1 /* 2 * Connection tracking protocol helper module for SCTP. 3 * 4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com> 5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net> 6 * 7 * SCTP is defined in RFC 2960. References to various sections in this code 8 * are to this RFC. 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License version 2 as 12 * published by the Free Software Foundation. 13 */ 14 15 #include <linux/types.h> 16 #include <linux/timer.h> 17 #include <linux/netfilter.h> 18 #include <linux/in.h> 19 #include <linux/ip.h> 20 #include <linux/sctp.h> 21 #include <linux/string.h> 22 #include <linux/seq_file.h> 23 #include <linux/spinlock.h> 24 #include <linux/interrupt.h> 25 #include <net/sctp/checksum.h> 26 27 #include <net/netfilter/nf_log.h> 28 #include <net/netfilter/nf_conntrack.h> 29 #include <net/netfilter/nf_conntrack_l4proto.h> 30 #include <net/netfilter/nf_conntrack_ecache.h> 31 #include <net/netfilter/nf_conntrack_timeout.h> 32 33 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more 34 closely. They're more complex. --RR 35 36 And so for me for SCTP :D -Kiran */ 37 38 static const char *const sctp_conntrack_names[] = { 39 "NONE", 40 "CLOSED", 41 "COOKIE_WAIT", 42 "COOKIE_ECHOED", 43 "ESTABLISHED", 44 "SHUTDOWN_SENT", 45 "SHUTDOWN_RECD", 46 "SHUTDOWN_ACK_SENT", 47 "HEARTBEAT_SENT", 48 "HEARTBEAT_ACKED", 49 }; 50 51 #define SECS * HZ 52 #define MINS * 60 SECS 53 #define HOURS * 60 MINS 54 #define DAYS * 24 HOURS 55 56 static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = { 57 [SCTP_CONNTRACK_CLOSED] = 10 SECS, 58 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS, 59 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS, 60 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS, 61 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000, 62 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000, 63 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS, 64 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS, 65 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS, 66 }; 67 68 #define sNO SCTP_CONNTRACK_NONE 69 #define sCL SCTP_CONNTRACK_CLOSED 70 #define sCW SCTP_CONNTRACK_COOKIE_WAIT 71 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED 72 #define sES SCTP_CONNTRACK_ESTABLISHED 73 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT 74 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD 75 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT 76 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT 77 #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED 78 #define sIV SCTP_CONNTRACK_MAX 79 80 /* 81 These are the descriptions of the states: 82 83 NOTE: These state names are tantalizingly similar to the states of an 84 SCTP endpoint. But the interpretation of the states is a little different, 85 considering that these are the states of the connection and not of an end 86 point. Please note the subtleties. -Kiran 87 88 NONE - Nothing so far. 89 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also 90 an INIT_ACK chunk in the reply direction. 91 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. 92 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. 93 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. 94 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin. 95 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite 96 to that of the SHUTDOWN chunk. 97 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of 98 the SHUTDOWN chunk. Connection is closed. 99 HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow. 100 HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to 101 that of the HEARTBEAT chunk. Secondary connection is 102 established. 103 */ 104 105 /* TODO 106 - I have assumed that the first INIT is in the original direction. 107 This messes things when an INIT comes in the reply direction in CLOSED 108 state. 109 - Check the error type in the reply dir before transitioning from 110 cookie echoed to closed. 111 - Sec 5.2.4 of RFC 2960 112 - Full Multi Homing support. 113 */ 114 115 /* SCTP conntrack state transitions */ 116 static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = { 117 { 118 /* ORIGINAL */ 119 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */ 120 /* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA}, 121 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA}, 122 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, 123 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS}, 124 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA}, 125 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/ 126 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */ 127 /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */ 128 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA}, 129 /* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}, 130 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA} 131 }, 132 { 133 /* REPLY */ 134 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */ 135 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */ 136 /* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA}, 137 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL}, 138 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR}, 139 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA}, 140 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA}, 141 /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */ 142 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA}, 143 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA}, 144 /* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}, 145 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA} 146 } 147 }; 148 149 #ifdef CONFIG_NF_CONNTRACK_PROCFS 150 /* Print out the private part of the conntrack. */ 151 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) 152 { 153 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]); 154 } 155 #endif 156 157 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ 158 for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ 159 (offset) < (skb)->len && \ 160 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ 161 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) 162 163 /* Some validity checks to make sure the chunks are fine */ 164 static int do_basic_checks(struct nf_conn *ct, 165 const struct sk_buff *skb, 166 unsigned int dataoff, 167 unsigned long *map) 168 { 169 u_int32_t offset, count; 170 struct sctp_chunkhdr _sch, *sch; 171 int flag; 172 173 flag = 0; 174 175 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 176 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type); 177 178 if (sch->type == SCTP_CID_INIT || 179 sch->type == SCTP_CID_INIT_ACK || 180 sch->type == SCTP_CID_SHUTDOWN_COMPLETE) 181 flag = 1; 182 183 /* 184 * Cookie Ack/Echo chunks not the first OR 185 * Init / Init Ack / Shutdown compl chunks not the only chunks 186 * OR zero-length. 187 */ 188 if (((sch->type == SCTP_CID_COOKIE_ACK || 189 sch->type == SCTP_CID_COOKIE_ECHO || 190 flag) && 191 count != 0) || !sch->length) { 192 pr_debug("Basic checks failed\n"); 193 return 1; 194 } 195 196 if (map) 197 set_bit(sch->type, map); 198 } 199 200 pr_debug("Basic checks passed\n"); 201 return count == 0; 202 } 203 204 static int sctp_new_state(enum ip_conntrack_dir dir, 205 enum sctp_conntrack cur_state, 206 int chunk_type) 207 { 208 int i; 209 210 pr_debug("Chunk type: %d\n", chunk_type); 211 212 switch (chunk_type) { 213 case SCTP_CID_INIT: 214 pr_debug("SCTP_CID_INIT\n"); 215 i = 0; 216 break; 217 case SCTP_CID_INIT_ACK: 218 pr_debug("SCTP_CID_INIT_ACK\n"); 219 i = 1; 220 break; 221 case SCTP_CID_ABORT: 222 pr_debug("SCTP_CID_ABORT\n"); 223 i = 2; 224 break; 225 case SCTP_CID_SHUTDOWN: 226 pr_debug("SCTP_CID_SHUTDOWN\n"); 227 i = 3; 228 break; 229 case SCTP_CID_SHUTDOWN_ACK: 230 pr_debug("SCTP_CID_SHUTDOWN_ACK\n"); 231 i = 4; 232 break; 233 case SCTP_CID_ERROR: 234 pr_debug("SCTP_CID_ERROR\n"); 235 i = 5; 236 break; 237 case SCTP_CID_COOKIE_ECHO: 238 pr_debug("SCTP_CID_COOKIE_ECHO\n"); 239 i = 6; 240 break; 241 case SCTP_CID_COOKIE_ACK: 242 pr_debug("SCTP_CID_COOKIE_ACK\n"); 243 i = 7; 244 break; 245 case SCTP_CID_SHUTDOWN_COMPLETE: 246 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n"); 247 i = 8; 248 break; 249 case SCTP_CID_HEARTBEAT: 250 pr_debug("SCTP_CID_HEARTBEAT"); 251 i = 9; 252 break; 253 case SCTP_CID_HEARTBEAT_ACK: 254 pr_debug("SCTP_CID_HEARTBEAT_ACK"); 255 i = 10; 256 break; 257 default: 258 /* Other chunks like DATA or SACK do not change the state */ 259 pr_debug("Unknown chunk type, Will stay in %s\n", 260 sctp_conntrack_names[cur_state]); 261 return cur_state; 262 } 263 264 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n", 265 dir, sctp_conntrack_names[cur_state], chunk_type, 266 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]); 267 268 return sctp_conntracks[dir][i][cur_state]; 269 } 270 271 /* Don't need lock here: this conntrack not in circulation yet */ 272 static noinline bool 273 sctp_new(struct nf_conn *ct, const struct sk_buff *skb, 274 const struct sctphdr *sh, unsigned int dataoff) 275 { 276 enum sctp_conntrack new_state; 277 const struct sctp_chunkhdr *sch; 278 struct sctp_chunkhdr _sch; 279 u32 offset, count; 280 281 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp)); 282 new_state = SCTP_CONNTRACK_MAX; 283 for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) { 284 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL, 285 SCTP_CONNTRACK_NONE, sch->type); 286 287 /* Invalid: delete conntrack */ 288 if (new_state == SCTP_CONNTRACK_NONE || 289 new_state == SCTP_CONNTRACK_MAX) { 290 pr_debug("nf_conntrack_sctp: invalid new deleting.\n"); 291 return false; 292 } 293 294 /* Copy the vtag into the state info */ 295 if (sch->type == SCTP_CID_INIT) { 296 struct sctp_inithdr _inithdr, *ih; 297 /* Sec 8.5.1 (A) */ 298 if (sh->vtag) 299 return false; 300 301 ih = skb_header_pointer(skb, offset + sizeof(_sch), 302 sizeof(_inithdr), &_inithdr); 303 if (!ih) 304 return false; 305 306 pr_debug("Setting vtag %x for new conn\n", 307 ih->init_tag); 308 309 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag; 310 } else if (sch->type == SCTP_CID_HEARTBEAT) { 311 pr_debug("Setting vtag %x for secondary conntrack\n", 312 sh->vtag); 313 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag; 314 } else { 315 /* If it is a shutdown ack OOTB packet, we expect a return 316 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ 317 pr_debug("Setting vtag %x for new conn OOTB\n", 318 sh->vtag); 319 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; 320 } 321 322 ct->proto.sctp.state = new_state; 323 } 324 325 return true; 326 } 327 328 static bool sctp_error(struct sk_buff *skb, 329 unsigned int dataoff, 330 const struct nf_hook_state *state) 331 { 332 const struct sctphdr *sh; 333 const char *logmsg; 334 335 if (skb->len < dataoff + sizeof(struct sctphdr)) { 336 logmsg = "nf_ct_sctp: short packet "; 337 goto out_invalid; 338 } 339 if (state->hook == NF_INET_PRE_ROUTING && 340 state->net->ct.sysctl_checksum && 341 skb->ip_summed == CHECKSUM_NONE) { 342 if (!skb_make_writable(skb, dataoff + sizeof(struct sctphdr))) { 343 logmsg = "nf_ct_sctp: failed to read header "; 344 goto out_invalid; 345 } 346 sh = (const struct sctphdr *)(skb->data + dataoff); 347 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) { 348 logmsg = "nf_ct_sctp: bad CRC "; 349 goto out_invalid; 350 } 351 skb->ip_summed = CHECKSUM_UNNECESSARY; 352 } 353 return false; 354 out_invalid: 355 nf_l4proto_log_invalid(skb, state->net, state->pf, IPPROTO_SCTP, "%s", logmsg); 356 return true; 357 } 358 359 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */ 360 int nf_conntrack_sctp_packet(struct nf_conn *ct, 361 struct sk_buff *skb, 362 unsigned int dataoff, 363 enum ip_conntrack_info ctinfo, 364 const struct nf_hook_state *state) 365 { 366 enum sctp_conntrack new_state, old_state; 367 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 368 const struct sctphdr *sh; 369 struct sctphdr _sctph; 370 const struct sctp_chunkhdr *sch; 371 struct sctp_chunkhdr _sch; 372 u_int32_t offset, count; 373 unsigned int *timeouts; 374 unsigned long map[256 / sizeof(unsigned long)] = { 0 }; 375 376 if (sctp_error(skb, dataoff, state)) 377 return -NF_ACCEPT; 378 379 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); 380 if (sh == NULL) 381 goto out; 382 383 if (do_basic_checks(ct, skb, dataoff, map) != 0) 384 goto out; 385 386 if (!nf_ct_is_confirmed(ct)) { 387 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */ 388 if (test_bit(SCTP_CID_ABORT, map) || 389 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) || 390 test_bit(SCTP_CID_COOKIE_ACK, map)) 391 return -NF_ACCEPT; 392 393 if (!sctp_new(ct, skb, sh, dataoff)) 394 return -NF_ACCEPT; 395 } 396 397 /* Check the verification tag (Sec 8.5) */ 398 if (!test_bit(SCTP_CID_INIT, map) && 399 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) && 400 !test_bit(SCTP_CID_COOKIE_ECHO, map) && 401 !test_bit(SCTP_CID_ABORT, map) && 402 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) && 403 !test_bit(SCTP_CID_HEARTBEAT, map) && 404 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) && 405 sh->vtag != ct->proto.sctp.vtag[dir]) { 406 pr_debug("Verification tag check failed\n"); 407 goto out; 408 } 409 410 old_state = new_state = SCTP_CONNTRACK_NONE; 411 spin_lock_bh(&ct->lock); 412 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 413 /* Special cases of Verification tag check (Sec 8.5.1) */ 414 if (sch->type == SCTP_CID_INIT) { 415 /* Sec 8.5.1 (A) */ 416 if (sh->vtag != 0) 417 goto out_unlock; 418 } else if (sch->type == SCTP_CID_ABORT) { 419 /* Sec 8.5.1 (B) */ 420 if (sh->vtag != ct->proto.sctp.vtag[dir] && 421 sh->vtag != ct->proto.sctp.vtag[!dir]) 422 goto out_unlock; 423 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { 424 /* Sec 8.5.1 (C) */ 425 if (sh->vtag != ct->proto.sctp.vtag[dir] && 426 sh->vtag != ct->proto.sctp.vtag[!dir] && 427 sch->flags & SCTP_CHUNK_FLAG_T) 428 goto out_unlock; 429 } else if (sch->type == SCTP_CID_COOKIE_ECHO) { 430 /* Sec 8.5.1 (D) */ 431 if (sh->vtag != ct->proto.sctp.vtag[dir]) 432 goto out_unlock; 433 } else if (sch->type == SCTP_CID_HEARTBEAT || 434 sch->type == SCTP_CID_HEARTBEAT_ACK) { 435 if (ct->proto.sctp.vtag[dir] == 0) { 436 pr_debug("Setting vtag %x for dir %d\n", 437 sh->vtag, dir); 438 ct->proto.sctp.vtag[dir] = sh->vtag; 439 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { 440 pr_debug("Verification tag check failed\n"); 441 goto out_unlock; 442 } 443 } 444 445 old_state = ct->proto.sctp.state; 446 new_state = sctp_new_state(dir, old_state, sch->type); 447 448 /* Invalid */ 449 if (new_state == SCTP_CONNTRACK_MAX) { 450 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u " 451 "conntrack=%u\n", 452 dir, sch->type, old_state); 453 goto out_unlock; 454 } 455 456 /* If it is an INIT or an INIT ACK note down the vtag */ 457 if (sch->type == SCTP_CID_INIT || 458 sch->type == SCTP_CID_INIT_ACK) { 459 struct sctp_inithdr _inithdr, *ih; 460 461 ih = skb_header_pointer(skb, offset + sizeof(_sch), 462 sizeof(_inithdr), &_inithdr); 463 if (ih == NULL) 464 goto out_unlock; 465 pr_debug("Setting vtag %x for dir %d\n", 466 ih->init_tag, !dir); 467 ct->proto.sctp.vtag[!dir] = ih->init_tag; 468 } 469 470 ct->proto.sctp.state = new_state; 471 if (old_state != new_state) 472 nf_conntrack_event_cache(IPCT_PROTOINFO, ct); 473 } 474 spin_unlock_bh(&ct->lock); 475 476 timeouts = nf_ct_timeout_lookup(ct); 477 if (!timeouts) 478 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts; 479 480 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]); 481 482 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED && 483 dir == IP_CT_DIR_REPLY && 484 new_state == SCTP_CONNTRACK_ESTABLISHED) { 485 pr_debug("Setting assured bit\n"); 486 set_bit(IPS_ASSURED_BIT, &ct->status); 487 nf_conntrack_event_cache(IPCT_ASSURED, ct); 488 } 489 490 return NF_ACCEPT; 491 492 out_unlock: 493 spin_unlock_bh(&ct->lock); 494 out: 495 return -NF_ACCEPT; 496 } 497 498 static bool sctp_can_early_drop(const struct nf_conn *ct) 499 { 500 switch (ct->proto.sctp.state) { 501 case SCTP_CONNTRACK_SHUTDOWN_SENT: 502 case SCTP_CONNTRACK_SHUTDOWN_RECD: 503 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT: 504 return true; 505 default: 506 break; 507 } 508 509 return false; 510 } 511 512 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 513 514 #include <linux/netfilter/nfnetlink.h> 515 #include <linux/netfilter/nfnetlink_conntrack.h> 516 517 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, 518 struct nf_conn *ct) 519 { 520 struct nlattr *nest_parms; 521 522 spin_lock_bh(&ct->lock); 523 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED); 524 if (!nest_parms) 525 goto nla_put_failure; 526 527 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) || 528 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL, 529 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) || 530 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY, 531 ct->proto.sctp.vtag[IP_CT_DIR_REPLY])) 532 goto nla_put_failure; 533 534 spin_unlock_bh(&ct->lock); 535 536 nla_nest_end(skb, nest_parms); 537 538 return 0; 539 540 nla_put_failure: 541 spin_unlock_bh(&ct->lock); 542 return -1; 543 } 544 545 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = { 546 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 }, 547 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 }, 548 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 }, 549 }; 550 551 #define SCTP_NLATTR_SIZE ( \ 552 NLA_ALIGN(NLA_HDRLEN + 1) + \ 553 NLA_ALIGN(NLA_HDRLEN + 4) + \ 554 NLA_ALIGN(NLA_HDRLEN + 4)) 555 556 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct) 557 { 558 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP]; 559 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1]; 560 int err; 561 562 /* updates may not contain the internal protocol info, skip parsing */ 563 if (!attr) 564 return 0; 565 566 err = nla_parse_nested(tb, CTA_PROTOINFO_SCTP_MAX, attr, 567 sctp_nla_policy, NULL); 568 if (err < 0) 569 return err; 570 571 if (!tb[CTA_PROTOINFO_SCTP_STATE] || 572 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] || 573 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]) 574 return -EINVAL; 575 576 spin_lock_bh(&ct->lock); 577 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]); 578 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = 579 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]); 580 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = 581 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]); 582 spin_unlock_bh(&ct->lock); 583 584 return 0; 585 } 586 #endif 587 588 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 589 590 #include <linux/netfilter/nfnetlink.h> 591 #include <linux/netfilter/nfnetlink_cttimeout.h> 592 593 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], 594 struct net *net, void *data) 595 { 596 unsigned int *timeouts = data; 597 struct nf_sctp_net *sn = nf_sctp_pernet(net); 598 int i; 599 600 /* set default SCTP timeouts. */ 601 for (i=0; i<SCTP_CONNTRACK_MAX; i++) 602 timeouts[i] = sn->timeouts[i]; 603 604 /* there's a 1:1 mapping between attributes and protocol states. */ 605 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { 606 if (tb[i]) { 607 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ; 608 } 609 } 610 611 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED]; 612 return 0; 613 } 614 615 static int 616 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data) 617 { 618 const unsigned int *timeouts = data; 619 int i; 620 621 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { 622 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ))) 623 goto nla_put_failure; 624 } 625 return 0; 626 627 nla_put_failure: 628 return -ENOSPC; 629 } 630 631 static const struct nla_policy 632 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = { 633 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 }, 634 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 }, 635 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 }, 636 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 }, 637 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 }, 638 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 }, 639 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 }, 640 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 }, 641 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 }, 642 }; 643 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 644 645 void nf_conntrack_sctp_init_net(struct net *net) 646 { 647 struct nf_sctp_net *sn = nf_sctp_pernet(net); 648 int i; 649 650 for (i = 0; i < SCTP_CONNTRACK_MAX; i++) 651 sn->timeouts[i] = sctp_timeouts[i]; 652 653 /* timeouts[0] is unused, init it so ->timeouts[0] contains 654 * 'new' timeout, like udp or icmp. 655 */ 656 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED]; 657 } 658 659 const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = { 660 .l4proto = IPPROTO_SCTP, 661 #ifdef CONFIG_NF_CONNTRACK_PROCFS 662 .print_conntrack = sctp_print_conntrack, 663 #endif 664 .can_early_drop = sctp_can_early_drop, 665 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 666 .nlattr_size = SCTP_NLATTR_SIZE, 667 .to_nlattr = sctp_to_nlattr, 668 .from_nlattr = nlattr_to_sctp, 669 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 670 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 671 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 672 .nla_policy = nf_ct_port_nla_policy, 673 #endif 674 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 675 .ctnl_timeout = { 676 .nlattr_to_obj = sctp_timeout_nlattr_to_obj, 677 .obj_to_nlattr = sctp_timeout_obj_to_nlattr, 678 .nlattr_max = CTA_TIMEOUT_SCTP_MAX, 679 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX, 680 .nla_policy = sctp_timeout_nla_policy, 681 }, 682 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 683 }; 684