LXR linux/net/netfilter/nf_conntrack_proto

   1/* (C) 1999-2001 Paul `Rusty' Russell
   2 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
   3 * (C) 2002-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
   4 * (C) 2006-2012 Patrick McHardy <kaber@trash.net>
   5 *
   6 * This program is free software; you can redistribute it and/or modify
   7 * it under the terms of the GNU General Public License version 2 as
   8 * published by the Free Software Foundation.
   9 */
  10
  11#include <linux/types.h>
  12#include <linux/timer.h>
  13#include <linux/module.h>
  14#include <linux/in.h>
  15#include <linux/tcp.h>
  16#include <linux/spinlock.h>
  17#include <linux/skbuff.h>
  18#include <linux/ipv6.h>
  19#include <net/ip6_checksum.h>
  20#include <asm/unaligned.h>
  21
  22#include <net/tcp.h>
  23
  24#include <linux/netfilter.h>
  25#include <linux/netfilter_ipv4.h>
  26#include <linux/netfilter_ipv6.h>
  27#include <net/netfilter/nf_conntrack.h>
  28#include <net/netfilter/nf_conntrack_l4proto.h>
  29#include <net/netfilter/nf_conntrack_ecache.h>
  30#include <net/netfilter/nf_conntrack_seqadj.h>
  31#include <net/netfilter/nf_conntrack_synproxy.h>
  32#include <net/netfilter/nf_conntrack_timeout.h>
  33#include <net/netfilter/nf_log.h>
  34#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
  35#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
  36
  37/* "Be conservative in what you do,
  38    be liberal in what you accept from others."
  39    If it's non-zero, we mark only out of window RST segments as INVALID. */
  40static int nf_ct_tcp_be_liberal __read_mostly = 0;
  41
  42/* If it is set to zero, we disable picking up already established
  43   connections. */
  44static int nf_ct_tcp_loose __read_mostly = 1;
  45
  46/* Max number of the retransmitted packets without receiving an (acceptable)
  47   ACK from the destination. If this number is reached, a shorter timer
  48   will be started. */
  49static int nf_ct_tcp_max_retrans __read_mostly = 3;
  50
  51  /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
  52     closely.  They're more complex. --RR */
  53
  54static const char *const tcp_conntrack_names[] = {
  55        "NONE",
  56        "SYN_SENT",
  57        "SYN_RECV",
  58        "ESTABLISHED",
  59        "FIN_WAIT",
  60        "CLOSE_WAIT",
  61        "LAST_ACK",
  62        "TIME_WAIT",
  63        "CLOSE",
  64        "SYN_SENT2",
  65};
  66
  67#define SECS * HZ
  68#define MINS * 60 SECS
  69#define HOURS * 60 MINS
  70#define DAYS * 24 HOURS
  71
  72static const unsigned int tcp_timeouts[TCP_CONNTRACK_TIMEOUT_MAX] = {
  73        [TCP_CONNTRACK_SYN_SENT]        = 2 MINS,
  74        [TCP_CONNTRACK_SYN_RECV]        = 60 SECS,
  75        [TCP_CONNTRACK_ESTABLISHED]     = 5 DAYS,
  76        [TCP_CONNTRACK_FIN_WAIT]        = 2 MINS,
  77        [TCP_CONNTRACK_CLOSE_WAIT]      = 60 SECS,
  78        [TCP_CONNTRACK_LAST_ACK]        = 30 SECS,
  79        [TCP_CONNTRACK_TIME_WAIT]       = 2 MINS,
  80        [TCP_CONNTRACK_CLOSE]           = 10 SECS,
  81        [TCP_CONNTRACK_SYN_SENT2]       = 2 MINS,
  82/* RFC1122 says the R2 limit should be at least 100 seconds.
  83   Linux uses 15 packets as limit, which corresponds
  84   to ~13-30min depending on RTO. */
  85        [TCP_CONNTRACK_RETRANS]         = 5 MINS,
  86        [TCP_CONNTRACK_UNACK]           = 5 MINS,
  87};
  88
  89#define sNO TCP_CONNTRACK_NONE
  90#define sSS TCP_CONNTRACK_SYN_SENT
  91#define sSR TCP_CONNTRACK_SYN_RECV
  92#define sES TCP_CONNTRACK_ESTABLISHED
  93#define sFW TCP_CONNTRACK_FIN_WAIT
  94#define sCW TCP_CONNTRACK_CLOSE_WAIT
  95#define sLA TCP_CONNTRACK_LAST_ACK
  96#define sTW TCP_CONNTRACK_TIME_WAIT
  97#define sCL TCP_CONNTRACK_CLOSE
  98#define sS2 TCP_CONNTRACK_SYN_SENT2
  99#define sIV TCP_CONNTRACK_MAX
 100#define sIG TCP_CONNTRACK_IGNORE
 101
 102/* What TCP flags are set from RST/SYN/FIN/ACK. */
 103enum tcp_bit_set {
 104        TCP_SYN_SET,
 105        TCP_SYNACK_SET,
 106        TCP_FIN_SET,
 107        TCP_ACK_SET,
 108        TCP_RST_SET,
 109        TCP_NONE_SET,
 110};
 111
 112/*
 113 * The TCP state transition table needs a few words...
 114 *
 115 * We are the man in the middle. All the packets go through us
 116 * but might get lost in transit to the destination.
 117 * It is assumed that the destinations can't receive segments
 118 * we haven't seen.
 119 *
 120 * The checked segment is in window, but our windows are *not*
 121 * equivalent with the ones of the sender/receiver. We always
 122 * try to guess the state of the current sender.
 123 *
 124 * The meaning of the states are:
 125 *
 126 * NONE:        initial state
 127 * SYN_SENT:    SYN-only packet seen
 128 * SYN_SENT2:   SYN-only packet seen from reply dir, simultaneous open
 129 * SYN_RECV:    SYN-ACK packet seen
 130 * ESTABLISHED: ACK packet seen
 131 * FIN_WAIT:    FIN packet seen
 132 * CLOSE_WAIT:  ACK seen (after FIN)
 133 * LAST_ACK:    FIN seen (after FIN)
 134 * TIME_WAIT:   last ACK seen
 135 * CLOSE:       closed connection (RST)
 136 *
 137 * Packets marked as IGNORED (sIG):
 138 *      if they may be either invalid or valid
 139 *      and the receiver may send back a connection
 140 *      closing RST or a SYN/ACK.
 141 *
 142 * Packets marked as INVALID (sIV):
 143 *      if we regard them as truly invalid packets
 144 */
 145static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
 146        {
 147/* ORIGINAL */
 148/*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
 149/*syn*/    { sSS, sSS, sIG, sIG, sIG, sIG, sIG, sSS, sSS, sS2 },
 150/*
 151 *      sNO -> sSS      Initialize a new connection
 152 *      sSS -> sSS      Retransmitted SYN
 153 *      sS2 -> sS2      Late retransmitted SYN
 154 *      sSR -> sIG
 155 *      sES -> sIG      Error: SYNs in window outside the SYN_SENT state
 156 *                      are errors. Receiver will reply with RST
 157 *                      and close the connection.
 158 *                      Or we are not in sync and hold a dead connection.
 159 *      sFW -> sIG
 160 *      sCW -> sIG
 161 *      sLA -> sIG
 162 *      sTW -> sSS      Reopened connection (RFC 1122).
 163 *      sCL -> sSS
 164 */
 165/*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
 166/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
 167/*
 168 *      sNO -> sIV      Too late and no reason to do anything
 169 *      sSS -> sIV      Client can't send SYN and then SYN/ACK
 170 *      sS2 -> sSR      SYN/ACK sent to SYN2 in simultaneous open
 171 *      sSR -> sSR      Late retransmitted SYN/ACK in simultaneous open
 172 *      sES -> sIV      Invalid SYN/ACK packets sent by the client
 173 *      sFW -> sIV
 174 *      sCW -> sIV
 175 *      sLA -> sIV
 176 *      sTW -> sIV
 177 *      sCL -> sIV
 178 */
 179/*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
 180/*fin*/    { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
 181/*
 182 *      sNO -> sIV      Too late and no reason to do anything...
 183 *      sSS -> sIV      Client migth not send FIN in this state:
 184 *                      we enforce waiting for a SYN/ACK reply first.
 185 *      sS2 -> sIV
 186 *      sSR -> sFW      Close started.
 187 *      sES -> sFW
 188 *      sFW -> sLA      FIN seen in both directions, waiting for
 189 *                      the last ACK.
 190 *                      Migth be a retransmitted FIN as well...
 191 *      sCW -> sLA
 192 *      sLA -> sLA      Retransmitted FIN. Remain in the same state.
 193 *      sTW -> sTW
 194 *      sCL -> sCL
 195 */
 196/*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
 197/*ack*/    { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
 198/*
 199 *      sNO -> sES      Assumed.
 200 *      sSS -> sIV      ACK is invalid: we haven't seen a SYN/ACK yet.
 201 *      sS2 -> sIV
 202 *      sSR -> sES      Established state is reached.
 203 *      sES -> sES      :-)
 204 *      sFW -> sCW      Normal close request answered by ACK.
 205 *      sCW -> sCW
 206 *      sLA -> sTW      Last ACK detected (RFC5961 challenged)
 207 *      sTW -> sTW      Retransmitted last ACK. Remain in the same state.
 208 *      sCL -> sCL
 209 */
 210/*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
 211/*rst*/    { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL },
 212/*none*/   { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
 213        },
 214        {
 215/* REPLY */
 216/*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
 217/*syn*/    { sIV, sS2, sIV, sIV, sIV, sIV, sIV, sSS, sIV, sS2 },
 218/*
 219 *      sNO -> sIV      Never reached.
 220 *      sSS -> sS2      Simultaneous open
 221 *      sS2 -> sS2      Retransmitted simultaneous SYN
 222 *      sSR -> sIV      Invalid SYN packets sent by the server
 223 *      sES -> sIV
 224 *      sFW -> sIV
 225 *      sCW -> sIV
 226 *      sLA -> sIV
 227 *      sTW -> sSS      Reopened connection, but server may have switched role
 228 *      sCL -> sIV
 229 */
 230/*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
 231/*synack*/ { sIV, sSR, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
 232/*
 233 *      sSS -> sSR      Standard open.
 234 *      sS2 -> sSR      Simultaneous open
 235 *      sSR -> sIG      Retransmitted SYN/ACK, ignore it.
 236 *      sES -> sIG      Late retransmitted SYN/ACK?
 237 *      sFW -> sIG      Might be SYN/ACK answering ignored SYN
 238 *      sCW -> sIG
 239 *      sLA -> sIG
 240 *      sTW -> sIG
 241 *      sCL -> sIG
 242 */
 243/*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
 244/*fin*/    { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
 245/*
 246 *      sSS -> sIV      Server might not send FIN in this state.
 247 *      sS2 -> sIV
 248 *      sSR -> sFW      Close started.
 249 *      sES -> sFW
 250 *      sFW -> sLA      FIN seen in both directions.
 251 *      sCW -> sLA
 252 *      sLA -> sLA      Retransmitted FIN.
 253 *      sTW -> sTW
 254 *      sCL -> sCL
 255 */
 256/*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
 257/*ack*/    { sIV, sIG, sSR, sES, sCW, sCW, sTW, sTW, sCL, sIG },
 258/*
 259 *      sSS -> sIG      Might be a half-open connection.
 260 *      sS2 -> sIG
 261 *      sSR -> sSR      Might answer late resent SYN.
 262 *      sES -> sES      :-)
 263 *      sFW -> sCW      Normal close request answered by ACK.
 264 *      sCW -> sCW
 265 *      sLA -> sTW      Last ACK detected (RFC5961 challenged)
 266 *      sTW -> sTW      Retransmitted last ACK.
 267 *      sCL -> sCL
 268 */
 269/*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
 270/*rst*/    { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL },
 271/*none*/   { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
 272        }
 273};
 274
 275#ifdef CONFIG_NF_CONNTRACK_PROCFS
 276/* Print out the private part of the conntrack. */
 277static void tcp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
 278{
 279        if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
 280                return;
 281
 282        seq_printf(s, "%s ", tcp_conntrack_names[ct->proto.tcp.state]);
 283}
 284#endif
 285
 286static unsigned int get_conntrack_index(const struct tcphdr *tcph)
 287{
 288        if (tcph->rst) return TCP_RST_SET;
 289        else if (tcph->syn) return (tcph->ack ? TCP_SYNACK_SET : TCP_SYN_SET);
 290        else if (tcph->fin) return TCP_FIN_SET;
 291        else if (tcph->ack) return TCP_ACK_SET;
 292        else return TCP_NONE_SET;
 293}
 294
 295/* TCP connection tracking based on 'Real Stateful TCP Packet Filtering
 296   in IP Filter' by Guido van Rooij.
 297
 298   http://www.sane.nl/events/sane2000/papers.html
 299   http://www.darkart.com/mirrors/www.obfuscation.org/ipf/
 300
 301   The boundaries and the conditions are changed according to RFC793:
 302   the packet must intersect the window (i.e. segments may be
 303   after the right or before the left edge) and thus receivers may ACK
 304   segments after the right edge of the window.
 305
 306        td_maxend = max(sack + max(win,1)) seen in reply packets
 307        td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets
 308        td_maxwin += seq + len - sender.td_maxend
 309                        if seq + len > sender.td_maxend
 310        td_end    = max(seq + len) seen in sent packets
 311
 312   I.   Upper bound for valid data:     seq <= sender.td_maxend
 313   II.  Lower bound for valid data:     seq + len >= sender.td_end - receiver.td_maxwin
 314   III. Upper bound for valid (s)ack:   sack <= receiver.td_end
 315   IV.  Lower bound for valid (s)ack:   sack >= receiver.td_end - MAXACKWINDOW
 316
 317   where sack is the highest right edge of sack block found in the packet
 318   or ack in the case of packet without SACK option.
 319
 320   The upper bound limit for a valid (s)ack is not ignored -
 321   we doesn't have to deal with fragments.
 322*/
 323
 324static inline __u32 segment_seq_plus_len(__u32 seq,
 325                                         size_t len,
 326                                         unsigned int dataoff,
 327                                         const struct tcphdr *tcph)
 328{
 329        /* XXX Should I use payload length field in IP/IPv6 header ?
 330         * - YK */
 331        return (seq + len - dataoff - tcph->doff*4
 332                + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0));
 333}
 334
 335/* Fixme: what about big packets? */
 336#define MAXACKWINCONST                  66000
 337#define MAXACKWINDOW(sender)                                            \
 338        ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin     \
 339                                              : MAXACKWINCONST)
 340
 341/*
 342 * Simplified tcp_parse_options routine from tcp_input.c
 343 */
 344static void tcp_options(const struct sk_buff *skb,
 345                        unsigned int dataoff,
 346                        const struct tcphdr *tcph,
 347                        struct ip_ct_tcp_state *state)
 348{
 349        unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
 350        const unsigned char *ptr;
 351        int length = (tcph->doff*4) - sizeof(struct tcphdr);
 352
 353        if (!length)
 354                return;
 355
 356        ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr),
 357                                 length, buff);
 358        BUG_ON(ptr == NULL);
 359
 360        state->td_scale =
 361        state->flags = 0;
 362
 363        while (length > 0) {
 364                int opcode=*ptr++;
 365                int opsize;
 366
 367                switch (opcode) {
 368                case TCPOPT_EOL:
 369                        return;
 370                case TCPOPT_NOP:        /* Ref: RFC 793 section 3.1 */
 371                        length--;
 372                        continue;
 373                default:
 374                        if (length < 2)
 375                                return;
 376                        opsize=*ptr++;
 377                        if (opsize < 2) /* "silly options" */
 378                                return;
 379                        if (opsize > length)
 380                                return; /* don't parse partial options */
 381
 382                        if (opcode == TCPOPT_SACK_PERM
 383                            && opsize == TCPOLEN_SACK_PERM)
 384                                state->flags |= IP_CT_TCP_FLAG_SACK_PERM;
 385                        else if (opcode == TCPOPT_WINDOW
 386                                 && opsize == TCPOLEN_WINDOW) {
 387                                state->td_scale = *(u_int8_t *)ptr;
 388
 389                                if (state->td_scale > TCP_MAX_WSCALE)
 390                                        state->td_scale = TCP_MAX_WSCALE;
 391
 392                                state->flags |=
 393                                        IP_CT_TCP_FLAG_WINDOW_SCALE;
 394                        }
 395                        ptr += opsize - 2;
 396                        length -= opsize;
 397                }
 398        }
 399}
 400
 401static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
 402                     const struct tcphdr *tcph, __u32 *sack)
 403{
 404        unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
 405        const unsigned char *ptr;
 406        int length = (tcph->doff*4) - sizeof(struct tcphdr);
 407        __u32 tmp;
 408
 409        if (!length)
 410                return;
 411
 412        ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr),
 413                                 length, buff);
 414        BUG_ON(ptr == NULL);
 415
 416        /* Fast path for timestamp-only option */
 417        if (length == TCPOLEN_TSTAMP_ALIGNED
 418            && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24)
 419                                       | (TCPOPT_NOP << 16)
 420                                       | (TCPOPT_TIMESTAMP << 8)
 421                                       | TCPOLEN_TIMESTAMP))
 422                return;
 423
 424        while (length > 0) {
 425                int opcode = *ptr++;
 426                int opsize, i;
 427
 428                switch (opcode) {
 429                case TCPOPT_EOL:
 430                        return;
 431                case TCPOPT_NOP:        /* Ref: RFC 793 section 3.1 */
 432                        length--;
 433                        continue;
 434                default:
 435                        if (length < 2)
 436                                return;
 437                        opsize = *ptr++;
 438                        if (opsize < 2) /* "silly options" */
 439                                return;
 440                        if (opsize > length)
 441                                return; /* don't parse partial options */
 442
 443                        if (opcode == TCPOPT_SACK
 444                            && opsize >= (TCPOLEN_SACK_BASE
 445                                          + TCPOLEN_SACK_PERBLOCK)
 446                            && !((opsize - TCPOLEN_SACK_BASE)
 447                                 % TCPOLEN_SACK_PERBLOCK)) {
 448                                for (i = 0;
 449                                     i < (opsize - TCPOLEN_SACK_BASE);
 450                                     i += TCPOLEN_SACK_PERBLOCK) {
 451                                        tmp = get_unaligned_be32((__be32 *)(ptr+i)+1);
 452
 453                                        if (after(tmp, *sack))
 454                                                *sack = tmp;
 455                                }
 456                                return;
 457                        }
 458                        ptr += opsize - 2;
 459                        length -= opsize;
 460                }
 461        }
 462}
 463
 464static bool tcp_in_window(const struct nf_conn *ct,
 465                          struct ip_ct_tcp *state,
 466                          enum ip_conntrack_dir dir,
 467                          unsigned int index,
 468                          const struct sk_buff *skb,
 469                          unsigned int dataoff,
 470                          const struct tcphdr *tcph)
 471{
 472        struct net *net = nf_ct_net(ct);
 473        struct nf_tcp_net *tn = nf_tcp_pernet(net);
 474        struct ip_ct_tcp_state *sender = &state->seen[dir];
 475        struct ip_ct_tcp_state *receiver = &state->seen[!dir];
 476        const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
 477        __u32 seq, ack, sack, end, win, swin;
 478        u16 win_raw;
 479        s32 receiver_offset;
 480        bool res, in_recv_win;
 481
 482        /*
 483         * Get the required data from the packet.
 484         */
 485        seq = ntohl(tcph->seq);
 486        ack = sack = ntohl(tcph->ack_seq);
 487        win_raw = ntohs(tcph->window);
 488        win = win_raw;
 489        end = segment_seq_plus_len(seq, skb->len, dataoff, tcph);
 490
 491        if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM)
 492                tcp_sack(skb, dataoff, tcph, &sack);
 493
 494        /* Take into account NAT sequence number mangling */
 495        receiver_offset = nf_ct_seq_offset(ct, !dir, ack - 1);
 496        ack -= receiver_offset;
 497        sack -= receiver_offset;
 498
 499        pr_debug("tcp_in_window: START\n");
 500        pr_debug("tcp_in_window: ");
 501        nf_ct_dump_tuple(tuple);
 502        pr_debug("seq=%u ack=%u+(%d) sack=%u+(%d) win=%u end=%u\n",
 503                 seq, ack, receiver_offset, sack, receiver_offset, win, end);
 504        pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
 505                 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
 506                 sender->td_end, sender->td_maxend, sender->td_maxwin,
 507                 sender->td_scale,
 508                 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
 509                 receiver->td_scale);
 510
 511        if (sender->td_maxwin == 0) {
 512                /*
 513                 * Initialize sender data.
 514                 */
 515                if (tcph->syn) {
 516                        /*
 517                         * SYN-ACK in reply to a SYN
 518                         * or SYN from reply direction in simultaneous open.
 519                         */
 520                        sender->td_end =
 521                        sender->td_maxend = end;
 522                        sender->td_maxwin = (win == 0 ? 1 : win);
 523
 524                        tcp_options(skb, dataoff, tcph, sender);
 525                        /*
 526                         * RFC 1323:
 527                         * Both sides must send the Window Scale option
 528                         * to enable window scaling in either direction.
 529                         */
 530                        if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE
 531                              && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE))
 532                                sender->td_scale =
 533                                receiver->td_scale = 0;
 534                        if (!tcph->ack)
 535                                /* Simultaneous open */
 536                                return true;
 537                } else {
 538                        /*
 539                         * We are in the middle of a connection,
 540                         * its history is lost for us.
 541                         * Let's try to use the data from the packet.
 542                         */
 543                        sender->td_end = end;
 544                        swin = win << sender->td_scale;
 545                        sender->td_maxwin = (swin == 0 ? 1 : swin);
 546                        sender->td_maxend = end + sender->td_maxwin;
 547                        /*
 548                         * We haven't seen traffic in the other direction yet
 549                         * but we have to tweak window tracking to pass III
 550                         * and IV until that happens.
 551                         */
 552                        if (receiver->td_maxwin == 0)
 553                                receiver->td_end = receiver->td_maxend = sack;
 554                }
 555        } else if (((state->state == TCP_CONNTRACK_SYN_SENT
 556                     && dir == IP_CT_DIR_ORIGINAL)
 557                   || (state->state == TCP_CONNTRACK_SYN_RECV
 558                     && dir == IP_CT_DIR_REPLY))
 559                   && after(end, sender->td_end)) {
 560                /*
 561                 * RFC 793: "if a TCP is reinitialized ... then it need
 562                 * not wait at all; it must only be sure to use sequence
 563                 * numbers larger than those recently used."
 564                 */
 565                sender->td_end =
 566                sender->td_maxend = end;
 567                sender->td_maxwin = (win == 0 ? 1 : win);
 568
 569                tcp_options(skb, dataoff, tcph, sender);
 570        }
 571
 572        if (!(tcph->ack)) {
 573                /*
 574                 * If there is no ACK, just pretend it was set and OK.
 575                 */
 576                ack = sack = receiver->td_end;
 577        } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) ==
 578                    (TCP_FLAG_ACK|TCP_FLAG_RST))
 579                   && (ack == 0)) {
 580                /*
 581                 * Broken TCP stacks, that set ACK in RST packets as well
 582                 * with zero ack value.
 583                 */
 584                ack = sack = receiver->td_end;
 585        }
 586
 587        if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
 588                /*
 589                 * RST sent answering SYN.
 590                 */
 591                seq = end = sender->td_end;
 592
 593        pr_debug("tcp_in_window: ");
 594        nf_ct_dump_tuple(tuple);
 595        pr_debug("seq=%u ack=%u+(%d) sack=%u+(%d) win=%u end=%u\n",
 596                 seq, ack, receiver_offset, sack, receiver_offset, win, end);
 597        pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
 598                 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
 599                 sender->td_end, sender->td_maxend, sender->td_maxwin,
 600                 sender->td_scale,
 601                 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
 602                 receiver->td_scale);
 603
 604        /* Is the ending sequence in the receive window (if available)? */
 605        in_recv_win = !receiver->td_maxwin ||
 606                      after(end, sender->td_end - receiver->td_maxwin - 1);
 607
 608        pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
 609                 before(seq, sender->td_maxend + 1),
 610                 (in_recv_win ? 1 : 0),
 611                 before(sack, receiver->td_end + 1),
 612                 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
 613
 614        if (before(seq, sender->td_maxend + 1) &&
 615            in_recv_win &&
 616            before(sack, receiver->td_end + 1) &&
 617            after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
 618                /*
 619                 * Take into account window scaling (RFC 1323).
 620                 */
 621                if (!tcph->syn)
 622                        win <<= sender->td_scale;
 623
 624                /*
 625                 * Update sender data.
 626                 */
 627                swin = win + (sack - ack);
 628                if (sender->td_maxwin < swin)
 629                        sender->td_maxwin = swin;
 630                if (after(end, sender->td_end)) {
 631                        sender->td_end = end;
 632                        sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
 633                }
 634                if (tcph->ack) {
 635                        if (!(sender->flags & IP_CT_TCP_FLAG_MAXACK_SET)) {
 636                                sender->td_maxack = ack;
 637                                sender->flags |= IP_CT_TCP_FLAG_MAXACK_SET;
 638                        } else if (after(ack, sender->td_maxack))
 639                                sender->td_maxack = ack;
 640                }
 641
 642                /*
 643                 * Update receiver data.
 644                 */
 645                if (receiver->td_maxwin != 0 && after(end, sender->td_maxend))
 646                        receiver->td_maxwin += end - sender->td_maxend;
 647                if (after(sack + win, receiver->td_maxend - 1)) {
 648                        receiver->td_maxend = sack + win;
 649                        if (win == 0)
 650                                receiver->td_maxend++;
 651                }
 652                if (ack == receiver->td_end)
 653                        receiver->flags &= ~IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
 654
 655                /*
 656                 * Check retransmissions.
 657                 */
 658                if (index == TCP_ACK_SET) {
 659                        if (state->last_dir == dir
 660                            && state->last_seq == seq
 661                            && state->last_ack == ack
 662                            && state->last_end == end
 663                            && state->last_win == win_raw)
 664                                state->retrans++;
 665                        else {
 666                                state->last_dir = dir;
 667                                state->last_seq = seq;
 668                                state->last_ack = ack;
 669                                state->last_end = end;
 670                                state->last_win = win_raw;
 671                                state->retrans = 0;
 672                        }
 673                }
 674                res = true;
 675        } else {
 676                res = false;
 677                if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL ||
 678                    tn->tcp_be_liberal)
 679                        res = true;
 680                if (!res) {
 681                        nf_ct_l4proto_log_invalid(skb, ct,
 682                        "%s",
 683                        before(seq, sender->td_maxend + 1) ?
 684                        in_recv_win ?
 685                        before(sack, receiver->td_end + 1) ?
 686                        after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1) ? "BUG"
 687                        : "ACK is under the lower bound (possible overly delayed ACK)"
 688                        : "ACK is over the upper bound (ACKed data not seen yet)"
 689                        : "SEQ is under the lower bound (already ACKed data retransmitted)"
 690                        : "SEQ is over the upper bound (over the window of the receiver)");
 691                }
 692        }
 693
 694        pr_debug("tcp_in_window: res=%u sender end=%u maxend=%u maxwin=%u "
 695                 "receiver end=%u maxend=%u maxwin=%u\n",
 696                 res, sender->td_end, sender->td_maxend, sender->td_maxwin,
 697                 receiver->td_end, receiver->td_maxend, receiver->td_maxwin);
 698
 699        return res;
 700}
 701
 702/* table of valid flag combinations - PUSH, ECE and CWR are always valid */
 703static const u8 tcp_valid_flags[(TCPHDR_FIN|TCPHDR_SYN|TCPHDR_RST|TCPHDR_ACK|
 704                                 TCPHDR_URG) + 1] =
 705{
 706        [TCPHDR_SYN]                            = 1,
 707        [TCPHDR_SYN|TCPHDR_URG]                 = 1,
 708        [TCPHDR_SYN|TCPHDR_ACK]                 = 1,
 709        [TCPHDR_RST]                            = 1,
 710        [TCPHDR_RST|TCPHDR_ACK]                 = 1,
 711        [TCPHDR_FIN|TCPHDR_ACK]                 = 1,
 712        [TCPHDR_FIN|TCPHDR_ACK|TCPHDR_URG]      = 1,
 713        [TCPHDR_ACK]                            = 1,
 714        [TCPHDR_ACK|TCPHDR_URG]                 = 1,
 715};
 716
 717static void tcp_error_log(const struct sk_buff *skb,
 718                          const struct nf_hook_state *state,
 719                          const char *msg)
 720{
 721        nf_l4proto_log_invalid(skb, state->net, state->pf, IPPROTO_TCP, "%s", msg);
 722}
 723
 724/* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c.  */
 725static bool tcp_error(const struct tcphdr *th,
 726                      struct sk_buff *skb,
 727                      unsigned int dataoff,
 728                      const struct nf_hook_state *state)
 729{
 730        unsigned int tcplen = skb->len - dataoff;
 731        u8 tcpflags;
 732
 733        /* Not whole TCP header or malformed packet */
 734        if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) {
 735                tcp_error_log(skb, state, "truncated packet");
 736                return true;
 737        }
 738
 739        /* Checksum invalid? Ignore.
 740         * We skip checking packets on the outgoing path
 741         * because the checksum is assumed to be correct.
 742         */
 743        /* FIXME: Source route IP option packets --RR */
 744        if (state->net->ct.sysctl_checksum &&
 745            state->hook == NF_INET_PRE_ROUTING &&
 746            nf_checksum(skb, state->hook, dataoff, IPPROTO_TCP, state->pf)) {
 747                tcp_error_log(skb, state, "bad checksum");
 748                return true;
 749        }
 750
 751        /* Check TCP flags. */
 752        tcpflags = (tcp_flag_byte(th) & ~(TCPHDR_ECE|TCPHDR_CWR|TCPHDR_PSH));
 753        if (!tcp_valid_flags[tcpflags]) {
 754                tcp_error_log(skb, state, "invalid tcp flag combination");
 755                return true;
 756        }
 757
 758        return false;
 759}
 760
 761static noinline bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
 762                             unsigned int dataoff,
 763                             const struct tcphdr *th)
 764{
 765        enum tcp_conntrack new_state;
 766        struct net *net = nf_ct_net(ct);
 767        const struct nf_tcp_net *tn = nf_tcp_pernet(net);
 768        const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
 769        const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
 770
 771        /* Don't need lock here: this conntrack not in circulation yet */
 772        new_state = tcp_conntracks[0][get_conntrack_index(th)][TCP_CONNTRACK_NONE];
 773
 774        /* Invalid: delete conntrack */
 775        if (new_state >= TCP_CONNTRACK_MAX) {
 776                pr_debug("nf_ct_tcp: invalid new deleting.\n");
 777                return false;
 778        }
 779
 780        if (new_state == TCP_CONNTRACK_SYN_SENT) {
 781                memset(&ct->proto.tcp, 0, sizeof(ct->proto.tcp));
 782                /* SYN packet */
 783                ct->proto.tcp.seen[0].td_end =
 784                        segment_seq_plus_len(ntohl(th->seq), skb->len,
 785                                             dataoff, th);
 786                ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
 787                if (ct->proto.tcp.seen[0].td_maxwin == 0)
 788                        ct->proto.tcp.seen[0].td_maxwin = 1;
 789                ct->proto.tcp.seen[0].td_maxend =
 790                        ct->proto.tcp.seen[0].td_end;
 791
 792                tcp_options(skb, dataoff, th, &ct->proto.tcp.seen[0]);
 793        } else if (tn->tcp_loose == 0) {
 794                /* Don't try to pick up connections. */
 795                return false;
 796        } else {
 797                memset(&ct->proto.tcp, 0, sizeof(ct->proto.tcp));
 798                /*
 799                 * We are in the middle of a connection,
 800                 * its history is lost for us.
 801                 * Let's try to use the data from the packet.
 802                 */
 803                ct->proto.tcp.seen[0].td_end =
 804                        segment_seq_plus_len(ntohl(th->seq), skb->len,
 805                                             dataoff, th);
 806                ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
 807                if (ct->proto.tcp.seen[0].td_maxwin == 0)
 808                        ct->proto.tcp.seen[0].td_maxwin = 1;
 809                ct->proto.tcp.seen[0].td_maxend =
 810                        ct->proto.tcp.seen[0].td_end +
 811                        ct->proto.tcp.seen[0].td_maxwin;
 812
 813                /* We assume SACK and liberal window checking to handle
 814                 * window scaling */
 815                ct->proto.tcp.seen[0].flags =
 816                ct->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM |
 817                                              IP_CT_TCP_FLAG_BE_LIBERAL;
 818        }
 819
 820        /* tcp_packet will set them */
 821        ct->proto.tcp.last_index = TCP_NONE_SET;
 822
 823        pr_debug("%s: sender end=%u maxend=%u maxwin=%u scale=%i "
 824                 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
 825                 __func__,
 826                 sender->td_end, sender->td_maxend, sender->td_maxwin,
 827                 sender->td_scale,
 828                 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
 829                 receiver->td_scale);
 830        return true;
 831}
 832
 833/* Returns verdict for packet, or -1 for invalid. */
 834int nf_conntrack_tcp_packet(struct nf_conn *ct,
 835                            struct sk_buff *skb,
 836                            unsigned int dataoff,
 837                            enum ip_conntrack_info ctinfo,
 838                            const struct nf_hook_state *state)
 839{
 840        struct net *net = nf_ct_net(ct);
 841        struct nf_tcp_net *tn = nf_tcp_pernet(net);
 842        struct nf_conntrack_tuple *tuple;
 843        enum tcp_conntrack new_state, old_state;
 844        unsigned int index, *timeouts;
 845        enum ip_conntrack_dir dir;
 846        const struct tcphdr *th;
 847        struct tcphdr _tcph;
 848        unsigned long timeout;
 849
 850        th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
 851        if (th == NULL)
 852                return -NF_ACCEPT;
 853
 854        if (tcp_error(th, skb, dataoff, state))
 855                return -NF_ACCEPT;
 856
 857        if (!nf_ct_is_confirmed(ct) && !tcp_new(ct, skb, dataoff, th))
 858                return -NF_ACCEPT;
 859
 860        spin_lock_bh(&ct->lock);
 861        old_state = ct->proto.tcp.state;
 862        dir = CTINFO2DIR(ctinfo);
 863        index = get_conntrack_index(th);
 864        new_state = tcp_conntracks[dir][index][old_state];
 865        tuple = &ct->tuplehash[dir].tuple;
 866
 867        switch (new_state) {
 868        case TCP_CONNTRACK_SYN_SENT:
 869                if (old_state < TCP_CONNTRACK_TIME_WAIT)
 870                        break;
 871                /* RFC 1122: "When a connection is closed actively,
 872                 * it MUST linger in TIME-WAIT state for a time 2xMSL
 873                 * (Maximum Segment Lifetime). However, it MAY accept
 874                 * a new SYN from the remote TCP to reopen the connection
 875                 * directly from TIME-WAIT state, if..."
 876                 * We ignore the conditions because we are in the
 877                 * TIME-WAIT state anyway.
 878                 *
 879                 * Handle aborted connections: we and the server
 880                 * think there is an existing connection but the client
 881                 * aborts it and starts a new one.
 882                 */
 883                if (((ct->proto.tcp.seen[dir].flags
 884                      | ct->proto.tcp.seen[!dir].flags)
 885                     & IP_CT_TCP_FLAG_CLOSE_INIT)
 886                    || (ct->proto.tcp.last_dir == dir
 887                        && ct->proto.tcp.last_index == TCP_RST_SET)) {
 888                        /* Attempt to reopen a closed/aborted connection.
 889                         * Delete this connection and look up again. */
 890                        spin_unlock_bh(&ct->lock);
 891
 892                        /* Only repeat if we can actually remove the timer.
 893                         * Destruction may already be in progress in process
 894                         * context and we must give it a chance to terminate.
 895                         */
 896                        if (nf_ct_kill(ct))
 897                                return -NF_REPEAT;
 898                        return NF_DROP;
 899                }
 900                /* Fall through */
 901        case TCP_CONNTRACK_IGNORE:
 902                /* Ignored packets:
 903                 *
 904                 * Our connection entry may be out of sync, so ignore
 905                 * packets which may signal the real connection between
 906                 * the client and the server.
 907                 *
 908                 * a) SYN in ORIGINAL
 909                 * b) SYN/ACK in REPLY
 910                 * c) ACK in reply direction after initial SYN in original.
 911                 *
 912                 * If the ignored packet is invalid, the receiver will send
 913                 * a RST we'll catch below.
 914                 */
 915                if (index == TCP_SYNACK_SET
 916                    && ct->proto.tcp.last_index == TCP_SYN_SET
 917                    && ct->proto.tcp.last_dir != dir
 918                    && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
 919                        /* b) This SYN/ACK acknowledges a SYN that we earlier
 920                         * ignored as invalid. This means that the client and
 921                         * the server are both in sync, while the firewall is
 922                         * not. We get in sync from the previously annotated
 923                         * values.
 924                         */
 925                        old_state = TCP_CONNTRACK_SYN_SENT;
 926                        new_state = TCP_CONNTRACK_SYN_RECV;
 927                        ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_end =
 928                                ct->proto.tcp.last_end;
 929                        ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxend =
 930                                ct->proto.tcp.last_end;
 931                        ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxwin =
 932                                ct->proto.tcp.last_win == 0 ?
 933                                        1 : ct->proto.tcp.last_win;
 934                        ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale =
 935                                ct->proto.tcp.last_wscale;
 936                        ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
 937                        ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
 938                                ct->proto.tcp.last_flags;
 939                        memset(&ct->proto.tcp.seen[dir], 0,
 940                               sizeof(struct ip_ct_tcp_state));
 941                        break;
 942                }
 943                ct->proto.tcp.last_index = index;
 944                ct->proto.tcp.last_dir = dir;
 945                ct->proto.tcp.last_seq = ntohl(th->seq);
 946                ct->proto.tcp.last_end =
 947                    segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th);
 948                ct->proto.tcp.last_win = ntohs(th->window);
 949
 950                /* a) This is a SYN in ORIGINAL. The client and the server
 951                 * may be in sync but we are not. In that case, we annotate
 952                 * the TCP options and let the packet go through. If it is a
 953                 * valid SYN packet, the server will reply with a SYN/ACK, and
 954                 * then we'll get in sync. Otherwise, the server potentially
 955                 * responds with a challenge ACK if implementing RFC5961.
 956                 */
 957                if (index == TCP_SYN_SET && dir == IP_CT_DIR_ORIGINAL) {
 958                        struct ip_ct_tcp_state seen = {};
 959
 960                        ct->proto.tcp.last_flags =
 961                        ct->proto.tcp.last_wscale = 0;
 962                        tcp_options(skb, dataoff, th, &seen);
 963                        if (seen.flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
 964                                ct->proto.tcp.last_flags |=
 965                                        IP_CT_TCP_FLAG_WINDOW_SCALE;
 966                                ct->proto.tcp.last_wscale = seen.td_scale;
 967                        }
 968                        if (seen.flags & IP_CT_TCP_FLAG_SACK_PERM) {
 969                                ct->proto.tcp.last_flags |=
 970                                        IP_CT_TCP_FLAG_SACK_PERM;
 971                        }
 972                        /* Mark the potential for RFC5961 challenge ACK,
 973                         * this pose a special problem for LAST_ACK state
 974                         * as ACK is intrepretated as ACKing last FIN.
 975                         */
 976                        if (old_state == TCP_CONNTRACK_LAST_ACK)
 977                                ct->proto.tcp.last_flags |=
 978                                        IP_CT_EXP_CHALLENGE_ACK;
 979                }
 980                spin_unlock_bh(&ct->lock);
 981                nf_ct_l4proto_log_invalid(skb, ct, "invalid packet ignored in "
 982                                          "state %s ", tcp_conntrack_names[old_state]);
 983                return NF_ACCEPT;
 984        case TCP_CONNTRACK_MAX:
 985                /* Special case for SYN proxy: when the SYN to the server or
 986                 * the SYN/ACK from the server is lost, the client may transmit
 987                 * a keep-alive packet while in SYN_SENT state. This needs to
 988                 * be associated with the original conntrack entry in order to
 989                 * generate a new SYN with the correct sequence number.
 990                 */
 991                if (nfct_synproxy(ct) && old_state == TCP_CONNTRACK_SYN_SENT &&
 992                    index == TCP_ACK_SET && dir == IP_CT_DIR_ORIGINAL &&
 993                    ct->proto.tcp.last_dir == IP_CT_DIR_ORIGINAL &&
 994                    ct->proto.tcp.seen[dir].td_end - 1 == ntohl(th->seq)) {
 995                        pr_debug("nf_ct_tcp: SYN proxy client keep alive\n");
 996                        spin_unlock_bh(&ct->lock);
 997                        return NF_ACCEPT;
 998                }
 999
1000                /* Invalid packet */

1001                pr_debug("nf_ct_tcp: Invalid dir=%i index=%u ostate=%u\n",
1002                         dir, get_conntrack_index(th), old_state);
1003                spin_unlock_bh(&ct->lock);
1004                nf_ct_l4proto_log_invalid(skb, ct, "invalid state");
1005                return -NF_ACCEPT;
1006        case TCP_CONNTRACK_TIME_WAIT:
1007                /* RFC5961 compliance cause stack to send "challenge-ACK"
1008                 * e.g. in response to spurious SYNs.  Conntrack MUST
1009                 * not believe this ACK is acking last FIN.
1010                 */
1011                if (old_state == TCP_CONNTRACK_LAST_ACK &&
1012                    index == TCP_ACK_SET &&
1013                    ct->proto.tcp.last_dir != dir &&
1014                    ct->proto.tcp.last_index == TCP_SYN_SET &&
1015                    (ct->proto.tcp.last_flags & IP_CT_EXP_CHALLENGE_ACK)) {
1016                        /* Detected RFC5961 challenge ACK */
1017                        ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
1018                        spin_unlock_bh(&ct->lock);
1019                        nf_ct_l4proto_log_invalid(skb, ct, "challenge-ack ignored");
1020                        return NF_ACCEPT; /* Don't change state */
1021                }
1022                break;
1023        case TCP_CONNTRACK_SYN_SENT2:
1024                /* tcp_conntracks table is not smart enough to handle
1025                 * simultaneous open.
1026                 */
1027                ct->proto.tcp.last_flags |= IP_CT_TCP_SIMULTANEOUS_OPEN;
1028                break;
1029        case TCP_CONNTRACK_SYN_RECV:
1030                if (dir == IP_CT_DIR_REPLY && index == TCP_ACK_SET &&
1031                    ct->proto.tcp.last_flags & IP_CT_TCP_SIMULTANEOUS_OPEN)
1032                        new_state = TCP_CONNTRACK_ESTABLISHED;
1033                break;
1034        case TCP_CONNTRACK_CLOSE:
1035                if (index == TCP_RST_SET
1036                    && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
1037                    && before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)) {
1038                        /* Invalid RST  */
1039                        spin_unlock_bh(&ct->lock);
1040                        nf_ct_l4proto_log_invalid(skb, ct, "invalid rst");
1041                        return -NF_ACCEPT;
1042                }
1043                if (index == TCP_RST_SET
1044                    && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
1045                         && ct->proto.tcp.last_index == TCP_SYN_SET)
1046                        || (!test_bit(IPS_ASSURED_BIT, &ct->status)
1047                            && ct->proto.tcp.last_index == TCP_ACK_SET))
1048                    && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
1049                        /* RST sent to invalid SYN or ACK we had let through
1050                         * at a) and c) above:
1051                         *
1052                         * a) SYN was in window then
1053                         * c) we hold a half-open connection.
1054                         *
1055                         * Delete our connection entry.
1056                         * We skip window checking, because packet might ACK
1057                         * segments we ignored. */
1058                        goto in_window;
1059                }
1060                /* Just fall through */
1061        default:
1062                /* Keep compilers happy. */
1063                break;
1064        }
1065
1066        if (!tcp_in_window(ct, &ct->proto.tcp, dir, index,
1067                           skb, dataoff, th)) {
1068                spin_unlock_bh(&ct->lock);
1069                return -NF_ACCEPT;
1070        }
1071     in_window:
1072        /* From now on we have got in-window packets */
1073        ct->proto.tcp.last_index = index;
1074        ct->proto.tcp.last_dir = dir;
1075
1076        pr_debug("tcp_conntracks: ");
1077        nf_ct_dump_tuple(tuple);
1078        pr_debug("syn=%i ack=%i fin=%i rst=%i old=%i new=%i\n",
1079                 (th->syn ? 1 : 0), (th->ack ? 1 : 0),
1080                 (th->fin ? 1 : 0), (th->rst ? 1 : 0),
1081                 old_state, new_state);
1082
1083        ct->proto.tcp.state = new_state;
1084        if (old_state != new_state
1085            && new_state == TCP_CONNTRACK_FIN_WAIT)
1086                ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
1087
1088        timeouts = nf_ct_timeout_lookup(ct);
1089        if (!timeouts)
1090                timeouts = tn->timeouts;
1091
1092        if (ct->proto.tcp.retrans >= tn->tcp_max_retrans &&
1093            timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
1094                timeout = timeouts[TCP_CONNTRACK_RETRANS];
1095        else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) &
1096                 IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&
1097                 timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK])
1098                timeout = timeouts[TCP_CONNTRACK_UNACK];
1099        else if (ct->proto.tcp.last_win == 0 &&
1100                 timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
1101                timeout = timeouts[TCP_CONNTRACK_RETRANS];
1102        else
1103                timeout = timeouts[new_state];
1104        spin_unlock_bh(&ct->lock);
1105
1106        if (new_state != old_state)
1107                nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
1108
1109        if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
1110                /* If only reply is a RST, we can consider ourselves not to
1111                   have an established connection: this is a fairly common
1112                   problem case, so we can delete the conntrack
1113                   immediately.  --RR */
1114                if (th->rst) {
1115                        nf_ct_kill_acct(ct, ctinfo, skb);
1116                        return NF_ACCEPT;
1117                }
1118                /* ESTABLISHED without SEEN_REPLY, i.e. mid-connection
1119                 * pickup with loose=1. Avoid large ESTABLISHED timeout.
1120                 */
1121                if (new_state == TCP_CONNTRACK_ESTABLISHED &&
1122                    timeout > timeouts[TCP_CONNTRACK_UNACK])
1123                        timeout = timeouts[TCP_CONNTRACK_UNACK];
1124        } else if (!test_bit(IPS_ASSURED_BIT, &ct->status)
1125                   && (old_state == TCP_CONNTRACK_SYN_RECV
1126                       || old_state == TCP_CONNTRACK_ESTABLISHED)
1127                   && new_state == TCP_CONNTRACK_ESTABLISHED) {
1128                /* Set ASSURED if we see see valid ack in ESTABLISHED
1129                   after SYN_RECV or a valid answer for a picked up
1130                   connection. */
1131                set_bit(IPS_ASSURED_BIT, &ct->status);
1132                nf_conntrack_event_cache(IPCT_ASSURED, ct);
1133        }
1134        nf_ct_refresh_acct(ct, ctinfo, skb, timeout);
1135
1136        return NF_ACCEPT;
1137}
1138
1139static bool tcp_can_early_drop(const struct nf_conn *ct)
1140{
1141        switch (ct->proto.tcp.state) {
1142        case TCP_CONNTRACK_FIN_WAIT:
1143        case TCP_CONNTRACK_LAST_ACK:
1144        case TCP_CONNTRACK_TIME_WAIT:
1145        case TCP_CONNTRACK_CLOSE:
1146        case TCP_CONNTRACK_CLOSE_WAIT:
1147                return true;
1148        default:
1149                break;
1150        }
1151
1152        return false;
1153}
1154
1155#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
1156
1157#include <linux/netfilter/nfnetlink.h>
1158#include <linux/netfilter/nfnetlink_conntrack.h>
1159
1160static int tcp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
1161                         struct nf_conn *ct)
1162{
1163        struct nlattr *nest_parms;
1164        struct nf_ct_tcp_flags tmp = {};
1165
1166        spin_lock_bh(&ct->lock);
1167        nest_parms = nla_nest_start(skb, CTA_PROTOINFO_TCP);
1168        if (!nest_parms)
1169                goto nla_put_failure;
1170
1171        if (nla_put_u8(skb, CTA_PROTOINFO_TCP_STATE, ct->proto.tcp.state) ||
1172            nla_put_u8(skb, CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
1173                       ct->proto.tcp.seen[0].td_scale) ||
1174            nla_put_u8(skb, CTA_PROTOINFO_TCP_WSCALE_REPLY,
1175                       ct->proto.tcp.seen[1].td_scale))
1176                goto nla_put_failure;
1177
1178        tmp.flags = ct->proto.tcp.seen[0].flags;
1179        if (nla_put(skb, CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
1180                    sizeof(struct nf_ct_tcp_flags), &tmp))
1181                goto nla_put_failure;
1182
1183        tmp.flags = ct->proto.tcp.seen[1].flags;
1184        if (nla_put(skb, CTA_PROTOINFO_TCP_FLAGS_REPLY,
1185                    sizeof(struct nf_ct_tcp_flags), &tmp))
1186                goto nla_put_failure;
1187        spin_unlock_bh(&ct->lock);
1188
1189        nla_nest_end(skb, nest_parms);
1190
1191        return 0;
1192
1193nla_put_failure:
1194        spin_unlock_bh(&ct->lock);
1195        return -1;
1196}
1197
1198static const struct nla_policy tcp_nla_policy[CTA_PROTOINFO_TCP_MAX+1] = {
1199        [CTA_PROTOINFO_TCP_STATE]           = { .type = NLA_U8 },
1200        [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = { .type = NLA_U8 },
1201        [CTA_PROTOINFO_TCP_WSCALE_REPLY]    = { .type = NLA_U8 },
1202        [CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]  = { .len = sizeof(struct nf_ct_tcp_flags) },
1203        [CTA_PROTOINFO_TCP_FLAGS_REPLY]     = { .len =  sizeof(struct nf_ct_tcp_flags) },
1204};
1205
1206#define TCP_NLATTR_SIZE ( \
1207        NLA_ALIGN(NLA_HDRLEN + 1) + \
1208        NLA_ALIGN(NLA_HDRLEN + 1) + \
1209        NLA_ALIGN(NLA_HDRLEN + sizeof(struct nf_ct_tcp_flags)) + \
1210        NLA_ALIGN(NLA_HDRLEN + sizeof(struct nf_ct_tcp_flags)))
1211
1212static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
1213{
1214        struct nlattr *pattr = cda[CTA_PROTOINFO_TCP];
1215        struct nlattr *tb[CTA_PROTOINFO_TCP_MAX+1];
1216        int err;
1217
1218        /* updates could not contain anything about the private
1219         * protocol info, in that case skip the parsing */
1220        if (!pattr)
1221                return 0;
1222
1223        err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_TCP_MAX, pattr,
1224                                          tcp_nla_policy, NULL);
1225        if (err < 0)
1226                return err;
1227
1228        if (tb[CTA_PROTOINFO_TCP_STATE] &&
1229            nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX)
1230                return -EINVAL;
1231
1232        spin_lock_bh(&ct->lock);
1233        if (tb[CTA_PROTOINFO_TCP_STATE])
1234                ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);
1235
1236        if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]) {
1237                struct nf_ct_tcp_flags *attr =
1238                        nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]);
1239                ct->proto.tcp.seen[0].flags &= ~attr->mask;
1240                ct->proto.tcp.seen[0].flags |= attr->flags & attr->mask;
1241        }
1242
1243        if (tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]) {
1244                struct nf_ct_tcp_flags *attr =
1245                        nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]);
1246                ct->proto.tcp.seen[1].flags &= ~attr->mask;
1247                ct->proto.tcp.seen[1].flags |= attr->flags & attr->mask;
1248        }
1249
1250        if (tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] &&
1251            tb[CTA_PROTOINFO_TCP_WSCALE_REPLY] &&
1252            ct->proto.tcp.seen[0].flags & IP_CT_TCP_FLAG_WINDOW_SCALE &&
1253            ct->proto.tcp.seen[1].flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
1254                ct->proto.tcp.seen[0].td_scale =
1255                        nla_get_u8(tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL]);
1256                ct->proto.tcp.seen[1].td_scale =
1257                        nla_get_u8(tb[CTA_PROTOINFO_TCP_WSCALE_REPLY]);
1258        }
1259        spin_unlock_bh(&ct->lock);
1260
1261        return 0;
1262}
1263
1264static unsigned int tcp_nlattr_tuple_size(void)
1265{
1266        static unsigned int size __read_mostly;
1267
1268        if (!size)
1269                size = nla_policy_len(nf_ct_port_nla_policy, CTA_PROTO_MAX + 1);
1270
1271        return size;
1272}
1273#endif
1274
1275#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
1276
1277#include <linux/netfilter/nfnetlink.h>
1278#include <linux/netfilter/nfnetlink_cttimeout.h>
1279
1280static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[],
1281                                     struct net *net, void *data)
1282{
1283        struct nf_tcp_net *tn = nf_tcp_pernet(net);
1284        unsigned int *timeouts = data;
1285        int i;
1286
1287        if (!timeouts)
1288                timeouts = tn->timeouts;
1289        /* set default TCP timeouts. */
1290        for (i=0; i<TCP_CONNTRACK_TIMEOUT_MAX; i++)
1291                timeouts[i] = tn->timeouts[i];
1292
1293        if (tb[CTA_TIMEOUT_TCP_SYN_SENT]) {
1294                timeouts[TCP_CONNTRACK_SYN_SENT] =
1295                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_SENT]))*HZ;
1296        }
1297
1298        if (tb[CTA_TIMEOUT_TCP_SYN_RECV]) {
1299                timeouts[TCP_CONNTRACK_SYN_RECV] =
1300                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_RECV]))*HZ;
1301        }
1302        if (tb[CTA_TIMEOUT_TCP_ESTABLISHED]) {
1303                timeouts[TCP_CONNTRACK_ESTABLISHED] =
1304                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_ESTABLISHED]))*HZ;
1305        }
1306        if (tb[CTA_TIMEOUT_TCP_FIN_WAIT]) {
1307                timeouts[TCP_CONNTRACK_FIN_WAIT] =
1308                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_FIN_WAIT]))*HZ;
1309        }
1310        if (tb[CTA_TIMEOUT_TCP_CLOSE_WAIT]) {
1311                timeouts[TCP_CONNTRACK_CLOSE_WAIT] =
1312                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_CLOSE_WAIT]))*HZ;
1313        }
1314        if (tb[CTA_TIMEOUT_TCP_LAST_ACK]) {
1315                timeouts[TCP_CONNTRACK_LAST_ACK] =
1316                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_LAST_ACK]))*HZ;
1317        }
1318        if (tb[CTA_TIMEOUT_TCP_TIME_WAIT]) {
1319                timeouts[TCP_CONNTRACK_TIME_WAIT] =
1320                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_TIME_WAIT]))*HZ;
1321        }
1322        if (tb[CTA_TIMEOUT_TCP_CLOSE]) {
1323                timeouts[TCP_CONNTRACK_CLOSE] =
1324                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_CLOSE]))*HZ;
1325        }
1326        if (tb[CTA_TIMEOUT_TCP_SYN_SENT2]) {
1327                timeouts[TCP_CONNTRACK_SYN_SENT2] =
1328                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_SENT2]))*HZ;
1329        }
1330        if (tb[CTA_TIMEOUT_TCP_RETRANS]) {
1331                timeouts[TCP_CONNTRACK_RETRANS] =
1332                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_RETRANS]))*HZ;
1333        }
1334        if (tb[CTA_TIMEOUT_TCP_UNACK]) {
1335                timeouts[TCP_CONNTRACK_UNACK] =
1336                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_UNACK]))*HZ;
1337        }
1338
1339        timeouts[CTA_TIMEOUT_TCP_UNSPEC] = timeouts[CTA_TIMEOUT_TCP_SYN_SENT];
1340        return 0;
1341}
1342
1343static int
1344tcp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
1345{
1346        const unsigned int *timeouts = data;
1347
1348        if (nla_put_be32(skb, CTA_TIMEOUT_TCP_SYN_SENT,
1349                        htonl(timeouts[TCP_CONNTRACK_SYN_SENT] / HZ)) ||
1350            nla_put_be32(skb, CTA_TIMEOUT_TCP_SYN_RECV,
1351                         htonl(timeouts[TCP_CONNTRACK_SYN_RECV] / HZ)) ||
1352            nla_put_be32(skb, CTA_TIMEOUT_TCP_ESTABLISHED,
1353                         htonl(timeouts[TCP_CONNTRACK_ESTABLISHED] / HZ)) ||
1354            nla_put_be32(skb, CTA_TIMEOUT_TCP_FIN_WAIT,
1355                         htonl(timeouts[TCP_CONNTRACK_FIN_WAIT] / HZ)) ||
1356            nla_put_be32(skb, CTA_TIMEOUT_TCP_CLOSE_WAIT,
1357                         htonl(timeouts[TCP_CONNTRACK_CLOSE_WAIT] / HZ)) ||
1358            nla_put_be32(skb, CTA_TIMEOUT_TCP_LAST_ACK,
1359                         htonl(timeouts[TCP_CONNTRACK_LAST_ACK] / HZ)) ||
1360            nla_put_be32(skb, CTA_TIMEOUT_TCP_TIME_WAIT,
1361                         htonl(timeouts[TCP_CONNTRACK_TIME_WAIT] / HZ)) ||
1362            nla_put_be32(skb, CTA_TIMEOUT_TCP_CLOSE,
1363                         htonl(timeouts[TCP_CONNTRACK_CLOSE] / HZ)) ||
1364            nla_put_be32(skb, CTA_TIMEOUT_TCP_SYN_SENT2,
1365                         htonl(timeouts[TCP_CONNTRACK_SYN_SENT2] / HZ)) ||
1366            nla_put_be32(skb, CTA_TIMEOUT_TCP_RETRANS,
1367                         htonl(timeouts[TCP_CONNTRACK_RETRANS] / HZ)) ||
1368            nla_put_be32(skb, CTA_TIMEOUT_TCP_UNACK,
1369                         htonl(timeouts[TCP_CONNTRACK_UNACK] / HZ)))
1370                goto nla_put_failure;
1371        return 0;
1372
1373nla_put_failure:
1374        return -ENOSPC;
1375}
1376
1377static const struct nla_policy tcp_timeout_nla_policy[CTA_TIMEOUT_TCP_MAX+1] = {
1378        [CTA_TIMEOUT_TCP_SYN_SENT]      = { .type = NLA_U32 },
1379        [CTA_TIMEOUT_TCP_SYN_RECV]      = { .type = NLA_U32 },
1380        [CTA_TIMEOUT_TCP_ESTABLISHED]   = { .type = NLA_U32 },
1381        [CTA_TIMEOUT_TCP_FIN_WAIT]      = { .type = NLA_U32 },
1382        [CTA_TIMEOUT_TCP_CLOSE_WAIT]    = { .type = NLA_U32 },
1383        [CTA_TIMEOUT_TCP_LAST_ACK]      = { .type = NLA_U32 },
1384        [CTA_TIMEOUT_TCP_TIME_WAIT]     = { .type = NLA_U32 },
1385        [CTA_TIMEOUT_TCP_CLOSE]         = { .type = NLA_U32 },
1386        [CTA_TIMEOUT_TCP_SYN_SENT2]     = { .type = NLA_U32 },
1387        [CTA_TIMEOUT_TCP_RETRANS]       = { .type = NLA_U32 },
1388        [CTA_TIMEOUT_TCP_UNACK]         = { .type = NLA_U32 },
1389};
1390#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
1391
1392#ifdef CONFIG_SYSCTL
1393static struct ctl_table tcp_sysctl_table[] = {
1394        {
1395                .procname       = "nf_conntrack_tcp_timeout_syn_sent",
1396                .maxlen         = sizeof(unsigned int),
1397                .mode           = 0644,
1398                .proc_handler   = proc_dointvec_jiffies,
1399        },
1400        {
1401                .procname       = "nf_conntrack_tcp_timeout_syn_recv",
1402                .maxlen         = sizeof(unsigned int),
1403                .mode           = 0644,
1404                .proc_handler   = proc_dointvec_jiffies,
1405        },
1406        {
1407                .procname       = "nf_conntrack_tcp_timeout_established",
1408                .maxlen         = sizeof(unsigned int),
1409                .mode           = 0644,
1410                .proc_handler   = proc_dointvec_jiffies,
1411        },
1412        {
1413                .procname       = "nf_conntrack_tcp_timeout_fin_wait",
1414                .maxlen         = sizeof(unsigned int),
1415                .mode           = 0644,
1416                .proc_handler   = proc_dointvec_jiffies,
1417        },
1418        {
1419                .procname       = "nf_conntrack_tcp_timeout_close_wait",
1420                .maxlen         = sizeof(unsigned int),
1421                .mode           = 0644,
1422                .proc_handler   = proc_dointvec_jiffies,
1423        },
1424        {
1425                .procname       = "nf_conntrack_tcp_timeout_last_ack",
1426                .maxlen         = sizeof(unsigned int),
1427                .mode           = 0644,
1428                .proc_handler   = proc_dointvec_jiffies,
1429        },
1430        {
1431                .procname       = "nf_conntrack_tcp_timeout_time_wait",
1432                .maxlen         = sizeof(unsigned int),
1433                .mode           = 0644,
1434                .proc_handler   = proc_dointvec_jiffies,
1435        },
1436        {
1437                .procname       = "nf_conntrack_tcp_timeout_close",
1438                .maxlen         = sizeof(unsigned int),
1439                .mode           = 0644,
1440                .proc_handler   = proc_dointvec_jiffies,
1441        },
1442        {
1443                .procname       = "nf_conntrack_tcp_timeout_max_retrans",
1444                .maxlen         = sizeof(unsigned int),
1445                .mode           = 0644,
1446                .proc_handler   = proc_dointvec_jiffies,
1447        },
1448        {
1449                .procname       = "nf_conntrack_tcp_timeout_unacknowledged",
1450                .maxlen         = sizeof(unsigned int),
1451                .mode           = 0644,
1452                .proc_handler   = proc_dointvec_jiffies,
1453        },
1454        {
1455                .procname       = "nf_conntrack_tcp_loose",
1456                .maxlen         = sizeof(unsigned int),
1457                .mode           = 0644,
1458                .proc_handler   = proc_dointvec,
1459        },
1460        {
1461                .procname       = "nf_conntrack_tcp_be_liberal",
1462                .maxlen         = sizeof(unsigned int),
1463                .mode           = 0644,
1464                .proc_handler   = proc_dointvec,
1465        },
1466        {
1467                .procname       = "nf_conntrack_tcp_max_retrans",
1468                .maxlen         = sizeof(unsigned int),
1469                .mode           = 0644,
1470                .proc_handler   = proc_dointvec,
1471        },
1472        { }
1473};
1474#endif /* CONFIG_SYSCTL */
1475
1476static int tcp_kmemdup_sysctl_table(struct nf_proto_net *pn,
1477                                    struct nf_tcp_net *tn)
1478{
1479#ifdef CONFIG_SYSCTL
1480        if (pn->ctl_table)
1481                return 0;
1482
1483        pn->ctl_table = kmemdup(tcp_sysctl_table,
1484                                sizeof(tcp_sysctl_table),
1485                                GFP_KERNEL);
1486        if (!pn->ctl_table)
1487                return -ENOMEM;
1488
1489        pn->ctl_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
1490        pn->ctl_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
1491        pn->ctl_table[2].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
1492        pn->ctl_table[3].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
1493        pn->ctl_table[4].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
1494        pn->ctl_table[5].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK];
1495        pn->ctl_table[6].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT];
1496        pn->ctl_table[7].data = &tn->timeouts[TCP_CONNTRACK_CLOSE];
1497        pn->ctl_table[8].data = &tn->timeouts[TCP_CONNTRACK_RETRANS];
1498        pn->ctl_table[9].data = &tn->timeouts[TCP_CONNTRACK_UNACK];
1499        pn->ctl_table[10].data = &tn->tcp_loose;
1500        pn->ctl_table[11].data = &tn->tcp_be_liberal;
1501        pn->ctl_table[12].data = &tn->tcp_max_retrans;
1502#endif
1503        return 0;
1504}
1505
1506static int tcp_init_net(struct net *net)
1507{
1508        struct nf_tcp_net *tn = nf_tcp_pernet(net);
1509        struct nf_proto_net *pn = &tn->pn;
1510
1511        if (!pn->users) {
1512                int i;
1513
1514                for (i = 0; i < TCP_CONNTRACK_TIMEOUT_MAX; i++)
1515                        tn->timeouts[i] = tcp_timeouts[i];
1516
1517                /* timeouts[0] is unused, make it same as SYN_SENT so
1518                 * ->timeouts[0] contains 'new' timeout, like udp or icmp.
1519                 */
1520                tn->timeouts[0] = tcp_timeouts[TCP_CONNTRACK_SYN_SENT];
1521                tn->tcp_loose = nf_ct_tcp_loose;
1522                tn->tcp_be_liberal = nf_ct_tcp_be_liberal;
1523                tn->tcp_max_retrans = nf_ct_tcp_max_retrans;
1524        }
1525
1526        return tcp_kmemdup_sysctl_table(pn, tn);
1527}
1528
1529static struct nf_proto_net *tcp_get_net_proto(struct net *net)
1530{
1531        return &net->ct.nf_ct_proto.tcp.pn;
1532}
1533
1534const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp =
1535{
1536        .l4proto                = IPPROTO_TCP,
1537#ifdef CONFIG_NF_CONNTRACK_PROCFS
1538        .print_conntrack        = tcp_print_conntrack,
1539#endif
1540        .can_early_drop         = tcp_can_early_drop,
1541#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
1542        .to_nlattr              = tcp_to_nlattr,
1543        .from_nlattr            = nlattr_to_tcp,
1544        .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
1545        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
1546        .nlattr_tuple_size      = tcp_nlattr_tuple_size,
1547        .nlattr_size            = TCP_NLATTR_SIZE,
1548        .nla_policy             = nf_ct_port_nla_policy,
1549#endif
1550#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
1551        .ctnl_timeout           = {
1552                .nlattr_to_obj  = tcp_timeout_nlattr_to_obj,
1553                .obj_to_nlattr  = tcp_timeout_obj_to_nlattr,
1554                .nlattr_max     = CTA_TIMEOUT_TCP_MAX,
1555                .obj_size       = sizeof(unsigned int) *
1556                                        TCP_CONNTRACK_TIMEOUT_MAX,
1557                .nla_policy     = tcp_timeout_nla_policy,
1558        },
1559#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
1560        .init_net               = tcp_init_net,
1561        .get_net_proto          = tcp_get_net_proto,
1562};
1563