This source file includes following definitions.
- sctp_print_conntrack
- do_basic_checks
- sctp_new_state
- sctp_new
- sctp_error
- nf_conntrack_sctp_packet
- sctp_can_early_drop
- sctp_to_nlattr
- nlattr_to_sctp
- sctp_timeout_nlattr_to_obj
- sctp_timeout_obj_to_nlattr
- nf_conntrack_sctp_init_net
1
2
3
4
5
6
7
8
9
10
11
12 #include <linux/types.h>
13 #include <linux/timer.h>
14 #include <linux/netfilter.h>
15 #include <linux/in.h>
16 #include <linux/ip.h>
17 #include <linux/sctp.h>
18 #include <linux/string.h>
19 #include <linux/seq_file.h>
20 #include <linux/spinlock.h>
21 #include <linux/interrupt.h>
22 #include <net/sctp/checksum.h>
23
24 #include <net/netfilter/nf_log.h>
25 #include <net/netfilter/nf_conntrack.h>
26 #include <net/netfilter/nf_conntrack_l4proto.h>
27 #include <net/netfilter/nf_conntrack_ecache.h>
28 #include <net/netfilter/nf_conntrack_timeout.h>
29
30
31
32
33
34
35 static const char *const sctp_conntrack_names[] = {
36 "NONE",
37 "CLOSED",
38 "COOKIE_WAIT",
39 "COOKIE_ECHOED",
40 "ESTABLISHED",
41 "SHUTDOWN_SENT",
42 "SHUTDOWN_RECD",
43 "SHUTDOWN_ACK_SENT",
44 "HEARTBEAT_SENT",
45 "HEARTBEAT_ACKED",
46 };
47
48 #define SECS * HZ
49 #define MINS * 60 SECS
50 #define HOURS * 60 MINS
51 #define DAYS * 24 HOURS
52
53 static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = {
54 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
55 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
56 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
57 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
58 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
59 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
60 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
61 [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
62 [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
63 };
64
65 #define sNO SCTP_CONNTRACK_NONE
66 #define sCL SCTP_CONNTRACK_CLOSED
67 #define sCW SCTP_CONNTRACK_COOKIE_WAIT
68 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED
69 #define sES SCTP_CONNTRACK_ESTABLISHED
70 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
71 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
72 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
73 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
74 #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
75 #define sIV SCTP_CONNTRACK_MAX
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113 static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
114 {
115
116
117 {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
118 {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
119 {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
120 {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
121 {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
122 {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
123 {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},
124 {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
125 {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
126 {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
127 {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
128 },
129 {
130
131
132 {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
133 {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
134 {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
135 {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
136 {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
137 {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
138 {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
139 {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
140 {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
141 {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
142 {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
143 }
144 };
145
146 #ifdef CONFIG_NF_CONNTRACK_PROCFS
147
148 static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
149 {
150 seq_printf(s, "%s ", sctp_conntrack_names[ct->proto.sctp.state]);
151 }
152 #endif
153
154 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
155 for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \
156 (offset) < (skb)->len && \
157 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
158 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
159
160
161 static int do_basic_checks(struct nf_conn *ct,
162 const struct sk_buff *skb,
163 unsigned int dataoff,
164 unsigned long *map)
165 {
166 u_int32_t offset, count;
167 struct sctp_chunkhdr _sch, *sch;
168 int flag;
169
170 flag = 0;
171
172 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
173 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
174
175 if (sch->type == SCTP_CID_INIT ||
176 sch->type == SCTP_CID_INIT_ACK ||
177 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
178 flag = 1;
179
180
181
182
183
184
185 if (((sch->type == SCTP_CID_COOKIE_ACK ||
186 sch->type == SCTP_CID_COOKIE_ECHO ||
187 flag) &&
188 count != 0) || !sch->length) {
189 pr_debug("Basic checks failed\n");
190 return 1;
191 }
192
193 if (map)
194 set_bit(sch->type, map);
195 }
196
197 pr_debug("Basic checks passed\n");
198 return count == 0;
199 }
200
201 static int sctp_new_state(enum ip_conntrack_dir dir,
202 enum sctp_conntrack cur_state,
203 int chunk_type)
204 {
205 int i;
206
207 pr_debug("Chunk type: %d\n", chunk_type);
208
209 switch (chunk_type) {
210 case SCTP_CID_INIT:
211 pr_debug("SCTP_CID_INIT\n");
212 i = 0;
213 break;
214 case SCTP_CID_INIT_ACK:
215 pr_debug("SCTP_CID_INIT_ACK\n");
216 i = 1;
217 break;
218 case SCTP_CID_ABORT:
219 pr_debug("SCTP_CID_ABORT\n");
220 i = 2;
221 break;
222 case SCTP_CID_SHUTDOWN:
223 pr_debug("SCTP_CID_SHUTDOWN\n");
224 i = 3;
225 break;
226 case SCTP_CID_SHUTDOWN_ACK:
227 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
228 i = 4;
229 break;
230 case SCTP_CID_ERROR:
231 pr_debug("SCTP_CID_ERROR\n");
232 i = 5;
233 break;
234 case SCTP_CID_COOKIE_ECHO:
235 pr_debug("SCTP_CID_COOKIE_ECHO\n");
236 i = 6;
237 break;
238 case SCTP_CID_COOKIE_ACK:
239 pr_debug("SCTP_CID_COOKIE_ACK\n");
240 i = 7;
241 break;
242 case SCTP_CID_SHUTDOWN_COMPLETE:
243 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
244 i = 8;
245 break;
246 case SCTP_CID_HEARTBEAT:
247 pr_debug("SCTP_CID_HEARTBEAT");
248 i = 9;
249 break;
250 case SCTP_CID_HEARTBEAT_ACK:
251 pr_debug("SCTP_CID_HEARTBEAT_ACK");
252 i = 10;
253 break;
254 default:
255
256 pr_debug("Unknown chunk type, Will stay in %s\n",
257 sctp_conntrack_names[cur_state]);
258 return cur_state;
259 }
260
261 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
262 dir, sctp_conntrack_names[cur_state], chunk_type,
263 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
264
265 return sctp_conntracks[dir][i][cur_state];
266 }
267
268
269 static noinline bool
270 sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
271 const struct sctphdr *sh, unsigned int dataoff)
272 {
273 enum sctp_conntrack new_state;
274 const struct sctp_chunkhdr *sch;
275 struct sctp_chunkhdr _sch;
276 u32 offset, count;
277
278 memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
279 new_state = SCTP_CONNTRACK_MAX;
280 for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) {
281 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
282 SCTP_CONNTRACK_NONE, sch->type);
283
284
285 if (new_state == SCTP_CONNTRACK_NONE ||
286 new_state == SCTP_CONNTRACK_MAX) {
287 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
288 return false;
289 }
290
291
292 if (sch->type == SCTP_CID_INIT) {
293 struct sctp_inithdr _inithdr, *ih;
294
295 if (sh->vtag)
296 return false;
297
298 ih = skb_header_pointer(skb, offset + sizeof(_sch),
299 sizeof(_inithdr), &_inithdr);
300 if (!ih)
301 return false;
302
303 pr_debug("Setting vtag %x for new conn\n",
304 ih->init_tag);
305
306 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
307 } else if (sch->type == SCTP_CID_HEARTBEAT) {
308 pr_debug("Setting vtag %x for secondary conntrack\n",
309 sh->vtag);
310 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
311 } else {
312
313
314 pr_debug("Setting vtag %x for new conn OOTB\n",
315 sh->vtag);
316 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
317 }
318
319 ct->proto.sctp.state = SCTP_CONNTRACK_NONE;
320 }
321
322 return true;
323 }
324
325 static bool sctp_error(struct sk_buff *skb,
326 unsigned int dataoff,
327 const struct nf_hook_state *state)
328 {
329 const struct sctphdr *sh;
330 const char *logmsg;
331
332 if (skb->len < dataoff + sizeof(struct sctphdr)) {
333 logmsg = "nf_ct_sctp: short packet ";
334 goto out_invalid;
335 }
336 if (state->hook == NF_INET_PRE_ROUTING &&
337 state->net->ct.sysctl_checksum &&
338 skb->ip_summed == CHECKSUM_NONE) {
339 if (skb_ensure_writable(skb, dataoff + sizeof(*sh))) {
340 logmsg = "nf_ct_sctp: failed to read header ";
341 goto out_invalid;
342 }
343 sh = (const struct sctphdr *)(skb->data + dataoff);
344 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
345 logmsg = "nf_ct_sctp: bad CRC ";
346 goto out_invalid;
347 }
348 skb->ip_summed = CHECKSUM_UNNECESSARY;
349 }
350 return false;
351 out_invalid:
352 nf_l4proto_log_invalid(skb, state->net, state->pf, IPPROTO_SCTP, "%s", logmsg);
353 return true;
354 }
355
356
357 int nf_conntrack_sctp_packet(struct nf_conn *ct,
358 struct sk_buff *skb,
359 unsigned int dataoff,
360 enum ip_conntrack_info ctinfo,
361 const struct nf_hook_state *state)
362 {
363 enum sctp_conntrack new_state, old_state;
364 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
365 const struct sctphdr *sh;
366 struct sctphdr _sctph;
367 const struct sctp_chunkhdr *sch;
368 struct sctp_chunkhdr _sch;
369 u_int32_t offset, count;
370 unsigned int *timeouts;
371 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
372
373 if (sctp_error(skb, dataoff, state))
374 return -NF_ACCEPT;
375
376 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
377 if (sh == NULL)
378 goto out;
379
380 if (do_basic_checks(ct, skb, dataoff, map) != 0)
381 goto out;
382
383 if (!nf_ct_is_confirmed(ct)) {
384
385 if (test_bit(SCTP_CID_ABORT, map) ||
386 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
387 test_bit(SCTP_CID_COOKIE_ACK, map))
388 return -NF_ACCEPT;
389
390 if (!sctp_new(ct, skb, sh, dataoff))
391 return -NF_ACCEPT;
392 }
393
394
395 if (!test_bit(SCTP_CID_INIT, map) &&
396 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
397 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
398 !test_bit(SCTP_CID_ABORT, map) &&
399 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
400 !test_bit(SCTP_CID_HEARTBEAT, map) &&
401 !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
402 sh->vtag != ct->proto.sctp.vtag[dir]) {
403 pr_debug("Verification tag check failed\n");
404 goto out;
405 }
406
407 old_state = new_state = SCTP_CONNTRACK_NONE;
408 spin_lock_bh(&ct->lock);
409 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
410
411 if (sch->type == SCTP_CID_INIT) {
412
413 if (sh->vtag != 0)
414 goto out_unlock;
415 } else if (sch->type == SCTP_CID_ABORT) {
416
417 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
418 sh->vtag != ct->proto.sctp.vtag[!dir])
419 goto out_unlock;
420 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
421
422 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
423 sh->vtag != ct->proto.sctp.vtag[!dir] &&
424 sch->flags & SCTP_CHUNK_FLAG_T)
425 goto out_unlock;
426 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
427
428 if (sh->vtag != ct->proto.sctp.vtag[dir])
429 goto out_unlock;
430 } else if (sch->type == SCTP_CID_HEARTBEAT ||
431 sch->type == SCTP_CID_HEARTBEAT_ACK) {
432 if (ct->proto.sctp.vtag[dir] == 0) {
433 pr_debug("Setting vtag %x for dir %d\n",
434 sh->vtag, dir);
435 ct->proto.sctp.vtag[dir] = sh->vtag;
436 } else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
437 pr_debug("Verification tag check failed\n");
438 goto out_unlock;
439 }
440 }
441
442 old_state = ct->proto.sctp.state;
443 new_state = sctp_new_state(dir, old_state, sch->type);
444
445
446 if (new_state == SCTP_CONNTRACK_MAX) {
447 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
448 "conntrack=%u\n",
449 dir, sch->type, old_state);
450 goto out_unlock;
451 }
452
453
454 if (sch->type == SCTP_CID_INIT ||
455 sch->type == SCTP_CID_INIT_ACK) {
456 struct sctp_inithdr _inithdr, *ih;
457
458 ih = skb_header_pointer(skb, offset + sizeof(_sch),
459 sizeof(_inithdr), &_inithdr);
460 if (ih == NULL)
461 goto out_unlock;
462 pr_debug("Setting vtag %x for dir %d\n",
463 ih->init_tag, !dir);
464 ct->proto.sctp.vtag[!dir] = ih->init_tag;
465 }
466
467 ct->proto.sctp.state = new_state;
468 if (old_state != new_state)
469 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
470 }
471 spin_unlock_bh(&ct->lock);
472
473 timeouts = nf_ct_timeout_lookup(ct);
474 if (!timeouts)
475 timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts;
476
477 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
478
479 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
480 dir == IP_CT_DIR_REPLY &&
481 new_state == SCTP_CONNTRACK_ESTABLISHED) {
482 pr_debug("Setting assured bit\n");
483 set_bit(IPS_ASSURED_BIT, &ct->status);
484 nf_conntrack_event_cache(IPCT_ASSURED, ct);
485 }
486
487 return NF_ACCEPT;
488
489 out_unlock:
490 spin_unlock_bh(&ct->lock);
491 out:
492 return -NF_ACCEPT;
493 }
494
495 static bool sctp_can_early_drop(const struct nf_conn *ct)
496 {
497 switch (ct->proto.sctp.state) {
498 case SCTP_CONNTRACK_SHUTDOWN_SENT:
499 case SCTP_CONNTRACK_SHUTDOWN_RECD:
500 case SCTP_CONNTRACK_SHUTDOWN_ACK_SENT:
501 return true;
502 default:
503 break;
504 }
505
506 return false;
507 }
508
509 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
510
511 #include <linux/netfilter/nfnetlink.h>
512 #include <linux/netfilter/nfnetlink_conntrack.h>
513
514 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
515 struct nf_conn *ct)
516 {
517 struct nlattr *nest_parms;
518
519 spin_lock_bh(&ct->lock);
520 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP);
521 if (!nest_parms)
522 goto nla_put_failure;
523
524 if (nla_put_u8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state) ||
525 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
526 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]) ||
527 nla_put_be32(skb, CTA_PROTOINFO_SCTP_VTAG_REPLY,
528 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]))
529 goto nla_put_failure;
530
531 spin_unlock_bh(&ct->lock);
532
533 nla_nest_end(skb, nest_parms);
534
535 return 0;
536
537 nla_put_failure:
538 spin_unlock_bh(&ct->lock);
539 return -1;
540 }
541
542 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
543 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
544 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
545 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
546 };
547
548 #define SCTP_NLATTR_SIZE ( \
549 NLA_ALIGN(NLA_HDRLEN + 1) + \
550 NLA_ALIGN(NLA_HDRLEN + 4) + \
551 NLA_ALIGN(NLA_HDRLEN + 4))
552
553 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
554 {
555 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
556 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
557 int err;
558
559
560 if (!attr)
561 return 0;
562
563 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_SCTP_MAX, attr,
564 sctp_nla_policy, NULL);
565 if (err < 0)
566 return err;
567
568 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
569 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
570 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
571 return -EINVAL;
572
573 spin_lock_bh(&ct->lock);
574 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
575 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
576 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
577 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
578 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
579 spin_unlock_bh(&ct->lock);
580
581 return 0;
582 }
583 #endif
584
585 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
586
587 #include <linux/netfilter/nfnetlink.h>
588 #include <linux/netfilter/nfnetlink_cttimeout.h>
589
590 static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
591 struct net *net, void *data)
592 {
593 unsigned int *timeouts = data;
594 struct nf_sctp_net *sn = nf_sctp_pernet(net);
595 int i;
596
597 if (!timeouts)
598 timeouts = sn->timeouts;
599
600
601 for (i=0; i<SCTP_CONNTRACK_MAX; i++)
602 timeouts[i] = sn->timeouts[i];
603
604
605 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
606 if (tb[i]) {
607 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
608 }
609 }
610
611 timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED];
612 return 0;
613 }
614
615 static int
616 sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
617 {
618 const unsigned int *timeouts = data;
619 int i;
620
621 for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
622 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
623 goto nla_put_failure;
624 }
625 return 0;
626
627 nla_put_failure:
628 return -ENOSPC;
629 }
630
631 static const struct nla_policy
632 sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
633 [CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
634 [CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
635 [CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
636 [CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
637 [CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
638 [CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
639 [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
640 [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 },
641 [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 },
642 };
643 #endif
644
645 void nf_conntrack_sctp_init_net(struct net *net)
646 {
647 struct nf_sctp_net *sn = nf_sctp_pernet(net);
648 int i;
649
650 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
651 sn->timeouts[i] = sctp_timeouts[i];
652
653
654
655
656 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
657 }
658
659 const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = {
660 .l4proto = IPPROTO_SCTP,
661 #ifdef CONFIG_NF_CONNTRACK_PROCFS
662 .print_conntrack = sctp_print_conntrack,
663 #endif
664 .can_early_drop = sctp_can_early_drop,
665 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
666 .nlattr_size = SCTP_NLATTR_SIZE,
667 .to_nlattr = sctp_to_nlattr,
668 .from_nlattr = nlattr_to_sctp,
669 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
670 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
671 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
672 .nla_policy = nf_ct_port_nla_policy,
673 #endif
674 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
675 .ctnl_timeout = {
676 .nlattr_to_obj = sctp_timeout_nlattr_to_obj,
677 .obj_to_nlattr = sctp_timeout_obj_to_nlattr,
678 .nlattr_max = CTA_TIMEOUT_SCTP_MAX,
679 .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
680 .nla_policy = sctp_timeout_nla_policy,
681 },
682 #endif
683 };