock);
a258860e
PNA		 575
576 nla_nest_end(skb, nest_parms);
577
578 return 0;
579
580nla_put_failure:
440f0d58 581 spin_unlock_bh(&ct->lock);
a258860e
PNA		 582 return -1;
583}
584
585static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
586 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
587 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
588 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
589};
590
591static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
592{
593 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
594 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
595 int err;
596
597 /* updates may not contain the internal protocol info, skip parsing */
598 if (!attr)
599 return 0;
600
fceb6435
JB		 601 err = nla_parse_nested(tb, CTA_PROTOINFO_SCTP_MAX, attr,
602 sctp_nla_policy, NULL);
a258860e
PNA		 603 if (err < 0)
604 return err;
605
606 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
607 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
608 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
609 return -EINVAL;
610
440f0d58 611 spin_lock_bh(&ct->lock);
a258860e
PNA		 612 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
613 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
5547cd0a 614 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
a258860e 615 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
5547cd0a 616 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
440f0d58 617 spin_unlock_bh(&ct->lock);
a258860e
PNA		 618
619 return 0;
620}
a400c30e
HE		 621
622static int sctp_nlattr_size(void)
623{
624 return nla_total_size(0) /* CTA_PROTOINFO_SCTP */
625 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
626}
a258860e
PNA		 627#endif
628
50978462
PNA		 629#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
630
631#include <linux/netfilter/nfnetlink.h>
632#include <linux/netfilter/nfnetlink_cttimeout.h>
633
8264deb8
G		 634static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
635 struct net *net, void *data)
50978462
PNA		 636{
637 unsigned int *timeouts = data;
a85406af 638 struct nf_sctp_net *sn = sctp_pernet(net);
50978462
PNA		 639 int i;
640
641 /* set default SCTP timeouts. */
642 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
8264deb8 643 timeouts[i] = sn->timeouts[i];
50978462
PNA		 644
645 /* there's a 1:1 mapping between attributes and protocol states. */
646 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
647 if (tb[i]) {
648 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
649 }
650 }
651 return 0;
652}
653
654static int
655sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
656{
657 const unsigned int *timeouts = data;
658 int i;
659
5e8d1eb5
DM		 660 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
661 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
662 goto nla_put_failure;
663 }
50978462
PNA		 664 return 0;
665
666nla_put_failure:
667 return -ENOSPC;
668}
669
670static const struct nla_policy
671sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
672 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
673 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
674 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
675 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
676 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
677 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
678 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
d7ee3519
MK		 679 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
680 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
50978462
PNA		 681};
682#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
683
684
9fb9cbb1 685#ifdef CONFIG_SYSCTL
933a41e7 686static struct ctl_table sctp_sysctl_table[] = {
9fb9cbb1 687 {
9fb9cbb1 688 .procname = "nf_conntrack_sctp_timeout_closed",
9fb9cbb1
YK		 689 .maxlen = sizeof(unsigned int),
690 .mode = 0644,
6d9f239a 691 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 692 },
693 {
9fb9cbb1 694 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
9fb9cbb1
YK		 695 .maxlen = sizeof(unsigned int),
696 .mode = 0644,
6d9f239a 697 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 698 },
699 {
9fb9cbb1 700 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
9fb9cbb1
YK		 701 .maxlen = sizeof(unsigned int),
702 .mode = 0644,
6d9f239a 703 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 704 },
705 {
9fb9cbb1 706 .procname = "nf_conntrack_sctp_timeout_established",
9fb9cbb1
YK		 707 .maxlen = sizeof(unsigned int),
708 .mode = 0644,
6d9f239a 709 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 710 },
711 {
9fb9cbb1 712 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
9fb9cbb1
YK		 713 .maxlen = sizeof(unsigned int),
714 .mode = 0644,
6d9f239a 715 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 716 },
717 {
9fb9cbb1 718 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
9fb9cbb1
YK		 719 .maxlen = sizeof(unsigned int),
720 .mode = 0644,
6d9f239a 721 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 722 },
723 {
9fb9cbb1 724 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
9fb9cbb1
YK		 725 .maxlen = sizeof(unsigned int),
726 .mode = 0644,
6d9f239a 727 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1 728 },
d7ee3519
MK		 729 {
730 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
731 .maxlen = sizeof(unsigned int),
732 .mode = 0644,
733 .proc_handler = proc_dointvec_jiffies,
734 },
735 {
736 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
737 .maxlen = sizeof(unsigned int),
738 .mode = 0644,
739 .proc_handler = proc_dointvec_jiffies,
740 },
f8572d8f 741 { }
9fb9cbb1 742};
933a41e7 743#endif
9fb9cbb1 744
f42c4183 745static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
a85406af 746 struct nf_sctp_net *sn)
49d485a3
G		 747{
748#ifdef CONFIG_SYSCTL
49d485a3
G		 749 if (pn->ctl_table)
750 return 0;
751
752 pn->ctl_table = kmemdup(sctp_sysctl_table,
753 sizeof(sctp_sysctl_table),
754 GFP_KERNEL);
755 if (!pn->ctl_table)
756 return -ENOMEM;
757
758 pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
759 pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
760 pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
761 pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
762 pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
763 pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
764 pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
d7ee3519
MK		 765 pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
766 pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
49d485a3
G		 767#endif
768 return 0;
769}
770
f42c4183 771static int sctp_init_net(struct net *net, u_int16_t proto)
49d485a3 772{
a85406af 773 struct nf_sctp_net *sn = sctp_pernet(net);
f42c4183 774 struct nf_proto_net *pn = &sn->pn;
49d485a3 775
f42c4183
G		 776 if (!pn->users) {
777 int i;
49d485a3 778
f42c4183
G		 779 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
780 sn->timeouts[i] = sctp_timeouts[i];
781 }
49d485a3 782
adf05168 783 return sctp_kmemdup_sysctl_table(pn, sn);
49d485a3
G		 784}
785
deaa0a97
LZ		 786static struct nf_proto_net *sctp_get_net_proto(struct net *net)
787{
788 return &net->ct.nf_ct_proto.sctp.pn;
789}
790
a85406af 791struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
933a41e7
PM		 792 .l3proto = PF_INET,
793 .l4proto = IPPROTO_SCTP,
794 .name = "sctp",
795 .pkt_to_tuple = sctp_pkt_to_tuple,
796 .invert_tuple = sctp_invert_tuple,
797 .print_tuple = sctp_print_tuple,
798 .print_conntrack = sctp_print_conntrack,
799 .packet = sctp_packet,
2c8503f5 800 .get_timeouts = sctp_get_timeouts,
933a41e7 801 .new = sctp_new,
cf6e007e 802 .error = sctp_error,
c6dd940b 803 .can_early_drop = sctp_can_early_drop,
933a41e7 804 .me = THIS_MODULE,
c0cd1156 805#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 806 .to_nlattr = sctp_to_nlattr,
a400c30e 807 .nlattr_size = sctp_nlattr_size,
a258860e 808 .from_nlattr = nlattr_to_sctp,
c7212e9d 809 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 810 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 811 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
812 .nla_policy = nf_ct_port_nla_policy,
813#endif
50978462
PNA		 814#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
815 .ctnl_timeout = {
816 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
817 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
818 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
819 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
820 .nla_policy = sctp_timeout_nla_policy,
821 },
822#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
f42c4183 823 .init_net = sctp_init_net,
deaa0a97 824 .get_net_proto = sctp_get_net_proto,
9fb9cbb1 825};
a85406af 826EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
9fb9cbb1 827
a85406af 828struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
933a41e7
PM		 829 .l3proto = PF_INET6,
830 .l4proto = IPPROTO_SCTP,
831 .name = "sctp",
832 .pkt_to_tuple = sctp_pkt_to_tuple,
833 .invert_tuple = sctp_invert_tuple,
834 .print_tuple = sctp_print_tuple,
835 .print_conntrack = sctp_print_conntrack,
836 .packet = sctp_packet,
2c8503f5 837 .get_timeouts = sctp_get_timeouts,
933a41e7 838 .new = sctp_new,
cf6e007e 839 .error = sctp_error,
c6dd940b 840 .can_early_drop = sctp_can_early_drop,
933a41e7 841 .me = THIS_MODULE,
c0cd1156 842#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 843 .to_nlattr = sctp_to_nlattr,
a400c30e 844 .nlattr_size = sctp_nlattr_size,
a258860e 845 .from_nlattr = nlattr_to_sctp,
c7212e9d 846 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 847 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 848 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
849 .nla_policy = nf_ct_port_nla_policy,
50978462
PNA		 850#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
851 .ctnl_timeout = {
852 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
853 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
854 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
855 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
856 .nla_policy = sctp_timeout_nla_policy,
857 },
858#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
9fb9cbb1 859#endif
f42c4183 860 .init_net = sctp_init_net,
deaa0a97 861 .get_net_proto = sctp_get_net_proto,
933a41e7 862};
a85406af 863EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
Ubuntu Artful kernel mirror