1/* 2 * Connection tracking protocol helper module for SCTP. 3 * 4 * SCTP is defined in RFC 2960. References to various sections in this code 5 * are to this RFC. 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 as 9 * published by the Free Software Foundation. 10 */ 11 12#include <linux/types.h> 13#include <linux/timer.h> 14#include <linux/netfilter.h> 15#include <linux/module.h> 16#include <linux/in.h> 17#include <linux/ip.h> 18#include <linux/sctp.h> 19#include <linux/string.h> 20#include <linux/seq_file.h> 21#include <linux/spinlock.h> 22#include <linux/interrupt.h> 23 24#include <net/netfilter/nf_conntrack.h> 25#include <net/netfilter/nf_conntrack_l4proto.h> 26#include <net/netfilter/nf_conntrack_ecache.h> 27 28#define DEBUGP(format, args...) 29 30/* Protects conntrack->proto.sctp */ 31static DEFINE_RWLOCK(sctp_lock); 32 33 34static const char *sctp_conntrack_names[] = { 35 "NONE", 36 "CLOSED", 37 "COOKIE_WAIT", 38 "COOKIE_ECHOED", 39 "ESTABLISHED", 40 "SHUTDOWN_SENT", 41 "SHUTDOWN_RECD", 42 "SHUTDOWN_ACK_SENT", 43}; 44 45#define SECS * HZ 46#define MINS * 60 SECS 47#define HOURS * 60 MINS 48#define DAYS * 24 HOURS 49 50static unsigned int nf_ct_sctp_timeout_closed __read_mostly = 10 SECS; 51static unsigned int nf_ct_sctp_timeout_cookie_wait __read_mostly = 3 SECS; 52static unsigned int nf_ct_sctp_timeout_cookie_echoed __read_mostly = 3 SECS; 53static unsigned int nf_ct_sctp_timeout_established __read_mostly = 5 DAYS; 54static unsigned int nf_ct_sctp_timeout_shutdown_sent __read_mostly = 300 SECS / 1000; 55static unsigned int nf_ct_sctp_timeout_shutdown_recd __read_mostly = 300 SECS / 1000; 56static unsigned int nf_ct_sctp_timeout_shutdown_ack_sent __read_mostly = 3 SECS; 57 58static unsigned int * sctp_timeouts[] 59= { NULL, /* SCTP_CONNTRACK_NONE */ 60 &nf_ct_sctp_timeout_closed, /* SCTP_CONNTRACK_CLOSED */ 61 &nf_ct_sctp_timeout_cookie_wait, /* SCTP_CONNTRACK_COOKIE_WAIT */ 62 &nf_ct_sctp_timeout_cookie_echoed, /* SCTP_CONNTRACK_COOKIE_ECHOED */ 63 &nf_ct_sctp_timeout_established, /* SCTP_CONNTRACK_ESTABLISHED */ 64 &nf_ct_sctp_timeout_shutdown_sent, /* SCTP_CONNTRACK_SHUTDOWN_SENT */ 65 &nf_ct_sctp_timeout_shutdown_recd, /* SCTP_CONNTRACK_SHUTDOWN_RECD */ 66 &nf_ct_sctp_timeout_shutdown_ack_sent /* SCTP_CONNTRACK_SHUTDOWN_ACK_SENT */ 67 }; 68 69#define sNO SCTP_CONNTRACK_NONE 70#define sCL SCTP_CONNTRACK_CLOSED 71#define sCW SCTP_CONNTRACK_COOKIE_WAIT 72#define sCE SCTP_CONNTRACK_COOKIE_ECHOED 73#define sES SCTP_CONNTRACK_ESTABLISHED 74#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT 75#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD 76#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT 77#define sIV SCTP_CONNTRACK_MAX 78 79/* 80 These are the descriptions of the states: 81 82NOTE: These state names are tantalizingly similar to the states of an 83SCTP endpoint. But the interpretation of the states is a little different, 84considering that these are the states of the connection and not of an end 85point. Please note the subtleties. -Kiran 86 87NONE - Nothing so far. 88COOKIE WAIT - We have seen an INIT chunk in the original direction, or also 89 an INIT_ACK chunk in the reply direction. 90COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. 91ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. 92SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. 93SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin. 94SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite 95 to that of the SHUTDOWN chunk. 96CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of 97 the SHUTDOWN chunk. Connection is closed. 98*/ 99 100/* TODO 101 - I have assumed that the first INIT is in the original direction. 102 This messes things when an INIT comes in the reply direction in CLOSED 103 state. 104 - Check the error type in the reply dir before transitioning from 105cookie echoed to closed. 106 - Sec 5.2.4 of RFC 2960 107 - Multi Homing support. 108*/ 109 110/* SCTP conntrack state transitions */ 111static enum sctp_conntrack sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = { 112 { 113/* ORIGINAL */ 114/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */ 115/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA}, 116/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA}, 117/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, 118/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA}, 119/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA}, 120/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant have Stale cookie*/ 121/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA},/* 5.2.4 - Big TODO */ 122/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in orig dir */ 123/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL} 124 }, 125 { 126/* REPLY */ 127/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */ 128/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* INIT in sCL Big TODO */ 129/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA}, 130/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, 131/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA}, 132/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA}, 133/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA}, 134/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in reply dir */ 135/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA}, 136/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL} 137 } 138}; 139 140static int sctp_pkt_to_tuple(const struct sk_buff *skb, 141 unsigned int dataoff, 142 struct nf_conntrack_tuple *tuple) 143{ 144 sctp_sctphdr_t _hdr, *hp; 145 146 DEBUGP(__FUNCTION__); 147 DEBUGP("\n"); 148 149 /* Actually only need first 8 bytes. */ 150 hp = skb_header_pointer(skb, dataoff, 8, &_hdr); 151 if (hp == NULL) 152 return 0; 153 154 tuple->src.u.sctp.port = hp->source; 155 tuple->dst.u.sctp.port = hp->dest; 156 return 1; 157} 158 159static int sctp_invert_tuple(struct nf_conntrack_tuple *tuple, 160 const struct nf_conntrack_tuple *orig) 161{ 162 DEBUGP(__FUNCTION__); 163 DEBUGP("\n"); 164 165 tuple->src.u.sctp.port = orig->dst.u.sctp.port; 166 tuple->dst.u.sctp.port = orig->src.u.sctp.port; 167 return 1; 168} 169 170/* Print out the per-protocol part of the tuple. */ 171static int sctp_print_tuple(struct seq_file *s, 172 const struct nf_conntrack_tuple *tuple) 173{ 174 DEBUGP(__FUNCTION__); 175 DEBUGP("\n"); 176 177 return seq_printf(s, "sport=%hu dport=%hu ", 178 ntohs(tuple->src.u.sctp.port), 179 ntohs(tuple->dst.u.sctp.port)); 180} 181 182/* Print out the private part of the conntrack. */ 183static int sctp_print_conntrack(struct seq_file *s, 184 const struct nf_conn *conntrack) 185{ 186 enum sctp_conntrack state; 187 188 DEBUGP(__FUNCTION__); 189 DEBUGP("\n"); 190 191 read_lock_bh(&sctp_lock); 192 state = conntrack->proto.sctp.state; 193 read_unlock_bh(&sctp_lock); 194 195 return seq_printf(s, "%s ", sctp_conntrack_names[state]); 196} 197 198#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ 199for (offset = dataoff + sizeof(sctp_sctphdr_t), count = 0; \ 200 offset < skb->len && \ 201 (sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch)); \ 202 offset += (ntohs(sch->length) + 3) & ~3, count++) 203 204/* Some validity checks to make sure the chunks are fine */ 205static int do_basic_checks(struct nf_conn *conntrack, 206 const struct sk_buff *skb, 207 unsigned int dataoff, 208 char *map) 209{ 210 u_int32_t offset, count; 211 sctp_chunkhdr_t _sch, *sch; 212 int flag; 213 214 DEBUGP(__FUNCTION__); 215 DEBUGP("\n"); 216 217 flag = 0; 218 219 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 220 DEBUGP("Chunk Num: %d Type: %d\n", count, sch->type); 221 222 if (sch->type == SCTP_CID_INIT 223 || sch->type == SCTP_CID_INIT_ACK 224 || sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { 225 flag = 1; 226 } 227 228 /* 229 * Cookie Ack/Echo chunks not the first OR 230 * Init / Init Ack / Shutdown compl chunks not the only chunks 231 * OR zero-length. 232 */ 233 if (((sch->type == SCTP_CID_COOKIE_ACK 234 || sch->type == SCTP_CID_COOKIE_ECHO 235 || flag) 236 && count !=0) || !sch->length) { 237 DEBUGP("Basic checks failed\n"); 238 return 1; 239 } 240 241 if (map) { 242 set_bit(sch->type, (void *)map); 243 } 244 } 245 246 DEBUGP("Basic checks passed\n"); 247 return count == 0; 248} 249 250static int new_state(enum ip_conntrack_dir dir, 251 enum sctp_conntrack cur_state, 252 int chunk_type) 253{ 254 int i; 255 256 DEBUGP(__FUNCTION__); 257 DEBUGP("\n"); 258 259 DEBUGP("Chunk type: %d\n", chunk_type); 260 261 switch (chunk_type) { 262 case SCTP_CID_INIT: 263 DEBUGP("SCTP_CID_INIT\n"); 264 i = 0; break; 265 case SCTP_CID_INIT_ACK: 266 DEBUGP("SCTP_CID_INIT_ACK\n"); 267 i = 1; break; 268 case SCTP_CID_ABORT: 269 DEBUGP("SCTP_CID_ABORT\n"); 270 i = 2; break; 271 case SCTP_CID_SHUTDOWN: 272 DEBUGP("SCTP_CID_SHUTDOWN\n"); 273 i = 3; break; 274 case SCTP_CID_SHUTDOWN_ACK: 275 DEBUGP("SCTP_CID_SHUTDOWN_ACK\n"); 276 i = 4; break; 277 case SCTP_CID_ERROR: 278 DEBUGP("SCTP_CID_ERROR\n"); 279 i = 5; break; 280 case SCTP_CID_COOKIE_ECHO: 281 DEBUGP("SCTP_CID_COOKIE_ECHO\n"); 282 i = 6; break; 283 case SCTP_CID_COOKIE_ACK: 284 DEBUGP("SCTP_CID_COOKIE_ACK\n"); 285 i = 7; break; 286 case SCTP_CID_SHUTDOWN_COMPLETE: 287 DEBUGP("SCTP_CID_SHUTDOWN_COMPLETE\n"); 288 i = 8; break; 289 default: 290 /* Other chunks like DATA, SACK, HEARTBEAT and 291 its ACK do not cause a change in state */ 292 DEBUGP("Unknown chunk type, Will stay in %s\n", 293 sctp_conntrack_names[cur_state]); 294 return cur_state; 295 } 296 297 DEBUGP("dir: %d cur_state: %s chunk_type: %d new_state: %s\n", 298 dir, sctp_conntrack_names[cur_state], chunk_type, 299 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]); 300 301 return sctp_conntracks[dir][i][cur_state]; 302} 303 304/* Returns verdict for packet, or -1 for invalid. */ 305static int sctp_packet(struct nf_conn *conntrack, 306 const struct sk_buff *skb, 307 unsigned int dataoff, 308 enum ip_conntrack_info ctinfo, 309 int pf, 310 unsigned int hooknum) 311{ 312 enum sctp_conntrack newconntrack, oldsctpstate; 313 sctp_sctphdr_t _sctph, *sh; 314 sctp_chunkhdr_t _sch, *sch; 315 u_int32_t offset, count; 316 char map[256 / sizeof (char)] = {0}; 317 318 DEBUGP(__FUNCTION__); 319 DEBUGP("\n"); 320 321 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); 322 if (sh == NULL) 323 return -1; 324 325 if (do_basic_checks(conntrack, skb, dataoff, map) != 0) 326 return -1; 327 328 /* Check the verification tag (Sec 8.5) */ 329 if (!test_bit(SCTP_CID_INIT, (void *)map) 330 && !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, (void *)map) 331 && !test_bit(SCTP_CID_COOKIE_ECHO, (void *)map) 332 && !test_bit(SCTP_CID_ABORT, (void *)map) 333 && !test_bit(SCTP_CID_SHUTDOWN_ACK, (void *)map) 334 && (sh->vtag != conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)])) { 335 DEBUGP("Verification tag check failed\n"); 336 return -1; 337 } 338 339 oldsctpstate = newconntrack = SCTP_CONNTRACK_MAX; 340 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 341 write_lock_bh(&sctp_lock); 342 343 /* Special cases of Verification tag check (Sec 8.5.1) */ 344 if (sch->type == SCTP_CID_INIT) { 345 /* Sec 8.5.1 (A) */ 346 if (sh->vtag != 0) { 347 write_unlock_bh(&sctp_lock); 348 return -1; 349 } 350 } else if (sch->type == SCTP_CID_ABORT) { 351 /* Sec 8.5.1 (B) */ 352 if (!(sh->vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) 353 && !(sh->vtag == conntrack->proto.sctp.vtag 354 [1 - CTINFO2DIR(ctinfo)])) { 355 write_unlock_bh(&sctp_lock); 356 return -1; 357 } 358 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { 359 /* Sec 8.5.1 (C) */ 360 if (!(sh->vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) 361 && !(sh->vtag == conntrack->proto.sctp.vtag 362 [1 - CTINFO2DIR(ctinfo)] 363 && (sch->flags & 1))) { 364 write_unlock_bh(&sctp_lock); 365 return -1; 366 } 367 } else if (sch->type == SCTP_CID_COOKIE_ECHO) { 368 /* Sec 8.5.1 (D) */ 369 if (!(sh->vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)])) { 370 write_unlock_bh(&sctp_lock); 371 return -1; 372 } 373 } 374 375 oldsctpstate = conntrack->proto.sctp.state; 376 newconntrack = new_state(CTINFO2DIR(ctinfo), oldsctpstate, sch->type); 377 378 /* Invalid */ 379 if (newconntrack == SCTP_CONNTRACK_MAX) { 380 DEBUGP("nf_conntrack_sctp: Invalid dir=%i ctype=%u conntrack=%u\n", 381 CTINFO2DIR(ctinfo), sch->type, oldsctpstate); 382 write_unlock_bh(&sctp_lock); 383 return -1; 384 } 385 386 /* If it is an INIT or an INIT ACK note down the vtag */ 387 if (sch->type == SCTP_CID_INIT 388 || sch->type == SCTP_CID_INIT_ACK) { 389 sctp_inithdr_t _inithdr, *ih; 390 391 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), 392 sizeof(_inithdr), &_inithdr); 393 if (ih == NULL) { 394 write_unlock_bh(&sctp_lock); 395 return -1; 396 } 397 DEBUGP("Setting vtag %x for dir %d\n", 398 ih->init_tag, !CTINFO2DIR(ctinfo)); 399 conntrack->proto.sctp.vtag[!CTINFO2DIR(ctinfo)] = ih->init_tag; 400 } 401 402 conntrack->proto.sctp.state = newconntrack; 403 if (oldsctpstate != newconntrack) 404 nf_conntrack_event_cache(IPCT_PROTOINFO, skb); 405 write_unlock_bh(&sctp_lock); 406 } 407 408 nf_ct_refresh_acct(conntrack, ctinfo, skb, *sctp_timeouts[newconntrack]); 409 410 if (oldsctpstate == SCTP_CONNTRACK_COOKIE_ECHOED 411 && CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY 412 && newconntrack == SCTP_CONNTRACK_ESTABLISHED) { 413 DEBUGP("Setting assured bit\n"); 414 set_bit(IPS_ASSURED_BIT, &conntrack->status); 415 nf_conntrack_event_cache(IPCT_STATUS, skb); 416 } 417 418 return NF_ACCEPT; 419} 420 421/* Called when a new connection for this protocol found. */ 422static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb, 423 unsigned int dataoff) 424{ 425 enum sctp_conntrack newconntrack; 426 sctp_sctphdr_t _sctph, *sh; 427 sctp_chunkhdr_t _sch, *sch; 428 u_int32_t offset, count; 429 char map[256 / sizeof (char)] = {0}; 430 431 DEBUGP(__FUNCTION__); 432 DEBUGP("\n"); 433 434 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); 435 if (sh == NULL) 436 return 0; 437 438 if (do_basic_checks(conntrack, skb, dataoff, map) != 0) 439 return 0; 440 441 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */ 442 if ((test_bit (SCTP_CID_ABORT, (void *)map)) 443 || (test_bit (SCTP_CID_SHUTDOWN_COMPLETE, (void *)map)) 444 || (test_bit (SCTP_CID_COOKIE_ACK, (void *)map))) { 445 return 0; 446 } 447 448 newconntrack = SCTP_CONNTRACK_MAX; 449 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 450 /* Don't need lock here: this conntrack not in circulation yet */ 451 newconntrack = new_state(IP_CT_DIR_ORIGINAL, 452 SCTP_CONNTRACK_NONE, sch->type); 453 454 /* Invalid: delete conntrack */ 455 if (newconntrack == SCTP_CONNTRACK_MAX) { 456 DEBUGP("nf_conntrack_sctp: invalid new deleting.\n"); 457 return 0; 458 } 459 460 /* Copy the vtag into the state info */ 461 if (sch->type == SCTP_CID_INIT) { 462 if (sh->vtag == 0) { 463 sctp_inithdr_t _inithdr, *ih; 464 465 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), 466 sizeof(_inithdr), &_inithdr); 467 if (ih == NULL) 468 return 0; 469 470 DEBUGP("Setting vtag %x for new conn\n", 471 ih->init_tag); 472 473 conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = 474 ih->init_tag; 475 } else { 476 /* Sec 8.5.1 (A) */ 477 return 0; 478 } 479 } 480 /* If it is a shutdown ack OOTB packet, we expect a return 481 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ 482 else { 483 DEBUGP("Setting vtag %x for new conn OOTB\n", 484 sh->vtag); 485 conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; 486 } 487 488 conntrack->proto.sctp.state = newconntrack; 489 } 490 491 return 1; 492} 493 494#ifdef CONFIG_SYSCTL 495static unsigned int sctp_sysctl_table_users; 496static struct ctl_table_header *sctp_sysctl_header; 497static struct ctl_table sctp_sysctl_table[] = { 498 { 499 .ctl_name = NET_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED, 500 .procname = "nf_conntrack_sctp_timeout_closed", 501 .data = &nf_ct_sctp_timeout_closed, 502 .maxlen = sizeof(unsigned int), 503 .mode = 0644, 504 .proc_handler = &proc_dointvec_jiffies, 505 }, 506 { 507 .ctl_name = NET_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_WAIT, 508 .procname = "nf_conntrack_sctp_timeout_cookie_wait", 509 .data = &nf_ct_sctp_timeout_cookie_wait, 510 .maxlen = sizeof(unsigned int), 511 .mode = 0644, 512 .proc_handler = &proc_dointvec_jiffies, 513 }, 514 { 515 .ctl_name = NET_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_ECHOED, 516 .procname = "nf_conntrack_sctp_timeout_cookie_echoed", 517 .data = &nf_ct_sctp_timeout_cookie_echoed, 518 .maxlen = sizeof(unsigned int), 519 .mode = 0644, 520 .proc_handler = &proc_dointvec_jiffies, 521 }, 522 { 523 .ctl_name = NET_NF_CONNTRACK_SCTP_TIMEOUT_ESTABLISHED, 524 .procname = "nf_conntrack_sctp_timeout_established", 525 .data = &nf_ct_sctp_timeout_established, 526 .maxlen = sizeof(unsigned int), 527 .mode = 0644, 528 .proc_handler = &proc_dointvec_jiffies, 529 }, 530 { 531 .ctl_name = NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT, 532 .procname = "nf_conntrack_sctp_timeout_shutdown_sent", 533 .data = &nf_ct_sctp_timeout_shutdown_sent, 534 .maxlen = sizeof(unsigned int), 535 .mode = 0644, 536 .proc_handler = &proc_dointvec_jiffies, 537 }, 538 { 539 .ctl_name = NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD, 540 .procname = "nf_conntrack_sctp_timeout_shutdown_recd", 541 .data = &nf_ct_sctp_timeout_shutdown_recd, 542 .maxlen = sizeof(unsigned int), 543 .mode = 0644, 544 .proc_handler = &proc_dointvec_jiffies, 545 }, 546 { 547 .ctl_name = NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT, 548 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent", 549 .data = &nf_ct_sctp_timeout_shutdown_ack_sent, 550 .maxlen = sizeof(unsigned int), 551 .mode = 0644, 552 .proc_handler = &proc_dointvec_jiffies, 553 }, 554 { 555 .ctl_name = 0 556 } 557}; 558 559#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 560static struct ctl_table sctp_compat_sysctl_table[] = { 561 { 562 .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED, 563 .procname = "ip_conntrack_sctp_timeout_closed", 564 .data = &nf_ct_sctp_timeout_closed, 565 .maxlen = sizeof(unsigned int), 566 .mode = 0644, 567 .proc_handler = &proc_dointvec_jiffies, 568 }, 569 { 570 .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_WAIT, 571 .procname = "ip_conntrack_sctp_timeout_cookie_wait", 572 .data = &nf_ct_sctp_timeout_cookie_wait, 573 .maxlen = sizeof(unsigned int), 574 .mode = 0644, 575 .proc_handler = &proc_dointvec_jiffies, 576 }, 577 { 578 .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_ECHOED, 579 .procname = "ip_conntrack_sctp_timeout_cookie_echoed", 580 .data = &nf_ct_sctp_timeout_cookie_echoed, 581 .maxlen = sizeof(unsigned int), 582 .mode = 0644, 583 .proc_handler = &proc_dointvec_jiffies, 584 }, 585 { 586 .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_ESTABLISHED, 587 .procname = "ip_conntrack_sctp_timeout_established", 588 .data = &nf_ct_sctp_timeout_established, 589 .maxlen = sizeof(unsigned int), 590 .mode = 0644, 591 .proc_handler = &proc_dointvec_jiffies, 592 }, 593 { 594 .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT, 595 .procname = "ip_conntrack_sctp_timeout_shutdown_sent", 596 .data = &nf_ct_sctp_timeout_shutdown_sent, 597 .maxlen = sizeof(unsigned int), 598 .mode = 0644, 599 .proc_handler = &proc_dointvec_jiffies, 600 }, 601 { 602 .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD, 603 .procname = "ip_conntrack_sctp_timeout_shutdown_recd", 604 .data = &nf_ct_sctp_timeout_shutdown_recd, 605 .maxlen = sizeof(unsigned int), 606 .mode = 0644, 607 .proc_handler = &proc_dointvec_jiffies, 608 }, 609 { 610 .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT, 611 .procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent", 612 .data = &nf_ct_sctp_timeout_shutdown_ack_sent, 613 .maxlen = sizeof(unsigned int), 614 .mode = 0644, 615 .proc_handler = &proc_dointvec_jiffies, 616 }, 617 { 618 .ctl_name = 0 619 } 620}; 621#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */ 622#endif 623 624struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = { 625 .l3proto = PF_INET, 626 .l4proto = IPPROTO_SCTP, 627 .name = "sctp", 628 .pkt_to_tuple = sctp_pkt_to_tuple, 629 .invert_tuple = sctp_invert_tuple, 630 .print_tuple = sctp_print_tuple, 631 .print_conntrack = sctp_print_conntrack, 632 .packet = sctp_packet, 633 .new = sctp_new, 634 .me = THIS_MODULE, 635#ifdef CONFIG_SYSCTL 636 .ctl_table_users = &sctp_sysctl_table_users, 637 .ctl_table_header = &sctp_sysctl_header, 638 .ctl_table = sctp_sysctl_table, 639#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 640 .ctl_compat_table = sctp_compat_sysctl_table, 641#endif 642#endif 643}; 644 645struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 = { 646 .l3proto = PF_INET6, 647 .l4proto = IPPROTO_SCTP, 648 .name = "sctp", 649 .pkt_to_tuple = sctp_pkt_to_tuple, 650 .invert_tuple = sctp_invert_tuple, 651 .print_tuple = sctp_print_tuple, 652 .print_conntrack = sctp_print_conntrack, 653 .packet = sctp_packet, 654 .new = sctp_new, 655 .me = THIS_MODULE, 656#ifdef CONFIG_SYSCTL 657 .ctl_table_users = &sctp_sysctl_table_users, 658 .ctl_table_header = &sctp_sysctl_header, 659 .ctl_table = sctp_sysctl_table, 660#endif 661}; 662 663int __init nf_conntrack_proto_sctp_init(void) 664{ 665 int ret; 666 667 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp4); 668 if (ret) { 669 printk("nf_conntrack_l4proto_sctp4: protocol register failed\n"); 670 goto out; 671 } 672 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp6); 673 if (ret) { 674 printk("nf_conntrack_l4proto_sctp6: protocol register failed\n"); 675 goto cleanup_sctp4; 676 } 677 678 return ret; 679 680 cleanup_sctp4: 681 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4); 682 out: 683 DEBUGP("SCTP conntrack module loading %s\n", 684 ret ? "failed": "succeeded"); 685 return ret; 686} 687 688void __exit nf_conntrack_proto_sctp_fini(void) 689{ 690 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6); 691 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4); 692 DEBUGP("SCTP conntrack module unloaded\n"); 693} 694 695module_init(nf_conntrack_proto_sctp_init); 696module_exit(nf_conntrack_proto_sctp_fini); 697 698MODULE_LICENSE("GPL"); 699MODULE_AUTHOR("Kiran Kumar Immidi"); 700MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP"); 701MODULE_ALIAS("ip_conntrack_proto_sctp"); 702