1// SPDX-License-Identifier: GPL-2.0-only
2/* (C) 1999-2001 Paul `Rusty' Russell
3 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
4 * (C) 2006-2012 Patrick McHardy <kaber@trash.net>
5 */
6
7#include <linux/types.h>
8#include <linux/timer.h>
9#include <linux/module.h>
10#include <linux/udp.h>
11#include <linux/seq_file.h>
12#include <linux/skbuff.h>
13#include <linux/ipv6.h>
14#include <net/ip6_checksum.h>
15#include <net/checksum.h>
16
17#include <linux/netfilter.h>
18#include <linux/netfilter_ipv4.h>
19#include <linux/netfilter_ipv6.h>
20#include <net/netfilter/nf_conntrack_l4proto.h>
21#include <net/netfilter/nf_conntrack_ecache.h>
22#include <net/netfilter/nf_conntrack_timeout.h>
23#include <net/netfilter/nf_log.h>
24#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
25#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
26
27static const unsigned int udp_timeouts[UDP_CT_MAX] = {
28	[UDP_CT_UNREPLIED]	= 30*HZ,
29	[UDP_CT_REPLIED]	= 120*HZ,
30};
31
32static unsigned int *udp_get_timeouts(struct net *net)
33{
34	return nf_udp_pernet(net)->timeouts;
35}
36
37static void udp_error_log(const struct sk_buff *skb,
38			  const struct nf_hook_state *state,
39			  const char *msg)
40{
41	nf_l4proto_log_invalid(skb, state, IPPROTO_UDP, "%s", msg);
42}
43
44static bool udp_error(struct sk_buff *skb,
45		      unsigned int dataoff,
46		      const struct nf_hook_state *state)
47{
48	unsigned int udplen = skb->len - dataoff;
49	const struct udphdr *hdr;
50	struct udphdr _hdr;
51
52	/* Header is too small? */
53	hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
54	if (!hdr) {
55		udp_error_log(skb, state, "short packet");
56		return true;
57	}
58
59	/* Truncated/malformed packets */
60	if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) {
61		udp_error_log(skb, state, "truncated/malformed packet");
62		return true;
63	}
64
65	/* Packet with no checksum */
66	if (!hdr->check)
67		return false;
68
69	/* Checksum invalid? Ignore.
70	 * We skip checking packets on the outgoing path
71	 * because the checksum is assumed to be correct.
72	 * FIXME: Source route IP option packets --RR */
73	if (state->hook == NF_INET_PRE_ROUTING &&
74	    state->net->ct.sysctl_checksum &&
75	    nf_checksum(skb, state->hook, dataoff, IPPROTO_UDP, state->pf)) {
76		udp_error_log(skb, state, "bad checksum");
77		return true;
78	}
79
80	return false;
81}
82
83/* Returns verdict for packet, and may modify conntracktype */
84int nf_conntrack_udp_packet(struct nf_conn *ct,
85			    struct sk_buff *skb,
86			    unsigned int dataoff,
87			    enum ip_conntrack_info ctinfo,
88			    const struct nf_hook_state *state)
89{
90	unsigned int *timeouts;
91	unsigned long status;
92
93	if (udp_error(skb, dataoff, state))
94		return -NF_ACCEPT;
95
96	timeouts = nf_ct_timeout_lookup(ct);
97	if (!timeouts)
98		timeouts = udp_get_timeouts(nf_ct_net(ct));
99
100	status = READ_ONCE(ct->status);
101	if ((status & IPS_CONFIRMED) == 0)
102		ct->proto.udp.stream_ts = 2 * HZ + jiffies;
103
104	/* If we've seen traffic both ways, this is some kind of UDP
105	 * stream. Set Assured.
106	 */
107	if (status & IPS_SEEN_REPLY) {
108		unsigned long extra = timeouts[UDP_CT_UNREPLIED];
109		bool stream = false;
110
111		/* Still active after two seconds? Extend timeout. */
112		if (time_after(jiffies, ct->proto.udp.stream_ts)) {
113			extra = timeouts[UDP_CT_REPLIED];
114			stream = (status & IPS_ASSURED) == 0;
115		}
116
117		nf_ct_refresh_acct(ct, ctinfo, skb, extra);
118
119		/* never set ASSURED for IPS_NAT_CLASH, they time out soon */
120		if (unlikely((status & IPS_NAT_CLASH)))
121			return NF_ACCEPT;
122
123		/* Also, more likely to be important, and not a probe */
124		if (stream && !test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
125			nf_conntrack_event_cache(IPCT_ASSURED, ct);
126	} else {
127		nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[UDP_CT_UNREPLIED]);
128	}
129	return NF_ACCEPT;
130}
131
132#ifdef CONFIG_NF_CT_PROTO_UDPLITE
133static void udplite_error_log(const struct sk_buff *skb,
134			      const struct nf_hook_state *state,
135			      const char *msg)
136{
137	nf_l4proto_log_invalid(skb, state, IPPROTO_UDPLITE, "%s", msg);
138}
139
140static bool udplite_error(struct sk_buff *skb,
141			  unsigned int dataoff,
142			  const struct nf_hook_state *state)
143{
144	unsigned int udplen = skb->len - dataoff;
145	const struct udphdr *hdr;
146	struct udphdr _hdr;
147	unsigned int cscov;
148
149	/* Header is too small? */
150	hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
151	if (!hdr) {
152		udplite_error_log(skb, state, "short packet");
153		return true;
154	}
155
156	cscov = ntohs(hdr->len);
157	if (cscov == 0) {
158		cscov = udplen;
159	} else if (cscov < sizeof(*hdr) || cscov > udplen) {
160		udplite_error_log(skb, state, "invalid checksum coverage");
161		return true;
162	}
163
164	/* UDPLITE mandates checksums */
165	if (!hdr->check) {
166		udplite_error_log(skb, state, "checksum missing");
167		return true;
168	}
169
170	/* Checksum invalid? Ignore. */
171	if (state->hook == NF_INET_PRE_ROUTING &&
172	    state->net->ct.sysctl_checksum &&
173	    nf_checksum_partial(skb, state->hook, dataoff, cscov, IPPROTO_UDP,
174				state->pf)) {
175		udplite_error_log(skb, state, "bad checksum");
176		return true;
177	}
178
179	return false;
180}
181
182/* Returns verdict for packet, and may modify conntracktype */
183int nf_conntrack_udplite_packet(struct nf_conn *ct,
184				struct sk_buff *skb,
185				unsigned int dataoff,
186				enum ip_conntrack_info ctinfo,
187				const struct nf_hook_state *state)
188{
189	unsigned int *timeouts;
190
191	if (udplite_error(skb, dataoff, state))
192		return -NF_ACCEPT;
193
194	timeouts = nf_ct_timeout_lookup(ct);
195	if (!timeouts)
196		timeouts = udp_get_timeouts(nf_ct_net(ct));
197
198	/* If we've seen traffic both ways, this is some kind of UDP
199	   stream.  Extend timeout. */
200	if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
201		nf_ct_refresh_acct(ct, ctinfo, skb,
202				   timeouts[UDP_CT_REPLIED]);
203
204		if (unlikely((ct->status & IPS_NAT_CLASH)))
205			return NF_ACCEPT;
206
207		/* Also, more likely to be important, and not a probe */
208		if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
209			nf_conntrack_event_cache(IPCT_ASSURED, ct);
210	} else {
211		nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[UDP_CT_UNREPLIED]);
212	}
213	return NF_ACCEPT;
214}
215#endif
216
217#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
218
219#include <linux/netfilter/nfnetlink.h>
220#include <linux/netfilter/nfnetlink_cttimeout.h>
221
222static int udp_timeout_nlattr_to_obj(struct nlattr *tb[],
223				     struct net *net, void *data)
224{
225	unsigned int *timeouts = data;
226	struct nf_udp_net *un = nf_udp_pernet(net);
227
228	if (!timeouts)
229		timeouts = un->timeouts;
230
231	/* set default timeouts for UDP. */
232	timeouts[UDP_CT_UNREPLIED] = un->timeouts[UDP_CT_UNREPLIED];
233	timeouts[UDP_CT_REPLIED] = un->timeouts[UDP_CT_REPLIED];
234
235	if (tb[CTA_TIMEOUT_UDP_UNREPLIED]) {
236		timeouts[UDP_CT_UNREPLIED] =
237			ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_UNREPLIED])) * HZ;
238	}
239	if (tb[CTA_TIMEOUT_UDP_REPLIED]) {
240		timeouts[UDP_CT_REPLIED] =
241			ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_REPLIED])) * HZ;
242	}
243	return 0;
244}
245
246static int
247udp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
248{
249	const unsigned int *timeouts = data;
250
251	if (nla_put_be32(skb, CTA_TIMEOUT_UDP_UNREPLIED,
252			 htonl(timeouts[UDP_CT_UNREPLIED] / HZ)) ||
253	    nla_put_be32(skb, CTA_TIMEOUT_UDP_REPLIED,
254			 htonl(timeouts[UDP_CT_REPLIED] / HZ)))
255		goto nla_put_failure;
256	return 0;
257
258nla_put_failure:
259	return -ENOSPC;
260}
261
262static const struct nla_policy
263udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = {
264       [CTA_TIMEOUT_UDP_UNREPLIED]	= { .type = NLA_U32 },
265       [CTA_TIMEOUT_UDP_REPLIED]	= { .type = NLA_U32 },
266};
267#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
268
269void nf_conntrack_udp_init_net(struct net *net)
270{
271	struct nf_udp_net *un = nf_udp_pernet(net);
272	int i;
273
274	for (i = 0; i < UDP_CT_MAX; i++)
275		un->timeouts[i] = udp_timeouts[i];
276
277#if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
278	un->offload_timeout = 30 * HZ;
279#endif
280}
281
282const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp =
283{
284	.l4proto		= IPPROTO_UDP,
285	.allow_clash		= true,
286#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
287	.tuple_to_nlattr	= nf_ct_port_tuple_to_nlattr,
288	.nlattr_to_tuple	= nf_ct_port_nlattr_to_tuple,
289	.nlattr_tuple_size	= nf_ct_port_nlattr_tuple_size,
290	.nla_policy		= nf_ct_port_nla_policy,
291#endif
292#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
293	.ctnl_timeout		= {
294		.nlattr_to_obj	= udp_timeout_nlattr_to_obj,
295		.obj_to_nlattr	= udp_timeout_obj_to_nlattr,
296		.nlattr_max	= CTA_TIMEOUT_UDP_MAX,
297		.obj_size	= sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
298		.nla_policy	= udp_timeout_nla_policy,
299	},
300#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
301};
302
303#ifdef CONFIG_NF_CT_PROTO_UDPLITE
304const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite =
305{
306	.l4proto		= IPPROTO_UDPLITE,
307	.allow_clash		= true,
308#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
309	.tuple_to_nlattr	= nf_ct_port_tuple_to_nlattr,
310	.nlattr_to_tuple	= nf_ct_port_nlattr_to_tuple,
311	.nlattr_tuple_size	= nf_ct_port_nlattr_tuple_size,
312	.nla_policy		= nf_ct_port_nla_policy,
313#endif
314#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
315	.ctnl_timeout		= {
316		.nlattr_to_obj	= udp_timeout_nlattr_to_obj,
317		.obj_to_nlattr	= udp_timeout_obj_to_nlattr,
318		.nlattr_max	= CTA_TIMEOUT_UDP_MAX,
319		.obj_size	= sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
320		.nla_policy	= udp_timeout_nla_policy,
321	},
322#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
323};
324#endif
325