net/netfilter/nf_conntrack_proto_udp.c

   1 /* (C) 1999-2001 Paul `Rusty' Russell
   2  * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
   3  * (C) 2006-2012 Patrick McHardy <kaber@trash.net>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  */
   9
  10 #include <linux/types.h>
  11 #include <linux/timer.h>
  12 #include <linux/module.h>
  13 #include <linux/udp.h>
  14 #include <linux/seq_file.h>
  15 #include <linux/skbuff.h>
  16 #include <linux/ipv6.h>
  17 #include <net/ip6_checksum.h>
  18 #include <net/checksum.h>
  19
  20 #include <linux/netfilter.h>
  21 #include <linux/netfilter_ipv4.h>
  22 #include <linux/netfilter_ipv6.h>
  23 #include <net/netfilter/nf_conntrack_l4proto.h>
  24 #include <net/netfilter/nf_conntrack_ecache.h>
  25 #include <net/netfilter/nf_conntrack_timeout.h>
  26 #include <net/netfilter/nf_log.h>
  27 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
  28 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
  29
  30 static const unsigned int udp_timeouts[UDP_CT_MAX] = {
  31         [UDP_CT_UNREPLIED]      = 30*HZ,
  32         [UDP_CT_REPLIED]        = 180*HZ,
  33 };
  34
  35 static inline struct nf_udp_net *udp_pernet(struct net *net)
  36 {
  37         return &net->ct.nf_ct_proto.udp;
  38 }
  39
  40 static unsigned int *udp_get_timeouts(struct net *net)
  41 {
  42         return udp_pernet(net)->timeouts;
  43 }
  44
  45 static void udp_error_log(const struct sk_buff *skb,
  46                           const struct nf_hook_state *state,
  47                           const char *msg)
  48 {
  49         nf_l4proto_log_invalid(skb, state->net, state->pf,
  50                                IPPROTO_UDP, "%s", msg);
  51 }
  52
  53 static bool udp_error(struct sk_buff *skb,
  54                       unsigned int dataoff,
  55                       const struct nf_hook_state *state)
  56 {
  57         unsigned int udplen = skb->len - dataoff;
  58         const struct udphdr *hdr;
  59         struct udphdr _hdr;
  60
  61         /* Header is too small? */
  62         hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
  63         if (!hdr) {
  64                 udp_error_log(skb, state, "short packet");
  65                 return true;
  66         }
  67
  68         /* Truncated/malformed packets */
  69         if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) {
  70                 udp_error_log(skb, state, "truncated/malformed packet");
  71                 return true;
  72         }
  73
  74         /* Packet with no checksum */
  75         if (!hdr->check)
  76                 return false;
  77
  78         /* Checksum invalid? Ignore.
  79          * We skip checking packets on the outgoing path
  80          * because the checksum is assumed to be correct.
  81          * FIXME: Source route IP option packets --RR */
  82         if (state->hook == NF_INET_PRE_ROUTING &&
  83             state->net->ct.sysctl_checksum &&
  84             nf_checksum(skb, state->hook, dataoff, IPPROTO_UDP, state->pf)) {
  85                 udp_error_log(skb, state, "bad checksum");
  86                 return true;
  87         }
  88
  89         return false;
  90 }
  91
  92 /* Returns verdict for packet, and may modify conntracktype */
  93 static int udp_packet(struct nf_conn *ct,
  94                       struct sk_buff *skb,
  95                       unsigned int dataoff,
  96                       enum ip_conntrack_info ctinfo,
  97                       const struct nf_hook_state *state)
  98 {
  99         unsigned int *timeouts;
 100
 101         if (udp_error(skb, dataoff, state))
 102                 return -NF_ACCEPT;
 103
 104         timeouts = nf_ct_timeout_lookup(ct);
 105         if (!timeouts)
 106                 timeouts = udp_get_timeouts(nf_ct_net(ct));
 107
 108         /* If we've seen traffic both ways, this is some kind of UDP
 109            stream.  Extend timeout. */
 110         if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
 111                 nf_ct_refresh_acct(ct, ctinfo, skb,
 112                                    timeouts[UDP_CT_REPLIED]);
 113                 /* Also, more likely to be important, and not a probe */
 114                 if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
 115                         nf_conntrack_event_cache(IPCT_ASSURED, ct);
 116         } else {
 117                 nf_ct_refresh_acct(ct, ctinfo, skb,
 118                                    timeouts[UDP_CT_UNREPLIED]);
 119         }
 120         return NF_ACCEPT;
 121 }
 122
 123 #ifdef CONFIG_NF_CT_PROTO_UDPLITE
 124 static void udplite_error_log(const struct sk_buff *skb,
 125                               const struct nf_hook_state *state,
 126                               const char *msg)
 127 {
 128         nf_l4proto_log_invalid(skb, state->net, state->pf,
 129                                IPPROTO_UDPLITE, "%s", msg);
 130 }
 131
 132 static bool udplite_error(struct sk_buff *skb,
 133                           unsigned int dataoff,
 134                           const struct nf_hook_state *state)
 135 {
 136         unsigned int udplen = skb->len - dataoff;
 137         const struct udphdr *hdr;
 138         struct udphdr _hdr;
 139         unsigned int cscov;
 140
 141         /* Header is too small? */
 142         hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
 143         if (!hdr) {
 144                 udplite_error_log(skb, state, "short packet");
 145                 return true;
 146         }
 147
 148         cscov = ntohs(hdr->len);
 149         if (cscov == 0) {
 150                 cscov = udplen;
 151         } else if (cscov < sizeof(*hdr) || cscov > udplen) {
 152                 udplite_error_log(skb, state, "invalid checksum coverage");
 153                 return true;
 154         }
 155
 156         /* UDPLITE mandates checksums */
 157         if (!hdr->check) {
 158                 udplite_error_log(skb, state, "checksum missing");
 159                 return true;
 160         }
 161
 162         /* Checksum invalid? Ignore. */
 163         if (state->hook == NF_INET_PRE_ROUTING &&
 164             state->net->ct.sysctl_checksum &&
 165             nf_checksum_partial(skb, state->hook, dataoff, cscov, IPPROTO_UDP,
 166                                 state->pf)) {
 167                 udplite_error_log(skb, state, "bad checksum");
 168                 return true;
 169         }
 170
 171         return false;
 172 }
 173
 174 /* Returns verdict for packet, and may modify conntracktype */
 175 static int udplite_packet(struct nf_conn *ct,
 176                           struct sk_buff *skb,
 177                           unsigned int dataoff,
 178                           enum ip_conntrack_info ctinfo,
 179                           const struct nf_hook_state *state)
 180 {
 181         unsigned int *timeouts;
 182
 183         if (udplite_error(skb, dataoff, state))
 184                 return -NF_ACCEPT;
 185
 186         timeouts = nf_ct_timeout_lookup(ct);
 187         if (!timeouts)
 188                 timeouts = udp_get_timeouts(nf_ct_net(ct));
 189
 190         /* If we've seen traffic both ways, this is some kind of UDP
 191            stream.  Extend timeout. */
 192         if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
 193                 nf_ct_refresh_acct(ct, ctinfo, skb,
 194                                    timeouts[UDP_CT_REPLIED]);
 195                 /* Also, more likely to be important, and not a probe */
 196                 if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
 197                         nf_conntrack_event_cache(IPCT_ASSURED, ct);
 198         } else {
 199                 nf_ct_refresh_acct(ct, ctinfo, skb,
 200                                    timeouts[UDP_CT_UNREPLIED]);
 201         }
 202         return NF_ACCEPT;
 203 }
 204 #endif
 205
 206 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 207
 208 #include <linux/netfilter/nfnetlink.h>
 209 #include <linux/netfilter/nfnetlink_cttimeout.h>
 210
 211 static int udp_timeout_nlattr_to_obj(struct nlattr *tb[],
 212                                      struct net *net, void *data)
 213 {
 214         unsigned int *timeouts = data;
 215         struct nf_udp_net *un = udp_pernet(net);
 216
 217         if (!timeouts)
 218                 timeouts = un->timeouts;
 219
 220         /* set default timeouts for UDP. */
 221         timeouts[UDP_CT_UNREPLIED] = un->timeouts[UDP_CT_UNREPLIED];
 222         timeouts[UDP_CT_REPLIED] = un->timeouts[UDP_CT_REPLIED];
 223
 224         if (tb[CTA_TIMEOUT_UDP_UNREPLIED]) {
 225                 timeouts[UDP_CT_UNREPLIED] =
 226                         ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_UNREPLIED])) * HZ;
 227         }
 228         if (tb[CTA_TIMEOUT_UDP_REPLIED]) {
 229                 timeouts[UDP_CT_REPLIED] =
 230                         ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_REPLIED])) * HZ;
 231         }
 232         return 0;
 233 }
 234
 235 static int
 236 udp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
 237 {
 238         const unsigned int *timeouts = data;
 239
 240         if (nla_put_be32(skb, CTA_TIMEOUT_UDP_UNREPLIED,
 241                          htonl(timeouts[UDP_CT_UNREPLIED] / HZ)) ||
 242             nla_put_be32(skb, CTA_TIMEOUT_UDP_REPLIED,
 243                          htonl(timeouts[UDP_CT_REPLIED] / HZ)))
 244                 goto nla_put_failure;
 245         return 0;
 246
 247 nla_put_failure:
 248         return -ENOSPC;
 249 }
 250
 251 static const struct nla_policy
 252 udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = {
 253        [CTA_TIMEOUT_UDP_UNREPLIED]      = { .type = NLA_U32 },
 254        [CTA_TIMEOUT_UDP_REPLIED]        = { .type = NLA_U32 },
 255 };
 256 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 257
 258 #ifdef CONFIG_SYSCTL
 259 static struct ctl_table udp_sysctl_table[] = {
 260         {
 261                 .procname       = "nf_conntrack_udp_timeout",
 262                 .maxlen         = sizeof(unsigned int),
 263                 .mode           = 0644,
 264                 .proc_handler   = proc_dointvec_jiffies,
 265         },
 266         {
 267                 .procname       = "nf_conntrack_udp_timeout_stream",
 268                 .maxlen         = sizeof(unsigned int),
 269                 .mode           = 0644,
 270                 .proc_handler   = proc_dointvec_jiffies,
 271         },
 272         { }
 273 };
 274 #endif /* CONFIG_SYSCTL */
 275
 276 static int udp_kmemdup_sysctl_table(struct nf_proto_net *pn,
 277                                     struct nf_udp_net *un)
 278 {
 279 #ifdef CONFIG_SYSCTL
 280         if (pn->ctl_table)
 281                 return 0;
 282         pn->ctl_table = kmemdup(udp_sysctl_table,
 283                                 sizeof(udp_sysctl_table),
 284                                 GFP_KERNEL);
 285         if (!pn->ctl_table)
 286                 return -ENOMEM;
 287         pn->ctl_table[0].data = &un->timeouts[UDP_CT_UNREPLIED];
 288         pn->ctl_table[1].data = &un->timeouts[UDP_CT_REPLIED];
 289 #endif
 290         return 0;
 291 }
 292
 293 static int udp_init_net(struct net *net)
 294 {
 295         struct nf_udp_net *un = udp_pernet(net);
 296         struct nf_proto_net *pn = &un->pn;
 297
 298         if (!pn->users) {
 299                 int i;
 300
 301                 for (i = 0; i < UDP_CT_MAX; i++)
 302                         un->timeouts[i] = udp_timeouts[i];
 303         }
 304
 305         return udp_kmemdup_sysctl_table(pn, un);
 306 }
 307
 308 static struct nf_proto_net *udp_get_net_proto(struct net *net)
 309 {
 310         return &net->ct.nf_ct_proto.udp.pn;
 311 }
 312
 313 const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp =
 314 {
 315         .l4proto                = IPPROTO_UDP,
 316         .allow_clash            = true,
 317         .packet                 = udp_packet,
 318 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 319         .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 320         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 321         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 322         .nla_policy             = nf_ct_port_nla_policy,
 323 #endif
 324 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 325         .ctnl_timeout           = {
 326                 .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
 327                 .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
 328                 .nlattr_max     = CTA_TIMEOUT_UDP_MAX,
 329                 .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
 330                 .nla_policy     = udp_timeout_nla_policy,
 331         },
 332 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 333         .init_net               = udp_init_net,
 334         .get_net_proto          = udp_get_net_proto,
 335 };
 336
 337 #ifdef CONFIG_NF_CT_PROTO_UDPLITE
 338 const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite =
 339 {
 340         .l4proto                = IPPROTO_UDPLITE,
 341         .allow_clash            = true,
 342         .packet                 = udplite_packet,
 343 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 344         .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 345         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 346         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 347         .nla_policy             = nf_ct_port_nla_policy,
 348 #endif
 349 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 350         .ctnl_timeout           = {
 351                 .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
 352                 .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
 353                 .nlattr_max     = CTA_TIMEOUT_UDP_MAX,
 354                 .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
 355                 .nla_policy     = udp_timeout_nla_policy,
 356         },
 357 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 358         .init_net               = udp_init_net,
 359         .get_net_proto          = udp_get_net_proto,
 360 };
 361 #endif