2 * Copyright (c) 2001 Daniel Hartmeier
3 * Copyright (c) 2002 - 2008 Henning Brauer
4 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org>
5 * Copyright (c) 2015, 2016 Nicira, Inc.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * - Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * - Redistributions in binary form must reproduce the above
15 * copyright notice, this list of conditions and the following
16 * disclaimer in the documentation and/or other materials provided
17 * with the distribution.
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
32 * Effort sponsored in part by the Defense Advanced Research Projects
33 * Agency (DARPA) and Air Force Research Laboratory, Air Force
34 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
36 * $OpenBSD: pf.c,v 1.634 2009/02/27 12:37:45 henning Exp $
41 #include "conntrack-private.h"
44 #include "dp-packet.h"
47 COVERAGE_DEFINE(conntrack_tcp_seq_chk_bypass
);
48 COVERAGE_DEFINE(conntrack_tcp_seq_chk_failed
);
49 COVERAGE_DEFINE(conntrack_invalid_tcp_flags
);
52 uint32_t seqlo
; /* Max sequence number sent */
53 uint32_t seqhi
; /* Max the other end ACKd + win */
54 uint16_t max_win
; /* largest window (pre scaling) */
55 uint8_t wscale
; /* window scaling factor */
56 enum ct_dpif_tcp_state state
;
61 struct tcp_peer peer
[2]; /* 'conn' lock protected. */
70 /* TCP sequence numbers are 32 bit integers operated
71 * on with modular arithmetic. These macros can be
72 * used to compare such integers. */
73 #define SEQ_LT(a,b) INT_MOD_LT(a, b)
74 #define SEQ_LEQ(a,b) INT_MOD_LEQ(a, b)
75 #define SEQ_GT(a,b) INT_MOD_GT(a, b)
76 #define SEQ_GEQ(a,b) INT_MOD_GEQ(a, b)
78 #define SEQ_MIN(a, b) INT_MOD_MIN(a, b)
79 #define SEQ_MAX(a, b) INT_MOD_MAX(a, b)
81 static struct conn_tcp
*
82 conn_tcp_cast(const struct conn
* conn
)
84 return CONTAINER_OF(conn
, struct conn_tcp
, up
);
87 /* pf does this in in pf_normalize_tcp(), and it is called only if scrub
88 * is enabled. We're not scrubbing, but this check seems reasonable. */
90 tcp_invalid_flags(uint16_t flags
)
93 if (flags
& TCP_SYN
) {
94 if (flags
& TCP_RST
|| flags
& TCP_FIN
) {
99 if (!(flags
& (TCP_ACK
|TCP_RST
))) {
104 if (!(flags
& TCP_ACK
)) {
105 /* These flags are only valid if ACK is set */
106 if ((flags
& TCP_FIN
) || (flags
& TCP_PSH
) || (flags
& TCP_URG
)) {
114 #define TCP_MAX_WSCALE 14
115 #define CT_WSCALE_FLAG 0x80
116 #define CT_WSCALE_UNKNOWN 0x40
117 #define CT_WSCALE_MASK 0xf
120 tcp_get_wscale(const struct tcp_header
*tcp
)
122 int len
= TCP_OFFSET(tcp
->tcp_ctl
) * 4 - sizeof *tcp
;
123 const uint8_t *opt
= (const uint8_t *)(tcp
+ 1);
136 wscale
= MIN(opt
[2], TCP_MAX_WSCALE
);
137 wscale
|= CT_WSCALE_FLAG
;
153 tcp_bypass_seq_chk(struct conntrack
*ct
)
155 if (!conntrack_get_tcp_seq_chk(ct
)) {
156 COVERAGE_INC(conntrack_tcp_seq_chk_bypass
);
162 static enum ct_update_res
163 tcp_conn_update(struct conntrack
*ct
, struct conn
*conn_
,
164 struct dp_packet
*pkt
, bool reply
, long long now
)
166 struct conn_tcp
*conn
= conn_tcp_cast(conn_
);
167 struct tcp_header
*tcp
= dp_packet_l4(pkt
);
168 /* The peer that sent 'pkt' */
169 struct tcp_peer
*src
= &conn
->peer
[reply
? 1 : 0];
170 /* The peer that should receive 'pkt' */
171 struct tcp_peer
*dst
= &conn
->peer
[reply
? 0 : 1];
172 uint8_t sws
= 0, dws
= 0;
173 uint16_t tcp_flags
= TCP_FLAGS(tcp
->tcp_ctl
);
175 uint16_t win
= ntohs(tcp
->tcp_winsz
);
176 uint32_t ack
, end
, seq
, orig_seq
;
177 uint32_t p_len
= tcp_payload_length(pkt
);
179 if (tcp_invalid_flags(tcp_flags
)) {
180 COVERAGE_INC(conntrack_invalid_tcp_flags
);
181 return CT_UPDATE_INVALID
;
184 if ((tcp_flags
& (TCP_SYN
| TCP_ACK
)) == TCP_SYN
) {
185 if (dst
->state
>= CT_DPIF_TCPS_FIN_WAIT_2
186 && src
->state
>= CT_DPIF_TCPS_FIN_WAIT_2
) {
187 src
->state
= dst
->state
= CT_DPIF_TCPS_CLOSED
;
188 return CT_UPDATE_NEW
;
189 } else if (src
->state
<= CT_DPIF_TCPS_SYN_SENT
) {
190 src
->state
= CT_DPIF_TCPS_SYN_SENT
;
191 conn_update_expiration(ct
, &conn
->up
, CT_TM_TCP_FIRST_PACKET
, now
);
192 return CT_UPDATE_NEW
;
196 if (src
->wscale
& CT_WSCALE_FLAG
197 && dst
->wscale
& CT_WSCALE_FLAG
198 && !(tcp_flags
& TCP_SYN
)) {
200 sws
= src
->wscale
& CT_WSCALE_MASK
;
201 dws
= dst
->wscale
& CT_WSCALE_MASK
;
203 } else if (src
->wscale
& CT_WSCALE_UNKNOWN
204 && dst
->wscale
& CT_WSCALE_UNKNOWN
205 && !(tcp_flags
& TCP_SYN
)) {
207 sws
= TCP_MAX_WSCALE
;
208 dws
= TCP_MAX_WSCALE
;
212 * Sequence tracking algorithm from Guido van Rooij's paper:
213 * http://www.madison-gurkha.com/publications/tcp_filtering/
217 orig_seq
= seq
= ntohl(get_16aligned_be32(&tcp
->tcp_seq
));
218 bool check_ackskew
= true;
219 if (src
->state
< CT_DPIF_TCPS_SYN_SENT
) {
220 /* First packet from this end. Set its state */
222 ack
= ntohl(get_16aligned_be32(&tcp
->tcp_ack
));
225 if (tcp_flags
& TCP_SYN
) {
227 if (dst
->wscale
& CT_WSCALE_FLAG
) {
228 src
->wscale
= tcp_get_wscale(tcp
);
229 if (src
->wscale
& CT_WSCALE_FLAG
) {
230 /* Remove scale factor from initial window */
231 sws
= src
->wscale
& CT_WSCALE_MASK
;
232 win
= DIV_ROUND_UP((uint32_t) win
, 1 << sws
);
233 dws
= dst
->wscale
& CT_WSCALE_MASK
;
235 /* fixup other window */
236 dst
->max_win
<<= dst
->wscale
& CT_WSCALE_MASK
;
237 /* in case of a retrans SYN|ACK */
242 if (tcp_flags
& TCP_FIN
) {
247 src
->state
= CT_DPIF_TCPS_SYN_SENT
;
249 * May need to slide the window (seqhi may have been set by
250 * the crappy stack check or if we picked up the connection
251 * after establishment)
254 || SEQ_GEQ(end
+ MAX(1, dst
->max_win
<< dws
), src
->seqhi
)) {
255 src
->seqhi
= end
+ MAX(1, dst
->max_win
<< dws
);
256 /* We are either picking up a new connection or a connection which
257 * was already in place. We are more permissive in terms of
258 * ackskew checking in these cases.
260 check_ackskew
= false;
262 if (win
> src
->max_win
) {
267 ack
= ntohl(get_16aligned_be32(&tcp
->tcp_ack
));
269 if (tcp_flags
& TCP_SYN
) {
272 if (tcp_flags
& TCP_FIN
) {
277 if ((tcp_flags
& TCP_ACK
) == 0) {
278 /* Let it pass through the ack skew check */
281 && (tcp_flags
& (TCP_ACK
|TCP_RST
)) == (TCP_ACK
|TCP_RST
))
282 /* broken tcp stacks do not set ack */) {
283 /* Many stacks (ours included) will set the ACK number in an
284 * FIN|ACK if the SYN times out -- no sequence to ACK. */
289 /* Ease sequencing restrictions on no data packets */
294 int ackskew
= check_ackskew
? dst
->seqlo
- ack
: 0;
295 #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */
296 if ((SEQ_GEQ(src
->seqhi
, end
)
297 /* Last octet inside other's window space */
298 && SEQ_GEQ(seq
, src
->seqlo
- (dst
->max_win
<< dws
))
299 /* Retrans: not more than one window back */
300 && (ackskew
>= -MAXACKWINDOW
)
301 /* Acking not more than one reassembled fragment backwards */
302 && (ackskew
<= (MAXACKWINDOW
<< sws
))
303 /* Acking not more than one window forward */
304 && ((tcp_flags
& TCP_RST
) == 0 || orig_seq
== src
->seqlo
305 || (orig_seq
== src
->seqlo
+ 1) || (orig_seq
+ 1 == src
->seqlo
)))
306 || tcp_bypass_seq_chk(ct
)) {
307 /* Require an exact/+1 sequence match on resets when possible */
309 /* update max window */
310 if (src
->max_win
< win
) {
313 /* synchronize sequencing */
314 if (SEQ_GT(end
, src
->seqlo
)) {
317 /* slide the window of what the other end can send */
318 if (SEQ_GEQ(ack
+ (win
<< sws
), dst
->seqhi
)) {
319 dst
->seqhi
= ack
+ MAX((win
<< sws
), 1);
323 if (tcp_flags
& TCP_SYN
&& src
->state
< CT_DPIF_TCPS_SYN_SENT
) {
324 src
->state
= CT_DPIF_TCPS_SYN_SENT
;
326 if (tcp_flags
& TCP_FIN
&& src
->state
< CT_DPIF_TCPS_CLOSING
) {
327 src
->state
= CT_DPIF_TCPS_CLOSING
;
329 if (tcp_flags
& TCP_ACK
) {
330 if (dst
->state
== CT_DPIF_TCPS_SYN_SENT
) {
331 dst
->state
= CT_DPIF_TCPS_ESTABLISHED
;
332 } else if (dst
->state
== CT_DPIF_TCPS_CLOSING
) {
333 dst
->state
= CT_DPIF_TCPS_FIN_WAIT_2
;
336 if (tcp_flags
& TCP_RST
) {
337 src
->state
= dst
->state
= CT_DPIF_TCPS_TIME_WAIT
;
340 if (src
->state
>= CT_DPIF_TCPS_FIN_WAIT_2
341 && dst
->state
>= CT_DPIF_TCPS_FIN_WAIT_2
) {
342 conn_update_expiration(ct
, &conn
->up
, CT_TM_TCP_CLOSED
, now
);
343 } else if (src
->state
>= CT_DPIF_TCPS_CLOSING
344 && dst
->state
>= CT_DPIF_TCPS_CLOSING
) {
345 conn_update_expiration(ct
, &conn
->up
, CT_TM_TCP_FIN_WAIT
, now
);
346 } else if (src
->state
< CT_DPIF_TCPS_ESTABLISHED
347 || dst
->state
< CT_DPIF_TCPS_ESTABLISHED
) {
348 conn_update_expiration(ct
, &conn
->up
, CT_TM_TCP_OPENING
, now
);
349 } else if (src
->state
>= CT_DPIF_TCPS_CLOSING
350 || dst
->state
>= CT_DPIF_TCPS_CLOSING
) {
351 conn_update_expiration(ct
, &conn
->up
, CT_TM_TCP_CLOSING
, now
);
353 conn_update_expiration(ct
, &conn
->up
, CT_TM_TCP_ESTABLISHED
, now
);
355 } else if ((dst
->state
< CT_DPIF_TCPS_SYN_SENT
356 || dst
->state
>= CT_DPIF_TCPS_FIN_WAIT_2
357 || src
->state
>= CT_DPIF_TCPS_FIN_WAIT_2
)
358 && SEQ_GEQ(src
->seqhi
+ MAXACKWINDOW
, end
)
359 /* Within a window forward of the originating packet */
360 && SEQ_GEQ(seq
, src
->seqlo
- MAXACKWINDOW
)) {
361 /* Within a window backward of the originating packet */
364 * This currently handles three situations:
365 * 1) Stupid stacks will shotgun SYNs before their peer
367 * 2) When PF catches an already established stream (the
368 * firewall rebooted, the state table was flushed, routes
370 * 3) Packets get funky immediately after the connection
371 * closes (this should catch Solaris spurious ACK|FINs
372 * that web servers like to spew after a close)
374 * This must be a little more careful than the above code
375 * since packet floods will also be caught here. We don't
376 * update the TTL here to mitigate the damage of a packet
377 * flood and so the same code can handle awkward establishment
378 * and a loosened connection close.
379 * In the establishment case, a correct peer response will
380 * validate the connection, go through the normal state code
381 * and keep updating the state TTL.
384 /* update max window */
385 if (src
->max_win
< win
) {
388 /* synchronize sequencing */
389 if (SEQ_GT(end
, src
->seqlo
)) {
392 /* slide the window of what the other end can send */
393 if (SEQ_GEQ(ack
+ (win
<< sws
), dst
->seqhi
)) {
394 dst
->seqhi
= ack
+ MAX((win
<< sws
), 1);
398 * Cannot set dst->seqhi here since this could be a shotgunned
399 * SYN and not an already established connection.
402 if (tcp_flags
& TCP_FIN
&& src
->state
< CT_DPIF_TCPS_CLOSING
) {
403 src
->state
= CT_DPIF_TCPS_CLOSING
;
406 if (tcp_flags
& TCP_RST
) {
407 src
->state
= dst
->state
= CT_DPIF_TCPS_TIME_WAIT
;
410 COVERAGE_INC(conntrack_tcp_seq_chk_failed
);
411 return CT_UPDATE_INVALID
;
414 return CT_UPDATE_VALID
;
418 tcp_valid_new(struct dp_packet
*pkt
)
420 struct tcp_header
*tcp
= dp_packet_l4(pkt
);
421 uint16_t tcp_flags
= TCP_FLAGS(tcp
->tcp_ctl
);
423 if (tcp_invalid_flags(tcp_flags
)) {
427 /* A syn+ack is not allowed to create a connection. We want to allow
428 * totally new connections (syn) or already established, not partially
430 if ((tcp_flags
& TCP_SYN
) && (tcp_flags
& TCP_ACK
)) {
438 tcp_new_conn(struct conntrack
*ct
, struct dp_packet
*pkt
, long long now
)
440 struct conn_tcp
* newconn
= NULL
;
441 struct tcp_header
*tcp
= dp_packet_l4(pkt
);
442 struct tcp_peer
*src
, *dst
;
443 uint16_t tcp_flags
= TCP_FLAGS(tcp
->tcp_ctl
);
445 newconn
= xzalloc(sizeof *newconn
);
447 src
= &newconn
->peer
[0];
448 dst
= &newconn
->peer
[1];
450 src
->seqlo
= ntohl(get_16aligned_be32(&tcp
->tcp_seq
));
451 src
->seqhi
= src
->seqlo
+ tcp_payload_length(pkt
) + 1;
453 if (tcp_flags
& TCP_SYN
) {
455 src
->wscale
= tcp_get_wscale(tcp
);
457 src
->wscale
= CT_WSCALE_UNKNOWN
;
458 dst
->wscale
= CT_WSCALE_UNKNOWN
;
460 src
->max_win
= MAX(ntohs(tcp
->tcp_winsz
), 1);
461 if (src
->wscale
& CT_WSCALE_MASK
) {
462 /* Remove scale factor from initial window */
463 uint8_t sws
= src
->wscale
& CT_WSCALE_MASK
;
464 src
->max_win
= DIV_ROUND_UP((uint32_t) src
->max_win
, 1 << sws
);
466 if (tcp_flags
& TCP_FIN
) {
471 src
->state
= CT_DPIF_TCPS_SYN_SENT
;
472 dst
->state
= CT_DPIF_TCPS_CLOSED
;
474 conn_init_expiration(ct
, &newconn
->up
, CT_TM_TCP_FIRST_PACKET
, now
);
480 tcp_peer_to_protoinfo_flags(const struct tcp_peer
*peer
)
484 if (peer
->wscale
& CT_WSCALE_FLAG
) {
485 res
|= CT_DPIF_TCPF_WINDOW_SCALE
;
488 if (peer
->wscale
& CT_WSCALE_UNKNOWN
) {
489 res
|= CT_DPIF_TCPF_BE_LIBERAL
;
496 tcp_conn_get_protoinfo(const struct conn
*conn_
,
497 struct ct_dpif_protoinfo
*protoinfo
)
499 const struct conn_tcp
*conn
= conn_tcp_cast(conn_
);
501 protoinfo
->proto
= IPPROTO_TCP
;
502 protoinfo
->tcp
.state_orig
= conn
->peer
[0].state
;
503 protoinfo
->tcp
.state_reply
= conn
->peer
[1].state
;
505 protoinfo
->tcp
.wscale_orig
= conn
->peer
[0].wscale
& CT_WSCALE_MASK
;
506 protoinfo
->tcp
.wscale_reply
= conn
->peer
[1].wscale
& CT_WSCALE_MASK
;
508 protoinfo
->tcp
.flags_orig
= tcp_peer_to_protoinfo_flags(&conn
->peer
[0]);
509 protoinfo
->tcp
.flags_reply
= tcp_peer_to_protoinfo_flags(&conn
->peer
[1]);
512 struct ct_l4_proto ct_proto_tcp
= {
513 .new_conn
= tcp_new_conn
,
514 .valid_new
= tcp_valid_new
,
515 .conn_update
= tcp_conn_update
,
516 .conn_get_protoinfo
= tcp_conn_get_protoinfo
,