projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netfilter: nat: remove unnecessary rcu_read_lock in nf_nat_redirect_ipv{4/6}
[linux-2.6-block.git] / net / netfilter / nf_conntrack_proto_sctp.c
CommitLineData
9fb9cbb1
YK		 1/*
2 * Connection tracking protocol helper module for SCTP.
601e68e1 3 *
f229f6ce
PM		 4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
6 *
601e68e1 7 * SCTP is defined in RFC 2960. References to various sections in this code
9fb9cbb1 8 * are to this RFC.
601e68e1 9 *
9fb9cbb1
YK		 10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
9fb9cbb1
YK		 13 */
14
15#include <linux/types.h>
9fb9cbb1
YK		 16#include <linux/timer.h>
17#include <linux/netfilter.h>
9fb9cbb1
YK		 18#include <linux/in.h>
19#include <linux/ip.h>
20#include <linux/sctp.h>
21#include <linux/string.h>
22#include <linux/seq_file.h>
40a839fd
YK		 23#include <linux/spinlock.h>
24#include <linux/interrupt.h>
cf6e007e 25#include <net/sctp/checksum.h>
9fb9cbb1 26
cf6e007e 27#include <net/netfilter/nf_log.h>
9fb9cbb1 28#include <net/netfilter/nf_conntrack.h>
605dcad6 29#include <net/netfilter/nf_conntrack_l4proto.h>
f6180121 30#include <net/netfilter/nf_conntrack_ecache.h>
c779e849 31#include <net/netfilter/nf_conntrack_timeout.h>
9fb9cbb1 32
9fb9cbb1 33/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
601e68e1 34 closely. They're more complex. --RR
9fb9cbb1
YK		 35
36 And so for me for SCTP :D -Kiran */
37
12c33aa2 38static const char *const sctp_conntrack_names[] = {
9fb9cbb1
YK		 39 "NONE",
40 "CLOSED",
41 "COOKIE_WAIT",
42 "COOKIE_ECHOED",
43 "ESTABLISHED",
44 "SHUTDOWN_SENT",
45 "SHUTDOWN_RECD",
46 "SHUTDOWN_ACK_SENT",
d7ee3519
MK		 47 "HEARTBEAT_SENT",
48 "HEARTBEAT_ACKED",
9fb9cbb1
YK		 49};
50
51#define SECS * HZ
52#define MINS * 60 SECS
53#define HOURS * 60 MINS
54#define DAYS * 24 HOURS
55
2c9e8637 56static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = {
86c0bf40
PM		 57 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
58 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
59 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
60 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
61 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
62 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
63 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
d7ee3519
MK		 64 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
65 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
86c0bf40 66};
9fb9cbb1
YK		 67
68#define sNO SCTP_CONNTRACK_NONE
69#define sCL SCTP_CONNTRACK_CLOSED
70#define sCW SCTP_CONNTRACK_COOKIE_WAIT
71#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
72#define sES SCTP_CONNTRACK_ESTABLISHED
73#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
74#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
75#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
d7ee3519
MK		 76#define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
77#define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
9fb9cbb1
YK		 78#define sIV SCTP_CONNTRACK_MAX
79
601e68e1 80/*
9fb9cbb1
YK		 81 These are the descriptions of the states:
82
601e68e1 83NOTE: These state names are tantalizingly similar to the states of an
9fb9cbb1 84SCTP endpoint. But the interpretation of the states is a little different,
601e68e1 85considering that these are the states of the connection and not of an end
9fb9cbb1
YK		 86point. Please note the subtleties. -Kiran
87
88NONE - Nothing so far.
601e68e1
YH		 89COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
90 an INIT_ACK chunk in the reply direction.
9fb9cbb1
YK		 91COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
92ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
93SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
94SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
95SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
601e68e1
YH		 96 to that of the SHUTDOWN chunk.
97CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
98 the SHUTDOWN chunk. Connection is closed.
d7ee3519
MK		 99HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
100HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
101 that of the HEARTBEAT chunk. Secondary connection is
102 established.
9fb9cbb1
YK		 103*/
104
105/* TODO
601e68e1 106 - I have assumed that the first INIT is in the original direction.
9fb9cbb1
YK		 107 This messes things when an INIT comes in the reply direction in CLOSED
108 state.
601e68e1 109 - Check the error type in the reply dir before transitioning from
9fb9cbb1
YK		 110cookie echoed to closed.
111 - Sec 5.2.4 of RFC 2960
d7ee3519 112 - Full Multi Homing support.
9fb9cbb1
YK		 113*/
114
115/* SCTP conntrack state transitions */
d7ee3519 116static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
9fb9cbb1
YK		 117 {
118/* ORIGINAL */
d7ee3519
MK		 119/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
120/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
121/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
122/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
123/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
124/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
125/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
126/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
127/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
128/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
129/* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
130/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
9fb9cbb1
YK		 131 },
132 {
133/* REPLY */
d7ee3519
MK		 134/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
135/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
136/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
137/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
138/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
139/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
140/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
141/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
142/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
143/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
144/* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
145/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
9fb9cbb1
YK		 146 }
147};
148
a85406af 149static inline struct nf_sctp_net *sctp_pernet(struct net *net)
49d485a3 150{
a85406af 151 return &net->ct.nf_ct_proto.sctp;
49d485a3
G		 152}
153
ea48cc83 154#ifdef CONFIG_NF_CONNTRACK_PROCFS
9fb9cbb1 155/* Print out the private part of the conntrack. */
37246a58 156static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
9fb9cbb1 157{
a163f2cb 158 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
9fb9cbb1 159}
ea48cc83 160#endif
9fb9cbb1
YK		 161
162#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
ae146d9b 163for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \
e79ec50b
JE		 164 (offset) < (skb)->len && \
165 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
166 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
9fb9cbb1
YK		 167
168/* Some validity checks to make sure the chunks are fine */
112f35c9 169static int do_basic_checks(struct nf_conn *ct,
9fb9cbb1
YK		 170 const struct sk_buff *skb,
171 unsigned int dataoff,
35c6d3cb 172 unsigned long *map)
9fb9cbb1
YK		 173{
174 u_int32_t offset, count;
922dbc5b 175 struct sctp_chunkhdr _sch, *sch;
9fb9cbb1
YK		 176 int flag;
177
9fb9cbb1
YK		 178 flag = 0;
179
180 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
0d53778e 181 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
9fb9cbb1 182
5447d477
PM		 183 if (sch->type == SCTP_CID_INIT ||
184 sch->type == SCTP_CID_INIT_ACK ||
185 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
9fb9cbb1 186 flag = 1;
9fb9cbb1 187
e17df688
PM		 188 /*
189 * Cookie Ack/Echo chunks not the first OR
190 * Init / Init Ack / Shutdown compl chunks not the only chunks
191 * OR zero-length.
192 */
5447d477
PM		 193 if (((sch->type == SCTP_CID_COOKIE_ACK ||
194 sch->type == SCTP_CID_COOKIE_ECHO ||
195 flag) &&
196 count != 0) || !sch->length) {
0d53778e 197 pr_debug("Basic checks failed\n");
9fb9cbb1
YK		 198 return 1;
199 }
200
5447d477 201 if (map)
35c6d3cb 202 set_bit(sch->type, map);
9fb9cbb1
YK		 203 }
204
0d53778e 205 pr_debug("Basic checks passed\n");
dd7271fe 206 return count == 0;
9fb9cbb1
YK		 207}
208
efe9f68a
PM		 209static int sctp_new_state(enum ip_conntrack_dir dir,
210 enum sctp_conntrack cur_state,
211 int chunk_type)
9fb9cbb1
YK		 212{
213 int i;
214
0d53778e 215 pr_debug("Chunk type: %d\n", chunk_type);
9fb9cbb1
YK		 216
217 switch (chunk_type) {
5447d477
PM		 218 case SCTP_CID_INIT:
219 pr_debug("SCTP_CID_INIT\n");
220 i = 0;
221 break;
222 case SCTP_CID_INIT_ACK:
223 pr_debug("SCTP_CID_INIT_ACK\n");
224 i = 1;
225 break;
226 case SCTP_CID_ABORT:
227 pr_debug("SCTP_CID_ABORT\n");
228 i = 2;
229 break;
230 case SCTP_CID_SHUTDOWN:
231 pr_debug("SCTP_CID_SHUTDOWN\n");
232 i = 3;
233 break;
234 case SCTP_CID_SHUTDOWN_ACK:
235 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
236 i = 4;
237 break;
238 case SCTP_CID_ERROR:
239 pr_debug("SCTP_CID_ERROR\n");
240 i = 5;
241 break;
242 case SCTP_CID_COOKIE_ECHO:
243 pr_debug("SCTP_CID_COOKIE_ECHO\n");
244 i = 6;
245 break;
246 case SCTP_CID_COOKIE_ACK:
247 pr_debug("SCTP_CID_COOKIE_ACK\n");
248 i = 7;
249 break;
250 case SCTP_CID_SHUTDOWN_COMPLETE:
251 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
252 i = 8;
253 break;
d7ee3519
MK		 254 case SCTP_CID_HEARTBEAT:
255 pr_debug("SCTP_CID_HEARTBEAT");
256 i = 9;
257 break;
258 case SCTP_CID_HEARTBEAT_ACK:
259 pr_debug("SCTP_CID_HEARTBEAT_ACK");
260 i = 10;
261 break;
5447d477 262 default:
d7ee3519 263 /* Other chunks like DATA or SACK do not change the state */
5447d477
PM		 264 pr_debug("Unknown chunk type, Will stay in %s\n",
265 sctp_conntrack_names[cur_state]);
266 return cur_state;
9fb9cbb1
YK		 267 }
268
0d53778e
PM		 269 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
270 dir, sctp_conntrack_names[cur_state], chunk_type,
271 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
9fb9cbb1
YK		 272
273 return sctp_conntracks[dir][i][cur_state];
274}
275
b37e933a 276/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
112f35c9 277static int sctp_packet(struct nf_conn *ct,
9fb9cbb1
YK		 278 const struct sk_buff *skb,
279 unsigned int dataoff,
c779e849 280 enum ip_conntrack_info ctinfo)
9fb9cbb1 281{
efe9f68a 282 enum sctp_conntrack new_state, old_state;
8528819a 283 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
12c33aa2
JE		 284 const struct sctphdr *sh;
285 struct sctphdr _sctph;
286 const struct sctp_chunkhdr *sch;
287 struct sctp_chunkhdr _sch;
9fb9cbb1 288 u_int32_t offset, count;
c779e849 289 unsigned int *timeouts;
35c6d3cb 290 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 291
9fb9cbb1
YK		 292 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
293 if (sh == NULL)
b37e933a 294 goto out;
9fb9cbb1 295
112f35c9 296 if (do_basic_checks(ct, skb, dataoff, map) != 0)
b37e933a 297 goto out;
9fb9cbb1
YK		 298
299 /* Check the verification tag (Sec 8.5) */
35c6d3cb
PM		 300 if (!test_bit(SCTP_CID_INIT, map) &&
301 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
302 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
303 !test_bit(SCTP_CID_ABORT, map) &&
304 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
d7ee3519
MK		 305 !test_bit(SCTP_CID_HEARTBEAT, map) &&
306 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
8528819a 307 sh->vtag != ct->proto.sctp.vtag[dir]) {
0d53778e 308 pr_debug("Verification tag check failed\n");
b37e933a 309 goto out;
9fb9cbb1
YK		 310 }
311
328bd899 312 old_state = new_state = SCTP_CONNTRACK_NONE;
440f0d58 313 spin_lock_bh(&ct->lock);
9fb9cbb1 314 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
9fb9cbb1
YK		 315 /* Special cases of Verification tag check (Sec 8.5.1) */
316 if (sch->type == SCTP_CID_INIT) {
317 /* Sec 8.5.1 (A) */
b37e933a
PM		 318 if (sh->vtag != 0)
319 goto out_unlock;
9fb9cbb1
YK		 320 } else if (sch->type == SCTP_CID_ABORT) {
321 /* Sec 8.5.1 (B) */
8528819a 322 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
b37e933a
PM		 323 sh->vtag != ct->proto.sctp.vtag[!dir])
324 goto out_unlock;
9fb9cbb1
YK		 325 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
326 /* Sec 8.5.1 (C) */
8528819a
PM		 327 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
328 sh->vtag != ct->proto.sctp.vtag[!dir] &&
9b1c2cfd 329 sch->flags & SCTP_CHUNK_FLAG_T)
b37e933a 330 goto out_unlock;
9fb9cbb1
YK		 331 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
332 /* Sec 8.5.1 (D) */
b37e933a
PM		 333 if (sh->vtag != ct->proto.sctp.vtag[dir])
334 goto out_unlock;
d7ee3519
MK		 335 } else if (sch->type == SCTP_CID_HEARTBEAT ||
336 sch->type == SCTP_CID_HEARTBEAT_ACK) {
337 if (ct->proto.sctp.vtag[dir] == 0) {
338 pr_debug("Setting vtag %x for dir %d\n",
339 sh->vtag, dir);
340 ct->proto.sctp.vtag[dir] = sh->vtag;
341 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
342 pr_debug("Verification tag check failed\n");
343 goto out_unlock;
344 }
9fb9cbb1
YK		 345 }
346
efe9f68a
PM		 347 old_state = ct->proto.sctp.state;
348 new_state = sctp_new_state(dir, old_state, sch->type);
9fb9cbb1
YK		 349
350 /* Invalid */
efe9f68a 351 if (new_state == SCTP_CONNTRACK_MAX) {
0d53778e
PM		 352 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
353 "conntrack=%u\n",
efe9f68a 354 dir, sch->type, old_state);
b37e933a 355 goto out_unlock;
9fb9cbb1
YK		 356 }
357
358 /* If it is an INIT or an INIT ACK note down the vtag */
5447d477
PM		 359 if (sch->type == SCTP_CID_INIT ||
360 sch->type == SCTP_CID_INIT_ACK) {
4ae70c08 361 struct sctp_inithdr _inithdr, *ih;
9fb9cbb1 362
922dbc5b 363 ih = skb_header_pointer(skb, offset + sizeof(_sch),
601e68e1 364 sizeof(_inithdr), &_inithdr);
b37e933a
PM		 365 if (ih == NULL)
366 goto out_unlock;
0d53778e 367 pr_debug("Setting vtag %x for dir %d\n",
8528819a
PM		 368 ih->init_tag, !dir);
369 ct->proto.sctp.vtag[!dir] = ih->init_tag;
9fb9cbb1
YK		 370 }
371
efe9f68a
PM		 372 ct->proto.sctp.state = new_state;
373 if (old_state != new_state)
a71996fc 374 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
9fb9cbb1 375 }
440f0d58 376 spin_unlock_bh(&ct->lock);
9fb9cbb1 377
c779e849
FW		 378 timeouts = nf_ct_timeout_lookup(ct);
379 if (!timeouts)
380 timeouts = sctp_pernet(nf_ct_net(ct))->timeouts;
381
2c8503f5 382 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
9fb9cbb1 383
efe9f68a 384 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
8528819a 385 dir == IP_CT_DIR_REPLY &&
efe9f68a 386 new_state == SCTP_CONNTRACK_ESTABLISHED) {
0d53778e 387 pr_debug("Setting assured bit\n");
112f35c9 388 set_bit(IPS_ASSURED_BIT, &ct->status);
858b3133 389 nf_conntrack_event_cache(IPCT_ASSURED, ct);
9fb9cbb1
YK		 390 }
391
392 return NF_ACCEPT;
b37e933a
PM		 393
394out_unlock:
440f0d58 395 spin_unlock_bh(&ct->lock);
b37e933a
PM		 396out:
397 return -NF_ACCEPT;
9fb9cbb1
YK		 398}
399
400/* Called when a new connection for this protocol found. */
09f263cd 401static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
c779e849 402 unsigned int dataoff)
9fb9cbb1 403{
efe9f68a 404 enum sctp_conntrack new_state;
12c33aa2
JE		 405 const struct sctphdr *sh;
406 struct sctphdr _sctph;
407 const struct sctp_chunkhdr *sch;
408 struct sctp_chunkhdr _sch;
9fb9cbb1 409 u_int32_t offset, count;
35c6d3cb 410 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 411
9fb9cbb1
YK		 412 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
413 if (sh == NULL)
09f263cd 414 return false;
9fb9cbb1 415
112f35c9 416 if (do_basic_checks(ct, skb, dataoff, map) != 0)
09f263cd 417 return false;
9fb9cbb1
YK		 418
419 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
35c6d3cb
PM		 420 if (test_bit(SCTP_CID_ABORT, map) ||
421 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
422 test_bit(SCTP_CID_COOKIE_ACK, map))
09f263cd 423 return false;
9fb9cbb1 424
e5fc9e7a 425 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
efe9f68a 426 new_state = SCTP_CONNTRACK_MAX;
9fb9cbb1
YK		 427 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
428 /* Don't need lock here: this conntrack not in circulation yet */
efe9f68a
PM		 429 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
430 SCTP_CONNTRACK_NONE, sch->type);
9fb9cbb1
YK		 431
432 /* Invalid: delete conntrack */
efe9f68a
PM		 433 if (new_state == SCTP_CONNTRACK_NONE ||
434 new_state == SCTP_CONNTRACK_MAX) {
0d53778e 435 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
09f263cd 436 return false;
9fb9cbb1
YK		 437 }
438
439 /* Copy the vtag into the state info */
440 if (sch->type == SCTP_CID_INIT) {
4ae70c08 441 struct sctp_inithdr _inithdr, *ih;
922dbc5b
XL		 442 /* Sec 8.5.1 (A) */
443 if (sh->vtag)
444 return false;
9fb9cbb1 445
922dbc5b
XL		 446 ih = skb_header_pointer(skb, offset + sizeof(_sch),
447 sizeof(_inithdr), &_inithdr);
448 if (!ih)
449 return false;
9fb9cbb1 450
922dbc5b
XL		 451 pr_debug("Setting vtag %x for new conn\n",
452 ih->init_tag);
9fb9cbb1 453
922dbc5b 454 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
d7ee3519
MK		 455 } else if (sch->type == SCTP_CID_HEARTBEAT) {
456 pr_debug("Setting vtag %x for secondary conntrack\n",
457 sh->vtag);
458 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
9fb9cbb1
YK		 459 }
460 /* If it is a shutdown ack OOTB packet, we expect a return
461 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
462 else {
0d53778e
PM		 463 pr_debug("Setting vtag %x for new conn OOTB\n",
464 sh->vtag);
112f35c9 465 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
9fb9cbb1
YK		 466 }
467
efe9f68a 468 ct->proto.sctp.state = new_state;
9fb9cbb1
YK		 469 }
470
09f263cd 471 return true;
9fb9cbb1
YK		 472}
473
cf6e007e 474static int sctp_error(struct net *net, struct nf_conn *tpl, struct sk_buff *skb,
11df4b76 475 unsigned int dataoff,
cf6e007e
DC		 476 u8 pf, unsigned int hooknum)
477{
478 const struct sctphdr *sh;
cf6e007e
DC		 479 const char *logmsg;
480
f3c0eb05 481 if (skb->len < dataoff + sizeof(struct sctphdr)) {
cf6e007e
DC		 482 logmsg = "nf_ct_sctp: short packet ";
483 goto out_invalid;
484 }
485 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
486 skb->ip_summed == CHECKSUM_NONE) {
f3c0eb05
DC		 487 if (!skb_make_writable(skb, dataoff + sizeof(struct sctphdr))) {
488 logmsg = "nf_ct_sctp: failed to read header ";
489 goto out_invalid;
490 }
491 sh = (const struct sctphdr *)(skb->data + dataoff);
cf6e007e
DC		 492 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
493 logmsg = "nf_ct_sctp: bad CRC ";
494 goto out_invalid;
495 }
496 skb->ip_summed = CHECKSUM_UNNECESSARY;
497 }
498 return NF_ACCEPT;
499out_invalid:
c4f3db15 500 nf_l4proto_log_invalid(skb, net, pf, IPPROTO_SCTP, "%s", logmsg);
cf6e007e
DC		 501 return -NF_ACCEPT;
502}
503
c6dd940b
FW		 504static bool sctp_can_early_drop(const struct nf_conn *ct)
505{
506 switch (ct->proto.sctp.state) {
507 case SCTP_CONNTRACK_SHUTDOWN_SENT:
508 case SCTP_CONNTRACK_SHUTDOWN_RECD:
509 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
510 return true;
511 default:
512 break;
513 }
514
515 return false;
516}
517
c0cd1156 518#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e
PNA		 519
520#include <linux/netfilter/nfnetlink.h>
521#include <linux/netfilter/nfnetlink_conntrack.h>
522
523static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
440f0d58 524 struct nf_conn *ct)
a258860e
PNA		 525{
526 struct nlattr *nest_parms;
527
440f0d58 528 spin_lock_bh(&ct->lock);
a258860e
PNA		 529 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
530 if (!nest_parms)
531 goto nla_put_failure;
532
5e8d1eb5
DM		 533 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
534 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
535 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
536 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
537 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
538 goto nla_put_failure;
a258860e 539
440f0d58 540 spin_unlock_bh(&ct->lock);
a258860e
PNA		 541
542 nla_nest_end(skb, nest_parms);
543
544 return 0;
545
546nla_put_failure:
440f0d58 547 spin_unlock_bh(&ct->lock);
a258860e
PNA		 548 return -1;
549}
550
551static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
552 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
553 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
554 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
555};
556
39215846
FW		 557#define SCTP_NLATTR_SIZE ( \
558 NLA_ALIGN(NLA_HDRLEN + 1) + \
559 NLA_ALIGN(NLA_HDRLEN + 4) + \
560 NLA_ALIGN(NLA_HDRLEN + 4))
561
a258860e
PNA		 562static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
563{
564 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
565 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
566 int err;
567
568 /* updates may not contain the internal protocol info, skip parsing */
569 if (!attr)
570 return 0;
571
fceb6435
JB		 572 err = nla_parse_nested(tb, CTA_PROTOINFO_SCTP_MAX, attr,
573 sctp_nla_policy, NULL);
a258860e
PNA		 574 if (err < 0)
575 return err;
576
577 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
578 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
579 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
580 return -EINVAL;
581
440f0d58 582 spin_lock_bh(&ct->lock);
a258860e
PNA		 583 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
584 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
5547cd0a 585 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
a258860e 586 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
5547cd0a 587 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
440f0d58 588 spin_unlock_bh(&ct->lock);
a258860e
PNA		 589
590 return 0;
591}
592#endif
593
a874752a 594#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
50978462
PNA		 595
596#include <linux/netfilter/nfnetlink.h>
597#include <linux/netfilter/nfnetlink_cttimeout.h>
598
8264deb8
G		 599static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
600 struct net *net, void *data)
50978462
PNA		 601{
602 unsigned int *timeouts = data;
a85406af 603 struct nf_sctp_net *sn = sctp_pernet(net);
50978462
PNA		 604 int i;
605
606 /* set default SCTP timeouts. */
607 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
8264deb8 608 timeouts[i] = sn->timeouts[i];
50978462
PNA		 609
610 /* there's a 1:1 mapping between attributes and protocol states. */
611 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
612 if (tb[i]) {
613 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
614 }
615 }
ef39078d
FW		 616
617 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED];
50978462
PNA		 618 return 0;
619}
620
621static int
622sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
623{
624 const unsigned int *timeouts = data;
625 int i;
626
5e8d1eb5
DM		 627 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
628 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
629 goto nla_put_failure;
630 }
50978462
PNA		 631 return 0;
632
633nla_put_failure:
634 return -ENOSPC;
635}
636
637static const struct nla_policy
638sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
639 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
640 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
641 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
642 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
643 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
644 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
645 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
d7ee3519
MK		 646 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
647 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
50978462 648};
a874752a 649#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
50978462
PNA		 650
651
9fb9cbb1 652#ifdef CONFIG_SYSCTL
933a41e7 653static struct ctl_table sctp_sysctl_table[] = {
9fb9cbb1 654 {
9fb9cbb1 655 .procname = "nf_conntrack_sctp_timeout_closed",
9fb9cbb1
YK		 656 .maxlen = sizeof(unsigned int),
657 .mode = 0644,
6d9f239a 658 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 659 },
660 {
9fb9cbb1 661 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
9fb9cbb1
YK		 662 .maxlen = sizeof(unsigned int),
663 .mode = 0644,
6d9f239a 664 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 665 },
666 {
9fb9cbb1 667 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
9fb9cbb1
YK		 668 .maxlen = sizeof(unsigned int),
669 .mode = 0644,
6d9f239a 670 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 671 },
672 {
9fb9cbb1 673 .procname = "nf_conntrack_sctp_timeout_established",
9fb9cbb1
YK		 674 .maxlen = sizeof(unsigned int),
675 .mode = 0644,
6d9f239a 676 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 677 },
678 {
9fb9cbb1 679 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
9fb9cbb1
YK		 680 .maxlen = sizeof(unsigned int),
681 .mode = 0644,
6d9f239a 682 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 683 },
684 {
9fb9cbb1 685 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
9fb9cbb1
YK		 686 .maxlen = sizeof(unsigned int),
687 .mode = 0644,
6d9f239a 688 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 689 },
690 {
9fb9cbb1 691 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
9fb9cbb1
YK		 692 .maxlen = sizeof(unsigned int),
693 .mode = 0644,
6d9f239a 694 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1 695 },
d7ee3519
MK		 696 {
697 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
698 .maxlen = sizeof(unsigned int),
699 .mode = 0644,
700 .proc_handler = proc_dointvec_jiffies,
701 },
702 {
703 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
704 .maxlen = sizeof(unsigned int),
705 .mode = 0644,
706 .proc_handler = proc_dointvec_jiffies,
707 },
f8572d8f 708 { }
9fb9cbb1 709};
933a41e7 710#endif
9fb9cbb1 711
f42c4183 712static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
a85406af 713 struct nf_sctp_net *sn)
49d485a3
G		 714{
715#ifdef CONFIG_SYSCTL
49d485a3
G		 716 if (pn->ctl_table)
717 return 0;
718
719 pn->ctl_table = kmemdup(sctp_sysctl_table,
720 sizeof(sctp_sysctl_table),
721 GFP_KERNEL);
722 if (!pn->ctl_table)
723 return -ENOMEM;
724
725 pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
726 pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
727 pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
728 pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
729 pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
730 pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
731 pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
d7ee3519
MK		 732 pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
733 pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
49d485a3
G		 734#endif
735 return 0;
736}
737
f42c4183 738static int sctp_init_net(struct net *net, u_int16_t proto)
49d485a3 739{
a85406af 740 struct nf_sctp_net *sn = sctp_pernet(net);
f42c4183 741 struct nf_proto_net *pn = &sn->pn;
49d485a3 742
f42c4183
G		 743 if (!pn->users) {
744 int i;
49d485a3 745
f42c4183
G		 746 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
747 sn->timeouts[i] = sctp_timeouts[i];
ef39078d
FW		 748
749 /* timeouts[0] is unused, init it so ->timeouts[0] contains
750 * 'new' timeout, like udp or icmp.
751 */
752 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
f42c4183 753 }
49d485a3 754
adf05168 755 return sctp_kmemdup_sysctl_table(pn, sn);
49d485a3
G		 756}
757
deaa0a97
LZ		 758static struct nf_proto_net *sctp_get_net_proto(struct net *net)
759{
760 return &net->ct.nf_ct_proto.sctp.pn;
761}
762
9dae47ab 763const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = {
933a41e7
PM		 764 .l3proto = PF_INET,
765 .l4proto = IPPROTO_SCTP,
ea48cc83 766#ifdef CONFIG_NF_CONNTRACK_PROCFS
933a41e7 767 .print_conntrack = sctp_print_conntrack,
ea48cc83 768#endif
933a41e7
PM		 769 .packet = sctp_packet,
770 .new = sctp_new,
cf6e007e 771 .error = sctp_error,
c6dd940b 772 .can_early_drop = sctp_can_early_drop,
933a41e7 773 .me = THIS_MODULE,
c0cd1156 774#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
39215846 775 .nlattr_size = SCTP_NLATTR_SIZE,
a258860e
PNA		 776 .to_nlattr = sctp_to_nlattr,
777 .from_nlattr = nlattr_to_sctp,
c7212e9d 778 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 779 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 780 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
781 .nla_policy = nf_ct_port_nla_policy,
782#endif
a874752a 783#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
50978462
PNA		 784 .ctnl_timeout = {
785 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
786 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
787 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
788 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
789 .nla_policy = sctp_timeout_nla_policy,
790 },
a874752a 791#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
f42c4183 792 .init_net = sctp_init_net,
deaa0a97 793 .get_net_proto = sctp_get_net_proto,
9fb9cbb1 794};
a85406af 795EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
9fb9cbb1 796
9dae47ab 797const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 = {
933a41e7
PM		 798 .l3proto = PF_INET6,
799 .l4proto = IPPROTO_SCTP,
ea48cc83 800#ifdef CONFIG_NF_CONNTRACK_PROCFS
933a41e7 801 .print_conntrack = sctp_print_conntrack,
ea48cc83 802#endif
933a41e7
PM		 803 .packet = sctp_packet,
804 .new = sctp_new,
cf6e007e 805 .error = sctp_error,
c6dd940b 806 .can_early_drop = sctp_can_early_drop,
933a41e7 807 .me = THIS_MODULE,
c0cd1156 808#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
39215846 809 .nlattr_size = SCTP_NLATTR_SIZE,
a258860e
PNA		 810 .to_nlattr = sctp_to_nlattr,
811 .from_nlattr = nlattr_to_sctp,
c7212e9d 812 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 813 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 814 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
815 .nla_policy = nf_ct_port_nla_policy,
a874752a
PNA		 816#endif
817#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
50978462
PNA		 818 .ctnl_timeout = {
819 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
820 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
821 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
822 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
823 .nla_policy = sctp_timeout_nla_policy,
824 },
a874752a 825#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
f42c4183 826 .init_net = sctp_init_net,
deaa0a97 827 .get_net_proto = sctp_get_net_proto,
933a41e7 828};
a85406af 829EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
Linux 6.x block layer and io_uring tree(s)