]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - net/netfilter/nf_conntrack_proto_sctp.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netfilter: conntrack: place print_tuple in procfs part
[mirror_ubuntu-bionic-kernel.git] / net / netfilter / nf_conntrack_proto_sctp.c
CommitLineData
9fb9cbb1
YK		 1/*
2 * Connection tracking protocol helper module for SCTP.
601e68e1 3 *
f229f6ce
PM		 4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
6 *
601e68e1 7 * SCTP is defined in RFC 2960. References to various sections in this code
9fb9cbb1 8 * are to this RFC.
601e68e1 9 *
9fb9cbb1
YK		 10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
9fb9cbb1
YK		 13 */
14
15#include <linux/types.h>
9fb9cbb1
YK		 16#include <linux/timer.h>
17#include <linux/netfilter.h>
9fb9cbb1
YK		 18#include <linux/in.h>
19#include <linux/ip.h>
20#include <linux/sctp.h>
21#include <linux/string.h>
22#include <linux/seq_file.h>
40a839fd
YK		 23#include <linux/spinlock.h>
24#include <linux/interrupt.h>
cf6e007e 25#include <net/sctp/checksum.h>
9fb9cbb1 26
cf6e007e 27#include <net/netfilter/nf_log.h>
9fb9cbb1 28#include <net/netfilter/nf_conntrack.h>
605dcad6 29#include <net/netfilter/nf_conntrack_l4proto.h>
f6180121 30#include <net/netfilter/nf_conntrack_ecache.h>
9fb9cbb1 31
9fb9cbb1 32/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
601e68e1 33 closely. They're more complex. --RR
9fb9cbb1
YK		 34
35 And so for me for SCTP :D -Kiran */
36
12c33aa2 37static const char *const sctp_conntrack_names[] = {
9fb9cbb1
YK		 38 "NONE",
39 "CLOSED",
40 "COOKIE_WAIT",
41 "COOKIE_ECHOED",
42 "ESTABLISHED",
43 "SHUTDOWN_SENT",
44 "SHUTDOWN_RECD",
45 "SHUTDOWN_ACK_SENT",
d7ee3519
MK		 46 "HEARTBEAT_SENT",
47 "HEARTBEAT_ACKED",
9fb9cbb1
YK		 48};
49
50#define SECS * HZ
51#define MINS * 60 SECS
52#define HOURS * 60 MINS
53#define DAYS * 24 HOURS
54
86c0bf40
PM		 55static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
56 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
57 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
58 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
59 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
60 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
61 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
62 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
d7ee3519
MK		 63 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
64 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
86c0bf40 65};
9fb9cbb1
YK		 66
67#define sNO SCTP_CONNTRACK_NONE
68#define sCL SCTP_CONNTRACK_CLOSED
69#define sCW SCTP_CONNTRACK_COOKIE_WAIT
70#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
71#define sES SCTP_CONNTRACK_ESTABLISHED
72#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
73#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
74#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
d7ee3519
MK		 75#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
76#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
9fb9cbb1
YK		 77#define sIV SCTP_CONNTRACK_MAX
78
601e68e1 79/*
9fb9cbb1
YK		 80 These are the descriptions of the states:
81
601e68e1 82NOTE: These state names are tantalizingly similar to the states of an
9fb9cbb1 83SCTP endpoint. But the interpretation of the states is a little different,
601e68e1 84considering that these are the states of the connection and not of an end
9fb9cbb1
YK		 85point. Please note the subtleties. -Kiran
86
87NONE - Nothing so far.
601e68e1
YH		 88COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
89 an INIT_ACK chunk in the reply direction.
9fb9cbb1
YK		 90COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
91ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
92SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
93SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
94SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
601e68e1
YH		 95 to that of the SHUTDOWN chunk.
96CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
97 the SHUTDOWN chunk. Connection is closed.
d7ee3519
MK		 98HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
99HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
100 that of the HEARTBEAT chunk. Secondary connection is
101 established.
9fb9cbb1
YK		 102*/
103
104/* TODO
601e68e1 105 - I have assumed that the first INIT is in the original direction.
9fb9cbb1
YK		 106 This messes things when an INIT comes in the reply direction in CLOSED
107 state.
601e68e1 108 - Check the error type in the reply dir before transitioning from
9fb9cbb1
YK		 109cookie echoed to closed.
110 - Sec 5.2.4 of RFC 2960
d7ee3519 111 - Full Multi Homing support.
9fb9cbb1
YK		 112*/
113
114/* SCTP conntrack state transitions */
d7ee3519 115static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
9fb9cbb1
YK		 116 {
117/* ORIGINAL */
d7ee3519
MK		 118/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
119/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
120/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
121/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
122/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
123/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
124/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
125/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
126/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
127/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
128/* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
129/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
9fb9cbb1
YK		 130 },
131 {
132/* REPLY */
d7ee3519
MK		 133/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
134/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
135/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
136/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
137/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
138/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
139/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
140/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
141/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
142/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
143/* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
144/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
9fb9cbb1
YK		 145 }
146};
147
a85406af 148static inline struct nf_sctp_net *sctp_pernet(struct net *net)
49d485a3 149{
a85406af 150 return &net->ct.nf_ct_proto.sctp;
49d485a3
G		 151}
152
09f263cd 153static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
a31f1adc 154 struct net *net, struct nf_conntrack_tuple *tuple)
9fb9cbb1 155{
12c33aa2
JE		 156 const struct sctphdr *hp;
157 struct sctphdr _hdr;
9fb9cbb1 158
e5e693ab
GF		 159 /* Actually only need first 4 bytes to get ports. */
160 hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
9fb9cbb1 161 if (hp == NULL)
09f263cd 162 return false;
9fb9cbb1
YK		 163
164 tuple->src.u.sctp.port = hp->source;
165 tuple->dst.u.sctp.port = hp->dest;
09f263cd 166 return true;
9fb9cbb1
YK		 167}
168
09f263cd
JE		 169static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
170 const struct nf_conntrack_tuple *orig)
9fb9cbb1 171{
9fb9cbb1
YK		 172 tuple->src.u.sctp.port = orig->dst.u.sctp.port;
173 tuple->dst.u.sctp.port = orig->src.u.sctp.port;
09f263cd 174 return true;
9fb9cbb1
YK		 175}
176
9fb9cbb1 177/* Print out the private part of the conntrack. */
37246a58 178static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
9fb9cbb1 179{
a163f2cb 180 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
9fb9cbb1
YK		 181}
182
183#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
ae146d9b 184for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \
e79ec50b
JE		 185 (offset) < (skb)->len && \
186 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
187 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
9fb9cbb1
YK		 188
189/* Some validity checks to make sure the chunks are fine */
112f35c9 190static int do_basic_checks(struct nf_conn *ct,
9fb9cbb1
YK		 191 const struct sk_buff *skb,
192 unsigned int dataoff,
35c6d3cb 193 unsigned long *map)
9fb9cbb1
YK		 194{
195 u_int32_t offset, count;
922dbc5b 196 struct sctp_chunkhdr _sch, *sch;
9fb9cbb1
YK		 197 int flag;
198
9fb9cbb1
YK		 199 flag = 0;
200
201 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
0d53778e 202 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
9fb9cbb1 203
5447d477
PM		 204 if (sch->type == SCTP_CID_INIT ||
205 sch->type == SCTP_CID_INIT_ACK ||
206 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
9fb9cbb1 207 flag = 1;
9fb9cbb1 208
e17df688
PM		 209 /*
210 * Cookie Ack/Echo chunks not the first OR
211 * Init / Init Ack / Shutdown compl chunks not the only chunks
212 * OR zero-length.
213 */
5447d477
PM		 214 if (((sch->type == SCTP_CID_COOKIE_ACK ||
215 sch->type == SCTP_CID_COOKIE_ECHO ||
216 flag) &&
217 count != 0) || !sch->length) {
0d53778e 218 pr_debug("Basic checks failed\n");
9fb9cbb1
YK		 219 return 1;
220 }
221
5447d477 222 if (map)
35c6d3cb 223 set_bit(sch->type, map);
9fb9cbb1
YK		 224 }
225
0d53778e 226 pr_debug("Basic checks passed\n");
dd7271fe 227 return count == 0;
9fb9cbb1
YK		 228}
229
efe9f68a
PM		 230static int sctp_new_state(enum ip_conntrack_dir dir,
231 enum sctp_conntrack cur_state,
232 int chunk_type)
9fb9cbb1
YK		 233{
234 int i;
235
0d53778e 236 pr_debug("Chunk type: %d\n", chunk_type);
9fb9cbb1
YK		 237
238 switch (chunk_type) {
5447d477
PM		 239 case SCTP_CID_INIT:
240 pr_debug("SCTP_CID_INIT\n");
241 i = 0;
242 break;
243 case SCTP_CID_INIT_ACK:
244 pr_debug("SCTP_CID_INIT_ACK\n");
245 i = 1;
246 break;
247 case SCTP_CID_ABORT:
248 pr_debug("SCTP_CID_ABORT\n");
249 i = 2;
250 break;
251 case SCTP_CID_SHUTDOWN:
252 pr_debug("SCTP_CID_SHUTDOWN\n");
253 i = 3;
254 break;
255 case SCTP_CID_SHUTDOWN_ACK:
256 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
257 i = 4;
258 break;
259 case SCTP_CID_ERROR:
260 pr_debug("SCTP_CID_ERROR\n");
261 i = 5;
262 break;
263 case SCTP_CID_COOKIE_ECHO:
264 pr_debug("SCTP_CID_COOKIE_ECHO\n");
265 i = 6;
266 break;
267 case SCTP_CID_COOKIE_ACK:
268 pr_debug("SCTP_CID_COOKIE_ACK\n");
269 i = 7;
270 break;
271 case SCTP_CID_SHUTDOWN_COMPLETE:
272 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
273 i = 8;
274 break;
d7ee3519
MK		 275 case SCTP_CID_HEARTBEAT:
276 pr_debug("SCTP_CID_HEARTBEAT");
277 i = 9;
278 break;
279 case SCTP_CID_HEARTBEAT_ACK:
280 pr_debug("SCTP_CID_HEARTBEAT_ACK");
281 i = 10;
282 break;
5447d477 283 default:
d7ee3519 284 /* Other chunks like DATA or SACK do not change the state */
5447d477
PM		 285 pr_debug("Unknown chunk type, Will stay in %s\n",
286 sctp_conntrack_names[cur_state]);
287 return cur_state;
9fb9cbb1
YK		 288 }
289
0d53778e
PM		 290 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
291 dir, sctp_conntrack_names[cur_state], chunk_type,
292 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
9fb9cbb1
YK		 293
294 return sctp_conntracks[dir][i][cur_state];
295}
296
2c8503f5
PNA		 297static unsigned int *sctp_get_timeouts(struct net *net)
298{
49d485a3 299 return sctp_pernet(net)->timeouts;
2c8503f5
PNA		 300}
301
b37e933a 302/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
112f35c9 303static int sctp_packet(struct nf_conn *ct,
9fb9cbb1
YK		 304 const struct sk_buff *skb,
305 unsigned int dataoff,
306 enum ip_conntrack_info ctinfo,
76108cea 307 u_int8_t pf,
2c8503f5
PNA		 308 unsigned int hooknum,
309 unsigned int *timeouts)
9fb9cbb1 310{
efe9f68a 311 enum sctp_conntrack new_state, old_state;
8528819a 312 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
12c33aa2
JE		 313 const struct sctphdr *sh;
314 struct sctphdr _sctph;
315 const struct sctp_chunkhdr *sch;
316 struct sctp_chunkhdr _sch;
9fb9cbb1 317 u_int32_t offset, count;
35c6d3cb 318 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 319
9fb9cbb1
YK		 320 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
321 if (sh == NULL)
b37e933a 322 goto out;
9fb9cbb1 323
112f35c9 324 if (do_basic_checks(ct, skb, dataoff, map) != 0)
b37e933a 325 goto out;
9fb9cbb1
YK		 326
327 /* Check the verification tag (Sec 8.5) */
35c6d3cb
PM		 328 if (!test_bit(SCTP_CID_INIT, map) &&
329 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
330 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
331 !test_bit(SCTP_CID_ABORT, map) &&
332 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
d7ee3519
MK		 333 !test_bit(SCTP_CID_HEARTBEAT, map) &&
334 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
8528819a 335 sh->vtag != ct->proto.sctp.vtag[dir]) {
0d53778e 336 pr_debug("Verification tag check failed\n");
b37e933a 337 goto out;
9fb9cbb1
YK		 338 }
339
328bd899 340 old_state = new_state = SCTP_CONNTRACK_NONE;
440f0d58 341 spin_lock_bh(&ct->lock);
9fb9cbb1 342 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
9fb9cbb1
YK		 343 /* Special cases of Verification tag check (Sec 8.5.1) */
344 if (sch->type == SCTP_CID_INIT) {
345 /* Sec 8.5.1 (A) */
b37e933a
PM		 346 if (sh->vtag != 0)
347 goto out_unlock;
9fb9cbb1
YK		 348 } else if (sch->type == SCTP_CID_ABORT) {
349 /* Sec 8.5.1 (B) */
8528819a 350 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
b37e933a
PM		 351 sh->vtag != ct->proto.sctp.vtag[!dir])
352 goto out_unlock;
9fb9cbb1
YK		 353 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
354 /* Sec 8.5.1 (C) */
8528819a
PM		 355 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
356 sh->vtag != ct->proto.sctp.vtag[!dir] &&
9b1c2cfd 357 sch->flags & SCTP_CHUNK_FLAG_T)
b37e933a 358 goto out_unlock;
9fb9cbb1
YK		 359 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
360 /* Sec 8.5.1 (D) */
b37e933a
PM		 361 if (sh->vtag != ct->proto.sctp.vtag[dir])
362 goto out_unlock;
d7ee3519
MK		 363 } else if (sch->type == SCTP_CID_HEARTBEAT ||
364 sch->type == SCTP_CID_HEARTBEAT_ACK) {
365 if (ct->proto.sctp.vtag[dir] == 0) {
366 pr_debug("Setting vtag %x for dir %d\n",
367 sh->vtag, dir);
368 ct->proto.sctp.vtag[dir] = sh->vtag;
369 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
370 pr_debug("Verification tag check failed\n");
371 goto out_unlock;
372 }
9fb9cbb1
YK		 373 }
374
efe9f68a
PM		 375 old_state = ct->proto.sctp.state;
376 new_state = sctp_new_state(dir, old_state, sch->type);
9fb9cbb1
YK		 377
378 /* Invalid */
efe9f68a 379 if (new_state == SCTP_CONNTRACK_MAX) {
0d53778e
PM		 380 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
381 "conntrack=%u\n",
efe9f68a 382 dir, sch->type, old_state);
b37e933a 383 goto out_unlock;
9fb9cbb1
YK		 384 }
385
386 /* If it is an INIT or an INIT ACK note down the vtag */
5447d477
PM		 387 if (sch->type == SCTP_CID_INIT ||
388 sch->type == SCTP_CID_INIT_ACK) {
4ae70c08 389 struct sctp_inithdr _inithdr, *ih;
9fb9cbb1 390
922dbc5b 391 ih = skb_header_pointer(skb, offset + sizeof(_sch),
601e68e1 392 sizeof(_inithdr), &_inithdr);
b37e933a
PM		 393 if (ih == NULL)
394 goto out_unlock;
0d53778e 395 pr_debug("Setting vtag %x for dir %d\n",
8528819a
PM		 396 ih->init_tag, !dir);
397 ct->proto.sctp.vtag[!dir] = ih->init_tag;
9fb9cbb1
YK		 398 }
399
efe9f68a
PM		 400 ct->proto.sctp.state = new_state;
401 if (old_state != new_state)
a71996fc 402 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
9fb9cbb1 403 }
440f0d58 404 spin_unlock_bh(&ct->lock);
9fb9cbb1 405
2c8503f5 406 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
9fb9cbb1 407
efe9f68a 408 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
8528819a 409 dir == IP_CT_DIR_REPLY &&
efe9f68a 410 new_state == SCTP_CONNTRACK_ESTABLISHED) {
0d53778e 411 pr_debug("Setting assured bit\n");
112f35c9 412 set_bit(IPS_ASSURED_BIT, &ct->status);
858b3133 413 nf_conntrack_event_cache(IPCT_ASSURED, ct);
9fb9cbb1
YK		 414 }
415
416 return NF_ACCEPT;
b37e933a
PM		 417
418out_unlock:
440f0d58 419 spin_unlock_bh(&ct->lock);
b37e933a
PM		 420out:
421 return -NF_ACCEPT;
9fb9cbb1
YK		 422}
423
424/* Called when a new connection for this protocol found. */
09f263cd 425static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
2c8503f5 426 unsigned int dataoff, unsigned int *timeouts)
9fb9cbb1 427{
efe9f68a 428 enum sctp_conntrack new_state;
12c33aa2
JE		 429 const struct sctphdr *sh;
430 struct sctphdr _sctph;
431 const struct sctp_chunkhdr *sch;
432 struct sctp_chunkhdr _sch;
9fb9cbb1 433 u_int32_t offset, count;
35c6d3cb 434 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 435
9fb9cbb1
YK		 436 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
437 if (sh == NULL)
09f263cd 438 return false;
9fb9cbb1 439
112f35c9 440 if (do_basic_checks(ct, skb, dataoff, map) != 0)
09f263cd 441 return false;
9fb9cbb1
YK		 442
443 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
35c6d3cb
PM		 444 if (test_bit(SCTP_CID_ABORT, map) ||
445 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
446 test_bit(SCTP_CID_COOKIE_ACK, map))
09f263cd 447 return false;
9fb9cbb1 448
e5fc9e7a 449 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
efe9f68a 450 new_state = SCTP_CONNTRACK_MAX;
9fb9cbb1
YK		 451 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
452 /* Don't need lock here: this conntrack not in circulation yet */
efe9f68a
PM		 453 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
454 SCTP_CONNTRACK_NONE, sch->type);
9fb9cbb1
YK		 455
456 /* Invalid: delete conntrack */
efe9f68a
PM		 457 if (new_state == SCTP_CONNTRACK_NONE ||
458 new_state == SCTP_CONNTRACK_MAX) {
0d53778e 459 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
09f263cd 460 return false;
9fb9cbb1
YK		 461 }
462
463 /* Copy the vtag into the state info */
464 if (sch->type == SCTP_CID_INIT) {
4ae70c08 465 struct sctp_inithdr _inithdr, *ih;
922dbc5b
XL		 466 /* Sec 8.5.1 (A) */
467 if (sh->vtag)
468 return false;
9fb9cbb1 469
922dbc5b
XL		 470 ih = skb_header_pointer(skb, offset + sizeof(_sch),
471 sizeof(_inithdr), &_inithdr);
472 if (!ih)
473 return false;
9fb9cbb1 474
922dbc5b
XL		 475 pr_debug("Setting vtag %x for new conn\n",
476 ih->init_tag);
9fb9cbb1 477
922dbc5b 478 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
d7ee3519
MK		 479 } else if (sch->type == SCTP_CID_HEARTBEAT) {
480 pr_debug("Setting vtag %x for secondary conntrack\n",
481 sh->vtag);
482 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
9fb9cbb1
YK		 483 }
484 /* If it is a shutdown ack OOTB packet, we expect a return
485 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
486 else {
0d53778e
PM		 487 pr_debug("Setting vtag %x for new conn OOTB\n",
488 sh->vtag);
112f35c9 489 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
9fb9cbb1
YK		 490 }
491
efe9f68a 492 ct->proto.sctp.state = new_state;
9fb9cbb1
YK		 493 }
494
09f263cd 495 return true;
9fb9cbb1
YK		 496}
497
cf6e007e 498static int sctp_error(struct net *net, struct nf_conn *tpl, struct sk_buff *skb,
11df4b76 499 unsigned int dataoff,
cf6e007e
DC		 500 u8 pf, unsigned int hooknum)
501{
502 const struct sctphdr *sh;
cf6e007e
DC		 503 const char *logmsg;
504
f3c0eb05 505 if (skb->len < dataoff + sizeof(struct sctphdr)) {
cf6e007e
DC		 506 logmsg = "nf_ct_sctp: short packet ";
507 goto out_invalid;
508 }
509 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
510 skb->ip_summed == CHECKSUM_NONE) {
f3c0eb05
DC		 511 if (!skb_make_writable(skb, dataoff + sizeof(struct sctphdr))) {
512 logmsg = "nf_ct_sctp: failed to read header ";
513 goto out_invalid;
514 }
515 sh = (const struct sctphdr *)(skb->data + dataoff);
cf6e007e
DC		 516 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
517 logmsg = "nf_ct_sctp: bad CRC ";
518 goto out_invalid;
519 }
520 skb->ip_summed = CHECKSUM_UNNECESSARY;
521 }
522 return NF_ACCEPT;
523out_invalid:
524 if (LOG_INVALID(net, IPPROTO_SCTP))
525 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, "%s", logmsg);
526 return -NF_ACCEPT;
527}
528
c6dd940b
FW		 529static bool sctp_can_early_drop(const struct nf_conn *ct)
530{
531 switch (ct->proto.sctp.state) {
532 case SCTP_CONNTRACK_SHUTDOWN_SENT:
533 case SCTP_CONNTRACK_SHUTDOWN_RECD:
534 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
535 return true;
536 default:
537 break;
538 }
539
540 return false;
541}
542
c0cd1156 543#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e
PNA		 544
545#include <linux/netfilter/nfnetlink.h>
546#include <linux/netfilter/nfnetlink_conntrack.h>
547
548static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
440f0d58 549 struct nf_conn *ct)
a258860e
PNA		 550{
551 struct nlattr *nest_parms;
552
440f0d58 553 spin_lock_bh(&ct->lock);
a258860e
PNA		 554 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
555 if (!nest_parms)
556 goto nla_put_failure;
557
5e8d1eb5
DM		 558 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
559 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
560 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
561 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
562 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
563 goto nla_put_failure;
a258860e 564
440f0d58 565 spin_unlock_bh(&ct->lock);
a258860e
PNA		 566
567 nla_nest_end(skb, nest_parms);
568
569 return 0;
570
571nla_put_failure:
440f0d58 572 spin_unlock_bh(&ct->lock);
a258860e
PNA		 573 return -1;
574}
575
576static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
577 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
578 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
579 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
580};
581
582static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
583{
584 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
585 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
586 int err;
587
588 /* updates may not contain the internal protocol info, skip parsing */
589 if (!attr)
590 return 0;
591
fceb6435
JB		 592 err = nla_parse_nested(tb, CTA_PROTOINFO_SCTP_MAX, attr,
593 sctp_nla_policy, NULL);
a258860e
PNA		 594 if (err < 0)
595 return err;
596
597 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
598 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
599 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
600 return -EINVAL;
601
440f0d58 602 spin_lock_bh(&ct->lock);
a258860e
PNA		 603 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
604 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
5547cd0a 605 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
a258860e 606 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
5547cd0a 607 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
440f0d58 608 spin_unlock_bh(&ct->lock);
a258860e
PNA		 609
610 return 0;
611}
a400c30e
HE		 612
613static int sctp_nlattr_size(void)
614{
615 return nla_total_size(0) /* CTA_PROTOINFO_SCTP */
616 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
617}
a258860e
PNA		 618#endif
619
50978462
PNA		 620#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
621
622#include <linux/netfilter/nfnetlink.h>
623#include <linux/netfilter/nfnetlink_cttimeout.h>
624
8264deb8
G		 625static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
626 struct net *net, void *data)
50978462
PNA		 627{
628 unsigned int *timeouts = data;
a85406af 629 struct nf_sctp_net *sn = sctp_pernet(net);
50978462
PNA		 630 int i;
631
632 /* set default SCTP timeouts. */
633 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
8264deb8 634 timeouts[i] = sn->timeouts[i];
50978462
PNA		 635
636 /* there's a 1:1 mapping between attributes and protocol states. */
637 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
638 if (tb[i]) {
639 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
640 }
641 }
642 return 0;
643}
644
645static int
646sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
647{
648 const unsigned int *timeouts = data;
649 int i;
650
5e8d1eb5
DM		 651 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
652 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
653 goto nla_put_failure;
654 }
50978462
PNA		 655 return 0;
656
657nla_put_failure:
658 return -ENOSPC;
659}
660
661static const struct nla_policy
662sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
663 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
664 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
665 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
666 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
667 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
668 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
669 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
d7ee3519
MK		 670 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
671 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
50978462
PNA		 672};
673#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
674
675
9fb9cbb1 676#ifdef CONFIG_SYSCTL
933a41e7 677static struct ctl_table sctp_sysctl_table[] = {
9fb9cbb1 678 {
9fb9cbb1 679 .procname = "nf_conntrack_sctp_timeout_closed",
9fb9cbb1
YK		 680 .maxlen = sizeof(unsigned int),
681 .mode = 0644,
6d9f239a 682 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 683 },
684 {
9fb9cbb1 685 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
9fb9cbb1
YK		 686 .maxlen = sizeof(unsigned int),
687 .mode = 0644,
6d9f239a 688 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 689 },
690 {
9fb9cbb1 691 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
9fb9cbb1
YK		 692 .maxlen = sizeof(unsigned int),
693 .mode = 0644,
6d9f239a 694 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 695 },
696 {
9fb9cbb1 697 .procname = "nf_conntrack_sctp_timeout_established",
9fb9cbb1
YK		 698 .maxlen = sizeof(unsigned int),
699 .mode = 0644,
6d9f239a 700 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 701 },
702 {
9fb9cbb1 703 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
9fb9cbb1
YK		 704 .maxlen = sizeof(unsigned int),
705 .mode = 0644,
6d9f239a 706 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 707 },
708 {
9fb9cbb1 709 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
9fb9cbb1
YK		 710 .maxlen = sizeof(unsigned int),
711 .mode = 0644,
6d9f239a 712 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 713 },
714 {
9fb9cbb1 715 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
9fb9cbb1
YK		 716 .maxlen = sizeof(unsigned int),
717 .mode = 0644,
6d9f239a 718 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1 719 },
d7ee3519
MK		 720 {
721 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
722 .maxlen = sizeof(unsigned int),
723 .mode = 0644,
724 .proc_handler = proc_dointvec_jiffies,
725 },
726 {
727 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
728 .maxlen = sizeof(unsigned int),
729 .mode = 0644,
730 .proc_handler = proc_dointvec_jiffies,
731 },
f8572d8f 732 { }
9fb9cbb1 733};
933a41e7 734#endif
9fb9cbb1 735
f42c4183 736static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
a85406af 737 struct nf_sctp_net *sn)
49d485a3
G		 738{
739#ifdef CONFIG_SYSCTL
49d485a3
G		 740 if (pn->ctl_table)
741 return 0;
742
743 pn->ctl_table = kmemdup(sctp_sysctl_table,
744 sizeof(sctp_sysctl_table),
745 GFP_KERNEL);
746 if (!pn->ctl_table)
747 return -ENOMEM;
748
749 pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
750 pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
751 pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
752 pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
753 pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
754 pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
755 pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
d7ee3519
MK		 756 pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
757 pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
49d485a3
G		 758#endif
759 return 0;
760}
761
f42c4183 762static int sctp_init_net(struct net *net, u_int16_t proto)
49d485a3 763{
a85406af 764 struct nf_sctp_net *sn = sctp_pernet(net);
f42c4183 765 struct nf_proto_net *pn = &sn->pn;
49d485a3 766
f42c4183
G		 767 if (!pn->users) {
768 int i;
49d485a3 769
f42c4183
G		 770 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
771 sn->timeouts[i] = sctp_timeouts[i];
772 }
49d485a3 773
adf05168 774 return sctp_kmemdup_sysctl_table(pn, sn);
49d485a3
G		 775}
776
deaa0a97
LZ		 777static struct nf_proto_net *sctp_get_net_proto(struct net *net)
778{
779 return &net->ct.nf_ct_proto.sctp.pn;
780}
781
a85406af 782struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
933a41e7
PM		 783 .l3proto = PF_INET,
784 .l4proto = IPPROTO_SCTP,
933a41e7
PM		 785 .pkt_to_tuple = sctp_pkt_to_tuple,
786 .invert_tuple = sctp_invert_tuple,
933a41e7
PM		 787 .print_conntrack = sctp_print_conntrack,
788 .packet = sctp_packet,
2c8503f5 789 .get_timeouts = sctp_get_timeouts,
933a41e7 790 .new = sctp_new,
cf6e007e 791 .error = sctp_error,
c6dd940b 792 .can_early_drop = sctp_can_early_drop,
933a41e7 793 .me = THIS_MODULE,
c0cd1156 794#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 795 .to_nlattr = sctp_to_nlattr,
a400c30e 796 .nlattr_size = sctp_nlattr_size,
a258860e 797 .from_nlattr = nlattr_to_sctp,
c7212e9d 798 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 799 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 800 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
801 .nla_policy = nf_ct_port_nla_policy,
802#endif
50978462
PNA		 803#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
804 .ctnl_timeout = {
805 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
806 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
807 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
808 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
809 .nla_policy = sctp_timeout_nla_policy,
810 },
811#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
f42c4183 812 .init_net = sctp_init_net,
deaa0a97 813 .get_net_proto = sctp_get_net_proto,
9fb9cbb1 814};
a85406af 815EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
9fb9cbb1 816
a85406af 817struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
933a41e7
PM		 818 .l3proto = PF_INET6,
819 .l4proto = IPPROTO_SCTP,
933a41e7
PM		 820 .pkt_to_tuple = sctp_pkt_to_tuple,
821 .invert_tuple = sctp_invert_tuple,
933a41e7
PM		 822 .print_conntrack = sctp_print_conntrack,
823 .packet = sctp_packet,
2c8503f5 824 .get_timeouts = sctp_get_timeouts,
933a41e7 825 .new = sctp_new,
cf6e007e 826 .error = sctp_error,
c6dd940b 827 .can_early_drop = sctp_can_early_drop,
933a41e7 828 .me = THIS_MODULE,
c0cd1156 829#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 830 .to_nlattr = sctp_to_nlattr,
a400c30e 831 .nlattr_size = sctp_nlattr_size,
a258860e 832 .from_nlattr = nlattr_to_sctp,
c7212e9d 833 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 834 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 835 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
836 .nla_policy = nf_ct_port_nla_policy,
50978462
PNA		 837#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
838 .ctnl_timeout = {
839 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
840 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
841 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
842 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
843 .nla_policy = sctp_timeout_nla_policy,
844 },
845#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
9fb9cbb1 846#endif
f42c4183 847 .init_net = sctp_init_net,
deaa0a97 848 .get_net_proto = sctp_get_net_proto,
933a41e7 849};
a85406af 850EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
ubuntu-bionic-kernel mirror