1 /* (C) 1999-2001 Paul `Rusty' Russell
2 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
3 * (C) 2002-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
4 * (C) 2006-2012 Patrick McHardy <kaber@trash.net>
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 #include <linux/types.h>
12 #include <linux/timer.h>
13 #include <linux/module.h>
15 #include <linux/tcp.h>
16 #include <linux/spinlock.h>
17 #include <linux/skbuff.h>
18 #include <linux/ipv6.h>
19 #include <net/ip6_checksum.h>
20 #include <asm/unaligned.h>
24 #include <linux/netfilter.h>
25 #include <linux/netfilter_ipv4.h>
26 #include <linux/netfilter_ipv6.h>
27 #include <net/netfilter/nf_conntrack.h>
28 #include <net/netfilter/nf_conntrack_l4proto.h>
29 #include <net/netfilter/nf_conntrack_ecache.h>
30 #include <net/netfilter/nf_conntrack_seqadj.h>
31 #include <net/netfilter/nf_conntrack_synproxy.h>
32 #include <net/netfilter/nf_log.h>
33 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
34 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
36 /* "Be conservative in what you do,
37 be liberal in what you accept from others."
38 If it's non-zero, we mark only out of window RST segments as INVALID. */
39 static int nf_ct_tcp_be_liberal __read_mostly = 0;
41 /* If it is set to zero, we disable picking up already established
43 static int nf_ct_tcp_loose __read_mostly = 1;
45 /* Max number of the retransmitted packets without receiving an (acceptable)
46 ACK from the destination. If this number is reached, a shorter timer
48 static int nf_ct_tcp_max_retrans __read_mostly = 3;
50 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
51 closely. They're more complex. --RR */
53 static const char *const tcp_conntrack_names[] = {
67 #define MINS * 60 SECS
68 #define HOURS * 60 MINS
69 #define DAYS * 24 HOURS
71 static const unsigned int tcp_timeouts[TCP_CONNTRACK_TIMEOUT_MAX] = {
72 [TCP_CONNTRACK_SYN_SENT] = 2 MINS,
73 [TCP_CONNTRACK_SYN_RECV] = 60 SECS,
74 [TCP_CONNTRACK_ESTABLISHED] = 5 DAYS,
75 [TCP_CONNTRACK_FIN_WAIT] = 2 MINS,
76 [TCP_CONNTRACK_CLOSE_WAIT] = 60 SECS,
77 [TCP_CONNTRACK_LAST_ACK] = 30 SECS,
78 [TCP_CONNTRACK_TIME_WAIT] = 2 MINS,
79 [TCP_CONNTRACK_CLOSE] = 10 SECS,
80 [TCP_CONNTRACK_SYN_SENT2] = 2 MINS,
81 /* RFC1122 says the R2 limit should be at least 100 seconds.
82 Linux uses 15 packets as limit, which corresponds
83 to ~13-30min depending on RTO. */
84 [TCP_CONNTRACK_RETRANS] = 5 MINS,
85 [TCP_CONNTRACK_UNACK] = 5 MINS,
88 #define sNO TCP_CONNTRACK_NONE
89 #define sSS TCP_CONNTRACK_SYN_SENT
90 #define sSR TCP_CONNTRACK_SYN_RECV
91 #define sES TCP_CONNTRACK_ESTABLISHED
92 #define sFW TCP_CONNTRACK_FIN_WAIT
93 #define sCW TCP_CONNTRACK_CLOSE_WAIT
94 #define sLA TCP_CONNTRACK_LAST_ACK
95 #define sTW TCP_CONNTRACK_TIME_WAIT
96 #define sCL TCP_CONNTRACK_CLOSE
97 #define sS2 TCP_CONNTRACK_SYN_SENT2
98 #define sIV TCP_CONNTRACK_MAX
99 #define sIG TCP_CONNTRACK_IGNORE
101 /* What TCP flags are set from RST/SYN/FIN/ACK. */
112 * The TCP state transition table needs a few words...
114 * We are the man in the middle. All the packets go through us
115 * but might get lost in transit to the destination.
116 * It is assumed that the destinations can't receive segments
119 * The checked segment is in window, but our windows are *not*
120 * equivalent with the ones of the sender/receiver. We always
121 * try to guess the state of the current sender.
123 * The meaning of the states are:
125 * NONE: initial state
126 * SYN_SENT: SYN-only packet seen
127 * SYN_SENT2: SYN-only packet seen from reply dir, simultaneous open
128 * SYN_RECV: SYN-ACK packet seen
129 * ESTABLISHED: ACK packet seen
130 * FIN_WAIT: FIN packet seen
131 * CLOSE_WAIT: ACK seen (after FIN)
132 * LAST_ACK: FIN seen (after FIN)
133 * TIME_WAIT: last ACK seen
134 * CLOSE: closed connection (RST)
136 * Packets marked as IGNORED (sIG):
137 * if they may be either invalid or valid
138 * and the receiver may send back a connection
139 * closing RST or a SYN/ACK.
141 * Packets marked as INVALID (sIV):
142 * if we regard them as truly invalid packets
144 static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
147 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
148 /*syn*/ { sSS, sSS, sIG, sIG, sIG, sIG, sIG, sSS, sSS, sS2 },
150 * sNO -> sSS Initialize a new connection
151 * sSS -> sSS Retransmitted SYN
152 * sS2 -> sS2 Late retransmitted SYN
154 * sES -> sIG Error: SYNs in window outside the SYN_SENT state
155 * are errors. Receiver will reply with RST
156 * and close the connection.
157 * Or we are not in sync and hold a dead connection.
161 * sTW -> sSS Reopened connection (RFC 1122).
164 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
165 /*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
167 * sNO -> sIV Too late and no reason to do anything
168 * sSS -> sIV Client can't send SYN and then SYN/ACK
169 * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open
170 * sSR -> sSR Late retransmitted SYN/ACK in simultaneous open
171 * sES -> sIV Invalid SYN/ACK packets sent by the client
178 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
179 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
181 * sNO -> sIV Too late and no reason to do anything...
182 * sSS -> sIV Client migth not send FIN in this state:
183 * we enforce waiting for a SYN/ACK reply first.
185 * sSR -> sFW Close started.
187 * sFW -> sLA FIN seen in both directions, waiting for
189 * Migth be a retransmitted FIN as well...
191 * sLA -> sLA Retransmitted FIN. Remain in the same state.
195 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
196 /*ack*/ { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
198 * sNO -> sES Assumed.
199 * sSS -> sIV ACK is invalid: we haven't seen a SYN/ACK yet.
201 * sSR -> sES Established state is reached.
203 * sFW -> sCW Normal close request answered by ACK.
205 * sLA -> sTW Last ACK detected (RFC5961 challenged)
206 * sTW -> sTW Retransmitted last ACK. Remain in the same state.
209 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
210 /*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL },
211 /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
215 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
216 /*syn*/ { sIV, sS2, sIV, sIV, sIV, sIV, sIV, sSS, sIV, sS2 },
218 * sNO -> sIV Never reached.
219 * sSS -> sS2 Simultaneous open
220 * sS2 -> sS2 Retransmitted simultaneous SYN
221 * sSR -> sIV Invalid SYN packets sent by the server
226 * sTW -> sSS Reopened connection, but server may have switched role
229 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
230 /*synack*/ { sIV, sSR, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
232 * sSS -> sSR Standard open.
233 * sS2 -> sSR Simultaneous open
234 * sSR -> sIG Retransmitted SYN/ACK, ignore it.
235 * sES -> sIG Late retransmitted SYN/ACK?
236 * sFW -> sIG Might be SYN/ACK answering ignored SYN
242 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
243 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
245 * sSS -> sIV Server might not send FIN in this state.
247 * sSR -> sFW Close started.
249 * sFW -> sLA FIN seen in both directions.
251 * sLA -> sLA Retransmitted FIN.
255 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
256 /*ack*/ { sIV, sIG, sSR, sES, sCW, sCW, sTW, sTW, sCL, sIG },
258 * sSS -> sIG Might be a half-open connection.
260 * sSR -> sSR Might answer late resent SYN.
262 * sFW -> sCW Normal close request answered by ACK.
264 * sLA -> sTW Last ACK detected (RFC5961 challenged)
265 * sTW -> sTW Retransmitted last ACK.
268 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
269 /*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL },
270 /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
274 static inline struct nf_tcp_net *tcp_pernet(struct net *net)
276 return &net->ct.nf_ct_proto.tcp;
279 static bool tcp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
280 struct net *net, struct nf_conntrack_tuple *tuple)
282 const struct tcphdr *hp;
285 /* Actually only need first 4 bytes to get ports. */
286 hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
290 tuple->src.u.tcp.port = hp->source;
291 tuple->dst.u.tcp.port = hp->dest;
296 static bool tcp_invert_tuple(struct nf_conntrack_tuple *tuple,
297 const struct nf_conntrack_tuple *orig)
299 tuple->src.u.tcp.port = orig->dst.u.tcp.port;
300 tuple->dst.u.tcp.port = orig->src.u.tcp.port;
304 #ifdef CONFIG_NF_CONNTRACK_PROCFS
305 /* Print out the private part of the conntrack. */
306 static void tcp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
308 if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
311 seq_printf(s, "%s ", tcp_conntrack_names[ct->proto.tcp.state]);
315 static unsigned int get_conntrack_index(const struct tcphdr *tcph)
317 if (tcph->rst) return TCP_RST_SET;
318 else if (tcph->syn) return (tcph->ack ? TCP_SYNACK_SET : TCP_SYN_SET);
319 else if (tcph->fin) return TCP_FIN_SET;
320 else if (tcph->ack) return TCP_ACK_SET;
321 else return TCP_NONE_SET;
324 /* TCP connection tracking based on 'Real Stateful TCP Packet Filtering
325 in IP Filter' by Guido van Rooij.
327 http://www.sane.nl/events/sane2000/papers.html
328 http://www.darkart.com/mirrors/www.obfuscation.org/ipf/
330 The boundaries and the conditions are changed according to RFC793:
331 the packet must intersect the window (i.e. segments may be
332 after the right or before the left edge) and thus receivers may ACK
333 segments after the right edge of the window.
335 td_maxend = max(sack + max(win,1)) seen in reply packets
336 td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets
337 td_maxwin += seq + len - sender.td_maxend
338 if seq + len > sender.td_maxend
339 td_end = max(seq + len) seen in sent packets
341 I. Upper bound for valid data: seq <= sender.td_maxend
342 II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin
343 III. Upper bound for valid (s)ack: sack <= receiver.td_end
344 IV. Lower bound for valid (s)ack: sack >= receiver.td_end - MAXACKWINDOW
346 where sack is the highest right edge of sack block found in the packet
347 or ack in the case of packet without SACK option.
349 The upper bound limit for a valid (s)ack is not ignored -
350 we doesn't have to deal with fragments.
353 static inline __u32 segment_seq_plus_len(__u32 seq,
355 unsigned int dataoff,
356 const struct tcphdr *tcph)
358 /* XXX Should I use payload length field in IP/IPv6 header ?
360 return (seq + len - dataoff - tcph->doff*4
361 + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0));
364 /* Fixme: what about big packets? */
365 #define MAXACKWINCONST 66000
366 #define MAXACKWINDOW(sender) \
367 ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin \
371 * Simplified tcp_parse_options routine from tcp_input.c
373 static void tcp_options(const struct sk_buff *skb,
374 unsigned int dataoff,
375 const struct tcphdr *tcph,
376 struct ip_ct_tcp_state *state)
378 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
379 const unsigned char *ptr;
380 int length = (tcph->doff*4) - sizeof(struct tcphdr);
385 ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr),
399 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
406 if (opsize < 2) /* "silly options" */
409 return; /* don't parse partial options */
411 if (opcode == TCPOPT_SACK_PERM
412 && opsize == TCPOLEN_SACK_PERM)
413 state->flags |= IP_CT_TCP_FLAG_SACK_PERM;
414 else if (opcode == TCPOPT_WINDOW
415 && opsize == TCPOLEN_WINDOW) {
416 state->td_scale = *(u_int8_t *)ptr;
418 if (state->td_scale > TCP_MAX_WSCALE)
419 state->td_scale = TCP_MAX_WSCALE;
422 IP_CT_TCP_FLAG_WINDOW_SCALE;
430 static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
431 const struct tcphdr *tcph, __u32 *sack)
433 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
434 const unsigned char *ptr;
435 int length = (tcph->doff*4) - sizeof(struct tcphdr);
441 ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr),
445 /* Fast path for timestamp-only option */
446 if (length == TCPOLEN_TSTAMP_ALIGNED
447 && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24)
449 | (TCPOPT_TIMESTAMP << 8)
450 | TCPOLEN_TIMESTAMP))
460 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
467 if (opsize < 2) /* "silly options" */
470 return; /* don't parse partial options */
472 if (opcode == TCPOPT_SACK
473 && opsize >= (TCPOLEN_SACK_BASE
474 + TCPOLEN_SACK_PERBLOCK)
475 && !((opsize - TCPOLEN_SACK_BASE)
476 % TCPOLEN_SACK_PERBLOCK)) {
478 i < (opsize - TCPOLEN_SACK_BASE);
479 i += TCPOLEN_SACK_PERBLOCK) {
480 tmp = get_unaligned_be32((__be32 *)(ptr+i)+1);
482 if (after(tmp, *sack))
493 static bool tcp_in_window(const struct nf_conn *ct,
494 struct ip_ct_tcp *state,
495 enum ip_conntrack_dir dir,
497 const struct sk_buff *skb,
498 unsigned int dataoff,
499 const struct tcphdr *tcph)
501 struct net *net = nf_ct_net(ct);
502 struct nf_tcp_net *tn = tcp_pernet(net);
503 struct ip_ct_tcp_state *sender = &state->seen[dir];
504 struct ip_ct_tcp_state *receiver = &state->seen[!dir];
505 const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
506 __u32 seq, ack, sack, end, win, swin;
508 bool res, in_recv_win;
511 * Get the required data from the packet.
513 seq = ntohl(tcph->seq);
514 ack = sack = ntohl(tcph->ack_seq);
515 win = ntohs(tcph->window);
516 end = segment_seq_plus_len(seq, skb->len, dataoff, tcph);
518 if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM)
519 tcp_sack(skb, dataoff, tcph, &sack);
521 /* Take into account NAT sequence number mangling */
522 receiver_offset = nf_ct_seq_offset(ct, !dir, ack - 1);
523 ack -= receiver_offset;
524 sack -= receiver_offset;
526 pr_debug("tcp_in_window: START\n");
527 pr_debug("tcp_in_window: ");
528 nf_ct_dump_tuple(tuple);
529 pr_debug("seq=%u ack=%u+(%d) sack=%u+(%d) win=%u end=%u\n",
530 seq, ack, receiver_offset, sack, receiver_offset, win, end);
531 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
532 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
533 sender->td_end, sender->td_maxend, sender->td_maxwin,
535 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
538 if (sender->td_maxwin == 0) {
540 * Initialize sender data.
544 * SYN-ACK in reply to a SYN
545 * or SYN from reply direction in simultaneous open.
548 sender->td_maxend = end;
549 sender->td_maxwin = (win == 0 ? 1 : win);
551 tcp_options(skb, dataoff, tcph, sender);
554 * Both sides must send the Window Scale option
555 * to enable window scaling in either direction.
557 if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE
558 && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE))
560 receiver->td_scale = 0;
562 /* Simultaneous open */
566 * We are in the middle of a connection,
567 * its history is lost for us.
568 * Let's try to use the data from the packet.
570 sender->td_end = end;
571 swin = win << sender->td_scale;
572 sender->td_maxwin = (swin == 0 ? 1 : swin);
573 sender->td_maxend = end + sender->td_maxwin;
575 * We haven't seen traffic in the other direction yet
576 * but we have to tweak window tracking to pass III
577 * and IV until that happens.
579 if (receiver->td_maxwin == 0)
580 receiver->td_end = receiver->td_maxend = sack;
582 } else if (((state->state == TCP_CONNTRACK_SYN_SENT
583 && dir == IP_CT_DIR_ORIGINAL)
584 || (state->state == TCP_CONNTRACK_SYN_RECV
585 && dir == IP_CT_DIR_REPLY))
586 && after(end, sender->td_end)) {
588 * RFC 793: "if a TCP is reinitialized ... then it need
589 * not wait at all; it must only be sure to use sequence
590 * numbers larger than those recently used."
593 sender->td_maxend = end;
594 sender->td_maxwin = (win == 0 ? 1 : win);
596 tcp_options(skb, dataoff, tcph, sender);
601 * If there is no ACK, just pretend it was set and OK.
603 ack = sack = receiver->td_end;
604 } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) ==
605 (TCP_FLAG_ACK|TCP_FLAG_RST))
608 * Broken TCP stacks, that set ACK in RST packets as well
609 * with zero ack value.
611 ack = sack = receiver->td_end;
614 if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
616 * RST sent answering SYN.
618 seq = end = sender->td_end;
620 pr_debug("tcp_in_window: ");
621 nf_ct_dump_tuple(tuple);
622 pr_debug("seq=%u ack=%u+(%d) sack=%u+(%d) win=%u end=%u\n",
623 seq, ack, receiver_offset, sack, receiver_offset, win, end);
624 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
625 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
626 sender->td_end, sender->td_maxend, sender->td_maxwin,
628 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
631 /* Is the ending sequence in the receive window (if available)? */
632 in_recv_win = !receiver->td_maxwin ||
633 after(end, sender->td_end - receiver->td_maxwin - 1);
635 pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
636 before(seq, sender->td_maxend + 1),
637 (in_recv_win ? 1 : 0),
638 before(sack, receiver->td_end + 1),
639 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
641 if (before(seq, sender->td_maxend + 1) &&
643 before(sack, receiver->td_end + 1) &&
644 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
646 * Take into account window scaling (RFC 1323).
649 win <<= sender->td_scale;
652 * Update sender data.
654 swin = win + (sack - ack);
655 if (sender->td_maxwin < swin)
656 sender->td_maxwin = swin;
657 if (after(end, sender->td_end)) {
658 sender->td_end = end;
659 sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
662 if (!(sender->flags & IP_CT_TCP_FLAG_MAXACK_SET)) {
663 sender->td_maxack = ack;
664 sender->flags |= IP_CT_TCP_FLAG_MAXACK_SET;
665 } else if (after(ack, sender->td_maxack))
666 sender->td_maxack = ack;
670 * Update receiver data.
672 if (receiver->td_maxwin != 0 && after(end, sender->td_maxend))
673 receiver->td_maxwin += end - sender->td_maxend;
674 if (after(sack + win, receiver->td_maxend - 1)) {
675 receiver->td_maxend = sack + win;
677 receiver->td_maxend++;
679 if (ack == receiver->td_end)
680 receiver->flags &= ~IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
683 * Check retransmissions.
685 if (index == TCP_ACK_SET) {
686 if (state->last_dir == dir
687 && state->last_seq == seq
688 && state->last_ack == ack
689 && state->last_end == end
690 && state->last_win == win)
693 state->last_dir = dir;
694 state->last_seq = seq;
695 state->last_ack = ack;
696 state->last_end = end;
697 state->last_win = win;
704 if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL ||
708 nf_ct_l4proto_log_invalid(skb, ct,
710 before(seq, sender->td_maxend + 1) ?
712 before(sack, receiver->td_end + 1) ?
713 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1) ? "BUG"
714 : "ACK is under the lower bound (possible overly delayed ACK)"
715 : "ACK is over the upper bound (ACKed data not seen yet)"
716 : "SEQ is under the lower bound (already ACKed data retransmitted)"
717 : "SEQ is over the upper bound (over the window of the receiver)");
721 pr_debug("tcp_in_window: res=%u sender end=%u maxend=%u maxwin=%u "
722 "receiver end=%u maxend=%u maxwin=%u\n",
723 res, sender->td_end, sender->td_maxend, sender->td_maxwin,
724 receiver->td_end, receiver->td_maxend, receiver->td_maxwin);
729 /* table of valid flag combinations - PUSH, ECE and CWR are always valid */
730 static const u8 tcp_valid_flags[(TCPHDR_FIN|TCPHDR_SYN|TCPHDR_RST|TCPHDR_ACK|
734 [TCPHDR_SYN|TCPHDR_URG] = 1,
735 [TCPHDR_SYN|TCPHDR_ACK] = 1,
737 [TCPHDR_RST|TCPHDR_ACK] = 1,
738 [TCPHDR_FIN|TCPHDR_ACK] = 1,
739 [TCPHDR_FIN|TCPHDR_ACK|TCPHDR_URG] = 1,
741 [TCPHDR_ACK|TCPHDR_URG] = 1,
744 static void tcp_error_log(const struct sk_buff *skb, struct net *net,
745 u8 pf, const char *msg)
747 nf_l4proto_log_invalid(skb, net, pf, IPPROTO_TCP, "%s", msg);
750 /* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */
751 static int tcp_error(struct net *net, struct nf_conn *tmpl,
753 unsigned int dataoff,
755 unsigned int hooknum)
757 const struct tcphdr *th;
759 unsigned int tcplen = skb->len - dataoff;
762 /* Smaller that minimal TCP header? */
763 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
765 tcp_error_log(skb, net, pf, "short packet");
769 /* Not whole TCP header or malformed packet */
770 if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) {
771 tcp_error_log(skb, net, pf, "truncated packet");
775 /* Checksum invalid? Ignore.
776 * We skip checking packets on the outgoing path
777 * because the checksum is assumed to be correct.
779 /* FIXME: Source route IP option packets --RR */
780 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
781 nf_checksum(skb, hooknum, dataoff, IPPROTO_TCP, pf)) {
782 tcp_error_log(skb, net, pf, "bad checksum");
786 /* Check TCP flags. */
787 tcpflags = (tcp_flag_byte(th) & ~(TCPHDR_ECE|TCPHDR_CWR|TCPHDR_PSH));
788 if (!tcp_valid_flags[tcpflags]) {
789 tcp_error_log(skb, net, pf, "invalid tcp flag combination");
796 static unsigned int *tcp_get_timeouts(struct net *net)
798 return tcp_pernet(net)->timeouts;
801 /* Returns verdict for packet, or -1 for invalid. */
802 static int tcp_packet(struct nf_conn *ct,
803 const struct sk_buff *skb,
804 unsigned int dataoff,
805 enum ip_conntrack_info ctinfo,
806 unsigned int *timeouts)
808 struct net *net = nf_ct_net(ct);
809 struct nf_tcp_net *tn = tcp_pernet(net);
810 struct nf_conntrack_tuple *tuple;
811 enum tcp_conntrack new_state, old_state;
812 enum ip_conntrack_dir dir;
813 const struct tcphdr *th;
815 unsigned long timeout;
818 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
821 spin_lock_bh(&ct->lock);
822 old_state = ct->proto.tcp.state;
823 dir = CTINFO2DIR(ctinfo);
824 index = get_conntrack_index(th);
825 new_state = tcp_conntracks[dir][index][old_state];
826 tuple = &ct->tuplehash[dir].tuple;
829 case TCP_CONNTRACK_SYN_SENT:
830 if (old_state < TCP_CONNTRACK_TIME_WAIT)
832 /* RFC 1122: "When a connection is closed actively,
833 * it MUST linger in TIME-WAIT state for a time 2xMSL
834 * (Maximum Segment Lifetime). However, it MAY accept
835 * a new SYN from the remote TCP to reopen the connection
836 * directly from TIME-WAIT state, if..."
837 * We ignore the conditions because we are in the
838 * TIME-WAIT state anyway.
840 * Handle aborted connections: we and the server
841 * think there is an existing connection but the client
842 * aborts it and starts a new one.
844 if (((ct->proto.tcp.seen[dir].flags
845 | ct->proto.tcp.seen[!dir].flags)
846 & IP_CT_TCP_FLAG_CLOSE_INIT)
847 || (ct->proto.tcp.last_dir == dir
848 && ct->proto.tcp.last_index == TCP_RST_SET)) {
849 /* Attempt to reopen a closed/aborted connection.
850 * Delete this connection and look up again. */
851 spin_unlock_bh(&ct->lock);
853 /* Only repeat if we can actually remove the timer.
854 * Destruction may already be in progress in process
855 * context and we must give it a chance to terminate.
862 case TCP_CONNTRACK_IGNORE:
865 * Our connection entry may be out of sync, so ignore
866 * packets which may signal the real connection between
867 * the client and the server.
870 * b) SYN/ACK in REPLY
871 * c) ACK in reply direction after initial SYN in original.
873 * If the ignored packet is invalid, the receiver will send
874 * a RST we'll catch below.
876 if (index == TCP_SYNACK_SET
877 && ct->proto.tcp.last_index == TCP_SYN_SET
878 && ct->proto.tcp.last_dir != dir
879 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
880 /* b) This SYN/ACK acknowledges a SYN that we earlier
881 * ignored as invalid. This means that the client and
882 * the server are both in sync, while the firewall is
883 * not. We get in sync from the previously annotated
886 old_state = TCP_CONNTRACK_SYN_SENT;
887 new_state = TCP_CONNTRACK_SYN_RECV;
888 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_end =
889 ct->proto.tcp.last_end;
890 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxend =
891 ct->proto.tcp.last_end;
892 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxwin =
893 ct->proto.tcp.last_win == 0 ?
894 1 : ct->proto.tcp.last_win;
895 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale =
896 ct->proto.tcp.last_wscale;
897 ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
898 ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
899 ct->proto.tcp.last_flags;
900 memset(&ct->proto.tcp.seen[dir], 0,
901 sizeof(struct ip_ct_tcp_state));
904 ct->proto.tcp.last_index = index;
905 ct->proto.tcp.last_dir = dir;
906 ct->proto.tcp.last_seq = ntohl(th->seq);
907 ct->proto.tcp.last_end =
908 segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th);
909 ct->proto.tcp.last_win = ntohs(th->window);
911 /* a) This is a SYN in ORIGINAL. The client and the server
912 * may be in sync but we are not. In that case, we annotate
913 * the TCP options and let the packet go through. If it is a
914 * valid SYN packet, the server will reply with a SYN/ACK, and
915 * then we'll get in sync. Otherwise, the server potentially
916 * responds with a challenge ACK if implementing RFC5961.
918 if (index == TCP_SYN_SET && dir == IP_CT_DIR_ORIGINAL) {
919 struct ip_ct_tcp_state seen = {};
921 ct->proto.tcp.last_flags =
922 ct->proto.tcp.last_wscale = 0;
923 tcp_options(skb, dataoff, th, &seen);
924 if (seen.flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
925 ct->proto.tcp.last_flags |=
926 IP_CT_TCP_FLAG_WINDOW_SCALE;
927 ct->proto.tcp.last_wscale = seen.td_scale;
929 if (seen.flags & IP_CT_TCP_FLAG_SACK_PERM) {
930 ct->proto.tcp.last_flags |=
931 IP_CT_TCP_FLAG_SACK_PERM;
933 /* Mark the potential for RFC5961 challenge ACK,
934 * this pose a special problem for LAST_ACK state
935 * as ACK is intrepretated as ACKing last FIN.
937 if (old_state == TCP_CONNTRACK_LAST_ACK)
938 ct->proto.tcp.last_flags |=
939 IP_CT_EXP_CHALLENGE_ACK;
941 spin_unlock_bh(&ct->lock);
942 nf_ct_l4proto_log_invalid(skb, ct, "invalid packet ignored in "
943 "state %s ", tcp_conntrack_names[old_state]);
945 case TCP_CONNTRACK_MAX:
946 /* Special case for SYN proxy: when the SYN to the server or
947 * the SYN/ACK from the server is lost, the client may transmit
948 * a keep-alive packet while in SYN_SENT state. This needs to
949 * be associated with the original conntrack entry in order to
950 * generate a new SYN with the correct sequence number.
952 if (nfct_synproxy(ct) && old_state == TCP_CONNTRACK_SYN_SENT &&
953 index == TCP_ACK_SET && dir == IP_CT_DIR_ORIGINAL &&
954 ct->proto.tcp.last_dir == IP_CT_DIR_ORIGINAL &&
955 ct->proto.tcp.seen[dir].td_end - 1 == ntohl(th->seq)) {
956 pr_debug("nf_ct_tcp: SYN proxy client keep alive\n");
957 spin_unlock_bh(&ct->lock);
962 pr_debug("nf_ct_tcp: Invalid dir=%i index=%u ostate=%u\n",
963 dir, get_conntrack_index(th), old_state);
964 spin_unlock_bh(&ct->lock);
965 nf_ct_l4proto_log_invalid(skb, ct, "invalid state");
967 case TCP_CONNTRACK_TIME_WAIT:
968 /* RFC5961 compliance cause stack to send "challenge-ACK"
969 * e.g. in response to spurious SYNs. Conntrack MUST
970 * not believe this ACK is acking last FIN.
972 if (old_state == TCP_CONNTRACK_LAST_ACK &&
973 index == TCP_ACK_SET &&
974 ct->proto.tcp.last_dir != dir &&
975 ct->proto.tcp.last_index == TCP_SYN_SET &&
976 (ct->proto.tcp.last_flags & IP_CT_EXP_CHALLENGE_ACK)) {
977 /* Detected RFC5961 challenge ACK */
978 ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
979 spin_unlock_bh(&ct->lock);
980 nf_ct_l4proto_log_invalid(skb, ct, "challenge-ack ignored");
981 return NF_ACCEPT; /* Don't change state */
984 case TCP_CONNTRACK_CLOSE:
985 if (index == TCP_RST_SET
986 && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
987 && before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)) {
989 spin_unlock_bh(&ct->lock);
990 nf_ct_l4proto_log_invalid(skb, ct, "invalid rst");
993 if (index == TCP_RST_SET
994 && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
995 && ct->proto.tcp.last_index == TCP_SYN_SET)
996 || (!test_bit(IPS_ASSURED_BIT, &ct->status)
997 && ct->proto.tcp.last_index == TCP_ACK_SET))
998 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
999 /* RST sent to invalid SYN or ACK we had let through
1000 * at a) and c) above:
1002 * a) SYN was in window then
1003 * c) we hold a half-open connection.
1005 * Delete our connection entry.
1006 * We skip window checking, because packet might ACK
1007 * segments we ignored. */
1010 /* Just fall through */
1012 /* Keep compilers happy. */
1016 if (!tcp_in_window(ct, &ct->proto.tcp, dir, index,
1017 skb, dataoff, th)) {
1018 spin_unlock_bh(&ct->lock);
1022 /* From now on we have got in-window packets */
1023 ct->proto.tcp.last_index = index;
1024 ct->proto.tcp.last_dir = dir;
1026 pr_debug("tcp_conntracks: ");
1027 nf_ct_dump_tuple(tuple);
1028 pr_debug("syn=%i ack=%i fin=%i rst=%i old=%i new=%i\n",
1029 (th->syn ? 1 : 0), (th->ack ? 1 : 0),
1030 (th->fin ? 1 : 0), (th->rst ? 1 : 0),
1031 old_state, new_state);
1033 ct->proto.tcp.state = new_state;
1034 if (old_state != new_state
1035 && new_state == TCP_CONNTRACK_FIN_WAIT)
1036 ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
1038 if (ct->proto.tcp.retrans >= tn->tcp_max_retrans &&
1039 timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
1040 timeout = timeouts[TCP_CONNTRACK_RETRANS];
1041 else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) &
1042 IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&
1043 timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK])
1044 timeout = timeouts[TCP_CONNTRACK_UNACK];
1045 else if (ct->proto.tcp.last_win == 0 &&
1046 timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
1047 timeout = timeouts[TCP_CONNTRACK_RETRANS];
1049 timeout = timeouts[new_state];
1050 spin_unlock_bh(&ct->lock);
1052 if (new_state != old_state)
1053 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
1055 if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
1056 /* If only reply is a RST, we can consider ourselves not to
1057 have an established connection: this is a fairly common
1058 problem case, so we can delete the conntrack
1059 immediately. --RR */
1061 nf_ct_kill_acct(ct, ctinfo, skb);
1064 /* ESTABLISHED without SEEN_REPLY, i.e. mid-connection
1065 * pickup with loose=1. Avoid large ESTABLISHED timeout.
1067 if (new_state == TCP_CONNTRACK_ESTABLISHED &&
1068 timeout > timeouts[TCP_CONNTRACK_UNACK])
1069 timeout = timeouts[TCP_CONNTRACK_UNACK];
1070 } else if (!test_bit(IPS_ASSURED_BIT, &ct->status)
1071 && (old_state == TCP_CONNTRACK_SYN_RECV
1072 || old_state == TCP_CONNTRACK_ESTABLISHED)
1073 && new_state == TCP_CONNTRACK_ESTABLISHED) {
1074 /* Set ASSURED if we see see valid ack in ESTABLISHED
1075 after SYN_RECV or a valid answer for a picked up
1077 set_bit(IPS_ASSURED_BIT, &ct->status);
1078 nf_conntrack_event_cache(IPCT_ASSURED, ct);
1080 nf_ct_refresh_acct(ct, ctinfo, skb, timeout);
1085 /* Called when a new connection for this protocol found. */
1086 static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
1087 unsigned int dataoff, unsigned int *timeouts)
1089 enum tcp_conntrack new_state;
1090 const struct tcphdr *th;
1091 struct tcphdr _tcph;
1092 struct net *net = nf_ct_net(ct);
1093 struct nf_tcp_net *tn = tcp_pernet(net);
1094 const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
1095 const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
1097 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
1100 /* Don't need lock here: this conntrack not in circulation yet */
1101 new_state = tcp_conntracks[0][get_conntrack_index(th)][TCP_CONNTRACK_NONE];
1103 /* Invalid: delete conntrack */
1104 if (new_state >= TCP_CONNTRACK_MAX) {
1105 pr_debug("nf_ct_tcp: invalid new deleting.\n");
1109 if (new_state == TCP_CONNTRACK_SYN_SENT) {
1110 memset(&ct->proto.tcp, 0, sizeof(ct->proto.tcp));
1112 ct->proto.tcp.seen[0].td_end =
1113 segment_seq_plus_len(ntohl(th->seq), skb->len,
1115 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
1116 if (ct->proto.tcp.seen[0].td_maxwin == 0)
1117 ct->proto.tcp.seen[0].td_maxwin = 1;
1118 ct->proto.tcp.seen[0].td_maxend =
1119 ct->proto.tcp.seen[0].td_end;
1121 tcp_options(skb, dataoff, th, &ct->proto.tcp.seen[0]);
1122 } else if (tn->tcp_loose == 0) {
1123 /* Don't try to pick up connections. */
1126 memset(&ct->proto.tcp, 0, sizeof(ct->proto.tcp));
1128 * We are in the middle of a connection,
1129 * its history is lost for us.
1130 * Let's try to use the data from the packet.
1132 ct->proto.tcp.seen[0].td_end =
1133 segment_seq_plus_len(ntohl(th->seq), skb->len,
1135 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
1136 if (ct->proto.tcp.seen[0].td_maxwin == 0)
1137 ct->proto.tcp.seen[0].td_maxwin = 1;
1138 ct->proto.tcp.seen[0].td_maxend =
1139 ct->proto.tcp.seen[0].td_end +
1140 ct->proto.tcp.seen[0].td_maxwin;
1142 /* We assume SACK and liberal window checking to handle
1144 ct->proto.tcp.seen[0].flags =
1145 ct->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM |
1146 IP_CT_TCP_FLAG_BE_LIBERAL;
1149 /* tcp_packet will set them */
1150 ct->proto.tcp.last_index = TCP_NONE_SET;
1152 pr_debug("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i "
1153 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
1154 sender->td_end, sender->td_maxend, sender->td_maxwin,
1156 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
1157 receiver->td_scale);
1161 static bool tcp_can_early_drop(const struct nf_conn *ct)
1163 switch (ct->proto.tcp.state) {
1164 case TCP_CONNTRACK_FIN_WAIT:
1165 case TCP_CONNTRACK_LAST_ACK:
1166 case TCP_CONNTRACK_TIME_WAIT:
1167 case TCP_CONNTRACK_CLOSE:
1168 case TCP_CONNTRACK_CLOSE_WAIT:
1177 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
1179 #include <linux/netfilter/nfnetlink.h>
1180 #include <linux/netfilter/nfnetlink_conntrack.h>
1182 static int tcp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
1185 struct nlattr *nest_parms;
1186 struct nf_ct_tcp_flags tmp = {};
1188 spin_lock_bh(&ct->lock);
1189 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_TCP | NLA_F_NESTED);
1191 goto nla_put_failure;
1193 if (nla_put_u8(skb, CTA_PROTOINFO_TCP_STATE, ct->proto.tcp.state) ||
1194 nla_put_u8(skb, CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
1195 ct->proto.tcp.seen[0].td_scale) ||
1196 nla_put_u8(skb, CTA_PROTOINFO_TCP_WSCALE_REPLY,
1197 ct->proto.tcp.seen[1].td_scale))
1198 goto nla_put_failure;
1200 tmp.flags = ct->proto.tcp.seen[0].flags;
1201 if (nla_put(skb, CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
1202 sizeof(struct nf_ct_tcp_flags), &tmp))
1203 goto nla_put_failure;
1205 tmp.flags = ct->proto.tcp.seen[1].flags;
1206 if (nla_put(skb, CTA_PROTOINFO_TCP_FLAGS_REPLY,
1207 sizeof(struct nf_ct_tcp_flags), &tmp))
1208 goto nla_put_failure;
1209 spin_unlock_bh(&ct->lock);
1211 nla_nest_end(skb, nest_parms);
1216 spin_unlock_bh(&ct->lock);
1220 static const struct nla_policy tcp_nla_policy[CTA_PROTOINFO_TCP_MAX+1] = {
1221 [CTA_PROTOINFO_TCP_STATE] = { .type = NLA_U8 },
1222 [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = { .type = NLA_U8 },
1223 [CTA_PROTOINFO_TCP_WSCALE_REPLY] = { .type = NLA_U8 },
1224 [CTA_PROTOINFO_TCP_FLAGS_ORIGINAL] = { .len = sizeof(struct nf_ct_tcp_flags) },
1225 [CTA_PROTOINFO_TCP_FLAGS_REPLY] = { .len = sizeof(struct nf_ct_tcp_flags) },
1228 #define TCP_NLATTR_SIZE ( \
1229 NLA_ALIGN(NLA_HDRLEN + 1) + \
1230 NLA_ALIGN(NLA_HDRLEN + 1) + \
1231 NLA_ALIGN(NLA_HDRLEN + sizeof(sizeof(struct nf_ct_tcp_flags))) + \
1232 NLA_ALIGN(NLA_HDRLEN + sizeof(sizeof(struct nf_ct_tcp_flags))))
1234 static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
1236 struct nlattr *pattr = cda[CTA_PROTOINFO_TCP];
1237 struct nlattr *tb[CTA_PROTOINFO_TCP_MAX+1];
1240 /* updates could not contain anything about the private
1241 * protocol info, in that case skip the parsing */
1245 err = nla_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, pattr,
1246 tcp_nla_policy, NULL);
1250 if (tb[CTA_PROTOINFO_TCP_STATE] &&
1251 nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX)
1254 spin_lock_bh(&ct->lock);
1255 if (tb[CTA_PROTOINFO_TCP_STATE])
1256 ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);
1258 if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]) {
1259 struct nf_ct_tcp_flags *attr =
1260 nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]);
1261 ct->proto.tcp.seen[0].flags &= ~attr->mask;
1262 ct->proto.tcp.seen[0].flags |= attr->flags & attr->mask;
1265 if (tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]) {
1266 struct nf_ct_tcp_flags *attr =
1267 nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]);
1268 ct->proto.tcp.seen[1].flags &= ~attr->mask;
1269 ct->proto.tcp.seen[1].flags |= attr->flags & attr->mask;
1272 if (tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] &&
1273 tb[CTA_PROTOINFO_TCP_WSCALE_REPLY] &&
1274 ct->proto.tcp.seen[0].flags & IP_CT_TCP_FLAG_WINDOW_SCALE &&
1275 ct->proto.tcp.seen[1].flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
1276 ct->proto.tcp.seen[0].td_scale =
1277 nla_get_u8(tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL]);
1278 ct->proto.tcp.seen[1].td_scale =
1279 nla_get_u8(tb[CTA_PROTOINFO_TCP_WSCALE_REPLY]);
1281 spin_unlock_bh(&ct->lock);
1286 static unsigned int tcp_nlattr_tuple_size(void)
1288 static unsigned int size __read_mostly;
1291 size = nla_policy_len(nf_ct_port_nla_policy, CTA_PROTO_MAX + 1);
1297 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
1299 #include <linux/netfilter/nfnetlink.h>
1300 #include <linux/netfilter/nfnetlink_cttimeout.h>
1302 static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[],
1303 struct net *net, void *data)
1305 unsigned int *timeouts = data;
1306 struct nf_tcp_net *tn = tcp_pernet(net);
1309 /* set default TCP timeouts. */
1310 for (i=0; i<TCP_CONNTRACK_TIMEOUT_MAX; i++)
1311 timeouts[i] = tn->timeouts[i];
1313 if (tb[CTA_TIMEOUT_TCP_SYN_SENT]) {
1314 timeouts[TCP_CONNTRACK_SYN_SENT] =
1315 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_SENT]))*HZ;
1317 if (tb[CTA_TIMEOUT_TCP_SYN_RECV]) {
1318 timeouts[TCP_CONNTRACK_SYN_RECV] =
1319 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_RECV]))*HZ;
1321 if (tb[CTA_TIMEOUT_TCP_ESTABLISHED]) {
1322 timeouts[TCP_CONNTRACK_ESTABLISHED] =
1323 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_ESTABLISHED]))*HZ;
1325 if (tb[CTA_TIMEOUT_TCP_FIN_WAIT]) {
1326 timeouts[TCP_CONNTRACK_FIN_WAIT] =
1327 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_FIN_WAIT]))*HZ;
1329 if (tb[CTA_TIMEOUT_TCP_CLOSE_WAIT]) {
1330 timeouts[TCP_CONNTRACK_CLOSE_WAIT] =
1331 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_CLOSE_WAIT]))*HZ;
1333 if (tb[CTA_TIMEOUT_TCP_LAST_ACK]) {
1334 timeouts[TCP_CONNTRACK_LAST_ACK] =
1335 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_LAST_ACK]))*HZ;
1337 if (tb[CTA_TIMEOUT_TCP_TIME_WAIT]) {
1338 timeouts[TCP_CONNTRACK_TIME_WAIT] =
1339 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_TIME_WAIT]))*HZ;
1341 if (tb[CTA_TIMEOUT_TCP_CLOSE]) {
1342 timeouts[TCP_CONNTRACK_CLOSE] =
1343 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_CLOSE]))*HZ;
1345 if (tb[CTA_TIMEOUT_TCP_SYN_SENT2]) {
1346 timeouts[TCP_CONNTRACK_SYN_SENT2] =
1347 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_SENT2]))*HZ;
1349 if (tb[CTA_TIMEOUT_TCP_RETRANS]) {
1350 timeouts[TCP_CONNTRACK_RETRANS] =
1351 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_RETRANS]))*HZ;
1353 if (tb[CTA_TIMEOUT_TCP_UNACK]) {
1354 timeouts[TCP_CONNTRACK_UNACK] =
1355 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_UNACK]))*HZ;
1361 tcp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
1363 const unsigned int *timeouts = data;
1365 if (nla_put_be32(skb, CTA_TIMEOUT_TCP_SYN_SENT,
1366 htonl(timeouts[TCP_CONNTRACK_SYN_SENT] / HZ)) ||
1367 nla_put_be32(skb, CTA_TIMEOUT_TCP_SYN_RECV,
1368 htonl(timeouts[TCP_CONNTRACK_SYN_RECV] / HZ)) ||
1369 nla_put_be32(skb, CTA_TIMEOUT_TCP_ESTABLISHED,
1370 htonl(timeouts[TCP_CONNTRACK_ESTABLISHED] / HZ)) ||
1371 nla_put_be32(skb, CTA_TIMEOUT_TCP_FIN_WAIT,
1372 htonl(timeouts[TCP_CONNTRACK_FIN_WAIT] / HZ)) ||
1373 nla_put_be32(skb, CTA_TIMEOUT_TCP_CLOSE_WAIT,
1374 htonl(timeouts[TCP_CONNTRACK_CLOSE_WAIT] / HZ)) ||
1375 nla_put_be32(skb, CTA_TIMEOUT_TCP_LAST_ACK,
1376 htonl(timeouts[TCP_CONNTRACK_LAST_ACK] / HZ)) ||
1377 nla_put_be32(skb, CTA_TIMEOUT_TCP_TIME_WAIT,
1378 htonl(timeouts[TCP_CONNTRACK_TIME_WAIT] / HZ)) ||
1379 nla_put_be32(skb, CTA_TIMEOUT_TCP_CLOSE,
1380 htonl(timeouts[TCP_CONNTRACK_CLOSE] / HZ)) ||
1381 nla_put_be32(skb, CTA_TIMEOUT_TCP_SYN_SENT2,
1382 htonl(timeouts[TCP_CONNTRACK_SYN_SENT2] / HZ)) ||
1383 nla_put_be32(skb, CTA_TIMEOUT_TCP_RETRANS,
1384 htonl(timeouts[TCP_CONNTRACK_RETRANS] / HZ)) ||
1385 nla_put_be32(skb, CTA_TIMEOUT_TCP_UNACK,
1386 htonl(timeouts[TCP_CONNTRACK_UNACK] / HZ)))
1387 goto nla_put_failure;
1394 static const struct nla_policy tcp_timeout_nla_policy[CTA_TIMEOUT_TCP_MAX+1] = {
1395 [CTA_TIMEOUT_TCP_SYN_SENT] = { .type = NLA_U32 },
1396 [CTA_TIMEOUT_TCP_SYN_RECV] = { .type = NLA_U32 },
1397 [CTA_TIMEOUT_TCP_ESTABLISHED] = { .type = NLA_U32 },
1398 [CTA_TIMEOUT_TCP_FIN_WAIT] = { .type = NLA_U32 },
1399 [CTA_TIMEOUT_TCP_CLOSE_WAIT] = { .type = NLA_U32 },
1400 [CTA_TIMEOUT_TCP_LAST_ACK] = { .type = NLA_U32 },
1401 [CTA_TIMEOUT_TCP_TIME_WAIT] = { .type = NLA_U32 },
1402 [CTA_TIMEOUT_TCP_CLOSE] = { .type = NLA_U32 },
1403 [CTA_TIMEOUT_TCP_SYN_SENT2] = { .type = NLA_U32 },
1404 [CTA_TIMEOUT_TCP_RETRANS] = { .type = NLA_U32 },
1405 [CTA_TIMEOUT_TCP_UNACK] = { .type = NLA_U32 },
1407 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
1409 #ifdef CONFIG_SYSCTL
1410 static struct ctl_table tcp_sysctl_table[] = {
1412 .procname = "nf_conntrack_tcp_timeout_syn_sent",
1413 .maxlen = sizeof(unsigned int),
1415 .proc_handler = proc_dointvec_jiffies,
1418 .procname = "nf_conntrack_tcp_timeout_syn_recv",
1419 .maxlen = sizeof(unsigned int),
1421 .proc_handler = proc_dointvec_jiffies,
1424 .procname = "nf_conntrack_tcp_timeout_established",
1425 .maxlen = sizeof(unsigned int),
1427 .proc_handler = proc_dointvec_jiffies,
1430 .procname = "nf_conntrack_tcp_timeout_fin_wait",
1431 .maxlen = sizeof(unsigned int),
1433 .proc_handler = proc_dointvec_jiffies,
1436 .procname = "nf_conntrack_tcp_timeout_close_wait",
1437 .maxlen = sizeof(unsigned int),
1439 .proc_handler = proc_dointvec_jiffies,
1442 .procname = "nf_conntrack_tcp_timeout_last_ack",
1443 .maxlen = sizeof(unsigned int),
1445 .proc_handler = proc_dointvec_jiffies,
1448 .procname = "nf_conntrack_tcp_timeout_time_wait",
1449 .maxlen = sizeof(unsigned int),
1451 .proc_handler = proc_dointvec_jiffies,
1454 .procname = "nf_conntrack_tcp_timeout_close",
1455 .maxlen = sizeof(unsigned int),
1457 .proc_handler = proc_dointvec_jiffies,
1460 .procname = "nf_conntrack_tcp_timeout_max_retrans",
1461 .maxlen = sizeof(unsigned int),
1463 .proc_handler = proc_dointvec_jiffies,
1466 .procname = "nf_conntrack_tcp_timeout_unacknowledged",
1467 .maxlen = sizeof(unsigned int),
1469 .proc_handler = proc_dointvec_jiffies,
1472 .procname = "nf_conntrack_tcp_loose",
1473 .maxlen = sizeof(unsigned int),
1475 .proc_handler = proc_dointvec,
1478 .procname = "nf_conntrack_tcp_be_liberal",
1479 .maxlen = sizeof(unsigned int),
1481 .proc_handler = proc_dointvec,
1484 .procname = "nf_conntrack_tcp_max_retrans",
1485 .maxlen = sizeof(unsigned int),
1487 .proc_handler = proc_dointvec,
1491 #endif /* CONFIG_SYSCTL */
1493 static int tcp_kmemdup_sysctl_table(struct nf_proto_net *pn,
1494 struct nf_tcp_net *tn)
1496 #ifdef CONFIG_SYSCTL
1500 pn->ctl_table = kmemdup(tcp_sysctl_table,
1501 sizeof(tcp_sysctl_table),
1506 pn->ctl_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
1507 pn->ctl_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
1508 pn->ctl_table[2].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
1509 pn->ctl_table[3].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
1510 pn->ctl_table[4].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
1511 pn->ctl_table[5].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK];
1512 pn->ctl_table[6].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT];
1513 pn->ctl_table[7].data = &tn->timeouts[TCP_CONNTRACK_CLOSE];
1514 pn->ctl_table[8].data = &tn->timeouts[TCP_CONNTRACK_RETRANS];
1515 pn->ctl_table[9].data = &tn->timeouts[TCP_CONNTRACK_UNACK];
1516 pn->ctl_table[10].data = &tn->tcp_loose;
1517 pn->ctl_table[11].data = &tn->tcp_be_liberal;
1518 pn->ctl_table[12].data = &tn->tcp_max_retrans;
1523 static int tcp_init_net(struct net *net, u_int16_t proto)
1525 struct nf_tcp_net *tn = tcp_pernet(net);
1526 struct nf_proto_net *pn = &tn->pn;
1531 for (i = 0; i < TCP_CONNTRACK_TIMEOUT_MAX; i++)
1532 tn->timeouts[i] = tcp_timeouts[i];
1534 tn->tcp_loose = nf_ct_tcp_loose;
1535 tn->tcp_be_liberal = nf_ct_tcp_be_liberal;
1536 tn->tcp_max_retrans = nf_ct_tcp_max_retrans;
1539 return tcp_kmemdup_sysctl_table(pn, tn);
1542 static struct nf_proto_net *tcp_get_net_proto(struct net *net)
1544 return &net->ct.nf_ct_proto.tcp.pn;
1547 const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 =
1550 .l4proto = IPPROTO_TCP,
1551 .pkt_to_tuple = tcp_pkt_to_tuple,
1552 .invert_tuple = tcp_invert_tuple,
1553 #ifdef CONFIG_NF_CONNTRACK_PROCFS
1554 .print_conntrack = tcp_print_conntrack,
1556 .packet = tcp_packet,
1557 .get_timeouts = tcp_get_timeouts,
1560 .can_early_drop = tcp_can_early_drop,
1561 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
1562 .to_nlattr = tcp_to_nlattr,
1563 .from_nlattr = nlattr_to_tcp,
1564 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
1565 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
1566 .nlattr_tuple_size = tcp_nlattr_tuple_size,
1567 .nlattr_size = TCP_NLATTR_SIZE,
1568 .nla_policy = nf_ct_port_nla_policy,
1570 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
1572 .nlattr_to_obj = tcp_timeout_nlattr_to_obj,
1573 .obj_to_nlattr = tcp_timeout_obj_to_nlattr,
1574 .nlattr_max = CTA_TIMEOUT_TCP_MAX,
1575 .obj_size = sizeof(unsigned int) *
1576 TCP_CONNTRACK_TIMEOUT_MAX,
1577 .nla_policy = tcp_timeout_nla_policy,
1579 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
1580 .init_net = tcp_init_net,
1581 .get_net_proto = tcp_get_net_proto,
1583 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp4);
1585 const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 =
1587 .l3proto = PF_INET6,
1588 .l4proto = IPPROTO_TCP,
1589 .pkt_to_tuple = tcp_pkt_to_tuple,
1590 .invert_tuple = tcp_invert_tuple,
1591 #ifdef CONFIG_NF_CONNTRACK_PROCFS
1592 .print_conntrack = tcp_print_conntrack,
1594 .packet = tcp_packet,
1595 .get_timeouts = tcp_get_timeouts,
1598 .can_early_drop = tcp_can_early_drop,
1599 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
1600 .nlattr_size = TCP_NLATTR_SIZE,
1601 .to_nlattr = tcp_to_nlattr,
1602 .from_nlattr = nlattr_to_tcp,
1603 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
1604 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
1605 .nlattr_tuple_size = tcp_nlattr_tuple_size,
1606 .nla_policy = nf_ct_port_nla_policy,
1608 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
1610 .nlattr_to_obj = tcp_timeout_nlattr_to_obj,
1611 .obj_to_nlattr = tcp_timeout_obj_to_nlattr,
1612 .nlattr_max = CTA_TIMEOUT_TCP_MAX,
1613 .obj_size = sizeof(unsigned int) *
1614 TCP_CONNTRACK_TIMEOUT_MAX,
1615 .nla_policy = tcp_timeout_nla_policy,
1617 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
1618 .init_net = tcp_init_net,
1619 .get_net_proto = tcp_get_net_proto,
1621 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp6);