projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / netfilter / nf_conntrack_proto_sctp.c
CommitLineData
9fb9cbb1
YK		 1/*
2 * Connection tracking protocol helper module for SCTP.
601e68e1
YH		 3 *
4 * SCTP is defined in RFC 2960. References to various sections in this code
9fb9cbb1 5 * are to this RFC.
601e68e1 6 *
9fb9cbb1
YK		 7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
9fb9cbb1
YK		 10 */
11
12#include <linux/types.h>
9fb9cbb1
YK		 13#include <linux/timer.h>
14#include <linux/netfilter.h>
15#include <linux/module.h>
16#include <linux/in.h>
17#include <linux/ip.h>
18#include <linux/sctp.h>
19#include <linux/string.h>
20#include <linux/seq_file.h>
40a839fd
YK		 21#include <linux/spinlock.h>
22#include <linux/interrupt.h>
9fb9cbb1
YK		 23
24#include <net/netfilter/nf_conntrack.h>
605dcad6 25#include <net/netfilter/nf_conntrack_l4proto.h>
f6180121 26#include <net/netfilter/nf_conntrack_ecache.h>
9fb9cbb1 27
9fb9cbb1 28/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
601e68e1 29 closely. They're more complex. --RR
9fb9cbb1
YK		 30
31 And so for me for SCTP :D -Kiran */
32
12c33aa2 33static const char *const sctp_conntrack_names[] = {
9fb9cbb1
YK		 34 "NONE",
35 "CLOSED",
36 "COOKIE_WAIT",
37 "COOKIE_ECHOED",
38 "ESTABLISHED",
39 "SHUTDOWN_SENT",
40 "SHUTDOWN_RECD",
41 "SHUTDOWN_ACK_SENT",
42};
43
44#define SECS * HZ
45#define MINS * 60 SECS
46#define HOURS * 60 MINS
47#define DAYS * 24 HOURS
48
86c0bf40
PM		 49static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
50 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
51 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
52 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
53 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
54 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
55 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
56 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
57};
9fb9cbb1
YK		 58
59#define sNO SCTP_CONNTRACK_NONE
60#define sCL SCTP_CONNTRACK_CLOSED
61#define sCW SCTP_CONNTRACK_COOKIE_WAIT
62#define sCE SCTP_CONNTRACK_COOKIE_ECHOED
63#define sES SCTP_CONNTRACK_ESTABLISHED
64#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
65#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
66#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
67#define sIV SCTP_CONNTRACK_MAX
68
601e68e1 69/*
9fb9cbb1
YK		 70 These are the descriptions of the states:
71
601e68e1 72NOTE: These state names are tantalizingly similar to the states of an
9fb9cbb1 73SCTP endpoint. But the interpretation of the states is a little different,
601e68e1 74considering that these are the states of the connection and not of an end
9fb9cbb1
YK		 75point. Please note the subtleties. -Kiran
76
77NONE - Nothing so far.
601e68e1
YH		 78COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
79 an INIT_ACK chunk in the reply direction.
9fb9cbb1
YK		 80COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
81ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
82SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
83SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
84SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
601e68e1
YH		 85 to that of the SHUTDOWN chunk.
86CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
87 the SHUTDOWN chunk. Connection is closed.
9fb9cbb1
YK		 88*/
89
90/* TODO
601e68e1 91 - I have assumed that the first INIT is in the original direction.
9fb9cbb1
YK		 92 This messes things when an INIT comes in the reply direction in CLOSED
93 state.
601e68e1 94 - Check the error type in the reply dir before transitioning from
9fb9cbb1
YK		 95cookie echoed to closed.
96 - Sec 5.2.4 of RFC 2960
97 - Multi Homing support.
98*/
99
100/* SCTP conntrack state transitions */
a5e73c29 101static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
9fb9cbb1
YK		 102 {
103/* ORIGINAL */
104/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */
105/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA},
106/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},
107/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
108/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA},
109/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA},
25985edc 110/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't have Stale cookie*/
9fb9cbb1 111/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA},/* 5.2.4 - Big TODO */
25985edc 112/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't come in orig dir */
9fb9cbb1
YK		 113/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL}
114 },
115 {
116/* REPLY */
117/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */
118/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* INIT in sCL Big TODO */
119/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},
120/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
121/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA},
122/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA},
123/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA},
25985edc 124/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't come in reply dir */
9fb9cbb1
YK		 125/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA},
126/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL}
127 }
128};
129
49d485a3
G		 130static int sctp_net_id __read_mostly;
131struct sctp_net {
132 struct nf_proto_net pn;
133 unsigned int timeouts[SCTP_CONNTRACK_MAX];
134};
135
136static inline struct sctp_net *sctp_pernet(struct net *net)
137{
138 return net_generic(net, sctp_net_id);
139}
140
09f263cd
JE		 141static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
142 struct nf_conntrack_tuple *tuple)
9fb9cbb1 143{
12c33aa2
JE		 144 const struct sctphdr *hp;
145 struct sctphdr _hdr;
9fb9cbb1 146
9fb9cbb1
YK		 147 /* Actually only need first 8 bytes. */
148 hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
149 if (hp == NULL)
09f263cd 150 return false;
9fb9cbb1
YK		 151
152 tuple->src.u.sctp.port = hp->source;
153 tuple->dst.u.sctp.port = hp->dest;
09f263cd 154 return true;
9fb9cbb1
YK		 155}
156
09f263cd
JE		 157static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
158 const struct nf_conntrack_tuple *orig)
9fb9cbb1 159{
9fb9cbb1
YK		 160 tuple->src.u.sctp.port = orig->dst.u.sctp.port;
161 tuple->dst.u.sctp.port = orig->src.u.sctp.port;
09f263cd 162 return true;
9fb9cbb1
YK		 163}
164
165/* Print out the per-protocol part of the tuple. */
166static int sctp_print_tuple(struct seq_file *s,
167 const struct nf_conntrack_tuple *tuple)
168{
9fb9cbb1
YK		 169 return seq_printf(s, "sport=%hu dport=%hu ",
170 ntohs(tuple->src.u.sctp.port),
171 ntohs(tuple->dst.u.sctp.port));
172}
173
174/* Print out the private part of the conntrack. */
440f0d58 175static int sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
9fb9cbb1
YK		 176{
177 enum sctp_conntrack state;
178
440f0d58 179 spin_lock_bh(&ct->lock);
112f35c9 180 state = ct->proto.sctp.state;
440f0d58 181 spin_unlock_bh(&ct->lock);
9fb9cbb1
YK		 182
183 return seq_printf(s, "%s ", sctp_conntrack_names[state]);
184}
185
186#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
e79ec50b
JE		 187for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \
188 (offset) < (skb)->len && \
189 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
190 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
9fb9cbb1
YK		 191
192/* Some validity checks to make sure the chunks are fine */
112f35c9 193static int do_basic_checks(struct nf_conn *ct,
9fb9cbb1
YK		 194 const struct sk_buff *skb,
195 unsigned int dataoff,
35c6d3cb 196 unsigned long *map)
9fb9cbb1
YK		 197{
198 u_int32_t offset, count;
199 sctp_chunkhdr_t _sch, *sch;
200 int flag;
201
9fb9cbb1
YK		 202 flag = 0;
203
204 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
0d53778e 205 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
9fb9cbb1 206
5447d477
PM		 207 if (sch->type == SCTP_CID_INIT ||
208 sch->type == SCTP_CID_INIT_ACK ||
209 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
9fb9cbb1 210 flag = 1;
9fb9cbb1 211
e17df688
PM		 212 /*
213 * Cookie Ack/Echo chunks not the first OR
214 * Init / Init Ack / Shutdown compl chunks not the only chunks
215 * OR zero-length.
216 */
5447d477
PM		 217 if (((sch->type == SCTP_CID_COOKIE_ACK ||
218 sch->type == SCTP_CID_COOKIE_ECHO ||
219 flag) &&
220 count != 0) || !sch->length) {
0d53778e 221 pr_debug("Basic checks failed\n");
9fb9cbb1
YK		 222 return 1;
223 }
224
5447d477 225 if (map)
35c6d3cb 226 set_bit(sch->type, map);
9fb9cbb1
YK		 227 }
228
0d53778e 229 pr_debug("Basic checks passed\n");
dd7271fe 230 return count == 0;
9fb9cbb1
YK		 231}
232
efe9f68a
PM		 233static int sctp_new_state(enum ip_conntrack_dir dir,
234 enum sctp_conntrack cur_state,
235 int chunk_type)
9fb9cbb1
YK		 236{
237 int i;
238
0d53778e 239 pr_debug("Chunk type: %d\n", chunk_type);
9fb9cbb1
YK		 240
241 switch (chunk_type) {
5447d477
PM		 242 case SCTP_CID_INIT:
243 pr_debug("SCTP_CID_INIT\n");
244 i = 0;
245 break;
246 case SCTP_CID_INIT_ACK:
247 pr_debug("SCTP_CID_INIT_ACK\n");
248 i = 1;
249 break;
250 case SCTP_CID_ABORT:
251 pr_debug("SCTP_CID_ABORT\n");
252 i = 2;
253 break;
254 case SCTP_CID_SHUTDOWN:
255 pr_debug("SCTP_CID_SHUTDOWN\n");
256 i = 3;
257 break;
258 case SCTP_CID_SHUTDOWN_ACK:
259 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
260 i = 4;
261 break;
262 case SCTP_CID_ERROR:
263 pr_debug("SCTP_CID_ERROR\n");
264 i = 5;
265 break;
266 case SCTP_CID_COOKIE_ECHO:
267 pr_debug("SCTP_CID_COOKIE_ECHO\n");
268 i = 6;
269 break;
270 case SCTP_CID_COOKIE_ACK:
271 pr_debug("SCTP_CID_COOKIE_ACK\n");
272 i = 7;
273 break;
274 case SCTP_CID_SHUTDOWN_COMPLETE:
275 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
276 i = 8;
277 break;
278 default:
279 /* Other chunks like DATA, SACK, HEARTBEAT and
280 its ACK do not cause a change in state */
281 pr_debug("Unknown chunk type, Will stay in %s\n",
282 sctp_conntrack_names[cur_state]);
283 return cur_state;
9fb9cbb1
YK		 284 }
285
0d53778e
PM		 286 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
287 dir, sctp_conntrack_names[cur_state], chunk_type,
288 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
9fb9cbb1
YK		 289
290 return sctp_conntracks[dir][i][cur_state];
291}
292
2c8503f5
PNA		 293static unsigned int *sctp_get_timeouts(struct net *net)
294{
49d485a3 295 return sctp_pernet(net)->timeouts;
2c8503f5
PNA		 296}
297
b37e933a 298/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
112f35c9 299static int sctp_packet(struct nf_conn *ct,
9fb9cbb1
YK		 300 const struct sk_buff *skb,
301 unsigned int dataoff,
302 enum ip_conntrack_info ctinfo,
76108cea 303 u_int8_t pf,
2c8503f5
PNA		 304 unsigned int hooknum,
305 unsigned int *timeouts)
9fb9cbb1 306{
efe9f68a 307 enum sctp_conntrack new_state, old_state;
8528819a 308 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
12c33aa2
JE		 309 const struct sctphdr *sh;
310 struct sctphdr _sctph;
311 const struct sctp_chunkhdr *sch;
312 struct sctp_chunkhdr _sch;
9fb9cbb1 313 u_int32_t offset, count;
35c6d3cb 314 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 315
9fb9cbb1
YK		 316 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
317 if (sh == NULL)
b37e933a 318 goto out;
9fb9cbb1 319
112f35c9 320 if (do_basic_checks(ct, skb, dataoff, map) != 0)
b37e933a 321 goto out;
9fb9cbb1
YK		 322
323 /* Check the verification tag (Sec 8.5) */
35c6d3cb
PM		 324 if (!test_bit(SCTP_CID_INIT, map) &&
325 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
326 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
327 !test_bit(SCTP_CID_ABORT, map) &&
328 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
8528819a 329 sh->vtag != ct->proto.sctp.vtag[dir]) {
0d53778e 330 pr_debug("Verification tag check failed\n");
b37e933a 331 goto out;
9fb9cbb1
YK		 332 }
333
328bd899 334 old_state = new_state = SCTP_CONNTRACK_NONE;
440f0d58 335 spin_lock_bh(&ct->lock);
9fb9cbb1 336 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
9fb9cbb1
YK		 337 /* Special cases of Verification tag check (Sec 8.5.1) */
338 if (sch->type == SCTP_CID_INIT) {
339 /* Sec 8.5.1 (A) */
b37e933a
PM		 340 if (sh->vtag != 0)
341 goto out_unlock;
9fb9cbb1
YK		 342 } else if (sch->type == SCTP_CID_ABORT) {
343 /* Sec 8.5.1 (B) */
8528819a 344 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
b37e933a
PM		 345 sh->vtag != ct->proto.sctp.vtag[!dir])
346 goto out_unlock;
9fb9cbb1
YK		 347 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
348 /* Sec 8.5.1 (C) */
8528819a
PM		 349 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
350 sh->vtag != ct->proto.sctp.vtag[!dir] &&
9b1c2cfd 351 sch->flags & SCTP_CHUNK_FLAG_T)
b37e933a 352 goto out_unlock;
9fb9cbb1
YK		 353 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
354 /* Sec 8.5.1 (D) */
b37e933a
PM		 355 if (sh->vtag != ct->proto.sctp.vtag[dir])
356 goto out_unlock;
9fb9cbb1
YK		 357 }
358
efe9f68a
PM		 359 old_state = ct->proto.sctp.state;
360 new_state = sctp_new_state(dir, old_state, sch->type);
9fb9cbb1
YK		 361
362 /* Invalid */
efe9f68a 363 if (new_state == SCTP_CONNTRACK_MAX) {
0d53778e
PM		 364 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
365 "conntrack=%u\n",
efe9f68a 366 dir, sch->type, old_state);
b37e933a 367 goto out_unlock;
9fb9cbb1
YK		 368 }
369
370 /* If it is an INIT or an INIT ACK note down the vtag */
5447d477
PM		 371 if (sch->type == SCTP_CID_INIT ||
372 sch->type == SCTP_CID_INIT_ACK) {
9fb9cbb1
YK		 373 sctp_inithdr_t _inithdr, *ih;
374
375 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
601e68e1 376 sizeof(_inithdr), &_inithdr);
b37e933a
PM		 377 if (ih == NULL)
378 goto out_unlock;
0d53778e 379 pr_debug("Setting vtag %x for dir %d\n",
8528819a
PM		 380 ih->init_tag, !dir);
381 ct->proto.sctp.vtag[!dir] = ih->init_tag;
9fb9cbb1
YK		 382 }
383
efe9f68a
PM		 384 ct->proto.sctp.state = new_state;
385 if (old_state != new_state)
a71996fc 386 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
9fb9cbb1 387 }
440f0d58 388 spin_unlock_bh(&ct->lock);
9fb9cbb1 389
2c8503f5 390 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
9fb9cbb1 391
efe9f68a 392 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
8528819a 393 dir == IP_CT_DIR_REPLY &&
efe9f68a 394 new_state == SCTP_CONNTRACK_ESTABLISHED) {
0d53778e 395 pr_debug("Setting assured bit\n");
112f35c9 396 set_bit(IPS_ASSURED_BIT, &ct->status);
858b3133 397 nf_conntrack_event_cache(IPCT_ASSURED, ct);
9fb9cbb1
YK		 398 }
399
400 return NF_ACCEPT;
b37e933a
PM		 401
402out_unlock:
440f0d58 403 spin_unlock_bh(&ct->lock);
b37e933a
PM		 404out:
405 return -NF_ACCEPT;
9fb9cbb1
YK		 406}
407
408/* Called when a new connection for this protocol found. */
09f263cd 409static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
2c8503f5 410 unsigned int dataoff, unsigned int *timeouts)
9fb9cbb1 411{
efe9f68a 412 enum sctp_conntrack new_state;
12c33aa2
JE		 413 const struct sctphdr *sh;
414 struct sctphdr _sctph;
415 const struct sctp_chunkhdr *sch;
416 struct sctp_chunkhdr _sch;
9fb9cbb1 417 u_int32_t offset, count;
35c6d3cb 418 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
9fb9cbb1 419
9fb9cbb1
YK		 420 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
421 if (sh == NULL)
09f263cd 422 return false;
9fb9cbb1 423
112f35c9 424 if (do_basic_checks(ct, skb, dataoff, map) != 0)
09f263cd 425 return false;
9fb9cbb1
YK		 426
427 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
35c6d3cb
PM		 428 if (test_bit(SCTP_CID_ABORT, map) ||
429 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
430 test_bit(SCTP_CID_COOKIE_ACK, map))
09f263cd 431 return false;
9fb9cbb1 432
e5fc9e7a 433 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
efe9f68a 434 new_state = SCTP_CONNTRACK_MAX;
9fb9cbb1
YK		 435 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
436 /* Don't need lock here: this conntrack not in circulation yet */
efe9f68a
PM		 437 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
438 SCTP_CONNTRACK_NONE, sch->type);
9fb9cbb1
YK		 439
440 /* Invalid: delete conntrack */
efe9f68a
PM		 441 if (new_state == SCTP_CONNTRACK_NONE ||
442 new_state == SCTP_CONNTRACK_MAX) {
0d53778e 443 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
09f263cd 444 return false;
9fb9cbb1
YK		 445 }
446
447 /* Copy the vtag into the state info */
448 if (sch->type == SCTP_CID_INIT) {
449 if (sh->vtag == 0) {
450 sctp_inithdr_t _inithdr, *ih;
451
452 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
601e68e1 453 sizeof(_inithdr), &_inithdr);
9fb9cbb1 454 if (ih == NULL)
09f263cd 455 return false;
9fb9cbb1 456
0d53778e
PM		 457 pr_debug("Setting vtag %x for new conn\n",
458 ih->init_tag);
9fb9cbb1 459
112f35c9 460 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
9fb9cbb1
YK		 461 ih->init_tag;
462 } else {
463 /* Sec 8.5.1 (A) */
09f263cd 464 return false;
9fb9cbb1
YK		 465 }
466 }
467 /* If it is a shutdown ack OOTB packet, we expect a return
468 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
469 else {
0d53778e
PM		 470 pr_debug("Setting vtag %x for new conn OOTB\n",
471 sh->vtag);
112f35c9 472 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
9fb9cbb1
YK		 473 }
474
efe9f68a 475 ct->proto.sctp.state = new_state;
9fb9cbb1
YK		 476 }
477
09f263cd 478 return true;
9fb9cbb1
YK		 479}
480
c0cd1156 481#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e
PNA		 482
483#include <linux/netfilter/nfnetlink.h>
484#include <linux/netfilter/nfnetlink_conntrack.h>
485
486static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
440f0d58 487 struct nf_conn *ct)
a258860e
PNA		 488{
489 struct nlattr *nest_parms;
490
440f0d58 491 spin_lock_bh(&ct->lock);
a258860e
PNA		 492 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
493 if (!nest_parms)
494 goto nla_put_failure;
495
5e8d1eb5
DM		 496 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
497 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
498 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
499 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
500 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
501 goto nla_put_failure;
a258860e 502
440f0d58 503 spin_unlock_bh(&ct->lock);
a258860e
PNA		 504
505 nla_nest_end(skb, nest_parms);
506
507 return 0;
508
509nla_put_failure:
440f0d58 510 spin_unlock_bh(&ct->lock);
a258860e
PNA		 511 return -1;
512}
513
514static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
515 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
516 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
517 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
518};
519
520static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
521{
522 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
523 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
524 int err;
525
526 /* updates may not contain the internal protocol info, skip parsing */
527 if (!attr)
528 return 0;
529
530 err = nla_parse_nested(tb,
531 CTA_PROTOINFO_SCTP_MAX,
532 attr,
533 sctp_nla_policy);
534 if (err < 0)
535 return err;
536
537 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
538 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
539 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
540 return -EINVAL;
541
440f0d58 542 spin_lock_bh(&ct->lock);
a258860e
PNA		 543 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
544 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
5547cd0a 545 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
a258860e 546 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
5547cd0a 547 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
440f0d58 548 spin_unlock_bh(&ct->lock);
a258860e
PNA		 549
550 return 0;
551}
a400c30e
HE		 552
553static int sctp_nlattr_size(void)
554{
555 return nla_total_size(0) /* CTA_PROTOINFO_SCTP */
556 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
557}
a258860e
PNA		 558#endif
559
50978462
PNA		 560#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
561
562#include <linux/netfilter/nfnetlink.h>
563#include <linux/netfilter/nfnetlink_cttimeout.h>
564
8264deb8
G		 565static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
566 struct net *net, void *data)
50978462
PNA		 567{
568 unsigned int *timeouts = data;
8264deb8 569 struct sctp_net *sn = sctp_pernet(net);
50978462
PNA		 570 int i;
571
572 /* set default SCTP timeouts. */
573 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
8264deb8 574 timeouts[i] = sn->timeouts[i];
50978462
PNA		 575
576 /* there's a 1:1 mapping between attributes and protocol states. */
577 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
578 if (tb[i]) {
579 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
580 }
581 }
582 return 0;
583}
584
585static int
586sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
587{
588 const unsigned int *timeouts = data;
589 int i;
590
5e8d1eb5
DM		 591 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
592 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
593 goto nla_put_failure;
594 }
50978462
PNA		 595 return 0;
596
597nla_put_failure:
598 return -ENOSPC;
599}
600
601static const struct nla_policy
602sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
603 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
604 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
605 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
606 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
607 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
608 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
609 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
610};
611#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
612
613
9fb9cbb1 614#ifdef CONFIG_SYSCTL
933a41e7 615static struct ctl_table sctp_sysctl_table[] = {
9fb9cbb1 616 {
9fb9cbb1 617 .procname = "nf_conntrack_sctp_timeout_closed",
9fb9cbb1
YK		 618 .maxlen = sizeof(unsigned int),
619 .mode = 0644,
6d9f239a 620 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 621 },
622 {
9fb9cbb1 623 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
9fb9cbb1
YK		 624 .maxlen = sizeof(unsigned int),
625 .mode = 0644,
6d9f239a 626 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 627 },
628 {
9fb9cbb1 629 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
9fb9cbb1
YK		 630 .maxlen = sizeof(unsigned int),
631 .mode = 0644,
6d9f239a 632 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 633 },
634 {
9fb9cbb1 635 .procname = "nf_conntrack_sctp_timeout_established",
9fb9cbb1
YK		 636 .maxlen = sizeof(unsigned int),
637 .mode = 0644,
6d9f239a 638 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 639 },
640 {
9fb9cbb1 641 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
9fb9cbb1
YK		 642 .maxlen = sizeof(unsigned int),
643 .mode = 0644,
6d9f239a 644 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 645 },
646 {
9fb9cbb1 647 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
9fb9cbb1
YK		 648 .maxlen = sizeof(unsigned int),
649 .mode = 0644,
6d9f239a 650 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1
YK		 651 },
652 {
9fb9cbb1 653 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
9fb9cbb1
YK		 654 .maxlen = sizeof(unsigned int),
655 .mode = 0644,
6d9f239a 656 .proc_handler = proc_dointvec_jiffies,
9fb9cbb1 657 },
f8572d8f 658 { }
9fb9cbb1 659};
a999e683
PM		 660
661#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
662static struct ctl_table sctp_compat_sysctl_table[] = {
663 {
a999e683 664 .procname = "ip_conntrack_sctp_timeout_closed",
a999e683
PM		 665 .maxlen = sizeof(unsigned int),
666 .mode = 0644,
6d9f239a 667 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 668 },
669 {
a999e683 670 .procname = "ip_conntrack_sctp_timeout_cookie_wait",
a999e683
PM		 671 .maxlen = sizeof(unsigned int),
672 .mode = 0644,
6d9f239a 673 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 674 },
675 {
a999e683 676 .procname = "ip_conntrack_sctp_timeout_cookie_echoed",
a999e683
PM		 677 .maxlen = sizeof(unsigned int),
678 .mode = 0644,
6d9f239a 679 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 680 },
681 {
a999e683 682 .procname = "ip_conntrack_sctp_timeout_established",
a999e683
PM		 683 .maxlen = sizeof(unsigned int),
684 .mode = 0644,
6d9f239a 685 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 686 },
687 {
a999e683 688 .procname = "ip_conntrack_sctp_timeout_shutdown_sent",
a999e683
PM		 689 .maxlen = sizeof(unsigned int),
690 .mode = 0644,
6d9f239a 691 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 692 },
693 {
a999e683 694 .procname = "ip_conntrack_sctp_timeout_shutdown_recd",
a999e683
PM		 695 .maxlen = sizeof(unsigned int),
696 .mode = 0644,
6d9f239a 697 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 698 },
699 {
a999e683 700 .procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent",
a999e683
PM		 701 .maxlen = sizeof(unsigned int),
702 .mode = 0644,
6d9f239a 703 .proc_handler = proc_dointvec_jiffies,
a999e683 704 },
f8572d8f 705 { }
a999e683
PM		 706};
707#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
933a41e7 708#endif
9fb9cbb1 709
f42c4183
G		 710static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
711 struct sctp_net *sn)
49d485a3
G		 712{
713#ifdef CONFIG_SYSCTL
49d485a3
G		 714 if (pn->ctl_table)
715 return 0;
716
717 pn->ctl_table = kmemdup(sctp_sysctl_table,
718 sizeof(sctp_sysctl_table),
719 GFP_KERNEL);
720 if (!pn->ctl_table)
721 return -ENOMEM;
722
723 pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
724 pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
725 pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
726 pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
727 pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
728 pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
729 pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
730#endif
731 return 0;
732}
733
f42c4183
G		 734static int sctp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn,
735 struct sctp_net *sn)
49d485a3
G		 736{
737#ifdef CONFIG_SYSCTL
738#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
49d485a3
G		 739 pn->ctl_compat_table = kmemdup(sctp_compat_sysctl_table,
740 sizeof(sctp_compat_sysctl_table),
741 GFP_KERNEL);
742 if (!pn->ctl_compat_table)
743 return -ENOMEM;
744
745 pn->ctl_compat_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
746 pn->ctl_compat_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
747 pn->ctl_compat_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
748 pn->ctl_compat_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
749 pn->ctl_compat_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
750 pn->ctl_compat_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
751 pn->ctl_compat_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
752#endif
753#endif
754 return 0;
755}
756
f42c4183 757static int sctp_init_net(struct net *net, u_int16_t proto)
49d485a3
G		 758{
759 int ret;
760 struct sctp_net *sn = sctp_pernet(net);
f42c4183 761 struct nf_proto_net *pn = &sn->pn;
49d485a3 762
f42c4183
G		 763 if (!pn->users) {
764 int i;
49d485a3 765
f42c4183
G		 766 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
767 sn->timeouts[i] = sctp_timeouts[i];
768 }
49d485a3 769
f42c4183
G		 770 if (proto == AF_INET) {
771 ret = sctp_kmemdup_compat_sysctl_table(pn, sn);
772 if (ret < 0)
773 return ret;
49d485a3 774
f42c4183
G		 775 ret = sctp_kmemdup_sysctl_table(pn, sn);
776 if (ret < 0)
777 nf_ct_kfree_compat_sysctl_table(pn);
778 } else
779 ret = sctp_kmemdup_sysctl_table(pn, sn);
49d485a3 780
49d485a3
G		 781 return ret;
782}
783
61075af5 784static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
933a41e7
PM		 785 .l3proto = PF_INET,
786 .l4proto = IPPROTO_SCTP,
787 .name = "sctp",
788 .pkt_to_tuple = sctp_pkt_to_tuple,
789 .invert_tuple = sctp_invert_tuple,
790 .print_tuple = sctp_print_tuple,
791 .print_conntrack = sctp_print_conntrack,
792 .packet = sctp_packet,
2c8503f5 793 .get_timeouts = sctp_get_timeouts,
933a41e7
PM		 794 .new = sctp_new,
795 .me = THIS_MODULE,
c0cd1156 796#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 797 .to_nlattr = sctp_to_nlattr,
a400c30e 798 .nlattr_size = sctp_nlattr_size,
a258860e 799 .from_nlattr = nlattr_to_sctp,
c7212e9d 800 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 801 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 802 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
803 .nla_policy = nf_ct_port_nla_policy,
804#endif
50978462
PNA		 805#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
806 .ctnl_timeout = {
807 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
808 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
809 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
810 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
811 .nla_policy = sctp_timeout_nla_policy,
812 },
813#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
49d485a3 814 .net_id = &sctp_net_id,
f42c4183 815 .init_net = sctp_init_net,
9fb9cbb1
YK		 816};
817
61075af5 818static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
933a41e7
PM		 819 .l3proto = PF_INET6,
820 .l4proto = IPPROTO_SCTP,
821 .name = "sctp",
822 .pkt_to_tuple = sctp_pkt_to_tuple,
823 .invert_tuple = sctp_invert_tuple,
824 .print_tuple = sctp_print_tuple,
825 .print_conntrack = sctp_print_conntrack,
826 .packet = sctp_packet,
2c8503f5 827 .get_timeouts = sctp_get_timeouts,
933a41e7
PM		 828 .new = sctp_new,
829 .me = THIS_MODULE,
c0cd1156 830#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
a258860e 831 .to_nlattr = sctp_to_nlattr,
a400c30e 832 .nlattr_size = sctp_nlattr_size,
a258860e 833 .from_nlattr = nlattr_to_sctp,
c7212e9d 834 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
a400c30e 835 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
c7212e9d
PNA		 836 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
837 .nla_policy = nf_ct_port_nla_policy,
50978462
PNA		 838#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
839 .ctnl_timeout = {
840 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
841 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
842 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
843 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
844 .nla_policy = sctp_timeout_nla_policy,
845 },
846#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
9fb9cbb1 847#endif
49d485a3 848 .net_id = &sctp_net_id,
f42c4183 849 .init_net = sctp_init_net,
933a41e7 850};
9fb9cbb1 851
49d485a3 852static int sctp_net_init(struct net *net)
9fb9cbb1 853{
49d485a3 854 int ret = 0;
9fb9cbb1 855
c296bb4d 856 ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_sctp4);
49d485a3 857 if (ret < 0) {
c296bb4d 858 pr_err("nf_conntrack_sctp4: pernet registration failed.\n");
9fb9cbb1
YK		 859 goto out;
860 }
c296bb4d 861 ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_sctp6);
49d485a3 862 if (ret < 0) {
c296bb4d 863 pr_err("nf_conntrack_sctp6: pernet registration failed.\n");
9fb9cbb1
YK		 864 goto cleanup_sctp4;
865 }
49d485a3 866 return 0;
9fb9cbb1 867
49d485a3 868cleanup_sctp4:
c296bb4d 869 nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp4);
49d485a3 870out:
9fb9cbb1 871 return ret;
49d485a3 872}
9fb9cbb1 873
49d485a3
G		 874static void sctp_net_exit(struct net *net)
875{
c296bb4d
G		 876 nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp6);
877 nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp4);
49d485a3
G		 878}
879
880static struct pernet_operations sctp_net_ops = {
881 .init = sctp_net_init,
882 .exit = sctp_net_exit,
883 .id = &sctp_net_id,
884 .size = sizeof(struct sctp_net),
885};
886
887static int __init nf_conntrack_proto_sctp_init(void)
888{
c296bb4d
G		 889 int ret;
890
891 ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp4);
892 if (ret < 0)
893 goto out_sctp4;
894
895 ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp6);
896 if (ret < 0)
897 goto out_sctp6;
898
899 ret = register_pernet_subsys(&sctp_net_ops);
900 if (ret < 0)
901 goto out_pernet;
902
903 return 0;
904out_pernet:
905 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
906out_sctp6:
907 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
908out_sctp4:
909 return ret;
9fb9cbb1
YK		 910}
911
2f0d2f10 912static void __exit nf_conntrack_proto_sctp_fini(void)
9fb9cbb1 913{
c296bb4d
G		 914 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
915 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
49d485a3 916 unregister_pernet_subsys(&sctp_net_ops);
9fb9cbb1
YK		 917}
918
65b4b4e8
AM		 919module_init(nf_conntrack_proto_sctp_init);
920module_exit(nf_conntrack_proto_sctp_fini);
9fb9cbb1
YK		 921
922MODULE_LICENSE("GPL");
923MODULE_AUTHOR("Kiran Kumar Immidi");
924MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP");
d2483dde 925MODULE_ALIAS("ip_conntrack_proto_sctp");
kernel source for telekom puls (alcatel/mediatek)