root/net/netfilter/nf_conntrack_proto_dccp.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. dccp_new
  2. dccp_ack_seq
  3. dccp_error
  4. nf_conntrack_dccp_packet
  5. dccp_can_early_drop
  6. dccp_print_conntrack
  7. dccp_to_nlattr
  8. nlattr_to_dccp
  9. dccp_timeout_nlattr_to_obj
  10. dccp_timeout_obj_to_nlattr
  11. nf_conntrack_dccp_init_net

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * DCCP connection tracking protocol helper
   4  *
   5  * Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net>
   6  */
   7 #include <linux/kernel.h>
   8 #include <linux/init.h>
   9 #include <linux/sysctl.h>
  10 #include <linux/spinlock.h>
  11 #include <linux/skbuff.h>
  12 #include <linux/dccp.h>
  13 #include <linux/slab.h>
  14 
  15 #include <net/net_namespace.h>
  16 #include <net/netns/generic.h>
  17 
  18 #include <linux/netfilter/nfnetlink_conntrack.h>
  19 #include <net/netfilter/nf_conntrack.h>
  20 #include <net/netfilter/nf_conntrack_l4proto.h>
  21 #include <net/netfilter/nf_conntrack_ecache.h>
  22 #include <net/netfilter/nf_conntrack_timeout.h>
  23 #include <net/netfilter/nf_log.h>
  24 
  25 /* Timeouts are based on values from RFC4340:
  26  *
  27  * - REQUEST:
  28  *
  29  *   8.1.2. Client Request
  30  *
  31  *   A client MAY give up on its DCCP-Requests after some time
  32  *   (3 minutes, for example).
  33  *
  34  * - RESPOND:
  35  *
  36  *   8.1.3. Server Response
  37  *
  38  *   It MAY also leave the RESPOND state for CLOSED after a timeout of
  39  *   not less than 4MSL (8 minutes);
  40  *
  41  * - PARTOPEN:
  42  *
  43  *   8.1.5. Handshake Completion
  44  *
  45  *   If the client remains in PARTOPEN for more than 4MSL (8 minutes),
  46  *   it SHOULD reset the connection with Reset Code 2, "Aborted".
  47  *
  48  * - OPEN:
  49  *
  50  *   The DCCP timestamp overflows after 11.9 hours. If the connection
  51  *   stays idle this long the sequence number won't be recognized
  52  *   as valid anymore.
  53  *
  54  * - CLOSEREQ/CLOSING:
  55  *
  56  *   8.3. Termination
  57  *
  58  *   The retransmission timer should initially be set to go off in two
  59  *   round-trip times and should back off to not less than once every
  60  *   64 seconds ...
  61  *
  62  * - TIMEWAIT:
  63  *
  64  *   4.3. States
  65  *
  66  *   A server or client socket remains in this state for 2MSL (4 minutes)
  67  *   after the connection has been town down, ...
  68  */
  69 
  70 #define DCCP_MSL (2 * 60 * HZ)
  71 
  72 static const char * const dccp_state_names[] = {
  73         [CT_DCCP_NONE]          = "NONE",
  74         [CT_DCCP_REQUEST]       = "REQUEST",
  75         [CT_DCCP_RESPOND]       = "RESPOND",
  76         [CT_DCCP_PARTOPEN]      = "PARTOPEN",
  77         [CT_DCCP_OPEN]          = "OPEN",
  78         [CT_DCCP_CLOSEREQ]      = "CLOSEREQ",
  79         [CT_DCCP_CLOSING]       = "CLOSING",
  80         [CT_DCCP_TIMEWAIT]      = "TIMEWAIT",
  81         [CT_DCCP_IGNORE]        = "IGNORE",
  82         [CT_DCCP_INVALID]       = "INVALID",
  83 };
  84 
  85 #define sNO     CT_DCCP_NONE
  86 #define sRQ     CT_DCCP_REQUEST
  87 #define sRS     CT_DCCP_RESPOND
  88 #define sPO     CT_DCCP_PARTOPEN
  89 #define sOP     CT_DCCP_OPEN
  90 #define sCR     CT_DCCP_CLOSEREQ
  91 #define sCG     CT_DCCP_CLOSING
  92 #define sTW     CT_DCCP_TIMEWAIT
  93 #define sIG     CT_DCCP_IGNORE
  94 #define sIV     CT_DCCP_INVALID
  95 
  96 /*
  97  * DCCP state transition table
  98  *
  99  * The assumption is the same as for TCP tracking:
 100  *
 101  * We are the man in the middle. All the packets go through us but might
 102  * get lost in transit to the destination. It is assumed that the destination
 103  * can't receive segments we haven't seen.
 104  *
 105  * The following states exist:
 106  *
 107  * NONE:        Initial state, expecting Request
 108  * REQUEST:     Request seen, waiting for Response from server
 109  * RESPOND:     Response from server seen, waiting for Ack from client
 110  * PARTOPEN:    Ack after Response seen, waiting for packet other than Response,
 111  *              Reset or Sync from server
 112  * OPEN:        Packet other than Response, Reset or Sync seen
 113  * CLOSEREQ:    CloseReq from server seen, expecting Close from client
 114  * CLOSING:     Close seen, expecting Reset
 115  * TIMEWAIT:    Reset seen
 116  * IGNORE:      Not determinable whether packet is valid
 117  *
 118  * Some states exist only on one side of the connection: REQUEST, RESPOND,
 119  * PARTOPEN, CLOSEREQ. For the other side these states are equivalent to
 120  * the one it was in before.
 121  *
 122  * Packets are marked as ignored (sIG) if we don't know if they're valid
 123  * (for example a reincarnation of a connection we didn't notice is dead
 124  * already) and the server may send back a connection closing Reset or a
 125  * Response. They're also used for Sync/SyncAck packets, which we don't
 126  * care about.
 127  */
 128 static const u_int8_t
 129 dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = {
 130         [CT_DCCP_ROLE_CLIENT] = {
 131                 [DCCP_PKT_REQUEST] = {
 132                 /*
 133                  * sNO -> sRQ           Regular Request
 134                  * sRQ -> sRQ           Retransmitted Request or reincarnation
 135                  * sRS -> sRS           Retransmitted Request (apparently Response
 136                  *                      got lost after we saw it) or reincarnation
 137                  * sPO -> sIG           Ignore, conntrack might be out of sync
 138                  * sOP -> sIG           Ignore, conntrack might be out of sync
 139                  * sCR -> sIG           Ignore, conntrack might be out of sync
 140                  * sCG -> sIG           Ignore, conntrack might be out of sync
 141                  * sTW -> sRQ           Reincarnation
 142                  *
 143                  *      sNO, sRQ, sRS, sPO. sOP, sCR, sCG, sTW, */
 144                         sRQ, sRQ, sRS, sIG, sIG, sIG, sIG, sRQ,
 145                 },
 146                 [DCCP_PKT_RESPONSE] = {
 147                 /*
 148                  * sNO -> sIV           Invalid
 149                  * sRQ -> sIG           Ignore, might be response to ignored Request
 150                  * sRS -> sIG           Ignore, might be response to ignored Request
 151                  * sPO -> sIG           Ignore, might be response to ignored Request
 152                  * sOP -> sIG           Ignore, might be response to ignored Request
 153                  * sCR -> sIG           Ignore, might be response to ignored Request
 154                  * sCG -> sIG           Ignore, might be response to ignored Request
 155                  * sTW -> sIV           Invalid, reincarnation in reverse direction
 156                  *                      goes through sRQ
 157                  *
 158                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 159                         sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIV,
 160                 },
 161                 [DCCP_PKT_ACK] = {
 162                 /*
 163                  * sNO -> sIV           No connection
 164                  * sRQ -> sIV           No connection
 165                  * sRS -> sPO           Ack for Response, move to PARTOPEN (8.1.5.)
 166                  * sPO -> sPO           Retransmitted Ack for Response, remain in PARTOPEN
 167                  * sOP -> sOP           Regular ACK, remain in OPEN
 168                  * sCR -> sCR           Ack in CLOSEREQ MAY be processed (8.3.)
 169                  * sCG -> sCG           Ack in CLOSING MAY be processed (8.3.)
 170                  * sTW -> sIV
 171                  *
 172                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 173                         sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
 174                 },
 175                 [DCCP_PKT_DATA] = {
 176                 /*
 177                  * sNO -> sIV           No connection
 178                  * sRQ -> sIV           No connection
 179                  * sRS -> sIV           No connection
 180                  * sPO -> sIV           MUST use DataAck in PARTOPEN state (8.1.5.)
 181                  * sOP -> sOP           Regular Data packet
 182                  * sCR -> sCR           Data in CLOSEREQ MAY be processed (8.3.)
 183                  * sCG -> sCG           Data in CLOSING MAY be processed (8.3.)
 184                  * sTW -> sIV
 185                  *
 186                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 187                         sIV, sIV, sIV, sIV, sOP, sCR, sCG, sIV,
 188                 },
 189                 [DCCP_PKT_DATAACK] = {
 190                 /*
 191                  * sNO -> sIV           No connection
 192                  * sRQ -> sIV           No connection
 193                  * sRS -> sPO           Ack for Response, move to PARTOPEN (8.1.5.)
 194                  * sPO -> sPO           Remain in PARTOPEN state
 195                  * sOP -> sOP           Regular DataAck packet in OPEN state
 196                  * sCR -> sCR           DataAck in CLOSEREQ MAY be processed (8.3.)
 197                  * sCG -> sCG           DataAck in CLOSING MAY be processed (8.3.)
 198                  * sTW -> sIV
 199                  *
 200                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 201                         sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
 202                 },
 203                 [DCCP_PKT_CLOSEREQ] = {
 204                 /*
 205                  * CLOSEREQ may only be sent by the server.
 206                  *
 207                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 208                         sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV
 209                 },
 210                 [DCCP_PKT_CLOSE] = {
 211                 /*
 212                  * sNO -> sIV           No connection
 213                  * sRQ -> sIV           No connection
 214                  * sRS -> sIV           No connection
 215                  * sPO -> sCG           Client-initiated close
 216                  * sOP -> sCG           Client-initiated close
 217                  * sCR -> sCG           Close in response to CloseReq (8.3.)
 218                  * sCG -> sCG           Retransmit
 219                  * sTW -> sIV           Late retransmit, already in TIME_WAIT
 220                  *
 221                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 222                         sIV, sIV, sIV, sCG, sCG, sCG, sIV, sIV
 223                 },
 224                 [DCCP_PKT_RESET] = {
 225                 /*
 226                  * sNO -> sIV           No connection
 227                  * sRQ -> sTW           Sync received or timeout, SHOULD send Reset (8.1.1.)
 228                  * sRS -> sTW           Response received without Request
 229                  * sPO -> sTW           Timeout, SHOULD send Reset (8.1.5.)
 230                  * sOP -> sTW           Connection reset
 231                  * sCR -> sTW           Connection reset
 232                  * sCG -> sTW           Connection reset
 233                  * sTW -> sIG           Ignore (don't refresh timer)
 234                  *
 235                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 236                         sIV, sTW, sTW, sTW, sTW, sTW, sTW, sIG
 237                 },
 238                 [DCCP_PKT_SYNC] = {
 239                 /*
 240                  * We currently ignore Sync packets
 241                  *
 242                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 243                         sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
 244                 },
 245                 [DCCP_PKT_SYNCACK] = {
 246                 /*
 247                  * We currently ignore SyncAck packets
 248                  *
 249                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 250                         sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
 251                 },
 252         },
 253         [CT_DCCP_ROLE_SERVER] = {
 254                 [DCCP_PKT_REQUEST] = {
 255                 /*
 256                  * sNO -> sIV           Invalid
 257                  * sRQ -> sIG           Ignore, conntrack might be out of sync
 258                  * sRS -> sIG           Ignore, conntrack might be out of sync
 259                  * sPO -> sIG           Ignore, conntrack might be out of sync
 260                  * sOP -> sIG           Ignore, conntrack might be out of sync
 261                  * sCR -> sIG           Ignore, conntrack might be out of sync
 262                  * sCG -> sIG           Ignore, conntrack might be out of sync
 263                  * sTW -> sRQ           Reincarnation, must reverse roles
 264                  *
 265                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 266                         sIV, sIG, sIG, sIG, sIG, sIG, sIG, sRQ
 267                 },
 268                 [DCCP_PKT_RESPONSE] = {
 269                 /*
 270                  * sNO -> sIV           Response without Request
 271                  * sRQ -> sRS           Response to clients Request
 272                  * sRS -> sRS           Retransmitted Response (8.1.3. SHOULD NOT)
 273                  * sPO -> sIG           Response to an ignored Request or late retransmit
 274                  * sOP -> sIG           Ignore, might be response to ignored Request
 275                  * sCR -> sIG           Ignore, might be response to ignored Request
 276                  * sCG -> sIG           Ignore, might be response to ignored Request
 277                  * sTW -> sIV           Invalid, Request from client in sTW moves to sRQ
 278                  *
 279                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 280                         sIV, sRS, sRS, sIG, sIG, sIG, sIG, sIV
 281                 },
 282                 [DCCP_PKT_ACK] = {
 283                 /*
 284                  * sNO -> sIV           No connection
 285                  * sRQ -> sIV           No connection
 286                  * sRS -> sIV           No connection
 287                  * sPO -> sOP           Enter OPEN state (8.1.5.)
 288                  * sOP -> sOP           Regular Ack in OPEN state
 289                  * sCR -> sIV           Waiting for Close from client
 290                  * sCG -> sCG           Ack in CLOSING MAY be processed (8.3.)
 291                  * sTW -> sIV
 292                  *
 293                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 294                         sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
 295                 },
 296                 [DCCP_PKT_DATA] = {
 297                 /*
 298                  * sNO -> sIV           No connection
 299                  * sRQ -> sIV           No connection
 300                  * sRS -> sIV           No connection
 301                  * sPO -> sOP           Enter OPEN state (8.1.5.)
 302                  * sOP -> sOP           Regular Data packet in OPEN state
 303                  * sCR -> sIV           Waiting for Close from client
 304                  * sCG -> sCG           Data in CLOSING MAY be processed (8.3.)
 305                  * sTW -> sIV
 306                  *
 307                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 308                         sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
 309                 },
 310                 [DCCP_PKT_DATAACK] = {
 311                 /*
 312                  * sNO -> sIV           No connection
 313                  * sRQ -> sIV           No connection
 314                  * sRS -> sIV           No connection
 315                  * sPO -> sOP           Enter OPEN state (8.1.5.)
 316                  * sOP -> sOP           Regular DataAck in OPEN state
 317                  * sCR -> sIV           Waiting for Close from client
 318                  * sCG -> sCG           Data in CLOSING MAY be processed (8.3.)
 319                  * sTW -> sIV
 320                  *
 321                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 322                         sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
 323                 },
 324                 [DCCP_PKT_CLOSEREQ] = {
 325                 /*
 326                  * sNO -> sIV           No connection
 327                  * sRQ -> sIV           No connection
 328                  * sRS -> sIV           No connection
 329                  * sPO -> sOP -> sCR    Move directly to CLOSEREQ (8.1.5.)
 330                  * sOP -> sCR           CloseReq in OPEN state
 331                  * sCR -> sCR           Retransmit
 332                  * sCG -> sCR           Simultaneous close, client sends another Close
 333                  * sTW -> sIV           Already closed
 334                  *
 335                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 336                         sIV, sIV, sIV, sCR, sCR, sCR, sCR, sIV
 337                 },
 338                 [DCCP_PKT_CLOSE] = {
 339                 /*
 340                  * sNO -> sIV           No connection
 341                  * sRQ -> sIV           No connection
 342                  * sRS -> sIV           No connection
 343                  * sPO -> sOP -> sCG    Move direcly to CLOSING
 344                  * sOP -> sCG           Move to CLOSING
 345                  * sCR -> sIV           Close after CloseReq is invalid
 346                  * sCG -> sCG           Retransmit
 347                  * sTW -> sIV           Already closed
 348                  *
 349                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 350                         sIV, sIV, sIV, sCG, sCG, sIV, sCG, sIV
 351                 },
 352                 [DCCP_PKT_RESET] = {
 353                 /*
 354                  * sNO -> sIV           No connection
 355                  * sRQ -> sTW           Reset in response to Request
 356                  * sRS -> sTW           Timeout, SHOULD send Reset (8.1.3.)
 357                  * sPO -> sTW           Timeout, SHOULD send Reset (8.1.3.)
 358                  * sOP -> sTW
 359                  * sCR -> sTW
 360                  * sCG -> sTW
 361                  * sTW -> sIG           Ignore (don't refresh timer)
 362                  *
 363                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW, sTW */
 364                         sIV, sTW, sTW, sTW, sTW, sTW, sTW, sTW, sIG
 365                 },
 366                 [DCCP_PKT_SYNC] = {
 367                 /*
 368                  * We currently ignore Sync packets
 369                  *
 370                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 371                         sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
 372                 },
 373                 [DCCP_PKT_SYNCACK] = {
 374                 /*
 375                  * We currently ignore SyncAck packets
 376                  *
 377                  *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 378                         sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
 379                 },
 380         },
 381 };
 382 
 383 static noinline bool
 384 dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
 385          const struct dccp_hdr *dh)
 386 {
 387         struct net *net = nf_ct_net(ct);
 388         struct nf_dccp_net *dn;
 389         const char *msg;
 390         u_int8_t state;
 391 
 392         state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
 393         switch (state) {
 394         default:
 395                 dn = nf_dccp_pernet(net);
 396                 if (dn->dccp_loose == 0) {
 397                         msg = "not picking up existing connection ";
 398                         goto out_invalid;
 399                 }
 400         case CT_DCCP_REQUEST:
 401                 break;
 402         case CT_DCCP_INVALID:
 403                 msg = "invalid state transition ";
 404                 goto out_invalid;
 405         }
 406 
 407         ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
 408         ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
 409         ct->proto.dccp.state = CT_DCCP_NONE;
 410         ct->proto.dccp.last_pkt = DCCP_PKT_REQUEST;
 411         ct->proto.dccp.last_dir = IP_CT_DIR_ORIGINAL;
 412         ct->proto.dccp.handshake_seq = 0;
 413         return true;
 414 
 415 out_invalid:
 416         nf_ct_l4proto_log_invalid(skb, ct, "%s", msg);
 417         return false;
 418 }
 419 
 420 static u64 dccp_ack_seq(const struct dccp_hdr *dh)
 421 {
 422         const struct dccp_hdr_ack_bits *dhack;
 423 
 424         dhack = (void *)dh + __dccp_basic_hdr_len(dh);
 425         return ((u64)ntohs(dhack->dccph_ack_nr_high) << 32) +
 426                      ntohl(dhack->dccph_ack_nr_low);
 427 }
 428 
 429 static bool dccp_error(const struct dccp_hdr *dh,
 430                        struct sk_buff *skb, unsigned int dataoff,
 431                        const struct nf_hook_state *state)
 432 {
 433         unsigned int dccp_len = skb->len - dataoff;
 434         unsigned int cscov;
 435         const char *msg;
 436 
 437         if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) ||
 438             dh->dccph_doff * 4 > dccp_len) {
 439                 msg = "nf_ct_dccp: truncated/malformed packet ";
 440                 goto out_invalid;
 441         }
 442 
 443         cscov = dccp_len;
 444         if (dh->dccph_cscov) {
 445                 cscov = (dh->dccph_cscov - 1) * 4;
 446                 if (cscov > dccp_len) {
 447                         msg = "nf_ct_dccp: bad checksum coverage ";
 448                         goto out_invalid;
 449                 }
 450         }
 451 
 452         if (state->hook == NF_INET_PRE_ROUTING &&
 453             state->net->ct.sysctl_checksum &&
 454             nf_checksum_partial(skb, state->hook, dataoff, cscov,
 455                                 IPPROTO_DCCP, state->pf)) {
 456                 msg = "nf_ct_dccp: bad checksum ";
 457                 goto out_invalid;
 458         }
 459 
 460         if (dh->dccph_type >= DCCP_PKT_INVALID) {
 461                 msg = "nf_ct_dccp: reserved packet type ";
 462                 goto out_invalid;
 463         }
 464         return false;
 465 out_invalid:
 466         nf_l4proto_log_invalid(skb, state->net, state->pf,
 467                                IPPROTO_DCCP, "%s", msg);
 468         return true;
 469 }
 470 
 471 int nf_conntrack_dccp_packet(struct nf_conn *ct, struct sk_buff *skb,
 472                              unsigned int dataoff,
 473                              enum ip_conntrack_info ctinfo,
 474                              const struct nf_hook_state *state)
 475 {
 476         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 477         struct dccp_hdr _dh, *dh;
 478         u_int8_t type, old_state, new_state;
 479         enum ct_dccp_roles role;
 480         unsigned int *timeouts;
 481 
 482         dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
 483         if (!dh)
 484                 return NF_DROP;
 485 
 486         if (dccp_error(dh, skb, dataoff, state))
 487                 return -NF_ACCEPT;
 488 
 489         type = dh->dccph_type;
 490         if (!nf_ct_is_confirmed(ct) && !dccp_new(ct, skb, dh))
 491                 return -NF_ACCEPT;
 492 
 493         if (type == DCCP_PKT_RESET &&
 494             !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
 495                 /* Tear down connection immediately if only reply is a RESET */
 496                 nf_ct_kill_acct(ct, ctinfo, skb);
 497                 return NF_ACCEPT;
 498         }
 499 
 500         spin_lock_bh(&ct->lock);
 501 
 502         role = ct->proto.dccp.role[dir];
 503         old_state = ct->proto.dccp.state;
 504         new_state = dccp_state_table[role][type][old_state];
 505 
 506         switch (new_state) {
 507         case CT_DCCP_REQUEST:
 508                 if (old_state == CT_DCCP_TIMEWAIT &&
 509                     role == CT_DCCP_ROLE_SERVER) {
 510                         /* Reincarnation in the reverse direction: reopen and
 511                          * reverse client/server roles. */
 512                         ct->proto.dccp.role[dir] = CT_DCCP_ROLE_CLIENT;
 513                         ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_SERVER;
 514                 }
 515                 break;
 516         case CT_DCCP_RESPOND:
 517                 if (old_state == CT_DCCP_REQUEST)
 518                         ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
 519                 break;
 520         case CT_DCCP_PARTOPEN:
 521                 if (old_state == CT_DCCP_RESPOND &&
 522                     type == DCCP_PKT_ACK &&
 523                     dccp_ack_seq(dh) == ct->proto.dccp.handshake_seq)
 524                         set_bit(IPS_ASSURED_BIT, &ct->status);
 525                 break;
 526         case CT_DCCP_IGNORE:
 527                 /*
 528                  * Connection tracking might be out of sync, so we ignore
 529                  * packets that might establish a new connection and resync
 530                  * if the server responds with a valid Response.
 531                  */
 532                 if (ct->proto.dccp.last_dir == !dir &&
 533                     ct->proto.dccp.last_pkt == DCCP_PKT_REQUEST &&
 534                     type == DCCP_PKT_RESPONSE) {
 535                         ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_CLIENT;
 536                         ct->proto.dccp.role[dir] = CT_DCCP_ROLE_SERVER;
 537                         ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
 538                         new_state = CT_DCCP_RESPOND;
 539                         break;
 540                 }
 541                 ct->proto.dccp.last_dir = dir;
 542                 ct->proto.dccp.last_pkt = type;
 543 
 544                 spin_unlock_bh(&ct->lock);
 545                 nf_ct_l4proto_log_invalid(skb, ct, "%s", "invalid packet");
 546                 return NF_ACCEPT;
 547         case CT_DCCP_INVALID:
 548                 spin_unlock_bh(&ct->lock);
 549                 nf_ct_l4proto_log_invalid(skb, ct, "%s", "invalid state transition");
 550                 return -NF_ACCEPT;
 551         }
 552 
 553         ct->proto.dccp.last_dir = dir;
 554         ct->proto.dccp.last_pkt = type;
 555         ct->proto.dccp.state = new_state;
 556         spin_unlock_bh(&ct->lock);
 557 
 558         if (new_state != old_state)
 559                 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
 560 
 561         timeouts = nf_ct_timeout_lookup(ct);
 562         if (!timeouts)
 563                 timeouts = nf_dccp_pernet(nf_ct_net(ct))->dccp_timeout;
 564         nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
 565 
 566         return NF_ACCEPT;
 567 }
 568 
 569 static bool dccp_can_early_drop(const struct nf_conn *ct)
 570 {
 571         switch (ct->proto.dccp.state) {
 572         case CT_DCCP_CLOSEREQ:
 573         case CT_DCCP_CLOSING:
 574         case CT_DCCP_TIMEWAIT:
 575                 return true;
 576         default:
 577                 break;
 578         }
 579 
 580         return false;
 581 }
 582 
 583 #ifdef CONFIG_NF_CONNTRACK_PROCFS
 584 static void dccp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
 585 {
 586         seq_printf(s, "%s ", dccp_state_names[ct->proto.dccp.state]);
 587 }
 588 #endif
 589 
 590 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 591 static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
 592                           struct nf_conn *ct)
 593 {
 594         struct nlattr *nest_parms;
 595 
 596         spin_lock_bh(&ct->lock);
 597         nest_parms = nla_nest_start(skb, CTA_PROTOINFO_DCCP);
 598         if (!nest_parms)
 599                 goto nla_put_failure;
 600         if (nla_put_u8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state) ||
 601             nla_put_u8(skb, CTA_PROTOINFO_DCCP_ROLE,
 602                        ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]) ||
 603             nla_put_be64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
 604                          cpu_to_be64(ct->proto.dccp.handshake_seq),
 605                          CTA_PROTOINFO_DCCP_PAD))
 606                 goto nla_put_failure;
 607         nla_nest_end(skb, nest_parms);
 608         spin_unlock_bh(&ct->lock);
 609         return 0;
 610 
 611 nla_put_failure:
 612         spin_unlock_bh(&ct->lock);
 613         return -1;
 614 }
 615 
 616 static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = {
 617         [CTA_PROTOINFO_DCCP_STATE]      = { .type = NLA_U8 },
 618         [CTA_PROTOINFO_DCCP_ROLE]       = { .type = NLA_U8 },
 619         [CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ] = { .type = NLA_U64 },
 620         [CTA_PROTOINFO_DCCP_PAD]        = { .type = NLA_UNSPEC },
 621 };
 622 
 623 #define DCCP_NLATTR_SIZE ( \
 624         NLA_ALIGN(NLA_HDRLEN + 1) + \
 625         NLA_ALIGN(NLA_HDRLEN + 1) + \
 626         NLA_ALIGN(NLA_HDRLEN + sizeof(u64)) + \
 627         NLA_ALIGN(NLA_HDRLEN + 0))
 628 
 629 static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
 630 {
 631         struct nlattr *attr = cda[CTA_PROTOINFO_DCCP];
 632         struct nlattr *tb[CTA_PROTOINFO_DCCP_MAX + 1];
 633         int err;
 634 
 635         if (!attr)
 636                 return 0;
 637 
 638         err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_DCCP_MAX, attr,
 639                                           dccp_nla_policy, NULL);
 640         if (err < 0)
 641                 return err;
 642 
 643         if (!tb[CTA_PROTOINFO_DCCP_STATE] ||
 644             !tb[CTA_PROTOINFO_DCCP_ROLE] ||
 645             nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) > CT_DCCP_ROLE_MAX ||
 646             nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]) >= CT_DCCP_IGNORE) {
 647                 return -EINVAL;
 648         }
 649 
 650         spin_lock_bh(&ct->lock);
 651         ct->proto.dccp.state = nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]);
 652         if (nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) == CT_DCCP_ROLE_CLIENT) {
 653                 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
 654                 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
 655         } else {
 656                 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_SERVER;
 657                 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_CLIENT;
 658         }
 659         if (tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]) {
 660                 ct->proto.dccp.handshake_seq =
 661                 be64_to_cpu(nla_get_be64(tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]));
 662         }
 663         spin_unlock_bh(&ct->lock);
 664         return 0;
 665 }
 666 #endif
 667 
 668 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 669 
 670 #include <linux/netfilter/nfnetlink.h>
 671 #include <linux/netfilter/nfnetlink_cttimeout.h>
 672 
 673 static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
 674                                       struct net *net, void *data)
 675 {
 676         struct nf_dccp_net *dn = nf_dccp_pernet(net);
 677         unsigned int *timeouts = data;
 678         int i;
 679 
 680         if (!timeouts)
 681                  timeouts = dn->dccp_timeout;
 682 
 683         /* set default DCCP timeouts. */
 684         for (i=0; i<CT_DCCP_MAX; i++)
 685                 timeouts[i] = dn->dccp_timeout[i];
 686 
 687         /* there's a 1:1 mapping between attributes and protocol states. */
 688         for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++) {
 689                 if (tb[i]) {
 690                         timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
 691                 }
 692         }
 693 
 694         timeouts[CTA_TIMEOUT_DCCP_UNSPEC] = timeouts[CTA_TIMEOUT_DCCP_REQUEST];
 695         return 0;
 696 }
 697 
 698 static int
 699 dccp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
 700 {
 701         const unsigned int *timeouts = data;
 702         int i;
 703 
 704         for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++) {
 705                 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
 706                         goto nla_put_failure;
 707         }
 708         return 0;
 709 
 710 nla_put_failure:
 711         return -ENOSPC;
 712 }
 713 
 714 static const struct nla_policy
 715 dccp_timeout_nla_policy[CTA_TIMEOUT_DCCP_MAX+1] = {
 716         [CTA_TIMEOUT_DCCP_REQUEST]      = { .type = NLA_U32 },
 717         [CTA_TIMEOUT_DCCP_RESPOND]      = { .type = NLA_U32 },
 718         [CTA_TIMEOUT_DCCP_PARTOPEN]     = { .type = NLA_U32 },
 719         [CTA_TIMEOUT_DCCP_OPEN]         = { .type = NLA_U32 },
 720         [CTA_TIMEOUT_DCCP_CLOSEREQ]     = { .type = NLA_U32 },
 721         [CTA_TIMEOUT_DCCP_CLOSING]      = { .type = NLA_U32 },
 722         [CTA_TIMEOUT_DCCP_TIMEWAIT]     = { .type = NLA_U32 },
 723 };
 724 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 725 
 726 void nf_conntrack_dccp_init_net(struct net *net)
 727 {
 728         struct nf_dccp_net *dn = nf_dccp_pernet(net);
 729 
 730         /* default values */
 731         dn->dccp_loose = 1;
 732         dn->dccp_timeout[CT_DCCP_REQUEST]       = 2 * DCCP_MSL;
 733         dn->dccp_timeout[CT_DCCP_RESPOND]       = 4 * DCCP_MSL;
 734         dn->dccp_timeout[CT_DCCP_PARTOPEN]      = 4 * DCCP_MSL;
 735         dn->dccp_timeout[CT_DCCP_OPEN]          = 12 * 3600 * HZ;
 736         dn->dccp_timeout[CT_DCCP_CLOSEREQ]      = 64 * HZ;
 737         dn->dccp_timeout[CT_DCCP_CLOSING]       = 64 * HZ;
 738         dn->dccp_timeout[CT_DCCP_TIMEWAIT]      = 2 * DCCP_MSL;
 739 
 740         /* timeouts[0] is unused, make it same as SYN_SENT so
 741          * ->timeouts[0] contains 'new' timeout, like udp or icmp.
 742          */
 743         dn->dccp_timeout[CT_DCCP_NONE] = dn->dccp_timeout[CT_DCCP_REQUEST];
 744 }
 745 
 746 const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp = {
 747         .l4proto                = IPPROTO_DCCP,
 748         .can_early_drop         = dccp_can_early_drop,
 749 #ifdef CONFIG_NF_CONNTRACK_PROCFS
 750         .print_conntrack        = dccp_print_conntrack,
 751 #endif
 752 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 753         .nlattr_size            = DCCP_NLATTR_SIZE,
 754         .to_nlattr              = dccp_to_nlattr,
 755         .from_nlattr            = nlattr_to_dccp,
 756         .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 757         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 758         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 759         .nla_policy             = nf_ct_port_nla_policy,
 760 #endif
 761 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 762         .ctnl_timeout           = {
 763                 .nlattr_to_obj  = dccp_timeout_nlattr_to_obj,
 764                 .obj_to_nlattr  = dccp_timeout_obj_to_nlattr,
 765                 .nlattr_max     = CTA_TIMEOUT_DCCP_MAX,
 766                 .obj_size       = sizeof(unsigned int) * CT_DCCP_MAX,
 767                 .nla_policy     = dccp_timeout_nla_policy,
 768         },
 769 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 770 };

/* [<][>][^][v][top][bottom][index][help] */