projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
dm-crypt: use __bio_add_page to add single page to clone bio
[linux-block.git] / net / netfilter / nf_conntrack_proto_sctp.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
9fb9cbb1
YK		 2/*
3 * Connection tracking protocol helper module for SCTP.
601e68e1 4 *
f229f6ce
PM		 5 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
6 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
7 *
601e68e1 8 * SCTP is defined in RFC 2960. References to various sections in this code
9fb9cbb1 9 * are to this RFC.
9fb9cbb1
YK		 10 */
11
12#include <linux/types.h>
9fb9cbb1
YK		 13#include <linux/timer.h>
14#include <linux/netfilter.h>
9fb9cbb1
YK		 15#include <linux/in.h>
16#include <linux/ip.h>
17#include <linux/sctp.h>
18#include <linux/string.h>
19#include <linux/seq_file.h>
40a839fd
YK		 20#include <linux/spinlock.h>
21#include <linux/interrupt.h>
cf6e007e 22#include <net/sctp/checksum.h>
9fb9cbb1 23
cf6e007e 24#include <net/netfilter/nf_log.h>
9fb9cbb1 25#include <net/netfilter/nf_conntrack.h>
605dcad6 26#include <net/netfilter/nf_conntrack_l4proto.h>
f6180121 27#include <net/netfilter/nf_conntrack_ecache.h>
c779e849 28#include <net/netfilter/nf_conntrack_timeout.h>
9fb9cbb1 29
12c33aa2 30static const char *const sctp_conntrack_names[] = {
a44b7651
SY		 31 [SCTP_CONNTRACK_NONE] = "NONE",
32 [SCTP_CONNTRACK_CLOSED] = "CLOSED",
33 [SCTP_CONNTRACK_COOKIE_WAIT] = "COOKIE_WAIT",
34 [SCTP_CONNTRACK_COOKIE_ECHOED] = "COOKIE_ECHOED",
35 [SCTP_CONNTRACK_ESTABLISHED] = "ESTABLISHED",
36 [SCTP_CONNTRACK_SHUTDOWN_SENT] = "SHUTDOWN_SENT",
37 [SCTP_CONNTRACK_SHUTDOWN_RECD] = "SHUTDOWN_RECD",
38 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = "SHUTDOWN_ACK_SENT",
39 [SCTP_CONNTRACK_HEARTBEAT_SENT] = "HEARTBEAT_SENT",
9fb9cbb1
YK		 40};
41
42#define SECS * HZ
43#define MINS * 60 SECS
44#define HOURS * 60 MINS
45#define DAYS * 24 HOURS
46
2c9e8637 47static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = {
86c0bf40
PM		 48 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
49 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
50 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
a44b7651 51 [SCTP_CONNTRACK_ESTABLISHED] = 210 SECS,
86c0bf40
PM		 52 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
53 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
54 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
d7ee3519 55 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
86c0bf40 56};
9fb9cbb1 57
cc5453a5
FW		 58#define SCTP_FLAG_HEARTBEAT_VTAG_FAILED 1
59
9fb9cbb1
YK		 60#define sNO SCTP_CONNTRACK_NONE
61#define sCL SCTP_CONNTRACK_CLOSED
62#define sCW SCTP_CONNTRACK_COOKIE_WAIT
63#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
64#define sES SCTP_CONNTRACK_ESTABLISHED
65#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
66#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
67#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
d7ee3519 68#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
9fb9cbb1
YK		 69#define sIV SCTP_CONNTRACK_MAX
70
601e68e1 71/*
9fb9cbb1
YK		 72 These are the descriptions of the states:
73
601e68e1 74NOTE: These state names are tantalizingly similar to the states of an
9fb9cbb1 75SCTP endpoint. But the interpretation of the states is a little different,
601e68e1 76considering that these are the states of the connection and not of an end
9fb9cbb1
YK		 77point. Please note the subtleties. -Kiran
78
79NONE - Nothing so far.
601e68e1
YH		 80COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
81 an INIT_ACK chunk in the reply direction.
9fb9cbb1
YK		 82COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
83ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
84SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
bff3d053 85SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply direction.
9fb9cbb1 86SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
601e68e1
YH		 87 to that of the SHUTDOWN chunk.
88CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
89 the SHUTDOWN chunk. Connection is closed.
d7ee3519 90HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
9fb9cbb1
YK		 91*/
92
93/* TODO
601e68e1 94 - I have assumed that the first INIT is in the original direction.
9fb9cbb1
YK		 95 This messes things when an INIT comes in the reply direction in CLOSED
96 state.
601e68e1 97 - Check the error type in the reply dir before transitioning from
9fb9cbb1
YK		 98cookie echoed to closed.
99 - Sec 5.2.4 of RFC 2960
d7ee3519 100 - Full Multi Homing support.
9fb9cbb1
YK		 101*/
102
103/* SCTP conntrack state transitions */
13bd9b31 104static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
9fb9cbb1
YK		 105 {
106/* ORIGINAL */
a44b7651
SY		 107/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS */
108/* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW},
109/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},
110/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
111/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL},
112/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA},
113/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},/* Can't have Stale cookie*/
114/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL},/* 5.2.4 - Big TODO */
115/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},/* Can't come in orig dir */
116/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL},
117/* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS},
118/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS},
9fb9cbb1
YK		 119 },
120 {
121/* REPLY */
a44b7651
SY		 122/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS */
123/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV},/* INIT in sCL Big TODO */
124/* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV},
125/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV},
126/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV},
127/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV},
128/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV},
129/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV},/* Can't come in reply dir */
130/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV},
131/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV},
132/* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS},
133/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sES},
9fb9cbb1
YK		 134 }
135};
136
ea48cc83 137#ifdef CONFIG_NF_CONNTRACK_PROCFS
9fb9cbb1 138/* Print out the private part of the conntrack. */
37246a58 139static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
9fb9cbb1 140{
a163f2cb 141 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
9fb9cbb1 142}
ea48cc83 143#endif
9fb9cbb1 144
bd0e06f0 145/* do_basic_checks ensures sch->length > 0, do not use before */
9fb9cbb1 146#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
ae146d9b 147for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \
bd0e06f0
FW		 148 (offset) < (skb)->len && \
149 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
e79ec50b 150 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
9fb9cbb1
YK		 151
152/* Some validity checks to make sure the chunks are fine */
112f35c9 153static int do_basic_checks(struct nf_conn *ct,
9fb9cbb1
YK		 154 const struct sk_buff *skb,
155 unsigned int dataoff,
f71cb8f4
FW		 156 unsigned long *map,
157 const struct nf_hook_state *state)
9fb9cbb1
YK		 158{
159 u_int32_t offset, count;
922dbc5b 160 struct sctp_chunkhdr _sch, *sch;
9fb9cbb1
YK		 161 int flag;
162
9fb9cbb1
YK		 163 flag = 0;
164
165 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
5447d477
PM		 166 if (sch->type == SCTP_CID_INIT ||
167 sch->type == SCTP_CID_INIT_ACK ||
168 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
9fb9cbb1 169 flag = 1;
9fb9cbb1 170
e17df688
PM		 171 /*
172 * Cookie Ack/Echo chunks not the first OR
173 * Init / Init Ack / Shutdown compl chunks not the only chunks
174 * OR zero-length.
175 */
5447d477
PM		 176 if (((sch->type == SCTP_CID_COOKIE_ACK ||
177 sch->type == SCTP_CID_COOKIE_ECHO ||
178 flag) &&
179 count != 0) || !sch->length) {
f71cb8f4
FW		 180 nf_ct_l4proto_log_invalid(skb, ct, state,
181 "%s failed. chunk num %d, type %d, len %d flag %d\n",
182 __func__, count, sch->type, sch->length, flag);
9fb9cbb1
YK		 183 return 1;
184 }
185
5447d477 186 if (map)
35c6d3cb 187 set_bit(sch->type, map);
9fb9cbb1
YK		 188 }
189
dd7271fe 190 return count == 0;
9fb9cbb1
YK		 191}
192
efe9f68a
PM		 193static int sctp_new_state(enum ip_conntrack_dir dir,
194 enum sctp_conntrack cur_state,
195 int chunk_type)
9fb9cbb1
YK		 196{
197 int i;
198
9fb9cbb1 199 switch (chunk_type) {
5447d477 200 case SCTP_CID_INIT:
5447d477
PM		 201 i = 0;
202 break;
203 case SCTP_CID_INIT_ACK:
5447d477
PM		 204 i = 1;
205 break;
206 case SCTP_CID_ABORT:
5447d477
PM		 207 i = 2;
208 break;
209 case SCTP_CID_SHUTDOWN:
5447d477
PM		 210 i = 3;
211 break;
212 case SCTP_CID_SHUTDOWN_ACK:
5447d477
PM		 213 i = 4;
214 break;
215 case SCTP_CID_ERROR:
5447d477
PM		 216 i = 5;
217 break;
218 case SCTP_CID_COOKIE_ECHO:
5447d477
PM		 219 i = 6;
220 break;
221 case SCTP_CID_COOKIE_ACK:
5447d477
PM		 222 i = 7;
223 break;
224 case SCTP_CID_SHUTDOWN_COMPLETE:
5447d477
PM		 225 i = 8;
226 break;
d7ee3519 227 case SCTP_CID_HEARTBEAT:
d7ee3519
MK		 228 i = 9;
229 break;
230 case SCTP_CID_HEARTBEAT_ACK:
d7ee3519
MK		 231 i = 10;
232 break;
5447d477 233 default:
d7ee3519 234 /* Other chunks like DATA or SACK do not change the state */
f71cb8f4
FW		 235 pr_debug("Unknown chunk type %d, Will stay in %s\n",
236 chunk_type, sctp_conntrack_names[cur_state]);
5447d477 237 return cur_state;
9fb9cbb1
YK		 238 }
239
9fb9cbb1
YK		 240 return sctp_conntracks[dir][i][cur_state];
241}
242
9976fc6e
FW		 243/* Don't need lock here: this conntrack not in circulation yet */
244static noinline bool
245sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
246 const struct sctphdr *sh, unsigned int dataoff)
247{
248 enum sctp_conntrack new_state;
249 const struct sctp_chunkhdr *sch;
250 struct sctp_chunkhdr _sch;
251 u32 offset, count;
252
253 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
254 new_state = SCTP_CONNTRACK_MAX;
255 for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) {
256 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
257 SCTP_CONNTRACK_NONE, sch->type);
258
259 /* Invalid: delete conntrack */
260 if (new_state == SCTP_CONNTRACK_NONE ||
261 new_state == SCTP_CONNTRACK_MAX) {
262 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
263 return false;
264 }
265
266 /* Copy the vtag into the state info */
267 if (sch->type == SCTP_CID_INIT) {
268 struct sctp_inithdr _inithdr, *ih;
269 /* Sec 8.5.1 (A) */
270 if (sh->vtag)
271 return false;
272
273 ih = skb_header_pointer(skb, offset + sizeof(_sch),
274 sizeof(_inithdr), &_inithdr);
275 if (!ih)
276 return false;
277
278 pr_debug("Setting vtag %x for new conn\n",
279 ih->init_tag);
280
281 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
13bd9b31 282 } else if (sch->type == SCTP_CID_HEARTBEAT) {
9976fc6e
FW		 283 pr_debug("Setting vtag %x for secondary conntrack\n",
284 sh->vtag);
285 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
286 } else {
287 /* If it is a shutdown ack OOTB packet, we expect a return
288 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
289 pr_debug("Setting vtag %x for new conn OOTB\n",
290 sh->vtag);
291 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
292 }
293
ab658b9f 294 ct->proto.sctp.state = SCTP_CONNTRACK_NONE;
9976fc6e
FW		 295 }
296
297 return true;
298}
299
0150ffba
FW		 300static bool sctp_error(struct sk_buff *skb,
301 unsigned int dataoff,
302 const struct nf_hook_state *state)
303{
304 const struct sctphdr *sh;
305 const char *logmsg;
306
307 if (skb->len < dataoff + sizeof(struct sctphdr)) {
308 logmsg = "nf_ct_sctp: short packet ";
309 goto out_invalid;
310 }
311 if (state->hook == NF_INET_PRE_ROUTING &&
312 state->net->ct.sysctl_checksum &&
313 skb->ip_summed == CHECKSUM_NONE) {
86f04538 314 if (skb_ensure_writable(skb, dataoff + sizeof(*sh))) {
0150ffba
FW		 315 logmsg = "nf_ct_sctp: failed to read header ";
316 goto out_invalid;
317 }
318 sh = (const struct sctphdr *)(skb->data + dataoff);
319 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
320 logmsg = "nf_ct_sctp: bad CRC ";
321 goto out_invalid;
322 }
323 skb->ip_summed = CHECKSUM_UNNECESSARY;
324 }
325 return false;
326out_invalid:
62eec0d7 327 nf_l4proto_log_invalid(skb, state, IPPROTO_SCTP, "%s", logmsg);
0150ffba
FW		 328 return true;
329}
330
b37e933a 331/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
a47c5404
FW		 332int nf_conntrack_sctp_packet(struct nf_conn *ct,
333 struct sk_buff *skb,
334 unsigned int dataoff,
335 enum ip_conntrack_info ctinfo,
336 const struct nf_hook_state *state)
9fb9cbb1 337{
efe9f68a 338 enum sctp_conntrack new_state, old_state;
8528819a 339 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
12c33aa2
JE		 340 const struct sctphdr *sh;
341 struct sctphdr _sctph;
342 const struct sctp_chunkhdr *sch;
343 struct sctp_chunkhdr _sch;
9fb9cbb1 344 u_int32_t offset, count;
c779e849 345 unsigned int *timeouts;
35c6d3cb 346 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
cc5453a5 347 bool ignore = false;
9fb9cbb1 348
0150ffba
FW		 349 if (sctp_error(skb, dataoff, state))
350 return -NF_ACCEPT;
351
9fb9cbb1
YK		 352 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
353 if (sh == NULL)
b37e933a 354 goto out;
9fb9cbb1 355
f71cb8f4 356 if (do_basic_checks(ct, skb, dataoff, map, state) != 0)
b37e933a 357 goto out;
9fb9cbb1 358
9976fc6e
FW		 359 if (!nf_ct_is_confirmed(ct)) {
360 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
361 if (test_bit(SCTP_CID_ABORT, map) ||
362 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
363 test_bit(SCTP_CID_COOKIE_ACK, map))
364 return -NF_ACCEPT;
365
366 if (!sctp_new(ct, skb, sh, dataoff))
367 return -NF_ACCEPT;
13bd9b31
SY		 368 }
369
370 /* Check the verification tag (Sec 8.5) */
371 if (!test_bit(SCTP_CID_INIT, map) &&
372 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
373 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
374 !test_bit(SCTP_CID_ABORT, map) &&
375 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
376 !test_bit(SCTP_CID_HEARTBEAT, map) &&
377 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
378 sh->vtag != ct->proto.sctp.vtag[dir]) {
b568d307
JK		 379 nf_ct_l4proto_log_invalid(skb, ct, state,
380 "verification tag check failed %x vs %x for dir %d",
381 sh->vtag, ct->proto.sctp.vtag[dir], dir);
13bd9b31 382 goto out;
9fb9cbb1
YK		 383 }
384
328bd899 385 old_state = new_state = SCTP_CONNTRACK_NONE;
440f0d58 386 spin_lock_bh(&ct->lock);
9fb9cbb1 387 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
9fb9cbb1
YK		 388 /* Special cases of Verification tag check (Sec 8.5.1) */
389 if (sch->type == SCTP_CID_INIT) {
a9993591 390 /* (A) vtag MUST be zero */
b37e933a
PM		 391 if (sh->vtag != 0)
392 goto out_unlock;
9fb9cbb1 393 } else if (sch->type == SCTP_CID_ABORT) {
a9993591
SY		 394 /* (B) vtag MUST match own vtag if T flag is unset OR
395 * MUST match peer's vtag if T flag is set
396 */
397 if ((!(sch->flags & SCTP_CHUNK_FLAG_T) &&
398 sh->vtag != ct->proto.sctp.vtag[dir]) ||
399 ((sch->flags & SCTP_CHUNK_FLAG_T) &&
400 sh->vtag != ct->proto.sctp.vtag[!dir]))
b37e933a 401 goto out_unlock;
9fb9cbb1 402 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
a9993591
SY		 403 /* (C) vtag MUST match own vtag if T flag is unset OR
404 * MUST match peer's vtag if T flag is set
405 */
406 if ((!(sch->flags & SCTP_CHUNK_FLAG_T) &&
407 sh->vtag != ct->proto.sctp.vtag[dir]) ||
408 ((sch->flags & SCTP_CHUNK_FLAG_T) &&
409 sh->vtag != ct->proto.sctp.vtag[!dir]))
b37e933a 410 goto out_unlock;
9fb9cbb1 411 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
a9993591 412 /* (D) vtag must be same as init_vtag as found in INIT_ACK */
b37e933a
PM		 413 if (sh->vtag != ct->proto.sctp.vtag[dir])
414 goto out_unlock;
cc5453a5
FW		 415 } else if (sch->type == SCTP_CID_HEARTBEAT) {
416 if (ct->proto.sctp.vtag[dir] == 0) {
417 pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir);
418 ct->proto.sctp.vtag[dir] = sh->vtag;
419 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
420 if (test_bit(SCTP_CID_DATA, map) || ignore)
421 goto out_unlock;
422
423 ct->proto.sctp.flags |= SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
424 ct->proto.sctp.last_dir = dir;
425 ignore = true;
426 continue;
427 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) {
428 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
429 }
430 } else if (sch->type == SCTP_CID_HEARTBEAT_ACK) {
d7ee3519
MK		 431 if (ct->proto.sctp.vtag[dir] == 0) {
432 pr_debug("Setting vtag %x for dir %d\n",
433 sh->vtag, dir);
434 ct->proto.sctp.vtag[dir] = sh->vtag;
435 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
cc5453a5
FW		 436 if (test_bit(SCTP_CID_DATA, map) || ignore)
437 goto out_unlock;
438
439 if ((ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) == 0 ||
440 ct->proto.sctp.last_dir == dir)
441 goto out_unlock;
442
443 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
444 ct->proto.sctp.vtag[dir] = sh->vtag;
445 ct->proto.sctp.vtag[!dir] = 0;
446 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) {
447 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
d7ee3519 448 }
9fb9cbb1
YK		 449 }
450
efe9f68a
PM		 451 old_state = ct->proto.sctp.state;
452 new_state = sctp_new_state(dir, old_state, sch->type);
9fb9cbb1
YK		 453
454 /* Invalid */
efe9f68a 455 if (new_state == SCTP_CONNTRACK_MAX) {
f71cb8f4
FW		 456 nf_ct_l4proto_log_invalid(skb, ct, state,
457 "Invalid, old_state %d, dir %d, type %d",
458 old_state, dir, sch->type);
459
b37e933a 460 goto out_unlock;
9fb9cbb1
YK		 461 }
462
463 /* If it is an INIT or an INIT ACK note down the vtag */
5447d477
PM		 464 if (sch->type == SCTP_CID_INIT ||
465 sch->type == SCTP_CID_INIT_ACK) {
4ae70c08 466 struct sctp_inithdr _inithdr, *ih;
9fb9cbb1 467
922dbc5b 468 ih = skb_header_pointer(skb, offset + sizeof(_sch),
601e68e1 469 sizeof(_inithdr), &_inithdr);
b37e933a
PM		 470 if (ih == NULL)
471 goto out_unlock;
0d53778e 472 pr_debug("Setting vtag %x for dir %d\n",
8528819a
PM		 473 ih->init_tag, !dir);
474 ct->proto.sctp.vtag[!dir] = ih->init_tag;
77b33719
FW		 475
476 /* don't renew timeout on init retransmit so
477 * port reuse by client or NAT middlebox cannot
478 * keep entry alive indefinitely (incl. nat info).
479 */
480 if (new_state == SCTP_CONNTRACK_CLOSED &&
481 old_state == SCTP_CONNTRACK_CLOSED &&
482 nf_ct_is_confirmed(ct))
483 ignore = true;
9fb9cbb1
YK		 484 }
485
efe9f68a 486 ct->proto.sctp.state = new_state;
a44b7651 487 if (old_state != new_state) {
a71996fc 488 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
a44b7651
SY		 489 if (new_state == SCTP_CONNTRACK_ESTABLISHED &&
490 !test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
491 nf_conntrack_event_cache(IPCT_ASSURED, ct);
492 }
9fb9cbb1 493 }
440f0d58 494 spin_unlock_bh(&ct->lock);
9fb9cbb1 495
cc5453a5
FW		 496 /* allow but do not refresh timeout */
497 if (ignore)
498 return NF_ACCEPT;
499
c779e849
FW		 500 timeouts = nf_ct_timeout_lookup(ct);
501 if (!timeouts)
a95a7774 502 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts;
c779e849 503
2c8503f5 504 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
9fb9cbb1 505
9fb9cbb1 506 return NF_ACCEPT;
b37e933a
PM		 507
508out_unlock:
440f0d58 509 spin_unlock_bh(&ct->lock);
b37e933a
PM		 510out:
511 return -NF_ACCEPT;
9fb9cbb1
YK		 512}
513
c6dd940b
FW		 514static bool sctp_can_early_drop(const struct nf_conn *ct)
515{
516 switch (ct->proto.sctp.state) {
517 case SCTP_CONNTRACK_SHUTDOWN_SENT:
518 case SCTP_CONNTRACK_SHUTDOWN_RECD:
519 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
520 return true;
521 default:
522 break;
523 }
524
525 return false;
526}
527
c0cd1156 528#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e
PNA		 529
530#include <linux/netfilter/nfnetlink.h>
531#include <linux/netfilter/nfnetlink_conntrack.h>
532
533static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
86d21fc7 534 struct nf_conn *ct, bool destroy)
a258860e
PNA		 535{
536 struct nlattr *nest_parms;
537
440f0d58 538 spin_lock_bh(&ct->lock);
ae0be8de 539 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP);
a258860e
PNA		 540 if (!nest_parms)
541 goto nla_put_failure;
542
86d21fc7
FW		 543 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state))
544 goto nla_put_failure;
545
546 if (destroy)
547 goto skip_state;
548
549 if (nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
5e8d1eb5
DM		 550 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
551 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
552 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
553 goto nla_put_failure;
a258860e 554
86d21fc7 555skip_state:
440f0d58 556 spin_unlock_bh(&ct->lock);
a258860e
PNA		 557 nla_nest_end(skb, nest_parms);
558
559 return 0;
560
561nla_put_failure:
440f0d58 562 spin_unlock_bh(&ct->lock);
a258860e
PNA		 563 return -1;
564}
565
566static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
567 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
568 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
569 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
570};
571
39215846
FW		 572#define SCTP_NLATTR_SIZE ( \
573 NLA_ALIGN(NLA_HDRLEN + 1) + \
574 NLA_ALIGN(NLA_HDRLEN + 4) + \
575 NLA_ALIGN(NLA_HDRLEN + 4))
576
a258860e
PNA		 577static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
578{
579 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
580 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
581 int err;
582
583 /* updates may not contain the internal protocol info, skip parsing */
584 if (!attr)
585 return 0;
586
8cb08174
JB		 587 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr,
588 sctp_nla_policy, NULL);
a258860e
PNA		 589 if (err < 0)
590 return err;
591
592 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
593 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
594 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
595 return -EINVAL;
596
440f0d58 597 spin_lock_bh(&ct->lock);
a258860e
PNA		 598 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
599 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
5547cd0a 600 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
a258860e 601 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
5547cd0a 602 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
440f0d58 603 spin_unlock_bh(&ct->lock);
a258860e
PNA		 604
605 return 0;
606}
607#endif
608
a874752a 609#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
50978462
PNA		 610
611#include <linux/netfilter/nfnetlink.h>
612#include <linux/netfilter/nfnetlink_cttimeout.h>
613
8264deb8
G		 614static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
615 struct net *net, void *data)
50978462
PNA		 616{
617 unsigned int *timeouts = data;
a95a7774 618 struct nf_sctp_net *sn = nf_sctp_pernet(net);
50978462
PNA		 619 int i;
620
1d9a7acd
FW		 621 if (!timeouts)
622 timeouts = sn->timeouts;
623
50978462
PNA		 624 /* set default SCTP timeouts. */
625 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
8264deb8 626 timeouts[i] = sn->timeouts[i];
50978462
PNA		 627
628 /* there's a 1:1 mapping between attributes and protocol states. */
629 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
630 if (tb[i]) {
631 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
632 }
633 }
ef39078d
FW		 634
635 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED];
50978462
PNA		 636 return 0;
637}
638
639static int
640sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
641{
642 const unsigned int *timeouts = data;
643 int i;
644
5e8d1eb5
DM		 645 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
646 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
647 goto nla_put_failure;
648 }
50978462
PNA		 649 return 0;
650
651nla_put_failure:
652 return -ENOSPC;
653}
654
655static const struct nla_policy
656sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
657 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
658 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
659 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
660 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
661 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
662 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
663 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
d7ee3519
MK		 664 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
665 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
50978462 666};
a874752a 667#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
50978462 668
2a389de8 669void nf_conntrack_sctp_init_net(struct net *net)
49d485a3 670{
a95a7774 671 struct nf_sctp_net *sn = nf_sctp_pernet(net);
2a389de8 672 int i;
49d485a3 673
2a389de8
FW		 674 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
675 sn->timeouts[i] = sctp_timeouts[i];
49d485a3 676
2a389de8
FW		 677 /* timeouts[0] is unused, init it so ->timeouts[0] contains
678 * 'new' timeout, like udp or icmp.
679 */
680 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
deaa0a97
LZ		 681}
682
dd2934a9 683const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = {
933a41e7 684 .l4proto = IPPROTO_SCTP,
ea48cc83 685#ifdef CONFIG_NF_CONNTRACK_PROCFS
933a41e7 686 .print_conntrack = sctp_print_conntrack,
ea48cc83 687#endif
c6dd940b 688 .can_early_drop = sctp_can_early_drop,
c0cd1156 689#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
39215846 690 .nlattr_size = SCTP_NLATTR_SIZE,
a258860e
PNA		 691 .to_nlattr = sctp_to_nlattr,
692 .from_nlattr = nlattr_to_sctp,
c7212e9d 693 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 694 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 695 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
696 .nla_policy = nf_ct_port_nla_policy,
697#endif
a874752a 698#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
50978462
PNA		 699 .ctnl_timeout = {
700 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
701 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
702 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
703 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
704 .nla_policy = sctp_timeout_nla_policy,
705 },
a874752a 706#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
9fb9cbb1 707};
Linux 6.x block layer and io_uring tree(s)