Commit | Line | Data |
---|---|---|
d2912cb1 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
9fb9cbb1 YK |
2 | /* |
3 | * Connection tracking protocol helper module for SCTP. | |
601e68e1 | 4 | * |
f229f6ce PM |
5 | * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com> |
6 | * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net> | |
7 | * | |
601e68e1 | 8 | * SCTP is defined in RFC 2960. References to various sections in this code |
9fb9cbb1 | 9 | * are to this RFC. |
9fb9cbb1 YK |
10 | */ |
11 | ||
12 | #include <linux/types.h> | |
9fb9cbb1 YK |
13 | #include <linux/timer.h> |
14 | #include <linux/netfilter.h> | |
9fb9cbb1 YK |
15 | #include <linux/in.h> |
16 | #include <linux/ip.h> | |
17 | #include <linux/sctp.h> | |
18 | #include <linux/string.h> | |
19 | #include <linux/seq_file.h> | |
40a839fd YK |
20 | #include <linux/spinlock.h> |
21 | #include <linux/interrupt.h> | |
cf6e007e | 22 | #include <net/sctp/checksum.h> |
9fb9cbb1 | 23 | |
cf6e007e | 24 | #include <net/netfilter/nf_log.h> |
9fb9cbb1 | 25 | #include <net/netfilter/nf_conntrack.h> |
605dcad6 | 26 | #include <net/netfilter/nf_conntrack_l4proto.h> |
f6180121 | 27 | #include <net/netfilter/nf_conntrack_ecache.h> |
c779e849 | 28 | #include <net/netfilter/nf_conntrack_timeout.h> |
9fb9cbb1 | 29 | |
12c33aa2 | 30 | static const char *const sctp_conntrack_names[] = { |
a44b7651 SY |
31 | [SCTP_CONNTRACK_NONE] = "NONE", |
32 | [SCTP_CONNTRACK_CLOSED] = "CLOSED", | |
33 | [SCTP_CONNTRACK_COOKIE_WAIT] = "COOKIE_WAIT", | |
34 | [SCTP_CONNTRACK_COOKIE_ECHOED] = "COOKIE_ECHOED", | |
35 | [SCTP_CONNTRACK_ESTABLISHED] = "ESTABLISHED", | |
36 | [SCTP_CONNTRACK_SHUTDOWN_SENT] = "SHUTDOWN_SENT", | |
37 | [SCTP_CONNTRACK_SHUTDOWN_RECD] = "SHUTDOWN_RECD", | |
38 | [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = "SHUTDOWN_ACK_SENT", | |
39 | [SCTP_CONNTRACK_HEARTBEAT_SENT] = "HEARTBEAT_SENT", | |
9fb9cbb1 YK |
40 | }; |
41 | ||
42 | #define SECS * HZ | |
43 | #define MINS * 60 SECS | |
44 | #define HOURS * 60 MINS | |
45 | #define DAYS * 24 HOURS | |
46 | ||
2c9e8637 | 47 | static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = { |
86c0bf40 PM |
48 | [SCTP_CONNTRACK_CLOSED] = 10 SECS, |
49 | [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS, | |
50 | [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS, | |
a44b7651 | 51 | [SCTP_CONNTRACK_ESTABLISHED] = 210 SECS, |
86c0bf40 PM |
52 | [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000, |
53 | [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000, | |
54 | [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS, | |
d7ee3519 | 55 | [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS, |
86c0bf40 | 56 | }; |
9fb9cbb1 | 57 | |
cc5453a5 FW |
58 | #define SCTP_FLAG_HEARTBEAT_VTAG_FAILED 1 |
59 | ||
9fb9cbb1 YK |
60 | #define sNO SCTP_CONNTRACK_NONE |
61 | #define sCL SCTP_CONNTRACK_CLOSED | |
62 | #define sCW SCTP_CONNTRACK_COOKIE_WAIT | |
63 | #define sCE SCTP_CONNTRACK_COOKIE_ECHOED | |
64 | #define sES SCTP_CONNTRACK_ESTABLISHED | |
65 | #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT | |
66 | #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD | |
67 | #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT | |
d7ee3519 | 68 | #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT |
9fb9cbb1 YK |
69 | #define sIV SCTP_CONNTRACK_MAX |
70 | ||
601e68e1 | 71 | /* |
9fb9cbb1 YK |
72 | These are the descriptions of the states: |
73 | ||
601e68e1 | 74 | NOTE: These state names are tantalizingly similar to the states of an |
9fb9cbb1 | 75 | SCTP endpoint. But the interpretation of the states is a little different, |
601e68e1 | 76 | considering that these are the states of the connection and not of an end |
9fb9cbb1 YK |
77 | point. Please note the subtleties. -Kiran |
78 | ||
79 | NONE - Nothing so far. | |
601e68e1 YH |
80 | COOKIE WAIT - We have seen an INIT chunk in the original direction, or also |
81 | an INIT_ACK chunk in the reply direction. | |
9fb9cbb1 YK |
82 | COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. |
83 | ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. | |
84 | SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. | |
bff3d053 | 85 | SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply direction. |
9fb9cbb1 | 86 | SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite |
601e68e1 YH |
87 | to that of the SHUTDOWN chunk. |
88 | CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of | |
89 | the SHUTDOWN chunk. Connection is closed. | |
d7ee3519 | 90 | HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow. |
9fb9cbb1 YK |
91 | */ |
92 | ||
93 | /* TODO | |
601e68e1 | 94 | - I have assumed that the first INIT is in the original direction. |
9fb9cbb1 YK |
95 | This messes things when an INIT comes in the reply direction in CLOSED |
96 | state. | |
601e68e1 | 97 | - Check the error type in the reply dir before transitioning from |
9fb9cbb1 YK |
98 | cookie echoed to closed. |
99 | - Sec 5.2.4 of RFC 2960 | |
d7ee3519 | 100 | - Full Multi Homing support. |
9fb9cbb1 YK |
101 | */ |
102 | ||
103 | /* SCTP conntrack state transitions */ | |
13bd9b31 | 104 | static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = { |
9fb9cbb1 YK |
105 | { |
106 | /* ORIGINAL */ | |
a44b7651 SY |
107 | /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS */ |
108 | /* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW}, | |
109 | /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL}, | |
110 | /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, | |
111 | /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL}, | |
112 | /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA}, | |
113 | /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},/* Can't have Stale cookie*/ | |
114 | /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL},/* 5.2.4 - Big TODO */ | |
115 | /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},/* Can't come in orig dir */ | |
116 | /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL}, | |
117 | /* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS}, | |
118 | /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS}, | |
9fb9cbb1 YK |
119 | }, |
120 | { | |
121 | /* REPLY */ | |
a44b7651 SY |
122 | /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS */ |
123 | /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV},/* INIT in sCL Big TODO */ | |
124 | /* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV}, | |
125 | /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV}, | |
126 | /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV}, | |
127 | /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV}, | |
128 | /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV}, | |
129 | /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV},/* Can't come in reply dir */ | |
130 | /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV}, | |
131 | /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV}, | |
132 | /* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS}, | |
133 | /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sES}, | |
9fb9cbb1 YK |
134 | } |
135 | }; | |
136 | ||
ea48cc83 | 137 | #ifdef CONFIG_NF_CONNTRACK_PROCFS |
9fb9cbb1 | 138 | /* Print out the private part of the conntrack. */ |
37246a58 | 139 | static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) |
9fb9cbb1 | 140 | { |
a163f2cb | 141 | seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]); |
9fb9cbb1 | 142 | } |
ea48cc83 | 143 | #endif |
9fb9cbb1 | 144 | |
bd0e06f0 | 145 | /* do_basic_checks ensures sch->length > 0, do not use before */ |
9fb9cbb1 | 146 | #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ |
ae146d9b | 147 | for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ |
bd0e06f0 FW |
148 | (offset) < (skb)->len && \ |
149 | ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ | |
e79ec50b | 150 | (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) |
9fb9cbb1 YK |
151 | |
152 | /* Some validity checks to make sure the chunks are fine */ | |
112f35c9 | 153 | static int do_basic_checks(struct nf_conn *ct, |
9fb9cbb1 YK |
154 | const struct sk_buff *skb, |
155 | unsigned int dataoff, | |
f71cb8f4 FW |
156 | unsigned long *map, |
157 | const struct nf_hook_state *state) | |
9fb9cbb1 YK |
158 | { |
159 | u_int32_t offset, count; | |
922dbc5b | 160 | struct sctp_chunkhdr _sch, *sch; |
9fb9cbb1 YK |
161 | int flag; |
162 | ||
9fb9cbb1 YK |
163 | flag = 0; |
164 | ||
165 | for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { | |
5447d477 PM |
166 | if (sch->type == SCTP_CID_INIT || |
167 | sch->type == SCTP_CID_INIT_ACK || | |
168 | sch->type == SCTP_CID_SHUTDOWN_COMPLETE) | |
9fb9cbb1 | 169 | flag = 1; |
9fb9cbb1 | 170 | |
e17df688 PM |
171 | /* |
172 | * Cookie Ack/Echo chunks not the first OR | |
173 | * Init / Init Ack / Shutdown compl chunks not the only chunks | |
174 | * OR zero-length. | |
175 | */ | |
5447d477 PM |
176 | if (((sch->type == SCTP_CID_COOKIE_ACK || |
177 | sch->type == SCTP_CID_COOKIE_ECHO || | |
178 | flag) && | |
179 | count != 0) || !sch->length) { | |
f71cb8f4 FW |
180 | nf_ct_l4proto_log_invalid(skb, ct, state, |
181 | "%s failed. chunk num %d, type %d, len %d flag %d\n", | |
182 | __func__, count, sch->type, sch->length, flag); | |
9fb9cbb1 YK |
183 | return 1; |
184 | } | |
185 | ||
5447d477 | 186 | if (map) |
35c6d3cb | 187 | set_bit(sch->type, map); |
9fb9cbb1 YK |
188 | } |
189 | ||
dd7271fe | 190 | return count == 0; |
9fb9cbb1 YK |
191 | } |
192 | ||
efe9f68a PM |
193 | static int sctp_new_state(enum ip_conntrack_dir dir, |
194 | enum sctp_conntrack cur_state, | |
195 | int chunk_type) | |
9fb9cbb1 YK |
196 | { |
197 | int i; | |
198 | ||
9fb9cbb1 | 199 | switch (chunk_type) { |
5447d477 | 200 | case SCTP_CID_INIT: |
5447d477 PM |
201 | i = 0; |
202 | break; | |
203 | case SCTP_CID_INIT_ACK: | |
5447d477 PM |
204 | i = 1; |
205 | break; | |
206 | case SCTP_CID_ABORT: | |
5447d477 PM |
207 | i = 2; |
208 | break; | |
209 | case SCTP_CID_SHUTDOWN: | |
5447d477 PM |
210 | i = 3; |
211 | break; | |
212 | case SCTP_CID_SHUTDOWN_ACK: | |
5447d477 PM |
213 | i = 4; |
214 | break; | |
215 | case SCTP_CID_ERROR: | |
5447d477 PM |
216 | i = 5; |
217 | break; | |
218 | case SCTP_CID_COOKIE_ECHO: | |
5447d477 PM |
219 | i = 6; |
220 | break; | |
221 | case SCTP_CID_COOKIE_ACK: | |
5447d477 PM |
222 | i = 7; |
223 | break; | |
224 | case SCTP_CID_SHUTDOWN_COMPLETE: | |
5447d477 PM |
225 | i = 8; |
226 | break; | |
d7ee3519 | 227 | case SCTP_CID_HEARTBEAT: |
d7ee3519 MK |
228 | i = 9; |
229 | break; | |
230 | case SCTP_CID_HEARTBEAT_ACK: | |
d7ee3519 MK |
231 | i = 10; |
232 | break; | |
5447d477 | 233 | default: |
d7ee3519 | 234 | /* Other chunks like DATA or SACK do not change the state */ |
f71cb8f4 FW |
235 | pr_debug("Unknown chunk type %d, Will stay in %s\n", |
236 | chunk_type, sctp_conntrack_names[cur_state]); | |
5447d477 | 237 | return cur_state; |
9fb9cbb1 YK |
238 | } |
239 | ||
9fb9cbb1 YK |
240 | return sctp_conntracks[dir][i][cur_state]; |
241 | } | |
242 | ||
9976fc6e FW |
243 | /* Don't need lock here: this conntrack not in circulation yet */ |
244 | static noinline bool | |
245 | sctp_new(struct nf_conn *ct, const struct sk_buff *skb, | |
246 | const struct sctphdr *sh, unsigned int dataoff) | |
247 | { | |
248 | enum sctp_conntrack new_state; | |
249 | const struct sctp_chunkhdr *sch; | |
250 | struct sctp_chunkhdr _sch; | |
251 | u32 offset, count; | |
252 | ||
253 | memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp)); | |
254 | new_state = SCTP_CONNTRACK_MAX; | |
255 | for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) { | |
256 | new_state = sctp_new_state(IP_CT_DIR_ORIGINAL, | |
257 | SCTP_CONNTRACK_NONE, sch->type); | |
258 | ||
259 | /* Invalid: delete conntrack */ | |
260 | if (new_state == SCTP_CONNTRACK_NONE || | |
261 | new_state == SCTP_CONNTRACK_MAX) { | |
262 | pr_debug("nf_conntrack_sctp: invalid new deleting.\n"); | |
263 | return false; | |
264 | } | |
265 | ||
266 | /* Copy the vtag into the state info */ | |
267 | if (sch->type == SCTP_CID_INIT) { | |
268 | struct sctp_inithdr _inithdr, *ih; | |
269 | /* Sec 8.5.1 (A) */ | |
270 | if (sh->vtag) | |
271 | return false; | |
272 | ||
273 | ih = skb_header_pointer(skb, offset + sizeof(_sch), | |
274 | sizeof(_inithdr), &_inithdr); | |
275 | if (!ih) | |
276 | return false; | |
277 | ||
278 | pr_debug("Setting vtag %x for new conn\n", | |
279 | ih->init_tag); | |
280 | ||
281 | ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag; | |
13bd9b31 | 282 | } else if (sch->type == SCTP_CID_HEARTBEAT) { |
9976fc6e FW |
283 | pr_debug("Setting vtag %x for secondary conntrack\n", |
284 | sh->vtag); | |
285 | ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag; | |
286 | } else { | |
287 | /* If it is a shutdown ack OOTB packet, we expect a return | |
288 | shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ | |
289 | pr_debug("Setting vtag %x for new conn OOTB\n", | |
290 | sh->vtag); | |
291 | ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; | |
292 | } | |
293 | ||
ab658b9f | 294 | ct->proto.sctp.state = SCTP_CONNTRACK_NONE; |
9976fc6e FW |
295 | } |
296 | ||
297 | return true; | |
298 | } | |
299 | ||
0150ffba FW |
300 | static bool sctp_error(struct sk_buff *skb, |
301 | unsigned int dataoff, | |
302 | const struct nf_hook_state *state) | |
303 | { | |
304 | const struct sctphdr *sh; | |
305 | const char *logmsg; | |
306 | ||
307 | if (skb->len < dataoff + sizeof(struct sctphdr)) { | |
308 | logmsg = "nf_ct_sctp: short packet "; | |
309 | goto out_invalid; | |
310 | } | |
311 | if (state->hook == NF_INET_PRE_ROUTING && | |
312 | state->net->ct.sysctl_checksum && | |
313 | skb->ip_summed == CHECKSUM_NONE) { | |
86f04538 | 314 | if (skb_ensure_writable(skb, dataoff + sizeof(*sh))) { |
0150ffba FW |
315 | logmsg = "nf_ct_sctp: failed to read header "; |
316 | goto out_invalid; | |
317 | } | |
318 | sh = (const struct sctphdr *)(skb->data + dataoff); | |
319 | if (sh->checksum != sctp_compute_cksum(skb, dataoff)) { | |
320 | logmsg = "nf_ct_sctp: bad CRC "; | |
321 | goto out_invalid; | |
322 | } | |
323 | skb->ip_summed = CHECKSUM_UNNECESSARY; | |
324 | } | |
325 | return false; | |
326 | out_invalid: | |
62eec0d7 | 327 | nf_l4proto_log_invalid(skb, state, IPPROTO_SCTP, "%s", logmsg); |
0150ffba FW |
328 | return true; |
329 | } | |
330 | ||
b37e933a | 331 | /* Returns verdict for packet, or -NF_ACCEPT for invalid. */ |
a47c5404 FW |
332 | int nf_conntrack_sctp_packet(struct nf_conn *ct, |
333 | struct sk_buff *skb, | |
334 | unsigned int dataoff, | |
335 | enum ip_conntrack_info ctinfo, | |
336 | const struct nf_hook_state *state) | |
9fb9cbb1 | 337 | { |
efe9f68a | 338 | enum sctp_conntrack new_state, old_state; |
8528819a | 339 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); |
12c33aa2 JE |
340 | const struct sctphdr *sh; |
341 | struct sctphdr _sctph; | |
342 | const struct sctp_chunkhdr *sch; | |
343 | struct sctp_chunkhdr _sch; | |
9fb9cbb1 | 344 | u_int32_t offset, count; |
c779e849 | 345 | unsigned int *timeouts; |
35c6d3cb | 346 | unsigned long map[256 / sizeof(unsigned long)] = { 0 }; |
cc5453a5 | 347 | bool ignore = false; |
9fb9cbb1 | 348 | |
0150ffba FW |
349 | if (sctp_error(skb, dataoff, state)) |
350 | return -NF_ACCEPT; | |
351 | ||
9fb9cbb1 YK |
352 | sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); |
353 | if (sh == NULL) | |
b37e933a | 354 | goto out; |
9fb9cbb1 | 355 | |
f71cb8f4 | 356 | if (do_basic_checks(ct, skb, dataoff, map, state) != 0) |
b37e933a | 357 | goto out; |
9fb9cbb1 | 358 | |
9976fc6e FW |
359 | if (!nf_ct_is_confirmed(ct)) { |
360 | /* If an OOTB packet has any of these chunks discard (Sec 8.4) */ | |
361 | if (test_bit(SCTP_CID_ABORT, map) || | |
362 | test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) || | |
363 | test_bit(SCTP_CID_COOKIE_ACK, map)) | |
364 | return -NF_ACCEPT; | |
365 | ||
366 | if (!sctp_new(ct, skb, sh, dataoff)) | |
367 | return -NF_ACCEPT; | |
13bd9b31 SY |
368 | } |
369 | ||
370 | /* Check the verification tag (Sec 8.5) */ | |
371 | if (!test_bit(SCTP_CID_INIT, map) && | |
372 | !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) && | |
373 | !test_bit(SCTP_CID_COOKIE_ECHO, map) && | |
374 | !test_bit(SCTP_CID_ABORT, map) && | |
375 | !test_bit(SCTP_CID_SHUTDOWN_ACK, map) && | |
376 | !test_bit(SCTP_CID_HEARTBEAT, map) && | |
377 | !test_bit(SCTP_CID_HEARTBEAT_ACK, map) && | |
378 | sh->vtag != ct->proto.sctp.vtag[dir]) { | |
b568d307 JK |
379 | nf_ct_l4proto_log_invalid(skb, ct, state, |
380 | "verification tag check failed %x vs %x for dir %d", | |
381 | sh->vtag, ct->proto.sctp.vtag[dir], dir); | |
13bd9b31 | 382 | goto out; |
9fb9cbb1 YK |
383 | } |
384 | ||
328bd899 | 385 | old_state = new_state = SCTP_CONNTRACK_NONE; |
440f0d58 | 386 | spin_lock_bh(&ct->lock); |
9fb9cbb1 | 387 | for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { |
9fb9cbb1 YK |
388 | /* Special cases of Verification tag check (Sec 8.5.1) */ |
389 | if (sch->type == SCTP_CID_INIT) { | |
a9993591 | 390 | /* (A) vtag MUST be zero */ |
b37e933a PM |
391 | if (sh->vtag != 0) |
392 | goto out_unlock; | |
9fb9cbb1 | 393 | } else if (sch->type == SCTP_CID_ABORT) { |
a9993591 SY |
394 | /* (B) vtag MUST match own vtag if T flag is unset OR |
395 | * MUST match peer's vtag if T flag is set | |
396 | */ | |
397 | if ((!(sch->flags & SCTP_CHUNK_FLAG_T) && | |
398 | sh->vtag != ct->proto.sctp.vtag[dir]) || | |
399 | ((sch->flags & SCTP_CHUNK_FLAG_T) && | |
400 | sh->vtag != ct->proto.sctp.vtag[!dir])) | |
b37e933a | 401 | goto out_unlock; |
9fb9cbb1 | 402 | } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { |
a9993591 SY |
403 | /* (C) vtag MUST match own vtag if T flag is unset OR |
404 | * MUST match peer's vtag if T flag is set | |
405 | */ | |
406 | if ((!(sch->flags & SCTP_CHUNK_FLAG_T) && | |
407 | sh->vtag != ct->proto.sctp.vtag[dir]) || | |
408 | ((sch->flags & SCTP_CHUNK_FLAG_T) && | |
409 | sh->vtag != ct->proto.sctp.vtag[!dir])) | |
b37e933a | 410 | goto out_unlock; |
9fb9cbb1 | 411 | } else if (sch->type == SCTP_CID_COOKIE_ECHO) { |
a9993591 | 412 | /* (D) vtag must be same as init_vtag as found in INIT_ACK */ |
b37e933a PM |
413 | if (sh->vtag != ct->proto.sctp.vtag[dir]) |
414 | goto out_unlock; | |
cc5453a5 FW |
415 | } else if (sch->type == SCTP_CID_HEARTBEAT) { |
416 | if (ct->proto.sctp.vtag[dir] == 0) { | |
417 | pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir); | |
418 | ct->proto.sctp.vtag[dir] = sh->vtag; | |
419 | } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { | |
420 | if (test_bit(SCTP_CID_DATA, map) || ignore) | |
421 | goto out_unlock; | |
422 | ||
423 | ct->proto.sctp.flags |= SCTP_FLAG_HEARTBEAT_VTAG_FAILED; | |
424 | ct->proto.sctp.last_dir = dir; | |
425 | ignore = true; | |
426 | continue; | |
427 | } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { | |
428 | ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; | |
429 | } | |
430 | } else if (sch->type == SCTP_CID_HEARTBEAT_ACK) { | |
d7ee3519 MK |
431 | if (ct->proto.sctp.vtag[dir] == 0) { |
432 | pr_debug("Setting vtag %x for dir %d\n", | |
433 | sh->vtag, dir); | |
434 | ct->proto.sctp.vtag[dir] = sh->vtag; | |
435 | } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { | |
cc5453a5 FW |
436 | if (test_bit(SCTP_CID_DATA, map) || ignore) |
437 | goto out_unlock; | |
438 | ||
439 | if ((ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) == 0 || | |
440 | ct->proto.sctp.last_dir == dir) | |
441 | goto out_unlock; | |
442 | ||
443 | ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; | |
444 | ct->proto.sctp.vtag[dir] = sh->vtag; | |
445 | ct->proto.sctp.vtag[!dir] = 0; | |
446 | } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { | |
447 | ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; | |
d7ee3519 | 448 | } |
9fb9cbb1 YK |
449 | } |
450 | ||
efe9f68a PM |
451 | old_state = ct->proto.sctp.state; |
452 | new_state = sctp_new_state(dir, old_state, sch->type); | |
9fb9cbb1 YK |
453 | |
454 | /* Invalid */ | |
efe9f68a | 455 | if (new_state == SCTP_CONNTRACK_MAX) { |
f71cb8f4 FW |
456 | nf_ct_l4proto_log_invalid(skb, ct, state, |
457 | "Invalid, old_state %d, dir %d, type %d", | |
458 | old_state, dir, sch->type); | |
459 | ||
b37e933a | 460 | goto out_unlock; |
9fb9cbb1 YK |
461 | } |
462 | ||
463 | /* If it is an INIT or an INIT ACK note down the vtag */ | |
5447d477 PM |
464 | if (sch->type == SCTP_CID_INIT || |
465 | sch->type == SCTP_CID_INIT_ACK) { | |
4ae70c08 | 466 | struct sctp_inithdr _inithdr, *ih; |
9fb9cbb1 | 467 | |
922dbc5b | 468 | ih = skb_header_pointer(skb, offset + sizeof(_sch), |
601e68e1 | 469 | sizeof(_inithdr), &_inithdr); |
b37e933a PM |
470 | if (ih == NULL) |
471 | goto out_unlock; | |
0d53778e | 472 | pr_debug("Setting vtag %x for dir %d\n", |
8528819a PM |
473 | ih->init_tag, !dir); |
474 | ct->proto.sctp.vtag[!dir] = ih->init_tag; | |
77b33719 FW |
475 | |
476 | /* don't renew timeout on init retransmit so | |
477 | * port reuse by client or NAT middlebox cannot | |
478 | * keep entry alive indefinitely (incl. nat info). | |
479 | */ | |
480 | if (new_state == SCTP_CONNTRACK_CLOSED && | |
481 | old_state == SCTP_CONNTRACK_CLOSED && | |
482 | nf_ct_is_confirmed(ct)) | |
483 | ignore = true; | |
9fb9cbb1 YK |
484 | } |
485 | ||
efe9f68a | 486 | ct->proto.sctp.state = new_state; |
a44b7651 | 487 | if (old_state != new_state) { |
a71996fc | 488 | nf_conntrack_event_cache(IPCT_PROTOINFO, ct); |
a44b7651 SY |
489 | if (new_state == SCTP_CONNTRACK_ESTABLISHED && |
490 | !test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) | |
491 | nf_conntrack_event_cache(IPCT_ASSURED, ct); | |
492 | } | |
9fb9cbb1 | 493 | } |
440f0d58 | 494 | spin_unlock_bh(&ct->lock); |
9fb9cbb1 | 495 | |
cc5453a5 FW |
496 | /* allow but do not refresh timeout */ |
497 | if (ignore) | |
498 | return NF_ACCEPT; | |
499 | ||
c779e849 FW |
500 | timeouts = nf_ct_timeout_lookup(ct); |
501 | if (!timeouts) | |
a95a7774 | 502 | timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts; |
c779e849 | 503 | |
2c8503f5 | 504 | nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]); |
9fb9cbb1 | 505 | |
9fb9cbb1 | 506 | return NF_ACCEPT; |
b37e933a PM |
507 | |
508 | out_unlock: | |
440f0d58 | 509 | spin_unlock_bh(&ct->lock); |
b37e933a PM |
510 | out: |
511 | return -NF_ACCEPT; | |
9fb9cbb1 YK |
512 | } |
513 | ||
c6dd940b FW |
514 | static bool sctp_can_early_drop(const struct nf_conn *ct) |
515 | { | |
516 | switch (ct->proto.sctp.state) { | |
517 | case SCTP_CONNTRACK_SHUTDOWN_SENT: | |
518 | case SCTP_CONNTRACK_SHUTDOWN_RECD: | |
519 | case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT: | |
520 | return true; | |
521 | default: | |
522 | break; | |
523 | } | |
524 | ||
525 | return false; | |
526 | } | |
527 | ||
c0cd1156 | 528 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK) |
a258860e PNA |
529 | |
530 | #include <linux/netfilter/nfnetlink.h> | |
531 | #include <linux/netfilter/nfnetlink_conntrack.h> | |
532 | ||
533 | static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, | |
86d21fc7 | 534 | struct nf_conn *ct, bool destroy) |
a258860e PNA |
535 | { |
536 | struct nlattr *nest_parms; | |
537 | ||
440f0d58 | 538 | spin_lock_bh(&ct->lock); |
ae0be8de | 539 | nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP); |
a258860e PNA |
540 | if (!nest_parms) |
541 | goto nla_put_failure; | |
542 | ||
86d21fc7 FW |
543 | if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state)) |
544 | goto nla_put_failure; | |
545 | ||
546 | if (destroy) | |
547 | goto skip_state; | |
548 | ||
549 | if (nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL, | |
5e8d1eb5 DM |
550 | ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) || |
551 | nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY, | |
552 | ct->proto.sctp.vtag[IP_CT_DIR_REPLY])) | |
553 | goto nla_put_failure; | |
a258860e | 554 | |
86d21fc7 | 555 | skip_state: |
440f0d58 | 556 | spin_unlock_bh(&ct->lock); |
a258860e PNA |
557 | nla_nest_end(skb, nest_parms); |
558 | ||
559 | return 0; | |
560 | ||
561 | nla_put_failure: | |
440f0d58 | 562 | spin_unlock_bh(&ct->lock); |
a258860e PNA |
563 | return -1; |
564 | } | |
565 | ||
566 | static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = { | |
567 | [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 }, | |
568 | [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 }, | |
569 | [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 }, | |
570 | }; | |
571 | ||
39215846 FW |
572 | #define SCTP_NLATTR_SIZE ( \ |
573 | NLA_ALIGN(NLA_HDRLEN + 1) + \ | |
574 | NLA_ALIGN(NLA_HDRLEN + 4) + \ | |
575 | NLA_ALIGN(NLA_HDRLEN + 4)) | |
576 | ||
a258860e PNA |
577 | static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct) |
578 | { | |
579 | struct nlattr *attr = cda[CTA_PROTOINFO_SCTP]; | |
580 | struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1]; | |
581 | int err; | |
582 | ||
583 | /* updates may not contain the internal protocol info, skip parsing */ | |
584 | if (!attr) | |
585 | return 0; | |
586 | ||
8cb08174 JB |
587 | err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr, |
588 | sctp_nla_policy, NULL); | |
a258860e PNA |
589 | if (err < 0) |
590 | return err; | |
591 | ||
592 | if (!tb[CTA_PROTOINFO_SCTP_STATE] || | |
593 | !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] || | |
594 | !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]) | |
595 | return -EINVAL; | |
596 | ||
440f0d58 | 597 | spin_lock_bh(&ct->lock); |
a258860e PNA |
598 | ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]); |
599 | ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = | |
5547cd0a | 600 | nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]); |
a258860e | 601 | ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = |
5547cd0a | 602 | nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]); |
440f0d58 | 603 | spin_unlock_bh(&ct->lock); |
a258860e PNA |
604 | |
605 | return 0; | |
606 | } | |
607 | #endif | |
608 | ||
a874752a | 609 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
50978462 PNA |
610 | |
611 | #include <linux/netfilter/nfnetlink.h> | |
612 | #include <linux/netfilter/nfnetlink_cttimeout.h> | |
613 | ||
8264deb8 G |
614 | static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], |
615 | struct net *net, void *data) | |
50978462 PNA |
616 | { |
617 | unsigned int *timeouts = data; | |
a95a7774 | 618 | struct nf_sctp_net *sn = nf_sctp_pernet(net); |
50978462 PNA |
619 | int i; |
620 | ||
1d9a7acd FW |
621 | if (!timeouts) |
622 | timeouts = sn->timeouts; | |
623 | ||
50978462 PNA |
624 | /* set default SCTP timeouts. */ |
625 | for (i=0; i<SCTP_CONNTRACK_MAX; i++) | |
8264deb8 | 626 | timeouts[i] = sn->timeouts[i]; |
50978462 PNA |
627 | |
628 | /* there's a 1:1 mapping between attributes and protocol states. */ | |
629 | for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { | |
630 | if (tb[i]) { | |
631 | timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ; | |
632 | } | |
633 | } | |
ef39078d FW |
634 | |
635 | timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED]; | |
50978462 PNA |
636 | return 0; |
637 | } | |
638 | ||
639 | static int | |
640 | sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data) | |
641 | { | |
642 | const unsigned int *timeouts = data; | |
643 | int i; | |
644 | ||
5e8d1eb5 DM |
645 | for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { |
646 | if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ))) | |
647 | goto nla_put_failure; | |
648 | } | |
50978462 PNA |
649 | return 0; |
650 | ||
651 | nla_put_failure: | |
652 | return -ENOSPC; | |
653 | } | |
654 | ||
655 | static const struct nla_policy | |
656 | sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = { | |
657 | [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 }, | |
658 | [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 }, | |
659 | [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 }, | |
660 | [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 }, | |
661 | [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 }, | |
662 | [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 }, | |
663 | [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 }, | |
d7ee3519 MK |
664 | [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 }, |
665 | [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 }, | |
50978462 | 666 | }; |
a874752a | 667 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
50978462 | 668 | |
2a389de8 | 669 | void nf_conntrack_sctp_init_net(struct net *net) |
49d485a3 | 670 | { |
a95a7774 | 671 | struct nf_sctp_net *sn = nf_sctp_pernet(net); |
2a389de8 | 672 | int i; |
49d485a3 | 673 | |
2a389de8 FW |
674 | for (i = 0; i < SCTP_CONNTRACK_MAX; i++) |
675 | sn->timeouts[i] = sctp_timeouts[i]; | |
49d485a3 | 676 | |
2a389de8 FW |
677 | /* timeouts[0] is unused, init it so ->timeouts[0] contains |
678 | * 'new' timeout, like udp or icmp. | |
679 | */ | |
680 | sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED]; | |
deaa0a97 LZ |
681 | } |
682 | ||
dd2934a9 | 683 | const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = { |
933a41e7 | 684 | .l4proto = IPPROTO_SCTP, |
ea48cc83 | 685 | #ifdef CONFIG_NF_CONNTRACK_PROCFS |
933a41e7 | 686 | .print_conntrack = sctp_print_conntrack, |
ea48cc83 | 687 | #endif |
c6dd940b | 688 | .can_early_drop = sctp_can_early_drop, |
c0cd1156 | 689 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK) |
39215846 | 690 | .nlattr_size = SCTP_NLATTR_SIZE, |
a258860e PNA |
691 | .to_nlattr = sctp_to_nlattr, |
692 | .from_nlattr = nlattr_to_sctp, | |
c7212e9d | 693 | .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, |
a400c30e | 694 | .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, |
c7212e9d PNA |
695 | .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, |
696 | .nla_policy = nf_ct_port_nla_policy, | |
697 | #endif | |
a874752a | 698 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
50978462 PNA |
699 | .ctnl_timeout = { |
700 | .nlattr_to_obj = sctp_timeout_nlattr_to_obj, | |
701 | .obj_to_nlattr = sctp_timeout_obj_to_nlattr, | |
702 | .nlattr_max = CTA_TIMEOUT_SCTP_MAX, | |
703 | .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX, | |
704 | .nla_policy = sctp_timeout_nla_policy, | |
705 | }, | |
a874752a | 706 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
9fb9cbb1 | 707 | }; |