• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Connection tracking protocol helper module for SCTP.
3  *
4  * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
5  * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
6  *
7  * SCTP is defined in RFC 2960. References to various sections in this code
8  * are to this RFC.
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2 as
12  * published by the Free Software Foundation.
13  */
14 
15 #include <linux/types.h>
16 #include <linux/timer.h>
17 #include <linux/netfilter.h>
18 #include <linux/module.h>
19 #include <linux/in.h>
20 #include <linux/ip.h>
21 #include <linux/sctp.h>
22 #include <linux/string.h>
23 #include <linux/seq_file.h>
24 #include <linux/spinlock.h>
25 #include <linux/interrupt.h>
26 
27 #include <net/netfilter/nf_conntrack.h>
28 #include <net/netfilter/nf_conntrack_l4proto.h>
29 #include <net/netfilter/nf_conntrack_ecache.h>
30 
31 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
32    closely.  They're more complex. --RR
33 
34    And so for me for SCTP :D -Kiran */
35 
36 static const char *const sctp_conntrack_names[] = {
37 	"NONE",
38 	"CLOSED",
39 	"COOKIE_WAIT",
40 	"COOKIE_ECHOED",
41 	"ESTABLISHED",
42 	"SHUTDOWN_SENT",
43 	"SHUTDOWN_RECD",
44 	"SHUTDOWN_ACK_SENT",
45 	"HEARTBEAT_SENT",
46 	"HEARTBEAT_ACKED",
47 };
48 
49 #define SECS  * HZ
50 #define MINS  * 60 SECS
51 #define HOURS * 60 MINS
52 #define DAYS  * 24 HOURS
53 
54 static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
55 	[SCTP_CONNTRACK_CLOSED]			= 10 SECS,
56 	[SCTP_CONNTRACK_COOKIE_WAIT]		= 3 SECS,
57 	[SCTP_CONNTRACK_COOKIE_ECHOED]		= 3 SECS,
58 	[SCTP_CONNTRACK_ESTABLISHED]		= 5 DAYS,
59 	[SCTP_CONNTRACK_SHUTDOWN_SENT]		= 300 SECS / 1000,
60 	[SCTP_CONNTRACK_SHUTDOWN_RECD]		= 300 SECS / 1000,
61 	[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT]	= 3 SECS,
62 	[SCTP_CONNTRACK_HEARTBEAT_SENT]		= 30 SECS,
63 	[SCTP_CONNTRACK_HEARTBEAT_ACKED]	= 210 SECS,
64 };
65 
66 #define sNO SCTP_CONNTRACK_NONE
67 #define	sCL SCTP_CONNTRACK_CLOSED
68 #define	sCW SCTP_CONNTRACK_COOKIE_WAIT
69 #define	sCE SCTP_CONNTRACK_COOKIE_ECHOED
70 #define	sES SCTP_CONNTRACK_ESTABLISHED
71 #define	sSS SCTP_CONNTRACK_SHUTDOWN_SENT
72 #define	sSR SCTP_CONNTRACK_SHUTDOWN_RECD
73 #define	sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
74 #define	sHS SCTP_CONNTRACK_HEARTBEAT_SENT
75 #define	sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
76 #define	sIV SCTP_CONNTRACK_MAX
77 
78 /*
79 	These are the descriptions of the states:
80 
81 NOTE: These state names are tantalizingly similar to the states of an
82 SCTP endpoint. But the interpretation of the states is a little different,
83 considering that these are the states of the connection and not of an end
84 point. Please note the subtleties. -Kiran
85 
86 NONE              - Nothing so far.
87 COOKIE WAIT       - We have seen an INIT chunk in the original direction, or also
88 		    an INIT_ACK chunk in the reply direction.
89 COOKIE ECHOED     - We have seen a COOKIE_ECHO chunk in the original direction.
90 ESTABLISHED       - We have seen a COOKIE_ACK in the reply direction.
91 SHUTDOWN_SENT     - We have seen a SHUTDOWN chunk in the original direction.
92 SHUTDOWN_RECD     - We have seen a SHUTDOWN chunk in the reply directoin.
93 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
94 		    to that of the SHUTDOWN chunk.
95 CLOSED            - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
96 		    the SHUTDOWN chunk. Connection is closed.
97 HEARTBEAT_SENT    - We have seen a HEARTBEAT in a new flow.
98 HEARTBEAT_ACKED   - We have seen a HEARTBEAT-ACK in the direction opposite to
99 		    that of the HEARTBEAT chunk. Secondary connection is
100 		    established.
101 */
102 
103 /* TODO
104  - I have assumed that the first INIT is in the original direction.
105  This messes things when an INIT comes in the reply direction in CLOSED
106  state.
107  - Check the error type in the reply dir before transitioning from
108 cookie echoed to closed.
109  - Sec 5.2.4 of RFC 2960
110  - Full Multi Homing support.
111 */
112 
113 /* SCTP conntrack state transitions */
114 static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
115 	{
116 /*	ORIGINAL	*/
117 /*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
118 /* init         */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
119 /* init_ack     */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
120 /* abort        */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
121 /* shutdown     */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
122 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
123 /* error        */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
124 /* cookie_echo  */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
125 /* cookie_ack   */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
126 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
127 /* heartbeat    */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
128 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
129 	},
130 	{
131 /*	REPLY	*/
132 /*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
133 /* init         */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
134 /* init_ack     */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
135 /* abort        */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
136 /* shutdown     */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
137 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
138 /* error        */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
139 /* cookie_echo  */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
140 /* cookie_ack   */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
141 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
142 /* heartbeat    */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
143 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
144 	}
145 };
146 
147 static int sctp_net_id	__read_mostly;
148 struct sctp_net {
149 	struct nf_proto_net pn;
150 	unsigned int timeouts[SCTP_CONNTRACK_MAX];
151 };
152 
sctp_pernet(struct net * net)153 static inline struct sctp_net *sctp_pernet(struct net *net)
154 {
155 	return net_generic(net, sctp_net_id);
156 }
157 
sctp_pkt_to_tuple(const struct sk_buff * skb,unsigned int dataoff,struct net * net,struct nf_conntrack_tuple * tuple)158 static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
159 			      struct net *net, struct nf_conntrack_tuple *tuple)
160 {
161 	const struct sctphdr *hp;
162 	struct sctphdr _hdr;
163 
164 	/* Actually only need first 8 bytes. */
165 	hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
166 	if (hp == NULL)
167 		return false;
168 
169 	tuple->src.u.sctp.port = hp->source;
170 	tuple->dst.u.sctp.port = hp->dest;
171 	return true;
172 }
173 
sctp_invert_tuple(struct nf_conntrack_tuple * tuple,const struct nf_conntrack_tuple * orig)174 static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
175 			      const struct nf_conntrack_tuple *orig)
176 {
177 	tuple->src.u.sctp.port = orig->dst.u.sctp.port;
178 	tuple->dst.u.sctp.port = orig->src.u.sctp.port;
179 	return true;
180 }
181 
182 /* Print out the per-protocol part of the tuple. */
sctp_print_tuple(struct seq_file * s,const struct nf_conntrack_tuple * tuple)183 static void sctp_print_tuple(struct seq_file *s,
184 			     const struct nf_conntrack_tuple *tuple)
185 {
186 	seq_printf(s, "sport=%hu dport=%hu ",
187 		   ntohs(tuple->src.u.sctp.port),
188 		   ntohs(tuple->dst.u.sctp.port));
189 }
190 
191 /* Print out the private part of the conntrack. */
sctp_print_conntrack(struct seq_file * s,struct nf_conn * ct)192 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
193 {
194 	enum sctp_conntrack state;
195 
196 	spin_lock_bh(&ct->lock);
197 	state = ct->proto.sctp.state;
198 	spin_unlock_bh(&ct->lock);
199 
200 	seq_printf(s, "%s ", sctp_conntrack_names[state]);
201 }
202 
203 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count)	\
204 for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0;	\
205 	(offset) < (skb)->len &&					\
206 	((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch)));	\
207 	(offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
208 
209 /* Some validity checks to make sure the chunks are fine */
do_basic_checks(struct nf_conn * ct,const struct sk_buff * skb,unsigned int dataoff,unsigned long * map)210 static int do_basic_checks(struct nf_conn *ct,
211 			   const struct sk_buff *skb,
212 			   unsigned int dataoff,
213 			   unsigned long *map)
214 {
215 	u_int32_t offset, count;
216 	sctp_chunkhdr_t _sch, *sch;
217 	int flag;
218 
219 	flag = 0;
220 
221 	for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
222 		pr_debug("Chunk Num: %d  Type: %d\n", count, sch->type);
223 
224 		if (sch->type == SCTP_CID_INIT ||
225 		    sch->type == SCTP_CID_INIT_ACK ||
226 		    sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
227 			flag = 1;
228 
229 		/*
230 		 * Cookie Ack/Echo chunks not the first OR
231 		 * Init / Init Ack / Shutdown compl chunks not the only chunks
232 		 * OR zero-length.
233 		 */
234 		if (((sch->type == SCTP_CID_COOKIE_ACK ||
235 		      sch->type == SCTP_CID_COOKIE_ECHO ||
236 		      flag) &&
237 		     count != 0) || !sch->length) {
238 			pr_debug("Basic checks failed\n");
239 			return 1;
240 		}
241 
242 		if (map)
243 			set_bit(sch->type, map);
244 	}
245 
246 	pr_debug("Basic checks passed\n");
247 	return count == 0;
248 }
249 
sctp_new_state(enum ip_conntrack_dir dir,enum sctp_conntrack cur_state,int chunk_type)250 static int sctp_new_state(enum ip_conntrack_dir dir,
251 			  enum sctp_conntrack cur_state,
252 			  int chunk_type)
253 {
254 	int i;
255 
256 	pr_debug("Chunk type: %d\n", chunk_type);
257 
258 	switch (chunk_type) {
259 	case SCTP_CID_INIT:
260 		pr_debug("SCTP_CID_INIT\n");
261 		i = 0;
262 		break;
263 	case SCTP_CID_INIT_ACK:
264 		pr_debug("SCTP_CID_INIT_ACK\n");
265 		i = 1;
266 		break;
267 	case SCTP_CID_ABORT:
268 		pr_debug("SCTP_CID_ABORT\n");
269 		i = 2;
270 		break;
271 	case SCTP_CID_SHUTDOWN:
272 		pr_debug("SCTP_CID_SHUTDOWN\n");
273 		i = 3;
274 		break;
275 	case SCTP_CID_SHUTDOWN_ACK:
276 		pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
277 		i = 4;
278 		break;
279 	case SCTP_CID_ERROR:
280 		pr_debug("SCTP_CID_ERROR\n");
281 		i = 5;
282 		break;
283 	case SCTP_CID_COOKIE_ECHO:
284 		pr_debug("SCTP_CID_COOKIE_ECHO\n");
285 		i = 6;
286 		break;
287 	case SCTP_CID_COOKIE_ACK:
288 		pr_debug("SCTP_CID_COOKIE_ACK\n");
289 		i = 7;
290 		break;
291 	case SCTP_CID_SHUTDOWN_COMPLETE:
292 		pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
293 		i = 8;
294 		break;
295 	case SCTP_CID_HEARTBEAT:
296 		pr_debug("SCTP_CID_HEARTBEAT");
297 		i = 9;
298 		break;
299 	case SCTP_CID_HEARTBEAT_ACK:
300 		pr_debug("SCTP_CID_HEARTBEAT_ACK");
301 		i = 10;
302 		break;
303 	default:
304 		/* Other chunks like DATA or SACK do not change the state */
305 		pr_debug("Unknown chunk type, Will stay in %s\n",
306 			 sctp_conntrack_names[cur_state]);
307 		return cur_state;
308 	}
309 
310 	pr_debug("dir: %d   cur_state: %s  chunk_type: %d  new_state: %s\n",
311 		 dir, sctp_conntrack_names[cur_state], chunk_type,
312 		 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
313 
314 	return sctp_conntracks[dir][i][cur_state];
315 }
316 
sctp_get_timeouts(struct net * net)317 static unsigned int *sctp_get_timeouts(struct net *net)
318 {
319 	return sctp_pernet(net)->timeouts;
320 }
321 
322 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
sctp_packet(struct nf_conn * ct,const struct sk_buff * skb,unsigned int dataoff,enum ip_conntrack_info ctinfo,u_int8_t pf,unsigned int hooknum,unsigned int * timeouts)323 static int sctp_packet(struct nf_conn *ct,
324 		       const struct sk_buff *skb,
325 		       unsigned int dataoff,
326 		       enum ip_conntrack_info ctinfo,
327 		       u_int8_t pf,
328 		       unsigned int hooknum,
329 		       unsigned int *timeouts)
330 {
331 	enum sctp_conntrack new_state, old_state;
332 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
333 	const struct sctphdr *sh;
334 	struct sctphdr _sctph;
335 	const struct sctp_chunkhdr *sch;
336 	struct sctp_chunkhdr _sch;
337 	u_int32_t offset, count;
338 	unsigned long map[256 / sizeof(unsigned long)] = { 0 };
339 
340 	sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
341 	if (sh == NULL)
342 		goto out;
343 
344 	if (do_basic_checks(ct, skb, dataoff, map) != 0)
345 		goto out;
346 
347 	/* Check the verification tag (Sec 8.5) */
348 	if (!test_bit(SCTP_CID_INIT, map) &&
349 	    !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
350 	    !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
351 	    !test_bit(SCTP_CID_ABORT, map) &&
352 	    !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
353 	    !test_bit(SCTP_CID_HEARTBEAT, map) &&
354 	    !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
355 	    sh->vtag != ct->proto.sctp.vtag[dir]) {
356 		pr_debug("Verification tag check failed\n");
357 		goto out;
358 	}
359 
360 	old_state = new_state = SCTP_CONNTRACK_NONE;
361 	spin_lock_bh(&ct->lock);
362 	for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
363 		/* Special cases of Verification tag check (Sec 8.5.1) */
364 		if (sch->type == SCTP_CID_INIT) {
365 			/* Sec 8.5.1 (A) */
366 			if (sh->vtag != 0)
367 				goto out_unlock;
368 		} else if (sch->type == SCTP_CID_ABORT) {
369 			/* Sec 8.5.1 (B) */
370 			if (sh->vtag != ct->proto.sctp.vtag[dir] &&
371 			    sh->vtag != ct->proto.sctp.vtag[!dir])
372 				goto out_unlock;
373 		} else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
374 			/* Sec 8.5.1 (C) */
375 			if (sh->vtag != ct->proto.sctp.vtag[dir] &&
376 			    sh->vtag != ct->proto.sctp.vtag[!dir] &&
377 			    sch->flags & SCTP_CHUNK_FLAG_T)
378 				goto out_unlock;
379 		} else if (sch->type == SCTP_CID_COOKIE_ECHO) {
380 			/* Sec 8.5.1 (D) */
381 			if (sh->vtag != ct->proto.sctp.vtag[dir])
382 				goto out_unlock;
383 		} else if (sch->type == SCTP_CID_HEARTBEAT ||
384 			   sch->type == SCTP_CID_HEARTBEAT_ACK) {
385 			if (ct->proto.sctp.vtag[dir] == 0) {
386 				pr_debug("Setting vtag %x for dir %d\n",
387 					 sh->vtag, dir);
388 				ct->proto.sctp.vtag[dir] = sh->vtag;
389 			} else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
390 				pr_debug("Verification tag check failed\n");
391 				goto out_unlock;
392 			}
393 		}
394 
395 		old_state = ct->proto.sctp.state;
396 		new_state = sctp_new_state(dir, old_state, sch->type);
397 
398 		/* Invalid */
399 		if (new_state == SCTP_CONNTRACK_MAX) {
400 			pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
401 				 "conntrack=%u\n",
402 				 dir, sch->type, old_state);
403 			goto out_unlock;
404 		}
405 
406 		/* If it is an INIT or an INIT ACK note down the vtag */
407 		if (sch->type == SCTP_CID_INIT ||
408 		    sch->type == SCTP_CID_INIT_ACK) {
409 			sctp_inithdr_t _inithdr, *ih;
410 
411 			ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
412 						sizeof(_inithdr), &_inithdr);
413 			if (ih == NULL)
414 				goto out_unlock;
415 			pr_debug("Setting vtag %x for dir %d\n",
416 				 ih->init_tag, !dir);
417 			ct->proto.sctp.vtag[!dir] = ih->init_tag;
418 		}
419 
420 		ct->proto.sctp.state = new_state;
421 		if (old_state != new_state)
422 			nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
423 	}
424 	spin_unlock_bh(&ct->lock);
425 
426 	nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
427 
428 	if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
429 	    dir == IP_CT_DIR_REPLY &&
430 	    new_state == SCTP_CONNTRACK_ESTABLISHED) {
431 		pr_debug("Setting assured bit\n");
432 		set_bit(IPS_ASSURED_BIT, &ct->status);
433 		nf_conntrack_event_cache(IPCT_ASSURED, ct);
434 	}
435 
436 	return NF_ACCEPT;
437 
438 out_unlock:
439 	spin_unlock_bh(&ct->lock);
440 out:
441 	return -NF_ACCEPT;
442 }
443 
444 /* Called when a new connection for this protocol found. */
sctp_new(struct nf_conn * ct,const struct sk_buff * skb,unsigned int dataoff,unsigned int * timeouts)445 static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
446 		     unsigned int dataoff, unsigned int *timeouts)
447 {
448 	enum sctp_conntrack new_state;
449 	const struct sctphdr *sh;
450 	struct sctphdr _sctph;
451 	const struct sctp_chunkhdr *sch;
452 	struct sctp_chunkhdr _sch;
453 	u_int32_t offset, count;
454 	unsigned long map[256 / sizeof(unsigned long)] = { 0 };
455 
456 	sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
457 	if (sh == NULL)
458 		return false;
459 
460 	if (do_basic_checks(ct, skb, dataoff, map) != 0)
461 		return false;
462 
463 	/* If an OOTB packet has any of these chunks discard (Sec 8.4) */
464 	if (test_bit(SCTP_CID_ABORT, map) ||
465 	    test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
466 	    test_bit(SCTP_CID_COOKIE_ACK, map))
467 		return false;
468 
469 	memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
470 	new_state = SCTP_CONNTRACK_MAX;
471 	for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
472 		/* Don't need lock here: this conntrack not in circulation yet */
473 		new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
474 					   SCTP_CONNTRACK_NONE, sch->type);
475 
476 		/* Invalid: delete conntrack */
477 		if (new_state == SCTP_CONNTRACK_NONE ||
478 		    new_state == SCTP_CONNTRACK_MAX) {
479 			pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
480 			return false;
481 		}
482 
483 		/* Copy the vtag into the state info */
484 		if (sch->type == SCTP_CID_INIT) {
485 			if (sh->vtag == 0) {
486 				sctp_inithdr_t _inithdr, *ih;
487 
488 				ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
489 							sizeof(_inithdr), &_inithdr);
490 				if (ih == NULL)
491 					return false;
492 
493 				pr_debug("Setting vtag %x for new conn\n",
494 					 ih->init_tag);
495 
496 				ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
497 								ih->init_tag;
498 			} else {
499 				/* Sec 8.5.1 (A) */
500 				return false;
501 			}
502 		} else if (sch->type == SCTP_CID_HEARTBEAT) {
503 			pr_debug("Setting vtag %x for secondary conntrack\n",
504 				 sh->vtag);
505 			ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
506 		}
507 		/* If it is a shutdown ack OOTB packet, we expect a return
508 		   shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
509 		else {
510 			pr_debug("Setting vtag %x for new conn OOTB\n",
511 				 sh->vtag);
512 			ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
513 		}
514 
515 		ct->proto.sctp.state = new_state;
516 	}
517 
518 	return true;
519 }
520 
521 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
522 
523 #include <linux/netfilter/nfnetlink.h>
524 #include <linux/netfilter/nfnetlink_conntrack.h>
525 
sctp_to_nlattr(struct sk_buff * skb,struct nlattr * nla,struct nf_conn * ct)526 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
527 			  struct nf_conn *ct)
528 {
529 	struct nlattr *nest_parms;
530 
531 	spin_lock_bh(&ct->lock);
532 	nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
533 	if (!nest_parms)
534 		goto nla_put_failure;
535 
536 	if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
537 	    nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
538 			 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
539 	    nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
540 			 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
541 		goto nla_put_failure;
542 
543 	spin_unlock_bh(&ct->lock);
544 
545 	nla_nest_end(skb, nest_parms);
546 
547 	return 0;
548 
549 nla_put_failure:
550 	spin_unlock_bh(&ct->lock);
551 	return -1;
552 }
553 
554 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
555 	[CTA_PROTOINFO_SCTP_STATE]	    = { .type = NLA_U8 },
556 	[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]  = { .type = NLA_U32 },
557 	[CTA_PROTOINFO_SCTP_VTAG_REPLY]     = { .type = NLA_U32 },
558 };
559 
nlattr_to_sctp(struct nlattr * cda[],struct nf_conn * ct)560 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
561 {
562 	struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
563 	struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
564 	int err;
565 
566 	/* updates may not contain the internal protocol info, skip parsing */
567 	if (!attr)
568 		return 0;
569 
570 	err = nla_parse_nested(tb,
571 			       CTA_PROTOINFO_SCTP_MAX,
572 			       attr,
573 			       sctp_nla_policy);
574 	if (err < 0)
575 		return err;
576 
577 	if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
578 	    !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
579 	    !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
580 		return -EINVAL;
581 
582 	spin_lock_bh(&ct->lock);
583 	ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
584 	ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
585 		nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
586 	ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
587 		nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
588 	spin_unlock_bh(&ct->lock);
589 
590 	return 0;
591 }
592 
sctp_nlattr_size(void)593 static int sctp_nlattr_size(void)
594 {
595 	return nla_total_size(0)	/* CTA_PROTOINFO_SCTP */
596 		+ nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
597 }
598 #endif
599 
600 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
601 
602 #include <linux/netfilter/nfnetlink.h>
603 #include <linux/netfilter/nfnetlink_cttimeout.h>
604 
sctp_timeout_nlattr_to_obj(struct nlattr * tb[],struct net * net,void * data)605 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
606 				      struct net *net, void *data)
607 {
608 	unsigned int *timeouts = data;
609 	struct sctp_net *sn = sctp_pernet(net);
610 	int i;
611 
612 	/* set default SCTP timeouts. */
613 	for (i=0; i<SCTP_CONNTRACK_MAX; i++)
614 		timeouts[i] = sn->timeouts[i];
615 
616 	/* there's a 1:1 mapping between attributes and protocol states. */
617 	for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
618 		if (tb[i]) {
619 			timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
620 		}
621 	}
622 	return 0;
623 }
624 
625 static int
sctp_timeout_obj_to_nlattr(struct sk_buff * skb,const void * data)626 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
627 {
628         const unsigned int *timeouts = data;
629 	int i;
630 
631 	for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
632 	        if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
633 			goto nla_put_failure;
634 	}
635         return 0;
636 
637 nla_put_failure:
638         return -ENOSPC;
639 }
640 
641 static const struct nla_policy
642 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
643 	[CTA_TIMEOUT_SCTP_CLOSED]		= { .type = NLA_U32 },
644 	[CTA_TIMEOUT_SCTP_COOKIE_WAIT]		= { .type = NLA_U32 },
645 	[CTA_TIMEOUT_SCTP_COOKIE_ECHOED]	= { .type = NLA_U32 },
646 	[CTA_TIMEOUT_SCTP_ESTABLISHED]		= { .type = NLA_U32 },
647 	[CTA_TIMEOUT_SCTP_SHUTDOWN_SENT]	= { .type = NLA_U32 },
648 	[CTA_TIMEOUT_SCTP_SHUTDOWN_RECD]	= { .type = NLA_U32 },
649 	[CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT]	= { .type = NLA_U32 },
650 	[CTA_TIMEOUT_SCTP_HEARTBEAT_SENT]	= { .type = NLA_U32 },
651 	[CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED]	= { .type = NLA_U32 },
652 };
653 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
654 
655 
656 #ifdef CONFIG_SYSCTL
657 static struct ctl_table sctp_sysctl_table[] = {
658 	{
659 		.procname	= "nf_conntrack_sctp_timeout_closed",
660 		.maxlen		= sizeof(unsigned int),
661 		.mode		= 0644,
662 		.proc_handler	= proc_dointvec_jiffies,
663 	},
664 	{
665 		.procname	= "nf_conntrack_sctp_timeout_cookie_wait",
666 		.maxlen		= sizeof(unsigned int),
667 		.mode		= 0644,
668 		.proc_handler	= proc_dointvec_jiffies,
669 	},
670 	{
671 		.procname	= "nf_conntrack_sctp_timeout_cookie_echoed",
672 		.maxlen		= sizeof(unsigned int),
673 		.mode		= 0644,
674 		.proc_handler	= proc_dointvec_jiffies,
675 	},
676 	{
677 		.procname	= "nf_conntrack_sctp_timeout_established",
678 		.maxlen		= sizeof(unsigned int),
679 		.mode		= 0644,
680 		.proc_handler	= proc_dointvec_jiffies,
681 	},
682 	{
683 		.procname	= "nf_conntrack_sctp_timeout_shutdown_sent",
684 		.maxlen		= sizeof(unsigned int),
685 		.mode		= 0644,
686 		.proc_handler	= proc_dointvec_jiffies,
687 	},
688 	{
689 		.procname	= "nf_conntrack_sctp_timeout_shutdown_recd",
690 		.maxlen		= sizeof(unsigned int),
691 		.mode		= 0644,
692 		.proc_handler	= proc_dointvec_jiffies,
693 	},
694 	{
695 		.procname	= "nf_conntrack_sctp_timeout_shutdown_ack_sent",
696 		.maxlen		= sizeof(unsigned int),
697 		.mode		= 0644,
698 		.proc_handler	= proc_dointvec_jiffies,
699 	},
700 	{
701 		.procname	= "nf_conntrack_sctp_timeout_heartbeat_sent",
702 		.maxlen		= sizeof(unsigned int),
703 		.mode		= 0644,
704 		.proc_handler	= proc_dointvec_jiffies,
705 	},
706 	{
707 		.procname	= "nf_conntrack_sctp_timeout_heartbeat_acked",
708 		.maxlen		= sizeof(unsigned int),
709 		.mode		= 0644,
710 		.proc_handler	= proc_dointvec_jiffies,
711 	},
712 	{ }
713 };
714 
715 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
716 static struct ctl_table sctp_compat_sysctl_table[] = {
717 	{
718 		.procname	= "ip_conntrack_sctp_timeout_closed",
719 		.maxlen		= sizeof(unsigned int),
720 		.mode		= 0644,
721 		.proc_handler	= proc_dointvec_jiffies,
722 	},
723 	{
724 		.procname	= "ip_conntrack_sctp_timeout_cookie_wait",
725 		.maxlen		= sizeof(unsigned int),
726 		.mode		= 0644,
727 		.proc_handler	= proc_dointvec_jiffies,
728 	},
729 	{
730 		.procname	= "ip_conntrack_sctp_timeout_cookie_echoed",
731 		.maxlen		= sizeof(unsigned int),
732 		.mode		= 0644,
733 		.proc_handler	= proc_dointvec_jiffies,
734 	},
735 	{
736 		.procname	= "ip_conntrack_sctp_timeout_established",
737 		.maxlen		= sizeof(unsigned int),
738 		.mode		= 0644,
739 		.proc_handler	= proc_dointvec_jiffies,
740 	},
741 	{
742 		.procname	= "ip_conntrack_sctp_timeout_shutdown_sent",
743 		.maxlen		= sizeof(unsigned int),
744 		.mode		= 0644,
745 		.proc_handler	= proc_dointvec_jiffies,
746 	},
747 	{
748 		.procname	= "ip_conntrack_sctp_timeout_shutdown_recd",
749 		.maxlen		= sizeof(unsigned int),
750 		.mode		= 0644,
751 		.proc_handler	= proc_dointvec_jiffies,
752 	},
753 	{
754 		.procname	= "ip_conntrack_sctp_timeout_shutdown_ack_sent",
755 		.maxlen		= sizeof(unsigned int),
756 		.mode		= 0644,
757 		.proc_handler	= proc_dointvec_jiffies,
758 	},
759 	{ }
760 };
761 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
762 #endif
763 
sctp_kmemdup_sysctl_table(struct nf_proto_net * pn,struct sctp_net * sn)764 static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
765 				     struct sctp_net *sn)
766 {
767 #ifdef CONFIG_SYSCTL
768 	if (pn->ctl_table)
769 		return 0;
770 
771 	pn->ctl_table = kmemdup(sctp_sysctl_table,
772 				sizeof(sctp_sysctl_table),
773 				GFP_KERNEL);
774 	if (!pn->ctl_table)
775 		return -ENOMEM;
776 
777 	pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
778 	pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
779 	pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
780 	pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
781 	pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
782 	pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
783 	pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
784 	pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
785 	pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
786 #endif
787 	return 0;
788 }
789 
sctp_kmemdup_compat_sysctl_table(struct nf_proto_net * pn,struct sctp_net * sn)790 static int sctp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn,
791 					    struct sctp_net *sn)
792 {
793 #ifdef CONFIG_SYSCTL
794 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
795 	pn->ctl_compat_table = kmemdup(sctp_compat_sysctl_table,
796 				       sizeof(sctp_compat_sysctl_table),
797 				       GFP_KERNEL);
798 	if (!pn->ctl_compat_table)
799 		return -ENOMEM;
800 
801 	pn->ctl_compat_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
802 	pn->ctl_compat_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
803 	pn->ctl_compat_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
804 	pn->ctl_compat_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
805 	pn->ctl_compat_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
806 	pn->ctl_compat_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
807 	pn->ctl_compat_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
808 #endif
809 #endif
810 	return 0;
811 }
812 
sctp_init_net(struct net * net,u_int16_t proto)813 static int sctp_init_net(struct net *net, u_int16_t proto)
814 {
815 	int ret;
816 	struct sctp_net *sn = sctp_pernet(net);
817 	struct nf_proto_net *pn = &sn->pn;
818 
819 	if (!pn->users) {
820 		int i;
821 
822 		for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
823 			sn->timeouts[i] = sctp_timeouts[i];
824 	}
825 
826 	if (proto == AF_INET) {
827 		ret = sctp_kmemdup_compat_sysctl_table(pn, sn);
828 		if (ret < 0)
829 			return ret;
830 
831 		ret = sctp_kmemdup_sysctl_table(pn, sn);
832 		if (ret < 0)
833 			nf_ct_kfree_compat_sysctl_table(pn);
834 	} else
835 		ret = sctp_kmemdup_sysctl_table(pn, sn);
836 
837 	return ret;
838 }
839 
840 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
841 	.l3proto		= PF_INET,
842 	.l4proto 		= IPPROTO_SCTP,
843 	.name 			= "sctp",
844 	.pkt_to_tuple 		= sctp_pkt_to_tuple,
845 	.invert_tuple 		= sctp_invert_tuple,
846 	.print_tuple 		= sctp_print_tuple,
847 	.print_conntrack	= sctp_print_conntrack,
848 	.packet 		= sctp_packet,
849 	.get_timeouts		= sctp_get_timeouts,
850 	.new 			= sctp_new,
851 	.me 			= THIS_MODULE,
852 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
853 	.to_nlattr		= sctp_to_nlattr,
854 	.nlattr_size		= sctp_nlattr_size,
855 	.from_nlattr		= nlattr_to_sctp,
856 	.tuple_to_nlattr	= nf_ct_port_tuple_to_nlattr,
857 	.nlattr_tuple_size	= nf_ct_port_nlattr_tuple_size,
858 	.nlattr_to_tuple	= nf_ct_port_nlattr_to_tuple,
859 	.nla_policy		= nf_ct_port_nla_policy,
860 #endif
861 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
862 	.ctnl_timeout		= {
863 		.nlattr_to_obj	= sctp_timeout_nlattr_to_obj,
864 		.obj_to_nlattr	= sctp_timeout_obj_to_nlattr,
865 		.nlattr_max	= CTA_TIMEOUT_SCTP_MAX,
866 		.obj_size	= sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
867 		.nla_policy	= sctp_timeout_nla_policy,
868 	},
869 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
870 	.net_id			= &sctp_net_id,
871 	.init_net		= sctp_init_net,
872 };
873 
874 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
875 	.l3proto		= PF_INET6,
876 	.l4proto 		= IPPROTO_SCTP,
877 	.name 			= "sctp",
878 	.pkt_to_tuple 		= sctp_pkt_to_tuple,
879 	.invert_tuple 		= sctp_invert_tuple,
880 	.print_tuple 		= sctp_print_tuple,
881 	.print_conntrack	= sctp_print_conntrack,
882 	.packet 		= sctp_packet,
883 	.get_timeouts		= sctp_get_timeouts,
884 	.new 			= sctp_new,
885 	.me 			= THIS_MODULE,
886 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
887 	.to_nlattr		= sctp_to_nlattr,
888 	.nlattr_size		= sctp_nlattr_size,
889 	.from_nlattr		= nlattr_to_sctp,
890 	.tuple_to_nlattr	= nf_ct_port_tuple_to_nlattr,
891 	.nlattr_tuple_size	= nf_ct_port_nlattr_tuple_size,
892 	.nlattr_to_tuple	= nf_ct_port_nlattr_to_tuple,
893 	.nla_policy		= nf_ct_port_nla_policy,
894 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
895 	.ctnl_timeout		= {
896 		.nlattr_to_obj	= sctp_timeout_nlattr_to_obj,
897 		.obj_to_nlattr	= sctp_timeout_obj_to_nlattr,
898 		.nlattr_max	= CTA_TIMEOUT_SCTP_MAX,
899 		.obj_size	= sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
900 		.nla_policy	= sctp_timeout_nla_policy,
901 	},
902 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
903 #endif
904 	.net_id			= &sctp_net_id,
905 	.init_net		= sctp_init_net,
906 };
907 
sctp_net_init(struct net * net)908 static int sctp_net_init(struct net *net)
909 {
910 	int ret = 0;
911 
912 	ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_sctp4);
913 	if (ret < 0) {
914 		pr_err("nf_conntrack_sctp4: pernet registration failed.\n");
915 		goto out;
916 	}
917 	ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_sctp6);
918 	if (ret < 0) {
919 		pr_err("nf_conntrack_sctp6: pernet registration failed.\n");
920 		goto cleanup_sctp4;
921 	}
922 	return 0;
923 
924 cleanup_sctp4:
925 	nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp4);
926 out:
927 	return ret;
928 }
929 
sctp_net_exit(struct net * net)930 static void sctp_net_exit(struct net *net)
931 {
932 	nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp6);
933 	nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp4);
934 }
935 
936 static struct pernet_operations sctp_net_ops = {
937 	.init = sctp_net_init,
938 	.exit = sctp_net_exit,
939 	.id   = &sctp_net_id,
940 	.size = sizeof(struct sctp_net),
941 };
942 
nf_conntrack_proto_sctp_init(void)943 static int __init nf_conntrack_proto_sctp_init(void)
944 {
945 	int ret;
946 
947 	ret = register_pernet_subsys(&sctp_net_ops);
948 	if (ret < 0)
949 		goto out_pernet;
950 
951 	ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp4);
952 	if (ret < 0)
953 		goto out_sctp4;
954 
955 	ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp6);
956 	if (ret < 0)
957 		goto out_sctp6;
958 
959 	return 0;
960 out_sctp6:
961 	nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
962 out_sctp4:
963 	unregister_pernet_subsys(&sctp_net_ops);
964 out_pernet:
965 	return ret;
966 }
967 
nf_conntrack_proto_sctp_fini(void)968 static void __exit nf_conntrack_proto_sctp_fini(void)
969 {
970 	nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
971 	nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
972 	unregister_pernet_subsys(&sctp_net_ops);
973 }
974 
975 module_init(nf_conntrack_proto_sctp_init);
976 module_exit(nf_conntrack_proto_sctp_fini);
977 
978 MODULE_LICENSE("GPL");
979 MODULE_AUTHOR("Kiran Kumar Immidi");
980 MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP");
981 MODULE_ALIAS("ip_conntrack_proto_sctp");
982