]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - net/netfilter/nf_conntrack_proto_sctp.c
projects / mirror_ubuntu-zesty-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm...
[mirror_ubuntu-zesty-kernel.git] / net / netfilter / nf_conntrack_proto_sctp.c
1 /*
2 * Connection tracking protocol helper module for SCTP.
3 *
4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
6 *
7 * SCTP is defined in RFC 2960. References to various sections in this code
8 * are to this RFC.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
13 */
14
15 #include <linux/types.h>
16 #include <linux/timer.h>
17 #include <linux/netfilter.h>
18 #include <linux/in.h>
19 #include <linux/ip.h>
20 #include <linux/sctp.h>
21 #include <linux/string.h>
22 #include <linux/seq_file.h>
23 #include <linux/spinlock.h>
24 #include <linux/interrupt.h>
25
26 #include <net/netfilter/nf_conntrack.h>
27 #include <net/netfilter/nf_conntrack_l4proto.h>
28 #include <net/netfilter/nf_conntrack_ecache.h>
29
30 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
31 closely. They're more complex. --RR
32
33 And so for me for SCTP :D -Kiran */
34
35 static const char *const sctp_conntrack_names[] = {
36 "NONE",
37 "CLOSED",
38 "COOKIE_WAIT",
39 "COOKIE_ECHOED",
40 "ESTABLISHED",
41 "SHUTDOWN_SENT",
42 "SHUTDOWN_RECD",
43 "SHUTDOWN_ACK_SENT",
44 "HEARTBEAT_SENT",
45 "HEARTBEAT_ACKED",
46 };
47
48 #define SECS * HZ
49 #define MINS * 60 SECS
50 #define HOURS * 60 MINS
51 #define DAYS * 24 HOURS
52
53 static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
54 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
55 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
56 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
57 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
58 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
59 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
60 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
61 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
62 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
63 };
64
65 #define sNO SCTP_CONNTRACK_NONE
66 #define sCL SCTP_CONNTRACK_CLOSED
67 #define sCW SCTP_CONNTRACK_COOKIE_WAIT
68 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED
69 #define sES SCTP_CONNTRACK_ESTABLISHED
70 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
71 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
72 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
73 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
74 #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
75 #define sIV SCTP_CONNTRACK_MAX
76
77 /*
78 These are the descriptions of the states:
79
80 NOTE: These state names are tantalizingly similar to the states of an
81 SCTP endpoint. But the interpretation of the states is a little different,
82 considering that these are the states of the connection and not of an end
83 point. Please note the subtleties. -Kiran
84
85 NONE - Nothing so far.
86 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
87 an INIT_ACK chunk in the reply direction.
88 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
89 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
90 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
91 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
92 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
93 to that of the SHUTDOWN chunk.
94 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
95 the SHUTDOWN chunk. Connection is closed.
96 HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
97 HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
98 that of the HEARTBEAT chunk. Secondary connection is
99 established.
100 */
101
102 /* TODO
103 - I have assumed that the first INIT is in the original direction.
104 This messes things when an INIT comes in the reply direction in CLOSED
105 state.
106 - Check the error type in the reply dir before transitioning from
107 cookie echoed to closed.
108 - Sec 5.2.4 of RFC 2960
109 - Full Multi Homing support.
110 */
111
112 /* SCTP conntrack state transitions */
113 static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
114 {
115 /* ORIGINAL */
116 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
117 /* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
118 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
119 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
120 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
121 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
122 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
123 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
124 /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
125 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
126 /* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
127 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
128 },
129 {
130 /* REPLY */
131 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
132 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
133 /* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
134 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
135 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
136 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
137 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
138 /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
139 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
140 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
141 /* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
142 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
143 }
144 };
145
146 static inline struct nf_sctp_net *sctp_pernet(struct net *net)
147 {
148 return &net->ct.nf_ct_proto.sctp;
149 }
150
151 static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
152 struct net *net, struct nf_conntrack_tuple *tuple)
153 {
154 const struct sctphdr *hp;
155 struct sctphdr _hdr;
156
157 /* Actually only need first 4 bytes to get ports. */
158 hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
159 if (hp == NULL)
160 return false;
161
162 tuple->src.u.sctp.port = hp->source;
163 tuple->dst.u.sctp.port = hp->dest;
164 return true;
165 }
166
167 static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
168 const struct nf_conntrack_tuple *orig)
169 {
170 tuple->src.u.sctp.port = orig->dst.u.sctp.port;
171 tuple->dst.u.sctp.port = orig->src.u.sctp.port;
172 return true;
173 }
174
175 /* Print out the per-protocol part of the tuple. */
176 static void sctp_print_tuple(struct seq_file *s,
177 const struct nf_conntrack_tuple *tuple)
178 {
179 seq_printf(s, "sport=%hu dport=%hu ",
180 ntohs(tuple->src.u.sctp.port),
181 ntohs(tuple->dst.u.sctp.port));
182 }
183
184 /* Print out the private part of the conntrack. */
185 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
186 {
187 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
188 }
189
190 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
191 for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \
192 (offset) < (skb)->len && \
193 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
194 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
195
196 /* Some validity checks to make sure the chunks are fine */
197 static int do_basic_checks(struct nf_conn *ct,
198 const struct sk_buff *skb,
199 unsigned int dataoff,
200 unsigned long *map)
201 {
202 u_int32_t offset, count;
203 sctp_chunkhdr_t _sch, *sch;
204 int flag;
205
206 flag = 0;
207
208 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
209 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
210
211 if (sch->type == SCTP_CID_INIT ||
212 sch->type == SCTP_CID_INIT_ACK ||
213 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
214 flag = 1;
215
216 /*
217 * Cookie Ack/Echo chunks not the first OR
218 * Init / Init Ack / Shutdown compl chunks not the only chunks
219 * OR zero-length.
220 */
221 if (((sch->type == SCTP_CID_COOKIE_ACK ||
222 sch->type == SCTP_CID_COOKIE_ECHO ||
223 flag) &&
224 count != 0) || !sch->length) {
225 pr_debug("Basic checks failed\n");
226 return 1;
227 }
228
229 if (map)
230 set_bit(sch->type, map);
231 }
232
233 pr_debug("Basic checks passed\n");
234 return count == 0;
235 }
236
237 static int sctp_new_state(enum ip_conntrack_dir dir,
238 enum sctp_conntrack cur_state,
239 int chunk_type)
240 {
241 int i;
242
243 pr_debug("Chunk type: %d\n", chunk_type);
244
245 switch (chunk_type) {
246 case SCTP_CID_INIT:
247 pr_debug("SCTP_CID_INIT\n");
248 i = 0;
249 break;
250 case SCTP_CID_INIT_ACK:
251 pr_debug("SCTP_CID_INIT_ACK\n");
252 i = 1;
253 break;
254 case SCTP_CID_ABORT:
255 pr_debug("SCTP_CID_ABORT\n");
256 i = 2;
257 break;
258 case SCTP_CID_SHUTDOWN:
259 pr_debug("SCTP_CID_SHUTDOWN\n");
260 i = 3;
261 break;
262 case SCTP_CID_SHUTDOWN_ACK:
263 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
264 i = 4;
265 break;
266 case SCTP_CID_ERROR:
267 pr_debug("SCTP_CID_ERROR\n");
268 i = 5;
269 break;
270 case SCTP_CID_COOKIE_ECHO:
271 pr_debug("SCTP_CID_COOKIE_ECHO\n");
272 i = 6;
273 break;
274 case SCTP_CID_COOKIE_ACK:
275 pr_debug("SCTP_CID_COOKIE_ACK\n");
276 i = 7;
277 break;
278 case SCTP_CID_SHUTDOWN_COMPLETE:
279 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
280 i = 8;
281 break;
282 case SCTP_CID_HEARTBEAT:
283 pr_debug("SCTP_CID_HEARTBEAT");
284 i = 9;
285 break;
286 case SCTP_CID_HEARTBEAT_ACK:
287 pr_debug("SCTP_CID_HEARTBEAT_ACK");
288 i = 10;
289 break;
290 default:
291 /* Other chunks like DATA or SACK do not change the state */
292 pr_debug("Unknown chunk type, Will stay in %s\n",
293 sctp_conntrack_names[cur_state]);
294 return cur_state;
295 }
296
297 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
298 dir, sctp_conntrack_names[cur_state], chunk_type,
299 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
300
301 return sctp_conntracks[dir][i][cur_state];
302 }
303
304 static unsigned int *sctp_get_timeouts(struct net *net)
305 {
306 return sctp_pernet(net)->timeouts;
307 }
308
309 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
310 static int sctp_packet(struct nf_conn *ct,
311 const struct sk_buff *skb,
312 unsigned int dataoff,
313 enum ip_conntrack_info ctinfo,
314 u_int8_t pf,
315 unsigned int hooknum,
316 unsigned int *timeouts)
317 {
318 enum sctp_conntrack new_state, old_state;
319 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
320 const struct sctphdr *sh;
321 struct sctphdr _sctph;
322 const struct sctp_chunkhdr *sch;
323 struct sctp_chunkhdr _sch;
324 u_int32_t offset, count;
325 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
326
327 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
328 if (sh == NULL)
329 goto out;
330
331 if (do_basic_checks(ct, skb, dataoff, map) != 0)
332 goto out;
333
334 /* Check the verification tag (Sec 8.5) */
335 if (!test_bit(SCTP_CID_INIT, map) &&
336 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
337 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
338 !test_bit(SCTP_CID_ABORT, map) &&
339 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
340 !test_bit(SCTP_CID_HEARTBEAT, map) &&
341 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
342 sh->vtag != ct->proto.sctp.vtag[dir]) {
343 pr_debug("Verification tag check failed\n");
344 goto out;
345 }
346
347 old_state = new_state = SCTP_CONNTRACK_NONE;
348 spin_lock_bh(&ct->lock);
349 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
350 /* Special cases of Verification tag check (Sec 8.5.1) */
351 if (sch->type == SCTP_CID_INIT) {
352 /* Sec 8.5.1 (A) */
353 if (sh->vtag != 0)
354 goto out_unlock;
355 } else if (sch->type == SCTP_CID_ABORT) {
356 /* Sec 8.5.1 (B) */
357 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
358 sh->vtag != ct->proto.sctp.vtag[!dir])
359 goto out_unlock;
360 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
361 /* Sec 8.5.1 (C) */
362 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
363 sh->vtag != ct->proto.sctp.vtag[!dir] &&
364 sch->flags & SCTP_CHUNK_FLAG_T)
365 goto out_unlock;
366 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
367 /* Sec 8.5.1 (D) */
368 if (sh->vtag != ct->proto.sctp.vtag[dir])
369 goto out_unlock;
370 } else if (sch->type == SCTP_CID_HEARTBEAT ||
371 sch->type == SCTP_CID_HEARTBEAT_ACK) {
372 if (ct->proto.sctp.vtag[dir] == 0) {
373 pr_debug("Setting vtag %x for dir %d\n",
374 sh->vtag, dir);
375 ct->proto.sctp.vtag[dir] = sh->vtag;
376 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
377 pr_debug("Verification tag check failed\n");
378 goto out_unlock;
379 }
380 }
381
382 old_state = ct->proto.sctp.state;
383 new_state = sctp_new_state(dir, old_state, sch->type);
384
385 /* Invalid */
386 if (new_state == SCTP_CONNTRACK_MAX) {
387 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
388 "conntrack=%u\n",
389 dir, sch->type, old_state);
390 goto out_unlock;
391 }
392
393 /* If it is an INIT or an INIT ACK note down the vtag */
394 if (sch->type == SCTP_CID_INIT ||
395 sch->type == SCTP_CID_INIT_ACK) {
396 sctp_inithdr_t _inithdr, *ih;
397
398 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
399 sizeof(_inithdr), &_inithdr);
400 if (ih == NULL)
401 goto out_unlock;
402 pr_debug("Setting vtag %x for dir %d\n",
403 ih->init_tag, !dir);
404 ct->proto.sctp.vtag[!dir] = ih->init_tag;
405 }
406
407 ct->proto.sctp.state = new_state;
408 if (old_state != new_state)
409 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
410 }
411 spin_unlock_bh(&ct->lock);
412
413 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
414
415 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
416 dir == IP_CT_DIR_REPLY &&
417 new_state == SCTP_CONNTRACK_ESTABLISHED) {
418 pr_debug("Setting assured bit\n");
419 set_bit(IPS_ASSURED_BIT, &ct->status);
420 nf_conntrack_event_cache(IPCT_ASSURED, ct);
421 }
422
423 return NF_ACCEPT;
424
425 out_unlock:
426 spin_unlock_bh(&ct->lock);
427 out:
428 return -NF_ACCEPT;
429 }
430
431 /* Called when a new connection for this protocol found. */
432 static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
433 unsigned int dataoff, unsigned int *timeouts)
434 {
435 enum sctp_conntrack new_state;
436 const struct sctphdr *sh;
437 struct sctphdr _sctph;
438 const struct sctp_chunkhdr *sch;
439 struct sctp_chunkhdr _sch;
440 u_int32_t offset, count;
441 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
442
443 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
444 if (sh == NULL)
445 return false;
446
447 if (do_basic_checks(ct, skb, dataoff, map) != 0)
448 return false;
449
450 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
451 if (test_bit(SCTP_CID_ABORT, map) ||
452 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
453 test_bit(SCTP_CID_COOKIE_ACK, map))
454 return false;
455
456 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
457 new_state = SCTP_CONNTRACK_MAX;
458 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
459 /* Don't need lock here: this conntrack not in circulation yet */
460 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
461 SCTP_CONNTRACK_NONE, sch->type);
462
463 /* Invalid: delete conntrack */
464 if (new_state == SCTP_CONNTRACK_NONE ||
465 new_state == SCTP_CONNTRACK_MAX) {
466 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
467 return false;
468 }
469
470 /* Copy the vtag into the state info */
471 if (sch->type == SCTP_CID_INIT) {
472 if (sh->vtag == 0) {
473 sctp_inithdr_t _inithdr, *ih;
474
475 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
476 sizeof(_inithdr), &_inithdr);
477 if (ih == NULL)
478 return false;
479
480 pr_debug("Setting vtag %x for new conn\n",
481 ih->init_tag);
482
483 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
484 ih->init_tag;
485 } else {
486 /* Sec 8.5.1 (A) */
487 return false;
488 }
489 } else if (sch->type == SCTP_CID_HEARTBEAT) {
490 pr_debug("Setting vtag %x for secondary conntrack\n",
491 sh->vtag);
492 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
493 }
494 /* If it is a shutdown ack OOTB packet, we expect a return
495 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
496 else {
497 pr_debug("Setting vtag %x for new conn OOTB\n",
498 sh->vtag);
499 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
500 }
501
502 ct->proto.sctp.state = new_state;
503 }
504
505 return true;
506 }
507
508 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
509
510 #include <linux/netfilter/nfnetlink.h>
511 #include <linux/netfilter/nfnetlink_conntrack.h>
512
513 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
514 struct nf_conn *ct)
515 {
516 struct nlattr *nest_parms;
517
518 spin_lock_bh(&ct->lock);
519 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
520 if (!nest_parms)
521 goto nla_put_failure;
522
523 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
524 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
525 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
526 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
527 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
528 goto nla_put_failure;
529
530 spin_unlock_bh(&ct->lock);
531
532 nla_nest_end(skb, nest_parms);
533
534 return 0;
535
536 nla_put_failure:
537 spin_unlock_bh(&ct->lock);
538 return -1;
539 }
540
541 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
542 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
543 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
544 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
545 };
546
547 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
548 {
549 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
550 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
551 int err;
552
553 /* updates may not contain the internal protocol info, skip parsing */
554 if (!attr)
555 return 0;
556
557 err = nla_parse_nested(tb,
558 CTA_PROTOINFO_SCTP_MAX,
559 attr,
560 sctp_nla_policy);
561 if (err < 0)
562 return err;
563
564 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
565 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
566 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
567 return -EINVAL;
568
569 spin_lock_bh(&ct->lock);
570 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
571 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
572 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
573 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
574 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
575 spin_unlock_bh(&ct->lock);
576
577 return 0;
578 }
579
580 static int sctp_nlattr_size(void)
581 {
582 return nla_total_size(0) /* CTA_PROTOINFO_SCTP */
583 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
584 }
585 #endif
586
587 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
588
589 #include <linux/netfilter/nfnetlink.h>
590 #include <linux/netfilter/nfnetlink_cttimeout.h>
591
592 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
593 struct net *net, void *data)
594 {
595 unsigned int *timeouts = data;
596 struct nf_sctp_net *sn = sctp_pernet(net);
597 int i;
598
599 /* set default SCTP timeouts. */
600 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
601 timeouts[i] = sn->timeouts[i];
602
603 /* there's a 1:1 mapping between attributes and protocol states. */
604 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
605 if (tb[i]) {
606 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
607 }
608 }
609 return 0;
610 }
611
612 static int
613 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
614 {
615 const unsigned int *timeouts = data;
616 int i;
617
618 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
619 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
620 goto nla_put_failure;
621 }
622 return 0;
623
624 nla_put_failure:
625 return -ENOSPC;
626 }
627
628 static const struct nla_policy
629 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
630 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
631 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
632 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
633 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
634 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
635 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
636 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
637 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
638 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
639 };
640 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
641
642
643 #ifdef CONFIG_SYSCTL
644 static struct ctl_table sctp_sysctl_table[] = {
645 {
646 .procname = "nf_conntrack_sctp_timeout_closed",
647 .maxlen = sizeof(unsigned int),
648 .mode = 0644,
649 .proc_handler = proc_dointvec_jiffies,
650 },
651 {
652 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
653 .maxlen = sizeof(unsigned int),
654 .mode = 0644,
655 .proc_handler = proc_dointvec_jiffies,
656 },
657 {
658 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
659 .maxlen = sizeof(unsigned int),
660 .mode = 0644,
661 .proc_handler = proc_dointvec_jiffies,
662 },
663 {
664 .procname = "nf_conntrack_sctp_timeout_established",
665 .maxlen = sizeof(unsigned int),
666 .mode = 0644,
667 .proc_handler = proc_dointvec_jiffies,
668 },
669 {
670 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
671 .maxlen = sizeof(unsigned int),
672 .mode = 0644,
673 .proc_handler = proc_dointvec_jiffies,
674 },
675 {
676 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
677 .maxlen = sizeof(unsigned int),
678 .mode = 0644,
679 .proc_handler = proc_dointvec_jiffies,
680 },
681 {
682 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
683 .maxlen = sizeof(unsigned int),
684 .mode = 0644,
685 .proc_handler = proc_dointvec_jiffies,
686 },
687 {
688 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
689 .maxlen = sizeof(unsigned int),
690 .mode = 0644,
691 .proc_handler = proc_dointvec_jiffies,
692 },
693 {
694 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
695 .maxlen = sizeof(unsigned int),
696 .mode = 0644,
697 .proc_handler = proc_dointvec_jiffies,
698 },
699 { }
700 };
701 #endif
702
703 static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
704 struct nf_sctp_net *sn)
705 {
706 #ifdef CONFIG_SYSCTL
707 if (pn->ctl_table)
708 return 0;
709
710 pn->ctl_table = kmemdup(sctp_sysctl_table,
711 sizeof(sctp_sysctl_table),
712 GFP_KERNEL);
713 if (!pn->ctl_table)
714 return -ENOMEM;
715
716 pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
717 pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
718 pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
719 pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
720 pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
721 pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
722 pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
723 pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
724 pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
725 #endif
726 return 0;
727 }
728
729 static int sctp_init_net(struct net *net, u_int16_t proto)
730 {
731 struct nf_sctp_net *sn = sctp_pernet(net);
732 struct nf_proto_net *pn = &sn->pn;
733
734 if (!pn->users) {
735 int i;
736
737 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
738 sn->timeouts[i] = sctp_timeouts[i];
739 }
740
741 return sctp_kmemdup_sysctl_table(pn, sn);
742 }
743
744 struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
745 .l3proto = PF_INET,
746 .l4proto = IPPROTO_SCTP,
747 .name = "sctp",
748 .pkt_to_tuple = sctp_pkt_to_tuple,
749 .invert_tuple = sctp_invert_tuple,
750 .print_tuple = sctp_print_tuple,
751 .print_conntrack = sctp_print_conntrack,
752 .packet = sctp_packet,
753 .get_timeouts = sctp_get_timeouts,
754 .new = sctp_new,
755 .me = THIS_MODULE,
756 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
757 .to_nlattr = sctp_to_nlattr,
758 .nlattr_size = sctp_nlattr_size,
759 .from_nlattr = nlattr_to_sctp,
760 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
761 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
762 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
763 .nla_policy = nf_ct_port_nla_policy,
764 #endif
765 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
766 .ctnl_timeout = {
767 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
768 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
769 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
770 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
771 .nla_policy = sctp_timeout_nla_policy,
772 },
773 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
774 .init_net = sctp_init_net,
775 };
776 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
777
778 struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
779 .l3proto = PF_INET6,
780 .l4proto = IPPROTO_SCTP,
781 .name = "sctp",
782 .pkt_to_tuple = sctp_pkt_to_tuple,
783 .invert_tuple = sctp_invert_tuple,
784 .print_tuple = sctp_print_tuple,
785 .print_conntrack = sctp_print_conntrack,
786 .packet = sctp_packet,
787 .get_timeouts = sctp_get_timeouts,
788 .new = sctp_new,
789 .me = THIS_MODULE,
790 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
791 .to_nlattr = sctp_to_nlattr,
792 .nlattr_size = sctp_nlattr_size,
793 .from_nlattr = nlattr_to_sctp,
794 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
795 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
796 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
797 .nla_policy = nf_ct_port_nla_policy,
798 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
799 .ctnl_timeout = {
800 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
801 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
802 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
803 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
804 .nla_policy = sctp_timeout_nla_policy,
805 },
806 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
807 #endif
808 .init_net = sctp_init_net,
809 };
810 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
ubuntu-zesty-kernel mirror