1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Connection tracking protocol helper module for SCTP. 4 * 5 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com> 6 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net> 7 * 8 * SCTP is defined in RFC 2960. References to various sections in this code 9 * are to this RFC. 10 */ 11 12 #include <linux/types.h> 13 #include <linux/timer.h> 14 #include <linux/netfilter.h> 15 #include <linux/in.h> 16 #include <linux/ip.h> 17 #include <linux/sctp.h> 18 #include <linux/string.h> 19 #include <linux/seq_file.h> 20 #include <linux/spinlock.h> 21 #include <linux/interrupt.h> 22 #include <net/sctp/checksum.h> 23 24 #include <net/netfilter/nf_log.h> 25 #include <net/netfilter/nf_conntrack.h> 26 #include <net/netfilter/nf_conntrack_l4proto.h> 27 #include <net/netfilter/nf_conntrack_ecache.h> 28 #include <net/netfilter/nf_conntrack_timeout.h> 29 30 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more 31 closely. They're more complex. --RR 32 33 And so for me for SCTP :D -Kiran */ 34 35 static const char *const sctp_conntrack_names[] = { 36 "NONE", 37 "CLOSED", 38 "COOKIE_WAIT", 39 "COOKIE_ECHOED", 40 "ESTABLISHED", 41 "SHUTDOWN_SENT", 42 "SHUTDOWN_RECD", 43 "SHUTDOWN_ACK_SENT", 44 "HEARTBEAT_SENT", 45 "HEARTBEAT_ACKED", 46 }; 47 48 #define SECS * HZ 49 #define MINS * 60 SECS 50 #define HOURS * 60 MINS 51 #define DAYS * 24 HOURS 52 53 static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = { 54 [SCTP_CONNTRACK_CLOSED] = 10 SECS, 55 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS, 56 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS, 57 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS, 58 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000, 59 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000, 60 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS, 61 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS, 62 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS, 63 }; 64 65 #define SCTP_FLAG_HEARTBEAT_VTAG_FAILED 1 66 67 #define sNO SCTP_CONNTRACK_NONE 68 #define sCL SCTP_CONNTRACK_CLOSED 69 #define sCW SCTP_CONNTRACK_COOKIE_WAIT 70 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED 71 #define sES SCTP_CONNTRACK_ESTABLISHED 72 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT 73 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD 74 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT 75 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT 76 #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED 77 #define sIV SCTP_CONNTRACK_MAX 78 79 /* 80 These are the descriptions of the states: 81 82 NOTE: These state names are tantalizingly similar to the states of an 83 SCTP endpoint. But the interpretation of the states is a little different, 84 considering that these are the states of the connection and not of an end 85 point. Please note the subtleties. -Kiran 86 87 NONE - Nothing so far. 88 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also 89 an INIT_ACK chunk in the reply direction. 90 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. 91 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. 92 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. 93 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin. 94 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite 95 to that of the SHUTDOWN chunk. 96 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of 97 the SHUTDOWN chunk. Connection is closed. 98 HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow. 99 HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to 100 that of the HEARTBEAT chunk. Secondary connection is 101 established. 102 */ 103 104 /* TODO 105 - I have assumed that the first INIT is in the original direction. 106 This messes things when an INIT comes in the reply direction in CLOSED 107 state. 108 - Check the error type in the reply dir before transitioning from 109 cookie echoed to closed. 110 - Sec 5.2.4 of RFC 2960 111 - Full Multi Homing support. 112 */ 113 114 /* SCTP conntrack state transitions */ 115 static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = { 116 { 117 /* ORIGINAL */ 118 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */ 119 /* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA}, 120 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA}, 121 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, 122 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS}, 123 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA}, 124 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/ 125 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */ 126 /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */ 127 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA}, 128 /* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}, 129 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA} 130 }, 131 { 132 /* REPLY */ 133 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */ 134 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */ 135 /* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA}, 136 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL}, 137 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR}, 138 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA}, 139 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA}, 140 /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */ 141 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA}, 142 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA}, 143 /* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}, 144 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA} 145 } 146 }; 147 148 #ifdef CONFIG_NF_CONNTRACK_PROCFS 149 /* Print out the private part of the conntrack. */ 150 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) 151 { 152 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]); 153 } 154 #endif 155 156 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ 157 for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ 158 (offset) < (skb)->len && \ 159 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ 160 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) 161 162 /* Some validity checks to make sure the chunks are fine */ 163 static int do_basic_checks(struct nf_conn *ct, 164 const struct sk_buff *skb, 165 unsigned int dataoff, 166 unsigned long *map) 167 { 168 u_int32_t offset, count; 169 struct sctp_chunkhdr _sch, *sch; 170 int flag; 171 172 flag = 0; 173 174 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 175 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type); 176 177 if (sch->type == SCTP_CID_INIT || 178 sch->type == SCTP_CID_INIT_ACK || 179 sch->type == SCTP_CID_SHUTDOWN_COMPLETE) 180 flag = 1; 181 182 /* 183 * Cookie Ack/Echo chunks not the first OR 184 * Init / Init Ack / Shutdown compl chunks not the only chunks 185 * OR zero-length. 186 */ 187 if (((sch->type == SCTP_CID_COOKIE_ACK || 188 sch->type == SCTP_CID_COOKIE_ECHO || 189 flag) && 190 count != 0) || !sch->length) { 191 pr_debug("Basic checks failed\n"); 192 return 1; 193 } 194 195 if (map) 196 set_bit(sch->type, map); 197 } 198 199 pr_debug("Basic checks passed\n"); 200 return count == 0; 201 } 202 203 static int sctp_new_state(enum ip_conntrack_dir dir, 204 enum sctp_conntrack cur_state, 205 int chunk_type) 206 { 207 int i; 208 209 pr_debug("Chunk type: %d\n", chunk_type); 210 211 switch (chunk_type) { 212 case SCTP_CID_INIT: 213 pr_debug("SCTP_CID_INIT\n"); 214 i = 0; 215 break; 216 case SCTP_CID_INIT_ACK: 217 pr_debug("SCTP_CID_INIT_ACK\n"); 218 i = 1; 219 break; 220 case SCTP_CID_ABORT: 221 pr_debug("SCTP_CID_ABORT\n"); 222 i = 2; 223 break; 224 case SCTP_CID_SHUTDOWN: 225 pr_debug("SCTP_CID_SHUTDOWN\n"); 226 i = 3; 227 break; 228 case SCTP_CID_SHUTDOWN_ACK: 229 pr_debug("SCTP_CID_SHUTDOWN_ACK\n"); 230 i = 4; 231 break; 232 case SCTP_CID_ERROR: 233 pr_debug("SCTP_CID_ERROR\n"); 234 i = 5; 235 break; 236 case SCTP_CID_COOKIE_ECHO: 237 pr_debug("SCTP_CID_COOKIE_ECHO\n"); 238 i = 6; 239 break; 240 case SCTP_CID_COOKIE_ACK: 241 pr_debug("SCTP_CID_COOKIE_ACK\n"); 242 i = 7; 243 break; 244 case SCTP_CID_SHUTDOWN_COMPLETE: 245 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n"); 246 i = 8; 247 break; 248 case SCTP_CID_HEARTBEAT: 249 pr_debug("SCTP_CID_HEARTBEAT"); 250 i = 9; 251 break; 252 case SCTP_CID_HEARTBEAT_ACK: 253 pr_debug("SCTP_CID_HEARTBEAT_ACK"); 254 i = 10; 255 break; 256 default: 257 /* Other chunks like DATA or SACK do not change the state */ 258 pr_debug("Unknown chunk type, Will stay in %s\n", 259 sctp_conntrack_names[cur_state]); 260 return cur_state; 261 } 262 263 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n", 264 dir, sctp_conntrack_names[cur_state], chunk_type, 265 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]); 266 267 return sctp_conntracks[dir][i][cur_state]; 268 } 269 270 /* Don't need lock here: this conntrack not in circulation yet */ 271 static noinline bool 272 sctp_new(struct nf_conn *ct, const struct sk_buff *skb, 273 const struct sctphdr *sh, unsigned int dataoff) 274 { 275 enum sctp_conntrack new_state; 276 const struct sctp_chunkhdr *sch; 277 struct sctp_chunkhdr _sch; 278 u32 offset, count; 279 280 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp)); 281 new_state = SCTP_CONNTRACK_MAX; 282 for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) { 283 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL, 284 SCTP_CONNTRACK_NONE, sch->type); 285 286 /* Invalid: delete conntrack */ 287 if (new_state == SCTP_CONNTRACK_NONE || 288 new_state == SCTP_CONNTRACK_MAX) { 289 pr_debug("nf_conntrack_sctp: invalid new deleting.\n"); 290 return false; 291 } 292 293 /* Copy the vtag into the state info */ 294 if (sch->type == SCTP_CID_INIT) { 295 struct sctp_inithdr _inithdr, *ih; 296 /* Sec 8.5.1 (A) */ 297 if (sh->vtag) 298 return false; 299 300 ih = skb_header_pointer(skb, offset + sizeof(_sch), 301 sizeof(_inithdr), &_inithdr); 302 if (!ih) 303 return false; 304 305 pr_debug("Setting vtag %x for new conn\n", 306 ih->init_tag); 307 308 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag; 309 } else if (sch->type == SCTP_CID_HEARTBEAT) { 310 pr_debug("Setting vtag %x for secondary conntrack\n", 311 sh->vtag); 312 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag; 313 } else { 314 /* If it is a shutdown ack OOTB packet, we expect a return 315 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ 316 pr_debug("Setting vtag %x for new conn OOTB\n", 317 sh->vtag); 318 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; 319 } 320 321 ct->proto.sctp.state = SCTP_CONNTRACK_NONE; 322 } 323 324 return true; 325 } 326 327 static bool sctp_error(struct sk_buff *skb, 328 unsigned int dataoff, 329 const struct nf_hook_state *state) 330 { 331 const struct sctphdr *sh; 332 const char *logmsg; 333 334 if (skb->len < dataoff + sizeof(struct sctphdr)) { 335 logmsg = "nf_ct_sctp: short packet "; 336 goto out_invalid; 337 } 338 if (state->hook == NF_INET_PRE_ROUTING && 339 state->net->ct.sysctl_checksum && 340 skb->ip_summed == CHECKSUM_NONE) { 341 if (skb_ensure_writable(skb, dataoff + sizeof(*sh))) { 342 logmsg = "nf_ct_sctp: failed to read header "; 343 goto out_invalid; 344 } 345 sh = (const struct sctphdr *)(skb->data + dataoff); 346 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) { 347 logmsg = "nf_ct_sctp: bad CRC "; 348 goto out_invalid; 349 } 350 skb->ip_summed = CHECKSUM_UNNECESSARY; 351 } 352 return false; 353 out_invalid: 354 nf_l4proto_log_invalid(skb, state, IPPROTO_SCTP, "%s", logmsg); 355 return true; 356 } 357 358 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */ 359 int nf_conntrack_sctp_packet(struct nf_conn *ct, 360 struct sk_buff *skb, 361 unsigned int dataoff, 362 enum ip_conntrack_info ctinfo, 363 const struct nf_hook_state *state) 364 { 365 enum sctp_conntrack new_state, old_state; 366 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 367 const struct sctphdr *sh; 368 struct sctphdr _sctph; 369 const struct sctp_chunkhdr *sch; 370 struct sctp_chunkhdr _sch; 371 u_int32_t offset, count; 372 unsigned int *timeouts; 373 unsigned long map[256 / sizeof(unsigned long)] = { 0 }; 374 bool ignore = false; 375 376 if (sctp_error(skb, dataoff, state)) 377 return -NF_ACCEPT; 378 379 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); 380 if (sh == NULL) 381 goto out; 382 383 if (do_basic_checks(ct, skb, dataoff, map) != 0) 384 goto out; 385 386 if (!nf_ct_is_confirmed(ct)) { 387 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */ 388 if (test_bit(SCTP_CID_ABORT, map) || 389 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) || 390 test_bit(SCTP_CID_COOKIE_ACK, map)) 391 return -NF_ACCEPT; 392 393 if (!sctp_new(ct, skb, sh, dataoff)) 394 return -NF_ACCEPT; 395 } 396 397 /* Check the verification tag (Sec 8.5) */ 398 if (!test_bit(SCTP_CID_INIT, map) && 399 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) && 400 !test_bit(SCTP_CID_COOKIE_ECHO, map) && 401 !test_bit(SCTP_CID_ABORT, map) && 402 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) && 403 !test_bit(SCTP_CID_HEARTBEAT, map) && 404 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) && 405 sh->vtag != ct->proto.sctp.vtag[dir]) { 406 pr_debug("Verification tag check failed\n"); 407 goto out; 408 } 409 410 old_state = new_state = SCTP_CONNTRACK_NONE; 411 spin_lock_bh(&ct->lock); 412 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 413 /* Special cases of Verification tag check (Sec 8.5.1) */ 414 if (sch->type == SCTP_CID_INIT) { 415 /* Sec 8.5.1 (A) */ 416 if (sh->vtag != 0) 417 goto out_unlock; 418 } else if (sch->type == SCTP_CID_ABORT) { 419 /* Sec 8.5.1 (B) */ 420 if (sh->vtag != ct->proto.sctp.vtag[dir] && 421 sh->vtag != ct->proto.sctp.vtag[!dir]) 422 goto out_unlock; 423 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { 424 /* Sec 8.5.1 (C) */ 425 if (sh->vtag != ct->proto.sctp.vtag[dir] && 426 sh->vtag != ct->proto.sctp.vtag[!dir] && 427 sch->flags & SCTP_CHUNK_FLAG_T) 428 goto out_unlock; 429 } else if (sch->type == SCTP_CID_COOKIE_ECHO) { 430 /* Sec 8.5.1 (D) */ 431 if (sh->vtag != ct->proto.sctp.vtag[dir]) 432 goto out_unlock; 433 } else if (sch->type == SCTP_CID_HEARTBEAT) { 434 if (ct->proto.sctp.vtag[dir] == 0) { 435 pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir); 436 ct->proto.sctp.vtag[dir] = sh->vtag; 437 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { 438 if (test_bit(SCTP_CID_DATA, map) || ignore) 439 goto out_unlock; 440 441 ct->proto.sctp.flags |= SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 442 ct->proto.sctp.last_dir = dir; 443 ignore = true; 444 continue; 445 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { 446 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 447 } 448 } else if (sch->type == SCTP_CID_HEARTBEAT_ACK) { 449 if (ct->proto.sctp.vtag[dir] == 0) { 450 pr_debug("Setting vtag %x for dir %d\n", 451 sh->vtag, dir); 452 ct->proto.sctp.vtag[dir] = sh->vtag; 453 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { 454 if (test_bit(SCTP_CID_DATA, map) || ignore) 455 goto out_unlock; 456 457 if ((ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) == 0 || 458 ct->proto.sctp.last_dir == dir) 459 goto out_unlock; 460 461 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 462 ct->proto.sctp.vtag[dir] = sh->vtag; 463 ct->proto.sctp.vtag[!dir] = 0; 464 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { 465 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 466 } 467 } 468 469 old_state = ct->proto.sctp.state; 470 new_state = sctp_new_state(dir, old_state, sch->type); 471 472 /* Invalid */ 473 if (new_state == SCTP_CONNTRACK_MAX) { 474 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u " 475 "conntrack=%u\n", 476 dir, sch->type, old_state); 477 goto out_unlock; 478 } 479 480 /* If it is an INIT or an INIT ACK note down the vtag */ 481 if (sch->type == SCTP_CID_INIT || 482 sch->type == SCTP_CID_INIT_ACK) { 483 struct sctp_inithdr _inithdr, *ih; 484 485 ih = skb_header_pointer(skb, offset + sizeof(_sch), 486 sizeof(_inithdr), &_inithdr); 487 if (ih == NULL) 488 goto out_unlock; 489 pr_debug("Setting vtag %x for dir %d\n", 490 ih->init_tag, !dir); 491 ct->proto.sctp.vtag[!dir] = ih->init_tag; 492 493 /* don't renew timeout on init retransmit so 494 * port reuse by client or NAT middlebox cannot 495 * keep entry alive indefinitely (incl. nat info). 496 */ 497 if (new_state == SCTP_CONNTRACK_CLOSED && 498 old_state == SCTP_CONNTRACK_CLOSED && 499 nf_ct_is_confirmed(ct)) 500 ignore = true; 501 } 502 503 ct->proto.sctp.state = new_state; 504 if (old_state != new_state) 505 nf_conntrack_event_cache(IPCT_PROTOINFO, ct); 506 } 507 spin_unlock_bh(&ct->lock); 508 509 /* allow but do not refresh timeout */ 510 if (ignore) 511 return NF_ACCEPT; 512 513 timeouts = nf_ct_timeout_lookup(ct); 514 if (!timeouts) 515 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts; 516 517 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]); 518 519 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED && 520 dir == IP_CT_DIR_REPLY && 521 new_state == SCTP_CONNTRACK_ESTABLISHED) { 522 pr_debug("Setting assured bit\n"); 523 set_bit(IPS_ASSURED_BIT, &ct->status); 524 nf_conntrack_event_cache(IPCT_ASSURED, ct); 525 } 526 527 return NF_ACCEPT; 528 529 out_unlock: 530 spin_unlock_bh(&ct->lock); 531 out: 532 return -NF_ACCEPT; 533 } 534 535 static bool sctp_can_early_drop(const struct nf_conn *ct) 536 { 537 switch (ct->proto.sctp.state) { 538 case SCTP_CONNTRACK_SHUTDOWN_SENT: 539 case SCTP_CONNTRACK_SHUTDOWN_RECD: 540 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT: 541 return true; 542 default: 543 break; 544 } 545 546 return false; 547 } 548 549 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 550 551 #include <linux/netfilter/nfnetlink.h> 552 #include <linux/netfilter/nfnetlink_conntrack.h> 553 554 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, 555 struct nf_conn *ct, bool destroy) 556 { 557 struct nlattr *nest_parms; 558 559 spin_lock_bh(&ct->lock); 560 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP); 561 if (!nest_parms) 562 goto nla_put_failure; 563 564 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state)) 565 goto nla_put_failure; 566 567 if (destroy) 568 goto skip_state; 569 570 if (nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL, 571 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) || 572 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY, 573 ct->proto.sctp.vtag[IP_CT_DIR_REPLY])) 574 goto nla_put_failure; 575 576 skip_state: 577 spin_unlock_bh(&ct->lock); 578 nla_nest_end(skb, nest_parms); 579 580 return 0; 581 582 nla_put_failure: 583 spin_unlock_bh(&ct->lock); 584 return -1; 585 } 586 587 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = { 588 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 }, 589 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 }, 590 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 }, 591 }; 592 593 #define SCTP_NLATTR_SIZE ( \ 594 NLA_ALIGN(NLA_HDRLEN + 1) + \ 595 NLA_ALIGN(NLA_HDRLEN + 4) + \ 596 NLA_ALIGN(NLA_HDRLEN + 4)) 597 598 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct) 599 { 600 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP]; 601 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1]; 602 int err; 603 604 /* updates may not contain the internal protocol info, skip parsing */ 605 if (!attr) 606 return 0; 607 608 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr, 609 sctp_nla_policy, NULL); 610 if (err < 0) 611 return err; 612 613 if (!tb[CTA_PROTOINFO_SCTP_STATE] || 614 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] || 615 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]) 616 return -EINVAL; 617 618 spin_lock_bh(&ct->lock); 619 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]); 620 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = 621 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]); 622 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = 623 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]); 624 spin_unlock_bh(&ct->lock); 625 626 return 0; 627 } 628 #endif 629 630 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 631 632 #include <linux/netfilter/nfnetlink.h> 633 #include <linux/netfilter/nfnetlink_cttimeout.h> 634 635 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], 636 struct net *net, void *data) 637 { 638 unsigned int *timeouts = data; 639 struct nf_sctp_net *sn = nf_sctp_pernet(net); 640 int i; 641 642 if (!timeouts) 643 timeouts = sn->timeouts; 644 645 /* set default SCTP timeouts. */ 646 for (i=0; i<SCTP_CONNTRACK_MAX; i++) 647 timeouts[i] = sn->timeouts[i]; 648 649 /* there's a 1:1 mapping between attributes and protocol states. */ 650 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { 651 if (tb[i]) { 652 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ; 653 } 654 } 655 656 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED]; 657 return 0; 658 } 659 660 static int 661 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data) 662 { 663 const unsigned int *timeouts = data; 664 int i; 665 666 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { 667 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ))) 668 goto nla_put_failure; 669 } 670 return 0; 671 672 nla_put_failure: 673 return -ENOSPC; 674 } 675 676 static const struct nla_policy 677 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = { 678 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 }, 679 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 }, 680 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 }, 681 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 }, 682 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 }, 683 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 }, 684 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 }, 685 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 }, 686 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 }, 687 }; 688 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 689 690 void nf_conntrack_sctp_init_net(struct net *net) 691 { 692 struct nf_sctp_net *sn = nf_sctp_pernet(net); 693 int i; 694 695 for (i = 0; i < SCTP_CONNTRACK_MAX; i++) 696 sn->timeouts[i] = sctp_timeouts[i]; 697 698 /* timeouts[0] is unused, init it so ->timeouts[0] contains 699 * 'new' timeout, like udp or icmp. 700 */ 701 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED]; 702 } 703 704 const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = { 705 .l4proto = IPPROTO_SCTP, 706 #ifdef CONFIG_NF_CONNTRACK_PROCFS 707 .print_conntrack = sctp_print_conntrack, 708 #endif 709 .can_early_drop = sctp_can_early_drop, 710 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 711 .nlattr_size = SCTP_NLATTR_SIZE, 712 .to_nlattr = sctp_to_nlattr, 713 .from_nlattr = nlattr_to_sctp, 714 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 715 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 716 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 717 .nla_policy = nf_ct_port_nla_policy, 718 #endif 719 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 720 .ctnl_timeout = { 721 .nlattr_to_obj = sctp_timeout_nlattr_to_obj, 722 .obj_to_nlattr = sctp_timeout_obj_to_nlattr, 723 .nlattr_max = CTA_TIMEOUT_SCTP_MAX, 724 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX, 725 .nla_policy = sctp_timeout_nla_policy, 726 }, 727 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 728 }; 729