projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge remote-tracking branch 'selinux/next'
[deliverable/linux.git] / net / netfilter / nf_conntrack_proto_sctp.c
CommitLineData
9fb9cbb1
YK		 1/*
2 * Connection tracking protocol helper module for SCTP.
601e68e1 3 *
f229f6ce
PM		 4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
6 *
601e68e1 7 * SCTP is defined in RFC 2960. References to various sections in this code
9fb9cbb1 8 * are to this RFC.
601e68e1 9 *
9fb9cbb1
YK		 10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
9fb9cbb1
YK		 13 */
14
15#include <linux/types.h>
9fb9cbb1
YK		 16#include <linux/timer.h>
17#include <linux/netfilter.h>
18#include <linux/module.h>
19#include <linux/in.h>
20#include <linux/ip.h>
21#include <linux/sctp.h>
22#include <linux/string.h>
23#include <linux/seq_file.h>
40a839fd
YK		 24#include <linux/spinlock.h>
25#include <linux/interrupt.h>
9fb9cbb1
YK		 26
27#include <net/netfilter/nf_conntrack.h>
605dcad6 28#include <net/netfilter/nf_conntrack_l4proto.h>
f6180121 29#include <net/netfilter/nf_conntrack_ecache.h>
9fb9cbb1 30
9fb9cbb1 31/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
601e68e1 32 closely. They're more complex. --RR
9fb9cbb1
YK		 33
34 And so for me for SCTP :D -Kiran */
35
12c33aa2 36static const char *const sctp_conntrack_names[] = {
9fb9cbb1
YK		 37 "NONE",
38 "CLOSED",
39 "COOKIE_WAIT",
40 "COOKIE_ECHOED",
41 "ESTABLISHED",
42 "SHUTDOWN_SENT",
43 "SHUTDOWN_RECD",
44 "SHUTDOWN_ACK_SENT",
d7ee3519
MK		 45 "HEARTBEAT_SENT",
46 "HEARTBEAT_ACKED",
9fb9cbb1
YK		 47};
48
49#define SECS * HZ
50#define MINS * 60 SECS
51#define HOURS * 60 MINS
52#define DAYS * 24 HOURS
53
86c0bf40
PM		 54static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
55 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
56 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
57 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
58 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
59 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
60 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
61 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
d7ee3519
MK		 62 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
63 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
86c0bf40 64};
9fb9cbb1
YK		 65
66#define sNO SCTP_CONNTRACK_NONE
67#define sCL SCTP_CONNTRACK_CLOSED
68#define sCW SCTP_CONNTRACK_COOKIE_WAIT
69#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
70#define sES SCTP_CONNTRACK_ESTABLISHED
71#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
72#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
73#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
d7ee3519
MK		 74#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
75#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
9fb9cbb1
YK		 76#define sIV SCTP_CONNTRACK_MAX
77
601e68e1 78/*
9fb9cbb1
YK		 79 These are the descriptions of the states:
80
601e68e1 81NOTE: These state names are tantalizingly similar to the states of an
9fb9cbb1 82SCTP endpoint. But the interpretation of the states is a little different,
601e68e1 83considering that these are the states of the connection and not of an end
9fb9cbb1
YK		 84point. Please note the subtleties. -Kiran
85
86NONE - Nothing so far.
601e68e1
YH		 87COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
88 an INIT_ACK chunk in the reply direction.
9fb9cbb1
YK		 89COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
90ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
91SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
92SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
93SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
601e68e1
YH		 94 to that of the SHUTDOWN chunk.
95CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
96 the SHUTDOWN chunk. Connection is closed.
d7ee3519
MK		 97HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
98HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
99 that of the HEARTBEAT chunk. Secondary connection is
100 established.
9fb9cbb1
YK		 101*/
102
103/* TODO
601e68e1 104 - I have assumed that the first INIT is in the original direction.
9fb9cbb1
YK		 105 This messes things when an INIT comes in the reply direction in CLOSED
106 state.
601e68e1 107 - Check the error type in the reply dir before transitioning from
9fb9cbb1
YK		 108cookie echoed to closed.
109 - Sec 5.2.4 of RFC 2960
d7ee3519 110 - Full Multi Homing support.
9fb9cbb1
YK		 111*/
112
113/* SCTP conntrack state transitions */
d7ee3519 114static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
9fb9cbb1
YK		 115 {
116/* ORIGINAL */
d7ee3519
MK		 117/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
118/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
119/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
120/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
121/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
122/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
123/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
124/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
125/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
126/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
127/* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
128/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
9fb9cbb1
YK		 129 },
130 {
131/* REPLY */
d7ee3519
MK		 132/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
133/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
134/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
135/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
136/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
137/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
138/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
139/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
140/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
141/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
142/* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
143/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
9fb9cbb1
YK		 144 }
145};
146
49d485a3
G		 147static int sctp_net_id __read_mostly;
148struct sctp_net {
149 struct nf_proto_net pn;
150 unsigned int timeouts[SCTP_CONNTRACK_MAX];
151};
152
153static inline struct sctp_net *sctp_pernet(struct net *net)
154{
155 return net_generic(net, sctp_net_id);
156}
157
09f263cd 158static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
a31f1adc 159 struct net *net, struct nf_conntrack_tuple *tuple)
9fb9cbb1 160{
12c33aa2
JE		 161 const struct sctphdr *hp;
162 struct sctphdr _hdr;
9fb9cbb1 163
e5e693ab
GF		 164 /* Actually only need first 4 bytes to get ports. */
165 hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
9fb9cbb1 166 if (hp == NULL)
09f263cd 167 return false;
9fb9cbb1
YK		 168
169 tuple->src.u.sctp.port = hp->source;
170 tuple->dst.u.sctp.port = hp->dest;
09f263cd 171 return true;
9fb9cbb1
YK		 172}
173
09f263cd
JE		 174static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
175 const struct nf_conntrack_tuple *orig)
9fb9cbb1 176{
9fb9cbb1
YK		 177 tuple->src.u.sctp.port = orig->dst.u.sctp.port;
178 tuple->dst.u.sctp.port = orig->src.u.sctp.port;
09f263cd 179 return true;
9fb9cbb1
YK		 180}
181
182/* Print out the per-protocol part of the tuple. */
824f1fbe
JP		 183static void sctp_print_tuple(struct seq_file *s,
184 const struct nf_conntrack_tuple *tuple)
9fb9cbb1 185{
824f1fbe
JP		 186 seq_printf(s, "sport=%hu dport=%hu ",
187 ntohs(tuple->src.u.sctp.port),
188 ntohs(tuple->dst.u.sctp.port));
9fb9cbb1
YK		 189}
190
191/* Print out the private part of the conntrack. */
37246a58 192static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
9fb9cbb1 193{
a163f2cb 194 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
9fb9cbb1
YK		 195}
196
197#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
e79ec50b
JE		 198for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \
199 (offset) < (skb)->len && \
200 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
201 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
9fb9cbb1
YK		 202
203/* Some validity checks to make sure the chunks are fine */
112f35c9 204static int do_basic_checks(struct nf_conn *ct,
9fb9cbb1
YK		 205 const struct sk_buff *skb,
206 unsigned int dataoff,
35c6d3cb 207 unsigned long *map)
9fb9cbb1
YK		 208{
209 u_int32_t offset, count;
210 sctp_chunkhdr_t _sch, *sch;
211 int flag;
212
9fb9cbb1
YK		 213 flag = 0;
214
215 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
0d53778e 216 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
9fb9cbb1 217
5447d477
PM		 218 if (sch->type == SCTP_CID_INIT ||
219 sch->type == SCTP_CID_INIT_ACK ||
220 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
9fb9cbb1 221 flag = 1;
9fb9cbb1 222
e17df688
PM		 223 /*
224 * Cookie Ack/Echo chunks not the first OR
225 * Init / Init Ack / Shutdown compl chunks not the only chunks
226 * OR zero-length.
227 */
5447d477
PM		 228 if (((sch->type == SCTP_CID_COOKIE_ACK ||
229 sch->type == SCTP_CID_COOKIE_ECHO ||
230 flag) &&
231 count != 0) || !sch->length) {
0d53778e 232 pr_debug("Basic checks failed\n");
9fb9cbb1
YK		 233 return 1;
234 }
235
5447d477 236 if (map)
35c6d3cb 237 set_bit(sch->type, map);
9fb9cbb1
YK		 238 }
239
0d53778e 240 pr_debug("Basic checks passed\n");
dd7271fe 241 return count == 0;
9fb9cbb1
YK		 242}
243
efe9f68a
PM		 244static int sctp_new_state(enum ip_conntrack_dir dir,
245 enum sctp_conntrack cur_state,
246 int chunk_type)
9fb9cbb1
YK		 247{
248 int i;
249
0d53778e 250 pr_debug("Chunk type: %d\n", chunk_type);
9fb9cbb1
YK		 251
252 switch (chunk_type) {
5447d477
PM		 253 case SCTP_CID_INIT:
254 pr_debug("SCTP_CID_INIT\n");
255 i = 0;
256 break;
257 case SCTP_CID_INIT_ACK:
258 pr_debug("SCTP_CID_INIT_ACK\n");
259 i = 1;
260 break;
261 case SCTP_CID_ABORT:
262 pr_debug("SCTP_CID_ABORT\n");
263 i = 2;
264 break;
265 case SCTP_CID_SHUTDOWN:
266 pr_debug("SCTP_CID_SHUTDOWN\n");
267 i = 3;
268 break;
269 case SCTP_CID_SHUTDOWN_ACK:
270 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
271 i = 4;
272 break;
273 case SCTP_CID_ERROR:
274 pr_debug("SCTP_CID_ERROR\n");
275 i = 5;
276 break;
277 case SCTP_CID_COOKIE_ECHO:
278 pr_debug("SCTP_CID_COOKIE_ECHO\n");
279 i = 6;
280 break;
281 case SCTP_CID_COOKIE_ACK:
282 pr_debug("SCTP_CID_COOKIE_ACK\n");
283 i = 7;
284 break;
285 case SCTP_CID_SHUTDOWN_COMPLETE:
286 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
287 i = 8;
288 break;
d7ee3519
MK		 289 case SCTP_CID_HEARTBEAT:
290 pr_debug("SCTP_CID_HEARTBEAT");
291 i = 9;
292 break;
293 case SCTP_CID_HEARTBEAT_ACK:
294 pr_debug("SCTP_CID_HEARTBEAT_ACK");
295 i = 10;
296 break;
5447d477 297 default:
d7ee3519 298 /* Other chunks like DATA or SACK do not change the state */
5447d477
PM		 299 pr_debug("Unknown chunk type, Will stay in %s\n",
300 sctp_conntrack_names[cur_state]);
301 return cur_state;
9fb9cbb1
YK		 302 }
303
0d53778e
PM		 304 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
305 dir, sctp_conntrack_names[cur_state], chunk_type,
306 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
9fb9cbb1
YK		 307
308 return sctp_conntracks[dir][i][cur_state];
309}
310
2c8503f5
PNA		 311static unsigned int *sctp_get_timeouts(struct net *net)
312{
49d485a3 313 return sctp_pernet(net)->timeouts;
2c8503f5
PNA		 314}
315
b37e933a 316/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
112f35c9 317static int sctp_packet(struct nf_conn *ct,
9fb9cbb1
YK		 318 const struct sk_buff *skb,
319 unsigned int dataoff,
320 enum ip_conntrack_info ctinfo,
76108cea 321 u_int8_t pf,
2c8503f5
PNA		 322 unsigned int hooknum,
323 unsigned int *timeouts)
9fb9cbb1 324{
efe9f68a 325 enum sctp_conntrack new_state, old_state;
8528819a 326 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
12c33aa2
JE		 327 const struct sctphdr *sh;
328 struct sctphdr _sctph;
329 const struct sctp_chunkhdr *sch;
330 struct sctp_chunkhdr _sch;
9fb9cbb1 331 u_int32_t offset, count;
35c6d3cb 332 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 333
9fb9cbb1
YK		 334 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
335 if (sh == NULL)
b37e933a 336 goto out;
9fb9cbb1 337
112f35c9 338 if (do_basic_checks(ct, skb, dataoff, map) != 0)
b37e933a 339 goto out;
9fb9cbb1
YK		 340
341 /* Check the verification tag (Sec 8.5) */
35c6d3cb
PM		 342 if (!test_bit(SCTP_CID_INIT, map) &&
343 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
344 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
345 !test_bit(SCTP_CID_ABORT, map) &&
346 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
d7ee3519
MK		 347 !test_bit(SCTP_CID_HEARTBEAT, map) &&
348 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
8528819a 349 sh->vtag != ct->proto.sctp.vtag[dir]) {
0d53778e 350 pr_debug("Verification tag check failed\n");
b37e933a 351 goto out;
9fb9cbb1
YK		 352 }
353
328bd899 354 old_state = new_state = SCTP_CONNTRACK_NONE;
440f0d58 355 spin_lock_bh(&ct->lock);
9fb9cbb1 356 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
9fb9cbb1
YK		 357 /* Special cases of Verification tag check (Sec 8.5.1) */
358 if (sch->type == SCTP_CID_INIT) {
359 /* Sec 8.5.1 (A) */
b37e933a
PM		 360 if (sh->vtag != 0)
361 goto out_unlock;
9fb9cbb1
YK		 362 } else if (sch->type == SCTP_CID_ABORT) {
363 /* Sec 8.5.1 (B) */
8528819a 364 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
b37e933a
PM		 365 sh->vtag != ct->proto.sctp.vtag[!dir])
366 goto out_unlock;
9fb9cbb1
YK		 367 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
368 /* Sec 8.5.1 (C) */
8528819a
PM		 369 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
370 sh->vtag != ct->proto.sctp.vtag[!dir] &&
9b1c2cfd 371 sch->flags & SCTP_CHUNK_FLAG_T)
b37e933a 372 goto out_unlock;
9fb9cbb1
YK		 373 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
374 /* Sec 8.5.1 (D) */
b37e933a
PM		 375 if (sh->vtag != ct->proto.sctp.vtag[dir])
376 goto out_unlock;
d7ee3519
MK		 377 } else if (sch->type == SCTP_CID_HEARTBEAT ||
378 sch->type == SCTP_CID_HEARTBEAT_ACK) {
379 if (ct->proto.sctp.vtag[dir] == 0) {
380 pr_debug("Setting vtag %x for dir %d\n",
381 sh->vtag, dir);
382 ct->proto.sctp.vtag[dir] = sh->vtag;
383 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
384 pr_debug("Verification tag check failed\n");
385 goto out_unlock;
386 }
9fb9cbb1
YK		 387 }
388
efe9f68a
PM		 389 old_state = ct->proto.sctp.state;
390 new_state = sctp_new_state(dir, old_state, sch->type);
9fb9cbb1
YK		 391
392 /* Invalid */
efe9f68a 393 if (new_state == SCTP_CONNTRACK_MAX) {
0d53778e
PM		 394 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
395 "conntrack=%u\n",
efe9f68a 396 dir, sch->type, old_state);
b37e933a 397 goto out_unlock;
9fb9cbb1
YK		 398 }
399
400 /* If it is an INIT or an INIT ACK note down the vtag */
5447d477
PM		 401 if (sch->type == SCTP_CID_INIT ||
402 sch->type == SCTP_CID_INIT_ACK) {
9fb9cbb1
YK		 403 sctp_inithdr_t _inithdr, *ih;
404
405 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
601e68e1 406 sizeof(_inithdr), &_inithdr);
b37e933a
PM		 407 if (ih == NULL)
408 goto out_unlock;
0d53778e 409 pr_debug("Setting vtag %x for dir %d\n",
8528819a
PM		 410 ih->init_tag, !dir);
411 ct->proto.sctp.vtag[!dir] = ih->init_tag;
9fb9cbb1
YK		 412 }
413
efe9f68a
PM		 414 ct->proto.sctp.state = new_state;
415 if (old_state != new_state)
a71996fc 416 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
9fb9cbb1 417 }
440f0d58 418 spin_unlock_bh(&ct->lock);
9fb9cbb1 419
2c8503f5 420 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
9fb9cbb1 421
efe9f68a 422 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
8528819a 423 dir == IP_CT_DIR_REPLY &&
efe9f68a 424 new_state == SCTP_CONNTRACK_ESTABLISHED) {
0d53778e 425 pr_debug("Setting assured bit\n");
112f35c9 426 set_bit(IPS_ASSURED_BIT, &ct->status);
858b3133 427 nf_conntrack_event_cache(IPCT_ASSURED, ct);
9fb9cbb1
YK		 428 }
429
430 return NF_ACCEPT;
b37e933a
PM		 431
432out_unlock:
440f0d58 433 spin_unlock_bh(&ct->lock);
b37e933a
PM		 434out:
435 return -NF_ACCEPT;
9fb9cbb1
YK		 436}
437
438/* Called when a new connection for this protocol found. */
09f263cd 439static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
2c8503f5 440 unsigned int dataoff, unsigned int *timeouts)
9fb9cbb1 441{
efe9f68a 442 enum sctp_conntrack new_state;
12c33aa2
JE		 443 const struct sctphdr *sh;
444 struct sctphdr _sctph;
445 const struct sctp_chunkhdr *sch;
446 struct sctp_chunkhdr _sch;
9fb9cbb1 447 u_int32_t offset, count;
35c6d3cb 448 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 449
9fb9cbb1
YK		 450 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
451 if (sh == NULL)
09f263cd 452 return false;
9fb9cbb1 453
112f35c9 454 if (do_basic_checks(ct, skb, dataoff, map) != 0)
09f263cd 455 return false;
9fb9cbb1
YK		 456
457 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
35c6d3cb
PM		 458 if (test_bit(SCTP_CID_ABORT, map) ||
459 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
460 test_bit(SCTP_CID_COOKIE_ACK, map))
09f263cd 461 return false;
9fb9cbb1 462
e5fc9e7a 463 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
efe9f68a 464 new_state = SCTP_CONNTRACK_MAX;
9fb9cbb1
YK		 465 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
466 /* Don't need lock here: this conntrack not in circulation yet */
efe9f68a
PM		 467 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
468 SCTP_CONNTRACK_NONE, sch->type);
9fb9cbb1
YK		 469
470 /* Invalid: delete conntrack */
efe9f68a
PM		 471 if (new_state == SCTP_CONNTRACK_NONE ||
472 new_state == SCTP_CONNTRACK_MAX) {
0d53778e 473 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
09f263cd 474 return false;
9fb9cbb1
YK		 475 }
476
477 /* Copy the vtag into the state info */
478 if (sch->type == SCTP_CID_INIT) {
479 if (sh->vtag == 0) {
480 sctp_inithdr_t _inithdr, *ih;
481
482 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
601e68e1 483 sizeof(_inithdr), &_inithdr);
9fb9cbb1 484 if (ih == NULL)
09f263cd 485 return false;
9fb9cbb1 486
0d53778e
PM		 487 pr_debug("Setting vtag %x for new conn\n",
488 ih->init_tag);
9fb9cbb1 489
112f35c9 490 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
9fb9cbb1
YK		 491 ih->init_tag;
492 } else {
493 /* Sec 8.5.1 (A) */
09f263cd 494 return false;
9fb9cbb1 495 }
d7ee3519
MK		 496 } else if (sch->type == SCTP_CID_HEARTBEAT) {
497 pr_debug("Setting vtag %x for secondary conntrack\n",
498 sh->vtag);
499 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
9fb9cbb1
YK		 500 }
501 /* If it is a shutdown ack OOTB packet, we expect a return
502 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
503 else {
0d53778e
PM		 504 pr_debug("Setting vtag %x for new conn OOTB\n",
505 sh->vtag);
112f35c9 506 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
9fb9cbb1
YK		 507 }
508
efe9f68a 509 ct->proto.sctp.state = new_state;
9fb9cbb1
YK		 510 }
511
09f263cd 512 return true;
9fb9cbb1
YK		 513}
514
c0cd1156 515#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e
PNA		 516
517#include <linux/netfilter/nfnetlink.h>
518#include <linux/netfilter/nfnetlink_conntrack.h>
519
520static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
440f0d58 521 struct nf_conn *ct)
a258860e
PNA		 522{
523 struct nlattr *nest_parms;
524
440f0d58 525 spin_lock_bh(&ct->lock);
a258860e
PNA		 526 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
527 if (!nest_parms)
528 goto nla_put_failure;
529
5e8d1eb5
DM		 530 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
531 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
532 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
533 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
534 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
535 goto nla_put_failure;
a258860e 536
440f0d58 537 spin_unlock_bh(&ct->lock);
a258860e
PNA		 538
539 nla_nest_end(skb, nest_parms);
540
541 return 0;
542
543nla_put_failure:
440f0d58 544 spin_unlock_bh(&ct->lock);
a258860e
PNA		 545 return -1;
546}
547
548static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
549 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
550 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
551 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
552};
553
554static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
555{
556 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
557 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
558 int err;
559
560 /* updates may not contain the internal protocol info, skip parsing */
561 if (!attr)
562 return 0;
563
564 err = nla_parse_nested(tb,
565 CTA_PROTOINFO_SCTP_MAX,
566 attr,
567 sctp_nla_policy);
568 if (err < 0)
569 return err;
570
571 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
572 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
573 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
574 return -EINVAL;
575
440f0d58 576 spin_lock_bh(&ct->lock);
a258860e
PNA		 577 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
578 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
5547cd0a 579 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
a258860e 580 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
5547cd0a 581 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
440f0d58 582 spin_unlock_bh(&ct->lock);
a258860e
PNA		 583
584 return 0;
585}
a400c30e
HE		 586
587static int sctp_nlattr_size(void)
588{
589 return nla_total_size(0) /* CTA_PROTOINFO_SCTP */
590 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
591}
a258860e
PNA		 592#endif
593
50978462
PNA		 594#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
595
596#include <linux/netfilter/nfnetlink.h>
597#include <linux/netfilter/nfnetlink_cttimeout.h>
598
8264deb8
G		 599static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
600 struct net *net, void *data)
50978462
PNA		 601{
602 unsigned int *timeouts = data;
8264deb8 603 struct sctp_net *sn = sctp_pernet(net);
50978462
PNA		 604 int i;
605
606 /* set default SCTP timeouts. */
607 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
8264deb8 608 timeouts[i] = sn->timeouts[i];
50978462
PNA		 609
610 /* there's a 1:1 mapping between attributes and protocol states. */
611 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
612 if (tb[i]) {
613 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
614 }
615 }
616 return 0;
617}
618
619static int
620sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
621{
622 const unsigned int *timeouts = data;
623 int i;
624
5e8d1eb5
DM		 625 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
626 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
627 goto nla_put_failure;
628 }
50978462
PNA		 629 return 0;
630
631nla_put_failure:
632 return -ENOSPC;
633}
634
635static const struct nla_policy
636sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
637 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
638 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
639 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
640 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
641 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
642 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
643 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
d7ee3519
MK		 644 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
645 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
50978462
PNA		 646};
647#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
648
649
9fb9cbb1 650#ifdef CONFIG_SYSCTL
933a41e7 651static struct ctl_table sctp_sysctl_table[] = {
9fb9cbb1 652 {
9fb9cbb1 653 .procname = "nf_conntrack_sctp_timeout_closed",
9fb9cbb1
YK		 654 .maxlen = sizeof(unsigned int),
655 .mode = 0644,
6d9f239a 656 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 657 },
658 {
9fb9cbb1 659 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
9fb9cbb1
YK		 660 .maxlen = sizeof(unsigned int),
661 .mode = 0644,
6d9f239a 662 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 663 },
664 {
9fb9cbb1 665 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
9fb9cbb1
YK		 666 .maxlen = sizeof(unsigned int),
667 .mode = 0644,
6d9f239a 668 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 669 },
670 {
9fb9cbb1 671 .procname = "nf_conntrack_sctp_timeout_established",
9fb9cbb1
YK		 672 .maxlen = sizeof(unsigned int),
673 .mode = 0644,
6d9f239a 674 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 675 },
676 {
9fb9cbb1 677 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
9fb9cbb1
YK		 678 .maxlen = sizeof(unsigned int),
679 .mode = 0644,
6d9f239a 680 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 681 },
682 {
9fb9cbb1 683 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
9fb9cbb1
YK		 684 .maxlen = sizeof(unsigned int),
685 .mode = 0644,
6d9f239a 686 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 687 },
688 {
9fb9cbb1 689 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
9fb9cbb1
YK		 690 .maxlen = sizeof(unsigned int),
691 .mode = 0644,
6d9f239a 692 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1 693 },
d7ee3519
MK		 694 {
695 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
696 .maxlen = sizeof(unsigned int),
697 .mode = 0644,
698 .proc_handler = proc_dointvec_jiffies,
699 },
700 {
701 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
702 .maxlen = sizeof(unsigned int),
703 .mode = 0644,
704 .proc_handler = proc_dointvec_jiffies,
705 },
f8572d8f 706 { }
9fb9cbb1 707};
933a41e7 708#endif
9fb9cbb1 709
f42c4183
G		 710static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
711 struct sctp_net *sn)
49d485a3
G		 712{
713#ifdef CONFIG_SYSCTL
49d485a3
G		 714 if (pn->ctl_table)
715 return 0;
716
717 pn->ctl_table = kmemdup(sctp_sysctl_table,
718 sizeof(sctp_sysctl_table),
719 GFP_KERNEL);
720 if (!pn->ctl_table)
721 return -ENOMEM;
722
723 pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
724 pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
725 pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
726 pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
727 pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
728 pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
729 pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
d7ee3519
MK		 730 pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
731 pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
49d485a3
G		 732#endif
733 return 0;
734}
735
f42c4183 736static int sctp_init_net(struct net *net, u_int16_t proto)
49d485a3 737{
49d485a3 738 struct sctp_net *sn = sctp_pernet(net);
f42c4183 739 struct nf_proto_net *pn = &sn->pn;
49d485a3 740
f42c4183
G		 741 if (!pn->users) {
742 int i;
49d485a3 743
f42c4183
G		 744 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
745 sn->timeouts[i] = sctp_timeouts[i];
746 }
49d485a3 747
adf05168 748 return sctp_kmemdup_sysctl_table(pn, sn);
49d485a3
G		 749}
750
61075af5 751static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
933a41e7
PM		 752 .l3proto = PF_INET,
753 .l4proto = IPPROTO_SCTP,
754 .name = "sctp",
755 .pkt_to_tuple = sctp_pkt_to_tuple,
756 .invert_tuple = sctp_invert_tuple,
757 .print_tuple = sctp_print_tuple,
758 .print_conntrack = sctp_print_conntrack,
759 .packet = sctp_packet,
2c8503f5 760 .get_timeouts = sctp_get_timeouts,
933a41e7
PM		 761 .new = sctp_new,
762 .me = THIS_MODULE,
c0cd1156 763#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 764 .to_nlattr = sctp_to_nlattr,
a400c30e 765 .nlattr_size = sctp_nlattr_size,
a258860e 766 .from_nlattr = nlattr_to_sctp,
c7212e9d 767 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 768 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 769 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
770 .nla_policy = nf_ct_port_nla_policy,
771#endif
50978462
PNA		 772#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
773 .ctnl_timeout = {
774 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
775 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
776 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
777 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
778 .nla_policy = sctp_timeout_nla_policy,
779 },
780#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
49d485a3 781 .net_id = &sctp_net_id,
f42c4183 782 .init_net = sctp_init_net,
9fb9cbb1
YK		 783};
784
61075af5 785static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
933a41e7
PM		 786 .l3proto = PF_INET6,
787 .l4proto = IPPROTO_SCTP,
788 .name = "sctp",
789 .pkt_to_tuple = sctp_pkt_to_tuple,
790 .invert_tuple = sctp_invert_tuple,
791 .print_tuple = sctp_print_tuple,
792 .print_conntrack = sctp_print_conntrack,
793 .packet = sctp_packet,
2c8503f5 794 .get_timeouts = sctp_get_timeouts,
933a41e7
PM		 795 .new = sctp_new,
796 .me = THIS_MODULE,
c0cd1156 797#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 798 .to_nlattr = sctp_to_nlattr,
a400c30e 799 .nlattr_size = sctp_nlattr_size,
a258860e 800 .from_nlattr = nlattr_to_sctp,
c7212e9d 801 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 802 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 803 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
804 .nla_policy = nf_ct_port_nla_policy,
50978462
PNA		 805#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
806 .ctnl_timeout = {
807 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
808 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
809 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
810 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
811 .nla_policy = sctp_timeout_nla_policy,
812 },
813#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
9fb9cbb1 814#endif
49d485a3 815 .net_id = &sctp_net_id,
f42c4183 816 .init_net = sctp_init_net,
933a41e7 817};
9fb9cbb1 818
49d485a3 819static int sctp_net_init(struct net *net)
9fb9cbb1 820{
49d485a3 821 int ret = 0;
9fb9cbb1 822
c296bb4d 823 ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_sctp4);
49d485a3 824 if (ret < 0) {
c296bb4d 825 pr_err("nf_conntrack_sctp4: pernet registration failed.\n");
9fb9cbb1
YK		 826 goto out;
827 }
c296bb4d 828 ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_sctp6);
49d485a3 829 if (ret < 0) {
c296bb4d 830 pr_err("nf_conntrack_sctp6: pernet registration failed.\n");
9fb9cbb1
YK		 831 goto cleanup_sctp4;
832 }
49d485a3 833 return 0;
9fb9cbb1 834
49d485a3 835cleanup_sctp4:
c296bb4d 836 nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp4);
49d485a3 837out:
9fb9cbb1 838 return ret;
49d485a3 839}
9fb9cbb1 840
49d485a3
G		 841static void sctp_net_exit(struct net *net)
842{
c296bb4d
G		 843 nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp6);
844 nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp4);
49d485a3
G		 845}
846
847static struct pernet_operations sctp_net_ops = {
848 .init = sctp_net_init,
849 .exit = sctp_net_exit,
850 .id = &sctp_net_id,
851 .size = sizeof(struct sctp_net),
852};
853
854static int __init nf_conntrack_proto_sctp_init(void)
855{
c296bb4d
G		 856 int ret;
857
0d98da5d
G		 858 ret = register_pernet_subsys(&sctp_net_ops);
859 if (ret < 0)
860 goto out_pernet;
861
c296bb4d
G		 862 ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp4);
863 if (ret < 0)
864 goto out_sctp4;
865
866 ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp6);
867 if (ret < 0)
868 goto out_sctp6;
869
c296bb4d 870 return 0;
c296bb4d
G		 871out_sctp6:
872 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
873out_sctp4:
0d98da5d
G		 874 unregister_pernet_subsys(&sctp_net_ops);
875out_pernet:
c296bb4d 876 return ret;
9fb9cbb1
YK		 877}
878
2f0d2f10 879static void __exit nf_conntrack_proto_sctp_fini(void)
9fb9cbb1 880{
c296bb4d
G		 881 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
882 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
49d485a3 883 unregister_pernet_subsys(&sctp_net_ops);
9fb9cbb1
YK		 884}
885
65b4b4e8
AM		 886module_init(nf_conntrack_proto_sctp_init);
887module_exit(nf_conntrack_proto_sctp_fini);
9fb9cbb1
YK		 888
889MODULE_LICENSE("GPL");
890MODULE_AUTHOR("Kiran Kumar Immidi");
891MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP");
d2483dde 892MODULE_ALIAS("ip_conntrack_proto_sctp");
Linux kernel - Deliverables
This page took 0.869759 seconds and 5 git commands to generate.