]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - net/netfilter/nf_conntrack_proto_sctp.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
x86/msr-index: Cleanup bit defines
[mirror_ubuntu-bionic-kernel.git] / net / netfilter / nf_conntrack_proto_sctp.c
CommitLineData
9fb9cbb1
YK		 1/*
2 * Connection tracking protocol helper module for SCTP.
601e68e1 3 *
f229f6ce
PM		 4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
6 *
601e68e1 7 * SCTP is defined in RFC 2960. References to various sections in this code
9fb9cbb1 8 * are to this RFC.
601e68e1 9 *
9fb9cbb1
YK		 10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
9fb9cbb1
YK		 13 */
14
15#include <linux/types.h>
9fb9cbb1
YK		 16#include <linux/timer.h>
17#include <linux/netfilter.h>
9fb9cbb1
YK		 18#include <linux/in.h>
19#include <linux/ip.h>
20#include <linux/sctp.h>
21#include <linux/string.h>
22#include <linux/seq_file.h>
40a839fd
YK		 23#include <linux/spinlock.h>
24#include <linux/interrupt.h>
cf6e007e 25#include <net/sctp/checksum.h>
9fb9cbb1 26
cf6e007e 27#include <net/netfilter/nf_log.h>
9fb9cbb1 28#include <net/netfilter/nf_conntrack.h>
605dcad6 29#include <net/netfilter/nf_conntrack_l4proto.h>
f6180121 30#include <net/netfilter/nf_conntrack_ecache.h>
9fb9cbb1 31
9fb9cbb1 32/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
601e68e1 33 closely. They're more complex. --RR
9fb9cbb1
YK		 34
35 And so for me for SCTP :D -Kiran */
36
12c33aa2 37static const char *const sctp_conntrack_names[] = {
9fb9cbb1
YK		 38 "NONE",
39 "CLOSED",
40 "COOKIE_WAIT",
41 "COOKIE_ECHOED",
42 "ESTABLISHED",
43 "SHUTDOWN_SENT",
44 "SHUTDOWN_RECD",
45 "SHUTDOWN_ACK_SENT",
d7ee3519
MK		 46 "HEARTBEAT_SENT",
47 "HEARTBEAT_ACKED",
9fb9cbb1
YK		 48};
49
50#define SECS * HZ
51#define MINS * 60 SECS
52#define HOURS * 60 MINS
53#define DAYS * 24 HOURS
54
86c0bf40
PM		 55static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
56 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
57 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
58 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
59 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
60 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
61 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
62 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
d7ee3519
MK		 63 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
64 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
86c0bf40 65};
9fb9cbb1
YK		 66
67#define sNO SCTP_CONNTRACK_NONE
68#define sCL SCTP_CONNTRACK_CLOSED
69#define sCW SCTP_CONNTRACK_COOKIE_WAIT
70#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
71#define sES SCTP_CONNTRACK_ESTABLISHED
72#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
73#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
74#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
d7ee3519
MK		 75#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
76#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
9fb9cbb1
YK		 77#define sIV SCTP_CONNTRACK_MAX
78
601e68e1 79/*
9fb9cbb1
YK		 80 These are the descriptions of the states:
81
601e68e1 82NOTE: These state names are tantalizingly similar to the states of an
9fb9cbb1 83SCTP endpoint. But the interpretation of the states is a little different,
601e68e1 84considering that these are the states of the connection and not of an end
9fb9cbb1
YK		 85point. Please note the subtleties. -Kiran
86
87NONE - Nothing so far.
601e68e1
YH		 88COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
89 an INIT_ACK chunk in the reply direction.
9fb9cbb1
YK		 90COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
91ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
92SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
93SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
94SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
601e68e1
YH		 95 to that of the SHUTDOWN chunk.
96CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
97 the SHUTDOWN chunk. Connection is closed.
d7ee3519
MK		 98HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
99HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
100 that of the HEARTBEAT chunk. Secondary connection is
101 established.
9fb9cbb1
YK		 102*/
103
104/* TODO
601e68e1 105 - I have assumed that the first INIT is in the original direction.
9fb9cbb1
YK		 106 This messes things when an INIT comes in the reply direction in CLOSED
107 state.
601e68e1 108 - Check the error type in the reply dir before transitioning from
9fb9cbb1
YK		 109cookie echoed to closed.
110 - Sec 5.2.4 of RFC 2960
d7ee3519 111 - Full Multi Homing support.
9fb9cbb1
YK		 112*/
113
114/* SCTP conntrack state transitions */
d7ee3519 115static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
9fb9cbb1
YK		 116 {
117/* ORIGINAL */
d7ee3519
MK		 118/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
119/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
120/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
121/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
122/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
123/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
124/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
125/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
126/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
127/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
128/* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
129/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
9fb9cbb1
YK		 130 },
131 {
132/* REPLY */
d7ee3519
MK		 133/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
134/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
135/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
136/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
137/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
138/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
139/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
140/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
141/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
142/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
143/* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
144/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
9fb9cbb1
YK		 145 }
146};
147
a85406af 148static inline struct nf_sctp_net *sctp_pernet(struct net *net)
49d485a3 149{
a85406af 150 return &net->ct.nf_ct_proto.sctp;
49d485a3
G		 151}
152
09f263cd 153static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
a31f1adc 154 struct net *net, struct nf_conntrack_tuple *tuple)
9fb9cbb1 155{
12c33aa2
JE		 156 const struct sctphdr *hp;
157 struct sctphdr _hdr;
9fb9cbb1 158
e5e693ab
GF		 159 /* Actually only need first 4 bytes to get ports. */
160 hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
9fb9cbb1 161 if (hp == NULL)
09f263cd 162 return false;
9fb9cbb1
YK		 163
164 tuple->src.u.sctp.port = hp->source;
165 tuple->dst.u.sctp.port = hp->dest;
09f263cd 166 return true;
9fb9cbb1
YK		 167}
168
09f263cd
JE		 169static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
170 const struct nf_conntrack_tuple *orig)
9fb9cbb1 171{
9fb9cbb1
YK		 172 tuple->src.u.sctp.port = orig->dst.u.sctp.port;
173 tuple->dst.u.sctp.port = orig->src.u.sctp.port;
09f263cd 174 return true;
9fb9cbb1
YK		 175}
176
ea48cc83 177#ifdef CONFIG_NF_CONNTRACK_PROCFS
9fb9cbb1 178/* Print out the private part of the conntrack. */
37246a58 179static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
9fb9cbb1 180{
a163f2cb 181 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
9fb9cbb1 182}
ea48cc83 183#endif
9fb9cbb1
YK		 184
185#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
ae146d9b 186for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \
e79ec50b
JE		 187 (offset) < (skb)->len && \
188 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
189 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
9fb9cbb1
YK		 190
191/* Some validity checks to make sure the chunks are fine */
112f35c9 192static int do_basic_checks(struct nf_conn *ct,
9fb9cbb1
YK		 193 const struct sk_buff *skb,
194 unsigned int dataoff,
35c6d3cb 195 unsigned long *map)
9fb9cbb1
YK		 196{
197 u_int32_t offset, count;
922dbc5b 198 struct sctp_chunkhdr _sch, *sch;
9fb9cbb1
YK		 199 int flag;
200
9fb9cbb1
YK		 201 flag = 0;
202
203 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
0d53778e 204 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
9fb9cbb1 205
5447d477
PM		 206 if (sch->type == SCTP_CID_INIT ||
207 sch->type == SCTP_CID_INIT_ACK ||
208 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
9fb9cbb1 209 flag = 1;
9fb9cbb1 210
e17df688
PM		 211 /*
212 * Cookie Ack/Echo chunks not the first OR
213 * Init / Init Ack / Shutdown compl chunks not the only chunks
214 * OR zero-length.
215 */
5447d477
PM		 216 if (((sch->type == SCTP_CID_COOKIE_ACK ||
217 sch->type == SCTP_CID_COOKIE_ECHO ||
218 flag) &&
219 count != 0) || !sch->length) {
0d53778e 220 pr_debug("Basic checks failed\n");
9fb9cbb1
YK		 221 return 1;
222 }
223
5447d477 224 if (map)
35c6d3cb 225 set_bit(sch->type, map);
9fb9cbb1
YK		 226 }
227
0d53778e 228 pr_debug("Basic checks passed\n");
dd7271fe 229 return count == 0;
9fb9cbb1
YK		 230}
231
efe9f68a
PM		 232static int sctp_new_state(enum ip_conntrack_dir dir,
233 enum sctp_conntrack cur_state,
234 int chunk_type)
9fb9cbb1
YK		 235{
236 int i;
237
0d53778e 238 pr_debug("Chunk type: %d\n", chunk_type);
9fb9cbb1
YK		 239
240 switch (chunk_type) {
5447d477
PM		 241 case SCTP_CID_INIT:
242 pr_debug("SCTP_CID_INIT\n");
243 i = 0;
244 break;
245 case SCTP_CID_INIT_ACK:
246 pr_debug("SCTP_CID_INIT_ACK\n");
247 i = 1;
248 break;
249 case SCTP_CID_ABORT:
250 pr_debug("SCTP_CID_ABORT\n");
251 i = 2;
252 break;
253 case SCTP_CID_SHUTDOWN:
254 pr_debug("SCTP_CID_SHUTDOWN\n");
255 i = 3;
256 break;
257 case SCTP_CID_SHUTDOWN_ACK:
258 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
259 i = 4;
260 break;
261 case SCTP_CID_ERROR:
262 pr_debug("SCTP_CID_ERROR\n");
263 i = 5;
264 break;
265 case SCTP_CID_COOKIE_ECHO:
266 pr_debug("SCTP_CID_COOKIE_ECHO\n");
267 i = 6;
268 break;
269 case SCTP_CID_COOKIE_ACK:
270 pr_debug("SCTP_CID_COOKIE_ACK\n");
271 i = 7;
272 break;
273 case SCTP_CID_SHUTDOWN_COMPLETE:
274 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
275 i = 8;
276 break;
d7ee3519
MK		 277 case SCTP_CID_HEARTBEAT:
278 pr_debug("SCTP_CID_HEARTBEAT");
279 i = 9;
280 break;
281 case SCTP_CID_HEARTBEAT_ACK:
282 pr_debug("SCTP_CID_HEARTBEAT_ACK");
283 i = 10;
284 break;
5447d477 285 default:
d7ee3519 286 /* Other chunks like DATA or SACK do not change the state */
5447d477
PM		 287 pr_debug("Unknown chunk type, Will stay in %s\n",
288 sctp_conntrack_names[cur_state]);
289 return cur_state;
9fb9cbb1
YK		 290 }
291
0d53778e
PM		 292 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
293 dir, sctp_conntrack_names[cur_state], chunk_type,
294 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
9fb9cbb1
YK		 295
296 return sctp_conntracks[dir][i][cur_state];
297}
298
2c8503f5
PNA		 299static unsigned int *sctp_get_timeouts(struct net *net)
300{
49d485a3 301 return sctp_pernet(net)->timeouts;
2c8503f5
PNA		 302}
303
b37e933a 304/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
112f35c9 305static int sctp_packet(struct nf_conn *ct,
9fb9cbb1
YK		 306 const struct sk_buff *skb,
307 unsigned int dataoff,
308 enum ip_conntrack_info ctinfo,
2c8503f5 309 unsigned int *timeouts)
9fb9cbb1 310{
efe9f68a 311 enum sctp_conntrack new_state, old_state;
8528819a 312 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
12c33aa2
JE		 313 const struct sctphdr *sh;
314 struct sctphdr _sctph;
315 const struct sctp_chunkhdr *sch;
316 struct sctp_chunkhdr _sch;
9fb9cbb1 317 u_int32_t offset, count;
35c6d3cb 318 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 319
9fb9cbb1
YK		 320 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
321 if (sh == NULL)
b37e933a 322 goto out;
9fb9cbb1 323
112f35c9 324 if (do_basic_checks(ct, skb, dataoff, map) != 0)
b37e933a 325 goto out;
9fb9cbb1
YK		 326
327 /* Check the verification tag (Sec 8.5) */
35c6d3cb
PM		 328 if (!test_bit(SCTP_CID_INIT, map) &&
329 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
330 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
331 !test_bit(SCTP_CID_ABORT, map) &&
332 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
d7ee3519
MK		 333 !test_bit(SCTP_CID_HEARTBEAT, map) &&
334 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
8528819a 335 sh->vtag != ct->proto.sctp.vtag[dir]) {
0d53778e 336 pr_debug("Verification tag check failed\n");
b37e933a 337 goto out;
9fb9cbb1
YK		 338 }
339
328bd899 340 old_state = new_state = SCTP_CONNTRACK_NONE;
440f0d58 341 spin_lock_bh(&ct->lock);
9fb9cbb1 342 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
9fb9cbb1
YK		 343 /* Special cases of Verification tag check (Sec 8.5.1) */
344 if (sch->type == SCTP_CID_INIT) {
345 /* Sec 8.5.1 (A) */
b37e933a
PM		 346 if (sh->vtag != 0)
347 goto out_unlock;
9fb9cbb1
YK		 348 } else if (sch->type == SCTP_CID_ABORT) {
349 /* Sec 8.5.1 (B) */
8528819a 350 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
b37e933a
PM		 351 sh->vtag != ct->proto.sctp.vtag[!dir])
352 goto out_unlock;
9fb9cbb1
YK		 353 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
354 /* Sec 8.5.1 (C) */
8528819a
PM		 355 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
356 sh->vtag != ct->proto.sctp.vtag[!dir] &&
9b1c2cfd 357 sch->flags & SCTP_CHUNK_FLAG_T)
b37e933a 358 goto out_unlock;
9fb9cbb1
YK		 359 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
360 /* Sec 8.5.1 (D) */
b37e933a
PM		 361 if (sh->vtag != ct->proto.sctp.vtag[dir])
362 goto out_unlock;
d7ee3519
MK		 363 } else if (sch->type == SCTP_CID_HEARTBEAT ||
364 sch->type == SCTP_CID_HEARTBEAT_ACK) {
365 if (ct->proto.sctp.vtag[dir] == 0) {
366 pr_debug("Setting vtag %x for dir %d\n",
367 sh->vtag, dir);
368 ct->proto.sctp.vtag[dir] = sh->vtag;
369 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
370 pr_debug("Verification tag check failed\n");
371 goto out_unlock;
372 }
9fb9cbb1
YK		 373 }
374
efe9f68a
PM		 375 old_state = ct->proto.sctp.state;
376 new_state = sctp_new_state(dir, old_state, sch->type);
9fb9cbb1
YK		 377
378 /* Invalid */
efe9f68a 379 if (new_state == SCTP_CONNTRACK_MAX) {
0d53778e
PM		 380 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
381 "conntrack=%u\n",
efe9f68a 382 dir, sch->type, old_state);
b37e933a 383 goto out_unlock;
9fb9cbb1
YK		 384 }
385
386 /* If it is an INIT or an INIT ACK note down the vtag */
5447d477
PM		 387 if (sch->type == SCTP_CID_INIT ||
388 sch->type == SCTP_CID_INIT_ACK) {
4ae70c08 389 struct sctp_inithdr _inithdr, *ih;
9fb9cbb1 390
922dbc5b 391 ih = skb_header_pointer(skb, offset + sizeof(_sch),
601e68e1 392 sizeof(_inithdr), &_inithdr);
b37e933a
PM		 393 if (ih == NULL)
394 goto out_unlock;
0d53778e 395 pr_debug("Setting vtag %x for dir %d\n",
8528819a
PM		 396 ih->init_tag, !dir);
397 ct->proto.sctp.vtag[!dir] = ih->init_tag;
9fb9cbb1
YK		 398 }
399
efe9f68a
PM		 400 ct->proto.sctp.state = new_state;
401 if (old_state != new_state)
a71996fc 402 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
9fb9cbb1 403 }
440f0d58 404 spin_unlock_bh(&ct->lock);
9fb9cbb1 405
2c8503f5 406 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
9fb9cbb1 407
efe9f68a 408 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
8528819a 409 dir == IP_CT_DIR_REPLY &&
efe9f68a 410 new_state == SCTP_CONNTRACK_ESTABLISHED) {
0d53778e 411 pr_debug("Setting assured bit\n");
112f35c9 412 set_bit(IPS_ASSURED_BIT, &ct->status);
858b3133 413 nf_conntrack_event_cache(IPCT_ASSURED, ct);
9fb9cbb1
YK		 414 }
415
416 return NF_ACCEPT;
b37e933a
PM		 417
418out_unlock:
440f0d58 419 spin_unlock_bh(&ct->lock);
b37e933a
PM		 420out:
421 return -NF_ACCEPT;
9fb9cbb1
YK		 422}
423
424/* Called when a new connection for this protocol found. */
09f263cd 425static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
2c8503f5 426 unsigned int dataoff, unsigned int *timeouts)
9fb9cbb1 427{
efe9f68a 428 enum sctp_conntrack new_state;
12c33aa2
JE		 429 const struct sctphdr *sh;
430 struct sctphdr _sctph;
431 const struct sctp_chunkhdr *sch;
432 struct sctp_chunkhdr _sch;
9fb9cbb1 433 u_int32_t offset, count;
35c6d3cb 434 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 435
9fb9cbb1
YK		 436 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
437 if (sh == NULL)
09f263cd 438 return false;
9fb9cbb1 439
112f35c9 440 if (do_basic_checks(ct, skb, dataoff, map) != 0)
09f263cd 441 return false;
9fb9cbb1
YK		 442
443 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
35c6d3cb
PM		 444 if (test_bit(SCTP_CID_ABORT, map) ||
445 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
446 test_bit(SCTP_CID_COOKIE_ACK, map))
09f263cd 447 return false;
9fb9cbb1 448
e5fc9e7a 449 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
efe9f68a 450 new_state = SCTP_CONNTRACK_MAX;
9fb9cbb1
YK		 451 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
452 /* Don't need lock here: this conntrack not in circulation yet */
efe9f68a
PM		 453 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
454 SCTP_CONNTRACK_NONE, sch->type);
9fb9cbb1
YK		 455
456 /* Invalid: delete conntrack */
efe9f68a
PM		 457 if (new_state == SCTP_CONNTRACK_NONE ||
458 new_state == SCTP_CONNTRACK_MAX) {
0d53778e 459 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
09f263cd 460 return false;
9fb9cbb1
YK		 461 }
462
463 /* Copy the vtag into the state info */
464 if (sch->type == SCTP_CID_INIT) {
4ae70c08 465 struct sctp_inithdr _inithdr, *ih;
922dbc5b
XL		 466 /* Sec 8.5.1 (A) */
467 if (sh->vtag)
468 return false;
9fb9cbb1 469
922dbc5b
XL		 470 ih = skb_header_pointer(skb, offset + sizeof(_sch),
471 sizeof(_inithdr), &_inithdr);
472 if (!ih)
473 return false;
9fb9cbb1 474
922dbc5b
XL		 475 pr_debug("Setting vtag %x for new conn\n",
476 ih->init_tag);
9fb9cbb1 477
922dbc5b 478 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
d7ee3519
MK		 479 } else if (sch->type == SCTP_CID_HEARTBEAT) {
480 pr_debug("Setting vtag %x for secondary conntrack\n",
481 sh->vtag);
482 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
9fb9cbb1
YK		 483 }
484 /* If it is a shutdown ack OOTB packet, we expect a return
485 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
486 else {
0d53778e
PM		 487 pr_debug("Setting vtag %x for new conn OOTB\n",
488 sh->vtag);
112f35c9 489 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
9fb9cbb1
YK		 490 }
491
efe9f68a 492 ct->proto.sctp.state = new_state;
9fb9cbb1
YK		 493 }
494
09f263cd 495 return true;
9fb9cbb1
YK		 496}
497
cf6e007e 498static int sctp_error(struct net *net, struct nf_conn *tpl, struct sk_buff *skb,
11df4b76 499 unsigned int dataoff,
cf6e007e
DC		 500 u8 pf, unsigned int hooknum)
501{
502 const struct sctphdr *sh;
cf6e007e
DC		 503 const char *logmsg;
504
f3c0eb05 505 if (skb->len < dataoff + sizeof(struct sctphdr)) {
cf6e007e
DC		 506 logmsg = "nf_ct_sctp: short packet ";
507 goto out_invalid;
508 }
509 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
510 skb->ip_summed == CHECKSUM_NONE) {
f3c0eb05
DC		 511 if (!skb_make_writable(skb, dataoff + sizeof(struct sctphdr))) {
512 logmsg = "nf_ct_sctp: failed to read header ";
513 goto out_invalid;
514 }
515 sh = (const struct sctphdr *)(skb->data + dataoff);
cf6e007e
DC		 516 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
517 logmsg = "nf_ct_sctp: bad CRC ";
518 goto out_invalid;
519 }
520 skb->ip_summed = CHECKSUM_UNNECESSARY;
521 }
522 return NF_ACCEPT;
523out_invalid:
c4f3db15 524 nf_l4proto_log_invalid(skb, net, pf, IPPROTO_SCTP, "%s", logmsg);
cf6e007e
DC		 525 return -NF_ACCEPT;
526}
527
c6dd940b
FW		 528static bool sctp_can_early_drop(const struct nf_conn *ct)
529{
530 switch (ct->proto.sctp.state) {
531 case SCTP_CONNTRACK_SHUTDOWN_SENT:
532 case SCTP_CONNTRACK_SHUTDOWN_RECD:
533 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
534 return true;
535 default:
536 break;
537 }
538
539 return false;
540}
541
c0cd1156 542#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e
PNA		 543
544#include <linux/netfilter/nfnetlink.h>
545#include <linux/netfilter/nfnetlink_conntrack.h>
546
547static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
440f0d58 548 struct nf_conn *ct)
a258860e
PNA		 549{
550 struct nlattr *nest_parms;
551
440f0d58 552 spin_lock_bh(&ct->lock);
a258860e
PNA		 553 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
554 if (!nest_parms)
555 goto nla_put_failure;
556
5e8d1eb5
DM		 557 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
558 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
559 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
560 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
561 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
562 goto nla_put_failure;
a258860e 563
440f0d58 564 spin_unlock_bh(&ct->lock);
a258860e
PNA		 565
566 nla_nest_end(skb, nest_parms);
567
568 return 0;
569
570nla_put_failure:
440f0d58 571 spin_unlock_bh(&ct->lock);
a258860e
PNA		 572 return -1;
573}
574
575static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
576 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
577 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
578 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
579};
580
581static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
582{
583 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
584 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
585 int err;
586
587 /* updates may not contain the internal protocol info, skip parsing */
588 if (!attr)
589 return 0;
590
fceb6435
JB		 591 err = nla_parse_nested(tb, CTA_PROTOINFO_SCTP_MAX, attr,
592 sctp_nla_policy, NULL);
a258860e
PNA		 593 if (err < 0)
594 return err;
595
596 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
597 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
598 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
599 return -EINVAL;
600
440f0d58 601 spin_lock_bh(&ct->lock);
a258860e
PNA		 602 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
603 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
5547cd0a 604 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
a258860e 605 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
5547cd0a 606 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
440f0d58 607 spin_unlock_bh(&ct->lock);
a258860e
PNA		 608
609 return 0;
610}
a400c30e
HE		 611
612static int sctp_nlattr_size(void)
613{
614 return nla_total_size(0) /* CTA_PROTOINFO_SCTP */
615 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
616}
a258860e
PNA		 617#endif
618
50978462
PNA		 619#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
620
621#include <linux/netfilter/nfnetlink.h>
622#include <linux/netfilter/nfnetlink_cttimeout.h>
623
8264deb8
G		 624static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
625 struct net *net, void *data)
50978462
PNA		 626{
627 unsigned int *timeouts = data;
a85406af 628 struct nf_sctp_net *sn = sctp_pernet(net);
50978462
PNA		 629 int i;
630
631 /* set default SCTP timeouts. */
632 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
8264deb8 633 timeouts[i] = sn->timeouts[i];
50978462
PNA		 634
635 /* there's a 1:1 mapping between attributes and protocol states. */
636 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
637 if (tb[i]) {
638 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
639 }
640 }
641 return 0;
642}
643
644static int
645sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
646{
647 const unsigned int *timeouts = data;
648 int i;
649
5e8d1eb5
DM		 650 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
651 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
652 goto nla_put_failure;
653 }
50978462
PNA		 654 return 0;
655
656nla_put_failure:
657 return -ENOSPC;
658}
659
660static const struct nla_policy
661sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
662 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
663 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
664 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
665 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
666 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
667 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
668 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
d7ee3519
MK		 669 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
670 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
50978462
PNA		 671};
672#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
673
674
9fb9cbb1 675#ifdef CONFIG_SYSCTL
933a41e7 676static struct ctl_table sctp_sysctl_table[] = {
9fb9cbb1 677 {
9fb9cbb1 678 .procname = "nf_conntrack_sctp_timeout_closed",
9fb9cbb1
YK		 679 .maxlen = sizeof(unsigned int),
680 .mode = 0644,
6d9f239a 681 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 682 },
683 {
9fb9cbb1 684 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
9fb9cbb1
YK		 685 .maxlen = sizeof(unsigned int),
686 .mode = 0644,
6d9f239a 687 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 688 },
689 {
9fb9cbb1 690 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
9fb9cbb1
YK		 691 .maxlen = sizeof(unsigned int),
692 .mode = 0644,
6d9f239a 693 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 694 },
695 {
9fb9cbb1 696 .procname = "nf_conntrack_sctp_timeout_established",
9fb9cbb1
YK		 697 .maxlen = sizeof(unsigned int),
698 .mode = 0644,
6d9f239a 699 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 700 },
701 {
9fb9cbb1 702 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
9fb9cbb1
YK		 703 .maxlen = sizeof(unsigned int),
704 .mode = 0644,
6d9f239a 705 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 706 },
707 {
9fb9cbb1 708 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
9fb9cbb1
YK		 709 .maxlen = sizeof(unsigned int),
710 .mode = 0644,
6d9f239a 711 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 712 },
713 {
9fb9cbb1 714 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
9fb9cbb1
YK		 715 .maxlen = sizeof(unsigned int),
716 .mode = 0644,
6d9f239a 717 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1 718 },
d7ee3519
MK		 719 {
720 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
721 .maxlen = sizeof(unsigned int),
722 .mode = 0644,
723 .proc_handler = proc_dointvec_jiffies,
724 },
725 {
726 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
727 .maxlen = sizeof(unsigned int),
728 .mode = 0644,
729 .proc_handler = proc_dointvec_jiffies,
730 },
f8572d8f 731 { }
9fb9cbb1 732};
933a41e7 733#endif
9fb9cbb1 734
f42c4183 735static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
a85406af 736 struct nf_sctp_net *sn)
49d485a3
G		 737{
738#ifdef CONFIG_SYSCTL
49d485a3
G		 739 if (pn->ctl_table)
740 return 0;
741
742 pn->ctl_table = kmemdup(sctp_sysctl_table,
743 sizeof(sctp_sysctl_table),
744 GFP_KERNEL);
745 if (!pn->ctl_table)
746 return -ENOMEM;
747
748 pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
749 pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
750 pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
751 pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
752 pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
753 pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
754 pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
d7ee3519
MK		 755 pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
756 pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
49d485a3
G		 757#endif
758 return 0;
759}
760
f42c4183 761static int sctp_init_net(struct net *net, u_int16_t proto)
49d485a3 762{
a85406af 763 struct nf_sctp_net *sn = sctp_pernet(net);
f42c4183 764 struct nf_proto_net *pn = &sn->pn;
49d485a3 765
f42c4183
G		 766 if (!pn->users) {
767 int i;
49d485a3 768
f42c4183
G		 769 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
770 sn->timeouts[i] = sctp_timeouts[i];
771 }
49d485a3 772
adf05168 773 return sctp_kmemdup_sysctl_table(pn, sn);
49d485a3
G		 774}
775
deaa0a97
LZ		 776static struct nf_proto_net *sctp_get_net_proto(struct net *net)
777{
778 return &net->ct.nf_ct_proto.sctp.pn;
779}
780
a85406af 781struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
933a41e7
PM		 782 .l3proto = PF_INET,
783 .l4proto = IPPROTO_SCTP,
933a41e7
PM		 784 .pkt_to_tuple = sctp_pkt_to_tuple,
785 .invert_tuple = sctp_invert_tuple,
ea48cc83 786#ifdef CONFIG_NF_CONNTRACK_PROCFS
933a41e7 787 .print_conntrack = sctp_print_conntrack,
ea48cc83 788#endif
933a41e7 789 .packet = sctp_packet,
2c8503f5 790 .get_timeouts = sctp_get_timeouts,
933a41e7 791 .new = sctp_new,
cf6e007e 792 .error = sctp_error,
c6dd940b 793 .can_early_drop = sctp_can_early_drop,
933a41e7 794 .me = THIS_MODULE,
c0cd1156 795#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 796 .to_nlattr = sctp_to_nlattr,
a400c30e 797 .nlattr_size = sctp_nlattr_size,
a258860e 798 .from_nlattr = nlattr_to_sctp,
c7212e9d 799 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 800 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 801 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
802 .nla_policy = nf_ct_port_nla_policy,
803#endif
50978462
PNA		 804#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
805 .ctnl_timeout = {
806 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
807 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
808 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
809 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
810 .nla_policy = sctp_timeout_nla_policy,
811 },
812#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
f42c4183 813 .init_net = sctp_init_net,
deaa0a97 814 .get_net_proto = sctp_get_net_proto,
9fb9cbb1 815};
a85406af 816EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
9fb9cbb1 817
a85406af 818struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
933a41e7
PM		 819 .l3proto = PF_INET6,
820 .l4proto = IPPROTO_SCTP,
933a41e7
PM		 821 .pkt_to_tuple = sctp_pkt_to_tuple,
822 .invert_tuple = sctp_invert_tuple,
ea48cc83 823#ifdef CONFIG_NF_CONNTRACK_PROCFS
933a41e7 824 .print_conntrack = sctp_print_conntrack,
ea48cc83 825#endif
933a41e7 826 .packet = sctp_packet,
2c8503f5 827 .get_timeouts = sctp_get_timeouts,
933a41e7 828 .new = sctp_new,
cf6e007e 829 .error = sctp_error,
c6dd940b 830 .can_early_drop = sctp_can_early_drop,
933a41e7 831 .me = THIS_MODULE,
c0cd1156 832#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 833 .to_nlattr = sctp_to_nlattr,
a400c30e 834 .nlattr_size = sctp_nlattr_size,
a258860e 835 .from_nlattr = nlattr_to_sctp,
c7212e9d 836 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 837 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 838 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
839 .nla_policy = nf_ct_port_nla_policy,
50978462
PNA		 840#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
841 .ctnl_timeout = {
842 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
843 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
844 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
845 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
846 .nla_policy = sctp_timeout_nla_policy,
847 },
848#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
9fb9cbb1 849#endif
f42c4183 850 .init_net = sctp_init_net,
deaa0a97 851 .get_net_proto = sctp_get_net_proto,
933a41e7 852};
a85406af 853EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
ubuntu-bionic-kernel mirror