net/netfilter/nf_conntrack_proto_udp.c

   1 /* (C) 1999-2001 Paul `Rusty' Russell
   2  * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
   3  * (C) 2006-2012 Patrick McHardy <kaber@trash.net>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  */
   9
  10 #include <linux/types.h>
  11 #include <linux/timer.h>
  12 #include <linux/module.h>
  13 #include <linux/udp.h>
  14 #include <linux/seq_file.h>
  15 #include <linux/skbuff.h>
  16 #include <linux/ipv6.h>
  17 #include <net/ip6_checksum.h>
  18 #include <net/checksum.h>
  19
  20 #include <linux/netfilter.h>
  21 #include <linux/netfilter_ipv4.h>
  22 #include <linux/netfilter_ipv6.h>
  23 #include <net/netfilter/nf_conntrack_l4proto.h>
  24 #include <net/netfilter/nf_conntrack_ecache.h>
  25 #include <net/netfilter/nf_log.h>
  26 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
  27 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
  28
  29 static unsigned int udp_timeouts[UDP_CT_MAX] = {
  30         [UDP_CT_UNREPLIED]      = 30*HZ,
  31         [UDP_CT_REPLIED]        = 180*HZ,
  32 };
  33
  34 static inline struct nf_udp_net *udp_pernet(struct net *net)
  35 {
  36         return &net->ct.nf_ct_proto.udp;
  37 }
  38
  39 static bool udp_pkt_to_tuple(const struct sk_buff *skb,
  40                              unsigned int dataoff,
  41                              struct net *net,
  42                              struct nf_conntrack_tuple *tuple)
  43 {
  44         const struct udphdr *hp;
  45         struct udphdr _hdr;
  46
  47         /* Actually only need first 4 bytes to get ports. */
  48         hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
  49         if (hp == NULL)
  50                 return false;
  51
  52         tuple->src.u.udp.port = hp->source;
  53         tuple->dst.u.udp.port = hp->dest;
  54
  55         return true;
  56 }
  57
  58 static bool udp_invert_tuple(struct nf_conntrack_tuple *tuple,
  59                              const struct nf_conntrack_tuple *orig)
  60 {
  61         tuple->src.u.udp.port = orig->dst.u.udp.port;
  62         tuple->dst.u.udp.port = orig->src.u.udp.port;
  63         return true;
  64 }
  65
  66 static unsigned int *udp_get_timeouts(struct net *net)
  67 {
  68         return udp_pernet(net)->timeouts;
  69 }
  70
  71 /* Returns verdict for packet, and may modify conntracktype */
  72 static int udp_packet(struct nf_conn *ct,
  73                       const struct sk_buff *skb,
  74                       unsigned int dataoff,
  75                       enum ip_conntrack_info ctinfo,
  76                       u_int8_t pf,
  77                       unsigned int *timeouts)
  78 {
  79         /* If we've seen traffic both ways, this is some kind of UDP
  80            stream.  Extend timeout. */
  81         if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
  82                 nf_ct_refresh_acct(ct, ctinfo, skb,
  83                                    timeouts[UDP_CT_REPLIED]);
  84                 /* Also, more likely to be important, and not a probe */
  85                 if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
  86                         nf_conntrack_event_cache(IPCT_ASSURED, ct);
  87         } else {
  88                 nf_ct_refresh_acct(ct, ctinfo, skb,
  89                                    timeouts[UDP_CT_UNREPLIED]);
  90         }
  91         return NF_ACCEPT;
  92 }
  93
  94 /* Called when a new connection for this protocol found. */
  95 static bool udp_new(struct nf_conn *ct, const struct sk_buff *skb,
  96                     unsigned int dataoff, unsigned int *timeouts)
  97 {
  98         return true;
  99 }
 100
 101 #ifdef CONFIG_NF_CT_PROTO_UDPLITE
 102 static int udplite_error(struct net *net, struct nf_conn *tmpl,
 103                          struct sk_buff *skb,
 104                          unsigned int dataoff,
 105                          u8 pf, unsigned int hooknum)
 106 {
 107         unsigned int udplen = skb->len - dataoff;
 108         const struct udphdr *hdr;
 109         struct udphdr _hdr;
 110         unsigned int cscov;
 111
 112         /* Header is too small? */
 113         hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
 114         if (!hdr) {
 115                 if (LOG_INVALID(net, IPPROTO_UDPLITE))
 116                         nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 117                                       "nf_ct_udplite: short packet ");
 118                 return -NF_ACCEPT;
 119         }
 120
 121         cscov = ntohs(hdr->len);
 122         if (cscov == 0) {
 123                 cscov = udplen;
 124         } else if (cscov < sizeof(*hdr) || cscov > udplen) {
 125                 if (LOG_INVALID(net, IPPROTO_UDPLITE))
 126                         nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 127                                       "nf_ct_udplite: invalid checksum coverage ");
 128                 return -NF_ACCEPT;
 129         }
 130
 131         /* UDPLITE mandates checksums */
 132         if (!hdr->check) {
 133                 if (LOG_INVALID(net, IPPROTO_UDPLITE))
 134                         nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 135                                       "nf_ct_udplite: checksum missing ");
 136                 return -NF_ACCEPT;
 137         }
 138
 139         /* Checksum invalid? Ignore. */
 140         if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
 141             nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_UDP,
 142                                 pf)) {
 143                 if (LOG_INVALID(net, IPPROTO_UDPLITE))
 144                         nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 145                                       "nf_ct_udplite: bad UDPLite checksum ");
 146                 return -NF_ACCEPT;
 147         }
 148
 149         return NF_ACCEPT;
 150 }
 151 #endif
 152
 153 static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
 154                      unsigned int dataoff,
 155                      u_int8_t pf,
 156                      unsigned int hooknum)
 157 {
 158         unsigned int udplen = skb->len - dataoff;
 159         const struct udphdr *hdr;
 160         struct udphdr _hdr;
 161
 162         /* Header is too small? */
 163         hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
 164         if (hdr == NULL) {
 165                 if (LOG_INVALID(net, IPPROTO_UDP))
 166                         nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 167                                       "nf_ct_udp: short packet ");
 168                 return -NF_ACCEPT;
 169         }
 170
 171         /* Truncated/malformed packets */
 172         if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) {
 173                 if (LOG_INVALID(net, IPPROTO_UDP))
 174                         nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 175                                 "nf_ct_udp: truncated/malformed packet ");
 176                 return -NF_ACCEPT;
 177         }
 178
 179         /* Packet with no checksum */
 180         if (!hdr->check)
 181                 return NF_ACCEPT;
 182
 183         /* Checksum invalid? Ignore.
 184          * We skip checking packets on the outgoing path
 185          * because the checksum is assumed to be correct.
 186          * FIXME: Source route IP option packets --RR */
 187         if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
 188             nf_checksum(skb, hooknum, dataoff, IPPROTO_UDP, pf)) {
 189                 if (LOG_INVALID(net, IPPROTO_UDP))
 190                         nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 191                                 "nf_ct_udp: bad UDP checksum ");
 192                 return -NF_ACCEPT;
 193         }
 194
 195         return NF_ACCEPT;
 196 }
 197
 198 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 199
 200 #include <linux/netfilter/nfnetlink.h>
 201 #include <linux/netfilter/nfnetlink_cttimeout.h>
 202
 203 static int udp_timeout_nlattr_to_obj(struct nlattr *tb[],
 204                                      struct net *net, void *data)
 205 {
 206         unsigned int *timeouts = data;
 207         struct nf_udp_net *un = udp_pernet(net);
 208
 209         /* set default timeouts for UDP. */
 210         timeouts[UDP_CT_UNREPLIED] = un->timeouts[UDP_CT_UNREPLIED];
 211         timeouts[UDP_CT_REPLIED] = un->timeouts[UDP_CT_REPLIED];
 212
 213         if (tb[CTA_TIMEOUT_UDP_UNREPLIED]) {
 214                 timeouts[UDP_CT_UNREPLIED] =
 215                         ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_UNREPLIED])) * HZ;
 216         }
 217         if (tb[CTA_TIMEOUT_UDP_REPLIED]) {
 218                 timeouts[UDP_CT_REPLIED] =
 219                         ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_REPLIED])) * HZ;
 220         }
 221         return 0;
 222 }
 223
 224 static int
 225 udp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
 226 {
 227         const unsigned int *timeouts = data;
 228
 229         if (nla_put_be32(skb, CTA_TIMEOUT_UDP_UNREPLIED,
 230                          htonl(timeouts[UDP_CT_UNREPLIED] / HZ)) ||
 231             nla_put_be32(skb, CTA_TIMEOUT_UDP_REPLIED,
 232                          htonl(timeouts[UDP_CT_REPLIED] / HZ)))
 233                 goto nla_put_failure;
 234         return 0;
 235
 236 nla_put_failure:
 237         return -ENOSPC;
 238 }
 239
 240 static const struct nla_policy
 241 udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = {
 242        [CTA_TIMEOUT_UDP_UNREPLIED]      = { .type = NLA_U32 },
 243        [CTA_TIMEOUT_UDP_REPLIED]        = { .type = NLA_U32 },
 244 };
 245 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 246
 247 #ifdef CONFIG_SYSCTL
 248 static struct ctl_table udp_sysctl_table[] = {
 249         {
 250                 .procname       = "nf_conntrack_udp_timeout",
 251                 .maxlen         = sizeof(unsigned int),
 252                 .mode           = 0644,
 253                 .proc_handler   = proc_dointvec_jiffies,
 254         },
 255         {
 256                 .procname       = "nf_conntrack_udp_timeout_stream",
 257                 .maxlen         = sizeof(unsigned int),
 258                 .mode           = 0644,
 259                 .proc_handler   = proc_dointvec_jiffies,
 260         },
 261         { }
 262 };
 263 #endif /* CONFIG_SYSCTL */
 264
 265 static int udp_kmemdup_sysctl_table(struct nf_proto_net *pn,
 266                                     struct nf_udp_net *un)
 267 {
 268 #ifdef CONFIG_SYSCTL
 269         if (pn->ctl_table)
 270                 return 0;
 271         pn->ctl_table = kmemdup(udp_sysctl_table,
 272                                 sizeof(udp_sysctl_table),
 273                                 GFP_KERNEL);
 274         if (!pn->ctl_table)
 275                 return -ENOMEM;
 276         pn->ctl_table[0].data = &un->timeouts[UDP_CT_UNREPLIED];
 277         pn->ctl_table[1].data = &un->timeouts[UDP_CT_REPLIED];
 278 #endif
 279         return 0;
 280 }
 281
 282 static int udp_init_net(struct net *net, u_int16_t proto)
 283 {
 284         struct nf_udp_net *un = udp_pernet(net);
 285         struct nf_proto_net *pn = &un->pn;
 286
 287         if (!pn->users) {
 288                 int i;
 289
 290                 for (i = 0; i < UDP_CT_MAX; i++)
 291                         un->timeouts[i] = udp_timeouts[i];
 292         }
 293
 294         return udp_kmemdup_sysctl_table(pn, un);
 295 }
 296
 297 static struct nf_proto_net *udp_get_net_proto(struct net *net)
 298 {
 299         return &net->ct.nf_ct_proto.udp.pn;
 300 }
 301
 302 struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly =
 303 {
 304         .l3proto                = PF_INET,
 305         .l4proto                = IPPROTO_UDP,
 306         .allow_clash            = true,
 307         .pkt_to_tuple           = udp_pkt_to_tuple,
 308         .invert_tuple           = udp_invert_tuple,
 309         .packet                 = udp_packet,
 310         .get_timeouts           = udp_get_timeouts,
 311         .new                    = udp_new,
 312         .error                  = udp_error,
 313 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 314         .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 315         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 316         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 317         .nla_policy             = nf_ct_port_nla_policy,
 318 #endif
 319 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 320         .ctnl_timeout           = {
 321                 .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
 322                 .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
 323                 .nlattr_max     = CTA_TIMEOUT_UDP_MAX,
 324                 .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
 325                 .nla_policy     = udp_timeout_nla_policy,
 326         },
 327 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 328         .init_net               = udp_init_net,
 329         .get_net_proto          = udp_get_net_proto,
 330 };
 331 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp4);
 332
 333 #ifdef CONFIG_NF_CT_PROTO_UDPLITE
 334 struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
 335 {
 336         .l3proto                = PF_INET,
 337         .l4proto                = IPPROTO_UDPLITE,
 338         .allow_clash            = true,
 339         .pkt_to_tuple           = udp_pkt_to_tuple,
 340         .invert_tuple           = udp_invert_tuple,
 341         .packet                 = udp_packet,
 342         .get_timeouts           = udp_get_timeouts,
 343         .new                    = udp_new,
 344         .error                  = udplite_error,
 345 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 346         .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 347         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 348         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 349         .nla_policy             = nf_ct_port_nla_policy,
 350 #endif
 351 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 352         .ctnl_timeout           = {
 353                 .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
 354                 .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
 355                 .nlattr_max     = CTA_TIMEOUT_UDP_MAX,
 356                 .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
 357                 .nla_policy     = udp_timeout_nla_policy,
 358         },
 359 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 360         .init_net               = udp_init_net,
 361         .get_net_proto          = udp_get_net_proto,
 362 };
 363 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite4);
 364 #endif
 365
 366 struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =
 367 {
 368         .l3proto                = PF_INET6,
 369         .l4proto                = IPPROTO_UDP,
 370         .allow_clash            = true,
 371         .pkt_to_tuple           = udp_pkt_to_tuple,
 372         .invert_tuple           = udp_invert_tuple,
 373         .packet                 = udp_packet,
 374         .get_timeouts           = udp_get_timeouts,
 375         .new                    = udp_new,
 376         .error                  = udp_error,
 377 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 378         .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 379         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 380         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 381         .nla_policy             = nf_ct_port_nla_policy,
 382 #endif
 383 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 384         .ctnl_timeout           = {
 385                 .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
 386                 .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
 387                 .nlattr_max     = CTA_TIMEOUT_UDP_MAX,
 388                 .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
 389                 .nla_policy     = udp_timeout_nla_policy,
 390         },
 391 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 392         .init_net               = udp_init_net,
 393         .get_net_proto          = udp_get_net_proto,
 394 };
 395 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp6);
 396
 397 #ifdef CONFIG_NF_CT_PROTO_UDPLITE
 398 struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
 399 {
 400         .l3proto                = PF_INET6,
 401         .l4proto                = IPPROTO_UDPLITE,
 402         .allow_clash            = true,
 403         .pkt_to_tuple           = udp_pkt_to_tuple,
 404         .invert_tuple           = udp_invert_tuple,
 405         .packet                 = udp_packet,
 406         .get_timeouts           = udp_get_timeouts,
 407         .new                    = udp_new,
 408         .error                  = udplite_error,
 409 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 410         .tuple_to_nlattr        = nf_ct_port_tuple_to_nlattr,
 411         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
 412         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
 413         .nla_policy             = nf_ct_port_nla_policy,
 414 #endif
 415 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 416         .ctnl_timeout           = {
 417                 .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
 418                 .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
 419                 .nlattr_max     = CTA_TIMEOUT_UDP_MAX,
 420                 .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
 421                 .nla_policy     = udp_timeout_nla_policy,
 422         },
 423 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 424         .init_net               = udp_init_net,
 425         .get_net_proto          = udp_get_net_proto,
 426 };
 427 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite6);
 428 #endif