LXR linux/net/netfilter/nf_conntrack_proto

   1/*
   2 * Connection tracking protocol helper module for SCTP.
   3 *
   4 * SCTP is defined in RFC 2960. References to various sections in this code
   5 * are to this RFC.
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License version 2 as
   9 * published by the Free Software Foundation.
  10 */
  11
  12#include <linux/types.h>
  13#include <linux/timer.h>
  14#include <linux/netfilter.h>
  15#include <linux/module.h>
  16#include <linux/in.h>
  17#include <linux/ip.h>
  18#include <linux/sctp.h>
  19#include <linux/string.h>
  20#include <linux/seq_file.h>
  21#include <linux/spinlock.h>
  22#include <linux/interrupt.h>
  23
  24#include <net/netfilter/nf_conntrack.h>
  25#include <net/netfilter/nf_conntrack_l4proto.h>
  26#include <net/netfilter/nf_conntrack_ecache.h>
  27
  28/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
  29   closely.  They're more complex. --RR
  30
  31   And so for me for SCTP :D -Kiran */
  32
  33static const char *const sctp_conntrack_names[] = {
  34        "NONE",
  35        "CLOSED",
  36        "COOKIE_WAIT",
  37        "COOKIE_ECHOED",
  38        "ESTABLISHED",
  39        "SHUTDOWN_SENT",
  40        "SHUTDOWN_RECD",
  41        "SHUTDOWN_ACK_SENT",
  42};
  43
  44#define SECS  * HZ
  45#define MINS  * 60 SECS
  46#define HOURS * 60 MINS
  47#define DAYS  * 24 HOURS
  48
  49static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
  50        [SCTP_CONNTRACK_CLOSED]                 = 10 SECS,
  51        [SCTP_CONNTRACK_COOKIE_WAIT]            = 3 SECS,
  52        [SCTP_CONNTRACK_COOKIE_ECHOED]          = 3 SECS,
  53        [SCTP_CONNTRACK_ESTABLISHED]            = 5 DAYS,
  54        [SCTP_CONNTRACK_SHUTDOWN_SENT]          = 300 SECS / 1000,
  55        [SCTP_CONNTRACK_SHUTDOWN_RECD]          = 300 SECS / 1000,
  56        [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT]      = 3 SECS,
  57};
  58
  59#define sNO SCTP_CONNTRACK_NONE
  60#define sCL SCTP_CONNTRACK_CLOSED
  61#define sCW SCTP_CONNTRACK_COOKIE_WAIT
  62#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
  63#define sES SCTP_CONNTRACK_ESTABLISHED
  64#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
  65#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
  66#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
  67#define sIV SCTP_CONNTRACK_MAX
  68
  69/*
  70        These are the descriptions of the states:
  71
  72NOTE: These state names are tantalizingly similar to the states of an
  73SCTP endpoint. But the interpretation of the states is a little different,
  74considering that these are the states of the connection and not of an end
  75point. Please note the subtleties. -Kiran
  76
  77NONE              - Nothing so far.
  78COOKIE WAIT       - We have seen an INIT chunk in the original direction, or also
  79                    an INIT_ACK chunk in the reply direction.
  80COOKIE ECHOED     - We have seen a COOKIE_ECHO chunk in the original direction.
  81ESTABLISHED       - We have seen a COOKIE_ACK in the reply direction.
  82SHUTDOWN_SENT     - We have seen a SHUTDOWN chunk in the original direction.
  83SHUTDOWN_RECD     - We have seen a SHUTDOWN chunk in the reply directoin.
  84SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
  85                    to that of the SHUTDOWN chunk.
  86CLOSED            - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
  87                    the SHUTDOWN chunk. Connection is closed.
  88*/
  89
  90/* TODO
  91 - I have assumed that the first INIT is in the original direction.
  92 This messes things when an INIT comes in the reply direction in CLOSED
  93 state.
  94 - Check the error type in the reply dir before transitioning from
  95cookie echoed to closed.
  96 - Sec 5.2.4 of RFC 2960
  97 - Multi Homing support.
  98*/
  99
 100/* SCTP conntrack state transitions */
 101static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
 102        {
 103/*      ORIGINAL        */
 104/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */
 105/* init         */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA},
 106/* init_ack     */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},
 107/* abort        */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
 108/* shutdown     */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA},
 109/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA},
 110/* error        */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't have Stale cookie*/
 111/* cookie_echo  */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA},/* 5.2.4 - Big TODO */
 112/* cookie_ack   */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't come in orig dir */
 113/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL}
 114        },
 115        {
 116/*      REPLY   */
 117/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */
 118/* init         */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* INIT in sCL Big TODO */
 119/* init_ack     */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},
 120/* abort        */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
 121/* shutdown     */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA},
 122/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA},
 123/* error        */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA},
 124/* cookie_echo  */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't come in reply dir */
 125/* cookie_ack   */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA},
 126/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL}
 127        }
 128};
 129
 130static int sctp_net_id  __read_mostly;
 131struct sctp_net {
 132        struct nf_proto_net pn;
 133        unsigned int timeouts[SCTP_CONNTRACK_MAX];
 134};
 135
 136static inline struct sctp_net *sctp_pernet(struct net *net)
 137{
 138        return net_generic(net, sctp_net_id);
 139}
 140
 141static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 142                              struct nf_conntrack_tuple *tuple)
 143{
 144        const struct sctphdr *hp;
 145        struct sctphdr _hdr;
 146
 147        /* Actually only need first 8 bytes. */
 148        hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
 149        if (hp == NULL)
 150                return false;
 151
 152        tuple->src.u.sctp.port = hp->source;
 153        tuple->dst.u.sctp.port = hp->dest;
 154        return true;
 155}
 156
 157static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
 158                              const struct nf_conntrack_tuple *orig)
 159{
 160        tuple->src.u.sctp.port = orig->dst.u.sctp.port;
 161        tuple->dst.u.sctp.port = orig->src.u.sctp.port;
 162        return true;
 163}
 164
 165/* Print out the per-protocol part of the tuple. */
 166static int sctp_print_tuple(struct seq_file *s,
 167                            const struct nf_conntrack_tuple *tuple)
 168{
 169        return seq_printf(s, "sport=%hu dport=%hu ",
 170                          ntohs(tuple->src.u.sctp.port),
 171                          ntohs(tuple->dst.u.sctp.port));
 172}
 173
 174/* Print out the private part of the conntrack. */
 175static int sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
 176{
 177        enum sctp_conntrack state;
 178
 179        spin_lock_bh(&ct->lock);
 180        state = ct->proto.sctp.state;
 181        spin_unlock_bh(&ct->lock);
 182
 183        return seq_printf(s, "%s ", sctp_conntrack_names[state]);
 184}
 185
 186#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count)     \
 187for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0;        \
 188        (offset) < (skb)->len &&                                        \
 189        ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch)));   \
 190        (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
 191
 192/* Some validity checks to make sure the chunks are fine */
 193static int do_basic_checks(struct nf_conn *ct,
 194                           const struct sk_buff *skb,
 195                           unsigned int dataoff,
 196                           unsigned long *map)
 197{
 198        u_int32_t offset, count;
 199        sctp_chunkhdr_t _sch, *sch;
 200        int flag;
 201
 202        flag = 0;
 203
 204        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 205                pr_debug("Chunk Num: %d  Type: %d\n", count, sch->type);
 206
 207                if (sch->type == SCTP_CID_INIT ||
 208                    sch->type == SCTP_CID_INIT_ACK ||
 209                    sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
 210                        flag = 1;
 211
 212                /*
 213                 * Cookie Ack/Echo chunks not the first OR
 214                 * Init / Init Ack / Shutdown compl chunks not the only chunks
 215                 * OR zero-length.
 216                 */
 217                if (((sch->type == SCTP_CID_COOKIE_ACK ||
 218                      sch->type == SCTP_CID_COOKIE_ECHO ||
 219                      flag) &&
 220                     count != 0) || !sch->length) {
 221                        pr_debug("Basic checks failed\n");
 222                        return 1;
 223                }
 224
 225                if (map)
 226                        set_bit(sch->type, map);
 227        }
 228
 229        pr_debug("Basic checks passed\n");
 230        return count == 0;
 231}
 232
 233static int sctp_new_state(enum ip_conntrack_dir dir,
 234                          enum sctp_conntrack cur_state,
 235                          int chunk_type)
 236{
 237        int i;
 238
 239        pr_debug("Chunk type: %d\n", chunk_type);
 240
 241        switch (chunk_type) {
 242        case SCTP_CID_INIT:
 243                pr_debug("SCTP_CID_INIT\n");
 244                i = 0;
 245                break;
 246        case SCTP_CID_INIT_ACK:
 247                pr_debug("SCTP_CID_INIT_ACK\n");
 248                i = 1;
 249                break;
 250        case SCTP_CID_ABORT:
 251                pr_debug("SCTP_CID_ABORT\n");
 252                i = 2;
 253                break;
 254        case SCTP_CID_SHUTDOWN:
 255                pr_debug("SCTP_CID_SHUTDOWN\n");
 256                i = 3;
 257                break;
 258        case SCTP_CID_SHUTDOWN_ACK:
 259                pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
 260                i = 4;
 261                break;
 262        case SCTP_CID_ERROR:
 263                pr_debug("SCTP_CID_ERROR\n");
 264                i = 5;
 265                break;
 266        case SCTP_CID_COOKIE_ECHO:
 267                pr_debug("SCTP_CID_COOKIE_ECHO\n");
 268                i = 6;
 269                break;
 270        case SCTP_CID_COOKIE_ACK:
 271                pr_debug("SCTP_CID_COOKIE_ACK\n");
 272                i = 7;
 273                break;
 274        case SCTP_CID_SHUTDOWN_COMPLETE:
 275                pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
 276                i = 8;
 277                break;
 278        default:
 279                /* Other chunks like DATA, SACK, HEARTBEAT and
 280                its ACK do not cause a change in state */
 281                pr_debug("Unknown chunk type, Will stay in %s\n",
 282                         sctp_conntrack_names[cur_state]);
 283                return cur_state;
 284        }
 285
 286        pr_debug("dir: %d   cur_state: %s  chunk_type: %d  new_state: %s\n",
 287                 dir, sctp_conntrack_names[cur_state], chunk_type,
 288                 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
 289
 290        return sctp_conntracks[dir][i][cur_state];
 291}
 292
 293static unsigned int *sctp_get_timeouts(struct net *net)
 294{
 295        return sctp_pernet(net)->timeouts;
 296}
 297
 298/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
 299static int sctp_packet(struct nf_conn *ct,
 300                       const struct sk_buff *skb,
 301                       unsigned int dataoff,
 302                       enum ip_conntrack_info ctinfo,
 303                       u_int8_t pf,
 304                       unsigned int hooknum,
 305                       unsigned int *timeouts)
 306{
 307        enum sctp_conntrack new_state, old_state;
 308        enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 309        const struct sctphdr *sh;
 310        struct sctphdr _sctph;
 311        const struct sctp_chunkhdr *sch;
 312        struct sctp_chunkhdr _sch;
 313        u_int32_t offset, count;
 314        unsigned long map[256 / sizeof(unsigned long)] = { 0 };
 315
 316        sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
 317        if (sh == NULL)
 318                goto out;
 319
 320        if (do_basic_checks(ct, skb, dataoff, map) != 0)
 321                goto out;
 322
 323        /* Check the verification tag (Sec 8.5) */
 324        if (!test_bit(SCTP_CID_INIT, map) &&
 325            !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
 326            !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
 327            !test_bit(SCTP_CID_ABORT, map) &&
 328            !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
 329            sh->vtag != ct->proto.sctp.vtag[dir]) {
 330                pr_debug("Verification tag check failed\n");
 331                goto out;
 332        }
 333
 334        old_state = new_state = SCTP_CONNTRACK_NONE;
 335        spin_lock_bh(&ct->lock);
 336        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 337                /* Special cases of Verification tag check (Sec 8.5.1) */
 338                if (sch->type == SCTP_CID_INIT) {
 339                        /* Sec 8.5.1 (A) */
 340                        if (sh->vtag != 0)
 341                                goto out_unlock;
 342                } else if (sch->type == SCTP_CID_ABORT) {
 343                        /* Sec 8.5.1 (B) */
 344                        if (sh->vtag != ct->proto.sctp.vtag[dir] &&
 345                            sh->vtag != ct->proto.sctp.vtag[!dir])
 346                                goto out_unlock;
 347                } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
 348                        /* Sec 8.5.1 (C) */
 349                        if (sh->vtag != ct->proto.sctp.vtag[dir] &&
 350                            sh->vtag != ct->proto.sctp.vtag[!dir] &&
 351                            sch->flags & SCTP_CHUNK_FLAG_T)
 352                                goto out_unlock;
 353                } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
 354                        /* Sec 8.5.1 (D) */
 355                        if (sh->vtag != ct->proto.sctp.vtag[dir])
 356                                goto out_unlock;
 357                }
 358
 359                old_state = ct->proto.sctp.state;
 360                new_state = sctp_new_state(dir, old_state, sch->type);
 361
 362                /* Invalid */
 363                if (new_state == SCTP_CONNTRACK_MAX) {
 364                        pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
 365                                 "conntrack=%u\n",
 366                                 dir, sch->type, old_state);
 367                        goto out_unlock;
 368                }
 369
 370                /* If it is an INIT or an INIT ACK note down the vtag */
 371                if (sch->type == SCTP_CID_INIT ||
 372                    sch->type == SCTP_CID_INIT_ACK) {
 373                        sctp_inithdr_t _inithdr, *ih;
 374
 375                        ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
 376                                                sizeof(_inithdr), &_inithdr);
 377                        if (ih == NULL)
 378                                goto out_unlock;
 379                        pr_debug("Setting vtag %x for dir %d\n",
 380                                 ih->init_tag, !dir);
 381                        ct->proto.sctp.vtag[!dir] = ih->init_tag;
 382                }
 383
 384                ct->proto.sctp.state = new_state;
 385                if (old_state != new_state)
 386                        nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
 387        }
 388        spin_unlock_bh(&ct->lock);
 389
 390        nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
 391
 392        if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
 393            dir == IP_CT_DIR_REPLY &&
 394            new_state == SCTP_CONNTRACK_ESTABLISHED) {
 395                pr_debug("Setting assured bit\n");
 396                set_bit(IPS_ASSURED_BIT, &ct->status);
 397                nf_conntrack_event_cache(IPCT_ASSURED, ct);
 398        }
 399
 400        return NF_ACCEPT;
 401
 402out_unlock:
 403        spin_unlock_bh(&ct->lock);
 404out:
 405        return -NF_ACCEPT;
 406}
 407
 408/* Called when a new connection for this protocol found. */
 409static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
 410                     unsigned int dataoff, unsigned int *timeouts)
 411{
 412        enum sctp_conntrack new_state;
 413        const struct sctphdr *sh;
 414        struct sctphdr _sctph;
 415        const struct sctp_chunkhdr *sch;
 416        struct sctp_chunkhdr _sch;
 417        u_int32_t offset, count;
 418        unsigned long map[256 / sizeof(unsigned long)] = { 0 };
 419
 420        sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
 421        if (sh == NULL)
 422                return false;
 423
 424        if (do_basic_checks(ct, skb, dataoff, map) != 0)
 425                return false;
 426
 427        /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
 428        if (test_bit(SCTP_CID_ABORT, map) ||
 429            test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
 430            test_bit(SCTP_CID_COOKIE_ACK, map))
 431                return false;
 432
 433        memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
 434        new_state = SCTP_CONNTRACK_MAX;
 435        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 436                /* Don't need lock here: this conntrack not in circulation yet */
 437                new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
 438                                           SCTP_CONNTRACK_NONE, sch->type);
 439
 440                /* Invalid: delete conntrack */
 441                if (new_state == SCTP_CONNTRACK_NONE ||
 442                    new_state == SCTP_CONNTRACK_MAX) {
 443                        pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
 444                        return false;
 445                }
 446
 447                /* Copy the vtag into the state info */
 448                if (sch->type == SCTP_CID_INIT) {
 449                        if (sh->vtag == 0) {
 450                                sctp_inithdr_t _inithdr, *ih;
 451
 452                                ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
 453                                                        sizeof(_inithdr), &_inithdr);
 454                                if (ih == NULL)
 455                                        return false;
 456
 457                                pr_debug("Setting vtag %x for new conn\n",
 458                                         ih->init_tag);
 459
 460                                ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
 461                                                                ih->init_tag;
 462                        } else {
 463                                /* Sec 8.5.1 (A) */
 464                                return false;
 465                        }
 466                }
 467                /* If it is a shutdown ack OOTB packet, we expect a return
 468                   shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
 469                else {
 470                        pr_debug("Setting vtag %x for new conn OOTB\n",
 471                                 sh->vtag);
 472                        ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
 473                }
 474
 475                ct->proto.sctp.state = new_state;
 476        }
 477
 478        return true;
 479}
 480
 481#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 482
 483#include <linux/netfilter/nfnetlink.h>
 484#include <linux/netfilter/nfnetlink_conntrack.h>
 485
 486static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
 487                          struct nf_conn *ct)
 488{
 489        struct nlattr *nest_parms;
 490
 491        spin_lock_bh(&ct->lock);
 492        nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
 493        if (!nest_parms)
 494                goto nla_put_failure;
 495
 496        if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
 497            nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
 498                         ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
 499            nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
 500                         ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
 501                goto nla_put_failure;
 502
 503        spin_unlock_bh(&ct->lock);
 504
 505        nla_nest_end(skb, nest_parms);
 506
 507        return 0;
 508
 509nla_put_failure:
 510        spin_unlock_bh(&ct->lock);
 511        return -1;
 512}
 513
 514static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
 515        [CTA_PROTOINFO_SCTP_STATE]          = { .type = NLA_U8 },
 516        [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]  = { .type = NLA_U32 },
 517        [CTA_PROTOINFO_SCTP_VTAG_REPLY]     = { .type = NLA_U32 },
 518};
 519
 520static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
 521{
 522        struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
 523        struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
 524        int err;
 525
 526        /* updates may not contain the internal protocol info, skip parsing */
 527        if (!attr)
 528                return 0;
 529
 530        err = nla_parse_nested(tb,
 531                               CTA_PROTOINFO_SCTP_MAX,
 532                               attr,
 533                               sctp_nla_policy);
 534        if (err < 0)
 535                return err;
 536
 537        if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
 538            !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
 539            !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
 540                return -EINVAL;
 541
 542        spin_lock_bh(&ct->lock);
 543        ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
 544        ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
 545                nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
 546        ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
 547                nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
 548        spin_unlock_bh(&ct->lock);
 549
 550        return 0;
 551}
 552
 553static int sctp_nlattr_size(void)
 554{
 555        return nla_total_size(0)        /* CTA_PROTOINFO_SCTP */
 556                + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
 557}
 558#endif
 559
 560#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 561
 562#include <linux/netfilter/nfnetlink.h>
 563#include <linux/netfilter/nfnetlink_cttimeout.h>
 564
 565static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
 566                                      struct net *net, void *data)
 567{
 568        unsigned int *timeouts = data;
 569        struct sctp_net *sn = sctp_pernet(net);
 570        int i;
 571
 572        /* set default SCTP timeouts. */
 573        for (i=0; i<SCTP_CONNTRACK_MAX; i++)
 574                timeouts[i] = sn->timeouts[i];
 575
 576        /* there's a 1:1 mapping between attributes and protocol states. */
 577        for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
 578                if (tb[i]) {
 579                        timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
 580                }
 581        }
 582        return 0;
 583}
 584
 585static int
 586sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
 587{
 588        const unsigned int *timeouts = data;
 589        int i;
 590
 591        for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
 592                if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
 593                        goto nla_put_failure;
 594        }
 595        return 0;
 596
 597nla_put_failure:
 598        return -ENOSPC;
 599}
 600
 601static const struct nla_policy
 602sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
 603        [CTA_TIMEOUT_SCTP_CLOSED]               = { .type = NLA_U32 },
 604        [CTA_TIMEOUT_SCTP_COOKIE_WAIT]          = { .type = NLA_U32 },
 605        [CTA_TIMEOUT_SCTP_COOKIE_ECHOED]        = { .type = NLA_U32 },
 606        [CTA_TIMEOUT_SCTP_ESTABLISHED]          = { .type = NLA_U32 },
 607        [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT]        = { .type = NLA_U32 },
 608        [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD]        = { .type = NLA_U32 },
 609        [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT]    = { .type = NLA_U32 },
 610};
 611#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 612
 613
 614#ifdef CONFIG_SYSCTL
 615static struct ctl_table sctp_sysctl_table[] = {
 616        {
 617                .procname       = "nf_conntrack_sctp_timeout_closed",
 618                .maxlen         = sizeof(unsigned int),
 619                .mode           = 0644,
 620                .proc_handler   = proc_dointvec_jiffies,
 621        },
 622        {
 623                .procname       = "nf_conntrack_sctp_timeout_cookie_wait",
 624                .maxlen         = sizeof(unsigned int),
 625                .mode           = 0644,
 626                .proc_handler   = proc_dointvec_jiffies,
 627        },
 628        {
 629                .procname       = "nf_conntrack_sctp_timeout_cookie_echoed",
 630                .maxlen         = sizeof(unsigned int),
 631                .mode           = 0644,
 632                .proc_handler   = proc_dointvec_jiffies,
 633        },
 634        {
 635                .procname       = "nf_conntrack_sctp_timeout_established",
 636                .maxlen         = sizeof(unsigned int),
 637                .mode           = 0644,
 638                .proc_handler   = proc_dointvec_jiffies,
 639        },
 640        {
 641                .procname       = "nf_conntrack_sctp_timeout_shutdown_sent",
 642                .maxlen         = sizeof(unsigned int),
 643                .mode           = 0644,
 644                .proc_handler   = proc_dointvec_jiffies,
 645        },
 646        {
 647                .procname       = "nf_conntrack_sctp_timeout_shutdown_recd",
 648                .maxlen         = sizeof(unsigned int),
 649                .mode           = 0644,
 650                .proc_handler   = proc_dointvec_jiffies,
 651        },
 652        {
 653                .procname       = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
 654                .maxlen         = sizeof(unsigned int),
 655                .mode           = 0644,
 656                .proc_handler   = proc_dointvec_jiffies,
 657        },
 658        { }
 659};
 660
 661#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
 662static struct ctl_table sctp_compat_sysctl_table[] = {
 663        {
 664                .procname       = "ip_conntrack_sctp_timeout_closed",
 665                .maxlen         = sizeof(unsigned int),
 666                .mode           = 0644,
 667                .proc_handler   = proc_dointvec_jiffies,
 668        },
 669        {
 670                .procname       = "ip_conntrack_sctp_timeout_cookie_wait",
 671                .maxlen         = sizeof(unsigned int),
 672                .mode           = 0644,
 673                .proc_handler   = proc_dointvec_jiffies,
 674        },
 675        {
 676                .procname       = "ip_conntrack_sctp_timeout_cookie_echoed",
 677                .maxlen         = sizeof(unsigned int),
 678                .mode           = 0644,
 679                .proc_handler   = proc_dointvec_jiffies,
 680        },
 681        {
 682                .procname       = "ip_conntrack_sctp_timeout_established",
 683                .maxlen         = sizeof(unsigned int),
 684                .mode           = 0644,
 685                .proc_handler   = proc_dointvec_jiffies,
 686        },
 687        {
 688                .procname       = "ip_conntrack_sctp_timeout_shutdown_sent",
 689                .maxlen         = sizeof(unsigned int),
 690                .mode           = 0644,
 691                .proc_handler   = proc_dointvec_jiffies,
 692        },
 693        {
 694                .procname       = "ip_conntrack_sctp_timeout_shutdown_recd",
 695                .maxlen         = sizeof(unsigned int),
 696                .mode           = 0644,
 697                .proc_handler   = proc_dointvec_jiffies,
 698        },
 699        {
 700                .procname       = "ip_conntrack_sctp_timeout_shutdown_ack_sent",
 701                .maxlen         = sizeof(unsigned int),
 702                .mode           = 0644,
 703                .proc_handler   = proc_dointvec_jiffies,
 704        },
 705        { }
 706};
 707#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
 708#endif
 709
 710static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
 711                                     struct sctp_net *sn)
 712{
 713#ifdef CONFIG_SYSCTL
 714        if (pn->ctl_table)
 715                return 0;
 716
 717        pn->ctl_table = kmemdup(sctp_sysctl_table,
 718                                sizeof(sctp_sysctl_table),
 719                                GFP_KERNEL);
 720        if (!pn->ctl_table)
 721                return -ENOMEM;
 722
 723        pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
 724        pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
 725        pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
 726        pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
 727        pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
 728        pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
 729        pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
 730#endif
 731        return 0;
 732}
 733
 734static int sctp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn,
 735                                            struct sctp_net *sn)
 736{
 737#ifdef CONFIG_SYSCTL
 738#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
 739        pn->ctl_compat_table = kmemdup(sctp_compat_sysctl_table,
 740                                       sizeof(sctp_compat_sysctl_table),
 741                                       GFP_KERNEL);
 742        if (!pn->ctl_compat_table)
 743                return -ENOMEM;
 744
 745        pn->ctl_compat_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
 746        pn->ctl_compat_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
 747        pn->ctl_compat_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
 748        pn->ctl_compat_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
 749        pn->ctl_compat_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
 750        pn->ctl_compat_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
 751        pn->ctl_compat_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
 752#endif
 753#endif
 754        return 0;
 755}
 756
 757static int sctp_init_net(struct net *net, u_int16_t proto)
 758{
 759        int ret;
 760        struct sctp_net *sn = sctp_pernet(net);
 761        struct nf_proto_net *pn = &sn->pn;
 762
 763        if (!pn->users) {
 764                int i;
 765
 766                for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
 767                        sn->timeouts[i] = sctp_timeouts[i];
 768        }
 769
 770        if (proto == AF_INET) {
 771                ret = sctp_kmemdup_compat_sysctl_table(pn, sn);
 772                if (ret < 0)
 773                        return ret;
 774
 775                ret = sctp_kmemdup_sysctl_table(pn, sn);
 776                if (ret < 0)
 777                        nf_ct_kfree_compat_sysctl_table(pn);
 778        } else
 779                ret = sctp_kmemdup_sysctl_table(pn, sn);
 780
 781        return ret;
 782}
 783
 784static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
 785        .l3proto                = PF_INET,
 786        .l4proto                = IPPROTO_SCTP,
 787        .name                   = "sctp",
 788        .pkt_to_tuple           = sctp_pkt_to_tuple,
 789        .invert_tuple           = sctp_invert_tuple,
 790        .print_tuple            = sctp_print_tuple,
 791        .print_conntrack        = sctp_print_conntrack,
 792        .packet                 = sctp_packet,
 793        .get_timeouts           = sctp_get_timeouts,
 794        .new                    = sctp_new,
 795        .me                     = THIS_MODULE,
 796#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 797        .to_nlattr              = sctp_to_nlattr,
 798        .nlattr_size            = sctp_nlattr_size,
 799        .from_nlattr            = nlattr_to_sctp,
 800        .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 801        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 802        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 803        .nla_policy             = nf_ct_port_nla_policy,
 804#endif
 805#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 806        .ctnl_timeout           = {
 807                .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
 808                .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
 809                .nlattr_max     = CTA_TIMEOUT_SCTP_MAX,
 810                .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
 811                .nla_policy     = sctp_timeout_nla_policy,
 812        },
 813#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 814        .net_id                 = &sctp_net_id,
 815        .init_net               = sctp_init_net,
 816};
 817
 818static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
 819        .l3proto                = PF_INET6,
 820        .l4proto                = IPPROTO_SCTP,
 821        .name                   = "sctp",
 822        .pkt_to_tuple           = sctp_pkt_to_tuple,
 823        .invert_tuple           = sctp_invert_tuple,
 824        .print_tuple            = sctp_print_tuple,
 825        .print_conntrack        = sctp_print_conntrack,
 826        .packet                 = sctp_packet,
 827        .get_timeouts           = sctp_get_timeouts,
 828        .new                    = sctp_new,
 829        .me                     = THIS_MODULE,
 830#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 831        .to_nlattr              = sctp_to_nlattr,
 832        .nlattr_size            = sctp_nlattr_size,
 833        .from_nlattr            = nlattr_to_sctp,
 834        .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 835        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 836        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 837        .nla_policy             = nf_ct_port_nla_policy,
 838#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 839        .ctnl_timeout           = {
 840                .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
 841                .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
 842                .nlattr_max     = CTA_TIMEOUT_SCTP_MAX,
 843                .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
 844                .nla_policy     = sctp_timeout_nla_policy,
 845        },
 846#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 847#endif
 848        .net_id                 = &sctp_net_id,
 849        .init_net               = sctp_init_net,
 850};
 851
 852static int sctp_net_init(struct net *net)
 853{
 854        int ret = 0;
 855
 856        ret = nf_conntrack_l4proto_register(net,
 857                                            &nf_conntrack_l4proto_sctp4);
 858        if (ret < 0) {
 859                pr_err("nf_conntrack_l4proto_sctp4 :protocol register failed.\n");
 860                goto out;
 861        }
 862        ret = nf_conntrack_l4proto_register(net,
 863                                            &nf_conntrack_l4proto_sctp6);
 864        if (ret < 0) {
 865                pr_err("nf_conntrack_l4proto_sctp6 :protocol register failed.\n");
 866                goto cleanup_sctp4;
 867        }
 868        return 0;
 869
 870cleanup_sctp4:
 871        nf_conntrack_l4proto_unregister(net,
 872                                        &nf_conntrack_l4proto_sctp4);
 873out:
 874        return ret;
 875}
 876
 877static void sctp_net_exit(struct net *net)
 878{
 879        nf_conntrack_l4proto_unregister(net,
 880                                        &nf_conntrack_l4proto_sctp6);
 881        nf_conntrack_l4proto_unregister(net,
 882                                        &nf_conntrack_l4proto_sctp4);
 883}
 884
 885static struct pernet_operations sctp_net_ops = {
 886        .init = sctp_net_init,
 887        .exit = sctp_net_exit,
 888        .id   = &sctp_net_id,
 889        .size = sizeof(struct sctp_net),
 890};
 891
 892static int __init nf_conntrack_proto_sctp_init(void)
 893{
 894        return register_pernet_subsys(&sctp_net_ops);
 895}
 896
 897static void __exit nf_conntrack_proto_sctp_fini(void)
 898{
 899        unregister_pernet_subsys(&sctp_net_ops);
 900}
 901
 902module_init(nf_conntrack_proto_sctp_init);
 903module_exit(nf_conntrack_proto_sctp_fini);
 904
 905MODULE_LICENSE("GPL");
 906MODULE_AUTHOR("Kiran Kumar Immidi");
 907MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP");
 908MODULE_ALIAS("ip_conntrack_proto_sctp");
 909