1 /* (C) 1999-2001 Paul `Rusty' Russell
2 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
3 * (C) 2002-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
4 * (C) 2006-2012 Patrick McHardy <kaber@trash.net>
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 #include <linux/types.h>
12 #include <linux/timer.h>
13 #include <linux/module.h>
15 #include <linux/tcp.h>
16 #include <linux/spinlock.h>
17 #include <linux/skbuff.h>
18 #include <linux/ipv6.h>
19 #include <net/ip6_checksum.h>
20 #include <asm/unaligned.h>
24 #include <linux/netfilter.h>
25 #include <linux/netfilter_ipv4.h>
26 #include <linux/netfilter_ipv6.h>
27 #include <net/netfilter/nf_conntrack.h>
28 #include <net/netfilter/nf_conntrack_l4proto.h>
29 #include <net/netfilter/nf_conntrack_ecache.h>
30 #include <net/netfilter/nf_conntrack_seqadj.h>
31 #include <net/netfilter/nf_log.h>
32 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
33 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
35 /* "Be conservative in what you do,
36 be liberal in what you accept from others."
37 If it's non-zero, we mark only out of window RST segments as INVALID. */
38 static int nf_ct_tcp_be_liberal __read_mostly = 0;
40 /* If it is set to zero, we disable picking up already established
42 static int nf_ct_tcp_loose __read_mostly = 1;
44 /* Max number of the retransmitted packets without receiving an (acceptable)
45 ACK from the destination. If this number is reached, a shorter timer
47 static int nf_ct_tcp_max_retrans __read_mostly = 3;
49 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
50 closely. They're more complex. --RR */
52 static const char *const tcp_conntrack_names[] = {
66 #define MINS * 60 SECS
67 #define HOURS * 60 MINS
68 #define DAYS * 24 HOURS
70 static unsigned int tcp_timeouts[TCP_CONNTRACK_TIMEOUT_MAX] __read_mostly = {
71 [TCP_CONNTRACK_SYN_SENT] = 2 MINS,
72 [TCP_CONNTRACK_SYN_RECV] = 60 SECS,
73 [TCP_CONNTRACK_ESTABLISHED] = 5 DAYS,
74 [TCP_CONNTRACK_FIN_WAIT] = 2 MINS,
75 [TCP_CONNTRACK_CLOSE_WAIT] = 60 SECS,
76 [TCP_CONNTRACK_LAST_ACK] = 30 SECS,
77 [TCP_CONNTRACK_TIME_WAIT] = 2 MINS,
78 [TCP_CONNTRACK_CLOSE] = 10 SECS,
79 [TCP_CONNTRACK_SYN_SENT2] = 2 MINS,
80 /* RFC1122 says the R2 limit should be at least 100 seconds.
81 Linux uses 15 packets as limit, which corresponds
82 to ~13-30min depending on RTO. */
83 [TCP_CONNTRACK_RETRANS] = 5 MINS,
84 [TCP_CONNTRACK_UNACK] = 5 MINS,
87 #define sNO TCP_CONNTRACK_NONE
88 #define sSS TCP_CONNTRACK_SYN_SENT
89 #define sSR TCP_CONNTRACK_SYN_RECV
90 #define sES TCP_CONNTRACK_ESTABLISHED
91 #define sFW TCP_CONNTRACK_FIN_WAIT
92 #define sCW TCP_CONNTRACK_CLOSE_WAIT
93 #define sLA TCP_CONNTRACK_LAST_ACK
94 #define sTW TCP_CONNTRACK_TIME_WAIT
95 #define sCL TCP_CONNTRACK_CLOSE
96 #define sS2 TCP_CONNTRACK_SYN_SENT2
97 #define sIV TCP_CONNTRACK_MAX
98 #define sIG TCP_CONNTRACK_IGNORE
100 /* What TCP flags are set from RST/SYN/FIN/ACK. */
111 * The TCP state transition table needs a few words...
113 * We are the man in the middle. All the packets go through us
114 * but might get lost in transit to the destination.
115 * It is assumed that the destinations can't receive segments
118 * The checked segment is in window, but our windows are *not*
119 * equivalent with the ones of the sender/receiver. We always
120 * try to guess the state of the current sender.
122 * The meaning of the states are:
124 * NONE: initial state
125 * SYN_SENT: SYN-only packet seen
126 * SYN_SENT2: SYN-only packet seen from reply dir, simultaneous open
127 * SYN_RECV: SYN-ACK packet seen
128 * ESTABLISHED: ACK packet seen
129 * FIN_WAIT: FIN packet seen
130 * CLOSE_WAIT: ACK seen (after FIN)
131 * LAST_ACK: FIN seen (after FIN)
132 * TIME_WAIT: last ACK seen
133 * CLOSE: closed connection (RST)
135 * Packets marked as IGNORED (sIG):
136 * if they may be either invalid or valid
137 * and the receiver may send back a connection
138 * closing RST or a SYN/ACK.
140 * Packets marked as INVALID (sIV):
141 * if we regard them as truly invalid packets
143 static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
146 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
147 /*syn*/ { sSS, sSS, sIG, sIG, sIG, sIG, sIG, sSS, sSS, sS2 },
149 * sNO -> sSS Initialize a new connection
150 * sSS -> sSS Retransmitted SYN
151 * sS2 -> sS2 Late retransmitted SYN
153 * sES -> sIG Error: SYNs in window outside the SYN_SENT state
154 * are errors. Receiver will reply with RST
155 * and close the connection.
156 * Or we are not in sync and hold a dead connection.
160 * sTW -> sSS Reopened connection (RFC 1122).
163 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
164 /*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
166 * sNO -> sIV Too late and no reason to do anything
167 * sSS -> sIV Client can't send SYN and then SYN/ACK
168 * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open
169 * sSR -> sSR Late retransmitted SYN/ACK in simultaneous open
170 * sES -> sIV Invalid SYN/ACK packets sent by the client
177 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
178 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
180 * sNO -> sIV Too late and no reason to do anything...
181 * sSS -> sIV Client migth not send FIN in this state:
182 * we enforce waiting for a SYN/ACK reply first.
184 * sSR -> sFW Close started.
186 * sFW -> sLA FIN seen in both directions, waiting for
188 * Migth be a retransmitted FIN as well...
190 * sLA -> sLA Retransmitted FIN. Remain in the same state.
194 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
195 /*ack*/ { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
197 * sNO -> sES Assumed.
198 * sSS -> sIV ACK is invalid: we haven't seen a SYN/ACK yet.
200 * sSR -> sES Established state is reached.
202 * sFW -> sCW Normal close request answered by ACK.
204 * sLA -> sTW Last ACK detected.
205 * sTW -> sTW Retransmitted last ACK. Remain in the same state.
208 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
209 /*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL },
210 /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
214 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
215 /*syn*/ { sIV, sS2, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sS2 },
217 * sNO -> sIV Never reached.
218 * sSS -> sS2 Simultaneous open
219 * sS2 -> sS2 Retransmitted simultaneous SYN
220 * sSR -> sIV Invalid SYN packets sent by the server
225 * sTW -> sIV Reopened connection, but server may not do it.
228 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
229 /*synack*/ { sIV, sSR, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
231 * sSS -> sSR Standard open.
232 * sS2 -> sSR Simultaneous open
233 * sSR -> sIG Retransmitted SYN/ACK, ignore it.
234 * sES -> sIG Late retransmitted SYN/ACK?
235 * sFW -> sIG Might be SYN/ACK answering ignored SYN
241 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
242 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
244 * sSS -> sIV Server might not send FIN in this state.
246 * sSR -> sFW Close started.
248 * sFW -> sLA FIN seen in both directions.
250 * sLA -> sLA Retransmitted FIN.
254 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
255 /*ack*/ { sIV, sIG, sSR, sES, sCW, sCW, sTW, sTW, sCL, sIG },
257 * sSS -> sIG Might be a half-open connection.
259 * sSR -> sSR Might answer late resent SYN.
261 * sFW -> sCW Normal close request answered by ACK.
263 * sLA -> sTW Last ACK detected.
264 * sTW -> sTW Retransmitted last ACK.
267 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
268 /*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL },
269 /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
273 static inline struct nf_tcp_net *tcp_pernet(struct net *net)
275 return &net->ct.nf_ct_proto.tcp;
278 static bool tcp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
279 struct nf_conntrack_tuple *tuple)
281 const struct tcphdr *hp;
284 /* Actually only need first 8 bytes. */
285 hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
289 tuple->src.u.tcp.port = hp->source;
290 tuple->dst.u.tcp.port = hp->dest;
295 static bool tcp_invert_tuple(struct nf_conntrack_tuple *tuple,
296 const struct nf_conntrack_tuple *orig)
298 tuple->src.u.tcp.port = orig->dst.u.tcp.port;
299 tuple->dst.u.tcp.port = orig->src.u.tcp.port;
303 /* Print out the per-protocol part of the tuple. */
304 static int tcp_print_tuple(struct seq_file *s,
305 const struct nf_conntrack_tuple *tuple)
307 return seq_printf(s, "sport=%hu dport=%hu ",
308 ntohs(tuple->src.u.tcp.port),
309 ntohs(tuple->dst.u.tcp.port));
312 /* Print out the private part of the conntrack. */
313 static int tcp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
315 enum tcp_conntrack state;
317 spin_lock_bh(&ct->lock);
318 state = ct->proto.tcp.state;
319 spin_unlock_bh(&ct->lock);
321 return seq_printf(s, "%s ", tcp_conntrack_names[state]);
324 static unsigned int get_conntrack_index(const struct tcphdr *tcph)
326 if (tcph->rst) return TCP_RST_SET;
327 else if (tcph->syn) return (tcph->ack ? TCP_SYNACK_SET : TCP_SYN_SET);
328 else if (tcph->fin) return TCP_FIN_SET;
329 else if (tcph->ack) return TCP_ACK_SET;
330 else return TCP_NONE_SET;
333 /* TCP connection tracking based on 'Real Stateful TCP Packet Filtering
334 in IP Filter' by Guido van Rooij.
336 http://www.sane.nl/events/sane2000/papers.html
337 http://www.darkart.com/mirrors/www.obfuscation.org/ipf/
339 The boundaries and the conditions are changed according to RFC793:
340 the packet must intersect the window (i.e. segments may be
341 after the right or before the left edge) and thus receivers may ACK
342 segments after the right edge of the window.
344 td_maxend = max(sack + max(win,1)) seen in reply packets
345 td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets
346 td_maxwin += seq + len - sender.td_maxend
347 if seq + len > sender.td_maxend
348 td_end = max(seq + len) seen in sent packets
350 I. Upper bound for valid data: seq <= sender.td_maxend
351 II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin
352 III. Upper bound for valid (s)ack: sack <= receiver.td_end
353 IV. Lower bound for valid (s)ack: sack >= receiver.td_end - MAXACKWINDOW
355 where sack is the highest right edge of sack block found in the packet
356 or ack in the case of packet without SACK option.
358 The upper bound limit for a valid (s)ack is not ignored -
359 we doesn't have to deal with fragments.
362 static inline __u32 segment_seq_plus_len(__u32 seq,
364 unsigned int dataoff,
365 const struct tcphdr *tcph)
367 /* XXX Should I use payload length field in IP/IPv6 header ?
369 return (seq + len - dataoff - tcph->doff*4
370 + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0));
373 /* Fixme: what about big packets? */
374 #define MAXACKWINCONST 66000
375 #define MAXACKWINDOW(sender) \
376 ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin \
380 * Simplified tcp_parse_options routine from tcp_input.c
382 static void tcp_options(const struct sk_buff *skb,
383 unsigned int dataoff,
384 const struct tcphdr *tcph,
385 struct ip_ct_tcp_state *state)
387 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
388 const unsigned char *ptr;
389 int length = (tcph->doff*4) - sizeof(struct tcphdr);
394 ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr),
408 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
413 if (opsize < 2) /* "silly options" */
416 return; /* don't parse partial options */
418 if (opcode == TCPOPT_SACK_PERM
419 && opsize == TCPOLEN_SACK_PERM)
420 state->flags |= IP_CT_TCP_FLAG_SACK_PERM;
421 else if (opcode == TCPOPT_WINDOW
422 && opsize == TCPOLEN_WINDOW) {
423 state->td_scale = *(u_int8_t *)ptr;
425 if (state->td_scale > 14) {
427 state->td_scale = 14;
430 IP_CT_TCP_FLAG_WINDOW_SCALE;
438 static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
439 const struct tcphdr *tcph, __u32 *sack)
441 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
442 const unsigned char *ptr;
443 int length = (tcph->doff*4) - sizeof(struct tcphdr);
449 ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr),
453 /* Fast path for timestamp-only option */
454 if (length == TCPOLEN_TSTAMP_ALIGNED
455 && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24)
457 | (TCPOPT_TIMESTAMP << 8)
458 | TCPOLEN_TIMESTAMP))
468 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
473 if (opsize < 2) /* "silly options" */
476 return; /* don't parse partial options */
478 if (opcode == TCPOPT_SACK
479 && opsize >= (TCPOLEN_SACK_BASE
480 + TCPOLEN_SACK_PERBLOCK)
481 && !((opsize - TCPOLEN_SACK_BASE)
482 % TCPOLEN_SACK_PERBLOCK)) {
484 i < (opsize - TCPOLEN_SACK_BASE);
485 i += TCPOLEN_SACK_PERBLOCK) {
486 tmp = get_unaligned_be32((__be32 *)(ptr+i)+1);
488 if (after(tmp, *sack))
499 static bool tcp_in_window(const struct nf_conn *ct,
500 struct ip_ct_tcp *state,
501 enum ip_conntrack_dir dir,
503 const struct sk_buff *skb,
504 unsigned int dataoff,
505 const struct tcphdr *tcph,
508 struct net *net = nf_ct_net(ct);
509 struct nf_tcp_net *tn = tcp_pernet(net);
510 struct ip_ct_tcp_state *sender = &state->seen[dir];
511 struct ip_ct_tcp_state *receiver = &state->seen[!dir];
512 const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
513 __u32 seq, ack, sack, end, win, swin;
515 bool res, in_recv_win;
518 * Get the required data from the packet.
520 seq = ntohl(tcph->seq);
521 ack = sack = ntohl(tcph->ack_seq);
522 win = ntohs(tcph->window);
523 end = segment_seq_plus_len(seq, skb->len, dataoff, tcph);
525 if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM)
526 tcp_sack(skb, dataoff, tcph, &sack);
528 /* Take into account NAT sequence number mangling */
529 receiver_offset = nf_ct_seq_offset(ct, !dir, ack - 1);
530 ack -= receiver_offset;
531 sack -= receiver_offset;
533 pr_debug("tcp_in_window: START\n");
534 pr_debug("tcp_in_window: ");
535 nf_ct_dump_tuple(tuple);
536 pr_debug("seq=%u ack=%u+(%d) sack=%u+(%d) win=%u end=%u\n",
537 seq, ack, receiver_offset, sack, receiver_offset, win, end);
538 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
539 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
540 sender->td_end, sender->td_maxend, sender->td_maxwin,
542 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
545 if (sender->td_maxwin == 0) {
547 * Initialize sender data.
551 * SYN-ACK in reply to a SYN
552 * or SYN from reply direction in simultaneous open.
555 sender->td_maxend = end;
556 sender->td_maxwin = (win == 0 ? 1 : win);
558 tcp_options(skb, dataoff, tcph, sender);
561 * Both sides must send the Window Scale option
562 * to enable window scaling in either direction.
564 if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE
565 && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE))
567 receiver->td_scale = 0;
569 /* Simultaneous open */
573 * We are in the middle of a connection,
574 * its history is lost for us.
575 * Let's try to use the data from the packet.
577 sender->td_end = end;
578 swin = win << sender->td_scale;
579 sender->td_maxwin = (swin == 0 ? 1 : swin);
580 sender->td_maxend = end + sender->td_maxwin;
582 * We haven't seen traffic in the other direction yet
583 * but we have to tweak window tracking to pass III
584 * and IV until that happens.
586 if (receiver->td_maxwin == 0)
587 receiver->td_end = receiver->td_maxend = sack;
589 } else if (((state->state == TCP_CONNTRACK_SYN_SENT
590 && dir == IP_CT_DIR_ORIGINAL)
591 || (state->state == TCP_CONNTRACK_SYN_RECV
592 && dir == IP_CT_DIR_REPLY))
593 && after(end, sender->td_end)) {
595 * RFC 793: "if a TCP is reinitialized ... then it need
596 * not wait at all; it must only be sure to use sequence
597 * numbers larger than those recently used."
600 sender->td_maxend = end;
601 sender->td_maxwin = (win == 0 ? 1 : win);
603 tcp_options(skb, dataoff, tcph, sender);
608 * If there is no ACK, just pretend it was set and OK.
610 ack = sack = receiver->td_end;
611 } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) ==
612 (TCP_FLAG_ACK|TCP_FLAG_RST))
615 * Broken TCP stacks, that set ACK in RST packets as well
616 * with zero ack value.
618 ack = sack = receiver->td_end;
621 if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
623 * RST sent answering SYN.
625 seq = end = sender->td_end;
627 pr_debug("tcp_in_window: ");
628 nf_ct_dump_tuple(tuple);
629 pr_debug("seq=%u ack=%u+(%d) sack=%u+(%d) win=%u end=%u\n",
630 seq, ack, receiver_offset, sack, receiver_offset, win, end);
631 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
632 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
633 sender->td_end, sender->td_maxend, sender->td_maxwin,
635 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
638 /* Is the ending sequence in the receive window (if available)? */
639 in_recv_win = !receiver->td_maxwin ||
640 after(end, sender->td_end - receiver->td_maxwin - 1);
642 pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
643 before(seq, sender->td_maxend + 1),
644 (in_recv_win ? 1 : 0),
645 before(sack, receiver->td_end + 1),
646 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
648 if (before(seq, sender->td_maxend + 1) &&
650 before(sack, receiver->td_end + 1) &&
651 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
653 * Take into account window scaling (RFC 1323).
656 win <<= sender->td_scale;
659 * Update sender data.
661 swin = win + (sack - ack);
662 if (sender->td_maxwin < swin)
663 sender->td_maxwin = swin;
664 if (after(end, sender->td_end)) {
665 sender->td_end = end;
666 sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
669 if (!(sender->flags & IP_CT_TCP_FLAG_MAXACK_SET)) {
670 sender->td_maxack = ack;
671 sender->flags |= IP_CT_TCP_FLAG_MAXACK_SET;
672 } else if (after(ack, sender->td_maxack))
673 sender->td_maxack = ack;
677 * Update receiver data.
679 if (receiver->td_maxwin != 0 && after(end, sender->td_maxend))
680 receiver->td_maxwin += end - sender->td_maxend;
681 if (after(sack + win, receiver->td_maxend - 1)) {
682 receiver->td_maxend = sack + win;
684 receiver->td_maxend++;
686 if (ack == receiver->td_end)
687 receiver->flags &= ~IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
690 * Check retransmissions.
692 if (index == TCP_ACK_SET) {
693 if (state->last_dir == dir
694 && state->last_seq == seq
695 && state->last_ack == ack
696 && state->last_end == end
697 && state->last_win == win)
700 state->last_dir = dir;
701 state->last_seq = seq;
702 state->last_ack = ack;
703 state->last_end = end;
704 state->last_win = win;
711 if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL ||
714 if (!res && LOG_INVALID(net, IPPROTO_TCP))
715 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
717 before(seq, sender->td_maxend + 1) ?
719 before(sack, receiver->td_end + 1) ?
720 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1) ? "BUG"
721 : "ACK is under the lower bound (possible overly delayed ACK)"
722 : "ACK is over the upper bound (ACKed data not seen yet)"
723 : "SEQ is under the lower bound (already ACKed data retransmitted)"
724 : "SEQ is over the upper bound (over the window of the receiver)");
727 pr_debug("tcp_in_window: res=%u sender end=%u maxend=%u maxwin=%u "
728 "receiver end=%u maxend=%u maxwin=%u\n",
729 res, sender->td_end, sender->td_maxend, sender->td_maxwin,
730 receiver->td_end, receiver->td_maxend, receiver->td_maxwin);
735 /* table of valid flag combinations - PUSH, ECE and CWR are always valid */
736 static const u8 tcp_valid_flags[(TCPHDR_FIN|TCPHDR_SYN|TCPHDR_RST|TCPHDR_ACK|
740 [TCPHDR_SYN|TCPHDR_URG] = 1,
741 [TCPHDR_SYN|TCPHDR_ACK] = 1,
743 [TCPHDR_RST|TCPHDR_ACK] = 1,
744 [TCPHDR_FIN|TCPHDR_ACK] = 1,
745 [TCPHDR_FIN|TCPHDR_ACK|TCPHDR_URG] = 1,
747 [TCPHDR_ACK|TCPHDR_URG] = 1,
750 /* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */
751 static int tcp_error(struct net *net, struct nf_conn *tmpl,
753 unsigned int dataoff,
754 enum ip_conntrack_info *ctinfo,
756 unsigned int hooknum)
758 const struct tcphdr *th;
760 unsigned int tcplen = skb->len - dataoff;
763 /* Smaller that minimal TCP header? */
764 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
766 if (LOG_INVALID(net, IPPROTO_TCP))
767 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
768 "nf_ct_tcp: short packet ");
772 /* Not whole TCP header or malformed packet */
773 if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) {
774 if (LOG_INVALID(net, IPPROTO_TCP))
775 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
776 "nf_ct_tcp: truncated/malformed packet ");
780 /* Checksum invalid? Ignore.
781 * We skip checking packets on the outgoing path
782 * because the checksum is assumed to be correct.
784 /* FIXME: Source route IP option packets --RR */
785 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
786 nf_checksum(skb, hooknum, dataoff, IPPROTO_TCP, pf)) {
787 if (LOG_INVALID(net, IPPROTO_TCP))
788 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
789 "nf_ct_tcp: bad TCP checksum ");
793 /* Check TCP flags. */
794 tcpflags = (tcp_flag_byte(th) & ~(TCPHDR_ECE|TCPHDR_CWR|TCPHDR_PSH));
795 if (!tcp_valid_flags[tcpflags]) {
796 if (LOG_INVALID(net, IPPROTO_TCP))
797 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
798 "nf_ct_tcp: invalid TCP flag combination ");
805 static unsigned int *tcp_get_timeouts(struct net *net)
807 return tcp_pernet(net)->timeouts;
810 /* Returns verdict for packet, or -1 for invalid. */
811 static int tcp_packet(struct nf_conn *ct,
812 const struct sk_buff *skb,
813 unsigned int dataoff,
814 enum ip_conntrack_info ctinfo,
816 unsigned int hooknum,
817 unsigned int *timeouts)
819 struct net *net = nf_ct_net(ct);
820 struct nf_tcp_net *tn = tcp_pernet(net);
821 struct nf_conntrack_tuple *tuple;
822 enum tcp_conntrack new_state, old_state;
823 enum ip_conntrack_dir dir;
824 const struct tcphdr *th;
826 unsigned long timeout;
829 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
832 spin_lock_bh(&ct->lock);
833 old_state = ct->proto.tcp.state;
834 dir = CTINFO2DIR(ctinfo);
835 index = get_conntrack_index(th);
836 new_state = tcp_conntracks[dir][index][old_state];
837 tuple = &ct->tuplehash[dir].tuple;
840 case TCP_CONNTRACK_SYN_SENT:
841 if (old_state < TCP_CONNTRACK_TIME_WAIT)
843 /* RFC 1122: "When a connection is closed actively,
844 * it MUST linger in TIME-WAIT state for a time 2xMSL
845 * (Maximum Segment Lifetime). However, it MAY accept
846 * a new SYN from the remote TCP to reopen the connection
847 * directly from TIME-WAIT state, if..."
848 * We ignore the conditions because we are in the
849 * TIME-WAIT state anyway.
851 * Handle aborted connections: we and the server
852 * think there is an existing connection but the client
853 * aborts it and starts a new one.
855 if (((ct->proto.tcp.seen[dir].flags
856 | ct->proto.tcp.seen[!dir].flags)
857 & IP_CT_TCP_FLAG_CLOSE_INIT)
858 || (ct->proto.tcp.last_dir == dir
859 && ct->proto.tcp.last_index == TCP_RST_SET)) {
860 /* Attempt to reopen a closed/aborted connection.
861 * Delete this connection and look up again. */
862 spin_unlock_bh(&ct->lock);
864 /* Only repeat if we can actually remove the timer.
865 * Destruction may already be in progress in process
866 * context and we must give it a chance to terminate.
873 case TCP_CONNTRACK_IGNORE:
876 * Our connection entry may be out of sync, so ignore
877 * packets which may signal the real connection between
878 * the client and the server.
881 * b) SYN/ACK in REPLY
882 * c) ACK in reply direction after initial SYN in original.
884 * If the ignored packet is invalid, the receiver will send
885 * a RST we'll catch below.
887 if (index == TCP_SYNACK_SET
888 && ct->proto.tcp.last_index == TCP_SYN_SET
889 && ct->proto.tcp.last_dir != dir
890 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
891 /* b) This SYN/ACK acknowledges a SYN that we earlier
892 * ignored as invalid. This means that the client and
893 * the server are both in sync, while the firewall is
894 * not. We get in sync from the previously annotated
897 old_state = TCP_CONNTRACK_SYN_SENT;
898 new_state = TCP_CONNTRACK_SYN_RECV;
899 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_end =
900 ct->proto.tcp.last_end;
901 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxend =
902 ct->proto.tcp.last_end;
903 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxwin =
904 ct->proto.tcp.last_win == 0 ?
905 1 : ct->proto.tcp.last_win;
906 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale =
907 ct->proto.tcp.last_wscale;
908 ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
909 ct->proto.tcp.last_flags;
910 memset(&ct->proto.tcp.seen[dir], 0,
911 sizeof(struct ip_ct_tcp_state));
914 ct->proto.tcp.last_index = index;
915 ct->proto.tcp.last_dir = dir;
916 ct->proto.tcp.last_seq = ntohl(th->seq);
917 ct->proto.tcp.last_end =
918 segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th);
919 ct->proto.tcp.last_win = ntohs(th->window);
921 /* a) This is a SYN in ORIGINAL. The client and the server
922 * may be in sync but we are not. In that case, we annotate
923 * the TCP options and let the packet go through. If it is a
924 * valid SYN packet, the server will reply with a SYN/ACK, and
925 * then we'll get in sync. Otherwise, the server ignores it. */
926 if (index == TCP_SYN_SET && dir == IP_CT_DIR_ORIGINAL) {
927 struct ip_ct_tcp_state seen = {};
929 ct->proto.tcp.last_flags =
930 ct->proto.tcp.last_wscale = 0;
931 tcp_options(skb, dataoff, th, &seen);
932 if (seen.flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
933 ct->proto.tcp.last_flags |=
934 IP_CT_TCP_FLAG_WINDOW_SCALE;
935 ct->proto.tcp.last_wscale = seen.td_scale;
937 if (seen.flags & IP_CT_TCP_FLAG_SACK_PERM) {
938 ct->proto.tcp.last_flags |=
939 IP_CT_TCP_FLAG_SACK_PERM;
942 spin_unlock_bh(&ct->lock);
943 if (LOG_INVALID(net, IPPROTO_TCP))
944 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
945 "nf_ct_tcp: invalid packet ignored in "
946 "state %s ", tcp_conntrack_names[old_state]);
948 case TCP_CONNTRACK_MAX:
950 pr_debug("nf_ct_tcp: Invalid dir=%i index=%u ostate=%u\n",
951 dir, get_conntrack_index(th), old_state);
952 spin_unlock_bh(&ct->lock);
953 if (LOG_INVALID(net, IPPROTO_TCP))
954 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
955 "nf_ct_tcp: invalid state ");
957 case TCP_CONNTRACK_CLOSE:
958 if (index == TCP_RST_SET
959 && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
960 && before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)) {
962 spin_unlock_bh(&ct->lock);
963 if (LOG_INVALID(net, IPPROTO_TCP))
964 nf_log_packet(net, pf, 0, skb, NULL, NULL,
965 NULL, "nf_ct_tcp: invalid RST ");
968 if (index == TCP_RST_SET
969 && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
970 && ct->proto.tcp.last_index == TCP_SYN_SET)
971 || (!test_bit(IPS_ASSURED_BIT, &ct->status)
972 && ct->proto.tcp.last_index == TCP_ACK_SET))
973 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
974 /* RST sent to invalid SYN or ACK we had let through
975 * at a) and c) above:
977 * a) SYN was in window then
978 * c) we hold a half-open connection.
980 * Delete our connection entry.
981 * We skip window checking, because packet might ACK
982 * segments we ignored. */
985 /* Just fall through */
987 /* Keep compilers happy. */
991 if (!tcp_in_window(ct, &ct->proto.tcp, dir, index,
992 skb, dataoff, th, pf)) {
993 spin_unlock_bh(&ct->lock);
997 /* From now on we have got in-window packets */
998 ct->proto.tcp.last_index = index;
999 ct->proto.tcp.last_dir = dir;
1001 pr_debug("tcp_conntracks: ");
1002 nf_ct_dump_tuple(tuple);
1003 pr_debug("syn=%i ack=%i fin=%i rst=%i old=%i new=%i\n",
1004 (th->syn ? 1 : 0), (th->ack ? 1 : 0),
1005 (th->fin ? 1 : 0), (th->rst ? 1 : 0),
1006 old_state, new_state);
1008 ct->proto.tcp.state = new_state;
1009 if (old_state != new_state
1010 && new_state == TCP_CONNTRACK_FIN_WAIT)
1011 ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
1013 if (ct->proto.tcp.retrans >= tn->tcp_max_retrans &&
1014 timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
1015 timeout = timeouts[TCP_CONNTRACK_RETRANS];
1016 else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) &
1017 IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&
1018 timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK])
1019 timeout = timeouts[TCP_CONNTRACK_UNACK];
1021 timeout = timeouts[new_state];
1022 spin_unlock_bh(&ct->lock);
1024 if (new_state != old_state)
1025 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
1027 if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
1028 /* If only reply is a RST, we can consider ourselves not to
1029 have an established connection: this is a fairly common
1030 problem case, so we can delete the conntrack
1031 immediately. --RR */
1033 nf_ct_kill_acct(ct, ctinfo, skb);
1036 /* ESTABLISHED without SEEN_REPLY, i.e. mid-connection
1037 * pickup with loose=1. Avoid large ESTABLISHED timeout.
1039 if (new_state == TCP_CONNTRACK_ESTABLISHED &&
1040 timeout > timeouts[TCP_CONNTRACK_UNACK])
1041 timeout = timeouts[TCP_CONNTRACK_UNACK];
1042 } else if (!test_bit(IPS_ASSURED_BIT, &ct->status)
1043 && (old_state == TCP_CONNTRACK_SYN_RECV
1044 || old_state == TCP_CONNTRACK_ESTABLISHED)
1045 && new_state == TCP_CONNTRACK_ESTABLISHED) {
1046 /* Set ASSURED if we see see valid ack in ESTABLISHED
1047 after SYN_RECV or a valid answer for a picked up
1049 set_bit(IPS_ASSURED_BIT, &ct->status);
1050 nf_conntrack_event_cache(IPCT_ASSURED, ct);
1052 nf_ct_refresh_acct(ct, ctinfo, skb, timeout);
1057 /* Called when a new connection for this protocol found. */
1058 static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
1059 unsigned int dataoff, unsigned int *timeouts)
1061 enum tcp_conntrack new_state;
1062 const struct tcphdr *th;
1063 struct tcphdr _tcph;
1064 struct net *net = nf_ct_net(ct);
1065 struct nf_tcp_net *tn = tcp_pernet(net);
1066 const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
1067 const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
1069 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
1072 /* Don't need lock here: this conntrack not in circulation yet */
1073 new_state = tcp_conntracks[0][get_conntrack_index(th)][TCP_CONNTRACK_NONE];
1075 /* Invalid: delete conntrack */
1076 if (new_state >= TCP_CONNTRACK_MAX) {
1077 pr_debug("nf_ct_tcp: invalid new deleting.\n");
1081 if (new_state == TCP_CONNTRACK_SYN_SENT) {
1082 memset(&ct->proto.tcp, 0, sizeof(ct->proto.tcp));
1084 ct->proto.tcp.seen[0].td_end =
1085 segment_seq_plus_len(ntohl(th->seq), skb->len,
1087 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
1088 if (ct->proto.tcp.seen[0].td_maxwin == 0)
1089 ct->proto.tcp.seen[0].td_maxwin = 1;
1090 ct->proto.tcp.seen[0].td_maxend =
1091 ct->proto.tcp.seen[0].td_end;
1093 tcp_options(skb, dataoff, th, &ct->proto.tcp.seen[0]);
1094 } else if (tn->tcp_loose == 0) {
1095 /* Don't try to pick up connections. */
1098 memset(&ct->proto.tcp, 0, sizeof(ct->proto.tcp));
1100 * We are in the middle of a connection,
1101 * its history is lost for us.
1102 * Let's try to use the data from the packet.
1104 ct->proto.tcp.seen[0].td_end =
1105 segment_seq_plus_len(ntohl(th->seq), skb->len,
1107 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
1108 if (ct->proto.tcp.seen[0].td_maxwin == 0)
1109 ct->proto.tcp.seen[0].td_maxwin = 1;
1110 ct->proto.tcp.seen[0].td_maxend =
1111 ct->proto.tcp.seen[0].td_end +
1112 ct->proto.tcp.seen[0].td_maxwin;
1114 /* We assume SACK and liberal window checking to handle
1116 ct->proto.tcp.seen[0].flags =
1117 ct->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM |
1118 IP_CT_TCP_FLAG_BE_LIBERAL;
1121 /* tcp_packet will set them */
1122 ct->proto.tcp.last_index = TCP_NONE_SET;
1124 pr_debug("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i "
1125 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
1126 sender->td_end, sender->td_maxend, sender->td_maxwin,
1128 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
1129 receiver->td_scale);
1133 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
1135 #include <linux/netfilter/nfnetlink.h>
1136 #include <linux/netfilter/nfnetlink_conntrack.h>
1138 static int tcp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
1141 struct nlattr *nest_parms;
1142 struct nf_ct_tcp_flags tmp = {};
1144 spin_lock_bh(&ct->lock);
1145 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_TCP | NLA_F_NESTED);
1147 goto nla_put_failure;
1149 if (nla_put_u8(skb, CTA_PROTOINFO_TCP_STATE, ct->proto.tcp.state) ||
1150 nla_put_u8(skb, CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
1151 ct->proto.tcp.seen[0].td_scale) ||
1152 nla_put_u8(skb, CTA_PROTOINFO_TCP_WSCALE_REPLY,
1153 ct->proto.tcp.seen[1].td_scale))
1154 goto nla_put_failure;
1156 tmp.flags = ct->proto.tcp.seen[0].flags;
1157 if (nla_put(skb, CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
1158 sizeof(struct nf_ct_tcp_flags), &tmp))
1159 goto nla_put_failure;
1161 tmp.flags = ct->proto.tcp.seen[1].flags;
1162 if (nla_put(skb, CTA_PROTOINFO_TCP_FLAGS_REPLY,
1163 sizeof(struct nf_ct_tcp_flags), &tmp))
1164 goto nla_put_failure;
1165 spin_unlock_bh(&ct->lock);
1167 nla_nest_end(skb, nest_parms);
1172 spin_unlock_bh(&ct->lock);
1176 static const struct nla_policy tcp_nla_policy[CTA_PROTOINFO_TCP_MAX+1] = {
1177 [CTA_PROTOINFO_TCP_STATE] = { .type = NLA_U8 },
1178 [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = { .type = NLA_U8 },
1179 [CTA_PROTOINFO_TCP_WSCALE_REPLY] = { .type = NLA_U8 },
1180 [CTA_PROTOINFO_TCP_FLAGS_ORIGINAL] = { .len = sizeof(struct nf_ct_tcp_flags) },
1181 [CTA_PROTOINFO_TCP_FLAGS_REPLY] = { .len = sizeof(struct nf_ct_tcp_flags) },
1184 static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
1186 struct nlattr *pattr = cda[CTA_PROTOINFO_TCP];
1187 struct nlattr *tb[CTA_PROTOINFO_TCP_MAX+1];
1190 /* updates could not contain anything about the private
1191 * protocol info, in that case skip the parsing */
1195 err = nla_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, pattr, tcp_nla_policy);
1199 if (tb[CTA_PROTOINFO_TCP_STATE] &&
1200 nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX)
1203 spin_lock_bh(&ct->lock);
1204 if (tb[CTA_PROTOINFO_TCP_STATE])
1205 ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);
1207 if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]) {
1208 struct nf_ct_tcp_flags *attr =
1209 nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]);
1210 ct->proto.tcp.seen[0].flags &= ~attr->mask;
1211 ct->proto.tcp.seen[0].flags |= attr->flags & attr->mask;
1214 if (tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]) {
1215 struct nf_ct_tcp_flags *attr =
1216 nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]);
1217 ct->proto.tcp.seen[1].flags &= ~attr->mask;
1218 ct->proto.tcp.seen[1].flags |= attr->flags & attr->mask;
1221 if (tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] &&
1222 tb[CTA_PROTOINFO_TCP_WSCALE_REPLY] &&
1223 ct->proto.tcp.seen[0].flags & IP_CT_TCP_FLAG_WINDOW_SCALE &&
1224 ct->proto.tcp.seen[1].flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
1225 ct->proto.tcp.seen[0].td_scale =
1226 nla_get_u8(tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL]);
1227 ct->proto.tcp.seen[1].td_scale =
1228 nla_get_u8(tb[CTA_PROTOINFO_TCP_WSCALE_REPLY]);
1230 spin_unlock_bh(&ct->lock);
1235 static int tcp_nlattr_size(void)
1237 return nla_total_size(0) /* CTA_PROTOINFO_TCP */
1238 + nla_policy_len(tcp_nla_policy, CTA_PROTOINFO_TCP_MAX + 1);
1241 static int tcp_nlattr_tuple_size(void)
1243 return nla_policy_len(nf_ct_port_nla_policy, CTA_PROTO_MAX + 1);
1247 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
1249 #include <linux/netfilter/nfnetlink.h>
1250 #include <linux/netfilter/nfnetlink_cttimeout.h>
1252 static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[],
1253 struct net *net, void *data)
1255 unsigned int *timeouts = data;
1256 struct nf_tcp_net *tn = tcp_pernet(net);
1259 /* set default TCP timeouts. */
1260 for (i=0; i<TCP_CONNTRACK_TIMEOUT_MAX; i++)
1261 timeouts[i] = tn->timeouts[i];
1263 if (tb[CTA_TIMEOUT_TCP_SYN_SENT]) {
1264 timeouts[TCP_CONNTRACK_SYN_SENT] =
1265 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_SENT]))*HZ;
1267 if (tb[CTA_TIMEOUT_TCP_SYN_RECV]) {
1268 timeouts[TCP_CONNTRACK_SYN_RECV] =
1269 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_RECV]))*HZ;
1271 if (tb[CTA_TIMEOUT_TCP_ESTABLISHED]) {
1272 timeouts[TCP_CONNTRACK_ESTABLISHED] =
1273 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_ESTABLISHED]))*HZ;
1275 if (tb[CTA_TIMEOUT_TCP_FIN_WAIT]) {
1276 timeouts[TCP_CONNTRACK_FIN_WAIT] =
1277 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_FIN_WAIT]))*HZ;
1279 if (tb[CTA_TIMEOUT_TCP_CLOSE_WAIT]) {
1280 timeouts[TCP_CONNTRACK_CLOSE_WAIT] =
1281 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_CLOSE_WAIT]))*HZ;
1283 if (tb[CTA_TIMEOUT_TCP_LAST_ACK]) {
1284 timeouts[TCP_CONNTRACK_LAST_ACK] =
1285 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_LAST_ACK]))*HZ;
1287 if (tb[CTA_TIMEOUT_TCP_TIME_WAIT]) {
1288 timeouts[TCP_CONNTRACK_TIME_WAIT] =
1289 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_TIME_WAIT]))*HZ;
1291 if (tb[CTA_TIMEOUT_TCP_CLOSE]) {
1292 timeouts[TCP_CONNTRACK_CLOSE] =
1293 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_CLOSE]))*HZ;
1295 if (tb[CTA_TIMEOUT_TCP_SYN_SENT2]) {
1296 timeouts[TCP_CONNTRACK_SYN_SENT2] =
1297 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_SENT2]))*HZ;
1299 if (tb[CTA_TIMEOUT_TCP_RETRANS]) {
1300 timeouts[TCP_CONNTRACK_RETRANS] =
1301 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_RETRANS]))*HZ;
1303 if (tb[CTA_TIMEOUT_TCP_UNACK]) {
1304 timeouts[TCP_CONNTRACK_UNACK] =
1305 ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_UNACK]))*HZ;
1311 tcp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
1313 const unsigned int *timeouts = data;
1315 if (nla_put_be32(skb, CTA_TIMEOUT_TCP_SYN_SENT,
1316 htonl(timeouts[TCP_CONNTRACK_SYN_SENT] / HZ)) ||
1317 nla_put_be32(skb, CTA_TIMEOUT_TCP_SYN_RECV,
1318 htonl(timeouts[TCP_CONNTRACK_SYN_RECV] / HZ)) ||
1319 nla_put_be32(skb, CTA_TIMEOUT_TCP_ESTABLISHED,
1320 htonl(timeouts[TCP_CONNTRACK_ESTABLISHED] / HZ)) ||
1321 nla_put_be32(skb, CTA_TIMEOUT_TCP_FIN_WAIT,
1322 htonl(timeouts[TCP_CONNTRACK_FIN_WAIT] / HZ)) ||
1323 nla_put_be32(skb, CTA_TIMEOUT_TCP_CLOSE_WAIT,
1324 htonl(timeouts[TCP_CONNTRACK_CLOSE_WAIT] / HZ)) ||
1325 nla_put_be32(skb, CTA_TIMEOUT_TCP_LAST_ACK,
1326 htonl(timeouts[TCP_CONNTRACK_LAST_ACK] / HZ)) ||
1327 nla_put_be32(skb, CTA_TIMEOUT_TCP_TIME_WAIT,
1328 htonl(timeouts[TCP_CONNTRACK_TIME_WAIT] / HZ)) ||
1329 nla_put_be32(skb, CTA_TIMEOUT_TCP_CLOSE,
1330 htonl(timeouts[TCP_CONNTRACK_CLOSE] / HZ)) ||
1331 nla_put_be32(skb, CTA_TIMEOUT_TCP_SYN_SENT2,
1332 htonl(timeouts[TCP_CONNTRACK_SYN_SENT2] / HZ)) ||
1333 nla_put_be32(skb, CTA_TIMEOUT_TCP_RETRANS,
1334 htonl(timeouts[TCP_CONNTRACK_RETRANS] / HZ)) ||
1335 nla_put_be32(skb, CTA_TIMEOUT_TCP_UNACK,
1336 htonl(timeouts[TCP_CONNTRACK_UNACK] / HZ)))
1337 goto nla_put_failure;
1344 static const struct nla_policy tcp_timeout_nla_policy[CTA_TIMEOUT_TCP_MAX+1] = {
1345 [CTA_TIMEOUT_TCP_SYN_SENT] = { .type = NLA_U32 },
1346 [CTA_TIMEOUT_TCP_SYN_RECV] = { .type = NLA_U32 },
1347 [CTA_TIMEOUT_TCP_ESTABLISHED] = { .type = NLA_U32 },
1348 [CTA_TIMEOUT_TCP_FIN_WAIT] = { .type = NLA_U32 },
1349 [CTA_TIMEOUT_TCP_CLOSE_WAIT] = { .type = NLA_U32 },
1350 [CTA_TIMEOUT_TCP_LAST_ACK] = { .type = NLA_U32 },
1351 [CTA_TIMEOUT_TCP_TIME_WAIT] = { .type = NLA_U32 },
1352 [CTA_TIMEOUT_TCP_CLOSE] = { .type = NLA_U32 },
1353 [CTA_TIMEOUT_TCP_SYN_SENT2] = { .type = NLA_U32 },
1354 [CTA_TIMEOUT_TCP_RETRANS] = { .type = NLA_U32 },
1355 [CTA_TIMEOUT_TCP_UNACK] = { .type = NLA_U32 },
1357 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
1359 #ifdef CONFIG_SYSCTL
1360 static struct ctl_table tcp_sysctl_table[] = {
1362 .procname = "nf_conntrack_tcp_timeout_syn_sent",
1363 .maxlen = sizeof(unsigned int),
1365 .proc_handler = proc_dointvec_jiffies,
1368 .procname = "nf_conntrack_tcp_timeout_syn_recv",
1369 .maxlen = sizeof(unsigned int),
1371 .proc_handler = proc_dointvec_jiffies,
1374 .procname = "nf_conntrack_tcp_timeout_established",
1375 .maxlen = sizeof(unsigned int),
1377 .proc_handler = proc_dointvec_jiffies,
1380 .procname = "nf_conntrack_tcp_timeout_fin_wait",
1381 .maxlen = sizeof(unsigned int),
1383 .proc_handler = proc_dointvec_jiffies,
1386 .procname = "nf_conntrack_tcp_timeout_close_wait",
1387 .maxlen = sizeof(unsigned int),
1389 .proc_handler = proc_dointvec_jiffies,
1392 .procname = "nf_conntrack_tcp_timeout_last_ack",
1393 .maxlen = sizeof(unsigned int),
1395 .proc_handler = proc_dointvec_jiffies,
1398 .procname = "nf_conntrack_tcp_timeout_time_wait",
1399 .maxlen = sizeof(unsigned int),
1401 .proc_handler = proc_dointvec_jiffies,
1404 .procname = "nf_conntrack_tcp_timeout_close",
1405 .maxlen = sizeof(unsigned int),
1407 .proc_handler = proc_dointvec_jiffies,
1410 .procname = "nf_conntrack_tcp_timeout_max_retrans",
1411 .maxlen = sizeof(unsigned int),
1413 .proc_handler = proc_dointvec_jiffies,
1416 .procname = "nf_conntrack_tcp_timeout_unacknowledged",
1417 .maxlen = sizeof(unsigned int),
1419 .proc_handler = proc_dointvec_jiffies,
1422 .procname = "nf_conntrack_tcp_loose",
1423 .maxlen = sizeof(unsigned int),
1425 .proc_handler = proc_dointvec,
1428 .procname = "nf_conntrack_tcp_be_liberal",
1429 .maxlen = sizeof(unsigned int),
1431 .proc_handler = proc_dointvec,
1434 .procname = "nf_conntrack_tcp_max_retrans",
1435 .maxlen = sizeof(unsigned int),
1437 .proc_handler = proc_dointvec,
1442 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
1443 static struct ctl_table tcp_compat_sysctl_table[] = {
1445 .procname = "ip_conntrack_tcp_timeout_syn_sent",
1446 .maxlen = sizeof(unsigned int),
1448 .proc_handler = proc_dointvec_jiffies,
1451 .procname = "ip_conntrack_tcp_timeout_syn_sent2",
1452 .maxlen = sizeof(unsigned int),
1454 .proc_handler = proc_dointvec_jiffies,
1457 .procname = "ip_conntrack_tcp_timeout_syn_recv",
1458 .maxlen = sizeof(unsigned int),
1460 .proc_handler = proc_dointvec_jiffies,
1463 .procname = "ip_conntrack_tcp_timeout_established",
1464 .maxlen = sizeof(unsigned int),
1466 .proc_handler = proc_dointvec_jiffies,
1469 .procname = "ip_conntrack_tcp_timeout_fin_wait",
1470 .maxlen = sizeof(unsigned int),
1472 .proc_handler = proc_dointvec_jiffies,
1475 .procname = "ip_conntrack_tcp_timeout_close_wait",
1476 .maxlen = sizeof(unsigned int),
1478 .proc_handler = proc_dointvec_jiffies,
1481 .procname = "ip_conntrack_tcp_timeout_last_ack",
1482 .maxlen = sizeof(unsigned int),
1484 .proc_handler = proc_dointvec_jiffies,
1487 .procname = "ip_conntrack_tcp_timeout_time_wait",
1488 .maxlen = sizeof(unsigned int),
1490 .proc_handler = proc_dointvec_jiffies,
1493 .procname = "ip_conntrack_tcp_timeout_close",
1494 .maxlen = sizeof(unsigned int),
1496 .proc_handler = proc_dointvec_jiffies,
1499 .procname = "ip_conntrack_tcp_timeout_max_retrans",
1500 .maxlen = sizeof(unsigned int),
1502 .proc_handler = proc_dointvec_jiffies,
1505 .procname = "ip_conntrack_tcp_loose",
1506 .maxlen = sizeof(unsigned int),
1508 .proc_handler = proc_dointvec,
1511 .procname = "ip_conntrack_tcp_be_liberal",
1512 .maxlen = sizeof(unsigned int),
1514 .proc_handler = proc_dointvec,
1517 .procname = "ip_conntrack_tcp_max_retrans",
1518 .maxlen = sizeof(unsigned int),
1520 .proc_handler = proc_dointvec,
1524 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
1525 #endif /* CONFIG_SYSCTL */
1527 static int tcp_kmemdup_sysctl_table(struct nf_proto_net *pn,
1528 struct nf_tcp_net *tn)
1530 #ifdef CONFIG_SYSCTL
1534 pn->ctl_table = kmemdup(tcp_sysctl_table,
1535 sizeof(tcp_sysctl_table),
1540 pn->ctl_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
1541 pn->ctl_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
1542 pn->ctl_table[2].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
1543 pn->ctl_table[3].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
1544 pn->ctl_table[4].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
1545 pn->ctl_table[5].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK];
1546 pn->ctl_table[6].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT];
1547 pn->ctl_table[7].data = &tn->timeouts[TCP_CONNTRACK_CLOSE];
1548 pn->ctl_table[8].data = &tn->timeouts[TCP_CONNTRACK_RETRANS];
1549 pn->ctl_table[9].data = &tn->timeouts[TCP_CONNTRACK_UNACK];
1550 pn->ctl_table[10].data = &tn->tcp_loose;
1551 pn->ctl_table[11].data = &tn->tcp_be_liberal;
1552 pn->ctl_table[12].data = &tn->tcp_max_retrans;
1557 static int tcp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn,
1558 struct nf_tcp_net *tn)
1560 #ifdef CONFIG_SYSCTL
1561 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
1562 pn->ctl_compat_table = kmemdup(tcp_compat_sysctl_table,
1563 sizeof(tcp_compat_sysctl_table),
1565 if (!pn->ctl_compat_table)
1568 pn->ctl_compat_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
1569 pn->ctl_compat_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT2];
1570 pn->ctl_compat_table[2].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
1571 pn->ctl_compat_table[3].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
1572 pn->ctl_compat_table[4].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
1573 pn->ctl_compat_table[5].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
1574 pn->ctl_compat_table[6].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK];
1575 pn->ctl_compat_table[7].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT];
1576 pn->ctl_compat_table[8].data = &tn->timeouts[TCP_CONNTRACK_CLOSE];
1577 pn->ctl_compat_table[9].data = &tn->timeouts[TCP_CONNTRACK_RETRANS];
1578 pn->ctl_compat_table[10].data = &tn->tcp_loose;
1579 pn->ctl_compat_table[11].data = &tn->tcp_be_liberal;
1580 pn->ctl_compat_table[12].data = &tn->tcp_max_retrans;
1586 static int tcp_init_net(struct net *net, u_int16_t proto)
1589 struct nf_tcp_net *tn = tcp_pernet(net);
1590 struct nf_proto_net *pn = &tn->pn;
1595 for (i = 0; i < TCP_CONNTRACK_TIMEOUT_MAX; i++)
1596 tn->timeouts[i] = tcp_timeouts[i];
1598 tn->tcp_loose = nf_ct_tcp_loose;
1599 tn->tcp_be_liberal = nf_ct_tcp_be_liberal;
1600 tn->tcp_max_retrans = nf_ct_tcp_max_retrans;
1603 if (proto == AF_INET) {
1604 ret = tcp_kmemdup_compat_sysctl_table(pn, tn);
1608 ret = tcp_kmemdup_sysctl_table(pn, tn);
1610 nf_ct_kfree_compat_sysctl_table(pn);
1612 ret = tcp_kmemdup_sysctl_table(pn, tn);
1617 static struct nf_proto_net *tcp_get_net_proto(struct net *net)
1619 return &net->ct.nf_ct_proto.tcp.pn;
1622 struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
1625 .l4proto = IPPROTO_TCP,
1627 .pkt_to_tuple = tcp_pkt_to_tuple,
1628 .invert_tuple = tcp_invert_tuple,
1629 .print_tuple = tcp_print_tuple,
1630 .print_conntrack = tcp_print_conntrack,
1631 .packet = tcp_packet,
1632 .get_timeouts = tcp_get_timeouts,
1635 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
1636 .to_nlattr = tcp_to_nlattr,
1637 .nlattr_size = tcp_nlattr_size,
1638 .from_nlattr = nlattr_to_tcp,
1639 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
1640 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
1641 .nlattr_tuple_size = tcp_nlattr_tuple_size,
1642 .nla_policy = nf_ct_port_nla_policy,
1644 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
1646 .nlattr_to_obj = tcp_timeout_nlattr_to_obj,
1647 .obj_to_nlattr = tcp_timeout_obj_to_nlattr,
1648 .nlattr_max = CTA_TIMEOUT_TCP_MAX,
1649 .obj_size = sizeof(unsigned int) *
1650 TCP_CONNTRACK_TIMEOUT_MAX,
1651 .nla_policy = tcp_timeout_nla_policy,
1653 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
1654 .init_net = tcp_init_net,
1655 .get_net_proto = tcp_get_net_proto,
1657 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp4);
1659 struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly =
1661 .l3proto = PF_INET6,
1662 .l4proto = IPPROTO_TCP,
1664 .pkt_to_tuple = tcp_pkt_to_tuple,
1665 .invert_tuple = tcp_invert_tuple,
1666 .print_tuple = tcp_print_tuple,
1667 .print_conntrack = tcp_print_conntrack,
1668 .packet = tcp_packet,
1669 .get_timeouts = tcp_get_timeouts,
1672 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
1673 .to_nlattr = tcp_to_nlattr,
1674 .nlattr_size = tcp_nlattr_size,
1675 .from_nlattr = nlattr_to_tcp,
1676 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
1677 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
1678 .nlattr_tuple_size = tcp_nlattr_tuple_size,
1679 .nla_policy = nf_ct_port_nla_policy,
1681 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
1683 .nlattr_to_obj = tcp_timeout_nlattr_to_obj,
1684 .obj_to_nlattr = tcp_timeout_obj_to_nlattr,
1685 .nlattr_max = CTA_TIMEOUT_TCP_MAX,
1686 .obj_size = sizeof(unsigned int) *
1687 TCP_CONNTRACK_TIMEOUT_MAX,
1688 .nla_policy = tcp_timeout_nla_policy,
1690 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
1691 .init_net = tcp_init_net,
1692 .get_net_proto = tcp_get_net_proto,
1694 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp6);
projects / karo-tx-linux.git / blob