2 * Connection tracking protocol helper module for SCTP.
4 * Copyright (c) 2004 Kiran Kumar Immidi <immidi_kiran@yahoo.com>
5 * Copyright (c) 2004-2012 Patrick McHardy <kaber@trash.net>
7 * SCTP is defined in RFC 2960. References to various sections in this code
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
15 #include <linux/types.h>
16 #include <linux/timer.h>
17 #include <linux/netfilter.h>
18 #include <linux/module.h>
21 #include <linux/sctp.h>
22 #include <linux/string.h>
23 #include <linux/seq_file.h>
24 #include <linux/spinlock.h>
25 #include <linux/interrupt.h>
27 #include <net/netfilter/nf_conntrack.h>
28 #include <net/netfilter/nf_conntrack_l4proto.h>
29 #include <net/netfilter/nf_conntrack_ecache.h>
31 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
32 closely. They're more complex. --RR
34 And so for me for SCTP :D -Kiran */
36 static const char *const sctp_conntrack_names[] = {
50 #define MINS * 60 SECS
51 #define HOURS * 60 MINS
52 #define DAYS * 24 HOURS
54 static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
55 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
56 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
57 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
58 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
59 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
60 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
61 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
62 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
63 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
66 #define sNO SCTP_CONNTRACK_NONE
67 #define sCL SCTP_CONNTRACK_CLOSED
68 #define sCW SCTP_CONNTRACK_COOKIE_WAIT
69 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED
70 #define sES SCTP_CONNTRACK_ESTABLISHED
71 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
72 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
73 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
74 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
75 #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
76 #define sIV SCTP_CONNTRACK_MAX
79 These are the descriptions of the states:
81 NOTE: These state names are tantalizingly similar to the states of an
82 SCTP endpoint. But the interpretation of the states is a little different,
83 considering that these are the states of the connection and not of an end
84 point. Please note the subtleties. -Kiran
86 NONE - Nothing so far.
87 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
88 an INIT_ACK chunk in the reply direction.
89 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
90 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
91 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
92 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
93 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
94 to that of the SHUTDOWN chunk.
95 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
96 the SHUTDOWN chunk. Connection is closed.
97 HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
98 HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
99 that of the HEARTBEAT chunk. Secondary connection is
104 - I have assumed that the first INIT is in the original direction.
105 This messes things when an INIT comes in the reply direction in CLOSED
107 - Check the error type in the reply dir before transitioning from
108 cookie echoed to closed.
109 - Sec 5.2.4 of RFC 2960
110 - Full Multi Homing support.
113 /* SCTP conntrack state transitions */
114 static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
117 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
118 /* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
119 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
120 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
121 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
122 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
123 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
124 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
125 /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
126 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
127 /* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
128 /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
132 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
133 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
134 /* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
135 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
136 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
137 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
138 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
139 /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
140 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
141 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
142 /* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
143 /* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
147 static int sctp_net_id __read_mostly;
149 struct nf_proto_net pn;
150 unsigned int timeouts[SCTP_CONNTRACK_MAX];
153 static inline struct sctp_net *sctp_pernet(struct net *net)
155 return net_generic(net, sctp_net_id);
158 static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
159 struct net *net, struct nf_conntrack_tuple *tuple)
161 const struct sctphdr *hp;
164 /* Actually only need first 8 bytes. */
165 hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
169 tuple->src.u.sctp.port = hp->source;
170 tuple->dst.u.sctp.port = hp->dest;
174 static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
175 const struct nf_conntrack_tuple *orig)
177 tuple->src.u.sctp.port = orig->dst.u.sctp.port;
178 tuple->dst.u.sctp.port = orig->src.u.sctp.port;
182 /* Print out the per-protocol part of the tuple. */
183 static void sctp_print_tuple(struct seq_file *s,
184 const struct nf_conntrack_tuple *tuple)
186 seq_printf(s, "sport=%hu dport=%hu ",
187 ntohs(tuple->src.u.sctp.port),
188 ntohs(tuple->dst.u.sctp.port));
191 /* Print out the private part of the conntrack. */
192 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
194 enum sctp_conntrack state;
196 spin_lock_bh(&ct->lock);
197 state = ct->proto.sctp.state;
198 spin_unlock_bh(&ct->lock);
200 seq_printf(s, "%s ", sctp_conntrack_names[state]);
203 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
204 for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \
205 (offset) < (skb)->len && \
206 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
207 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
209 /* Some validity checks to make sure the chunks are fine */
210 static int do_basic_checks(struct nf_conn *ct,
211 const struct sk_buff *skb,
212 unsigned int dataoff,
215 u_int32_t offset, count;
216 sctp_chunkhdr_t _sch, *sch;
221 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
222 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
224 if (sch->type == SCTP_CID_INIT ||
225 sch->type == SCTP_CID_INIT_ACK ||
226 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
230 * Cookie Ack/Echo chunks not the first OR
231 * Init / Init Ack / Shutdown compl chunks not the only chunks
234 if (((sch->type == SCTP_CID_COOKIE_ACK ||
235 sch->type == SCTP_CID_COOKIE_ECHO ||
237 count != 0) || !sch->length) {
238 pr_debug("Basic checks failed\n");
243 set_bit(sch->type, map);
246 pr_debug("Basic checks passed\n");
250 static int sctp_new_state(enum ip_conntrack_dir dir,
251 enum sctp_conntrack cur_state,
256 pr_debug("Chunk type: %d\n", chunk_type);
258 switch (chunk_type) {
260 pr_debug("SCTP_CID_INIT\n");
263 case SCTP_CID_INIT_ACK:
264 pr_debug("SCTP_CID_INIT_ACK\n");
268 pr_debug("SCTP_CID_ABORT\n");
271 case SCTP_CID_SHUTDOWN:
272 pr_debug("SCTP_CID_SHUTDOWN\n");
275 case SCTP_CID_SHUTDOWN_ACK:
276 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
280 pr_debug("SCTP_CID_ERROR\n");
283 case SCTP_CID_COOKIE_ECHO:
284 pr_debug("SCTP_CID_COOKIE_ECHO\n");
287 case SCTP_CID_COOKIE_ACK:
288 pr_debug("SCTP_CID_COOKIE_ACK\n");
291 case SCTP_CID_SHUTDOWN_COMPLETE:
292 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
295 case SCTP_CID_HEARTBEAT:
296 pr_debug("SCTP_CID_HEARTBEAT");
299 case SCTP_CID_HEARTBEAT_ACK:
300 pr_debug("SCTP_CID_HEARTBEAT_ACK");
304 /* Other chunks like DATA or SACK do not change the state */
305 pr_debug("Unknown chunk type, Will stay in %s\n",
306 sctp_conntrack_names[cur_state]);
310 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
311 dir, sctp_conntrack_names[cur_state], chunk_type,
312 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
314 return sctp_conntracks[dir][i][cur_state];
317 static unsigned int *sctp_get_timeouts(struct net *net)
319 return sctp_pernet(net)->timeouts;
322 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
323 static int sctp_packet(struct nf_conn *ct,
324 const struct sk_buff *skb,
325 unsigned int dataoff,
326 enum ip_conntrack_info ctinfo,
328 unsigned int hooknum,
329 unsigned int *timeouts)
331 enum sctp_conntrack new_state, old_state;
332 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
333 const struct sctphdr *sh;
334 struct sctphdr _sctph;
335 const struct sctp_chunkhdr *sch;
336 struct sctp_chunkhdr _sch;
337 u_int32_t offset, count;
338 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
340 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
344 if (do_basic_checks(ct, skb, dataoff, map) != 0)
347 /* Check the verification tag (Sec 8.5) */
348 if (!test_bit(SCTP_CID_INIT, map) &&
349 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
350 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
351 !test_bit(SCTP_CID_ABORT, map) &&
352 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
353 !test_bit(SCTP_CID_HEARTBEAT, map) &&
354 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
355 sh->vtag != ct->proto.sctp.vtag[dir]) {
356 pr_debug("Verification tag check failed\n");
360 old_state = new_state = SCTP_CONNTRACK_NONE;
361 spin_lock_bh(&ct->lock);
362 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
363 /* Special cases of Verification tag check (Sec 8.5.1) */
364 if (sch->type == SCTP_CID_INIT) {
368 } else if (sch->type == SCTP_CID_ABORT) {
370 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
371 sh->vtag != ct->proto.sctp.vtag[!dir])
373 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
375 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
376 sh->vtag != ct->proto.sctp.vtag[!dir] &&
377 sch->flags & SCTP_CHUNK_FLAG_T)
379 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
381 if (sh->vtag != ct->proto.sctp.vtag[dir])
383 } else if (sch->type == SCTP_CID_HEARTBEAT ||
384 sch->type == SCTP_CID_HEARTBEAT_ACK) {
385 if (ct->proto.sctp.vtag[dir] == 0) {
386 pr_debug("Setting vtag %x for dir %d\n",
388 ct->proto.sctp.vtag[dir] = sh->vtag;
389 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
390 pr_debug("Verification tag check failed\n");
395 old_state = ct->proto.sctp.state;
396 new_state = sctp_new_state(dir, old_state, sch->type);
399 if (new_state == SCTP_CONNTRACK_MAX) {
400 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
402 dir, sch->type, old_state);
406 /* If it is an INIT or an INIT ACK note down the vtag */
407 if (sch->type == SCTP_CID_INIT ||
408 sch->type == SCTP_CID_INIT_ACK) {
409 sctp_inithdr_t _inithdr, *ih;
411 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
412 sizeof(_inithdr), &_inithdr);
415 pr_debug("Setting vtag %x for dir %d\n",
417 ct->proto.sctp.vtag[!dir] = ih->init_tag;
420 ct->proto.sctp.state = new_state;
421 if (old_state != new_state)
422 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
424 spin_unlock_bh(&ct->lock);
426 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
428 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
429 dir == IP_CT_DIR_REPLY &&
430 new_state == SCTP_CONNTRACK_ESTABLISHED) {
431 pr_debug("Setting assured bit\n");
432 set_bit(IPS_ASSURED_BIT, &ct->status);
433 nf_conntrack_event_cache(IPCT_ASSURED, ct);
439 spin_unlock_bh(&ct->lock);
444 /* Called when a new connection for this protocol found. */
445 static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
446 unsigned int dataoff, unsigned int *timeouts)
448 enum sctp_conntrack new_state;
449 const struct sctphdr *sh;
450 struct sctphdr _sctph;
451 const struct sctp_chunkhdr *sch;
452 struct sctp_chunkhdr _sch;
453 u_int32_t offset, count;
454 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
456 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
460 if (do_basic_checks(ct, skb, dataoff, map) != 0)
463 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
464 if (test_bit(SCTP_CID_ABORT, map) ||
465 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
466 test_bit(SCTP_CID_COOKIE_ACK, map))
469 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
470 new_state = SCTP_CONNTRACK_MAX;
471 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
472 /* Don't need lock here: this conntrack not in circulation yet */
473 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
474 SCTP_CONNTRACK_NONE, sch->type);
476 /* Invalid: delete conntrack */
477 if (new_state == SCTP_CONNTRACK_NONE ||
478 new_state == SCTP_CONNTRACK_MAX) {
479 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
483 /* Copy the vtag into the state info */
484 if (sch->type == SCTP_CID_INIT) {
486 sctp_inithdr_t _inithdr, *ih;
488 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
489 sizeof(_inithdr), &_inithdr);
493 pr_debug("Setting vtag %x for new conn\n",
496 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
502 } else if (sch->type == SCTP_CID_HEARTBEAT) {
503 pr_debug("Setting vtag %x for secondary conntrack\n",
505 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
507 /* If it is a shutdown ack OOTB packet, we expect a return
508 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
510 pr_debug("Setting vtag %x for new conn OOTB\n",
512 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
515 ct->proto.sctp.state = new_state;
521 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
523 #include <linux/netfilter/nfnetlink.h>
524 #include <linux/netfilter/nfnetlink_conntrack.h>
526 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
529 struct nlattr *nest_parms;
531 spin_lock_bh(&ct->lock);
532 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
534 goto nla_put_failure;
536 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
537 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
538 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
539 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
540 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
541 goto nla_put_failure;
543 spin_unlock_bh(&ct->lock);
545 nla_nest_end(skb, nest_parms);
550 spin_unlock_bh(&ct->lock);
554 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
555 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
556 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
557 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
560 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
562 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
563 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
566 /* updates may not contain the internal protocol info, skip parsing */
570 err = nla_parse_nested(tb,
571 CTA_PROTOINFO_SCTP_MAX,
577 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
578 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
579 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
582 spin_lock_bh(&ct->lock);
583 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
584 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
585 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
586 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
587 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
588 spin_unlock_bh(&ct->lock);
593 static int sctp_nlattr_size(void)
595 return nla_total_size(0) /* CTA_PROTOINFO_SCTP */
596 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
600 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
602 #include <linux/netfilter/nfnetlink.h>
603 #include <linux/netfilter/nfnetlink_cttimeout.h>
605 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
606 struct net *net, void *data)
608 unsigned int *timeouts = data;
609 struct sctp_net *sn = sctp_pernet(net);
612 /* set default SCTP timeouts. */
613 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
614 timeouts[i] = sn->timeouts[i];
616 /* there's a 1:1 mapping between attributes and protocol states. */
617 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
619 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
626 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
628 const unsigned int *timeouts = data;
631 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
632 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
633 goto nla_put_failure;
641 static const struct nla_policy
642 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
643 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
644 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
645 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
646 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
647 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
648 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
649 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
650 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
651 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
653 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
657 static struct ctl_table sctp_sysctl_table[] = {
659 .procname = "nf_conntrack_sctp_timeout_closed",
660 .maxlen = sizeof(unsigned int),
662 .proc_handler = proc_dointvec_jiffies,
665 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
666 .maxlen = sizeof(unsigned int),
668 .proc_handler = proc_dointvec_jiffies,
671 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
672 .maxlen = sizeof(unsigned int),
674 .proc_handler = proc_dointvec_jiffies,
677 .procname = "nf_conntrack_sctp_timeout_established",
678 .maxlen = sizeof(unsigned int),
680 .proc_handler = proc_dointvec_jiffies,
683 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
684 .maxlen = sizeof(unsigned int),
686 .proc_handler = proc_dointvec_jiffies,
689 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
690 .maxlen = sizeof(unsigned int),
692 .proc_handler = proc_dointvec_jiffies,
695 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
696 .maxlen = sizeof(unsigned int),
698 .proc_handler = proc_dointvec_jiffies,
701 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
702 .maxlen = sizeof(unsigned int),
704 .proc_handler = proc_dointvec_jiffies,
707 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
708 .maxlen = sizeof(unsigned int),
710 .proc_handler = proc_dointvec_jiffies,
715 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
716 static struct ctl_table sctp_compat_sysctl_table[] = {
718 .procname = "ip_conntrack_sctp_timeout_closed",
719 .maxlen = sizeof(unsigned int),
721 .proc_handler = proc_dointvec_jiffies,
724 .procname = "ip_conntrack_sctp_timeout_cookie_wait",
725 .maxlen = sizeof(unsigned int),
727 .proc_handler = proc_dointvec_jiffies,
730 .procname = "ip_conntrack_sctp_timeout_cookie_echoed",
731 .maxlen = sizeof(unsigned int),
733 .proc_handler = proc_dointvec_jiffies,
736 .procname = "ip_conntrack_sctp_timeout_established",
737 .maxlen = sizeof(unsigned int),
739 .proc_handler = proc_dointvec_jiffies,
742 .procname = "ip_conntrack_sctp_timeout_shutdown_sent",
743 .maxlen = sizeof(unsigned int),
745 .proc_handler = proc_dointvec_jiffies,
748 .procname = "ip_conntrack_sctp_timeout_shutdown_recd",
749 .maxlen = sizeof(unsigned int),
751 .proc_handler = proc_dointvec_jiffies,
754 .procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent",
755 .maxlen = sizeof(unsigned int),
757 .proc_handler = proc_dointvec_jiffies,
761 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
764 static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
771 pn->ctl_table = kmemdup(sctp_sysctl_table,
772 sizeof(sctp_sysctl_table),
777 pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
778 pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
779 pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
780 pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
781 pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
782 pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
783 pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
784 pn->ctl_table[7].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_SENT];
785 pn->ctl_table[8].data = &sn->timeouts[SCTP_CONNTRACK_HEARTBEAT_ACKED];
790 static int sctp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn,
794 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
795 pn->ctl_compat_table = kmemdup(sctp_compat_sysctl_table,
796 sizeof(sctp_compat_sysctl_table),
798 if (!pn->ctl_compat_table)
801 pn->ctl_compat_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
802 pn->ctl_compat_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
803 pn->ctl_compat_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
804 pn->ctl_compat_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
805 pn->ctl_compat_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
806 pn->ctl_compat_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
807 pn->ctl_compat_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
813 static int sctp_init_net(struct net *net, u_int16_t proto)
816 struct sctp_net *sn = sctp_pernet(net);
817 struct nf_proto_net *pn = &sn->pn;
822 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
823 sn->timeouts[i] = sctp_timeouts[i];
826 if (proto == AF_INET) {
827 ret = sctp_kmemdup_compat_sysctl_table(pn, sn);
831 ret = sctp_kmemdup_sysctl_table(pn, sn);
833 nf_ct_kfree_compat_sysctl_table(pn);
835 ret = sctp_kmemdup_sysctl_table(pn, sn);
840 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
842 .l4proto = IPPROTO_SCTP,
844 .pkt_to_tuple = sctp_pkt_to_tuple,
845 .invert_tuple = sctp_invert_tuple,
846 .print_tuple = sctp_print_tuple,
847 .print_conntrack = sctp_print_conntrack,
848 .packet = sctp_packet,
849 .get_timeouts = sctp_get_timeouts,
852 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
853 .to_nlattr = sctp_to_nlattr,
854 .nlattr_size = sctp_nlattr_size,
855 .from_nlattr = nlattr_to_sctp,
856 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
857 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
858 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
859 .nla_policy = nf_ct_port_nla_policy,
861 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
863 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
864 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
865 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
866 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
867 .nla_policy = sctp_timeout_nla_policy,
869 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
870 .net_id = &sctp_net_id,
871 .init_net = sctp_init_net,
874 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
876 .l4proto = IPPROTO_SCTP,
878 .pkt_to_tuple = sctp_pkt_to_tuple,
879 .invert_tuple = sctp_invert_tuple,
880 .print_tuple = sctp_print_tuple,
881 .print_conntrack = sctp_print_conntrack,
882 .packet = sctp_packet,
883 .get_timeouts = sctp_get_timeouts,
886 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
887 .to_nlattr = sctp_to_nlattr,
888 .nlattr_size = sctp_nlattr_size,
889 .from_nlattr = nlattr_to_sctp,
890 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
891 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
892 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
893 .nla_policy = nf_ct_port_nla_policy,
894 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
896 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
897 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
898 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
899 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
900 .nla_policy = sctp_timeout_nla_policy,
902 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
904 .net_id = &sctp_net_id,
905 .init_net = sctp_init_net,
908 static int sctp_net_init(struct net *net)
912 ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_sctp4);
914 pr_err("nf_conntrack_sctp4: pernet registration failed.\n");
917 ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_sctp6);
919 pr_err("nf_conntrack_sctp6: pernet registration failed.\n");
925 nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp4);
930 static void sctp_net_exit(struct net *net)
932 nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp6);
933 nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp4);
936 static struct pernet_operations sctp_net_ops = {
937 .init = sctp_net_init,
938 .exit = sctp_net_exit,
940 .size = sizeof(struct sctp_net),
943 static int __init nf_conntrack_proto_sctp_init(void)
947 ret = register_pernet_subsys(&sctp_net_ops);
951 ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp4);
955 ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp6);
961 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
963 unregister_pernet_subsys(&sctp_net_ops);
968 static void __exit nf_conntrack_proto_sctp_fini(void)
970 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
971 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
972 unregister_pernet_subsys(&sctp_net_ops);
975 module_init(nf_conntrack_proto_sctp_init);
976 module_exit(nf_conntrack_proto_sctp_fini);
978 MODULE_LICENSE("GPL");
979 MODULE_AUTHOR("Kiran Kumar Immidi");
980 MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP");
981 MODULE_ALIAS("ip_conntrack_proto_sctp");
Code Review / kvmfornfv.git / blob