2 * DCCP connection tracking protocol helper
4 * Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net>
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 #include <linux/kernel.h>
12 #include <linux/init.h>
13 #include <linux/sysctl.h>
14 #include <linux/spinlock.h>
15 #include <linux/skbuff.h>
16 #include <linux/dccp.h>
17 #include <linux/slab.h>
19 #include <net/net_namespace.h>
20 #include <net/netns/generic.h>
22 #include <linux/netfilter/nfnetlink_conntrack.h>
23 #include <net/netfilter/nf_conntrack.h>
24 #include <net/netfilter/nf_conntrack_l4proto.h>
25 #include <net/netfilter/nf_conntrack_ecache.h>
26 #include <net/netfilter/nf_log.h>
28 /* Timeouts are based on values from RFC4340:
32 * 8.1.2. Client Request
34 * A client MAY give up on its DCCP-Requests after some time
35 * (3 minutes, for example).
39 * 8.1.3. Server Response
41 * It MAY also leave the RESPOND state for CLOSED after a timeout of
42 * not less than 4MSL (8 minutes);
46 * 8.1.5. Handshake Completion
48 * If the client remains in PARTOPEN for more than 4MSL (8 minutes),
49 * it SHOULD reset the connection with Reset Code 2, "Aborted".
53 * The DCCP timestamp overflows after 11.9 hours. If the connection
54 * stays idle this long the sequence number won't be recognized
61 * The retransmission timer should initially be set to go off in two
62 * round-trip times and should back off to not less than once every
69 * A server or client socket remains in this state for 2MSL (4 minutes)
70 * after the connection has been town down, ...
73 #define DCCP_MSL (2 * 60 * HZ)
75 static const char * const dccp_state_names[] = {
76 [CT_DCCP_NONE] = "NONE",
77 [CT_DCCP_REQUEST] = "REQUEST",
78 [CT_DCCP_RESPOND] = "RESPOND",
79 [CT_DCCP_PARTOPEN] = "PARTOPEN",
80 [CT_DCCP_OPEN] = "OPEN",
81 [CT_DCCP_CLOSEREQ] = "CLOSEREQ",
82 [CT_DCCP_CLOSING] = "CLOSING",
83 [CT_DCCP_TIMEWAIT] = "TIMEWAIT",
84 [CT_DCCP_IGNORE] = "IGNORE",
85 [CT_DCCP_INVALID] = "INVALID",
88 #define sNO CT_DCCP_NONE
89 #define sRQ CT_DCCP_REQUEST
90 #define sRS CT_DCCP_RESPOND
91 #define sPO CT_DCCP_PARTOPEN
92 #define sOP CT_DCCP_OPEN
93 #define sCR CT_DCCP_CLOSEREQ
94 #define sCG CT_DCCP_CLOSING
95 #define sTW CT_DCCP_TIMEWAIT
96 #define sIG CT_DCCP_IGNORE
97 #define sIV CT_DCCP_INVALID
100 * DCCP state transition table
102 * The assumption is the same as for TCP tracking:
104 * We are the man in the middle. All the packets go through us but might
105 * get lost in transit to the destination. It is assumed that the destination
106 * can't receive segments we haven't seen.
108 * The following states exist:
110 * NONE: Initial state, expecting Request
111 * REQUEST: Request seen, waiting for Response from server
112 * RESPOND: Response from server seen, waiting for Ack from client
113 * PARTOPEN: Ack after Response seen, waiting for packet other than Response,
114 * Reset or Sync from server
115 * OPEN: Packet other than Response, Reset or Sync seen
116 * CLOSEREQ: CloseReq from server seen, expecting Close from client
117 * CLOSING: Close seen, expecting Reset
118 * TIMEWAIT: Reset seen
119 * IGNORE: Not determinable whether packet is valid
121 * Some states exist only on one side of the connection: REQUEST, RESPOND,
122 * PARTOPEN, CLOSEREQ. For the other side these states are equivalent to
123 * the one it was in before.
125 * Packets are marked as ignored (sIG) if we don't know if they're valid
126 * (for example a reincarnation of a connection we didn't notice is dead
127 * already) and the server may send back a connection closing Reset or a
128 * Response. They're also used for Sync/SyncAck packets, which we don't
131 static const u_int8_t
132 dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = {
133 [CT_DCCP_ROLE_CLIENT] = {
134 [DCCP_PKT_REQUEST] = {
136 * sNO -> sRQ Regular Request
137 * sRQ -> sRQ Retransmitted Request or reincarnation
138 * sRS -> sRS Retransmitted Request (apparently Response
139 * got lost after we saw it) or reincarnation
140 * sPO -> sIG Ignore, conntrack might be out of sync
141 * sOP -> sIG Ignore, conntrack might be out of sync
142 * sCR -> sIG Ignore, conntrack might be out of sync
143 * sCG -> sIG Ignore, conntrack might be out of sync
144 * sTW -> sRQ Reincarnation
146 * sNO, sRQ, sRS, sPO. sOP, sCR, sCG, sTW, */
147 sRQ, sRQ, sRS, sIG, sIG, sIG, sIG, sRQ,
149 [DCCP_PKT_RESPONSE] = {
152 * sRQ -> sIG Ignore, might be response to ignored Request
153 * sRS -> sIG Ignore, might be response to ignored Request
154 * sPO -> sIG Ignore, might be response to ignored Request
155 * sOP -> sIG Ignore, might be response to ignored Request
156 * sCR -> sIG Ignore, might be response to ignored Request
157 * sCG -> sIG Ignore, might be response to ignored Request
158 * sTW -> sIV Invalid, reincarnation in reverse direction
161 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
162 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIV,
166 * sNO -> sIV No connection
167 * sRQ -> sIV No connection
168 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.)
169 * sPO -> sPO Retransmitted Ack for Response, remain in PARTOPEN
170 * sOP -> sOP Regular ACK, remain in OPEN
171 * sCR -> sCR Ack in CLOSEREQ MAY be processed (8.3.)
172 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.)
175 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
176 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
180 * sNO -> sIV No connection
181 * sRQ -> sIV No connection
182 * sRS -> sIV No connection
183 * sPO -> sIV MUST use DataAck in PARTOPEN state (8.1.5.)
184 * sOP -> sOP Regular Data packet
185 * sCR -> sCR Data in CLOSEREQ MAY be processed (8.3.)
186 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
189 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
190 sIV, sIV, sIV, sIV, sOP, sCR, sCG, sIV,
192 [DCCP_PKT_DATAACK] = {
194 * sNO -> sIV No connection
195 * sRQ -> sIV No connection
196 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.)
197 * sPO -> sPO Remain in PARTOPEN state
198 * sOP -> sOP Regular DataAck packet in OPEN state
199 * sCR -> sCR DataAck in CLOSEREQ MAY be processed (8.3.)
200 * sCG -> sCG DataAck in CLOSING MAY be processed (8.3.)
203 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
204 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
206 [DCCP_PKT_CLOSEREQ] = {
208 * CLOSEREQ may only be sent by the server.
210 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
211 sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV
215 * sNO -> sIV No connection
216 * sRQ -> sIV No connection
217 * sRS -> sIV No connection
218 * sPO -> sCG Client-initiated close
219 * sOP -> sCG Client-initiated close
220 * sCR -> sCG Close in response to CloseReq (8.3.)
221 * sCG -> sCG Retransmit
222 * sTW -> sIV Late retransmit, already in TIME_WAIT
224 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
225 sIV, sIV, sIV, sCG, sCG, sCG, sIV, sIV
229 * sNO -> sIV No connection
230 * sRQ -> sTW Sync received or timeout, SHOULD send Reset (8.1.1.)
231 * sRS -> sTW Response received without Request
232 * sPO -> sTW Timeout, SHOULD send Reset (8.1.5.)
233 * sOP -> sTW Connection reset
234 * sCR -> sTW Connection reset
235 * sCG -> sTW Connection reset
236 * sTW -> sIG Ignore (don't refresh timer)
238 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
239 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sIG
243 * We currently ignore Sync packets
245 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
246 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
248 [DCCP_PKT_SYNCACK] = {
250 * We currently ignore SyncAck packets
252 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
253 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
256 [CT_DCCP_ROLE_SERVER] = {
257 [DCCP_PKT_REQUEST] = {
260 * sRQ -> sIG Ignore, conntrack might be out of sync
261 * sRS -> sIG Ignore, conntrack might be out of sync
262 * sPO -> sIG Ignore, conntrack might be out of sync
263 * sOP -> sIG Ignore, conntrack might be out of sync
264 * sCR -> sIG Ignore, conntrack might be out of sync
265 * sCG -> sIG Ignore, conntrack might be out of sync
266 * sTW -> sRQ Reincarnation, must reverse roles
268 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
269 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sRQ
271 [DCCP_PKT_RESPONSE] = {
273 * sNO -> sIV Response without Request
274 * sRQ -> sRS Response to clients Request
275 * sRS -> sRS Retransmitted Response (8.1.3. SHOULD NOT)
276 * sPO -> sIG Response to an ignored Request or late retransmit
277 * sOP -> sIG Ignore, might be response to ignored Request
278 * sCR -> sIG Ignore, might be response to ignored Request
279 * sCG -> sIG Ignore, might be response to ignored Request
280 * sTW -> sIV Invalid, Request from client in sTW moves to sRQ
282 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
283 sIV, sRS, sRS, sIG, sIG, sIG, sIG, sIV
287 * sNO -> sIV No connection
288 * sRQ -> sIV No connection
289 * sRS -> sIV No connection
290 * sPO -> sOP Enter OPEN state (8.1.5.)
291 * sOP -> sOP Regular Ack in OPEN state
292 * sCR -> sIV Waiting for Close from client
293 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.)
296 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
297 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
301 * sNO -> sIV No connection
302 * sRQ -> sIV No connection
303 * sRS -> sIV No connection
304 * sPO -> sOP Enter OPEN state (8.1.5.)
305 * sOP -> sOP Regular Data packet in OPEN state
306 * sCR -> sIV Waiting for Close from client
307 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
310 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
311 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
313 [DCCP_PKT_DATAACK] = {
315 * sNO -> sIV No connection
316 * sRQ -> sIV No connection
317 * sRS -> sIV No connection
318 * sPO -> sOP Enter OPEN state (8.1.5.)
319 * sOP -> sOP Regular DataAck in OPEN state
320 * sCR -> sIV Waiting for Close from client
321 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
324 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
325 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
327 [DCCP_PKT_CLOSEREQ] = {
329 * sNO -> sIV No connection
330 * sRQ -> sIV No connection
331 * sRS -> sIV No connection
332 * sPO -> sOP -> sCR Move directly to CLOSEREQ (8.1.5.)
333 * sOP -> sCR CloseReq in OPEN state
334 * sCR -> sCR Retransmit
335 * sCG -> sCR Simultaneous close, client sends another Close
336 * sTW -> sIV Already closed
338 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
339 sIV, sIV, sIV, sCR, sCR, sCR, sCR, sIV
343 * sNO -> sIV No connection
344 * sRQ -> sIV No connection
345 * sRS -> sIV No connection
346 * sPO -> sOP -> sCG Move direcly to CLOSING
347 * sOP -> sCG Move to CLOSING
348 * sCR -> sIV Close after CloseReq is invalid
349 * sCG -> sCG Retransmit
350 * sTW -> sIV Already closed
352 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
353 sIV, sIV, sIV, sCG, sCG, sIV, sCG, sIV
357 * sNO -> sIV No connection
358 * sRQ -> sTW Reset in response to Request
359 * sRS -> sTW Timeout, SHOULD send Reset (8.1.3.)
360 * sPO -> sTW Timeout, SHOULD send Reset (8.1.3.)
364 * sTW -> sIG Ignore (don't refresh timer)
366 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW, sTW */
367 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sTW, sIG
371 * We currently ignore Sync packets
373 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
374 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
376 [DCCP_PKT_SYNCACK] = {
378 * We currently ignore SyncAck packets
380 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
381 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
386 static inline struct nf_dccp_net *dccp_pernet(struct net *net)
388 return &net->ct.nf_ct_proto.dccp;
391 static bool dccp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
392 struct net *net, struct nf_conntrack_tuple *tuple)
394 struct dccp_hdr _hdr, *dh;
396 /* Actually only need first 4 bytes to get ports. */
397 dh = skb_header_pointer(skb, dataoff, 4, &_hdr);
401 tuple->src.u.dccp.port = dh->dccph_sport;
402 tuple->dst.u.dccp.port = dh->dccph_dport;
406 static bool dccp_invert_tuple(struct nf_conntrack_tuple *inv,
407 const struct nf_conntrack_tuple *tuple)
409 inv->src.u.dccp.port = tuple->dst.u.dccp.port;
410 inv->dst.u.dccp.port = tuple->src.u.dccp.port;
414 static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
415 unsigned int dataoff, unsigned int *timeouts)
417 struct net *net = nf_ct_net(ct);
418 struct nf_dccp_net *dn;
419 struct dccp_hdr _dh, *dh;
423 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
426 state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
429 dn = dccp_pernet(net);
430 if (dn->dccp_loose == 0) {
431 msg = "nf_ct_dccp: not picking up existing connection ";
434 case CT_DCCP_REQUEST:
436 case CT_DCCP_INVALID:
437 msg = "nf_ct_dccp: invalid state transition ";
441 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
442 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
443 ct->proto.dccp.state = CT_DCCP_NONE;
444 ct->proto.dccp.last_pkt = DCCP_PKT_REQUEST;
445 ct->proto.dccp.last_dir = IP_CT_DIR_ORIGINAL;
446 ct->proto.dccp.handshake_seq = 0;
450 if (LOG_INVALID(net, IPPROTO_DCCP))
451 nf_log_packet(net, nf_ct_l3num(ct), 0, skb, NULL, NULL,
456 static u64 dccp_ack_seq(const struct dccp_hdr *dh)
458 const struct dccp_hdr_ack_bits *dhack;
460 dhack = (void *)dh + __dccp_basic_hdr_len(dh);
461 return ((u64)ntohs(dhack->dccph_ack_nr_high) << 32) +
462 ntohl(dhack->dccph_ack_nr_low);
465 static unsigned int *dccp_get_timeouts(struct net *net)
467 return dccp_pernet(net)->dccp_timeout;
470 static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
471 unsigned int dataoff, enum ip_conntrack_info ctinfo,
473 unsigned int *timeouts)
475 struct net *net = nf_ct_net(ct);
476 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
477 struct dccp_hdr _dh, *dh;
478 u_int8_t type, old_state, new_state;
479 enum ct_dccp_roles role;
481 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
483 type = dh->dccph_type;
485 if (type == DCCP_PKT_RESET &&
486 !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
487 /* Tear down connection immediately if only reply is a RESET */
488 nf_ct_kill_acct(ct, ctinfo, skb);
492 spin_lock_bh(&ct->lock);
494 role = ct->proto.dccp.role[dir];
495 old_state = ct->proto.dccp.state;
496 new_state = dccp_state_table[role][type][old_state];
499 case CT_DCCP_REQUEST:
500 if (old_state == CT_DCCP_TIMEWAIT &&
501 role == CT_DCCP_ROLE_SERVER) {
502 /* Reincarnation in the reverse direction: reopen and
503 * reverse client/server roles. */
504 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_CLIENT;
505 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_SERVER;
508 case CT_DCCP_RESPOND:
509 if (old_state == CT_DCCP_REQUEST)
510 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
512 case CT_DCCP_PARTOPEN:
513 if (old_state == CT_DCCP_RESPOND &&
514 type == DCCP_PKT_ACK &&
515 dccp_ack_seq(dh) == ct->proto.dccp.handshake_seq)
516 set_bit(IPS_ASSURED_BIT, &ct->status);
520 * Connection tracking might be out of sync, so we ignore
521 * packets that might establish a new connection and resync
522 * if the server responds with a valid Response.
524 if (ct->proto.dccp.last_dir == !dir &&
525 ct->proto.dccp.last_pkt == DCCP_PKT_REQUEST &&
526 type == DCCP_PKT_RESPONSE) {
527 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_CLIENT;
528 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_SERVER;
529 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
530 new_state = CT_DCCP_RESPOND;
533 ct->proto.dccp.last_dir = dir;
534 ct->proto.dccp.last_pkt = type;
536 spin_unlock_bh(&ct->lock);
537 if (LOG_INVALID(net, IPPROTO_DCCP))
538 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
539 "nf_ct_dccp: invalid packet ignored ");
541 case CT_DCCP_INVALID:
542 spin_unlock_bh(&ct->lock);
543 if (LOG_INVALID(net, IPPROTO_DCCP))
544 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
545 "nf_ct_dccp: invalid state transition ");
549 ct->proto.dccp.last_dir = dir;
550 ct->proto.dccp.last_pkt = type;
551 ct->proto.dccp.state = new_state;
552 spin_unlock_bh(&ct->lock);
554 if (new_state != old_state)
555 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
557 nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);
562 static int dccp_error(struct net *net, struct nf_conn *tmpl,
563 struct sk_buff *skb, unsigned int dataoff,
564 u_int8_t pf, unsigned int hooknum)
566 struct dccp_hdr _dh, *dh;
567 unsigned int dccp_len = skb->len - dataoff;
571 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
573 msg = "nf_ct_dccp: short packet ";
577 if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) ||
578 dh->dccph_doff * 4 > dccp_len) {
579 msg = "nf_ct_dccp: truncated/malformed packet ";
584 if (dh->dccph_cscov) {
585 cscov = (dh->dccph_cscov - 1) * 4;
586 if (cscov > dccp_len) {
587 msg = "nf_ct_dccp: bad checksum coverage ";
592 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
593 nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_DCCP,
595 msg = "nf_ct_dccp: bad checksum ";
599 if (dh->dccph_type >= DCCP_PKT_INVALID) {
600 msg = "nf_ct_dccp: reserved packet type ";
607 if (LOG_INVALID(net, IPPROTO_DCCP))
608 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, "%s", msg);
612 static bool dccp_can_early_drop(const struct nf_conn *ct)
614 switch (ct->proto.dccp.state) {
615 case CT_DCCP_CLOSEREQ:
616 case CT_DCCP_CLOSING:
617 case CT_DCCP_TIMEWAIT:
626 #ifdef CONFIG_NF_CONNTRACK_PROCFS
627 static void dccp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
629 seq_printf(s, "%s ", dccp_state_names[ct->proto.dccp.state]);
633 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
634 static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
637 struct nlattr *nest_parms;
639 spin_lock_bh(&ct->lock);
640 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_DCCP | NLA_F_NESTED);
642 goto nla_put_failure;
643 if (nla_put_u8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state) ||
644 nla_put_u8(skb, CTA_PROTOINFO_DCCP_ROLE,
645 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]) ||
646 nla_put_be64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
647 cpu_to_be64(ct->proto.dccp.handshake_seq),
648 CTA_PROTOINFO_DCCP_PAD))
649 goto nla_put_failure;
650 nla_nest_end(skb, nest_parms);
651 spin_unlock_bh(&ct->lock);
655 spin_unlock_bh(&ct->lock);
659 static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = {
660 [CTA_PROTOINFO_DCCP_STATE] = { .type = NLA_U8 },
661 [CTA_PROTOINFO_DCCP_ROLE] = { .type = NLA_U8 },
662 [CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ] = { .type = NLA_U64 },
663 [CTA_PROTOINFO_DCCP_PAD] = { .type = NLA_UNSPEC },
666 static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
668 struct nlattr *attr = cda[CTA_PROTOINFO_DCCP];
669 struct nlattr *tb[CTA_PROTOINFO_DCCP_MAX + 1];
675 err = nla_parse_nested(tb, CTA_PROTOINFO_DCCP_MAX, attr,
676 dccp_nla_policy, NULL);
680 if (!tb[CTA_PROTOINFO_DCCP_STATE] ||
681 !tb[CTA_PROTOINFO_DCCP_ROLE] ||
682 nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) > CT_DCCP_ROLE_MAX ||
683 nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]) >= CT_DCCP_IGNORE) {
687 spin_lock_bh(&ct->lock);
688 ct->proto.dccp.state = nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]);
689 if (nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) == CT_DCCP_ROLE_CLIENT) {
690 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
691 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
693 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_SERVER;
694 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_CLIENT;
696 if (tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]) {
697 ct->proto.dccp.handshake_seq =
698 be64_to_cpu(nla_get_be64(tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]));
700 spin_unlock_bh(&ct->lock);
704 static int dccp_nlattr_size(void)
706 return nla_total_size(0) /* CTA_PROTOINFO_DCCP */
707 + nla_policy_len(dccp_nla_policy, CTA_PROTOINFO_DCCP_MAX + 1);
712 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
714 #include <linux/netfilter/nfnetlink.h>
715 #include <linux/netfilter/nfnetlink_cttimeout.h>
717 static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
718 struct net *net, void *data)
720 struct nf_dccp_net *dn = dccp_pernet(net);
721 unsigned int *timeouts = data;
724 /* set default DCCP timeouts. */
725 for (i=0; i<CT_DCCP_MAX; i++)
726 timeouts[i] = dn->dccp_timeout[i];
728 /* there's a 1:1 mapping between attributes and protocol states. */
729 for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++) {
731 timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
738 dccp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
740 const unsigned int *timeouts = data;
743 for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++) {
744 if (nla_put_be32(skb, i, htonl(timeouts[i] / HZ)))
745 goto nla_put_failure;
753 static const struct nla_policy
754 dccp_timeout_nla_policy[CTA_TIMEOUT_DCCP_MAX+1] = {
755 [CTA_TIMEOUT_DCCP_REQUEST] = { .type = NLA_U32 },
756 [CTA_TIMEOUT_DCCP_RESPOND] = { .type = NLA_U32 },
757 [CTA_TIMEOUT_DCCP_PARTOPEN] = { .type = NLA_U32 },
758 [CTA_TIMEOUT_DCCP_OPEN] = { .type = NLA_U32 },
759 [CTA_TIMEOUT_DCCP_CLOSEREQ] = { .type = NLA_U32 },
760 [CTA_TIMEOUT_DCCP_CLOSING] = { .type = NLA_U32 },
761 [CTA_TIMEOUT_DCCP_TIMEWAIT] = { .type = NLA_U32 },
763 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
766 /* template, data assigned later */
767 static struct ctl_table dccp_sysctl_table[] = {
769 .procname = "nf_conntrack_dccp_timeout_request",
770 .maxlen = sizeof(unsigned int),
772 .proc_handler = proc_dointvec_jiffies,
775 .procname = "nf_conntrack_dccp_timeout_respond",
776 .maxlen = sizeof(unsigned int),
778 .proc_handler = proc_dointvec_jiffies,
781 .procname = "nf_conntrack_dccp_timeout_partopen",
782 .maxlen = sizeof(unsigned int),
784 .proc_handler = proc_dointvec_jiffies,
787 .procname = "nf_conntrack_dccp_timeout_open",
788 .maxlen = sizeof(unsigned int),
790 .proc_handler = proc_dointvec_jiffies,
793 .procname = "nf_conntrack_dccp_timeout_closereq",
794 .maxlen = sizeof(unsigned int),
796 .proc_handler = proc_dointvec_jiffies,
799 .procname = "nf_conntrack_dccp_timeout_closing",
800 .maxlen = sizeof(unsigned int),
802 .proc_handler = proc_dointvec_jiffies,
805 .procname = "nf_conntrack_dccp_timeout_timewait",
806 .maxlen = sizeof(unsigned int),
808 .proc_handler = proc_dointvec_jiffies,
811 .procname = "nf_conntrack_dccp_loose",
812 .maxlen = sizeof(int),
814 .proc_handler = proc_dointvec,
818 #endif /* CONFIG_SYSCTL */
820 static int dccp_kmemdup_sysctl_table(struct net *net, struct nf_proto_net *pn,
821 struct nf_dccp_net *dn)
827 pn->ctl_table = kmemdup(dccp_sysctl_table,
828 sizeof(dccp_sysctl_table),
833 pn->ctl_table[0].data = &dn->dccp_timeout[CT_DCCP_REQUEST];
834 pn->ctl_table[1].data = &dn->dccp_timeout[CT_DCCP_RESPOND];
835 pn->ctl_table[2].data = &dn->dccp_timeout[CT_DCCP_PARTOPEN];
836 pn->ctl_table[3].data = &dn->dccp_timeout[CT_DCCP_OPEN];
837 pn->ctl_table[4].data = &dn->dccp_timeout[CT_DCCP_CLOSEREQ];
838 pn->ctl_table[5].data = &dn->dccp_timeout[CT_DCCP_CLOSING];
839 pn->ctl_table[6].data = &dn->dccp_timeout[CT_DCCP_TIMEWAIT];
840 pn->ctl_table[7].data = &dn->dccp_loose;
842 /* Don't export sysctls to unprivileged users */
843 if (net->user_ns != &init_user_ns)
844 pn->ctl_table[0].procname = NULL;
849 static int dccp_init_net(struct net *net, u_int16_t proto)
851 struct nf_dccp_net *dn = dccp_pernet(net);
852 struct nf_proto_net *pn = &dn->pn;
857 dn->dccp_timeout[CT_DCCP_REQUEST] = 2 * DCCP_MSL;
858 dn->dccp_timeout[CT_DCCP_RESPOND] = 4 * DCCP_MSL;
859 dn->dccp_timeout[CT_DCCP_PARTOPEN] = 4 * DCCP_MSL;
860 dn->dccp_timeout[CT_DCCP_OPEN] = 12 * 3600 * HZ;
861 dn->dccp_timeout[CT_DCCP_CLOSEREQ] = 64 * HZ;
862 dn->dccp_timeout[CT_DCCP_CLOSING] = 64 * HZ;
863 dn->dccp_timeout[CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL;
866 return dccp_kmemdup_sysctl_table(net, pn, dn);
869 static struct nf_proto_net *dccp_get_net_proto(struct net *net)
871 return &net->ct.nf_ct_proto.dccp.pn;
874 struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4 __read_mostly = {
876 .l4proto = IPPROTO_DCCP,
877 .pkt_to_tuple = dccp_pkt_to_tuple,
878 .invert_tuple = dccp_invert_tuple,
880 .packet = dccp_packet,
881 .get_timeouts = dccp_get_timeouts,
883 .can_early_drop = dccp_can_early_drop,
884 #ifdef CONFIG_NF_CONNTRACK_PROCFS
885 .print_conntrack = dccp_print_conntrack,
887 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
888 .to_nlattr = dccp_to_nlattr,
889 .nlattr_size = dccp_nlattr_size,
890 .from_nlattr = nlattr_to_dccp,
891 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
892 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
893 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
894 .nla_policy = nf_ct_port_nla_policy,
896 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
898 .nlattr_to_obj = dccp_timeout_nlattr_to_obj,
899 .obj_to_nlattr = dccp_timeout_obj_to_nlattr,
900 .nlattr_max = CTA_TIMEOUT_DCCP_MAX,
901 .obj_size = sizeof(unsigned int) * CT_DCCP_MAX,
902 .nla_policy = dccp_timeout_nla_policy,
904 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
905 .init_net = dccp_init_net,
906 .get_net_proto = dccp_get_net_proto,
908 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_dccp4);
910 struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6 __read_mostly = {
912 .l4proto = IPPROTO_DCCP,
913 .pkt_to_tuple = dccp_pkt_to_tuple,
914 .invert_tuple = dccp_invert_tuple,
916 .packet = dccp_packet,
917 .get_timeouts = dccp_get_timeouts,
919 .can_early_drop = dccp_can_early_drop,
920 #ifdef CONFIG_NF_CONNTRACK_PROCFS
921 .print_conntrack = dccp_print_conntrack,
923 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
924 .to_nlattr = dccp_to_nlattr,
925 .nlattr_size = dccp_nlattr_size,
926 .from_nlattr = nlattr_to_dccp,
927 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
928 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
929 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
930 .nla_policy = nf_ct_port_nla_policy,
932 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
934 .nlattr_to_obj = dccp_timeout_nlattr_to_obj,
935 .obj_to_nlattr = dccp_timeout_obj_to_nlattr,
936 .nlattr_max = CTA_TIMEOUT_DCCP_MAX,
937 .obj_size = sizeof(unsigned int) * CT_DCCP_MAX,
938 .nla_policy = dccp_timeout_nla_policy,
940 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
941 .init_net = dccp_init_net,
942 .get_net_proto = dccp_get_net_proto,
944 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_dccp6);
git.samba.org / sfrench / cifs-2.6.git / blob