LXR linux/net/netfilter/nf_conntrack_proto

   1/*
   2 * Connection tracking protocol helper module for SCTP.
   3 *
   4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
   5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
   6 *
   7 * SCTP is defined in RFC 2960. References to various sections in this code
   8 * are to this RFC.
   9 *
  10 * This program is free software; you can redistribute it and/or modify
  11 * it under the terms of the GNU General Public License version 2 as
  12 * published by the Free Software Foundation.
  13 */
  14
  15#include <linux/types.h>
  16#include <linux/timer.h>
  17#include <linux/netfilter.h>
  18#include <linux/in.h>
  19#include <linux/ip.h>
  20#include <linux/sctp.h>
  21#include <linux/string.h>
  22#include <linux/seq_file.h>
  23#include <linux/spinlock.h>
  24#include <linux/interrupt.h>
  25
  26#include <net/netfilter/nf_conntrack.h>
  27#include <net/netfilter/nf_conntrack_l4proto.h>
  28#include <net/netfilter/nf_conntrack_ecache.h>
  29
  30/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
  31   closely.  They're more complex. --RR
  32
  33   And so for me for SCTP :D -Kiran */
  34
  35static const char *const sctp_conntrack_names[] = {
  36        "NONE",
  37        "CLOSED",
  38        "COOKIE_WAIT",
  39        "COOKIE_ECHOED",
  40        "ESTABLISHED",
  41        "SHUTDOWN_SENT",
  42        "SHUTDOWN_RECD",
  43        "SHUTDOWN_ACK_SENT",
  44        "HEARTBEAT_SENT",
  45        "HEARTBEAT_ACKED",
  46};
  47
  48#define SECS  * HZ
  49#define MINS  * 60 SECS
  50#define HOURS * 60 MINS
  51#define DAYS  * 24 HOURS
  52
  53static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
  54        [SCTP_CONNTRACK_CLOSED]                 = 10 SECS,
  55        [SCTP_CONNTRACK_COOKIE_WAIT]            = 3 SECS,
  56        [SCTP_CONNTRACK_COOKIE_ECHOED]          = 3 SECS,
  57        [SCTP_CONNTRACK_ESTABLISHED]            = 5 DAYS,
  58        [SCTP_CONNTRACK_SHUTDOWN_SENT]          = 300 SECS / 1000,
  59        [SCTP_CONNTRACK_SHUTDOWN_RECD]          = 300 SECS / 1000,
  60        [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT]      = 3 SECS,
  61        [SCTP_CONNTRACK_HEARTBEAT_SENT]         = 30 SECS,
  62        [SCTP_CONNTRACK_HEARTBEAT_ACKED]        = 210 SECS,
  63};
  64
  65#define sNO SCTP_CONNTRACK_NONE
  66#define sCL SCTP_CONNTRACK_CLOSED
  67#define sCW SCTP_CONNTRACK_COOKIE_WAIT
  68#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
  69#define sES SCTP_CONNTRACK_ESTABLISHED
  70#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
  71#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
  72#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
  73#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
  74#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
  75#define sIV SCTP_CONNTRACK_MAX
  76
  77/*
  78        These are the descriptions of the states:
  79
  80NOTE: These state names are tantalizingly similar to the states of an
  81SCTP endpoint. But the interpretation of the states is a little different,
  82considering that these are the states of the connection and not of an end
  83point. Please note the subtleties. -Kiran
  84
  85NONE              - Nothing so far.
  86COOKIE WAIT       - We have seen an INIT chunk in the original direction, or also
  87                    an INIT_ACK chunk in the reply direction.
  88COOKIE ECHOED     - We have seen a COOKIE_ECHO chunk in the original direction.
  89ESTABLISHED       - We have seen a COOKIE_ACK in the reply direction.
  90SHUTDOWN_SENT     - We have seen a SHUTDOWN chunk in the original direction.
  91SHUTDOWN_RECD     - We have seen a SHUTDOWN chunk in the reply directoin.
  92SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
  93                    to that of the SHUTDOWN chunk.
  94CLOSED            - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
  95                    the SHUTDOWN chunk. Connection is closed.
  96HEARTBEAT_SENT    - We have seen a HEARTBEAT in a new flow.
  97HEARTBEAT_ACKED   - We have seen a HEARTBEAT-ACK in the direction opposite to
  98                    that of the HEARTBEAT chunk. Secondary connection is
  99                    established.
 100*/
 101
 102/* TODO
 103 - I have assumed that the first INIT is in the original direction.
 104 This messes things when an INIT comes in the reply direction in CLOSED
 105 state.
 106 - Check the error type in the reply dir before transitioning from
 107cookie echoed to closed.
 108 - Sec 5.2.4 of RFC 2960
 109 - Full Multi Homing support.
 110*/
 111
 112/* SCTP conntrack state transitions */
 113static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
 114        {
 115/*      ORIGINAL        */
 116/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
 117/* init         */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
 118/* init_ack     */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
 119/* abort        */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
 120/* shutdown     */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
 121/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
 122/* error        */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
 123/* cookie_echo  */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
 124/* cookie_ack   */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
 125/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
 126/* heartbeat    */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
 127/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
 128        },
 129        {
 130/*      REPLY   */
 131/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
 132/* init         */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
 133/* init_ack     */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
 134/* abort        */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
 135/* shutdown     */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
 136/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
 137/* error        */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
 138/* cookie_echo  */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
 139/* cookie_ack   */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
 140/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
 141/* heartbeat    */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
 142/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
 143        }
 144};
 145
 146static inline struct nf_sctp_net *sctp_pernet(struct net *net)
 147{
 148        return &net->ct.nf_ct_proto.sctp;
 149}
 150
 151static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 152                              struct net *net, struct nf_conntrack_tuple *tuple)
 153{
 154        const struct sctphdr *hp;
 155        struct sctphdr _hdr;
 156
 157        /* Actually only need first 4 bytes to get ports. */
 158        hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
 159        if (hp == NULL)
 160                return false;
 161
 162        tuple->src.u.sctp.port = hp->source;
 163        tuple->dst.u.sctp.port = hp->dest;
 164        return true;
 165}
 166
 167static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
 168                              const struct nf_conntrack_tuple *orig)
 169{
 170        tuple->src.u.sctp.port = orig->dst.u.sctp.port;
 171        tuple->dst.u.sctp.port = orig->src.u.sctp.port;
 172        return true;
 173}
 174
 175/* Print out the per-protocol part of the tuple. */
 176static void sctp_print_tuple(struct seq_file *s,
 177                             const struct nf_conntrack_tuple *tuple)
 178{
 179        seq_printf(s, "sport=%hu dport=%hu ",
 180                   ntohs(tuple->src.u.sctp.port),
 181                   ntohs(tuple->dst.u.sctp.port));
 182}
 183
 184/* Print out the private part of the conntrack. */
 185static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
 186{
 187        seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
 188}
 189
 190#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count)     \
 191for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0;        \
 192        (offset) < (skb)->len &&                                        \
 193        ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch)));   \
 194        (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
 195
 196/* Some validity checks to make sure the chunks are fine */
 197static int do_basic_checks(struct nf_conn *ct,
 198                           const struct sk_buff *skb,
 199                           unsigned int dataoff,
 200                           unsigned long *map)
 201{
 202        u_int32_t offset, count;
 203        sctp_chunkhdr_t _sch, *sch;
 204        int flag;
 205
 206        flag = 0;
 207
 208        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 209                pr_debug("Chunk Num: %d  Type: %d\n", count, sch->type);
 210
 211                if (sch->type == SCTP_CID_INIT ||
 212                    sch->type == SCTP_CID_INIT_ACK ||
 213                    sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
 214                        flag = 1;
 215
 216                /*
 217                 * Cookie Ack/Echo chunks not the first OR
 218                 * Init / Init Ack / Shutdown compl chunks not the only chunks
 219                 * OR zero-length.
 220                 */
 221                if (((sch->type == SCTP_CID_COOKIE_ACK ||
 222                      sch->type == SCTP_CID_COOKIE_ECHO ||
 223                      flag) &&
 224                     count != 0) || !sch->length) {
 225                        pr_debug("Basic checks failed\n");
 226                        return 1;
 227                }
 228
 229                if (map)
 230                        set_bit(sch->type, map);
 231        }
 232
 233        pr_debug("Basic checks passed\n");
 234        return count == 0;
 235}
 236
 237static int sctp_new_state(enum ip_conntrack_dir dir,
 238                          enum sctp_conntrack cur_state,
 239                          int chunk_type)
 240{
 241        int i;
 242
 243        pr_debug("Chunk type: %d\n", chunk_type);
 244
 245        switch (chunk_type) {
 246        case SCTP_CID_INIT:
 247                pr_debug("SCTP_CID_INIT\n");
 248                i = 0;
 249                break;
 250        case SCTP_CID_INIT_ACK:
 251                pr_debug("SCTP_CID_INIT_ACK\n");
 252                i = 1;
 253                break;
 254        case SCTP_CID_ABORT:
 255                pr_debug("SCTP_CID_ABORT\n");
 256                i = 2;
 257                break;
 258        case SCTP_CID_SHUTDOWN:
 259                pr_debug("SCTP_CID_SHUTDOWN\n");
 260                i = 3;
 261                break;
 262        case SCTP_CID_SHUTDOWN_ACK:
 263                pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
 264                i = 4;
 265                break;
 266        case SCTP_CID_ERROR:
 267                pr_debug("SCTP_CID_ERROR\n");
 268                i = 5;
 269                break;
 270        case SCTP_CID_COOKIE_ECHO:
 271                pr_debug("SCTP_CID_COOKIE_ECHO\n");
 272                i = 6;
 273                break;
 274        case SCTP_CID_COOKIE_ACK:
 275                pr_debug("SCTP_CID_COOKIE_ACK\n");
 276                i = 7;
 277                break;
 278        case SCTP_CID_SHUTDOWN_COMPLETE:
 279                pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
 280                i = 8;
 281                break;
 282        case SCTP_CID_HEARTBEAT:
 283                pr_debug("SCTP_CID_HEARTBEAT");
 284                i = 9;
 285                break;
 286        case SCTP_CID_HEARTBEAT_ACK:
 287                pr_debug("SCTP_CID_HEARTBEAT_ACK");
 288                i = 10;
 289                break;
 290        default:
 291                /* Other chunks like DATA or SACK do not change the state */
 292                pr_debug("Unknown chunk type, Will stay in %s\n",
 293                         sctp_conntrack_names[cur_state]);
 294                return cur_state;
 295        }
 296
 297        pr_debug("dir: %d   cur_state: %s  chunk_type: %d  new_state: %s\n",
 298                 dir, sctp_conntrack_names[cur_state], chunk_type,
 299                 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
 300
 301        return sctp_conntracks[dir][i][cur_state];
 302}
 303
 304static unsigned int *sctp_get_timeouts(struct net *net)
 305{
 306        return sctp_pernet(net)->timeouts;
 307}
 308
 309/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
 310static int sctp_packet(struct nf_conn *ct,
 311                       const struct sk_buff *skb,
 312                       unsigned int dataoff,
 313                       enum ip_conntrack_info ctinfo,
 314                       u_int8_t pf,
 315                       unsigned int hooknum,
 316                       unsigned int *timeouts)
 317{
 318        enum sctp_conntrack new_state, old_state;
 319        enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 320        const struct sctphdr *sh;
 321        struct sctphdr _sctph;
 322        const struct sctp_chunkhdr *sch;
 323        struct sctp_chunkhdr _sch;
 324        u_int32_t offset, count;
 325        unsigned long map[256 / sizeof(unsigned long)] = { 0 };
 326
 327        sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
 328        if (sh == NULL)
 329                goto out;
 330
 331        if (do_basic_checks(ct, skb, dataoff, map) != 0)
 332                goto out;
 333
 334        /* Check the verification tag (Sec 8.5) */
 335        if (!test_bit(SCTP_CID_INIT, map) &&
 336            !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
 337            !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
 338            !test_bit(SCTP_CID_ABORT, map) &&
 339            !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
 340            !test_bit(SCTP_CID_HEARTBEAT, map) &&
 341            !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
 342            sh->vtag != ct->proto.sctp.vtag[dir]) {
 343                pr_debug("Verification tag check failed\n");
 344                goto out;
 345        }
 346
 347        old_state = new_state = SCTP_CONNTRACK_NONE;
 348        spin_lock_bh(&ct->lock);
 349        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 350                /* Special cases of Verification tag check (Sec 8.5.1) */
 351                if (sch->type == SCTP_CID_INIT) {
 352                        /* Sec 8.5.1 (A) */
 353                        if (sh->vtag != 0)
 354                                goto out_unlock;
 355                } else if (sch->type == SCTP_CID_ABORT) {
 356                        /* Sec 8.5.1 (B) */
 357                        if (sh->vtag != ct->proto.sctp.vtag[dir] &&
 358                            sh->vtag != ct->proto.sctp.vtag[!dir])
 359                                goto out_unlock;
 360                } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
 361                        /* Sec 8.5.1 (C) */
 362                        if (sh->vtag != ct->proto.sctp.vtag[dir] &&
 363                            sh->vtag != ct->proto.sctp.vtag[!dir] &&
 364                            sch->flags & SCTP_CHUNK_FLAG_T)
 365                                goto out_unlock;
 366                } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
 367                        /* Sec 8.5.1 (D) */
 368                        if (sh->vtag != ct->proto.sctp.vtag[dir])
 369                                goto out_unlock;
 370                } else if (sch->type == SCTP_CID_HEARTBEAT ||
 371                           sch->type == SCTP_CID_HEARTBEAT_ACK) {
 372                        if (ct->proto.sctp.vtag[dir] == 0) {
 373                                pr_debug("Setting vtag %x for dir %d\n",
 374                                         sh->vtag, dir);
 375                                ct->proto.sctp.vtag[dir] = sh->vtag;
 376                        } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
 377                                pr_debug("Verification tag check failed\n");
 378                                goto out_unlock;
 379                        }
 380                }
 381
 382                old_state = ct->proto.sctp.state;
 383                new_state = sctp_new_state(dir, old_state, sch->type);
 384
 385                /* Invalid */
 386                if (new_state == SCTP_CONNTRACK_MAX) {
 387                        pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
 388                                 "conntrack=%u\n",
 389                                 dir, sch->type, old_state);
 390                        goto out_unlock;
 391                }
 392
 393                /* If it is an INIT or an INIT ACK note down the vtag */
 394                if (sch->type == SCTP_CID_INIT ||
 395                    sch->type == SCTP_CID_INIT_ACK) {
 396                        sctp_inithdr_t _inithdr, *ih;
 397
 398                        ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
 399                                                sizeof(_inithdr), &_inithdr);
 400                        if (ih == NULL)
 401                                goto out_unlock;
 402                        pr_debug("Setting vtag %x for dir %d\n",
 403                                 ih->init_tag, !dir);
 404                        ct->proto.sctp.vtag[!dir] = ih->init_tag;
 405                }
 406
 407                ct->proto.sctp.state = new_state;
 408                if (old_state != new_state)
 409                        nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
 410        }
 411        spin_unlock_bh(&ct->lock);
 412
 413        nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
 414
 415        if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
 416            dir == IP_CT_DIR_REPLY &&
 417            new_state == SCTP_CONNTRACK_ESTABLISHED) {
 418                pr_debug("Setting assured bit\n");
 419                set_bit(IPS_ASSURED_BIT, &ct->status);
 420                nf_conntrack_event_cache(IPCT_ASSURED, ct);
 421        }
 422
 423        return NF_ACCEPT;
 424
 425out_unlock:
 426        spin_unlock_bh(&ct->lock);
 427out:
 428        return -NF_ACCEPT;
 429}
 430
 431/* Called when a new connection for this protocol found. */
 432static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
 433                     unsigned int dataoff, unsigned int *timeouts)
 434{
 435        enum sctp_conntrack new_state;
 436        const struct sctphdr *sh;
 437        struct sctphdr _sctph;
 438        const struct sctp_chunkhdr *sch;
 439        struct sctp_chunkhdr _sch;
 440        u_int32_t offset, count;
 441        unsigned long map[256 / sizeof(unsigned long)] = { 0 };
 442
 443        sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
 444        if (sh == NULL)
 445                return false;
 446
 447        if (do_basic_checks(ct, skb, dataoff, map) != 0)
 448                return false;
 449
 450        /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
 451        if (test_bit(SCTP_CID_ABORT, map) ||
 452            test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
 453            test_bit(SCTP_CID_COOKIE_ACK, map))
 454                return false;
 455
 456        memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
 457        new_state = SCTP_CONNTRACK_MAX;
 458        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 459                /* Don't need lock here: this conntrack not in circulation yet */
 460                new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
 461                                           SCTP_CONNTRACK_NONE, sch->type);
 462
 463                /* Invalid: delete conntrack */
 464                if (new_state == SCTP_CONNTRACK_NONE ||
 465                    new_state == SCTP_CONNTRACK_MAX) {
 466                        pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
 467                        return false;
 468                }
 469
 470                /* Copy the vtag into the state info */
 471                if (sch->type == SCTP_CID_INIT) {
 472                        if (sh->vtag == 0) {
 473                                sctp_inithdr_t _inithdr, *ih;
 474
 475                                ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
 476                                                        sizeof(_inithdr), &_inithdr);
 477                                if (ih == NULL)
 478                                        return false;
 479
 480                                pr_debug("Setting vtag %x for new conn\n",
 481                                         ih->init_tag);
 482
 483                                ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
 484                                                                ih->init_tag;
 485                        } else {
 486                                /* Sec 8.5.1 (A) */
 487                                return false;
 488                        }
 489                } else if (sch->type == SCTP_CID_HEARTBEAT) {
 490                        pr_debug("Setting vtag %x for secondary conntrack\n",
 491                                 sh->vtag);
 492                        ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
 493                }
 494                /* If it is a shutdown ack OOTB packet, we expect a return
 495                   shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
 496                else {
 497                        pr_debug("Setting vtag %x for new conn OOTB\n",
 498                                 sh->vtag);
 499                        ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
 500                }
 501
 502                ct->proto.sctp.state = new_state;
 503        }
 504
 505        return true;
 506}
 507
 508#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 509
 510#include <linux/netfilter/nfnetlink.h>
 511#include <linux/netfilter/nfnetlink_conntrack.h>
 512
 513static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
 514                          struct nf_conn *ct)
 515{
 516        struct nlattr *nest_parms;
 517
 518        spin_lock_bh(&ct->lock);
 519        nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
 520        if (!nest_parms)
 521                goto nla_put_failure;
 522
 523        if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
 524            nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
 525                         ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
 526            nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
 527                         ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
 528                goto nla_put_failure;
 529
 530        spin_unlock_bh(&ct->lock);
 531
 532        nla_nest_end(skb, nest_parms);
 533
 534        return 0;
 535
 536nla_put_failure:
 537        spin_unlock_bh(&ct->lock);
 538        return -1;
 539}
 540
 541static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
 542        [CTA_PROTOINFO_SCTP_STATE]          = { .type = NLA_U8 },
 543        [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]  = { .type = NLA_U32 },
 544        [CTA_PROTOINFO_SCTP_VTAG_REPLY]     = { .type = NLA_U32 },
 545};
 546
 547static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
 548{
 549        struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
 550        struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
 551        int err;
 552
 553        /* updates may not contain the internal protocol info, skip parsing */
 554        if (!attr)
 555                return 0;
 556
 557        err = nla_parse_nested(tb,
 558                               CTA_PROTOINFO_SCTP_MAX,
 559                               attr,
 560                               sctp_nla_policy);
 561        if (err < 0)
 562                return err;
 563
 564        if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
 565            !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
 566            !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
 567                return -EINVAL;
 568
 569        spin_lock_bh(&ct->lock);
 570        ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
 571        ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
 572                nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
 573        ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
 574                nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
 575        spin_unlock_bh(&ct->lock);
 576
 577        return 0;
 578}
 579
 580static int sctp_nlattr_size(void)
 581{
 582        return nla_total_size(0)        /* CTA_PROTOINFO_SCTP */
 583                + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
 584}
 585#endif
 586
 587#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 588
 589#include <linux/netfilter/nfnetlink.h>
 590#include <linux/netfilter/nfnetlink_cttimeout.h>
 591
 592static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
 593                                      struct net *net, void *data)
 594{
 595        unsigned int *timeouts = data;
 596        struct nf_sctp_net *sn = sctp_pernet(net);
 597        int i;
 598
 599        /* set default SCTP timeouts. */
 600        for (i=0; i<SCTP_CONNTRACK_MAX; i++)
 601                timeouts[i] = sn->timeouts[i];
 602
 603        /* there's a 1:1 mapping between attributes and protocol states. */
 604        for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
 605                if (tb[i]) {
 606                        timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
 607                }
 608        }
 609        return 0;
 610}
 611
 612static int
 613sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
 614{
 615        const unsigned int *timeouts = data;
 616        int i;
 617
 618        for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
 619                if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
 620                        goto nla_put_failure;
 621        }
 622        return 0;
 623
 624nla_put_failure:
 625        return -ENOSPC;
 626}
 627
 628static const struct nla_policy
 629sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
 630        [CTA_TIMEOUT_SCTP_CLOSED]               = { .type = NLA_U32 },
 631        [CTA_TIMEOUT_SCTP_COOKIE_WAIT]          = { .type = NLA_U32 },
 632        [CTA_TIMEOUT_SCTP_COOKIE_ECHOED]        = { .type = NLA_U32 },
 633        [CTA_TIMEOUT_SCTP_ESTABLISHED]          = { .type = NLA_U32 },
 634        [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT]        = { .type = NLA_U32 },
 635        [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD]        = { .type = NLA_U32 },
 636        [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT]    = { .type = NLA_U32 },
 637        [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT]       = { .type = NLA_U32 },
 638        [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED]      = { .type = NLA_U32 },
 639};
 640#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 641
 642
 643#ifdef CONFIG_SYSCTL
 644static struct ctl_table sctp_sysctl_table[] = {
 645        {
 646                .procname       = "nf_conntrack_sctp_timeout_closed",
 647                .maxlen         = sizeof(unsigned int),
 648                .mode           = 0644,
 649                .proc_handler   = proc_dointvec_jiffies,
 650        },
 651        {
 652                .procname       = "nf_conntrack_sctp_timeout_cookie_wait",
 653                .maxlen         = sizeof(unsigned int),
 654                .mode           = 0644,
 655                .proc_handler   = proc_dointvec_jiffies,
 656        },
 657        {
 658                .procname       = "nf_conntrack_sctp_timeout_cookie_echoed",
 659                .maxlen         = sizeof(unsigned int),
 660                .mode           = 0644,
 661                .proc_handler   = proc_dointvec_jiffies,
 662        },
 663        {
 664                .procname       = "nf_conntrack_sctp_timeout_established",
 665                .maxlen         = sizeof(unsigned int),
 666                .mode           = 0644,
 667                .proc_handler   = proc_dointvec_jiffies,
 668        },
 669        {
 670                .procname       = "nf_conntrack_sctp_timeout_shutdown_sent",
 671                .maxlen         = sizeof(unsigned int),
 672                .mode           = 0644,
 673                .proc_handler   = proc_dointvec_jiffies,
 674        },
 675        {
 676                .procname       = "nf_conntrack_sctp_timeout_shutdown_recd",
 677                .maxlen         = sizeof(unsigned int),
 678                .mode           = 0644,
 679                .proc_handler   = proc_dointvec_jiffies,
 680        },
 681        {
 682                .procname       = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
 683                .maxlen         = sizeof(unsigned int),
 684                .mode           = 0644,
 685                .proc_handler   = proc_dointvec_jiffies,
 686        },
 687        {
 688                .procname       = "nf_conntrack_sctp_timeout_heartbeat_sent",
 689                .maxlen         = sizeof(unsigned int),
 690                .mode           = 0644,
 691                .proc_handler   = proc_dointvec_jiffies,
 692        },
 693        {
 694                .procname       = "nf_conntrack_sctp_timeout_heartbeat_acked",
 695                .maxlen         = sizeof(unsigned int),
 696                .mode           = 0644,
 697                .proc_handler   = proc_dointvec_jiffies,
 698        },
 699        { }
 700};
 701#endif
 702
 703static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
 704                                     struct nf_sctp_net *sn)
 705{
 706#ifdef CONFIG_SYSCTL
 707        if (pn->ctl_table)
 708                return 0;
 709
 710        pn->ctl_table = kmemdup(sctp_sysctl_table,
 711                                sizeof(sctp_sysctl_table),
 712                                GFP_KERNEL);
 713        if (!pn->ctl_table)
 714                return -ENOMEM;
 715
 716        pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
 717        pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
 718        pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
 719        pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
 720        pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
 721        pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
 722        pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
 723        pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
 724        pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
 725#endif
 726        return 0;
 727}
 728
 729static int sctp_init_net(struct net *net, u_int16_t proto)
 730{
 731        struct nf_sctp_net *sn = sctp_pernet(net);
 732        struct nf_proto_net *pn = &sn->pn;
 733
 734        if (!pn->users) {
 735                int i;
 736
 737                for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
 738                        sn->timeouts[i] = sctp_timeouts[i];
 739        }
 740
 741        return sctp_kmemdup_sysctl_table(pn, sn);
 742}
 743
 744struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
 745        .l3proto                = PF_INET,
 746        .l4proto                = IPPROTO_SCTP,
 747        .name                   = "sctp",
 748        .pkt_to_tuple           = sctp_pkt_to_tuple,
 749        .invert_tuple           = sctp_invert_tuple,
 750        .print_tuple            = sctp_print_tuple,
 751        .print_conntrack        = sctp_print_conntrack,
 752        .packet                 = sctp_packet,
 753        .get_timeouts           = sctp_get_timeouts,
 754        .new                    = sctp_new,
 755        .me                     = THIS_MODULE,
 756#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 757        .to_nlattr              = sctp_to_nlattr,
 758        .nlattr_size            = sctp_nlattr_size,
 759        .from_nlattr            = nlattr_to_sctp,
 760        .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 761        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 762        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 763        .nla_policy             = nf_ct_port_nla_policy,
 764#endif
 765#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 766        .ctnl_timeout           = {
 767                .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
 768                .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
 769                .nlattr_max     = CTA_TIMEOUT_SCTP_MAX,
 770                .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
 771                .nla_policy     = sctp_timeout_nla_policy,
 772        },
 773#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 774        .init_net               = sctp_init_net,
 775};
 776EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
 777
 778struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
 779        .l3proto                = PF_INET6,
 780        .l4proto                = IPPROTO_SCTP,
 781        .name                   = "sctp",
 782        .pkt_to_tuple           = sctp_pkt_to_tuple,
 783        .invert_tuple           = sctp_invert_tuple,
 784        .print_tuple            = sctp_print_tuple,
 785        .print_conntrack        = sctp_print_conntrack,
 786        .packet                 = sctp_packet,
 787        .get_timeouts           = sctp_get_timeouts,
 788        .new                    = sctp_new,
 789        .me                     = THIS_MODULE,
 790#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 791        .to_nlattr              = sctp_to_nlattr,
 792        .nlattr_size            = sctp_nlattr_size,
 793        .from_nlattr            = nlattr_to_sctp,
 794        .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 795        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 796        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 797        .nla_policy             = nf_ct_port_nla_policy,
 798#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 799        .ctnl_timeout           = {
 800                .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
 801                .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
 802                .nlattr_max     = CTA_TIMEOUT_SCTP_MAX,
 803                .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
 804                .nla_policy     = sctp_timeout_nla_policy,
 805        },
 806#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 807#endif
 808        .init_net               = sctp_init_net,
 809};
 810EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
 811