projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netfilter: nat: remove nf_nat_l4proto struct
[linux-2.6-block.git] / net / netfilter / nf_conntrack_proto_sctp.c
CommitLineData
9fb9cbb1
YK		 1/*
2 * Connection tracking protocol helper module for SCTP.
601e68e1 3 *
f229f6ce
PM		 4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
6 *
601e68e1 7 * SCTP is defined in RFC 2960. References to various sections in this code
9fb9cbb1 8 * are to this RFC.
601e68e1 9 *
9fb9cbb1
YK		 10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
9fb9cbb1
YK		 13 */
14
15#include <linux/types.h>
9fb9cbb1
YK		 16#include <linux/timer.h>
17#include <linux/netfilter.h>
9fb9cbb1
YK		 18#include <linux/in.h>
19#include <linux/ip.h>
20#include <linux/sctp.h>
21#include <linux/string.h>
22#include <linux/seq_file.h>
40a839fd
YK		 23#include <linux/spinlock.h>
24#include <linux/interrupt.h>
cf6e007e 25#include <net/sctp/checksum.h>
9fb9cbb1 26
cf6e007e 27#include <net/netfilter/nf_log.h>
9fb9cbb1 28#include <net/netfilter/nf_conntrack.h>
605dcad6 29#include <net/netfilter/nf_conntrack_l4proto.h>
f6180121 30#include <net/netfilter/nf_conntrack_ecache.h>
c779e849 31#include <net/netfilter/nf_conntrack_timeout.h>
9fb9cbb1 32
9fb9cbb1 33/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
601e68e1 34 closely. They're more complex. --RR
9fb9cbb1
YK		 35
36 And so for me for SCTP :D -Kiran */
37
12c33aa2 38static const char *const sctp_conntrack_names[] = {
9fb9cbb1
YK		 39 "NONE",
40 "CLOSED",
41 "COOKIE_WAIT",
42 "COOKIE_ECHOED",
43 "ESTABLISHED",
44 "SHUTDOWN_SENT",
45 "SHUTDOWN_RECD",
46 "SHUTDOWN_ACK_SENT",
d7ee3519
MK		 47 "HEARTBEAT_SENT",
48 "HEARTBEAT_ACKED",
9fb9cbb1
YK		 49};
50
51#define SECS * HZ
52#define MINS * 60 SECS
53#define HOURS * 60 MINS
54#define DAYS * 24 HOURS
55
2c9e8637 56static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = {
86c0bf40
PM		 57 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
58 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
59 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
60 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
61 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
62 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
63 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
d7ee3519
MK		 64 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
65 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
86c0bf40 66};
9fb9cbb1
YK		 67
68#define sNO SCTP_CONNTRACK_NONE
69#define sCL SCTP_CONNTRACK_CLOSED
70#define sCW SCTP_CONNTRACK_COOKIE_WAIT
71#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
72#define sES SCTP_CONNTRACK_ESTABLISHED
73#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
74#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
75#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
d7ee3519
MK		 76#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
77#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
9fb9cbb1
YK		 78#define sIV SCTP_CONNTRACK_MAX
79
601e68e1 80/*
9fb9cbb1
YK		 81 These are the descriptions of the states:
82
601e68e1 83NOTE: These state names are tantalizingly similar to the states of an
9fb9cbb1 84SCTP endpoint. But the interpretation of the states is a little different,
601e68e1 85considering that these are the states of the connection and not of an end
9fb9cbb1
YK		 86point. Please note the subtleties. -Kiran
87
88NONE - Nothing so far.
601e68e1
YH		 89COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
90 an INIT_ACK chunk in the reply direction.
9fb9cbb1
YK		 91COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
92ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
93SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
94SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
95SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
601e68e1
YH		 96 to that of the SHUTDOWN chunk.
97CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
98 the SHUTDOWN chunk. Connection is closed.
d7ee3519
MK		 99HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
100HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
101 that of the HEARTBEAT chunk. Secondary connection is
102 established.
9fb9cbb1
YK		 103*/
104
105/* TODO
601e68e1 106 - I have assumed that the first INIT is in the original direction.
9fb9cbb1
YK		 107 This messes things when an INIT comes in the reply direction in CLOSED
108 state.
601e68e1 109 - Check the error type in the reply dir before transitioning from
9fb9cbb1
YK		 110cookie echoed to closed.
111 - Sec 5.2.4 of RFC 2960
d7ee3519 112 - Full Multi Homing support.
9fb9cbb1
YK		 113*/
114
115/* SCTP conntrack state transitions */
d7ee3519 116static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
9fb9cbb1
YK		 117 {
118/* ORIGINAL */
d7ee3519
MK		 119/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
120/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
121/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
122/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
123/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
124/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
125/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
126/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
127/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
128/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
129/* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
130/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
9fb9cbb1
YK		 131 },
132 {
133/* REPLY */
d7ee3519
MK		 134/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
135/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
136/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
137/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
138/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
139/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
140/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
141/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
142/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
143/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
144/* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
145/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
9fb9cbb1
YK		 146 }
147};
148
ea48cc83 149#ifdef CONFIG_NF_CONNTRACK_PROCFS
9fb9cbb1 150/* Print out the private part of the conntrack. */
37246a58 151static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
9fb9cbb1 152{
a163f2cb 153 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
9fb9cbb1 154}
ea48cc83 155#endif
9fb9cbb1
YK		 156
157#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
ae146d9b 158for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \
e79ec50b
JE		 159 (offset) < (skb)->len && \
160 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
161 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
9fb9cbb1
YK		 162
163/* Some validity checks to make sure the chunks are fine */
112f35c9 164static int do_basic_checks(struct nf_conn *ct,
9fb9cbb1
YK		 165 const struct sk_buff *skb,
166 unsigned int dataoff,
35c6d3cb 167 unsigned long *map)
9fb9cbb1
YK		 168{
169 u_int32_t offset, count;
922dbc5b 170 struct sctp_chunkhdr _sch, *sch;
9fb9cbb1
YK		 171 int flag;
172
9fb9cbb1
YK		 173 flag = 0;
174
175 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
0d53778e 176 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
9fb9cbb1 177
5447d477
PM		 178 if (sch->type == SCTP_CID_INIT ||
179 sch->type == SCTP_CID_INIT_ACK ||
180 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
9fb9cbb1 181 flag = 1;
9fb9cbb1 182
e17df688
PM		 183 /*
184 * Cookie Ack/Echo chunks not the first OR
185 * Init / Init Ack / Shutdown compl chunks not the only chunks
186 * OR zero-length.
187 */
5447d477
PM		 188 if (((sch->type == SCTP_CID_COOKIE_ACK ||
189 sch->type == SCTP_CID_COOKIE_ECHO ||
190 flag) &&
191 count != 0) || !sch->length) {
0d53778e 192 pr_debug("Basic checks failed\n");
9fb9cbb1
YK		 193 return 1;
194 }
195
5447d477 196 if (map)
35c6d3cb 197 set_bit(sch->type, map);
9fb9cbb1
YK		 198 }
199
0d53778e 200 pr_debug("Basic checks passed\n");
dd7271fe 201 return count == 0;
9fb9cbb1
YK		 202}
203
efe9f68a
PM		 204static int sctp_new_state(enum ip_conntrack_dir dir,
205 enum sctp_conntrack cur_state,
206 int chunk_type)
9fb9cbb1
YK		 207{
208 int i;
209
0d53778e 210 pr_debug("Chunk type: %d\n", chunk_type);
9fb9cbb1
YK		 211
212 switch (chunk_type) {
5447d477
PM		 213 case SCTP_CID_INIT:
214 pr_debug("SCTP_CID_INIT\n");
215 i = 0;
216 break;
217 case SCTP_CID_INIT_ACK:
218 pr_debug("SCTP_CID_INIT_ACK\n");
219 i = 1;
220 break;
221 case SCTP_CID_ABORT:
222 pr_debug("SCTP_CID_ABORT\n");
223 i = 2;
224 break;
225 case SCTP_CID_SHUTDOWN:
226 pr_debug("SCTP_CID_SHUTDOWN\n");
227 i = 3;
228 break;
229 case SCTP_CID_SHUTDOWN_ACK:
230 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
231 i = 4;
232 break;
233 case SCTP_CID_ERROR:
234 pr_debug("SCTP_CID_ERROR\n");
235 i = 5;
236 break;
237 case SCTP_CID_COOKIE_ECHO:
238 pr_debug("SCTP_CID_COOKIE_ECHO\n");
239 i = 6;
240 break;
241 case SCTP_CID_COOKIE_ACK:
242 pr_debug("SCTP_CID_COOKIE_ACK\n");
243 i = 7;
244 break;
245 case SCTP_CID_SHUTDOWN_COMPLETE:
246 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
247 i = 8;
248 break;
d7ee3519
MK		 249 case SCTP_CID_HEARTBEAT:
250 pr_debug("SCTP_CID_HEARTBEAT");
251 i = 9;
252 break;
253 case SCTP_CID_HEARTBEAT_ACK:
254 pr_debug("SCTP_CID_HEARTBEAT_ACK");
255 i = 10;
256 break;
5447d477 257 default:
d7ee3519 258 /* Other chunks like DATA or SACK do not change the state */
5447d477
PM		 259 pr_debug("Unknown chunk type, Will stay in %s\n",
260 sctp_conntrack_names[cur_state]);
261 return cur_state;
9fb9cbb1
YK		 262 }
263
0d53778e
PM		 264 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
265 dir, sctp_conntrack_names[cur_state], chunk_type,
266 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
9fb9cbb1
YK		 267
268 return sctp_conntracks[dir][i][cur_state];
269}
270
9976fc6e
FW		 271/* Don't need lock here: this conntrack not in circulation yet */
272static noinline bool
273sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
274 const struct sctphdr *sh, unsigned int dataoff)
275{
276 enum sctp_conntrack new_state;
277 const struct sctp_chunkhdr *sch;
278 struct sctp_chunkhdr _sch;
279 u32 offset, count;
280
281 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
282 new_state = SCTP_CONNTRACK_MAX;
283 for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) {
284 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
285 SCTP_CONNTRACK_NONE, sch->type);
286
287 /* Invalid: delete conntrack */
288 if (new_state == SCTP_CONNTRACK_NONE ||
289 new_state == SCTP_CONNTRACK_MAX) {
290 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
291 return false;
292 }
293
294 /* Copy the vtag into the state info */
295 if (sch->type == SCTP_CID_INIT) {
296 struct sctp_inithdr _inithdr, *ih;
297 /* Sec 8.5.1 (A) */
298 if (sh->vtag)
299 return false;
300
301 ih = skb_header_pointer(skb, offset + sizeof(_sch),
302 sizeof(_inithdr), &_inithdr);
303 if (!ih)
304 return false;
305
306 pr_debug("Setting vtag %x for new conn\n",
307 ih->init_tag);
308
309 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
310 } else if (sch->type == SCTP_CID_HEARTBEAT) {
311 pr_debug("Setting vtag %x for secondary conntrack\n",
312 sh->vtag);
313 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
314 } else {
315 /* If it is a shutdown ack OOTB packet, we expect a return
316 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
317 pr_debug("Setting vtag %x for new conn OOTB\n",
318 sh->vtag);
319 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
320 }
321
322 ct->proto.sctp.state = new_state;
323 }
324
325 return true;
326}
327
0150ffba
FW		 328static bool sctp_error(struct sk_buff *skb,
329 unsigned int dataoff,
330 const struct nf_hook_state *state)
331{
332 const struct sctphdr *sh;
333 const char *logmsg;
334
335 if (skb->len < dataoff + sizeof(struct sctphdr)) {
336 logmsg = "nf_ct_sctp: short packet ";
337 goto out_invalid;
338 }
339 if (state->hook == NF_INET_PRE_ROUTING &&
340 state->net->ct.sysctl_checksum &&
341 skb->ip_summed == CHECKSUM_NONE) {
342 if (!skb_make_writable(skb, dataoff + sizeof(struct sctphdr))) {
343 logmsg = "nf_ct_sctp: failed to read header ";
344 goto out_invalid;
345 }
346 sh = (const struct sctphdr *)(skb->data + dataoff);
347 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
348 logmsg = "nf_ct_sctp: bad CRC ";
349 goto out_invalid;
350 }
351 skb->ip_summed = CHECKSUM_UNNECESSARY;
352 }
353 return false;
354out_invalid:
355 nf_l4proto_log_invalid(skb, state->net, state->pf, IPPROTO_SCTP, "%s", logmsg);
356 return true;
357}
358
b37e933a 359/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
112f35c9 360static int sctp_packet(struct nf_conn *ct,
83d213fd 361 struct sk_buff *skb,
9fb9cbb1 362 unsigned int dataoff,
93e66024
FW		 363 enum ip_conntrack_info ctinfo,
364 const struct nf_hook_state *state)
9fb9cbb1 365{
efe9f68a 366 enum sctp_conntrack new_state, old_state;
8528819a 367 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
12c33aa2
JE		 368 const struct sctphdr *sh;
369 struct sctphdr _sctph;
370 const struct sctp_chunkhdr *sch;
371 struct sctp_chunkhdr _sch;
9fb9cbb1 372 u_int32_t offset, count;
c779e849 373 unsigned int *timeouts;
35c6d3cb 374 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 375
0150ffba
FW		 376 if (sctp_error(skb, dataoff, state))
377 return -NF_ACCEPT;
378
9fb9cbb1
YK		 379 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
380 if (sh == NULL)
b37e933a 381 goto out;
9fb9cbb1 382
112f35c9 383 if (do_basic_checks(ct, skb, dataoff, map) != 0)
b37e933a 384 goto out;
9fb9cbb1 385
9976fc6e
FW		 386 if (!nf_ct_is_confirmed(ct)) {
387 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
388 if (test_bit(SCTP_CID_ABORT, map) ||
389 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
390 test_bit(SCTP_CID_COOKIE_ACK, map))
391 return -NF_ACCEPT;
392
393 if (!sctp_new(ct, skb, sh, dataoff))
394 return -NF_ACCEPT;
395 }
396
9fb9cbb1 397 /* Check the verification tag (Sec 8.5) */
35c6d3cb
PM		 398 if (!test_bit(SCTP_CID_INIT, map) &&
399 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
400 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
401 !test_bit(SCTP_CID_ABORT, map) &&
402 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
d7ee3519
MK		 403 !test_bit(SCTP_CID_HEARTBEAT, map) &&
404 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
8528819a 405 sh->vtag != ct->proto.sctp.vtag[dir]) {
0d53778e 406 pr_debug("Verification tag check failed\n");
b37e933a 407 goto out;
9fb9cbb1
YK		 408 }
409
328bd899 410 old_state = new_state = SCTP_CONNTRACK_NONE;
440f0d58 411 spin_lock_bh(&ct->lock);
9fb9cbb1 412 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
9fb9cbb1
YK		 413 /* Special cases of Verification tag check (Sec 8.5.1) */
414 if (sch->type == SCTP_CID_INIT) {
415 /* Sec 8.5.1 (A) */
b37e933a
PM		 416 if (sh->vtag != 0)
417 goto out_unlock;
9fb9cbb1
YK		 418 } else if (sch->type == SCTP_CID_ABORT) {
419 /* Sec 8.5.1 (B) */
8528819a 420 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
b37e933a
PM		 421 sh->vtag != ct->proto.sctp.vtag[!dir])
422 goto out_unlock;
9fb9cbb1
YK		 423 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
424 /* Sec 8.5.1 (C) */
8528819a
PM		 425 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
426 sh->vtag != ct->proto.sctp.vtag[!dir] &&
9b1c2cfd 427 sch->flags & SCTP_CHUNK_FLAG_T)
b37e933a 428 goto out_unlock;
9fb9cbb1
YK		 429 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
430 /* Sec 8.5.1 (D) */
b37e933a
PM		 431 if (sh->vtag != ct->proto.sctp.vtag[dir])
432 goto out_unlock;
d7ee3519
MK		 433 } else if (sch->type == SCTP_CID_HEARTBEAT ||
434 sch->type == SCTP_CID_HEARTBEAT_ACK) {
435 if (ct->proto.sctp.vtag[dir] == 0) {
436 pr_debug("Setting vtag %x for dir %d\n",
437 sh->vtag, dir);
438 ct->proto.sctp.vtag[dir] = sh->vtag;
439 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
440 pr_debug("Verification tag check failed\n");
441 goto out_unlock;
442 }
9fb9cbb1
YK		 443 }
444
efe9f68a
PM		 445 old_state = ct->proto.sctp.state;
446 new_state = sctp_new_state(dir, old_state, sch->type);
9fb9cbb1
YK		 447
448 /* Invalid */
efe9f68a 449 if (new_state == SCTP_CONNTRACK_MAX) {
0d53778e
PM		 450 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
451 "conntrack=%u\n",
efe9f68a 452 dir, sch->type, old_state);
b37e933a 453 goto out_unlock;
9fb9cbb1
YK		 454 }
455
456 /* If it is an INIT or an INIT ACK note down the vtag */
5447d477
PM		 457 if (sch->type == SCTP_CID_INIT ||
458 sch->type == SCTP_CID_INIT_ACK) {
4ae70c08 459 struct sctp_inithdr _inithdr, *ih;
9fb9cbb1 460
922dbc5b 461 ih = skb_header_pointer(skb, offset + sizeof(_sch),
601e68e1 462 sizeof(_inithdr), &_inithdr);
b37e933a
PM		 463 if (ih == NULL)
464 goto out_unlock;
0d53778e 465 pr_debug("Setting vtag %x for dir %d\n",
8528819a
PM		 466 ih->init_tag, !dir);
467 ct->proto.sctp.vtag[!dir] = ih->init_tag;
9fb9cbb1
YK		 468 }
469
efe9f68a
PM		 470 ct->proto.sctp.state = new_state;
471 if (old_state != new_state)
a71996fc 472 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
9fb9cbb1 473 }
440f0d58 474 spin_unlock_bh(&ct->lock);
9fb9cbb1 475
c779e849
FW		 476 timeouts = nf_ct_timeout_lookup(ct);
477 if (!timeouts)
a95a7774 478 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts;
c779e849 479
2c8503f5 480 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
9fb9cbb1 481
efe9f68a 482 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
8528819a 483 dir == IP_CT_DIR_REPLY &&
efe9f68a 484 new_state == SCTP_CONNTRACK_ESTABLISHED) {
0d53778e 485 pr_debug("Setting assured bit\n");
112f35c9 486 set_bit(IPS_ASSURED_BIT, &ct->status);
858b3133 487 nf_conntrack_event_cache(IPCT_ASSURED, ct);
9fb9cbb1
YK		 488 }
489
490 return NF_ACCEPT;
b37e933a
PM		 491
492out_unlock:
440f0d58 493 spin_unlock_bh(&ct->lock);
b37e933a
PM		 494out:
495 return -NF_ACCEPT;
9fb9cbb1
YK		 496}
497
c6dd940b
FW		 498static bool sctp_can_early_drop(const struct nf_conn *ct)
499{
500 switch (ct->proto.sctp.state) {
501 case SCTP_CONNTRACK_SHUTDOWN_SENT:
502 case SCTP_CONNTRACK_SHUTDOWN_RECD:
503 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
504 return true;
505 default:
506 break;
507 }
508
509 return false;
510}
511
c0cd1156 512#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e
PNA		 513
514#include <linux/netfilter/nfnetlink.h>
515#include <linux/netfilter/nfnetlink_conntrack.h>
516
517static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
440f0d58 518 struct nf_conn *ct)
a258860e
PNA		 519{
520 struct nlattr *nest_parms;
521
440f0d58 522 spin_lock_bh(&ct->lock);
a258860e
PNA		 523 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
524 if (!nest_parms)
525 goto nla_put_failure;
526
5e8d1eb5
DM		 527 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
528 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
529 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
530 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
531 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
532 goto nla_put_failure;
a258860e 533
440f0d58 534 spin_unlock_bh(&ct->lock);
a258860e
PNA		 535
536 nla_nest_end(skb, nest_parms);
537
538 return 0;
539
540nla_put_failure:
440f0d58 541 spin_unlock_bh(&ct->lock);
a258860e
PNA		 542 return -1;
543}
544
545static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
546 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
547 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
548 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
549};
550
39215846
FW		 551#define SCTP_NLATTR_SIZE ( \
552 NLA_ALIGN(NLA_HDRLEN + 1) + \
553 NLA_ALIGN(NLA_HDRLEN + 4) + \
554 NLA_ALIGN(NLA_HDRLEN + 4))
555
a258860e
PNA		 556static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
557{
558 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
559 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
560 int err;
561
562 /* updates may not contain the internal protocol info, skip parsing */
563 if (!attr)
564 return 0;
565
fceb6435
JB		 566 err = nla_parse_nested(tb, CTA_PROTOINFO_SCTP_MAX, attr,
567 sctp_nla_policy, NULL);
a258860e
PNA		 568 if (err < 0)
569 return err;
570
571 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
572 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
573 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
574 return -EINVAL;
575
440f0d58 576 spin_lock_bh(&ct->lock);
a258860e
PNA		 577 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
578 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
5547cd0a 579 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
a258860e 580 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
5547cd0a 581 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
440f0d58 582 spin_unlock_bh(&ct->lock);
a258860e
PNA		 583
584 return 0;
585}
586#endif
587
a874752a 588#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
50978462
PNA		 589
590#include <linux/netfilter/nfnetlink.h>
591#include <linux/netfilter/nfnetlink_cttimeout.h>
592
8264deb8
G		 593static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
594 struct net *net, void *data)
50978462
PNA		 595{
596 unsigned int *timeouts = data;
a95a7774 597 struct nf_sctp_net *sn = nf_sctp_pernet(net);
50978462
PNA		 598 int i;
599
600 /* set default SCTP timeouts. */
601 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
8264deb8 602 timeouts[i] = sn->timeouts[i];
50978462
PNA		 603
604 /* there's a 1:1 mapping between attributes and protocol states. */
605 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
606 if (tb[i]) {
607 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
608 }
609 }
ef39078d
FW		 610
611 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED];
50978462
PNA		 612 return 0;
613}
614
615static int
616sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
617{
618 const unsigned int *timeouts = data;
619 int i;
620
5e8d1eb5
DM		 621 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
622 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
623 goto nla_put_failure;
624 }
50978462
PNA		 625 return 0;
626
627nla_put_failure:
628 return -ENOSPC;
629}
630
631static const struct nla_policy
632sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
633 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
634 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
635 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
636 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
637 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
638 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
639 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
d7ee3519
MK		 640 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
641 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
50978462 642};
a874752a 643#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
50978462
PNA		 644
645
9fb9cbb1 646#ifdef CONFIG_SYSCTL
933a41e7 647static struct ctl_table sctp_sysctl_table[] = {
9fb9cbb1 648 {
9fb9cbb1 649 .procname = "nf_conntrack_sctp_timeout_closed",
9fb9cbb1
YK		 650 .maxlen = sizeof(unsigned int),
651 .mode = 0644,
6d9f239a 652 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 653 },
654 {
9fb9cbb1 655 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
9fb9cbb1
YK		 656 .maxlen = sizeof(unsigned int),
657 .mode = 0644,
6d9f239a 658 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 659 },
660 {
9fb9cbb1 661 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
9fb9cbb1
YK		 662 .maxlen = sizeof(unsigned int),
663 .mode = 0644,
6d9f239a 664 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 665 },
666 {
9fb9cbb1 667 .procname = "nf_conntrack_sctp_timeout_established",
9fb9cbb1
YK		 668 .maxlen = sizeof(unsigned int),
669 .mode = 0644,
6d9f239a 670 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 671 },
672 {
9fb9cbb1 673 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
9fb9cbb1
YK		 674 .maxlen = sizeof(unsigned int),
675 .mode = 0644,
6d9f239a 676 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 677 },
678 {
9fb9cbb1 679 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
9fb9cbb1
YK		 680 .maxlen = sizeof(unsigned int),
681 .mode = 0644,
6d9f239a 682 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 683 },
684 {
9fb9cbb1 685 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
9fb9cbb1
YK		 686 .maxlen = sizeof(unsigned int),
687 .mode = 0644,
6d9f239a 688 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1 689 },
d7ee3519
MK		 690 {
691 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
692 .maxlen = sizeof(unsigned int),
693 .mode = 0644,
694 .proc_handler = proc_dointvec_jiffies,
695 },
696 {
697 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
698 .maxlen = sizeof(unsigned int),
699 .mode = 0644,
700 .proc_handler = proc_dointvec_jiffies,
701 },
f8572d8f 702 { }
9fb9cbb1 703};
933a41e7 704#endif
9fb9cbb1 705
f42c4183 706static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
a85406af 707 struct nf_sctp_net *sn)
49d485a3
G		 708{
709#ifdef CONFIG_SYSCTL
49d485a3
G		 710 if (pn->ctl_table)
711 return 0;
712
713 pn->ctl_table = kmemdup(sctp_sysctl_table,
714 sizeof(sctp_sysctl_table),
715 GFP_KERNEL);
716 if (!pn->ctl_table)
717 return -ENOMEM;
718
719 pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
720 pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
721 pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
722 pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
723 pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
724 pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
725 pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
d7ee3519
MK		 726 pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
727 pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
49d485a3
G		 728#endif
729 return 0;
730}
731
ca2ca6e1 732static int sctp_init_net(struct net *net)
49d485a3 733{
a95a7774 734 struct nf_sctp_net *sn = nf_sctp_pernet(net);
f42c4183 735 struct nf_proto_net *pn = &sn->pn;
49d485a3 736
f42c4183
G		 737 if (!pn->users) {
738 int i;
49d485a3 739
f42c4183
G		 740 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
741 sn->timeouts[i] = sctp_timeouts[i];
ef39078d
FW		 742
743 /* timeouts[0] is unused, init it so ->timeouts[0] contains
744 * 'new' timeout, like udp or icmp.
745 */
746 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
f42c4183 747 }
49d485a3 748
adf05168 749 return sctp_kmemdup_sysctl_table(pn, sn);
49d485a3
G		 750}
751
deaa0a97
LZ		 752static struct nf_proto_net *sctp_get_net_proto(struct net *net)
753{
754 return &net->ct.nf_ct_proto.sctp.pn;
755}
756
dd2934a9 757const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = {
933a41e7 758 .l4proto = IPPROTO_SCTP,
ea48cc83 759#ifdef CONFIG_NF_CONNTRACK_PROCFS
933a41e7 760 .print_conntrack = sctp_print_conntrack,
ea48cc83 761#endif
933a41e7 762 .packet = sctp_packet,
c6dd940b 763 .can_early_drop = sctp_can_early_drop,
933a41e7 764 .me = THIS_MODULE,
c0cd1156 765#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
39215846 766 .nlattr_size = SCTP_NLATTR_SIZE,
a258860e
PNA		 767 .to_nlattr = sctp_to_nlattr,
768 .from_nlattr = nlattr_to_sctp,
c7212e9d 769 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 770 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 771 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
772 .nla_policy = nf_ct_port_nla_policy,
773#endif
a874752a 774#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
50978462
PNA		 775 .ctnl_timeout = {
776 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
777 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
778 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
779 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
780 .nla_policy = sctp_timeout_nla_policy,
781 },
a874752a 782#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
f42c4183 783 .init_net = sctp_init_net,
deaa0a97 784 .get_net_proto = sctp_get_net_proto,
9fb9cbb1 785};
Linux 6.x block layer and io_uring tree(s)