1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * DCCP connection tracking protocol helper
4  *
5  * Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net>
6  */
7 #include <linux/kernel.h>
8 #include <linux/init.h>
9 #include <linux/sysctl.h>
10 #include <linux/spinlock.h>
11 #include <linux/skbuff.h>
12 #include <linux/dccp.h>
13 #include <linux/slab.h>
14 
15 #include <net/net_namespace.h>
16 #include <net/netns/generic.h>
17 
18 #include <linux/netfilter/nfnetlink_conntrack.h>
19 #include <net/netfilter/nf_conntrack.h>
20 #include <net/netfilter/nf_conntrack_l4proto.h>
21 #include <net/netfilter/nf_conntrack_ecache.h>
22 #include <net/netfilter/nf_conntrack_timeout.h>
23 #include <net/netfilter/nf_log.h>
24 
25 /* Timeouts are based on values from RFC4340:
26  *
27  * - REQUEST:
28  *
29  *   8.1.2. Client Request
30  *
31  *   A client MAY give up on its DCCP-Requests after some time
32  *   (3 minutes, for example).
33  *
34  * - RESPOND:
35  *
36  *   8.1.3. Server Response
37  *
38  *   It MAY also leave the RESPOND state for CLOSED after a timeout of
39  *   not less than 4MSL (8 minutes);
40  *
41  * - PARTOPEN:
42  *
43  *   8.1.5. Handshake Completion
44  *
45  *   If the client remains in PARTOPEN for more than 4MSL (8 minutes),
46  *   it SHOULD reset the connection with Reset Code 2, "Aborted".
47  *
48  * - OPEN:
49  *
50  *   The DCCP timestamp overflows after 11.9 hours. If the connection
51  *   stays idle this long the sequence number won't be recognized
52  *   as valid anymore.
53  *
54  * - CLOSEREQ/CLOSING:
55  *
56  *   8.3. Termination
57  *
58  *   The retransmission timer should initially be set to go off in two
59  *   round-trip times and should back off to not less than once every
60  *   64 seconds ...
61  *
62  * - TIMEWAIT:
63  *
64  *   4.3. States
65  *
66  *   A server or client socket remains in this state for 2MSL (4 minutes)
67  *   after the connection has been town down, ...
68  */
69 
70 #define DCCP_MSL (2 * 60 * HZ)
71 
72 #ifdef CONFIG_NF_CONNTRACK_PROCFS
73 static const char * const dccp_state_names[] = {
74 	[CT_DCCP_NONE]		= "NONE",
75 	[CT_DCCP_REQUEST]	= "REQUEST",
76 	[CT_DCCP_RESPOND]	= "RESPOND",
77 	[CT_DCCP_PARTOPEN]	= "PARTOPEN",
78 	[CT_DCCP_OPEN]		= "OPEN",
79 	[CT_DCCP_CLOSEREQ]	= "CLOSEREQ",
80 	[CT_DCCP_CLOSING]	= "CLOSING",
81 	[CT_DCCP_TIMEWAIT]	= "TIMEWAIT",
82 	[CT_DCCP_IGNORE]	= "IGNORE",
83 	[CT_DCCP_INVALID]	= "INVALID",
84 };
85 #endif
86 
87 #define sNO	CT_DCCP_NONE
88 #define sRQ	CT_DCCP_REQUEST
89 #define sRS	CT_DCCP_RESPOND
90 #define sPO	CT_DCCP_PARTOPEN
91 #define sOP	CT_DCCP_OPEN
92 #define sCR	CT_DCCP_CLOSEREQ
93 #define sCG	CT_DCCP_CLOSING
94 #define sTW	CT_DCCP_TIMEWAIT
95 #define sIG	CT_DCCP_IGNORE
96 #define sIV	CT_DCCP_INVALID
97 
98 /*
99  * DCCP state transition table
100  *
101  * The assumption is the same as for TCP tracking:
102  *
103  * We are the man in the middle. All the packets go through us but might
104  * get lost in transit to the destination. It is assumed that the destination
105  * can't receive segments we haven't seen.
106  *
107  * The following states exist:
108  *
109  * NONE:	Initial state, expecting Request
110  * REQUEST:	Request seen, waiting for Response from server
111  * RESPOND:	Response from server seen, waiting for Ack from client
112  * PARTOPEN:	Ack after Response seen, waiting for packet other than Response,
113  * 		Reset or Sync from server
114  * OPEN:	Packet other than Response, Reset or Sync seen
115  * CLOSEREQ:	CloseReq from server seen, expecting Close from client
116  * CLOSING:	Close seen, expecting Reset
117  * TIMEWAIT:	Reset seen
118  * IGNORE:	Not determinable whether packet is valid
119  *
120  * Some states exist only on one side of the connection: REQUEST, RESPOND,
121  * PARTOPEN, CLOSEREQ. For the other side these states are equivalent to
122  * the one it was in before.
123  *
124  * Packets are marked as ignored (sIG) if we don't know if they're valid
125  * (for example a reincarnation of a connection we didn't notice is dead
126  * already) and the server may send back a connection closing Reset or a
127  * Response. They're also used for Sync/SyncAck packets, which we don't
128  * care about.
129  */
130 static const u_int8_t
131 dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = {
132 	[CT_DCCP_ROLE_CLIENT] = {
133 		[DCCP_PKT_REQUEST] = {
134 		/*
135 		 * sNO -> sRQ		Regular Request
136 		 * sRQ -> sRQ		Retransmitted Request or reincarnation
137 		 * sRS -> sRS		Retransmitted Request (apparently Response
138 		 * 			got lost after we saw it) or reincarnation
139 		 * sPO -> sIG		Ignore, conntrack might be out of sync
140 		 * sOP -> sIG		Ignore, conntrack might be out of sync
141 		 * sCR -> sIG		Ignore, conntrack might be out of sync
142 		 * sCG -> sIG		Ignore, conntrack might be out of sync
143 		 * sTW -> sRQ		Reincarnation
144 		 *
145 		 *	sNO, sRQ, sRS, sPO. sOP, sCR, sCG, sTW, */
146 			sRQ, sRQ, sRS, sIG, sIG, sIG, sIG, sRQ,
147 		},
148 		[DCCP_PKT_RESPONSE] = {
149 		/*
150 		 * sNO -> sIV		Invalid
151 		 * sRQ -> sIG		Ignore, might be response to ignored Request
152 		 * sRS -> sIG		Ignore, might be response to ignored Request
153 		 * sPO -> sIG		Ignore, might be response to ignored Request
154 		 * sOP -> sIG		Ignore, might be response to ignored Request
155 		 * sCR -> sIG		Ignore, might be response to ignored Request
156 		 * sCG -> sIG		Ignore, might be response to ignored Request
157 		 * sTW -> sIV		Invalid, reincarnation in reverse direction
158 		 *			goes through sRQ
159 		 *
160 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
161 			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIV,
162 		},
163 		[DCCP_PKT_ACK] = {
164 		/*
165 		 * sNO -> sIV		No connection
166 		 * sRQ -> sIV		No connection
167 		 * sRS -> sPO		Ack for Response, move to PARTOPEN (8.1.5.)
168 		 * sPO -> sPO		Retransmitted Ack for Response, remain in PARTOPEN
169 		 * sOP -> sOP		Regular ACK, remain in OPEN
170 		 * sCR -> sCR		Ack in CLOSEREQ MAY be processed (8.3.)
171 		 * sCG -> sCG		Ack in CLOSING MAY be processed (8.3.)
172 		 * sTW -> sIV
173 		 *
174 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
175 			sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
176 		},
177 		[DCCP_PKT_DATA] = {
178 		/*
179 		 * sNO -> sIV		No connection
180 		 * sRQ -> sIV		No connection
181 		 * sRS -> sIV		No connection
182 		 * sPO -> sIV		MUST use DataAck in PARTOPEN state (8.1.5.)
183 		 * sOP -> sOP		Regular Data packet
184 		 * sCR -> sCR		Data in CLOSEREQ MAY be processed (8.3.)
185 		 * sCG -> sCG		Data in CLOSING MAY be processed (8.3.)
186 		 * sTW -> sIV
187 		 *
188 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
189 			sIV, sIV, sIV, sIV, sOP, sCR, sCG, sIV,
190 		},
191 		[DCCP_PKT_DATAACK] = {
192 		/*
193 		 * sNO -> sIV		No connection
194 		 * sRQ -> sIV		No connection
195 		 * sRS -> sPO		Ack for Response, move to PARTOPEN (8.1.5.)
196 		 * sPO -> sPO		Remain in PARTOPEN state
197 		 * sOP -> sOP		Regular DataAck packet in OPEN state
198 		 * sCR -> sCR		DataAck in CLOSEREQ MAY be processed (8.3.)
199 		 * sCG -> sCG		DataAck in CLOSING MAY be processed (8.3.)
200 		 * sTW -> sIV
201 		 *
202 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
203 			sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
204 		},
205 		[DCCP_PKT_CLOSEREQ] = {
206 		/*
207 		 * CLOSEREQ may only be sent by the server.
208 		 *
209 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
210 			sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV
211 		},
212 		[DCCP_PKT_CLOSE] = {
213 		/*
214 		 * sNO -> sIV		No connection
215 		 * sRQ -> sIV		No connection
216 		 * sRS -> sIV		No connection
217 		 * sPO -> sCG		Client-initiated close
218 		 * sOP -> sCG		Client-initiated close
219 		 * sCR -> sCG		Close in response to CloseReq (8.3.)
220 		 * sCG -> sCG		Retransmit
221 		 * sTW -> sIV		Late retransmit, already in TIME_WAIT
222 		 *
223 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
224 			sIV, sIV, sIV, sCG, sCG, sCG, sIV, sIV
225 		},
226 		[DCCP_PKT_RESET] = {
227 		/*
228 		 * sNO -> sIV		No connection
229 		 * sRQ -> sTW		Sync received or timeout, SHOULD send Reset (8.1.1.)
230 		 * sRS -> sTW		Response received without Request
231 		 * sPO -> sTW		Timeout, SHOULD send Reset (8.1.5.)
232 		 * sOP -> sTW		Connection reset
233 		 * sCR -> sTW		Connection reset
234 		 * sCG -> sTW		Connection reset
235 		 * sTW -> sIG		Ignore (don't refresh timer)
236 		 *
237 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
238 			sIV, sTW, sTW, sTW, sTW, sTW, sTW, sIG
239 		},
240 		[DCCP_PKT_SYNC] = {
241 		/*
242 		 * We currently ignore Sync packets
243 		 *
244 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
245 			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
246 		},
247 		[DCCP_PKT_SYNCACK] = {
248 		/*
249 		 * We currently ignore SyncAck packets
250 		 *
251 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
252 			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
253 		},
254 	},
255 	[CT_DCCP_ROLE_SERVER] = {
256 		[DCCP_PKT_REQUEST] = {
257 		/*
258 		 * sNO -> sIV		Invalid
259 		 * sRQ -> sIG		Ignore, conntrack might be out of sync
260 		 * sRS -> sIG		Ignore, conntrack might be out of sync
261 		 * sPO -> sIG		Ignore, conntrack might be out of sync
262 		 * sOP -> sIG		Ignore, conntrack might be out of sync
263 		 * sCR -> sIG		Ignore, conntrack might be out of sync
264 		 * sCG -> sIG		Ignore, conntrack might be out of sync
265 		 * sTW -> sRQ		Reincarnation, must reverse roles
266 		 *
267 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
268 			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sRQ
269 		},
270 		[DCCP_PKT_RESPONSE] = {
271 		/*
272 		 * sNO -> sIV		Response without Request
273 		 * sRQ -> sRS		Response to clients Request
274 		 * sRS -> sRS		Retransmitted Response (8.1.3. SHOULD NOT)
275 		 * sPO -> sIG		Response to an ignored Request or late retransmit
276 		 * sOP -> sIG		Ignore, might be response to ignored Request
277 		 * sCR -> sIG		Ignore, might be response to ignored Request
278 		 * sCG -> sIG		Ignore, might be response to ignored Request
279 		 * sTW -> sIV		Invalid, Request from client in sTW moves to sRQ
280 		 *
281 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
282 			sIV, sRS, sRS, sIG, sIG, sIG, sIG, sIV
283 		},
284 		[DCCP_PKT_ACK] = {
285 		/*
286 		 * sNO -> sIV		No connection
287 		 * sRQ -> sIV		No connection
288 		 * sRS -> sIV		No connection
289 		 * sPO -> sOP		Enter OPEN state (8.1.5.)
290 		 * sOP -> sOP		Regular Ack in OPEN state
291 		 * sCR -> sIV		Waiting for Close from client
292 		 * sCG -> sCG		Ack in CLOSING MAY be processed (8.3.)
293 		 * sTW -> sIV
294 		 *
295 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
296 			sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
297 		},
298 		[DCCP_PKT_DATA] = {
299 		/*
300 		 * sNO -> sIV		No connection
301 		 * sRQ -> sIV		No connection
302 		 * sRS -> sIV		No connection
303 		 * sPO -> sOP		Enter OPEN state (8.1.5.)
304 		 * sOP -> sOP		Regular Data packet in OPEN state
305 		 * sCR -> sIV		Waiting for Close from client
306 		 * sCG -> sCG		Data in CLOSING MAY be processed (8.3.)
307 		 * sTW -> sIV
308 		 *
309 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
310 			sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
311 		},
312 		[DCCP_PKT_DATAACK] = {
313 		/*
314 		 * sNO -> sIV		No connection
315 		 * sRQ -> sIV		No connection
316 		 * sRS -> sIV		No connection
317 		 * sPO -> sOP		Enter OPEN state (8.1.5.)
318 		 * sOP -> sOP		Regular DataAck in OPEN state
319 		 * sCR -> sIV		Waiting for Close from client
320 		 * sCG -> sCG		Data in CLOSING MAY be processed (8.3.)
321 		 * sTW -> sIV
322 		 *
323 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
324 			sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
325 		},
326 		[DCCP_PKT_CLOSEREQ] = {
327 		/*
328 		 * sNO -> sIV		No connection
329 		 * sRQ -> sIV		No connection
330 		 * sRS -> sIV		No connection
331 		 * sPO -> sOP -> sCR	Move directly to CLOSEREQ (8.1.5.)
332 		 * sOP -> sCR		CloseReq in OPEN state
333 		 * sCR -> sCR		Retransmit
334 		 * sCG -> sCR		Simultaneous close, client sends another Close
335 		 * sTW -> sIV		Already closed
336 		 *
337 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
338 			sIV, sIV, sIV, sCR, sCR, sCR, sCR, sIV
339 		},
340 		[DCCP_PKT_CLOSE] = {
341 		/*
342 		 * sNO -> sIV		No connection
343 		 * sRQ -> sIV		No connection
344 		 * sRS -> sIV		No connection
345 		 * sPO -> sOP -> sCG	Move direcly to CLOSING
346 		 * sOP -> sCG		Move to CLOSING
347 		 * sCR -> sIV		Close after CloseReq is invalid
348 		 * sCG -> sCG		Retransmit
349 		 * sTW -> sIV		Already closed
350 		 *
351 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
352 			sIV, sIV, sIV, sCG, sCG, sIV, sCG, sIV
353 		},
354 		[DCCP_PKT_RESET] = {
355 		/*
356 		 * sNO -> sIV		No connection
357 		 * sRQ -> sTW		Reset in response to Request
358 		 * sRS -> sTW		Timeout, SHOULD send Reset (8.1.3.)
359 		 * sPO -> sTW		Timeout, SHOULD send Reset (8.1.3.)
360 		 * sOP -> sTW
361 		 * sCR -> sTW
362 		 * sCG -> sTW
363 		 * sTW -> sIG		Ignore (don't refresh timer)
364 		 *
365 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW, sTW */
366 			sIV, sTW, sTW, sTW, sTW, sTW, sTW, sTW, sIG
367 		},
368 		[DCCP_PKT_SYNC] = {
369 		/*
370 		 * We currently ignore Sync packets
371 		 *
372 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
373 			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
374 		},
375 		[DCCP_PKT_SYNCACK] = {
376 		/*
377 		 * We currently ignore SyncAck packets
378 		 *
379 		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
380 			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
381 		},
382 	},
383 };
384 
385 static noinline bool
dccp_new(struct nf_conn * ct,const struct sk_buff * skb,const struct dccp_hdr * dh,const struct nf_hook_state * hook_state)386 dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
387 	 const struct dccp_hdr *dh,
388 	 const struct nf_hook_state *hook_state)
389 {
390 	struct net *net = nf_ct_net(ct);
391 	struct nf_dccp_net *dn;
392 	const char *msg;
393 	u_int8_t state;
394 
395 	state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
396 	switch (state) {
397 	default:
398 		dn = nf_dccp_pernet(net);
399 		if (dn->dccp_loose == 0) {
400 			msg = "not picking up existing connection ";
401 			goto out_invalid;
402 		}
403 		break;
404 	case CT_DCCP_REQUEST:
405 		break;
406 	case CT_DCCP_INVALID:
407 		msg = "invalid state transition ";
408 		goto out_invalid;
409 	}
410 
411 	ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
412 	ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
413 	ct->proto.dccp.state = CT_DCCP_NONE;
414 	ct->proto.dccp.last_pkt = DCCP_PKT_REQUEST;
415 	ct->proto.dccp.last_dir = IP_CT_DIR_ORIGINAL;
416 	ct->proto.dccp.handshake_seq = 0;
417 	return true;
418 
419 out_invalid:
420 	nf_ct_l4proto_log_invalid(skb, ct, hook_state, "%s", msg);
421 	return false;
422 }
423 
dccp_ack_seq(const struct dccp_hdr * dh)424 static u64 dccp_ack_seq(const struct dccp_hdr *dh)
425 {
426 	const struct dccp_hdr_ack_bits *dhack;
427 
428 	dhack = (void *)dh + __dccp_basic_hdr_len(dh);
429 	return ((u64)ntohs(dhack->dccph_ack_nr_high) << 32) +
430 		     ntohl(dhack->dccph_ack_nr_low);
431 }
432 
dccp_error(const struct dccp_hdr * dh,struct sk_buff * skb,unsigned int dataoff,const struct nf_hook_state * state)433 static bool dccp_error(const struct dccp_hdr *dh,
434 		       struct sk_buff *skb, unsigned int dataoff,
435 		       const struct nf_hook_state *state)
436 {
437 	static const unsigned long require_seq48 = 1 << DCCP_PKT_REQUEST |
438 						   1 << DCCP_PKT_RESPONSE |
439 						   1 << DCCP_PKT_CLOSEREQ |
440 						   1 << DCCP_PKT_CLOSE |
441 						   1 << DCCP_PKT_RESET |
442 						   1 << DCCP_PKT_SYNC |
443 						   1 << DCCP_PKT_SYNCACK;
444 	unsigned int dccp_len = skb->len - dataoff;
445 	unsigned int cscov;
446 	const char *msg;
447 	u8 type;
448 
449 	BUILD_BUG_ON(DCCP_PKT_INVALID >= BITS_PER_LONG);
450 
451 	if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) ||
452 	    dh->dccph_doff * 4 > dccp_len) {
453 		msg = "nf_ct_dccp: truncated/malformed packet ";
454 		goto out_invalid;
455 	}
456 
457 	cscov = dccp_len;
458 	if (dh->dccph_cscov) {
459 		cscov = (dh->dccph_cscov - 1) * 4;
460 		if (cscov > dccp_len) {
461 			msg = "nf_ct_dccp: bad checksum coverage ";
462 			goto out_invalid;
463 		}
464 	}
465 
466 	if (state->hook == NF_INET_PRE_ROUTING &&
467 	    state->net->ct.sysctl_checksum &&
468 	    nf_checksum_partial(skb, state->hook, dataoff, cscov,
469 				IPPROTO_DCCP, state->pf)) {
470 		msg = "nf_ct_dccp: bad checksum ";
471 		goto out_invalid;
472 	}
473 
474 	type = dh->dccph_type;
475 	if (type >= DCCP_PKT_INVALID) {
476 		msg = "nf_ct_dccp: reserved packet type ";
477 		goto out_invalid;
478 	}
479 
480 	if (test_bit(type, &require_seq48) && !dh->dccph_x) {
481 		msg = "nf_ct_dccp: type lacks 48bit sequence numbers";
482 		goto out_invalid;
483 	}
484 
485 	return false;
486 out_invalid:
487 	nf_l4proto_log_invalid(skb, state, IPPROTO_DCCP, "%s", msg);
488 	return true;
489 }
490 
491 struct nf_conntrack_dccp_buf {
492 	struct dccp_hdr dh;	 /* generic header part */
493 	struct dccp_hdr_ext ext; /* optional depending dh->dccph_x */
494 	union {			 /* depends on header type */
495 		struct dccp_hdr_ack_bits ack;
496 		struct dccp_hdr_request req;
497 		struct dccp_hdr_response response;
498 		struct dccp_hdr_reset rst;
499 	} u;
500 };
501 
502 static struct dccp_hdr *
dccp_header_pointer(const struct sk_buff * skb,int offset,const struct dccp_hdr * dh,struct nf_conntrack_dccp_buf * buf)503 dccp_header_pointer(const struct sk_buff *skb, int offset, const struct dccp_hdr *dh,
504 		    struct nf_conntrack_dccp_buf *buf)
505 {
506 	unsigned int hdrlen = __dccp_hdr_len(dh);
507 
508 	if (hdrlen > sizeof(*buf))
509 		return NULL;
510 
511 	return skb_header_pointer(skb, offset, hdrlen, buf);
512 }
513 
nf_conntrack_dccp_packet(struct nf_conn * ct,struct sk_buff * skb,unsigned int dataoff,enum ip_conntrack_info ctinfo,const struct nf_hook_state * state)514 int nf_conntrack_dccp_packet(struct nf_conn *ct, struct sk_buff *skb,
515 			     unsigned int dataoff,
516 			     enum ip_conntrack_info ctinfo,
517 			     const struct nf_hook_state *state)
518 {
519 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
520 	struct nf_conntrack_dccp_buf _dh;
521 	u_int8_t type, old_state, new_state;
522 	enum ct_dccp_roles role;
523 	unsigned int *timeouts;
524 	struct dccp_hdr *dh;
525 
526 	dh = skb_header_pointer(skb, dataoff, sizeof(*dh), &_dh.dh);
527 	if (!dh)
528 		return NF_DROP;
529 
530 	if (dccp_error(dh, skb, dataoff, state))
531 		return -NF_ACCEPT;
532 
533 	/* pull again, including possible 48 bit sequences and subtype header */
534 	dh = dccp_header_pointer(skb, dataoff, dh, &_dh);
535 	if (!dh)
536 		return NF_DROP;
537 
538 	type = dh->dccph_type;
539 	if (!nf_ct_is_confirmed(ct) && !dccp_new(ct, skb, dh, state))
540 		return -NF_ACCEPT;
541 
542 	if (type == DCCP_PKT_RESET &&
543 	    !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
544 		/* Tear down connection immediately if only reply is a RESET */
545 		nf_ct_kill_acct(ct, ctinfo, skb);
546 		return NF_ACCEPT;
547 	}
548 
549 	spin_lock_bh(&ct->lock);
550 
551 	role = ct->proto.dccp.role[dir];
552 	old_state = ct->proto.dccp.state;
553 	new_state = dccp_state_table[role][type][old_state];
554 
555 	switch (new_state) {
556 	case CT_DCCP_REQUEST:
557 		if (old_state == CT_DCCP_TIMEWAIT &&
558 		    role == CT_DCCP_ROLE_SERVER) {
559 			/* Reincarnation in the reverse direction: reopen and
560 			 * reverse client/server roles. */
561 			ct->proto.dccp.role[dir] = CT_DCCP_ROLE_CLIENT;
562 			ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_SERVER;
563 		}
564 		break;
565 	case CT_DCCP_RESPOND:
566 		if (old_state == CT_DCCP_REQUEST)
567 			ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
568 		break;
569 	case CT_DCCP_PARTOPEN:
570 		if (old_state == CT_DCCP_RESPOND &&
571 		    type == DCCP_PKT_ACK &&
572 		    dccp_ack_seq(dh) == ct->proto.dccp.handshake_seq)
573 			set_bit(IPS_ASSURED_BIT, &ct->status);
574 		break;
575 	case CT_DCCP_IGNORE:
576 		/*
577 		 * Connection tracking might be out of sync, so we ignore
578 		 * packets that might establish a new connection and resync
579 		 * if the server responds with a valid Response.
580 		 */
581 		if (ct->proto.dccp.last_dir == !dir &&
582 		    ct->proto.dccp.last_pkt == DCCP_PKT_REQUEST &&
583 		    type == DCCP_PKT_RESPONSE) {
584 			ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_CLIENT;
585 			ct->proto.dccp.role[dir] = CT_DCCP_ROLE_SERVER;
586 			ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
587 			new_state = CT_DCCP_RESPOND;
588 			break;
589 		}
590 		ct->proto.dccp.last_dir = dir;
591 		ct->proto.dccp.last_pkt = type;
592 
593 		spin_unlock_bh(&ct->lock);
594 		nf_ct_l4proto_log_invalid(skb, ct, state, "%s", "invalid packet");
595 		return NF_ACCEPT;
596 	case CT_DCCP_INVALID:
597 		spin_unlock_bh(&ct->lock);
598 		nf_ct_l4proto_log_invalid(skb, ct, state, "%s", "invalid state transition");
599 		return -NF_ACCEPT;
600 	}
601 
602 	ct->proto.dccp.last_dir = dir;
603 	ct->proto.dccp.last_pkt = type;
604 	ct->proto.dccp.state = new_state;
605 	spin_unlock_bh(&ct->lock);
606 
607 	if (new_state != old_state)
608 		nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
609 
610 	timeouts = nf_ct_timeout_lookup(ct);
611 	if (!timeouts)
612 		timeouts = nf_dccp_pernet(nf_ct_net(ct))->dccp_timeout;
613 	nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
614 
615 	return NF_ACCEPT;
616 }
617 
dccp_can_early_drop(const struct nf_conn * ct)618 static bool dccp_can_early_drop(const struct nf_conn *ct)
619 {
620 	switch (ct->proto.dccp.state) {
621 	case CT_DCCP_CLOSEREQ:
622 	case CT_DCCP_CLOSING:
623 	case CT_DCCP_TIMEWAIT:
624 		return true;
625 	default:
626 		break;
627 	}
628 
629 	return false;
630 }
631 
632 #ifdef CONFIG_NF_CONNTRACK_PROCFS
dccp_print_conntrack(struct seq_file * s,struct nf_conn * ct)633 static void dccp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
634 {
635 	seq_printf(s, "%s ", dccp_state_names[ct->proto.dccp.state]);
636 }
637 #endif
638 
639 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
dccp_to_nlattr(struct sk_buff * skb,struct nlattr * nla,struct nf_conn * ct,bool destroy)640 static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
641 			  struct nf_conn *ct, bool destroy)
642 {
643 	struct nlattr *nest_parms;
644 
645 	spin_lock_bh(&ct->lock);
646 	nest_parms = nla_nest_start(skb, CTA_PROTOINFO_DCCP);
647 	if (!nest_parms)
648 		goto nla_put_failure;
649 	if (nla_put_u8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state))
650 		goto nla_put_failure;
651 
652 	if (destroy)
653 		goto skip_state;
654 
655 	if (nla_put_u8(skb, CTA_PROTOINFO_DCCP_ROLE,
656 		       ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]) ||
657 	    nla_put_be64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
658 			 cpu_to_be64(ct->proto.dccp.handshake_seq),
659 			 CTA_PROTOINFO_DCCP_PAD))
660 		goto nla_put_failure;
661 skip_state:
662 	nla_nest_end(skb, nest_parms);
663 	spin_unlock_bh(&ct->lock);
664 
665 	return 0;
666 
667 nla_put_failure:
668 	spin_unlock_bh(&ct->lock);
669 	return -1;
670 }
671 
672 static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = {
673 	[CTA_PROTOINFO_DCCP_STATE]	= { .type = NLA_U8 },
674 	[CTA_PROTOINFO_DCCP_ROLE]	= { .type = NLA_U8 },
675 	[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ] = { .type = NLA_U64 },
676 	[CTA_PROTOINFO_DCCP_PAD]	= { .type = NLA_UNSPEC },
677 };
678 
679 #define DCCP_NLATTR_SIZE ( \
680 	NLA_ALIGN(NLA_HDRLEN + 1) + \
681 	NLA_ALIGN(NLA_HDRLEN + 1) + \
682 	NLA_ALIGN(NLA_HDRLEN + sizeof(u64)) + \
683 	NLA_ALIGN(NLA_HDRLEN + 0))
684 
nlattr_to_dccp(struct nlattr * cda[],struct nf_conn * ct)685 static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
686 {
687 	struct nlattr *attr = cda[CTA_PROTOINFO_DCCP];
688 	struct nlattr *tb[CTA_PROTOINFO_DCCP_MAX + 1];
689 	int err;
690 
691 	if (!attr)
692 		return 0;
693 
694 	err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_DCCP_MAX, attr,
695 					  dccp_nla_policy, NULL);
696 	if (err < 0)
697 		return err;
698 
699 	if (!tb[CTA_PROTOINFO_DCCP_STATE] ||
700 	    !tb[CTA_PROTOINFO_DCCP_ROLE] ||
701 	    nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) > CT_DCCP_ROLE_MAX ||
702 	    nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]) >= CT_DCCP_IGNORE) {
703 		return -EINVAL;
704 	}
705 
706 	spin_lock_bh(&ct->lock);
707 	ct->proto.dccp.state = nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]);
708 	if (nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) == CT_DCCP_ROLE_CLIENT) {
709 		ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
710 		ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
711 	} else {
712 		ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_SERVER;
713 		ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_CLIENT;
714 	}
715 	if (tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]) {
716 		ct->proto.dccp.handshake_seq =
717 		be64_to_cpu(nla_get_be64(tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]));
718 	}
719 	spin_unlock_bh(&ct->lock);
720 	return 0;
721 }
722 #endif
723 
724 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
725 
726 #include <linux/netfilter/nfnetlink.h>
727 #include <linux/netfilter/nfnetlink_cttimeout.h>
728 
dccp_timeout_nlattr_to_obj(struct nlattr * tb[],struct net * net,void * data)729 static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
730 				      struct net *net, void *data)
731 {
732 	struct nf_dccp_net *dn = nf_dccp_pernet(net);
733 	unsigned int *timeouts = data;
734 	int i;
735 
736 	if (!timeouts)
737 		 timeouts = dn->dccp_timeout;
738 
739 	/* set default DCCP timeouts. */
740 	for (i=0; i<CT_DCCP_MAX; i++)
741 		timeouts[i] = dn->dccp_timeout[i];
742 
743 	/* there's a 1:1 mapping between attributes and protocol states. */
744 	for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++) {
745 		if (tb[i]) {
746 			timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
747 		}
748 	}
749 
750 	timeouts[CTA_TIMEOUT_DCCP_UNSPEC] = timeouts[CTA_TIMEOUT_DCCP_REQUEST];
751 	return 0;
752 }
753 
754 static int
dccp_timeout_obj_to_nlattr(struct sk_buff * skb,const void * data)755 dccp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
756 {
757         const unsigned int *timeouts = data;
758 	int i;
759 
760 	for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++) {
761 		if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
762 			goto nla_put_failure;
763 	}
764 	return 0;
765 
766 nla_put_failure:
767 	return -ENOSPC;
768 }
769 
770 static const struct nla_policy
771 dccp_timeout_nla_policy[CTA_TIMEOUT_DCCP_MAX+1] = {
772 	[CTA_TIMEOUT_DCCP_REQUEST]	= { .type = NLA_U32 },
773 	[CTA_TIMEOUT_DCCP_RESPOND]	= { .type = NLA_U32 },
774 	[CTA_TIMEOUT_DCCP_PARTOPEN]	= { .type = NLA_U32 },
775 	[CTA_TIMEOUT_DCCP_OPEN]		= { .type = NLA_U32 },
776 	[CTA_TIMEOUT_DCCP_CLOSEREQ]	= { .type = NLA_U32 },
777 	[CTA_TIMEOUT_DCCP_CLOSING]	= { .type = NLA_U32 },
778 	[CTA_TIMEOUT_DCCP_TIMEWAIT]	= { .type = NLA_U32 },
779 };
780 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
781 
nf_conntrack_dccp_init_net(struct net * net)782 void nf_conntrack_dccp_init_net(struct net *net)
783 {
784 	struct nf_dccp_net *dn = nf_dccp_pernet(net);
785 
786 	/* default values */
787 	dn->dccp_loose = 1;
788 	dn->dccp_timeout[CT_DCCP_REQUEST]	= 2 * DCCP_MSL;
789 	dn->dccp_timeout[CT_DCCP_RESPOND]	= 4 * DCCP_MSL;
790 	dn->dccp_timeout[CT_DCCP_PARTOPEN]	= 4 * DCCP_MSL;
791 	dn->dccp_timeout[CT_DCCP_OPEN]		= 12 * 3600 * HZ;
792 	dn->dccp_timeout[CT_DCCP_CLOSEREQ]	= 64 * HZ;
793 	dn->dccp_timeout[CT_DCCP_CLOSING]	= 64 * HZ;
794 	dn->dccp_timeout[CT_DCCP_TIMEWAIT]	= 2 * DCCP_MSL;
795 
796 	/* timeouts[0] is unused, make it same as SYN_SENT so
797 	 * ->timeouts[0] contains 'new' timeout, like udp or icmp.
798 	 */
799 	dn->dccp_timeout[CT_DCCP_NONE] = dn->dccp_timeout[CT_DCCP_REQUEST];
800 }
801 
802 const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp = {
803 	.l4proto		= IPPROTO_DCCP,
804 	.can_early_drop		= dccp_can_early_drop,
805 #ifdef CONFIG_NF_CONNTRACK_PROCFS
806 	.print_conntrack	= dccp_print_conntrack,
807 #endif
808 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
809 	.nlattr_size		= DCCP_NLATTR_SIZE,
810 	.to_nlattr		= dccp_to_nlattr,
811 	.from_nlattr		= nlattr_to_dccp,
812 	.tuple_to_nlattr	= nf_ct_port_tuple_to_nlattr,
813 	.nlattr_tuple_size	= nf_ct_port_nlattr_tuple_size,
814 	.nlattr_to_tuple	= nf_ct_port_nlattr_to_tuple,
815 	.nla_policy		= nf_ct_port_nla_policy,
816 #endif
817 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
818 	.ctnl_timeout		= {
819 		.nlattr_to_obj	= dccp_timeout_nlattr_to_obj,
820 		.obj_to_nlattr	= dccp_timeout_obj_to_nlattr,
821 		.nlattr_max	= CTA_TIMEOUT_DCCP_MAX,
822 		.obj_size	= sizeof(unsigned int) * CT_DCCP_MAX,
823 		.nla_policy	= dccp_timeout_nla_policy,
824 	},
825 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
826 };
827