1 /* 2 * DCCP connection tracking protocol helper 3 * 4 * Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net> 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 2 as 8 * published by the Free Software Foundation. 9 * 10 */ 11 #include <linux/kernel.h> 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sysctl.h> 15 #include <linux/spinlock.h> 16 #include <linux/skbuff.h> 17 #include <linux/dccp.h> 18 #include <linux/slab.h> 19 20 #include <net/net_namespace.h> 21 #include <net/netns/generic.h> 22 23 #include <linux/netfilter/nfnetlink_conntrack.h> 24 #include <net/netfilter/nf_conntrack.h> 25 #include <net/netfilter/nf_conntrack_l4proto.h> 26 #include <net/netfilter/nf_conntrack_ecache.h> 27 #include <net/netfilter/nf_log.h> 28 29 /* Timeouts are based on values from RFC4340: 30 * 31 * - REQUEST: 32 * 33 * 8.1.2. Client Request 34 * 35 * A client MAY give up on its DCCP-Requests after some time 36 * (3 minutes, for example). 37 * 38 * - RESPOND: 39 * 40 * 8.1.3. Server Response 41 * 42 * It MAY also leave the RESPOND state for CLOSED after a timeout of 43 * not less than 4MSL (8 minutes); 44 * 45 * - PARTOPEN: 46 * 47 * 8.1.5. Handshake Completion 48 * 49 * If the client remains in PARTOPEN for more than 4MSL (8 minutes), 50 * it SHOULD reset the connection with Reset Code 2, "Aborted". 51 * 52 * - OPEN: 53 * 54 * The DCCP timestamp overflows after 11.9 hours. If the connection 55 * stays idle this long the sequence number won't be recognized 56 * as valid anymore. 57 * 58 * - CLOSEREQ/CLOSING: 59 * 60 * 8.3. Termination 61 * 62 * The retransmission timer should initially be set to go off in two 63 * round-trip times and should back off to not less than once every 64 * 64 seconds ... 65 * 66 * - TIMEWAIT: 67 * 68 * 4.3. States 69 * 70 * A server or client socket remains in this state for 2MSL (4 minutes) 71 * after the connection has been town down, ... 72 */ 73 74 #define DCCP_MSL (2 * 60 * HZ) 75 76 static const char * const dccp_state_names[] = { 77 [CT_DCCP_NONE] = "NONE", 78 [CT_DCCP_REQUEST] = "REQUEST", 79 [CT_DCCP_RESPOND] = "RESPOND", 80 [CT_DCCP_PARTOPEN] = "PARTOPEN", 81 [CT_DCCP_OPEN] = "OPEN", 82 [CT_DCCP_CLOSEREQ] = "CLOSEREQ", 83 [CT_DCCP_CLOSING] = "CLOSING", 84 [CT_DCCP_TIMEWAIT] = "TIMEWAIT", 85 [CT_DCCP_IGNORE] = "IGNORE", 86 [CT_DCCP_INVALID] = "INVALID", 87 }; 88 89 #define sNO CT_DCCP_NONE 90 #define sRQ CT_DCCP_REQUEST 91 #define sRS CT_DCCP_RESPOND 92 #define sPO CT_DCCP_PARTOPEN 93 #define sOP CT_DCCP_OPEN 94 #define sCR CT_DCCP_CLOSEREQ 95 #define sCG CT_DCCP_CLOSING 96 #define sTW CT_DCCP_TIMEWAIT 97 #define sIG CT_DCCP_IGNORE 98 #define sIV CT_DCCP_INVALID 99 100 /* 101 * DCCP state transition table 102 * 103 * The assumption is the same as for TCP tracking: 104 * 105 * We are the man in the middle. All the packets go through us but might 106 * get lost in transit to the destination. It is assumed that the destination 107 * can't receive segments we haven't seen. 108 * 109 * The following states exist: 110 * 111 * NONE: Initial state, expecting Request 112 * REQUEST: Request seen, waiting for Response from server 113 * RESPOND: Response from server seen, waiting for Ack from client 114 * PARTOPEN: Ack after Response seen, waiting for packet other than Response, 115 * Reset or Sync from server 116 * OPEN: Packet other than Response, Reset or Sync seen 117 * CLOSEREQ: CloseReq from server seen, expecting Close from client 118 * CLOSING: Close seen, expecting Reset 119 * TIMEWAIT: Reset seen 120 * IGNORE: Not determinable whether packet is valid 121 * 122 * Some states exist only on one side of the connection: REQUEST, RESPOND, 123 * PARTOPEN, CLOSEREQ. For the other side these states are equivalent to 124 * the one it was in before. 125 * 126 * Packets are marked as ignored (sIG) if we don't know if they're valid 127 * (for example a reincarnation of a connection we didn't notice is dead 128 * already) and the server may send back a connection closing Reset or a 129 * Response. They're also used for Sync/SyncAck packets, which we don't 130 * care about. 131 */ 132 static const u_int8_t 133 dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = { 134 [CT_DCCP_ROLE_CLIENT] = { 135 [DCCP_PKT_REQUEST] = { 136 /* 137 * sNO -> sRQ Regular Request 138 * sRQ -> sRQ Retransmitted Request or reincarnation 139 * sRS -> sRS Retransmitted Request (apparently Response 140 * got lost after we saw it) or reincarnation 141 * sPO -> sIG Ignore, conntrack might be out of sync 142 * sOP -> sIG Ignore, conntrack might be out of sync 143 * sCR -> sIG Ignore, conntrack might be out of sync 144 * sCG -> sIG Ignore, conntrack might be out of sync 145 * sTW -> sRQ Reincarnation 146 * 147 * sNO, sRQ, sRS, sPO. sOP, sCR, sCG, sTW, */ 148 sRQ, sRQ, sRS, sIG, sIG, sIG, sIG, sRQ, 149 }, 150 [DCCP_PKT_RESPONSE] = { 151 /* 152 * sNO -> sIV Invalid 153 * sRQ -> sIG Ignore, might be response to ignored Request 154 * sRS -> sIG Ignore, might be response to ignored Request 155 * sPO -> sIG Ignore, might be response to ignored Request 156 * sOP -> sIG Ignore, might be response to ignored Request 157 * sCR -> sIG Ignore, might be response to ignored Request 158 * sCG -> sIG Ignore, might be response to ignored Request 159 * sTW -> sIV Invalid, reincarnation in reverse direction 160 * goes through sRQ 161 * 162 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 163 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIV, 164 }, 165 [DCCP_PKT_ACK] = { 166 /* 167 * sNO -> sIV No connection 168 * sRQ -> sIV No connection 169 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.) 170 * sPO -> sPO Retransmitted Ack for Response, remain in PARTOPEN 171 * sOP -> sOP Regular ACK, remain in OPEN 172 * sCR -> sCR Ack in CLOSEREQ MAY be processed (8.3.) 173 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.) 174 * sTW -> sIV 175 * 176 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 177 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV 178 }, 179 [DCCP_PKT_DATA] = { 180 /* 181 * sNO -> sIV No connection 182 * sRQ -> sIV No connection 183 * sRS -> sIV No connection 184 * sPO -> sIV MUST use DataAck in PARTOPEN state (8.1.5.) 185 * sOP -> sOP Regular Data packet 186 * sCR -> sCR Data in CLOSEREQ MAY be processed (8.3.) 187 * sCG -> sCG Data in CLOSING MAY be processed (8.3.) 188 * sTW -> sIV 189 * 190 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 191 sIV, sIV, sIV, sIV, sOP, sCR, sCG, sIV, 192 }, 193 [DCCP_PKT_DATAACK] = { 194 /* 195 * sNO -> sIV No connection 196 * sRQ -> sIV No connection 197 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.) 198 * sPO -> sPO Remain in PARTOPEN state 199 * sOP -> sOP Regular DataAck packet in OPEN state 200 * sCR -> sCR DataAck in CLOSEREQ MAY be processed (8.3.) 201 * sCG -> sCG DataAck in CLOSING MAY be processed (8.3.) 202 * sTW -> sIV 203 * 204 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 205 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV 206 }, 207 [DCCP_PKT_CLOSEREQ] = { 208 /* 209 * CLOSEREQ may only be sent by the server. 210 * 211 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 212 sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV 213 }, 214 [DCCP_PKT_CLOSE] = { 215 /* 216 * sNO -> sIV No connection 217 * sRQ -> sIV No connection 218 * sRS -> sIV No connection 219 * sPO -> sCG Client-initiated close 220 * sOP -> sCG Client-initiated close 221 * sCR -> sCG Close in response to CloseReq (8.3.) 222 * sCG -> sCG Retransmit 223 * sTW -> sIV Late retransmit, already in TIME_WAIT 224 * 225 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 226 sIV, sIV, sIV, sCG, sCG, sCG, sIV, sIV 227 }, 228 [DCCP_PKT_RESET] = { 229 /* 230 * sNO -> sIV No connection 231 * sRQ -> sTW Sync received or timeout, SHOULD send Reset (8.1.1.) 232 * sRS -> sTW Response received without Request 233 * sPO -> sTW Timeout, SHOULD send Reset (8.1.5.) 234 * sOP -> sTW Connection reset 235 * sCR -> sTW Connection reset 236 * sCG -> sTW Connection reset 237 * sTW -> sIG Ignore (don't refresh timer) 238 * 239 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 240 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sIG 241 }, 242 [DCCP_PKT_SYNC] = { 243 /* 244 * We currently ignore Sync packets 245 * 246 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 247 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 248 }, 249 [DCCP_PKT_SYNCACK] = { 250 /* 251 * We currently ignore SyncAck packets 252 * 253 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 254 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 255 }, 256 }, 257 [CT_DCCP_ROLE_SERVER] = { 258 [DCCP_PKT_REQUEST] = { 259 /* 260 * sNO -> sIV Invalid 261 * sRQ -> sIG Ignore, conntrack might be out of sync 262 * sRS -> sIG Ignore, conntrack might be out of sync 263 * sPO -> sIG Ignore, conntrack might be out of sync 264 * sOP -> sIG Ignore, conntrack might be out of sync 265 * sCR -> sIG Ignore, conntrack might be out of sync 266 * sCG -> sIG Ignore, conntrack might be out of sync 267 * sTW -> sRQ Reincarnation, must reverse roles 268 * 269 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 270 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sRQ 271 }, 272 [DCCP_PKT_RESPONSE] = { 273 /* 274 * sNO -> sIV Response without Request 275 * sRQ -> sRS Response to clients Request 276 * sRS -> sRS Retransmitted Response (8.1.3. SHOULD NOT) 277 * sPO -> sIG Response to an ignored Request or late retransmit 278 * sOP -> sIG Ignore, might be response to ignored Request 279 * sCR -> sIG Ignore, might be response to ignored Request 280 * sCG -> sIG Ignore, might be response to ignored Request 281 * sTW -> sIV Invalid, Request from client in sTW moves to sRQ 282 * 283 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 284 sIV, sRS, sRS, sIG, sIG, sIG, sIG, sIV 285 }, 286 [DCCP_PKT_ACK] = { 287 /* 288 * sNO -> sIV No connection 289 * sRQ -> sIV No connection 290 * sRS -> sIV No connection 291 * sPO -> sOP Enter OPEN state (8.1.5.) 292 * sOP -> sOP Regular Ack in OPEN state 293 * sCR -> sIV Waiting for Close from client 294 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.) 295 * sTW -> sIV 296 * 297 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 298 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV 299 }, 300 [DCCP_PKT_DATA] = { 301 /* 302 * sNO -> sIV No connection 303 * sRQ -> sIV No connection 304 * sRS -> sIV No connection 305 * sPO -> sOP Enter OPEN state (8.1.5.) 306 * sOP -> sOP Regular Data packet in OPEN state 307 * sCR -> sIV Waiting for Close from client 308 * sCG -> sCG Data in CLOSING MAY be processed (8.3.) 309 * sTW -> sIV 310 * 311 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 312 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV 313 }, 314 [DCCP_PKT_DATAACK] = { 315 /* 316 * sNO -> sIV No connection 317 * sRQ -> sIV No connection 318 * sRS -> sIV No connection 319 * sPO -> sOP Enter OPEN state (8.1.5.) 320 * sOP -> sOP Regular DataAck in OPEN state 321 * sCR -> sIV Waiting for Close from client 322 * sCG -> sCG Data in CLOSING MAY be processed (8.3.) 323 * sTW -> sIV 324 * 325 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 326 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV 327 }, 328 [DCCP_PKT_CLOSEREQ] = { 329 /* 330 * sNO -> sIV No connection 331 * sRQ -> sIV No connection 332 * sRS -> sIV No connection 333 * sPO -> sOP -> sCR Move directly to CLOSEREQ (8.1.5.) 334 * sOP -> sCR CloseReq in OPEN state 335 * sCR -> sCR Retransmit 336 * sCG -> sCR Simultaneous close, client sends another Close 337 * sTW -> sIV Already closed 338 * 339 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 340 sIV, sIV, sIV, sCR, sCR, sCR, sCR, sIV 341 }, 342 [DCCP_PKT_CLOSE] = { 343 /* 344 * sNO -> sIV No connection 345 * sRQ -> sIV No connection 346 * sRS -> sIV No connection 347 * sPO -> sOP -> sCG Move direcly to CLOSING 348 * sOP -> sCG Move to CLOSING 349 * sCR -> sIV Close after CloseReq is invalid 350 * sCG -> sCG Retransmit 351 * sTW -> sIV Already closed 352 * 353 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 354 sIV, sIV, sIV, sCG, sCG, sIV, sCG, sIV 355 }, 356 [DCCP_PKT_RESET] = { 357 /* 358 * sNO -> sIV No connection 359 * sRQ -> sTW Reset in response to Request 360 * sRS -> sTW Timeout, SHOULD send Reset (8.1.3.) 361 * sPO -> sTW Timeout, SHOULD send Reset (8.1.3.) 362 * sOP -> sTW 363 * sCR -> sTW 364 * sCG -> sTW 365 * sTW -> sIG Ignore (don't refresh timer) 366 * 367 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW, sTW */ 368 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sTW, sIG 369 }, 370 [DCCP_PKT_SYNC] = { 371 /* 372 * We currently ignore Sync packets 373 * 374 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 375 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 376 }, 377 [DCCP_PKT_SYNCACK] = { 378 /* 379 * We currently ignore SyncAck packets 380 * 381 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 382 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 383 }, 384 }, 385 }; 386 387 /* this module per-net specifics */ 388 static int dccp_net_id __read_mostly; 389 struct dccp_net { 390 struct nf_proto_net pn; 391 int dccp_loose; 392 unsigned int dccp_timeout[CT_DCCP_MAX + 1]; 393 }; 394 395 static inline struct dccp_net *dccp_pernet(struct net *net) 396 { 397 return net_generic(net, dccp_net_id); 398 } 399 400 static bool dccp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff, 401 struct net *net, struct nf_conntrack_tuple *tuple) 402 { 403 struct dccp_hdr _hdr, *dh; 404 405 dh = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); 406 if (dh == NULL) 407 return false; 408 409 tuple->src.u.dccp.port = dh->dccph_sport; 410 tuple->dst.u.dccp.port = dh->dccph_dport; 411 return true; 412 } 413 414 static bool dccp_invert_tuple(struct nf_conntrack_tuple *inv, 415 const struct nf_conntrack_tuple *tuple) 416 { 417 inv->src.u.dccp.port = tuple->dst.u.dccp.port; 418 inv->dst.u.dccp.port = tuple->src.u.dccp.port; 419 return true; 420 } 421 422 static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb, 423 unsigned int dataoff, unsigned int *timeouts) 424 { 425 struct net *net = nf_ct_net(ct); 426 struct dccp_net *dn; 427 struct dccp_hdr _dh, *dh; 428 const char *msg; 429 u_int8_t state; 430 431 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); 432 BUG_ON(dh == NULL); 433 434 state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE]; 435 switch (state) { 436 default: 437 dn = dccp_pernet(net); 438 if (dn->dccp_loose == 0) { 439 msg = "nf_ct_dccp: not picking up existing connection "; 440 goto out_invalid; 441 } 442 case CT_DCCP_REQUEST: 443 break; 444 case CT_DCCP_INVALID: 445 msg = "nf_ct_dccp: invalid state transition "; 446 goto out_invalid; 447 } 448 449 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT; 450 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER; 451 ct->proto.dccp.state = CT_DCCP_NONE; 452 ct->proto.dccp.last_pkt = DCCP_PKT_REQUEST; 453 ct->proto.dccp.last_dir = IP_CT_DIR_ORIGINAL; 454 ct->proto.dccp.handshake_seq = 0; 455 return true; 456 457 out_invalid: 458 if (LOG_INVALID(net, IPPROTO_DCCP)) 459 nf_log_packet(net, nf_ct_l3num(ct), 0, skb, NULL, NULL, 460 NULL, "%s", msg); 461 return false; 462 } 463 464 static u64 dccp_ack_seq(const struct dccp_hdr *dh) 465 { 466 const struct dccp_hdr_ack_bits *dhack; 467 468 dhack = (void *)dh + __dccp_basic_hdr_len(dh); 469 return ((u64)ntohs(dhack->dccph_ack_nr_high) << 32) + 470 ntohl(dhack->dccph_ack_nr_low); 471 } 472 473 static unsigned int *dccp_get_timeouts(struct net *net) 474 { 475 return dccp_pernet(net)->dccp_timeout; 476 } 477 478 static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb, 479 unsigned int dataoff, enum ip_conntrack_info ctinfo, 480 u_int8_t pf, unsigned int hooknum, 481 unsigned int *timeouts) 482 { 483 struct net *net = nf_ct_net(ct); 484 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 485 struct dccp_hdr _dh, *dh; 486 u_int8_t type, old_state, new_state; 487 enum ct_dccp_roles role; 488 489 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); 490 BUG_ON(dh == NULL); 491 type = dh->dccph_type; 492 493 if (type == DCCP_PKT_RESET && 494 !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { 495 /* Tear down connection immediately if only reply is a RESET */ 496 nf_ct_kill_acct(ct, ctinfo, skb); 497 return NF_ACCEPT; 498 } 499 500 spin_lock_bh(&ct->lock); 501 502 role = ct->proto.dccp.role[dir]; 503 old_state = ct->proto.dccp.state; 504 new_state = dccp_state_table[role][type][old_state]; 505 506 switch (new_state) { 507 case CT_DCCP_REQUEST: 508 if (old_state == CT_DCCP_TIMEWAIT && 509 role == CT_DCCP_ROLE_SERVER) { 510 /* Reincarnation in the reverse direction: reopen and 511 * reverse client/server roles. */ 512 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_CLIENT; 513 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_SERVER; 514 } 515 break; 516 case CT_DCCP_RESPOND: 517 if (old_state == CT_DCCP_REQUEST) 518 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh); 519 break; 520 case CT_DCCP_PARTOPEN: 521 if (old_state == CT_DCCP_RESPOND && 522 type == DCCP_PKT_ACK && 523 dccp_ack_seq(dh) == ct->proto.dccp.handshake_seq) 524 set_bit(IPS_ASSURED_BIT, &ct->status); 525 break; 526 case CT_DCCP_IGNORE: 527 /* 528 * Connection tracking might be out of sync, so we ignore 529 * packets that might establish a new connection and resync 530 * if the server responds with a valid Response. 531 */ 532 if (ct->proto.dccp.last_dir == !dir && 533 ct->proto.dccp.last_pkt == DCCP_PKT_REQUEST && 534 type == DCCP_PKT_RESPONSE) { 535 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_CLIENT; 536 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_SERVER; 537 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh); 538 new_state = CT_DCCP_RESPOND; 539 break; 540 } 541 ct->proto.dccp.last_dir = dir; 542 ct->proto.dccp.last_pkt = type; 543 544 spin_unlock_bh(&ct->lock); 545 if (LOG_INVALID(net, IPPROTO_DCCP)) 546 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 547 "nf_ct_dccp: invalid packet ignored "); 548 return NF_ACCEPT; 549 case CT_DCCP_INVALID: 550 spin_unlock_bh(&ct->lock); 551 if (LOG_INVALID(net, IPPROTO_DCCP)) 552 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 553 "nf_ct_dccp: invalid state transition "); 554 return -NF_ACCEPT; 555 } 556 557 ct->proto.dccp.last_dir = dir; 558 ct->proto.dccp.last_pkt = type; 559 ct->proto.dccp.state = new_state; 560 spin_unlock_bh(&ct->lock); 561 562 if (new_state != old_state) 563 nf_conntrack_event_cache(IPCT_PROTOINFO, ct); 564 565 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]); 566 567 return NF_ACCEPT; 568 } 569 570 static int dccp_error(struct net *net, struct nf_conn *tmpl, 571 struct sk_buff *skb, unsigned int dataoff, 572 enum ip_conntrack_info *ctinfo, 573 u_int8_t pf, unsigned int hooknum) 574 { 575 struct dccp_hdr _dh, *dh; 576 unsigned int dccp_len = skb->len - dataoff; 577 unsigned int cscov; 578 const char *msg; 579 580 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); 581 if (dh == NULL) { 582 msg = "nf_ct_dccp: short packet "; 583 goto out_invalid; 584 } 585 586 if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) || 587 dh->dccph_doff * 4 > dccp_len) { 588 msg = "nf_ct_dccp: truncated/malformed packet "; 589 goto out_invalid; 590 } 591 592 cscov = dccp_len; 593 if (dh->dccph_cscov) { 594 cscov = (dh->dccph_cscov - 1) * 4; 595 if (cscov > dccp_len) { 596 msg = "nf_ct_dccp: bad checksum coverage "; 597 goto out_invalid; 598 } 599 } 600 601 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && 602 nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_DCCP, 603 pf)) { 604 msg = "nf_ct_dccp: bad checksum "; 605 goto out_invalid; 606 } 607 608 if (dh->dccph_type >= DCCP_PKT_INVALID) { 609 msg = "nf_ct_dccp: reserved packet type "; 610 goto out_invalid; 611 } 612 613 return NF_ACCEPT; 614 615 out_invalid: 616 if (LOG_INVALID(net, IPPROTO_DCCP)) 617 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, "%s", msg); 618 return -NF_ACCEPT; 619 } 620 621 static void dccp_print_tuple(struct seq_file *s, 622 const struct nf_conntrack_tuple *tuple) 623 { 624 seq_printf(s, "sport=%hu dport=%hu ", 625 ntohs(tuple->src.u.dccp.port), 626 ntohs(tuple->dst.u.dccp.port)); 627 } 628 629 static void dccp_print_conntrack(struct seq_file *s, struct nf_conn *ct) 630 { 631 seq_printf(s, "%s ", dccp_state_names[ct->proto.dccp.state]); 632 } 633 634 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 635 static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, 636 struct nf_conn *ct) 637 { 638 struct nlattr *nest_parms; 639 640 spin_lock_bh(&ct->lock); 641 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_DCCP | NLA_F_NESTED); 642 if (!nest_parms) 643 goto nla_put_failure; 644 if (nla_put_u8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state) || 645 nla_put_u8(skb, CTA_PROTOINFO_DCCP_ROLE, 646 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]) || 647 nla_put_be64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ, 648 cpu_to_be64(ct->proto.dccp.handshake_seq), 649 CTA_PROTOINFO_DCCP_PAD)) 650 goto nla_put_failure; 651 nla_nest_end(skb, nest_parms); 652 spin_unlock_bh(&ct->lock); 653 return 0; 654 655 nla_put_failure: 656 spin_unlock_bh(&ct->lock); 657 return -1; 658 } 659 660 static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = { 661 [CTA_PROTOINFO_DCCP_STATE] = { .type = NLA_U8 }, 662 [CTA_PROTOINFO_DCCP_ROLE] = { .type = NLA_U8 }, 663 [CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ] = { .type = NLA_U64 }, 664 [CTA_PROTOINFO_DCCP_PAD] = { .type = NLA_UNSPEC }, 665 }; 666 667 static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct) 668 { 669 struct nlattr *attr = cda[CTA_PROTOINFO_DCCP]; 670 struct nlattr *tb[CTA_PROTOINFO_DCCP_MAX + 1]; 671 int err; 672 673 if (!attr) 674 return 0; 675 676 err = nla_parse_nested(tb, CTA_PROTOINFO_DCCP_MAX, attr, 677 dccp_nla_policy); 678 if (err < 0) 679 return err; 680 681 if (!tb[CTA_PROTOINFO_DCCP_STATE] || 682 !tb[CTA_PROTOINFO_DCCP_ROLE] || 683 nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) > CT_DCCP_ROLE_MAX || 684 nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]) >= CT_DCCP_IGNORE) { 685 return -EINVAL; 686 } 687 688 spin_lock_bh(&ct->lock); 689 ct->proto.dccp.state = nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]); 690 if (nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) == CT_DCCP_ROLE_CLIENT) { 691 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT; 692 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER; 693 } else { 694 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_SERVER; 695 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_CLIENT; 696 } 697 if (tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]) { 698 ct->proto.dccp.handshake_seq = 699 be64_to_cpu(nla_get_be64(tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ])); 700 } 701 spin_unlock_bh(&ct->lock); 702 return 0; 703 } 704 705 static int dccp_nlattr_size(void) 706 { 707 return nla_total_size(0) /* CTA_PROTOINFO_DCCP */ 708 + nla_policy_len(dccp_nla_policy, CTA_PROTOINFO_DCCP_MAX + 1); 709 } 710 711 #endif 712 713 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) 714 715 #include <linux/netfilter/nfnetlink.h> 716 #include <linux/netfilter/nfnetlink_cttimeout.h> 717 718 static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[], 719 struct net *net, void *data) 720 { 721 struct dccp_net *dn = dccp_pernet(net); 722 unsigned int *timeouts = data; 723 int i; 724 725 /* set default DCCP timeouts. */ 726 for (i=0; i<CT_DCCP_MAX; i++) 727 timeouts[i] = dn->dccp_timeout[i]; 728 729 /* there's a 1:1 mapping between attributes and protocol states. */ 730 for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++) { 731 if (tb[i]) { 732 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ; 733 } 734 } 735 return 0; 736 } 737 738 static int 739 dccp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data) 740 { 741 const unsigned int *timeouts = data; 742 int i; 743 744 for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++) { 745 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ))) 746 goto nla_put_failure; 747 } 748 return 0; 749 750 nla_put_failure: 751 return -ENOSPC; 752 } 753 754 static const struct nla_policy 755 dccp_timeout_nla_policy[CTA_TIMEOUT_DCCP_MAX+1] = { 756 [CTA_TIMEOUT_DCCP_REQUEST] = { .type = NLA_U32 }, 757 [CTA_TIMEOUT_DCCP_RESPOND] = { .type = NLA_U32 }, 758 [CTA_TIMEOUT_DCCP_PARTOPEN] = { .type = NLA_U32 }, 759 [CTA_TIMEOUT_DCCP_OPEN] = { .type = NLA_U32 }, 760 [CTA_TIMEOUT_DCCP_CLOSEREQ] = { .type = NLA_U32 }, 761 [CTA_TIMEOUT_DCCP_CLOSING] = { .type = NLA_U32 }, 762 [CTA_TIMEOUT_DCCP_TIMEWAIT] = { .type = NLA_U32 }, 763 }; 764 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ 765 766 #ifdef CONFIG_SYSCTL 767 /* template, data assigned later */ 768 static struct ctl_table dccp_sysctl_table[] = { 769 { 770 .procname = "nf_conntrack_dccp_timeout_request", 771 .maxlen = sizeof(unsigned int), 772 .mode = 0644, 773 .proc_handler = proc_dointvec_jiffies, 774 }, 775 { 776 .procname = "nf_conntrack_dccp_timeout_respond", 777 .maxlen = sizeof(unsigned int), 778 .mode = 0644, 779 .proc_handler = proc_dointvec_jiffies, 780 }, 781 { 782 .procname = "nf_conntrack_dccp_timeout_partopen", 783 .maxlen = sizeof(unsigned int), 784 .mode = 0644, 785 .proc_handler = proc_dointvec_jiffies, 786 }, 787 { 788 .procname = "nf_conntrack_dccp_timeout_open", 789 .maxlen = sizeof(unsigned int), 790 .mode = 0644, 791 .proc_handler = proc_dointvec_jiffies, 792 }, 793 { 794 .procname = "nf_conntrack_dccp_timeout_closereq", 795 .maxlen = sizeof(unsigned int), 796 .mode = 0644, 797 .proc_handler = proc_dointvec_jiffies, 798 }, 799 { 800 .procname = "nf_conntrack_dccp_timeout_closing", 801 .maxlen = sizeof(unsigned int), 802 .mode = 0644, 803 .proc_handler = proc_dointvec_jiffies, 804 }, 805 { 806 .procname = "nf_conntrack_dccp_timeout_timewait", 807 .maxlen = sizeof(unsigned int), 808 .mode = 0644, 809 .proc_handler = proc_dointvec_jiffies, 810 }, 811 { 812 .procname = "nf_conntrack_dccp_loose", 813 .maxlen = sizeof(int), 814 .mode = 0644, 815 .proc_handler = proc_dointvec, 816 }, 817 { } 818 }; 819 #endif /* CONFIG_SYSCTL */ 820 821 static int dccp_kmemdup_sysctl_table(struct net *net, struct nf_proto_net *pn, 822 struct dccp_net *dn) 823 { 824 #ifdef CONFIG_SYSCTL 825 if (pn->ctl_table) 826 return 0; 827 828 pn->ctl_table = kmemdup(dccp_sysctl_table, 829 sizeof(dccp_sysctl_table), 830 GFP_KERNEL); 831 if (!pn->ctl_table) 832 return -ENOMEM; 833 834 pn->ctl_table[0].data = &dn->dccp_timeout[CT_DCCP_REQUEST]; 835 pn->ctl_table[1].data = &dn->dccp_timeout[CT_DCCP_RESPOND]; 836 pn->ctl_table[2].data = &dn->dccp_timeout[CT_DCCP_PARTOPEN]; 837 pn->ctl_table[3].data = &dn->dccp_timeout[CT_DCCP_OPEN]; 838 pn->ctl_table[4].data = &dn->dccp_timeout[CT_DCCP_CLOSEREQ]; 839 pn->ctl_table[5].data = &dn->dccp_timeout[CT_DCCP_CLOSING]; 840 pn->ctl_table[6].data = &dn->dccp_timeout[CT_DCCP_TIMEWAIT]; 841 pn->ctl_table[7].data = &dn->dccp_loose; 842 843 /* Don't export sysctls to unprivileged users */ 844 if (net->user_ns != &init_user_ns) 845 pn->ctl_table[0].procname = NULL; 846 #endif 847 return 0; 848 } 849 850 static int dccp_init_net(struct net *net, u_int16_t proto) 851 { 852 struct dccp_net *dn = dccp_pernet(net); 853 struct nf_proto_net *pn = &dn->pn; 854 855 if (!pn->users) { 856 /* default values */ 857 dn->dccp_loose = 1; 858 dn->dccp_timeout[CT_DCCP_REQUEST] = 2 * DCCP_MSL; 859 dn->dccp_timeout[CT_DCCP_RESPOND] = 4 * DCCP_MSL; 860 dn->dccp_timeout[CT_DCCP_PARTOPEN] = 4 * DCCP_MSL; 861 dn->dccp_timeout[CT_DCCP_OPEN] = 12 * 3600 * HZ; 862 dn->dccp_timeout[CT_DCCP_CLOSEREQ] = 64 * HZ; 863 dn->dccp_timeout[CT_DCCP_CLOSING] = 64 * HZ; 864 dn->dccp_timeout[CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL; 865 } 866 867 return dccp_kmemdup_sysctl_table(net, pn, dn); 868 } 869 870 static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = { 871 .l3proto = AF_INET, 872 .l4proto = IPPROTO_DCCP, 873 .name = "dccp", 874 .pkt_to_tuple = dccp_pkt_to_tuple, 875 .invert_tuple = dccp_invert_tuple, 876 .new = dccp_new, 877 .packet = dccp_packet, 878 .get_timeouts = dccp_get_timeouts, 879 .error = dccp_error, 880 .print_tuple = dccp_print_tuple, 881 .print_conntrack = dccp_print_conntrack, 882 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 883 .to_nlattr = dccp_to_nlattr, 884 .nlattr_size = dccp_nlattr_size, 885 .from_nlattr = nlattr_to_dccp, 886 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 887 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 888 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 889 .nla_policy = nf_ct_port_nla_policy, 890 #endif 891 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) 892 .ctnl_timeout = { 893 .nlattr_to_obj = dccp_timeout_nlattr_to_obj, 894 .obj_to_nlattr = dccp_timeout_obj_to_nlattr, 895 .nlattr_max = CTA_TIMEOUT_DCCP_MAX, 896 .obj_size = sizeof(unsigned int) * CT_DCCP_MAX, 897 .nla_policy = dccp_timeout_nla_policy, 898 }, 899 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ 900 .net_id = &dccp_net_id, 901 .init_net = dccp_init_net, 902 }; 903 904 static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = { 905 .l3proto = AF_INET6, 906 .l4proto = IPPROTO_DCCP, 907 .name = "dccp", 908 .pkt_to_tuple = dccp_pkt_to_tuple, 909 .invert_tuple = dccp_invert_tuple, 910 .new = dccp_new, 911 .packet = dccp_packet, 912 .get_timeouts = dccp_get_timeouts, 913 .error = dccp_error, 914 .print_tuple = dccp_print_tuple, 915 .print_conntrack = dccp_print_conntrack, 916 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 917 .to_nlattr = dccp_to_nlattr, 918 .nlattr_size = dccp_nlattr_size, 919 .from_nlattr = nlattr_to_dccp, 920 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 921 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 922 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 923 .nla_policy = nf_ct_port_nla_policy, 924 #endif 925 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) 926 .ctnl_timeout = { 927 .nlattr_to_obj = dccp_timeout_nlattr_to_obj, 928 .obj_to_nlattr = dccp_timeout_obj_to_nlattr, 929 .nlattr_max = CTA_TIMEOUT_DCCP_MAX, 930 .obj_size = sizeof(unsigned int) * CT_DCCP_MAX, 931 .nla_policy = dccp_timeout_nla_policy, 932 }, 933 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ 934 .net_id = &dccp_net_id, 935 .init_net = dccp_init_net, 936 }; 937 938 static __net_init int dccp_net_init(struct net *net) 939 { 940 int ret = 0; 941 ret = nf_ct_l4proto_pernet_register(net, &dccp_proto4); 942 if (ret < 0) { 943 pr_err("nf_conntrack_dccp4: pernet registration failed.\n"); 944 goto out; 945 } 946 ret = nf_ct_l4proto_pernet_register(net, &dccp_proto6); 947 if (ret < 0) { 948 pr_err("nf_conntrack_dccp6: pernet registration failed.\n"); 949 goto cleanup_dccp4; 950 } 951 return 0; 952 cleanup_dccp4: 953 nf_ct_l4proto_pernet_unregister(net, &dccp_proto4); 954 out: 955 return ret; 956 } 957 958 static __net_exit void dccp_net_exit(struct net *net) 959 { 960 nf_ct_l4proto_pernet_unregister(net, &dccp_proto6); 961 nf_ct_l4proto_pernet_unregister(net, &dccp_proto4); 962 } 963 964 static struct pernet_operations dccp_net_ops = { 965 .init = dccp_net_init, 966 .exit = dccp_net_exit, 967 .id = &dccp_net_id, 968 .size = sizeof(struct dccp_net), 969 }; 970 971 static int __init nf_conntrack_proto_dccp_init(void) 972 { 973 int ret; 974 975 ret = register_pernet_subsys(&dccp_net_ops); 976 if (ret < 0) 977 goto out_pernet; 978 979 ret = nf_ct_l4proto_register(&dccp_proto4); 980 if (ret < 0) 981 goto out_dccp4; 982 983 ret = nf_ct_l4proto_register(&dccp_proto6); 984 if (ret < 0) 985 goto out_dccp6; 986 987 return 0; 988 out_dccp6: 989 nf_ct_l4proto_unregister(&dccp_proto4); 990 out_dccp4: 991 unregister_pernet_subsys(&dccp_net_ops); 992 out_pernet: 993 return ret; 994 } 995 996 static void __exit nf_conntrack_proto_dccp_fini(void) 997 { 998 nf_ct_l4proto_unregister(&dccp_proto6); 999 nf_ct_l4proto_unregister(&dccp_proto4); 1000 unregister_pernet_subsys(&dccp_net_ops); 1001 } 1002 1003 module_init(nf_conntrack_proto_dccp_init); 1004 module_exit(nf_conntrack_proto_dccp_fini); 1005 1006 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 1007 MODULE_DESCRIPTION("DCCP connection tracking protocol helper"); 1008 MODULE_LICENSE("GPL"); 1009