linux/net/netfilter/nf_conntrack_proto_sctp.c
<<
>>
Prefs
   1/*
   2 * Connection tracking protocol helper module for SCTP.
   3 *
   4 * SCTP is defined in RFC 2960. References to various sections in this code
   5 * are to this RFC.
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License version 2 as
   9 * published by the Free Software Foundation.
  10 */
  11
  12#include <linux/types.h>
  13#include <linux/timer.h>
  14#include <linux/netfilter.h>
  15#include <linux/module.h>
  16#include <linux/in.h>
  17#include <linux/ip.h>
  18#include <linux/sctp.h>
  19#include <linux/string.h>
  20#include <linux/seq_file.h>
  21#include <linux/spinlock.h>
  22#include <linux/interrupt.h>
  23
  24#include <net/netfilter/nf_conntrack.h>
  25#include <net/netfilter/nf_conntrack_l4proto.h>
  26#include <net/netfilter/nf_conntrack_ecache.h>
  27
  28/* Protects ct->proto.sctp */
  29static DEFINE_RWLOCK(sctp_lock);
  30
  31/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
  32   closely.  They're more complex. --RR
  33
  34   And so for me for SCTP :D -Kiran */
  35
  36static const char *const sctp_conntrack_names[] = {
  37        "NONE",
  38        "CLOSED",
  39        "COOKIE_WAIT",
  40        "COOKIE_ECHOED",
  41        "ESTABLISHED",
  42        "SHUTDOWN_SENT",
  43        "SHUTDOWN_RECD",
  44        "SHUTDOWN_ACK_SENT",
  45};
  46
  47#define SECS  * HZ
  48#define MINS  * 60 SECS
  49#define HOURS * 60 MINS
  50#define DAYS  * 24 HOURS
  51
  52static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
  53        [SCTP_CONNTRACK_CLOSED]                 = 10 SECS,
  54        [SCTP_CONNTRACK_COOKIE_WAIT]            = 3 SECS,
  55        [SCTP_CONNTRACK_COOKIE_ECHOED]          = 3 SECS,
  56        [SCTP_CONNTRACK_ESTABLISHED]            = 5 DAYS,
  57        [SCTP_CONNTRACK_SHUTDOWN_SENT]          = 300 SECS / 1000,
  58        [SCTP_CONNTRACK_SHUTDOWN_RECD]          = 300 SECS / 1000,
  59        [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT]      = 3 SECS,
  60};
  61
  62#define sNO SCTP_CONNTRACK_NONE
  63#define sCL SCTP_CONNTRACK_CLOSED
  64#define sCW SCTP_CONNTRACK_COOKIE_WAIT
  65#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
  66#define sES SCTP_CONNTRACK_ESTABLISHED
  67#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
  68#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
  69#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
  70#define sIV SCTP_CONNTRACK_MAX
  71
  72/*
  73        These are the descriptions of the states:
  74
  75NOTE: These state names are tantalizingly similar to the states of an
  76SCTP endpoint. But the interpretation of the states is a little different,
  77considering that these are the states of the connection and not of an end
  78point. Please note the subtleties. -Kiran
  79
  80NONE              - Nothing so far.
  81COOKIE WAIT       - We have seen an INIT chunk in the original direction, or also
  82                    an INIT_ACK chunk in the reply direction.
  83COOKIE ECHOED     - We have seen a COOKIE_ECHO chunk in the original direction.
  84ESTABLISHED       - We have seen a COOKIE_ACK in the reply direction.
  85SHUTDOWN_SENT     - We have seen a SHUTDOWN chunk in the original direction.
  86SHUTDOWN_RECD     - We have seen a SHUTDOWN chunk in the reply directoin.
  87SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
  88                    to that of the SHUTDOWN chunk.
  89CLOSED            - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
  90                    the SHUTDOWN chunk. Connection is closed.
  91*/
  92
  93/* TODO
  94 - I have assumed that the first INIT is in the original direction.
  95 This messes things when an INIT comes in the reply direction in CLOSED
  96 state.
  97 - Check the error type in the reply dir before transitioning from
  98cookie echoed to closed.
  99 - Sec 5.2.4 of RFC 2960
 100 - Multi Homing support.
 101*/
 102
 103/* SCTP conntrack state transitions */
 104static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
 105        {
 106/*      ORIGINAL        */
 107/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */
 108/* init         */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA},
 109/* init_ack     */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},
 110/* abort        */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
 111/* shutdown     */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA},
 112/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA},
 113/* error        */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant have Stale cookie*/
 114/* cookie_echo  */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA},/* 5.2.4 - Big TODO */
 115/* cookie_ack   */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in orig dir */
 116/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL}
 117        },
 118        {
 119/*      REPLY   */
 120/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */
 121/* init         */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* INIT in sCL Big TODO */
 122/* init_ack     */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},
 123/* abort        */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
 124/* shutdown     */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA},
 125/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA},
 126/* error        */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA},
 127/* cookie_echo  */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in reply dir */
 128/* cookie_ack   */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA},
 129/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL}
 130        }
 131};
 132
 133static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 134                              struct nf_conntrack_tuple *tuple)
 135{
 136        const struct sctphdr *hp;
 137        struct sctphdr _hdr;
 138
 139        /* Actually only need first 8 bytes. */
 140        hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
 141        if (hp == NULL)
 142                return false;
 143
 144        tuple->src.u.sctp.port = hp->source;
 145        tuple->dst.u.sctp.port = hp->dest;
 146        return true;
 147}
 148
 149static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
 150                              const struct nf_conntrack_tuple *orig)
 151{
 152        tuple->src.u.sctp.port = orig->dst.u.sctp.port;
 153        tuple->dst.u.sctp.port = orig->src.u.sctp.port;
 154        return true;
 155}
 156
 157/* Print out the per-protocol part of the tuple. */
 158static int sctp_print_tuple(struct seq_file *s,
 159                            const struct nf_conntrack_tuple *tuple)
 160{
 161        return seq_printf(s, "sport=%hu dport=%hu ",
 162                          ntohs(tuple->src.u.sctp.port),
 163                          ntohs(tuple->dst.u.sctp.port));
 164}
 165
 166/* Print out the private part of the conntrack. */
 167static int sctp_print_conntrack(struct seq_file *s, const struct nf_conn *ct)
 168{
 169        enum sctp_conntrack state;
 170
 171        read_lock_bh(&sctp_lock);
 172        state = ct->proto.sctp.state;
 173        read_unlock_bh(&sctp_lock);
 174
 175        return seq_printf(s, "%s ", sctp_conntrack_names[state]);
 176}
 177
 178#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count)     \
 179for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0;        \
 180        (offset) < (skb)->len &&                                        \
 181        ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch)));   \
 182        (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
 183
 184/* Some validity checks to make sure the chunks are fine */
 185static int do_basic_checks(struct nf_conn *ct,
 186                           const struct sk_buff *skb,
 187                           unsigned int dataoff,
 188                           unsigned long *map)
 189{
 190        u_int32_t offset, count;
 191        sctp_chunkhdr_t _sch, *sch;
 192        int flag;
 193
 194        flag = 0;
 195
 196        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 197                pr_debug("Chunk Num: %d  Type: %d\n", count, sch->type);
 198
 199                if (sch->type == SCTP_CID_INIT ||
 200                    sch->type == SCTP_CID_INIT_ACK ||
 201                    sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
 202                        flag = 1;
 203
 204                /*
 205                 * Cookie Ack/Echo chunks not the first OR
 206                 * Init / Init Ack / Shutdown compl chunks not the only chunks
 207                 * OR zero-length.
 208                 */
 209                if (((sch->type == SCTP_CID_COOKIE_ACK ||
 210                      sch->type == SCTP_CID_COOKIE_ECHO ||
 211                      flag) &&
 212                     count != 0) || !sch->length) {
 213                        pr_debug("Basic checks failed\n");
 214                        return 1;
 215                }
 216
 217                if (map)
 218                        set_bit(sch->type, map);
 219        }
 220
 221        pr_debug("Basic checks passed\n");
 222        return count == 0;
 223}
 224
 225static int sctp_new_state(enum ip_conntrack_dir dir,
 226                          enum sctp_conntrack cur_state,
 227                          int chunk_type)
 228{
 229        int i;
 230
 231        pr_debug("Chunk type: %d\n", chunk_type);
 232
 233        switch (chunk_type) {
 234        case SCTP_CID_INIT:
 235                pr_debug("SCTP_CID_INIT\n");
 236                i = 0;
 237                break;
 238        case SCTP_CID_INIT_ACK:
 239                pr_debug("SCTP_CID_INIT_ACK\n");
 240                i = 1;
 241                break;
 242        case SCTP_CID_ABORT:
 243                pr_debug("SCTP_CID_ABORT\n");
 244                i = 2;
 245                break;
 246        case SCTP_CID_SHUTDOWN:
 247                pr_debug("SCTP_CID_SHUTDOWN\n");
 248                i = 3;
 249                break;
 250        case SCTP_CID_SHUTDOWN_ACK:
 251                pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
 252                i = 4;
 253                break;
 254        case SCTP_CID_ERROR:
 255                pr_debug("SCTP_CID_ERROR\n");
 256                i = 5;
 257                break;
 258        case SCTP_CID_COOKIE_ECHO:
 259                pr_debug("SCTP_CID_COOKIE_ECHO\n");
 260                i = 6;
 261                break;
 262        case SCTP_CID_COOKIE_ACK:
 263                pr_debug("SCTP_CID_COOKIE_ACK\n");
 264                i = 7;
 265                break;
 266        case SCTP_CID_SHUTDOWN_COMPLETE:
 267                pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
 268                i = 8;
 269                break;
 270        default:
 271                /* Other chunks like DATA, SACK, HEARTBEAT and
 272                its ACK do not cause a change in state */
 273                pr_debug("Unknown chunk type, Will stay in %s\n",
 274                         sctp_conntrack_names[cur_state]);
 275                return cur_state;
 276        }
 277
 278        pr_debug("dir: %d   cur_state: %s  chunk_type: %d  new_state: %s\n",
 279                 dir, sctp_conntrack_names[cur_state], chunk_type,
 280                 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
 281
 282        return sctp_conntracks[dir][i][cur_state];
 283}
 284
 285/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
 286static int sctp_packet(struct nf_conn *ct,
 287                       const struct sk_buff *skb,
 288                       unsigned int dataoff,
 289                       enum ip_conntrack_info ctinfo,
 290                       u_int8_t pf,
 291                       unsigned int hooknum)
 292{
 293        enum sctp_conntrack new_state, old_state;
 294        enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 295        const struct sctphdr *sh;
 296        struct sctphdr _sctph;
 297        const struct sctp_chunkhdr *sch;
 298        struct sctp_chunkhdr _sch;
 299        u_int32_t offset, count;
 300        unsigned long map[256 / sizeof(unsigned long)] = { 0 };
 301
 302        sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
 303        if (sh == NULL)
 304                goto out;
 305
 306        if (do_basic_checks(ct, skb, dataoff, map) != 0)
 307                goto out;
 308
 309        /* Check the verification tag (Sec 8.5) */
 310        if (!test_bit(SCTP_CID_INIT, map) &&
 311            !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
 312            !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
 313            !test_bit(SCTP_CID_ABORT, map) &&
 314            !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
 315            sh->vtag != ct->proto.sctp.vtag[dir]) {
 316                pr_debug("Verification tag check failed\n");
 317                goto out;
 318        }
 319
 320        old_state = new_state = SCTP_CONNTRACK_NONE;
 321        write_lock_bh(&sctp_lock);
 322        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 323                /* Special cases of Verification tag check (Sec 8.5.1) */
 324                if (sch->type == SCTP_CID_INIT) {
 325                        /* Sec 8.5.1 (A) */
 326                        if (sh->vtag != 0)
 327                                goto out_unlock;
 328                } else if (sch->type == SCTP_CID_ABORT) {
 329                        /* Sec 8.5.1 (B) */
 330                        if (sh->vtag != ct->proto.sctp.vtag[dir] &&
 331                            sh->vtag != ct->proto.sctp.vtag[!dir])
 332                                goto out_unlock;
 333                } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
 334                        /* Sec 8.5.1 (C) */
 335                        if (sh->vtag != ct->proto.sctp.vtag[dir] &&
 336                            sh->vtag != ct->proto.sctp.vtag[!dir] &&
 337                            sch->flags & SCTP_CHUNK_FLAG_T)
 338                                goto out_unlock;
 339                } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
 340                        /* Sec 8.5.1 (D) */
 341                        if (sh->vtag != ct->proto.sctp.vtag[dir])
 342                                goto out_unlock;
 343                }
 344
 345                old_state = ct->proto.sctp.state;
 346                new_state = sctp_new_state(dir, old_state, sch->type);
 347
 348                /* Invalid */
 349                if (new_state == SCTP_CONNTRACK_MAX) {
 350                        pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
 351                                 "conntrack=%u\n",
 352                                 dir, sch->type, old_state);
 353                        goto out_unlock;
 354                }
 355
 356                /* If it is an INIT or an INIT ACK note down the vtag */
 357                if (sch->type == SCTP_CID_INIT ||
 358                    sch->type == SCTP_CID_INIT_ACK) {
 359                        sctp_inithdr_t _inithdr, *ih;
 360
 361                        ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
 362                                                sizeof(_inithdr), &_inithdr);
 363                        if (ih == NULL)
 364                                goto out_unlock;
 365                        pr_debug("Setting vtag %x for dir %d\n",
 366                                 ih->init_tag, !dir);
 367                        ct->proto.sctp.vtag[!dir] = ih->init_tag;
 368                }
 369
 370                ct->proto.sctp.state = new_state;
 371                if (old_state != new_state)
 372                        nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
 373        }
 374        write_unlock_bh(&sctp_lock);
 375
 376        nf_ct_refresh_acct(ct, ctinfo, skb, sctp_timeouts[new_state]);
 377
 378        if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
 379            dir == IP_CT_DIR_REPLY &&
 380            new_state == SCTP_CONNTRACK_ESTABLISHED) {
 381                pr_debug("Setting assured bit\n");
 382                set_bit(IPS_ASSURED_BIT, &ct->status);
 383                nf_conntrack_event_cache(IPCT_STATUS, ct);
 384        }
 385
 386        return NF_ACCEPT;
 387
 388out_unlock:
 389        write_unlock_bh(&sctp_lock);
 390out:
 391        return -NF_ACCEPT;
 392}
 393
 394/* Called when a new connection for this protocol found. */
 395static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
 396                     unsigned int dataoff)
 397{
 398        enum sctp_conntrack new_state;
 399        const struct sctphdr *sh;
 400        struct sctphdr _sctph;
 401        const struct sctp_chunkhdr *sch;
 402        struct sctp_chunkhdr _sch;
 403        u_int32_t offset, count;
 404        unsigned long map[256 / sizeof(unsigned long)] = { 0 };
 405
 406        sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
 407        if (sh == NULL)
 408                return false;
 409
 410        if (do_basic_checks(ct, skb, dataoff, map) != 0)
 411                return false;
 412
 413        /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
 414        if (test_bit(SCTP_CID_ABORT, map) ||
 415            test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
 416            test_bit(SCTP_CID_COOKIE_ACK, map))
 417                return false;
 418
 419        new_state = SCTP_CONNTRACK_MAX;
 420        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 421                /* Don't need lock here: this conntrack not in circulation yet */
 422                new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
 423                                           SCTP_CONNTRACK_NONE, sch->type);
 424
 425                /* Invalid: delete conntrack */
 426                if (new_state == SCTP_CONNTRACK_NONE ||
 427                    new_state == SCTP_CONNTRACK_MAX) {
 428                        pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
 429                        return false;
 430                }
 431
 432                /* Copy the vtag into the state info */
 433                if (sch->type == SCTP_CID_INIT) {
 434                        if (sh->vtag == 0) {
 435                                sctp_inithdr_t _inithdr, *ih;
 436
 437                                ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
 438                                                        sizeof(_inithdr), &_inithdr);
 439                                if (ih == NULL)
 440                                        return false;
 441
 442                                pr_debug("Setting vtag %x for new conn\n",
 443                                         ih->init_tag);
 444
 445                                ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
 446                                                                ih->init_tag;
 447                        } else {
 448                                /* Sec 8.5.1 (A) */
 449                                return false;
 450                        }
 451                }
 452                /* If it is a shutdown ack OOTB packet, we expect a return
 453                   shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
 454                else {
 455                        pr_debug("Setting vtag %x for new conn OOTB\n",
 456                                 sh->vtag);
 457                        ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
 458                }
 459
 460                ct->proto.sctp.state = new_state;
 461        }
 462
 463        return true;
 464}
 465
 466#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
 467
 468#include <linux/netfilter/nfnetlink.h>
 469#include <linux/netfilter/nfnetlink_conntrack.h>
 470
 471static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
 472                          const struct nf_conn *ct)
 473{
 474        struct nlattr *nest_parms;
 475
 476        read_lock_bh(&sctp_lock);
 477        nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
 478        if (!nest_parms)
 479                goto nla_put_failure;
 480
 481        NLA_PUT_U8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state);
 482
 483        NLA_PUT_BE32(skb,
 484                     CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
 485                     ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]);
 486
 487        NLA_PUT_BE32(skb,
 488                     CTA_PROTOINFO_SCTP_VTAG_REPLY,
 489                     ct->proto.sctp.vtag[IP_CT_DIR_REPLY]);
 490
 491        read_unlock_bh(&sctp_lock);
 492
 493        nla_nest_end(skb, nest_parms);
 494
 495        return 0;
 496
 497nla_put_failure:
 498        read_unlock_bh(&sctp_lock);
 499        return -1;
 500}
 501
 502static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
 503        [CTA_PROTOINFO_SCTP_STATE]          = { .type = NLA_U8 },
 504        [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]  = { .type = NLA_U32 },
 505        [CTA_PROTOINFO_SCTP_VTAG_REPLY]     = { .type = NLA_U32 },
 506};
 507
 508static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
 509{
 510        struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
 511        struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
 512        int err;
 513
 514        /* updates may not contain the internal protocol info, skip parsing */
 515        if (!attr)
 516                return 0;
 517
 518        err = nla_parse_nested(tb,
 519                               CTA_PROTOINFO_SCTP_MAX,
 520                               attr,
 521                               sctp_nla_policy);
 522        if (err < 0)
 523                return err;
 524
 525        if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
 526            !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
 527            !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
 528                return -EINVAL;
 529
 530        write_lock_bh(&sctp_lock);
 531        ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
 532        ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
 533                nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
 534        ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
 535                nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
 536        write_unlock_bh(&sctp_lock);
 537
 538        return 0;
 539}
 540
 541static int sctp_nlattr_size(void)
 542{
 543        return nla_total_size(0)        /* CTA_PROTOINFO_SCTP */
 544                + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
 545}
 546#endif
 547
 548#ifdef CONFIG_SYSCTL
 549static unsigned int sctp_sysctl_table_users;
 550static struct ctl_table_header *sctp_sysctl_header;
 551static struct ctl_table sctp_sysctl_table[] = {
 552        {
 553                .procname       = "nf_conntrack_sctp_timeout_closed",
 554                .data           = &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
 555                .maxlen         = sizeof(unsigned int),
 556                .mode           = 0644,
 557                .proc_handler   = proc_dointvec_jiffies,
 558        },
 559        {
 560                .procname       = "nf_conntrack_sctp_timeout_cookie_wait",
 561                .data           = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
 562                .maxlen         = sizeof(unsigned int),
 563                .mode           = 0644,
 564                .proc_handler   = proc_dointvec_jiffies,
 565        },
 566        {
 567                .procname       = "nf_conntrack_sctp_timeout_cookie_echoed",
 568                .data           = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
 569                .maxlen         = sizeof(unsigned int),
 570                .mode           = 0644,
 571                .proc_handler   = proc_dointvec_jiffies,
 572        },
 573        {
 574                .procname       = "nf_conntrack_sctp_timeout_established",
 575                .data           = &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
 576                .maxlen         = sizeof(unsigned int),
 577                .mode           = 0644,
 578                .proc_handler   = proc_dointvec_jiffies,
 579        },
 580        {
 581                .procname       = "nf_conntrack_sctp_timeout_shutdown_sent",
 582                .data           = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
 583                .maxlen         = sizeof(unsigned int),
 584                .mode           = 0644,
 585                .proc_handler   = proc_dointvec_jiffies,
 586        },
 587        {
 588                .procname       = "nf_conntrack_sctp_timeout_shutdown_recd",
 589                .data           = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
 590                .maxlen         = sizeof(unsigned int),
 591                .mode           = 0644,
 592                .proc_handler   = proc_dointvec_jiffies,
 593        },
 594        {
 595                .procname       = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
 596                .data           = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
 597                .maxlen         = sizeof(unsigned int),
 598                .mode           = 0644,
 599                .proc_handler   = proc_dointvec_jiffies,
 600        },
 601        {
 602                .ctl_name = 0
 603        }
 604};
 605
 606#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
 607static struct ctl_table sctp_compat_sysctl_table[] = {
 608        {
 609                .procname       = "ip_conntrack_sctp_timeout_closed",
 610                .data           = &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
 611                .maxlen         = sizeof(unsigned int),
 612                .mode           = 0644,
 613                .proc_handler   = proc_dointvec_jiffies,
 614        },
 615        {
 616                .procname       = "ip_conntrack_sctp_timeout_cookie_wait",
 617                .data           = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
 618                .maxlen         = sizeof(unsigned int),
 619                .mode           = 0644,
 620                .proc_handler   = proc_dointvec_jiffies,
 621        },
 622        {
 623                .procname       = "ip_conntrack_sctp_timeout_cookie_echoed",
 624                .data           = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
 625                .maxlen         = sizeof(unsigned int),
 626                .mode           = 0644,
 627                .proc_handler   = proc_dointvec_jiffies,
 628        },
 629        {
 630                .procname       = "ip_conntrack_sctp_timeout_established",
 631                .data           = &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
 632                .maxlen         = sizeof(unsigned int),
 633                .mode           = 0644,
 634                .proc_handler   = proc_dointvec_jiffies,
 635        },
 636        {
 637                .procname       = "ip_conntrack_sctp_timeout_shutdown_sent",
 638                .data           = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
 639                .maxlen         = sizeof(unsigned int),
 640                .mode           = 0644,
 641                .proc_handler   = proc_dointvec_jiffies,
 642        },
 643        {
 644                .procname       = "ip_conntrack_sctp_timeout_shutdown_recd",
 645                .data           = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
 646                .maxlen         = sizeof(unsigned int),
 647                .mode           = 0644,
 648                .proc_handler   = proc_dointvec_jiffies,
 649        },
 650        {
 651                .procname       = "ip_conntrack_sctp_timeout_shutdown_ack_sent",
 652                .data           = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
 653                .maxlen         = sizeof(unsigned int),
 654                .mode           = 0644,
 655                .proc_handler   = proc_dointvec_jiffies,
 656        },
 657        {
 658                .ctl_name = 0
 659        }
 660};
 661#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
 662#endif
 663
 664static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
 665        .l3proto                = PF_INET,
 666        .l4proto                = IPPROTO_SCTP,
 667        .name                   = "sctp",
 668        .pkt_to_tuple           = sctp_pkt_to_tuple,
 669        .invert_tuple           = sctp_invert_tuple,
 670        .print_tuple            = sctp_print_tuple,
 671        .print_conntrack        = sctp_print_conntrack,
 672        .packet                 = sctp_packet,
 673        .new                    = sctp_new,
 674        .me                     = THIS_MODULE,
 675#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
 676        .to_nlattr              = sctp_to_nlattr,
 677        .nlattr_size            = sctp_nlattr_size,
 678        .from_nlattr            = nlattr_to_sctp,
 679        .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 680        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 681        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 682        .nla_policy             = nf_ct_port_nla_policy,
 683#endif
 684#ifdef CONFIG_SYSCTL
 685        .ctl_table_users        = &sctp_sysctl_table_users,
 686        .ctl_table_header       = &sctp_sysctl_header,
 687        .ctl_table              = sctp_sysctl_table,
 688#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
 689        .ctl_compat_table       = sctp_compat_sysctl_table,
 690#endif
 691#endif
 692};
 693
 694static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
 695        .l3proto                = PF_INET6,
 696        .l4proto                = IPPROTO_SCTP,
 697        .name                   = "sctp",
 698        .pkt_to_tuple           = sctp_pkt_to_tuple,
 699        .invert_tuple           = sctp_invert_tuple,
 700        .print_tuple            = sctp_print_tuple,
 701        .print_conntrack        = sctp_print_conntrack,
 702        .packet                 = sctp_packet,
 703        .new                    = sctp_new,
 704        .me                     = THIS_MODULE,
 705#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
 706        .to_nlattr              = sctp_to_nlattr,
 707        .nlattr_size            = sctp_nlattr_size,
 708        .from_nlattr            = nlattr_to_sctp,
 709        .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 710        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 711        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 712        .nla_policy             = nf_ct_port_nla_policy,
 713#endif
 714#ifdef CONFIG_SYSCTL
 715        .ctl_table_users        = &sctp_sysctl_table_users,
 716        .ctl_table_header       = &sctp_sysctl_header,
 717        .ctl_table              = sctp_sysctl_table,
 718#endif
 719};
 720
 721static int __init nf_conntrack_proto_sctp_init(void)
 722{
 723        int ret;
 724
 725        ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp4);
 726        if (ret) {
 727                printk("nf_conntrack_l4proto_sctp4: protocol register failed\n");
 728                goto out;
 729        }
 730        ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp6);
 731        if (ret) {
 732                printk("nf_conntrack_l4proto_sctp6: protocol register failed\n");
 733                goto cleanup_sctp4;
 734        }
 735
 736        return ret;
 737
 738 cleanup_sctp4:
 739        nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
 740 out:
 741        return ret;
 742}
 743
 744static void __exit nf_conntrack_proto_sctp_fini(void)
 745{
 746        nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
 747        nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
 748}
 749
 750module_init(nf_conntrack_proto_sctp_init);
 751module_exit(nf_conntrack_proto_sctp_fini);
 752
 753MODULE_LICENSE("GPL");
 754MODULE_AUTHOR("Kiran Kumar Immidi");
 755MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP");
 756MODULE_ALIAS("ip_conntrack_proto_sctp");
 757