]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blame - net/netfilter/nf_conntrack_proto_sctp.c
projects / mirror_ubuntu-zesty-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'for-linus-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/mason...
[mirror_ubuntu-zesty-kernel.git] / net / netfilter / nf_conntrack_proto_sctp.c
CommitLineData
9fb9cbb1
YK		 1/*
2 * Connection tracking protocol helper module for SCTP.
601e68e1 3 *
f229f6ce
PM		 4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
6 *
601e68e1 7 * SCTP is defined in RFC 2960. References to various sections in this code
9fb9cbb1 8 * are to this RFC.
601e68e1 9 *
9fb9cbb1
YK		 10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
9fb9cbb1
YK		 13 */
14
15#include <linux/types.h>
9fb9cbb1
YK		 16#include <linux/timer.h>
17#include <linux/netfilter.h>
9fb9cbb1
YK		 18#include <linux/in.h>
19#include <linux/ip.h>
20#include <linux/sctp.h>
21#include <linux/string.h>
22#include <linux/seq_file.h>
40a839fd
YK		 23#include <linux/spinlock.h>
24#include <linux/interrupt.h>
9fb9cbb1
YK		 25
26#include <net/netfilter/nf_conntrack.h>
605dcad6 27#include <net/netfilter/nf_conntrack_l4proto.h>
f6180121 28#include <net/netfilter/nf_conntrack_ecache.h>
9fb9cbb1 29
9fb9cbb1 30/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
601e68e1 31 closely. They're more complex. --RR
9fb9cbb1
YK		 32
33 And so for me for SCTP :D -Kiran */
34
12c33aa2 35static const char *const sctp_conntrack_names[] = {
9fb9cbb1
YK		 36 "NONE",
37 "CLOSED",
38 "COOKIE_WAIT",
39 "COOKIE_ECHOED",
40 "ESTABLISHED",
41 "SHUTDOWN_SENT",
42 "SHUTDOWN_RECD",
43 "SHUTDOWN_ACK_SENT",
d7ee3519
MK		 44 "HEARTBEAT_SENT",
45 "HEARTBEAT_ACKED",
9fb9cbb1
YK		 46};
47
48#define SECS * HZ
49#define MINS * 60 SECS
50#define HOURS * 60 MINS
51#define DAYS * 24 HOURS
52
86c0bf40
PM		 53static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
54 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
55 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
56 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
57 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
58 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
59 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
60 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
d7ee3519
MK		 61 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
62 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
86c0bf40 63};
9fb9cbb1
YK		 64
65#define sNO SCTP_CONNTRACK_NONE
66#define sCL SCTP_CONNTRACK_CLOSED
67#define sCW SCTP_CONNTRACK_COOKIE_WAIT
68#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
69#define sES SCTP_CONNTRACK_ESTABLISHED
70#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
71#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
72#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
d7ee3519
MK		 73#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
74#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
9fb9cbb1
YK		 75#define sIV SCTP_CONNTRACK_MAX
76
601e68e1 77/*
9fb9cbb1
YK		 78 These are the descriptions of the states:
79
601e68e1 80NOTE: These state names are tantalizingly similar to the states of an
9fb9cbb1 81SCTP endpoint. But the interpretation of the states is a little different,
601e68e1 82considering that these are the states of the connection and not of an end
9fb9cbb1
YK		 83point. Please note the subtleties. -Kiran
84
85NONE - Nothing so far.
601e68e1
YH		 86COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
87 an INIT_ACK chunk in the reply direction.
9fb9cbb1
YK		 88COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
89ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
90SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
91SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
92SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
601e68e1
YH		 93 to that of the SHUTDOWN chunk.
94CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
95 the SHUTDOWN chunk. Connection is closed.
d7ee3519
MK		 96HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
97HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
98 that of the HEARTBEAT chunk. Secondary connection is
99 established.
9fb9cbb1
YK		 100*/
101
102/* TODO
601e68e1 103 - I have assumed that the first INIT is in the original direction.
9fb9cbb1
YK		 104 This messes things when an INIT comes in the reply direction in CLOSED
105 state.
601e68e1 106 - Check the error type in the reply dir before transitioning from
9fb9cbb1
YK		 107cookie echoed to closed.
108 - Sec 5.2.4 of RFC 2960
d7ee3519 109 - Full Multi Homing support.
9fb9cbb1
YK		 110*/
111
112/* SCTP conntrack state transitions */
d7ee3519 113static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
9fb9cbb1
YK		 114 {
115/* ORIGINAL */
d7ee3519
MK		 116/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
117/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
118/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
119/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
120/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
121/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
122/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
123/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
124/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
125/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
126/* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
127/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
9fb9cbb1
YK		 128 },
129 {
130/* REPLY */
d7ee3519
MK		 131/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
132/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
133/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
134/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
135/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
136/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
137/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
138/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
139/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
140/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
141/* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
142/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
9fb9cbb1
YK		 143 }
144};
145
a85406af 146static inline struct nf_sctp_net *sctp_pernet(struct net *net)
49d485a3 147{
a85406af 148 return &net->ct.nf_ct_proto.sctp;
49d485a3
G		 149}
150
09f263cd 151static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
a31f1adc 152 struct net *net, struct nf_conntrack_tuple *tuple)
9fb9cbb1 153{
12c33aa2
JE		 154 const struct sctphdr *hp;
155 struct sctphdr _hdr;
9fb9cbb1 156
e5e693ab
GF		 157 /* Actually only need first 4 bytes to get ports. */
158 hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
9fb9cbb1 159 if (hp == NULL)
09f263cd 160 return false;
9fb9cbb1
YK		 161
162 tuple->src.u.sctp.port = hp->source;
163 tuple->dst.u.sctp.port = hp->dest;
09f263cd 164 return true;
9fb9cbb1
YK		 165}
166
09f263cd
JE		 167static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
168 const struct nf_conntrack_tuple *orig)
9fb9cbb1 169{
9fb9cbb1
YK		 170 tuple->src.u.sctp.port = orig->dst.u.sctp.port;
171 tuple->dst.u.sctp.port = orig->src.u.sctp.port;
09f263cd 172 return true;
9fb9cbb1
YK		 173}
174
175/* Print out the per-protocol part of the tuple. */
824f1fbe
JP		 176static void sctp_print_tuple(struct seq_file *s,
177 const struct nf_conntrack_tuple *tuple)
9fb9cbb1 178{
824f1fbe
JP		 179 seq_printf(s, "sport=%hu dport=%hu ",
180 ntohs(tuple->src.u.sctp.port),
181 ntohs(tuple->dst.u.sctp.port));
9fb9cbb1
YK		 182}
183
184/* Print out the private part of the conntrack. */
37246a58 185static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
9fb9cbb1 186{
a163f2cb 187 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
9fb9cbb1
YK		 188}
189
190#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
e79ec50b
JE		 191for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \
192 (offset) < (skb)->len && \
193 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
194 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
9fb9cbb1
YK		 195
196/* Some validity checks to make sure the chunks are fine */
112f35c9 197static int do_basic_checks(struct nf_conn *ct,
9fb9cbb1
YK		 198 const struct sk_buff *skb,
199 unsigned int dataoff,
35c6d3cb 200 unsigned long *map)
9fb9cbb1
YK		 201{
202 u_int32_t offset, count;
203 sctp_chunkhdr_t _sch, *sch;
204 int flag;
205
9fb9cbb1
YK		 206 flag = 0;
207
208 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
0d53778e 209 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
9fb9cbb1 210
5447d477
PM		 211 if (sch->type == SCTP_CID_INIT ||
212 sch->type == SCTP_CID_INIT_ACK ||
213 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
9fb9cbb1 214 flag = 1;
9fb9cbb1 215
e17df688
PM		 216 /*
217 * Cookie Ack/Echo chunks not the first OR
218 * Init / Init Ack / Shutdown compl chunks not the only chunks
219 * OR zero-length.
220 */
5447d477
PM		 221 if (((sch->type == SCTP_CID_COOKIE_ACK ||
222 sch->type == SCTP_CID_COOKIE_ECHO ||
223 flag) &&
224 count != 0) || !sch->length) {
0d53778e 225 pr_debug("Basic checks failed\n");
9fb9cbb1
YK		 226 return 1;
227 }
228
5447d477 229 if (map)
35c6d3cb 230 set_bit(sch->type, map);
9fb9cbb1
YK		 231 }
232
0d53778e 233 pr_debug("Basic checks passed\n");
dd7271fe 234 return count == 0;
9fb9cbb1
YK		 235}
236
efe9f68a
PM		 237static int sctp_new_state(enum ip_conntrack_dir dir,
238 enum sctp_conntrack cur_state,
239 int chunk_type)
9fb9cbb1
YK		 240{
241 int i;
242
0d53778e 243 pr_debug("Chunk type: %d\n", chunk_type);
9fb9cbb1
YK		 244
245 switch (chunk_type) {
5447d477
PM		 246 case SCTP_CID_INIT:
247 pr_debug("SCTP_CID_INIT\n");
248 i = 0;
249 break;
250 case SCTP_CID_INIT_ACK:
251 pr_debug("SCTP_CID_INIT_ACK\n");
252 i = 1;
253 break;
254 case SCTP_CID_ABORT:
255 pr_debug("SCTP_CID_ABORT\n");
256 i = 2;
257 break;
258 case SCTP_CID_SHUTDOWN:
259 pr_debug("SCTP_CID_SHUTDOWN\n");
260 i = 3;
261 break;
262 case SCTP_CID_SHUTDOWN_ACK:
263 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
264 i = 4;
265 break;
266 case SCTP_CID_ERROR:
267 pr_debug("SCTP_CID_ERROR\n");
268 i = 5;
269 break;
270 case SCTP_CID_COOKIE_ECHO:
271 pr_debug("SCTP_CID_COOKIE_ECHO\n");
272 i = 6;
273 break;
274 case SCTP_CID_COOKIE_ACK:
275 pr_debug("SCTP_CID_COOKIE_ACK\n");
276 i = 7;
277 break;
278 case SCTP_CID_SHUTDOWN_COMPLETE:
279 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
280 i = 8;
281 break;
d7ee3519
MK		 282 case SCTP_CID_HEARTBEAT:
283 pr_debug("SCTP_CID_HEARTBEAT");
284 i = 9;
285 break;
286 case SCTP_CID_HEARTBEAT_ACK:
287 pr_debug("SCTP_CID_HEARTBEAT_ACK");
288 i = 10;
289 break;
5447d477 290 default:
d7ee3519 291 /* Other chunks like DATA or SACK do not change the state */
5447d477
PM		 292 pr_debug("Unknown chunk type, Will stay in %s\n",
293 sctp_conntrack_names[cur_state]);
294 return cur_state;
9fb9cbb1
YK		 295 }
296
0d53778e
PM		 297 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
298 dir, sctp_conntrack_names[cur_state], chunk_type,
299 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
9fb9cbb1
YK		 300
301 return sctp_conntracks[dir][i][cur_state];
302}
303
2c8503f5
PNA		 304static unsigned int *sctp_get_timeouts(struct net *net)
305{
49d485a3 306 return sctp_pernet(net)->timeouts;
2c8503f5
PNA		 307}
308
b37e933a 309/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
112f35c9 310static int sctp_packet(struct nf_conn *ct,
9fb9cbb1
YK		 311 const struct sk_buff *skb,
312 unsigned int dataoff,
313 enum ip_conntrack_info ctinfo,
76108cea 314 u_int8_t pf,
2c8503f5
PNA		 315 unsigned int hooknum,
316 unsigned int *timeouts)
9fb9cbb1 317{
efe9f68a 318 enum sctp_conntrack new_state, old_state;
8528819a 319 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
12c33aa2
JE		 320 const struct sctphdr *sh;
321 struct sctphdr _sctph;
322 const struct sctp_chunkhdr *sch;
323 struct sctp_chunkhdr _sch;
9fb9cbb1 324 u_int32_t offset, count;
35c6d3cb 325 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 326
9fb9cbb1
YK		 327 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
328 if (sh == NULL)
b37e933a 329 goto out;
9fb9cbb1 330
112f35c9 331 if (do_basic_checks(ct, skb, dataoff, map) != 0)
b37e933a 332 goto out;
9fb9cbb1
YK		 333
334 /* Check the verification tag (Sec 8.5) */
35c6d3cb
PM		 335 if (!test_bit(SCTP_CID_INIT, map) &&
336 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
337 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
338 !test_bit(SCTP_CID_ABORT, map) &&
339 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
d7ee3519
MK		 340 !test_bit(SCTP_CID_HEARTBEAT, map) &&
341 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
8528819a 342 sh->vtag != ct->proto.sctp.vtag[dir]) {
0d53778e 343 pr_debug("Verification tag check failed\n");
b37e933a 344 goto out;
9fb9cbb1
YK		 345 }
346
328bd899 347 old_state = new_state = SCTP_CONNTRACK_NONE;
440f0d58 348 spin_lock_bh(&ct->lock);
9fb9cbb1 349 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
9fb9cbb1
YK		 350 /* Special cases of Verification tag check (Sec 8.5.1) */
351 if (sch->type == SCTP_CID_INIT) {
352 /* Sec 8.5.1 (A) */
b37e933a
PM		 353 if (sh->vtag != 0)
354 goto out_unlock;
9fb9cbb1
YK		 355 } else if (sch->type == SCTP_CID_ABORT) {
356 /* Sec 8.5.1 (B) */
8528819a 357 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
b37e933a
PM		 358 sh->vtag != ct->proto.sctp.vtag[!dir])
359 goto out_unlock;
9fb9cbb1
YK		 360 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
361 /* Sec 8.5.1 (C) */
8528819a
PM		 362 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
363 sh->vtag != ct->proto.sctp.vtag[!dir] &&
9b1c2cfd 364 sch->flags & SCTP_CHUNK_FLAG_T)
b37e933a 365 goto out_unlock;
9fb9cbb1
YK		 366 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
367 /* Sec 8.5.1 (D) */
b37e933a
PM		 368 if (sh->vtag != ct->proto.sctp.vtag[dir])
369 goto out_unlock;
d7ee3519
MK		 370 } else if (sch->type == SCTP_CID_HEARTBEAT ||
371 sch->type == SCTP_CID_HEARTBEAT_ACK) {
372 if (ct->proto.sctp.vtag[dir] == 0) {
373 pr_debug("Setting vtag %x for dir %d\n",
374 sh->vtag, dir);
375 ct->proto.sctp.vtag[dir] = sh->vtag;
376 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
377 pr_debug("Verification tag check failed\n");
378 goto out_unlock;
379 }
9fb9cbb1
YK		 380 }
381
efe9f68a
PM		 382 old_state = ct->proto.sctp.state;
383 new_state = sctp_new_state(dir, old_state, sch->type);
9fb9cbb1
YK		 384
385 /* Invalid */
efe9f68a 386 if (new_state == SCTP_CONNTRACK_MAX) {
0d53778e
PM		 387 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
388 "conntrack=%u\n",
efe9f68a 389 dir, sch->type, old_state);
b37e933a 390 goto out_unlock;
9fb9cbb1
YK		 391 }
392
393 /* If it is an INIT or an INIT ACK note down the vtag */
5447d477
PM		 394 if (sch->type == SCTP_CID_INIT ||
395 sch->type == SCTP_CID_INIT_ACK) {
9fb9cbb1
YK		 396 sctp_inithdr_t _inithdr, *ih;
397
398 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
601e68e1 399 sizeof(_inithdr), &_inithdr);
b37e933a
PM		 400 if (ih == NULL)
401 goto out_unlock;
0d53778e 402 pr_debug("Setting vtag %x for dir %d\n",
8528819a
PM		 403 ih->init_tag, !dir);
404 ct->proto.sctp.vtag[!dir] = ih->init_tag;
9fb9cbb1
YK		 405 }
406
efe9f68a
PM		 407 ct->proto.sctp.state = new_state;
408 if (old_state != new_state)
a71996fc 409 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
9fb9cbb1 410 }
440f0d58 411 spin_unlock_bh(&ct->lock);
9fb9cbb1 412
2c8503f5 413 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
9fb9cbb1 414
efe9f68a 415 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
8528819a 416 dir == IP_CT_DIR_REPLY &&
efe9f68a 417 new_state == SCTP_CONNTRACK_ESTABLISHED) {
0d53778e 418 pr_debug("Setting assured bit\n");
112f35c9 419 set_bit(IPS_ASSURED_BIT, &ct->status);
858b3133 420 nf_conntrack_event_cache(IPCT_ASSURED, ct);
9fb9cbb1
YK		 421 }
422
423 return NF_ACCEPT;
b37e933a
PM		 424
425out_unlock:
440f0d58 426 spin_unlock_bh(&ct->lock);
b37e933a
PM		 427out:
428 return -NF_ACCEPT;
9fb9cbb1
YK		 429}
430
431/* Called when a new connection for this protocol found. */
09f263cd 432static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
2c8503f5 433 unsigned int dataoff, unsigned int *timeouts)
9fb9cbb1 434{
efe9f68a 435 enum sctp_conntrack new_state;
12c33aa2
JE		 436 const struct sctphdr *sh;
437 struct sctphdr _sctph;
438 const struct sctp_chunkhdr *sch;
439 struct sctp_chunkhdr _sch;
9fb9cbb1 440 u_int32_t offset, count;
35c6d3cb 441 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 442
9fb9cbb1
YK		 443 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
444 if (sh == NULL)
09f263cd 445 return false;
9fb9cbb1 446
112f35c9 447 if (do_basic_checks(ct, skb, dataoff, map) != 0)
09f263cd 448 return false;
9fb9cbb1
YK		 449
450 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
35c6d3cb
PM		 451 if (test_bit(SCTP_CID_ABORT, map) ||
452 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
453 test_bit(SCTP_CID_COOKIE_ACK, map))
09f263cd 454 return false;
9fb9cbb1 455
e5fc9e7a 456 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
efe9f68a 457 new_state = SCTP_CONNTRACK_MAX;
9fb9cbb1
YK		 458 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
459 /* Don't need lock here: this conntrack not in circulation yet */
efe9f68a
PM		 460 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
461 SCTP_CONNTRACK_NONE, sch->type);
9fb9cbb1
YK		 462
463 /* Invalid: delete conntrack */
efe9f68a
PM		 464 if (new_state == SCTP_CONNTRACK_NONE ||
465 new_state == SCTP_CONNTRACK_MAX) {
0d53778e 466 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
09f263cd 467 return false;
9fb9cbb1
YK		 468 }
469
470 /* Copy the vtag into the state info */
471 if (sch->type == SCTP_CID_INIT) {
472 if (sh->vtag == 0) {
473 sctp_inithdr_t _inithdr, *ih;
474
475 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
601e68e1 476 sizeof(_inithdr), &_inithdr);
9fb9cbb1 477 if (ih == NULL)
09f263cd 478 return false;
9fb9cbb1 479
0d53778e
PM		 480 pr_debug("Setting vtag %x for new conn\n",
481 ih->init_tag);
9fb9cbb1 482
112f35c9 483 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
9fb9cbb1
YK		 484 ih->init_tag;
485 } else {
486 /* Sec 8.5.1 (A) */
09f263cd 487 return false;
9fb9cbb1 488 }
d7ee3519
MK		 489 } else if (sch->type == SCTP_CID_HEARTBEAT) {
490 pr_debug("Setting vtag %x for secondary conntrack\n",
491 sh->vtag);
492 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
9fb9cbb1
YK		 493 }
494 /* If it is a shutdown ack OOTB packet, we expect a return
495 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
496 else {
0d53778e
PM		 497 pr_debug("Setting vtag %x for new conn OOTB\n",
498 sh->vtag);
112f35c9 499 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
9fb9cbb1
YK		 500 }
501
efe9f68a 502 ct->proto.sctp.state = new_state;
9fb9cbb1
YK		 503 }
504
09f263cd 505 return true;
9fb9cbb1
YK		 506}
507
c0cd1156 508#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e
PNA		 509
510#include <linux/netfilter/nfnetlink.h>
511#include <linux/netfilter/nfnetlink_conntrack.h>
512
513static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
440f0d58 514 struct nf_conn *ct)
a258860e
PNA		 515{
516 struct nlattr *nest_parms;
517
440f0d58 518 spin_lock_bh(&ct->lock);
a258860e
PNA		 519 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
520 if (!nest_parms)
521 goto nla_put_failure;
522
5e8d1eb5
DM		 523 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
524 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
525 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
526 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
527 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
528 goto nla_put_failure;
a258860e 529
440f0d58 530 spin_unlock_bh(&ct->lock);
a258860e
PNA		 531
532 nla_nest_end(skb, nest_parms);
533
534 return 0;
535
536nla_put_failure:
440f0d58 537 spin_unlock_bh(&ct->lock);
a258860e
PNA		 538 return -1;
539}
540
541static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
542 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
543 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
544 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
545};
546
547static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
548{
549 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
550 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
551 int err;
552
553 /* updates may not contain the internal protocol info, skip parsing */
554 if (!attr)
555 return 0;
556
557 err = nla_parse_nested(tb,
558 CTA_PROTOINFO_SCTP_MAX,
559 attr,
560 sctp_nla_policy);
561 if (err < 0)
562 return err;
563
564 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
565 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
566 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
567 return -EINVAL;
568
440f0d58 569 spin_lock_bh(&ct->lock);
a258860e
PNA		 570 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
571 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
5547cd0a 572 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
a258860e 573 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
5547cd0a 574 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
440f0d58 575 spin_unlock_bh(&ct->lock);
a258860e
PNA		 576
577 return 0;
578}
a400c30e
HE		 579
580static int sctp_nlattr_size(void)
581{
582 return nla_total_size(0) /* CTA_PROTOINFO_SCTP */
583 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
584}
a258860e
PNA		 585#endif
586
50978462
PNA		 587#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
588
589#include <linux/netfilter/nfnetlink.h>
590#include <linux/netfilter/nfnetlink_cttimeout.h>
591
8264deb8
G		 592static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
593 struct net *net, void *data)
50978462
PNA		 594{
595 unsigned int *timeouts = data;
a85406af 596 struct nf_sctp_net *sn = sctp_pernet(net);
50978462
PNA		 597 int i;
598
599 /* set default SCTP timeouts. */
600 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
8264deb8 601 timeouts[i] = sn->timeouts[i];
50978462
PNA		 602
603 /* there's a 1:1 mapping between attributes and protocol states. */
604 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
605 if (tb[i]) {
606 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
607 }
608 }
609 return 0;
610}
611
612static int
613sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
614{
615 const unsigned int *timeouts = data;
616 int i;
617
5e8d1eb5
DM		 618 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
619 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
620 goto nla_put_failure;
621 }
50978462
PNA		 622 return 0;
623
624nla_put_failure:
625 return -ENOSPC;
626}
627
628static const struct nla_policy
629sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
630 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
631 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
632 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
633 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
634 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
635 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
636 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
d7ee3519
MK		 637 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
638 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
50978462
PNA		 639};
640#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
641
642
9fb9cbb1 643#ifdef CONFIG_SYSCTL
933a41e7 644static struct ctl_table sctp_sysctl_table[] = {
9fb9cbb1 645 {
9fb9cbb1 646 .procname = "nf_conntrack_sctp_timeout_closed",
9fb9cbb1
YK		 647 .maxlen = sizeof(unsigned int),
648 .mode = 0644,
6d9f239a 649 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 650 },
651 {
9fb9cbb1 652 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
9fb9cbb1
YK		 653 .maxlen = sizeof(unsigned int),
654 .mode = 0644,
6d9f239a 655 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 656 },
657 {
9fb9cbb1 658 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
9fb9cbb1
YK		 659 .maxlen = sizeof(unsigned int),
660 .mode = 0644,
6d9f239a 661 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 662 },
663 {
9fb9cbb1 664 .procname = "nf_conntrack_sctp_timeout_established",
9fb9cbb1
YK		 665 .maxlen = sizeof(unsigned int),
666 .mode = 0644,
6d9f239a 667 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 668 },
669 {
9fb9cbb1 670 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
9fb9cbb1
YK		 671 .maxlen = sizeof(unsigned int),
672 .mode = 0644,
6d9f239a 673 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 674 },
675 {
9fb9cbb1 676 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
9fb9cbb1
YK		 677 .maxlen = sizeof(unsigned int),
678 .mode = 0644,
6d9f239a 679 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 680 },
681 {
9fb9cbb1 682 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
9fb9cbb1
YK		 683 .maxlen = sizeof(unsigned int),
684 .mode = 0644,
6d9f239a 685 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1 686 },
d7ee3519
MK		 687 {
688 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
689 .maxlen = sizeof(unsigned int),
690 .mode = 0644,
691 .proc_handler = proc_dointvec_jiffies,
692 },
693 {
694 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
695 .maxlen = sizeof(unsigned int),
696 .mode = 0644,
697 .proc_handler = proc_dointvec_jiffies,
698 },
f8572d8f 699 { }
9fb9cbb1 700};
933a41e7 701#endif
9fb9cbb1 702
f42c4183 703static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
a85406af 704 struct nf_sctp_net *sn)
49d485a3
G		 705{
706#ifdef CONFIG_SYSCTL
49d485a3
G		 707 if (pn->ctl_table)
708 return 0;
709
710 pn->ctl_table = kmemdup(sctp_sysctl_table,
711 sizeof(sctp_sysctl_table),
712 GFP_KERNEL);
713 if (!pn->ctl_table)
714 return -ENOMEM;
715
716 pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
717 pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
718 pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
719 pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
720 pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
721 pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
722 pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
d7ee3519
MK		 723 pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
724 pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
49d485a3
G		 725#endif
726 return 0;
727}
728
f42c4183 729static int sctp_init_net(struct net *net, u_int16_t proto)
49d485a3 730{
a85406af 731 struct nf_sctp_net *sn = sctp_pernet(net);
f42c4183 732 struct nf_proto_net *pn = &sn->pn;
49d485a3 733
f42c4183
G		 734 if (!pn->users) {
735 int i;
49d485a3 736
f42c4183
G		 737 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
738 sn->timeouts[i] = sctp_timeouts[i];
739 }
49d485a3 740
adf05168 741 return sctp_kmemdup_sysctl_table(pn, sn);
49d485a3
G		 742}
743
a85406af 744struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
933a41e7
PM		 745 .l3proto = PF_INET,
746 .l4proto = IPPROTO_SCTP,
747 .name = "sctp",
748 .pkt_to_tuple = sctp_pkt_to_tuple,
749 .invert_tuple = sctp_invert_tuple,
750 .print_tuple = sctp_print_tuple,
751 .print_conntrack = sctp_print_conntrack,
752 .packet = sctp_packet,
2c8503f5 753 .get_timeouts = sctp_get_timeouts,
933a41e7
PM		 754 .new = sctp_new,
755 .me = THIS_MODULE,
c0cd1156 756#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 757 .to_nlattr = sctp_to_nlattr,
a400c30e 758 .nlattr_size = sctp_nlattr_size,
a258860e 759 .from_nlattr = nlattr_to_sctp,
c7212e9d 760 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 761 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 762 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
763 .nla_policy = nf_ct_port_nla_policy,
764#endif
50978462
PNA		 765#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
766 .ctnl_timeout = {
767 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
768 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
769 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
770 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
771 .nla_policy = sctp_timeout_nla_policy,
772 },
773#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
f42c4183 774 .init_net = sctp_init_net,
9fb9cbb1 775};
a85406af 776EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
9fb9cbb1 777
a85406af 778struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
933a41e7
PM		 779 .l3proto = PF_INET6,
780 .l4proto = IPPROTO_SCTP,
781 .name = "sctp",
782 .pkt_to_tuple = sctp_pkt_to_tuple,
783 .invert_tuple = sctp_invert_tuple,
784 .print_tuple = sctp_print_tuple,
785 .print_conntrack = sctp_print_conntrack,
786 .packet = sctp_packet,
2c8503f5 787 .get_timeouts = sctp_get_timeouts,
933a41e7
PM		 788 .new = sctp_new,
789 .me = THIS_MODULE,
c0cd1156 790#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 791 .to_nlattr = sctp_to_nlattr,
a400c30e 792 .nlattr_size = sctp_nlattr_size,
a258860e 793 .from_nlattr = nlattr_to_sctp,
c7212e9d 794 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 795 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 796 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
797 .nla_policy = nf_ct_port_nla_policy,
50978462
PNA		 798#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
799 .ctnl_timeout = {
800 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
801 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
802 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
803 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
804 .nla_policy = sctp_timeout_nla_policy,
805 },
806#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
9fb9cbb1 807#endif
f42c4183 808 .init_net = sctp_init_net,
933a41e7 809};
a85406af 810EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
ubuntu-zesty-kernel mirror