1 // SPDX-License-Identifier: GPL-2.0-only 2 /* (C) 1999-2001 Paul `Rusty' Russell 3 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 4 * (C) 2006-2012 Patrick McHardy <kaber@trash.net> 5 */ 6 7 #include <linux/types.h> 8 #include <linux/timer.h> 9 #include <linux/module.h> 10 #include <linux/udp.h> 11 #include <linux/seq_file.h> 12 #include <linux/skbuff.h> 13 #include <linux/ipv6.h> 14 #include <net/ip6_checksum.h> 15 #include <net/checksum.h> 16 17 #include <linux/netfilter.h> 18 #include <linux/netfilter_ipv4.h> 19 #include <linux/netfilter_ipv6.h> 20 #include <net/netfilter/nf_conntrack_l4proto.h> 21 #include <net/netfilter/nf_conntrack_ecache.h> 22 #include <net/netfilter/nf_conntrack_timeout.h> 23 #include <net/netfilter/nf_log.h> 24 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h> 25 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h> 26 27 static const unsigned int udp_timeouts[UDP_CT_MAX] = { 28 [UDP_CT_UNREPLIED] = 30*HZ, 29 [UDP_CT_REPLIED] = 120*HZ, 30 }; 31 32 static unsigned int *udp_get_timeouts(struct net *net) 33 { 34 return nf_udp_pernet(net)->timeouts; 35 } 36 37 static void udp_error_log(const struct sk_buff *skb, 38 const struct nf_hook_state *state, 39 const char *msg) 40 { 41 nf_l4proto_log_invalid(skb, state, IPPROTO_UDP, "%s", msg); 42 } 43 44 static bool udp_error(struct sk_buff *skb, 45 unsigned int dataoff, 46 const struct nf_hook_state *state) 47 { 48 unsigned int udplen = skb->len - dataoff; 49 const struct udphdr *hdr; 50 struct udphdr _hdr; 51 52 /* Header is too small? */ 53 hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); 54 if (!hdr) { 55 udp_error_log(skb, state, "short packet"); 56 return true; 57 } 58 59 /* Truncated/malformed packets */ 60 if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) { 61 udp_error_log(skb, state, "truncated/malformed packet"); 62 return true; 63 } 64 65 /* Packet with no checksum */ 66 if (!hdr->check) 67 return false; 68 69 /* Checksum invalid? Ignore. 70 * We skip checking packets on the outgoing path 71 * because the checksum is assumed to be correct. 72 * FIXME: Source route IP option packets --RR */ 73 if (state->hook == NF_INET_PRE_ROUTING && 74 state->net->ct.sysctl_checksum && 75 nf_checksum(skb, state->hook, dataoff, IPPROTO_UDP, state->pf)) { 76 udp_error_log(skb, state, "bad checksum"); 77 return true; 78 } 79 80 return false; 81 } 82 83 /* Returns verdict for packet, and may modify conntracktype */ 84 int nf_conntrack_udp_packet(struct nf_conn *ct, 85 struct sk_buff *skb, 86 unsigned int dataoff, 87 enum ip_conntrack_info ctinfo, 88 const struct nf_hook_state *state) 89 { 90 unsigned int *timeouts; 91 92 if (udp_error(skb, dataoff, state)) 93 return -NF_ACCEPT; 94 95 timeouts = nf_ct_timeout_lookup(ct); 96 if (!timeouts) 97 timeouts = udp_get_timeouts(nf_ct_net(ct)); 98 99 if (!nf_ct_is_confirmed(ct)) 100 ct->proto.udp.stream_ts = 2 * HZ + jiffies; 101 102 /* If we've seen traffic both ways, this is some kind of UDP 103 * stream. Set Assured. 104 */ 105 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { 106 unsigned long extra = timeouts[UDP_CT_UNREPLIED]; 107 bool stream = false; 108 109 /* Still active after two seconds? Extend timeout. */ 110 if (time_after(jiffies, ct->proto.udp.stream_ts)) { 111 extra = timeouts[UDP_CT_REPLIED]; 112 stream = true; 113 } 114 115 nf_ct_refresh_acct(ct, ctinfo, skb, extra); 116 117 /* never set ASSURED for IPS_NAT_CLASH, they time out soon */ 118 if (unlikely((ct->status & IPS_NAT_CLASH))) 119 return NF_ACCEPT; 120 121 /* Also, more likely to be important, and not a probe */ 122 if (stream && !test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) 123 nf_conntrack_event_cache(IPCT_ASSURED, ct); 124 } else { 125 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[UDP_CT_UNREPLIED]); 126 } 127 return NF_ACCEPT; 128 } 129 130 #ifdef CONFIG_NF_CT_PROTO_UDPLITE 131 static void udplite_error_log(const struct sk_buff *skb, 132 const struct nf_hook_state *state, 133 const char *msg) 134 { 135 nf_l4proto_log_invalid(skb, state, IPPROTO_UDPLITE, "%s", msg); 136 } 137 138 static bool udplite_error(struct sk_buff *skb, 139 unsigned int dataoff, 140 const struct nf_hook_state *state) 141 { 142 unsigned int udplen = skb->len - dataoff; 143 const struct udphdr *hdr; 144 struct udphdr _hdr; 145 unsigned int cscov; 146 147 /* Header is too small? */ 148 hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); 149 if (!hdr) { 150 udplite_error_log(skb, state, "short packet"); 151 return true; 152 } 153 154 cscov = ntohs(hdr->len); 155 if (cscov == 0) { 156 cscov = udplen; 157 } else if (cscov < sizeof(*hdr) || cscov > udplen) { 158 udplite_error_log(skb, state, "invalid checksum coverage"); 159 return true; 160 } 161 162 /* UDPLITE mandates checksums */ 163 if (!hdr->check) { 164 udplite_error_log(skb, state, "checksum missing"); 165 return true; 166 } 167 168 /* Checksum invalid? Ignore. */ 169 if (state->hook == NF_INET_PRE_ROUTING && 170 state->net->ct.sysctl_checksum && 171 nf_checksum_partial(skb, state->hook, dataoff, cscov, IPPROTO_UDP, 172 state->pf)) { 173 udplite_error_log(skb, state, "bad checksum"); 174 return true; 175 } 176 177 return false; 178 } 179 180 /* Returns verdict for packet, and may modify conntracktype */ 181 int nf_conntrack_udplite_packet(struct nf_conn *ct, 182 struct sk_buff *skb, 183 unsigned int dataoff, 184 enum ip_conntrack_info ctinfo, 185 const struct nf_hook_state *state) 186 { 187 unsigned int *timeouts; 188 189 if (udplite_error(skb, dataoff, state)) 190 return -NF_ACCEPT; 191 192 timeouts = nf_ct_timeout_lookup(ct); 193 if (!timeouts) 194 timeouts = udp_get_timeouts(nf_ct_net(ct)); 195 196 /* If we've seen traffic both ways, this is some kind of UDP 197 stream. Extend timeout. */ 198 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { 199 nf_ct_refresh_acct(ct, ctinfo, skb, 200 timeouts[UDP_CT_REPLIED]); 201 202 if (unlikely((ct->status & IPS_NAT_CLASH))) 203 return NF_ACCEPT; 204 205 /* Also, more likely to be important, and not a probe */ 206 if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) 207 nf_conntrack_event_cache(IPCT_ASSURED, ct); 208 } else { 209 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[UDP_CT_UNREPLIED]); 210 } 211 return NF_ACCEPT; 212 } 213 #endif 214 215 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 216 217 #include <linux/netfilter/nfnetlink.h> 218 #include <linux/netfilter/nfnetlink_cttimeout.h> 219 220 static int udp_timeout_nlattr_to_obj(struct nlattr *tb[], 221 struct net *net, void *data) 222 { 223 unsigned int *timeouts = data; 224 struct nf_udp_net *un = nf_udp_pernet(net); 225 226 if (!timeouts) 227 timeouts = un->timeouts; 228 229 /* set default timeouts for UDP. */ 230 timeouts[UDP_CT_UNREPLIED] = un->timeouts[UDP_CT_UNREPLIED]; 231 timeouts[UDP_CT_REPLIED] = un->timeouts[UDP_CT_REPLIED]; 232 233 if (tb[CTA_TIMEOUT_UDP_UNREPLIED]) { 234 timeouts[UDP_CT_UNREPLIED] = 235 ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_UNREPLIED])) * HZ; 236 } 237 if (tb[CTA_TIMEOUT_UDP_REPLIED]) { 238 timeouts[UDP_CT_REPLIED] = 239 ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_REPLIED])) * HZ; 240 } 241 return 0; 242 } 243 244 static int 245 udp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data) 246 { 247 const unsigned int *timeouts = data; 248 249 if (nla_put_be32(skb, CTA_TIMEOUT_UDP_UNREPLIED, 250 htonl(timeouts[UDP_CT_UNREPLIED] / HZ)) || 251 nla_put_be32(skb, CTA_TIMEOUT_UDP_REPLIED, 252 htonl(timeouts[UDP_CT_REPLIED] / HZ))) 253 goto nla_put_failure; 254 return 0; 255 256 nla_put_failure: 257 return -ENOSPC; 258 } 259 260 static const struct nla_policy 261 udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = { 262 [CTA_TIMEOUT_UDP_UNREPLIED] = { .type = NLA_U32 }, 263 [CTA_TIMEOUT_UDP_REPLIED] = { .type = NLA_U32 }, 264 }; 265 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 266 267 void nf_conntrack_udp_init_net(struct net *net) 268 { 269 struct nf_udp_net *un = nf_udp_pernet(net); 270 int i; 271 272 for (i = 0; i < UDP_CT_MAX; i++) 273 un->timeouts[i] = udp_timeouts[i]; 274 275 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 276 un->offload_timeout = 30 * HZ; 277 #endif 278 } 279 280 const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp = 281 { 282 .l4proto = IPPROTO_UDP, 283 .allow_clash = true, 284 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 285 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 286 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 287 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 288 .nla_policy = nf_ct_port_nla_policy, 289 #endif 290 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 291 .ctnl_timeout = { 292 .nlattr_to_obj = udp_timeout_nlattr_to_obj, 293 .obj_to_nlattr = udp_timeout_obj_to_nlattr, 294 .nlattr_max = CTA_TIMEOUT_UDP_MAX, 295 .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, 296 .nla_policy = udp_timeout_nla_policy, 297 }, 298 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 299 }; 300 301 #ifdef CONFIG_NF_CT_PROTO_UDPLITE 302 const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite = 303 { 304 .l4proto = IPPROTO_UDPLITE, 305 .allow_clash = true, 306 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 307 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 308 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 309 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 310 .nla_policy = nf_ct_port_nla_policy, 311 #endif 312 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 313 .ctnl_timeout = { 314 .nlattr_to_obj = udp_timeout_nlattr_to_obj, 315 .obj_to_nlattr = udp_timeout_obj_to_nlattr, 316 .nlattr_max = CTA_TIMEOUT_UDP_MAX, 317 .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, 318 .nla_policy = udp_timeout_nla_policy, 319 }, 320 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 321 }; 322 #endif 323