1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * DCCP connection tracking protocol helper
4 *
5 * Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net>
6 */
7 #include <linux/kernel.h>
8 #include <linux/init.h>
9 #include <linux/sysctl.h>
10 #include <linux/spinlock.h>
11 #include <linux/skbuff.h>
12 #include <linux/dccp.h>
13 #include <linux/slab.h>
14
15 #include <net/net_namespace.h>
16 #include <net/netns/generic.h>
17
18 #include <linux/netfilter/nfnetlink_conntrack.h>
19 #include <net/netfilter/nf_conntrack.h>
20 #include <net/netfilter/nf_conntrack_l4proto.h>
21 #include <net/netfilter/nf_conntrack_ecache.h>
22 #include <net/netfilter/nf_conntrack_timeout.h>
23 #include <net/netfilter/nf_log.h>
24
25 /* Timeouts are based on values from RFC4340:
26 *
27 * - REQUEST:
28 *
29 * 8.1.2. Client Request
30 *
31 * A client MAY give up on its DCCP-Requests after some time
32 * (3 minutes, for example).
33 *
34 * - RESPOND:
35 *
36 * 8.1.3. Server Response
37 *
38 * It MAY also leave the RESPOND state for CLOSED after a timeout of
39 * not less than 4MSL (8 minutes);
40 *
41 * - PARTOPEN:
42 *
43 * 8.1.5. Handshake Completion
44 *
45 * If the client remains in PARTOPEN for more than 4MSL (8 minutes),
46 * it SHOULD reset the connection with Reset Code 2, "Aborted".
47 *
48 * - OPEN:
49 *
50 * The DCCP timestamp overflows after 11.9 hours. If the connection
51 * stays idle this long the sequence number won't be recognized
52 * as valid anymore.
53 *
54 * - CLOSEREQ/CLOSING:
55 *
56 * 8.3. Termination
57 *
58 * The retransmission timer should initially be set to go off in two
59 * round-trip times and should back off to not less than once every
60 * 64 seconds ...
61 *
62 * - TIMEWAIT:
63 *
64 * 4.3. States
65 *
66 * A server or client socket remains in this state for 2MSL (4 minutes)
67 * after the connection has been town down, ...
68 */
69
70 #define DCCP_MSL (2 * 60 * HZ)
71
72 static const char * const dccp_state_names[] = {
73 [CT_DCCP_NONE] = "NONE",
74 [CT_DCCP_REQUEST] = "REQUEST",
75 [CT_DCCP_RESPOND] = "RESPOND",
76 [CT_DCCP_PARTOPEN] = "PARTOPEN",
77 [CT_DCCP_OPEN] = "OPEN",
78 [CT_DCCP_CLOSEREQ] = "CLOSEREQ",
79 [CT_DCCP_CLOSING] = "CLOSING",
80 [CT_DCCP_TIMEWAIT] = "TIMEWAIT",
81 [CT_DCCP_IGNORE] = "IGNORE",
82 [CT_DCCP_INVALID] = "INVALID",
83 };
84
85 #define sNO CT_DCCP_NONE
86 #define sRQ CT_DCCP_REQUEST
87 #define sRS CT_DCCP_RESPOND
88 #define sPO CT_DCCP_PARTOPEN
89 #define sOP CT_DCCP_OPEN
90 #define sCR CT_DCCP_CLOSEREQ
91 #define sCG CT_DCCP_CLOSING
92 #define sTW CT_DCCP_TIMEWAIT
93 #define sIG CT_DCCP_IGNORE
94 #define sIV CT_DCCP_INVALID
95
96 /*
97 * DCCP state transition table
98 *
99 * The assumption is the same as for TCP tracking:
100 *
101 * We are the man in the middle. All the packets go through us but might
102 * get lost in transit to the destination. It is assumed that the destination
103 * can't receive segments we haven't seen.
104 *
105 * The following states exist:
106 *
107 * NONE: Initial state, expecting Request
108 * REQUEST: Request seen, waiting for Response from server
109 * RESPOND: Response from server seen, waiting for Ack from client
110 * PARTOPEN: Ack after Response seen, waiting for packet other than Response,
111 * Reset or Sync from server
112 * OPEN: Packet other than Response, Reset or Sync seen
113 * CLOSEREQ: CloseReq from server seen, expecting Close from client
114 * CLOSING: Close seen, expecting Reset
115 * TIMEWAIT: Reset seen
116 * IGNORE: Not determinable whether packet is valid
117 *
118 * Some states exist only on one side of the connection: REQUEST, RESPOND,
119 * PARTOPEN, CLOSEREQ. For the other side these states are equivalent to
120 * the one it was in before.
121 *
122 * Packets are marked as ignored (sIG) if we don't know if they're valid
123 * (for example a reincarnation of a connection we didn't notice is dead
124 * already) and the server may send back a connection closing Reset or a
125 * Response. They're also used for Sync/SyncAck packets, which we don't
126 * care about.
127 */
128 static const u_int8_t
129 dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = {
130 [CT_DCCP_ROLE_CLIENT] = {
131 [DCCP_PKT_REQUEST] = {
132 /*
133 * sNO -> sRQ Regular Request
134 * sRQ -> sRQ Retransmitted Request or reincarnation
135 * sRS -> sRS Retransmitted Request (apparently Response
136 * got lost after we saw it) or reincarnation
137 * sPO -> sIG Ignore, conntrack might be out of sync
138 * sOP -> sIG Ignore, conntrack might be out of sync
139 * sCR -> sIG Ignore, conntrack might be out of sync
140 * sCG -> sIG Ignore, conntrack might be out of sync
141 * sTW -> sRQ Reincarnation
142 *
143 * sNO, sRQ, sRS, sPO. sOP, sCR, sCG, sTW, */
144 sRQ, sRQ, sRS, sIG, sIG, sIG, sIG, sRQ,
145 },
146 [DCCP_PKT_RESPONSE] = {
147 /*
148 * sNO -> sIV Invalid
149 * sRQ -> sIG Ignore, might be response to ignored Request
150 * sRS -> sIG Ignore, might be response to ignored Request
151 * sPO -> sIG Ignore, might be response to ignored Request
152 * sOP -> sIG Ignore, might be response to ignored Request
153 * sCR -> sIG Ignore, might be response to ignored Request
154 * sCG -> sIG Ignore, might be response to ignored Request
155 * sTW -> sIV Invalid, reincarnation in reverse direction
156 * goes through sRQ
157 *
158 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
159 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIV,
160 },
161 [DCCP_PKT_ACK] = {
162 /*
163 * sNO -> sIV No connection
164 * sRQ -> sIV No connection
165 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.)
166 * sPO -> sPO Retransmitted Ack for Response, remain in PARTOPEN
167 * sOP -> sOP Regular ACK, remain in OPEN
168 * sCR -> sCR Ack in CLOSEREQ MAY be processed (8.3.)
169 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.)
170 * sTW -> sIV
171 *
172 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
173 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
174 },
175 [DCCP_PKT_DATA] = {
176 /*
177 * sNO -> sIV No connection
178 * sRQ -> sIV No connection
179 * sRS -> sIV No connection
180 * sPO -> sIV MUST use DataAck in PARTOPEN state (8.1.5.)
181 * sOP -> sOP Regular Data packet
182 * sCR -> sCR Data in CLOSEREQ MAY be processed (8.3.)
183 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
184 * sTW -> sIV
185 *
186 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
187 sIV, sIV, sIV, sIV, sOP, sCR, sCG, sIV,
188 },
189 [DCCP_PKT_DATAACK] = {
190 /*
191 * sNO -> sIV No connection
192 * sRQ -> sIV No connection
193 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.)
194 * sPO -> sPO Remain in PARTOPEN state
195 * sOP -> sOP Regular DataAck packet in OPEN state
196 * sCR -> sCR DataAck in CLOSEREQ MAY be processed (8.3.)
197 * sCG -> sCG DataAck in CLOSING MAY be processed (8.3.)
198 * sTW -> sIV
199 *
200 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
201 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
202 },
203 [DCCP_PKT_CLOSEREQ] = {
204 /*
205 * CLOSEREQ may only be sent by the server.
206 *
207 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
208 sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV
209 },
210 [DCCP_PKT_CLOSE] = {
211 /*
212 * sNO -> sIV No connection
213 * sRQ -> sIV No connection
214 * sRS -> sIV No connection
215 * sPO -> sCG Client-initiated close
216 * sOP -> sCG Client-initiated close
217 * sCR -> sCG Close in response to CloseReq (8.3.)
218 * sCG -> sCG Retransmit
219 * sTW -> sIV Late retransmit, already in TIME_WAIT
220 *
221 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
222 sIV, sIV, sIV, sCG, sCG, sCG, sIV, sIV
223 },
224 [DCCP_PKT_RESET] = {
225 /*
226 * sNO -> sIV No connection
227 * sRQ -> sTW Sync received or timeout, SHOULD send Reset (8.1.1.)
228 * sRS -> sTW Response received without Request
229 * sPO -> sTW Timeout, SHOULD send Reset (8.1.5.)
230 * sOP -> sTW Connection reset
231 * sCR -> sTW Connection reset
232 * sCG -> sTW Connection reset
233 * sTW -> sIG Ignore (don't refresh timer)
234 *
235 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
236 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sIG
237 },
238 [DCCP_PKT_SYNC] = {
239 /*
240 * We currently ignore Sync packets
241 *
242 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
243 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
244 },
245 [DCCP_PKT_SYNCACK] = {
246 /*
247 * We currently ignore SyncAck packets
248 *
249 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
250 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
251 },
252 },
253 [CT_DCCP_ROLE_SERVER] = {
254 [DCCP_PKT_REQUEST] = {
255 /*
256 * sNO -> sIV Invalid
257 * sRQ -> sIG Ignore, conntrack might be out of sync
258 * sRS -> sIG Ignore, conntrack might be out of sync
259 * sPO -> sIG Ignore, conntrack might be out of sync
260 * sOP -> sIG Ignore, conntrack might be out of sync
261 * sCR -> sIG Ignore, conntrack might be out of sync
262 * sCG -> sIG Ignore, conntrack might be out of sync
263 * sTW -> sRQ Reincarnation, must reverse roles
264 *
265 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
266 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sRQ
267 },
268 [DCCP_PKT_RESPONSE] = {
269 /*
270 * sNO -> sIV Response without Request
271 * sRQ -> sRS Response to clients Request
272 * sRS -> sRS Retransmitted Response (8.1.3. SHOULD NOT)
273 * sPO -> sIG Response to an ignored Request or late retransmit
274 * sOP -> sIG Ignore, might be response to ignored Request
275 * sCR -> sIG Ignore, might be response to ignored Request
276 * sCG -> sIG Ignore, might be response to ignored Request
277 * sTW -> sIV Invalid, Request from client in sTW moves to sRQ
278 *
279 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
280 sIV, sRS, sRS, sIG, sIG, sIG, sIG, sIV
281 },
282 [DCCP_PKT_ACK] = {
283 /*
284 * sNO -> sIV No connection
285 * sRQ -> sIV No connection
286 * sRS -> sIV No connection
287 * sPO -> sOP Enter OPEN state (8.1.5.)
288 * sOP -> sOP Regular Ack in OPEN state
289 * sCR -> sIV Waiting for Close from client
290 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.)
291 * sTW -> sIV
292 *
293 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
294 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
295 },
296 [DCCP_PKT_DATA] = {
297 /*
298 * sNO -> sIV No connection
299 * sRQ -> sIV No connection
300 * sRS -> sIV No connection
301 * sPO -> sOP Enter OPEN state (8.1.5.)
302 * sOP -> sOP Regular Data packet in OPEN state
303 * sCR -> sIV Waiting for Close from client
304 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
305 * sTW -> sIV
306 *
307 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
308 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
309 },
310 [DCCP_PKT_DATAACK] = {
311 /*
312 * sNO -> sIV No connection
313 * sRQ -> sIV No connection
314 * sRS -> sIV No connection
315 * sPO -> sOP Enter OPEN state (8.1.5.)
316 * sOP -> sOP Regular DataAck in OPEN state
317 * sCR -> sIV Waiting for Close from client
318 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
319 * sTW -> sIV
320 *
321 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
322 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
323 },
324 [DCCP_PKT_CLOSEREQ] = {
325 /*
326 * sNO -> sIV No connection
327 * sRQ -> sIV No connection
328 * sRS -> sIV No connection
329 * sPO -> sOP -> sCR Move directly to CLOSEREQ (8.1.5.)
330 * sOP -> sCR CloseReq in OPEN state
331 * sCR -> sCR Retransmit
332 * sCG -> sCR Simultaneous close, client sends another Close
333 * sTW -> sIV Already closed
334 *
335 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
336 sIV, sIV, sIV, sCR, sCR, sCR, sCR, sIV
337 },
338 [DCCP_PKT_CLOSE] = {
339 /*
340 * sNO -> sIV No connection
341 * sRQ -> sIV No connection
342 * sRS -> sIV No connection
343 * sPO -> sOP -> sCG Move direcly to CLOSING
344 * sOP -> sCG Move to CLOSING
345 * sCR -> sIV Close after CloseReq is invalid
346 * sCG -> sCG Retransmit
347 * sTW -> sIV Already closed
348 *
349 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
350 sIV, sIV, sIV, sCG, sCG, sIV, sCG, sIV
351 },
352 [DCCP_PKT_RESET] = {
353 /*
354 * sNO -> sIV No connection
355 * sRQ -> sTW Reset in response to Request
356 * sRS -> sTW Timeout, SHOULD send Reset (8.1.3.)
357 * sPO -> sTW Timeout, SHOULD send Reset (8.1.3.)
358 * sOP -> sTW
359 * sCR -> sTW
360 * sCG -> sTW
361 * sTW -> sIG Ignore (don't refresh timer)
362 *
363 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW, sTW */
364 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sTW, sIG
365 },
366 [DCCP_PKT_SYNC] = {
367 /*
368 * We currently ignore Sync packets
369 *
370 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
371 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
372 },
373 [DCCP_PKT_SYNCACK] = {
374 /*
375 * We currently ignore SyncAck packets
376 *
377 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
378 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
379 },
380 },
381 };
382
383 static noinline bool
384 dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
385 const struct dccp_hdr *dh)
386 {
387 struct net *net = nf_ct_net(ct);
388 struct nf_dccp_net *dn;
389 const char *msg;
390 u_int8_t state;
391
392 state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
393 switch (state) {
394 default:
395 dn = nf_dccp_pernet(net);
396 if (dn->dccp_loose == 0) {
397 msg = "not picking up existing connection ";
398 goto out_invalid;
399 }
400 case CT_DCCP_REQUEST:
401 break;
402 case CT_DCCP_INVALID:
403 msg = "invalid state transition ";
404 goto out_invalid;
405 }
406
407 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
408 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
409 ct->proto.dccp.state = CT_DCCP_NONE;
410 ct->proto.dccp.last_pkt = DCCP_PKT_REQUEST;
411 ct->proto.dccp.last_dir = IP_CT_DIR_ORIGINAL;
412 ct->proto.dccp.handshake_seq = 0;
413 return true;
414
415 out_invalid:
416 nf_ct_l4proto_log_invalid(skb, ct, "%s", msg);
417 return false;
418 }
419
420 static u64 dccp_ack_seq(const struct dccp_hdr *dh)
421 {
422 const struct dccp_hdr_ack_bits *dhack;
423
424 dhack = (void *)dh + __dccp_basic_hdr_len(dh);
425 return ((u64)ntohs(dhack->dccph_ack_nr_high) << 32) +
426 ntohl(dhack->dccph_ack_nr_low);
427 }
428
429 static bool dccp_error(const struct dccp_hdr *dh,
430 struct sk_buff *skb, unsigned int dataoff,
431 const struct nf_hook_state *state)
432 {
433 unsigned int dccp_len = skb->len - dataoff;
434 unsigned int cscov;
435 const char *msg;
436
437 if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) ||
438 dh->dccph_doff * 4 > dccp_len) {
439 msg = "nf_ct_dccp: truncated/malformed packet ";
440 goto out_invalid;
441 }
442
443 cscov = dccp_len;
444 if (dh->dccph_cscov) {
445 cscov = (dh->dccph_cscov - 1) * 4;
446 if (cscov > dccp_len) {
447 msg = "nf_ct_dccp: bad checksum coverage ";
448 goto out_invalid;
449 }
450 }
451
452 if (state->hook == NF_INET_PRE_ROUTING &&
453 state->net->ct.sysctl_checksum &&
454 nf_checksum_partial(skb, state->hook, dataoff, cscov,
455 IPPROTO_DCCP, state->pf)) {
456 msg = "nf_ct_dccp: bad checksum ";
457 goto out_invalid;
458 }
459
460 if (dh->dccph_type >= DCCP_PKT_INVALID) {
461 msg = "nf_ct_dccp: reserved packet type ";
462 goto out_invalid;
463 }
464 return false;
465 out_invalid:
466 nf_l4proto_log_invalid(skb, state->net, state->pf,
467 IPPROTO_DCCP, "%s", msg);
468 return true;
469 }
470
471 int nf_conntrack_dccp_packet(struct nf_conn *ct, struct sk_buff *skb,
472 unsigned int dataoff,
473 enum ip_conntrack_info ctinfo,
474 const struct nf_hook_state *state)
475 {
476 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
477 struct dccp_hdr _dh, *dh;
478 u_int8_t type, old_state, new_state;
479 enum ct_dccp_roles role;
480 unsigned int *timeouts;
481
482 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
483 if (!dh)
484 return NF_DROP;
485
486 if (dccp_error(dh, skb, dataoff, state))
487 return -NF_ACCEPT;
488
489 type = dh->dccph_type;
490 if (!nf_ct_is_confirmed(ct) && !dccp_new(ct, skb, dh))
491 return -NF_ACCEPT;
492
493 if (type == DCCP_PKT_RESET &&
494 !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
495 /* Tear down connection immediately if only reply is a RESET */
496 nf_ct_kill_acct(ct, ctinfo, skb);
497 return NF_ACCEPT;
498 }
499
500 spin_lock_bh(&ct->lock);
501
502 role = ct->proto.dccp.role[dir];
503 old_state = ct->proto.dccp.state;
504 new_state = dccp_state_table[role][type][old_state];
505
506 switch (new_state) {
507 case CT_DCCP_REQUEST:
508 if (old_state == CT_DCCP_TIMEWAIT &&
509 role == CT_DCCP_ROLE_SERVER) {
510 /* Reincarnation in the reverse direction: reopen and
511 * reverse client/server roles. */
512 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_CLIENT;
513 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_SERVER;
514 }
515 break;
516 case CT_DCCP_RESPOND:
517 if (old_state == CT_DCCP_REQUEST)
518 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
519 break;
520 case CT_DCCP_PARTOPEN:
521 if (old_state == CT_DCCP_RESPOND &&
522 type == DCCP_PKT_ACK &&
523 dccp_ack_seq(dh) == ct->proto.dccp.handshake_seq)
524 set_bit(IPS_ASSURED_BIT, &ct->status);
525 break;
526 case CT_DCCP_IGNORE:
527 /*
528 * Connection tracking might be out of sync, so we ignore
529 * packets that might establish a new connection and resync
530 * if the server responds with a valid Response.
531 */
532 if (ct->proto.dccp.last_dir == !dir &&
533 ct->proto.dccp.last_pkt == DCCP_PKT_REQUEST &&
534 type == DCCP_PKT_RESPONSE) {
535 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_CLIENT;
536 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_SERVER;
537 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
538 new_state = CT_DCCP_RESPOND;
539 break;
540 }
541 ct->proto.dccp.last_dir = dir;
542 ct->proto.dccp.last_pkt = type;
543
544 spin_unlock_bh(&ct->lock);
545 nf_ct_l4proto_log_invalid(skb, ct, "%s", "invalid packet");
546 return NF_ACCEPT;
547 case CT_DCCP_INVALID:
548 spin_unlock_bh(&ct->lock);
549 nf_ct_l4proto_log_invalid(skb, ct, "%s", "invalid state transition");
550 return -NF_ACCEPT;
551 }
552
553 ct->proto.dccp.last_dir = dir;
554 ct->proto.dccp.last_pkt = type;
555 ct->proto.dccp.state = new_state;
556 spin_unlock_bh(&ct->lock);
557
558 if (new_state != old_state)
559 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
560
561 timeouts = nf_ct_timeout_lookup(ct);
562 if (!timeouts)
563 timeouts = nf_dccp_pernet(nf_ct_net(ct))->dccp_timeout;
564 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
565
566 return NF_ACCEPT;
567 }
568
569 static bool dccp_can_early_drop(const struct nf_conn *ct)
570 {
571 switch (ct->proto.dccp.state) {
572 case CT_DCCP_CLOSEREQ:
573 case CT_DCCP_CLOSING:
574 case CT_DCCP_TIMEWAIT:
575 return true;
576 default:
577 break;
578 }
579
580 return false;
581 }
582
583 #ifdef CONFIG_NF_CONNTRACK_PROCFS
584 static void dccp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
585 {
586 seq_printf(s, "%s ", dccp_state_names[ct->proto.dccp.state]);
587 }
588 #endif
589
590 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
591 static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
592 struct nf_conn *ct)
593 {
594 struct nlattr *nest_parms;
595
596 spin_lock_bh(&ct->lock);
597 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_DCCP);
598 if (!nest_parms)
599 goto nla_put_failure;
600 if (nla_put_u8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state) ||
601 nla_put_u8(skb, CTA_PROTOINFO_DCCP_ROLE,
602 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]) ||
603 nla_put_be64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
604 cpu_to_be64(ct->proto.dccp.handshake_seq),
605 CTA_PROTOINFO_DCCP_PAD))
606 goto nla_put_failure;
607 nla_nest_end(skb, nest_parms);
608 spin_unlock_bh(&ct->lock);
609 return 0;
610
611 nla_put_failure:
612 spin_unlock_bh(&ct->lock);
613 return -1;
614 }
615
616 static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = {
617 [CTA_PROTOINFO_DCCP_STATE] = { .type = NLA_U8 },
618 [CTA_PROTOINFO_DCCP_ROLE] = { .type = NLA_U8 },
619 [CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ] = { .type = NLA_U64 },
620 [CTA_PROTOINFO_DCCP_PAD] = { .type = NLA_UNSPEC },
621 };
622
623 #define DCCP_NLATTR_SIZE ( \
624 NLA_ALIGN(NLA_HDRLEN + 1) + \
625 NLA_ALIGN(NLA_HDRLEN + 1) + \
626 NLA_ALIGN(NLA_HDRLEN + sizeof(u64)) + \
627 NLA_ALIGN(NLA_HDRLEN + 0))
628
629 static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
630 {
631 struct nlattr *attr = cda[CTA_PROTOINFO_DCCP];
632 struct nlattr *tb[CTA_PROTOINFO_DCCP_MAX + 1];
633 int err;
634
635 if (!attr)
636 return 0;
637
638 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_DCCP_MAX, attr,
639 dccp_nla_policy, NULL);
640 if (err < 0)
641 return err;
642
643 if (!tb[CTA_PROTOINFO_DCCP_STATE] ||
644 !tb[CTA_PROTOINFO_DCCP_ROLE] ||
645 nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) > CT_DCCP_ROLE_MAX ||
646 nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]) >= CT_DCCP_IGNORE) {
647 return -EINVAL;
648 }
649
650 spin_lock_bh(&ct->lock);
651 ct->proto.dccp.state = nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]);
652 if (nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) == CT_DCCP_ROLE_CLIENT) {
653 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
654 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
655 } else {
656 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_SERVER;
657 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_CLIENT;
658 }
659 if (tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]) {
660 ct->proto.dccp.handshake_seq =
661 be64_to_cpu(nla_get_be64(tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]));
662 }
663 spin_unlock_bh(&ct->lock);
664 return 0;
665 }
666 #endif
667
668 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
669
670 #include <linux/netfilter/nfnetlink.h>
671 #include <linux/netfilter/nfnetlink_cttimeout.h>
672
673 static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
674 struct net *net, void *data)
675 {
676 struct nf_dccp_net *dn = nf_dccp_pernet(net);
677 unsigned int *timeouts = data;
678 int i;
679
680 if (!timeouts)
681 timeouts = dn->dccp_timeout;
682
683 /* set default DCCP timeouts. */
684 for (i=0; i<CT_DCCP_MAX; i++)
685 timeouts[i] = dn->dccp_timeout[i];
686
687 /* there's a 1:1 mapping between attributes and protocol states. */
688 for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++) {
689 if (tb[i]) {
690 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
691 }
692 }
693
694 timeouts[CTA_TIMEOUT_DCCP_UNSPEC] = timeouts[CTA_TIMEOUT_DCCP_REQUEST];
695 return 0;
696 }
697
698 static int
699 dccp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
700 {
701 const unsigned int *timeouts = data;
702 int i;
703
704 for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++) {
705 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
706 goto nla_put_failure;
707 }
708 return 0;
709
710 nla_put_failure:
711 return -ENOSPC;
712 }
713
714 static const struct nla_policy
715 dccp_timeout_nla_policy[CTA_TIMEOUT_DCCP_MAX+1] = {
716 [CTA_TIMEOUT_DCCP_REQUEST] = { .type = NLA_U32 },
717 [CTA_TIMEOUT_DCCP_RESPOND] = { .type = NLA_U32 },
718 [CTA_TIMEOUT_DCCP_PARTOPEN] = { .type = NLA_U32 },
719 [CTA_TIMEOUT_DCCP_OPEN] = { .type = NLA_U32 },
720 [CTA_TIMEOUT_DCCP_CLOSEREQ] = { .type = NLA_U32 },
721 [CTA_TIMEOUT_DCCP_CLOSING] = { .type = NLA_U32 },
722 [CTA_TIMEOUT_DCCP_TIMEWAIT] = { .type = NLA_U32 },
723 };
724 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
725
726 void nf_conntrack_dccp_init_net(struct net *net)
727 {
728 struct nf_dccp_net *dn = nf_dccp_pernet(net);
729
730 /* default values */
731 dn->dccp_loose = 1;
732 dn->dccp_timeout[CT_DCCP_REQUEST] = 2 * DCCP_MSL;
733 dn->dccp_timeout[CT_DCCP_RESPOND] = 4 * DCCP_MSL;
734 dn->dccp_timeout[CT_DCCP_PARTOPEN] = 4 * DCCP_MSL;
735 dn->dccp_timeout[CT_DCCP_OPEN] = 12 * 3600 * HZ;
736 dn->dccp_timeout[CT_DCCP_CLOSEREQ] = 64 * HZ;
737 dn->dccp_timeout[CT_DCCP_CLOSING] = 64 * HZ;
738 dn->dccp_timeout[CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL;
739
740 /* timeouts[0] is unused, make it same as SYN_SENT so
741 * ->timeouts[0] contains 'new' timeout, like udp or icmp.
742 */
743 dn->dccp_timeout[CT_DCCP_NONE] = dn->dccp_timeout[CT_DCCP_REQUEST];
744 }
745
746 const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp = {
747 .l4proto = IPPROTO_DCCP,
748 .can_early_drop = dccp_can_early_drop,
749 #ifdef CONFIG_NF_CONNTRACK_PROCFS
750 .print_conntrack = dccp_print_conntrack,
751 #endif
752 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
753 .nlattr_size = DCCP_NLATTR_SIZE,
754 .to_nlattr = dccp_to_nlattr,
755 .from_nlattr = nlattr_to_dccp,
756 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
757 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
758 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
759 .nla_policy = nf_ct_port_nla_policy,
760 #endif
761 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
762 .ctnl_timeout = {
763 .nlattr_to_obj = dccp_timeout_nlattr_to_obj,
764 .obj_to_nlattr = dccp_timeout_obj_to_nlattr,
765 .nlattr_max = CTA_TIMEOUT_DCCP_MAX,
766 .obj_size = sizeof(unsigned int) * CT_DCCP_MAX,
767 .nla_policy = dccp_timeout_nla_policy,
768 },
769 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
770 };