~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/netfilter/nf_conntrack_proto_sctp.c

Version: ~ [ linux-5.3-rc1 ] ~ [ linux-5.2.2 ] ~ [ linux-5.1.19 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.60 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.134 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.186 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.186 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.70 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.39.4 ] ~ [ linux-2.6.38.8 ] ~ [ linux-2.6.37.6 ] ~ [ linux-2.6.36.4 ] ~ [ linux-2.6.35.14 ] ~ [ linux-2.6.34.15 ] ~ [ linux-2.6.33.20 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * Connection tracking protocol helper module for SCTP.
  3  *
  4  * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
  5  * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
  6  *
  7  * SCTP is defined in RFC 2960. References to various sections in this code
  8  * are to this RFC.
  9  *
 10  * This program is free software; you can redistribute it and/or modify
 11  * it under the terms of the GNU General Public License version 2 as
 12  * published by the Free Software Foundation.
 13  */
 14 
 15 #include <linux/types.h>
 16 #include <linux/timer.h>
 17 #include <linux/netfilter.h>
 18 #include <linux/in.h>
 19 #include <linux/ip.h>
 20 #include <linux/sctp.h>
 21 #include <linux/string.h>
 22 #include <linux/seq_file.h>
 23 #include <linux/spinlock.h>
 24 #include <linux/interrupt.h>
 25 
 26 #include <net/netfilter/nf_conntrack.h>
 27 #include <net/netfilter/nf_conntrack_l4proto.h>
 28 #include <net/netfilter/nf_conntrack_ecache.h>
 29 
 30 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
 31    closely.  They're more complex. --RR
 32 
 33    And so for me for SCTP :D -Kiran */
 34 
 35 static const char *const sctp_conntrack_names[] = {
 36         "NONE",
 37         "CLOSED",
 38         "COOKIE_WAIT",
 39         "COOKIE_ECHOED",
 40         "ESTABLISHED",
 41         "SHUTDOWN_SENT",
 42         "SHUTDOWN_RECD",
 43         "SHUTDOWN_ACK_SENT",
 44         "HEARTBEAT_SENT",
 45         "HEARTBEAT_ACKED",
 46 };
 47 
 48 #define SECS  * HZ
 49 #define MINS  * 60 SECS
 50 #define HOURS * 60 MINS
 51 #define DAYS  * 24 HOURS
 52 
 53 static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
 54         [SCTP_CONNTRACK_CLOSED]                 = 10 SECS,
 55         [SCTP_CONNTRACK_COOKIE_WAIT]            = 3 SECS,
 56         [SCTP_CONNTRACK_COOKIE_ECHOED]          = 3 SECS,
 57         [SCTP_CONNTRACK_ESTABLISHED]            = 5 DAYS,
 58         [SCTP_CONNTRACK_SHUTDOWN_SENT]          = 300 SECS / 1000,
 59         [SCTP_CONNTRACK_SHUTDOWN_RECD]          = 300 SECS / 1000,
 60         [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT]      = 3 SECS,
 61         [SCTP_CONNTRACK_HEARTBEAT_SENT]         = 30 SECS,
 62         [SCTP_CONNTRACK_HEARTBEAT_ACKED]        = 210 SECS,
 63 };
 64 
 65 #define sNO SCTP_CONNTRACK_NONE
 66 #define sCL SCTP_CONNTRACK_CLOSED
 67 #define sCW SCTP_CONNTRACK_COOKIE_WAIT
 68 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED
 69 #define sES SCTP_CONNTRACK_ESTABLISHED
 70 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
 71 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
 72 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
 73 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
 74 #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
 75 #define sIV SCTP_CONNTRACK_MAX
 76 
 77 /*
 78         These are the descriptions of the states:
 79 
 80 NOTE: These state names are tantalizingly similar to the states of an
 81 SCTP endpoint. But the interpretation of the states is a little different,
 82 considering that these are the states of the connection and not of an end
 83 point. Please note the subtleties. -Kiran
 84 
 85 NONE              - Nothing so far.
 86 COOKIE WAIT       - We have seen an INIT chunk in the original direction, or also
 87                     an INIT_ACK chunk in the reply direction.
 88 COOKIE ECHOED     - We have seen a COOKIE_ECHO chunk in the original direction.
 89 ESTABLISHED       - We have seen a COOKIE_ACK in the reply direction.
 90 SHUTDOWN_SENT     - We have seen a SHUTDOWN chunk in the original direction.
 91 SHUTDOWN_RECD     - We have seen a SHUTDOWN chunk in the reply directoin.
 92 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
 93                     to that of the SHUTDOWN chunk.
 94 CLOSED            - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
 95                     the SHUTDOWN chunk. Connection is closed.
 96 HEARTBEAT_SENT    - We have seen a HEARTBEAT in a new flow.
 97 HEARTBEAT_ACKED   - We have seen a HEARTBEAT-ACK in the direction opposite to
 98                     that of the HEARTBEAT chunk. Secondary connection is
 99                     established.
100 */
101 
102 /* TODO
103  - I have assumed that the first INIT is in the original direction.
104  This messes things when an INIT comes in the reply direction in CLOSED
105  state.
106  - Check the error type in the reply dir before transitioning from
107 cookie echoed to closed.
108  - Sec 5.2.4 of RFC 2960
109  - Full Multi Homing support.
110 */
111 
112 /* SCTP conntrack state transitions */
113 static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
114         {
115 /*      ORIGINAL        */
116 /*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
117 /* init         */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
118 /* init_ack     */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
119 /* abort        */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
120 /* shutdown     */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
121 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
122 /* error        */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
123 /* cookie_echo  */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
124 /* cookie_ack   */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
125 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
126 /* heartbeat    */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
127 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
128         },
129         {
130 /*      REPLY   */
131 /*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
132 /* init         */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
133 /* init_ack     */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
134 /* abort        */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
135 /* shutdown     */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
136 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
137 /* error        */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
138 /* cookie_echo  */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
139 /* cookie_ack   */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
140 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
141 /* heartbeat    */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
142 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
143         }
144 };
145 
146 static inline struct nf_sctp_net *sctp_pernet(struct net *net)
147 {
148         return &net->ct.nf_ct_proto.sctp;
149 }
150 
151 static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
152                               struct net *net, struct nf_conntrack_tuple *tuple)
153 {
154         const struct sctphdr *hp;
155         struct sctphdr _hdr;
156 
157         /* Actually only need first 4 bytes to get ports. */
158         hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
159         if (hp == NULL)
160                 return false;
161 
162         tuple->src.u.sctp.port = hp->source;
163         tuple->dst.u.sctp.port = hp->dest;
164         return true;
165 }
166 
167 static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
168                               const struct nf_conntrack_tuple *orig)
169 {
170         tuple->src.u.sctp.port = orig->dst.u.sctp.port;
171         tuple->dst.u.sctp.port = orig->src.u.sctp.port;
172         return true;
173 }
174 
175 /* Print out the per-protocol part of the tuple. */
176 static void sctp_print_tuple(struct seq_file *s,
177                              const struct nf_conntrack_tuple *tuple)
178 {
179         seq_printf(s, "sport=%hu dport=%hu ",
180                    ntohs(tuple->src.u.sctp.port),
181                    ntohs(tuple->dst.u.sctp.port));
182 }
183 
184 /* Print out the private part of the conntrack. */
185 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
186 {
187         seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
188 }
189 
190 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count)     \
191 for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0;        \
192         (offset) < (skb)->len &&                                        \
193         ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch)));   \
194         (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
195 
196 /* Some validity checks to make sure the chunks are fine */
197 static int do_basic_checks(struct nf_conn *ct,
198                            const struct sk_buff *skb,
199                            unsigned int dataoff,
200                            unsigned long *map)
201 {
202         u_int32_t offset, count;
203         sctp_chunkhdr_t _sch, *sch;
204         int flag;
205 
206         flag = 0;
207 
208         for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
209                 pr_debug("Chunk Num: %d  Type: %d\n", count, sch->type);
210 
211                 if (sch->type == SCTP_CID_INIT ||
212                     sch->type == SCTP_CID_INIT_ACK ||
213                     sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
214                         flag = 1;
215 
216                 /*
217                  * Cookie Ack/Echo chunks not the first OR
218                  * Init / Init Ack / Shutdown compl chunks not the only chunks
219                  * OR zero-length.
220                  */
221                 if (((sch->type == SCTP_CID_COOKIE_ACK ||
222                       sch->type == SCTP_CID_COOKIE_ECHO ||
223                       flag) &&
224                      count != 0) || !sch->length) {
225                         pr_debug("Basic checks failed\n");
226                         return 1;
227                 }
228 
229                 if (map)
230                         set_bit(sch->type, map);
231         }
232 
233         pr_debug("Basic checks passed\n");
234         return count == 0;
235 }
236 
237 static int sctp_new_state(enum ip_conntrack_dir dir,
238                           enum sctp_conntrack cur_state,
239                           int chunk_type)
240 {
241         int i;
242 
243         pr_debug("Chunk type: %d\n", chunk_type);
244 
245         switch (chunk_type) {
246         case SCTP_CID_INIT:
247                 pr_debug("SCTP_CID_INIT\n");
248                 i = 0;
249                 break;
250         case SCTP_CID_INIT_ACK:
251                 pr_debug("SCTP_CID_INIT_ACK\n");
252                 i = 1;
253                 break;
254         case SCTP_CID_ABORT:
255                 pr_debug("SCTP_CID_ABORT\n");
256                 i = 2;
257                 break;
258         case SCTP_CID_SHUTDOWN:
259                 pr_debug("SCTP_CID_SHUTDOWN\n");
260                 i = 3;
261                 break;
262         case SCTP_CID_SHUTDOWN_ACK:
263                 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
264                 i = 4;
265                 break;
266         case SCTP_CID_ERROR:
267                 pr_debug("SCTP_CID_ERROR\n");
268                 i = 5;
269                 break;
270         case SCTP_CID_COOKIE_ECHO:
271                 pr_debug("SCTP_CID_COOKIE_ECHO\n");
272                 i = 6;
273                 break;
274         case SCTP_CID_COOKIE_ACK:
275                 pr_debug("SCTP_CID_COOKIE_ACK\n");
276                 i = 7;
277                 break;
278         case SCTP_CID_SHUTDOWN_COMPLETE:
279                 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
280                 i = 8;
281                 break;
282         case SCTP_CID_HEARTBEAT:
283                 pr_debug("SCTP_CID_HEARTBEAT");
284                 i = 9;
285                 break;
286         case SCTP_CID_HEARTBEAT_ACK:
287                 pr_debug("SCTP_CID_HEARTBEAT_ACK");
288                 i = 10;
289                 break;
290         default:
291                 /* Other chunks like DATA or SACK do not change the state */
292                 pr_debug("Unknown chunk type, Will stay in %s\n",
293                          sctp_conntrack_names[cur_state]);
294                 return cur_state;
295         }
296 
297         pr_debug("dir: %d   cur_state: %s  chunk_type: %d  new_state: %s\n",
298                  dir, sctp_conntrack_names[cur_state], chunk_type,
299                  sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
300 
301         return sctp_conntracks[dir][i][cur_state];
302 }
303 
304 static unsigned int *sctp_get_timeouts(struct net *net)
305 {
306         return sctp_pernet(net)->timeouts;
307 }
308 
309 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
310 static int sctp_packet(struct nf_conn *ct,
311                        const struct sk_buff *skb,
312                        unsigned int dataoff,
313                        enum ip_conntrack_info ctinfo,
314                        u_int8_t pf,
315                        unsigned int hooknum,
316                        unsigned int *timeouts)
317 {
318         enum sctp_conntrack new_state, old_state;
319         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
320         const struct sctphdr *sh;
321         struct sctphdr _sctph;
322         const struct sctp_chunkhdr *sch;
323         struct sctp_chunkhdr _sch;
324         u_int32_t offset, count;
325         unsigned long map[256 / sizeof(unsigned long)] = { 0 };
326 
327         sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
328         if (sh == NULL)
329                 goto out;
330 
331         if (do_basic_checks(ct, skb, dataoff, map) != 0)
332                 goto out;
333 
334         /* Check the verification tag (Sec 8.5) */
335         if (!test_bit(SCTP_CID_INIT, map) &&
336             !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
337             !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
338             !test_bit(SCTP_CID_ABORT, map) &&
339             !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
340             !test_bit(SCTP_CID_HEARTBEAT, map) &&
341             !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
342             sh->vtag != ct->proto.sctp.vtag[dir]) {
343                 pr_debug("Verification tag check failed\n");
344                 goto out;
345         }
346 
347         old_state = new_state = SCTP_CONNTRACK_NONE;
348         spin_lock_bh(&ct->lock);
349         for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
350                 /* Special cases of Verification tag check (Sec 8.5.1) */
351                 if (sch->type == SCTP_CID_INIT) {
352                         /* Sec 8.5.1 (A) */
353                         if (sh->vtag != 0)
354                                 goto out_unlock;
355                 } else if (sch->type == SCTP_CID_ABORT) {
356                         /* Sec 8.5.1 (B) */
357                         if (sh->vtag != ct->proto.sctp.vtag[dir] &&
358                             sh->vtag != ct->proto.sctp.vtag[!dir])
359                                 goto out_unlock;
360                 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
361                         /* Sec 8.5.1 (C) */
362                         if (sh->vtag != ct->proto.sctp.vtag[dir] &&
363                             sh->vtag != ct->proto.sctp.vtag[!dir] &&
364                             sch->flags & SCTP_CHUNK_FLAG_T)
365                                 goto out_unlock;
366                 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
367                         /* Sec 8.5.1 (D) */
368                         if (sh->vtag != ct->proto.sctp.vtag[dir])
369                                 goto out_unlock;
370                 } else if (sch->type == SCTP_CID_HEARTBEAT ||
371                            sch->type == SCTP_CID_HEARTBEAT_ACK) {
372                         if (ct->proto.sctp.vtag[dir] == 0) {
373                                 pr_debug("Setting vtag %x for dir %d\n",
374                                          sh->vtag, dir);
375                                 ct->proto.sctp.vtag[dir] = sh->vtag;
376                         } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
377                                 pr_debug("Verification tag check failed\n");
378                                 goto out_unlock;
379                         }
380                 }
381 
382                 old_state = ct->proto.sctp.state;
383                 new_state = sctp_new_state(dir, old_state, sch->type);
384 
385                 /* Invalid */
386                 if (new_state == SCTP_CONNTRACK_MAX) {
387                         pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
388                                  "conntrack=%u\n",
389                                  dir, sch->type, old_state);
390                         goto out_unlock;
391                 }
392 
393                 /* If it is an INIT or an INIT ACK note down the vtag */
394                 if (sch->type == SCTP_CID_INIT ||
395                     sch->type == SCTP_CID_INIT_ACK) {
396                         sctp_inithdr_t _inithdr, *ih;
397 
398                         ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
399                                                 sizeof(_inithdr), &_inithdr);
400                         if (ih == NULL)
401                                 goto out_unlock;
402                         pr_debug("Setting vtag %x for dir %d\n",
403                                  ih->init_tag, !dir);
404                         ct->proto.sctp.vtag[!dir] = ih->init_tag;
405                 }
406 
407                 ct->proto.sctp.state = new_state;
408                 if (old_state != new_state)
409                         nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
410         }
411         spin_unlock_bh(&ct->lock);
412 
413         nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
414 
415         if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
416             dir == IP_CT_DIR_REPLY &&
417             new_state == SCTP_CONNTRACK_ESTABLISHED) {
418                 pr_debug("Setting assured bit\n");
419                 set_bit(IPS_ASSURED_BIT, &ct->status);
420                 nf_conntrack_event_cache(IPCT_ASSURED, ct);
421         }
422 
423         return NF_ACCEPT;
424 
425 out_unlock:
426         spin_unlock_bh(&ct->lock);
427 out:
428         return -NF_ACCEPT;
429 }
430 
431 /* Called when a new connection for this protocol found. */
432 static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
433                      unsigned int dataoff, unsigned int *timeouts)
434 {
435         enum sctp_conntrack new_state;
436         const struct sctphdr *sh;
437         struct sctphdr _sctph;
438         const struct sctp_chunkhdr *sch;
439         struct sctp_chunkhdr _sch;
440         u_int32_t offset, count;
441         unsigned long map[256 / sizeof(unsigned long)] = { 0 };
442 
443         sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
444         if (sh == NULL)
445                 return false;
446 
447         if (do_basic_checks(ct, skb, dataoff, map) != 0)
448                 return false;
449 
450         /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
451         if (test_bit(SCTP_CID_ABORT, map) ||
452             test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
453             test_bit(SCTP_CID_COOKIE_ACK, map))
454                 return false;
455 
456         memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
457         new_state = SCTP_CONNTRACK_MAX;
458         for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
459                 /* Don't need lock here: this conntrack not in circulation yet */
460                 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
461                                            SCTP_CONNTRACK_NONE, sch->type);
462 
463                 /* Invalid: delete conntrack */
464                 if (new_state == SCTP_CONNTRACK_NONE ||
465                     new_state == SCTP_CONNTRACK_MAX) {
466                         pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
467                         return false;
468                 }
469 
470                 /* Copy the vtag into the state info */
471                 if (sch->type == SCTP_CID_INIT) {
472                         if (sh->vtag == 0) {
473                                 sctp_inithdr_t _inithdr, *ih;
474 
475                                 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
476                                                         sizeof(_inithdr), &_inithdr);
477                                 if (ih == NULL)
478                                         return false;
479 
480                                 pr_debug("Setting vtag %x for new conn\n",
481                                          ih->init_tag);
482 
483                                 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
484                                                                 ih->init_tag;
485                         } else {
486                                 /* Sec 8.5.1 (A) */
487                                 return false;
488                         }
489                 } else if (sch->type == SCTP_CID_HEARTBEAT) {
490                         pr_debug("Setting vtag %x for secondary conntrack\n",
491                                  sh->vtag);
492                         ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
493                 }
494                 /* If it is a shutdown ack OOTB packet, we expect a return
495                    shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
496                 else {
497                         pr_debug("Setting vtag %x for new conn OOTB\n",
498                                  sh->vtag);
499                         ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
500                 }
501 
502                 ct->proto.sctp.state = new_state;
503         }
504 
505         return true;
506 }
507 
508 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
509 
510 #include <linux/netfilter/nfnetlink.h>
511 #include <linux/netfilter/nfnetlink_conntrack.h>
512 
513 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
514                           struct nf_conn *ct)
515 {
516         struct nlattr *nest_parms;
517 
518         spin_lock_bh(&ct->lock);
519         nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
520         if (!nest_parms)
521                 goto nla_put_failure;
522 
523         if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
524             nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
525                          ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
526             nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
527                          ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
528                 goto nla_put_failure;
529 
530         spin_unlock_bh(&ct->lock);
531 
532         nla_nest_end(skb, nest_parms);
533 
534         return 0;
535 
536 nla_put_failure:
537         spin_unlock_bh(&ct->lock);
538         return -1;
539 }
540 
541 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
542         [CTA_PROTOINFO_SCTP_STATE]          = { .type = NLA_U8 },
543         [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]  = { .type = NLA_U32 },
544         [CTA_PROTOINFO_SCTP_VTAG_REPLY]     = { .type = NLA_U32 },
545 };
546 
547 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
548 {
549         struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
550         struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
551         int err;
552 
553         /* updates may not contain the internal protocol info, skip parsing */
554         if (!attr)
555                 return 0;
556 
557         err = nla_parse_nested(tb,
558                                CTA_PROTOINFO_SCTP_MAX,
559                                attr,
560                                sctp_nla_policy);
561         if (err < 0)
562                 return err;
563 
564         if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
565             !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
566             !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
567                 return -EINVAL;
568 
569         spin_lock_bh(&ct->lock);
570         ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
571         ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
572                 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
573         ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
574                 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
575         spin_unlock_bh(&ct->lock);
576 
577         return 0;
578 }
579 
580 static int sctp_nlattr_size(void)
581 {
582         return nla_total_size(0)        /* CTA_PROTOINFO_SCTP */
583                 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
584 }
585 #endif
586 
587 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
588 
589 #include <linux/netfilter/nfnetlink.h>
590 #include <linux/netfilter/nfnetlink_cttimeout.h>
591 
592 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
593                                       struct net *net, void *data)
594 {
595         unsigned int *timeouts = data;
596         struct nf_sctp_net *sn = sctp_pernet(net);
597         int i;
598 
599         /* set default SCTP timeouts. */
600         for (i=0; i<SCTP_CONNTRACK_MAX; i++)
601                 timeouts[i] = sn->timeouts[i];
602 
603         /* there's a 1:1 mapping between attributes and protocol states. */
604         for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
605                 if (tb[i]) {
606                         timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
607                 }
608         }
609         return 0;
610 }
611 
612 static int
613 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
614 {
615         const unsigned int *timeouts = data;
616         int i;
617 
618         for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
619                 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
620                         goto nla_put_failure;
621         }
622         return 0;
623 
624 nla_put_failure:
625         return -ENOSPC;
626 }
627 
628 static const struct nla_policy
629 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
630         [CTA_TIMEOUT_SCTP_CLOSED]               = { .type = NLA_U32 },
631         [CTA_TIMEOUT_SCTP_COOKIE_WAIT]          = { .type = NLA_U32 },
632         [CTA_TIMEOUT_SCTP_COOKIE_ECHOED]        = { .type = NLA_U32 },
633         [CTA_TIMEOUT_SCTP_ESTABLISHED]          = { .type = NLA_U32 },
634         [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT]        = { .type = NLA_U32 },
635         [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD]        = { .type = NLA_U32 },
636         [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT]    = { .type = NLA_U32 },
637         [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT]       = { .type = NLA_U32 },
638         [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED]      = { .type = NLA_U32 },
639 };
640 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
641 
642 
643 #ifdef CONFIG_SYSCTL
644 static struct ctl_table sctp_sysctl_table[] = {
645         {
646                 .procname       = "nf_conntrack_sctp_timeout_closed",
647                 .maxlen         = sizeof(unsigned int),
648                 .mode           = 0644,
649                 .proc_handler   = proc_dointvec_jiffies,
650         },
651         {
652                 .procname       = "nf_conntrack_sctp_timeout_cookie_wait",
653                 .maxlen         = sizeof(unsigned int),
654                 .mode           = 0644,
655                 .proc_handler   = proc_dointvec_jiffies,
656         },
657         {
658                 .procname       = "nf_conntrack_sctp_timeout_cookie_echoed",
659                 .maxlen         = sizeof(unsigned int),
660                 .mode           = 0644,
661                 .proc_handler   = proc_dointvec_jiffies,
662         },
663         {
664                 .procname       = "nf_conntrack_sctp_timeout_established",
665                 .maxlen         = sizeof(unsigned int),
666                 .mode           = 0644,
667                 .proc_handler   = proc_dointvec_jiffies,
668         },
669         {
670                 .procname       = "nf_conntrack_sctp_timeout_shutdown_sent",
671                 .maxlen         = sizeof(unsigned int),
672                 .mode           = 0644,
673                 .proc_handler   = proc_dointvec_jiffies,
674         },
675         {
676                 .procname       = "nf_conntrack_sctp_timeout_shutdown_recd",
677                 .maxlen         = sizeof(unsigned int),
678                 .mode           = 0644,
679                 .proc_handler   = proc_dointvec_jiffies,
680         },
681         {
682                 .procname       = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
683                 .maxlen         = sizeof(unsigned int),
684                 .mode           = 0644,
685                 .proc_handler   = proc_dointvec_jiffies,
686         },
687         {
688                 .procname       = "nf_conntrack_sctp_timeout_heartbeat_sent",
689                 .maxlen         = sizeof(unsigned int),
690                 .mode           = 0644,
691                 .proc_handler   = proc_dointvec_jiffies,
692         },
693         {
694                 .procname       = "nf_conntrack_sctp_timeout_heartbeat_acked",
695                 .maxlen         = sizeof(unsigned int),
696                 .mode           = 0644,
697                 .proc_handler   = proc_dointvec_jiffies,
698         },
699         { }
700 };
701 #endif
702 
703 static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
704                                      struct nf_sctp_net *sn)
705 {
706 #ifdef CONFIG_SYSCTL
707         if (pn->ctl_table)
708                 return 0;
709 
710         pn->ctl_table = kmemdup(sctp_sysctl_table,
711                                 sizeof(sctp_sysctl_table),
712                                 GFP_KERNEL);
713         if (!pn->ctl_table)
714                 return -ENOMEM;
715 
716         pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
717         pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
718         pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
719         pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
720         pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
721         pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
722         pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
723         pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
724         pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
725 #endif
726         return 0;
727 }
728 
729 static int sctp_init_net(struct net *net, u_int16_t proto)
730 {
731         struct nf_sctp_net *sn = sctp_pernet(net);
732         struct nf_proto_net *pn = &sn->pn;
733 
734         if (!pn->users) {
735                 int i;
736 
737                 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
738                         sn->timeouts[i] = sctp_timeouts[i];
739         }
740 
741         return sctp_kmemdup_sysctl_table(pn, sn);
742 }
743 
744 struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
745         .l3proto                = PF_INET,
746         .l4proto                = IPPROTO_SCTP,
747         .name                   = "sctp",
748         .pkt_to_tuple           = sctp_pkt_to_tuple,
749         .invert_tuple           = sctp_invert_tuple,
750         .print_tuple            = sctp_print_tuple,
751         .print_conntrack        = sctp_print_conntrack,
752         .packet                 = sctp_packet,
753         .get_timeouts           = sctp_get_timeouts,
754         .new                    = sctp_new,
755         .me                     = THIS_MODULE,
756 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
757         .to_nlattr              = sctp_to_nlattr,
758         .nlattr_size            = sctp_nlattr_size,
759         .from_nlattr            = nlattr_to_sctp,
760         .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
761         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
762         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
763         .nla_policy             = nf_ct_port_nla_policy,
764 #endif
765 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
766         .ctnl_timeout           = {
767                 .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
768                 .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
769                 .nlattr_max     = CTA_TIMEOUT_SCTP_MAX,
770                 .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
771                 .nla_policy     = sctp_timeout_nla_policy,
772         },
773 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
774         .init_net               = sctp_init_net,
775 };
776 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
777 
778 struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
779         .l3proto                = PF_INET6,
780         .l4proto                = IPPROTO_SCTP,
781         .name                   = "sctp",
782         .pkt_to_tuple           = sctp_pkt_to_tuple,
783         .invert_tuple           = sctp_invert_tuple,
784         .print_tuple            = sctp_print_tuple,
785         .print_conntrack        = sctp_print_conntrack,
786         .packet                 = sctp_packet,
787         .get_timeouts           = sctp_get_timeouts,
788         .new                    = sctp_new,
789         .me                     = THIS_MODULE,
790 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
791         .to_nlattr              = sctp_to_nlattr,
792         .nlattr_size            = sctp_nlattr_size,
793         .from_nlattr            = nlattr_to_sctp,
794         .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
795         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
796         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
797         .nla_policy             = nf_ct_port_nla_policy,
798 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
799         .ctnl_timeout           = {
800                 .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
801                 .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
802                 .nlattr_max     = CTA_TIMEOUT_SCTP_MAX,
803                 .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
804                 .nla_policy     = sctp_timeout_nla_policy,
805         },
806 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
807 #endif
808         .init_net               = sctp_init_net,
809 };
810 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
811 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp