LXR linux/net/netfilter/nf_conntrack_proto

   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * Connection tracking protocol helper module for SCTP.
   4 *
   5 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
   6 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
   7 *
   8 * SCTP is defined in RFC 2960. References to various sections in this code
   9 * are to this RFC.
  10 */
  11
  12#include <linux/types.h>
  13#include <linux/timer.h>
  14#include <linux/netfilter.h>
  15#include <linux/in.h>
  16#include <linux/ip.h>
  17#include <linux/sctp.h>
  18#include <linux/string.h>
  19#include <linux/seq_file.h>
  20#include <linux/spinlock.h>
  21#include <linux/interrupt.h>
  22#include <net/sctp/checksum.h>
  23
  24#include <net/netfilter/nf_log.h>
  25#include <net/netfilter/nf_conntrack.h>
  26#include <net/netfilter/nf_conntrack_l4proto.h>
  27#include <net/netfilter/nf_conntrack_ecache.h>
  28#include <net/netfilter/nf_conntrack_timeout.h>
  29
  30/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
  31   closely.  They're more complex. --RR
  32
  33   And so for me for SCTP :D -Kiran */
  34
  35static const char *const sctp_conntrack_names[] = {
  36        "NONE",
  37        "CLOSED",
  38        "COOKIE_WAIT",
  39        "COOKIE_ECHOED",
  40        "ESTABLISHED",
  41        "SHUTDOWN_SENT",
  42        "SHUTDOWN_RECD",
  43        "SHUTDOWN_ACK_SENT",
  44        "HEARTBEAT_SENT",
  45        "HEARTBEAT_ACKED",
  46};
  47
  48#define SECS  * HZ
  49#define MINS  * 60 SECS
  50#define HOURS * 60 MINS
  51#define DAYS  * 24 HOURS
  52
  53static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = {
  54        [SCTP_CONNTRACK_CLOSED]                 = 10 SECS,
  55        [SCTP_CONNTRACK_COOKIE_WAIT]            = 3 SECS,
  56        [SCTP_CONNTRACK_COOKIE_ECHOED]          = 3 SECS,
  57        [SCTP_CONNTRACK_ESTABLISHED]            = 5 DAYS,
  58        [SCTP_CONNTRACK_SHUTDOWN_SENT]          = 300 SECS / 1000,
  59        [SCTP_CONNTRACK_SHUTDOWN_RECD]          = 300 SECS / 1000,
  60        [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT]      = 3 SECS,
  61        [SCTP_CONNTRACK_HEARTBEAT_SENT]         = 30 SECS,
  62        [SCTP_CONNTRACK_HEARTBEAT_ACKED]        = 210 SECS,
  63};
  64
  65#define sNO SCTP_CONNTRACK_NONE
  66#define sCL SCTP_CONNTRACK_CLOSED
  67#define sCW SCTP_CONNTRACK_COOKIE_WAIT
  68#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
  69#define sES SCTP_CONNTRACK_ESTABLISHED
  70#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
  71#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
  72#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
  73#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
  74#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
  75#define sIV SCTP_CONNTRACK_MAX
  76
  77/*
  78        These are the descriptions of the states:
  79
  80NOTE: These state names are tantalizingly similar to the states of an
  81SCTP endpoint. But the interpretation of the states is a little different,
  82considering that these are the states of the connection and not of an end
  83point. Please note the subtleties. -Kiran
  84
  85NONE              - Nothing so far.
  86COOKIE WAIT       - We have seen an INIT chunk in the original direction, or also
  87                    an INIT_ACK chunk in the reply direction.
  88COOKIE ECHOED     - We have seen a COOKIE_ECHO chunk in the original direction.
  89ESTABLISHED       - We have seen a COOKIE_ACK in the reply direction.
  90SHUTDOWN_SENT     - We have seen a SHUTDOWN chunk in the original direction.
  91SHUTDOWN_RECD     - We have seen a SHUTDOWN chunk in the reply directoin.
  92SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
  93                    to that of the SHUTDOWN chunk.
  94CLOSED            - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
  95                    the SHUTDOWN chunk. Connection is closed.
  96HEARTBEAT_SENT    - We have seen a HEARTBEAT in a new flow.
  97HEARTBEAT_ACKED   - We have seen a HEARTBEAT-ACK in the direction opposite to
  98                    that of the HEARTBEAT chunk. Secondary connection is
  99                    established.
 100*/
 101
 102/* TODO
 103 - I have assumed that the first INIT is in the original direction.
 104 This messes things when an INIT comes in the reply direction in CLOSED
 105 state.
 106 - Check the error type in the reply dir before transitioning from
 107cookie echoed to closed.
 108 - Sec 5.2.4 of RFC 2960
 109 - Full Multi Homing support.
 110*/
 111
 112/* SCTP conntrack state transitions */
 113static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
 114        {
 115/*      ORIGINAL        */
 116/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
 117/* init         */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
 118/* init_ack     */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
 119/* abort        */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
 120/* shutdown     */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
 121/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
 122/* error        */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
 123/* cookie_echo  */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
 124/* cookie_ack   */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
 125/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
 126/* heartbeat    */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
 127/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
 128        },
 129        {
 130/*      REPLY   */
 131/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
 132/* init         */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
 133/* init_ack     */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
 134/* abort        */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
 135/* shutdown     */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
 136/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
 137/* error        */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
 138/* cookie_echo  */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
 139/* cookie_ack   */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
 140/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
 141/* heartbeat    */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
 142/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
 143        }
 144};
 145
 146#ifdef CONFIG_NF_CONNTRACK_PROCFS
 147/* Print out the private part of the conntrack. */
 148static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
 149{
 150        seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
 151}
 152#endif
 153
 154#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count)     \
 155for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0;        \
 156        (offset) < (skb)->len &&                                        \
 157        ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch)));   \
 158        (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
 159
 160/* Some validity checks to make sure the chunks are fine */
 161static int do_basic_checks(struct nf_conn *ct,
 162                           const struct sk_buff *skb,
 163                           unsigned int dataoff,
 164                           unsigned long *map)
 165{
 166        u_int32_t offset, count;
 167        struct sctp_chunkhdr _sch, *sch;
 168        int flag;
 169
 170        flag = 0;
 171
 172        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 173                pr_debug("Chunk Num: %d  Type: %d\n", count, sch->type);
 174
 175                if (sch->type == SCTP_CID_INIT ||
 176                    sch->type == SCTP_CID_INIT_ACK ||
 177                    sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
 178                        flag = 1;
 179
 180                /*
 181                 * Cookie Ack/Echo chunks not the first OR
 182                 * Init / Init Ack / Shutdown compl chunks not the only chunks
 183                 * OR zero-length.
 184                 */
 185                if (((sch->type == SCTP_CID_COOKIE_ACK ||
 186                      sch->type == SCTP_CID_COOKIE_ECHO ||
 187                      flag) &&
 188                     count != 0) || !sch->length) {
 189                        pr_debug("Basic checks failed\n");
 190                        return 1;
 191                }
 192
 193                if (map)
 194                        set_bit(sch->type, map);
 195        }
 196
 197        pr_debug("Basic checks passed\n");
 198        return count == 0;
 199}
 200
 201static int sctp_new_state(enum ip_conntrack_dir dir,
 202                          enum sctp_conntrack cur_state,
 203                          int chunk_type)
 204{
 205        int i;
 206
 207        pr_debug("Chunk type: %d\n", chunk_type);
 208
 209        switch (chunk_type) {
 210        case SCTP_CID_INIT:
 211                pr_debug("SCTP_CID_INIT\n");
 212                i = 0;
 213                break;
 214        case SCTP_CID_INIT_ACK:
 215                pr_debug("SCTP_CID_INIT_ACK\n");
 216                i = 1;
 217                break;
 218        case SCTP_CID_ABORT:
 219                pr_debug("SCTP_CID_ABORT\n");
 220                i = 2;
 221                break;
 222        case SCTP_CID_SHUTDOWN:
 223                pr_debug("SCTP_CID_SHUTDOWN\n");
 224                i = 3;
 225                break;
 226        case SCTP_CID_SHUTDOWN_ACK:
 227                pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
 228                i = 4;
 229                break;
 230        case SCTP_CID_ERROR:
 231                pr_debug("SCTP_CID_ERROR\n");
 232                i = 5;
 233                break;
 234        case SCTP_CID_COOKIE_ECHO:
 235                pr_debug("SCTP_CID_COOKIE_ECHO\n");
 236                i = 6;
 237                break;
 238        case SCTP_CID_COOKIE_ACK:
 239                pr_debug("SCTP_CID_COOKIE_ACK\n");
 240                i = 7;
 241                break;
 242        case SCTP_CID_SHUTDOWN_COMPLETE:
 243                pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
 244                i = 8;
 245                break;
 246        case SCTP_CID_HEARTBEAT:
 247                pr_debug("SCTP_CID_HEARTBEAT");
 248                i = 9;
 249                break;
 250        case SCTP_CID_HEARTBEAT_ACK:
 251                pr_debug("SCTP_CID_HEARTBEAT_ACK");
 252                i = 10;
 253                break;
 254        default:
 255                /* Other chunks like DATA or SACK do not change the state */
 256                pr_debug("Unknown chunk type, Will stay in %s\n",
 257                         sctp_conntrack_names[cur_state]);
 258                return cur_state;
 259        }
 260
 261        pr_debug("dir: %d   cur_state: %s  chunk_type: %d  new_state: %s\n",
 262                 dir, sctp_conntrack_names[cur_state], chunk_type,
 263                 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
 264
 265        return sctp_conntracks[dir][i][cur_state];
 266}
 267
 268/* Don't need lock here: this conntrack not in circulation yet */
 269static noinline bool
 270sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
 271         const struct sctphdr *sh, unsigned int dataoff)
 272{
 273        enum sctp_conntrack new_state;
 274        const struct sctp_chunkhdr *sch;
 275        struct sctp_chunkhdr _sch;
 276        u32 offset, count;
 277
 278        memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
 279        new_state = SCTP_CONNTRACK_MAX;
 280        for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) {
 281                new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
 282                                           SCTP_CONNTRACK_NONE, sch->type);
 283
 284                /* Invalid: delete conntrack */
 285                if (new_state == SCTP_CONNTRACK_NONE ||
 286                    new_state == SCTP_CONNTRACK_MAX) {
 287                        pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
 288                        return false;
 289                }
 290
 291                /* Copy the vtag into the state info */
 292                if (sch->type == SCTP_CID_INIT) {
 293                        struct sctp_inithdr _inithdr, *ih;
 294                        /* Sec 8.5.1 (A) */
 295                        if (sh->vtag)
 296                                return false;
 297
 298                        ih = skb_header_pointer(skb, offset + sizeof(_sch),
 299                                                sizeof(_inithdr), &_inithdr);
 300                        if (!ih)
 301                                return false;
 302
 303                        pr_debug("Setting vtag %x for new conn\n",
 304                                 ih->init_tag);
 305
 306                        ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
 307                } else if (sch->type == SCTP_CID_HEARTBEAT) {
 308                        pr_debug("Setting vtag %x for secondary conntrack\n",
 309                                 sh->vtag);
 310                        ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
 311                } else {
 312                /* If it is a shutdown ack OOTB packet, we expect a return
 313                   shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
 314                        pr_debug("Setting vtag %x for new conn OOTB\n",
 315                                 sh->vtag);
 316                        ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
 317                }
 318
 319                ct->proto.sctp.state = new_state;
 320        }
 321
 322        return true;
 323}
 324
 325static bool sctp_error(struct sk_buff *skb,
 326                       unsigned int dataoff,
 327                       const struct nf_hook_state *state)
 328{
 329        const struct sctphdr *sh;
 330        const char *logmsg;
 331
 332        if (skb->len < dataoff + sizeof(struct sctphdr)) {
 333                logmsg = "nf_ct_sctp: short packet ";
 334                goto out_invalid;
 335        }
 336        if (state->hook == NF_INET_PRE_ROUTING &&
 337            state->net->ct.sysctl_checksum &&
 338            skb->ip_summed == CHECKSUM_NONE) {
 339                if (skb_ensure_writable(skb, dataoff + sizeof(*sh))) {
 340                        logmsg = "nf_ct_sctp: failed to read header ";
 341                        goto out_invalid;
 342                }
 343                sh = (const struct sctphdr *)(skb->data + dataoff);
 344                if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
 345                        logmsg = "nf_ct_sctp: bad CRC ";
 346                        goto out_invalid;
 347                }
 348                skb->ip_summed = CHECKSUM_UNNECESSARY;
 349        }
 350        return false;
 351out_invalid:
 352        nf_l4proto_log_invalid(skb, state->net, state->pf, IPPROTO_SCTP, "%s", logmsg);
 353        return true;
 354}
 355
 356/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
 357int nf_conntrack_sctp_packet(struct nf_conn *ct,
 358                             struct sk_buff *skb,
 359                             unsigned int dataoff,
 360                             enum ip_conntrack_info ctinfo,
 361                             const struct nf_hook_state *state)
 362{
 363        enum sctp_conntrack new_state, old_state;
 364        enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 365        const struct sctphdr *sh;
 366        struct sctphdr _sctph;
 367        const struct sctp_chunkhdr *sch;
 368        struct sctp_chunkhdr _sch;
 369        u_int32_t offset, count;
 370        unsigned int *timeouts;
 371        unsigned long map[256 / sizeof(unsigned long)] = { 0 };
 372
 373        if (sctp_error(skb, dataoff, state))
 374                return -NF_ACCEPT;
 375
 376        sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
 377        if (sh == NULL)
 378                goto out;
 379
 380        if (do_basic_checks(ct, skb, dataoff, map) != 0)
 381                goto out;
 382
 383        if (!nf_ct_is_confirmed(ct)) {
 384                /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
 385                if (test_bit(SCTP_CID_ABORT, map) ||
 386                    test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
 387                    test_bit(SCTP_CID_COOKIE_ACK, map))
 388                        return -NF_ACCEPT;
 389
 390                if (!sctp_new(ct, skb, sh, dataoff))
 391                        return -NF_ACCEPT;
 392        }
 393
 394        /* Check the verification tag (Sec 8.5) */
 395        if (!test_bit(SCTP_CID_INIT, map) &&
 396            !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
 397            !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
 398            !test_bit(SCTP_CID_ABORT, map) &&
 399            !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
 400            !test_bit(SCTP_CID_HEARTBEAT, map) &&
 401            !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
 402            sh->vtag != ct->proto.sctp.vtag[dir]) {
 403                pr_debug("Verification tag check failed\n");
 404                goto out;
 405        }
 406
 407        old_state = new_state = SCTP_CONNTRACK_NONE;
 408        spin_lock_bh(&ct->lock);
 409        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 410                /* Special cases of Verification tag check (Sec 8.5.1) */
 411                if (sch->type == SCTP_CID_INIT) {
 412                        /* Sec 8.5.1 (A) */
 413                        if (sh->vtag != 0)
 414                                goto out_unlock;
 415                } else if (sch->type == SCTP_CID_ABORT) {
 416                        /* Sec 8.5.1 (B) */
 417                        if (sh->vtag != ct->proto.sctp.vtag[dir] &&
 418                            sh->vtag != ct->proto.sctp.vtag[!dir])
 419                                goto out_unlock;
 420                } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
 421                        /* Sec 8.5.1 (C) */
 422                        if (sh->vtag != ct->proto.sctp.vtag[dir] &&
 423                            sh->vtag != ct->proto.sctp.vtag[!dir] &&
 424                            sch->flags & SCTP_CHUNK_FLAG_T)
 425                                goto out_unlock;
 426                } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
 427                        /* Sec 8.5.1 (D) */
 428                        if (sh->vtag != ct->proto.sctp.vtag[dir])
 429                                goto out_unlock;
 430                } else if (sch->type == SCTP_CID_HEARTBEAT ||
 431                           sch->type == SCTP_CID_HEARTBEAT_ACK) {
 432                        if (ct->proto.sctp.vtag[dir] == 0) {
 433                                pr_debug("Setting vtag %x for dir %d\n",
 434                                         sh->vtag, dir);
 435                                ct->proto.sctp.vtag[dir] = sh->vtag;
 436                        } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
 437                                pr_debug("Verification tag check failed\n");
 438                                goto out_unlock;
 439                        }
 440                }
 441
 442                old_state = ct->proto.sctp.state;
 443                new_state = sctp_new_state(dir, old_state, sch->type);
 444
 445                /* Invalid */
 446                if (new_state == SCTP_CONNTRACK_MAX) {
 447                        pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
 448                                 "conntrack=%u\n",
 449                                 dir, sch->type, old_state);
 450                        goto out_unlock;
 451                }
 452
 453                /* If it is an INIT or an INIT ACK note down the vtag */
 454                if (sch->type == SCTP_CID_INIT ||
 455                    sch->type == SCTP_CID_INIT_ACK) {
 456                        struct sctp_inithdr _inithdr, *ih;
 457
 458                        ih = skb_header_pointer(skb, offset + sizeof(_sch),
 459                                                sizeof(_inithdr), &_inithdr);
 460                        if (ih == NULL)
 461                                goto out_unlock;
 462                        pr_debug("Setting vtag %x for dir %d\n",
 463                                 ih->init_tag, !dir);
 464                        ct->proto.sctp.vtag[!dir] = ih->init_tag;
 465                }
 466
 467                ct->proto.sctp.state = new_state;
 468                if (old_state != new_state)
 469                        nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
 470        }
 471        spin_unlock_bh(&ct->lock);
 472
 473        timeouts = nf_ct_timeout_lookup(ct);
 474        if (!timeouts)
 475                timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts;
 476
 477        nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
 478
 479        if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
 480            dir == IP_CT_DIR_REPLY &&
 481            new_state == SCTP_CONNTRACK_ESTABLISHED) {
 482                pr_debug("Setting assured bit\n");
 483                set_bit(IPS_ASSURED_BIT, &ct->status);
 484                nf_conntrack_event_cache(IPCT_ASSURED, ct);
 485        }
 486
 487        return NF_ACCEPT;
 488
 489out_unlock:
 490        spin_unlock_bh(&ct->lock);
 491out:
 492        return -NF_ACCEPT;
 493}
 494
 495static bool sctp_can_early_drop(const struct nf_conn *ct)
 496{
 497        switch (ct->proto.sctp.state) {
 498        case SCTP_CONNTRACK_SHUTDOWN_SENT:
 499        case SCTP_CONNTRACK_SHUTDOWN_RECD:
 500        case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
 501                return true;
 502        default:
 503                break;
 504        }
 505
 506        return false;
 507}
 508
 509#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 510
 511#include <linux/netfilter/nfnetlink.h>
 512#include <linux/netfilter/nfnetlink_conntrack.h>
 513
 514static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
 515                          struct nf_conn *ct)
 516{
 517        struct nlattr *nest_parms;
 518
 519        spin_lock_bh(&ct->lock);
 520        nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP);
 521        if (!nest_parms)
 522                goto nla_put_failure;
 523
 524        if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
 525            nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
 526                         ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
 527            nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
 528                         ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
 529                goto nla_put_failure;
 530
 531        spin_unlock_bh(&ct->lock);
 532
 533        nla_nest_end(skb, nest_parms);
 534
 535        return 0;
 536
 537nla_put_failure:
 538        spin_unlock_bh(&ct->lock);
 539        return -1;
 540}
 541
 542static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
 543        [CTA_PROTOINFO_SCTP_STATE]          = { .type = NLA_U8 },
 544        [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]  = { .type = NLA_U32 },
 545        [CTA_PROTOINFO_SCTP_VTAG_REPLY]     = { .type = NLA_U32 },
 546};
 547
 548#define SCTP_NLATTR_SIZE ( \
 549                NLA_ALIGN(NLA_HDRLEN + 1) + \
 550                NLA_ALIGN(NLA_HDRLEN + 4) + \
 551                NLA_ALIGN(NLA_HDRLEN + 4))
 552
 553static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
 554{
 555        struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
 556        struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
 557        int err;
 558
 559        /* updates may not contain the internal protocol info, skip parsing */
 560        if (!attr)
 561                return 0;
 562
 563        err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr,
 564                                          sctp_nla_policy, NULL);
 565        if (err < 0)
 566                return err;
 567
 568        if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
 569            !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
 570            !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
 571                return -EINVAL;
 572
 573        spin_lock_bh(&ct->lock);
 574        ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
 575        ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
 576                nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
 577        ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
 578                nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
 579        spin_unlock_bh(&ct->lock);
 580
 581        return 0;
 582}
 583#endif
 584
 585#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 586
 587#include <linux/netfilter/nfnetlink.h>
 588#include <linux/netfilter/nfnetlink_cttimeout.h>
 589
 590static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
 591                                      struct net *net, void *data)
 592{
 593        unsigned int *timeouts = data;
 594        struct nf_sctp_net *sn = nf_sctp_pernet(net);
 595        int i;
 596
 597        /* set default SCTP timeouts. */
 598        for (i=0; i<SCTP_CONNTRACK_MAX; i++)
 599                timeouts[i] = sn->timeouts[i];
 600
 601        /* there's a 1:1 mapping between attributes and protocol states. */
 602        for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
 603                if (tb[i]) {
 604                        timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
 605                }
 606        }
 607
 608        timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED];
 609        return 0;
 610}
 611
 612static int
 613sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
 614{
 615        const unsigned int *timeouts = data;
 616        int i;
 617
 618        for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
 619                if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
 620                        goto nla_put_failure;
 621        }
 622        return 0;
 623
 624nla_put_failure:
 625        return -ENOSPC;
 626}
 627
 628static const struct nla_policy
 629sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
 630        [CTA_TIMEOUT_SCTP_CLOSED]               = { .type = NLA_U32 },
 631        [CTA_TIMEOUT_SCTP_COOKIE_WAIT]          = { .type = NLA_U32 },
 632        [CTA_TIMEOUT_SCTP_COOKIE_ECHOED]        = { .type = NLA_U32 },
 633        [CTA_TIMEOUT_SCTP_ESTABLISHED]          = { .type = NLA_U32 },
 634        [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT]        = { .type = NLA_U32 },
 635        [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD]        = { .type = NLA_U32 },
 636        [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT]    = { .type = NLA_U32 },
 637        [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT]       = { .type = NLA_U32 },
 638        [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED]      = { .type = NLA_U32 },
 639};
 640#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 641
 642void nf_conntrack_sctp_init_net(struct net *net)
 643{
 644        struct nf_sctp_net *sn = nf_sctp_pernet(net);
 645        int i;
 646
 647        for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
 648                sn->timeouts[i] = sctp_timeouts[i];
 649
 650        /* timeouts[0] is unused, init it so ->timeouts[0] contains
 651         * 'new' timeout, like udp or icmp.
 652         */
 653        sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
 654}
 655
 656const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = {
 657        .l4proto                = IPPROTO_SCTP,
 658#ifdef CONFIG_NF_CONNTRACK_PROCFS
 659        .print_conntrack        = sctp_print_conntrack,
 660#endif
 661        .can_early_drop         = sctp_can_early_drop,
 662#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 663        .nlattr_size            = SCTP_NLATTR_SIZE,
 664        .to_nlattr              = sctp_to_nlattr,
 665        .from_nlattr            = nlattr_to_sctp,
 666        .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 667        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 668        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 669        .nla_policy             = nf_ct_port_nla_policy,
 670#endif
 671#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 672        .ctnl_timeout           = {
 673                .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
 674                .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
 675                .nlattr_max     = CTA_TIMEOUT_SCTP_MAX,
 676                .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
 677                .nla_policy     = sctp_timeout_nla_policy,
 678        },
 679#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 680};
 681