projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netfilter: nftables: add nft_pernet() helper function
[linux-block.git] / net / netfilter / nf_conntrack_proto_sctp.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
9fb9cbb1
YK		 2/*
3 * Connection tracking protocol helper module for SCTP.
601e68e1 4 *
f229f6ce
PM		 5 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
6 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
7 *
601e68e1 8 * SCTP is defined in RFC 2960. References to various sections in this code
9fb9cbb1 9 * are to this RFC.
9fb9cbb1
YK		 10 */
11
12#include <linux/types.h>
9fb9cbb1
YK		 13#include <linux/timer.h>
14#include <linux/netfilter.h>
9fb9cbb1
YK		 15#include <linux/in.h>
16#include <linux/ip.h>
17#include <linux/sctp.h>
18#include <linux/string.h>
19#include <linux/seq_file.h>
40a839fd
YK		 20#include <linux/spinlock.h>
21#include <linux/interrupt.h>
cf6e007e 22#include <net/sctp/checksum.h>
9fb9cbb1 23
cf6e007e 24#include <net/netfilter/nf_log.h>
9fb9cbb1 25#include <net/netfilter/nf_conntrack.h>
605dcad6 26#include <net/netfilter/nf_conntrack_l4proto.h>
f6180121 27#include <net/netfilter/nf_conntrack_ecache.h>
c779e849 28#include <net/netfilter/nf_conntrack_timeout.h>
9fb9cbb1 29
9fb9cbb1 30/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
601e68e1 31 closely. They're more complex. --RR
9fb9cbb1
YK		 32
33 And so for me for SCTP :D -Kiran */
34
12c33aa2 35static const char *const sctp_conntrack_names[] = {
9fb9cbb1
YK		 36 "NONE",
37 "CLOSED",
38 "COOKIE_WAIT",
39 "COOKIE_ECHOED",
40 "ESTABLISHED",
41 "SHUTDOWN_SENT",
42 "SHUTDOWN_RECD",
43 "SHUTDOWN_ACK_SENT",
d7ee3519
MK		 44 "HEARTBEAT_SENT",
45 "HEARTBEAT_ACKED",
9fb9cbb1
YK		 46};
47
48#define SECS * HZ
49#define MINS * 60 SECS
50#define HOURS * 60 MINS
51#define DAYS * 24 HOURS
52
2c9e8637 53static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = {
86c0bf40
PM		 54 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
55 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
56 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
57 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
58 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
59 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
60 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
d7ee3519
MK		 61 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
62 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
86c0bf40 63};
9fb9cbb1 64
cc5453a5
FW		 65#define SCTP_FLAG_HEARTBEAT_VTAG_FAILED 1
66
9fb9cbb1
YK		 67#define sNO SCTP_CONNTRACK_NONE
68#define sCL SCTP_CONNTRACK_CLOSED
69#define sCW SCTP_CONNTRACK_COOKIE_WAIT
70#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
71#define sES SCTP_CONNTRACK_ESTABLISHED
72#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
73#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
74#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
d7ee3519
MK		 75#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
76#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
9fb9cbb1
YK		 77#define sIV SCTP_CONNTRACK_MAX
78
601e68e1 79/*
9fb9cbb1
YK		 80 These are the descriptions of the states:
81
601e68e1 82NOTE: These state names are tantalizingly similar to the states of an
9fb9cbb1 83SCTP endpoint. But the interpretation of the states is a little different,
601e68e1 84considering that these are the states of the connection and not of an end
9fb9cbb1
YK		 85point. Please note the subtleties. -Kiran
86
87NONE - Nothing so far.
601e68e1
YH		 88COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
89 an INIT_ACK chunk in the reply direction.
9fb9cbb1
YK		 90COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
91ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
92SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
93SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
94SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
601e68e1
YH		 95 to that of the SHUTDOWN chunk.
96CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
97 the SHUTDOWN chunk. Connection is closed.
d7ee3519
MK		 98HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
99HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
100 that of the HEARTBEAT chunk. Secondary connection is
101 established.
9fb9cbb1
YK		 102*/
103
104/* TODO
601e68e1 105 - I have assumed that the first INIT is in the original direction.
9fb9cbb1
YK		 106 This messes things when an INIT comes in the reply direction in CLOSED
107 state.
601e68e1 108 - Check the error type in the reply dir before transitioning from
9fb9cbb1
YK		 109cookie echoed to closed.
110 - Sec 5.2.4 of RFC 2960
d7ee3519 111 - Full Multi Homing support.
9fb9cbb1
YK		 112*/
113
114/* SCTP conntrack state transitions */
d7ee3519 115static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
9fb9cbb1
YK		 116 {
117/* ORIGINAL */
d7ee3519 118/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
ab658b9f 119/* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
d7ee3519
MK		 120/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
121/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
122/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
123/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
124/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
125/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
126/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
127/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
128/* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
129/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
9fb9cbb1
YK		 130 },
131 {
132/* REPLY */
d7ee3519
MK		 133/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
134/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
ab658b9f 135/* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
d7ee3519
MK		 136/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
137/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
138/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
139/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
140/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
141/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
142/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
143/* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
144/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
9fb9cbb1
YK		 145 }
146};
147
ea48cc83 148#ifdef CONFIG_NF_CONNTRACK_PROCFS
9fb9cbb1 149/* Print out the private part of the conntrack. */
37246a58 150static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
9fb9cbb1 151{
a163f2cb 152 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
9fb9cbb1 153}
ea48cc83 154#endif
9fb9cbb1
YK		 155
156#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
ae146d9b 157for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \
e79ec50b
JE		 158 (offset) < (skb)->len && \
159 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
160 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
9fb9cbb1
YK		 161
162/* Some validity checks to make sure the chunks are fine */
112f35c9 163static int do_basic_checks(struct nf_conn *ct,
9fb9cbb1
YK		 164 const struct sk_buff *skb,
165 unsigned int dataoff,
35c6d3cb 166 unsigned long *map)
9fb9cbb1
YK		 167{
168 u_int32_t offset, count;
922dbc5b 169 struct sctp_chunkhdr _sch, *sch;
9fb9cbb1
YK		 170 int flag;
171
9fb9cbb1
YK		 172 flag = 0;
173
174 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
0d53778e 175 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
9fb9cbb1 176
5447d477
PM		 177 if (sch->type == SCTP_CID_INIT ||
178 sch->type == SCTP_CID_INIT_ACK ||
179 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
9fb9cbb1 180 flag = 1;
9fb9cbb1 181
e17df688
PM		 182 /*
183 * Cookie Ack/Echo chunks not the first OR
184 * Init / Init Ack / Shutdown compl chunks not the only chunks
185 * OR zero-length.
186 */
5447d477
PM		 187 if (((sch->type == SCTP_CID_COOKIE_ACK ||
188 sch->type == SCTP_CID_COOKIE_ECHO ||
189 flag) &&
190 count != 0) || !sch->length) {
0d53778e 191 pr_debug("Basic checks failed\n");
9fb9cbb1
YK		 192 return 1;
193 }
194
5447d477 195 if (map)
35c6d3cb 196 set_bit(sch->type, map);
9fb9cbb1
YK		 197 }
198
0d53778e 199 pr_debug("Basic checks passed\n");
dd7271fe 200 return count == 0;
9fb9cbb1
YK		 201}
202
efe9f68a
PM		 203static int sctp_new_state(enum ip_conntrack_dir dir,
204 enum sctp_conntrack cur_state,
205 int chunk_type)
9fb9cbb1
YK		 206{
207 int i;
208
0d53778e 209 pr_debug("Chunk type: %d\n", chunk_type);
9fb9cbb1
YK		 210
211 switch (chunk_type) {
5447d477
PM		 212 case SCTP_CID_INIT:
213 pr_debug("SCTP_CID_INIT\n");
214 i = 0;
215 break;
216 case SCTP_CID_INIT_ACK:
217 pr_debug("SCTP_CID_INIT_ACK\n");
218 i = 1;
219 break;
220 case SCTP_CID_ABORT:
221 pr_debug("SCTP_CID_ABORT\n");
222 i = 2;
223 break;
224 case SCTP_CID_SHUTDOWN:
225 pr_debug("SCTP_CID_SHUTDOWN\n");
226 i = 3;
227 break;
228 case SCTP_CID_SHUTDOWN_ACK:
229 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
230 i = 4;
231 break;
232 case SCTP_CID_ERROR:
233 pr_debug("SCTP_CID_ERROR\n");
234 i = 5;
235 break;
236 case SCTP_CID_COOKIE_ECHO:
237 pr_debug("SCTP_CID_COOKIE_ECHO\n");
238 i = 6;
239 break;
240 case SCTP_CID_COOKIE_ACK:
241 pr_debug("SCTP_CID_COOKIE_ACK\n");
242 i = 7;
243 break;
244 case SCTP_CID_SHUTDOWN_COMPLETE:
245 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
246 i = 8;
247 break;
d7ee3519
MK		 248 case SCTP_CID_HEARTBEAT:
249 pr_debug("SCTP_CID_HEARTBEAT");
250 i = 9;
251 break;
252 case SCTP_CID_HEARTBEAT_ACK:
253 pr_debug("SCTP_CID_HEARTBEAT_ACK");
254 i = 10;
255 break;
5447d477 256 default:
d7ee3519 257 /* Other chunks like DATA or SACK do not change the state */
5447d477
PM		 258 pr_debug("Unknown chunk type, Will stay in %s\n",
259 sctp_conntrack_names[cur_state]);
260 return cur_state;
9fb9cbb1
YK		 261 }
262
0d53778e
PM		 263 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
264 dir, sctp_conntrack_names[cur_state], chunk_type,
265 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
9fb9cbb1
YK		 266
267 return sctp_conntracks[dir][i][cur_state];
268}
269
9976fc6e
FW		 270/* Don't need lock here: this conntrack not in circulation yet */
271static noinline bool
272sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
273 const struct sctphdr *sh, unsigned int dataoff)
274{
275 enum sctp_conntrack new_state;
276 const struct sctp_chunkhdr *sch;
277 struct sctp_chunkhdr _sch;
278 u32 offset, count;
279
280 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
281 new_state = SCTP_CONNTRACK_MAX;
282 for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) {
283 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
284 SCTP_CONNTRACK_NONE, sch->type);
285
286 /* Invalid: delete conntrack */
287 if (new_state == SCTP_CONNTRACK_NONE ||
288 new_state == SCTP_CONNTRACK_MAX) {
289 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
290 return false;
291 }
292
293 /* Copy the vtag into the state info */
294 if (sch->type == SCTP_CID_INIT) {
295 struct sctp_inithdr _inithdr, *ih;
296 /* Sec 8.5.1 (A) */
297 if (sh->vtag)
298 return false;
299
300 ih = skb_header_pointer(skb, offset + sizeof(_sch),
301 sizeof(_inithdr), &_inithdr);
302 if (!ih)
303 return false;
304
305 pr_debug("Setting vtag %x for new conn\n",
306 ih->init_tag);
307
308 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
309 } else if (sch->type == SCTP_CID_HEARTBEAT) {
310 pr_debug("Setting vtag %x for secondary conntrack\n",
311 sh->vtag);
312 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
313 } else {
314 /* If it is a shutdown ack OOTB packet, we expect a return
315 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
316 pr_debug("Setting vtag %x for new conn OOTB\n",
317 sh->vtag);
318 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
319 }
320
ab658b9f 321 ct->proto.sctp.state = SCTP_CONNTRACK_NONE;
9976fc6e
FW		 322 }
323
324 return true;
325}
326
0150ffba
FW		 327static bool sctp_error(struct sk_buff *skb,
328 unsigned int dataoff,
329 const struct nf_hook_state *state)
330{
331 const struct sctphdr *sh;
332 const char *logmsg;
333
334 if (skb->len < dataoff + sizeof(struct sctphdr)) {
335 logmsg = "nf_ct_sctp: short packet ";
336 goto out_invalid;
337 }
338 if (state->hook == NF_INET_PRE_ROUTING &&
339 state->net->ct.sysctl_checksum &&
340 skb->ip_summed == CHECKSUM_NONE) {
86f04538 341 if (skb_ensure_writable(skb, dataoff + sizeof(*sh))) {
0150ffba
FW		 342 logmsg = "nf_ct_sctp: failed to read header ";
343 goto out_invalid;
344 }
345 sh = (const struct sctphdr *)(skb->data + dataoff);
346 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
347 logmsg = "nf_ct_sctp: bad CRC ";
348 goto out_invalid;
349 }
350 skb->ip_summed = CHECKSUM_UNNECESSARY;
351 }
352 return false;
353out_invalid:
354 nf_l4proto_log_invalid(skb, state->net, state->pf, IPPROTO_SCTP, "%s", logmsg);
355 return true;
356}
357
b37e933a 358/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
a47c5404
FW		 359int nf_conntrack_sctp_packet(struct nf_conn *ct,
360 struct sk_buff *skb,
361 unsigned int dataoff,
362 enum ip_conntrack_info ctinfo,
363 const struct nf_hook_state *state)
9fb9cbb1 364{
efe9f68a 365 enum sctp_conntrack new_state, old_state;
8528819a 366 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
12c33aa2
JE		 367 const struct sctphdr *sh;
368 struct sctphdr _sctph;
369 const struct sctp_chunkhdr *sch;
370 struct sctp_chunkhdr _sch;
9fb9cbb1 371 u_int32_t offset, count;
c779e849 372 unsigned int *timeouts;
35c6d3cb 373 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
cc5453a5 374 bool ignore = false;
9fb9cbb1 375
0150ffba
FW		 376 if (sctp_error(skb, dataoff, state))
377 return -NF_ACCEPT;
378
9fb9cbb1
YK		 379 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
380 if (sh == NULL)
b37e933a 381 goto out;
9fb9cbb1 382
112f35c9 383 if (do_basic_checks(ct, skb, dataoff, map) != 0)
b37e933a 384 goto out;
9fb9cbb1 385
9976fc6e
FW		 386 if (!nf_ct_is_confirmed(ct)) {
387 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
388 if (test_bit(SCTP_CID_ABORT, map) ||
389 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
390 test_bit(SCTP_CID_COOKIE_ACK, map))
391 return -NF_ACCEPT;
392
393 if (!sctp_new(ct, skb, sh, dataoff))
394 return -NF_ACCEPT;
395 }
396
9fb9cbb1 397 /* Check the verification tag (Sec 8.5) */
35c6d3cb
PM		 398 if (!test_bit(SCTP_CID_INIT, map) &&
399 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
400 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
401 !test_bit(SCTP_CID_ABORT, map) &&
402 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
d7ee3519
MK		 403 !test_bit(SCTP_CID_HEARTBEAT, map) &&
404 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
8528819a 405 sh->vtag != ct->proto.sctp.vtag[dir]) {
0d53778e 406 pr_debug("Verification tag check failed\n");
b37e933a 407 goto out;
9fb9cbb1
YK		 408 }
409
328bd899 410 old_state = new_state = SCTP_CONNTRACK_NONE;
440f0d58 411 spin_lock_bh(&ct->lock);
9fb9cbb1 412 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
9fb9cbb1
YK		 413 /* Special cases of Verification tag check (Sec 8.5.1) */
414 if (sch->type == SCTP_CID_INIT) {
415 /* Sec 8.5.1 (A) */
b37e933a
PM		 416 if (sh->vtag != 0)
417 goto out_unlock;
9fb9cbb1
YK		 418 } else if (sch->type == SCTP_CID_ABORT) {
419 /* Sec 8.5.1 (B) */
8528819a 420 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
b37e933a
PM		 421 sh->vtag != ct->proto.sctp.vtag[!dir])
422 goto out_unlock;
9fb9cbb1
YK		 423 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
424 /* Sec 8.5.1 (C) */
8528819a
PM		 425 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
426 sh->vtag != ct->proto.sctp.vtag[!dir] &&
9b1c2cfd 427 sch->flags & SCTP_CHUNK_FLAG_T)
b37e933a 428 goto out_unlock;
9fb9cbb1
YK		 429 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
430 /* Sec 8.5.1 (D) */
b37e933a
PM		 431 if (sh->vtag != ct->proto.sctp.vtag[dir])
432 goto out_unlock;
cc5453a5
FW		 433 } else if (sch->type == SCTP_CID_HEARTBEAT) {
434 if (ct->proto.sctp.vtag[dir] == 0) {
435 pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir);
436 ct->proto.sctp.vtag[dir] = sh->vtag;
437 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
438 if (test_bit(SCTP_CID_DATA, map) || ignore)
439 goto out_unlock;
440
441 ct->proto.sctp.flags |= SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
442 ct->proto.sctp.last_dir = dir;
443 ignore = true;
444 continue;
445 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) {
446 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
447 }
448 } else if (sch->type == SCTP_CID_HEARTBEAT_ACK) {
d7ee3519
MK		 449 if (ct->proto.sctp.vtag[dir] == 0) {
450 pr_debug("Setting vtag %x for dir %d\n",
451 sh->vtag, dir);
452 ct->proto.sctp.vtag[dir] = sh->vtag;
453 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
cc5453a5
FW		 454 if (test_bit(SCTP_CID_DATA, map) || ignore)
455 goto out_unlock;
456
457 if ((ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) == 0 ||
458 ct->proto.sctp.last_dir == dir)
459 goto out_unlock;
460
461 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
462 ct->proto.sctp.vtag[dir] = sh->vtag;
463 ct->proto.sctp.vtag[!dir] = 0;
464 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) {
465 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
d7ee3519 466 }
9fb9cbb1
YK		 467 }
468
efe9f68a
PM		 469 old_state = ct->proto.sctp.state;
470 new_state = sctp_new_state(dir, old_state, sch->type);
9fb9cbb1
YK		 471
472 /* Invalid */
efe9f68a 473 if (new_state == SCTP_CONNTRACK_MAX) {
0d53778e
PM		 474 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
475 "conntrack=%u\n",
efe9f68a 476 dir, sch->type, old_state);
b37e933a 477 goto out_unlock;
9fb9cbb1
YK		 478 }
479
480 /* If it is an INIT or an INIT ACK note down the vtag */
5447d477
PM		 481 if (sch->type == SCTP_CID_INIT ||
482 sch->type == SCTP_CID_INIT_ACK) {
4ae70c08 483 struct sctp_inithdr _inithdr, *ih;
9fb9cbb1 484
922dbc5b 485 ih = skb_header_pointer(skb, offset + sizeof(_sch),
601e68e1 486 sizeof(_inithdr), &_inithdr);
b37e933a
PM		 487 if (ih == NULL)
488 goto out_unlock;
0d53778e 489 pr_debug("Setting vtag %x for dir %d\n",
8528819a
PM		 490 ih->init_tag, !dir);
491 ct->proto.sctp.vtag[!dir] = ih->init_tag;
9fb9cbb1
YK		 492 }
493
efe9f68a
PM		 494 ct->proto.sctp.state = new_state;
495 if (old_state != new_state)
a71996fc 496 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
9fb9cbb1 497 }
440f0d58 498 spin_unlock_bh(&ct->lock);
9fb9cbb1 499
cc5453a5
FW		 500 /* allow but do not refresh timeout */
501 if (ignore)
502 return NF_ACCEPT;
503
c779e849
FW		 504 timeouts = nf_ct_timeout_lookup(ct);
505 if (!timeouts)
a95a7774 506 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts;
c779e849 507
2c8503f5 508 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
9fb9cbb1 509
efe9f68a 510 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
8528819a 511 dir == IP_CT_DIR_REPLY &&
efe9f68a 512 new_state == SCTP_CONNTRACK_ESTABLISHED) {
0d53778e 513 pr_debug("Setting assured bit\n");
112f35c9 514 set_bit(IPS_ASSURED_BIT, &ct->status);
858b3133 515 nf_conntrack_event_cache(IPCT_ASSURED, ct);
9fb9cbb1
YK		 516 }
517
518 return NF_ACCEPT;
b37e933a
PM		 519
520out_unlock:
440f0d58 521 spin_unlock_bh(&ct->lock);
b37e933a
PM		 522out:
523 return -NF_ACCEPT;
9fb9cbb1
YK		 524}
525
c6dd940b
FW		 526static bool sctp_can_early_drop(const struct nf_conn *ct)
527{
528 switch (ct->proto.sctp.state) {
529 case SCTP_CONNTRACK_SHUTDOWN_SENT:
530 case SCTP_CONNTRACK_SHUTDOWN_RECD:
531 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
532 return true;
533 default:
534 break;
535 }
536
537 return false;
538}
539
c0cd1156 540#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e
PNA		 541
542#include <linux/netfilter/nfnetlink.h>
543#include <linux/netfilter/nfnetlink_conntrack.h>
544
545static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
86d21fc7 546 struct nf_conn *ct, bool destroy)
a258860e
PNA		 547{
548 struct nlattr *nest_parms;
549
440f0d58 550 spin_lock_bh(&ct->lock);
ae0be8de 551 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP);
a258860e
PNA		 552 if (!nest_parms)
553 goto nla_put_failure;
554
86d21fc7
FW		 555 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state))
556 goto nla_put_failure;
557
558 if (destroy)
559 goto skip_state;
560
561 if (nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
5e8d1eb5
DM		 562 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
563 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
564 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
565 goto nla_put_failure;
a258860e 566
86d21fc7 567skip_state:
440f0d58 568 spin_unlock_bh(&ct->lock);
a258860e
PNA		 569 nla_nest_end(skb, nest_parms);
570
571 return 0;
572
573nla_put_failure:
440f0d58 574 spin_unlock_bh(&ct->lock);
a258860e
PNA		 575 return -1;
576}
577
578static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
579 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
580 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
581 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
582};
583
39215846
FW		 584#define SCTP_NLATTR_SIZE ( \
585 NLA_ALIGN(NLA_HDRLEN + 1) + \
586 NLA_ALIGN(NLA_HDRLEN + 4) + \
587 NLA_ALIGN(NLA_HDRLEN + 4))
588
a258860e
PNA		 589static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
590{
591 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
592 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
593 int err;
594
595 /* updates may not contain the internal protocol info, skip parsing */
596 if (!attr)
597 return 0;
598
8cb08174
JB		 599 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr,
600 sctp_nla_policy, NULL);
a258860e
PNA		 601 if (err < 0)
602 return err;
603
604 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
605 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
606 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
607 return -EINVAL;
608
440f0d58 609 spin_lock_bh(&ct->lock);
a258860e
PNA		 610 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
611 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
5547cd0a 612 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
a258860e 613 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
5547cd0a 614 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
440f0d58 615 spin_unlock_bh(&ct->lock);
a258860e
PNA		 616
617 return 0;
618}
619#endif
620
a874752a 621#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
50978462
PNA		 622
623#include <linux/netfilter/nfnetlink.h>
624#include <linux/netfilter/nfnetlink_cttimeout.h>
625
8264deb8
G		 626static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
627 struct net *net, void *data)
50978462
PNA		 628{
629 unsigned int *timeouts = data;
a95a7774 630 struct nf_sctp_net *sn = nf_sctp_pernet(net);
50978462
PNA		 631 int i;
632
1d9a7acd
FW		 633 if (!timeouts)
634 timeouts = sn->timeouts;
635
50978462
PNA		 636 /* set default SCTP timeouts. */
637 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
8264deb8 638 timeouts[i] = sn->timeouts[i];
50978462
PNA		 639
640 /* there's a 1:1 mapping between attributes and protocol states. */
641 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
642 if (tb[i]) {
643 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
644 }
645 }
ef39078d
FW		 646
647 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED];
50978462
PNA		 648 return 0;
649}
650
651static int
652sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
653{
654 const unsigned int *timeouts = data;
655 int i;
656
5e8d1eb5
DM		 657 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
658 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
659 goto nla_put_failure;
660 }
50978462
PNA		 661 return 0;
662
663nla_put_failure:
664 return -ENOSPC;
665}
666
667static const struct nla_policy
668sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
669 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
670 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
671 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
672 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
673 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
674 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
675 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
d7ee3519
MK		 676 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
677 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
50978462 678};
a874752a 679#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
50978462 680
2a389de8 681void nf_conntrack_sctp_init_net(struct net *net)
49d485a3 682{
a95a7774 683 struct nf_sctp_net *sn = nf_sctp_pernet(net);
2a389de8 684 int i;
49d485a3 685
2a389de8
FW		 686 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
687 sn->timeouts[i] = sctp_timeouts[i];
49d485a3 688
2a389de8
FW		 689 /* timeouts[0] is unused, init it so ->timeouts[0] contains
690 * 'new' timeout, like udp or icmp.
691 */
692 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
deaa0a97
LZ		 693}
694
dd2934a9 695const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = {
933a41e7 696 .l4proto = IPPROTO_SCTP,
ea48cc83 697#ifdef CONFIG_NF_CONNTRACK_PROCFS
933a41e7 698 .print_conntrack = sctp_print_conntrack,
ea48cc83 699#endif
c6dd940b 700 .can_early_drop = sctp_can_early_drop,
c0cd1156 701#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
39215846 702 .nlattr_size = SCTP_NLATTR_SIZE,
a258860e
PNA		 703 .to_nlattr = sctp_to_nlattr,
704 .from_nlattr = nlattr_to_sctp,
c7212e9d 705 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 706 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 707 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
708 .nla_policy = nf_ct_port_nla_policy,
709#endif
a874752a 710#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
50978462
PNA		 711 .ctnl_timeout = {
712 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
713 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
714 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
715 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
716 .nla_policy = sctp_timeout_nla_policy,
717 },
a874752a 718#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
9fb9cbb1 719};
Linux 6.x block layer and io_uring tree(s)