Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
nf_conntrack_proto_icmp.c
Go to the documentation of this file.
1 /* (C) 1999-2001 Paul `Rusty' Russell
2  * (C) 2002-2004 Netfilter Core Team <[email protected]>
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License version 2 as
6  * published by the Free Software Foundation.
7  */
8 
9 #include <linux/types.h>
10 #include <linux/timer.h>
11 #include <linux/netfilter.h>
12 #include <linux/in.h>
13 #include <linux/icmp.h>
14 #include <linux/seq_file.h>
15 #include <net/ip.h>
16 #include <net/checksum.h>
17 #include <linux/netfilter_ipv4.h>
18 #include <net/netfilter/nf_conntrack_tuple.h>
19 #include <net/netfilter/nf_conntrack_l4proto.h>
20 #include <net/netfilter/nf_conntrack_core.h>
21 #include <net/netfilter/nf_conntrack_zones.h>
22 #include <net/netfilter/nf_log.h>
23 
24 static unsigned int nf_ct_icmp_timeout __read_mostly = 30*HZ;
25 
26 static inline struct nf_icmp_net *icmp_pernet(struct net *net)
27 {
28  return &net->ct.nf_ct_proto.icmp;
29 }
30 
31 static bool icmp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
32  struct nf_conntrack_tuple *tuple)
33 {
34  const struct icmphdr *hp;
35  struct icmphdr _hdr;
36 
37  hp = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
38  if (hp == NULL)
39  return false;
40 
41  tuple->dst.u.icmp.type = hp->type;
42  tuple->src.u.icmp.id = hp->un.echo.id;
43  tuple->dst.u.icmp.code = hp->code;
44 
45  return true;
46 }
47 
48 /* Add 1; spaces filled with 0. */
49 static const u_int8_t invmap[] = {
50  [ICMP_ECHO] = ICMP_ECHOREPLY + 1,
51  [ICMP_ECHOREPLY] = ICMP_ECHO + 1,
52  [ICMP_TIMESTAMP] = ICMP_TIMESTAMPREPLY + 1,
53  [ICMP_TIMESTAMPREPLY] = ICMP_TIMESTAMP + 1,
54  [ICMP_INFO_REQUEST] = ICMP_INFO_REPLY + 1,
55  [ICMP_INFO_REPLY] = ICMP_INFO_REQUEST + 1,
56  [ICMP_ADDRESS] = ICMP_ADDRESSREPLY + 1,
57  [ICMP_ADDRESSREPLY] = ICMP_ADDRESS + 1
58 };
59 
60 static bool icmp_invert_tuple(struct nf_conntrack_tuple *tuple,
61  const struct nf_conntrack_tuple *orig)
62 {
63  if (orig->dst.u.icmp.type >= sizeof(invmap) ||
64  !invmap[orig->dst.u.icmp.type])
65  return false;
66 
67  tuple->src.u.icmp.id = orig->src.u.icmp.id;
68  tuple->dst.u.icmp.type = invmap[orig->dst.u.icmp.type] - 1;
69  tuple->dst.u.icmp.code = orig->dst.u.icmp.code;
70  return true;
71 }
72 
73 /* Print out the per-protocol part of the tuple. */
74 static int icmp_print_tuple(struct seq_file *s,
75  const struct nf_conntrack_tuple *tuple)
76 {
77  return seq_printf(s, "type=%u code=%u id=%u ",
78  tuple->dst.u.icmp.type,
79  tuple->dst.u.icmp.code,
80  ntohs(tuple->src.u.icmp.id));
81 }
82 
83 static unsigned int *icmp_get_timeouts(struct net *net)
84 {
85  return &icmp_pernet(net)->timeout;
86 }
87 
88 /* Returns verdict for packet, or -1 for invalid. */
89 static int icmp_packet(struct nf_conn *ct,
90  const struct sk_buff *skb,
91  unsigned int dataoff,
92  enum ip_conntrack_info ctinfo,
93  u_int8_t pf,
94  unsigned int hooknum,
95  unsigned int *timeout)
96 {
97  /* Do not immediately delete the connection after the first
98  successful reply to avoid excessive conntrackd traffic
99  and also to handle correctly ICMP echo reply duplicates. */
100  nf_ct_refresh_acct(ct, ctinfo, skb, *timeout);
101 
102  return NF_ACCEPT;
103 }
104 
105 /* Called when a new connection for this protocol found. */
106 static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb,
107  unsigned int dataoff, unsigned int *timeouts)
108 {
109  static const u_int8_t valid_new[] = {
110  [ICMP_ECHO] = 1,
111  [ICMP_TIMESTAMP] = 1,
112  [ICMP_INFO_REQUEST] = 1,
113  [ICMP_ADDRESS] = 1
114  };
115 
116  if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) ||
117  !valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) {
118  /* Can't create a new ICMP `conn' with this. */
119  pr_debug("icmp: can't create new conn with type %u\n",
120  ct->tuplehash[0].tuple.dst.u.icmp.type);
121  nf_ct_dump_tuple_ip(&ct->tuplehash[0].tuple);
122  return false;
123  }
124  return true;
125 }
126 
127 /* Returns conntrack if it dealt with ICMP, and filled in skb fields */
128 static int
129 icmp_error_message(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
130  enum ip_conntrack_info *ctinfo,
131  unsigned int hooknum)
132 {
133  struct nf_conntrack_tuple innertuple, origtuple;
134  const struct nf_conntrack_l4proto *innerproto;
135  const struct nf_conntrack_tuple_hash *h;
136  u16 zone = tmpl ? nf_ct_zone(tmpl) : NF_CT_DEFAULT_ZONE;
137 
138  NF_CT_ASSERT(skb->nfct == NULL);
139 
140  /* Are they talking about one of our connections? */
141  if (!nf_ct_get_tuplepr(skb,
142  skb_network_offset(skb) + ip_hdrlen(skb)
143  + sizeof(struct icmphdr),
144  PF_INET, &origtuple)) {
145  pr_debug("icmp_error_message: failed to get tuple\n");
146  return -NF_ACCEPT;
147  }
148 
149  /* rcu_read_lock()ed by nf_hook_slow */
150  innerproto = __nf_ct_l4proto_find(PF_INET, origtuple.dst.protonum);
151 
152  /* Ordinarily, we'd expect the inverted tupleproto, but it's
153  been preserved inside the ICMP. */
154  if (!nf_ct_invert_tuple(&innertuple, &origtuple,
155  &nf_conntrack_l3proto_ipv4, innerproto)) {
156  pr_debug("icmp_error_message: no match\n");
157  return -NF_ACCEPT;
158  }
159 
160  *ctinfo = IP_CT_RELATED;
161 
162  h = nf_conntrack_find_get(net, zone, &innertuple);
163  if (!h) {
164  pr_debug("icmp_error_message: no match\n");
165  return -NF_ACCEPT;
166  }
167 
168  if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY)
169  *ctinfo += IP_CT_IS_REPLY;
170 
171  /* Update skb to refer to this connection */
172  skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general;
173  skb->nfctinfo = *ctinfo;
174  return NF_ACCEPT;
175 }
176 
177 /* Small and modified version of icmp_rcv */
178 static int
179 icmp_error(struct net *net, struct nf_conn *tmpl,
180  struct sk_buff *skb, unsigned int dataoff,
181  enum ip_conntrack_info *ctinfo, u_int8_t pf, unsigned int hooknum)
182 {
183  const struct icmphdr *icmph;
184  struct icmphdr _ih;
185 
186  /* Not enough header? */
187  icmph = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_ih), &_ih);
188  if (icmph == NULL) {
189  if (LOG_INVALID(net, IPPROTO_ICMP))
190  nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
191  "nf_ct_icmp: short packet ");
192  return -NF_ACCEPT;
193  }
194 
195  /* See ip_conntrack_proto_tcp.c */
196  if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
197  nf_ip_checksum(skb, hooknum, dataoff, 0)) {
198  if (LOG_INVALID(net, IPPROTO_ICMP))
199  nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
200  "nf_ct_icmp: bad HW ICMP checksum ");
201  return -NF_ACCEPT;
202  }
203 
204  /*
205  * 18 is the highest 'known' ICMP type. Anything else is a mystery
206  *
207  * RFC 1122: 3.2.2 Unknown ICMP messages types MUST be silently
208  * discarded.
209  */
210  if (icmph->type > NR_ICMP_TYPES) {
211  if (LOG_INVALID(net, IPPROTO_ICMP))
212  nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
213  "nf_ct_icmp: invalid ICMP type ");
214  return -NF_ACCEPT;
215  }
216 
217  /* Need to track icmp error message? */
218  if (icmph->type != ICMP_DEST_UNREACH &&
219  icmph->type != ICMP_SOURCE_QUENCH &&
220  icmph->type != ICMP_TIME_EXCEEDED &&
221  icmph->type != ICMP_PARAMETERPROB &&
222  icmph->type != ICMP_REDIRECT)
223  return NF_ACCEPT;
224 
225  return icmp_error_message(net, tmpl, skb, ctinfo, hooknum);
226 }
227 
228 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
229 
230 #include <linux/netfilter/nfnetlink.h>
231 #include <linux/netfilter/nfnetlink_conntrack.h>
232 
233 static int icmp_tuple_to_nlattr(struct sk_buff *skb,
234  const struct nf_conntrack_tuple *t)
235 {
236  if (nla_put_be16(skb, CTA_PROTO_ICMP_ID, t->src.u.icmp.id) ||
237  nla_put_u8(skb, CTA_PROTO_ICMP_TYPE, t->dst.u.icmp.type) ||
238  nla_put_u8(skb, CTA_PROTO_ICMP_CODE, t->dst.u.icmp.code))
239  goto nla_put_failure;
240  return 0;
241 
242 nla_put_failure:
243  return -1;
244 }
245 
246 static const struct nla_policy icmp_nla_policy[CTA_PROTO_MAX+1] = {
247  [CTA_PROTO_ICMP_TYPE] = { .type = NLA_U8 },
248  [CTA_PROTO_ICMP_CODE] = { .type = NLA_U8 },
249  [CTA_PROTO_ICMP_ID] = { .type = NLA_U16 },
250 };
251 
252 static int icmp_nlattr_to_tuple(struct nlattr *tb[],
253  struct nf_conntrack_tuple *tuple)
254 {
255  if (!tb[CTA_PROTO_ICMP_TYPE] ||
256  !tb[CTA_PROTO_ICMP_CODE] ||
257  !tb[CTA_PROTO_ICMP_ID])
258  return -EINVAL;
259 
260  tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMP_TYPE]);
261  tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMP_CODE]);
262  tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMP_ID]);
263 
264  if (tuple->dst.u.icmp.type >= sizeof(invmap) ||
265  !invmap[tuple->dst.u.icmp.type])
266  return -EINVAL;
267 
268  return 0;
269 }
270 
271 static int icmp_nlattr_tuple_size(void)
272 {
273  return nla_policy_len(icmp_nla_policy, CTA_PROTO_MAX + 1);
274 }
275 #endif
276 
277 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
278 
279 #include <linux/netfilter/nfnetlink.h>
280 #include <linux/netfilter/nfnetlink_cttimeout.h>
281 
282 static int icmp_timeout_nlattr_to_obj(struct nlattr *tb[],
283  struct net *net, void *data)
284 {
285  unsigned int *timeout = data;
286  struct nf_icmp_net *in = icmp_pernet(net);
287 
288  if (tb[CTA_TIMEOUT_ICMP_TIMEOUT]) {
289  *timeout =
290  ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMP_TIMEOUT])) * HZ;
291  } else {
292  /* Set default ICMP timeout. */
293  *timeout = in->timeout;
294  }
295  return 0;
296 }
297 
298 static int
299 icmp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
300 {
301  const unsigned int *timeout = data;
302 
303  if (nla_put_be32(skb, CTA_TIMEOUT_ICMP_TIMEOUT, htonl(*timeout / HZ)))
304  goto nla_put_failure;
305  return 0;
306 
307 nla_put_failure:
308  return -ENOSPC;
309 }
310 
311 static const struct nla_policy
312 icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = {
313  [CTA_TIMEOUT_ICMP_TIMEOUT] = { .type = NLA_U32 },
314 };
315 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
316 
317 #ifdef CONFIG_SYSCTL
318 static struct ctl_table icmp_sysctl_table[] = {
319  {
320  .procname = "nf_conntrack_icmp_timeout",
321  .maxlen = sizeof(unsigned int),
322  .mode = 0644,
323  .proc_handler = proc_dointvec_jiffies,
324  },
325  { }
326 };
327 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
328 static struct ctl_table icmp_compat_sysctl_table[] = {
329  {
330  .procname = "ip_conntrack_icmp_timeout",
331  .maxlen = sizeof(unsigned int),
332  .mode = 0644,
333  .proc_handler = proc_dointvec_jiffies,
334  },
335  { }
336 };
337 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
338 #endif /* CONFIG_SYSCTL */
339 
340 static int icmp_kmemdup_sysctl_table(struct nf_proto_net *pn,
341  struct nf_icmp_net *in)
342 {
343 #ifdef CONFIG_SYSCTL
344  pn->ctl_table = kmemdup(icmp_sysctl_table,
345  sizeof(icmp_sysctl_table),
346  GFP_KERNEL);
347  if (!pn->ctl_table)
348  return -ENOMEM;
349 
350  pn->ctl_table[0].data = &in->timeout;
351 #endif
352  return 0;
353 }
354 
355 static int icmp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn,
356  struct nf_icmp_net *in)
357 {
358 #ifdef CONFIG_SYSCTL
359 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
360  pn->ctl_compat_table = kmemdup(icmp_compat_sysctl_table,
361  sizeof(icmp_compat_sysctl_table),
362  GFP_KERNEL);
363  if (!pn->ctl_compat_table)
364  return -ENOMEM;
365 
366  pn->ctl_compat_table[0].data = &in->timeout;
367 #endif
368 #endif
369  return 0;
370 }
371 
372 static int icmp_init_net(struct net *net, u_int16_t proto)
373 {
374  int ret;
375  struct nf_icmp_net *in = icmp_pernet(net);
376  struct nf_proto_net *pn = &in->pn;
377 
378  in->timeout = nf_ct_icmp_timeout;
379 
380  ret = icmp_kmemdup_compat_sysctl_table(pn, in);
381  if (ret < 0)
382  return ret;
383 
384  ret = icmp_kmemdup_sysctl_table(pn, in);
385  if (ret < 0)
386  nf_ct_kfree_compat_sysctl_table(pn);
387 
388  return ret;
389 }
390 
391 static struct nf_proto_net *icmp_get_net_proto(struct net *net)
392 {
393  return &net->ct.nf_ct_proto.icmp.pn;
394 }
395 
396 struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
397 {
398  .l3proto = PF_INET,
399  .l4proto = IPPROTO_ICMP,
400  .name = "icmp",
401  .pkt_to_tuple = icmp_pkt_to_tuple,
402  .invert_tuple = icmp_invert_tuple,
403  .print_tuple = icmp_print_tuple,
404  .packet = icmp_packet,
405  .get_timeouts = icmp_get_timeouts,
406  .new = icmp_new,
407  .error = icmp_error,
408  .destroy = NULL,
409  .me = NULL,
410 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
411  .tuple_to_nlattr = icmp_tuple_to_nlattr,
412  .nlattr_tuple_size = icmp_nlattr_tuple_size,
413  .nlattr_to_tuple = icmp_nlattr_to_tuple,
414  .nla_policy = icmp_nla_policy,
415 #endif
416 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
417  .ctnl_timeout = {
418  .nlattr_to_obj = icmp_timeout_nlattr_to_obj,
419  .obj_to_nlattr = icmp_timeout_obj_to_nlattr,
420  .nlattr_max = CTA_TIMEOUT_ICMP_MAX,
421  .obj_size = sizeof(unsigned int),
422  .nla_policy = icmp_timeout_nla_policy,
423  },
424 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
425  .init_net = icmp_init_net,
426  .get_net_proto = icmp_get_net_proto,
427 };
Generated on Thu Jan 10 2013 14:58:41 for Linux Kernel by   doxygen 1.8.2