/net/netfilter/nf_conntrack_proto_dccp.c
C | 896 lines | 542 code | 70 blank | 284 comment | 54 complexity | 879115b12a14435050f7da1504a17416 MD5 | raw file
Possible License(s): CC-BY-SA-3.0, GPL-2.0, LGPL-2.0, AGPL-1.0
1/*
2 * DCCP connection tracking protocol helper
3 *
4 * Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
9 *
10 */
11#include <linux/kernel.h>
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/sysctl.h>
15#include <linux/spinlock.h>
16#include <linux/skbuff.h>
17#include <linux/dccp.h>
18#include <linux/slab.h>
19
20#include <net/net_namespace.h>
21#include <net/netns/generic.h>
22
23#include <linux/netfilter/nfnetlink_conntrack.h>
24#include <net/netfilter/nf_conntrack.h>
25#include <net/netfilter/nf_conntrack_l4proto.h>
26#include <net/netfilter/nf_conntrack_ecache.h>
27#include <net/netfilter/nf_log.h>
28
29/* Timeouts are based on values from RFC4340:
30 *
31 * - REQUEST:
32 *
33 * 8.1.2. Client Request
34 *
35 * A client MAY give up on its DCCP-Requests after some time
36 * (3 minutes, for example).
37 *
38 * - RESPOND:
39 *
40 * 8.1.3. Server Response
41 *
42 * It MAY also leave the RESPOND state for CLOSED after a timeout of
43 * not less than 4MSL (8 minutes);
44 *
45 * - PARTOPEN:
46 *
47 * 8.1.5. Handshake Completion
48 *
49 * If the client remains in PARTOPEN for more than 4MSL (8 minutes),
50 * it SHOULD reset the connection with Reset Code 2, "Aborted".
51 *
52 * - OPEN:
53 *
54 * The DCCP timestamp overflows after 11.9 hours. If the connection
55 * stays idle this long the sequence number won't be recognized
56 * as valid anymore.
57 *
58 * - CLOSEREQ/CLOSING:
59 *
60 * 8.3. Termination
61 *
62 * The retransmission timer should initially be set to go off in two
63 * round-trip times and should back off to not less than once every
64 * 64 seconds ...
65 *
66 * - TIMEWAIT:
67 *
68 * 4.3. States
69 *
70 * A server or client socket remains in this state for 2MSL (4 minutes)
71 * after the connection has been town down, ...
72 */
73
74#define DCCP_MSL (2 * 60 * HZ)
75
76static const char * const dccp_state_names[] = {
77 [CT_DCCP_NONE] = "NONE",
78 [CT_DCCP_REQUEST] = "REQUEST",
79 [CT_DCCP_RESPOND] = "RESPOND",
80 [CT_DCCP_PARTOPEN] = "PARTOPEN",
81 [CT_DCCP_OPEN] = "OPEN",
82 [CT_DCCP_CLOSEREQ] = "CLOSEREQ",
83 [CT_DCCP_CLOSING] = "CLOSING",
84 [CT_DCCP_TIMEWAIT] = "TIMEWAIT",
85 [CT_DCCP_IGNORE] = "IGNORE",
86 [CT_DCCP_INVALID] = "INVALID",
87};
88
89#define sNO CT_DCCP_NONE
90#define sRQ CT_DCCP_REQUEST
91#define sRS CT_DCCP_RESPOND
92#define sPO CT_DCCP_PARTOPEN
93#define sOP CT_DCCP_OPEN
94#define sCR CT_DCCP_CLOSEREQ
95#define sCG CT_DCCP_CLOSING
96#define sTW CT_DCCP_TIMEWAIT
97#define sIG CT_DCCP_IGNORE
98#define sIV CT_DCCP_INVALID
99
100/*
101 * DCCP state transistion table
102 *
103 * The assumption is the same as for TCP tracking:
104 *
105 * We are the man in the middle. All the packets go through us but might
106 * get lost in transit to the destination. It is assumed that the destination
107 * can't receive segments we haven't seen.
108 *
109 * The following states exist:
110 *
111 * NONE: Initial state, expecting Request
112 * REQUEST: Request seen, waiting for Response from server
113 * RESPOND: Response from server seen, waiting for Ack from client
114 * PARTOPEN: Ack after Response seen, waiting for packet other than Response,
115 * Reset or Sync from server
116 * OPEN: Packet other than Response, Reset or Sync seen
117 * CLOSEREQ: CloseReq from server seen, expecting Close from client
118 * CLOSING: Close seen, expecting Reset
119 * TIMEWAIT: Reset seen
120 * IGNORE: Not determinable whether packet is valid
121 *
122 * Some states exist only on one side of the connection: REQUEST, RESPOND,
123 * PARTOPEN, CLOSEREQ. For the other side these states are equivalent to
124 * the one it was in before.
125 *
126 * Packets are marked as ignored (sIG) if we don't know if they're valid
127 * (for example a reincarnation of a connection we didn't notice is dead
128 * already) and the server may send back a connection closing Reset or a
129 * Response. They're also used for Sync/SyncAck packets, which we don't
130 * care about.
131 */
132static const u_int8_t
133dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = {
134 [CT_DCCP_ROLE_CLIENT] = {
135 [DCCP_PKT_REQUEST] = {
136 /*
137 * sNO -> sRQ Regular Request
138 * sRQ -> sRQ Retransmitted Request or reincarnation
139 * sRS -> sRS Retransmitted Request (apparently Response
140 * got lost after we saw it) or reincarnation
141 * sPO -> sIG Ignore, conntrack might be out of sync
142 * sOP -> sIG Ignore, conntrack might be out of sync
143 * sCR -> sIG Ignore, conntrack might be out of sync
144 * sCG -> sIG Ignore, conntrack might be out of sync
145 * sTW -> sRQ Reincarnation
146 *
147 * sNO, sRQ, sRS, sPO. sOP, sCR, sCG, sTW, */
148 sRQ, sRQ, sRS, sIG, sIG, sIG, sIG, sRQ,
149 },
150 [DCCP_PKT_RESPONSE] = {
151 /*
152 * sNO -> sIV Invalid
153 * sRQ -> sIG Ignore, might be response to ignored Request
154 * sRS -> sIG Ignore, might be response to ignored Request
155 * sPO -> sIG Ignore, might be response to ignored Request
156 * sOP -> sIG Ignore, might be response to ignored Request
157 * sCR -> sIG Ignore, might be response to ignored Request
158 * sCG -> sIG Ignore, might be response to ignored Request
159 * sTW -> sIV Invalid, reincarnation in reverse direction
160 * goes through sRQ
161 *
162 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
163 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIV,
164 },
165 [DCCP_PKT_ACK] = {
166 /*
167 * sNO -> sIV No connection
168 * sRQ -> sIV No connection
169 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.)
170 * sPO -> sPO Retransmitted Ack for Response, remain in PARTOPEN
171 * sOP -> sOP Regular ACK, remain in OPEN
172 * sCR -> sCR Ack in CLOSEREQ MAY be processed (8.3.)
173 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.)
174 * sTW -> sIV
175 *
176 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
177 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
178 },
179 [DCCP_PKT_DATA] = {
180 /*
181 * sNO -> sIV No connection
182 * sRQ -> sIV No connection
183 * sRS -> sIV No connection
184 * sPO -> sIV MUST use DataAck in PARTOPEN state (8.1.5.)
185 * sOP -> sOP Regular Data packet
186 * sCR -> sCR Data in CLOSEREQ MAY be processed (8.3.)
187 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
188 * sTW -> sIV
189 *
190 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
191 sIV, sIV, sIV, sIV, sOP, sCR, sCG, sIV,
192 },
193 [DCCP_PKT_DATAACK] = {
194 /*
195 * sNO -> sIV No connection
196 * sRQ -> sIV No connection
197 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.)
198 * sPO -> sPO Remain in PARTOPEN state
199 * sOP -> sOP Regular DataAck packet in OPEN state
200 * sCR -> sCR DataAck in CLOSEREQ MAY be processed (8.3.)
201 * sCG -> sCG DataAck in CLOSING MAY be processed (8.3.)
202 * sTW -> sIV
203 *
204 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
205 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
206 },
207 [DCCP_PKT_CLOSEREQ] = {
208 /*
209 * CLOSEREQ may only be sent by the server.
210 *
211 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
212 sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV
213 },
214 [DCCP_PKT_CLOSE] = {
215 /*
216 * sNO -> sIV No connection
217 * sRQ -> sIV No connection
218 * sRS -> sIV No connection
219 * sPO -> sCG Client-initiated close
220 * sOP -> sCG Client-initiated close
221 * sCR -> sCG Close in response to CloseReq (8.3.)
222 * sCG -> sCG Retransmit
223 * sTW -> sIV Late retransmit, already in TIME_WAIT
224 *
225 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
226 sIV, sIV, sIV, sCG, sCG, sCG, sIV, sIV
227 },
228 [DCCP_PKT_RESET] = {
229 /*
230 * sNO -> sIV No connection
231 * sRQ -> sTW Sync received or timeout, SHOULD send Reset (8.1.1.)
232 * sRS -> sTW Response received without Request
233 * sPO -> sTW Timeout, SHOULD send Reset (8.1.5.)
234 * sOP -> sTW Connection reset
235 * sCR -> sTW Connection reset
236 * sCG -> sTW Connection reset
237 * sTW -> sIG Ignore (don't refresh timer)
238 *
239 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
240 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sIG
241 },
242 [DCCP_PKT_SYNC] = {
243 /*
244 * We currently ignore Sync packets
245 *
246 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
247 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
248 },
249 [DCCP_PKT_SYNCACK] = {
250 /*
251 * We currently ignore SyncAck packets
252 *
253 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
254 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
255 },
256 },
257 [CT_DCCP_ROLE_SERVER] = {
258 [DCCP_PKT_REQUEST] = {
259 /*
260 * sNO -> sIV Invalid
261 * sRQ -> sIG Ignore, conntrack might be out of sync
262 * sRS -> sIG Ignore, conntrack might be out of sync
263 * sPO -> sIG Ignore, conntrack might be out of sync
264 * sOP -> sIG Ignore, conntrack might be out of sync
265 * sCR -> sIG Ignore, conntrack might be out of sync
266 * sCG -> sIG Ignore, conntrack might be out of sync
267 * sTW -> sRQ Reincarnation, must reverse roles
268 *
269 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
270 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sRQ
271 },
272 [DCCP_PKT_RESPONSE] = {
273 /*
274 * sNO -> sIV Response without Request
275 * sRQ -> sRS Response to clients Request
276 * sRS -> sRS Retransmitted Response (8.1.3. SHOULD NOT)
277 * sPO -> sIG Response to an ignored Request or late retransmit
278 * sOP -> sIG Ignore, might be response to ignored Request
279 * sCR -> sIG Ignore, might be response to ignored Request
280 * sCG -> sIG Ignore, might be response to ignored Request
281 * sTW -> sIV Invalid, Request from client in sTW moves to sRQ
282 *
283 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
284 sIV, sRS, sRS, sIG, sIG, sIG, sIG, sIV
285 },
286 [DCCP_PKT_ACK] = {
287 /*
288 * sNO -> sIV No connection
289 * sRQ -> sIV No connection
290 * sRS -> sIV No connection
291 * sPO -> sOP Enter OPEN state (8.1.5.)
292 * sOP -> sOP Regular Ack in OPEN state
293 * sCR -> sIV Waiting for Close from client
294 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.)
295 * sTW -> sIV
296 *
297 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
298 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
299 },
300 [DCCP_PKT_DATA] = {
301 /*
302 * sNO -> sIV No connection
303 * sRQ -> sIV No connection
304 * sRS -> sIV No connection
305 * sPO -> sOP Enter OPEN state (8.1.5.)
306 * sOP -> sOP Regular Data packet in OPEN state
307 * sCR -> sIV Waiting for Close from client
308 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
309 * sTW -> sIV
310 *
311 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
312 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
313 },
314 [DCCP_PKT_DATAACK] = {
315 /*
316 * sNO -> sIV No connection
317 * sRQ -> sIV No connection
318 * sRS -> sIV No connection
319 * sPO -> sOP Enter OPEN state (8.1.5.)
320 * sOP -> sOP Regular DataAck in OPEN state
321 * sCR -> sIV Waiting for Close from client
322 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
323 * sTW -> sIV
324 *
325 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
326 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
327 },
328 [DCCP_PKT_CLOSEREQ] = {
329 /*
330 * sNO -> sIV No connection
331 * sRQ -> sIV No connection
332 * sRS -> sIV No connection
333 * sPO -> sOP -> sCR Move directly to CLOSEREQ (8.1.5.)
334 * sOP -> sCR CloseReq in OPEN state
335 * sCR -> sCR Retransmit
336 * sCG -> sCR Simultaneous close, client sends another Close
337 * sTW -> sIV Already closed
338 *
339 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
340 sIV, sIV, sIV, sCR, sCR, sCR, sCR, sIV
341 },
342 [DCCP_PKT_CLOSE] = {
343 /*
344 * sNO -> sIV No connection
345 * sRQ -> sIV No connection
346 * sRS -> sIV No connection
347 * sPO -> sOP -> sCG Move direcly to CLOSING
348 * sOP -> sCG Move to CLOSING
349 * sCR -> sIV Close after CloseReq is invalid
350 * sCG -> sCG Retransmit
351 * sTW -> sIV Already closed
352 *
353 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
354 sIV, sIV, sIV, sCG, sCG, sIV, sCG, sIV
355 },
356 [DCCP_PKT_RESET] = {
357 /*
358 * sNO -> sIV No connection
359 * sRQ -> sTW Reset in response to Request
360 * sRS -> sTW Timeout, SHOULD send Reset (8.1.3.)
361 * sPO -> sTW Timeout, SHOULD send Reset (8.1.3.)
362 * sOP -> sTW
363 * sCR -> sTW
364 * sCG -> sTW
365 * sTW -> sIG Ignore (don't refresh timer)
366 *
367 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW, sTW */
368 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sTW, sIG
369 },
370 [DCCP_PKT_SYNC] = {
371 /*
372 * We currently ignore Sync packets
373 *
374 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
375 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
376 },
377 [DCCP_PKT_SYNCACK] = {
378 /*
379 * We currently ignore SyncAck packets
380 *
381 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
382 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
383 },
384 },
385};
386
387/* this module per-net specifics */
388static int dccp_net_id __read_mostly;
389struct dccp_net {
390 int dccp_loose;
391 unsigned int dccp_timeout[CT_DCCP_MAX + 1];
392#ifdef CONFIG_SYSCTL
393 struct ctl_table_header *sysctl_header;
394 struct ctl_table *sysctl_table;
395#endif
396};
397
398static inline struct dccp_net *dccp_pernet(struct net *net)
399{
400 return net_generic(net, dccp_net_id);
401}
402
403static bool dccp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
404 struct nf_conntrack_tuple *tuple)
405{
406 struct dccp_hdr _hdr, *dh;
407
408 dh = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
409 if (dh == NULL)
410 return false;
411
412 tuple->src.u.dccp.port = dh->dccph_sport;
413 tuple->dst.u.dccp.port = dh->dccph_dport;
414 return true;
415}
416
417static bool dccp_invert_tuple(struct nf_conntrack_tuple *inv,
418 const struct nf_conntrack_tuple *tuple)
419{
420 inv->src.u.dccp.port = tuple->dst.u.dccp.port;
421 inv->dst.u.dccp.port = tuple->src.u.dccp.port;
422 return true;
423}
424
425static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
426 unsigned int dataoff)
427{
428 struct net *net = nf_ct_net(ct);
429 struct dccp_net *dn;
430 struct dccp_hdr _dh, *dh;
431 const char *msg;
432 u_int8_t state;
433
434 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
435 BUG_ON(dh == NULL);
436
437 state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
438 switch (state) {
439 default:
440 dn = dccp_pernet(net);
441 if (dn->dccp_loose == 0) {
442 msg = "nf_ct_dccp: not picking up existing connection ";
443 goto out_invalid;
444 }
445 case CT_DCCP_REQUEST:
446 break;
447 case CT_DCCP_INVALID:
448 msg = "nf_ct_dccp: invalid state transition ";
449 goto out_invalid;
450 }
451
452 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
453 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
454 ct->proto.dccp.state = CT_DCCP_NONE;
455 return true;
456
457out_invalid:
458 if (LOG_INVALID(net, IPPROTO_DCCP))
459 nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, msg);
460 return false;
461}
462
463static u64 dccp_ack_seq(const struct dccp_hdr *dh)
464{
465 const struct dccp_hdr_ack_bits *dhack;
466
467 dhack = (void *)dh + __dccp_basic_hdr_len(dh);
468 return ((u64)ntohs(dhack->dccph_ack_nr_high) << 32) +
469 ntohl(dhack->dccph_ack_nr_low);
470}
471
472static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
473 unsigned int dataoff, enum ip_conntrack_info ctinfo,
474 u_int8_t pf, unsigned int hooknum)
475{
476 struct net *net = nf_ct_net(ct);
477 struct dccp_net *dn;
478 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
479 struct dccp_hdr _dh, *dh;
480 u_int8_t type, old_state, new_state;
481 enum ct_dccp_roles role;
482
483 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
484 BUG_ON(dh == NULL);
485 type = dh->dccph_type;
486
487 if (type == DCCP_PKT_RESET &&
488 !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
489 /* Tear down connection immediately if only reply is a RESET */
490 nf_ct_kill_acct(ct, ctinfo, skb);
491 return NF_ACCEPT;
492 }
493
494 spin_lock_bh(&ct->lock);
495
496 role = ct->proto.dccp.role[dir];
497 old_state = ct->proto.dccp.state;
498 new_state = dccp_state_table[role][type][old_state];
499
500 switch (new_state) {
501 case CT_DCCP_REQUEST:
502 if (old_state == CT_DCCP_TIMEWAIT &&
503 role == CT_DCCP_ROLE_SERVER) {
504 /* Reincarnation in the reverse direction: reopen and
505 * reverse client/server roles. */
506 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_CLIENT;
507 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_SERVER;
508 }
509 break;
510 case CT_DCCP_RESPOND:
511 if (old_state == CT_DCCP_REQUEST)
512 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
513 break;
514 case CT_DCCP_PARTOPEN:
515 if (old_state == CT_DCCP_RESPOND &&
516 type == DCCP_PKT_ACK &&
517 dccp_ack_seq(dh) == ct->proto.dccp.handshake_seq)
518 set_bit(IPS_ASSURED_BIT, &ct->status);
519 break;
520 case CT_DCCP_IGNORE:
521 /*
522 * Connection tracking might be out of sync, so we ignore
523 * packets that might establish a new connection and resync
524 * if the server responds with a valid Response.
525 */
526 if (ct->proto.dccp.last_dir == !dir &&
527 ct->proto.dccp.last_pkt == DCCP_PKT_REQUEST &&
528 type == DCCP_PKT_RESPONSE) {
529 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_CLIENT;
530 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_SERVER;
531 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
532 new_state = CT_DCCP_RESPOND;
533 break;
534 }
535 ct->proto.dccp.last_dir = dir;
536 ct->proto.dccp.last_pkt = type;
537
538 spin_unlock_bh(&ct->lock);
539 if (LOG_INVALID(net, IPPROTO_DCCP))
540 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
541 "nf_ct_dccp: invalid packet ignored ");
542 return NF_ACCEPT;
543 case CT_DCCP_INVALID:
544 spin_unlock_bh(&ct->lock);
545 if (LOG_INVALID(net, IPPROTO_DCCP))
546 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
547 "nf_ct_dccp: invalid state transition ");
548 return -NF_ACCEPT;
549 }
550
551 ct->proto.dccp.last_dir = dir;
552 ct->proto.dccp.last_pkt = type;
553 ct->proto.dccp.state = new_state;
554 spin_unlock_bh(&ct->lock);
555
556 if (new_state != old_state)
557 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
558
559 dn = dccp_pernet(net);
560 nf_ct_refresh_acct(ct, ctinfo, skb, dn->dccp_timeout[new_state]);
561
562 return NF_ACCEPT;
563}
564
565static int dccp_error(struct net *net, struct nf_conn *tmpl,
566 struct sk_buff *skb, unsigned int dataoff,
567 enum ip_conntrack_info *ctinfo,
568 u_int8_t pf, unsigned int hooknum)
569{
570 struct dccp_hdr _dh, *dh;
571 unsigned int dccp_len = skb->len - dataoff;
572 unsigned int cscov;
573 const char *msg;
574
575 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
576 if (dh == NULL) {
577 msg = "nf_ct_dccp: short packet ";
578 goto out_invalid;
579 }
580
581 if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) ||
582 dh->dccph_doff * 4 > dccp_len) {
583 msg = "nf_ct_dccp: truncated/malformed packet ";
584 goto out_invalid;
585 }
586
587 cscov = dccp_len;
588 if (dh->dccph_cscov) {
589 cscov = (dh->dccph_cscov - 1) * 4;
590 if (cscov > dccp_len) {
591 msg = "nf_ct_dccp: bad checksum coverage ";
592 goto out_invalid;
593 }
594 }
595
596 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
597 nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_DCCP,
598 pf)) {
599 msg = "nf_ct_dccp: bad checksum ";
600 goto out_invalid;
601 }
602
603 if (dh->dccph_type >= DCCP_PKT_INVALID) {
604 msg = "nf_ct_dccp: reserved packet type ";
605 goto out_invalid;
606 }
607
608 return NF_ACCEPT;
609
610out_invalid:
611 if (LOG_INVALID(net, IPPROTO_DCCP))
612 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, msg);
613 return -NF_ACCEPT;
614}
615
616static int dccp_print_tuple(struct seq_file *s,
617 const struct nf_conntrack_tuple *tuple)
618{
619 return seq_printf(s, "sport=%hu dport=%hu ",
620 ntohs(tuple->src.u.dccp.port),
621 ntohs(tuple->dst.u.dccp.port));
622}
623
624static int dccp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
625{
626 return seq_printf(s, "%s ", dccp_state_names[ct->proto.dccp.state]);
627}
628
629#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
630static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
631 struct nf_conn *ct)
632{
633 struct nlattr *nest_parms;
634
635 spin_lock_bh(&ct->lock);
636 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_DCCP | NLA_F_NESTED);
637 if (!nest_parms)
638 goto nla_put_failure;
639 NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state);
640 NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_ROLE,
641 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]);
642 NLA_PUT_BE64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
643 cpu_to_be64(ct->proto.dccp.handshake_seq));
644 nla_nest_end(skb, nest_parms);
645 spin_unlock_bh(&ct->lock);
646 return 0;
647
648nla_put_failure:
649 spin_unlock_bh(&ct->lock);
650 return -1;
651}
652
653static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = {
654 [CTA_PROTOINFO_DCCP_STATE] = { .type = NLA_U8 },
655 [CTA_PROTOINFO_DCCP_ROLE] = { .type = NLA_U8 },
656 [CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ] = { .type = NLA_U64 },
657};
658
659static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
660{
661 struct nlattr *attr = cda[CTA_PROTOINFO_DCCP];
662 struct nlattr *tb[CTA_PROTOINFO_DCCP_MAX + 1];
663 int err;
664
665 if (!attr)
666 return 0;
667
668 err = nla_parse_nested(tb, CTA_PROTOINFO_DCCP_MAX, attr,
669 dccp_nla_policy);
670 if (err < 0)
671 return err;
672
673 if (!tb[CTA_PROTOINFO_DCCP_STATE] ||
674 !tb[CTA_PROTOINFO_DCCP_ROLE] ||
675 nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) > CT_DCCP_ROLE_MAX ||
676 nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]) >= CT_DCCP_IGNORE) {
677 return -EINVAL;
678 }
679
680 spin_lock_bh(&ct->lock);
681 ct->proto.dccp.state = nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]);
682 if (nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) == CT_DCCP_ROLE_CLIENT) {
683 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
684 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
685 } else {
686 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_SERVER;
687 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_CLIENT;
688 }
689 if (tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]) {
690 ct->proto.dccp.handshake_seq =
691 be64_to_cpu(nla_get_be64(tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]));
692 }
693 spin_unlock_bh(&ct->lock);
694 return 0;
695}
696
697static int dccp_nlattr_size(void)
698{
699 return nla_total_size(0) /* CTA_PROTOINFO_DCCP */
700 + nla_policy_len(dccp_nla_policy, CTA_PROTOINFO_DCCP_MAX + 1);
701}
702#endif
703
704#ifdef CONFIG_SYSCTL
705/* template, data assigned later */
706static struct ctl_table dccp_sysctl_table[] = {
707 {
708 .procname = "nf_conntrack_dccp_timeout_request",
709 .maxlen = sizeof(unsigned int),
710 .mode = 0644,
711 .proc_handler = proc_dointvec_jiffies,
712 },
713 {
714 .procname = "nf_conntrack_dccp_timeout_respond",
715 .maxlen = sizeof(unsigned int),
716 .mode = 0644,
717 .proc_handler = proc_dointvec_jiffies,
718 },
719 {
720 .procname = "nf_conntrack_dccp_timeout_partopen",
721 .maxlen = sizeof(unsigned int),
722 .mode = 0644,
723 .proc_handler = proc_dointvec_jiffies,
724 },
725 {
726 .procname = "nf_conntrack_dccp_timeout_open",
727 .maxlen = sizeof(unsigned int),
728 .mode = 0644,
729 .proc_handler = proc_dointvec_jiffies,
730 },
731 {
732 .procname = "nf_conntrack_dccp_timeout_closereq",
733 .maxlen = sizeof(unsigned int),
734 .mode = 0644,
735 .proc_handler = proc_dointvec_jiffies,
736 },
737 {
738 .procname = "nf_conntrack_dccp_timeout_closing",
739 .maxlen = sizeof(unsigned int),
740 .mode = 0644,
741 .proc_handler = proc_dointvec_jiffies,
742 },
743 {
744 .procname = "nf_conntrack_dccp_timeout_timewait",
745 .maxlen = sizeof(unsigned int),
746 .mode = 0644,
747 .proc_handler = proc_dointvec_jiffies,
748 },
749 {
750 .procname = "nf_conntrack_dccp_loose",
751 .maxlen = sizeof(int),
752 .mode = 0644,
753 .proc_handler = proc_dointvec,
754 },
755 { }
756};
757#endif /* CONFIG_SYSCTL */
758
759static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = {
760 .l3proto = AF_INET,
761 .l4proto = IPPROTO_DCCP,
762 .name = "dccp",
763 .pkt_to_tuple = dccp_pkt_to_tuple,
764 .invert_tuple = dccp_invert_tuple,
765 .new = dccp_new,
766 .packet = dccp_packet,
767 .error = dccp_error,
768 .print_tuple = dccp_print_tuple,
769 .print_conntrack = dccp_print_conntrack,
770#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
771 .to_nlattr = dccp_to_nlattr,
772 .nlattr_size = dccp_nlattr_size,
773 .from_nlattr = nlattr_to_dccp,
774 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
775 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
776 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
777 .nla_policy = nf_ct_port_nla_policy,
778#endif
779};
780
781static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = {
782 .l3proto = AF_INET6,
783 .l4proto = IPPROTO_DCCP,
784 .name = "dccp",
785 .pkt_to_tuple = dccp_pkt_to_tuple,
786 .invert_tuple = dccp_invert_tuple,
787 .new = dccp_new,
788 .packet = dccp_packet,
789 .error = dccp_error,
790 .print_tuple = dccp_print_tuple,
791 .print_conntrack = dccp_print_conntrack,
792#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
793 .to_nlattr = dccp_to_nlattr,
794 .nlattr_size = dccp_nlattr_size,
795 .from_nlattr = nlattr_to_dccp,
796 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
797 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
798 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
799 .nla_policy = nf_ct_port_nla_policy,
800#endif
801};
802
803static __net_init int dccp_net_init(struct net *net)
804{
805 struct dccp_net *dn = dccp_pernet(net);
806
807 /* default values */
808 dn->dccp_loose = 1;
809 dn->dccp_timeout[CT_DCCP_REQUEST] = 2 * DCCP_MSL;
810 dn->dccp_timeout[CT_DCCP_RESPOND] = 4 * DCCP_MSL;
811 dn->dccp_timeout[CT_DCCP_PARTOPEN] = 4 * DCCP_MSL;
812 dn->dccp_timeout[CT_DCCP_OPEN] = 12 * 3600 * HZ;
813 dn->dccp_timeout[CT_DCCP_CLOSEREQ] = 64 * HZ;
814 dn->dccp_timeout[CT_DCCP_CLOSING] = 64 * HZ;
815 dn->dccp_timeout[CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL;
816
817#ifdef CONFIG_SYSCTL
818 dn->sysctl_table = kmemdup(dccp_sysctl_table,
819 sizeof(dccp_sysctl_table), GFP_KERNEL);
820 if (!dn->sysctl_table)
821 return -ENOMEM;
822
823 dn->sysctl_table[0].data = &dn->dccp_timeout[CT_DCCP_REQUEST];
824 dn->sysctl_table[1].data = &dn->dccp_timeout[CT_DCCP_RESPOND];
825 dn->sysctl_table[2].data = &dn->dccp_timeout[CT_DCCP_PARTOPEN];
826 dn->sysctl_table[3].data = &dn->dccp_timeout[CT_DCCP_OPEN];
827 dn->sysctl_table[4].data = &dn->dccp_timeout[CT_DCCP_CLOSEREQ];
828 dn->sysctl_table[5].data = &dn->dccp_timeout[CT_DCCP_CLOSING];
829 dn->sysctl_table[6].data = &dn->dccp_timeout[CT_DCCP_TIMEWAIT];
830 dn->sysctl_table[7].data = &dn->dccp_loose;
831
832 dn->sysctl_header = register_net_sysctl_table(net,
833 nf_net_netfilter_sysctl_path, dn->sysctl_table);
834 if (!dn->sysctl_header) {
835 kfree(dn->sysctl_table);
836 return -ENOMEM;
837 }
838#endif
839
840 return 0;
841}
842
843static __net_exit void dccp_net_exit(struct net *net)
844{
845 struct dccp_net *dn = dccp_pernet(net);
846#ifdef CONFIG_SYSCTL
847 unregister_net_sysctl_table(dn->sysctl_header);
848 kfree(dn->sysctl_table);
849#endif
850}
851
852static struct pernet_operations dccp_net_ops = {
853 .init = dccp_net_init,
854 .exit = dccp_net_exit,
855 .id = &dccp_net_id,
856 .size = sizeof(struct dccp_net),
857};
858
859static int __init nf_conntrack_proto_dccp_init(void)
860{
861 int err;
862
863 err = register_pernet_subsys(&dccp_net_ops);
864 if (err < 0)
865 goto err1;
866
867 err = nf_conntrack_l4proto_register(&dccp_proto4);
868 if (err < 0)
869 goto err2;
870
871 err = nf_conntrack_l4proto_register(&dccp_proto6);
872 if (err < 0)
873 goto err3;
874 return 0;
875
876err3:
877 nf_conntrack_l4proto_unregister(&dccp_proto4);
878err2:
879 unregister_pernet_subsys(&dccp_net_ops);
880err1:
881 return err;
882}
883
884static void __exit nf_conntrack_proto_dccp_fini(void)
885{
886 unregister_pernet_subsys(&dccp_net_ops);
887 nf_conntrack_l4proto_unregister(&dccp_proto6);
888 nf_conntrack_l4proto_unregister(&dccp_proto4);
889}
890
891module_init(nf_conntrack_proto_dccp_init);
892module_exit(nf_conntrack_proto_dccp_fini);
893
894MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
895MODULE_DESCRIPTION("DCCP connection tracking protocol helper");
896MODULE_LICENSE("GPL");