1 /* (C) 1999-2001 Paul `Rusty' Russell
2 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
3 * (C) 2006-2012 Patrick McHardy <kaber@trash.net>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
10 #include <linux/types.h>
11 #include <linux/timer.h>
12 #include <linux/module.h>
13 #include <linux/udp.h>
14 #include <linux/seq_file.h>
15 #include <linux/skbuff.h>
16 #include <linux/ipv6.h>
17 #include <net/ip6_checksum.h>
18 #include <net/checksum.h>
20 #include <linux/netfilter.h>
21 #include <linux/netfilter_ipv4.h>
22 #include <linux/netfilter_ipv6.h>
23 #include <net/netfilter/nf_conntrack_l4proto.h>
24 #include <net/netfilter/nf_conntrack_ecache.h>
25 #include <net/netfilter/nf_conntrack_timeout.h>
26 #include <net/netfilter/nf_log.h>
27 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
28 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
30 static const unsigned int udp_timeouts[UDP_CT_MAX] = {
31 [UDP_CT_UNREPLIED] = 30*HZ,
32 [UDP_CT_REPLIED] = 180*HZ,
35 static inline struct nf_udp_net *udp_pernet(struct net *net)
37 return &net->ct.nf_ct_proto.udp;
40 static unsigned int *udp_get_timeouts(struct net *net)
42 return udp_pernet(net)->timeouts;
45 static void udp_error_log(const struct sk_buff *skb,
46 const struct nf_hook_state *state,
49 nf_l4proto_log_invalid(skb, state->net, state->pf,
50 IPPROTO_UDP, "%s", msg);
53 static bool udp_error(struct sk_buff *skb,
55 const struct nf_hook_state *state)
57 unsigned int udplen = skb->len - dataoff;
58 const struct udphdr *hdr;
61 /* Header is too small? */
62 hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
64 udp_error_log(skb, state, "short packet");
68 /* Truncated/malformed packets */
69 if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) {
70 udp_error_log(skb, state, "truncated/malformed packet");
74 /* Packet with no checksum */
78 /* Checksum invalid? Ignore.
79 * We skip checking packets on the outgoing path
80 * because the checksum is assumed to be correct.
81 * FIXME: Source route IP option packets --RR */
82 if (state->hook == NF_INET_PRE_ROUTING &&
83 state->net->ct.sysctl_checksum &&
84 nf_checksum(skb, state->hook, dataoff, IPPROTO_UDP, state->pf)) {
85 udp_error_log(skb, state, "bad checksum");
92 /* Returns verdict for packet, and may modify conntracktype */
93 static int udp_packet(struct nf_conn *ct,
96 enum ip_conntrack_info ctinfo,
97 const struct nf_hook_state *state)
99 unsigned int *timeouts;
101 if (udp_error(skb, dataoff, state))
104 timeouts = nf_ct_timeout_lookup(ct);
106 timeouts = udp_get_timeouts(nf_ct_net(ct));
108 /* If we've seen traffic both ways, this is some kind of UDP
109 stream. Extend timeout. */
110 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
111 nf_ct_refresh_acct(ct, ctinfo, skb,
112 timeouts[UDP_CT_REPLIED]);
113 /* Also, more likely to be important, and not a probe */
114 if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
115 nf_conntrack_event_cache(IPCT_ASSURED, ct);
117 nf_ct_refresh_acct(ct, ctinfo, skb,
118 timeouts[UDP_CT_UNREPLIED]);
123 #ifdef CONFIG_NF_CT_PROTO_UDPLITE
124 static void udplite_error_log(const struct sk_buff *skb,
125 const struct nf_hook_state *state,
128 nf_l4proto_log_invalid(skb, state->net, state->pf,
129 IPPROTO_UDPLITE, "%s", msg);
132 static bool udplite_error(struct sk_buff *skb,
133 unsigned int dataoff,
134 const struct nf_hook_state *state)
136 unsigned int udplen = skb->len - dataoff;
137 const struct udphdr *hdr;
141 /* Header is too small? */
142 hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
144 udplite_error_log(skb, state, "short packet");
148 cscov = ntohs(hdr->len);
151 } else if (cscov < sizeof(*hdr) || cscov > udplen) {
152 udplite_error_log(skb, state, "invalid checksum coverage");
156 /* UDPLITE mandates checksums */
158 udplite_error_log(skb, state, "checksum missing");
162 /* Checksum invalid? Ignore. */
163 if (state->hook == NF_INET_PRE_ROUTING &&
164 state->net->ct.sysctl_checksum &&
165 nf_checksum_partial(skb, state->hook, dataoff, cscov, IPPROTO_UDP,
167 udplite_error_log(skb, state, "bad checksum");
174 /* Returns verdict for packet, and may modify conntracktype */
175 static int udplite_packet(struct nf_conn *ct,
177 unsigned int dataoff,
178 enum ip_conntrack_info ctinfo,
179 const struct nf_hook_state *state)
181 unsigned int *timeouts;
183 if (udplite_error(skb, dataoff, state))
186 timeouts = nf_ct_timeout_lookup(ct);
188 timeouts = udp_get_timeouts(nf_ct_net(ct));
190 /* If we've seen traffic both ways, this is some kind of UDP
191 stream. Extend timeout. */
192 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
193 nf_ct_refresh_acct(ct, ctinfo, skb,
194 timeouts[UDP_CT_REPLIED]);
195 /* Also, more likely to be important, and not a probe */
196 if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
197 nf_conntrack_event_cache(IPCT_ASSURED, ct);
199 nf_ct_refresh_acct(ct, ctinfo, skb,
200 timeouts[UDP_CT_UNREPLIED]);
206 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
208 #include <linux/netfilter/nfnetlink.h>
209 #include <linux/netfilter/nfnetlink_cttimeout.h>
211 static int udp_timeout_nlattr_to_obj(struct nlattr *tb[],
212 struct net *net, void *data)
214 unsigned int *timeouts = data;
215 struct nf_udp_net *un = udp_pernet(net);
218 timeouts = un->timeouts;
220 /* set default timeouts for UDP. */
221 timeouts[UDP_CT_UNREPLIED] = un->timeouts[UDP_CT_UNREPLIED];
222 timeouts[UDP_CT_REPLIED] = un->timeouts[UDP_CT_REPLIED];
224 if (tb[CTA_TIMEOUT_UDP_UNREPLIED]) {
225 timeouts[UDP_CT_UNREPLIED] =
226 ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_UNREPLIED])) * HZ;
228 if (tb[CTA_TIMEOUT_UDP_REPLIED]) {
229 timeouts[UDP_CT_REPLIED] =
230 ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_REPLIED])) * HZ;
236 udp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
238 const unsigned int *timeouts = data;
240 if (nla_put_be32(skb, CTA_TIMEOUT_UDP_UNREPLIED,
241 htonl(timeouts[UDP_CT_UNREPLIED] / HZ)) ||
242 nla_put_be32(skb, CTA_TIMEOUT_UDP_REPLIED,
243 htonl(timeouts[UDP_CT_REPLIED] / HZ)))
244 goto nla_put_failure;
251 static const struct nla_policy
252 udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = {
253 [CTA_TIMEOUT_UDP_UNREPLIED] = { .type = NLA_U32 },
254 [CTA_TIMEOUT_UDP_REPLIED] = { .type = NLA_U32 },
256 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
259 static struct ctl_table udp_sysctl_table[] = {
261 .procname = "nf_conntrack_udp_timeout",
262 .maxlen = sizeof(unsigned int),
264 .proc_handler = proc_dointvec_jiffies,
267 .procname = "nf_conntrack_udp_timeout_stream",
268 .maxlen = sizeof(unsigned int),
270 .proc_handler = proc_dointvec_jiffies,
274 #endif /* CONFIG_SYSCTL */
276 static int udp_kmemdup_sysctl_table(struct nf_proto_net *pn,
277 struct nf_udp_net *un)
282 pn->ctl_table = kmemdup(udp_sysctl_table,
283 sizeof(udp_sysctl_table),
287 pn->ctl_table[0].data = &un->timeouts[UDP_CT_UNREPLIED];
288 pn->ctl_table[1].data = &un->timeouts[UDP_CT_REPLIED];
293 static int udp_init_net(struct net *net)
295 struct nf_udp_net *un = udp_pernet(net);
296 struct nf_proto_net *pn = &un->pn;
301 for (i = 0; i < UDP_CT_MAX; i++)
302 un->timeouts[i] = udp_timeouts[i];
305 return udp_kmemdup_sysctl_table(pn, un);
308 static struct nf_proto_net *udp_get_net_proto(struct net *net)
310 return &net->ct.nf_ct_proto.udp.pn;
313 const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp =
315 .l4proto = IPPROTO_UDP,
317 .packet = udp_packet,
318 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
319 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
320 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
321 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
322 .nla_policy = nf_ct_port_nla_policy,
324 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
326 .nlattr_to_obj = udp_timeout_nlattr_to_obj,
327 .obj_to_nlattr = udp_timeout_obj_to_nlattr,
328 .nlattr_max = CTA_TIMEOUT_UDP_MAX,
329 .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
330 .nla_policy = udp_timeout_nla_policy,
332 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
333 .init_net = udp_init_net,
334 .get_net_proto = udp_get_net_proto,
337 #ifdef CONFIG_NF_CT_PROTO_UDPLITE
338 const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite =
340 .l4proto = IPPROTO_UDPLITE,
342 .packet = udplite_packet,
343 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
344 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
345 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
346 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
347 .nla_policy = nf_ct_port_nla_policy,
349 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
351 .nlattr_to_obj = udp_timeout_nlattr_to_obj,
352 .obj_to_nlattr = udp_timeout_obj_to_nlattr,
353 .nlattr_max = CTA_TIMEOUT_UDP_MAX,
354 .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
355 .nla_policy = udp_timeout_nla_policy,
357 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
358 .init_net = udp_init_net,
359 .get_net_proto = udp_get_net_proto,