1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Connection tracking protocol helper module for SCTP. 4 * 5 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com> 6 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net> 7 * 8 * SCTP is defined in RFC 2960. References to various sections in this code 9 * are to this RFC. 10 */ 11 12 #include <linux/types.h> 13 #include <linux/timer.h> 14 #include <linux/netfilter.h> 15 #include <linux/in.h> 16 #include <linux/ip.h> 17 #include <linux/sctp.h> 18 #include <linux/string.h> 19 #include <linux/seq_file.h> 20 #include <linux/spinlock.h> 21 #include <linux/interrupt.h> 22 #include <net/sctp/checksum.h> 23 24 #include <net/netfilter/nf_log.h> 25 #include <net/netfilter/nf_conntrack.h> 26 #include <net/netfilter/nf_conntrack_l4proto.h> 27 #include <net/netfilter/nf_conntrack_ecache.h> 28 #include <net/netfilter/nf_conntrack_timeout.h> 29 30 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more 31 closely. They're more complex. --RR 32 33 And so for me for SCTP :D -Kiran */ 34 35 static const char *const sctp_conntrack_names[] = { 36 "NONE", 37 "CLOSED", 38 "COOKIE_WAIT", 39 "COOKIE_ECHOED", 40 "ESTABLISHED", 41 "SHUTDOWN_SENT", 42 "SHUTDOWN_RECD", 43 "SHUTDOWN_ACK_SENT", 44 "HEARTBEAT_SENT", 45 "HEARTBEAT_ACKED", 46 }; 47 48 #define SECS * HZ 49 #define MINS * 60 SECS 50 #define HOURS * 60 MINS 51 #define DAYS * 24 HOURS 52 53 static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = { 54 [SCTP_CONNTRACK_CLOSED] = 10 SECS, 55 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS, 56 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS, 57 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS, 58 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000, 59 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000, 60 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS, 61 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS, 62 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS, 63 [SCTP_CONNTRACK_DATA_SENT] = 30 SECS, 64 }; 65 66 #define SCTP_FLAG_HEARTBEAT_VTAG_FAILED 1 67 68 #define sNO SCTP_CONNTRACK_NONE 69 #define sCL SCTP_CONNTRACK_CLOSED 70 #define sCW SCTP_CONNTRACK_COOKIE_WAIT 71 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED 72 #define sES SCTP_CONNTRACK_ESTABLISHED 73 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT 74 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD 75 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT 76 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT 77 #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED 78 #define sDS SCTP_CONNTRACK_DATA_SENT 79 #define sIV SCTP_CONNTRACK_MAX 80 81 /* 82 These are the descriptions of the states: 83 84 NOTE: These state names are tantalizingly similar to the states of an 85 SCTP endpoint. But the interpretation of the states is a little different, 86 considering that these are the states of the connection and not of an end 87 point. Please note the subtleties. -Kiran 88 89 NONE - Nothing so far. 90 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also 91 an INIT_ACK chunk in the reply direction. 92 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. 93 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. 94 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. 95 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply direction. 96 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite 97 to that of the SHUTDOWN chunk. 98 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of 99 the SHUTDOWN chunk. Connection is closed. 100 HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow. 101 HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK/DATA/SACK in the direction 102 opposite to that of the HEARTBEAT/DATA chunk. Secondary connection 103 is established. 104 DATA_SENT - We have seen a DATA/SACK in a new flow. 105 */ 106 107 /* TODO 108 - I have assumed that the first INIT is in the original direction. 109 This messes things when an INIT comes in the reply direction in CLOSED 110 state. 111 - Check the error type in the reply dir before transitioning from 112 cookie echoed to closed. 113 - Sec 5.2.4 of RFC 2960 114 - Full Multi Homing support. 115 */ 116 117 /* SCTP conntrack state transitions */ 118 static const u8 sctp_conntracks[2][12][SCTP_CONNTRACK_MAX] = { 119 { 120 /* ORIGINAL */ 121 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS */ 122 /* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA, sCW}, 123 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL}, 124 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, 125 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS, sCL}, 126 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA, sSA}, 127 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* Can't have Stale cookie*/ 128 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* 5.2.4 - Big TODO */ 129 /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* Can't come in orig dir */ 130 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA, sCL}, 131 /* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS}, 132 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS}, 133 /* data/sack */ {sDS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS} 134 }, 135 { 136 /* REPLY */ 137 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS */ 138 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV},/* INIT in sCL Big TODO */ 139 /* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV}, 140 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL, sIV}, 141 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR, sIV}, 142 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA, sIV}, 143 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA, sIV}, 144 /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV},/* Can't come in reply dir */ 145 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA, sIV}, 146 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA, sIV}, 147 /* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sHA}, 148 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA, sHA}, 149 /* data/sack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA, sHA}, 150 } 151 }; 152 153 #ifdef CONFIG_NF_CONNTRACK_PROCFS 154 /* Print out the private part of the conntrack. */ 155 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) 156 { 157 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]); 158 } 159 #endif 160 161 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ 162 for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ 163 (offset) < (skb)->len && \ 164 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ 165 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) 166 167 /* Some validity checks to make sure the chunks are fine */ 168 static int do_basic_checks(struct nf_conn *ct, 169 const struct sk_buff *skb, 170 unsigned int dataoff, 171 unsigned long *map) 172 { 173 u_int32_t offset, count; 174 struct sctp_chunkhdr _sch, *sch; 175 int flag; 176 177 flag = 0; 178 179 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 180 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type); 181 182 if (sch->type == SCTP_CID_INIT || 183 sch->type == SCTP_CID_INIT_ACK || 184 sch->type == SCTP_CID_SHUTDOWN_COMPLETE) 185 flag = 1; 186 187 /* 188 * Cookie Ack/Echo chunks not the first OR 189 * Init / Init Ack / Shutdown compl chunks not the only chunks 190 * OR zero-length. 191 */ 192 if (((sch->type == SCTP_CID_COOKIE_ACK || 193 sch->type == SCTP_CID_COOKIE_ECHO || 194 flag) && 195 count != 0) || !sch->length) { 196 pr_debug("Basic checks failed\n"); 197 return 1; 198 } 199 200 if (map) 201 set_bit(sch->type, map); 202 } 203 204 pr_debug("Basic checks passed\n"); 205 return count == 0; 206 } 207 208 static int sctp_new_state(enum ip_conntrack_dir dir, 209 enum sctp_conntrack cur_state, 210 int chunk_type) 211 { 212 int i; 213 214 pr_debug("Chunk type: %d\n", chunk_type); 215 216 switch (chunk_type) { 217 case SCTP_CID_INIT: 218 pr_debug("SCTP_CID_INIT\n"); 219 i = 0; 220 break; 221 case SCTP_CID_INIT_ACK: 222 pr_debug("SCTP_CID_INIT_ACK\n"); 223 i = 1; 224 break; 225 case SCTP_CID_ABORT: 226 pr_debug("SCTP_CID_ABORT\n"); 227 i = 2; 228 break; 229 case SCTP_CID_SHUTDOWN: 230 pr_debug("SCTP_CID_SHUTDOWN\n"); 231 i = 3; 232 break; 233 case SCTP_CID_SHUTDOWN_ACK: 234 pr_debug("SCTP_CID_SHUTDOWN_ACK\n"); 235 i = 4; 236 break; 237 case SCTP_CID_ERROR: 238 pr_debug("SCTP_CID_ERROR\n"); 239 i = 5; 240 break; 241 case SCTP_CID_COOKIE_ECHO: 242 pr_debug("SCTP_CID_COOKIE_ECHO\n"); 243 i = 6; 244 break; 245 case SCTP_CID_COOKIE_ACK: 246 pr_debug("SCTP_CID_COOKIE_ACK\n"); 247 i = 7; 248 break; 249 case SCTP_CID_SHUTDOWN_COMPLETE: 250 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n"); 251 i = 8; 252 break; 253 case SCTP_CID_HEARTBEAT: 254 pr_debug("SCTP_CID_HEARTBEAT"); 255 i = 9; 256 break; 257 case SCTP_CID_HEARTBEAT_ACK: 258 pr_debug("SCTP_CID_HEARTBEAT_ACK"); 259 i = 10; 260 break; 261 case SCTP_CID_DATA: 262 case SCTP_CID_SACK: 263 pr_debug("SCTP_CID_DATA/SACK"); 264 i = 11; 265 break; 266 default: 267 /* Other chunks like DATA or SACK do not change the state */ 268 pr_debug("Unknown chunk type, Will stay in %s\n", 269 sctp_conntrack_names[cur_state]); 270 return cur_state; 271 } 272 273 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n", 274 dir, sctp_conntrack_names[cur_state], chunk_type, 275 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]); 276 277 return sctp_conntracks[dir][i][cur_state]; 278 } 279 280 /* Don't need lock here: this conntrack not in circulation yet */ 281 static noinline bool 282 sctp_new(struct nf_conn *ct, const struct sk_buff *skb, 283 const struct sctphdr *sh, unsigned int dataoff) 284 { 285 enum sctp_conntrack new_state; 286 const struct sctp_chunkhdr *sch; 287 struct sctp_chunkhdr _sch; 288 u32 offset, count; 289 290 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp)); 291 new_state = SCTP_CONNTRACK_MAX; 292 for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) { 293 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL, 294 SCTP_CONNTRACK_NONE, sch->type); 295 296 /* Invalid: delete conntrack */ 297 if (new_state == SCTP_CONNTRACK_NONE || 298 new_state == SCTP_CONNTRACK_MAX) { 299 pr_debug("nf_conntrack_sctp: invalid new deleting.\n"); 300 return false; 301 } 302 303 /* Copy the vtag into the state info */ 304 if (sch->type == SCTP_CID_INIT) { 305 struct sctp_inithdr _inithdr, *ih; 306 /* Sec 8.5.1 (A) */ 307 if (sh->vtag) 308 return false; 309 310 ih = skb_header_pointer(skb, offset + sizeof(_sch), 311 sizeof(_inithdr), &_inithdr); 312 if (!ih) 313 return false; 314 315 pr_debug("Setting vtag %x for new conn\n", 316 ih->init_tag); 317 318 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag; 319 } else if (sch->type == SCTP_CID_HEARTBEAT || 320 sch->type == SCTP_CID_DATA || 321 sch->type == SCTP_CID_SACK) { 322 pr_debug("Setting vtag %x for secondary conntrack\n", 323 sh->vtag); 324 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag; 325 } else { 326 /* If it is a shutdown ack OOTB packet, we expect a return 327 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ 328 pr_debug("Setting vtag %x for new conn OOTB\n", 329 sh->vtag); 330 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; 331 } 332 333 ct->proto.sctp.state = SCTP_CONNTRACK_NONE; 334 } 335 336 return true; 337 } 338 339 static bool sctp_error(struct sk_buff *skb, 340 unsigned int dataoff, 341 const struct nf_hook_state *state) 342 { 343 const struct sctphdr *sh; 344 const char *logmsg; 345 346 if (skb->len < dataoff + sizeof(struct sctphdr)) { 347 logmsg = "nf_ct_sctp: short packet "; 348 goto out_invalid; 349 } 350 if (state->hook == NF_INET_PRE_ROUTING && 351 state->net->ct.sysctl_checksum && 352 skb->ip_summed == CHECKSUM_NONE) { 353 if (skb_ensure_writable(skb, dataoff + sizeof(*sh))) { 354 logmsg = "nf_ct_sctp: failed to read header "; 355 goto out_invalid; 356 } 357 sh = (const struct sctphdr *)(skb->data + dataoff); 358 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) { 359 logmsg = "nf_ct_sctp: bad CRC "; 360 goto out_invalid; 361 } 362 skb->ip_summed = CHECKSUM_UNNECESSARY; 363 } 364 return false; 365 out_invalid: 366 nf_l4proto_log_invalid(skb, state, IPPROTO_SCTP, "%s", logmsg); 367 return true; 368 } 369 370 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */ 371 int nf_conntrack_sctp_packet(struct nf_conn *ct, 372 struct sk_buff *skb, 373 unsigned int dataoff, 374 enum ip_conntrack_info ctinfo, 375 const struct nf_hook_state *state) 376 { 377 enum sctp_conntrack new_state, old_state; 378 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 379 const struct sctphdr *sh; 380 struct sctphdr _sctph; 381 const struct sctp_chunkhdr *sch; 382 struct sctp_chunkhdr _sch; 383 u_int32_t offset, count; 384 unsigned int *timeouts; 385 unsigned long map[256 / sizeof(unsigned long)] = { 0 }; 386 bool ignore = false; 387 388 if (sctp_error(skb, dataoff, state)) 389 return -NF_ACCEPT; 390 391 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); 392 if (sh == NULL) 393 goto out; 394 395 if (do_basic_checks(ct, skb, dataoff, map) != 0) 396 goto out; 397 398 if (!nf_ct_is_confirmed(ct)) { 399 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */ 400 if (test_bit(SCTP_CID_ABORT, map) || 401 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) || 402 test_bit(SCTP_CID_COOKIE_ACK, map)) 403 return -NF_ACCEPT; 404 405 if (!sctp_new(ct, skb, sh, dataoff)) 406 return -NF_ACCEPT; 407 } else { 408 /* Check the verification tag (Sec 8.5) */ 409 if (!test_bit(SCTP_CID_INIT, map) && 410 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) && 411 !test_bit(SCTP_CID_COOKIE_ECHO, map) && 412 !test_bit(SCTP_CID_ABORT, map) && 413 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) && 414 !test_bit(SCTP_CID_HEARTBEAT, map) && 415 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) && 416 sh->vtag != ct->proto.sctp.vtag[dir]) { 417 pr_debug("Verification tag check failed\n"); 418 goto out; 419 } 420 } 421 422 old_state = new_state = SCTP_CONNTRACK_NONE; 423 spin_lock_bh(&ct->lock); 424 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 425 /* Special cases of Verification tag check (Sec 8.5.1) */ 426 if (sch->type == SCTP_CID_INIT) { 427 /* Sec 8.5.1 (A) */ 428 if (sh->vtag != 0) 429 goto out_unlock; 430 } else if (sch->type == SCTP_CID_ABORT) { 431 /* Sec 8.5.1 (B) */ 432 if (sh->vtag != ct->proto.sctp.vtag[dir] && 433 sh->vtag != ct->proto.sctp.vtag[!dir]) 434 goto out_unlock; 435 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { 436 /* Sec 8.5.1 (C) */ 437 if (sh->vtag != ct->proto.sctp.vtag[dir] && 438 sh->vtag != ct->proto.sctp.vtag[!dir] && 439 sch->flags & SCTP_CHUNK_FLAG_T) 440 goto out_unlock; 441 } else if (sch->type == SCTP_CID_COOKIE_ECHO) { 442 /* Sec 8.5.1 (D) */ 443 if (sh->vtag != ct->proto.sctp.vtag[dir]) 444 goto out_unlock; 445 } else if (sch->type == SCTP_CID_HEARTBEAT) { 446 if (ct->proto.sctp.vtag[dir] == 0) { 447 pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir); 448 ct->proto.sctp.vtag[dir] = sh->vtag; 449 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { 450 if (test_bit(SCTP_CID_DATA, map) || ignore) 451 goto out_unlock; 452 453 ct->proto.sctp.flags |= SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 454 ct->proto.sctp.last_dir = dir; 455 ignore = true; 456 continue; 457 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { 458 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 459 } 460 } else if (sch->type == SCTP_CID_HEARTBEAT_ACK) { 461 if (ct->proto.sctp.vtag[dir] == 0) { 462 pr_debug("Setting vtag %x for dir %d\n", 463 sh->vtag, dir); 464 ct->proto.sctp.vtag[dir] = sh->vtag; 465 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { 466 if (test_bit(SCTP_CID_DATA, map) || ignore) 467 goto out_unlock; 468 469 if ((ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) == 0 || 470 ct->proto.sctp.last_dir == dir) 471 goto out_unlock; 472 473 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 474 ct->proto.sctp.vtag[dir] = sh->vtag; 475 ct->proto.sctp.vtag[!dir] = 0; 476 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { 477 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 478 } 479 } else if (sch->type == SCTP_CID_DATA || sch->type == SCTP_CID_SACK) { 480 if (ct->proto.sctp.vtag[dir] == 0) { 481 pr_debug("Setting vtag %x for dir %d\n", sh->vtag, dir); 482 ct->proto.sctp.vtag[dir] = sh->vtag; 483 } 484 } 485 486 old_state = ct->proto.sctp.state; 487 new_state = sctp_new_state(dir, old_state, sch->type); 488 489 /* Invalid */ 490 if (new_state == SCTP_CONNTRACK_MAX) { 491 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u " 492 "conntrack=%u\n", 493 dir, sch->type, old_state); 494 goto out_unlock; 495 } 496 497 /* If it is an INIT or an INIT ACK note down the vtag */ 498 if (sch->type == SCTP_CID_INIT || 499 sch->type == SCTP_CID_INIT_ACK) { 500 struct sctp_inithdr _inithdr, *ih; 501 502 ih = skb_header_pointer(skb, offset + sizeof(_sch), 503 sizeof(_inithdr), &_inithdr); 504 if (ih == NULL) 505 goto out_unlock; 506 pr_debug("Setting vtag %x for dir %d\n", 507 ih->init_tag, !dir); 508 ct->proto.sctp.vtag[!dir] = ih->init_tag; 509 510 /* don't renew timeout on init retransmit so 511 * port reuse by client or NAT middlebox cannot 512 * keep entry alive indefinitely (incl. nat info). 513 */ 514 if (new_state == SCTP_CONNTRACK_CLOSED && 515 old_state == SCTP_CONNTRACK_CLOSED && 516 nf_ct_is_confirmed(ct)) 517 ignore = true; 518 } 519 520 ct->proto.sctp.state = new_state; 521 if (old_state != new_state) 522 nf_conntrack_event_cache(IPCT_PROTOINFO, ct); 523 } 524 spin_unlock_bh(&ct->lock); 525 526 /* allow but do not refresh timeout */ 527 if (ignore) 528 return NF_ACCEPT; 529 530 timeouts = nf_ct_timeout_lookup(ct); 531 if (!timeouts) 532 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts; 533 534 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]); 535 536 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED && 537 dir == IP_CT_DIR_REPLY && 538 new_state == SCTP_CONNTRACK_ESTABLISHED) { 539 pr_debug("Setting assured bit\n"); 540 set_bit(IPS_ASSURED_BIT, &ct->status); 541 nf_conntrack_event_cache(IPCT_ASSURED, ct); 542 } 543 544 return NF_ACCEPT; 545 546 out_unlock: 547 spin_unlock_bh(&ct->lock); 548 out: 549 return -NF_ACCEPT; 550 } 551 552 static bool sctp_can_early_drop(const struct nf_conn *ct) 553 { 554 switch (ct->proto.sctp.state) { 555 case SCTP_CONNTRACK_SHUTDOWN_SENT: 556 case SCTP_CONNTRACK_SHUTDOWN_RECD: 557 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT: 558 return true; 559 default: 560 break; 561 } 562 563 return false; 564 } 565 566 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 567 568 #include <linux/netfilter/nfnetlink.h> 569 #include <linux/netfilter/nfnetlink_conntrack.h> 570 571 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, 572 struct nf_conn *ct, bool destroy) 573 { 574 struct nlattr *nest_parms; 575 576 spin_lock_bh(&ct->lock); 577 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP); 578 if (!nest_parms) 579 goto nla_put_failure; 580 581 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state)) 582 goto nla_put_failure; 583 584 if (destroy) 585 goto skip_state; 586 587 if (nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL, 588 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) || 589 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY, 590 ct->proto.sctp.vtag[IP_CT_DIR_REPLY])) 591 goto nla_put_failure; 592 593 skip_state: 594 spin_unlock_bh(&ct->lock); 595 nla_nest_end(skb, nest_parms); 596 597 return 0; 598 599 nla_put_failure: 600 spin_unlock_bh(&ct->lock); 601 return -1; 602 } 603 604 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = { 605 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 }, 606 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 }, 607 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 }, 608 }; 609 610 #define SCTP_NLATTR_SIZE ( \ 611 NLA_ALIGN(NLA_HDRLEN + 1) + \ 612 NLA_ALIGN(NLA_HDRLEN + 4) + \ 613 NLA_ALIGN(NLA_HDRLEN + 4)) 614 615 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct) 616 { 617 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP]; 618 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1]; 619 int err; 620 621 /* updates may not contain the internal protocol info, skip parsing */ 622 if (!attr) 623 return 0; 624 625 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr, 626 sctp_nla_policy, NULL); 627 if (err < 0) 628 return err; 629 630 if (!tb[CTA_PROTOINFO_SCTP_STATE] || 631 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] || 632 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]) 633 return -EINVAL; 634 635 spin_lock_bh(&ct->lock); 636 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]); 637 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = 638 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]); 639 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = 640 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]); 641 spin_unlock_bh(&ct->lock); 642 643 return 0; 644 } 645 #endif 646 647 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 648 649 #include <linux/netfilter/nfnetlink.h> 650 #include <linux/netfilter/nfnetlink_cttimeout.h> 651 652 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], 653 struct net *net, void *data) 654 { 655 unsigned int *timeouts = data; 656 struct nf_sctp_net *sn = nf_sctp_pernet(net); 657 int i; 658 659 if (!timeouts) 660 timeouts = sn->timeouts; 661 662 /* set default SCTP timeouts. */ 663 for (i=0; i<SCTP_CONNTRACK_MAX; i++) 664 timeouts[i] = sn->timeouts[i]; 665 666 /* there's a 1:1 mapping between attributes and protocol states. */ 667 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { 668 if (tb[i]) { 669 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ; 670 } 671 } 672 673 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED]; 674 return 0; 675 } 676 677 static int 678 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data) 679 { 680 const unsigned int *timeouts = data; 681 int i; 682 683 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { 684 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ))) 685 goto nla_put_failure; 686 } 687 return 0; 688 689 nla_put_failure: 690 return -ENOSPC; 691 } 692 693 static const struct nla_policy 694 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = { 695 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 }, 696 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 }, 697 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 }, 698 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 }, 699 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 }, 700 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 }, 701 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 }, 702 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 }, 703 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 }, 704 [CTA_TIMEOUT_SCTP_DATA_SENT] = { .type = NLA_U32 }, 705 }; 706 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 707 708 void nf_conntrack_sctp_init_net(struct net *net) 709 { 710 struct nf_sctp_net *sn = nf_sctp_pernet(net); 711 int i; 712 713 for (i = 0; i < SCTP_CONNTRACK_MAX; i++) 714 sn->timeouts[i] = sctp_timeouts[i]; 715 716 /* timeouts[0] is unused, init it so ->timeouts[0] contains 717 * 'new' timeout, like udp or icmp. 718 */ 719 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED]; 720 } 721 722 const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = { 723 .l4proto = IPPROTO_SCTP, 724 #ifdef CONFIG_NF_CONNTRACK_PROCFS 725 .print_conntrack = sctp_print_conntrack, 726 #endif 727 .can_early_drop = sctp_can_early_drop, 728 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 729 .nlattr_size = SCTP_NLATTR_SIZE, 730 .to_nlattr = sctp_to_nlattr, 731 .from_nlattr = nlattr_to_sctp, 732 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 733 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 734 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 735 .nla_policy = nf_ct_port_nla_policy, 736 #endif 737 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 738 .ctnl_timeout = { 739 .nlattr_to_obj = sctp_timeout_nlattr_to_obj, 740 .obj_to_nlattr = sctp_timeout_obj_to_nlattr, 741 .nlattr_max = CTA_TIMEOUT_SCTP_MAX, 742 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX, 743 .nla_policy = sctp_timeout_nla_policy, 744 }, 745 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 746 }; 747