1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Connection tracking protocol helper module for SCTP. 4 * 5 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com> 6 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net> 7 * 8 * SCTP is defined in RFC 2960. References to various sections in this code 9 * are to this RFC. 10 */ 11 12 #include <linux/types.h> 13 #include <linux/timer.h> 14 #include <linux/netfilter.h> 15 #include <linux/in.h> 16 #include <linux/ip.h> 17 #include <linux/sctp.h> 18 #include <linux/string.h> 19 #include <linux/seq_file.h> 20 #include <linux/spinlock.h> 21 #include <linux/interrupt.h> 22 #include <net/sctp/checksum.h> 23 24 #include <net/netfilter/nf_log.h> 25 #include <net/netfilter/nf_conntrack.h> 26 #include <net/netfilter/nf_conntrack_l4proto.h> 27 #include <net/netfilter/nf_conntrack_ecache.h> 28 #include <net/netfilter/nf_conntrack_timeout.h> 29 30 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more 31 closely. They're more complex. --RR 32 33 And so for me for SCTP :D -Kiran */ 34 35 static const char *const sctp_conntrack_names[] = { 36 "NONE", 37 "CLOSED", 38 "COOKIE_WAIT", 39 "COOKIE_ECHOED", 40 "ESTABLISHED", 41 "SHUTDOWN_SENT", 42 "SHUTDOWN_RECD", 43 "SHUTDOWN_ACK_SENT", 44 "HEARTBEAT_SENT", 45 "HEARTBEAT_ACKED", 46 }; 47 48 #define SECS * HZ 49 #define MINS * 60 SECS 50 #define HOURS * 60 MINS 51 #define DAYS * 24 HOURS 52 53 static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = { 54 [SCTP_CONNTRACK_CLOSED] = 10 SECS, 55 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS, 56 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS, 57 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS, 58 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000, 59 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000, 60 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS, 61 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS, 62 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS, 63 }; 64 65 #define SCTP_FLAG_HEARTBEAT_VTAG_FAILED 1 66 67 #define sNO SCTP_CONNTRACK_NONE 68 #define sCL SCTP_CONNTRACK_CLOSED 69 #define sCW SCTP_CONNTRACK_COOKIE_WAIT 70 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED 71 #define sES SCTP_CONNTRACK_ESTABLISHED 72 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT 73 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD 74 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT 75 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT 76 #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED 77 #define sIV SCTP_CONNTRACK_MAX 78 79 /* 80 These are the descriptions of the states: 81 82 NOTE: These state names are tantalizingly similar to the states of an 83 SCTP endpoint. But the interpretation of the states is a little different, 84 considering that these are the states of the connection and not of an end 85 point. Please note the subtleties. -Kiran 86 87 NONE - Nothing so far. 88 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also 89 an INIT_ACK chunk in the reply direction. 90 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. 91 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. 92 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. 93 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin. 94 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite 95 to that of the SHUTDOWN chunk. 96 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of 97 the SHUTDOWN chunk. Connection is closed. 98 HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow. 99 HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to 100 that of the HEARTBEAT chunk. Secondary connection is 101 established. 102 */ 103 104 /* TODO 105 - I have assumed that the first INIT is in the original direction. 106 This messes things when an INIT comes in the reply direction in CLOSED 107 state. 108 - Check the error type in the reply dir before transitioning from 109 cookie echoed to closed. 110 - Sec 5.2.4 of RFC 2960 111 - Full Multi Homing support. 112 */ 113 114 /* SCTP conntrack state transitions */ 115 static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = { 116 { 117 /* ORIGINAL */ 118 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */ 119 /* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA}, 120 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA}, 121 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, 122 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS}, 123 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA}, 124 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/ 125 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */ 126 /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */ 127 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA}, 128 /* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}, 129 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA} 130 }, 131 { 132 /* REPLY */ 133 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */ 134 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */ 135 /* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA}, 136 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL}, 137 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR}, 138 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA}, 139 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA}, 140 /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */ 141 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA}, 142 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA}, 143 /* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}, 144 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA} 145 } 146 }; 147 148 #ifdef CONFIG_NF_CONNTRACK_PROCFS 149 /* Print out the private part of the conntrack. */ 150 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) 151 { 152 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]); 153 } 154 #endif 155 156 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ 157 for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ 158 (offset) < (skb)->len && \ 159 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ 160 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) 161 162 /* Some validity checks to make sure the chunks are fine */ 163 static int do_basic_checks(struct nf_conn *ct, 164 const struct sk_buff *skb, 165 unsigned int dataoff, 166 unsigned long *map) 167 { 168 u_int32_t offset, count; 169 struct sctp_chunkhdr _sch, *sch; 170 int flag; 171 172 flag = 0; 173 174 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 175 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type); 176 177 if (sch->type == SCTP_CID_INIT || 178 sch->type == SCTP_CID_INIT_ACK || 179 sch->type == SCTP_CID_SHUTDOWN_COMPLETE) 180 flag = 1; 181 182 /* 183 * Cookie Ack/Echo chunks not the first OR 184 * Init / Init Ack / Shutdown compl chunks not the only chunks 185 * OR zero-length. 186 */ 187 if (((sch->type == SCTP_CID_COOKIE_ACK || 188 sch->type == SCTP_CID_COOKIE_ECHO || 189 flag) && 190 count != 0) || !sch->length) { 191 pr_debug("Basic checks failed\n"); 192 return 1; 193 } 194 195 if (map) 196 set_bit(sch->type, map); 197 } 198 199 pr_debug("Basic checks passed\n"); 200 return count == 0; 201 } 202 203 static int sctp_new_state(enum ip_conntrack_dir dir, 204 enum sctp_conntrack cur_state, 205 int chunk_type) 206 { 207 int i; 208 209 pr_debug("Chunk type: %d\n", chunk_type); 210 211 switch (chunk_type) { 212 case SCTP_CID_INIT: 213 pr_debug("SCTP_CID_INIT\n"); 214 i = 0; 215 break; 216 case SCTP_CID_INIT_ACK: 217 pr_debug("SCTP_CID_INIT_ACK\n"); 218 i = 1; 219 break; 220 case SCTP_CID_ABORT: 221 pr_debug("SCTP_CID_ABORT\n"); 222 i = 2; 223 break; 224 case SCTP_CID_SHUTDOWN: 225 pr_debug("SCTP_CID_SHUTDOWN\n"); 226 i = 3; 227 break; 228 case SCTP_CID_SHUTDOWN_ACK: 229 pr_debug("SCTP_CID_SHUTDOWN_ACK\n"); 230 i = 4; 231 break; 232 case SCTP_CID_ERROR: 233 pr_debug("SCTP_CID_ERROR\n"); 234 i = 5; 235 break; 236 case SCTP_CID_COOKIE_ECHO: 237 pr_debug("SCTP_CID_COOKIE_ECHO\n"); 238 i = 6; 239 break; 240 case SCTP_CID_COOKIE_ACK: 241 pr_debug("SCTP_CID_COOKIE_ACK\n"); 242 i = 7; 243 break; 244 case SCTP_CID_SHUTDOWN_COMPLETE: 245 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n"); 246 i = 8; 247 break; 248 case SCTP_CID_HEARTBEAT: 249 pr_debug("SCTP_CID_HEARTBEAT"); 250 i = 9; 251 break; 252 case SCTP_CID_HEARTBEAT_ACK: 253 pr_debug("SCTP_CID_HEARTBEAT_ACK"); 254 i = 10; 255 break; 256 default: 257 /* Other chunks like DATA or SACK do not change the state */ 258 pr_debug("Unknown chunk type, Will stay in %s\n", 259 sctp_conntrack_names[cur_state]); 260 return cur_state; 261 } 262 263 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n", 264 dir, sctp_conntrack_names[cur_state], chunk_type, 265 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]); 266 267 return sctp_conntracks[dir][i][cur_state]; 268 } 269 270 /* Don't need lock here: this conntrack not in circulation yet */ 271 static noinline bool 272 sctp_new(struct nf_conn *ct, const struct sk_buff *skb, 273 const struct sctphdr *sh, unsigned int dataoff) 274 { 275 enum sctp_conntrack new_state; 276 const struct sctp_chunkhdr *sch; 277 struct sctp_chunkhdr _sch; 278 u32 offset, count; 279 280 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp)); 281 new_state = SCTP_CONNTRACK_MAX; 282 for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) { 283 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL, 284 SCTP_CONNTRACK_NONE, sch->type); 285 286 /* Invalid: delete conntrack */ 287 if (new_state == SCTP_CONNTRACK_NONE || 288 new_state == SCTP_CONNTRACK_MAX) { 289 pr_debug("nf_conntrack_sctp: invalid new deleting.\n"); 290 return false; 291 } 292 293 /* Copy the vtag into the state info */ 294 if (sch->type == SCTP_CID_INIT) { 295 struct sctp_inithdr _inithdr, *ih; 296 /* Sec 8.5.1 (A) */ 297 if (sh->vtag) 298 return false; 299 300 ih = skb_header_pointer(skb, offset + sizeof(_sch), 301 sizeof(_inithdr), &_inithdr); 302 if (!ih) 303 return false; 304 305 pr_debug("Setting vtag %x for new conn\n", 306 ih->init_tag); 307 308 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag; 309 } else if (sch->type == SCTP_CID_HEARTBEAT) { 310 pr_debug("Setting vtag %x for secondary conntrack\n", 311 sh->vtag); 312 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag; 313 } else { 314 /* If it is a shutdown ack OOTB packet, we expect a return 315 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ 316 pr_debug("Setting vtag %x for new conn OOTB\n", 317 sh->vtag); 318 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; 319 } 320 321 ct->proto.sctp.state = SCTP_CONNTRACK_NONE; 322 } 323 324 return true; 325 } 326 327 static bool sctp_error(struct sk_buff *skb, 328 unsigned int dataoff, 329 const struct nf_hook_state *state) 330 { 331 const struct sctphdr *sh; 332 const char *logmsg; 333 334 if (skb->len < dataoff + sizeof(struct sctphdr)) { 335 logmsg = "nf_ct_sctp: short packet "; 336 goto out_invalid; 337 } 338 if (state->hook == NF_INET_PRE_ROUTING && 339 state->net->ct.sysctl_checksum && 340 skb->ip_summed == CHECKSUM_NONE) { 341 if (skb_ensure_writable(skb, dataoff + sizeof(*sh))) { 342 logmsg = "nf_ct_sctp: failed to read header "; 343 goto out_invalid; 344 } 345 sh = (const struct sctphdr *)(skb->data + dataoff); 346 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) { 347 logmsg = "nf_ct_sctp: bad CRC "; 348 goto out_invalid; 349 } 350 skb->ip_summed = CHECKSUM_UNNECESSARY; 351 } 352 return false; 353 out_invalid: 354 nf_l4proto_log_invalid(skb, state->net, state->pf, IPPROTO_SCTP, "%s", logmsg); 355 return true; 356 } 357 358 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */ 359 int nf_conntrack_sctp_packet(struct nf_conn *ct, 360 struct sk_buff *skb, 361 unsigned int dataoff, 362 enum ip_conntrack_info ctinfo, 363 const struct nf_hook_state *state) 364 { 365 enum sctp_conntrack new_state, old_state; 366 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 367 const struct sctphdr *sh; 368 struct sctphdr _sctph; 369 const struct sctp_chunkhdr *sch; 370 struct sctp_chunkhdr _sch; 371 u_int32_t offset, count; 372 unsigned int *timeouts; 373 unsigned long map[256 / sizeof(unsigned long)] = { 0 }; 374 bool ignore = false; 375 376 if (sctp_error(skb, dataoff, state)) 377 return -NF_ACCEPT; 378 379 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); 380 if (sh == NULL) 381 goto out; 382 383 if (do_basic_checks(ct, skb, dataoff, map) != 0) 384 goto out; 385 386 if (!nf_ct_is_confirmed(ct)) { 387 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */ 388 if (test_bit(SCTP_CID_ABORT, map) || 389 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) || 390 test_bit(SCTP_CID_COOKIE_ACK, map)) 391 return -NF_ACCEPT; 392 393 if (!sctp_new(ct, skb, sh, dataoff)) 394 return -NF_ACCEPT; 395 } 396 397 /* Check the verification tag (Sec 8.5) */ 398 if (!test_bit(SCTP_CID_INIT, map) && 399 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) && 400 !test_bit(SCTP_CID_COOKIE_ECHO, map) && 401 !test_bit(SCTP_CID_ABORT, map) && 402 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) && 403 !test_bit(SCTP_CID_HEARTBEAT, map) && 404 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) && 405 sh->vtag != ct->proto.sctp.vtag[dir]) { 406 pr_debug("Verification tag check failed\n"); 407 goto out; 408 } 409 410 old_state = new_state = SCTP_CONNTRACK_NONE; 411 spin_lock_bh(&ct->lock); 412 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 413 /* Special cases of Verification tag check (Sec 8.5.1) */ 414 if (sch->type == SCTP_CID_INIT) { 415 /* Sec 8.5.1 (A) */ 416 if (sh->vtag != 0) 417 goto out_unlock; 418 } else if (sch->type == SCTP_CID_ABORT) { 419 /* Sec 8.5.1 (B) */ 420 if (sh->vtag != ct->proto.sctp.vtag[dir] && 421 sh->vtag != ct->proto.sctp.vtag[!dir]) 422 goto out_unlock; 423 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { 424 /* Sec 8.5.1 (C) */ 425 if (sh->vtag != ct->proto.sctp.vtag[dir] && 426 sh->vtag != ct->proto.sctp.vtag[!dir] && 427 sch->flags & SCTP_CHUNK_FLAG_T) 428 goto out_unlock; 429 } else if (sch->type == SCTP_CID_COOKIE_ECHO) { 430 /* Sec 8.5.1 (D) */ 431 if (sh->vtag != ct->proto.sctp.vtag[dir]) 432 goto out_unlock; 433 } else if (sch->type == SCTP_CID_HEARTBEAT) { 434 if (ct->proto.sctp.vtag[dir] == 0) { 435 pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir); 436 ct->proto.sctp.vtag[dir] = sh->vtag; 437 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { 438 if (test_bit(SCTP_CID_DATA, map) || ignore) 439 goto out_unlock; 440 441 ct->proto.sctp.flags |= SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 442 ct->proto.sctp.last_dir = dir; 443 ignore = true; 444 continue; 445 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { 446 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 447 } 448 } else if (sch->type == SCTP_CID_HEARTBEAT_ACK) { 449 if (ct->proto.sctp.vtag[dir] == 0) { 450 pr_debug("Setting vtag %x for dir %d\n", 451 sh->vtag, dir); 452 ct->proto.sctp.vtag[dir] = sh->vtag; 453 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { 454 if (test_bit(SCTP_CID_DATA, map) || ignore) 455 goto out_unlock; 456 457 if ((ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) == 0 || 458 ct->proto.sctp.last_dir == dir) 459 goto out_unlock; 460 461 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 462 ct->proto.sctp.vtag[dir] = sh->vtag; 463 ct->proto.sctp.vtag[!dir] = 0; 464 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { 465 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 466 } 467 } 468 469 old_state = ct->proto.sctp.state; 470 new_state = sctp_new_state(dir, old_state, sch->type); 471 472 /* Invalid */ 473 if (new_state == SCTP_CONNTRACK_MAX) { 474 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u " 475 "conntrack=%u\n", 476 dir, sch->type, old_state); 477 goto out_unlock; 478 } 479 480 /* If it is an INIT or an INIT ACK note down the vtag */ 481 if (sch->type == SCTP_CID_INIT || 482 sch->type == SCTP_CID_INIT_ACK) { 483 struct sctp_inithdr _inithdr, *ih; 484 485 ih = skb_header_pointer(skb, offset + sizeof(_sch), 486 sizeof(_inithdr), &_inithdr); 487 if (ih == NULL) 488 goto out_unlock; 489 pr_debug("Setting vtag %x for dir %d\n", 490 ih->init_tag, !dir); 491 ct->proto.sctp.vtag[!dir] = ih->init_tag; 492 } 493 494 ct->proto.sctp.state = new_state; 495 if (old_state != new_state) 496 nf_conntrack_event_cache(IPCT_PROTOINFO, ct); 497 } 498 spin_unlock_bh(&ct->lock); 499 500 /* allow but do not refresh timeout */ 501 if (ignore) 502 return NF_ACCEPT; 503 504 timeouts = nf_ct_timeout_lookup(ct); 505 if (!timeouts) 506 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts; 507 508 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]); 509 510 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED && 511 dir == IP_CT_DIR_REPLY && 512 new_state == SCTP_CONNTRACK_ESTABLISHED) { 513 pr_debug("Setting assured bit\n"); 514 set_bit(IPS_ASSURED_BIT, &ct->status); 515 nf_conntrack_event_cache(IPCT_ASSURED, ct); 516 } 517 518 return NF_ACCEPT; 519 520 out_unlock: 521 spin_unlock_bh(&ct->lock); 522 out: 523 return -NF_ACCEPT; 524 } 525 526 static bool sctp_can_early_drop(const struct nf_conn *ct) 527 { 528 switch (ct->proto.sctp.state) { 529 case SCTP_CONNTRACK_SHUTDOWN_SENT: 530 case SCTP_CONNTRACK_SHUTDOWN_RECD: 531 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT: 532 return true; 533 default: 534 break; 535 } 536 537 return false; 538 } 539 540 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 541 542 #include <linux/netfilter/nfnetlink.h> 543 #include <linux/netfilter/nfnetlink_conntrack.h> 544 545 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, 546 struct nf_conn *ct, bool destroy) 547 { 548 struct nlattr *nest_parms; 549 550 spin_lock_bh(&ct->lock); 551 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP); 552 if (!nest_parms) 553 goto nla_put_failure; 554 555 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state)) 556 goto nla_put_failure; 557 558 if (destroy) 559 goto skip_state; 560 561 if (nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL, 562 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) || 563 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY, 564 ct->proto.sctp.vtag[IP_CT_DIR_REPLY])) 565 goto nla_put_failure; 566 567 skip_state: 568 spin_unlock_bh(&ct->lock); 569 nla_nest_end(skb, nest_parms); 570 571 return 0; 572 573 nla_put_failure: 574 spin_unlock_bh(&ct->lock); 575 return -1; 576 } 577 578 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = { 579 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 }, 580 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 }, 581 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 }, 582 }; 583 584 #define SCTP_NLATTR_SIZE ( \ 585 NLA_ALIGN(NLA_HDRLEN + 1) + \ 586 NLA_ALIGN(NLA_HDRLEN + 4) + \ 587 NLA_ALIGN(NLA_HDRLEN + 4)) 588 589 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct) 590 { 591 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP]; 592 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1]; 593 int err; 594 595 /* updates may not contain the internal protocol info, skip parsing */ 596 if (!attr) 597 return 0; 598 599 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr, 600 sctp_nla_policy, NULL); 601 if (err < 0) 602 return err; 603 604 if (!tb[CTA_PROTOINFO_SCTP_STATE] || 605 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] || 606 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]) 607 return -EINVAL; 608 609 spin_lock_bh(&ct->lock); 610 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]); 611 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = 612 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]); 613 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = 614 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]); 615 spin_unlock_bh(&ct->lock); 616 617 return 0; 618 } 619 #endif 620 621 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 622 623 #include <linux/netfilter/nfnetlink.h> 624 #include <linux/netfilter/nfnetlink_cttimeout.h> 625 626 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], 627 struct net *net, void *data) 628 { 629 unsigned int *timeouts = data; 630 struct nf_sctp_net *sn = nf_sctp_pernet(net); 631 int i; 632 633 if (!timeouts) 634 timeouts = sn->timeouts; 635 636 /* set default SCTP timeouts. */ 637 for (i=0; i<SCTP_CONNTRACK_MAX; i++) 638 timeouts[i] = sn->timeouts[i]; 639 640 /* there's a 1:1 mapping between attributes and protocol states. */ 641 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { 642 if (tb[i]) { 643 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ; 644 } 645 } 646 647 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED]; 648 return 0; 649 } 650 651 static int 652 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data) 653 { 654 const unsigned int *timeouts = data; 655 int i; 656 657 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { 658 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ))) 659 goto nla_put_failure; 660 } 661 return 0; 662 663 nla_put_failure: 664 return -ENOSPC; 665 } 666 667 static const struct nla_policy 668 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = { 669 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 }, 670 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 }, 671 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 }, 672 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 }, 673 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 }, 674 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 }, 675 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 }, 676 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 }, 677 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 }, 678 }; 679 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 680 681 void nf_conntrack_sctp_init_net(struct net *net) 682 { 683 struct nf_sctp_net *sn = nf_sctp_pernet(net); 684 int i; 685 686 for (i = 0; i < SCTP_CONNTRACK_MAX; i++) 687 sn->timeouts[i] = sctp_timeouts[i]; 688 689 /* timeouts[0] is unused, init it so ->timeouts[0] contains 690 * 'new' timeout, like udp or icmp. 691 */ 692 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED]; 693 } 694 695 const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = { 696 .l4proto = IPPROTO_SCTP, 697 #ifdef CONFIG_NF_CONNTRACK_PROCFS 698 .print_conntrack = sctp_print_conntrack, 699 #endif 700 .can_early_drop = sctp_can_early_drop, 701 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 702 .nlattr_size = SCTP_NLATTR_SIZE, 703 .to_nlattr = sctp_to_nlattr, 704 .from_nlattr = nlattr_to_sctp, 705 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 706 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 707 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 708 .nla_policy = nf_ct_port_nla_policy, 709 #endif 710 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 711 .ctnl_timeout = { 712 .nlattr_to_obj = sctp_timeout_nlattr_to_obj, 713 .obj_to_nlattr = sctp_timeout_obj_to_nlattr, 714 .nlattr_max = CTA_TIMEOUT_SCTP_MAX, 715 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX, 716 .nla_policy = sctp_timeout_nla_policy, 717 }, 718 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 719 }; 720