
netfilter: conntrack: remove DCCP protocol support

The DCCP socket family has now been removed from this tree, see:

8bb3212be4b4 ("Merge branch 'net-retire-dccp-socket'")

Remove connection tracking and NAT support for this protocol, this
should not pose a problem because no DCCP traffic is expected to be seen
on the wire.

As for the code for matching on dccp header for iptables and nftables,
mark it as deprecated and keep it in place. Ruleset restoration is an
atomic operation. Without dccp matching support, an astray match on dccp
could break this operation leaving your computer with no policy in
place, so let's follow a more conservative approach for matches.

Add CONFIG_NFT_EXTHDR_DCCP which is set to 'n' by default to deprecate
dccp extension support. Similarly, label CONFIG_NETFILTER_XT_MATCH_DCCP
as deprecated too and also set it to 'n' by default.

Code to match on DCCP protocol from ebtables also remains in place, this
is just a few checks on IPPROTO_DCCP from _check() path which is
exercised when ruleset is loaded. There is another use of IPPROTO_DCCP
from the _check() path in the iptables multiport match. Another check
for IPPROTO_DCCP from the packet in the reject target is also removed.

So let's schedule removal of the dccp matching for a second stage, this
should not interfere with the dccp retirement since this is only matching
on the dccp header.

Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+16 -1098
-1
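--- a/Documentation/networking/nf_conntrack-sysctl.rst
+++ b/Documentation/networking/nf_conntrack-sysctl.rst
@@ -85,7 +85,6 @@
 	- 1 - log ICMP packets
 	- 6 - log TCP packets
 	- 17 - log UDP packets
-	- 33 - log DCCP packets
 	- 41 - log ICMPv6 packets
 	- 136 - log UDPLITE packets
 	- 255 - log packets of any protocol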
-1
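--- a/arch/arm/configs/omap2plus_defconfig
+++ b/arch/arm/configs/omap2plus_defconfig
@@ -142,7 +142,6 @@
 CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
 CONFIG_NETFILTER_XT_MATCH_CPU=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
 CONFIG_NETFILTER_XT_MATCH_DSCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m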
-1
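--- a/arch/loongarch/configs/loongson3_defconfig
+++ b/arch/loongarch/configs/loongson3_defconfig
@@ -225,7 +225,6 @@
 CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
 CONFIG_NETFILTER_XT_MATCH_CPU=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
 CONFIG_NETFILTER_XT_MATCH_DSCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m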
-1
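--- a/arch/m68k/configs/amiga_defconfig
+++ b/arch/m68k/configs/amiga_defconfig
@@ -85,7 +85,6 @@
 CONFIG_NETFILTER_NETLINK_HOOK=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NF_CT_PROTO_DCCP is not set
 CONFIG_NF_CONNTRACK_AMANDA=m
 CONFIG_NF_CONNTRACK_FTP=m
 CONFIG_NF_CONNTRACK_H323=m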
-1
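--- a/arch/m68k/configs/apollo_defconfig
+++ b/arch/m68k/configs/apollo_defconfig
@@ -81,7 +81,6 @@
 CONFIG_NETFILTER_NETLINK_HOOK=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NF_CT_PROTO_DCCP is not set
 CONFIG_NF_CONNTRACK_AMANDA=m
 CONFIG_NF_CONNTRACK_FTP=m
 CONFIG_NF_CONNTRACK_H323=m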
-1
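--- a/arch/m68k/configs/atari_defconfig
+++ b/arch/m68k/configs/atari_defconfig
@@ -88,7 +88,6 @@
 CONFIG_NETFILTER_NETLINK_HOOK=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NF_CT_PROTO_DCCP is not set
 CONFIG_NF_CONNTRACK_AMANDA=m
 CONFIG_NF_CONNTRACK_FTP=m
 CONFIG_NF_CONNTRACK_H323=m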
-1
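--- a/arch/m68k/configs/bvme6000_defconfig
+++ b/arch/m68k/configs/bvme6000_defconfig
@@ -78,7 +78,6 @@
 CONFIG_NETFILTER_NETLINK_HOOK=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NF_CT_PROTO_DCCP is not set
 CONFIG_NF_CONNTRACK_AMANDA=m
 CONFIG_NF_CONNTRACK_FTP=m
 CONFIG_NF_CONNTRACK_H323=m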
-1
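--- a/arch/m68k/configs/hp300_defconfig
+++ b/arch/m68k/configs/hp300_defconfig
@@ -80,7 +80,6 @@
 CONFIG_NETFILTER_NETLINK_HOOK=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NF_CT_PROTO_DCCP is not set
 CONFIG_NF_CONNTRACK_AMANDA=m
 CONFIG_NF_CONNTRACK_FTP=m
 CONFIG_NF_CONNTRACK_H323=m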
-1
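--- a/arch/m68k/configs/mac_defconfig
+++ b/arch/m68k/configs/mac_defconfig
@@ -79,7 +79,6 @@
 CONFIG_NETFILTER_NETLINK_HOOK=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NF_CT_PROTO_DCCP is not set
 CONFIG_NF_CONNTRACK_AMANDA=m
 CONFIG_NF_CONNTRACK_FTP=m
 CONFIG_NF_CONNTRACK_H323=m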
-1
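--- a/arch/m68k/configs/multi_defconfig
+++ b/arch/m68k/configs/multi_defconfig
@@ -99,7 +99,6 @@
 CONFIG_NETFILTER_NETLINK_HOOK=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NF_CT_PROTO_DCCP is not set
 CONFIG_NF_CONNTRACK_AMANDA=m
 CONFIG_NF_CONNTRACK_FTP=m
 CONFIG_NF_CONNTRACK_H323=m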
-1
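--- a/arch/m68k/configs/mvme147_defconfig
+++ b/arch/m68k/configs/mvme147_defconfig
@@ -77,7 +77,6 @@
 CONFIG_NETFILTER_NETLINK_HOOK=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NF_CT_PROTO_DCCP is not set
 CONFIG_NF_CONNTRACK_AMANDA=m
 CONFIG_NF_CONNTRACK_FTP=m
 CONFIG_NF_CONNTRACK_H323=m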
-1
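--- a/arch/m68k/configs/mvme16x_defconfig
+++ b/arch/m68k/configs/mvme16x_defconfig
@@ -78,7 +78,6 @@
 CONFIG_NETFILTER_NETLINK_HOOK=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NF_CT_PROTO_DCCP is not set
 CONFIG_NF_CONNTRACK_AMANDA=m
 CONFIG_NF_CONNTRACK_FTP=m
 CONFIG_NF_CONNTRACK_H323=m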
-1
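--- a/arch/m68k/configs/q40_defconfig
+++ b/arch/m68k/configs/q40_defconfig
@@ -79,7 +79,6 @@
 CONFIG_NETFILTER_NETLINK_HOOK=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NF_CT_PROTO_DCCP is not set
 CONFIG_NF_CONNTRACK_AMANDA=m
 CONFIG_NF_CONNTRACK_FTP=m
 CONFIG_NF_CONNTRACK_H323=m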
-1
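--- a/arch/m68k/configs/sun3_defconfig
+++ b/arch/m68k/configs/sun3_defconfig
@@ -74,7 +74,6 @@
 CONFIG_NETFILTER_NETLINK_HOOK=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NF_CT_PROTO_DCCP is not set
 CONFIG_NF_CONNTRACK_AMANDA=m
 CONFIG_NF_CONNTRACK_FTP=m
 CONFIG_NF_CONNTRACK_H323=m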
-1
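--- a/arch/m68k/configs/sun3x_defconfig
+++ b/arch/m68k/configs/sun3x_defconfig
@@ -75,7 +75,6 @@
 CONFIG_NETFILTER_NETLINK_HOOK=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NF_CT_PROTO_DCCP is not set
 CONFIG_NF_CONNTRACK_AMANDA=m
 CONFIG_NF_CONNTRACK_FTP=m
 CONFIG_NF_CONNTRACK_H323=m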
-1
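--- a/arch/mips/configs/fuloong2e_defconfig
+++ b/arch/mips/configs/fuloong2e_defconfig
@@ -44,7 +44,6 @@
 CONFIG_NETFILTER_XT_TARGET_TRACE=m
 CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
 CONFIG_NETFILTER_XT_MATCH_COMMENT=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m
 CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
 CONFIG_NETFILTER_XT_MATCH_LENGTH=m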
-1
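--- a/arch/mips/configs/ip22_defconfig
+++ b/arch/mips/configs/ip22_defconfig
@@ -79,7 +79,6 @@
 CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
 CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_DSCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m
 CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m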
-1
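--- a/arch/mips/configs/loongson2k_defconfig
+++ b/arch/mips/configs/loongson2k_defconfig
@@ -52,7 +52,6 @@
 CONFIG_NETFILTER_XT_TARGET_MARK=m
 CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
 CONFIG_NETFILTER_XT_MATCH_COMMENT=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m
 CONFIG_NETFILTER_XT_MATCH_LENGTH=m
 CONFIG_NETFILTER_XT_MATCH_LIMIT=m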
-1
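--- a/arch/mips/configs/loongson3_defconfig
+++ b/arch/mips/configs/loongson3_defconfig
@@ -72,7 +72,6 @@
 CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
 CONFIG_NETFILTER_XT_MATCH_COMMENT=m
 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m
 CONFIG_NETFILTER_XT_MATCH_LENGTH=m
 CONFIG_NETFILTER_XT_MATCH_LIMIT=m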
-1
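--- a/arch/mips/configs/malta_defconfig
+++ b/arch/mips/configs/malta_defconfig
@@ -80,7 +80,6 @@
 CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
 CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m
 CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
 CONFIG_NETFILTER_XT_MATCH_HELPER=m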
-1
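--- a/arch/mips/configs/malta_kvm_defconfig
+++ b/arch/mips/configs/malta_kvm_defconfig
@@ -84,7 +84,6 @@
 CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
 CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m
 CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
 CONFIG_NETFILTER_XT_MATCH_HELPER=m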
-1
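--- a/arch/mips/configs/maltaup_xpa_defconfig
+++ b/arch/mips/configs/maltaup_xpa_defconfig
@@ -82,7 +82,6 @@
 CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
 CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m
 CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
 CONFIG_NETFILTER_XT_MATCH_HELPER=m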
-1
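--- a/arch/mips/configs/rb532_defconfig
+++ b/arch/mips/configs/rb532_defconfig
@@ -56,7 +56,6 @@
 CONFIG_NETFILTER_XT_TARGET_TRACE=m
 CONFIG_NETFILTER_XT_MATCH_COMMENT=m
 CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
 CONFIG_NETFILTER_XT_MATCH_LIMIT=y
 CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y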
-1
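--- a/arch/mips/configs/rm200_defconfig
+++ b/arch/mips/configs/rm200_defconfig
@@ -64,7 +64,6 @@
 CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
 CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_DSCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m
 CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m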
-1
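--- a/arch/powerpc/configs/cell_defconfig
+++ b/arch/powerpc/configs/cell_defconfig
@@ -62,7 +62,6 @@
 CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
 CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
 CONFIG_NETFILTER_XT_MATCH_COMMENT=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_DSCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m
 CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m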
-1
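--- a/arch/s390/configs/debug_defconfig
+++ b/arch/s390/configs/debug_defconfig
@@ -248,7 +248,6 @@
 CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
 CONFIG_NETFILTER_XT_MATCH_CPU=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
 CONFIG_NETFILTER_XT_MATCH_DSCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m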
-1
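--- a/arch/s390/configs/defconfig
+++ b/arch/s390/configs/defconfig
@@ -239,7 +239,6 @@
 CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
 CONFIG_NETFILTER_XT_MATCH_CPU=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
 CONFIG_NETFILTER_XT_MATCH_DSCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m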
-1
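--- a/arch/sh/configs/titan_defconfig
+++ b/arch/sh/configs/titan_defconfig
@@ -61,7 +61,6 @@
 CONFIG_NETFILTER_XT_TARGET_MARK=m
 CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
 CONFIG_NETFILTER_XT_MATCH_COMMENT=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m
 CONFIG_NETFILTER_XT_MATCH_LENGTH=m
 CONFIG_NETFILTER_XT_MATCH_LIMIT=m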
-38
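--- a/include/linux/netfilter/nf_conntrack_dccp.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-#ifndef _NF_CONNTRACK_DCCP_H
-#define _NF_CONNTRACK_DCCP_H
-
-/* Exposed to userspace over nfnetlink */
-enum ct_dccp_states {
-	CT_DCCP_NONE,
-	CT_DCCP_REQUEST,
-	CT_DCCP_RESPOND,
-	CT_DCCP_PARTOPEN,
-	CT_DCCP_OPEN,
-	CT_DCCP_CLOSEREQ,
-	CT_DCCP_CLOSING,
-	CT_DCCP_TIMEWAIT,
-	CT_DCCP_IGNORE,
-	CT_DCCP_INVALID,
-	__CT_DCCP_MAX
-};
-#define CT_DCCP_MAX (__CT_DCCP_MAX - 1)
-
-enum ct_dccp_roles {
-	CT_DCCP_ROLE_CLIENT,
-	CT_DCCP_ROLE_SERVER,
-	__CT_DCCP_ROLE_MAX
-};
-#define CT_DCCP_ROLE_MAX (__CT_DCCP_ROLE_MAX - 1)
-
-#include <linux/netfilter/nf_conntrack_tuple_common.h>
-
-struct nf_ct_dccp {
-	u_int8_t role[IP_CT_DIR_MAX];
-	u_int8_t state;
-	u_int8_t last_pkt;
-	u_int8_t last_dir;
-	u_int64_t handshake_seq;
-};
-
-#endif /* _NF_CONNTRACK_DCCP_H */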
-3
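--- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -13,9 +13,6 @@
 extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp;
 extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp;
 extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
-#ifdef CONFIG_NF_CT_PROTO_DCCP
-extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp;
-#endif
 #ifdef CONFIG_NF_CT_PROTO_SCTP
 extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp;
 #endif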
-2
include/net/netfilter/nf_conntrack.h
··· 18 18 19 19 #include <linux/netfilter/nf_conntrack_common.h> 20 20 #include <linux/netfilter/nf_conntrack_tcp.h> 21 - #include <linux/netfilter/nf_conntrack_dccp.h> 22 21 #include <linux/netfilter/nf_conntrack_sctp.h> 23 22 #include <linux/netfilter/nf_conntrack_proto_gre.h> 24 23 ··· 30 31 /* per conntrack: protocol private data */ 31 32 union nf_conntrack_proto { 32 33 /* insert conntrack proto private data here */ 33 - struct nf_ct_dccp dccp; 34 34 struct ip_ct_sctp sctp; 35 35 struct ip_ct_tcp tcp; 36 36 struct nf_ct_udp udp;
-13
include/net/netfilter/nf_conntrack_l4proto.h
··· 117 117 unsigned int dataoff, 118 118 enum ip_conntrack_info ctinfo, 119 119 const struct nf_hook_state *state); 120 - int nf_conntrack_dccp_packet(struct nf_conn *ct, 121 - struct sk_buff *skb, 122 - unsigned int dataoff, 123 - enum ip_conntrack_info ctinfo, 124 - const struct nf_hook_state *state); 125 120 int nf_conntrack_sctp_packet(struct nf_conn *ct, 126 121 struct sk_buff *skb, 127 122 unsigned int dataoff, ··· 132 137 void nf_conntrack_tcp_init_net(struct net *net); 133 138 void nf_conntrack_udp_init_net(struct net *net); 134 139 void nf_conntrack_gre_init_net(struct net *net); 135 - void nf_conntrack_dccp_init_net(struct net *net); 136 140 void nf_conntrack_sctp_init_net(struct net *net); 137 141 void nf_conntrack_icmp_init_net(struct net *net); 138 142 void nf_conntrack_icmpv6_init_net(struct net *net); ··· 214 220 { 215 221 return ct->proto.tcp.state == TCP_CONNTRACK_ESTABLISHED && 216 222 test_bit(IPS_ASSURED_BIT, &ct->status); 217 - } 218 - #endif 219 - 220 - #ifdef CONFIG_NF_CT_PROTO_DCCP 221 - static inline struct nf_dccp_net *nf_dccp_pernet(struct net *net) 222 - { 223 - return &net->ct.nf_ct_proto.dccp; 224 223 } 225 224 #endif 226 225
-1
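--- a/include/net/netfilter/nf_reject.h
+++ b/include/net/netfilter/nf_reject.h
@@ -34,7 +34,6 @@
 
 	/* Protocols with partial checksums. */
 	case IPPROTO_UDPLITE:
-	case IPPROTO_DCCP:
 		return false;
 	}
 	return true;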
-13
include/net/netns/conntrack.h
··· 7 7 #include <linux/atomic.h> 8 8 #include <linux/workqueue.h> 9 9 #include <linux/netfilter/nf_conntrack_tcp.h> 10 - #ifdef CONFIG_NF_CT_PROTO_DCCP 11 - #include <linux/netfilter/nf_conntrack_dccp.h> 12 - #endif 13 10 #ifdef CONFIG_NF_CT_PROTO_SCTP 14 11 #include <linux/netfilter/nf_conntrack_sctp.h> 15 12 #endif ··· 47 50 unsigned int timeout; 48 51 }; 49 52 50 - #ifdef CONFIG_NF_CT_PROTO_DCCP 51 - struct nf_dccp_net { 52 - u8 dccp_loose; 53 - unsigned int dccp_timeout[CT_DCCP_MAX + 1]; 54 - }; 55 - #endif 56 - 57 53 #ifdef CONFIG_NF_CT_PROTO_SCTP 58 54 struct nf_sctp_net { 59 55 unsigned int timeouts[SCTP_CONNTRACK_MAX]; ··· 72 82 struct nf_udp_net udp; 73 83 struct nf_icmp_net icmp; 74 84 struct nf_icmp_net icmpv6; 75 - #ifdef CONFIG_NF_CT_PROTO_DCCP 76 - struct nf_dccp_net dccp; 77 - #endif 78 85 #ifdef CONFIG_NF_CT_PROTO_SCTP 79 86 struct nf_sctp_net sctp; 80 87 #endif
+8 -12
net/netfilter/Kconfig
··· 195 195 config NF_CONNTRACK_OVS 196 196 bool 197 197 198 - config NF_CT_PROTO_DCCP 199 - bool 'DCCP protocol connection tracking support' 200 - depends on NETFILTER_ADVANCED 201 - default y 202 - help 203 - With this option enabled, the layer 3 independent connection 204 - tracking code will be able to do state tracking on DCCP connections. 205 - 206 - If unsure, say Y. 207 - 208 198 config NF_CT_PROTO_GRE 209 199 bool 210 200 ··· 505 515 help 506 516 This option adds the "ct" expression that you can use to match 507 517 connection tracking information such as the flow state. 518 + 519 + config NFT_EXTHDR_DCCP 520 + bool "Netfilter nf_tables exthdr DCCP support (DEPRECATED)" 521 + default n 522 + help 523 + This option adds support for matching on DCCP extension headers. 508 524 509 525 config NFT_FLOW_OFFLOAD 510 526 depends on NF_CONNTRACK && NF_FLOW_TABLE ··· 1274 1278 To compile it as a module, choose M here. If unsure, say N. 1275 1279 1276 1280 config NETFILTER_XT_MATCH_DCCP 1277 - tristate '"dccp" protocol match support' 1281 + tristate '"dccp" protocol match support (DEPRECATED)' 1278 1282 depends on NETFILTER_ADVANCED 1279 - default IP_DCCP 1283 + default n 1280 1284 help 1281 1285 With this option enabled, you will be able to use the iptables 1282 1286 `dccp' match in order to match on DCCP source/destination ports
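Review bot: The help text of the new NFT_EXTHDR_DCCP option in the second hunk never says that the feature is deprecated or why, so only the prompt suffix carries that information; suggest extending it to `This option adds support for matching on DCCP extension headers. DCCP socket support has been removed from the kernel and this match is scheduled for removal; say N unless an existing ruleset still depends on it.` The NETFILTER_XT_MATCH_DCCP entry in the third hunk has the same gap: its prompt gained "(DEPRECATED)" but the help text still describes the match as if fully supported. `default n` on a bool is the implicit default and can be dropped. The new symbol also carries no `depends on NF_TABLES`; if nft_exthdr.c only consults it inside code that is already built under NF_TABLES this is harmless, but a symbol that can be selected without nf_tables reads oddly in menuconfig.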
-1
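--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -12,7 +12,6 @@
 nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
 nf_conntrack-$(CONFIG_NF_CONNTRACK_LABELS) += nf_conntrack_labels.o
 nf_conntrack-$(CONFIG_NF_CONNTRACK_OVS) += nf_conntrack_ovs.o
-nf_conntrack-$(CONFIG_NF_CT_PROTO_DCCP) += nf_conntrack_proto_dccp.o
 nf_conntrack-$(CONFIG_NF_CT_PROTO_SCTP) += nf_conntrack_proto_sctp.o
 nf_conntrack-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o
 ifeq ($(CONFIG_NF_CONNTRACK),m)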
-8
net/netfilter/nf_conntrack_core.c
··· 329 329 #ifdef CONFIG_NF_CT_PROTO_SCTP 330 330 case IPPROTO_SCTP: 331 331 #endif 332 - #ifdef CONFIG_NF_CT_PROTO_DCCP 333 - case IPPROTO_DCCP: 334 - #endif 335 332 /* fallthrough */ 336 333 return nf_ct_get_tuple_ports(skb, dataoff, tuple); 337 334 default: ··· 1977 1980 #ifdef CONFIG_NF_CT_PROTO_SCTP 1978 1981 case IPPROTO_SCTP: 1979 1982 return nf_conntrack_sctp_packet(ct, skb, dataoff, 1980 - ctinfo, state); 1981 - #endif 1982 - #ifdef CONFIG_NF_CT_PROTO_DCCP 1983 - case IPPROTO_DCCP: 1984 - return nf_conntrack_dccp_packet(ct, skb, dataoff, 1985 1983 ctinfo, state); 1986 1984 #endif 1987 1985 #ifdef CONFIG_NF_CT_PROTO_GRE
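Review bot: In the first hunk the pre-existing `/* fallthrough */` comment that now directly follows the SCTP `#endif` annotates nothing, since the `return nf_ct_get_tuple_ports(...)` line comes right after it; as this hunk already edits that case list, dropping the comment would remove a misleading annotation. Both switch statements start and end outside the hunks. With `case IPPROTO_DCCP:` gone from the tuple-extraction switch, any DCCP segment still seen on the wire presumably takes the `default` branch and is tracked without a port pair, so all DCCP flows between two hosts collapse into whatever the generic handling produces; a sentence in the commit message stating that this is the intended fallback would help anyone later diagnosing ct-state rules against such traffic.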
-1
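--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2036,7 +2036,6 @@
 
 static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
 	[CTA_PROTOINFO_TCP]	= { .type = NLA_NESTED },
-	[CTA_PROTOINFO_DCCP]	= { .type = NLA_NESTED },
 	[CTA_PROTOINFO_SCTP]	= { .type = NLA_NESTED },
 };
 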
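Review bot: Dropping `[CTA_PROTOINFO_DCCP]` from protoinfo_policy leaves that slot zero-initialised, and how a message from an older userspace that still carries the nested DCCP protoinfo is treated then depends on the validation mode of the nla_parse call that consumes this policy, which is outside the hunk. If that parse is strict, a conntrack table restore or state-sync carrying DCCP entries saved on a pre-removal kernel presumably fails the whole request rather than skipping the attribute; if it is liberal, the attribute is silently ignored. Either outcome is defensible, but the commit message does not say which one is intended, and a comment on the policy such as `/* CTA_PROTOINFO_DCCP: protocol support removed, attribute no longer accepted */` plus a note on ctnetlink compatibility in the description would make the choice explicit.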
-6
net/netfilter/nf_conntrack_proto.c
··· 100 100 case IPPROTO_UDP: return &nf_conntrack_l4proto_udp; 101 101 case IPPROTO_TCP: return &nf_conntrack_l4proto_tcp; 102 102 case IPPROTO_ICMP: return &nf_conntrack_l4proto_icmp; 103 - #ifdef CONFIG_NF_CT_PROTO_DCCP 104 - case IPPROTO_DCCP: return &nf_conntrack_l4proto_dccp; 105 - #endif 106 103 #ifdef CONFIG_NF_CT_PROTO_SCTP 107 104 case IPPROTO_SCTP: return &nf_conntrack_l4proto_sctp; 108 105 #endif ··· 677 680 nf_conntrack_icmp_init_net(net); 678 681 #if IS_ENABLED(CONFIG_IPV6) 679 682 nf_conntrack_icmpv6_init_net(net); 680 - #endif 681 - #ifdef CONFIG_NF_CT_PROTO_DCCP 682 - nf_conntrack_dccp_init_net(net); 683 683 #endif 684 684 #ifdef CONFIG_NF_CT_PROTO_SCTP 685 685 nf_conntrack_sctp_init_net(net);
-826
net/netfilter/nf_conntrack_proto_dccp.c
··· 1 - // SPDX-License-Identifier: GPL-2.0-only 2 - /* 3 - * DCCP connection tracking protocol helper 4 - * 5 - * Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net> 6 - */ 7 - #include <linux/kernel.h> 8 - #include <linux/init.h> 9 - #include <linux/sysctl.h> 10 - #include <linux/spinlock.h> 11 - #include <linux/skbuff.h> 12 - #include <linux/dccp.h> 13 - #include <linux/slab.h> 14 - 15 - #include <net/net_namespace.h> 16 - #include <net/netns/generic.h> 17 - 18 - #include <linux/netfilter/nfnetlink_conntrack.h> 19 - #include <net/netfilter/nf_conntrack.h> 20 - #include <net/netfilter/nf_conntrack_l4proto.h> 21 - #include <net/netfilter/nf_conntrack_ecache.h> 22 - #include <net/netfilter/nf_conntrack_timeout.h> 23 - #include <net/netfilter/nf_log.h> 24 - 25 - /* Timeouts are based on values from RFC4340: 26 - * 27 - * - REQUEST: 28 - * 29 - * 8.1.2. Client Request 30 - * 31 - * A client MAY give up on its DCCP-Requests after some time 32 - * (3 minutes, for example). 33 - * 34 - * - RESPOND: 35 - * 36 - * 8.1.3. Server Response 37 - * 38 - * It MAY also leave the RESPOND state for CLOSED after a timeout of 39 - * not less than 4MSL (8 minutes); 40 - * 41 - * - PARTOPEN: 42 - * 43 - * 8.1.5. Handshake Completion 44 - * 45 - * If the client remains in PARTOPEN for more than 4MSL (8 minutes), 46 - * it SHOULD reset the connection with Reset Code 2, "Aborted". 47 - * 48 - * - OPEN: 49 - * 50 - * The DCCP timestamp overflows after 11.9 hours. If the connection 51 - * stays idle this long the sequence number won't be recognized 52 - * as valid anymore. 53 - * 54 - * - CLOSEREQ/CLOSING: 55 - * 56 - * 8.3. Termination 57 - * 58 - * The retransmission timer should initially be set to go off in two 59 - * round-trip times and should back off to not less than once every 60 - * 64 seconds ... 61 - * 62 - * - TIMEWAIT: 63 - * 64 - * 4.3. 
States 65 - * 66 - * A server or client socket remains in this state for 2MSL (4 minutes) 67 - * after the connection has been town down, ... 68 - */ 69 - 70 - #define DCCP_MSL (2 * 60 * HZ) 71 - 72 - #ifdef CONFIG_NF_CONNTRACK_PROCFS 73 - static const char * const dccp_state_names[] = { 74 - [CT_DCCP_NONE] = "NONE", 75 - [CT_DCCP_REQUEST] = "REQUEST", 76 - [CT_DCCP_RESPOND] = "RESPOND", 77 - [CT_DCCP_PARTOPEN] = "PARTOPEN", 78 - [CT_DCCP_OPEN] = "OPEN", 79 - [CT_DCCP_CLOSEREQ] = "CLOSEREQ", 80 - [CT_DCCP_CLOSING] = "CLOSING", 81 - [CT_DCCP_TIMEWAIT] = "TIMEWAIT", 82 - [CT_DCCP_IGNORE] = "IGNORE", 83 - [CT_DCCP_INVALID] = "INVALID", 84 - }; 85 - #endif 86 - 87 - #define sNO CT_DCCP_NONE 88 - #define sRQ CT_DCCP_REQUEST 89 - #define sRS CT_DCCP_RESPOND 90 - #define sPO CT_DCCP_PARTOPEN 91 - #define sOP CT_DCCP_OPEN 92 - #define sCR CT_DCCP_CLOSEREQ 93 - #define sCG CT_DCCP_CLOSING 94 - #define sTW CT_DCCP_TIMEWAIT 95 - #define sIG CT_DCCP_IGNORE 96 - #define sIV CT_DCCP_INVALID 97 - 98 - /* 99 - * DCCP state transition table 100 - * 101 - * The assumption is the same as for TCP tracking: 102 - * 103 - * We are the man in the middle. All the packets go through us but might 104 - * get lost in transit to the destination. It is assumed that the destination 105 - * can't receive segments we haven't seen. 
106 - * 107 - * The following states exist: 108 - * 109 - * NONE: Initial state, expecting Request 110 - * REQUEST: Request seen, waiting for Response from server 111 - * RESPOND: Response from server seen, waiting for Ack from client 112 - * PARTOPEN: Ack after Response seen, waiting for packet other than Response, 113 - * Reset or Sync from server 114 - * OPEN: Packet other than Response, Reset or Sync seen 115 - * CLOSEREQ: CloseReq from server seen, expecting Close from client 116 - * CLOSING: Close seen, expecting Reset 117 - * TIMEWAIT: Reset seen 118 - * IGNORE: Not determinable whether packet is valid 119 - * 120 - * Some states exist only on one side of the connection: REQUEST, RESPOND, 121 - * PARTOPEN, CLOSEREQ. For the other side these states are equivalent to 122 - * the one it was in before. 123 - * 124 - * Packets are marked as ignored (sIG) if we don't know if they're valid 125 - * (for example a reincarnation of a connection we didn't notice is dead 126 - * already) and the server may send back a connection closing Reset or a 127 - * Response. They're also used for Sync/SyncAck packets, which we don't 128 - * care about. 129 - */ 130 - static const u_int8_t 131 - dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = { 132 - [CT_DCCP_ROLE_CLIENT] = { 133 - [DCCP_PKT_REQUEST] = { 134 - /* 135 - * sNO -> sRQ Regular Request 136 - * sRQ -> sRQ Retransmitted Request or reincarnation 137 - * sRS -> sRS Retransmitted Request (apparently Response 138 - * got lost after we saw it) or reincarnation 139 - * sPO -> sIG Ignore, conntrack might be out of sync 140 - * sOP -> sIG Ignore, conntrack might be out of sync 141 - * sCR -> sIG Ignore, conntrack might be out of sync 142 - * sCG -> sIG Ignore, conntrack might be out of sync 143 - * sTW -> sRQ Reincarnation 144 - * 145 - * sNO, sRQ, sRS, sPO. 
sOP, sCR, sCG, sTW, */ 146 - sRQ, sRQ, sRS, sIG, sIG, sIG, sIG, sRQ, 147 - }, 148 - [DCCP_PKT_RESPONSE] = { 149 - /* 150 - * sNO -> sIV Invalid 151 - * sRQ -> sIG Ignore, might be response to ignored Request 152 - * sRS -> sIG Ignore, might be response to ignored Request 153 - * sPO -> sIG Ignore, might be response to ignored Request 154 - * sOP -> sIG Ignore, might be response to ignored Request 155 - * sCR -> sIG Ignore, might be response to ignored Request 156 - * sCG -> sIG Ignore, might be response to ignored Request 157 - * sTW -> sIV Invalid, reincarnation in reverse direction 158 - * goes through sRQ 159 - * 160 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 161 - sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIV, 162 - }, 163 - [DCCP_PKT_ACK] = { 164 - /* 165 - * sNO -> sIV No connection 166 - * sRQ -> sIV No connection 167 - * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.) 168 - * sPO -> sPO Retransmitted Ack for Response, remain in PARTOPEN 169 - * sOP -> sOP Regular ACK, remain in OPEN 170 - * sCR -> sCR Ack in CLOSEREQ MAY be processed (8.3.) 171 - * sCG -> sCG Ack in CLOSING MAY be processed (8.3.) 172 - * sTW -> sIV 173 - * 174 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 175 - sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV 176 - }, 177 - [DCCP_PKT_DATA] = { 178 - /* 179 - * sNO -> sIV No connection 180 - * sRQ -> sIV No connection 181 - * sRS -> sIV No connection 182 - * sPO -> sIV MUST use DataAck in PARTOPEN state (8.1.5.) 183 - * sOP -> sOP Regular Data packet 184 - * sCR -> sCR Data in CLOSEREQ MAY be processed (8.3.) 185 - * sCG -> sCG Data in CLOSING MAY be processed (8.3.) 186 - * sTW -> sIV 187 - * 188 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 189 - sIV, sIV, sIV, sIV, sOP, sCR, sCG, sIV, 190 - }, 191 - [DCCP_PKT_DATAACK] = { 192 - /* 193 - * sNO -> sIV No connection 194 - * sRQ -> sIV No connection 195 - * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.) 
196 - * sPO -> sPO Remain in PARTOPEN state 197 - * sOP -> sOP Regular DataAck packet in OPEN state 198 - * sCR -> sCR DataAck in CLOSEREQ MAY be processed (8.3.) 199 - * sCG -> sCG DataAck in CLOSING MAY be processed (8.3.) 200 - * sTW -> sIV 201 - * 202 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 203 - sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV 204 - }, 205 - [DCCP_PKT_CLOSEREQ] = { 206 - /* 207 - * CLOSEREQ may only be sent by the server. 208 - * 209 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 210 - sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV 211 - }, 212 - [DCCP_PKT_CLOSE] = { 213 - /* 214 - * sNO -> sIV No connection 215 - * sRQ -> sIV No connection 216 - * sRS -> sIV No connection 217 - * sPO -> sCG Client-initiated close 218 - * sOP -> sCG Client-initiated close 219 - * sCR -> sCG Close in response to CloseReq (8.3.) 220 - * sCG -> sCG Retransmit 221 - * sTW -> sIV Late retransmit, already in TIME_WAIT 222 - * 223 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 224 - sIV, sIV, sIV, sCG, sCG, sCG, sIV, sIV 225 - }, 226 - [DCCP_PKT_RESET] = { 227 - /* 228 - * sNO -> sIV No connection 229 - * sRQ -> sTW Sync received or timeout, SHOULD send Reset (8.1.1.) 230 - * sRS -> sTW Response received without Request 231 - * sPO -> sTW Timeout, SHOULD send Reset (8.1.5.) 
232 - * sOP -> sTW Connection reset 233 - * sCR -> sTW Connection reset 234 - * sCG -> sTW Connection reset 235 - * sTW -> sIG Ignore (don't refresh timer) 236 - * 237 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 238 - sIV, sTW, sTW, sTW, sTW, sTW, sTW, sIG 239 - }, 240 - [DCCP_PKT_SYNC] = { 241 - /* 242 - * We currently ignore Sync packets 243 - * 244 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 245 - sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 246 - }, 247 - [DCCP_PKT_SYNCACK] = { 248 - /* 249 - * We currently ignore SyncAck packets 250 - * 251 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 252 - sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 253 - }, 254 - }, 255 - [CT_DCCP_ROLE_SERVER] = { 256 - [DCCP_PKT_REQUEST] = { 257 - /* 258 - * sNO -> sIV Invalid 259 - * sRQ -> sIG Ignore, conntrack might be out of sync 260 - * sRS -> sIG Ignore, conntrack might be out of sync 261 - * sPO -> sIG Ignore, conntrack might be out of sync 262 - * sOP -> sIG Ignore, conntrack might be out of sync 263 - * sCR -> sIG Ignore, conntrack might be out of sync 264 - * sCG -> sIG Ignore, conntrack might be out of sync 265 - * sTW -> sRQ Reincarnation, must reverse roles 266 - * 267 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 268 - sIV, sIG, sIG, sIG, sIG, sIG, sIG, sRQ 269 - }, 270 - [DCCP_PKT_RESPONSE] = { 271 - /* 272 - * sNO -> sIV Response without Request 273 - * sRQ -> sRS Response to clients Request 274 - * sRS -> sRS Retransmitted Response (8.1.3. 
SHOULD NOT) 275 - * sPO -> sIG Response to an ignored Request or late retransmit 276 - * sOP -> sIG Ignore, might be response to ignored Request 277 - * sCR -> sIG Ignore, might be response to ignored Request 278 - * sCG -> sIG Ignore, might be response to ignored Request 279 - * sTW -> sIV Invalid, Request from client in sTW moves to sRQ 280 - * 281 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 282 - sIV, sRS, sRS, sIG, sIG, sIG, sIG, sIV 283 - }, 284 - [DCCP_PKT_ACK] = { 285 - /* 286 - * sNO -> sIV No connection 287 - * sRQ -> sIV No connection 288 - * sRS -> sIV No connection 289 - * sPO -> sOP Enter OPEN state (8.1.5.) 290 - * sOP -> sOP Regular Ack in OPEN state 291 - * sCR -> sIV Waiting for Close from client 292 - * sCG -> sCG Ack in CLOSING MAY be processed (8.3.) 293 - * sTW -> sIV 294 - * 295 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 296 - sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV 297 - }, 298 - [DCCP_PKT_DATA] = { 299 - /* 300 - * sNO -> sIV No connection 301 - * sRQ -> sIV No connection 302 - * sRS -> sIV No connection 303 - * sPO -> sOP Enter OPEN state (8.1.5.) 304 - * sOP -> sOP Regular Data packet in OPEN state 305 - * sCR -> sIV Waiting for Close from client 306 - * sCG -> sCG Data in CLOSING MAY be processed (8.3.) 307 - * sTW -> sIV 308 - * 309 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 310 - sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV 311 - }, 312 - [DCCP_PKT_DATAACK] = { 313 - /* 314 - * sNO -> sIV No connection 315 - * sRQ -> sIV No connection 316 - * sRS -> sIV No connection 317 - * sPO -> sOP Enter OPEN state (8.1.5.) 318 - * sOP -> sOP Regular DataAck in OPEN state 319 - * sCR -> sIV Waiting for Close from client 320 - * sCG -> sCG Data in CLOSING MAY be processed (8.3.) 
321 - * sTW -> sIV 322 - * 323 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 324 - sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV 325 - }, 326 - [DCCP_PKT_CLOSEREQ] = { 327 - /* 328 - * sNO -> sIV No connection 329 - * sRQ -> sIV No connection 330 - * sRS -> sIV No connection 331 - * sPO -> sOP -> sCR Move directly to CLOSEREQ (8.1.5.) 332 - * sOP -> sCR CloseReq in OPEN state 333 - * sCR -> sCR Retransmit 334 - * sCG -> sCR Simultaneous close, client sends another Close 335 - * sTW -> sIV Already closed 336 - * 337 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 338 - sIV, sIV, sIV, sCR, sCR, sCR, sCR, sIV 339 - }, 340 - [DCCP_PKT_CLOSE] = { 341 - /* 342 - * sNO -> sIV No connection 343 - * sRQ -> sIV No connection 344 - * sRS -> sIV No connection 345 - * sPO -> sOP -> sCG Move direcly to CLOSING 346 - * sOP -> sCG Move to CLOSING 347 - * sCR -> sIV Close after CloseReq is invalid 348 - * sCG -> sCG Retransmit 349 - * sTW -> sIV Already closed 350 - * 351 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 352 - sIV, sIV, sIV, sCG, sCG, sIV, sCG, sIV 353 - }, 354 - [DCCP_PKT_RESET] = { 355 - /* 356 - * sNO -> sIV No connection 357 - * sRQ -> sTW Reset in response to Request 358 - * sRS -> sTW Timeout, SHOULD send Reset (8.1.3.) 359 - * sPO -> sTW Timeout, SHOULD send Reset (8.1.3.) 
360 - * sOP -> sTW 361 - * sCR -> sTW 362 - * sCG -> sTW 363 - * sTW -> sIG Ignore (don't refresh timer) 364 - * 365 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW, sTW */ 366 - sIV, sTW, sTW, sTW, sTW, sTW, sTW, sTW, sIG 367 - }, 368 - [DCCP_PKT_SYNC] = { 369 - /* 370 - * We currently ignore Sync packets 371 - * 372 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 373 - sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 374 - }, 375 - [DCCP_PKT_SYNCACK] = { 376 - /* 377 - * We currently ignore SyncAck packets 378 - * 379 - * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 380 - sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 381 - }, 382 - }, 383 - }; 384 - 385 - static noinline bool 386 - dccp_new(struct nf_conn *ct, const struct sk_buff *skb, 387 - const struct dccp_hdr *dh, 388 - const struct nf_hook_state *hook_state) 389 - { 390 - struct net *net = nf_ct_net(ct); 391 - struct nf_dccp_net *dn; 392 - const char *msg; 393 - u_int8_t state; 394 - 395 - state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE]; 396 - switch (state) { 397 - default: 398 - dn = nf_dccp_pernet(net); 399 - if (dn->dccp_loose == 0) { 400 - msg = "not picking up existing connection "; 401 - goto out_invalid; 402 - } 403 - break; 404 - case CT_DCCP_REQUEST: 405 - break; 406 - case CT_DCCP_INVALID: 407 - msg = "invalid state transition "; 408 - goto out_invalid; 409 - } 410 - 411 - ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT; 412 - ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER; 413 - ct->proto.dccp.state = CT_DCCP_NONE; 414 - ct->proto.dccp.last_pkt = DCCP_PKT_REQUEST; 415 - ct->proto.dccp.last_dir = IP_CT_DIR_ORIGINAL; 416 - ct->proto.dccp.handshake_seq = 0; 417 - return true; 418 - 419 - out_invalid: 420 - nf_ct_l4proto_log_invalid(skb, ct, hook_state, "%s", msg); 421 - return false; 422 - } 423 - 424 - static u64 dccp_ack_seq(const struct dccp_hdr *dh) 425 - { 426 - const struct dccp_hdr_ack_bits *dhack; 427 - 428 - dhack = (void *)dh + __dccp_basic_hdr_len(dh); 429 - 
return ((u64)ntohs(dhack->dccph_ack_nr_high) << 32) + 430 - ntohl(dhack->dccph_ack_nr_low); 431 - } 432 - 433 - static bool dccp_error(const struct dccp_hdr *dh, 434 - struct sk_buff *skb, unsigned int dataoff, 435 - const struct nf_hook_state *state) 436 - { 437 - static const unsigned long require_seq48 = 1 << DCCP_PKT_REQUEST | 438 - 1 << DCCP_PKT_RESPONSE | 439 - 1 << DCCP_PKT_CLOSEREQ | 440 - 1 << DCCP_PKT_CLOSE | 441 - 1 << DCCP_PKT_RESET | 442 - 1 << DCCP_PKT_SYNC | 443 - 1 << DCCP_PKT_SYNCACK; 444 - unsigned int dccp_len = skb->len - dataoff; 445 - unsigned int cscov; 446 - const char *msg; 447 - u8 type; 448 - 449 - BUILD_BUG_ON(DCCP_PKT_INVALID >= BITS_PER_LONG); 450 - 451 - if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) || 452 - dh->dccph_doff * 4 > dccp_len) { 453 - msg = "nf_ct_dccp: truncated/malformed packet "; 454 - goto out_invalid; 455 - } 456 - 457 - cscov = dccp_len; 458 - if (dh->dccph_cscov) { 459 - cscov = (dh->dccph_cscov - 1) * 4; 460 - if (cscov > dccp_len) { 461 - msg = "nf_ct_dccp: bad checksum coverage "; 462 - goto out_invalid; 463 - } 464 - } 465 - 466 - if (state->hook == NF_INET_PRE_ROUTING && 467 - state->net->ct.sysctl_checksum && 468 - nf_checksum_partial(skb, state->hook, dataoff, cscov, 469 - IPPROTO_DCCP, state->pf)) { 470 - msg = "nf_ct_dccp: bad checksum "; 471 - goto out_invalid; 472 - } 473 - 474 - type = dh->dccph_type; 475 - if (type >= DCCP_PKT_INVALID) { 476 - msg = "nf_ct_dccp: reserved packet type "; 477 - goto out_invalid; 478 - } 479 - 480 - if (test_bit(type, &require_seq48) && !dh->dccph_x) { 481 - msg = "nf_ct_dccp: type lacks 48bit sequence numbers"; 482 - goto out_invalid; 483 - } 484 - 485 - return false; 486 - out_invalid: 487 - nf_l4proto_log_invalid(skb, state, IPPROTO_DCCP, "%s", msg); 488 - return true; 489 - } 490 - 491 - struct nf_conntrack_dccp_buf { 492 - struct dccp_hdr dh; /* generic header part */ 493 - struct dccp_hdr_ext ext; /* optional depending dh->dccph_x */ 494 - union { /* depends on 
header type */ 495 - struct dccp_hdr_ack_bits ack; 496 - struct dccp_hdr_request req; 497 - struct dccp_hdr_response response; 498 - struct dccp_hdr_reset rst; 499 - } u; 500 - }; 501 - 502 - static struct dccp_hdr * 503 - dccp_header_pointer(const struct sk_buff *skb, int offset, const struct dccp_hdr *dh, 504 - struct nf_conntrack_dccp_buf *buf) 505 - { 506 - unsigned int hdrlen = __dccp_hdr_len(dh); 507 - 508 - if (hdrlen > sizeof(*buf)) 509 - return NULL; 510 - 511 - return skb_header_pointer(skb, offset, hdrlen, buf); 512 - } 513 - 514 - int nf_conntrack_dccp_packet(struct nf_conn *ct, struct sk_buff *skb, 515 - unsigned int dataoff, 516 - enum ip_conntrack_info ctinfo, 517 - const struct nf_hook_state *state) 518 - { 519 - enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 520 - struct nf_conntrack_dccp_buf _dh; 521 - u_int8_t type, old_state, new_state; 522 - enum ct_dccp_roles role; 523 - unsigned int *timeouts; 524 - struct dccp_hdr *dh; 525 - 526 - dh = skb_header_pointer(skb, dataoff, sizeof(*dh), &_dh.dh); 527 - if (!dh) 528 - return -NF_ACCEPT; 529 - 530 - if (dccp_error(dh, skb, dataoff, state)) 531 - return -NF_ACCEPT; 532 - 533 - /* pull again, including possible 48 bit sequences and subtype header */ 534 - dh = dccp_header_pointer(skb, dataoff, dh, &_dh); 535 - if (!dh) 536 - return -NF_ACCEPT; 537 - 538 - type = dh->dccph_type; 539 - if (!nf_ct_is_confirmed(ct) && !dccp_new(ct, skb, dh, state)) 540 - return -NF_ACCEPT; 541 - 542 - if (type == DCCP_PKT_RESET && 543 - !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { 544 - /* Tear down connection immediately if only reply is a RESET */ 545 - nf_ct_kill_acct(ct, ctinfo, skb); 546 - return NF_ACCEPT; 547 - } 548 - 549 - spin_lock_bh(&ct->lock); 550 - 551 - role = ct->proto.dccp.role[dir]; 552 - old_state = ct->proto.dccp.state; 553 - new_state = dccp_state_table[role][type][old_state]; 554 - 555 - switch (new_state) { 556 - case CT_DCCP_REQUEST: 557 - if (old_state == CT_DCCP_TIMEWAIT && 558 - role == 
CT_DCCP_ROLE_SERVER) { 559 - /* Reincarnation in the reverse direction: reopen and 560 - * reverse client/server roles. */ 561 - ct->proto.dccp.role[dir] = CT_DCCP_ROLE_CLIENT; 562 - ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_SERVER; 563 - } 564 - break; 565 - case CT_DCCP_RESPOND: 566 - if (old_state == CT_DCCP_REQUEST) 567 - ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh); 568 - break; 569 - case CT_DCCP_PARTOPEN: 570 - if (old_state == CT_DCCP_RESPOND && 571 - type == DCCP_PKT_ACK && 572 - dccp_ack_seq(dh) == ct->proto.dccp.handshake_seq) 573 - set_bit(IPS_ASSURED_BIT, &ct->status); 574 - break; 575 - case CT_DCCP_IGNORE: 576 - /* 577 - * Connection tracking might be out of sync, so we ignore 578 - * packets that might establish a new connection and resync 579 - * if the server responds with a valid Response. 580 - */ 581 - if (ct->proto.dccp.last_dir == !dir && 582 - ct->proto.dccp.last_pkt == DCCP_PKT_REQUEST && 583 - type == DCCP_PKT_RESPONSE) { 584 - ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_CLIENT; 585 - ct->proto.dccp.role[dir] = CT_DCCP_ROLE_SERVER; 586 - ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh); 587 - new_state = CT_DCCP_RESPOND; 588 - break; 589 - } 590 - ct->proto.dccp.last_dir = dir; 591 - ct->proto.dccp.last_pkt = type; 592 - 593 - spin_unlock_bh(&ct->lock); 594 - nf_ct_l4proto_log_invalid(skb, ct, state, "%s", "invalid packet"); 595 - return NF_ACCEPT; 596 - case CT_DCCP_INVALID: 597 - spin_unlock_bh(&ct->lock); 598 - nf_ct_l4proto_log_invalid(skb, ct, state, "%s", "invalid state transition"); 599 - return -NF_ACCEPT; 600 - } 601 - 602 - ct->proto.dccp.last_dir = dir; 603 - ct->proto.dccp.last_pkt = type; 604 - ct->proto.dccp.state = new_state; 605 - spin_unlock_bh(&ct->lock); 606 - 607 - if (new_state != old_state) 608 - nf_conntrack_event_cache(IPCT_PROTOINFO, ct); 609 - 610 - timeouts = nf_ct_timeout_lookup(ct); 611 - if (!timeouts) 612 - timeouts = nf_dccp_pernet(nf_ct_net(ct))->dccp_timeout; 613 - nf_ct_refresh_acct(ct, ctinfo, skb, 
timeouts[new_state]); 614 - 615 - return NF_ACCEPT; 616 - } 617 - 618 - static bool dccp_can_early_drop(const struct nf_conn *ct) 619 - { 620 - switch (ct->proto.dccp.state) { 621 - case CT_DCCP_CLOSEREQ: 622 - case CT_DCCP_CLOSING: 623 - case CT_DCCP_TIMEWAIT: 624 - return true; 625 - default: 626 - break; 627 - } 628 - 629 - return false; 630 - } 631 - 632 - #ifdef CONFIG_NF_CONNTRACK_PROCFS 633 - static void dccp_print_conntrack(struct seq_file *s, struct nf_conn *ct) 634 - { 635 - seq_printf(s, "%s ", dccp_state_names[ct->proto.dccp.state]); 636 - } 637 - #endif 638 - 639 - #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 640 - static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, 641 - struct nf_conn *ct, bool destroy) 642 - { 643 - struct nlattr *nest_parms; 644 - 645 - spin_lock_bh(&ct->lock); 646 - nest_parms = nla_nest_start(skb, CTA_PROTOINFO_DCCP); 647 - if (!nest_parms) 648 - goto nla_put_failure; 649 - if (nla_put_u8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state)) 650 - goto nla_put_failure; 651 - 652 - if (destroy) 653 - goto skip_state; 654 - 655 - if (nla_put_u8(skb, CTA_PROTOINFO_DCCP_ROLE, 656 - ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]) || 657 - nla_put_be64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ, 658 - cpu_to_be64(ct->proto.dccp.handshake_seq), 659 - CTA_PROTOINFO_DCCP_PAD)) 660 - goto nla_put_failure; 661 - skip_state: 662 - nla_nest_end(skb, nest_parms); 663 - spin_unlock_bh(&ct->lock); 664 - 665 - return 0; 666 - 667 - nla_put_failure: 668 - spin_unlock_bh(&ct->lock); 669 - return -1; 670 - } 671 - 672 - static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = { 673 - [CTA_PROTOINFO_DCCP_STATE] = { .type = NLA_U8 }, 674 - [CTA_PROTOINFO_DCCP_ROLE] = { .type = NLA_U8 }, 675 - [CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ] = { .type = NLA_U64 }, 676 - [CTA_PROTOINFO_DCCP_PAD] = { .type = NLA_UNSPEC }, 677 - }; 678 - 679 - #define DCCP_NLATTR_SIZE ( \ 680 - NLA_ALIGN(NLA_HDRLEN + 1) + \ 681 - NLA_ALIGN(NLA_HDRLEN + 1) + \ 682 - 
NLA_ALIGN(NLA_HDRLEN + sizeof(u64)) + \ 683 - NLA_ALIGN(NLA_HDRLEN + 0)) 684 - 685 - static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct) 686 - { 687 - struct nlattr *attr = cda[CTA_PROTOINFO_DCCP]; 688 - struct nlattr *tb[CTA_PROTOINFO_DCCP_MAX + 1]; 689 - int err; 690 - 691 - if (!attr) 692 - return 0; 693 - 694 - err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_DCCP_MAX, attr, 695 - dccp_nla_policy, NULL); 696 - if (err < 0) 697 - return err; 698 - 699 - if (!tb[CTA_PROTOINFO_DCCP_STATE] || 700 - !tb[CTA_PROTOINFO_DCCP_ROLE] || 701 - nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) > CT_DCCP_ROLE_MAX || 702 - nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]) >= CT_DCCP_IGNORE) { 703 - return -EINVAL; 704 - } 705 - 706 - spin_lock_bh(&ct->lock); 707 - ct->proto.dccp.state = nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]); 708 - if (nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) == CT_DCCP_ROLE_CLIENT) { 709 - ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT; 710 - ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER; 711 - } else { 712 - ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_SERVER; 713 - ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_CLIENT; 714 - } 715 - if (tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]) { 716 - ct->proto.dccp.handshake_seq = 717 - be64_to_cpu(nla_get_be64(tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ])); 718 - } 719 - spin_unlock_bh(&ct->lock); 720 - return 0; 721 - } 722 - #endif 723 - 724 - #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 725 - 726 - #include <linux/netfilter/nfnetlink.h> 727 - #include <linux/netfilter/nfnetlink_cttimeout.h> 728 - 729 - static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[], 730 - struct net *net, void *data) 731 - { 732 - struct nf_dccp_net *dn = nf_dccp_pernet(net); 733 - unsigned int *timeouts = data; 734 - int i; 735 - 736 - if (!timeouts) 737 - timeouts = dn->dccp_timeout; 738 - 739 - /* set default DCCP timeouts. 
*/ 740 - for (i=0; i<CT_DCCP_MAX; i++) 741 - timeouts[i] = dn->dccp_timeout[i]; 742 - 743 - /* there's a 1:1 mapping between attributes and protocol states. */ 744 - for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++) { 745 - if (tb[i]) { 746 - timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ; 747 - } 748 - } 749 - 750 - timeouts[CTA_TIMEOUT_DCCP_UNSPEC] = timeouts[CTA_TIMEOUT_DCCP_REQUEST]; 751 - return 0; 752 - } 753 - 754 - static int 755 - dccp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data) 756 - { 757 - const unsigned int *timeouts = data; 758 - int i; 759 - 760 - for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++) { 761 - if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ))) 762 - goto nla_put_failure; 763 - } 764 - return 0; 765 - 766 - nla_put_failure: 767 - return -ENOSPC; 768 - } 769 - 770 - static const struct nla_policy 771 - dccp_timeout_nla_policy[CTA_TIMEOUT_DCCP_MAX+1] = { 772 - [CTA_TIMEOUT_DCCP_REQUEST] = { .type = NLA_U32 }, 773 - [CTA_TIMEOUT_DCCP_RESPOND] = { .type = NLA_U32 }, 774 - [CTA_TIMEOUT_DCCP_PARTOPEN] = { .type = NLA_U32 }, 775 - [CTA_TIMEOUT_DCCP_OPEN] = { .type = NLA_U32 }, 776 - [CTA_TIMEOUT_DCCP_CLOSEREQ] = { .type = NLA_U32 }, 777 - [CTA_TIMEOUT_DCCP_CLOSING] = { .type = NLA_U32 }, 778 - [CTA_TIMEOUT_DCCP_TIMEWAIT] = { .type = NLA_U32 }, 779 - }; 780 - #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 781 - 782 - void nf_conntrack_dccp_init_net(struct net *net) 783 - { 784 - struct nf_dccp_net *dn = nf_dccp_pernet(net); 785 - 786 - /* default values */ 787 - dn->dccp_loose = 1; 788 - dn->dccp_timeout[CT_DCCP_REQUEST] = 2 * DCCP_MSL; 789 - dn->dccp_timeout[CT_DCCP_RESPOND] = 4 * DCCP_MSL; 790 - dn->dccp_timeout[CT_DCCP_PARTOPEN] = 4 * DCCP_MSL; 791 - dn->dccp_timeout[CT_DCCP_OPEN] = 12 * 3600 * HZ; 792 - dn->dccp_timeout[CT_DCCP_CLOSEREQ] = 64 * HZ; 793 - dn->dccp_timeout[CT_DCCP_CLOSING] = 64 * HZ; 794 - dn->dccp_timeout[CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL; 795 - 796 - /* timeouts[0] is unused, make it same 
as SYN_SENT so 797 - * ->timeouts[0] contains 'new' timeout, like udp or icmp. 798 - */ 799 - dn->dccp_timeout[CT_DCCP_NONE] = dn->dccp_timeout[CT_DCCP_REQUEST]; 800 - } 801 - 802 - const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp = { 803 - .l4proto = IPPROTO_DCCP, 804 - .can_early_drop = dccp_can_early_drop, 805 - #ifdef CONFIG_NF_CONNTRACK_PROCFS 806 - .print_conntrack = dccp_print_conntrack, 807 - #endif 808 - #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 809 - .nlattr_size = DCCP_NLATTR_SIZE, 810 - .to_nlattr = dccp_to_nlattr, 811 - .from_nlattr = nlattr_to_dccp, 812 - .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 813 - .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 814 - .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 815 - .nla_policy = nf_ct_port_nla_policy, 816 - #endif 817 - #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 818 - .ctnl_timeout = { 819 - .nlattr_to_obj = dccp_timeout_nlattr_to_obj, 820 - .obj_to_nlattr = dccp_timeout_obj_to_nlattr, 821 - .nlattr_max = CTA_TIMEOUT_DCCP_MAX, 822 - .obj_size = sizeof(unsigned int) * CT_DCCP_MAX, 823 - .nla_policy = dccp_timeout_nla_policy, 824 - }, 825 - #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 826 - };
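--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -67,11 +67,6 @@
 ntohs(tuple->dst.u.udp.port));
 
 break;
-case IPPROTO_DCCP:
-seq_printf(s, "sport=%hu dport=%hu ",
-ntohs(tuple->src.u.dccp.port),
-ntohs(tuple->dst.u.dccp.port));
-break;
 case IPPROTO_SCTP:
 seq_printf(s, "sport=%hu dport=%hu ",
 ntohs(tuple->src.u.sctp.port),
@@ -274,7 +269,6 @@
 case IPPROTO_ICMP: return "icmp";
 case IPPROTO_TCP: return "tcp";
 case IPPROTO_UDP: return "udp";
-case IPPROTO_DCCP: return "dccp";
 case IPPROTO_GRE: return "gre";
 case IPPROTO_SCTP: return "sctp";
 case IPPROTO_UDPLITE: return "udplite";
@@ -606,16 +600,6 @@
 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT,
 #endif
-#ifdef CONFIG_NF_CT_PROTO_DCCP
-NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST,
-NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND,
-NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN,
-NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN,
-NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ,
-NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING,
-NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT,
-NF_SYSCTL_CT_PROTO_DCCP_LOOSE,
-#endif
 #ifdef CONFIG_NF_CT_PROTO_GRE
 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE,
 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM,
@@ -879,58 +863,6 @@
 .proc_handler = proc_dointvec_jiffies,
 },
 #endif
-#ifdef CONFIG_NF_CT_PROTO_DCCP
-[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = {
-.procname = "nf_conntrack_dccp_timeout_request",
-.maxlen = sizeof(unsigned int),
-.mode = 0644,
-.proc_handler = proc_dointvec_jiffies,
-},
-[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND] = {
-.procname = "nf_conntrack_dccp_timeout_respond",
-.maxlen = sizeof(unsigned int),
-.mode = 0644,
-.proc_handler = proc_dointvec_jiffies,
-},
-[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN] = {
-.procname = "nf_conntrack_dccp_timeout_partopen",
-.maxlen = sizeof(unsigned int),
-.mode = 0644,
-.proc_handler = proc_dointvec_jiffies,
-},
-[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN] = {
-.procname = "nf_conntrack_dccp_timeout_open",
-.maxlen = sizeof(unsigned int),
-.mode = 0644,
-.proc_handler = proc_dointvec_jiffies,
-},
-[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ] = {
-.procname = "nf_conntrack_dccp_timeout_closereq",
-.maxlen = sizeof(unsigned int),
-.mode = 0644,
-.proc_handler = proc_dointvec_jiffies,
-},
-[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING] = {
-.procname = "nf_conntrack_dccp_timeout_closing",
-.maxlen = sizeof(unsigned int),
-.mode = 0644,
-.proc_handler = proc_dointvec_jiffies,
-},
-[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT] = {
-.procname = "nf_conntrack_dccp_timeout_timewait",
-.maxlen = sizeof(unsigned int),
-.mode = 0644,
-.proc_handler = proc_dointvec_jiffies,
-},
-[NF_SYSCTL_CT_PROTO_DCCP_LOOSE] = {
-.procname = "nf_conntrack_dccp_loose",
-.maxlen = sizeof(u8),
-.mode = 0644,
-.proc_handler = proc_dou8vec_minmax,
-.extra1 = SYSCTL_ZERO,
-.extra2 = SYSCTL_ONE,
-},
-#endif
 #ifdef CONFIG_NF_CT_PROTO_GRE
 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = {
 .procname = "nf_conntrack_gre_timeout",
@@ -964,29 +896,6 @@
 #endif
 }
 
-static void nf_conntrack_standalone_init_dccp_sysctl(struct net *net,
-struct ctl_table *table)
-{
-#ifdef CONFIG_NF_CT_PROTO_DCCP
-struct nf_dccp_net *dn = nf_dccp_pernet(net);
-
-#define XASSIGN(XNAME, dn) \
-table[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_ ## XNAME].data = \
-&(dn)->dccp_timeout[CT_DCCP_ ## XNAME]
-
-XASSIGN(REQUEST, dn);
-XASSIGN(RESPOND, dn);
-XASSIGN(PARTOPEN, dn);
-XASSIGN(OPEN, dn);
-XASSIGN(CLOSEREQ, dn);
-XASSIGN(CLOSING, dn);
-XASSIGN(TIMEWAIT, dn);
-#undef XASSIGN
-
-table[NF_SYSCTL_CT_PROTO_DCCP_LOOSE].data = &dn->dccp_loose;
-#endif
-}
-
 static void nf_conntrack_standalone_init_gre_sysctl(struct net *net,
 struct ctl_table *table)
 {
@@ -1009,7 +918,6 @@
 
 nf_conntrack_standalone_init_tcp_sysctl(net, table);
 nf_conntrack_standalone_init_sctp_sysctl(net, table);
-nf_conntrack_standalone_init_dccp_sysctl(net, table);
 nf_conntrack_standalone_init_gre_sysctl(net, table);
 
 /* Don't allow non-init_net ns to alter global sysctls */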
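--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -69,7 +69,6 @@
 if (t->dst.protonum == IPPROTO_TCP ||
 t->dst.protonum == IPPROTO_UDP ||
 t->dst.protonum == IPPROTO_UDPLITE ||
-t->dst.protonum == IPPROTO_DCCP ||
 t->dst.protonum == IPPROTO_SCTP)
 fl4->fl4_dport = t->dst.u.all;
 }
@@ -80,7 +79,6 @@
 if (t->dst.protonum == IPPROTO_TCP ||
 t->dst.protonum == IPPROTO_UDP ||
 t->dst.protonum == IPPROTO_UDPLITE ||
-t->dst.protonum == IPPROTO_DCCP ||
 t->dst.protonum == IPPROTO_SCTP)
 fl4->fl4_sport = t->src.u.all;
 }
@@ -100,7 +98,6 @@
 if (t->dst.protonum == IPPROTO_TCP ||
 t->dst.protonum == IPPROTO_UDP ||
 t->dst.protonum == IPPROTO_UDPLITE ||
-t->dst.protonum == IPPROTO_DCCP ||
 t->dst.protonum == IPPROTO_SCTP)
 fl6->fl6_dport = t->dst.u.all;
 }
@@ -111,7 +108,6 @@
 if (t->dst.protonum == IPPROTO_TCP ||
 t->dst.protonum == IPPROTO_UDP ||
 t->dst.protonum == IPPROTO_UDPLITE ||
-t->dst.protonum == IPPROTO_DCCP ||
 t->dst.protonum == IPPROTO_SCTP)
 fl6->fl6_sport = t->src.u.all;
 }
@@ -428,7 +424,6 @@
 case IPPROTO_TCP:
 case IPPROTO_UDP:
 case IPPROTO_UDPLITE:
-case IPPROTO_DCCP:
 case IPPROTO_SCTP:
 if (maniptype == NF_NAT_MANIP_SRC)
 port = tuple->src.u.all;
@@ -627,7 +622,6 @@
 case IPPROTO_UDPLITE:
 case IPPROTO_TCP:
 case IPPROTO_SCTP:
-case IPPROTO_DCCP:
 if (maniptype == NF_NAT_MANIP_SRC)
 keyptr = &tuple->src.u.all;
 else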
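--- a/net/netfilter/nf_nat_proto.c
+++ b/net/netfilter/nf_nat_proto.c
@@ -180,46 +180,6 @@
 }
 
 static bool
-dccp_manip_pkt(struct sk_buff *skb,
-unsigned int iphdroff, unsigned int hdroff,
-const struct nf_conntrack_tuple *tuple,
-enum nf_nat_manip_type maniptype)
-{
-#ifdef CONFIG_NF_CT_PROTO_DCCP
-struct dccp_hdr *hdr;
-__be16 *portptr, oldport, newport;
-int hdrsize = 8; /* DCCP connection tracking guarantees this much */
-
-if (skb->len >= hdroff + sizeof(struct dccp_hdr))
-hdrsize = sizeof(struct dccp_hdr);
-
-if (skb_ensure_writable(skb, hdroff + hdrsize))
-return false;
-
-hdr = (struct dccp_hdr *)(skb->data + hdroff);
-
-if (maniptype == NF_NAT_MANIP_SRC) {
-newport = tuple->src.u.dccp.port;
-portptr = &hdr->dccph_sport;
-} else {
-newport = tuple->dst.u.dccp.port;
-portptr = &hdr->dccph_dport;
-}
-
-oldport = *portptr;
-*portptr = newport;
-
-if (hdrsize < sizeof(*hdr))
-return true;
-
-nf_csum_update(skb, iphdroff, &hdr->dccph_checksum, tuple, maniptype);
-inet_proto_csum_replace2(&hdr->dccph_checksum, skb, oldport, newport,
-false);
-#endif
-return true;
-}
-
-static bool
 icmp_manip_pkt(struct sk_buff *skb,
 unsigned int iphdroff, unsigned int hdroff,
 const struct nf_conntrack_tuple *tuple,
@@ -298,9 +258,6 @@
 case IPPROTO_ICMPV6:
 return icmpv6_manip_pkt(skb, iphdroff, hdroff,
 tuple, maniptype);
-case IPPROTO_DCCP:
-return dccp_manip_pkt(skb, iphdroff, hdroff,
-tuple, maniptype);
 case IPPROTO_GRE:
 return gre_manip_pkt(skb, iphdroff, hdroff,
 tuple, maniptype);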
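--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -407,6 +407,7 @@
 regs->verdict.code = NFT_BREAK;
 }
 
+#ifdef CONFIG_NFT_EXTHDR_DCCP
 static void nft_exthdr_dccp_eval(const struct nft_expr *expr,
 struct nft_regs *regs,
 const struct nft_pktinfo *pkt)
@@ -483,6 +484,7 @@
 err:
 *dest = 0;
 }
+#endif
 
 static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
 [NFTA_EXTHDR_DREG] = { .type = NLA_U32 },
@@ -636,6 +638,7 @@
 return 0;
 }
 
+#ifdef CONFIG_NFT_EXTHDR_DCCP
 static int nft_exthdr_dccp_init(const struct nft_ctx *ctx,
 const struct nft_expr *expr,
 const struct nlattr * const tb[])
@@ -652,5 +655,6 @@
 
 return 0;
 }
+#endif
 
 static int nft_exthdr_dump_common(struct sk_buff *skb, const struct nft_exthdr *priv)
@@ -783,6 +787,7 @@
 .reduce = nft_exthdr_reduce,
 };
 
+#ifdef CONFIG_NFT_EXTHDR_DCCP
 static const struct nft_expr_ops nft_exthdr_dccp_ops = {
 .type = &nft_exthdr_type,
 .size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
@@ -792,6 +797,7 @@
 .dump = nft_exthdr_dump,
 .reduce = nft_exthdr_reduce,
 };
+#endif
 
 static const struct nft_expr_ops *
 nft_exthdr_select_ops(const struct nft_ctx *ctx,
@@ -828,10 +834,12 @@
 if (tb[NFTA_EXTHDR_DREG])
 return &nft_exthdr_sctp_ops;
 break;
+#ifdef CONFIG_NFT_EXTHDR_DCCP
 case NFT_EXTHDR_OP_DCCP:
 if (tb[NFTA_EXTHDR_DREG])
 return &nft_exthdr_dccp_ops;
 break;
+#endif
 }
 
 return ERR_PTR(-EOPNOTSUPP);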