
Revert "netfilter: conntrack: add sctp DATA_SENT state"

This reverts commit (bff3d0534804: "netfilter: conntrack: add sctp
DATA_SENT state")

Using DATA/SACK to detect a new connection on secondary/alternate paths
works only on new connections, while a HEARTBEAT is required on
connection re-use. It is probably consistent to wait for HEARTBEAT to
create a secondary connection in conntrack.

Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Sriram Yagnaraman and committed by
Pablo Neira Ayuso
13bd9b31 98ee0077

+42 -70
-1
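--- a/include/uapi/linux/netfilter/nf_conntrack_sctp.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
@@ -16,7 +16,6 @@
 	SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
 	SCTP_CONNTRACK_HEARTBEAT_SENT,
 	SCTP_CONNTRACK_HEARTBEAT_ACKED,
-	SCTP_CONNTRACK_DATA_SENT,
 	SCTP_CONNTRACK_MAX
 };
 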
+42 -60
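--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -60,7 +60,6 @@
 	[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT]	= 3 SECS,
 	[SCTP_CONNTRACK_HEARTBEAT_SENT]		= 30 SECS,
 	[SCTP_CONNTRACK_HEARTBEAT_ACKED]	= 210 SECS,
-	[SCTP_CONNTRACK_DATA_SENT]		= 30 SECS,
 };
 
 #define	SCTP_FLAG_HEARTBEAT_VTAG_FAILED	1
@@ -74,7 +75,6 @@
 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
 #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT
 #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED
-#define sDS SCTP_CONNTRACK_DATA_SENT
 #define sIV SCTP_CONNTRACK_MAX
 
 /*
@@ -96,10 +98,9 @@
 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
 	 the SHUTDOWN chunk. Connection is closed.
 HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow.
-HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK/DATA/SACK in the direction
-		  opposite to that of the HEARTBEAT/DATA chunk. Secondary connection
-		  is established.
-DATA_SENT - We have seen a DATA/SACK in a new flow.
+HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to
+		  that of the HEARTBEAT chunk. Secondary connection is
+		  established.
 */
 
 /* TODO
@@ -112,38 +115,36 @@
 */
 
 /* SCTP conntrack state transitions */
-static const u8 sctp_conntracks[2][12][SCTP_CONNTRACK_MAX] = {
+static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
 	{
 /*	ORIGINAL	*/
-/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS */
-/* init         */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA, sCW},
-/* init_ack     */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},
-/* abort        */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
-/* shutdown     */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS, sCL},
-/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA, sSA},
-/* error        */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* Can't have Stale cookie*/
-/* cookie_echo  */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* 5.2.4 - Big TODO */
-/* cookie_ack   */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* Can't come in orig dir */
-/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA, sCL},
-/* heartbeat    */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS},
-/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS},
-/* data/sack    */ {sDS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS}
+/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
+/* init         */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
+/* init_ack     */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
+/* abort        */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
+/* shutdown     */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
+/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA},
+/* error        */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/
+/* cookie_echo  */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */
+/* cookie_ack   */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */
+/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA},
+/* heartbeat    */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
+/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}
 	},
 	{
 /*	REPLY	*/
-/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS */
-/* init         */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV},/* INIT in sCL Big TODO */
-/* init_ack     */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV},
-/* abort        */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL, sIV},
-/* shutdown     */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR, sIV},
-/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA, sIV},
-/* error        */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA, sIV},
-/* cookie_echo  */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV},/* Can't come in reply dir */
-/* cookie_ack   */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA, sIV},
-/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA, sIV},
-/* heartbeat    */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sHA},
-/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA, sHA},
-/* data/sack    */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA, sHA},
+/*                  sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
+/* init         */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
+/* init_ack     */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
+/* abort        */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
+/* shutdown     */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
+/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
+/* error        */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA},
+/* cookie_echo  */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */
+/* cookie_ack   */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA},
+/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA},
+/* heartbeat    */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA},
+/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA}
 	}
 };
 
@@ -253,11 +258,6 @@
 		pr_debug("SCTP_CID_HEARTBEAT_ACK");
 		i = 10;
 		break;
-	case SCTP_CID_DATA:
-	case SCTP_CID_SACK:
-		pr_debug("SCTP_CID_DATA/SACK");
-		i = 11;
-		break;
 	default:
 		/* Other chunks like DATA or SACK do not change the state */
 		pr_debug("Unknown chunk type, Will stay in %s\n",
@@ -306,9 +316,7 @@
 				 ih->init_tag);
 
 			ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag;
-		} else if (sch->type == SCTP_CID_HEARTBEAT ||
-			   sch->type == SCTP_CID_DATA ||
-			   sch->type == SCTP_CID_SACK) {
+		} else if (sch->type == SCTP_CID_HEARTBEAT) {
 			pr_debug("Setting vtag %x for secondary conntrack\n",
 				 sh->vtag);
 			ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
@@ -392,19 +404,19 @@
 
 		if (!sctp_new(ct, skb, sh, dataoff))
 			return -NF_ACCEPT;
-	} else {
-		/* Check the verification tag (Sec 8.5) */
-		if (!test_bit(SCTP_CID_INIT, map) &&
-		    !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
-		    !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
-		    !test_bit(SCTP_CID_ABORT, map) &&
-		    !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
-		    !test_bit(SCTP_CID_HEARTBEAT, map) &&
-		    !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
-		    sh->vtag != ct->proto.sctp.vtag[dir]) {
-			pr_debug("Verification tag check failed\n");
-			goto out;
-		}
+	}
+
+	/* Check the verification tag (Sec 8.5) */
+	if (!test_bit(SCTP_CID_INIT, map) &&
+	    !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
+	    !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
+	    !test_bit(SCTP_CID_ABORT, map) &&
+	    !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
+	    !test_bit(SCTP_CID_HEARTBEAT, map) &&
+	    !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
+	    sh->vtag != ct->proto.sctp.vtag[dir]) {
+		pr_debug("Verification tag check failed\n");
+		goto out;
 	}
 
 	old_state = new_state = SCTP_CONNTRACK_NONE;
@@ -470,11 +482,6 @@
 				ct->proto.sctp.vtag[!dir] = 0;
 			} else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) {
 				ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
-			}
-		} else if (sch->type == SCTP_CID_DATA || sch->type == SCTP_CID_SACK) {
-			if (ct->proto.sctp.vtag[dir] == 0) {
-				pr_debug("Setting vtag %x for dir %d\n", sh->vtag, dir);
-				ct->proto.sctp.vtag[dir] = sh->vtag;
 			}
 		}
 
@@ -691,7 +708,6 @@
 	[CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT]	= { .type = NLA_U32 },
 	[CTA_TIMEOUT_SCTP_HEARTBEAT_SENT]	= { .type = NLA_U32 },
 	[CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED]	= { .type = NLA_U32 },
-	[CTA_TIMEOUT_SCTP_DATA_SENT]		= { .type = NLA_U32 },
 };
 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 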
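Review bot: The second dimension of `sctp_conntracks`, now `[2][11]`, is a bare count with nothing in the file tying it to the chunk-type switch further down, where the hunk at old line 253 leaves `i = 10` for HEARTBEAT_ACK as the highest row index that presumably selects a row of this table. The revert keeps the two in step (11 rows, highest index 10), but the dependency is implicit, and a later change that bumps one side without the other would read past the end of the table on the first packet carrying the new chunk type. A comment at the definition would make the coupling visible, e.g. `/* second dimension: one row per chunk-type index assigned in the switch below (highest i + 1) */`. The same applies to the removed `data/sack` rows: anyone re-adding a row must also extend both the ORIGINAL and REPLY tables and the switch together.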
-8
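--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -602,7 +602,6 @@
 	NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
 	NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT,
 	NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED,
-	NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_DATA_SENT,
 #endif
 #ifdef CONFIG_NF_CT_PROTO_DCCP
 	NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST,
@@ -892,12 +893,6 @@
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
-	[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_DATA_SENT] = {
-		.procname	= "nf_conntrack_sctp_timeout_data_sent",
-		.maxlen		= sizeof(unsigned int),
-		.mode		= 0644,
-		.proc_handler	= proc_dointvec_jiffies,
-	},
 #endif
 #ifdef CONFIG_NF_CT_PROTO_DCCP
 	[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = {
@@ -1036,7 +1043,6 @@
 	XASSIGN(SHUTDOWN_ACK_SENT, sn);
 	XASSIGN(HEARTBEAT_SENT, sn);
 	XASSIGN(HEARTBEAT_ACKED, sn);
-	XASSIGN(DATA_SENT, sn);
 #undef XASSIGN
 #endif
 }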