1 // SPDX-License-Identifier: GPL-2.0-only 2 /* (C) 1999-2001 Paul `Rusty' Russell 3 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 4 * (C) 2006-2012 Patrick McHardy <kaber@trash.net> 5 */ 6 7 #include <linux/types.h> 8 #include <linux/timer.h> 9 #include <linux/module.h> 10 #include <linux/udp.h> 11 #include <linux/seq_file.h> 12 #include <linux/skbuff.h> 13 #include <linux/ipv6.h> 14 #include <net/ip6_checksum.h> 15 #include <net/checksum.h> 16 17 #include <linux/netfilter.h> 18 #include <linux/netfilter_ipv4.h> 19 #include <linux/netfilter_ipv6.h> 20 #include <net/netfilter/nf_conntrack_l4proto.h> 21 #include <net/netfilter/nf_conntrack_ecache.h> 22 #include <net/netfilter/nf_conntrack_timeout.h> 23 #include <net/netfilter/nf_log.h> 24 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h> 25 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h> 26 27 static const unsigned int udp_timeouts[UDP_CT_MAX] = { 28 [UDP_CT_UNREPLIED] = 30*HZ, 29 [UDP_CT_REPLIED] = 120*HZ, 30 }; 31 32 static unsigned int *udp_get_timeouts(struct net *net) 33 { 34 return nf_udp_pernet(net)->timeouts; 35 } 36 37 static void udp_error_log(const struct sk_buff *skb, 38 const struct nf_hook_state *state, 39 const char *msg) 40 { 41 nf_l4proto_log_invalid(skb, state->net, state->pf, 42 IPPROTO_UDP, "%s", msg); 43 } 44 45 static bool udp_error(struct sk_buff *skb, 46 unsigned int dataoff, 47 const struct nf_hook_state *state) 48 { 49 unsigned int udplen = skb->len - dataoff; 50 const struct udphdr *hdr; 51 struct udphdr _hdr; 52 53 /* Header is too small? */ 54 hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); 55 if (!hdr) { 56 udp_error_log(skb, state, "short packet"); 57 return true; 58 } 59 60 /* Truncated/malformed packets */ 61 if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) { 62 udp_error_log(skb, state, "truncated/malformed packet"); 63 return true; 64 } 65 66 /* Packet with no checksum */ 67 if (!hdr->check) 68 return false; 69 70 /* Checksum invalid? Ignore. 71 * We skip checking packets on the outgoing path 72 * because the checksum is assumed to be correct. 73 * FIXME: Source route IP option packets --RR */ 74 if (state->hook == NF_INET_PRE_ROUTING && 75 state->net->ct.sysctl_checksum && 76 nf_checksum(skb, state->hook, dataoff, IPPROTO_UDP, state->pf)) { 77 udp_error_log(skb, state, "bad checksum"); 78 return true; 79 } 80 81 return false; 82 } 83 84 static void nf_conntrack_udp_refresh_unreplied(struct nf_conn *ct, 85 struct sk_buff *skb, 86 enum ip_conntrack_info ctinfo, 87 u32 extra_jiffies) 88 { 89 if (unlikely(ctinfo == IP_CT_ESTABLISHED_REPLY && 90 ct->status & IPS_NAT_CLASH)) 91 nf_ct_kill(ct); 92 else 93 nf_ct_refresh_acct(ct, ctinfo, skb, extra_jiffies); 94 } 95 96 /* Returns verdict for packet, and may modify conntracktype */ 97 int nf_conntrack_udp_packet(struct nf_conn *ct, 98 struct sk_buff *skb, 99 unsigned int dataoff, 100 enum ip_conntrack_info ctinfo, 101 const struct nf_hook_state *state) 102 { 103 unsigned int *timeouts; 104 105 if (udp_error(skb, dataoff, state)) 106 return -NF_ACCEPT; 107 108 timeouts = nf_ct_timeout_lookup(ct); 109 if (!timeouts) 110 timeouts = udp_get_timeouts(nf_ct_net(ct)); 111 112 if (!nf_ct_is_confirmed(ct)) 113 ct->proto.udp.stream_ts = 2 * HZ + jiffies; 114 115 /* If we've seen traffic both ways, this is some kind of UDP 116 * stream. Set Assured. 117 */ 118 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { 119 unsigned long extra = timeouts[UDP_CT_UNREPLIED]; 120 121 /* Still active after two seconds? Extend timeout. */ 122 if (time_after(jiffies, ct->proto.udp.stream_ts)) 123 extra = timeouts[UDP_CT_REPLIED]; 124 125 nf_ct_refresh_acct(ct, ctinfo, skb, extra); 126 127 /* Also, more likely to be important, and not a probe */ 128 if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) 129 nf_conntrack_event_cache(IPCT_ASSURED, ct); 130 } else { 131 nf_conntrack_udp_refresh_unreplied(ct, skb, ctinfo, 132 timeouts[UDP_CT_UNREPLIED]); 133 } 134 return NF_ACCEPT; 135 } 136 137 #ifdef CONFIG_NF_CT_PROTO_UDPLITE 138 static void udplite_error_log(const struct sk_buff *skb, 139 const struct nf_hook_state *state, 140 const char *msg) 141 { 142 nf_l4proto_log_invalid(skb, state->net, state->pf, 143 IPPROTO_UDPLITE, "%s", msg); 144 } 145 146 static bool udplite_error(struct sk_buff *skb, 147 unsigned int dataoff, 148 const struct nf_hook_state *state) 149 { 150 unsigned int udplen = skb->len - dataoff; 151 const struct udphdr *hdr; 152 struct udphdr _hdr; 153 unsigned int cscov; 154 155 /* Header is too small? */ 156 hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); 157 if (!hdr) { 158 udplite_error_log(skb, state, "short packet"); 159 return true; 160 } 161 162 cscov = ntohs(hdr->len); 163 if (cscov == 0) { 164 cscov = udplen; 165 } else if (cscov < sizeof(*hdr) || cscov > udplen) { 166 udplite_error_log(skb, state, "invalid checksum coverage"); 167 return true; 168 } 169 170 /* UDPLITE mandates checksums */ 171 if (!hdr->check) { 172 udplite_error_log(skb, state, "checksum missing"); 173 return true; 174 } 175 176 /* Checksum invalid? Ignore. */ 177 if (state->hook == NF_INET_PRE_ROUTING && 178 state->net->ct.sysctl_checksum && 179 nf_checksum_partial(skb, state->hook, dataoff, cscov, IPPROTO_UDP, 180 state->pf)) { 181 udplite_error_log(skb, state, "bad checksum"); 182 return true; 183 } 184 185 return false; 186 } 187 188 /* Returns verdict for packet, and may modify conntracktype */ 189 int nf_conntrack_udplite_packet(struct nf_conn *ct, 190 struct sk_buff *skb, 191 unsigned int dataoff, 192 enum ip_conntrack_info ctinfo, 193 const struct nf_hook_state *state) 194 { 195 unsigned int *timeouts; 196 197 if (udplite_error(skb, dataoff, state)) 198 return -NF_ACCEPT; 199 200 timeouts = nf_ct_timeout_lookup(ct); 201 if (!timeouts) 202 timeouts = udp_get_timeouts(nf_ct_net(ct)); 203 204 /* If we've seen traffic both ways, this is some kind of UDP 205 stream. Extend timeout. */ 206 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { 207 nf_ct_refresh_acct(ct, ctinfo, skb, 208 timeouts[UDP_CT_REPLIED]); 209 /* Also, more likely to be important, and not a probe */ 210 if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) 211 nf_conntrack_event_cache(IPCT_ASSURED, ct); 212 } else { 213 nf_conntrack_udp_refresh_unreplied(ct, skb, ctinfo, 214 timeouts[UDP_CT_UNREPLIED]); 215 } 216 return NF_ACCEPT; 217 } 218 #endif 219 220 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 221 222 #include <linux/netfilter/nfnetlink.h> 223 #include <linux/netfilter/nfnetlink_cttimeout.h> 224 225 static int udp_timeout_nlattr_to_obj(struct nlattr *tb[], 226 struct net *net, void *data) 227 { 228 unsigned int *timeouts = data; 229 struct nf_udp_net *un = nf_udp_pernet(net); 230 231 if (!timeouts) 232 timeouts = un->timeouts; 233 234 /* set default timeouts for UDP. */ 235 timeouts[UDP_CT_UNREPLIED] = un->timeouts[UDP_CT_UNREPLIED]; 236 timeouts[UDP_CT_REPLIED] = un->timeouts[UDP_CT_REPLIED]; 237 238 if (tb[CTA_TIMEOUT_UDP_UNREPLIED]) { 239 timeouts[UDP_CT_UNREPLIED] = 240 ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_UNREPLIED])) * HZ; 241 } 242 if (tb[CTA_TIMEOUT_UDP_REPLIED]) { 243 timeouts[UDP_CT_REPLIED] = 244 ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_REPLIED])) * HZ; 245 } 246 return 0; 247 } 248 249 static int 250 udp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data) 251 { 252 const unsigned int *timeouts = data; 253 254 if (nla_put_be32(skb, CTA_TIMEOUT_UDP_UNREPLIED, 255 htonl(timeouts[UDP_CT_UNREPLIED] / HZ)) || 256 nla_put_be32(skb, CTA_TIMEOUT_UDP_REPLIED, 257 htonl(timeouts[UDP_CT_REPLIED] / HZ))) 258 goto nla_put_failure; 259 return 0; 260 261 nla_put_failure: 262 return -ENOSPC; 263 } 264 265 static const struct nla_policy 266 udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = { 267 [CTA_TIMEOUT_UDP_UNREPLIED] = { .type = NLA_U32 }, 268 [CTA_TIMEOUT_UDP_REPLIED] = { .type = NLA_U32 }, 269 }; 270 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 271 272 void nf_conntrack_udp_init_net(struct net *net) 273 { 274 struct nf_udp_net *un = nf_udp_pernet(net); 275 int i; 276 277 for (i = 0; i < UDP_CT_MAX; i++) 278 un->timeouts[i] = udp_timeouts[i]; 279 } 280 281 const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp = 282 { 283 .l4proto = IPPROTO_UDP, 284 .allow_clash = true, 285 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 286 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 287 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 288 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 289 .nla_policy = nf_ct_port_nla_policy, 290 #endif 291 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 292 .ctnl_timeout = { 293 .nlattr_to_obj = udp_timeout_nlattr_to_obj, 294 .obj_to_nlattr = udp_timeout_obj_to_nlattr, 295 .nlattr_max = CTA_TIMEOUT_UDP_MAX, 296 .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, 297 .nla_policy = udp_timeout_nla_policy, 298 }, 299 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 300 }; 301 302 #ifdef CONFIG_NF_CT_PROTO_UDPLITE 303 const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite = 304 { 305 .l4proto = IPPROTO_UDPLITE, 306 .allow_clash = true, 307 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 308 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 309 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 310 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 311 .nla_policy = nf_ct_port_nla_policy, 312 #endif 313 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 314 .ctnl_timeout = { 315 .nlattr_to_obj = udp_timeout_nlattr_to_obj, 316 .obj_to_nlattr = udp_timeout_obj_to_nlattr, 317 .nlattr_max = CTA_TIMEOUT_UDP_MAX, 318 .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, 319 .nla_policy = udp_timeout_nla_policy, 320 }, 321 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 322 }; 323 #endif 324