1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Connection tracking protocol helper module for SCTP. 4 * 5 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com> 6 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net> 7 * 8 * SCTP is defined in RFC 2960. References to various sections in this code 9 * are to this RFC. 10 */ 11 12 #include <linux/types.h> 13 #include <linux/timer.h> 14 #include <linux/netfilter.h> 15 #include <linux/in.h> 16 #include <linux/ip.h> 17 #include <linux/sctp.h> 18 #include <linux/string.h> 19 #include <linux/seq_file.h> 20 #include <linux/spinlock.h> 21 #include <linux/interrupt.h> 22 #include <net/sctp/checksum.h> 23 24 #include <net/netfilter/nf_log.h> 25 #include <net/netfilter/nf_conntrack.h> 26 #include <net/netfilter/nf_conntrack_l4proto.h> 27 #include <net/netfilter/nf_conntrack_ecache.h> 28 #include <net/netfilter/nf_conntrack_timeout.h> 29 30 static const char *const sctp_conntrack_names[] = { 31 [SCTP_CONNTRACK_NONE] = "NONE", 32 [SCTP_CONNTRACK_CLOSED] = "CLOSED", 33 [SCTP_CONNTRACK_COOKIE_WAIT] = "COOKIE_WAIT", 34 [SCTP_CONNTRACK_COOKIE_ECHOED] = "COOKIE_ECHOED", 35 [SCTP_CONNTRACK_ESTABLISHED] = "ESTABLISHED", 36 [SCTP_CONNTRACK_SHUTDOWN_SENT] = "SHUTDOWN_SENT", 37 [SCTP_CONNTRACK_SHUTDOWN_RECD] = "SHUTDOWN_RECD", 38 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = "SHUTDOWN_ACK_SENT", 39 [SCTP_CONNTRACK_HEARTBEAT_SENT] = "HEARTBEAT_SENT", 40 }; 41 42 #define SECS * HZ 43 #define MINS * 60 SECS 44 #define HOURS * 60 MINS 45 #define DAYS * 24 HOURS 46 47 static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = { 48 [SCTP_CONNTRACK_CLOSED] = 10 SECS, 49 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS, 50 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS, 51 [SCTP_CONNTRACK_ESTABLISHED] = 210 SECS, 52 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 3 SECS, 53 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 3 SECS, 54 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS, 55 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS, 56 }; 57 58 #define SCTP_FLAG_HEARTBEAT_VTAG_FAILED 1 59 60 #define sNO SCTP_CONNTRACK_NONE 61 #define sCL SCTP_CONNTRACK_CLOSED 62 #define sCW SCTP_CONNTRACK_COOKIE_WAIT 63 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED 64 #define sES SCTP_CONNTRACK_ESTABLISHED 65 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT 66 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD 67 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT 68 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT 69 #define sIV SCTP_CONNTRACK_MAX 70 71 /* 72 These are the descriptions of the states: 73 74 NOTE: These state names are tantalizingly similar to the states of an 75 SCTP endpoint. But the interpretation of the states is a little different, 76 considering that these are the states of the connection and not of an end 77 point. Please note the subtleties. -Kiran 78 79 NONE - Nothing so far. 80 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also 81 an INIT_ACK chunk in the reply direction. 82 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. 83 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. 84 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. 85 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply direction. 86 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite 87 to that of the SHUTDOWN chunk. 88 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of 89 the SHUTDOWN chunk. Connection is closed. 90 HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow. 91 */ 92 93 /* TODO 94 - I have assumed that the first INIT is in the original direction. 95 This messes things when an INIT comes in the reply direction in CLOSED 96 state. 97 - Check the error type in the reply dir before transitioning from 98 cookie echoed to closed. 99 - Sec 5.2.4 of RFC 2960 100 - Full Multi Homing support. 101 */ 102 103 /* SCTP conntrack state transitions */ 104 static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = { 105 { 106 /* ORIGINAL */ 107 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS */ 108 /* init */ {sCL, sCL, sCW, sCE, sES, sCL, sCL, sSA, sCW}, 109 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL}, 110 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, 111 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL}, 112 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA}, 113 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},/* Can't have Stale cookie*/ 114 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL},/* 5.2.4 - Big TODO */ 115 /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},/* Can't come in orig dir */ 116 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL}, 117 /* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS}, 118 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS}, 119 }, 120 { 121 /* REPLY */ 122 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS */ 123 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV},/* INIT in sCL Big TODO */ 124 /* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV}, 125 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV}, 126 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV}, 127 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV}, 128 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV}, 129 /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV},/* Can't come in reply dir */ 130 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV}, 131 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV}, 132 /* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS}, 133 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sES}, 134 } 135 }; 136 137 #ifdef CONFIG_NF_CONNTRACK_PROCFS 138 /* Print out the private part of the conntrack. */ 139 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) 140 { 141 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]); 142 } 143 #endif 144 145 /* do_basic_checks ensures sch->length > 0, do not use before */ 146 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ 147 for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ 148 (offset) < (skb)->len && \ 149 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ 150 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) 151 152 /* Some validity checks to make sure the chunks are fine */ 153 static int do_basic_checks(struct nf_conn *ct, 154 const struct sk_buff *skb, 155 unsigned int dataoff, 156 unsigned long *map, 157 const struct nf_hook_state *state) 158 { 159 u_int32_t offset, count; 160 struct sctp_chunkhdr _sch, *sch; 161 int flag; 162 163 flag = 0; 164 165 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 166 if (sch->type == SCTP_CID_INIT || 167 sch->type == SCTP_CID_INIT_ACK || 168 sch->type == SCTP_CID_SHUTDOWN_COMPLETE) 169 flag = 1; 170 171 /* 172 * Cookie Ack/Echo chunks not the first OR 173 * Init / Init Ack / Shutdown compl chunks not the only chunks 174 * OR zero-length. 175 */ 176 if (((sch->type == SCTP_CID_COOKIE_ACK || 177 sch->type == SCTP_CID_COOKIE_ECHO || 178 flag) && 179 count != 0) || !sch->length) { 180 nf_ct_l4proto_log_invalid(skb, ct, state, 181 "%s failed. chunk num %d, type %d, len %d flag %d\n", 182 __func__, count, sch->type, sch->length, flag); 183 return 1; 184 } 185 186 if (map) 187 set_bit(sch->type, map); 188 } 189 190 return count == 0; 191 } 192 193 static int sctp_new_state(enum ip_conntrack_dir dir, 194 enum sctp_conntrack cur_state, 195 int chunk_type) 196 { 197 int i; 198 199 switch (chunk_type) { 200 case SCTP_CID_INIT: 201 i = 0; 202 break; 203 case SCTP_CID_INIT_ACK: 204 i = 1; 205 break; 206 case SCTP_CID_ABORT: 207 i = 2; 208 break; 209 case SCTP_CID_SHUTDOWN: 210 i = 3; 211 break; 212 case SCTP_CID_SHUTDOWN_ACK: 213 i = 4; 214 break; 215 case SCTP_CID_ERROR: 216 i = 5; 217 break; 218 case SCTP_CID_COOKIE_ECHO: 219 i = 6; 220 break; 221 case SCTP_CID_COOKIE_ACK: 222 i = 7; 223 break; 224 case SCTP_CID_SHUTDOWN_COMPLETE: 225 i = 8; 226 break; 227 case SCTP_CID_HEARTBEAT: 228 i = 9; 229 break; 230 case SCTP_CID_HEARTBEAT_ACK: 231 i = 10; 232 break; 233 default: 234 /* Other chunks like DATA or SACK do not change the state */ 235 pr_debug("Unknown chunk type %d, Will stay in %s\n", 236 chunk_type, sctp_conntrack_names[cur_state]); 237 return cur_state; 238 } 239 240 return sctp_conntracks[dir][i][cur_state]; 241 } 242 243 /* Don't need lock here: this conntrack not in circulation yet */ 244 static noinline bool 245 sctp_new(struct nf_conn *ct, const struct sk_buff *skb, 246 const struct sctphdr *sh, unsigned int dataoff) 247 { 248 enum sctp_conntrack new_state; 249 const struct sctp_chunkhdr *sch; 250 struct sctp_chunkhdr _sch; 251 u32 offset, count; 252 253 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp)); 254 new_state = SCTP_CONNTRACK_MAX; 255 for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) { 256 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL, 257 SCTP_CONNTRACK_NONE, sch->type); 258 259 /* Invalid: delete conntrack */ 260 if (new_state == SCTP_CONNTRACK_NONE || 261 new_state == SCTP_CONNTRACK_MAX) { 262 pr_debug("nf_conntrack_sctp: invalid new deleting.\n"); 263 return false; 264 } 265 266 /* Copy the vtag into the state info */ 267 if (sch->type == SCTP_CID_INIT) { 268 struct sctp_inithdr _inithdr, *ih; 269 /* Sec 8.5.1 (A) */ 270 if (sh->vtag) 271 return false; 272 273 ih = skb_header_pointer(skb, offset + sizeof(_sch), 274 sizeof(_inithdr), &_inithdr); 275 if (!ih) 276 return false; 277 278 pr_debug("Setting vtag %x for new conn\n", 279 ih->init_tag); 280 281 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag; 282 } else if (sch->type == SCTP_CID_HEARTBEAT) { 283 pr_debug("Setting vtag %x for secondary conntrack\n", 284 sh->vtag); 285 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag; 286 } else { 287 /* If it is a shutdown ack OOTB packet, we expect a return 288 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ 289 pr_debug("Setting vtag %x for new conn OOTB\n", 290 sh->vtag); 291 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; 292 } 293 294 ct->proto.sctp.state = SCTP_CONNTRACK_NONE; 295 } 296 297 return true; 298 } 299 300 static bool sctp_error(struct sk_buff *skb, 301 unsigned int dataoff, 302 const struct nf_hook_state *state) 303 { 304 const struct sctphdr *sh; 305 const char *logmsg; 306 307 if (skb->len < dataoff + sizeof(struct sctphdr)) { 308 logmsg = "nf_ct_sctp: short packet "; 309 goto out_invalid; 310 } 311 if (state->hook == NF_INET_PRE_ROUTING && 312 state->net->ct.sysctl_checksum && 313 skb->ip_summed == CHECKSUM_NONE) { 314 if (skb_ensure_writable(skb, dataoff + sizeof(*sh))) { 315 logmsg = "nf_ct_sctp: failed to read header "; 316 goto out_invalid; 317 } 318 sh = (const struct sctphdr *)(skb->data + dataoff); 319 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) { 320 logmsg = "nf_ct_sctp: bad CRC "; 321 goto out_invalid; 322 } 323 skb->ip_summed = CHECKSUM_UNNECESSARY; 324 } 325 return false; 326 out_invalid: 327 nf_l4proto_log_invalid(skb, state, IPPROTO_SCTP, "%s", logmsg); 328 return true; 329 } 330 331 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */ 332 int nf_conntrack_sctp_packet(struct nf_conn *ct, 333 struct sk_buff *skb, 334 unsigned int dataoff, 335 enum ip_conntrack_info ctinfo, 336 const struct nf_hook_state *state) 337 { 338 enum sctp_conntrack new_state, old_state; 339 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 340 const struct sctphdr *sh; 341 struct sctphdr _sctph; 342 const struct sctp_chunkhdr *sch; 343 struct sctp_chunkhdr _sch; 344 u_int32_t offset, count; 345 unsigned int *timeouts; 346 unsigned long map[256 / sizeof(unsigned long)] = { 0 }; 347 bool ignore = false; 348 349 if (sctp_error(skb, dataoff, state)) 350 return -NF_ACCEPT; 351 352 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); 353 if (sh == NULL) 354 goto out; 355 356 if (do_basic_checks(ct, skb, dataoff, map, state) != 0) 357 goto out; 358 359 if (!nf_ct_is_confirmed(ct)) { 360 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */ 361 if (test_bit(SCTP_CID_ABORT, map) || 362 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) || 363 test_bit(SCTP_CID_COOKIE_ACK, map)) 364 return -NF_ACCEPT; 365 366 if (!sctp_new(ct, skb, sh, dataoff)) 367 return -NF_ACCEPT; 368 } 369 370 /* Check the verification tag (Sec 8.5) */ 371 if (!test_bit(SCTP_CID_INIT, map) && 372 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) && 373 !test_bit(SCTP_CID_COOKIE_ECHO, map) && 374 !test_bit(SCTP_CID_ABORT, map) && 375 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) && 376 !test_bit(SCTP_CID_HEARTBEAT, map) && 377 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) && 378 sh->vtag != ct->proto.sctp.vtag[dir]) { 379 nf_ct_l4proto_log_invalid(skb, ct, state, 380 "verification tag check failed %x vs %x for dir %d", 381 sh->vtag, ct->proto.sctp.vtag[dir], dir); 382 goto out; 383 } 384 385 old_state = new_state = SCTP_CONNTRACK_NONE; 386 spin_lock_bh(&ct->lock); 387 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 388 /* Special cases of Verification tag check (Sec 8.5.1) */ 389 if (sch->type == SCTP_CID_INIT) { 390 /* (A) vtag MUST be zero */ 391 if (sh->vtag != 0) 392 goto out_unlock; 393 } else if (sch->type == SCTP_CID_ABORT) { 394 /* (B) vtag MUST match own vtag if T flag is unset OR 395 * MUST match peer's vtag if T flag is set 396 */ 397 if ((!(sch->flags & SCTP_CHUNK_FLAG_T) && 398 sh->vtag != ct->proto.sctp.vtag[dir]) || 399 ((sch->flags & SCTP_CHUNK_FLAG_T) && 400 sh->vtag != ct->proto.sctp.vtag[!dir])) 401 goto out_unlock; 402 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { 403 /* (C) vtag MUST match own vtag if T flag is unset OR 404 * MUST match peer's vtag if T flag is set 405 */ 406 if ((!(sch->flags & SCTP_CHUNK_FLAG_T) && 407 sh->vtag != ct->proto.sctp.vtag[dir]) || 408 ((sch->flags & SCTP_CHUNK_FLAG_T) && 409 sh->vtag != ct->proto.sctp.vtag[!dir])) 410 goto out_unlock; 411 } else if (sch->type == SCTP_CID_COOKIE_ECHO) { 412 /* (D) vtag must be same as init_vtag as found in INIT_ACK */ 413 if (sh->vtag != ct->proto.sctp.vtag[dir]) 414 goto out_unlock; 415 } else if (sch->type == SCTP_CID_HEARTBEAT) { 416 if (ct->proto.sctp.vtag[dir] == 0) { 417 pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir); 418 ct->proto.sctp.vtag[dir] = sh->vtag; 419 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { 420 if (test_bit(SCTP_CID_DATA, map) || ignore) 421 goto out_unlock; 422 423 ct->proto.sctp.flags |= SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 424 ct->proto.sctp.last_dir = dir; 425 ignore = true; 426 continue; 427 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { 428 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 429 } 430 } else if (sch->type == SCTP_CID_HEARTBEAT_ACK) { 431 if (ct->proto.sctp.vtag[dir] == 0) { 432 pr_debug("Setting vtag %x for dir %d\n", 433 sh->vtag, dir); 434 ct->proto.sctp.vtag[dir] = sh->vtag; 435 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { 436 if (test_bit(SCTP_CID_DATA, map) || ignore) 437 goto out_unlock; 438 439 if ((ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) == 0 || 440 ct->proto.sctp.last_dir == dir) 441 goto out_unlock; 442 443 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 444 ct->proto.sctp.vtag[dir] = sh->vtag; 445 ct->proto.sctp.vtag[!dir] = 0; 446 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { 447 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 448 } 449 } 450 451 old_state = ct->proto.sctp.state; 452 new_state = sctp_new_state(dir, old_state, sch->type); 453 454 /* Invalid */ 455 if (new_state == SCTP_CONNTRACK_MAX) { 456 nf_ct_l4proto_log_invalid(skb, ct, state, 457 "Invalid, old_state %d, dir %d, type %d", 458 old_state, dir, sch->type); 459 460 goto out_unlock; 461 } 462 463 /* If it is an INIT or an INIT ACK note down the vtag */ 464 if (sch->type == SCTP_CID_INIT || 465 sch->type == SCTP_CID_INIT_ACK) { 466 struct sctp_inithdr _inithdr, *ih; 467 468 ih = skb_header_pointer(skb, offset + sizeof(_sch), 469 sizeof(_inithdr), &_inithdr); 470 if (ih == NULL) 471 goto out_unlock; 472 pr_debug("Setting vtag %x for dir %d\n", 473 ih->init_tag, !dir); 474 ct->proto.sctp.vtag[!dir] = ih->init_tag; 475 476 /* don't renew timeout on init retransmit so 477 * port reuse by client or NAT middlebox cannot 478 * keep entry alive indefinitely (incl. nat info). 479 */ 480 if (new_state == SCTP_CONNTRACK_CLOSED && 481 old_state == SCTP_CONNTRACK_CLOSED && 482 nf_ct_is_confirmed(ct)) 483 ignore = true; 484 } 485 486 ct->proto.sctp.state = new_state; 487 if (old_state != new_state) { 488 nf_conntrack_event_cache(IPCT_PROTOINFO, ct); 489 if (new_state == SCTP_CONNTRACK_ESTABLISHED && 490 !test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) 491 nf_conntrack_event_cache(IPCT_ASSURED, ct); 492 } 493 } 494 spin_unlock_bh(&ct->lock); 495 496 /* allow but do not refresh timeout */ 497 if (ignore) 498 return NF_ACCEPT; 499 500 timeouts = nf_ct_timeout_lookup(ct); 501 if (!timeouts) 502 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts; 503 504 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]); 505 506 return NF_ACCEPT; 507 508 out_unlock: 509 spin_unlock_bh(&ct->lock); 510 out: 511 return -NF_ACCEPT; 512 } 513 514 static bool sctp_can_early_drop(const struct nf_conn *ct) 515 { 516 switch (ct->proto.sctp.state) { 517 case SCTP_CONNTRACK_SHUTDOWN_SENT: 518 case SCTP_CONNTRACK_SHUTDOWN_RECD: 519 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT: 520 return true; 521 default: 522 break; 523 } 524 525 return false; 526 } 527 528 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 529 530 #include <linux/netfilter/nfnetlink.h> 531 #include <linux/netfilter/nfnetlink_conntrack.h> 532 533 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, 534 struct nf_conn *ct, bool destroy) 535 { 536 struct nlattr *nest_parms; 537 538 spin_lock_bh(&ct->lock); 539 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP); 540 if (!nest_parms) 541 goto nla_put_failure; 542 543 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state)) 544 goto nla_put_failure; 545 546 if (destroy) 547 goto skip_state; 548 549 if (nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL, 550 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) || 551 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY, 552 ct->proto.sctp.vtag[IP_CT_DIR_REPLY])) 553 goto nla_put_failure; 554 555 skip_state: 556 spin_unlock_bh(&ct->lock); 557 nla_nest_end(skb, nest_parms); 558 559 return 0; 560 561 nla_put_failure: 562 spin_unlock_bh(&ct->lock); 563 return -1; 564 } 565 566 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = { 567 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 }, 568 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 }, 569 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 }, 570 }; 571 572 #define SCTP_NLATTR_SIZE ( \ 573 NLA_ALIGN(NLA_HDRLEN + 1) + \ 574 NLA_ALIGN(NLA_HDRLEN + 4) + \ 575 NLA_ALIGN(NLA_HDRLEN + 4)) 576 577 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct) 578 { 579 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP]; 580 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1]; 581 int err; 582 583 /* updates may not contain the internal protocol info, skip parsing */ 584 if (!attr) 585 return 0; 586 587 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr, 588 sctp_nla_policy, NULL); 589 if (err < 0) 590 return err; 591 592 if (!tb[CTA_PROTOINFO_SCTP_STATE] || 593 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] || 594 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]) 595 return -EINVAL; 596 597 spin_lock_bh(&ct->lock); 598 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]); 599 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = 600 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]); 601 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = 602 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]); 603 spin_unlock_bh(&ct->lock); 604 605 return 0; 606 } 607 #endif 608 609 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 610 611 #include <linux/netfilter/nfnetlink.h> 612 #include <linux/netfilter/nfnetlink_cttimeout.h> 613 614 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], 615 struct net *net, void *data) 616 { 617 unsigned int *timeouts = data; 618 struct nf_sctp_net *sn = nf_sctp_pernet(net); 619 int i; 620 621 if (!timeouts) 622 timeouts = sn->timeouts; 623 624 /* set default SCTP timeouts. */ 625 for (i=0; i<SCTP_CONNTRACK_MAX; i++) 626 timeouts[i] = sn->timeouts[i]; 627 628 /* there's a 1:1 mapping between attributes and protocol states. */ 629 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { 630 if (tb[i]) { 631 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ; 632 } 633 } 634 635 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED]; 636 return 0; 637 } 638 639 static int 640 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data) 641 { 642 const unsigned int *timeouts = data; 643 int i; 644 645 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { 646 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ))) 647 goto nla_put_failure; 648 } 649 return 0; 650 651 nla_put_failure: 652 return -ENOSPC; 653 } 654 655 static const struct nla_policy 656 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = { 657 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 }, 658 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 }, 659 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 }, 660 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 }, 661 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 }, 662 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 }, 663 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 }, 664 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 }, 665 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 }, 666 }; 667 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 668 669 void nf_conntrack_sctp_init_net(struct net *net) 670 { 671 struct nf_sctp_net *sn = nf_sctp_pernet(net); 672 int i; 673 674 for (i = 0; i < SCTP_CONNTRACK_MAX; i++) 675 sn->timeouts[i] = sctp_timeouts[i]; 676 677 /* timeouts[0] is unused, init it so ->timeouts[0] contains 678 * 'new' timeout, like udp or icmp. 679 */ 680 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED]; 681 } 682 683 const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = { 684 .l4proto = IPPROTO_SCTP, 685 #ifdef CONFIG_NF_CONNTRACK_PROCFS 686 .print_conntrack = sctp_print_conntrack, 687 #endif 688 .can_early_drop = sctp_can_early_drop, 689 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 690 .nlattr_size = SCTP_NLATTR_SIZE, 691 .to_nlattr = sctp_to_nlattr, 692 .from_nlattr = nlattr_to_sctp, 693 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 694 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 695 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 696 .nla_policy = nf_ct_port_nla_policy, 697 #endif 698 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 699 .ctnl_timeout = { 700 .nlattr_to_obj = sctp_timeout_nlattr_to_obj, 701 .obj_to_nlattr = sctp_timeout_obj_to_nlattr, 702 .nlattr_max = CTA_TIMEOUT_SCTP_MAX, 703 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX, 704 .nla_policy = sctp_timeout_nla_policy, 705 }, 706 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 707 }; 708