1/* 2 * Connection tracking protocol helper module for SCTP. 3 * 4 * SCTP is defined in RFC 2960. References to various sections in this code 5 * are to this RFC. 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 as 9 * published by the Free Software Foundation. 10 */ 11 12#include <linux/types.h> 13#include <linux/timer.h> 14#include <linux/netfilter.h> 15#include <linux/module.h> 16#include <linux/in.h> 17#include <linux/ip.h> 18#include <linux/sctp.h> 19#include <linux/string.h> 20#include <linux/seq_file.h> 21#include <linux/spinlock.h> 22#include <linux/interrupt.h> 23 24#include <net/netfilter/nf_conntrack.h> 25#include <net/netfilter/nf_conntrack_l4proto.h> 26#include <net/netfilter/nf_conntrack_ecache.h> 27 28 29static const char *const sctp_conntrack_names[] = { 30 "NONE", 31 "CLOSED", 32 "COOKIE_WAIT", 33 "COOKIE_ECHOED", 34 "ESTABLISHED", 35 "SHUTDOWN_SENT", 36 "SHUTDOWN_RECD", 37 "SHUTDOWN_ACK_SENT", 38}; 39 40#define SECS * HZ 41#define MINS * 60 SECS 42#define HOURS * 60 MINS 43#define DAYS * 24 HOURS 44 45static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = { 46 [SCTP_CONNTRACK_CLOSED] = 10 SECS, 47 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS, 48 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS, 49 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS, 50 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000, 51 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000, 52 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS, 53}; 54 55#define sNO SCTP_CONNTRACK_NONE 56#define sCL SCTP_CONNTRACK_CLOSED 57#define sCW SCTP_CONNTRACK_COOKIE_WAIT 58#define sCE SCTP_CONNTRACK_COOKIE_ECHOED 59#define sES SCTP_CONNTRACK_ESTABLISHED 60#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT 61#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD 62#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT 63#define sIV SCTP_CONNTRACK_MAX 64 65/* 66 These are the descriptions of the states: 67 68NOTE: These state names are tantalizingly similar to the states of an 69SCTP endpoint. But the interpretation of the states is a little different, 70considering that these are the states of the connection and not of an end 71point. Please note the subtleties. -Kiran 72 73NONE - Nothing so far. 74COOKIE WAIT - We have seen an INIT chunk in the original direction, or also 75 an INIT_ACK chunk in the reply direction. 76COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. 77ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. 78SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. 79SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin. 80SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite 81 to that of the SHUTDOWN chunk. 82CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of 83 the SHUTDOWN chunk. Connection is closed. 84*/ 85 86/* TODO 87 - I have assumed that the first INIT is in the original direction. 88 This messes things when an INIT comes in the reply direction in CLOSED 89 state. 90 - Check the error type in the reply dir before transitioning from 91cookie echoed to closed. 92 - Sec 5.2.4 of RFC 2960 93 - Multi Homing support. 94*/ 95 96/* SCTP conntrack state transitions */ 97static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = { 98 { 99/* ORIGINAL */ 100/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */ 101/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA}, 102/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA}, 103/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, 104/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA}, 105/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA}, 106/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant have Stale cookie*/ 107/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA},/* 5.2.4 - Big TODO */ 108/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in orig dir */ 109/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL} 110 }, 111 { 112/* REPLY */ 113/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */ 114/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* INIT in sCL Big TODO */ 115/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA}, 116/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, 117/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA}, 118/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA}, 119/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA}, 120/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in reply dir */ 121/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA}, 122/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL} 123 } 124}; 125 126static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff, 127 struct nf_conntrack_tuple *tuple) 128{ 129 const struct sctphdr *hp; 130 struct sctphdr _hdr; 131 132 /* Actually only need first 8 bytes. */ 133 hp = skb_header_pointer(skb, dataoff, 8, &_hdr); 134 if (hp == NULL) 135 return false; 136 137 tuple->src.u.sctp.port = hp->source; 138 tuple->dst.u.sctp.port = hp->dest; 139 return true; 140} 141 142static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple, 143 const struct nf_conntrack_tuple *orig) 144{ 145 tuple->src.u.sctp.port = orig->dst.u.sctp.port; 146 tuple->dst.u.sctp.port = orig->src.u.sctp.port; 147 return true; 148} 149 150/* Print out the per-protocol part of the tuple. */ 151static int sctp_print_tuple(struct seq_file *s, 152 const struct nf_conntrack_tuple *tuple) 153{ 154 return seq_printf(s, "sport=%hu dport=%hu ", 155 ntohs(tuple->src.u.sctp.port), 156 ntohs(tuple->dst.u.sctp.port)); 157} 158 159/* Print out the private part of the conntrack. */ 160static int sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) 161{ 162 enum sctp_conntrack state; 163 164 spin_lock_bh(&ct->lock); 165 state = ct->proto.sctp.state; 166 spin_unlock_bh(&ct->lock); 167 168 return seq_printf(s, "%s ", sctp_conntrack_names[state]); 169} 170 171#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ 172for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \ 173 (offset) < (skb)->len && \ 174 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ 175 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) 176 177/* Some validity checks to make sure the chunks are fine */ 178static int do_basic_checks(struct nf_conn *ct, 179 const struct sk_buff *skb, 180 unsigned int dataoff, 181 unsigned long *map) 182{ 183 u_int32_t offset, count; 184 sctp_chunkhdr_t _sch, *sch; 185 int flag; 186 187 flag = 0; 188 189 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 190 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type); 191 192 if (sch->type == SCTP_CID_INIT || 193 sch->type == SCTP_CID_INIT_ACK || 194 sch->type == SCTP_CID_SHUTDOWN_COMPLETE) 195 flag = 1; 196 197 /* 198 * Cookie Ack/Echo chunks not the first OR 199 * Init / Init Ack / Shutdown compl chunks not the only chunks 200 * OR zero-length. 201 */ 202 if (((sch->type == SCTP_CID_COOKIE_ACK || 203 sch->type == SCTP_CID_COOKIE_ECHO || 204 flag) && 205 count != 0) || !sch->length) { 206 pr_debug("Basic checks failed\n"); 207 return 1; 208 } 209 210 if (map) 211 set_bit(sch->type, map); 212 } 213 214 pr_debug("Basic checks passed\n"); 215 return count == 0; 216} 217 218static int sctp_new_state(enum ip_conntrack_dir dir, 219 enum sctp_conntrack cur_state, 220 int chunk_type) 221{ 222 int i; 223 224 pr_debug("Chunk type: %d\n", chunk_type); 225 226 switch (chunk_type) { 227 case SCTP_CID_INIT: 228 pr_debug("SCTP_CID_INIT\n"); 229 i = 0; 230 break; 231 case SCTP_CID_INIT_ACK: 232 pr_debug("SCTP_CID_INIT_ACK\n"); 233 i = 1; 234 break; 235 case SCTP_CID_ABORT: 236 pr_debug("SCTP_CID_ABORT\n"); 237 i = 2; 238 break; 239 case SCTP_CID_SHUTDOWN: 240 pr_debug("SCTP_CID_SHUTDOWN\n"); 241 i = 3; 242 break; 243 case SCTP_CID_SHUTDOWN_ACK: 244 pr_debug("SCTP_CID_SHUTDOWN_ACK\n"); 245 i = 4; 246 break; 247 case SCTP_CID_ERROR: 248 pr_debug("SCTP_CID_ERROR\n"); 249 i = 5; 250 break; 251 case SCTP_CID_COOKIE_ECHO: 252 pr_debug("SCTP_CID_COOKIE_ECHO\n"); 253 i = 6; 254 break; 255 case SCTP_CID_COOKIE_ACK: 256 pr_debug("SCTP_CID_COOKIE_ACK\n"); 257 i = 7; 258 break; 259 case SCTP_CID_SHUTDOWN_COMPLETE: 260 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n"); 261 i = 8; 262 break; 263 default: 264 /* Other chunks like DATA, SACK, HEARTBEAT and 265 its ACK do not cause a change in state */ 266 pr_debug("Unknown chunk type, Will stay in %s\n", 267 sctp_conntrack_names[cur_state]); 268 return cur_state; 269 } 270 271 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n", 272 dir, sctp_conntrack_names[cur_state], chunk_type, 273 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]); 274 275 return sctp_conntracks[dir][i][cur_state]; 276} 277 278/* Returns verdict for packet, or -NF_ACCEPT for invalid. */ 279static int sctp_packet(struct nf_conn *ct, 280 const struct sk_buff *skb, 281 unsigned int dataoff, 282 enum ip_conntrack_info ctinfo, 283 u_int8_t pf, 284 unsigned int hooknum) 285{ 286 enum sctp_conntrack new_state, old_state; 287 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 288 const struct sctphdr *sh; 289 struct sctphdr _sctph; 290 const struct sctp_chunkhdr *sch; 291 struct sctp_chunkhdr _sch; 292 u_int32_t offset, count; 293 unsigned long map[256 / sizeof(unsigned long)] = { 0 }; 294 295 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); 296 if (sh == NULL) 297 goto out; 298 299 if (do_basic_checks(ct, skb, dataoff, map) != 0) 300 goto out; 301 302 /* Check the verification tag (Sec 8.5) */ 303 if (!test_bit(SCTP_CID_INIT, map) && 304 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) && 305 !test_bit(SCTP_CID_COOKIE_ECHO, map) && 306 !test_bit(SCTP_CID_ABORT, map) && 307 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) && 308 sh->vtag != ct->proto.sctp.vtag[dir]) { 309 pr_debug("Verification tag check failed\n"); 310 goto out; 311 } 312 313 old_state = new_state = SCTP_CONNTRACK_NONE; 314 spin_lock_bh(&ct->lock); 315 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 316 /* Special cases of Verification tag check (Sec 8.5.1) */ 317 if (sch->type == SCTP_CID_INIT) { 318 /* Sec 8.5.1 (A) */ 319 if (sh->vtag != 0) 320 goto out_unlock; 321 } else if (sch->type == SCTP_CID_ABORT) { 322 /* Sec 8.5.1 (B) */ 323 if (sh->vtag != ct->proto.sctp.vtag[dir] && 324 sh->vtag != ct->proto.sctp.vtag[!dir]) 325 goto out_unlock; 326 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { 327 /* Sec 8.5.1 (C) */ 328 if (sh->vtag != ct->proto.sctp.vtag[dir] && 329 sh->vtag != ct->proto.sctp.vtag[!dir] && 330 sch->flags & SCTP_CHUNK_FLAG_T) 331 goto out_unlock; 332 } else if (sch->type == SCTP_CID_COOKIE_ECHO) { 333 /* Sec 8.5.1 (D) */ 334 if (sh->vtag != ct->proto.sctp.vtag[dir]) 335 goto out_unlock; 336 } 337 338 old_state = ct->proto.sctp.state; 339 new_state = sctp_new_state(dir, old_state, sch->type); 340 341 /* Invalid */ 342 if (new_state == SCTP_CONNTRACK_MAX) { 343 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u " 344 "conntrack=%u\n", 345 dir, sch->type, old_state); 346 goto out_unlock; 347 } 348 349 /* If it is an INIT or an INIT ACK note down the vtag */ 350 if (sch->type == SCTP_CID_INIT || 351 sch->type == SCTP_CID_INIT_ACK) { 352 sctp_inithdr_t _inithdr, *ih; 353 354 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), 355 sizeof(_inithdr), &_inithdr); 356 if (ih == NULL) 357 goto out_unlock; 358 pr_debug("Setting vtag %x for dir %d\n", 359 ih->init_tag, !dir); 360 ct->proto.sctp.vtag[!dir] = ih->init_tag; 361 } 362 363 ct->proto.sctp.state = new_state; 364 if (old_state != new_state) 365 nf_conntrack_event_cache(IPCT_PROTOINFO, ct); 366 } 367 spin_unlock_bh(&ct->lock); 368 369 nf_ct_refresh_acct(ct, ctinfo, skb, sctp_timeouts[new_state]); 370 371 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED && 372 dir == IP_CT_DIR_REPLY && 373 new_state == SCTP_CONNTRACK_ESTABLISHED) { 374 pr_debug("Setting assured bit\n"); 375 set_bit(IPS_ASSURED_BIT, &ct->status); 376 nf_conntrack_event_cache(IPCT_ASSURED, ct); 377 } 378 379 return NF_ACCEPT; 380 381out_unlock: 382 spin_unlock_bh(&ct->lock); 383out: 384 return -NF_ACCEPT; 385} 386 387/* Called when a new connection for this protocol found. */ 388static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb, 389 unsigned int dataoff) 390{ 391 enum sctp_conntrack new_state; 392 const struct sctphdr *sh; 393 struct sctphdr _sctph; 394 const struct sctp_chunkhdr *sch; 395 struct sctp_chunkhdr _sch; 396 u_int32_t offset, count; 397 unsigned long map[256 / sizeof(unsigned long)] = { 0 }; 398 399 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); 400 if (sh == NULL) 401 return false; 402 403 if (do_basic_checks(ct, skb, dataoff, map) != 0) 404 return false; 405 406 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */ 407 if (test_bit(SCTP_CID_ABORT, map) || 408 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) || 409 test_bit(SCTP_CID_COOKIE_ACK, map)) 410 return false; 411 412 new_state = SCTP_CONNTRACK_MAX; 413 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 414 /* Don't need lock here: this conntrack not in circulation yet */ 415 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL, 416 SCTP_CONNTRACK_NONE, sch->type); 417 418 /* Invalid: delete conntrack */ 419 if (new_state == SCTP_CONNTRACK_NONE || 420 new_state == SCTP_CONNTRACK_MAX) { 421 pr_debug("nf_conntrack_sctp: invalid new deleting.\n"); 422 return false; 423 } 424 425 /* Copy the vtag into the state info */ 426 if (sch->type == SCTP_CID_INIT) { 427 if (sh->vtag == 0) { 428 sctp_inithdr_t _inithdr, *ih; 429 430 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), 431 sizeof(_inithdr), &_inithdr); 432 if (ih == NULL) 433 return false; 434 435 pr_debug("Setting vtag %x for new conn\n", 436 ih->init_tag); 437 438 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = 439 ih->init_tag; 440 } else { 441 /* Sec 8.5.1 (A) */ 442 return false; 443 } 444 } 445 /* If it is a shutdown ack OOTB packet, we expect a return 446 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ 447 else { 448 pr_debug("Setting vtag %x for new conn OOTB\n", 449 sh->vtag); 450 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; 451 } 452 453 ct->proto.sctp.state = new_state; 454 } 455 456 return true; 457} 458 459#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 460 461#include <linux/netfilter/nfnetlink.h> 462#include <linux/netfilter/nfnetlink_conntrack.h> 463 464static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, 465 struct nf_conn *ct) 466{ 467 struct nlattr *nest_parms; 468 469 spin_lock_bh(&ct->lock); 470 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED); 471 if (!nest_parms) 472 goto nla_put_failure; 473 474 NLA_PUT_U8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state); 475 476 NLA_PUT_BE32(skb, 477 CTA_PROTOINFO_SCTP_VTAG_ORIGINAL, 478 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]); 479 480 NLA_PUT_BE32(skb, 481 CTA_PROTOINFO_SCTP_VTAG_REPLY, 482 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]); 483 484 spin_unlock_bh(&ct->lock); 485 486 nla_nest_end(skb, nest_parms); 487 488 return 0; 489 490nla_put_failure: 491 spin_unlock_bh(&ct->lock); 492 return -1; 493} 494 495static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = { 496 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 }, 497 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 }, 498 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 }, 499}; 500 501static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct) 502{ 503 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP]; 504 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1]; 505 int err; 506 507 /* updates may not contain the internal protocol info, skip parsing */ 508 if (!attr) 509 return 0; 510 511 err = nla_parse_nested(tb, 512 CTA_PROTOINFO_SCTP_MAX, 513 attr, 514 sctp_nla_policy); 515 if (err < 0) 516 return err; 517 518 if (!tb[CTA_PROTOINFO_SCTP_STATE] || 519 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] || 520 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]) 521 return -EINVAL; 522 523 spin_lock_bh(&ct->lock); 524 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]); 525 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = 526 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]); 527 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = 528 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]); 529 spin_unlock_bh(&ct->lock); 530 531 return 0; 532} 533 534static int sctp_nlattr_size(void) 535{ 536 return nla_total_size(0) /* CTA_PROTOINFO_SCTP */ 537 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1); 538} 539#endif 540 541#ifdef CONFIG_SYSCTL 542static unsigned int sctp_sysctl_table_users; 543static struct ctl_table_header *sctp_sysctl_header; 544static struct ctl_table sctp_sysctl_table[] = { 545 { 546 .procname = "nf_conntrack_sctp_timeout_closed", 547 .data = &sctp_timeouts[SCTP_CONNTRACK_CLOSED], 548 .maxlen = sizeof(unsigned int), 549 .mode = 0644, 550 .proc_handler = proc_dointvec_jiffies, 551 }, 552 { 553 .procname = "nf_conntrack_sctp_timeout_cookie_wait", 554 .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT], 555 .maxlen = sizeof(unsigned int), 556 .mode = 0644, 557 .proc_handler = proc_dointvec_jiffies, 558 }, 559 { 560 .procname = "nf_conntrack_sctp_timeout_cookie_echoed", 561 .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED], 562 .maxlen = sizeof(unsigned int), 563 .mode = 0644, 564 .proc_handler = proc_dointvec_jiffies, 565 }, 566 { 567 .procname = "nf_conntrack_sctp_timeout_established", 568 .data = &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED], 569 .maxlen = sizeof(unsigned int), 570 .mode = 0644, 571 .proc_handler = proc_dointvec_jiffies, 572 }, 573 { 574 .procname = "nf_conntrack_sctp_timeout_shutdown_sent", 575 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT], 576 .maxlen = sizeof(unsigned int), 577 .mode = 0644, 578 .proc_handler = proc_dointvec_jiffies, 579 }, 580 { 581 .procname = "nf_conntrack_sctp_timeout_shutdown_recd", 582 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD], 583 .maxlen = sizeof(unsigned int), 584 .mode = 0644, 585 .proc_handler = proc_dointvec_jiffies, 586 }, 587 { 588 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent", 589 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT], 590 .maxlen = sizeof(unsigned int), 591 .mode = 0644, 592 .proc_handler = proc_dointvec_jiffies, 593 }, 594 { } 595}; 596 597#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 598static struct ctl_table sctp_compat_sysctl_table[] = { 599 { 600 .procname = "ip_conntrack_sctp_timeout_closed", 601 .data = &sctp_timeouts[SCTP_CONNTRACK_CLOSED], 602 .maxlen = sizeof(unsigned int), 603 .mode = 0644, 604 .proc_handler = proc_dointvec_jiffies, 605 }, 606 { 607 .procname = "ip_conntrack_sctp_timeout_cookie_wait", 608 .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT], 609 .maxlen = sizeof(unsigned int), 610 .mode = 0644, 611 .proc_handler = proc_dointvec_jiffies, 612 }, 613 { 614 .procname = "ip_conntrack_sctp_timeout_cookie_echoed", 615 .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED], 616 .maxlen = sizeof(unsigned int), 617 .mode = 0644, 618 .proc_handler = proc_dointvec_jiffies, 619 }, 620 { 621 .procname = "ip_conntrack_sctp_timeout_established", 622 .data = &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED], 623 .maxlen = sizeof(unsigned int), 624 .mode = 0644, 625 .proc_handler = proc_dointvec_jiffies, 626 }, 627 { 628 .procname = "ip_conntrack_sctp_timeout_shutdown_sent", 629 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT], 630 .maxlen = sizeof(unsigned int), 631 .mode = 0644, 632 .proc_handler = proc_dointvec_jiffies, 633 }, 634 { 635 .procname = "ip_conntrack_sctp_timeout_shutdown_recd", 636 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD], 637 .maxlen = sizeof(unsigned int), 638 .mode = 0644, 639 .proc_handler = proc_dointvec_jiffies, 640 }, 641 { 642 .procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent", 643 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT], 644 .maxlen = sizeof(unsigned int), 645 .mode = 0644, 646 .proc_handler = proc_dointvec_jiffies, 647 }, 648 { } 649}; 650#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */ 651#endif 652 653static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = { 654 .l3proto = PF_INET, 655 .l4proto = IPPROTO_SCTP, 656 .name = "sctp", 657 .pkt_to_tuple = sctp_pkt_to_tuple, 658 .invert_tuple = sctp_invert_tuple, 659 .print_tuple = sctp_print_tuple, 660 .print_conntrack = sctp_print_conntrack, 661 .packet = sctp_packet, 662 .new = sctp_new, 663 .me = THIS_MODULE, 664#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 665 .to_nlattr = sctp_to_nlattr, 666 .nlattr_size = sctp_nlattr_size, 667 .from_nlattr = nlattr_to_sctp, 668 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 669 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 670 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 671 .nla_policy = nf_ct_port_nla_policy, 672#endif 673#ifdef CONFIG_SYSCTL 674 .ctl_table_users = &sctp_sysctl_table_users, 675 .ctl_table_header = &sctp_sysctl_header, 676 .ctl_table = sctp_sysctl_table, 677#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 678 .ctl_compat_table = sctp_compat_sysctl_table, 679#endif 680#endif 681}; 682 683static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = { 684 .l3proto = PF_INET6, 685 .l4proto = IPPROTO_SCTP, 686 .name = "sctp", 687 .pkt_to_tuple = sctp_pkt_to_tuple, 688 .invert_tuple = sctp_invert_tuple, 689 .print_tuple = sctp_print_tuple, 690 .print_conntrack = sctp_print_conntrack, 691 .packet = sctp_packet, 692 .new = sctp_new, 693 .me = THIS_MODULE, 694#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 695 .to_nlattr = sctp_to_nlattr, 696 .nlattr_size = sctp_nlattr_size, 697 .from_nlattr = nlattr_to_sctp, 698 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 699 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 700 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 701 .nla_policy = nf_ct_port_nla_policy, 702#endif 703#ifdef CONFIG_SYSCTL 704 .ctl_table_users = &sctp_sysctl_table_users, 705 .ctl_table_header = &sctp_sysctl_header, 706 .ctl_table = sctp_sysctl_table, 707#endif 708}; 709 710static int __init nf_conntrack_proto_sctp_init(void) 711{ 712 int ret; 713 714 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp4); 715 if (ret) { 716 pr_err("nf_conntrack_l4proto_sctp4: protocol register failed\n"); 717 goto out; 718 } 719 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp6); 720 if (ret) { 721 pr_err("nf_conntrack_l4proto_sctp6: protocol register failed\n"); 722 goto cleanup_sctp4; 723 } 724 725 return ret; 726 727 cleanup_sctp4: 728 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4); 729 out: 730 return ret; 731} 732 733static void __exit nf_conntrack_proto_sctp_fini(void) 734{ 735 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6); 736 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4); 737} 738 739module_init(nf_conntrack_proto_sctp_init); 740module_exit(nf_conntrack_proto_sctp_fini); 741 742MODULE_LICENSE("GPL"); 743MODULE_AUTHOR("Kiran Kumar Immidi"); 744MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP"); 745MODULE_ALIAS("ip_conntrack_proto_sctp"); 746