1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Connection tracking protocol helper module for SCTP.
4 *
5 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
6 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
7 *
8 * SCTP is defined in RFC 2960. References to various sections in this code
9 * are to this RFC.
10 */
11
12 #include <linux/types.h>
13 #include <linux/timer.h>
14 #include <linux/netfilter.h>
15 #include <linux/in.h>
16 #include <linux/ip.h>
17 #include <linux/sctp.h>
18 #include <linux/string.h>
19 #include <linux/seq_file.h>
20 #include <linux/spinlock.h>
21 #include <linux/interrupt.h>
22 #include <net/sctp/checksum.h>
23
24 #include <net/netfilter/nf_log.h>
25 #include <net/netfilter/nf_conntrack.h>
26 #include <net/netfilter/nf_conntrack_l4proto.h>
27 #include <net/netfilter/nf_conntrack_ecache.h>
28 #include <net/netfilter/nf_conntrack_timeout.h>
29
30 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
31 closely. They're more complex. --RR
32
33 And so for me for SCTP :D -Kiran */
34
35 static const char *const sctp_conntrack_names[] = {
36 "NONE",
37 "CLOSED",
38 "COOKIE_WAIT",
39 "COOKIE_ECHOED",
40 "ESTABLISHED",
41 "SHUTDOWN_SENT",
42 "SHUTDOWN_RECD",
43 "SHUTDOWN_ACK_SENT",
44 "HEARTBEAT_SENT",
45 "HEARTBEAT_ACKED",
46 };
47
48 #define SECS * HZ
49 #define MINS * 60 SECS
50 #define HOURS * 60 MINS
51 #define DAYS * 24 HOURS
52
53 static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = {
54 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
55 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
56 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
57 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
58 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
59 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
60 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
61 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
62 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
63 };
64
65 #define sNO SCTP_CONNTRACK_NONE
66 #define sCL SCTP_CONNTRACK_CLOSED
67 #define sCW SCTP_CONNTRACK_COOKIE_WAIT
68 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED
69 #define sES SCTP_CONNTRACK_ESTABLISHED
70 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
71 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
72 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
73 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
74 #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
75 #define sIV SCTP_CONNTRACK_MAX
76
77 /*
78 These are the descriptions of the states:
79
80 NOTE: These state names are tantalizingly similar to the states of an
81 SCTP endpoint. But the interpretation of the states is a little different,
82 considering that these are the states of the connection and not of an end
83 point. Please note the subtleties. -Kiran
84
85 NONE - Nothing so far.
86 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
87 an INIT_ACK chunk in the reply direction.
88 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
89 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
90 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
91 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
92 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
93 to that of the SHUTDOWN chunk.
94 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
95 the SHUTDOWN chunk. Connection is closed.
96 HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
97 HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
98 that of the HEARTBEAT chunk. Secondary connection is
99 established.
100 */
101
102 /* TODO
103 - I have assumed that the first INIT is in the original direction.
104 This messes things when an INIT comes in the reply direction in CLOSED
105 state.
106 - Check the error type in the reply dir before transitioning from
107 cookie echoed to closed.
108 - Sec 5.2.4 of RFC 2960
109 - Full Multi Homing support.
110 */
111
112 /* SCTP conntrack state transitions */
113 static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
114 {
115 /* ORIGINAL */
116 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
117 /* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
118 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
119 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
120 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
121 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
122 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
123 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
124 /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
125 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
126 /* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
127 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
128 },
129 {
130 /* REPLY */
131 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
132 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
133 /* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
134 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
135 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
136 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
137 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
138 /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
139 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
140 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
141 /* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
142 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
143 }
144 };
145
146 #ifdef CONFIG_NF_CONNTRACK_PROCFS
147 /* Print out the private part of the conntrack. */
148 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
149 {
150 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
151 }
152 #endif
153
154 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
155 for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \
156 (offset) < (skb)->len && \
157 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
158 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
159
160 /* Some validity checks to make sure the chunks are fine */
161 static int do_basic_checks(struct nf_conn *ct,
162 const struct sk_buff *skb,
163 unsigned int dataoff,
164 unsigned long *map)
165 {
166 u_int32_t offset, count;
167 struct sctp_chunkhdr _sch, *sch;
168 int flag;
169
170 flag = 0;
171
172 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
173 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
174
175 if (sch->type == SCTP_CID_INIT ||
176 sch->type == SCTP_CID_INIT_ACK ||
177 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
178 flag = 1;
179
180 /*
181 * Cookie Ack/Echo chunks not the first OR
182 * Init / Init Ack / Shutdown compl chunks not the only chunks
183 * OR zero-length.
184 */
185 if (((sch->type == SCTP_CID_COOKIE_ACK ||
186 sch->type == SCTP_CID_COOKIE_ECHO ||
187 flag) &&
188 count != 0) || !sch->length) {
189 pr_debug("Basic checks failed\n");
190 return 1;
191 }
192
193 if (map)
194 set_bit(sch->type, map);
195 }
196
197 pr_debug("Basic checks passed\n");
198 return count == 0;
199 }
200
201 static int sctp_new_state(enum ip_conntrack_dir dir,
202 enum sctp_conntrack cur_state,
203 int chunk_type)
204 {
205 int i;
206
207 pr_debug("Chunk type: %d\n", chunk_type);
208
209 switch (chunk_type) {
210 case SCTP_CID_INIT:
211 pr_debug("SCTP_CID_INIT\n");
212 i = 0;
213 break;
214 case SCTP_CID_INIT_ACK:
215 pr_debug("SCTP_CID_INIT_ACK\n");
216 i = 1;
217 break;
218 case SCTP_CID_ABORT:
219 pr_debug("SCTP_CID_ABORT\n");
220 i = 2;
221 break;
222 case SCTP_CID_SHUTDOWN:
223 pr_debug("SCTP_CID_SHUTDOWN\n");
224 i = 3;
225 break;
226 case SCTP_CID_SHUTDOWN_ACK:
227 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
228 i = 4;
229 break;
230 case SCTP_CID_ERROR:
231 pr_debug("SCTP_CID_ERROR\n");
232 i = 5;
233 break;
234 case SCTP_CID_COOKIE_ECHO:
235 pr_debug("SCTP_CID_COOKIE_ECHO\n");
236 i = 6;
237 break;
238 case SCTP_CID_COOKIE_ACK:
239 pr_debug("SCTP_CID_COOKIE_ACK\n");
240 i = 7;
241 break;
242 case SCTP_CID_SHUTDOWN_COMPLETE:
243 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
244 i = 8;
245 break;
246 case SCTP_CID_HEARTBEAT:
247 pr_debug("SCTP_CID_HEARTBEAT");
248 i = 9;
249 break;
250 case SCTP_CID_HEARTBEAT_ACK:
251 pr_debug("SCTP_CID_HEARTBEAT_ACK");
252 i = 10;
253 break;
254 default:
255 /* Other chunks like DATA or SACK do not change the state */
256 pr_debug("Unknown chunk type, Will stay in %s\n",
257 sctp_conntrack_names[cur_state]);
258 return cur_state;
259 }
260
261 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
262 dir, sctp_conntrack_names[cur_state], chunk_type,
263 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
264
265 return sctp_conntracks[dir][i][cur_state];
266 }
267
268 /* Don't need lock here: this conntrack not in circulation yet */
269 static noinline bool
270 sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
271 const struct sctphdr *sh, unsigned int dataoff)
272 {
273 enum sctp_conntrack new_state;
274 const struct sctp_chunkhdr *sch;
275 struct sctp_chunkhdr _sch;
276 u32 offset, count;
277
278 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
279 new_state = SCTP_CONNTRACK_MAX;
280 for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) {
281 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
282 SCTP_CONNTRACK_NONE, sch->type);
283
284 /* Invalid: delete conntrack */
285 if (new_state == SCTP_CONNTRACK_NONE ||
286 new_state == SCTP_CONNTRACK_MAX) {
287 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
288 return false;
289 }
290
291 /* Copy the vtag into the state info */
292 if (sch->type == SCTP_CID_INIT) {
293 struct sctp_inithdr _inithdr, *ih;
294 /* Sec 8.5.1 (A) */
295 if (sh->vtag)
296 return false;
297
298 ih = skb_header_pointer(skb, offset + sizeof(_sch),
299 sizeof(_inithdr), &_inithdr);
300 if (!ih)
301 return false;
302
303 pr_debug("Setting vtag %x for new conn\n",
304 ih->init_tag);
305
306 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
307 } else if (sch->type == SCTP_CID_HEARTBEAT) {
308 pr_debug("Setting vtag %x for secondary conntrack\n",
309 sh->vtag);
310 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
311 } else {
312 /* If it is a shutdown ack OOTB packet, we expect a return
313 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
314 pr_debug("Setting vtag %x for new conn OOTB\n",
315 sh->vtag);
316 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
317 }
318
319 ct->proto.sctp.state = new_state;
320 }
321
322 return true;
323 }
324
325 static bool sctp_error(struct sk_buff *skb,
326 unsigned int dataoff,
327 const struct nf_hook_state *state)
328 {
329 const struct sctphdr *sh;
330 const char *logmsg;
331
332 if (skb->len < dataoff + sizeof(struct sctphdr)) {
333 logmsg = "nf_ct_sctp: short packet ";
334 goto out_invalid;
335 }
336 if (state->hook == NF_INET_PRE_ROUTING &&
337 state->net->ct.sysctl_checksum &&
338 skb->ip_summed == CHECKSUM_NONE) {
339 if (!skb_make_writable(skb, dataoff + sizeof(struct sctphdr))) {
340 logmsg = "nf_ct_sctp: failed to read header ";
341 goto out_invalid;
342 }
343 sh = (const struct sctphdr *)(skb->data + dataoff);
344 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
345 logmsg = "nf_ct_sctp: bad CRC ";
346 goto out_invalid;
347 }
348 skb->ip_summed = CHECKSUM_UNNECESSARY;
349 }
350 return false;
351 out_invalid:
352 nf_l4proto_log_invalid(skb, state->net, state->pf, IPPROTO_SCTP, "%s", logmsg);
353 return true;
354 }
355
356 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
357 int nf_conntrack_sctp_packet(struct nf_conn *ct,
358 struct sk_buff *skb,
359 unsigned int dataoff,
360 enum ip_conntrack_info ctinfo,
361 const struct nf_hook_state *state)
362 {
363 enum sctp_conntrack new_state, old_state;
364 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
365 const struct sctphdr *sh;
366 struct sctphdr _sctph;
367 const struct sctp_chunkhdr *sch;
368 struct sctp_chunkhdr _sch;
369 u_int32_t offset, count;
370 unsigned int *timeouts;
371 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
372
373 if (sctp_error(skb, dataoff, state))
374 return -NF_ACCEPT;
375
376 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
377 if (sh == NULL)
378 goto out;
379
380 if (do_basic_checks(ct, skb, dataoff, map) != 0)
381 goto out;
382
383 if (!nf_ct_is_confirmed(ct)) {
384 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
385 if (test_bit(SCTP_CID_ABORT, map) ||
386 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
387 test_bit(SCTP_CID_COOKIE_ACK, map))
388 return -NF_ACCEPT;
389
390 if (!sctp_new(ct, skb, sh, dataoff))
391 return -NF_ACCEPT;
392 }
393
394 /* Check the verification tag (Sec 8.5) */
395 if (!test_bit(SCTP_CID_INIT, map) &&
396 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
397 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
398 !test_bit(SCTP_CID_ABORT, map) &&
399 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
400 !test_bit(SCTP_CID_HEARTBEAT, map) &&
401 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
402 sh->vtag != ct->proto.sctp.vtag[dir]) {
403 pr_debug("Verification tag check failed\n");
404 goto out;
405 }
406
407 old_state = new_state = SCTP_CONNTRACK_NONE;
408 spin_lock_bh(&ct->lock);
409 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
410 /* Special cases of Verification tag check (Sec 8.5.1) */
411 if (sch->type == SCTP_CID_INIT) {
412 /* Sec 8.5.1 (A) */
413 if (sh->vtag != 0)
414 goto out_unlock;
415 } else if (sch->type == SCTP_CID_ABORT) {
416 /* Sec 8.5.1 (B) */
417 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
418 sh->vtag != ct->proto.sctp.vtag[!dir])
419 goto out_unlock;
420 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
421 /* Sec 8.5.1 (C) */
422 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
423 sh->vtag != ct->proto.sctp.vtag[!dir] &&
424 sch->flags & SCTP_CHUNK_FLAG_T)
425 goto out_unlock;
426 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
427 /* Sec 8.5.1 (D) */
428 if (sh->vtag != ct->proto.sctp.vtag[dir])
429 goto out_unlock;
430 } else if (sch->type == SCTP_CID_HEARTBEAT ||
431 sch->type == SCTP_CID_HEARTBEAT_ACK) {
432 if (ct->proto.sctp.vtag[dir] == 0) {
433 pr_debug("Setting vtag %x for dir %d\n",
434 sh->vtag, dir);
435 ct->proto.sctp.vtag[dir] = sh->vtag;
436 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
437 pr_debug("Verification tag check failed\n");
438 goto out_unlock;
439 }
440 }
441
442 old_state = ct->proto.sctp.state;
443 new_state = sctp_new_state(dir, old_state, sch->type);
444
445 /* Invalid */
446 if (new_state == SCTP_CONNTRACK_MAX) {
447 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
448 "conntrack=%u\n",
449 dir, sch->type, old_state);
450 goto out_unlock;
451 }
452
453 /* If it is an INIT or an INIT ACK note down the vtag */
454 if (sch->type == SCTP_CID_INIT ||
455 sch->type == SCTP_CID_INIT_ACK) {
456 struct sctp_inithdr _inithdr, *ih;
457
458 ih = skb_header_pointer(skb, offset + sizeof(_sch),
459 sizeof(_inithdr), &_inithdr);
460 if (ih == NULL)
461 goto out_unlock;
462 pr_debug("Setting vtag %x for dir %d\n",
463 ih->init_tag, !dir);
464 ct->proto.sctp.vtag[!dir] = ih->init_tag;
465 }
466
467 ct->proto.sctp.state = new_state;
468 if (old_state != new_state)
469 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
470 }
471 spin_unlock_bh(&ct->lock);
472
473 timeouts = nf_ct_timeout_lookup(ct);
474 if (!timeouts)
475 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts;
476
477 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
478
479 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
480 dir == IP_CT_DIR_REPLY &&
481 new_state == SCTP_CONNTRACK_ESTABLISHED) {
482 pr_debug("Setting assured bit\n");
483 set_bit(IPS_ASSURED_BIT, &ct->status);
484 nf_conntrack_event_cache(IPCT_ASSURED, ct);
485 }
486
487 return NF_ACCEPT;
488
489 out_unlock:
490 spin_unlock_bh(&ct->lock);
491 out:
492 return -NF_ACCEPT;
493 }
494
495 static bool sctp_can_early_drop(const struct nf_conn *ct)
496 {
497 switch (ct->proto.sctp.state) {
498 case SCTP_CONNTRACK_SHUTDOWN_SENT:
499 case SCTP_CONNTRACK_SHUTDOWN_RECD:
500 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
501 return true;
502 default:
503 break;
504 }
505
506 return false;
507 }
508
509 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
510
511 #include <linux/netfilter/nfnetlink.h>
512 #include <linux/netfilter/nfnetlink_conntrack.h>
513
514 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
515 struct nf_conn *ct)
516 {
517 struct nlattr *nest_parms;
518
519 spin_lock_bh(&ct->lock);
520 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP);
521 if (!nest_parms)
522 goto nla_put_failure;
523
524 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
525 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
526 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
527 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
528 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
529 goto nla_put_failure;
530
531 spin_unlock_bh(&ct->lock);
532
533 nla_nest_end(skb, nest_parms);
534
535 return 0;
536
537 nla_put_failure:
538 spin_unlock_bh(&ct->lock);
539 return -1;
540 }
541
542 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
543 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
544 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
545 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
546 };
547
548 #define SCTP_NLATTR_SIZE ( \
549 NLA_ALIGN(NLA_HDRLEN + 1) + \
550 NLA_ALIGN(NLA_HDRLEN + 4) + \
551 NLA_ALIGN(NLA_HDRLEN + 4))
552
553 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
554 {
555 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
556 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
557 int err;
558
559 /* updates may not contain the internal protocol info, skip parsing */
560 if (!attr)
561 return 0;
562
563 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr,
564 sctp_nla_policy, NULL);
565 if (err < 0)
566 return err;
567
568 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
569 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
570 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
571 return -EINVAL;
572
573 spin_lock_bh(&ct->lock);
574 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
575 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
576 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
577 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
578 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
579 spin_unlock_bh(&ct->lock);
580
581 return 0;
582 }
583 #endif
584
585 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
586
587 #include <linux/netfilter/nfnetlink.h>
588 #include <linux/netfilter/nfnetlink_cttimeout.h>
589
590 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
591 struct net *net, void *data)
592 {
593 unsigned int *timeouts = data;
594 struct nf_sctp_net *sn = nf_sctp_pernet(net);
595 int i;
596
597 /* set default SCTP timeouts. */
598 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
599 timeouts[i] = sn->timeouts[i];
600
601 /* there's a 1:1 mapping between attributes and protocol states. */
602 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
603 if (tb[i]) {
604 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
605 }
606 }
607
608 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED];
609 return 0;
610 }
611
612 static int
613 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
614 {
615 const unsigned int *timeouts = data;
616 int i;
617
618 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
619 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
620 goto nla_put_failure;
621 }
622 return 0;
623
624 nla_put_failure:
625 return -ENOSPC;
626 }
627
628 static const struct nla_policy
629 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
630 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
631 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
632 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
633 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
634 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
635 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
636 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
637 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
638 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
639 };
640 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
641
642 void nf_conntrack_sctp_init_net(struct net *net)
643 {
644 struct nf_sctp_net *sn = nf_sctp_pernet(net);
645 int i;
646
647 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
648 sn->timeouts[i] = sctp_timeouts[i];
649
650 /* timeouts[0] is unused, init it so ->timeouts[0] contains
651 * 'new' timeout, like udp or icmp.
652 */
653 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
654 }
655
656 const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = {
657 .l4proto = IPPROTO_SCTP,
658 #ifdef CONFIG_NF_CONNTRACK_PROCFS
659 .print_conntrack = sctp_print_conntrack,
660 #endif
661 .can_early_drop = sctp_can_early_drop,
662 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
663 .nlattr_size = SCTP_NLATTR_SIZE,
664 .to_nlattr = sctp_to_nlattr,
665 .from_nlattr = nlattr_to_sctp,
666 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
667 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
668 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
669 .nla_policy = nf_ct_port_nla_policy,
670 #endif
671 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
672 .ctnl_timeout = {
673 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
674 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
675 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
676 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
677 .nla_policy = sctp_timeout_nla_policy,
678 },
679 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
680 };
681
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.