]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - net/netfilter/nf_conntrack_proto_sctp.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netfilter: conntrack: use u8 for extension sizes again
[mirror_ubuntu-bionic-kernel.git] / net / netfilter / nf_conntrack_proto_sctp.c
CommitLineData
9fb9cbb1
YK		 1/*
2 * Connection tracking protocol helper module for SCTP.
601e68e1 3 *
f229f6ce
PM		 4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
6 *
601e68e1 7 * SCTP is defined in RFC 2960. References to various sections in this code
9fb9cbb1 8 * are to this RFC.
601e68e1 9 *
9fb9cbb1
YK		 10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
9fb9cbb1
YK		 13 */
14
15#include <linux/types.h>
9fb9cbb1
YK		 16#include <linux/timer.h>
17#include <linux/netfilter.h>
9fb9cbb1
YK		 18#include <linux/in.h>
19#include <linux/ip.h>
20#include <linux/sctp.h>
21#include <linux/string.h>
22#include <linux/seq_file.h>
40a839fd
YK		 23#include <linux/spinlock.h>
24#include <linux/interrupt.h>
cf6e007e 25#include <net/sctp/checksum.h>
9fb9cbb1 26
cf6e007e 27#include <net/netfilter/nf_log.h>
9fb9cbb1 28#include <net/netfilter/nf_conntrack.h>
605dcad6 29#include <net/netfilter/nf_conntrack_l4proto.h>
f6180121 30#include <net/netfilter/nf_conntrack_ecache.h>
9fb9cbb1 31
9fb9cbb1 32/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
601e68e1 33 closely. They're more complex. --RR
9fb9cbb1
YK		 34
35 And so for me for SCTP :D -Kiran */
36
12c33aa2 37static const char *const sctp_conntrack_names[] = {
9fb9cbb1
YK		 38 "NONE",
39 "CLOSED",
40 "COOKIE_WAIT",
41 "COOKIE_ECHOED",
42 "ESTABLISHED",
43 "SHUTDOWN_SENT",
44 "SHUTDOWN_RECD",
45 "SHUTDOWN_ACK_SENT",
d7ee3519
MK		 46 "HEARTBEAT_SENT",
47 "HEARTBEAT_ACKED",
9fb9cbb1
YK		 48};
49
50#define SECS * HZ
51#define MINS * 60 SECS
52#define HOURS * 60 MINS
53#define DAYS * 24 HOURS
54
86c0bf40
PM		 55static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
56 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
57 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
58 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
59 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
60 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
61 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
62 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
d7ee3519
MK		 63 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
64 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
86c0bf40 65};
9fb9cbb1
YK		 66
67#define sNO SCTP_CONNTRACK_NONE
68#define sCL SCTP_CONNTRACK_CLOSED
69#define sCW SCTP_CONNTRACK_COOKIE_WAIT
70#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
71#define sES SCTP_CONNTRACK_ESTABLISHED
72#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
73#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
74#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
d7ee3519
MK		 75#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
76#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
9fb9cbb1
YK		 77#define sIV SCTP_CONNTRACK_MAX
78
601e68e1 79/*
9fb9cbb1
YK		 80 These are the descriptions of the states:
81
601e68e1 82NOTE: These state names are tantalizingly similar to the states of an
9fb9cbb1 83SCTP endpoint. But the interpretation of the states is a little different,
601e68e1 84considering that these are the states of the connection and not of an end
9fb9cbb1
YK		 85point. Please note the subtleties. -Kiran
86
87NONE - Nothing so far.
601e68e1
YH		 88COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
89 an INIT_ACK chunk in the reply direction.
9fb9cbb1
YK		 90COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
91ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
92SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
93SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
94SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
601e68e1
YH		 95 to that of the SHUTDOWN chunk.
96CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
97 the SHUTDOWN chunk. Connection is closed.
d7ee3519
MK		 98HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
99HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
100 that of the HEARTBEAT chunk. Secondary connection is
101 established.
9fb9cbb1
YK		 102*/
103
104/* TODO
601e68e1 105 - I have assumed that the first INIT is in the original direction.
9fb9cbb1
YK		 106 This messes things when an INIT comes in the reply direction in CLOSED
107 state.
601e68e1 108 - Check the error type in the reply dir before transitioning from
9fb9cbb1
YK		 109cookie echoed to closed.
110 - Sec 5.2.4 of RFC 2960
d7ee3519 111 - Full Multi Homing support.
9fb9cbb1
YK		 112*/
113
114/* SCTP conntrack state transitions */
d7ee3519 115static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
9fb9cbb1
YK		 116 {
117/* ORIGINAL */
d7ee3519
MK		 118/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
119/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
120/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
121/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
122/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
123/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
124/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
125/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
126/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
127/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
128/* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
129/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
9fb9cbb1
YK		 130 },
131 {
132/* REPLY */
d7ee3519
MK		 133/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
134/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
135/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
136/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
137/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
138/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
139/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
140/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
141/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
142/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
143/* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
144/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
9fb9cbb1
YK		 145 }
146};
147
a85406af 148static inline struct nf_sctp_net *sctp_pernet(struct net *net)
49d485a3 149{
a85406af 150 return &net->ct.nf_ct_proto.sctp;
49d485a3
G		 151}
152
09f263cd 153static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
a31f1adc 154 struct net *net, struct nf_conntrack_tuple *tuple)
9fb9cbb1 155{
12c33aa2
JE		 156 const struct sctphdr *hp;
157 struct sctphdr _hdr;
9fb9cbb1 158
e5e693ab
GF		 159 /* Actually only need first 4 bytes to get ports. */
160 hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
9fb9cbb1 161 if (hp == NULL)
09f263cd 162 return false;
9fb9cbb1
YK		 163
164 tuple->src.u.sctp.port = hp->source;
165 tuple->dst.u.sctp.port = hp->dest;
09f263cd 166 return true;
9fb9cbb1
YK		 167}
168
09f263cd
JE		 169static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
170 const struct nf_conntrack_tuple *orig)
9fb9cbb1 171{
9fb9cbb1
YK		 172 tuple->src.u.sctp.port = orig->dst.u.sctp.port;
173 tuple->dst.u.sctp.port = orig->src.u.sctp.port;
09f263cd 174 return true;
9fb9cbb1
YK		 175}
176
177/* Print out the per-protocol part of the tuple. */
824f1fbe
JP		 178static void sctp_print_tuple(struct seq_file *s,
179 const struct nf_conntrack_tuple *tuple)
9fb9cbb1 180{
824f1fbe
JP		 181 seq_printf(s, "sport=%hu dport=%hu ",
182 ntohs(tuple->src.u.sctp.port),
183 ntohs(tuple->dst.u.sctp.port));
9fb9cbb1
YK		 184}
185
186/* Print out the private part of the conntrack. */
37246a58 187static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
9fb9cbb1 188{
a163f2cb 189 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
9fb9cbb1
YK		 190}
191
192#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
e79ec50b
JE		 193for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \
194 (offset) < (skb)->len && \
195 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
196 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
9fb9cbb1
YK		 197
198/* Some validity checks to make sure the chunks are fine */
112f35c9 199static int do_basic_checks(struct nf_conn *ct,
9fb9cbb1
YK		 200 const struct sk_buff *skb,
201 unsigned int dataoff,
35c6d3cb 202 unsigned long *map)
9fb9cbb1
YK		 203{
204 u_int32_t offset, count;
205 sctp_chunkhdr_t _sch, *sch;
206 int flag;
207
9fb9cbb1
YK		 208 flag = 0;
209
210 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
0d53778e 211 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
9fb9cbb1 212
5447d477
PM		 213 if (sch->type == SCTP_CID_INIT ||
214 sch->type == SCTP_CID_INIT_ACK ||
215 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
9fb9cbb1 216 flag = 1;
9fb9cbb1 217
e17df688
PM		 218 /*
219 * Cookie Ack/Echo chunks not the first OR
220 * Init / Init Ack / Shutdown compl chunks not the only chunks
221 * OR zero-length.
222 */
5447d477
PM		 223 if (((sch->type == SCTP_CID_COOKIE_ACK ||
224 sch->type == SCTP_CID_COOKIE_ECHO ||
225 flag) &&
226 count != 0) || !sch->length) {
0d53778e 227 pr_debug("Basic checks failed\n");
9fb9cbb1
YK		 228 return 1;
229 }
230
5447d477 231 if (map)
35c6d3cb 232 set_bit(sch->type, map);
9fb9cbb1
YK		 233 }
234
0d53778e 235 pr_debug("Basic checks passed\n");
dd7271fe 236 return count == 0;
9fb9cbb1
YK		 237}
238
efe9f68a
PM		 239static int sctp_new_state(enum ip_conntrack_dir dir,
240 enum sctp_conntrack cur_state,
241 int chunk_type)
9fb9cbb1
YK		 242{
243 int i;
244
0d53778e 245 pr_debug("Chunk type: %d\n", chunk_type);
9fb9cbb1
YK		 246
247 switch (chunk_type) {
5447d477
PM		 248 case SCTP_CID_INIT:
249 pr_debug("SCTP_CID_INIT\n");
250 i = 0;
251 break;
252 case SCTP_CID_INIT_ACK:
253 pr_debug("SCTP_CID_INIT_ACK\n");
254 i = 1;
255 break;
256 case SCTP_CID_ABORT:
257 pr_debug("SCTP_CID_ABORT\n");
258 i = 2;
259 break;
260 case SCTP_CID_SHUTDOWN:
261 pr_debug("SCTP_CID_SHUTDOWN\n");
262 i = 3;
263 break;
264 case SCTP_CID_SHUTDOWN_ACK:
265 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
266 i = 4;
267 break;
268 case SCTP_CID_ERROR:
269 pr_debug("SCTP_CID_ERROR\n");
270 i = 5;
271 break;
272 case SCTP_CID_COOKIE_ECHO:
273 pr_debug("SCTP_CID_COOKIE_ECHO\n");
274 i = 6;
275 break;
276 case SCTP_CID_COOKIE_ACK:
277 pr_debug("SCTP_CID_COOKIE_ACK\n");
278 i = 7;
279 break;
280 case SCTP_CID_SHUTDOWN_COMPLETE:
281 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
282 i = 8;
283 break;
d7ee3519
MK		 284 case SCTP_CID_HEARTBEAT:
285 pr_debug("SCTP_CID_HEARTBEAT");
286 i = 9;
287 break;
288 case SCTP_CID_HEARTBEAT_ACK:
289 pr_debug("SCTP_CID_HEARTBEAT_ACK");
290 i = 10;
291 break;
5447d477 292 default:
d7ee3519 293 /* Other chunks like DATA or SACK do not change the state */
5447d477
PM		 294 pr_debug("Unknown chunk type, Will stay in %s\n",
295 sctp_conntrack_names[cur_state]);
296 return cur_state;
9fb9cbb1
YK		 297 }
298
0d53778e
PM		 299 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
300 dir, sctp_conntrack_names[cur_state], chunk_type,
301 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
9fb9cbb1
YK		 302
303 return sctp_conntracks[dir][i][cur_state];
304}
305
2c8503f5
PNA		 306static unsigned int *sctp_get_timeouts(struct net *net)
307{
49d485a3 308 return sctp_pernet(net)->timeouts;
2c8503f5
PNA		 309}
310
b37e933a 311/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
112f35c9 312static int sctp_packet(struct nf_conn *ct,
9fb9cbb1
YK		 313 const struct sk_buff *skb,
314 unsigned int dataoff,
315 enum ip_conntrack_info ctinfo,
76108cea 316 u_int8_t pf,
2c8503f5
PNA		 317 unsigned int hooknum,
318 unsigned int *timeouts)
9fb9cbb1 319{
efe9f68a 320 enum sctp_conntrack new_state, old_state;
8528819a 321 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
12c33aa2
JE		 322 const struct sctphdr *sh;
323 struct sctphdr _sctph;
324 const struct sctp_chunkhdr *sch;
325 struct sctp_chunkhdr _sch;
9fb9cbb1 326 u_int32_t offset, count;
35c6d3cb 327 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 328
9fb9cbb1
YK		 329 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
330 if (sh == NULL)
b37e933a 331 goto out;
9fb9cbb1 332
112f35c9 333 if (do_basic_checks(ct, skb, dataoff, map) != 0)
b37e933a 334 goto out;
9fb9cbb1
YK		 335
336 /* Check the verification tag (Sec 8.5) */
35c6d3cb
PM		 337 if (!test_bit(SCTP_CID_INIT, map) &&
338 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
339 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
340 !test_bit(SCTP_CID_ABORT, map) &&
341 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
d7ee3519
MK		 342 !test_bit(SCTP_CID_HEARTBEAT, map) &&
343 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
8528819a 344 sh->vtag != ct->proto.sctp.vtag[dir]) {
0d53778e 345 pr_debug("Verification tag check failed\n");
b37e933a 346 goto out;
9fb9cbb1
YK		 347 }
348
328bd899 349 old_state = new_state = SCTP_CONNTRACK_NONE;
440f0d58 350 spin_lock_bh(&ct->lock);
9fb9cbb1 351 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
9fb9cbb1
YK		 352 /* Special cases of Verification tag check (Sec 8.5.1) */
353 if (sch->type == SCTP_CID_INIT) {
354 /* Sec 8.5.1 (A) */
b37e933a
PM		 355 if (sh->vtag != 0)
356 goto out_unlock;
9fb9cbb1
YK		 357 } else if (sch->type == SCTP_CID_ABORT) {
358 /* Sec 8.5.1 (B) */
8528819a 359 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
b37e933a
PM		 360 sh->vtag != ct->proto.sctp.vtag[!dir])
361 goto out_unlock;
9fb9cbb1
YK		 362 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
363 /* Sec 8.5.1 (C) */
8528819a
PM		 364 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
365 sh->vtag != ct->proto.sctp.vtag[!dir] &&
9b1c2cfd 366 sch->flags & SCTP_CHUNK_FLAG_T)
b37e933a 367 goto out_unlock;
9fb9cbb1
YK		 368 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
369 /* Sec 8.5.1 (D) */
b37e933a
PM		 370 if (sh->vtag != ct->proto.sctp.vtag[dir])
371 goto out_unlock;
d7ee3519
MK		 372 } else if (sch->type == SCTP_CID_HEARTBEAT ||
373 sch->type == SCTP_CID_HEARTBEAT_ACK) {
374 if (ct->proto.sctp.vtag[dir] == 0) {
375 pr_debug("Setting vtag %x for dir %d\n",
376 sh->vtag, dir);
377 ct->proto.sctp.vtag[dir] = sh->vtag;
378 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
379 pr_debug("Verification tag check failed\n");
380 goto out_unlock;
381 }
9fb9cbb1
YK		 382 }
383
efe9f68a
PM		 384 old_state = ct->proto.sctp.state;
385 new_state = sctp_new_state(dir, old_state, sch->type);
9fb9cbb1
YK		 386
387 /* Invalid */
efe9f68a 388 if (new_state == SCTP_CONNTRACK_MAX) {
0d53778e
PM		 389 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
390 "conntrack=%u\n",
efe9f68a 391 dir, sch->type, old_state);
b37e933a 392 goto out_unlock;
9fb9cbb1
YK		 393 }
394
395 /* If it is an INIT or an INIT ACK note down the vtag */
5447d477
PM		 396 if (sch->type == SCTP_CID_INIT ||
397 sch->type == SCTP_CID_INIT_ACK) {
9fb9cbb1
YK		 398 sctp_inithdr_t _inithdr, *ih;
399
400 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
601e68e1 401 sizeof(_inithdr), &_inithdr);
b37e933a
PM		 402 if (ih == NULL)
403 goto out_unlock;
0d53778e 404 pr_debug("Setting vtag %x for dir %d\n",
8528819a
PM		 405 ih->init_tag, !dir);
406 ct->proto.sctp.vtag[!dir] = ih->init_tag;
9fb9cbb1
YK		 407 }
408
efe9f68a
PM		 409 ct->proto.sctp.state = new_state;
410 if (old_state != new_state)
a71996fc 411 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
9fb9cbb1 412 }
440f0d58 413 spin_unlock_bh(&ct->lock);
9fb9cbb1 414
2c8503f5 415 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
9fb9cbb1 416
efe9f68a 417 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
8528819a 418 dir == IP_CT_DIR_REPLY &&
efe9f68a 419 new_state == SCTP_CONNTRACK_ESTABLISHED) {
0d53778e 420 pr_debug("Setting assured bit\n");
112f35c9 421 set_bit(IPS_ASSURED_BIT, &ct->status);
858b3133 422 nf_conntrack_event_cache(IPCT_ASSURED, ct);
9fb9cbb1
YK		 423 }
424
425 return NF_ACCEPT;
b37e933a
PM		 426
427out_unlock:
440f0d58 428 spin_unlock_bh(&ct->lock);
b37e933a
PM		 429out:
430 return -NF_ACCEPT;
9fb9cbb1
YK		 431}
432
433/* Called when a new connection for this protocol found. */
09f263cd 434static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
2c8503f5 435 unsigned int dataoff, unsigned int *timeouts)
9fb9cbb1 436{
efe9f68a 437 enum sctp_conntrack new_state;
12c33aa2
JE		 438 const struct sctphdr *sh;
439 struct sctphdr _sctph;
440 const struct sctp_chunkhdr *sch;
441 struct sctp_chunkhdr _sch;
9fb9cbb1 442 u_int32_t offset, count;
35c6d3cb 443 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 444
9fb9cbb1
YK		 445 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
446 if (sh == NULL)
09f263cd 447 return false;
9fb9cbb1 448
112f35c9 449 if (do_basic_checks(ct, skb, dataoff, map) != 0)
09f263cd 450 return false;
9fb9cbb1
YK		 451
452 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
35c6d3cb
PM		 453 if (test_bit(SCTP_CID_ABORT, map) ||
454 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
455 test_bit(SCTP_CID_COOKIE_ACK, map))
09f263cd 456 return false;
9fb9cbb1 457
e5fc9e7a 458 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
efe9f68a 459 new_state = SCTP_CONNTRACK_MAX;
9fb9cbb1
YK		 460 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
461 /* Don't need lock here: this conntrack not in circulation yet */
efe9f68a
PM		 462 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
463 SCTP_CONNTRACK_NONE, sch->type);
9fb9cbb1
YK		 464
465 /* Invalid: delete conntrack */
efe9f68a
PM		 466 if (new_state == SCTP_CONNTRACK_NONE ||
467 new_state == SCTP_CONNTRACK_MAX) {
0d53778e 468 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
09f263cd 469 return false;
9fb9cbb1
YK		 470 }
471
472 /* Copy the vtag into the state info */
473 if (sch->type == SCTP_CID_INIT) {
474 if (sh->vtag == 0) {
475 sctp_inithdr_t _inithdr, *ih;
476
477 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
601e68e1 478 sizeof(_inithdr), &_inithdr);
9fb9cbb1 479 if (ih == NULL)
09f263cd 480 return false;
9fb9cbb1 481
0d53778e
PM		 482 pr_debug("Setting vtag %x for new conn\n",
483 ih->init_tag);
9fb9cbb1 484
112f35c9 485 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
9fb9cbb1
YK		 486 ih->init_tag;
487 } else {
488 /* Sec 8.5.1 (A) */
09f263cd 489 return false;
9fb9cbb1 490 }
d7ee3519
MK		 491 } else if (sch->type == SCTP_CID_HEARTBEAT) {
492 pr_debug("Setting vtag %x for secondary conntrack\n",
493 sh->vtag);
494 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
9fb9cbb1
YK		 495 }
496 /* If it is a shutdown ack OOTB packet, we expect a return
497 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
498 else {
0d53778e
PM		 499 pr_debug("Setting vtag %x for new conn OOTB\n",
500 sh->vtag);
112f35c9 501 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
9fb9cbb1
YK		 502 }
503
efe9f68a 504 ct->proto.sctp.state = new_state;
9fb9cbb1
YK		 505 }
506
09f263cd 507 return true;
9fb9cbb1
YK		 508}
509
cf6e007e 510static int sctp_error(struct net *net, struct nf_conn *tpl, struct sk_buff *skb,
11df4b76 511 unsigned int dataoff,
cf6e007e
DC		 512 u8 pf, unsigned int hooknum)
513{
514 const struct sctphdr *sh;
515 struct sctphdr _sctph;
516 const char *logmsg;
517
518 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
519 if (!sh) {
520 logmsg = "nf_ct_sctp: short packet ";
521 goto out_invalid;
522 }
523 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
524 skb->ip_summed == CHECKSUM_NONE) {
525 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
526 logmsg = "nf_ct_sctp: bad CRC ";
527 goto out_invalid;
528 }
529 skb->ip_summed = CHECKSUM_UNNECESSARY;
530 }
531 return NF_ACCEPT;
532out_invalid:
533 if (LOG_INVALID(net, IPPROTO_SCTP))
534 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, "%s", logmsg);
535 return -NF_ACCEPT;
536}
537
c0cd1156 538#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e
PNA		 539
540#include <linux/netfilter/nfnetlink.h>
541#include <linux/netfilter/nfnetlink_conntrack.h>
542
543static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
440f0d58 544 struct nf_conn *ct)
a258860e
PNA		 545{
546 struct nlattr *nest_parms;
547
440f0d58 548 spin_lock_bh(&ct->lock);
a258860e
PNA		 549 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
550 if (!nest_parms)
551 goto nla_put_failure;
552
5e8d1eb5
DM		 553 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
554 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
555 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
556 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
557 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
558 goto nla_put_failure;
a258860e 559
440f0d58 560 spin_unlock_bh(&ct->lock);
a258860e
PNA		 561
562 nla_nest_end(skb, nest_parms);
563
564 return 0;
565
566nla_put_failure:
440f0d58 567 spin_unlock_bh(&ct->lock);
a258860e
PNA		 568 return -1;
569}
570
571static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
572 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
573 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
574 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
575};
576
577static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
578{
579 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
580 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
581 int err;
582
583 /* updates may not contain the internal protocol info, skip parsing */
584 if (!attr)
585 return 0;
586
587 err = nla_parse_nested(tb,
588 CTA_PROTOINFO_SCTP_MAX,
589 attr,
590 sctp_nla_policy);
591 if (err < 0)
592 return err;
593
594 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
595 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
596 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
597 return -EINVAL;
598
440f0d58 599 spin_lock_bh(&ct->lock);
a258860e
PNA		 600 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
601 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
5547cd0a 602 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
a258860e 603 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
5547cd0a 604 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
440f0d58 605 spin_unlock_bh(&ct->lock);
a258860e
PNA		 606
607 return 0;
608}
a400c30e
HE		 609
610static int sctp_nlattr_size(void)
611{
612 return nla_total_size(0) /* CTA_PROTOINFO_SCTP */
613 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
614}
a258860e
PNA		 615#endif
616
50978462
PNA		 617#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
618
619#include <linux/netfilter/nfnetlink.h>
620#include <linux/netfilter/nfnetlink_cttimeout.h>
621
8264deb8
G		 622static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
623 struct net *net, void *data)
50978462
PNA		 624{
625 unsigned int *timeouts = data;
a85406af 626 struct nf_sctp_net *sn = sctp_pernet(net);
50978462
PNA		 627 int i;
628
629 /* set default SCTP timeouts. */
630 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
8264deb8 631 timeouts[i] = sn->timeouts[i];
50978462
PNA		 632
633 /* there's a 1:1 mapping between attributes and protocol states. */
634 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
635 if (tb[i]) {
636 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
637 }
638 }
639 return 0;
640}
641
642static int
643sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
644{
645 const unsigned int *timeouts = data;
646 int i;
647
5e8d1eb5
DM		 648 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
649 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
650 goto nla_put_failure;
651 }
50978462
PNA		 652 return 0;
653
654nla_put_failure:
655 return -ENOSPC;
656}
657
658static const struct nla_policy
659sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
660 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
661 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
662 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
663 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
664 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
665 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
666 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
d7ee3519
MK		 667 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
668 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
50978462
PNA		 669};
670#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
671
672
9fb9cbb1 673#ifdef CONFIG_SYSCTL
933a41e7 674static struct ctl_table sctp_sysctl_table[] = {
9fb9cbb1 675 {
9fb9cbb1 676 .procname = "nf_conntrack_sctp_timeout_closed",
9fb9cbb1
YK		 677 .maxlen = sizeof(unsigned int),
678 .mode = 0644,
6d9f239a 679 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 680 },
681 {
9fb9cbb1 682 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
9fb9cbb1
YK		 683 .maxlen = sizeof(unsigned int),
684 .mode = 0644,
6d9f239a 685 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 686 },
687 {
9fb9cbb1 688 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
9fb9cbb1
YK		 689 .maxlen = sizeof(unsigned int),
690 .mode = 0644,
6d9f239a 691 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 692 },
693 {
9fb9cbb1 694 .procname = "nf_conntrack_sctp_timeout_established",
9fb9cbb1
YK		 695 .maxlen = sizeof(unsigned int),
696 .mode = 0644,
6d9f239a 697 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 698 },
699 {
9fb9cbb1 700 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
9fb9cbb1
YK		 701 .maxlen = sizeof(unsigned int),
702 .mode = 0644,
6d9f239a 703 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 704 },
705 {
9fb9cbb1 706 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
9fb9cbb1
YK		 707 .maxlen = sizeof(unsigned int),
708 .mode = 0644,
6d9f239a 709 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 710 },
711 {
9fb9cbb1 712 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
9fb9cbb1
YK		 713 .maxlen = sizeof(unsigned int),
714 .mode = 0644,
6d9f239a 715 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1 716 },
d7ee3519
MK		 717 {
718 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
719 .maxlen = sizeof(unsigned int),
720 .mode = 0644,
721 .proc_handler = proc_dointvec_jiffies,
722 },
723 {
724 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
725 .maxlen = sizeof(unsigned int),
726 .mode = 0644,
727 .proc_handler = proc_dointvec_jiffies,
728 },
f8572d8f 729 { }
9fb9cbb1 730};
933a41e7 731#endif
9fb9cbb1 732
f42c4183 733static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
a85406af 734 struct nf_sctp_net *sn)
49d485a3
G		 735{
736#ifdef CONFIG_SYSCTL
49d485a3
G		 737 if (pn->ctl_table)
738 return 0;
739
740 pn->ctl_table = kmemdup(sctp_sysctl_table,
741 sizeof(sctp_sysctl_table),
742 GFP_KERNEL);
743 if (!pn->ctl_table)
744 return -ENOMEM;
745
746 pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
747 pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
748 pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
749 pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
750 pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
751 pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
752 pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
d7ee3519
MK		 753 pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
754 pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
49d485a3
G		 755#endif
756 return 0;
757}
758
f42c4183 759static int sctp_init_net(struct net *net, u_int16_t proto)
49d485a3 760{
a85406af 761 struct nf_sctp_net *sn = sctp_pernet(net);
f42c4183 762 struct nf_proto_net *pn = &sn->pn;
49d485a3 763
f42c4183
G		 764 if (!pn->users) {
765 int i;
49d485a3 766
f42c4183
G		 767 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
768 sn->timeouts[i] = sctp_timeouts[i];
769 }
49d485a3 770
adf05168 771 return sctp_kmemdup_sysctl_table(pn, sn);
49d485a3
G		 772}
773
a85406af 774struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
933a41e7
PM		 775 .l3proto = PF_INET,
776 .l4proto = IPPROTO_SCTP,
777 .name = "sctp",
778 .pkt_to_tuple = sctp_pkt_to_tuple,
779 .invert_tuple = sctp_invert_tuple,
780 .print_tuple = sctp_print_tuple,
781 .print_conntrack = sctp_print_conntrack,
782 .packet = sctp_packet,
2c8503f5 783 .get_timeouts = sctp_get_timeouts,
933a41e7 784 .new = sctp_new,
cf6e007e 785 .error = sctp_error,
933a41e7 786 .me = THIS_MODULE,
c0cd1156 787#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 788 .to_nlattr = sctp_to_nlattr,
a400c30e 789 .nlattr_size = sctp_nlattr_size,
a258860e 790 .from_nlattr = nlattr_to_sctp,
c7212e9d 791 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 792 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 793 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
794 .nla_policy = nf_ct_port_nla_policy,
795#endif
50978462
PNA		 796#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
797 .ctnl_timeout = {
798 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
799 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
800 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
801 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
802 .nla_policy = sctp_timeout_nla_policy,
803 },
804#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
f42c4183 805 .init_net = sctp_init_net,
9fb9cbb1 806};
a85406af 807EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
9fb9cbb1 808
a85406af 809struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
933a41e7
PM		 810 .l3proto = PF_INET6,
811 .l4proto = IPPROTO_SCTP,
812 .name = "sctp",
813 .pkt_to_tuple = sctp_pkt_to_tuple,
814 .invert_tuple = sctp_invert_tuple,
815 .print_tuple = sctp_print_tuple,
816 .print_conntrack = sctp_print_conntrack,
817 .packet = sctp_packet,
2c8503f5 818 .get_timeouts = sctp_get_timeouts,
933a41e7 819 .new = sctp_new,
cf6e007e 820 .error = sctp_error,
933a41e7 821 .me = THIS_MODULE,
c0cd1156 822#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 823 .to_nlattr = sctp_to_nlattr,
a400c30e 824 .nlattr_size = sctp_nlattr_size,
a258860e 825 .from_nlattr = nlattr_to_sctp,
c7212e9d 826 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 827 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 828 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
829 .nla_policy = nf_ct_port_nla_policy,
50978462
PNA		 830#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
831 .ctnl_timeout = {
832 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
833 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
834 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
835 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
836 .nla_policy = sctp_timeout_nla_policy,
837 },
838#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
9fb9cbb1 839#endif
f42c4183 840 .init_net = sctp_init_net,
933a41e7 841};
a85406af 842EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
ubuntu-bionic-kernel mirror