1
2
3
4
5
6
7
8
9
10
11
12
13
14
15#include <linux/types.h>
16#include <linux/timer.h>
17#include <linux/netfilter.h>
18#include <linux/in.h>
19#include <linux/ip.h>
20#include <linux/sctp.h>
21#include <linux/string.h>
22#include <linux/seq_file.h>
23#include <linux/spinlock.h>
24#include <linux/interrupt.h>
25#include <net/sctp/checksum.h>
26
27#include <net/netfilter/nf_log.h>
28#include <net/netfilter/nf_conntrack.h>
29#include <net/netfilter/nf_conntrack_l4proto.h>
30#include <net/netfilter/nf_conntrack_ecache.h>
31
32
33
34
35
36
37static const char *const sctp_conntrack_names[] = {
38 "NONE",
39 "CLOSED",
40 "COOKIE_WAIT",
41 "COOKIE_ECHOED",
42 "ESTABLISHED",
43 "SHUTDOWN_SENT",
44 "SHUTDOWN_RECD",
45 "SHUTDOWN_ACK_SENT",
46 "HEARTBEAT_SENT",
47 "HEARTBEAT_ACKED",
48};
49
50#define SECS * HZ
51#define MINS * 60 SECS
52#define HOURS * 60 MINS
53#define DAYS * 24 HOURS
54
55static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
56 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
57 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
58 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
59 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
60 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
61 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
62 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
63 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
64 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
65};
66
67#define sNO SCTP_CONNTRACK_NONE
68#define sCL SCTP_CONNTRACK_CLOSED
69#define sCW SCTP_CONNTRACK_COOKIE_WAIT
70#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
71#define sES SCTP_CONNTRACK_ESTABLISHED
72#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
73#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
74#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
75#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
76#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
77#define sIV SCTP_CONNTRACK_MAX
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
116 {
117
118
119 {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
120 {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
121 {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
122 {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
123 {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
124 {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
125 {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},
126 {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
127 {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
128 {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
129 {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
130 },
131 {
132
133
134 {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
135 {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
136 {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
137 {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
138 {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
139 {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
140 {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
141 {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
142 {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
143 {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
144 {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
145 }
146};
147
148static inline struct nf_sctp_net *sctp_pernet(struct net *net)
149{
150 return &net->ct_sctp;
151}
152
153static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
154 struct nf_conntrack_tuple *tuple)
155{
156 const struct sctphdr *hp;
157 struct sctphdr _hdr;
158
159
160 hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
161 if (hp == NULL)
162 return false;
163
164 tuple->src.u.sctp.port = hp->source;
165 tuple->dst.u.sctp.port = hp->dest;
166 return true;
167}
168
169static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
170 const struct nf_conntrack_tuple *orig)
171{
172 tuple->src.u.sctp.port = orig->dst.u.sctp.port;
173 tuple->dst.u.sctp.port = orig->src.u.sctp.port;
174 return true;
175}
176
177
178static int sctp_print_tuple(struct seq_file *s,
179 const struct nf_conntrack_tuple *tuple)
180{
181 return seq_printf(s, "sport=%hu dport=%hu ",
182 ntohs(tuple->src.u.sctp.port),
183 ntohs(tuple->dst.u.sctp.port));
184}
185
186
187static int sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
188{
189 enum sctp_conntrack state;
190
191 spin_lock_bh(&ct->lock);
192 state = ct->proto.sctp.state;
193 spin_unlock_bh(&ct->lock);
194
195 return seq_printf(s, "%s ", sctp_conntrack_names[state]);
196}
197
198#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
199for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \
200 (offset) < (skb)->len && \
201 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
202 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
203
204
205static int do_basic_checks(struct nf_conn *ct,
206 const struct sk_buff *skb,
207 unsigned int dataoff,
208 unsigned long *map)
209{
210 u_int32_t offset, count;
211 sctp_chunkhdr_t _sch, *sch;
212 int flag;
213
214 flag = 0;
215
216 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
217 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
218
219 if (sch->type == SCTP_CID_INIT ||
220 sch->type == SCTP_CID_INIT_ACK ||
221 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
222 flag = 1;
223
224
225
226
227
228
229 if (((sch->type == SCTP_CID_COOKIE_ACK ||
230 sch->type == SCTP_CID_COOKIE_ECHO ||
231 flag) &&
232 count != 0) || !sch->length) {
233 pr_debug("Basic checks failed\n");
234 return 1;
235 }
236
237 if (map)
238 set_bit(sch->type, map);
239 }
240
241 pr_debug("Basic checks passed\n");
242 return count == 0;
243}
244
245static int sctp_new_state(enum ip_conntrack_dir dir,
246 enum sctp_conntrack cur_state,
247 int chunk_type)
248{
249 int i;
250
251 pr_debug("Chunk type: %d\n", chunk_type);
252
253 switch (chunk_type) {
254 case SCTP_CID_INIT:
255 pr_debug("SCTP_CID_INIT\n");
256 i = 0;
257 break;
258 case SCTP_CID_INIT_ACK:
259 pr_debug("SCTP_CID_INIT_ACK\n");
260 i = 1;
261 break;
262 case SCTP_CID_ABORT:
263 pr_debug("SCTP_CID_ABORT\n");
264 i = 2;
265 break;
266 case SCTP_CID_SHUTDOWN:
267 pr_debug("SCTP_CID_SHUTDOWN\n");
268 i = 3;
269 break;
270 case SCTP_CID_SHUTDOWN_ACK:
271 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
272 i = 4;
273 break;
274 case SCTP_CID_ERROR:
275 pr_debug("SCTP_CID_ERROR\n");
276 i = 5;
277 break;
278 case SCTP_CID_COOKIE_ECHO:
279 pr_debug("SCTP_CID_COOKIE_ECHO\n");
280 i = 6;
281 break;
282 case SCTP_CID_COOKIE_ACK:
283 pr_debug("SCTP_CID_COOKIE_ACK\n");
284 i = 7;
285 break;
286 case SCTP_CID_SHUTDOWN_COMPLETE:
287 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
288 i = 8;
289 break;
290 case SCTP_CID_HEARTBEAT:
291 pr_debug("SCTP_CID_HEARTBEAT");
292 i = 9;
293 break;
294 case SCTP_CID_HEARTBEAT_ACK:
295 pr_debug("SCTP_CID_HEARTBEAT_ACK");
296 i = 10;
297 break;
298 default:
299
300 pr_debug("Unknown chunk type, Will stay in %s\n",
301 sctp_conntrack_names[cur_state]);
302 return cur_state;
303 }
304
305 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
306 dir, sctp_conntrack_names[cur_state], chunk_type,
307 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
308
309 return sctp_conntracks[dir][i][cur_state];
310}
311
312static unsigned int *sctp_get_timeouts(struct net *net)
313{
314 return sctp_pernet(net)->timeouts;
315}
316
317
318static int sctp_packet(struct nf_conn *ct,
319 const struct sk_buff *skb,
320 unsigned int dataoff,
321 enum ip_conntrack_info ctinfo,
322 u_int8_t pf,
323 unsigned int hooknum,
324 unsigned int *timeouts)
325{
326 enum sctp_conntrack new_state, old_state;
327 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
328 const struct sctphdr *sh;
329 struct sctphdr _sctph;
330 const struct sctp_chunkhdr *sch;
331 struct sctp_chunkhdr _sch;
332 u_int32_t offset, count;
333 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
334
335 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
336 if (sh == NULL)
337 goto out;
338
339 if (do_basic_checks(ct, skb, dataoff, map) != 0)
340 goto out;
341
342
343 if (!test_bit(SCTP_CID_INIT, map) &&
344 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
345 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
346 !test_bit(SCTP_CID_ABORT, map) &&
347 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
348 !test_bit(SCTP_CID_HEARTBEAT, map) &&
349 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
350 sh->vtag != ct->proto.sctp.vtag[dir]) {
351 pr_debug("Verification tag check failed\n");
352 goto out;
353 }
354
355 old_state = new_state = SCTP_CONNTRACK_NONE;
356 spin_lock_bh(&ct->lock);
357 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
358
359 if (sch->type == SCTP_CID_INIT) {
360
361 if (sh->vtag != 0)
362 goto out_unlock;
363 } else if (sch->type == SCTP_CID_ABORT) {
364
365 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
366 sh->vtag != ct->proto.sctp.vtag[!dir])
367 goto out_unlock;
368 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
369
370 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
371 sh->vtag != ct->proto.sctp.vtag[!dir] &&
372 sch->flags & SCTP_CHUNK_FLAG_T)
373 goto out_unlock;
374 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
375
376 if (sh->vtag != ct->proto.sctp.vtag[dir])
377 goto out_unlock;
378 } else if (sch->type == SCTP_CID_HEARTBEAT ||
379 sch->type == SCTP_CID_HEARTBEAT_ACK) {
380 if (ct->proto.sctp.vtag[dir] == 0) {
381 pr_debug("Setting vtag %x for dir %d\n",
382 sh->vtag, dir);
383 ct->proto.sctp.vtag[dir] = sh->vtag;
384 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
385 pr_debug("Verification tag check failed\n");
386 goto out_unlock;
387 }
388 }
389
390 old_state = ct->proto.sctp.state;
391 new_state = sctp_new_state(dir, old_state, sch->type);
392
393
394 if (new_state == SCTP_CONNTRACK_MAX) {
395 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
396 "conntrack=%u\n",
397 dir, sch->type, old_state);
398 goto out_unlock;
399 }
400
401
402 if (sch->type == SCTP_CID_INIT ||
403 sch->type == SCTP_CID_INIT_ACK) {
404 sctp_inithdr_t _inithdr, *ih;
405
406 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
407 sizeof(_inithdr), &_inithdr);
408 if (ih == NULL)
409 goto out_unlock;
410 pr_debug("Setting vtag %x for dir %d\n",
411 ih->init_tag, !dir);
412 ct->proto.sctp.vtag[!dir] = ih->init_tag;
413 }
414
415 ct->proto.sctp.state = new_state;
416 if (old_state != new_state)
417 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
418 }
419 spin_unlock_bh(&ct->lock);
420
421 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
422
423 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
424 dir == IP_CT_DIR_REPLY &&
425 new_state == SCTP_CONNTRACK_ESTABLISHED) {
426 pr_debug("Setting assured bit\n");
427 set_bit(IPS_ASSURED_BIT, &ct->status);
428 nf_conntrack_event_cache(IPCT_ASSURED, ct);
429 }
430
431 return NF_ACCEPT;
432
433out_unlock:
434 spin_unlock_bh(&ct->lock);
435out:
436 return -NF_ACCEPT;
437}
438
439
440static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
441 unsigned int dataoff, unsigned int *timeouts)
442{
443 enum sctp_conntrack new_state;
444 const struct sctphdr *sh;
445 struct sctphdr _sctph;
446 const struct sctp_chunkhdr *sch;
447 struct sctp_chunkhdr _sch;
448 u_int32_t offset, count;
449 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
450
451 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
452 if (sh == NULL)
453 return false;
454
455 if (do_basic_checks(ct, skb, dataoff, map) != 0)
456 return false;
457
458
459 if (test_bit(SCTP_CID_ABORT, map) ||
460 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
461 test_bit(SCTP_CID_COOKIE_ACK, map))
462 return false;
463
464 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
465 new_state = SCTP_CONNTRACK_MAX;
466 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
467
468 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
469 SCTP_CONNTRACK_NONE, sch->type);
470
471
472 if (new_state == SCTP_CONNTRACK_NONE ||
473 new_state == SCTP_CONNTRACK_MAX) {
474 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
475 return false;
476 }
477
478
479 if (sch->type == SCTP_CID_INIT) {
480 if (sh->vtag == 0) {
481 sctp_inithdr_t _inithdr, *ih;
482
483 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
484 sizeof(_inithdr), &_inithdr);
485 if (ih == NULL)
486 return false;
487
488 pr_debug("Setting vtag %x for new conn\n",
489 ih->init_tag);
490
491 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
492 ih->init_tag;
493 } else {
494
495 return false;
496 }
497 } else if (sch->type == SCTP_CID_HEARTBEAT) {
498 pr_debug("Setting vtag %x for secondary conntrack\n",
499 sh->vtag);
500 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
501 }
502
503
504 else {
505 pr_debug("Setting vtag %x for new conn OOTB\n",
506 sh->vtag);
507 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
508 }
509
510 ct->proto.sctp.state = new_state;
511 }
512
513 return true;
514}
515
516static int sctp_error(struct net *net, struct nf_conn *tpl, struct sk_buff *skb,
517 unsigned int dataoff,
518 u8 pf, unsigned int hooknum)
519{
520 const struct sctphdr *sh;
521 const char *logmsg;
522
523 if (skb->len < dataoff + sizeof(struct sctphdr)) {
524 logmsg = "nf_ct_sctp: short packet ";
525 goto out_invalid;
526 }
527 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
528 skb->ip_summed == CHECKSUM_NONE) {
529 if (!skb_make_writable(skb, dataoff + sizeof(struct sctphdr))) {
530 logmsg = "nf_ct_sctp: failed to read header ";
531 goto out_invalid;
532 }
533 sh = (const struct sctphdr *)(skb->data + dataoff);
534 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
535 logmsg = "nf_ct_sctp: bad CRC ";
536 goto out_invalid;
537 }
538 skb->ip_summed = CHECKSUM_UNNECESSARY;
539 }
540 return NF_ACCEPT;
541out_invalid:
542 if (LOG_INVALID(net, IPPROTO_SCTP))
543 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, "%s", logmsg);
544 return -NF_ACCEPT;
545}
546
547#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
548
549#include <linux/netfilter/nfnetlink.h>
550#include <linux/netfilter/nfnetlink_conntrack.h>
551
552static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
553 struct nf_conn *ct)
554{
555 struct nlattr *nest_parms;
556
557 spin_lock_bh(&ct->lock);
558 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
559 if (!nest_parms)
560 goto nla_put_failure;
561
562 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
563 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
564 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
565 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
566 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
567 goto nla_put_failure;
568
569 spin_unlock_bh(&ct->lock);
570
571 nla_nest_end(skb, nest_parms);
572
573 return 0;
574
575nla_put_failure:
576 spin_unlock_bh(&ct->lock);
577 return -1;
578}
579
580static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
581 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
582 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
583 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
584};
585
586static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
587{
588 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
589 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
590 int err;
591
592
593 if (!attr)
594 return 0;
595
596 err = nla_parse_nested(tb,
597 CTA_PROTOINFO_SCTP_MAX,
598 attr,
599 sctp_nla_policy);
600 if (err < 0)
601 return err;
602
603 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
604 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
605 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
606 return -EINVAL;
607
608 spin_lock_bh(&ct->lock);
609 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
610 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
611 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
612 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
613 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
614 spin_unlock_bh(&ct->lock);
615
616 return 0;
617}
618
619static int sctp_nlattr_size(void)
620{
621 return nla_total_size(0)
622 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
623}
624#endif
625
626#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
627
628#include <linux/netfilter/nfnetlink.h>
629#include <linux/netfilter/nfnetlink_cttimeout.h>
630
631static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
632 struct net *net, void *data)
633{
634 unsigned int *timeouts = data;
635 struct nf_sctp_net *sn = sctp_pernet(net);
636 int i;
637
638
639 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
640 timeouts[i] = sn->timeouts[i];
641
642
643 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
644 if (tb[i]) {
645 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
646 }
647 }
648 return 0;
649}
650
651static int
652sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
653{
654 const unsigned int *timeouts = data;
655 int i;
656
657 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
658 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
659 goto nla_put_failure;
660 }
661 return 0;
662
663nla_put_failure:
664 return -ENOSPC;
665}
666
667static const struct nla_policy
668sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
669 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
670 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
671 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
672 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
673 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
674 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
675 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
676 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
677 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
678};
679#endif
680
681
682#ifdef CONFIG_SYSCTL
683static struct ctl_table sctp_sysctl_table[] = {
684 {
685 .procname = "nf_conntrack_sctp_timeout_closed",
686 .maxlen = sizeof(unsigned int),
687 .mode = 0644,
688 .proc_handler = proc_dointvec_jiffies,
689 },
690 {
691 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
692 .maxlen = sizeof(unsigned int),
693 .mode = 0644,
694 .proc_handler = proc_dointvec_jiffies,
695 },
696 {
697 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
698 .maxlen = sizeof(unsigned int),
699 .mode = 0644,
700 .proc_handler = proc_dointvec_jiffies,
701 },
702 {
703 .procname = "nf_conntrack_sctp_timeout_established",
704 .maxlen = sizeof(unsigned int),
705 .mode = 0644,
706 .proc_handler = proc_dointvec_jiffies,
707 },
708 {
709 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
710 .maxlen = sizeof(unsigned int),
711 .mode = 0644,
712 .proc_handler = proc_dointvec_jiffies,
713 },
714 {
715 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
716 .maxlen = sizeof(unsigned int),
717 .mode = 0644,
718 .proc_handler = proc_dointvec_jiffies,
719 },
720 {
721 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
722 .maxlen = sizeof(unsigned int),
723 .mode = 0644,
724 .proc_handler = proc_dointvec_jiffies,
725 },
726 {
727 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
728 .maxlen = sizeof(unsigned int),
729 .mode = 0644,
730 .proc_handler = proc_dointvec_jiffies,
731 },
732 {
733 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
734 .maxlen = sizeof(unsigned int),
735 .mode = 0644,
736 .proc_handler = proc_dointvec_jiffies,
737 },
738 { }
739};
740
741#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
742static struct ctl_table sctp_compat_sysctl_table[] = {
743 {
744 .procname = "ip_conntrack_sctp_timeout_closed",
745 .maxlen = sizeof(unsigned int),
746 .mode = 0644,
747 .proc_handler = proc_dointvec_jiffies,
748 },
749 {
750 .procname = "ip_conntrack_sctp_timeout_cookie_wait",
751 .maxlen = sizeof(unsigned int),
752 .mode = 0644,
753 .proc_handler = proc_dointvec_jiffies,
754 },
755 {
756 .procname = "ip_conntrack_sctp_timeout_cookie_echoed",
757 .maxlen = sizeof(unsigned int),
758 .mode = 0644,
759 .proc_handler = proc_dointvec_jiffies,
760 },
761 {
762 .procname = "ip_conntrack_sctp_timeout_established",
763 .maxlen = sizeof(unsigned int),
764 .mode = 0644,
765 .proc_handler = proc_dointvec_jiffies,
766 },
767 {
768 .procname = "ip_conntrack_sctp_timeout_shutdown_sent",
769 .maxlen = sizeof(unsigned int),
770 .mode = 0644,
771 .proc_handler = proc_dointvec_jiffies,
772 },
773 {
774 .procname = "ip_conntrack_sctp_timeout_shutdown_recd",
775 .maxlen = sizeof(unsigned int),
776 .mode = 0644,
777 .proc_handler = proc_dointvec_jiffies,
778 },
779 {
780 .procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent",
781 .maxlen = sizeof(unsigned int),
782 .mode = 0644,
783 .proc_handler = proc_dointvec_jiffies,
784 },
785 { }
786};
787#endif
788#endif
789
790static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
791 struct nf_sctp_net *sn)
792{
793#ifdef CONFIG_SYSCTL
794 if (pn->ctl_table)
795 return 0;
796
797 pn->ctl_table = kmemdup(sctp_sysctl_table,
798 sizeof(sctp_sysctl_table),
799 GFP_KERNEL);
800 if (!pn->ctl_table)
801 return -ENOMEM;
802
803 pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
804 pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
805 pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
806 pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
807 pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
808 pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
809 pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
810 pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
811 pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
812#endif
813 return 0;
814}
815
816static int sctp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn,
817 struct nf_sctp_net *sn)
818{
819#ifdef CONFIG_SYSCTL
820#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
821 pn->ctl_compat_table = kmemdup(sctp_compat_sysctl_table,
822 sizeof(sctp_compat_sysctl_table),
823 GFP_KERNEL);
824 if (!pn->ctl_compat_table)
825 return -ENOMEM;
826
827 pn->ctl_compat_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
828 pn->ctl_compat_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
829 pn->ctl_compat_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
830 pn->ctl_compat_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
831 pn->ctl_compat_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
832 pn->ctl_compat_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
833 pn->ctl_compat_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
834#endif
835#endif
836 return 0;
837}
838
839static int sctp_init_net(struct net *net, u_int16_t proto)
840{
841 int ret;
842 struct nf_sctp_net *sn = sctp_pernet(net);
843 struct nf_proto_net *pn = &sn->pn;
844
845 if (!pn->users) {
846 int i;
847
848 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
849 sn->timeouts[i] = sctp_timeouts[i];
850 }
851
852 if (proto == AF_INET) {
853 ret = sctp_kmemdup_compat_sysctl_table(pn, sn);
854 if (ret < 0)
855 return ret;
856
857 ret = sctp_kmemdup_sysctl_table(pn, sn);
858 if (ret < 0)
859 nf_ct_kfree_compat_sysctl_table(pn);
860 } else
861 ret = sctp_kmemdup_sysctl_table(pn, sn);
862
863 return ret;
864}
865
866static struct nf_proto_net *sctp_get_net_proto(struct net *net)
867{
868 return &net->ct_sctp.pn;
869}
870
871struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
872 .l3proto = PF_INET,
873 .l4proto = IPPROTO_SCTP,
874 .name = "sctp",
875 .pkt_to_tuple = sctp_pkt_to_tuple,
876 .invert_tuple = sctp_invert_tuple,
877 .print_tuple = sctp_print_tuple,
878 .print_conntrack = sctp_print_conntrack,
879 .packet = sctp_packet,
880 .get_timeouts = sctp_get_timeouts,
881 .new = sctp_new,
882 .error = sctp_error,
883 .me = THIS_MODULE,
884#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
885 .to_nlattr = sctp_to_nlattr,
886 .nlattr_size = sctp_nlattr_size,
887 .from_nlattr = nlattr_to_sctp,
888 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
889 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
890 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
891 .nla_policy = nf_ct_port_nla_policy,
892#endif
893#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
894 .ctnl_timeout = {
895 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
896 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
897 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
898 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
899 .nla_policy = sctp_timeout_nla_policy,
900 },
901#endif
902 .init_net = sctp_init_net,
903 .get_net_proto = sctp_get_net_proto,
904};
905EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
906
907struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
908 .l3proto = PF_INET6,
909 .l4proto = IPPROTO_SCTP,
910 .name = "sctp",
911 .pkt_to_tuple = sctp_pkt_to_tuple,
912 .invert_tuple = sctp_invert_tuple,
913 .print_tuple = sctp_print_tuple,
914 .print_conntrack = sctp_print_conntrack,
915 .packet = sctp_packet,
916 .get_timeouts = sctp_get_timeouts,
917 .new = sctp_new,
918 .error = sctp_error,
919 .me = THIS_MODULE,
920#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
921 .to_nlattr = sctp_to_nlattr,
922 .nlattr_size = sctp_nlattr_size,
923 .from_nlattr = nlattr_to_sctp,
924 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
925 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
926 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
927 .nla_policy = nf_ct_port_nla_policy,
928#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
929 .ctnl_timeout = {
930 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
931 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
932 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
933 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
934 .nla_policy = sctp_timeout_nla_policy,
935 },
936#endif
937#endif
938 .init_net = sctp_init_net,
939 .get_net_proto = sctp_get_net_proto,
940};
941EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
942