1 // SPDX-License-Identifier: GPL-2.0-only
3 * Connection tracking protocol helper module for SCTP.
5 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
6 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
8 * SCTP is defined in RFC 2960. References to various sections in this code
12 #include <linux/types.h>
13 #include <linux/timer.h>
14 #include <linux/netfilter.h>
17 #include <linux/sctp.h>
18 #include <linux/string.h>
19 #include <linux/seq_file.h>
20 #include <linux/spinlock.h>
21 #include <linux/interrupt.h>
22 #include <net/sctp/checksum.h>
24 #include <net/netfilter/nf_log.h>
25 #include <net/netfilter/nf_conntrack.h>
26 #include <net/netfilter/nf_conntrack_l4proto.h>
27 #include <net/netfilter/nf_conntrack_ecache.h>
28 #include <net/netfilter/nf_conntrack_timeout.h>
30 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
31 closely. They're more complex. --RR
33 And so for me for SCTP :D -Kiran */
35 static const char *const sctp_conntrack_names[] = {
49 #define MINS * 60 SECS
50 #define HOURS * 60 MINS
51 #define DAYS * 24 HOURS
53 static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = {
54 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
55 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
56 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
57 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
58 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
59 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
60 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
61 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
62 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
63 [SCTP_CONNTRACK_DATA_SENT] = 30 SECS,
66 #define SCTP_FLAG_HEARTBEAT_VTAG_FAILED 1
68 #define sNO SCTP_CONNTRACK_NONE
69 #define sCL SCTP_CONNTRACK_CLOSED
70 #define sCW SCTP_CONNTRACK_COOKIE_WAIT
71 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED
72 #define sES SCTP_CONNTRACK_ESTABLISHED
73 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
74 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
75 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
76 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
77 #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
78 #define sDS SCTP_CONNTRACK_DATA_SENT
79 #define sIV SCTP_CONNTRACK_MAX
82 These are the descriptions of the states:
84 NOTE: These state names are tantalizingly similar to the states of an
85 SCTP endpoint. But the interpretation of the states is a little different,
86 considering that these are the states of the connection and not of an end
87 point. Please note the subtleties. -Kiran
89 NONE - Nothing so far.
90 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
91 an INIT_ACK chunk in the reply direction.
92 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
93 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
94 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
95 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply direction.
96 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
97 to that of the SHUTDOWN chunk.
98 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
99 the SHUTDOWN chunk. Connection is closed.
100 HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
101 HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK/DATA/SACK in the direction
102 opposite to that of the HEARTBEAT/DATA chunk. Secondary connection
104 DATA_SENT - We have seen a DATA/SACK in a new flow.
108 - I have assumed that the first INIT is in the original direction.
109 This messes things when an INIT comes in the reply direction in CLOSED
111 - Check the error type in the reply dir before transitioning from
112 cookie echoed to closed.
113 - Sec 5.2.4 of RFC 2960
114 - Full Multi Homing support.
117 /* SCTP conntrack state transitions */
118 static const u8 sctp_conntracks[2][12][SCTP_CONNTRACK_MAX] = {
121 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS */
122 /* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA, sCW},
123 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},
124 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
125 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS, sCL},
126 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA, sSA},
127 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* Can't have Stale cookie*/
128 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* 5.2.4 - Big TODO */
129 /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* Can't come in orig dir */
130 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA, sCL},
131 /* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS},
132 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS},
133 /* data/sack */ {sDS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS}
137 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS */
138 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV},/* INIT in sCL Big TODO */
139 /* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV},
140 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL, sIV},
141 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR, sIV},
142 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA, sIV},
143 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA, sIV},
144 /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV},/* Can't come in reply dir */
145 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA, sIV},
146 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA, sIV},
147 /* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sHA},
148 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA, sHA},
149 /* data/sack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA, sHA},
153 #ifdef CONFIG_NF_CONNTRACK_PROCFS
154 /* Print out the private part of the conntrack. */
155 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
157 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
161 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
162 for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \
163 (offset) < (skb)->len && \
164 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
165 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
167 /* Some validity checks to make sure the chunks are fine */
168 static int do_basic_checks(struct nf_conn *ct,
169 const struct sk_buff *skb,
170 unsigned int dataoff,
173 u_int32_t offset, count;
174 struct sctp_chunkhdr _sch, *sch;
179 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
180 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
182 if (sch->type == SCTP_CID_INIT ||
183 sch->type == SCTP_CID_INIT_ACK ||
184 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
188 * Cookie Ack/Echo chunks not the first OR
189 * Init / Init Ack / Shutdown compl chunks not the only chunks
192 if (((sch->type == SCTP_CID_COOKIE_ACK ||
193 sch->type == SCTP_CID_COOKIE_ECHO ||
195 count != 0) || !sch->length) {
196 pr_debug("Basic checks failed\n");
201 set_bit(sch->type, map);
204 pr_debug("Basic checks passed\n");
208 static int sctp_new_state(enum ip_conntrack_dir dir,
209 enum sctp_conntrack cur_state,
214 pr_debug("Chunk type: %d\n", chunk_type);
216 switch (chunk_type) {
218 pr_debug("SCTP_CID_INIT\n");
221 case SCTP_CID_INIT_ACK:
222 pr_debug("SCTP_CID_INIT_ACK\n");
226 pr_debug("SCTP_CID_ABORT\n");
229 case SCTP_CID_SHUTDOWN:
230 pr_debug("SCTP_CID_SHUTDOWN\n");
233 case SCTP_CID_SHUTDOWN_ACK:
234 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
238 pr_debug("SCTP_CID_ERROR\n");
241 case SCTP_CID_COOKIE_ECHO:
242 pr_debug("SCTP_CID_COOKIE_ECHO\n");
245 case SCTP_CID_COOKIE_ACK:
246 pr_debug("SCTP_CID_COOKIE_ACK\n");
249 case SCTP_CID_SHUTDOWN_COMPLETE:
250 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
253 case SCTP_CID_HEARTBEAT:
254 pr_debug("SCTP_CID_HEARTBEAT");
257 case SCTP_CID_HEARTBEAT_ACK:
258 pr_debug("SCTP_CID_HEARTBEAT_ACK");
263 pr_debug("SCTP_CID_DATA/SACK");
267 /* Other chunks like DATA or SACK do not change the state */
268 pr_debug("Unknown chunk type, Will stay in %s\n",
269 sctp_conntrack_names[cur_state]);
273 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
274 dir, sctp_conntrack_names[cur_state], chunk_type,
275 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
277 return sctp_conntracks[dir][i][cur_state];
280 /* Don't need lock here: this conntrack not in circulation yet */
282 sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
283 const struct sctphdr *sh, unsigned int dataoff)
285 enum sctp_conntrack new_state;
286 const struct sctp_chunkhdr *sch;
287 struct sctp_chunkhdr _sch;
290 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
291 new_state = SCTP_CONNTRACK_MAX;
292 for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) {
293 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
294 SCTP_CONNTRACK_NONE, sch->type);
296 /* Invalid: delete conntrack */
297 if (new_state == SCTP_CONNTRACK_NONE ||
298 new_state == SCTP_CONNTRACK_MAX) {
299 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
303 /* Copy the vtag into the state info */
304 if (sch->type == SCTP_CID_INIT) {
305 struct sctp_inithdr _inithdr, *ih;
310 ih = skb_header_pointer(skb, offset + sizeof(_sch),
311 sizeof(_inithdr), &_inithdr);
315 pr_debug("Setting vtag %x for new conn\n",
318 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
319 } else if (sch->type == SCTP_CID_HEARTBEAT ||
320 sch->type == SCTP_CID_DATA ||
321 sch->type == SCTP_CID_SACK) {
322 pr_debug("Setting vtag %x for secondary conntrack\n",
324 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
326 /* If it is a shutdown ack OOTB packet, we expect a return
327 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
328 pr_debug("Setting vtag %x for new conn OOTB\n",
330 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
333 ct->proto.sctp.state = SCTP_CONNTRACK_NONE;
339 static bool sctp_error(struct sk_buff *skb,
340 unsigned int dataoff,
341 const struct nf_hook_state *state)
343 const struct sctphdr *sh;
346 if (skb->len < dataoff + sizeof(struct sctphdr)) {
347 logmsg = "nf_ct_sctp: short packet ";
350 if (state->hook == NF_INET_PRE_ROUTING &&
351 state->net->ct.sysctl_checksum &&
352 skb->ip_summed == CHECKSUM_NONE) {
353 if (skb_ensure_writable(skb, dataoff + sizeof(*sh))) {
354 logmsg = "nf_ct_sctp: failed to read header ";
357 sh = (const struct sctphdr *)(skb->data + dataoff);
358 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
359 logmsg = "nf_ct_sctp: bad CRC ";
362 skb->ip_summed = CHECKSUM_UNNECESSARY;
366 nf_l4proto_log_invalid(skb, state, IPPROTO_SCTP, "%s", logmsg);
370 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
371 int nf_conntrack_sctp_packet(struct nf_conn *ct,
373 unsigned int dataoff,
374 enum ip_conntrack_info ctinfo,
375 const struct nf_hook_state *state)
377 enum sctp_conntrack new_state, old_state;
378 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
379 const struct sctphdr *sh;
380 struct sctphdr _sctph;
381 const struct sctp_chunkhdr *sch;
382 struct sctp_chunkhdr _sch;
383 u_int32_t offset, count;
384 unsigned int *timeouts;
385 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
388 if (sctp_error(skb, dataoff, state))
391 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
395 if (do_basic_checks(ct, skb, dataoff, map) != 0)
398 if (!nf_ct_is_confirmed(ct)) {
399 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
400 if (test_bit(SCTP_CID_ABORT, map) ||
401 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
402 test_bit(SCTP_CID_COOKIE_ACK, map))
405 if (!sctp_new(ct, skb, sh, dataoff))
408 /* Check the verification tag (Sec 8.5) */
409 if (!test_bit(SCTP_CID_INIT, map) &&
410 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
411 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
412 !test_bit(SCTP_CID_ABORT, map) &&
413 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
414 !test_bit(SCTP_CID_HEARTBEAT, map) &&
415 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
416 sh->vtag != ct->proto.sctp.vtag[dir]) {
417 pr_debug("Verification tag check failed\n");
422 old_state = new_state = SCTP_CONNTRACK_NONE;
423 spin_lock_bh(&ct->lock);
424 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
425 /* Special cases of Verification tag check (Sec 8.5.1) */
426 if (sch->type == SCTP_CID_INIT) {
427 /* (A) vtag MUST be zero */
430 } else if (sch->type == SCTP_CID_ABORT) {
431 /* (B) vtag MUST match own vtag if T flag is unset OR
432 * MUST match peer's vtag if T flag is set
434 if ((!(sch->flags & SCTP_CHUNK_FLAG_T) &&
435 sh->vtag != ct->proto.sctp.vtag[dir]) ||
436 ((sch->flags & SCTP_CHUNK_FLAG_T) &&
437 sh->vtag != ct->proto.sctp.vtag[!dir]))
439 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
440 /* (C) vtag MUST match own vtag if T flag is unset OR
441 * MUST match peer's vtag if T flag is set
443 if ((!(sch->flags & SCTP_CHUNK_FLAG_T) &&
444 sh->vtag != ct->proto.sctp.vtag[dir]) ||
445 ((sch->flags & SCTP_CHUNK_FLAG_T) &&
446 sh->vtag != ct->proto.sctp.vtag[!dir]))
448 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
449 /* (D) vtag must be same as init_vtag as found in INIT_ACK */
450 if (sh->vtag != ct->proto.sctp.vtag[dir])
452 } else if (sch->type == SCTP_CID_HEARTBEAT) {
453 if (ct->proto.sctp.vtag[dir] == 0) {
454 pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir);
455 ct->proto.sctp.vtag[dir] = sh->vtag;
456 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
457 if (test_bit(SCTP_CID_DATA, map) || ignore)
460 ct->proto.sctp.flags |= SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
461 ct->proto.sctp.last_dir = dir;
464 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) {
465 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
467 } else if (sch->type == SCTP_CID_HEARTBEAT_ACK) {
468 if (ct->proto.sctp.vtag[dir] == 0) {
469 pr_debug("Setting vtag %x for dir %d\n",
471 ct->proto.sctp.vtag[dir] = sh->vtag;
472 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
473 if (test_bit(SCTP_CID_DATA, map) || ignore)
476 if ((ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) == 0 ||
477 ct->proto.sctp.last_dir == dir)
480 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
481 ct->proto.sctp.vtag[dir] = sh->vtag;
482 ct->proto.sctp.vtag[!dir] = 0;
483 } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) {
484 ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
486 } else if (sch->type == SCTP_CID_DATA || sch->type == SCTP_CID_SACK) {
487 if (ct->proto.sctp.vtag[dir] == 0) {
488 pr_debug("Setting vtag %x for dir %d\n", sh->vtag, dir);
489 ct->proto.sctp.vtag[dir] = sh->vtag;
493 old_state = ct->proto.sctp.state;
494 new_state = sctp_new_state(dir, old_state, sch->type);
497 if (new_state == SCTP_CONNTRACK_MAX) {
498 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
500 dir, sch->type, old_state);
504 /* If it is an INIT or an INIT ACK note down the vtag */
505 if (sch->type == SCTP_CID_INIT ||
506 sch->type == SCTP_CID_INIT_ACK) {
507 struct sctp_inithdr _inithdr, *ih;
509 ih = skb_header_pointer(skb, offset + sizeof(_sch),
510 sizeof(_inithdr), &_inithdr);
513 pr_debug("Setting vtag %x for dir %d\n",
515 ct->proto.sctp.vtag[!dir] = ih->init_tag;
517 /* don't renew timeout on init retransmit so
518 * port reuse by client or NAT middlebox cannot
519 * keep entry alive indefinitely (incl. nat info).
521 if (new_state == SCTP_CONNTRACK_CLOSED &&
522 old_state == SCTP_CONNTRACK_CLOSED &&
523 nf_ct_is_confirmed(ct))
527 ct->proto.sctp.state = new_state;
528 if (old_state != new_state)
529 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
531 spin_unlock_bh(&ct->lock);
533 /* allow but do not refresh timeout */
537 timeouts = nf_ct_timeout_lookup(ct);
539 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts;
541 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
543 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
544 dir == IP_CT_DIR_REPLY &&
545 new_state == SCTP_CONNTRACK_ESTABLISHED) {
546 pr_debug("Setting assured bit\n");
547 set_bit(IPS_ASSURED_BIT, &ct->status);
548 nf_conntrack_event_cache(IPCT_ASSURED, ct);
554 spin_unlock_bh(&ct->lock);
559 static bool sctp_can_early_drop(const struct nf_conn *ct)
561 switch (ct->proto.sctp.state) {
562 case SCTP_CONNTRACK_SHUTDOWN_SENT:
563 case SCTP_CONNTRACK_SHUTDOWN_RECD:
564 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
573 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
575 #include <linux/netfilter/nfnetlink.h>
576 #include <linux/netfilter/nfnetlink_conntrack.h>
578 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
579 struct nf_conn *ct, bool destroy)
581 struct nlattr *nest_parms;
583 spin_lock_bh(&ct->lock);
584 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP);
586 goto nla_put_failure;
588 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state))
589 goto nla_put_failure;
594 if (nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
595 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
596 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
597 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
598 goto nla_put_failure;
601 spin_unlock_bh(&ct->lock);
602 nla_nest_end(skb, nest_parms);
607 spin_unlock_bh(&ct->lock);
611 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
612 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
613 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
614 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
617 #define SCTP_NLATTR_SIZE ( \
618 NLA_ALIGN(NLA_HDRLEN + 1) + \
619 NLA_ALIGN(NLA_HDRLEN + 4) + \
620 NLA_ALIGN(NLA_HDRLEN + 4))
622 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
624 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
625 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
628 /* updates may not contain the internal protocol info, skip parsing */
632 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr,
633 sctp_nla_policy, NULL);
637 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
638 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
639 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
642 spin_lock_bh(&ct->lock);
643 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
644 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
645 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
646 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
647 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
648 spin_unlock_bh(&ct->lock);
654 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
656 #include <linux/netfilter/nfnetlink.h>
657 #include <linux/netfilter/nfnetlink_cttimeout.h>
659 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
660 struct net *net, void *data)
662 unsigned int *timeouts = data;
663 struct nf_sctp_net *sn = nf_sctp_pernet(net);
667 timeouts = sn->timeouts;
669 /* set default SCTP timeouts. */
670 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
671 timeouts[i] = sn->timeouts[i];
673 /* there's a 1:1 mapping between attributes and protocol states. */
674 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
676 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
680 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED];
685 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
687 const unsigned int *timeouts = data;
690 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
691 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
692 goto nla_put_failure;
700 static const struct nla_policy
701 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
702 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
703 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
704 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
705 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
706 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
707 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
708 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
709 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
710 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
711 [CTA_TIMEOUT_SCTP_DATA_SENT] = { .type = NLA_U32 },
713 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
715 void nf_conntrack_sctp_init_net(struct net *net)
717 struct nf_sctp_net *sn = nf_sctp_pernet(net);
720 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
721 sn->timeouts[i] = sctp_timeouts[i];
723 /* timeouts[0] is unused, init it so ->timeouts[0] contains
724 * 'new' timeout, like udp or icmp.
726 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
729 const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = {
730 .l4proto = IPPROTO_SCTP,
731 #ifdef CONFIG_NF_CONNTRACK_PROCFS
732 .print_conntrack = sctp_print_conntrack,
734 .can_early_drop = sctp_can_early_drop,
735 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
736 .nlattr_size = SCTP_NLATTR_SIZE,
737 .to_nlattr = sctp_to_nlattr,
738 .from_nlattr = nlattr_to_sctp,
739 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
740 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
741 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
742 .nla_policy = nf_ct_port_nla_policy,
744 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
746 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
747 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
748 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
749 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
750 .nla_policy = sctp_timeout_nla_policy,
752 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */