1 // SPDX-License-Identifier: GPL-2.0-only
3 * Connection tracking protocol helper module for SCTP.
5 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
6 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
8 * SCTP is defined in RFC 2960. References to various sections in this code
12 #include <linux/types.h>
13 #include <linux/timer.h>
14 #include <linux/netfilter.h>
17 #include <linux/sctp.h>
18 #include <linux/string.h>
19 #include <linux/seq_file.h>
20 #include <linux/spinlock.h>
21 #include <linux/interrupt.h>
22 #include <net/sctp/checksum.h>
24 #include <net/netfilter/nf_log.h>
25 #include <net/netfilter/nf_conntrack.h>
26 #include <net/netfilter/nf_conntrack_l4proto.h>
27 #include <net/netfilter/nf_conntrack_ecache.h>
28 #include <net/netfilter/nf_conntrack_timeout.h>
30 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
31 closely. They're more complex. --RR
33 And so for me for SCTP :D -Kiran */
35 static const char *const sctp_conntrack_names[] = {
49 #define MINS * 60 SECS
50 #define HOURS * 60 MINS
51 #define DAYS * 24 HOURS
53 static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = {
54 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
55 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
56 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
57 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
58 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
59 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
60 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
61 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
62 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
63 [SCTP_CONNTRACK_DATA_SENT] = 30 SECS,
66 #define SCTP_FLAG_HEARTBEAT_VTAG_FAILED 1
68 #define sNO SCTP_CONNTRACK_NONE
69 #define sCL SCTP_CONNTRACK_CLOSED
70 #define sCW SCTP_CONNTRACK_COOKIE_WAIT
71 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED
72 #define sES SCTP_CONNTRACK_ESTABLISHED
73 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
74 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
75 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
76 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
77 #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
78 #define sDS SCTP_CONNTRACK_DATA_SENT
79 #define sIV SCTP_CONNTRACK_MAX
82 These are the descriptions of the states:
84 NOTE: These state names are tantalizingly similar to the states of an
85 SCTP endpoint. But the interpretation of the states is a little different,
86 considering that these are the states of the connection and not of an end
87 point. Please note the subtleties. -Kiran
89 NONE - Nothing so far.
90 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
91 an INIT_ACK chunk in the reply direction.
92 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
93 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
94 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
95 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply direction.
96 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
97 to that of the SHUTDOWN chunk.
98 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
99 the SHUTDOWN chunk. Connection is closed.
100 HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
101 HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK/DATA/SACK in the direction
102 opposite to that of the HEARTBEAT/DATA chunk. Secondary connection
104 DATA_SENT - We have seen a DATA/SACK in a new flow.
108 - I have assumed that the first INIT is in the original direction.
109 This messes things when an INIT comes in the reply direction in CLOSED
111 - Check the error type in the reply dir before transitioning from
112 cookie echoed to closed.
113 - Sec 5.2.4 of RFC 2960
114 - Full Multi Homing support.
117 /* SCTP conntrack state transitions */
118 static const u8 sctp_conntracks[2][12][SCTP_CONNTRACK_MAX] = {
121 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS */
122 /* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA, sCW},
123 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},
124 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
125 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS, sCL},
126 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA, sSA},
127 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* Can't have Stale cookie*/
128 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* 5.2.4 - Big TODO */
129 /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* Can't come in orig dir */
130 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA, sCL},
131 /* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS},
132 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS},
133 /* data/sack */ {sDS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS}
137 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS */
138 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV},/* INIT in sCL Big TODO */
139 /* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV},
140 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL, sIV},
141 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR, sIV},
142 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA, sIV},
143 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA, sIV},
144 /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV},/* Can't come in reply dir */
145 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA, sIV},
146 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA, sIV},
147 /* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sHA},
148 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA, sHA},
149 /* data/sack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA, sHA},
153 #ifdef CONFIG_NF_CONNTRACK_PROCFS
154 /* Print out the private part of the conntrack. */
155 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
157 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
161 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
162 for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \
163 (offset) < (skb)->len && \
164 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
165 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
167 /* Some validity checks to make sure the chunks are fine */
168 static int do_basic_checks(struct nf_conn *ct,
169 const struct sk_buff *skb,
170 unsigned int dataoff,
173 u_int32_t offset, count;
174 struct sctp_chunkhdr _sch, *sch;
179 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
180 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
182 if (sch->type == SCTP_CID_INIT ||
183 sch->type == SCTP_CID_INIT_ACK ||
184 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
188 * Cookie Ack/Echo chunks not the first OR
189 * Init / Init Ack / Shutdown compl chunks not the only chunks
192 if (((sch->type == SCTP_CID_COOKIE_ACK ||
193 sch->type == SCTP_CID_COOKIE_ECHO ||
195 count != 0) || !sch->length) {
196 pr_debug("Basic checks failed\n");
201 set_bit(sch->type, map);
204 pr_debug("Basic checks passed\n");
208 static int sctp_new_state(enum ip_conntrack_dir dir,
209 enum sctp_conntrack cur_state,
214 pr_debug("Chunk type: %d\n", chunk_type);
216 switch (chunk_type) {
218 pr_debug("SCTP_CID_INIT\n");
221 case SCTP_CID_INIT_ACK:
222 pr_debug("SCTP_CID_INIT_ACK\n");
226 pr_debug("SCTP_CID_ABORT\n");
229 case SCTP_CID_SHUTDOWN:
230 pr_debug("SCTP_CID_SHUTDOWN\n");
233 case SCTP_CID_SHUTDOWN_ACK:
234 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
238 pr_debug("SCTP_CID_ERROR\n");
241 case SCTP_CID_COOKIE_ECHO:
242 pr_debug("SCTP_CID_COOKIE_ECHO\n");
245 case SCTP_CID_COOKIE_ACK:
246 pr_debug("SCTP_CID_COOKIE_ACK\n");
249 case SCTP_CID_SHUTDOWN_COMPLETE:
250 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
253 case SCTP_CID_HEARTBEAT:
254 pr_debug("SCTP_CID_HEARTBEAT");
257 case SCTP_CID_HEARTBEAT_ACK:
258 pr_debug("SCTP_CID_HEARTBEAT_ACK");
263 pr_debug("SCTP_CID_DATA/SACK");
267 /* Other chunks like DATA or SACK do not change the state */
268 pr_debug("Unknown chunk type, Will stay in %s\n",
269 sctp_conntrack_names[cur_state]);
273 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
274 dir, sctp_conntrack_names[cur_state], chunk_type,
275 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
277 return sctp_conntracks[dir][i][cur_state];
280 /* Don't need lock here: this conntrack not in circulation yet */
282 sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
283 const struct sctphdr *sh, unsigned int dataoff)
285 enum sctp_conntrack new_state;
286 const struct sctp_chunkhdr *sch;
287 struct sctp_chunkhdr _sch;
290 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
291 new_state = SCTP_CONNTRACK_MAX;
292 for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) {
293 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
294 SCTP_CONNTRACK_NONE, sch->type);
296 /* Invalid: delete conntrack */
297 if (new_state == SCTP_CONNTRACK_NONE ||
298 new_state == SCTP_CONNTRACK_MAX) {
299 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
303 /* Copy the vtag into the state info */
304 if (sch->type == SCTP_CID_INIT) {
305 struct sctp_inithdr _inithdr, *ih;
310 ih = skb_header_pointer(skb, offset + sizeof(_sch),
311 sizeof(_inithdr), &_inithdr);
315 pr_debug("Setting vtag %x for new conn\n",
318 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
319 } else if (sch->type == SCTP_CID_HEARTBEAT ||
320 sch->type == SCTP_CID_DATA ||
321 sch->type == SCTP_CID_SACK) {
322 pr_debug("Setting vtag %x for secondary conntrack\n",
324 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
326 /* If it is a shutdown ack OOTB packet, we expect a return
327 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
328 pr_debug("Setting vtag %x for new conn OOTB\n",
330 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
333 ct->proto.sctp.state = SCTP_CONNTRACK_NONE;
339 static bool sctp_error(struct sk_buff *skb,
340 unsigned int dataoff,
341 const struct nf_hook_state *state)
343 const struct sctphdr *sh;
346 if (skb->len < dataoff + sizeof(struct sctphdr)) {
347 logmsg = "nf_ct_sctp: short packet ";
350 if (state->hook == NF_INET_PRE_ROUTING &&
351 state->net->ct.sysctl_checksum &&
352 skb->ip_summed == CHECKSUM_NONE) {
353 if (skb_ensure_writable(skb, dataoff + sizeof(*sh))) {
354 logmsg = "nf_ct_sctp: failed to read header ";
357 sh = (const struct sctphdr *)(skb->data + dataoff);
358 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
359 logmsg = "nf_ct_sctp: bad CRC ";
362 skb->ip_summed = CHECKSUM_UNNECESSARY;
366 nf_l4proto_log_invalid(skb, state, IPPROTO_SCTP, "%s", logmsg);
370 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
371 int nf_conntrack_sctp_packet(struct nf_conn *ct,
373 unsigned int dataoff,
374 enum ip_conntrack_info ctinfo,
375 const struct nf_hook_state *state)
377 enum sctp_conntrack new_state, old_state;
378 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
379 const struct sctphdr *sh;
380 struct sctphdr _sctph;
381 const struct sctp_chunkhdr *sch;
382 struct sctp_chunkhdr _sch;
383 u_int32_t offset, count;
384 unsigned int *timeouts;
385 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
388 if (sctp_error(skb, dataoff, state))
391 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
395 if (do_basic_checks(ct, skb, dataoff, map) != 0)
398 if (!nf_ct_is_confirmed(ct)) {
399 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
400 if (test_bit(SCTP_CID_ABORT, map) ||
401 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
402 test_bit(SCTP_CID_COOKIE_ACK, map))
405 if (!sctp_new(ct, skb, sh, dataoff))
408 /* Check the verification tag (Sec 8.5) */
409 if (!test_bit(SCTP_CID_INIT, map) &&
410 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
411 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
412 !test_bit(SCTP_CID_ABORT, map) &&
413 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
414 !test_bit(SCTP_CID_HEARTBEAT, map) &&
415 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
416 sh->vtag != ct->proto.sctp.vtag[dir]) {
417 pr_debug("Verification tag check failed\n");
422 old_state = new_state = SCTP_CONNTRACK_NONE;
423 spin_lock_bh(&ct->lock);
424 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
425 /* Special cases of Verification tag check (Sec 8.5.1) */
426 if (sch->type == SCTP_CID_INIT) {
430 } else if (sch->type == SCTP_CID_ABORT) {
432 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
433 sh->vtag != ct->proto.sctp.vtag[!dir])
435 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
437 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
438 sh->vtag != ct->proto.sctp.vtag[!dir] &&
439 sch->flags & SCTP_CHUNK_FLAG_T)
441 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
443 if (sh->vtag != ct->proto.sctp.vtag[dir])
445 } else if (sch->type == SCTP_CID_HEARTBEAT) {
446 if (ct->proto.sctp.vtag[dir] == 0) {
447 pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir);
448 ct->proto.sctp.vtag[dir] = sh->vtag;
449 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
450 if (test_bit(SCTP_CID_DATA, map) || ignore)
453 ct->proto.sctp.flags |= SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
454 ct->proto.sctp.last_dir = dir;
457 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) {
458 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
460 } else if (sch->type == SCTP_CID_HEARTBEAT_ACK) {
461 if (ct->proto.sctp.vtag[dir] == 0) {
462 pr_debug("Setting vtag %x for dir %d\n",
464 ct->proto.sctp.vtag[dir] = sh->vtag;
465 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
466 if (test_bit(SCTP_CID_DATA, map) || ignore)
469 if ((ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) == 0 ||
470 ct->proto.sctp.last_dir == dir)
473 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
474 ct->proto.sctp.vtag[dir] = sh->vtag;
475 ct->proto.sctp.vtag[!dir] = 0;
476 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) {
477 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
479 } else if (sch->type == SCTP_CID_DATA || sch->type == SCTP_CID_SACK) {
480 if (ct->proto.sctp.vtag[dir] == 0) {
481 pr_debug("Setting vtag %x for dir %d\n", sh->vtag, dir);
482 ct->proto.sctp.vtag[dir] = sh->vtag;
486 old_state = ct->proto.sctp.state;
487 new_state = sctp_new_state(dir, old_state, sch->type);
490 if (new_state == SCTP_CONNTRACK_MAX) {
491 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
493 dir, sch->type, old_state);
497 /* If it is an INIT or an INIT ACK note down the vtag */
498 if (sch->type == SCTP_CID_INIT ||
499 sch->type == SCTP_CID_INIT_ACK) {
500 struct sctp_inithdr _inithdr, *ih;
502 ih = skb_header_pointer(skb, offset + sizeof(_sch),
503 sizeof(_inithdr), &_inithdr);
506 pr_debug("Setting vtag %x for dir %d\n",
508 ct->proto.sctp.vtag[!dir] = ih->init_tag;
510 /* don't renew timeout on init retransmit so
511 * port reuse by client or NAT middlebox cannot
512 * keep entry alive indefinitely (incl. nat info).
514 if (new_state == SCTP_CONNTRACK_CLOSED &&
515 old_state == SCTP_CONNTRACK_CLOSED &&
516 nf_ct_is_confirmed(ct))
520 ct->proto.sctp.state = new_state;
521 if (old_state != new_state)
522 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
524 spin_unlock_bh(&ct->lock);
526 /* allow but do not refresh timeout */
530 timeouts = nf_ct_timeout_lookup(ct);
532 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts;
534 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
536 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
537 dir == IP_CT_DIR_REPLY &&
538 new_state == SCTP_CONNTRACK_ESTABLISHED) {
539 pr_debug("Setting assured bit\n");
540 set_bit(IPS_ASSURED_BIT, &ct->status);
541 nf_conntrack_event_cache(IPCT_ASSURED, ct);
547 spin_unlock_bh(&ct->lock);
552 static bool sctp_can_early_drop(const struct nf_conn *ct)
554 switch (ct->proto.sctp.state) {
555 case SCTP_CONNTRACK_SHUTDOWN_SENT:
556 case SCTP_CONNTRACK_SHUTDOWN_RECD:
557 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
566 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
568 #include <linux/netfilter/nfnetlink.h>
569 #include <linux/netfilter/nfnetlink_conntrack.h>
571 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
572 struct nf_conn *ct, bool destroy)
574 struct nlattr *nest_parms;
576 spin_lock_bh(&ct->lock);
577 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP);
579 goto nla_put_failure;
581 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state))
582 goto nla_put_failure;
587 if (nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
588 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
589 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
590 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
591 goto nla_put_failure;
594 spin_unlock_bh(&ct->lock);
595 nla_nest_end(skb, nest_parms);
600 spin_unlock_bh(&ct->lock);
604 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
605 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
606 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
607 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
610 #define SCTP_NLATTR_SIZE ( \
611 NLA_ALIGN(NLA_HDRLEN + 1) + \
612 NLA_ALIGN(NLA_HDRLEN + 4) + \
613 NLA_ALIGN(NLA_HDRLEN + 4))
615 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
617 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
618 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
621 /* updates may not contain the internal protocol info, skip parsing */
625 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr,
626 sctp_nla_policy, NULL);
630 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
631 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
632 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
635 spin_lock_bh(&ct->lock);
636 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
637 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
638 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
639 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
640 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
641 spin_unlock_bh(&ct->lock);
647 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
649 #include <linux/netfilter/nfnetlink.h>
650 #include <linux/netfilter/nfnetlink_cttimeout.h>
652 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
653 struct net *net, void *data)
655 unsigned int *timeouts = data;
656 struct nf_sctp_net *sn = nf_sctp_pernet(net);
660 timeouts = sn->timeouts;
662 /* set default SCTP timeouts. */
663 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
664 timeouts[i] = sn->timeouts[i];
666 /* there's a 1:1 mapping between attributes and protocol states. */
667 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
669 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
673 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED];
678 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
680 const unsigned int *timeouts = data;
683 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
684 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
685 goto nla_put_failure;
693 static const struct nla_policy
694 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
695 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
696 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
697 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
698 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
699 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
700 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
701 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
702 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
703 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
704 [CTA_TIMEOUT_SCTP_DATA_SENT] = { .type = NLA_U32 },
706 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
708 void nf_conntrack_sctp_init_net(struct net *net)
710 struct nf_sctp_net *sn = nf_sctp_pernet(net);
713 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
714 sn->timeouts[i] = sctp_timeouts[i];
716 /* timeouts[0] is unused, init it so ->timeouts[0] contains
717 * 'new' timeout, like udp or icmp.
719 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
722 const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = {
723 .l4proto = IPPROTO_SCTP,
724 #ifdef CONFIG_NF_CONNTRACK_PROCFS
725 .print_conntrack = sctp_print_conntrack,
727 .can_early_drop = sctp_can_early_drop,
728 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
729 .nlattr_size = SCTP_NLATTR_SIZE,
730 .to_nlattr = sctp_to_nlattr,
731 .from_nlattr = nlattr_to_sctp,
732 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
733 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
734 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
735 .nla_policy = nf_ct_port_nla_policy,
737 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
739 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
740 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
741 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
742 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
743 .nla_policy = sctp_timeout_nla_policy,
745 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */