]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - net/netfilter/nf_conntrack_proto_sctp.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'iio-for-4.13b' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23...
[mirror_ubuntu-artful-kernel.git] / net / netfilter / nf_conntrack_proto_sctp.c
CommitLineData
9fb9cbb1
YK		 1/*
2 * Connection tracking protocol helper module for SCTP.
601e68e1 3 *
f229f6ce
PM		 4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
6 *
601e68e1 7 * SCTP is defined in RFC 2960. References to various sections in this code
9fb9cbb1 8 * are to this RFC.
601e68e1 9 *
9fb9cbb1
YK		 10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
9fb9cbb1
YK		 13 */
14
15#include <linux/types.h>
9fb9cbb1
YK		 16#include <linux/timer.h>
17#include <linux/netfilter.h>
9fb9cbb1
YK		 18#include <linux/in.h>
19#include <linux/ip.h>
20#include <linux/sctp.h>
21#include <linux/string.h>
22#include <linux/seq_file.h>
40a839fd
YK		 23#include <linux/spinlock.h>
24#include <linux/interrupt.h>
cf6e007e 25#include <net/sctp/checksum.h>
9fb9cbb1 26
cf6e007e 27#include <net/netfilter/nf_log.h>
9fb9cbb1 28#include <net/netfilter/nf_conntrack.h>
605dcad6 29#include <net/netfilter/nf_conntrack_l4proto.h>
f6180121 30#include <net/netfilter/nf_conntrack_ecache.h>
9fb9cbb1 31
9fb9cbb1 32/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
601e68e1 33 closely. They're more complex. --RR
9fb9cbb1
YK		 34
35 And so for me for SCTP :D -Kiran */
36
12c33aa2 37static const char *const sctp_conntrack_names[] = {
9fb9cbb1
YK		 38 "NONE",
39 "CLOSED",
40 "COOKIE_WAIT",
41 "COOKIE_ECHOED",
42 "ESTABLISHED",
43 "SHUTDOWN_SENT",
44 "SHUTDOWN_RECD",
45 "SHUTDOWN_ACK_SENT",
d7ee3519
MK		 46 "HEARTBEAT_SENT",
47 "HEARTBEAT_ACKED",
9fb9cbb1
YK		 48};
49
50#define SECS * HZ
51#define MINS * 60 SECS
52#define HOURS * 60 MINS
53#define DAYS * 24 HOURS
54
86c0bf40
PM		 55static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
56 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
57 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
58 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
59 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
60 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
61 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
62 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
d7ee3519
MK		 63 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
64 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
86c0bf40 65};
9fb9cbb1
YK		 66
67#define sNO SCTP_CONNTRACK_NONE
68#define sCL SCTP_CONNTRACK_CLOSED
69#define sCW SCTP_CONNTRACK_COOKIE_WAIT
70#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
71#define sES SCTP_CONNTRACK_ESTABLISHED
72#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
73#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
74#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
d7ee3519
MK		 75#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
76#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
9fb9cbb1
YK		 77#define sIV SCTP_CONNTRACK_MAX
78
601e68e1 79/*
9fb9cbb1
YK		 80 These are the descriptions of the states:
81
601e68e1 82NOTE: These state names are tantalizingly similar to the states of an
9fb9cbb1 83SCTP endpoint. But the interpretation of the states is a little different,
601e68e1 84considering that these are the states of the connection and not of an end
9fb9cbb1
YK		 85point. Please note the subtleties. -Kiran
86
87NONE - Nothing so far.
601e68e1
YH		 88COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
89 an INIT_ACK chunk in the reply direction.
9fb9cbb1
YK		 90COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
91ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
92SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
93SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
94SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
601e68e1
YH		 95 to that of the SHUTDOWN chunk.
96CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
97 the SHUTDOWN chunk. Connection is closed.
d7ee3519
MK		 98HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
99HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
100 that of the HEARTBEAT chunk. Secondary connection is
101 established.
9fb9cbb1
YK		 102*/
103
104/* TODO
601e68e1 105 - I have assumed that the first INIT is in the original direction.
9fb9cbb1
YK		 106 This messes things when an INIT comes in the reply direction in CLOSED
107 state.
601e68e1 108 - Check the error type in the reply dir before transitioning from
9fb9cbb1
YK		 109cookie echoed to closed.
110 - Sec 5.2.4 of RFC 2960
d7ee3519 111 - Full Multi Homing support.
9fb9cbb1
YK		 112*/
113
114/* SCTP conntrack state transitions */
d7ee3519 115static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
9fb9cbb1
YK		 116 {
117/* ORIGINAL */
d7ee3519
MK		 118/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
119/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
120/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
121/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
122/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
123/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
124/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
125/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
126/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
127/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
128/* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
129/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
9fb9cbb1
YK		 130 },
131 {
132/* REPLY */
d7ee3519
MK		 133/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
134/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
135/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
136/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
137/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
138/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
139/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
140/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
141/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
142/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
143/* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
144/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
9fb9cbb1
YK		 145 }
146};
147
a85406af 148static inline struct nf_sctp_net *sctp_pernet(struct net *net)
49d485a3 149{
a85406af 150 return &net->ct.nf_ct_proto.sctp;
49d485a3
G		 151}
152
09f263cd 153static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
a31f1adc 154 struct net *net, struct nf_conntrack_tuple *tuple)
9fb9cbb1 155{
12c33aa2
JE		 156 const struct sctphdr *hp;
157 struct sctphdr _hdr;
9fb9cbb1 158
e5e693ab
GF		 159 /* Actually only need first 4 bytes to get ports. */
160 hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
9fb9cbb1 161 if (hp == NULL)
09f263cd 162 return false;
9fb9cbb1
YK		 163
164 tuple->src.u.sctp.port = hp->source;
165 tuple->dst.u.sctp.port = hp->dest;
09f263cd 166 return true;
9fb9cbb1
YK		 167}
168
09f263cd
JE		 169static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
170 const struct nf_conntrack_tuple *orig)
9fb9cbb1 171{
9fb9cbb1
YK		 172 tuple->src.u.sctp.port = orig->dst.u.sctp.port;
173 tuple->dst.u.sctp.port = orig->src.u.sctp.port;
09f263cd 174 return true;
9fb9cbb1
YK		 175}
176
177/* Print out the per-protocol part of the tuple. */
824f1fbe
JP		 178static void sctp_print_tuple(struct seq_file *s,
179 const struct nf_conntrack_tuple *tuple)
9fb9cbb1 180{
824f1fbe
JP		 181 seq_printf(s, "sport=%hu dport=%hu ",
182 ntohs(tuple->src.u.sctp.port),
183 ntohs(tuple->dst.u.sctp.port));
9fb9cbb1
YK		 184}
185
186/* Print out the private part of the conntrack. */
37246a58 187static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
9fb9cbb1 188{
a163f2cb 189 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
9fb9cbb1
YK		 190}
191
192#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
e79ec50b
JE		 193for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \
194 (offset) < (skb)->len && \
195 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
196 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
9fb9cbb1
YK		 197
198/* Some validity checks to make sure the chunks are fine */
112f35c9 199static int do_basic_checks(struct nf_conn *ct,
9fb9cbb1
YK		 200 const struct sk_buff *skb,
201 unsigned int dataoff,
35c6d3cb 202 unsigned long *map)
9fb9cbb1
YK		 203{
204 u_int32_t offset, count;
205 sctp_chunkhdr_t _sch, *sch;
206 int flag;
207
9fb9cbb1
YK		 208 flag = 0;
209
210 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
0d53778e 211 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
9fb9cbb1 212
5447d477
PM		 213 if (sch->type == SCTP_CID_INIT ||
214 sch->type == SCTP_CID_INIT_ACK ||
215 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
9fb9cbb1 216 flag = 1;
9fb9cbb1 217
e17df688
PM		 218 /*
219 * Cookie Ack/Echo chunks not the first OR
220 * Init / Init Ack / Shutdown compl chunks not the only chunks
221 * OR zero-length.
222 */
5447d477
PM		 223 if (((sch->type == SCTP_CID_COOKIE_ACK ||
224 sch->type == SCTP_CID_COOKIE_ECHO ||
225 flag) &&
226 count != 0) || !sch->length) {
0d53778e 227 pr_debug("Basic checks failed\n");
9fb9cbb1
YK		 228 return 1;
229 }
230
5447d477 231 if (map)
35c6d3cb 232 set_bit(sch->type, map);
9fb9cbb1
YK		 233 }
234
0d53778e 235 pr_debug("Basic checks passed\n");
dd7271fe 236 return count == 0;
9fb9cbb1
YK		 237}
238
efe9f68a
PM		 239static int sctp_new_state(enum ip_conntrack_dir dir,
240 enum sctp_conntrack cur_state,
241 int chunk_type)
9fb9cbb1
YK		 242{
243 int i;
244
0d53778e 245 pr_debug("Chunk type: %d\n", chunk_type);
9fb9cbb1
YK		 246
247 switch (chunk_type) {
5447d477
PM		 248 case SCTP_CID_INIT:
249 pr_debug("SCTP_CID_INIT\n");
250 i = 0;
251 break;
252 case SCTP_CID_INIT_ACK:
253 pr_debug("SCTP_CID_INIT_ACK\n");
254 i = 1;
255 break;
256 case SCTP_CID_ABORT:
257 pr_debug("SCTP_CID_ABORT\n");
258 i = 2;
259 break;
260 case SCTP_CID_SHUTDOWN:
261 pr_debug("SCTP_CID_SHUTDOWN\n");
262 i = 3;
263 break;
264 case SCTP_CID_SHUTDOWN_ACK:
265 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
266 i = 4;
267 break;
268 case SCTP_CID_ERROR:
269 pr_debug("SCTP_CID_ERROR\n");
270 i = 5;
271 break;
272 case SCTP_CID_COOKIE_ECHO:
273 pr_debug("SCTP_CID_COOKIE_ECHO\n");
274 i = 6;
275 break;
276 case SCTP_CID_COOKIE_ACK:
277 pr_debug("SCTP_CID_COOKIE_ACK\n");
278 i = 7;
279 break;
280 case SCTP_CID_SHUTDOWN_COMPLETE:
281 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
282 i = 8;
283 break;
d7ee3519
MK		 284 case SCTP_CID_HEARTBEAT:
285 pr_debug("SCTP_CID_HEARTBEAT");
286 i = 9;
287 break;
288 case SCTP_CID_HEARTBEAT_ACK:
289 pr_debug("SCTP_CID_HEARTBEAT_ACK");
290 i = 10;
291 break;
5447d477 292 default:
d7ee3519 293 /* Other chunks like DATA or SACK do not change the state */
5447d477
PM		 294 pr_debug("Unknown chunk type, Will stay in %s\n",
295 sctp_conntrack_names[cur_state]);
296 return cur_state;
9fb9cbb1
YK		 297 }
298
0d53778e
PM		 299 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
300 dir, sctp_conntrack_names[cur_state], chunk_type,
301 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
9fb9cbb1
YK		 302
303 return sctp_conntracks[dir][i][cur_state];
304}
305
2c8503f5
PNA		 306static unsigned int *sctp_get_timeouts(struct net *net)
307{
49d485a3 308 return sctp_pernet(net)->timeouts;
2c8503f5
PNA		 309}
310
b37e933a 311/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
112f35c9 312static int sctp_packet(struct nf_conn *ct,
9fb9cbb1
YK		 313 const struct sk_buff *skb,
314 unsigned int dataoff,
315 enum ip_conntrack_info ctinfo,
76108cea 316 u_int8_t pf,
2c8503f5
PNA		 317 unsigned int hooknum,
318 unsigned int *timeouts)
9fb9cbb1 319{
efe9f68a 320 enum sctp_conntrack new_state, old_state;
8528819a 321 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
12c33aa2
JE		 322 const struct sctphdr *sh;
323 struct sctphdr _sctph;
324 const struct sctp_chunkhdr *sch;
325 struct sctp_chunkhdr _sch;
9fb9cbb1 326 u_int32_t offset, count;
35c6d3cb 327 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 328
9fb9cbb1
YK		 329 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
330 if (sh == NULL)
b37e933a 331 goto out;
9fb9cbb1 332
112f35c9 333 if (do_basic_checks(ct, skb, dataoff, map) != 0)
b37e933a 334 goto out;
9fb9cbb1
YK		 335
336 /* Check the verification tag (Sec 8.5) */
35c6d3cb
PM		 337 if (!test_bit(SCTP_CID_INIT, map) &&
338 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
339 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
340 !test_bit(SCTP_CID_ABORT, map) &&
341 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
d7ee3519
MK		 342 !test_bit(SCTP_CID_HEARTBEAT, map) &&
343 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
8528819a 344 sh->vtag != ct->proto.sctp.vtag[dir]) {
0d53778e 345 pr_debug("Verification tag check failed\n");
b37e933a 346 goto out;
9fb9cbb1
YK		 347 }
348
328bd899 349 old_state = new_state = SCTP_CONNTRACK_NONE;
440f0d58 350 spin_lock_bh(&ct->lock);
9fb9cbb1 351 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
9fb9cbb1
YK		 352 /* Special cases of Verification tag check (Sec 8.5.1) */
353 if (sch->type == SCTP_CID_INIT) {
354 /* Sec 8.5.1 (A) */
b37e933a
PM		 355 if (sh->vtag != 0)
356 goto out_unlock;
9fb9cbb1
YK		 357 } else if (sch->type == SCTP_CID_ABORT) {
358 /* Sec 8.5.1 (B) */
8528819a 359 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
b37e933a
PM		 360 sh->vtag != ct->proto.sctp.vtag[!dir])
361 goto out_unlock;
9fb9cbb1
YK		 362 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
363 /* Sec 8.5.1 (C) */
8528819a
PM		 364 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
365 sh->vtag != ct->proto.sctp.vtag[!dir] &&
9b1c2cfd 366 sch->flags & SCTP_CHUNK_FLAG_T)
b37e933a 367 goto out_unlock;
9fb9cbb1
YK		 368 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
369 /* Sec 8.5.1 (D) */
b37e933a
PM		 370 if (sh->vtag != ct->proto.sctp.vtag[dir])
371 goto out_unlock;
d7ee3519
MK		 372 } else if (sch->type == SCTP_CID_HEARTBEAT ||
373 sch->type == SCTP_CID_HEARTBEAT_ACK) {
374 if (ct->proto.sctp.vtag[dir] == 0) {
375 pr_debug("Setting vtag %x for dir %d\n",
376 sh->vtag, dir);
377 ct->proto.sctp.vtag[dir] = sh->vtag;
378 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
379 pr_debug("Verification tag check failed\n");
380 goto out_unlock;
381 }
9fb9cbb1
YK		 382 }
383
efe9f68a
PM		 384 old_state = ct->proto.sctp.state;
385 new_state = sctp_new_state(dir, old_state, sch->type);
9fb9cbb1
YK		 386
387 /* Invalid */
efe9f68a 388 if (new_state == SCTP_CONNTRACK_MAX) {
0d53778e
PM		 389 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
390 "conntrack=%u\n",
efe9f68a 391 dir, sch->type, old_state);
b37e933a 392 goto out_unlock;
9fb9cbb1
YK		 393 }
394
395 /* If it is an INIT or an INIT ACK note down the vtag */
5447d477
PM		 396 if (sch->type == SCTP_CID_INIT ||
397 sch->type == SCTP_CID_INIT_ACK) {
9fb9cbb1
YK		 398 sctp_inithdr_t _inithdr, *ih;
399
400 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
601e68e1 401 sizeof(_inithdr), &_inithdr);
b37e933a
PM		 402 if (ih == NULL)
403 goto out_unlock;
0d53778e 404 pr_debug("Setting vtag %x for dir %d\n",
8528819a
PM		 405 ih->init_tag, !dir);
406 ct->proto.sctp.vtag[!dir] = ih->init_tag;
9fb9cbb1
YK		 407 }
408
efe9f68a
PM		 409 ct->proto.sctp.state = new_state;
410 if (old_state != new_state)
a71996fc 411 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
9fb9cbb1 412 }
440f0d58 413 spin_unlock_bh(&ct->lock);
9fb9cbb1 414
2c8503f5 415 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
9fb9cbb1 416
efe9f68a 417 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
8528819a 418 dir == IP_CT_DIR_REPLY &&
efe9f68a 419 new_state == SCTP_CONNTRACK_ESTABLISHED) {
0d53778e 420 pr_debug("Setting assured bit\n");
112f35c9 421 set_bit(IPS_ASSURED_BIT, &ct->status);
858b3133 422 nf_conntrack_event_cache(IPCT_ASSURED, ct);
9fb9cbb1
YK		 423 }
424
425 return NF_ACCEPT;
b37e933a
PM		 426
427out_unlock:
440f0d58 428 spin_unlock_bh(&ct->lock);
b37e933a
PM		 429out:
430 return -NF_ACCEPT;
9fb9cbb1
YK		 431}
432
433/* Called when a new connection for this protocol found. */
09f263cd 434static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
2c8503f5 435 unsigned int dataoff, unsigned int *timeouts)
9fb9cbb1 436{
efe9f68a 437 enum sctp_conntrack new_state;
12c33aa2
JE		 438 const struct sctphdr *sh;
439 struct sctphdr _sctph;
440 const struct sctp_chunkhdr *sch;
441 struct sctp_chunkhdr _sch;
9fb9cbb1 442 u_int32_t offset, count;
35c6d3cb 443 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 444
9fb9cbb1
YK		 445 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
446 if (sh == NULL)
09f263cd 447 return false;
9fb9cbb1 448
112f35c9 449 if (do_basic_checks(ct, skb, dataoff, map) != 0)
09f263cd 450 return false;
9fb9cbb1
YK		 451
452 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
35c6d3cb
PM		 453 if (test_bit(SCTP_CID_ABORT, map) ||
454 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
455 test_bit(SCTP_CID_COOKIE_ACK, map))
09f263cd 456 return false;
9fb9cbb1 457
e5fc9e7a 458 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
efe9f68a 459 new_state = SCTP_CONNTRACK_MAX;
9fb9cbb1
YK		 460 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
461 /* Don't need lock here: this conntrack not in circulation yet */
efe9f68a
PM		 462 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
463 SCTP_CONNTRACK_NONE, sch->type);
9fb9cbb1
YK		 464
465 /* Invalid: delete conntrack */
efe9f68a
PM		 466 if (new_state == SCTP_CONNTRACK_NONE ||
467 new_state == SCTP_CONNTRACK_MAX) {
0d53778e 468 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
09f263cd 469 return false;
9fb9cbb1
YK		 470 }
471
472 /* Copy the vtag into the state info */
473 if (sch->type == SCTP_CID_INIT) {
474 if (sh->vtag == 0) {
475 sctp_inithdr_t _inithdr, *ih;
476
477 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
601e68e1 478 sizeof(_inithdr), &_inithdr);
9fb9cbb1 479 if (ih == NULL)
09f263cd 480 return false;
9fb9cbb1 481
0d53778e
PM		 482 pr_debug("Setting vtag %x for new conn\n",
483 ih->init_tag);
9fb9cbb1 484
112f35c9 485 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
9fb9cbb1
YK		 486 ih->init_tag;
487 } else {
488 /* Sec 8.5.1 (A) */
09f263cd 489 return false;
9fb9cbb1 490 }
d7ee3519
MK		 491 } else if (sch->type == SCTP_CID_HEARTBEAT) {
492 pr_debug("Setting vtag %x for secondary conntrack\n",
493 sh->vtag);
494 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
9fb9cbb1
YK		 495 }
496 /* If it is a shutdown ack OOTB packet, we expect a return
497 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
498 else {
0d53778e
PM		 499 pr_debug("Setting vtag %x for new conn OOTB\n",
500 sh->vtag);
112f35c9 501 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
9fb9cbb1
YK		 502 }
503
efe9f68a 504 ct->proto.sctp.state = new_state;
9fb9cbb1
YK		 505 }
506
09f263cd 507 return true;
9fb9cbb1
YK		 508}
509
cf6e007e 510static int sctp_error(struct net *net, struct nf_conn *tpl, struct sk_buff *skb,
11df4b76 511 unsigned int dataoff,
cf6e007e
DC		 512 u8 pf, unsigned int hooknum)
513{
514 const struct sctphdr *sh;
cf6e007e
DC		 515 const char *logmsg;
516
f3c0eb05 517 if (skb->len < dataoff + sizeof(struct sctphdr)) {
cf6e007e
DC		 518 logmsg = "nf_ct_sctp: short packet ";
519 goto out_invalid;
520 }
521 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
522 skb->ip_summed == CHECKSUM_NONE) {
f3c0eb05
DC		 523 if (!skb_make_writable(skb, dataoff + sizeof(struct sctphdr))) {
524 logmsg = "nf_ct_sctp: failed to read header ";
525 goto out_invalid;
526 }
527 sh = (const struct sctphdr *)(skb->data + dataoff);
cf6e007e
DC		 528 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
529 logmsg = "nf_ct_sctp: bad CRC ";
530 goto out_invalid;
531 }
532 skb->ip_summed = CHECKSUM_UNNECESSARY;
533 }
534 return NF_ACCEPT;
535out_invalid:
536 if (LOG_INVALID(net, IPPROTO_SCTP))
537 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, "%s", logmsg);
538 return -NF_ACCEPT;
539}
540
c6dd940b
FW		 541static bool sctp_can_early_drop(const struct nf_conn *ct)
542{
543 switch (ct->proto.sctp.state) {
544 case SCTP_CONNTRACK_SHUTDOWN_SENT:
545 case SCTP_CONNTRACK_SHUTDOWN_RECD:
546 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
547 return true;
548 default:
549 break;
550 }
551
552 return false;
553}
554
c0cd1156 555#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e
PNA		 556
557#include <linux/netfilter/nfnetlink.h>
558#include <linux/netfilter/nfnetlink_conntrack.h>
559
560static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
440f0d58 561 struct nf_conn *ct)
a258860e
PNA		 562{
563 struct nlattr *nest_parms;
564
440f0d58 565 spin_lock_bh(&ct->lock);
a258860e
PNA		 566 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
567 if (!nest_parms)
568 goto nla_put_failure;
569
5e8d1eb5
DM		 570 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
571 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
572 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
573 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
574 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
575 goto nla_put_failure;
a258860e 576
440f0d58 577 spin_unlock_bh(&ct->lock);
a258860e
PNA		 578
579 nla_nest_end(skb, nest_parms);
580
581 return 0;
582
583nla_put_failure:
440f0d58 584 spin_unlock_bh(&ct->lock);
a258860e
PNA		 585 return -1;
586}
587
588static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
589 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
590 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
591 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
592};
593
594static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
595{
596 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
597 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
598 int err;
599
600 /* updates may not contain the internal protocol info, skip parsing */
601 if (!attr)
602 return 0;
603
fceb6435
JB		 604 err = nla_parse_nested(tb, CTA_PROTOINFO_SCTP_MAX, attr,
605 sctp_nla_policy, NULL);
a258860e
PNA		 606 if (err < 0)
607 return err;
608
609 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
610 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
611 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
612 return -EINVAL;
613
440f0d58 614 spin_lock_bh(&ct->lock);
a258860e
PNA		 615 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
616 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
5547cd0a 617 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
a258860e 618 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
5547cd0a 619 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
440f0d58 620 spin_unlock_bh(&ct->lock);
a258860e
PNA		 621
622 return 0;
623}
a400c30e
HE		 624
625static int sctp_nlattr_size(void)
626{
627 return nla_total_size(0) /* CTA_PROTOINFO_SCTP */
628 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
629}
a258860e
PNA		 630#endif
631
50978462
PNA		 632#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
633
634#include <linux/netfilter/nfnetlink.h>
635#include <linux/netfilter/nfnetlink_cttimeout.h>
636
8264deb8
G		 637static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
638 struct net *net, void *data)
50978462
PNA		 639{
640 unsigned int *timeouts = data;
a85406af 641 struct nf_sctp_net *sn = sctp_pernet(net);
50978462
PNA		 642 int i;
643
644 /* set default SCTP timeouts. */
645 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
8264deb8 646 timeouts[i] = sn->timeouts[i];
50978462
PNA		 647
648 /* there's a 1:1 mapping between attributes and protocol states. */
649 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
650 if (tb[i]) {
651 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
652 }
653 }
654 return 0;
655}
656
657static int
658sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
659{
660 const unsigned int *timeouts = data;
661 int i;
662
5e8d1eb5
DM		 663 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
664 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
665 goto nla_put_failure;
666 }
50978462
PNA		 667 return 0;
668
669nla_put_failure:
670 return -ENOSPC;
671}
672
673static const struct nla_policy
674sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
675 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
676 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
677 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
678 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
679 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
680 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
681 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
d7ee3519
MK		 682 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
683 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
50978462
PNA		 684};
685#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
686
687
9fb9cbb1 688#ifdef CONFIG_SYSCTL
933a41e7 689static struct ctl_table sctp_sysctl_table[] = {
9fb9cbb1 690 {
9fb9cbb1 691 .procname = "nf_conntrack_sctp_timeout_closed",
9fb9cbb1
YK		 692 .maxlen = sizeof(unsigned int),
693 .mode = 0644,
6d9f239a 694 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 695 },
696 {
9fb9cbb1 697 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
9fb9cbb1
YK		 698 .maxlen = sizeof(unsigned int),
699 .mode = 0644,
6d9f239a 700 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 701 },
702 {
9fb9cbb1 703 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
9fb9cbb1
YK		 704 .maxlen = sizeof(unsigned int),
705 .mode = 0644,
6d9f239a 706 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 707 },
708 {
9fb9cbb1 709 .procname = "nf_conntrack_sctp_timeout_established",
9fb9cbb1
YK		 710 .maxlen = sizeof(unsigned int),
711 .mode = 0644,
6d9f239a 712 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 713 },
714 {
9fb9cbb1 715 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
9fb9cbb1
YK		 716 .maxlen = sizeof(unsigned int),
717 .mode = 0644,
6d9f239a 718 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 719 },
720 {
9fb9cbb1 721 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
9fb9cbb1
YK		 722 .maxlen = sizeof(unsigned int),
723 .mode = 0644,
6d9f239a 724 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 725 },
726 {
9fb9cbb1 727 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
9fb9cbb1
YK		 728 .maxlen = sizeof(unsigned int),
729 .mode = 0644,
6d9f239a 730 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1 731 },
d7ee3519
MK		 732 {
733 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
734 .maxlen = sizeof(unsigned int),
735 .mode = 0644,
736 .proc_handler = proc_dointvec_jiffies,
737 },
738 {
739 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
740 .maxlen = sizeof(unsigned int),
741 .mode = 0644,
742 .proc_handler = proc_dointvec_jiffies,
743 },
f8572d8f 744 { }
9fb9cbb1 745};
933a41e7 746#endif
9fb9cbb1 747
f42c4183 748static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
a85406af 749 struct nf_sctp_net *sn)
49d485a3
G		 750{
751#ifdef CONFIG_SYSCTL
49d485a3
G		 752 if (pn->ctl_table)
753 return 0;
754
755 pn->ctl_table = kmemdup(sctp_sysctl_table,
756 sizeof(sctp_sysctl_table),
757 GFP_KERNEL);
758 if (!pn->ctl_table)
759 return -ENOMEM;
760
761 pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
762 pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
763 pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
764 pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
765 pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
766 pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
767 pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
d7ee3519
MK		 768 pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
769 pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
49d485a3
G		 770#endif
771 return 0;
772}
773
f42c4183 774static int sctp_init_net(struct net *net, u_int16_t proto)
49d485a3 775{
a85406af 776 struct nf_sctp_net *sn = sctp_pernet(net);
f42c4183 777 struct nf_proto_net *pn = &sn->pn;
49d485a3 778
f42c4183
G		 779 if (!pn->users) {
780 int i;
49d485a3 781
f42c4183
G		 782 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
783 sn->timeouts[i] = sctp_timeouts[i];
784 }
49d485a3 785
adf05168 786 return sctp_kmemdup_sysctl_table(pn, sn);
49d485a3
G		 787}
788
a85406af 789struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
933a41e7
PM		 790 .l3proto = PF_INET,
791 .l4proto = IPPROTO_SCTP,
792 .name = "sctp",
793 .pkt_to_tuple = sctp_pkt_to_tuple,
794 .invert_tuple = sctp_invert_tuple,
795 .print_tuple = sctp_print_tuple,
796 .print_conntrack = sctp_print_conntrack,
797 .packet = sctp_packet,
2c8503f5 798 .get_timeouts = sctp_get_timeouts,
933a41e7 799 .new = sctp_new,
cf6e007e 800 .error = sctp_error,
c6dd940b 801 .can_early_drop = sctp_can_early_drop,
933a41e7 802 .me = THIS_MODULE,
c0cd1156 803#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 804 .to_nlattr = sctp_to_nlattr,
a400c30e 805 .nlattr_size = sctp_nlattr_size,
a258860e 806 .from_nlattr = nlattr_to_sctp,
c7212e9d 807 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 808 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 809 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
810 .nla_policy = nf_ct_port_nla_policy,
811#endif
50978462
PNA		 812#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
813 .ctnl_timeout = {
814 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
815 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
816 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
817 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
818 .nla_policy = sctp_timeout_nla_policy,
819 },
820#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
f42c4183 821 .init_net = sctp_init_net,
9fb9cbb1 822};
a85406af 823EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
9fb9cbb1 824
a85406af 825struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
933a41e7
PM		 826 .l3proto = PF_INET6,
827 .l4proto = IPPROTO_SCTP,
828 .name = "sctp",
829 .pkt_to_tuple = sctp_pkt_to_tuple,
830 .invert_tuple = sctp_invert_tuple,
831 .print_tuple = sctp_print_tuple,
832 .print_conntrack = sctp_print_conntrack,
833 .packet = sctp_packet,
2c8503f5 834 .get_timeouts = sctp_get_timeouts,
933a41e7 835 .new = sctp_new,
cf6e007e 836 .error = sctp_error,
c6dd940b 837 .can_early_drop = sctp_can_early_drop,
933a41e7 838 .me = THIS_MODULE,
c0cd1156 839#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 840 .to_nlattr = sctp_to_nlattr,
a400c30e 841 .nlattr_size = sctp_nlattr_size,
a258860e 842 .from_nlattr = nlattr_to_sctp,
c7212e9d 843 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 844 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 845 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
846 .nla_policy = nf_ct_port_nla_policy,
50978462
PNA		 847#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
848 .ctnl_timeout = {
849 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
850 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
851 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
852 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
853 .nla_policy = sctp_timeout_nla_policy,
854 },
855#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
9fb9cbb1 856#endif
f42c4183 857 .init_net = sctp_init_net,
933a41e7 858};
a85406af 859EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
Ubuntu Artful kernel mirror