+40

include/linux/netfilter/nf_conntrack_dccp.h

reviewed

··· 1 1 + #ifndef _NF_CONNTRACK_DCCP_H 2 2 + #define _NF_CONNTRACK_DCCP_H 3 3 + 4 4 + /* Exposed to userspace over nfnetlink */ 5 5 + enum ct_dccp_states { 6 6 + CT_DCCP_NONE, 7 7 + CT_DCCP_REQUEST, 8 8 + CT_DCCP_RESPOND, 9 9 + CT_DCCP_PARTOPEN, 10 10 + CT_DCCP_OPEN, 11 11 + CT_DCCP_CLOSEREQ, 12 12 + CT_DCCP_CLOSING, 13 13 + CT_DCCP_TIMEWAIT, 14 14 + CT_DCCP_IGNORE, 15 15 + CT_DCCP_INVALID, 16 16 + __CT_DCCP_MAX 17 17 + }; 18 18 + #define CT_DCCP_MAX (__CT_DCCP_MAX - 1) 19 19 + 20 20 + enum ct_dccp_roles { 21 21 + CT_DCCP_ROLE_CLIENT, 22 22 + CT_DCCP_ROLE_SERVER, 23 23 + __CT_DCCP_ROLE_MAX 24 24 + }; 25 25 + #define CT_DCCP_ROLE_MAX (__CT_DCCP_ROLE_MAX - 1) 26 26 + 27 27 + #ifdef __KERNEL__ 28 28 + #include <net/netfilter/nf_conntrack_tuple.h> 29 29 + 30 30 + struct nf_ct_dccp { 31 31 + u_int8_t role[IP_CT_DIR_MAX]; 32 32 + u_int8_t state; 33 33 + u_int8_t last_pkt; 34 34 + u_int8_t last_dir; 35 35 + u_int64_t handshake_seq; 36 36 + }; 37 37 + 38 38 + #endif /* __KERNEL__ */ 39 39 + 40 40 + #endif /* _NF_CONNTRACK_DCCP_H */

+8

include/linux/netfilter/nfnetlink_conntrack.h

reviewed

··· 80 80 enum ctattr_protoinfo { 81 81 CTA_PROTOINFO_UNSPEC, 82 82 CTA_PROTOINFO_TCP, 83 83 + CTA_PROTOINFO_DCCP, 83 84 __CTA_PROTOINFO_MAX 84 85 }; 85 86 #define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1) ··· 95 94 __CTA_PROTOINFO_TCP_MAX 96 95 }; 97 96 #define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1) 97 97 + 98 98 + enum ctattr_protoinfo_dccp { 99 99 + CTA_PROTOINFO_DCCP_UNSPEC, 100 100 + CTA_PROTOINFO_DCCP_STATE, 101 101 + __CTA_PROTOINFO_DCCP_MAX, 102 102 + }; 103 103 + #define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1) 98 104 99 105 enum ctattr_counters { 100 106 CTA_COUNTERS_UNSPEC,

+2

include/net/netfilter/nf_conntrack.h

reviewed

··· 20 20 #include <asm/atomic.h> 21 21 22 22 #include <linux/netfilter/nf_conntrack_tcp.h> 23 23 + #include <linux/netfilter/nf_conntrack_dccp.h> 23 24 #include <linux/netfilter/nf_conntrack_sctp.h> 24 25 #include <linux/netfilter/nf_conntrack_proto_gre.h> 25 26 #include <net/netfilter/ipv4/nf_conntrack_icmp.h> ··· 31 30 /* per conntrack: protocol private data */ 32 31 union nf_conntrack_proto { 33 32 /* insert conntrack proto private data here */ 33 33 + struct nf_ct_dccp dccp; 34 34 struct ip_ct_sctp sctp; 35 35 struct ip_ct_tcp tcp; 36 36 struct ip_ct_icmp icmp;

+6

include/net/netfilter/nf_conntrack_tuple.h

reviewed

··· 41 41 } icmp; 42 42 struct { 43 43 __be16 port; 44 44 + } dccp; 45 45 + struct { 46 46 + __be16 port; 44 47 } sctp; 45 48 struct { 46 49 __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */ ··· 80 77 struct { 81 78 u_int8_t type, code; 82 79 } icmp; 80 80 + struct { 81 81 + __be16 port; 82 82 + } dccp; 83 83 struct { 84 84 __be16 port; 85 85 } sctp;

+10

net/netfilter/Kconfig

reviewed

··· 86 86 87 87 If unsure, say `N'. 88 88 89 89 + config NF_CT_PROTO_DCCP 90 90 + tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)' 91 91 + depends on EXPERIMENTAL && NF_CONNTRACK 92 92 + depends on NETFILTER_ADVANCED 93 93 + help 94 94 + With this option enabled, the layer 3 independent connection 95 95 + tracking code will be able to do state tracking on DCCP connections. 96 96 + 97 97 + If unsure, say 'N'. 98 98 + 89 99 config NF_CT_PROTO_GRE 90 100 tristate 91 101 depends on NF_CONNTRACK

+1

net/netfilter/Makefile

reviewed

··· 13 13 obj-$(CONFIG_NF_CONNTRACK) += nf_conntrack.o 14 14 15 15 # SCTP protocol connection tracking 16 16 + obj-$(CONFIG_NF_CT_PROTO_DCCP) += nf_conntrack_proto_dccp.o 16 17 obj-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o 17 18 obj-$(CONFIG_NF_CT_PROTO_SCTP) += nf_conntrack_proto_sctp.o 18 19 obj-$(CONFIG_NF_CT_PROTO_UDPLITE) += nf_conntrack_proto_udplite.o

+816

net/netfilter/nf_conntrack_proto_dccp.c

reviewed

··· 1 1 + /* 2 2 + * DCCP connection tracking protocol helper 3 3 + * 4 4 + * Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net> 5 5 + * 6 6 + * This program is free software; you can redistribute it and/or modify 7 7 + * it under the terms of the GNU General Public License version 2 as 8 8 + * published by the Free Software Foundation. 9 9 + * 10 10 + */ 11 11 + #include <linux/kernel.h> 12 12 + #include <linux/module.h> 13 13 + #include <linux/init.h> 14 14 + #include <linux/sysctl.h> 15 15 + #include <linux/spinlock.h> 16 16 + #include <linux/skbuff.h> 17 17 + #include <linux/dccp.h> 18 18 + 19 19 + #include <linux/netfilter/nfnetlink_conntrack.h> 20 20 + #include <net/netfilter/nf_conntrack.h> 21 21 + #include <net/netfilter/nf_conntrack_l4proto.h> 22 22 + #include <net/netfilter/nf_log.h> 23 23 + 24 24 + static DEFINE_RWLOCK(dccp_lock); 25 25 + 26 26 + static int nf_ct_dccp_loose __read_mostly = 1; 27 27 + 28 28 + /* Timeouts are based on values from RFC4340: 29 29 + * 30 30 + * - REQUEST: 31 31 + * 32 32 + * 8.1.2. Client Request 33 33 + * 34 34 + * A client MAY give up on its DCCP-Requests after some time 35 35 + * (3 minutes, for example). 36 36 + * 37 37 + * - RESPOND: 38 38 + * 39 39 + * 8.1.3. Server Response 40 40 + * 41 41 + * It MAY also leave the RESPOND state for CLOSED after a timeout of 42 42 + * not less than 4MSL (8 minutes); 43 43 + * 44 44 + * - PARTOPEN: 45 45 + * 46 46 + * 8.1.5. Handshake Completion 47 47 + * 48 48 + * If the client remains in PARTOPEN for more than 4MSL (8 minutes), 49 49 + * it SHOULD reset the connection with Reset Code 2, "Aborted". 50 50 + * 51 51 + * - OPEN: 52 52 + * 53 53 + * The DCCP timestamp overflows after 11.9 hours. If the connection 54 54 + * stays idle this long the sequence number won't be recognized 55 55 + * as valid anymore. 56 56 + * 57 57 + * - CLOSEREQ/CLOSING: 58 58 + * 59 59 + * 8.3. Termination 60 60 + * 61 61 + * The retransmission timer should initially be set to go off in two 62 62 + * round-trip times and should back off to not less than once every 63 63 + * 64 seconds ... 64 64 + * 65 65 + * - TIMEWAIT: 66 66 + * 67 67 + * 4.3. States 68 68 + * 69 69 + * A server or client socket remains in this state for 2MSL (4 minutes) 70 70 + * after the connection has been town down, ... 71 71 + */ 72 72 + 73 73 + #define DCCP_MSL (2 * 60 * HZ) 74 74 + 75 75 + static unsigned int dccp_timeout[CT_DCCP_MAX + 1] __read_mostly = { 76 76 + [CT_DCCP_REQUEST] = 2 * DCCP_MSL, 77 77 + [CT_DCCP_RESPOND] = 4 * DCCP_MSL, 78 78 + [CT_DCCP_PARTOPEN] = 4 * DCCP_MSL, 79 79 + [CT_DCCP_OPEN] = 12 * 3600 * HZ, 80 80 + [CT_DCCP_CLOSEREQ] = 64 * HZ, 81 81 + [CT_DCCP_CLOSING] = 64 * HZ, 82 82 + [CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL, 83 83 + }; 84 84 + 85 85 + static const char * const dccp_state_names[] = { 86 86 + [CT_DCCP_NONE] = "NONE", 87 87 + [CT_DCCP_REQUEST] = "REQUEST", 88 88 + [CT_DCCP_RESPOND] = "RESPOND", 89 89 + [CT_DCCP_PARTOPEN] = "PARTOPEN", 90 90 + [CT_DCCP_OPEN] = "OPEN", 91 91 + [CT_DCCP_CLOSEREQ] = "CLOSEREQ", 92 92 + [CT_DCCP_CLOSING] = "CLOSING", 93 93 + [CT_DCCP_TIMEWAIT] = "TIMEWAIT", 94 94 + [CT_DCCP_IGNORE] = "IGNORE", 95 95 + [CT_DCCP_INVALID] = "INVALID", 96 96 + }; 97 97 + 98 98 + #define sNO CT_DCCP_NONE 99 99 + #define sRQ CT_DCCP_REQUEST 100 100 + #define sRS CT_DCCP_RESPOND 101 101 + #define sPO CT_DCCP_PARTOPEN 102 102 + #define sOP CT_DCCP_OPEN 103 103 + #define sCR CT_DCCP_CLOSEREQ 104 104 + #define sCG CT_DCCP_CLOSING 105 105 + #define sTW CT_DCCP_TIMEWAIT 106 106 + #define sIG CT_DCCP_IGNORE 107 107 + #define sIV CT_DCCP_INVALID 108 108 + 109 109 + /* 110 110 + * DCCP state transistion table 111 111 + * 112 112 + * The assumption is the same as for TCP tracking: 113 113 + * 114 114 + * We are the man in the middle. All the packets go through us but might 115 115 + * get lost in transit to the destination. It is assumed that the destination 116 116 + * can't receive segments we haven't seen. 117 117 + * 118 118 + * The following states exist: 119 119 + * 120 120 + * NONE: Initial state, expecting Request 121 121 + * REQUEST: Request seen, waiting for Response from server 122 122 + * RESPOND: Response from server seen, waiting for Ack from client 123 123 + * PARTOPEN: Ack after Response seen, waiting for packet other than Response, 124 124 + * Reset or Sync from server 125 125 + * OPEN: Packet other than Response, Reset or Sync seen 126 126 + * CLOSEREQ: CloseReq from server seen, expecting Close from client 127 127 + * CLOSING: Close seen, expecting Reset 128 128 + * TIMEWAIT: Reset seen 129 129 + * IGNORE: Not determinable whether packet is valid 130 130 + * 131 131 + * Some states exist only on one side of the connection: REQUEST, RESPOND, 132 132 + * PARTOPEN, CLOSEREQ. For the other side these states are equivalent to 133 133 + * the one it was in before. 134 134 + * 135 135 + * Packets are marked as ignored (sIG) if we don't know if they're valid 136 136 + * (for example a reincarnation of a connection we didn't notice is dead 137 137 + * already) and the server may send back a connection closing Reset or a 138 138 + * Response. They're also used for Sync/SyncAck packets, which we don't 139 139 + * care about. 140 140 + */ 141 141 + static const u_int8_t 142 142 + dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = { 143 143 + [CT_DCCP_ROLE_CLIENT] = { 144 144 + [DCCP_PKT_REQUEST] = { 145 145 + /* 146 146 + * sNO -> sRQ Regular Request 147 147 + * sRQ -> sRQ Retransmitted Request or reincarnation 148 148 + * sRS -> sRS Retransmitted Request (apparently Response 149 149 + * got lost after we saw it) or reincarnation 150 150 + * sPO -> sIG Ignore, conntrack might be out of sync 151 151 + * sOP -> sIG Ignore, conntrack might be out of sync 152 152 + * sCR -> sIG Ignore, conntrack might be out of sync 153 153 + * sCG -> sIG Ignore, conntrack might be out of sync 154 154 + * sTW -> sRQ Reincarnation 155 155 + * 156 156 + * sNO, sRQ, sRS, sPO. sOP, sCR, sCG, sTW, */ 157 157 + sRQ, sRQ, sRS, sIG, sIG, sIG, sIG, sRQ, 158 158 + }, 159 159 + [DCCP_PKT_RESPONSE] = { 160 160 + /* 161 161 + * sNO -> sIV Invalid 162 162 + * sRQ -> sIG Ignore, might be response to ignored Request 163 163 + * sRS -> sIG Ignore, might be response to ignored Request 164 164 + * sPO -> sIG Ignore, might be response to ignored Request 165 165 + * sOP -> sIG Ignore, might be response to ignored Request 166 166 + * sCR -> sIG Ignore, might be response to ignored Request 167 167 + * sCG -> sIG Ignore, might be response to ignored Request 168 168 + * sTW -> sIV Invalid, reincarnation in reverse direction 169 169 + * goes through sRQ 170 170 + * 171 171 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 172 172 + sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIV, 173 173 + }, 174 174 + [DCCP_PKT_ACK] = { 175 175 + /* 176 176 + * sNO -> sIV No connection 177 177 + * sRQ -> sIV No connection 178 178 + * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.) 179 179 + * sPO -> sPO Retransmitted Ack for Response, remain in PARTOPEN 180 180 + * sOP -> sOP Regular ACK, remain in OPEN 181 181 + * sCR -> sCR Ack in CLOSEREQ MAY be processed (8.3.) 182 182 + * sCG -> sCG Ack in CLOSING MAY be processed (8.3.) 183 183 + * sTW -> sIV 184 184 + * 185 185 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 186 186 + sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV 187 187 + }, 188 188 + [DCCP_PKT_DATA] = { 189 189 + /* 190 190 + * sNO -> sIV No connection 191 191 + * sRQ -> sIV No connection 192 192 + * sRS -> sIV No connection 193 193 + * sPO -> sIV MUST use DataAck in PARTOPEN state (8.1.5.) 194 194 + * sOP -> sOP Regular Data packet 195 195 + * sCR -> sCR Data in CLOSEREQ MAY be processed (8.3.) 196 196 + * sCG -> sCG Data in CLOSING MAY be processed (8.3.) 197 197 + * sTW -> sIV 198 198 + * 199 199 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 200 200 + sIV, sIV, sIV, sIV, sOP, sCR, sCG, sIV, 201 201 + }, 202 202 + [DCCP_PKT_DATAACK] = { 203 203 + /* 204 204 + * sNO -> sIV No connection 205 205 + * sRQ -> sIV No connection 206 206 + * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.) 207 207 + * sPO -> sPO Remain in PARTOPEN state 208 208 + * sOP -> sOP Regular DataAck packet in OPEN state 209 209 + * sCR -> sCR DataAck in CLOSEREQ MAY be processed (8.3.) 210 210 + * sCG -> sCG DataAck in CLOSING MAY be processed (8.3.) 211 211 + * sTW -> sIV 212 212 + * 213 213 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 214 214 + sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV 215 215 + }, 216 216 + [DCCP_PKT_CLOSEREQ] = { 217 217 + /* 218 218 + * CLOSEREQ may only be sent by the server. 219 219 + * 220 220 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 221 221 + sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV 222 222 + }, 223 223 + [DCCP_PKT_CLOSE] = { 224 224 + /* 225 225 + * sNO -> sIV No connection 226 226 + * sRQ -> sIV No connection 227 227 + * sRS -> sIV No connection 228 228 + * sPO -> sCG Client-initiated close 229 229 + * sOP -> sCG Client-initiated close 230 230 + * sCR -> sCG Close in response to CloseReq (8.3.) 231 231 + * sCG -> sCG Retransmit 232 232 + * sTW -> sIV Late retransmit, already in TIME_WAIT 233 233 + * 234 234 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 235 235 + sIV, sIV, sIV, sCG, sCG, sCG, sIV, sIV 236 236 + }, 237 237 + [DCCP_PKT_RESET] = { 238 238 + /* 239 239 + * sNO -> sIV No connection 240 240 + * sRQ -> sTW Sync received or timeout, SHOULD send Reset (8.1.1.) 241 241 + * sRS -> sTW Response received without Request 242 242 + * sPO -> sTW Timeout, SHOULD send Reset (8.1.5.) 243 243 + * sOP -> sTW Connection reset 244 244 + * sCR -> sTW Connection reset 245 245 + * sCG -> sTW Connection reset 246 246 + * sTW -> sIG Ignore (don't refresh timer) 247 247 + * 248 248 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 249 249 + sIV, sTW, sTW, sTW, sTW, sTW, sTW, sIG 250 250 + }, 251 251 + [DCCP_PKT_SYNC] = { 252 252 + /* 253 253 + * We currently ignore Sync packets 254 254 + * 255 255 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 256 256 + sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 257 257 + }, 258 258 + [DCCP_PKT_SYNCACK] = { 259 259 + /* 260 260 + * We currently ignore SyncAck packets 261 261 + * 262 262 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 263 263 + sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 264 264 + }, 265 265 + }, 266 266 + [CT_DCCP_ROLE_SERVER] = { 267 267 + [DCCP_PKT_REQUEST] = { 268 268 + /* 269 269 + * sNO -> sIV Invalid 270 270 + * sRQ -> sIG Ignore, conntrack might be out of sync 271 271 + * sRS -> sIG Ignore, conntrack might be out of sync 272 272 + * sPO -> sIG Ignore, conntrack might be out of sync 273 273 + * sOP -> sIG Ignore, conntrack might be out of sync 274 274 + * sCR -> sIG Ignore, conntrack might be out of sync 275 275 + * sCG -> sIG Ignore, conntrack might be out of sync 276 276 + * sTW -> sRQ Reincarnation, must reverse roles 277 277 + * 278 278 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 279 279 + sIV, sIG, sIG, sIG, sIG, sIG, sIG, sRQ 280 280 + }, 281 281 + [DCCP_PKT_RESPONSE] = { 282 282 + /* 283 283 + * sNO -> sIV Response without Request 284 284 + * sRQ -> sRS Response to clients Request 285 285 + * sRS -> sRS Retransmitted Response (8.1.3. SHOULD NOT) 286 286 + * sPO -> sIG Response to an ignored Request or late retransmit 287 287 + * sOP -> sIG Ignore, might be response to ignored Request 288 288 + * sCR -> sIG Ignore, might be response to ignored Request 289 289 + * sCG -> sIG Ignore, might be response to ignored Request 290 290 + * sTW -> sIV Invalid, Request from client in sTW moves to sRQ 291 291 + * 292 292 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 293 293 + sIV, sRS, sRS, sIG, sIG, sIG, sIG, sIV 294 294 + }, 295 295 + [DCCP_PKT_ACK] = { 296 296 + /* 297 297 + * sNO -> sIV No connection 298 298 + * sRQ -> sIV No connection 299 299 + * sRS -> sIV No connection 300 300 + * sPO -> sOP Enter OPEN state (8.1.5.) 301 301 + * sOP -> sOP Regular Ack in OPEN state 302 302 + * sCR -> sIV Waiting for Close from client 303 303 + * sCG -> sCG Ack in CLOSING MAY be processed (8.3.) 304 304 + * sTW -> sIV 305 305 + * 306 306 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 307 307 + sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV 308 308 + }, 309 309 + [DCCP_PKT_DATA] = { 310 310 + /* 311 311 + * sNO -> sIV No connection 312 312 + * sRQ -> sIV No connection 313 313 + * sRS -> sIV No connection 314 314 + * sPO -> sOP Enter OPEN state (8.1.5.) 315 315 + * sOP -> sOP Regular Data packet in OPEN state 316 316 + * sCR -> sIV Waiting for Close from client 317 317 + * sCG -> sCG Data in CLOSING MAY be processed (8.3.) 318 318 + * sTW -> sIV 319 319 + * 320 320 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 321 321 + sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV 322 322 + }, 323 323 + [DCCP_PKT_DATAACK] = { 324 324 + /* 325 325 + * sNO -> sIV No connection 326 326 + * sRQ -> sIV No connection 327 327 + * sRS -> sIV No connection 328 328 + * sPO -> sOP Enter OPEN state (8.1.5.) 329 329 + * sOP -> sOP Regular DataAck in OPEN state 330 330 + * sCR -> sIV Waiting for Close from client 331 331 + * sCG -> sCG Data in CLOSING MAY be processed (8.3.) 332 332 + * sTW -> sIV 333 333 + * 334 334 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 335 335 + sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV 336 336 + }, 337 337 + [DCCP_PKT_CLOSEREQ] = { 338 338 + /* 339 339 + * sNO -> sIV No connection 340 340 + * sRQ -> sIV No connection 341 341 + * sRS -> sIV No connection 342 342 + * sPO -> sOP -> sCR Move directly to CLOSEREQ (8.1.5.) 343 343 + * sOP -> sCR CloseReq in OPEN state 344 344 + * sCR -> sCR Retransmit 345 345 + * sCG -> sCR Simultaneous close, client sends another Close 346 346 + * sTW -> sIV Already closed 347 347 + * 348 348 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 349 349 + sIV, sIV, sIV, sCR, sCR, sCR, sCR, sIV 350 350 + }, 351 351 + [DCCP_PKT_CLOSE] = { 352 352 + /* 353 353 + * sNO -> sIV No connection 354 354 + * sRQ -> sIV No connection 355 355 + * sRS -> sIV No connection 356 356 + * sPO -> sOP -> sCG Move direcly to CLOSING 357 357 + * sOP -> sCG Move to CLOSING 358 358 + * sCR -> sIV Close after CloseReq is invalid 359 359 + * sCG -> sCG Retransmit 360 360 + * sTW -> sIV Already closed 361 361 + * 362 362 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 363 363 + sIV, sIV, sIV, sCG, sCG, sIV, sCG, sIV 364 364 + }, 365 365 + [DCCP_PKT_RESET] = { 366 366 + /* 367 367 + * sNO -> sIV No connection 368 368 + * sRQ -> sTW Reset in response to Request 369 369 + * sRS -> sTW Timeout, SHOULD send Reset (8.1.3.) 370 370 + * sPO -> sTW Timeout, SHOULD send Reset (8.1.3.) 371 371 + * sOP -> sTW 372 372 + * sCR -> sTW 373 373 + * sCG -> sTW 374 374 + * sTW -> sIG Ignore (don't refresh timer) 375 375 + * 376 376 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW, sTW */ 377 377 + sIV, sTW, sTW, sTW, sTW, sTW, sTW, sTW, sIG 378 378 + }, 379 379 + [DCCP_PKT_SYNC] = { 380 380 + /* 381 381 + * We currently ignore Sync packets 382 382 + * 383 383 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 384 384 + sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 385 385 + }, 386 386 + [DCCP_PKT_SYNCACK] = { 387 387 + /* 388 388 + * We currently ignore SyncAck packets 389 389 + * 390 390 + * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 391 391 + sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 392 392 + }, 393 393 + }, 394 394 + }; 395 395 + 396 396 + static int dccp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff, 397 397 + struct nf_conntrack_tuple *tuple) 398 398 + { 399 399 + struct dccp_hdr _hdr, *dh; 400 400 + 401 401 + dh = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); 402 402 + if (dh == NULL) 403 403 + return 0; 404 404 + 405 405 + tuple->src.u.dccp.port = dh->dccph_sport; 406 406 + tuple->dst.u.dccp.port = dh->dccph_dport; 407 407 + return 1; 408 408 + } 409 409 + 410 410 + static int dccp_invert_tuple(struct nf_conntrack_tuple *inv, 411 411 + const struct nf_conntrack_tuple *tuple) 412 412 + { 413 413 + inv->src.u.dccp.port = tuple->dst.u.dccp.port; 414 414 + inv->dst.u.dccp.port = tuple->src.u.dccp.port; 415 415 + return 1; 416 416 + } 417 417 + 418 418 + static int dccp_new(struct nf_conn *ct, const struct sk_buff *skb, 419 419 + unsigned int dataoff) 420 420 + { 421 421 + int pf = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num; 422 422 + struct dccp_hdr _dh, *dh; 423 423 + const char *msg; 424 424 + u_int8_t state; 425 425 + 426 426 + dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); 427 427 + BUG_ON(dh == NULL); 428 428 + 429 429 + state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE]; 430 430 + switch (state) { 431 431 + default: 432 432 + if (nf_ct_dccp_loose == 0) { 433 433 + msg = "nf_ct_dccp: not picking up existing connection "; 434 434 + goto out_invalid; 435 435 + } 436 436 + case CT_DCCP_REQUEST: 437 437 + break; 438 438 + case CT_DCCP_INVALID: 439 439 + msg = "nf_ct_dccp: invalid state transition "; 440 440 + goto out_invalid; 441 441 + } 442 442 + 443 443 + ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT; 444 444 + ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER; 445 445 + ct->proto.dccp.state = CT_DCCP_NONE; 446 446 + return 1; 447 447 + 448 448 + out_invalid: 449 449 + if (LOG_INVALID(IPPROTO_DCCP)) 450 450 + nf_log_packet(pf, 0, skb, NULL, NULL, NULL, msg); 451 451 + return 0; 452 452 + } 453 453 + 454 454 + static u64 dccp_ack_seq(const struct dccp_hdr *dh) 455 455 + { 456 456 + const struct dccp_hdr_ack_bits *dhack; 457 457 + 458 458 + dhack = (void *)dh + __dccp_basic_hdr_len(dh); 459 459 + return ((u64)ntohs(dhack->dccph_ack_nr_high) << 32) + 460 460 + ntohl(dhack->dccph_ack_nr_low); 461 461 + } 462 462 + 463 463 + static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb, 464 464 + unsigned int dataoff, enum ip_conntrack_info ctinfo, 465 465 + int pf, unsigned int hooknum) 466 466 + { 467 467 + enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 468 468 + struct dccp_hdr _dh, *dh; 469 469 + u_int8_t type, old_state, new_state; 470 470 + enum ct_dccp_roles role; 471 471 + 472 472 + dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); 473 473 + BUG_ON(dh == NULL); 474 474 + type = dh->dccph_type; 475 475 + 476 476 + if (type == DCCP_PKT_RESET && 477 477 + !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { 478 478 + /* Tear down connection immediately if only reply is a RESET */ 479 479 + if (del_timer(&ct->timeout)) 480 480 + ct->timeout.function((unsigned long)ct); 481 481 + return NF_ACCEPT; 482 482 + } 483 483 + 484 484 + write_lock_bh(&dccp_lock); 485 485 + 486 486 + role = ct->proto.dccp.role[dir]; 487 487 + old_state = ct->proto.dccp.state; 488 488 + new_state = dccp_state_table[role][type][old_state]; 489 489 + 490 490 + switch (new_state) { 491 491 + case CT_DCCP_REQUEST: 492 492 + if (old_state == CT_DCCP_TIMEWAIT && 493 493 + role == CT_DCCP_ROLE_SERVER) { 494 494 + /* Reincarnation in the reverse direction: reopen and 495 495 + * reverse client/server roles. */ 496 496 + ct->proto.dccp.role[dir] = CT_DCCP_ROLE_CLIENT; 497 497 + ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_SERVER; 498 498 + } 499 499 + break; 500 500 + case CT_DCCP_RESPOND: 501 501 + if (old_state == CT_DCCP_REQUEST) 502 502 + ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh); 503 503 + break; 504 504 + case CT_DCCP_PARTOPEN: 505 505 + if (old_state == CT_DCCP_RESPOND && 506 506 + type == DCCP_PKT_ACK && 507 507 + dccp_ack_seq(dh) == ct->proto.dccp.handshake_seq) 508 508 + set_bit(IPS_ASSURED_BIT, &ct->status); 509 509 + break; 510 510 + case CT_DCCP_IGNORE: 511 511 + /* 512 512 + * Connection tracking might be out of sync, so we ignore 513 513 + * packets that might establish a new connection and resync 514 514 + * if the server responds with a valid Response. 515 515 + */ 516 516 + if (ct->proto.dccp.last_dir == !dir && 517 517 + ct->proto.dccp.last_pkt == DCCP_PKT_REQUEST && 518 518 + type == DCCP_PKT_RESPONSE) { 519 519 + ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_CLIENT; 520 520 + ct->proto.dccp.role[dir] = CT_DCCP_ROLE_SERVER; 521 521 + ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh); 522 522 + new_state = CT_DCCP_RESPOND; 523 523 + break; 524 524 + } 525 525 + ct->proto.dccp.last_dir = dir; 526 526 + ct->proto.dccp.last_pkt = type; 527 527 + 528 528 + write_unlock_bh(&dccp_lock); 529 529 + if (LOG_INVALID(IPPROTO_DCCP)) 530 530 + nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 531 531 + "nf_ct_dccp: invalid packet ignored "); 532 532 + return NF_ACCEPT; 533 533 + case CT_DCCP_INVALID: 534 534 + write_unlock_bh(&dccp_lock); 535 535 + if (LOG_INVALID(IPPROTO_DCCP)) 536 536 + nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 537 537 + "nf_ct_dccp: invalid state transition "); 538 538 + return -NF_ACCEPT; 539 539 + } 540 540 + 541 541 + ct->proto.dccp.last_dir = dir; 542 542 + ct->proto.dccp.last_pkt = type; 543 543 + ct->proto.dccp.state = new_state; 544 544 + write_unlock_bh(&dccp_lock); 545 545 + nf_ct_refresh_acct(ct, ctinfo, skb, dccp_timeout[new_state]); 546 546 + 547 547 + return NF_ACCEPT; 548 548 + } 549 549 + 550 550 + static int dccp_error(struct sk_buff *skb, unsigned int dataoff, 551 551 + enum ip_conntrack_info *ctinfo, int pf, 552 552 + unsigned int hooknum) 553 553 + { 554 554 + struct dccp_hdr _dh, *dh; 555 555 + unsigned int dccp_len = skb->len - dataoff; 556 556 + unsigned int cscov; 557 557 + const char *msg; 558 558 + 559 559 + dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); 560 560 + if (dh == NULL) { 561 561 + msg = "nf_ct_dccp: short packet "; 562 562 + goto out_invalid; 563 563 + } 564 564 + 565 565 + if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) || 566 566 + dh->dccph_doff * 4 > dccp_len) { 567 567 + msg = "nf_ct_dccp: truncated/malformed packet "; 568 568 + goto out_invalid; 569 569 + } 570 570 + 571 571 + cscov = dccp_len; 572 572 + if (dh->dccph_cscov) { 573 573 + cscov = (dh->dccph_cscov - 1) * 4; 574 574 + if (cscov > dccp_len) { 575 575 + msg = "nf_ct_dccp: bad checksum coverage "; 576 576 + goto out_invalid; 577 577 + } 578 578 + } 579 579 + 580 580 + if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING && 581 581 + nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_DCCP, 582 582 + pf)) { 583 583 + msg = "nf_ct_dccp: bad checksum "; 584 584 + goto out_invalid; 585 585 + } 586 586 + 587 587 + if (dh->dccph_type >= DCCP_PKT_INVALID) { 588 588 + msg = "nf_ct_dccp: reserved packet type "; 589 589 + goto out_invalid; 590 590 + } 591 591 + 592 592 + return NF_ACCEPT; 593 593 + 594 594 + out_invalid: 595 595 + if (LOG_INVALID(IPPROTO_DCCP)) 596 596 + nf_log_packet(pf, 0, skb, NULL, NULL, NULL, msg); 597 597 + return -NF_ACCEPT; 598 598 + } 599 599 + 600 600 + static int dccp_print_tuple(struct seq_file *s, 601 601 + const struct nf_conntrack_tuple *tuple) 602 602 + { 603 603 + return seq_printf(s, "sport=%hu dport=%hu ", 604 604 + ntohs(tuple->src.u.dccp.port), 605 605 + ntohs(tuple->dst.u.dccp.port)); 606 606 + } 607 607 + 608 608 + static int dccp_print_conntrack(struct seq_file *s, const struct nf_conn *ct) 609 609 + { 610 610 + return seq_printf(s, "%s ", dccp_state_names[ct->proto.dccp.state]); 611 611 + } 612 612 + 613 613 + #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 614 614 + static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, 615 615 + const struct nf_conn *ct) 616 616 + { 617 617 + struct nlattr *nest_parms; 618 618 + 619 619 + read_lock_bh(&dccp_lock); 620 620 + nest_parms = nla_nest_start(skb, CTA_PROTOINFO_DCCP | NLA_F_NESTED); 621 621 + if (!nest_parms) 622 622 + goto nla_put_failure; 623 623 + NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state); 624 624 + nla_nest_end(skb, nest_parms); 625 625 + read_unlock_bh(&dccp_lock); 626 626 + return 0; 627 627 + 628 628 + nla_put_failure: 629 629 + read_unlock_bh(&dccp_lock); 630 630 + return -1; 631 631 + } 632 632 + 633 633 + static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = { 634 634 + [CTA_PROTOINFO_DCCP_STATE] = { .type = NLA_U8 }, 635 635 + }; 636 636 + 637 637 + static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct) 638 638 + { 639 639 + struct nlattr *attr = cda[CTA_PROTOINFO_DCCP]; 640 640 + struct nlattr *tb[CTA_PROTOINFO_DCCP_MAX + 1]; 641 641 + int err; 642 642 + 643 643 + if (!attr) 644 644 + return 0; 645 645 + 646 646 + err = nla_parse_nested(tb, CTA_PROTOINFO_DCCP_MAX, attr, 647 647 + dccp_nla_policy); 648 648 + if (err < 0) 649 649 + return err; 650 650 + 651 651 + if (!tb[CTA_PROTOINFO_DCCP_STATE] || 652 652 + nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]) >= CT_DCCP_IGNORE) 653 653 + return -EINVAL; 654 654 + 655 655 + write_lock_bh(&dccp_lock); 656 656 + ct->proto.dccp.state = nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]); 657 657 + write_unlock_bh(&dccp_lock); 658 658 + return 0; 659 659 + } 660 660 + #endif 661 661 + 662 662 + #ifdef CONFIG_SYSCTL 663 663 + static unsigned int dccp_sysctl_table_users; 664 664 + static struct ctl_table_header *dccp_sysctl_header; 665 665 + static ctl_table dccp_sysctl_table[] = { 666 666 + { 667 667 + .ctl_name = CTL_UNNUMBERED, 668 668 + .procname = "nf_conntrack_dccp_timeout_request", 669 669 + .data = &dccp_timeout[CT_DCCP_REQUEST], 670 670 + .maxlen = sizeof(unsigned int), 671 671 + .mode = 0644, 672 672 + .proc_handler = proc_dointvec_jiffies, 673 673 + }, 674 674 + { 675 675 + .ctl_name = CTL_UNNUMBERED, 676 676 + .procname = "nf_conntrack_dccp_timeout_respond", 677 677 + .data = &dccp_timeout[CT_DCCP_RESPOND], 678 678 + .maxlen = sizeof(unsigned int), 679 679 + .mode = 0644, 680 680 + .proc_handler = proc_dointvec_jiffies, 681 681 + }, 682 682 + { 683 683 + .ctl_name = CTL_UNNUMBERED, 684 684 + .procname = "nf_conntrack_dccp_timeout_partopen", 685 685 + .data = &dccp_timeout[CT_DCCP_PARTOPEN], 686 686 + .maxlen = sizeof(unsigned int), 687 687 + .mode = 0644, 688 688 + .proc_handler = proc_dointvec_jiffies, 689 689 + }, 690 690 + { 691 691 + .ctl_name = CTL_UNNUMBERED, 692 692 + .procname = "nf_conntrack_dccp_timeout_open", 693 693 + .data = &dccp_timeout[CT_DCCP_OPEN], 694 694 + .maxlen = sizeof(unsigned int), 695 695 + .mode = 0644, 696 696 + .proc_handler = proc_dointvec_jiffies, 697 697 + }, 698 698 + { 699 699 + .ctl_name = CTL_UNNUMBERED, 700 700 + .procname = "nf_conntrack_dccp_timeout_closereq", 701 701 + .data = &dccp_timeout[CT_DCCP_CLOSEREQ], 702 702 + .maxlen = sizeof(unsigned int), 703 703 + .mode = 0644, 704 704 + .proc_handler = proc_dointvec_jiffies, 705 705 + }, 706 706 + { 707 707 + .ctl_name = CTL_UNNUMBERED, 708 708 + .procname = "nf_conntrack_dccp_timeout_closing", 709 709 + .data = &dccp_timeout[CT_DCCP_CLOSING], 710 710 + .maxlen = sizeof(unsigned int), 711 711 + .mode = 0644, 712 712 + .proc_handler = proc_dointvec_jiffies, 713 713 + }, 714 714 + { 715 715 + .ctl_name = CTL_UNNUMBERED, 716 716 + .procname = "nf_conntrack_dccp_timeout_timewait", 717 717 + .data = &dccp_timeout[CT_DCCP_TIMEWAIT], 718 718 + .maxlen = sizeof(unsigned int), 719 719 + .mode = 0644, 720 720 + .proc_handler = proc_dointvec_jiffies, 721 721 + }, 722 722 + { 723 723 + .ctl_name = CTL_UNNUMBERED, 724 724 + .procname = "nf_conntrack_dccp_loose", 725 725 + .data = &nf_ct_dccp_loose, 726 726 + .maxlen = sizeof(nf_ct_dccp_loose), 727 727 + .mode = 0644, 728 728 + .proc_handler = proc_dointvec, 729 729 + }, 730 730 + { 731 731 + .ctl_name = 0, 732 732 + } 733 733 + }; 734 734 + #endif /* CONFIG_SYSCTL */ 735 735 + 736 736 + static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = { 737 737 + .l3proto = AF_INET, 738 738 + .l4proto = IPPROTO_DCCP, 739 739 + .name = "dccp", 740 740 + .pkt_to_tuple = dccp_pkt_to_tuple, 741 741 + .invert_tuple = dccp_invert_tuple, 742 742 + .new = dccp_new, 743 743 + .packet = dccp_packet, 744 744 + .error = dccp_error, 745 745 + .print_tuple = dccp_print_tuple, 746 746 + .print_conntrack = dccp_print_conntrack, 747 747 + #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 748 748 + .to_nlattr = dccp_to_nlattr, 749 749 + .from_nlattr = nlattr_to_dccp, 750 750 + .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 751 751 + .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 752 752 + .nla_policy = nf_ct_port_nla_policy, 753 753 + #endif 754 754 + #ifdef CONFIG_SYSCTL 755 755 + .ctl_table_users = &dccp_sysctl_table_users, 756 756 + .ctl_table_header = &dccp_sysctl_header, 757 757 + .ctl_table = dccp_sysctl_table, 758 758 + #endif 759 759 + }; 760 760 + 761 761 + static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = { 762 762 + .l3proto = AF_INET6, 763 763 + .l4proto = IPPROTO_DCCP, 764 764 + .name = "dccp", 765 765 + .pkt_to_tuple = dccp_pkt_to_tuple, 766 766 + .invert_tuple = dccp_invert_tuple, 767 767 + .new = dccp_new, 768 768 + .packet = dccp_packet, 769 769 + .error = dccp_error, 770 770 + .print_tuple = dccp_print_tuple, 771 771 + .print_conntrack = dccp_print_conntrack, 772 772 + #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 773 773 + .to_nlattr = dccp_to_nlattr, 774 774 + .from_nlattr = nlattr_to_dccp, 775 775 + .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 776 776 + .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 777 777 + .nla_policy = nf_ct_port_nla_policy, 778 778 + #endif 779 779 + #ifdef CONFIG_SYSCTL 780 780 + .ctl_table_users = &dccp_sysctl_table_users, 781 781 + .ctl_table_header = &dccp_sysctl_header, 782 782 + .ctl_table = dccp_sysctl_table, 783 783 + #endif 784 784 + }; 785 785 + 786 786 + static int __init nf_conntrack_proto_dccp_init(void) 787 787 + { 788 788 + int err; 789 789 + 790 790 + err = nf_conntrack_l4proto_register(&dccp_proto4); 791 791 + if (err < 0) 792 792 + goto err1; 793 793 + 794 794 + err = nf_conntrack_l4proto_register(&dccp_proto6); 795 795 + if (err < 0) 796 796 + goto err2; 797 797 + return 0; 798 798 + 799 799 + err2: 800 800 + nf_conntrack_l4proto_unregister(&dccp_proto4); 801 801 + err1: 802 802 + return err; 803 803 + } 804 804 + 805 805 + static void __exit nf_conntrack_proto_dccp_fini(void) 806 806 + { 807 807 + nf_conntrack_l4proto_unregister(&dccp_proto6); 808 808 + nf_conntrack_l4proto_unregister(&dccp_proto4); 809 809 + } 810 810 + 811 811 + module_init(nf_conntrack_proto_dccp_init); 812 812 + module_exit(nf_conntrack_proto_dccp_fini); 813 813 + 814 814 + MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 815 815 + MODULE_DESCRIPTION("DCCP connection tracking protocol helper"); 816 816 + MODULE_LICENSE("GPL");