1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Connection tracking protocol helper module for SCTP. 4 * 5 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com> 6 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net> 7 * 8 * SCTP is defined in RFC 2960. References to various sections in this code 9 * are to this RFC. 10 */ 11 12 #include <linux/types.h> 13 #include <linux/timer.h> 14 #include <linux/netfilter.h> 15 #include <linux/in.h> 16 #include <linux/ip.h> 17 #include <linux/sctp.h> 18 #include <linux/string.h> 19 #include <linux/seq_file.h> 20 #include <linux/spinlock.h> 21 #include <linux/interrupt.h> 22 #include <net/sctp/checksum.h> 23 24 #include <net/netfilter/nf_log.h> 25 #include <net/netfilter/nf_conntrack.h> 26 #include <net/netfilter/nf_conntrack_l4proto.h> 27 #include <net/netfilter/nf_conntrack_ecache.h> 28 #include <net/netfilter/nf_conntrack_timeout.h> 29 30 static const char *const sctp_conntrack_names[] = { 31 [SCTP_CONNTRACK_NONE] = "NONE", 32 [SCTP_CONNTRACK_CLOSED] = "CLOSED", 33 [SCTP_CONNTRACK_COOKIE_WAIT] = "COOKIE_WAIT", 34 [SCTP_CONNTRACK_COOKIE_ECHOED] = "COOKIE_ECHOED", 35 [SCTP_CONNTRACK_ESTABLISHED] = "ESTABLISHED", 36 [SCTP_CONNTRACK_SHUTDOWN_SENT] = "SHUTDOWN_SENT", 37 [SCTP_CONNTRACK_SHUTDOWN_RECD] = "SHUTDOWN_RECD", 38 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = "SHUTDOWN_ACK_SENT", 39 [SCTP_CONNTRACK_HEARTBEAT_SENT] = "HEARTBEAT_SENT", 40 }; 41 42 static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = { 43 [SCTP_CONNTRACK_CLOSED] = secs_to_jiffies(10), 44 [SCTP_CONNTRACK_COOKIE_WAIT] = secs_to_jiffies(3), 45 [SCTP_CONNTRACK_COOKIE_ECHOED] = secs_to_jiffies(3), 46 [SCTP_CONNTRACK_ESTABLISHED] = secs_to_jiffies(210), 47 [SCTP_CONNTRACK_SHUTDOWN_SENT] = secs_to_jiffies(3), 48 [SCTP_CONNTRACK_SHUTDOWN_RECD] = secs_to_jiffies(3), 49 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = secs_to_jiffies(3), 50 [SCTP_CONNTRACK_HEARTBEAT_SENT] = secs_to_jiffies(30), 51 }; 52 53 #define SCTP_FLAG_HEARTBEAT_VTAG_FAILED 1 54 55 #define sNO SCTP_CONNTRACK_NONE 56 #define sCL SCTP_CONNTRACK_CLOSED 57 #define sCW SCTP_CONNTRACK_COOKIE_WAIT 58 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED 59 #define sES SCTP_CONNTRACK_ESTABLISHED 60 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT 61 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD 62 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT 63 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT 64 #define sIV SCTP_CONNTRACK_MAX 65 66 /* 67 These are the descriptions of the states: 68 69 NOTE: These state names are tantalizingly similar to the states of an 70 SCTP endpoint. But the interpretation of the states is a little different, 71 considering that these are the states of the connection and not of an end 72 point. Please note the subtleties. -Kiran 73 74 NONE - Nothing so far. 75 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also 76 an INIT_ACK chunk in the reply direction. 77 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. 78 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. 79 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. 80 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply direction. 81 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite 82 to that of the SHUTDOWN chunk. 83 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of 84 the SHUTDOWN chunk. Connection is closed. 85 HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow. 86 */ 87 88 /* TODO 89 - I have assumed that the first INIT is in the original direction. 90 This messes things when an INIT comes in the reply direction in CLOSED 91 state. 92 - Check the error type in the reply dir before transitioning from 93 cookie echoed to closed. 94 - Sec 5.2.4 of RFC 2960 95 - Full Multi Homing support. 96 */ 97 98 /* SCTP conntrack state transitions */ 99 static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = { 100 { 101 /* ORIGINAL */ 102 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS */ 103 /* init */ {sCL, sCL, sCW, sCE, sES, sCL, sCL, sSA, sCW}, 104 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL}, 105 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, 106 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL}, 107 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA}, 108 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},/* Can't have Stale cookie*/ 109 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL},/* 5.2.4 - Big TODO */ 110 /* cookie_ack */ {sCL, sCL, sCW, sES, sES, sSS, sSR, sSA, sCL},/* Can't come in orig dir */ 111 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL}, 112 /* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS}, 113 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS}, 114 }, 115 { 116 /* REPLY */ 117 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS */ 118 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV},/* INIT in sCL Big TODO */ 119 /* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV}, 120 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV}, 121 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV}, 122 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV}, 123 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV}, 124 /* cookie_echo */ {sIV, sCL, sCE, sCE, sES, sSS, sSR, sSA, sIV},/* Can't come in reply dir */ 125 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV}, 126 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV}, 127 /* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS}, 128 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sES}, 129 } 130 }; 131 132 #ifdef CONFIG_NF_CONNTRACK_PROCFS 133 /* Print out the private part of the conntrack. */ 134 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) 135 { 136 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]); 137 } 138 #endif 139 140 /* do_basic_checks ensures sch->length > 0, do not use before */ 141 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ 142 for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ 143 (offset) < (skb)->len && \ 144 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ 145 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) 146 147 /* Some validity checks to make sure the chunks are fine */ 148 static int do_basic_checks(struct nf_conn *ct, 149 const struct sk_buff *skb, 150 unsigned int dataoff, 151 unsigned long *map, 152 const struct nf_hook_state *state) 153 { 154 u_int32_t offset, count; 155 struct sctp_chunkhdr _sch, *sch; 156 int flag; 157 158 flag = 0; 159 160 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 161 if (sch->type == SCTP_CID_INIT || 162 sch->type == SCTP_CID_INIT_ACK || 163 sch->type == SCTP_CID_SHUTDOWN_COMPLETE) 164 flag = 1; 165 166 /* 167 * Cookie Ack/Echo chunks not the first OR 168 * Init / Init Ack / Shutdown compl chunks not the only chunks 169 * OR zero-length. 170 */ 171 if (((sch->type == SCTP_CID_COOKIE_ACK || 172 sch->type == SCTP_CID_COOKIE_ECHO || 173 flag) && 174 count != 0) || !sch->length) { 175 nf_ct_l4proto_log_invalid(skb, ct, state, 176 "%s failed. chunk num %d, type %d, len %d flag %d\n", 177 __func__, count, sch->type, sch->length, flag); 178 return 1; 179 } 180 181 if (map) 182 set_bit(sch->type, map); 183 } 184 185 return count == 0; 186 } 187 188 static int sctp_new_state(enum ip_conntrack_dir dir, 189 enum sctp_conntrack cur_state, 190 int chunk_type) 191 { 192 int i; 193 194 switch (chunk_type) { 195 case SCTP_CID_INIT: 196 i = 0; 197 break; 198 case SCTP_CID_INIT_ACK: 199 i = 1; 200 break; 201 case SCTP_CID_ABORT: 202 i = 2; 203 break; 204 case SCTP_CID_SHUTDOWN: 205 i = 3; 206 break; 207 case SCTP_CID_SHUTDOWN_ACK: 208 i = 4; 209 break; 210 case SCTP_CID_ERROR: 211 i = 5; 212 break; 213 case SCTP_CID_COOKIE_ECHO: 214 i = 6; 215 break; 216 case SCTP_CID_COOKIE_ACK: 217 i = 7; 218 break; 219 case SCTP_CID_SHUTDOWN_COMPLETE: 220 i = 8; 221 break; 222 case SCTP_CID_HEARTBEAT: 223 i = 9; 224 break; 225 case SCTP_CID_HEARTBEAT_ACK: 226 i = 10; 227 break; 228 default: 229 /* Other chunks like DATA or SACK do not change the state */ 230 pr_debug("Unknown chunk type %d, Will stay in %s\n", 231 chunk_type, sctp_conntrack_names[cur_state]); 232 return cur_state; 233 } 234 235 return sctp_conntracks[dir][i][cur_state]; 236 } 237 238 /* Don't need lock here: this conntrack not in circulation yet */ 239 static noinline bool 240 sctp_new(struct nf_conn *ct, const struct sk_buff *skb, 241 const struct sctphdr *sh, unsigned int dataoff) 242 { 243 enum sctp_conntrack new_state; 244 const struct sctp_chunkhdr *sch; 245 struct sctp_chunkhdr _sch; 246 u32 offset, count; 247 248 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp)); 249 new_state = SCTP_CONNTRACK_MAX; 250 for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) { 251 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL, 252 SCTP_CONNTRACK_NONE, sch->type); 253 254 /* Invalid: delete conntrack */ 255 if (new_state == SCTP_CONNTRACK_NONE || 256 new_state == SCTP_CONNTRACK_MAX) { 257 pr_debug("nf_conntrack_sctp: invalid new deleting.\n"); 258 return false; 259 } 260 261 /* Copy the vtag into the state info */ 262 if (sch->type == SCTP_CID_INIT) { 263 struct sctp_inithdr _inithdr, *ih; 264 /* Sec 8.5.1 (A) */ 265 if (sh->vtag) 266 return false; 267 268 ih = skb_header_pointer(skb, offset + sizeof(_sch), 269 sizeof(_inithdr), &_inithdr); 270 if (!ih) 271 return false; 272 273 pr_debug("Setting vtag %x for new conn\n", 274 ih->init_tag); 275 276 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag; 277 } else if (sch->type == SCTP_CID_HEARTBEAT) { 278 pr_debug("Setting vtag %x for secondary conntrack\n", 279 sh->vtag); 280 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag; 281 } else if (sch->type == SCTP_CID_SHUTDOWN_ACK) { 282 /* If it is a shutdown ack OOTB packet, we expect a return 283 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ 284 pr_debug("Setting vtag %x for new conn OOTB\n", 285 sh->vtag); 286 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; 287 } 288 289 ct->proto.sctp.state = SCTP_CONNTRACK_NONE; 290 } 291 292 return true; 293 } 294 295 static bool sctp_error(struct sk_buff *skb, 296 unsigned int dataoff, 297 const struct nf_hook_state *state) 298 { 299 const struct sctphdr *sh; 300 const char *logmsg; 301 302 if (skb->len < dataoff + sizeof(struct sctphdr)) { 303 logmsg = "nf_ct_sctp: short packet "; 304 goto out_invalid; 305 } 306 if (state->hook == NF_INET_PRE_ROUTING && 307 state->net->ct.sysctl_checksum && 308 skb->ip_summed == CHECKSUM_NONE) { 309 if (skb_ensure_writable(skb, dataoff + sizeof(*sh))) { 310 logmsg = "nf_ct_sctp: failed to read header "; 311 goto out_invalid; 312 } 313 sh = (const struct sctphdr *)(skb->data + dataoff); 314 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) { 315 logmsg = "nf_ct_sctp: bad CRC "; 316 goto out_invalid; 317 } 318 skb->ip_summed = CHECKSUM_UNNECESSARY; 319 } 320 return false; 321 out_invalid: 322 nf_l4proto_log_invalid(skb, state, IPPROTO_SCTP, "%s", logmsg); 323 return true; 324 } 325 326 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */ 327 int nf_conntrack_sctp_packet(struct nf_conn *ct, 328 struct sk_buff *skb, 329 unsigned int dataoff, 330 enum ip_conntrack_info ctinfo, 331 const struct nf_hook_state *state) 332 { 333 enum sctp_conntrack new_state, old_state; 334 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 335 const struct sctphdr *sh; 336 struct sctphdr _sctph; 337 const struct sctp_chunkhdr *sch; 338 struct sctp_chunkhdr _sch; 339 u_int32_t offset, count; 340 unsigned int *timeouts; 341 unsigned long map[256 / sizeof(unsigned long)] = { 0 }; 342 bool ignore = false; 343 344 if (sctp_error(skb, dataoff, state)) 345 return -NF_ACCEPT; 346 347 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); 348 if (sh == NULL) 349 goto out; 350 351 if (do_basic_checks(ct, skb, dataoff, map, state) != 0) 352 goto out; 353 354 if (!nf_ct_is_confirmed(ct)) { 355 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */ 356 if (test_bit(SCTP_CID_ABORT, map) || 357 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) || 358 test_bit(SCTP_CID_COOKIE_ACK, map)) 359 return -NF_ACCEPT; 360 361 if (!sctp_new(ct, skb, sh, dataoff)) 362 return -NF_ACCEPT; 363 } 364 365 /* Check the verification tag (Sec 8.5) */ 366 if (!test_bit(SCTP_CID_INIT, map) && 367 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) && 368 !test_bit(SCTP_CID_COOKIE_ECHO, map) && 369 !test_bit(SCTP_CID_ABORT, map) && 370 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) && 371 !test_bit(SCTP_CID_HEARTBEAT, map) && 372 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) && 373 sh->vtag != ct->proto.sctp.vtag[dir]) { 374 nf_ct_l4proto_log_invalid(skb, ct, state, 375 "verification tag check failed %x vs %x for dir %d", 376 sh->vtag, ct->proto.sctp.vtag[dir], dir); 377 goto out; 378 } 379 380 old_state = new_state = SCTP_CONNTRACK_NONE; 381 spin_lock_bh(&ct->lock); 382 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 383 /* Special cases of Verification tag check (Sec 8.5.1) */ 384 if (sch->type == SCTP_CID_INIT) { 385 /* (A) vtag MUST be zero */ 386 if (sh->vtag != 0) 387 goto out_unlock; 388 } else if (sch->type == SCTP_CID_ABORT) { 389 /* (B) vtag MUST match own vtag if T flag is unset OR 390 * MUST match peer's vtag if T flag is set 391 */ 392 if ((!(sch->flags & SCTP_CHUNK_FLAG_T) && 393 sh->vtag != ct->proto.sctp.vtag[dir]) || 394 ((sch->flags & SCTP_CHUNK_FLAG_T) && 395 sh->vtag != ct->proto.sctp.vtag[!dir])) 396 goto out_unlock; 397 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { 398 /* (C) vtag MUST match own vtag if T flag is unset OR 399 * MUST match peer's vtag if T flag is set 400 */ 401 if ((!(sch->flags & SCTP_CHUNK_FLAG_T) && 402 sh->vtag != ct->proto.sctp.vtag[dir]) || 403 ((sch->flags & SCTP_CHUNK_FLAG_T) && 404 sh->vtag != ct->proto.sctp.vtag[!dir])) 405 goto out_unlock; 406 } else if (sch->type == SCTP_CID_COOKIE_ECHO) { 407 /* (D) vtag must be same as init_vtag as found in INIT_ACK */ 408 if (sh->vtag != ct->proto.sctp.vtag[dir]) 409 goto out_unlock; 410 } else if (sch->type == SCTP_CID_COOKIE_ACK) { 411 ct->proto.sctp.init[dir] = 0; 412 ct->proto.sctp.init[!dir] = 0; 413 } else if (sch->type == SCTP_CID_HEARTBEAT) { 414 if (ct->proto.sctp.vtag[dir] == 0) { 415 pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir); 416 ct->proto.sctp.vtag[dir] = sh->vtag; 417 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { 418 if (test_bit(SCTP_CID_DATA, map) || ignore) 419 goto out_unlock; 420 421 ct->proto.sctp.flags |= SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 422 ct->proto.sctp.last_dir = dir; 423 ignore = true; 424 continue; 425 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { 426 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 427 } 428 } else if (sch->type == SCTP_CID_HEARTBEAT_ACK) { 429 if (ct->proto.sctp.vtag[dir] == 0) { 430 pr_debug("Setting vtag %x for dir %d\n", 431 sh->vtag, dir); 432 ct->proto.sctp.vtag[dir] = sh->vtag; 433 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { 434 if (test_bit(SCTP_CID_DATA, map) || ignore) 435 goto out_unlock; 436 437 if ((ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) == 0 || 438 ct->proto.sctp.last_dir == dir) 439 goto out_unlock; 440 441 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 442 ct->proto.sctp.vtag[dir] = sh->vtag; 443 ct->proto.sctp.vtag[!dir] = 0; 444 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { 445 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; 446 } 447 } 448 449 old_state = ct->proto.sctp.state; 450 new_state = sctp_new_state(dir, old_state, sch->type); 451 452 /* Invalid */ 453 if (new_state == SCTP_CONNTRACK_MAX) { 454 nf_ct_l4proto_log_invalid(skb, ct, state, 455 "Invalid, old_state %d, dir %d, type %d", 456 old_state, dir, sch->type); 457 458 goto out_unlock; 459 } 460 461 /* If it is an INIT or an INIT ACK note down the vtag */ 462 if (sch->type == SCTP_CID_INIT) { 463 struct sctp_inithdr _ih, *ih; 464 465 ih = skb_header_pointer(skb, offset + sizeof(_sch), sizeof(*ih), &_ih); 466 if (!ih) 467 goto out_unlock; 468 469 if (ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir]) 470 ct->proto.sctp.init[!dir] = 0; 471 ct->proto.sctp.init[dir] = 1; 472 473 pr_debug("Setting vtag %x for dir %d\n", ih->init_tag, !dir); 474 ct->proto.sctp.vtag[!dir] = ih->init_tag; 475 476 /* don't renew timeout on init retransmit so 477 * port reuse by client or NAT middlebox cannot 478 * keep entry alive indefinitely (incl. nat info). 479 */ 480 if (new_state == SCTP_CONNTRACK_CLOSED && 481 old_state == SCTP_CONNTRACK_CLOSED && 482 nf_ct_is_confirmed(ct)) 483 ignore = true; 484 } else if (sch->type == SCTP_CID_INIT_ACK) { 485 struct sctp_inithdr _ih, *ih; 486 __be32 vtag; 487 488 ih = skb_header_pointer(skb, offset + sizeof(_sch), sizeof(*ih), &_ih); 489 if (!ih) 490 goto out_unlock; 491 492 vtag = ct->proto.sctp.vtag[!dir]; 493 if (!ct->proto.sctp.init[!dir] && vtag && vtag != ih->init_tag) 494 goto out_unlock; 495 /* collision */ 496 if (ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir] && 497 vtag != ih->init_tag) 498 goto out_unlock; 499 500 pr_debug("Setting vtag %x for dir %d\n", ih->init_tag, !dir); 501 ct->proto.sctp.vtag[!dir] = ih->init_tag; 502 } 503 504 ct->proto.sctp.state = new_state; 505 if (old_state != new_state) { 506 nf_conntrack_event_cache(IPCT_PROTOINFO, ct); 507 if (new_state == SCTP_CONNTRACK_ESTABLISHED && 508 !test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) 509 nf_conntrack_event_cache(IPCT_ASSURED, ct); 510 } 511 } 512 spin_unlock_bh(&ct->lock); 513 514 /* allow but do not refresh timeout */ 515 if (ignore) 516 return NF_ACCEPT; 517 518 timeouts = nf_ct_timeout_lookup(ct); 519 if (!timeouts) 520 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts; 521 522 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]); 523 524 return NF_ACCEPT; 525 526 out_unlock: 527 spin_unlock_bh(&ct->lock); 528 out: 529 return -NF_ACCEPT; 530 } 531 532 static bool sctp_can_early_drop(const struct nf_conn *ct) 533 { 534 switch (ct->proto.sctp.state) { 535 case SCTP_CONNTRACK_SHUTDOWN_SENT: 536 case SCTP_CONNTRACK_SHUTDOWN_RECD: 537 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT: 538 return true; 539 default: 540 break; 541 } 542 543 return false; 544 } 545 546 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 547 548 #include <linux/netfilter/nfnetlink.h> 549 #include <linux/netfilter/nfnetlink_conntrack.h> 550 551 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, 552 struct nf_conn *ct, bool destroy) 553 { 554 struct nlattr *nest_parms; 555 556 spin_lock_bh(&ct->lock); 557 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP); 558 if (!nest_parms) 559 goto nla_put_failure; 560 561 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state)) 562 goto nla_put_failure; 563 564 if (destroy) 565 goto skip_state; 566 567 if (nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL, 568 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) || 569 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY, 570 ct->proto.sctp.vtag[IP_CT_DIR_REPLY])) 571 goto nla_put_failure; 572 573 skip_state: 574 spin_unlock_bh(&ct->lock); 575 nla_nest_end(skb, nest_parms); 576 577 return 0; 578 579 nla_put_failure: 580 spin_unlock_bh(&ct->lock); 581 return -1; 582 } 583 584 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = { 585 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 }, 586 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 }, 587 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 }, 588 }; 589 590 #define SCTP_NLATTR_SIZE ( \ 591 NLA_ALIGN(NLA_HDRLEN + 1) + \ 592 NLA_ALIGN(NLA_HDRLEN + 4) + \ 593 NLA_ALIGN(NLA_HDRLEN + 4)) 594 595 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct) 596 { 597 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP]; 598 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1]; 599 int err; 600 601 /* updates may not contain the internal protocol info, skip parsing */ 602 if (!attr) 603 return 0; 604 605 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr, 606 sctp_nla_policy, NULL); 607 if (err < 0) 608 return err; 609 610 if (!tb[CTA_PROTOINFO_SCTP_STATE] || 611 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] || 612 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]) 613 return -EINVAL; 614 615 spin_lock_bh(&ct->lock); 616 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]); 617 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = 618 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]); 619 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = 620 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]); 621 spin_unlock_bh(&ct->lock); 622 623 return 0; 624 } 625 #endif 626 627 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 628 629 #include <linux/netfilter/nfnetlink.h> 630 #include <linux/netfilter/nfnetlink_cttimeout.h> 631 632 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], 633 struct net *net, void *data) 634 { 635 unsigned int *timeouts = data; 636 struct nf_sctp_net *sn = nf_sctp_pernet(net); 637 int i; 638 639 if (!timeouts) 640 timeouts = sn->timeouts; 641 642 /* set default SCTP timeouts. */ 643 for (i=0; i<SCTP_CONNTRACK_MAX; i++) 644 timeouts[i] = sn->timeouts[i]; 645 646 /* there's a 1:1 mapping between attributes and protocol states. */ 647 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { 648 if (tb[i]) { 649 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ; 650 } 651 } 652 653 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED]; 654 return 0; 655 } 656 657 static int 658 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data) 659 { 660 const unsigned int *timeouts = data; 661 int i; 662 663 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) { 664 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ))) 665 goto nla_put_failure; 666 } 667 return 0; 668 669 nla_put_failure: 670 return -ENOSPC; 671 } 672 673 static const struct nla_policy 674 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = { 675 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 }, 676 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 }, 677 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 }, 678 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 }, 679 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 }, 680 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 }, 681 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 }, 682 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 }, 683 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 }, 684 }; 685 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 686 687 void nf_conntrack_sctp_init_net(struct net *net) 688 { 689 struct nf_sctp_net *sn = nf_sctp_pernet(net); 690 int i; 691 692 for (i = 0; i < SCTP_CONNTRACK_MAX; i++) 693 sn->timeouts[i] = sctp_timeouts[i]; 694 695 /* timeouts[0] is unused, init it so ->timeouts[0] contains 696 * 'new' timeout, like udp or icmp. 697 */ 698 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED]; 699 } 700 701 const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = { 702 .l4proto = IPPROTO_SCTP, 703 #ifdef CONFIG_NF_CONNTRACK_PROCFS 704 .print_conntrack = sctp_print_conntrack, 705 #endif 706 .can_early_drop = sctp_can_early_drop, 707 #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 708 .nlattr_size = SCTP_NLATTR_SIZE, 709 .to_nlattr = sctp_to_nlattr, 710 .from_nlattr = nlattr_to_sctp, 711 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 712 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 713 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 714 .nla_policy = nf_ct_port_nla_policy, 715 #endif 716 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 717 .ctnl_timeout = { 718 .nlattr_to_obj = sctp_timeout_nlattr_to_obj, 719 .obj_to_nlattr = sctp_timeout_obj_to_nlattr, 720 .nlattr_max = CTA_TIMEOUT_SCTP_MAX, 721 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX, 722 .nla_policy = sctp_timeout_nla_policy, 723 }, 724 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 725 }; 726