From patchwork Fri Oct 28 20:52:24 2022
X-Patchwork-Submitter: Sriram Yagnaraman
X-Patchwork-Id: 1696482
X-Patchwork-Delegate: pablo@netfilter.org
From: sriram.yagnaraman@est.tech
To: netfilter-devel@vger.kernel.org
Cc: Sriram Yagnaraman
Subject: [PATCH 1/2] netfilter: nf_ct_sctp: introduce no_random_port proc entry
Date: Fri, 28 Oct 2022 22:52:24 +0200
Message-Id: <20221028205225.10189-2-sriram.yagnaraman@est.tech>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221028205225.10189-1-sriram.yagnaraman@est.tech>
References: <20221028205225.10189-1-sriram.yagnaraman@est.tech>
From: Sriram Yagnaraman

This patch introduces a new proc entry to disable source port randomization for SCTP connections.

As specified in RFC 9260, all transport addresses used by an SCTP endpoint MUST use the same port number but can use multiple IP addresses. That means that all paths taken within an SCTP association should have the same port even if they pass through different NAT/middleboxes in the network.

Disabling source port randomization provides a deterministic source port for the remote SCTP endpoint for all paths used in the SCTP association. On NAT/middlebox restarts we will always end up with the same port after the restart, and the SCTP endpoints involved in the SCTP association can remain transparent to restarts.

Of course, there is a downside, as this makes it impossible to have multiple SCTP endpoints behind NAT that use the same source port. But this is less of a problem than losing an existing association altogether.

Signed-off-by: Sriram Yagnaraman
---
 include/net/netns/conntrack.h           |  1 +
 net/netfilter/nf_conntrack_proto_sctp.c |  3 +++
 net/netfilter/nf_conntrack_standalone.c | 13 +++++++++++++
 net/netfilter/nf_nat_core.c             |  8 +++++++-
 4 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index e1290c159184..097bed663805 100644
--- a/include/net/netns/conntrack.h +++ b/include/net/netns/conntrack.h @@ -60,6 +60,7 @@ struct nf_dccp_net { #ifdef CONFIG_NF_CT_PROTO_SCTP struct nf_sctp_net { unsigned int timeouts[SCTP_CONNTRACK_MAX]; + u8 sctp_no_random_port; }; #endif diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index 5a936334b517..5e4d3215dcf6 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c @@ -699,6 +699,9 @@ void nf_conntrack_sctp_init_net(struct net *net) * 'new' timeout, like udp or icmp. */ sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED]; + + /* leave source port randomization as true by default */ + sn->sctp_no_random_port = 0; } const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = { diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 4ffe84c5a82c..e35876ce418d 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -602,6 +602,7 @@ enum nf_ct_sysctl_index { NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT, NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED, + NF_SYSCTL_CT_PROTO_SCTP_NO_RANDOM_PORT, #endif #ifdef CONFIG_NF_CT_PROTO_DCCP NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST, @@ -892,6 +893,14 @@ static struct ctl_table nf_ct_sysctl_table[] = { .mode = 0644, .proc_handler = proc_dointvec_jiffies, }, + [NF_SYSCTL_CT_PROTO_SCTP_NO_RANDOM_PORT] = { + .procname = "nf_conntrack_sctp_no_random_port", + .maxlen = sizeof(u8), + .mode = 0644, + .proc_handler = proc_dou8vec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_ONE, + }, #endif #ifdef CONFIG_NF_CT_PROTO_DCCP [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = { 
@@ -1037,6 +1046,10 @@ static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net, XASSIGN(HEARTBEAT_SENT, sn); XASSIGN(HEARTBEAT_ACKED, sn); #undef XASSIGN +#define XASSIGN(XNAME, rval) \ + table[NF_SYSCTL_CT_PROTO_SCTP_ ## XNAME].data = (rval) + XASSIGN(NO_RANDOM_PORT, &sn->sctp_no_random_port); +#undef XASSIGN #endif } diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c index 18319a6e6806..de0134d99d58 100644 --- a/net/netfilter/nf_nat_core.c +++ b/net/netfilter/nf_nat_core.c 
@@ -422,10 +422,16 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple, } goto find_free_id; #endif + case IPPROTO_SCTP: + /* SCTP port randomization disabled, try to use the same source port + * as in the original packet. Drop packets if another endpoint tries + * to use same source port behind NAT. + */ + if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port) + return; case IPPROTO_UDP: case IPPROTO_UDPLITE: case IPPROTO_TCP: - case IPPROTO_SCTP: case IPPROTO_DCCP: if (maniptype == NF_NAT_MANIP_SRC) keyptr = &tuple->src.u.all;
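Review bot: In the nf_nat_core.c hunk, `nf_sctp_pernet()` and the `sctp_no_random_port` field only exist when CONFIG_NF_CT_PROTO_SCTP is set (the conntrack.h hunk adds the field inside that `#ifdef`), yet the new `case IPPROTO_SCTP:` block is unconditional, so an NF_NAT build without SCTP conntrack will not compile; give it the same kind of `#ifdef` guard as the block whose `#endif` sits directly above it. Two more points in the same block: when the sysctl is off the early `return` leaves an implicit fall-through into `case IPPROTO_UDP:`, which needs a `fallthrough;` statement to keep -Wimplicit-fallthrough quiet, and the return ignores `range->flags` entirely, so a rule that asks for a port range or random ports is silently overridden once the sysctl is set. As far as I recall get_unique_tuple() only calls this function after the unmodified port has already failed its "in range and unused" check, so returning the tuple untouched here means a clashing tuple that the confirm step rejects; that is the drop the comment describes, but it should be spelled out in the commit message, together with the fact that the sysctl overrides per-rule NAT options.

Review bot: The `sn->sctp_no_random_port = 0;` assignment in nf_conntrack_sctp_init_net() is redundant, since the per-netns conntrack area is zeroed when the namespace is allocated, and its comment ("leave source port randomization as true") reads backwards next to an assignment of 0. Either drop the two lines or keep the assignment purely as documentation with a comment that says what 0 means (randomization stays enabled). The double negative in the field name is the root of the confusion; a positively named field in struct nf_sctp_net (which already lives under the SCTP prefix, so the `sctp_` in the name is redundant too) would avoid it.

Review bot: The nf_conntrack_standalone.c sysctl-table hunk adds a user-visible knob, `nf_conntrack_sctp_no_random_port`, but the series touches no documentation (the diffstat lists four source files only); please add it to Documentation/networking/nf_conntrack-sysctl.rst with what 0 and 1 mean and the caveat from the commit message that when two hosts behind the NAT share a source port one of them gets dropped. It is also worth saying there that only the NAT code reads the knob, so it has no effect on a box that tracks SCTP without NATing it.

Review bot: In the nf_conntrack_standalone_init_sctp_sysctl() hunk, re-`#define`-ing XASSIGN with a different expansion immediately after the `#undef` of the previous one, for a single use, hurts readability; a plain assignment of `&sn->sctp_no_random_port` to `table[NF_SYSCTL_CT_PROTO_SCTP_NO_RANDOM_PORT].data` says the same thing without the macro dance.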
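The trade-off the 1/2 commit message describes, worked through as an added example that is not part of the patch or of the kernel: a small model of a source-NAT port allocator, with the kernel-style "keep the original port if the reply tuple is free, otherwise search" policy beside the strict "keep the port or refuse the flow" policy the sysctl selects. The NAT table, the peer addresses (documentation range), port 36412 and the 32768-60999 search range are constructed for the example; `get_unique_tuple()` and `nf_nat_used_tuple()` are the kernel functions the two helpers stand in for, not calls into them.

```c
/* Added example: a model of a source-NAT port allocator for multi-homed
 * SCTP.  Not kernel code.  reply_tuple_used() stands in for
 * nf_nat_used_tuple() and nat_alloc_src_port() for the "try the same port
 * first, else search" logic of get_unique_tuple(); keep_port selects the
 * behaviour the proposed nf_conntrack_sctp_no_random_port sysctl asks for. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MAPPINGS 64
#define EPHEMERAL_LO 32768   /* assumed search range, not read from the kernel */
#define EPHEMERAL_HI 60999

/* One binding; the peer-facing (reply) tuple is what has to stay unique. */
struct mapping {
	uint32_t peer_ip;
	uint16_t peer_port;
	uint16_t ext_port;   /* source port the peer sees */
};

struct nat_table {
	struct mapping m[MAX_MAPPINGS];
	int count;
};

/* Does some binding already answer to peer_ip:peer_port -> NAT:ext_port? */
static bool reply_tuple_used(const struct nat_table *t, uint32_t peer_ip,
			     uint16_t peer_port, uint16_t ext_port)
{
	for (int i = 0; i < t->count; i++)
		if (t->m[i].peer_ip == peer_ip && t->m[i].peer_port == peer_port &&
		    t->m[i].ext_port == ext_port)
			return true;
	return false;
}

/* Pick the external source port for a new flow and record the binding.
 * keep_port == false: prefer the original port, otherwise walk the range.
 * keep_port == true:  original port or nothing (caller drops the packet).
 * Returns the external port, or 0 when the flow is refused. */
static uint16_t nat_alloc_src_port(struct nat_table *t, uint32_t peer_ip,
				   uint16_t peer_port, uint16_t orig_port,
				   bool keep_port)
{
	uint16_t ext = 0;

	if (!reply_tuple_used(t, peer_ip, peer_port, orig_port)) {
		ext = orig_port;
	} else if (!keep_port) {
		for (uint32_t p = EPHEMERAL_LO; p <= EPHEMERAL_HI; p++) {
			if (!reply_tuple_used(t, peer_ip, peer_port, (uint16_t)p)) {
				ext = (uint16_t)p;
				break;
			}
		}
	}
	if (ext == 0 || t->count == MAX_MAPPINGS)
		return 0;
	t->m[t->count].peer_ip = peer_ip;
	t->m[t->count].peer_port = peer_port;
	t->m[t->count].ext_port = ext;
	t->count++;
	return ext;
}

/* Constructed scenario: inner host A has one association with a peer that is
 * reachable at PEER_B1 and PEER_B2 (both on PEER_PORT), from A's port
 * HOST_PORT.  The NAT has just restarted, so its table is empty.  With
 * competitor_first, another inner host C, also using HOST_PORT, talks to
 * PEER_B2 before A's second path comes back.  out[] receives the external
 * port of each of A's paths (0 = refused). */
#define HOST_PORT 36412
#define PEER_PORT 36412
#define PEER_B1   0xC0000201u   /* 192.0.2.1, documentation range */
#define PEER_B2   0xC6336401u   /* 198.51.100.1 */

static void run_restart_scenario(bool competitor_first, bool keep_port,
				 uint16_t out[2])
{
	struct nat_table t;

	memset(&t, 0, sizeof(t));
	if (competitor_first)
		nat_alloc_src_port(&t, PEER_B2, PEER_PORT, HOST_PORT, keep_port);
	out[0] = nat_alloc_src_port(&t, PEER_B1, PEER_PORT, HOST_PORT, keep_port);
	out[1] = nat_alloc_src_port(&t, PEER_B2, PEER_PORT, HOST_PORT, keep_port);
}

/* RFC 9260's requirement as the peer sees it: every live path of one
 * association must present the same port.  A refused path is not live. */
static bool paths_consistent(const uint16_t out[2])
{
	return out[0] == 0 || out[1] == 0 || out[0] == out[1];
}

int main(void)
{
	const bool args[3][2] = { { false, false }, { true, false }, { true, true } };

	for (int i = 0; i < 3; i++) {
		uint16_t out[2];

		run_restart_scenario(args[i][0], args[i][1], out);
		printf("competitor=%d keep_port=%d path1=%u path2=%u consistent=%s\n",
		       args[i][0], args[i][1], out[0], out[1],
		       paths_consistent(out) ? "yes" : "no");
	}
	return 0;
}
```

With an empty table both of A's paths keep port 36412 under either policy. Once C has taken 36412 towards the second peer address, the search policy hands A's second path 32768 while its first path still shows 36412, which is exactly the per-path port divergence the commit message wants to avoid; the strict policy instead refuses A's second path and keeps the association consistent on the surviving one, at the cost the commit message names.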
From: sriram.yagnaraman@est.tech
To: netfilter-devel@vger.kernel.org
Cc: Sriram Yagnaraman
Subject: [PATCH 2/2] netfilter: nf_ct_sctp: add DATA_SENT conntrack state
Date: Fri, 28 Oct 2022 22:52:25 +0200
Message-Id: <20221028205225.10189-3-sriram.yagnaraman@est.tech>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221028205225.10189-1-sriram.yagnaraman@est.tech>
References: <20221028205225.10189-1-sriram.yagnaraman@est.tech>
From: Sriram Yagnaraman

SCTP conntrack currently assumes that the SCTP endpoints will probe secondary paths using HEARTBEAT before sending traffic. But, according to RFC 9260, SCTP endpoints can send any traffic on any of the confirmed paths after the SCTP association is up. SCTP endpoints that send INIT will confirm all peer addresses that the upper layer configures, and the SCTP endpoint that receives COOKIE_ECHO will only confirm the address it sent the INIT_ACK to. So, we can have a situation where the INIT sender can start to use secondary paths without the need to send HEARTBEAT.

This patch allows DATA/SACK packets to create a new connection tracking entry. A new state has been added to indicate that a DATA/SACK chunk has been seen in the original direction - SCTP_CONNTRACK_DATA_SENT. State transitions mostly follow HEARTBEAT_SENT, except on receiving HEARTBEAT/HEARTBEAT_ACK/DATA/SACK in the reply direction.

State transitions in original direction:
- DATA_SENT behaves similarly to HEARTBEAT_SENT for all chunks, except that it remains in DATA_SENT on receiving HEARTBEAT/HEARTBEAT_ACK/DATA/SACK chunks

State transitions in reply direction:
- DATA_SENT behaves similarly to HEARTBEAT_SENT for all chunks, except that it moves to HEARTBEAT_ACKED on receiving HEARTBEAT/HEARTBEAT_ACK/DATA/SACK chunks

Note: This patch still doesn't solve the problem when the SCTP endpoint decides to use primary paths for association establishment but uses a secondary path for association shutdown. We still have to depend on the timeout for connections to expire in such a case.

Signed-off-by: Sriram Yagnaraman
---
 .../uapi/linux/netfilter/nf_conntrack_sctp.h  |   1 +
 .../linux/netfilter/nfnetlink_cttimeout.h     |   1 +
 net/netfilter/nf_conntrack_proto_sctp.c       | 104 ++++++++++--------
 net/netfilter/nf_conntrack_standalone.c       |   8 ++
 4 files changed, 71 insertions(+), 43 deletions(-)
diff --git a/include/uapi/linux/netfilter/nf_conntrack_sctp.h b/include/uapi/linux/netfilter/nf_conntrack_sctp.h index edc6ddab0de6..c742469afe21 100644 --- a/include/uapi/linux/netfilter/nf_conntrack_sctp.h +++ b/include/uapi/linux/netfilter/nf_conntrack_sctp.h @@ -16,6 +16,7 @@ enum sctp_conntrack { SCTP_CONNTRACK_SHUTDOWN_ACK_SENT, SCTP_CONNTRACK_HEARTBEAT_SENT, SCTP_CONNTRACK_HEARTBEAT_ACKED, + SCTP_CONNTRACK_DATA_SENT, SCTP_CONNTRACK_MAX }; diff --git a/include/uapi/linux/netfilter/nfnetlink_cttimeout.h b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h index 6b20fb22717b..94e74034706d 100644 --- a/include/uapi/linux/netfilter/nfnetlink_cttimeout.h +++ b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h @@ -95,6 +95,7 @@ enum ctattr_timeout_sctp { CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, CTA_TIMEOUT_SCTP_HEARTBEAT_SENT, CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED, + CTA_TIMEOUT_SCTP_DATA_SENT, __CTA_TIMEOUT_SCTP_MAX }; #define CTA_TIMEOUT_SCTP_MAX (__CTA_TIMEOUT_SCTP_MAX - 1) diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index 5e4d3215dcf6..d7f11145c7eb 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c @@ -60,6 +60,7 @@ static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = { [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS, [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS, [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS, + [SCTP_CONNTRACK_DATA_SENT] = 30 SECS, }; #define SCTP_FLAG_HEARTBEAT_VTAG_FAILED 1 @@ -74,6 +75,7 @@ static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = { #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT #define sHS SCTP_CONNTRACK_HEARTBEAT_SENT #define sHA SCTP_CONNTRACK_HEARTBEAT_ACKED +#define sDS SCTP_CONNTRACK_DATA_SENT #define sIV SCTP_CONNTRACK_MAX /* 
@@ -90,15 +92,16 @@ COOKIE WAIT - We have seen an INIT chunk in the original direction, or als COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. -SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin. +SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply direction. SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite to that of the SHUTDOWN chunk. CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of the SHUTDOWN chunk. Connection is closed. HEARTBEAT_SENT - We have seen a HEARTBEAT in a new flow. -HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK in the direction opposite to - that of the HEARTBEAT chunk. Secondary connection is - established. +HEARTBEAT_ACKED - We have seen a HEARTBEAT-ACK/DATA/SACK in the direction + opposite to that of the HEARTBEAT/DATA chunk. Secondary connection + is established. +DATA_SENT - We have seen a DATA/SACK in a new flow. */ /* TODO 
@@ -112,36 +115,38 @@ cookie echoed to closed. */ /* SCTP conntrack state transitions */ -static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = { +static const u8 sctp_conntracks[2][12][SCTP_CONNTRACK_MAX] = { { /* ORIGINAL */ -/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */ -/* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA}, -/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA}, -/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, -/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS}, -/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA}, -/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't have Stale cookie*/ -/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* 5.2.4 - Big TODO */ -/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},/* Can't come in orig dir */ -/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA}, -/* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}, -/* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA} +/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS */ +/* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA, sCW}, +/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL}, +/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, +/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS, sCL}, +/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA, sHA, sSA}, +/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* Can't have Stale cookie*/ +/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* 5.2.4 - Big TODO */ +/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA, sCL},/* Can't come in orig dir */ +/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL, sHA, sCL}, +/* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS}, +/* 
heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS}, +/* data/sack */ {sDS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS} }, { /* REPLY */ -/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */ -/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */ -/* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA}, -/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL}, -/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR}, -/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA}, -/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA}, -/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* Can't come in reply dir */ -/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA}, -/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA}, -/* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA}, -/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA} +/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sDS */ +/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV},/* INIT in sCL Big TODO */ +/* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV}, +/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL, sIV}, +/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR, sIV}, +/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA, sIV}, +/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV, sHA, sIV}, +/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA, sIV},/* Can't come in reply dir */ +/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV, sHA, sIV}, +/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV, sHA, sIV}, +/* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA, sHA}, +/* heartbeat_ack*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHA, sHA, sHA}, +/* data/sack */ {sIV, sCL, sCW, sCE, sES, 
sSS, sSR, sSA, sHA, sHA, sHA}, } }; @@ -253,6 +258,11 @@ static int sctp_new_state(enum ip_conntrack_dir dir, pr_debug("SCTP_CID_HEARTBEAT_ACK"); i = 10; break; + case SCTP_CID_DATA: + case SCTP_CID_SACK: + pr_debug("SCTP_CID_DATA/SACK"); + i = 11; + break; default: /* Other chunks like DATA or SACK do not change the state */ pr_debug("Unknown chunk type, Will stay in %s\n", @@ -306,7 +316,9 @@ sctp_new(struct nf_conn *ct, const struct sk_buff *skb, ih->init_tag); ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag; - } else if (sch->type == SCTP_CID_HEARTBEAT) { + } else if (sch->type == SCTP_CID_HEARTBEAT || + sch->type == SCTP_CID_DATA || + sch->type == SCTP_CID_SACK) { pr_debug("Setting vtag %x for secondary conntrack\n", sh->vtag); ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag; @@ -392,19 +404,19 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct, if (!sctp_new(ct, skb, sh, dataoff)) return -NF_ACCEPT; - } - - /* Check the verification tag (Sec 8.5) */ - if (!test_bit(SCTP_CID_INIT, map) && - !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) && - !test_bit(SCTP_CID_COOKIE_ECHO, map) && - !test_bit(SCTP_CID_ABORT, map) && - !test_bit(SCTP_CID_SHUTDOWN_ACK, map) && - !test_bit(SCTP_CID_HEARTBEAT, map) && - !test_bit(SCTP_CID_HEARTBEAT_ACK, map) && - sh->vtag != ct->proto.sctp.vtag[dir]) { - pr_debug("Verification tag check failed\n"); - goto out; + } else { + /* Check the verification tag (Sec 8.5) */ + if (!test_bit(SCTP_CID_INIT, map) && + !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) && + !test_bit(SCTP_CID_COOKIE_ECHO, map) && + !test_bit(SCTP_CID_ABORT, map) && + !test_bit(SCTP_CID_SHUTDOWN_ACK, map) && + !test_bit(SCTP_CID_HEARTBEAT, map) && + !test_bit(SCTP_CID_HEARTBEAT_ACK, map) && + sh->vtag != ct->proto.sctp.vtag[dir]) { + pr_debug("Verification tag check failed\n"); + goto out; + } } old_state = new_state = SCTP_CONNTRACK_NONE; 
@@ -464,6 +476,11 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct, } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; } + } else if (sch->type == SCTP_CID_DATA || sch->type == SCTP_CID_SACK) { + if (ct->proto.sctp.vtag[dir] == 0) { + pr_debug("Setting vtag %x for dir %d\n", sh->vtag, dir); + ct->proto.sctp.vtag[dir] = sh->vtag; + } } old_state = ct->proto.sctp.state; @@ -684,6 +701,7 @@ sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = { [CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 }, [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 }, [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 }, + [CTA_TIMEOUT_SCTP_DATA_SENT] = { .type = NLA_U32 }, }; #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index e35876ce418d..15199f00e33f 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -602,6 +602,7 @@ enum nf_ct_sysctl_index { NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT, NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED, + NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_DATA_SENT, NF_SYSCTL_CT_PROTO_SCTP_NO_RANDOM_PORT, #endif #ifdef CONFIG_NF_CT_PROTO_DCCP @@ -893,6 +894,12 @@ static struct ctl_table nf_ct_sysctl_table[] = { .mode = 0644, .proc_handler = proc_dointvec_jiffies, }, + [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_DATA_SENT] = { + .procname = "nf_conntrack_sctp_timeout_data_sent", + .maxlen = sizeof(unsigned int), + .mode = 0644, + .proc_handler = proc_dointvec_jiffies, + }, [NF_SYSCTL_CT_PROTO_SCTP_NO_RANDOM_PORT] = { .procname = "nf_conntrack_sctp_no_random_port", .maxlen = sizeof(u8), 
@@ -1045,6 +1052,7 @@ static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net, XASSIGN(SHUTDOWN_ACK_SENT, sn); XASSIGN(HEARTBEAT_SENT, sn); XASSIGN(HEARTBEAT_ACKED, sn); + XASSIGN(DATA_SENT, sn); #undef XASSIGN #define XASSIGN(XNAME, rval) \ table[NF_SYSCTL_CT_PROTO_SCTP_ ## XNAME].data = (rval)
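Review bot: In the sctp_new_state() hunk, the comment on the `default:` label directly under the new `case SCTP_CID_DATA: case SCTP_CID_SACK:` still says "Other chunks like DATA or SACK do not change the state", which this very hunk makes untrue; reword it so it no longer names DATA/SACK.

Review bot: The hunk that moves the "Check the verification tag (Sec 8.5)" block into an `else` branch changes behaviour for every chunk type, not only DATA/SACK: the check is now skipped entirely for an unconfirmed entry, whatever created it. The commit message does not mention this, and for the case the patch is about it does not look necessary, because sctp_new() has just stored `sh->vtag` in `vtag[IP_CT_DIR_ORIGINAL]` for a DATA/SACK-created entry, so the comparison against `vtag[dir]` would pass anyway. Please either drop the restructuring or explain which first-packet case it fixes.

Review bot: The new `else if (sch->type == SCTP_CID_DATA || sch->type == SCTP_CID_SACK)` branch in the chunk loop, which fills `vtag[dir]` when it is still zero, looks unreachable for the case it is meant for. On a confirmed entry the Sec 8.5 check runs before the loop and DATA/SACK are not in its bypass list, so a reply-direction DATA/SACK whose vtag differs from `vtag[IP_CT_DIR_REPLY]` (still 0 on a DATA_SENT entry) is rejected with "Verification tag check failed" before this code sees it. That in turn means the new reply-direction `data/sack` row (sDS -> sHA) can only be hit after a HEARTBEAT or HEARTBEAT_ACK, which are bypassed, has filled the reply vtag, at which point the state is already sHA. Unless I am missing a path, either DATA/SACK need a `vtag[dir] == 0` exception in the check above, or the reply-direction DATA transition should go; a test that walks original DATA then reply DATA through the state machine would settle it.

Review bot: The sctp_new() hunk makes a single unsolicited DATA or SACK from any source create a tracked entry whose original-direction vtag is whatever the sender chose, for the 30 s of the new timeout, where such packets previously stayed in NONE and were not tracked. The HEARTBEAT path already has this property, but DATA is the chunk every endpoint emits, so the commit message should state that tracking OOTB DATA/SACK is the intended trade-off and why the 30 s DATA_SENT timeout bounds it acceptably.

Review bot: The uapi hunk appends SCTP_CONNTRACK_DATA_SENT before SCTP_CONNTRACK_MAX, which is the right place for an ABI-safe addition, but whatever per-state name table the "Will stay in %s" pr_debug in sctp_new_state() (and the /proc/net/nf_conntrack printer) index is not extended in this patch, so the new index would read one past its end; add a "DATA_SENT" entry there. On the cttimeout side, userspace (conntrack-tools, nft ct timeout) will need to learn the new CTA_TIMEOUT_SCTP_DATA_SENT attribute, which the cover letter should mention.

Review bot: In the state-table hunk, the original-direction `shutdown` row sends sDS to sCL (as it does sHS) while sHA goes to sSS, and the reply-direction `init`/`abort`/`shutdown` rows return sIV for sDS as they do for sHS. That matches the "behaves like HEARTBEAT_SENT" description, but the sDS column is appended with the table widened to a literal `[12]` while sctp_new_state() picks it with a literal `i = 11`; a short comment tying the two literals to the new `data/sack` row would save the next reader from counting rows.

Review bot: The nf_conntrack_standalone.c hunks add nf_conntrack_sctp_timeout_data_sent but, like 1/2, no entry in Documentation/networking/nf_conntrack-sysctl.rst; please document it with its 30 s default and that it applies to entries opened by a DATA/SACK rather than a HEARTBEAT.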
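To make the 2/2 change concrete, an added example (not kernel code and not from the patch) that walks the chunks of an SCTP packet the way the conntrack chunk loop does, with the 4-byte padding and bounds checks a tracker needs, and then applies the first-packet rule for the chunk types the two patches discuss: before the change a DATA/SACK on an unknown flow creates no entry, after it the entry starts in DATA_SENT. The packet bytes are constructed for the example (ports 36412, vtag 0xdeadbeef, checksum left at zero); chunk type numbers are from RFC 9260 section 3.2; `sctp_parse()`, `new_flow_decision()` and the `FLOW_*` names are this example's, not the kernel's.

```c
/* Added example: walk the chunk list of an SCTP packet as the conntrack
 * chunk loop does and apply the first-packet rule for the chunk types these
 * patches care about.  Not kernel code; sctp_parse() and new_flow_decision()
 * are this example's names.  The packets below are constructed by hand. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Chunk type IDs, RFC 9260 section 3.2 */
enum { CID_DATA = 0, CID_INIT = 1, CID_SACK = 3, CID_HEARTBEAT = 4,
       CID_ABORT = 6, CID_COOKIE_ACK = 11, CID_SHUTDOWN_COMPLETE = 14 };

#define SCTP_HDR_LEN  12   /* src port, dst port, vtag, checksum */
#define CHUNK_HDR_LEN 4    /* type, flags, length */
#define MAX_CHUNKS    16

struct sctp_view {
	uint16_t src_port, dst_port;
	uint32_t vtag;
	uint8_t types[MAX_CHUNKS];   /* chunk types in packet order */
	int nchunks;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Parse the common header and the chunk list.  Chunk Length excludes the
 * padding, but the next chunk starts on a 4-byte boundary.  Returns false on
 * a truncated chunk or a Chunk Length shorter than its own header, which a
 * forwarder must reject rather than loop on (a length of 0 never advances). */
static bool sctp_parse(const uint8_t *pkt, size_t len, struct sctp_view *v)
{
	size_t off = SCTP_HDR_LEN;

	memset(v, 0, sizeof(*v));
	if (len < SCTP_HDR_LEN)
		return false;
	v->src_port = rd16(pkt);
	v->dst_port = rd16(pkt + 2);
	v->vtag = rd32(pkt + 4);

	while (off < len) {
		uint16_t clen;

		if (off + CHUNK_HDR_LEN > len)
			return false;
		clen = rd16(pkt + off + 2);
		if (clen < CHUNK_HDR_LEN || off + clen > len)
			return false;
		if (v->nchunks < MAX_CHUNKS)
			v->types[v->nchunks] = pkt[off];
		v->nchunks++;
		off += (clen + 3u) & ~3u;   /* step over the padding */
	}
	return true;
}

enum new_flow { FLOW_NONE, FLOW_COOKIE_WAIT, FLOW_HEARTBEAT_SENT,
		FLOW_DATA_SENT, FLOW_OTHER };

/* What a packet that matches no existing entry does, for the chunk types the
 * patches discuss.  data_sent_state=false is the behaviour before the
 * DATA_SENT change (DATA/SACK on an unknown flow create nothing), true is
 * after it.  Chunk types outside this set are reported as FLOW_OTHER. */
static enum new_flow new_flow_decision(const struct sctp_view *v, bool data_sent_state)
{
	bool init = false, hb = false, data = false;

	for (int i = 0; i < v->nchunks && i < MAX_CHUNKS; i++) {
		switch (v->types[i]) {
		case CID_ABORT: case CID_SHUTDOWN_COMPLETE: case CID_COOKIE_ACK:
			return FLOW_NONE;   /* OOTB packet with these is discarded */
		case CID_INIT:      init = true; break;
		case CID_HEARTBEAT: hb = true; break;
		case CID_DATA: case CID_SACK: data = true; break;
		default:            return FLOW_OTHER;
		}
	}
	if (init)   /* 8.5.1 (A): an INIT must carry vtag 0 */
		return v->vtag == 0 ? FLOW_COOKIE_WAIT : FLOW_NONE;
	if (hb)
		return FLOW_HEARTBEAT_SENT;
	return data && data_sent_state ? FLOW_DATA_SENT : FLOW_NONE;
}

/* Constructed packets: ports 36412/36412, vtag 0xdeadbeef, checksum left 0. */
static const uint8_t pkt_data_sack[] = {
	0x8e, 0x3c, 0x8e, 0x3c, 0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0,
	0x00, 0x03, 0x00, 0x11,                   /* DATA, flags B|E, length 17 -> padded to 20 */
	0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0,       /* TSN, stream id, stream seq, PPID */
	0x41, 0, 0, 0,                            /* 1 byte of user data + 3 bytes padding */
	0x03, 0x00, 0x00, 0x10,                   /* SACK, length 16 */
	0, 0, 0, 1, 0, 0, 0x10, 0, 0, 0, 0, 0,    /* cum TSN, a_rwnd, 0 gap blocks, 0 dup TSNs */
};
static const uint8_t pkt_heartbeat[] = {
	0x8e, 0x3c, 0x8e, 0x3c, 0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0,
	0x04, 0x00, 0x00, 0x0c,                   /* HEARTBEAT, length 12 */
	0x00, 0x01, 0x00, 0x08, 0xca, 0xfe, 0xba, 0xbe, /* Heartbeat Info parameter */
};
```

The DATA chunk in the first packet is deliberately 17 bytes long so the walk has to round up to 20 before it finds the SACK; a parser that adds the raw Chunk Length instead lands on the padding bytes and misreads them as a chunk header. Feeding `pkt_data_sack` to `new_flow_decision()` with `data_sent_state` false and then true shows the before/after behaviour the commit message describes, while the HEARTBEAT packet opens an entry either way.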