root/net/netfilter/nf_conntrack_proto_sctp.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. sctp_print_conntrack
  2. do_basic_checks
  3. sctp_new_state
  4. sctp_new
  5. sctp_error
  6. nf_conntrack_sctp_packet
  7. sctp_can_early_drop
  8. sctp_to_nlattr
  9. nlattr_to_sctp
  10. sctp_timeout_nlattr_to_obj
  11. sctp_timeout_obj_to_nlattr
  12. nf_conntrack_sctp_init_net

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * Connection tracking protocol helper module for SCTP.
   4  *
   5  * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
   6  * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
   7  *
   8  * SCTP is defined in RFC 2960. References to various sections in this code
   9  * are to this RFC.
  10  */
  11 
  12 #include <linux/types.h>
  13 #include <linux/timer.h>
  14 #include <linux/netfilter.h>
  15 #include <linux/in.h>
  16 #include <linux/ip.h>
  17 #include <linux/sctp.h>
  18 #include <linux/string.h>
  19 #include <linux/seq_file.h>
  20 #include <linux/spinlock.h>
  21 #include <linux/interrupt.h>
  22 #include <net/sctp/checksum.h>
  23 
  24 #include <net/netfilter/nf_log.h>
  25 #include <net/netfilter/nf_conntrack.h>
  26 #include <net/netfilter/nf_conntrack_l4proto.h>
  27 #include <net/netfilter/nf_conntrack_ecache.h>
  28 #include <net/netfilter/nf_conntrack_timeout.h>
  29 
  30 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
  31    closely.  They're more complex. --RR
  32 
  33    And so for me for SCTP :D -Kiran */
  34 
  35 static const char *const sctp_conntrack_names[] = {
  36         "NONE",
  37         "CLOSED",
  38         "COOKIE_WAIT",
  39         "COOKIE_ECHOED",
  40         "ESTABLISHED",
  41         "SHUTDOWN_SENT",
  42         "SHUTDOWN_RECD",
  43         "SHUTDOWN_ACK_SENT",
  44         "HEARTBEAT_SENT",
  45         "HEARTBEAT_ACKED",
  46 };
  47 
  48 #define SECS  * HZ
  49 #define MINS  * 60 SECS
  50 #define HOURS * 60 MINS
  51 #define DAYS  * 24 HOURS
  52 
  53 static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = {
  54         [SCTP_CONNTRACK_CLOSED]                 = 10 SECS,
  55         [SCTP_CONNTRACK_COOKIE_WAIT]            = 3 SECS,
  56         [SCTP_CONNTRACK_COOKIE_ECHOED]          = 3 SECS,
  57         [SCTP_CONNTRACK_ESTABLISHED]            = 5 DAYS,
  58         [SCTP_CONNTRACK_SHUTDOWN_SENT]          = 300 SECS / 1000,
  59         [SCTP_CONNTRACK_SHUTDOWN_RECD]          = 300 SECS / 1000,
  60         [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT]      = 3 SECS,
  61         [SCTP_CONNTRACK_HEARTBEAT_SENT]         = 30 SECS,
  62         [SCTP_CONNTRACK_HEARTBEAT_ACKED]        = 210 SECS,
  63 };
  64 
  65 #define sNO SCTP_CONNTRACK_NONE
  66 #define sCL SCTP_CONNTRACK_CLOSED
  67 #define sCW SCTP_CONNTRACK_COOKIE_WAIT
  68 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED
  69 #define sES SCTP_CONNTRACK_ESTABLISHED
  70 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
  71 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
  72 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
  73 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
  74 #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
  75 #define sIV SCTP_CONNTRACK_MAX
  76 
  77 /*
  78         These are the descriptions of the states:
  79 
  80 NOTE: These state names are tantalizingly similar to the states of an
  81 SCTP endpoint. But the interpretation of the states is a little different,
  82 considering that these are the states of the connection and not of an end
  83 point. Please note the subtleties. -Kiran
  84 
  85 NONE              - Nothing so far.
  86 COOKIE WAIT       - We have seen an INIT chunk in the original direction, or also
  87                     an INIT_ACK chunk in the reply direction.
  88 COOKIE ECHOED     - We have seen a COOKIE_ECHO chunk in the original direction.
  89 ESTABLISHED       - We have seen a COOKIE_ACK in the reply direction.
  90 SHUTDOWN_SENT     - We have seen a SHUTDOWN chunk in the original direction.
  91 SHUTDOWN_RECD     - We have seen a SHUTDOWN chunk in the reply directoin.
  92 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
  93                     to that of the SHUTDOWN chunk.
  94 CLOSED            - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
  95                     the SHUTDOWN chunk. Connection is closed.
  96 HEARTBEAT_SENT    - We have seen a HEARTBEAT in a new flow.
  97 HEARTBEAT_ACKED   - We have seen a HEARTBEAT-ACK in the direction opposite to
  98                     that of the HEARTBEAT chunk. Secondary connection is
  99                     established.
 100 */
 101 
 102 /* TODO
 103  - I have assumed that the first INIT is in the original direction.
 104  This messes things when an INIT comes in the reply direction in CLOSED
 105  state.
 106  - Check the error type in the reply dir before transitioning from
 107 cookie echoed to closed.
 108  - Sec 5.2.4 of RFC 2960
 109  - Full Multi Homing support.
 110 */
 111 
 112 /* SCTP conntrack state transitions */
 113 static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
 114         {
 115 /*      ORIGINAL        */
 116 /*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
 117 /* init         */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
 118 /* init_ack     */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
 119 /* abort        */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
 120 /* shutdown     */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
 121 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
 122 /* error        */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
 123 /* cookie_echo  */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
 124 /* cookie_ack   */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
 125 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
 126 /* heartbeat    */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
 127 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
 128         },
 129         {
 130 /*      REPLY   */
 131 /*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
 132 /* init         */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
 133 /* init_ack     */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
 134 /* abort        */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
 135 /* shutdown     */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
 136 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
 137 /* error        */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
 138 /* cookie_echo  */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
 139 /* cookie_ack   */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
 140 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
 141 /* heartbeat    */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
 142 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
 143         }
 144 };
 145 
 146 #ifdef CONFIG_NF_CONNTRACK_PROCFS
 147 /* Print out the private part of the conntrack. */
 148 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
 149 {
 150         seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
 151 }
 152 #endif
 153 
 154 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count)     \
 155 for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0;        \
 156         (offset) < (skb)->len &&                                        \
 157         ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch)));   \
 158         (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
 159 
 160 /* Some validity checks to make sure the chunks are fine */
 161 static int do_basic_checks(struct nf_conn *ct,
 162                            const struct sk_buff *skb,
 163                            unsigned int dataoff,
 164                            unsigned long *map)
 165 {
 166         u_int32_t offset, count;
 167         struct sctp_chunkhdr _sch, *sch;
 168         int flag;
 169 
 170         flag = 0;
 171 
 172         for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 173                 pr_debug("Chunk Num: %d  Type: %d\n", count, sch->type);
 174 
 175                 if (sch->type == SCTP_CID_INIT ||
 176                     sch->type == SCTP_CID_INIT_ACK ||
 177                     sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
 178                         flag = 1;
 179 
 180                 /*
 181                  * Cookie Ack/Echo chunks not the first OR
 182                  * Init / Init Ack / Shutdown compl chunks not the only chunks
 183                  * OR zero-length.
 184                  */
 185                 if (((sch->type == SCTP_CID_COOKIE_ACK ||
 186                       sch->type == SCTP_CID_COOKIE_ECHO ||
 187                       flag) &&
 188                      count != 0) || !sch->length) {
 189                         pr_debug("Basic checks failed\n");
 190                         return 1;
 191                 }
 192 
 193                 if (map)
 194                         set_bit(sch->type, map);
 195         }
 196 
 197         pr_debug("Basic checks passed\n");
 198         return count == 0;
 199 }
 200 
 201 static int sctp_new_state(enum ip_conntrack_dir dir,
 202                           enum sctp_conntrack cur_state,
 203                           int chunk_type)
 204 {
 205         int i;
 206 
 207         pr_debug("Chunk type: %d\n", chunk_type);
 208 
 209         switch (chunk_type) {
 210         case SCTP_CID_INIT:
 211                 pr_debug("SCTP_CID_INIT\n");
 212                 i = 0;
 213                 break;
 214         case SCTP_CID_INIT_ACK:
 215                 pr_debug("SCTP_CID_INIT_ACK\n");
 216                 i = 1;
 217                 break;
 218         case SCTP_CID_ABORT:
 219                 pr_debug("SCTP_CID_ABORT\n");
 220                 i = 2;
 221                 break;
 222         case SCTP_CID_SHUTDOWN:
 223                 pr_debug("SCTP_CID_SHUTDOWN\n");
 224                 i = 3;
 225                 break;
 226         case SCTP_CID_SHUTDOWN_ACK:
 227                 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
 228                 i = 4;
 229                 break;
 230         case SCTP_CID_ERROR:
 231                 pr_debug("SCTP_CID_ERROR\n");
 232                 i = 5;
 233                 break;
 234         case SCTP_CID_COOKIE_ECHO:
 235                 pr_debug("SCTP_CID_COOKIE_ECHO\n");
 236                 i = 6;
 237                 break;
 238         case SCTP_CID_COOKIE_ACK:
 239                 pr_debug("SCTP_CID_COOKIE_ACK\n");
 240                 i = 7;
 241                 break;
 242         case SCTP_CID_SHUTDOWN_COMPLETE:
 243                 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
 244                 i = 8;
 245                 break;
 246         case SCTP_CID_HEARTBEAT:
 247                 pr_debug("SCTP_CID_HEARTBEAT");
 248                 i = 9;
 249                 break;
 250         case SCTP_CID_HEARTBEAT_ACK:
 251                 pr_debug("SCTP_CID_HEARTBEAT_ACK");
 252                 i = 10;
 253                 break;
 254         default:
 255                 /* Other chunks like DATA or SACK do not change the state */
 256                 pr_debug("Unknown chunk type, Will stay in %s\n",
 257                          sctp_conntrack_names[cur_state]);
 258                 return cur_state;
 259         }
 260 
 261         pr_debug("dir: %d   cur_state: %s  chunk_type: %d  new_state: %s\n",
 262                  dir, sctp_conntrack_names[cur_state], chunk_type,
 263                  sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
 264 
 265         return sctp_conntracks[dir][i][cur_state];
 266 }
 267 
 268 /* Don't need lock here: this conntrack not in circulation yet */
 269 static noinline bool
 270 sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
 271          const struct sctphdr *sh, unsigned int dataoff)
 272 {
 273         enum sctp_conntrack new_state;
 274         const struct sctp_chunkhdr *sch;
 275         struct sctp_chunkhdr _sch;
 276         u32 offset, count;
 277 
 278         memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
 279         new_state = SCTP_CONNTRACK_MAX;
 280         for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) {
 281                 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
 282                                            SCTP_CONNTRACK_NONE, sch->type);
 283 
 284                 /* Invalid: delete conntrack */
 285                 if (new_state == SCTP_CONNTRACK_NONE ||
 286                     new_state == SCTP_CONNTRACK_MAX) {
 287                         pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
 288                         return false;
 289                 }
 290 
 291                 /* Copy the vtag into the state info */
 292                 if (sch->type == SCTP_CID_INIT) {
 293                         struct sctp_inithdr _inithdr, *ih;
 294                         /* Sec 8.5.1 (A) */
 295                         if (sh->vtag)
 296                                 return false;
 297 
 298                         ih = skb_header_pointer(skb, offset + sizeof(_sch),
 299                                                 sizeof(_inithdr), &_inithdr);
 300                         if (!ih)
 301                                 return false;
 302 
 303                         pr_debug("Setting vtag %x for new conn\n",
 304                                  ih->init_tag);
 305 
 306                         ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
 307                 } else if (sch->type == SCTP_CID_HEARTBEAT) {
 308                         pr_debug("Setting vtag %x for secondary conntrack\n",
 309                                  sh->vtag);
 310                         ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
 311                 } else {
 312                 /* If it is a shutdown ack OOTB packet, we expect a return
 313                    shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
 314                         pr_debug("Setting vtag %x for new conn OOTB\n",
 315                                  sh->vtag);
 316                         ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
 317                 }
 318 
 319                 ct->proto.sctp.state = SCTP_CONNTRACK_NONE;
 320         }
 321 
 322         return true;
 323 }
 324 
 325 static bool sctp_error(struct sk_buff *skb,
 326                        unsigned int dataoff,
 327                        const struct nf_hook_state *state)
 328 {
 329         const struct sctphdr *sh;
 330         const char *logmsg;
 331 
 332         if (skb->len < dataoff + sizeof(struct sctphdr)) {
 333                 logmsg = "nf_ct_sctp: short packet ";
 334                 goto out_invalid;
 335         }
 336         if (state->hook == NF_INET_PRE_ROUTING &&
 337             state->net->ct.sysctl_checksum &&
 338             skb->ip_summed == CHECKSUM_NONE) {
 339                 if (skb_ensure_writable(skb, dataoff + sizeof(*sh))) {
 340                         logmsg = "nf_ct_sctp: failed to read header ";
 341                         goto out_invalid;
 342                 }
 343                 sh = (const struct sctphdr *)(skb->data + dataoff);
 344                 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
 345                         logmsg = "nf_ct_sctp: bad CRC ";
 346                         goto out_invalid;
 347                 }
 348                 skb->ip_summed = CHECKSUM_UNNECESSARY;
 349         }
 350         return false;
 351 out_invalid:
 352         nf_l4proto_log_invalid(skb, state->net, state->pf, IPPROTO_SCTP, "%s", logmsg);
 353         return true;
 354 }
 355 
 356 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
 357 int nf_conntrack_sctp_packet(struct nf_conn *ct,
 358                              struct sk_buff *skb,
 359                              unsigned int dataoff,
 360                              enum ip_conntrack_info ctinfo,
 361                              const struct nf_hook_state *state)
 362 {
 363         enum sctp_conntrack new_state, old_state;
 364         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 365         const struct sctphdr *sh;
 366         struct sctphdr _sctph;
 367         const struct sctp_chunkhdr *sch;
 368         struct sctp_chunkhdr _sch;
 369         u_int32_t offset, count;
 370         unsigned int *timeouts;
 371         unsigned long map[256 / sizeof(unsigned long)] = { 0 };
 372 
 373         if (sctp_error(skb, dataoff, state))
 374                 return -NF_ACCEPT;
 375 
 376         sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
 377         if (sh == NULL)
 378                 goto out;
 379 
 380         if (do_basic_checks(ct, skb, dataoff, map) != 0)
 381                 goto out;
 382 
 383         if (!nf_ct_is_confirmed(ct)) {
 384                 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
 385                 if (test_bit(SCTP_CID_ABORT, map) ||
 386                     test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
 387                     test_bit(SCTP_CID_COOKIE_ACK, map))
 388                         return -NF_ACCEPT;
 389 
 390                 if (!sctp_new(ct, skb, sh, dataoff))
 391                         return -NF_ACCEPT;
 392         }
 393 
 394         /* Check the verification tag (Sec 8.5) */
 395         if (!test_bit(SCTP_CID_INIT, map) &&
 396             !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
 397             !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
 398             !test_bit(SCTP_CID_ABORT, map) &&
 399             !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
 400             !test_bit(SCTP_CID_HEARTBEAT, map) &&
 401             !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
 402             sh->vtag != ct->proto.sctp.vtag[dir]) {
 403                 pr_debug("Verification tag check failed\n");
 404                 goto out;
 405         }
 406 
 407         old_state = new_state = SCTP_CONNTRACK_NONE;
 408         spin_lock_bh(&ct->lock);
 409         for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 410                 /* Special cases of Verification tag check (Sec 8.5.1) */
 411                 if (sch->type == SCTP_CID_INIT) {
 412                         /* Sec 8.5.1 (A) */
 413                         if (sh->vtag != 0)
 414                                 goto out_unlock;
 415                 } else if (sch->type == SCTP_CID_ABORT) {
 416                         /* Sec 8.5.1 (B) */
 417                         if (sh->vtag != ct->proto.sctp.vtag[dir] &&
 418                             sh->vtag != ct->proto.sctp.vtag[!dir])
 419                                 goto out_unlock;
 420                 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
 421                         /* Sec 8.5.1 (C) */
 422                         if (sh->vtag != ct->proto.sctp.vtag[dir] &&
 423                             sh->vtag != ct->proto.sctp.vtag[!dir] &&
 424                             sch->flags & SCTP_CHUNK_FLAG_T)
 425                                 goto out_unlock;
 426                 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
 427                         /* Sec 8.5.1 (D) */
 428                         if (sh->vtag != ct->proto.sctp.vtag[dir])
 429                                 goto out_unlock;
 430                 } else if (sch->type == SCTP_CID_HEARTBEAT ||
 431                            sch->type == SCTP_CID_HEARTBEAT_ACK) {
 432                         if (ct->proto.sctp.vtag[dir] == 0) {
 433                                 pr_debug("Setting vtag %x for dir %d\n",
 434                                          sh->vtag, dir);
 435                                 ct->proto.sctp.vtag[dir] = sh->vtag;
 436                         } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
 437                                 pr_debug("Verification tag check failed\n");
 438                                 goto out_unlock;
 439                         }
 440                 }
 441 
 442                 old_state = ct->proto.sctp.state;
 443                 new_state = sctp_new_state(dir, old_state, sch->type);
 444 
 445                 /* Invalid */
 446                 if (new_state == SCTP_CONNTRACK_MAX) {
 447                         pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
 448                                  "conntrack=%u\n",
 449                                  dir, sch->type, old_state);
 450                         goto out_unlock;
 451                 }
 452 
 453                 /* If it is an INIT or an INIT ACK note down the vtag */
 454                 if (sch->type == SCTP_CID_INIT ||
 455                     sch->type == SCTP_CID_INIT_ACK) {
 456                         struct sctp_inithdr _inithdr, *ih;
 457 
 458                         ih = skb_header_pointer(skb, offset + sizeof(_sch),
 459                                                 sizeof(_inithdr), &_inithdr);
 460                         if (ih == NULL)
 461                                 goto out_unlock;
 462                         pr_debug("Setting vtag %x for dir %d\n",
 463                                  ih->init_tag, !dir);
 464                         ct->proto.sctp.vtag[!dir] = ih->init_tag;
 465                 }
 466 
 467                 ct->proto.sctp.state = new_state;
 468                 if (old_state != new_state)
 469                         nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
 470         }
 471         spin_unlock_bh(&ct->lock);
 472 
 473         timeouts = nf_ct_timeout_lookup(ct);
 474         if (!timeouts)
 475                 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts;
 476 
 477         nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
 478 
 479         if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
 480             dir == IP_CT_DIR_REPLY &&
 481             new_state == SCTP_CONNTRACK_ESTABLISHED) {
 482                 pr_debug("Setting assured bit\n");
 483                 set_bit(IPS_ASSURED_BIT, &ct->status);
 484                 nf_conntrack_event_cache(IPCT_ASSURED, ct);
 485         }
 486 
 487         return NF_ACCEPT;
 488 
 489 out_unlock:
 490         spin_unlock_bh(&ct->lock);
 491 out:
 492         return -NF_ACCEPT;
 493 }
 494 
 495 static bool sctp_can_early_drop(const struct nf_conn *ct)
 496 {
 497         switch (ct->proto.sctp.state) {
 498         case SCTP_CONNTRACK_SHUTDOWN_SENT:
 499         case SCTP_CONNTRACK_SHUTDOWN_RECD:
 500         case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
 501                 return true;
 502         default:
 503                 break;
 504         }
 505 
 506         return false;
 507 }
 508 
 509 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 510 
 511 #include <linux/netfilter/nfnetlink.h>
 512 #include <linux/netfilter/nfnetlink_conntrack.h>
 513 
 514 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
 515                           struct nf_conn *ct)
 516 {
 517         struct nlattr *nest_parms;
 518 
 519         spin_lock_bh(&ct->lock);
 520         nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP);
 521         if (!nest_parms)
 522                 goto nla_put_failure;
 523 
 524         if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
 525             nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
 526                          ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
 527             nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
 528                          ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
 529                 goto nla_put_failure;
 530 
 531         spin_unlock_bh(&ct->lock);
 532 
 533         nla_nest_end(skb, nest_parms);
 534 
 535         return 0;
 536 
 537 nla_put_failure:
 538         spin_unlock_bh(&ct->lock);
 539         return -1;
 540 }
 541 
 542 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
 543         [CTA_PROTOINFO_SCTP_STATE]          = { .type = NLA_U8 },
 544         [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]  = { .type = NLA_U32 },
 545         [CTA_PROTOINFO_SCTP_VTAG_REPLY]     = { .type = NLA_U32 },
 546 };
 547 
 548 #define SCTP_NLATTR_SIZE ( \
 549                 NLA_ALIGN(NLA_HDRLEN + 1) + \
 550                 NLA_ALIGN(NLA_HDRLEN + 4) + \
 551                 NLA_ALIGN(NLA_HDRLEN + 4))
 552 
 553 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
 554 {
 555         struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
 556         struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
 557         int err;
 558 
 559         /* updates may not contain the internal protocol info, skip parsing */
 560         if (!attr)
 561                 return 0;
 562 
 563         err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr,
 564                                           sctp_nla_policy, NULL);
 565         if (err < 0)
 566                 return err;
 567 
 568         if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
 569             !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
 570             !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
 571                 return -EINVAL;
 572 
 573         spin_lock_bh(&ct->lock);
 574         ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
 575         ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
 576                 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
 577         ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
 578                 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
 579         spin_unlock_bh(&ct->lock);
 580 
 581         return 0;
 582 }
 583 #endif
 584 
 585 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 586 
 587 #include <linux/netfilter/nfnetlink.h>
 588 #include <linux/netfilter/nfnetlink_cttimeout.h>
 589 
 590 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
 591                                       struct net *net, void *data)
 592 {
 593         unsigned int *timeouts = data;
 594         struct nf_sctp_net *sn = nf_sctp_pernet(net);
 595         int i;
 596 
 597         if (!timeouts)
 598                 timeouts = sn->timeouts;
 599 
 600         /* set default SCTP timeouts. */
 601         for (i=0; i<SCTP_CONNTRACK_MAX; i++)
 602                 timeouts[i] = sn->timeouts[i];
 603 
 604         /* there's a 1:1 mapping between attributes and protocol states. */
 605         for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
 606                 if (tb[i]) {
 607                         timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
 608                 }
 609         }
 610 
 611         timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED];
 612         return 0;
 613 }
 614 
 615 static int
 616 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
 617 {
 618         const unsigned int *timeouts = data;
 619         int i;
 620 
 621         for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
 622                 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
 623                         goto nla_put_failure;
 624         }
 625         return 0;
 626 
 627 nla_put_failure:
 628         return -ENOSPC;
 629 }
 630 
 631 static const struct nla_policy
 632 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
 633         [CTA_TIMEOUT_SCTP_CLOSED]               = { .type = NLA_U32 },
 634         [CTA_TIMEOUT_SCTP_COOKIE_WAIT]          = { .type = NLA_U32 },
 635         [CTA_TIMEOUT_SCTP_COOKIE_ECHOED]        = { .type = NLA_U32 },
 636         [CTA_TIMEOUT_SCTP_ESTABLISHED]          = { .type = NLA_U32 },
 637         [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT]        = { .type = NLA_U32 },
 638         [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD]        = { .type = NLA_U32 },
 639         [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT]    = { .type = NLA_U32 },
 640         [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT]       = { .type = NLA_U32 },
 641         [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED]      = { .type = NLA_U32 },
 642 };
 643 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 644 
 645 void nf_conntrack_sctp_init_net(struct net *net)
 646 {
 647         struct nf_sctp_net *sn = nf_sctp_pernet(net);
 648         int i;
 649 
 650         for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
 651                 sn->timeouts[i] = sctp_timeouts[i];
 652 
 653         /* timeouts[0] is unused, init it so ->timeouts[0] contains
 654          * 'new' timeout, like udp or icmp.
 655          */
 656         sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
 657 }
 658 
 659 const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = {
 660         .l4proto                = IPPROTO_SCTP,
 661 #ifdef CONFIG_NF_CONNTRACK_PROCFS
 662         .print_conntrack        = sctp_print_conntrack,
 663 #endif
 664         .can_early_drop         = sctp_can_early_drop,
 665 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 666         .nlattr_size            = SCTP_NLATTR_SIZE,
 667         .to_nlattr              = sctp_to_nlattr,
 668         .from_nlattr            = nlattr_to_sctp,
 669         .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 670         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 671         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 672         .nla_policy             = nf_ct_port_nla_policy,
 673 #endif
 674 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 675         .ctnl_timeout           = {
 676                 .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
 677                 .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
 678                 .nlattr_max     = CTA_TIMEOUT_SCTP_MAX,
 679                 .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
 680                 .nla_policy     = sctp_timeout_nla_policy,
 681         },
 682 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 683 };

/* [<][>][^][v][top][bottom][index][help] */