/net/netfilter/nf_conntrack_proto_dccp.c

https://bitbucket.org/abioy/linux · C · 896 lines · 542 code · 70 blank · 284 comment · 54 complexity · 879115b12a14435050f7da1504a17416 MD5 · raw file

  1. /*
  2. * DCCP connection tracking protocol helper
  3. *
  4. * Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net>
  5. *
  6. * This program is free software; you can redistribute it and/or modify
  7. * it under the terms of the GNU General Public License version 2 as
  8. * published by the Free Software Foundation.
  9. *
  10. */
  11. #include <linux/kernel.h>
  12. #include <linux/module.h>
  13. #include <linux/init.h>
  14. #include <linux/sysctl.h>
  15. #include <linux/spinlock.h>
  16. #include <linux/skbuff.h>
  17. #include <linux/dccp.h>
  18. #include <linux/slab.h>
  19. #include <net/net_namespace.h>
  20. #include <net/netns/generic.h>
  21. #include <linux/netfilter/nfnetlink_conntrack.h>
  22. #include <net/netfilter/nf_conntrack.h>
  23. #include <net/netfilter/nf_conntrack_l4proto.h>
  24. #include <net/netfilter/nf_conntrack_ecache.h>
  25. #include <net/netfilter/nf_log.h>
  26. /* Timeouts are based on values from RFC4340:
  27. *
  28. * - REQUEST:
  29. *
  30. * 8.1.2. Client Request
  31. *
  32. * A client MAY give up on its DCCP-Requests after some time
  33. * (3 minutes, for example).
  34. *
  35. * - RESPOND:
  36. *
  37. * 8.1.3. Server Response
  38. *
  39. * It MAY also leave the RESPOND state for CLOSED after a timeout of
  40. * not less than 4MSL (8 minutes);
  41. *
  42. * - PARTOPEN:
  43. *
  44. * 8.1.5. Handshake Completion
  45. *
  46. * If the client remains in PARTOPEN for more than 4MSL (8 minutes),
  47. * it SHOULD reset the connection with Reset Code 2, "Aborted".
  48. *
  49. * - OPEN:
  50. *
  51. * The DCCP timestamp overflows after 11.9 hours. If the connection
  52. * stays idle this long the sequence number won't be recognized
  53. * as valid anymore.
  54. *
  55. * - CLOSEREQ/CLOSING:
  56. *
  57. * 8.3. Termination
  58. *
  59. * The retransmission timer should initially be set to go off in two
  60. * round-trip times and should back off to not less than once every
  61. * 64 seconds ...
  62. *
  63. * - TIMEWAIT:
  64. *
  65. * 4.3. States
  66. *
  67. * A server or client socket remains in this state for 2MSL (4 minutes)
  68. * after the connection has been town down, ...
  69. */
  70. #define DCCP_MSL (2 * 60 * HZ)
  71. static const char * const dccp_state_names[] = {
  72. [CT_DCCP_NONE] = "NONE",
  73. [CT_DCCP_REQUEST] = "REQUEST",
  74. [CT_DCCP_RESPOND] = "RESPOND",
  75. [CT_DCCP_PARTOPEN] = "PARTOPEN",
  76. [CT_DCCP_OPEN] = "OPEN",
  77. [CT_DCCP_CLOSEREQ] = "CLOSEREQ",
  78. [CT_DCCP_CLOSING] = "CLOSING",
  79. [CT_DCCP_TIMEWAIT] = "TIMEWAIT",
  80. [CT_DCCP_IGNORE] = "IGNORE",
  81. [CT_DCCP_INVALID] = "INVALID",
  82. };
  83. #define sNO CT_DCCP_NONE
  84. #define sRQ CT_DCCP_REQUEST
  85. #define sRS CT_DCCP_RESPOND
  86. #define sPO CT_DCCP_PARTOPEN
  87. #define sOP CT_DCCP_OPEN
  88. #define sCR CT_DCCP_CLOSEREQ
  89. #define sCG CT_DCCP_CLOSING
  90. #define sTW CT_DCCP_TIMEWAIT
  91. #define sIG CT_DCCP_IGNORE
  92. #define sIV CT_DCCP_INVALID
  93. /*
  94. * DCCP state transistion table
  95. *
  96. * The assumption is the same as for TCP tracking:
  97. *
  98. * We are the man in the middle. All the packets go through us but might
  99. * get lost in transit to the destination. It is assumed that the destination
  100. * can't receive segments we haven't seen.
  101. *
  102. * The following states exist:
  103. *
  104. * NONE: Initial state, expecting Request
  105. * REQUEST: Request seen, waiting for Response from server
  106. * RESPOND: Response from server seen, waiting for Ack from client
  107. * PARTOPEN: Ack after Response seen, waiting for packet other than Response,
  108. * Reset or Sync from server
  109. * OPEN: Packet other than Response, Reset or Sync seen
  110. * CLOSEREQ: CloseReq from server seen, expecting Close from client
  111. * CLOSING: Close seen, expecting Reset
  112. * TIMEWAIT: Reset seen
  113. * IGNORE: Not determinable whether packet is valid
  114. *
  115. * Some states exist only on one side of the connection: REQUEST, RESPOND,
  116. * PARTOPEN, CLOSEREQ. For the other side these states are equivalent to
  117. * the one it was in before.
  118. *
  119. * Packets are marked as ignored (sIG) if we don't know if they're valid
  120. * (for example a reincarnation of a connection we didn't notice is dead
  121. * already) and the server may send back a connection closing Reset or a
  122. * Response. They're also used for Sync/SyncAck packets, which we don't
  123. * care about.
  124. */
  125. static const u_int8_t
  126. dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = {
  127. [CT_DCCP_ROLE_CLIENT] = {
  128. [DCCP_PKT_REQUEST] = {
  129. /*
  130. * sNO -> sRQ Regular Request
  131. * sRQ -> sRQ Retransmitted Request or reincarnation
  132. * sRS -> sRS Retransmitted Request (apparently Response
  133. * got lost after we saw it) or reincarnation
  134. * sPO -> sIG Ignore, conntrack might be out of sync
  135. * sOP -> sIG Ignore, conntrack might be out of sync
  136. * sCR -> sIG Ignore, conntrack might be out of sync
  137. * sCG -> sIG Ignore, conntrack might be out of sync
  138. * sTW -> sRQ Reincarnation
  139. *
  140. * sNO, sRQ, sRS, sPO. sOP, sCR, sCG, sTW, */
  141. sRQ, sRQ, sRS, sIG, sIG, sIG, sIG, sRQ,
  142. },
  143. [DCCP_PKT_RESPONSE] = {
  144. /*
  145. * sNO -> sIV Invalid
  146. * sRQ -> sIG Ignore, might be response to ignored Request
  147. * sRS -> sIG Ignore, might be response to ignored Request
  148. * sPO -> sIG Ignore, might be response to ignored Request
  149. * sOP -> sIG Ignore, might be response to ignored Request
  150. * sCR -> sIG Ignore, might be response to ignored Request
  151. * sCG -> sIG Ignore, might be response to ignored Request
  152. * sTW -> sIV Invalid, reincarnation in reverse direction
  153. * goes through sRQ
  154. *
  155. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  156. sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIV,
  157. },
  158. [DCCP_PKT_ACK] = {
  159. /*
  160. * sNO -> sIV No connection
  161. * sRQ -> sIV No connection
  162. * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.)
  163. * sPO -> sPO Retransmitted Ack for Response, remain in PARTOPEN
  164. * sOP -> sOP Regular ACK, remain in OPEN
  165. * sCR -> sCR Ack in CLOSEREQ MAY be processed (8.3.)
  166. * sCG -> sCG Ack in CLOSING MAY be processed (8.3.)
  167. * sTW -> sIV
  168. *
  169. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  170. sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
  171. },
  172. [DCCP_PKT_DATA] = {
  173. /*
  174. * sNO -> sIV No connection
  175. * sRQ -> sIV No connection
  176. * sRS -> sIV No connection
  177. * sPO -> sIV MUST use DataAck in PARTOPEN state (8.1.5.)
  178. * sOP -> sOP Regular Data packet
  179. * sCR -> sCR Data in CLOSEREQ MAY be processed (8.3.)
  180. * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
  181. * sTW -> sIV
  182. *
  183. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  184. sIV, sIV, sIV, sIV, sOP, sCR, sCG, sIV,
  185. },
  186. [DCCP_PKT_DATAACK] = {
  187. /*
  188. * sNO -> sIV No connection
  189. * sRQ -> sIV No connection
  190. * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.)
  191. * sPO -> sPO Remain in PARTOPEN state
  192. * sOP -> sOP Regular DataAck packet in OPEN state
  193. * sCR -> sCR DataAck in CLOSEREQ MAY be processed (8.3.)
  194. * sCG -> sCG DataAck in CLOSING MAY be processed (8.3.)
  195. * sTW -> sIV
  196. *
  197. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  198. sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
  199. },
  200. [DCCP_PKT_CLOSEREQ] = {
  201. /*
  202. * CLOSEREQ may only be sent by the server.
  203. *
  204. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  205. sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV
  206. },
  207. [DCCP_PKT_CLOSE] = {
  208. /*
  209. * sNO -> sIV No connection
  210. * sRQ -> sIV No connection
  211. * sRS -> sIV No connection
  212. * sPO -> sCG Client-initiated close
  213. * sOP -> sCG Client-initiated close
  214. * sCR -> sCG Close in response to CloseReq (8.3.)
  215. * sCG -> sCG Retransmit
  216. * sTW -> sIV Late retransmit, already in TIME_WAIT
  217. *
  218. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  219. sIV, sIV, sIV, sCG, sCG, sCG, sIV, sIV
  220. },
  221. [DCCP_PKT_RESET] = {
  222. /*
  223. * sNO -> sIV No connection
  224. * sRQ -> sTW Sync received or timeout, SHOULD send Reset (8.1.1.)
  225. * sRS -> sTW Response received without Request
  226. * sPO -> sTW Timeout, SHOULD send Reset (8.1.5.)
  227. * sOP -> sTW Connection reset
  228. * sCR -> sTW Connection reset
  229. * sCG -> sTW Connection reset
  230. * sTW -> sIG Ignore (don't refresh timer)
  231. *
  232. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  233. sIV, sTW, sTW, sTW, sTW, sTW, sTW, sIG
  234. },
  235. [DCCP_PKT_SYNC] = {
  236. /*
  237. * We currently ignore Sync packets
  238. *
  239. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  240. sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
  241. },
  242. [DCCP_PKT_SYNCACK] = {
  243. /*
  244. * We currently ignore SyncAck packets
  245. *
  246. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  247. sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
  248. },
  249. },
  250. [CT_DCCP_ROLE_SERVER] = {
  251. [DCCP_PKT_REQUEST] = {
  252. /*
  253. * sNO -> sIV Invalid
  254. * sRQ -> sIG Ignore, conntrack might be out of sync
  255. * sRS -> sIG Ignore, conntrack might be out of sync
  256. * sPO -> sIG Ignore, conntrack might be out of sync
  257. * sOP -> sIG Ignore, conntrack might be out of sync
  258. * sCR -> sIG Ignore, conntrack might be out of sync
  259. * sCG -> sIG Ignore, conntrack might be out of sync
  260. * sTW -> sRQ Reincarnation, must reverse roles
  261. *
  262. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  263. sIV, sIG, sIG, sIG, sIG, sIG, sIG, sRQ
  264. },
  265. [DCCP_PKT_RESPONSE] = {
  266. /*
  267. * sNO -> sIV Response without Request
  268. * sRQ -> sRS Response to clients Request
  269. * sRS -> sRS Retransmitted Response (8.1.3. SHOULD NOT)
  270. * sPO -> sIG Response to an ignored Request or late retransmit
  271. * sOP -> sIG Ignore, might be response to ignored Request
  272. * sCR -> sIG Ignore, might be response to ignored Request
  273. * sCG -> sIG Ignore, might be response to ignored Request
  274. * sTW -> sIV Invalid, Request from client in sTW moves to sRQ
  275. *
  276. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  277. sIV, sRS, sRS, sIG, sIG, sIG, sIG, sIV
  278. },
  279. [DCCP_PKT_ACK] = {
  280. /*
  281. * sNO -> sIV No connection
  282. * sRQ -> sIV No connection
  283. * sRS -> sIV No connection
  284. * sPO -> sOP Enter OPEN state (8.1.5.)
  285. * sOP -> sOP Regular Ack in OPEN state
  286. * sCR -> sIV Waiting for Close from client
  287. * sCG -> sCG Ack in CLOSING MAY be processed (8.3.)
  288. * sTW -> sIV
  289. *
  290. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  291. sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
  292. },
  293. [DCCP_PKT_DATA] = {
  294. /*
  295. * sNO -> sIV No connection
  296. * sRQ -> sIV No connection
  297. * sRS -> sIV No connection
  298. * sPO -> sOP Enter OPEN state (8.1.5.)
  299. * sOP -> sOP Regular Data packet in OPEN state
  300. * sCR -> sIV Waiting for Close from client
  301. * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
  302. * sTW -> sIV
  303. *
  304. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  305. sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
  306. },
  307. [DCCP_PKT_DATAACK] = {
  308. /*
  309. * sNO -> sIV No connection
  310. * sRQ -> sIV No connection
  311. * sRS -> sIV No connection
  312. * sPO -> sOP Enter OPEN state (8.1.5.)
  313. * sOP -> sOP Regular DataAck in OPEN state
  314. * sCR -> sIV Waiting for Close from client
  315. * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
  316. * sTW -> sIV
  317. *
  318. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  319. sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
  320. },
  321. [DCCP_PKT_CLOSEREQ] = {
  322. /*
  323. * sNO -> sIV No connection
  324. * sRQ -> sIV No connection
  325. * sRS -> sIV No connection
  326. * sPO -> sOP -> sCR Move directly to CLOSEREQ (8.1.5.)
  327. * sOP -> sCR CloseReq in OPEN state
  328. * sCR -> sCR Retransmit
  329. * sCG -> sCR Simultaneous close, client sends another Close
  330. * sTW -> sIV Already closed
  331. *
  332. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  333. sIV, sIV, sIV, sCR, sCR, sCR, sCR, sIV
  334. },
  335. [DCCP_PKT_CLOSE] = {
  336. /*
  337. * sNO -> sIV No connection
  338. * sRQ -> sIV No connection
  339. * sRS -> sIV No connection
  340. * sPO -> sOP -> sCG Move direcly to CLOSING
  341. * sOP -> sCG Move to CLOSING
  342. * sCR -> sIV Close after CloseReq is invalid
  343. * sCG -> sCG Retransmit
  344. * sTW -> sIV Already closed
  345. *
  346. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  347. sIV, sIV, sIV, sCG, sCG, sIV, sCG, sIV
  348. },
  349. [DCCP_PKT_RESET] = {
  350. /*
  351. * sNO -> sIV No connection
  352. * sRQ -> sTW Reset in response to Request
  353. * sRS -> sTW Timeout, SHOULD send Reset (8.1.3.)
  354. * sPO -> sTW Timeout, SHOULD send Reset (8.1.3.)
  355. * sOP -> sTW
  356. * sCR -> sTW
  357. * sCG -> sTW
  358. * sTW -> sIG Ignore (don't refresh timer)
  359. *
  360. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW, sTW */
  361. sIV, sTW, sTW, sTW, sTW, sTW, sTW, sTW, sIG
  362. },
  363. [DCCP_PKT_SYNC] = {
  364. /*
  365. * We currently ignore Sync packets
  366. *
  367. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  368. sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
  369. },
  370. [DCCP_PKT_SYNCACK] = {
  371. /*
  372. * We currently ignore SyncAck packets
  373. *
  374. * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
  375. sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
  376. },
  377. },
  378. };
  379. /* this module per-net specifics */
  380. static int dccp_net_id __read_mostly;
  381. struct dccp_net {
  382. int dccp_loose;
  383. unsigned int dccp_timeout[CT_DCCP_MAX + 1];
  384. #ifdef CONFIG_SYSCTL
  385. struct ctl_table_header *sysctl_header;
  386. struct ctl_table *sysctl_table;
  387. #endif
  388. };
  389. static inline struct dccp_net *dccp_pernet(struct net *net)
  390. {
  391. return net_generic(net, dccp_net_id);
  392. }
  393. static bool dccp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
  394. struct nf_conntrack_tuple *tuple)
  395. {
  396. struct dccp_hdr _hdr, *dh;
  397. dh = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
  398. if (dh == NULL)
  399. return false;
  400. tuple->src.u.dccp.port = dh->dccph_sport;
  401. tuple->dst.u.dccp.port = dh->dccph_dport;
  402. return true;
  403. }
  404. static bool dccp_invert_tuple(struct nf_conntrack_tuple *inv,
  405. const struct nf_conntrack_tuple *tuple)
  406. {
  407. inv->src.u.dccp.port = tuple->dst.u.dccp.port;
  408. inv->dst.u.dccp.port = tuple->src.u.dccp.port;
  409. return true;
  410. }
  411. static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
  412. unsigned int dataoff)
  413. {
  414. struct net *net = nf_ct_net(ct);
  415. struct dccp_net *dn;
  416. struct dccp_hdr _dh, *dh;
  417. const char *msg;
  418. u_int8_t state;
  419. dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
  420. BUG_ON(dh == NULL);
  421. state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
  422. switch (state) {
  423. default:
  424. dn = dccp_pernet(net);
  425. if (dn->dccp_loose == 0) {
  426. msg = "nf_ct_dccp: not picking up existing connection ";
  427. goto out_invalid;
  428. }
  429. case CT_DCCP_REQUEST:
  430. break;
  431. case CT_DCCP_INVALID:
  432. msg = "nf_ct_dccp: invalid state transition ";
  433. goto out_invalid;
  434. }
  435. ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
  436. ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
  437. ct->proto.dccp.state = CT_DCCP_NONE;
  438. return true;
  439. out_invalid:
  440. if (LOG_INVALID(net, IPPROTO_DCCP))
  441. nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, msg);
  442. return false;
  443. }
  444. static u64 dccp_ack_seq(const struct dccp_hdr *dh)
  445. {
  446. const struct dccp_hdr_ack_bits *dhack;
  447. dhack = (void *)dh + __dccp_basic_hdr_len(dh);
  448. return ((u64)ntohs(dhack->dccph_ack_nr_high) << 32) +
  449. ntohl(dhack->dccph_ack_nr_low);
  450. }
  451. static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
  452. unsigned int dataoff, enum ip_conntrack_info ctinfo,
  453. u_int8_t pf, unsigned int hooknum)
  454. {
  455. struct net *net = nf_ct_net(ct);
  456. struct dccp_net *dn;
  457. enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
  458. struct dccp_hdr _dh, *dh;
  459. u_int8_t type, old_state, new_state;
  460. enum ct_dccp_roles role;
  461. dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
  462. BUG_ON(dh == NULL);
  463. type = dh->dccph_type;
  464. if (type == DCCP_PKT_RESET &&
  465. !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
  466. /* Tear down connection immediately if only reply is a RESET */
  467. nf_ct_kill_acct(ct, ctinfo, skb);
  468. return NF_ACCEPT;
  469. }
  470. spin_lock_bh(&ct->lock);
  471. role = ct->proto.dccp.role[dir];
  472. old_state = ct->proto.dccp.state;
  473. new_state = dccp_state_table[role][type][old_state];
  474. switch (new_state) {
  475. case CT_DCCP_REQUEST:
  476. if (old_state == CT_DCCP_TIMEWAIT &&
  477. role == CT_DCCP_ROLE_SERVER) {
  478. /* Reincarnation in the reverse direction: reopen and
  479. * reverse client/server roles. */
  480. ct->proto.dccp.role[dir] = CT_DCCP_ROLE_CLIENT;
  481. ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_SERVER;
  482. }
  483. break;
  484. case CT_DCCP_RESPOND:
  485. if (old_state == CT_DCCP_REQUEST)
  486. ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
  487. break;
  488. case CT_DCCP_PARTOPEN:
  489. if (old_state == CT_DCCP_RESPOND &&
  490. type == DCCP_PKT_ACK &&
  491. dccp_ack_seq(dh) == ct->proto.dccp.handshake_seq)
  492. set_bit(IPS_ASSURED_BIT, &ct->status);
  493. break;
  494. case CT_DCCP_IGNORE:
  495. /*
  496. * Connection tracking might be out of sync, so we ignore
  497. * packets that might establish a new connection and resync
  498. * if the server responds with a valid Response.
  499. */
  500. if (ct->proto.dccp.last_dir == !dir &&
  501. ct->proto.dccp.last_pkt == DCCP_PKT_REQUEST &&
  502. type == DCCP_PKT_RESPONSE) {
  503. ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_CLIENT;
  504. ct->proto.dccp.role[dir] = CT_DCCP_ROLE_SERVER;
  505. ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
  506. new_state = CT_DCCP_RESPOND;
  507. break;
  508. }
  509. ct->proto.dccp.last_dir = dir;
  510. ct->proto.dccp.last_pkt = type;
  511. spin_unlock_bh(&ct->lock);
  512. if (LOG_INVALID(net, IPPROTO_DCCP))
  513. nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
  514. "nf_ct_dccp: invalid packet ignored ");
  515. return NF_ACCEPT;
  516. case CT_DCCP_INVALID:
  517. spin_unlock_bh(&ct->lock);
  518. if (LOG_INVALID(net, IPPROTO_DCCP))
  519. nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
  520. "nf_ct_dccp: invalid state transition ");
  521. return -NF_ACCEPT;
  522. }
  523. ct->proto.dccp.last_dir = dir;
  524. ct->proto.dccp.last_pkt = type;
  525. ct->proto.dccp.state = new_state;
  526. spin_unlock_bh(&ct->lock);
  527. if (new_state != old_state)
  528. nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
  529. dn = dccp_pernet(net);
  530. nf_ct_refresh_acct(ct, ctinfo, skb, dn->dccp_timeout[new_state]);
  531. return NF_ACCEPT;
  532. }
  533. static int dccp_error(struct net *net, struct nf_conn *tmpl,
  534. struct sk_buff *skb, unsigned int dataoff,
  535. enum ip_conntrack_info *ctinfo,
  536. u_int8_t pf, unsigned int hooknum)
  537. {
  538. struct dccp_hdr _dh, *dh;
  539. unsigned int dccp_len = skb->len - dataoff;
  540. unsigned int cscov;
  541. const char *msg;
  542. dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
  543. if (dh == NULL) {
  544. msg = "nf_ct_dccp: short packet ";
  545. goto out_invalid;
  546. }
  547. if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) ||
  548. dh->dccph_doff * 4 > dccp_len) {
  549. msg = "nf_ct_dccp: truncated/malformed packet ";
  550. goto out_invalid;
  551. }
  552. cscov = dccp_len;
  553. if (dh->dccph_cscov) {
  554. cscov = (dh->dccph_cscov - 1) * 4;
  555. if (cscov > dccp_len) {
  556. msg = "nf_ct_dccp: bad checksum coverage ";
  557. goto out_invalid;
  558. }
  559. }
  560. if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
  561. nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_DCCP,
  562. pf)) {
  563. msg = "nf_ct_dccp: bad checksum ";
  564. goto out_invalid;
  565. }
  566. if (dh->dccph_type >= DCCP_PKT_INVALID) {
  567. msg = "nf_ct_dccp: reserved packet type ";
  568. goto out_invalid;
  569. }
  570. return NF_ACCEPT;
  571. out_invalid:
  572. if (LOG_INVALID(net, IPPROTO_DCCP))
  573. nf_log_packet(pf, 0, skb, NULL, NULL, NULL, msg);
  574. return -NF_ACCEPT;
  575. }
  576. static int dccp_print_tuple(struct seq_file *s,
  577. const struct nf_conntrack_tuple *tuple)
  578. {
  579. return seq_printf(s, "sport=%hu dport=%hu ",
  580. ntohs(tuple->src.u.dccp.port),
  581. ntohs(tuple->dst.u.dccp.port));
  582. }
  583. static int dccp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
  584. {
  585. return seq_printf(s, "%s ", dccp_state_names[ct->proto.dccp.state]);
  586. }
  587. #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
  588. static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
  589. struct nf_conn *ct)
  590. {
  591. struct nlattr *nest_parms;
  592. spin_lock_bh(&ct->lock);
  593. nest_parms = nla_nest_start(skb, CTA_PROTOINFO_DCCP | NLA_F_NESTED);
  594. if (!nest_parms)
  595. goto nla_put_failure;
  596. NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state);
  597. NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_ROLE,
  598. ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]);
  599. NLA_PUT_BE64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
  600. cpu_to_be64(ct->proto.dccp.handshake_seq));
  601. nla_nest_end(skb, nest_parms);
  602. spin_unlock_bh(&ct->lock);
  603. return 0;
  604. nla_put_failure:
  605. spin_unlock_bh(&ct->lock);
  606. return -1;
  607. }
  608. static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = {
  609. [CTA_PROTOINFO_DCCP_STATE] = { .type = NLA_U8 },
  610. [CTA_PROTOINFO_DCCP_ROLE] = { .type = NLA_U8 },
  611. [CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ] = { .type = NLA_U64 },
  612. };
  613. static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
  614. {
  615. struct nlattr *attr = cda[CTA_PROTOINFO_DCCP];
  616. struct nlattr *tb[CTA_PROTOINFO_DCCP_MAX + 1];
  617. int err;
  618. if (!attr)
  619. return 0;
  620. err = nla_parse_nested(tb, CTA_PROTOINFO_DCCP_MAX, attr,
  621. dccp_nla_policy);
  622. if (err < 0)
  623. return err;
  624. if (!tb[CTA_PROTOINFO_DCCP_STATE] ||
  625. !tb[CTA_PROTOINFO_DCCP_ROLE] ||
  626. nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) > CT_DCCP_ROLE_MAX ||
  627. nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]) >= CT_DCCP_IGNORE) {
  628. return -EINVAL;
  629. }
  630. spin_lock_bh(&ct->lock);
  631. ct->proto.dccp.state = nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]);
  632. if (nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) == CT_DCCP_ROLE_CLIENT) {
  633. ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
  634. ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
  635. } else {
  636. ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_SERVER;
  637. ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_CLIENT;
  638. }
  639. if (tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]) {
  640. ct->proto.dccp.handshake_seq =
  641. be64_to_cpu(nla_get_be64(tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]));
  642. }
  643. spin_unlock_bh(&ct->lock);
  644. return 0;
  645. }
  646. static int dccp_nlattr_size(void)
  647. {
  648. return nla_total_size(0) /* CTA_PROTOINFO_DCCP */
  649. + nla_policy_len(dccp_nla_policy, CTA_PROTOINFO_DCCP_MAX + 1);
  650. }
  651. #endif
  652. #ifdef CONFIG_SYSCTL
  653. /* template, data assigned later */
  654. static struct ctl_table dccp_sysctl_table[] = {
  655. {
  656. .procname = "nf_conntrack_dccp_timeout_request",
  657. .maxlen = sizeof(unsigned int),
  658. .mode = 0644,
  659. .proc_handler = proc_dointvec_jiffies,
  660. },
  661. {
  662. .procname = "nf_conntrack_dccp_timeout_respond",
  663. .maxlen = sizeof(unsigned int),
  664. .mode = 0644,
  665. .proc_handler = proc_dointvec_jiffies,
  666. },
  667. {
  668. .procname = "nf_conntrack_dccp_timeout_partopen",
  669. .maxlen = sizeof(unsigned int),
  670. .mode = 0644,
  671. .proc_handler = proc_dointvec_jiffies,
  672. },
  673. {
  674. .procname = "nf_conntrack_dccp_timeout_open",
  675. .maxlen = sizeof(unsigned int),
  676. .mode = 0644,
  677. .proc_handler = proc_dointvec_jiffies,
  678. },
  679. {
  680. .procname = "nf_conntrack_dccp_timeout_closereq",
  681. .maxlen = sizeof(unsigned int),
  682. .mode = 0644,
  683. .proc_handler = proc_dointvec_jiffies,
  684. },
  685. {
  686. .procname = "nf_conntrack_dccp_timeout_closing",
  687. .maxlen = sizeof(unsigned int),
  688. .mode = 0644,
  689. .proc_handler = proc_dointvec_jiffies,
  690. },
  691. {
  692. .procname = "nf_conntrack_dccp_timeout_timewait",
  693. .maxlen = sizeof(unsigned int),
  694. .mode = 0644,
  695. .proc_handler = proc_dointvec_jiffies,
  696. },
  697. {
  698. .procname = "nf_conntrack_dccp_loose",
  699. .maxlen = sizeof(int),
  700. .mode = 0644,
  701. .proc_handler = proc_dointvec,
  702. },
  703. { }
  704. };
  705. #endif /* CONFIG_SYSCTL */
  706. static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = {
  707. .l3proto = AF_INET,
  708. .l4proto = IPPROTO_DCCP,
  709. .name = "dccp",
  710. .pkt_to_tuple = dccp_pkt_to_tuple,
  711. .invert_tuple = dccp_invert_tuple,
  712. .new = dccp_new,
  713. .packet = dccp_packet,
  714. .error = dccp_error,
  715. .print_tuple = dccp_print_tuple,
  716. .print_conntrack = dccp_print_conntrack,
  717. #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
  718. .to_nlattr = dccp_to_nlattr,
  719. .nlattr_size = dccp_nlattr_size,
  720. .from_nlattr = nlattr_to_dccp,
  721. .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
  722. .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
  723. .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
  724. .nla_policy = nf_ct_port_nla_policy,
  725. #endif
  726. };
  727. static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = {
  728. .l3proto = AF_INET6,
  729. .l4proto = IPPROTO_DCCP,
  730. .name = "dccp",
  731. .pkt_to_tuple = dccp_pkt_to_tuple,
  732. .invert_tuple = dccp_invert_tuple,
  733. .new = dccp_new,
  734. .packet = dccp_packet,
  735. .error = dccp_error,
  736. .print_tuple = dccp_print_tuple,
  737. .print_conntrack = dccp_print_conntrack,
  738. #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
  739. .to_nlattr = dccp_to_nlattr,
  740. .nlattr_size = dccp_nlattr_size,
  741. .from_nlattr = nlattr_to_dccp,
  742. .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
  743. .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
  744. .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
  745. .nla_policy = nf_ct_port_nla_policy,
  746. #endif
  747. };
  748. static __net_init int dccp_net_init(struct net *net)
  749. {
  750. struct dccp_net *dn = dccp_pernet(net);
  751. /* default values */
  752. dn->dccp_loose = 1;
  753. dn->dccp_timeout[CT_DCCP_REQUEST] = 2 * DCCP_MSL;
  754. dn->dccp_timeout[CT_DCCP_RESPOND] = 4 * DCCP_MSL;
  755. dn->dccp_timeout[CT_DCCP_PARTOPEN] = 4 * DCCP_MSL;
  756. dn->dccp_timeout[CT_DCCP_OPEN] = 12 * 3600 * HZ;
  757. dn->dccp_timeout[CT_DCCP_CLOSEREQ] = 64 * HZ;
  758. dn->dccp_timeout[CT_DCCP_CLOSING] = 64 * HZ;
  759. dn->dccp_timeout[CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL;
  760. #ifdef CONFIG_SYSCTL
  761. dn->sysctl_table = kmemdup(dccp_sysctl_table,
  762. sizeof(dccp_sysctl_table), GFP_KERNEL);
  763. if (!dn->sysctl_table)
  764. return -ENOMEM;
  765. dn->sysctl_table[0].data = &dn->dccp_timeout[CT_DCCP_REQUEST];
  766. dn->sysctl_table[1].data = &dn->dccp_timeout[CT_DCCP_RESPOND];
  767. dn->sysctl_table[2].data = &dn->dccp_timeout[CT_DCCP_PARTOPEN];
  768. dn->sysctl_table[3].data = &dn->dccp_timeout[CT_DCCP_OPEN];
  769. dn->sysctl_table[4].data = &dn->dccp_timeout[CT_DCCP_CLOSEREQ];
  770. dn->sysctl_table[5].data = &dn->dccp_timeout[CT_DCCP_CLOSING];
  771. dn->sysctl_table[6].data = &dn->dccp_timeout[CT_DCCP_TIMEWAIT];
  772. dn->sysctl_table[7].data = &dn->dccp_loose;
  773. dn->sysctl_header = register_net_sysctl_table(net,
  774. nf_net_netfilter_sysctl_path, dn->sysctl_table);
  775. if (!dn->sysctl_header) {
  776. kfree(dn->sysctl_table);
  777. return -ENOMEM;
  778. }
  779. #endif
  780. return 0;
  781. }
  782. static __net_exit void dccp_net_exit(struct net *net)
  783. {
  784. struct dccp_net *dn = dccp_pernet(net);
  785. #ifdef CONFIG_SYSCTL
  786. unregister_net_sysctl_table(dn->sysctl_header);
  787. kfree(dn->sysctl_table);
  788. #endif
  789. }
  790. static struct pernet_operations dccp_net_ops = {
  791. .init = dccp_net_init,
  792. .exit = dccp_net_exit,
  793. .id = &dccp_net_id,
  794. .size = sizeof(struct dccp_net),
  795. };
  796. static int __init nf_conntrack_proto_dccp_init(void)
  797. {
  798. int err;
  799. err = register_pernet_subsys(&dccp_net_ops);
  800. if (err < 0)
  801. goto err1;
  802. err = nf_conntrack_l4proto_register(&dccp_proto4);
  803. if (err < 0)
  804. goto err2;
  805. err = nf_conntrack_l4proto_register(&dccp_proto6);
  806. if (err < 0)
  807. goto err3;
  808. return 0;
  809. err3:
  810. nf_conntrack_l4proto_unregister(&dccp_proto4);
  811. err2:
  812. unregister_pernet_subsys(&dccp_net_ops);
  813. err1:
  814. return err;
  815. }
  816. static void __exit nf_conntrack_proto_dccp_fini(void)
  817. {
  818. unregister_pernet_subsys(&dccp_net_ops);
  819. nf_conntrack_l4proto_unregister(&dccp_proto6);
  820. nf_conntrack_l4proto_unregister(&dccp_proto4);
  821. }
  822. module_init(nf_conntrack_proto_dccp_init);
  823. module_exit(nf_conntrack_proto_dccp_fini);
  824. MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
  825. MODULE_DESCRIPTION("DCCP connection tracking protocol helper");
  826. MODULE_LICENSE("GPL");