Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
nf_conntrack_proto_sctp.c
Go to the documentation of this file.
1 /*
2  * Connection tracking protocol helper module for SCTP.
3  *
4  * SCTP is defined in RFC 2960. References to various sections in this code
5  * are to this RFC.
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License version 2 as
9  * published by the Free Software Foundation.
10  */
11 
12 #include <linux/types.h>
13 #include <linux/timer.h>
14 #include <linux/netfilter.h>
15 #include <linux/module.h>
16 #include <linux/in.h>
17 #include <linux/ip.h>
18 #include <linux/sctp.h>
19 #include <linux/string.h>
20 #include <linux/seq_file.h>
21 #include <linux/spinlock.h>
22 #include <linux/interrupt.h>
23 
24 #include <net/netfilter/nf_conntrack.h>
25 #include <net/netfilter/nf_conntrack_l4proto.h>
26 #include <net/netfilter/nf_conntrack_ecache.h>
27 
28 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
29  closely. They're more complex. --RR
30 
31  And so for me for SCTP :D -Kiran */
32 
33 static const char *const sctp_conntrack_names[] = {
34  "NONE",
35  "CLOSED",
36  "COOKIE_WAIT",
37  "COOKIE_ECHOED",
38  "ESTABLISHED",
39  "SHUTDOWN_SENT",
40  "SHUTDOWN_RECD",
41  "SHUTDOWN_ACK_SENT",
42 };
43 
44 #define SECS * HZ
45 #define MINS * 60 SECS
46 #define HOURS * 60 MINS
47 #define DAYS * 24 HOURS
48 
49 static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
50  [SCTP_CONNTRACK_CLOSED] = 10 SECS,
51  [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
52  [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
53  [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
54  [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
55  [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
56  [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
57 };
58 
59 #define sNO SCTP_CONNTRACK_NONE
60 #define sCL SCTP_CONNTRACK_CLOSED
61 #define sCW SCTP_CONNTRACK_COOKIE_WAIT
62 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED
63 #define sES SCTP_CONNTRACK_ESTABLISHED
64 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
65 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
66 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
67 #define sIV SCTP_CONNTRACK_MAX
68 
69 /*
70  These are the descriptions of the states:
71 
72 NOTE: These state names are tantalizingly similar to the states of an
73 SCTP endpoint. But the interpretation of the states is a little different,
74 considering that these are the states of the connection and not of an end
75 point. Please note the subtleties. -Kiran
76 
77 NONE - Nothing so far.
78 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
79  an INIT_ACK chunk in the reply direction.
80 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
81 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
82 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
83 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
84 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
85  to that of the SHUTDOWN chunk.
86 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
87  the SHUTDOWN chunk. Connection is closed.
88 */
89 
90 /* TODO
91  - I have assumed that the first INIT is in the original direction.
92  This messes things when an INIT comes in the reply direction in CLOSED
93  state.
94  - Check the error type in the reply dir before transitioning from
95 cookie echoed to closed.
96  - Sec 5.2.4 of RFC 2960
97  - Multi Homing support.
98 */
99 
100 /* SCTP conntrack state transitions */
101 static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
102  {
103 /* ORIGINAL */
104 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */
105 /* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA},
106 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},
107 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
108 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA},
109 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA},
110 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't have Stale cookie*/
111 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA},/* 5.2.4 - Big TODO */
112 /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't come in orig dir */
113 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL}
114  },
115  {
116 /* REPLY */
117 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */
118 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* INIT in sCL Big TODO */
119 /* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},
120 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
121 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA},
122 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA},
123 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA},
124 /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't come in reply dir */
125 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA},
126 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL}
127  }
128 };
129 
130 static int sctp_net_id __read_mostly;
131 struct sctp_net {
132  struct nf_proto_net pn;
133  unsigned int timeouts[SCTP_CONNTRACK_MAX];
134 };
135 
136 static inline struct sctp_net *sctp_pernet(struct net *net)
137 {
138  return net_generic(net, sctp_net_id);
139 }
140 
141 static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
142  struct nf_conntrack_tuple *tuple)
143 {
144  const struct sctphdr *hp;
145  struct sctphdr _hdr;
146 
147  /* Actually only need first 8 bytes. */
148  hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
149  if (hp == NULL)
150  return false;
151 
152  tuple->src.u.sctp.port = hp->source;
153  tuple->dst.u.sctp.port = hp->dest;
154  return true;
155 }
156 
157 static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
158  const struct nf_conntrack_tuple *orig)
159 {
160  tuple->src.u.sctp.port = orig->dst.u.sctp.port;
161  tuple->dst.u.sctp.port = orig->src.u.sctp.port;
162  return true;
163 }
164 
165 /* Print out the per-protocol part of the tuple. */
166 static int sctp_print_tuple(struct seq_file *s,
167  const struct nf_conntrack_tuple *tuple)
168 {
169  return seq_printf(s, "sport=%hu dport=%hu ",
170  ntohs(tuple->src.u.sctp.port),
171  ntohs(tuple->dst.u.sctp.port));
172 }
173 
174 /* Print out the private part of the conntrack. */
175 static int sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
176 {
177  enum sctp_conntrack state;
178 
179  spin_lock_bh(&ct->lock);
180  state = ct->proto.sctp.state;
181  spin_unlock_bh(&ct->lock);
182 
183  return seq_printf(s, "%s ", sctp_conntrack_names[state]);
184 }
185 
186 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
187 for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \
188  (offset) < (skb)->len && \
189  ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
190  (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
191 
192 /* Some validity checks to make sure the chunks are fine */
193 static int do_basic_checks(struct nf_conn *ct,
194  const struct sk_buff *skb,
195  unsigned int dataoff,
196  unsigned long *map)
197 {
198  u_int32_t offset, count;
199  sctp_chunkhdr_t _sch, *sch;
200  int flag;
201 
202  flag = 0;
203 
204  for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
205  pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
206 
207  if (sch->type == SCTP_CID_INIT ||
208  sch->type == SCTP_CID_INIT_ACK ||
209  sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
210  flag = 1;
211 
212  /*
213  * Cookie Ack/Echo chunks not the first OR
214  * Init / Init Ack / Shutdown compl chunks not the only chunks
215  * OR zero-length.
216  */
217  if (((sch->type == SCTP_CID_COOKIE_ACK ||
218  sch->type == SCTP_CID_COOKIE_ECHO ||
219  flag) &&
220  count != 0) || !sch->length) {
221  pr_debug("Basic checks failed\n");
222  return 1;
223  }
224 
225  if (map)
226  set_bit(sch->type, map);
227  }
228 
229  pr_debug("Basic checks passed\n");
230  return count == 0;
231 }
232 
233 static int sctp_new_state(enum ip_conntrack_dir dir,
234  enum sctp_conntrack cur_state,
235  int chunk_type)
236 {
237  int i;
238 
239  pr_debug("Chunk type: %d\n", chunk_type);
240 
241  switch (chunk_type) {
242  case SCTP_CID_INIT:
243  pr_debug("SCTP_CID_INIT\n");
244  i = 0;
245  break;
246  case SCTP_CID_INIT_ACK:
247  pr_debug("SCTP_CID_INIT_ACK\n");
248  i = 1;
249  break;
250  case SCTP_CID_ABORT:
251  pr_debug("SCTP_CID_ABORT\n");
252  i = 2;
253  break;
254  case SCTP_CID_SHUTDOWN:
255  pr_debug("SCTP_CID_SHUTDOWN\n");
256  i = 3;
257  break;
258  case SCTP_CID_SHUTDOWN_ACK:
259  pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
260  i = 4;
261  break;
262  case SCTP_CID_ERROR:
263  pr_debug("SCTP_CID_ERROR\n");
264  i = 5;
265  break;
266  case SCTP_CID_COOKIE_ECHO:
267  pr_debug("SCTP_CID_COOKIE_ECHO\n");
268  i = 6;
269  break;
270  case SCTP_CID_COOKIE_ACK:
271  pr_debug("SCTP_CID_COOKIE_ACK\n");
272  i = 7;
273  break;
274  case SCTP_CID_SHUTDOWN_COMPLETE:
275  pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
276  i = 8;
277  break;
278  default:
279  /* Other chunks like DATA, SACK, HEARTBEAT and
280  its ACK do not cause a change in state */
281  pr_debug("Unknown chunk type, Will stay in %s\n",
282  sctp_conntrack_names[cur_state]);
283  return cur_state;
284  }
285 
286  pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
287  dir, sctp_conntrack_names[cur_state], chunk_type,
288  sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
289 
290  return sctp_conntracks[dir][i][cur_state];
291 }
292 
293 static unsigned int *sctp_get_timeouts(struct net *net)
294 {
295  return sctp_pernet(net)->timeouts;
296 }
297 
298 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
299 static int sctp_packet(struct nf_conn *ct,
300  const struct sk_buff *skb,
301  unsigned int dataoff,
302  enum ip_conntrack_info ctinfo,
303  u_int8_t pf,
304  unsigned int hooknum,
305  unsigned int *timeouts)
306 {
307  enum sctp_conntrack new_state, old_state;
308  enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
309  const struct sctphdr *sh;
310  struct sctphdr _sctph;
311  const struct sctp_chunkhdr *sch;
312  struct sctp_chunkhdr _sch;
313  u_int32_t offset, count;
314  unsigned long map[256 / sizeof(unsigned long)] = { 0 };
315 
316  sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
317  if (sh == NULL)
318  goto out;
319 
320  if (do_basic_checks(ct, skb, dataoff, map) != 0)
321  goto out;
322 
323  /* Check the verification tag (Sec 8.5) */
324  if (!test_bit(SCTP_CID_INIT, map) &&
325  !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
326  !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
327  !test_bit(SCTP_CID_ABORT, map) &&
328  !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
329  sh->vtag != ct->proto.sctp.vtag[dir]) {
330  pr_debug("Verification tag check failed\n");
331  goto out;
332  }
333 
334  old_state = new_state = SCTP_CONNTRACK_NONE;
335  spin_lock_bh(&ct->lock);
336  for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
337  /* Special cases of Verification tag check (Sec 8.5.1) */
338  if (sch->type == SCTP_CID_INIT) {
339  /* Sec 8.5.1 (A) */
340  if (sh->vtag != 0)
341  goto out_unlock;
342  } else if (sch->type == SCTP_CID_ABORT) {
343  /* Sec 8.5.1 (B) */
344  if (sh->vtag != ct->proto.sctp.vtag[dir] &&
345  sh->vtag != ct->proto.sctp.vtag[!dir])
346  goto out_unlock;
347  } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
348  /* Sec 8.5.1 (C) */
349  if (sh->vtag != ct->proto.sctp.vtag[dir] &&
350  sh->vtag != ct->proto.sctp.vtag[!dir] &&
351  sch->flags & SCTP_CHUNK_FLAG_T)
352  goto out_unlock;
353  } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
354  /* Sec 8.5.1 (D) */
355  if (sh->vtag != ct->proto.sctp.vtag[dir])
356  goto out_unlock;
357  }
358 
359  old_state = ct->proto.sctp.state;
360  new_state = sctp_new_state(dir, old_state, sch->type);
361 
362  /* Invalid */
363  if (new_state == SCTP_CONNTRACK_MAX) {
364  pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
365  "conntrack=%u\n",
366  dir, sch->type, old_state);
367  goto out_unlock;
368  }
369 
370  /* If it is an INIT or an INIT ACK note down the vtag */
371  if (sch->type == SCTP_CID_INIT ||
372  sch->type == SCTP_CID_INIT_ACK) {
373  sctp_inithdr_t _inithdr, *ih;
374 
375  ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
376  sizeof(_inithdr), &_inithdr);
377  if (ih == NULL)
378  goto out_unlock;
379  pr_debug("Setting vtag %x for dir %d\n",
380  ih->init_tag, !dir);
381  ct->proto.sctp.vtag[!dir] = ih->init_tag;
382  }
383 
384  ct->proto.sctp.state = new_state;
385  if (old_state != new_state)
386  nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
387  }
388  spin_unlock_bh(&ct->lock);
389 
390  nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
391 
392  if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
393  dir == IP_CT_DIR_REPLY &&
394  new_state == SCTP_CONNTRACK_ESTABLISHED) {
395  pr_debug("Setting assured bit\n");
396  set_bit(IPS_ASSURED_BIT, &ct->status);
397  nf_conntrack_event_cache(IPCT_ASSURED, ct);
398  }
399 
400  return NF_ACCEPT;
401 
402 out_unlock:
403  spin_unlock_bh(&ct->lock);
404 out:
405  return -NF_ACCEPT;
406 }
407 
408 /* Called when a new connection for this protocol found. */
409 static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
410  unsigned int dataoff, unsigned int *timeouts)
411 {
412  enum sctp_conntrack new_state;
413  const struct sctphdr *sh;
414  struct sctphdr _sctph;
415  const struct sctp_chunkhdr *sch;
416  struct sctp_chunkhdr _sch;
417  u_int32_t offset, count;
418  unsigned long map[256 / sizeof(unsigned long)] = { 0 };
419 
420  sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
421  if (sh == NULL)
422  return false;
423 
424  if (do_basic_checks(ct, skb, dataoff, map) != 0)
425  return false;
426 
427  /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
428  if (test_bit(SCTP_CID_ABORT, map) ||
429  test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
430  test_bit(SCTP_CID_COOKIE_ACK, map))
431  return false;
432 
433  memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
434  new_state = SCTP_CONNTRACK_MAX;
435  for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
436  /* Don't need lock here: this conntrack not in circulation yet */
437  new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
438  SCTP_CONNTRACK_NONE, sch->type);
439 
440  /* Invalid: delete conntrack */
441  if (new_state == SCTP_CONNTRACK_NONE ||
442  new_state == SCTP_CONNTRACK_MAX) {
443  pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
444  return false;
445  }
446 
447  /* Copy the vtag into the state info */
448  if (sch->type == SCTP_CID_INIT) {
449  if (sh->vtag == 0) {
450  sctp_inithdr_t _inithdr, *ih;
451 
452  ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
453  sizeof(_inithdr), &_inithdr);
454  if (ih == NULL)
455  return false;
456 
457  pr_debug("Setting vtag %x for new conn\n",
458  ih->init_tag);
459 
460  ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
461  ih->init_tag;
462  } else {
463  /* Sec 8.5.1 (A) */
464  return false;
465  }
466  }
467  /* If it is a shutdown ack OOTB packet, we expect a return
468  shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
469  else {
470  pr_debug("Setting vtag %x for new conn OOTB\n",
471  sh->vtag);
472  ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
473  }
474 
475  ct->proto.sctp.state = new_state;
476  }
477 
478  return true;
479 }
480 
481 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
482 
483 #include <linux/netfilter/nfnetlink.h>
484 #include <linux/netfilter/nfnetlink_conntrack.h>
485 
486 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
487  struct nf_conn *ct)
488 {
489  struct nlattr *nest_parms;
490 
491  spin_lock_bh(&ct->lock);
492  nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
493  if (!nest_parms)
494  goto nla_put_failure;
495 
496  if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
497  nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
498  ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
499  nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
500  ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
501  goto nla_put_failure;
502 
503  spin_unlock_bh(&ct->lock);
504 
505  nla_nest_end(skb, nest_parms);
506 
507  return 0;
508 
509 nla_put_failure:
510  spin_unlock_bh(&ct->lock);
511  return -1;
512 }
513 
514 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
515  [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
516  [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
517  [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
518 };
519 
520 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
521 {
522  struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
523  struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
524  int err;
525 
526  /* updates may not contain the internal protocol info, skip parsing */
527  if (!attr)
528  return 0;
529 
530  err = nla_parse_nested(tb,
531  CTA_PROTOINFO_SCTP_MAX,
532  attr,
533  sctp_nla_policy);
534  if (err < 0)
535  return err;
536 
537  if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
538  !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
539  !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
540  return -EINVAL;
541 
542  spin_lock_bh(&ct->lock);
543  ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
544  ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
545  nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
546  ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
547  nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
548  spin_unlock_bh(&ct->lock);
549 
550  return 0;
551 }
552 
553 static int sctp_nlattr_size(void)
554 {
555  return nla_total_size(0) /* CTA_PROTOINFO_SCTP */
556  + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
557 }
558 #endif
559 
560 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
561 
562 #include <linux/netfilter/nfnetlink.h>
563 #include <linux/netfilter/nfnetlink_cttimeout.h>
564 
565 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
566  struct net *net, void *data)
567 {
568  unsigned int *timeouts = data;
569  struct sctp_net *sn = sctp_pernet(net);
570  int i;
571 
572  /* set default SCTP timeouts. */
573  for (i=0; i<SCTP_CONNTRACK_MAX; i++)
574  timeouts[i] = sn->timeouts[i];
575 
576  /* there's a 1:1 mapping between attributes and protocol states. */
577  for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
578  if (tb[i]) {
579  timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
580  }
581  }
582  return 0;
583 }
584 
585 static int
586 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
587 {
588  const unsigned int *timeouts = data;
589  int i;
590 
591  for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
592  if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
593  goto nla_put_failure;
594  }
595  return 0;
596 
597 nla_put_failure:
598  return -ENOSPC;
599 }
600 
601 static const struct nla_policy
602 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
603  [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
604  [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
605  [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
606  [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
607  [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
608  [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
609  [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
610 };
611 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
612 
613 
614 #ifdef CONFIG_SYSCTL
615 static struct ctl_table sctp_sysctl_table[] = {
616  {
617  .procname = "nf_conntrack_sctp_timeout_closed",
618  .maxlen = sizeof(unsigned int),
619  .mode = 0644,
620  .proc_handler = proc_dointvec_jiffies,
621  },
622  {
623  .procname = "nf_conntrack_sctp_timeout_cookie_wait",
624  .maxlen = sizeof(unsigned int),
625  .mode = 0644,
626  .proc_handler = proc_dointvec_jiffies,
627  },
628  {
629  .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
630  .maxlen = sizeof(unsigned int),
631  .mode = 0644,
632  .proc_handler = proc_dointvec_jiffies,
633  },
634  {
635  .procname = "nf_conntrack_sctp_timeout_established",
636  .maxlen = sizeof(unsigned int),
637  .mode = 0644,
638  .proc_handler = proc_dointvec_jiffies,
639  },
640  {
641  .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
642  .maxlen = sizeof(unsigned int),
643  .mode = 0644,
644  .proc_handler = proc_dointvec_jiffies,
645  },
646  {
647  .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
648  .maxlen = sizeof(unsigned int),
649  .mode = 0644,
650  .proc_handler = proc_dointvec_jiffies,
651  },
652  {
653  .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
654  .maxlen = sizeof(unsigned int),
655  .mode = 0644,
656  .proc_handler = proc_dointvec_jiffies,
657  },
658  { }
659 };
660 
661 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
662 static struct ctl_table sctp_compat_sysctl_table[] = {
663  {
664  .procname = "ip_conntrack_sctp_timeout_closed",
665  .maxlen = sizeof(unsigned int),
666  .mode = 0644,
667  .proc_handler = proc_dointvec_jiffies,
668  },
669  {
670  .procname = "ip_conntrack_sctp_timeout_cookie_wait",
671  .maxlen = sizeof(unsigned int),
672  .mode = 0644,
673  .proc_handler = proc_dointvec_jiffies,
674  },
675  {
676  .procname = "ip_conntrack_sctp_timeout_cookie_echoed",
677  .maxlen = sizeof(unsigned int),
678  .mode = 0644,
679  .proc_handler = proc_dointvec_jiffies,
680  },
681  {
682  .procname = "ip_conntrack_sctp_timeout_established",
683  .maxlen = sizeof(unsigned int),
684  .mode = 0644,
685  .proc_handler = proc_dointvec_jiffies,
686  },
687  {
688  .procname = "ip_conntrack_sctp_timeout_shutdown_sent",
689  .maxlen = sizeof(unsigned int),
690  .mode = 0644,
691  .proc_handler = proc_dointvec_jiffies,
692  },
693  {
694  .procname = "ip_conntrack_sctp_timeout_shutdown_recd",
695  .maxlen = sizeof(unsigned int),
696  .mode = 0644,
697  .proc_handler = proc_dointvec_jiffies,
698  },
699  {
700  .procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent",
701  .maxlen = sizeof(unsigned int),
702  .mode = 0644,
703  .proc_handler = proc_dointvec_jiffies,
704  },
705  { }
706 };
707 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
708 #endif
709 
710 static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
711  struct sctp_net *sn)
712 {
713 #ifdef CONFIG_SYSCTL
714  if (pn->ctl_table)
715  return 0;
716 
717  pn->ctl_table = kmemdup(sctp_sysctl_table,
718  sizeof(sctp_sysctl_table),
719  GFP_KERNEL);
720  if (!pn->ctl_table)
721  return -ENOMEM;
722 
723  pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
724  pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
725  pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
726  pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
727  pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
728  pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
729  pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
730 #endif
731  return 0;
732 }
733 
734 static int sctp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn,
735  struct sctp_net *sn)
736 {
737 #ifdef CONFIG_SYSCTL
738 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
739  pn->ctl_compat_table = kmemdup(sctp_compat_sysctl_table,
740  sizeof(sctp_compat_sysctl_table),
741  GFP_KERNEL);
742  if (!pn->ctl_compat_table)
743  return -ENOMEM;
744 
745  pn->ctl_compat_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
746  pn->ctl_compat_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
747  pn->ctl_compat_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
748  pn->ctl_compat_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
749  pn->ctl_compat_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
750  pn->ctl_compat_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
751  pn->ctl_compat_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
752 #endif
753 #endif
754  return 0;
755 }
756 
757 static int sctp_init_net(struct net *net, u_int16_t proto)
758 {
759  int ret;
760  struct sctp_net *sn = sctp_pernet(net);
761  struct nf_proto_net *pn = &sn->pn;
762 
763  if (!pn->users) {
764  int i;
765 
766  for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
767  sn->timeouts[i] = sctp_timeouts[i];
768  }
769 
770  if (proto == AF_INET) {
771  ret = sctp_kmemdup_compat_sysctl_table(pn, sn);
772  if (ret < 0)
773  return ret;
774 
775  ret = sctp_kmemdup_sysctl_table(pn, sn);
776  if (ret < 0)
777  nf_ct_kfree_compat_sysctl_table(pn);
778  } else
779  ret = sctp_kmemdup_sysctl_table(pn, sn);
780 
781  return ret;
782 }
783 
784 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
785  .l3proto = PF_INET,
786  .l4proto = IPPROTO_SCTP,
787  .name = "sctp",
788  .pkt_to_tuple = sctp_pkt_to_tuple,
789  .invert_tuple = sctp_invert_tuple,
790  .print_tuple = sctp_print_tuple,
791  .print_conntrack = sctp_print_conntrack,
792  .packet = sctp_packet,
793  .get_timeouts = sctp_get_timeouts,
794  .new = sctp_new,
795  .me = THIS_MODULE,
796 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
797  .to_nlattr = sctp_to_nlattr,
798  .nlattr_size = sctp_nlattr_size,
799  .from_nlattr = nlattr_to_sctp,
800  .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
801  .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
802  .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
803  .nla_policy = nf_ct_port_nla_policy,
804 #endif
805 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
806  .ctnl_timeout = {
807  .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
808  .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
809  .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
810  .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
811  .nla_policy = sctp_timeout_nla_policy,
812  },
813 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
814  .net_id = &sctp_net_id,
815  .init_net = sctp_init_net,
816 };
817 
818 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
819  .l3proto = PF_INET6,
820  .l4proto = IPPROTO_SCTP,
821  .name = "sctp",
822  .pkt_to_tuple = sctp_pkt_to_tuple,
823  .invert_tuple = sctp_invert_tuple,
824  .print_tuple = sctp_print_tuple,
825  .print_conntrack = sctp_print_conntrack,
826  .packet = sctp_packet,
827  .get_timeouts = sctp_get_timeouts,
828  .new = sctp_new,
829  .me = THIS_MODULE,
830 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
831  .to_nlattr = sctp_to_nlattr,
832  .nlattr_size = sctp_nlattr_size,
833  .from_nlattr = nlattr_to_sctp,
834  .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
835  .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
836  .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
837  .nla_policy = nf_ct_port_nla_policy,
838 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
839  .ctnl_timeout = {
840  .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
841  .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
842  .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
843  .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
844  .nla_policy = sctp_timeout_nla_policy,
845  },
846 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
847 #endif
848  .net_id = &sctp_net_id,
849  .init_net = sctp_init_net,
850 };
851 
852 static int sctp_net_init(struct net *net)
853 {
854  int ret = 0;
855 
856  ret = nf_conntrack_l4proto_register(net,
857  &nf_conntrack_l4proto_sctp4);
858  if (ret < 0) {
859  pr_err("nf_conntrack_l4proto_sctp4 :protocol register failed.\n");
860  goto out;
861  }
862  ret = nf_conntrack_l4proto_register(net,
863  &nf_conntrack_l4proto_sctp6);
864  if (ret < 0) {
865  pr_err("nf_conntrack_l4proto_sctp6 :protocol register failed.\n");
866  goto cleanup_sctp4;
867  }
868  return 0;
869 
870 cleanup_sctp4:
871  nf_conntrack_l4proto_unregister(net,
872  &nf_conntrack_l4proto_sctp4);
873 out:
874  return ret;
875 }
876 
877 static void sctp_net_exit(struct net *net)
878 {
879  nf_conntrack_l4proto_unregister(net,
880  &nf_conntrack_l4proto_sctp6);
881  nf_conntrack_l4proto_unregister(net,
882  &nf_conntrack_l4proto_sctp4);
883 }
884 
885 static struct pernet_operations sctp_net_ops = {
886  .init = sctp_net_init,
887  .exit = sctp_net_exit,
888  .id = &sctp_net_id,
889  .size = sizeof(struct sctp_net),
890 };
891 
892 static int __init nf_conntrack_proto_sctp_init(void)
893 {
894  return register_pernet_subsys(&sctp_net_ops);
895 }
896 
897 static void __exit nf_conntrack_proto_sctp_fini(void)
898 {
899  unregister_pernet_subsys(&sctp_net_ops);
900 }
901 
902 module_init(nf_conntrack_proto_sctp_init);
903 module_exit(nf_conntrack_proto_sctp_fini);
904 
905 MODULE_LICENSE("GPL");
906 MODULE_AUTHOR("Kiran Kumar Immidi");
907 MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP");
908 MODULE_ALIAS("ip_conntrack_proto_sctp");
Generated on Thu Jan 10 2013 15:00:33 for Linux Kernel by   doxygen 1.8.2