LXR linux/net/netfilter/nf_conntrack_proto

   1/*
   2 * Connection tracking protocol helper module for SCTP.
   3 *
   4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
   5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
   6 *
   7 * SCTP is defined in RFC 2960. References to various sections in this code
   8 * are to this RFC.
   9 *
  10 * This program is free software; you can redistribute it and/or modify
  11 * it under the terms of the GNU General Public License version 2 as
  12 * published by the Free Software Foundation.
  13 */
  14
  15#include <linux/types.h>
  16#include <linux/timer.h>
  17#include <linux/netfilter.h>
  18#include <linux/module.h>
  19#include <linux/in.h>
  20#include <linux/ip.h>
  21#include <linux/sctp.h>
  22#include <linux/string.h>
  23#include <linux/seq_file.h>
  24#include <linux/spinlock.h>
  25#include <linux/interrupt.h>
  26
  27#include <net/netfilter/nf_conntrack.h>
  28#include <net/netfilter/nf_conntrack_l4proto.h>
  29#include <net/netfilter/nf_conntrack_ecache.h>
  30
  31/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
  32   closely.  They're more complex. --RR
  33
  34   And so for me for SCTP :D -Kiran */
  35
  36static const char *const sctp_conntrack_names[] = {
  37        "NONE",
  38        "CLOSED",
  39        "COOKIE_WAIT",
  40        "COOKIE_ECHOED",
  41        "ESTABLISHED",
  42        "SHUTDOWN_SENT",
  43        "SHUTDOWN_RECD",
  44        "SHUTDOWN_ACK_SENT",
  45        "HEARTBEAT_SENT",
  46        "HEARTBEAT_ACKED",
  47};
  48
  49#define SECS  * HZ
  50#define MINS  * 60 SECS
  51#define HOURS * 60 MINS
  52#define DAYS  * 24 HOURS
  53
  54static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
  55        [SCTP_CONNTRACK_CLOSED]                 = 10 SECS,
  56        [SCTP_CONNTRACK_COOKIE_WAIT]            = 3 SECS,
  57        [SCTP_CONNTRACK_COOKIE_ECHOED]          = 3 SECS,
  58        [SCTP_CONNTRACK_ESTABLISHED]            = 5 DAYS,
  59        [SCTP_CONNTRACK_SHUTDOWN_SENT]          = 300 SECS / 1000,
  60        [SCTP_CONNTRACK_SHUTDOWN_RECD]          = 300 SECS / 1000,
  61        [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT]      = 3 SECS,
  62        [SCTP_CONNTRACK_HEARTBEAT_SENT]         = 30 SECS,
  63        [SCTP_CONNTRACK_HEARTBEAT_ACKED]        = 210 SECS,
  64};
  65
  66#define sNO SCTP_CONNTRACK_NONE
  67#define sCL SCTP_CONNTRACK_CLOSED
  68#define sCW SCTP_CONNTRACK_COOKIE_WAIT
  69#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
  70#define sES SCTP_CONNTRACK_ESTABLISHED
  71#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
  72#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
  73#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
  74#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
  75#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
  76#define sIV SCTP_CONNTRACK_MAX
  77
  78/*
  79        These are the descriptions of the states:
  80
  81NOTE: These state names are tantalizingly similar to the states of an
  82SCTP endpoint. But the interpretation of the states is a little different,
  83considering that these are the states of the connection and not of an end
  84point. Please note the subtleties. -Kiran
  85
  86NONE              - Nothing so far.
  87COOKIE WAIT       - We have seen an INIT chunk in the original direction, or also
  88                    an INIT_ACK chunk in the reply direction.
  89COOKIE ECHOED     - We have seen a COOKIE_ECHO chunk in the original direction.
  90ESTABLISHED       - We have seen a COOKIE_ACK in the reply direction.
  91SHUTDOWN_SENT     - We have seen a SHUTDOWN chunk in the original direction.
  92SHUTDOWN_RECD     - We have seen a SHUTDOWN chunk in the reply directoin.
  93SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
  94                    to that of the SHUTDOWN chunk.
  95CLOSED            - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
  96                    the SHUTDOWN chunk. Connection is closed.
  97HEARTBEAT_SENT    - We have seen a HEARTBEAT in a new flow.
  98HEARTBEAT_ACKED   - We have seen a HEARTBEAT-ACK in the direction opposite to
  99                    that of the HEARTBEAT chunk. Secondary connection is
 100                    established.
 101*/
 102
 103/* TODO
 104 - I have assumed that the first INIT is in the original direction.
 105 This messes things when an INIT comes in the reply direction in CLOSED
 106 state.
 107 - Check the error type in the reply dir before transitioning from
 108cookie echoed to closed.
 109 - Sec 5.2.4 of RFC 2960
 110 - Full Multi Homing support.
 111*/
 112
 113/* SCTP conntrack state transitions */
 114static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
 115        {
 116/*      ORIGINAL        */
 117/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
 118/* init         */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
 119/* init_ack     */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
 120/* abort        */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
 121/* shutdown     */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
 122/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
 123/* error        */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
 124/* cookie_echo  */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
 125/* cookie_ack   */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
 126/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
 127/* heartbeat    */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
 128/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
 129        },
 130        {
 131/*      REPLY   */
 132/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
 133/* init         */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
 134/* init_ack     */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
 135/* abort        */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
 136/* shutdown     */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
 137/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
 138/* error        */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
 139/* cookie_echo  */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
 140/* cookie_ack   */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
 141/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
 142/* heartbeat    */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
 143/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
 144        }
 145};
 146
 147static int sctp_net_id  __read_mostly;
 148struct sctp_net {
 149        struct nf_proto_net pn;
 150        unsigned int timeouts[SCTP_CONNTRACK_MAX];
 151};
 152
 153static inline struct sctp_net *sctp_pernet(struct net *net)
 154{
 155        return net_generic(net, sctp_net_id);
 156}
 157
 158static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 159                              struct net *net, struct nf_conntrack_tuple *tuple)
 160{
 161        const struct sctphdr *hp;
 162        struct sctphdr _hdr;
 163
 164        /* Actually only need first 4 bytes to get ports. */
 165        hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
 166        if (hp == NULL)
 167                return false;
 168
 169        tuple->src.u.sctp.port = hp->source;
 170        tuple->dst.u.sctp.port = hp->dest;
 171        return true;
 172}
 173
 174static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
 175                              const struct nf_conntrack_tuple *orig)
 176{
 177        tuple->src.u.sctp.port = orig->dst.u.sctp.port;
 178        tuple->dst.u.sctp.port = orig->src.u.sctp.port;
 179        return true;
 180}
 181
 182/* Print out the per-protocol part of the tuple. */
 183static void sctp_print_tuple(struct seq_file *s,
 184                             const struct nf_conntrack_tuple *tuple)
 185{
 186        seq_printf(s, "sport=%hu dport=%hu ",
 187                   ntohs(tuple->src.u.sctp.port),
 188                   ntohs(tuple->dst.u.sctp.port));
 189}
 190
 191/* Print out the private part of the conntrack. */
 192static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
 193{
 194        seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
 195}
 196
 197#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count)     \
 198for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0;        \
 199        (offset) < (skb)->len &&                                        \
 200        ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch)));   \
 201        (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
 202
 203/* Some validity checks to make sure the chunks are fine */
 204static int do_basic_checks(struct nf_conn *ct,
 205                           const struct sk_buff *skb,
 206                           unsigned int dataoff,
 207                           unsigned long *map)
 208{
 209        u_int32_t offset, count;
 210        sctp_chunkhdr_t _sch, *sch;
 211        int flag;
 212
 213        flag = 0;
 214
 215        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 216                pr_debug("Chunk Num: %d  Type: %d\n", count, sch->type);
 217
 218                if (sch->type == SCTP_CID_INIT ||
 219                    sch->type == SCTP_CID_INIT_ACK ||
 220                    sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
 221                        flag = 1;
 222
 223                /*
 224                 * Cookie Ack/Echo chunks not the first OR
 225                 * Init / Init Ack / Shutdown compl chunks not the only chunks
 226                 * OR zero-length.
 227                 */
 228                if (((sch->type == SCTP_CID_COOKIE_ACK ||
 229                      sch->type == SCTP_CID_COOKIE_ECHO ||
 230                      flag) &&
 231                     count != 0) || !sch->length) {
 232                        pr_debug("Basic checks failed\n");
 233                        return 1;
 234                }
 235
 236                if (map)
 237                        set_bit(sch->type, map);
 238        }
 239
 240        pr_debug("Basic checks passed\n");
 241        return count == 0;
 242}
 243
 244static int sctp_new_state(enum ip_conntrack_dir dir,
 245                          enum sctp_conntrack cur_state,
 246                          int chunk_type)
 247{
 248        int i;
 249
 250        pr_debug("Chunk type: %d\n", chunk_type);
 251
 252        switch (chunk_type) {
 253        case SCTP_CID_INIT:
 254                pr_debug("SCTP_CID_INIT\n");
 255                i = 0;
 256                break;
 257        case SCTP_CID_INIT_ACK:
 258                pr_debug("SCTP_CID_INIT_ACK\n");
 259                i = 1;
 260                break;
 261        case SCTP_CID_ABORT:
 262                pr_debug("SCTP_CID_ABORT\n");
 263                i = 2;
 264                break;
 265        case SCTP_CID_SHUTDOWN:
 266                pr_debug("SCTP_CID_SHUTDOWN\n");
 267                i = 3;
 268                break;
 269        case SCTP_CID_SHUTDOWN_ACK:
 270                pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
 271                i = 4;
 272                break;
 273        case SCTP_CID_ERROR:
 274                pr_debug("SCTP_CID_ERROR\n");
 275                i = 5;
 276                break;
 277        case SCTP_CID_COOKIE_ECHO:
 278                pr_debug("SCTP_CID_COOKIE_ECHO\n");
 279                i = 6;
 280                break;
 281        case SCTP_CID_COOKIE_ACK:
 282                pr_debug("SCTP_CID_COOKIE_ACK\n");
 283                i = 7;
 284                break;
 285        case SCTP_CID_SHUTDOWN_COMPLETE:
 286                pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
 287                i = 8;
 288                break;
 289        case SCTP_CID_HEARTBEAT:
 290                pr_debug("SCTP_CID_HEARTBEAT");
 291                i = 9;
 292                break;
 293        case SCTP_CID_HEARTBEAT_ACK:
 294                pr_debug("SCTP_CID_HEARTBEAT_ACK");
 295                i = 10;
 296                break;
 297        default:
 298                /* Other chunks like DATA or SACK do not change the state */
 299                pr_debug("Unknown chunk type, Will stay in %s\n",
 300                         sctp_conntrack_names[cur_state]);
 301                return cur_state;
 302        }
 303
 304        pr_debug("dir: %d   cur_state: %s  chunk_type: %d  new_state: %s\n",
 305                 dir, sctp_conntrack_names[cur_state], chunk_type,
 306                 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
 307
 308        return sctp_conntracks[dir][i][cur_state];
 309}
 310
 311static unsigned int *sctp_get_timeouts(struct net *net)
 312{
 313        return sctp_pernet(net)->timeouts;
 314}
 315
 316/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
 317static int sctp_packet(struct nf_conn *ct,
 318                       const struct sk_buff *skb,
 319                       unsigned int dataoff,
 320                       enum ip_conntrack_info ctinfo,
 321                       u_int8_t pf,
 322                       unsigned int hooknum,
 323                       unsigned int *timeouts)
 324{
 325        enum sctp_conntrack new_state, old_state;
 326        enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 327        const struct sctphdr *sh;
 328        struct sctphdr _sctph;
 329        const struct sctp_chunkhdr *sch;
 330        struct sctp_chunkhdr _sch;
 331        u_int32_t offset, count;
 332        unsigned long map[256 / sizeof(unsigned long)] = { 0 };
 333
 334        sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
 335        if (sh == NULL)
 336                goto out;
 337
 338        if (do_basic_checks(ct, skb, dataoff, map) != 0)
 339                goto out;
 340
 341        /* Check the verification tag (Sec 8.5) */
 342        if (!test_bit(SCTP_CID_INIT, map) &&
 343            !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
 344            !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
 345            !test_bit(SCTP_CID_ABORT, map) &&
 346            !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
 347            !test_bit(SCTP_CID_HEARTBEAT, map) &&
 348            !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
 349            sh->vtag != ct->proto.sctp.vtag[dir]) {
 350                pr_debug("Verification tag check failed\n");
 351                goto out;
 352        }
 353
 354        old_state = new_state = SCTP_CONNTRACK_NONE;
 355        spin_lock_bh(&ct->lock);
 356        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 357                /* Special cases of Verification tag check (Sec 8.5.1) */
 358                if (sch->type == SCTP_CID_INIT) {
 359                        /* Sec 8.5.1 (A) */
 360                        if (sh->vtag != 0)
 361                                goto out_unlock;
 362                } else if (sch->type == SCTP_CID_ABORT) {
 363                        /* Sec 8.5.1 (B) */
 364                        if (sh->vtag != ct->proto.sctp.vtag[dir] &&
 365                            sh->vtag != ct->proto.sctp.vtag[!dir])
 366                                goto out_unlock;
 367                } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
 368                        /* Sec 8.5.1 (C) */
 369                        if (sh->vtag != ct->proto.sctp.vtag[dir] &&
 370                            sh->vtag != ct->proto.sctp.vtag[!dir] &&
 371                            sch->flags & SCTP_CHUNK_FLAG_T)
 372                                goto out_unlock;
 373                } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
 374                        /* Sec 8.5.1 (D) */
 375                        if (sh->vtag != ct->proto.sctp.vtag[dir])
 376                                goto out_unlock;
 377                } else if (sch->type == SCTP_CID_HEARTBEAT ||
 378                           sch->type == SCTP_CID_HEARTBEAT_ACK) {
 379                        if (ct->proto.sctp.vtag[dir] == 0) {
 380                                pr_debug("Setting vtag %x for dir %d\n",
 381                                         sh->vtag, dir);
 382                                ct->proto.sctp.vtag[dir] = sh->vtag;
 383                        } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
 384                                pr_debug("Verification tag check failed\n");
 385                                goto out_unlock;
 386                        }
 387                }
 388
 389                old_state = ct->proto.sctp.state;
 390                new_state = sctp_new_state(dir, old_state, sch->type);
 391
 392                /* Invalid */
 393                if (new_state == SCTP_CONNTRACK_MAX) {
 394                        pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
 395                                 "conntrack=%u\n",
 396                                 dir, sch->type, old_state);
 397                        goto out_unlock;
 398                }
 399
 400                /* If it is an INIT or an INIT ACK note down the vtag */
 401                if (sch->type == SCTP_CID_INIT ||
 402                    sch->type == SCTP_CID_INIT_ACK) {
 403                        sctp_inithdr_t _inithdr, *ih;
 404
 405                        ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
 406                                                sizeof(_inithdr), &_inithdr);
 407                        if (ih == NULL)
 408                                goto out_unlock;
 409                        pr_debug("Setting vtag %x for dir %d\n",
 410                                 ih->init_tag, !dir);
 411                        ct->proto.sctp.vtag[!dir] = ih->init_tag;
 412                }
 413
 414                ct->proto.sctp.state = new_state;
 415                if (old_state != new_state)
 416                        nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
 417        }
 418        spin_unlock_bh(&ct->lock);
 419
 420        nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
 421
 422        if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
 423            dir == IP_CT_DIR_REPLY &&
 424            new_state == SCTP_CONNTRACK_ESTABLISHED) {
 425                pr_debug("Setting assured bit\n");
 426                set_bit(IPS_ASSURED_BIT, &ct->status);
 427                nf_conntrack_event_cache(IPCT_ASSURED, ct);
 428        }
 429
 430        return NF_ACCEPT;
 431
 432out_unlock:
 433        spin_unlock_bh(&ct->lock);
 434out:
 435        return -NF_ACCEPT;
 436}
 437
 438/* Called when a new connection for this protocol found. */
 439static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
 440                     unsigned int dataoff, unsigned int *timeouts)
 441{
 442        enum sctp_conntrack new_state;
 443        const struct sctphdr *sh;
 444        struct sctphdr _sctph;
 445        const struct sctp_chunkhdr *sch;
 446        struct sctp_chunkhdr _sch;
 447        u_int32_t offset, count;
 448        unsigned long map[256 / sizeof(unsigned long)] = { 0 };
 449
 450        sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
 451        if (sh == NULL)
 452                return false;
 453
 454        if (do_basic_checks(ct, skb, dataoff, map) != 0)
 455                return false;
 456
 457        /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
 458        if (test_bit(SCTP_CID_ABORT, map) ||
 459            test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
 460            test_bit(SCTP_CID_COOKIE_ACK, map))
 461                return false;
 462
 463        memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
 464        new_state = SCTP_CONNTRACK_MAX;
 465        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 466                /* Don't need lock here: this conntrack not in circulation yet */
 467                new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
 468                                           SCTP_CONNTRACK_NONE, sch->type);
 469
 470                /* Invalid: delete conntrack */
 471                if (new_state == SCTP_CONNTRACK_NONE ||
 472                    new_state == SCTP_CONNTRACK_MAX) {
 473                        pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
 474                        return false;
 475                }
 476
 477                /* Copy the vtag into the state info */
 478                if (sch->type == SCTP_CID_INIT) {
 479                        if (sh->vtag == 0) {
 480                                sctp_inithdr_t _inithdr, *ih;
 481
 482                                ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
 483                                                        sizeof(_inithdr), &_inithdr);
 484                                if (ih == NULL)
 485                                        return false;
 486
 487                                pr_debug("Setting vtag %x for new conn\n",
 488                                         ih->init_tag);
 489
 490                                ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
 491                                                                ih->init_tag;
 492                        } else {
 493                                /* Sec 8.5.1 (A) */
 494                                return false;
 495                        }
 496                } else if (sch->type == SCTP_CID_HEARTBEAT) {
 497                        pr_debug("Setting vtag %x for secondary conntrack\n",
 498                                 sh->vtag);
 499                        ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
 500                }
 501                /* If it is a shutdown ack OOTB packet, we expect a return
 502                   shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
 503                else {
 504                        pr_debug("Setting vtag %x for new conn OOTB\n",
 505                                 sh->vtag);
 506                        ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
 507                }
 508
 509                ct->proto.sctp.state = new_state;
 510        }
 511
 512        return true;
 513}
 514
 515#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 516
 517#include <linux/netfilter/nfnetlink.h>
 518#include <linux/netfilter/nfnetlink_conntrack.h>
 519
 520static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
 521                          struct nf_conn *ct)
 522{
 523        struct nlattr *nest_parms;
 524
 525        spin_lock_bh(&ct->lock);
 526        nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
 527        if (!nest_parms)
 528                goto nla_put_failure;
 529
 530        if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
 531            nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
 532                         ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
 533            nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
 534                         ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
 535                goto nla_put_failure;
 536
 537        spin_unlock_bh(&ct->lock);
 538
 539        nla_nest_end(skb, nest_parms);
 540
 541        return 0;
 542
 543nla_put_failure:
 544        spin_unlock_bh(&ct->lock);
 545        return -1;
 546}
 547
 548static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
 549        [CTA_PROTOINFO_SCTP_STATE]          = { .type = NLA_U8 },
 550        [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]  = { .type = NLA_U32 },
 551        [CTA_PROTOINFO_SCTP_VTAG_REPLY]     = { .type = NLA_U32 },
 552};
 553
 554static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
 555{
 556        struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
 557        struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
 558        int err;
 559
 560        /* updates may not contain the internal protocol info, skip parsing */
 561        if (!attr)
 562                return 0;
 563
 564        err = nla_parse_nested(tb,
 565                               CTA_PROTOINFO_SCTP_MAX,
 566                               attr,
 567                               sctp_nla_policy);
 568        if (err < 0)
 569                return err;
 570
 571        if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
 572            !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
 573            !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
 574                return -EINVAL;
 575
 576        spin_lock_bh(&ct->lock);
 577        ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
 578        ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
 579                nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
 580        ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
 581                nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
 582        spin_unlock_bh(&ct->lock);
 583
 584        return 0;
 585}
 586
 587static int sctp_nlattr_size(void)
 588{
 589        return nla_total_size(0)        /* CTA_PROTOINFO_SCTP */
 590                + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
 591}
 592#endif
 593
 594#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 595
 596#include <linux/netfilter/nfnetlink.h>
 597#include <linux/netfilter/nfnetlink_cttimeout.h>
 598
 599static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
 600                                      struct net *net, void *data)
 601{
 602        unsigned int *timeouts = data;
 603        struct sctp_net *sn = sctp_pernet(net);
 604        int i;
 605
 606        /* set default SCTP timeouts. */
 607        for (i=0; i<SCTP_CONNTRACK_MAX; i++)
 608                timeouts[i] = sn->timeouts[i];
 609
 610        /* there's a 1:1 mapping between attributes and protocol states. */
 611        for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
 612                if (tb[i]) {
 613                        timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
 614                }
 615        }
 616        return 0;
 617}
 618
 619static int
 620sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
 621{
 622        const unsigned int *timeouts = data;
 623        int i;
 624
 625        for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
 626                if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
 627                        goto nla_put_failure;
 628        }
 629        return 0;
 630
 631nla_put_failure:
 632        return -ENOSPC;
 633}
 634
 635static const struct nla_policy
 636sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
 637        [CTA_TIMEOUT_SCTP_CLOSED]               = { .type = NLA_U32 },
 638        [CTA_TIMEOUT_SCTP_COOKIE_WAIT]          = { .type = NLA_U32 },
 639        [CTA_TIMEOUT_SCTP_COOKIE_ECHOED]        = { .type = NLA_U32 },
 640        [CTA_TIMEOUT_SCTP_ESTABLISHED]          = { .type = NLA_U32 },
 641        [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT]        = { .type = NLA_U32 },
 642        [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD]        = { .type = NLA_U32 },
 643        [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT]    = { .type = NLA_U32 },
 644        [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT]       = { .type = NLA_U32 },
 645        [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED]      = { .type = NLA_U32 },
 646};
 647#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 648
 649
 650#ifdef CONFIG_SYSCTL
 651static struct ctl_table sctp_sysctl_table[] = {
 652        {
 653                .procname       = "nf_conntrack_sctp_timeout_closed",
 654                .maxlen         = sizeof(unsigned int),
 655                .mode           = 0644,
 656                .proc_handler   = proc_dointvec_jiffies,
 657        },
 658        {
 659                .procname       = "nf_conntrack_sctp_timeout_cookie_wait",
 660                .maxlen         = sizeof(unsigned int),
 661                .mode           = 0644,
 662                .proc_handler   = proc_dointvec_jiffies,
 663        },
 664        {
 665                .procname       = "nf_conntrack_sctp_timeout_cookie_echoed",
 666                .maxlen         = sizeof(unsigned int),
 667                .mode           = 0644,
 668                .proc_handler   = proc_dointvec_jiffies,
 669        },
 670        {
 671                .procname       = "nf_conntrack_sctp_timeout_established",
 672                .maxlen         = sizeof(unsigned int),
 673                .mode           = 0644,
 674                .proc_handler   = proc_dointvec_jiffies,
 675        },
 676        {
 677                .procname       = "nf_conntrack_sctp_timeout_shutdown_sent",
 678                .maxlen         = sizeof(unsigned int),
 679                .mode           = 0644,
 680                .proc_handler   = proc_dointvec_jiffies,
 681        },
 682        {
 683                .procname       = "nf_conntrack_sctp_timeout_shutdown_recd",
 684                .maxlen         = sizeof(unsigned int),
 685                .mode           = 0644,
 686                .proc_handler   = proc_dointvec_jiffies,
 687        },
 688        {
 689                .procname       = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
 690                .maxlen         = sizeof(unsigned int),
 691                .mode           = 0644,
 692                .proc_handler   = proc_dointvec_jiffies,
 693        },
 694        {
 695                .procname       = "nf_conntrack_sctp_timeout_heartbeat_sent",
 696                .maxlen         = sizeof(unsigned int),
 697                .mode           = 0644,
 698                .proc_handler   = proc_dointvec_jiffies,
 699        },
 700        {
 701                .procname       = "nf_conntrack_sctp_timeout_heartbeat_acked",
 702                .maxlen         = sizeof(unsigned int),
 703                .mode           = 0644,
 704                .proc_handler   = proc_dointvec_jiffies,
 705        },
 706        { }
 707};
 708#endif
 709
 710static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
 711                                     struct sctp_net *sn)
 712{
 713#ifdef CONFIG_SYSCTL
 714        if (pn->ctl_table)
 715                return 0;
 716
 717        pn->ctl_table = kmemdup(sctp_sysctl_table,
 718                                sizeof(sctp_sysctl_table),
 719                                GFP_KERNEL);
 720        if (!pn->ctl_table)
 721                return -ENOMEM;
 722
 723        pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
 724        pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
 725        pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
 726        pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
 727        pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
 728        pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
 729        pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
 730        pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
 731        pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
 732#endif
 733        return 0;
 734}
 735
 736static int sctp_init_net(struct net *net, u_int16_t proto)
 737{
 738        struct sctp_net *sn = sctp_pernet(net);
 739        struct nf_proto_net *pn = &sn->pn;
 740
 741        if (!pn->users) {
 742                int i;
 743
 744                for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
 745                        sn->timeouts[i] = sctp_timeouts[i];
 746        }
 747
 748        return sctp_kmemdup_sysctl_table(pn, sn);
 749}
 750
 751static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
 752        .l3proto                = PF_INET,
 753        .l4proto                = IPPROTO_SCTP,
 754        .name                   = "sctp",
 755        .pkt_to_tuple           = sctp_pkt_to_tuple,
 756        .invert_tuple           = sctp_invert_tuple,
 757        .print_tuple            = sctp_print_tuple,
 758        .print_conntrack        = sctp_print_conntrack,
 759        .packet                 = sctp_packet,
 760        .get_timeouts           = sctp_get_timeouts,
 761        .new                    = sctp_new,
 762        .me                     = THIS_MODULE,
 763#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 764        .to_nlattr              = sctp_to_nlattr,
 765        .nlattr_size            = sctp_nlattr_size,
 766        .from_nlattr            = nlattr_to_sctp,
 767        .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 768        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 769        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 770        .nla_policy             = nf_ct_port_nla_policy,
 771#endif
 772#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 773        .ctnl_timeout           = {
 774                .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
 775                .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
 776                .nlattr_max     = CTA_TIMEOUT_SCTP_MAX,
 777                .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
 778                .nla_policy     = sctp_timeout_nla_policy,
 779        },
 780#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 781        .net_id                 = &sctp_net_id,
 782        .init_net               = sctp_init_net,
 783};
 784
 785static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
 786        .l3proto                = PF_INET6,
 787        .l4proto                = IPPROTO_SCTP,
 788        .name                   = "sctp",
 789        .pkt_to_tuple           = sctp_pkt_to_tuple,
 790        .invert_tuple           = sctp_invert_tuple,
 791        .print_tuple            = sctp_print_tuple,
 792        .print_conntrack        = sctp_print_conntrack,
 793        .packet                 = sctp_packet,
 794        .get_timeouts           = sctp_get_timeouts,
 795        .new                    = sctp_new,
 796        .me                     = THIS_MODULE,
 797#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 798        .to_nlattr              = sctp_to_nlattr,
 799        .nlattr_size            = sctp_nlattr_size,
 800        .from_nlattr            = nlattr_to_sctp,
 801        .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 802        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 803        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 804        .nla_policy             = nf_ct_port_nla_policy,
 805#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 806        .ctnl_timeout           = {
 807                .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
 808                .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
 809                .nlattr_max     = CTA_TIMEOUT_SCTP_MAX,
 810                .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
 811                .nla_policy     = sctp_timeout_nla_policy,
 812        },
 813#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 814#endif
 815        .net_id                 = &sctp_net_id,
 816        .init_net               = sctp_init_net,
 817};
 818
 819static int sctp_net_init(struct net *net)
 820{
 821        int ret = 0;
 822
 823        ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_sctp4);
 824        if (ret < 0) {
 825                pr_err("nf_conntrack_sctp4: pernet registration failed.\n");
 826                goto out;
 827        }
 828        ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_sctp6);
 829        if (ret < 0) {
 830                pr_err("nf_conntrack_sctp6: pernet registration failed.\n");
 831                goto cleanup_sctp4;
 832        }
 833        return 0;
 834
 835cleanup_sctp4:
 836        nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp4);
 837out:
 838        return ret;
 839}
 840
 841static void sctp_net_exit(struct net *net)
 842{
 843        nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp6);
 844        nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp4);
 845}
 846
 847static struct pernet_operations sctp_net_ops = {
 848        .init = sctp_net_init,
 849        .exit = sctp_net_exit,
 850        .id   = &sctp_net_id,
 851        .size = sizeof(struct sctp_net),
 852};
 853
 854static int __init nf_conntrack_proto_sctp_init(void)
 855{
 856        int ret;
 857
 858        ret = register_pernet_subsys(&sctp_net_ops);
 859        if (ret < 0)
 860                goto out_pernet;
 861
 862        ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp4);
 863        if (ret < 0)
 864                goto out_sctp4;
 865
 866        ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp6);
 867        if (ret < 0)
 868                goto out_sctp6;
 869
 870        return 0;
 871out_sctp6:
 872        nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
 873out_sctp4:
 874        unregister_pernet_subsys(&sctp_net_ops);
 875out_pernet:
 876        return ret;
 877}
 878
 879static void __exit nf_conntrack_proto_sctp_fini(void)
 880{
 881        nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
 882        nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
 883        unregister_pernet_subsys(&sctp_net_ops);
 884}
 885
 886module_init(nf_conntrack_proto_sctp_init);
 887module_exit(nf_conntrack_proto_sctp_fini);
 888
 889MODULE_LICENSE("GPL");
 890MODULE_AUTHOR("Kiran Kumar Immidi");
 891MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP");
 892MODULE_ALIAS("ip_conntrack_proto_sctp");
 893