📄 nf_conntrack_proto_tcp.c
字号:
/* (C) 1999-2001 Paul `Rusty' Russell * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. */#include <linux/types.h>#include <linux/timer.h>#include <linux/module.h>#include <linux/in.h>#include <linux/tcp.h>#include <linux/spinlock.h>#include <linux/skbuff.h>#include <linux/ipv6.h>#include <net/ip6_checksum.h>#include <net/tcp.h>#include <linux/netfilter.h>#include <linux/netfilter_ipv4.h>#include <linux/netfilter_ipv6.h>#include <net/netfilter/nf_conntrack.h>#include <net/netfilter/nf_conntrack_l4proto.h>#include <net/netfilter/nf_conntrack_ecache.h>/* Protects conntrack->proto.tcp */static DEFINE_RWLOCK(tcp_lock);/* "Be conservative in what you do, be liberal in what you accept from others." If it's non-zero, we mark only out of window RST segments as INVALID. */static int nf_ct_tcp_be_liberal __read_mostly = 0;/* If it is set to zero, we disable picking up already established connections. */static int nf_ct_tcp_loose __read_mostly = 1;/* Max number of the retransmitted packets without receiving an (acceptable) ACK from the destination. If this number is reached, a shorter timer will be started. */static int nf_ct_tcp_max_retrans __read_mostly = 3; /* FIXME: Examine ipfilter's timeouts and conntrack transitions more closely. They're more complex. --RR */static const char *tcp_conntrack_names[] = { "NONE", "SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT", "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT", "CLOSE", "LISTEN"};#define SECS * HZ#define MINS * 60 SECS#define HOURS * 60 MINS#define DAYS * 24 HOURSstatic unsigned int nf_ct_tcp_timeout_syn_sent __read_mostly = 2 MINS;static unsigned int nf_ct_tcp_timeout_syn_recv __read_mostly = 60 SECS;static unsigned int nf_ct_tcp_timeout_established __read_mostly = 5 DAYS;static unsigned int nf_ct_tcp_timeout_fin_wait __read_mostly = 2 MINS;static unsigned int nf_ct_tcp_timeout_close_wait __read_mostly = 60 SECS;static unsigned int nf_ct_tcp_timeout_last_ack __read_mostly = 30 SECS;static unsigned int nf_ct_tcp_timeout_time_wait __read_mostly = 2 MINS;static unsigned int nf_ct_tcp_timeout_close __read_mostly = 10 SECS;/* RFC1122 says the R2 limit should be at least 100 seconds. Linux uses 15 packets as limit, which corresponds to ~13-30min depending on RTO. */static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS;static unsigned int * tcp_timeouts[] = { NULL, /* TCP_CONNTRACK_NONE */ &nf_ct_tcp_timeout_syn_sent, /* TCP_CONNTRACK_SYN_SENT, */ &nf_ct_tcp_timeout_syn_recv, /* TCP_CONNTRACK_SYN_RECV, */ &nf_ct_tcp_timeout_established, /* TCP_CONNTRACK_ESTABLISHED, */ &nf_ct_tcp_timeout_fin_wait, /* TCP_CONNTRACK_FIN_WAIT, */ &nf_ct_tcp_timeout_close_wait, /* TCP_CONNTRACK_CLOSE_WAIT, */ &nf_ct_tcp_timeout_last_ack, /* TCP_CONNTRACK_LAST_ACK, */ &nf_ct_tcp_timeout_time_wait, /* TCP_CONNTRACK_TIME_WAIT, */ &nf_ct_tcp_timeout_close, /* TCP_CONNTRACK_CLOSE, */ NULL, /* TCP_CONNTRACK_LISTEN */ };#define sNO TCP_CONNTRACK_NONE#define sSS TCP_CONNTRACK_SYN_SENT#define sSR TCP_CONNTRACK_SYN_RECV#define sES TCP_CONNTRACK_ESTABLISHED#define sFW TCP_CONNTRACK_FIN_WAIT#define sCW TCP_CONNTRACK_CLOSE_WAIT#define sLA TCP_CONNTRACK_LAST_ACK#define sTW TCP_CONNTRACK_TIME_WAIT#define sCL TCP_CONNTRACK_CLOSE#define sLI TCP_CONNTRACK_LISTEN#define sIV TCP_CONNTRACK_MAX#define sIG TCP_CONNTRACK_IGNORE/* What TCP flags are set from RST/SYN/FIN/ACK. */enum tcp_bit_set { TCP_SYN_SET, TCP_SYNACK_SET, TCP_FIN_SET, TCP_ACK_SET, TCP_RST_SET, TCP_NONE_SET,};/* * The TCP state transition table needs a few words... * * We are the man in the middle. All the packets go through us * but might get lost in transit to the destination. * It is assumed that the destinations can't receive segments * we haven't seen. * * The checked segment is in window, but our windows are *not* * equivalent with the ones of the sender/receiver. We always * try to guess the state of the current sender. * * The meaning of the states are: * * NONE: initial state * SYN_SENT: SYN-only packet seen * SYN_RECV: SYN-ACK packet seen * ESTABLISHED: ACK packet seen * FIN_WAIT: FIN packet seen * CLOSE_WAIT: ACK seen (after FIN) * LAST_ACK: FIN seen (after FIN) * TIME_WAIT: last ACK seen * CLOSE: closed connection * * LISTEN state is not used. * * Packets marked as IGNORED (sIG): * if they may be either invalid or valid * and the receiver may send back a connection * closing RST or a SYN/ACK. * * Packets marked as INVALID (sIV): * if they are invalid * or we do not support the request (simultaneous open) */static enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { {/* ORIGINAL *//* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI *//*syn*/ { sSS, sSS, sIG, sIG, sIG, sIG, sIG, sSS, sSS, sIV },/* * sNO -> sSS Initialize a new connection * sSS -> sSS Retransmitted SYN * sSR -> sIG Late retransmitted SYN? * sES -> sIG Error: SYNs in window outside the SYN_SENT state * are errors. Receiver will reply with RST * and close the connection. * Or we are not in sync and hold a dead connection. * sFW -> sIG * sCW -> sIG * sLA -> sIG * sTW -> sSS Reopened connection (RFC 1122). * sCL -> sSS *//* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI *//*synack*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV },/* * A SYN/ACK from the client is always invalid: * - either it tries to set up a simultaneous open, which is * not supported; * - or the firewall has just been inserted between the two hosts * during the session set-up. The SYN will be retransmitted * by the true client (or it'll time out). *//* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI *//*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },/* * sNO -> sIV Too late and no reason to do anything... * sSS -> sIV Client migth not send FIN in this state: * we enforce waiting for a SYN/ACK reply first. * sSR -> sFW Close started. * sES -> sFW * sFW -> sLA FIN seen in both directions, waiting for * the last ACK. * Migth be a retransmitted FIN as well... * sCW -> sLA * sLA -> sLA Retransmitted FIN. Remain in the same state. * sTW -> sTW * sCL -> sCL *//* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI *//*ack*/ { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },/* * sNO -> sES Assumed. * sSS -> sIV ACK is invalid: we haven't seen a SYN/ACK yet. * sSR -> sES Established state is reached. * sES -> sES :-) * sFW -> sCW Normal close request answered by ACK. * sCW -> sCW * sLA -> sTW Last ACK detected. * sTW -> sTW Retransmitted last ACK. Remain in the same state. * sCL -> sCL *//* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI *//*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV },/*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV } }, {/* REPLY *//* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI *//*syn*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV },/* * sNO -> sIV Never reached. * sSS -> sIV Simultaneous open, not supported * sSR -> sIV Simultaneous open, not supported. * sES -> sIV Server may not initiate a connection. * sFW -> sIV * sCW -> sIV * sLA -> sIV * sTW -> sIV Reopened connection, but server may not do it. * sCL -> sIV *//* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI *//*synack*/ { sIV, sSR, sSR, sIG, sIG, sIG, sIG, sIG, sIG, sIV },/* * sSS -> sSR Standard open. * sSR -> sSR Retransmitted SYN/ACK. * sES -> sIG Late retransmitted SYN/ACK? * sFW -> sIG Might be SYN/ACK answering ignored SYN * sCW -> sIG * sLA -> sIG * sTW -> sIG * sCL -> sIG *//* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI *//*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },/* * sSS -> sIV Server might not send FIN in this state. * sSR -> sFW Close started. * sES -> sFW * sFW -> sLA FIN seen in both directions. * sCW -> sLA * sLA -> sLA Retransmitted FIN. * sTW -> sTW * sCL -> sCL *//* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI *//*ack*/ { sIV, sIG, sSR, sES, sCW, sCW, sTW, sTW, sCL, sIV },/* * sSS -> sIG Might be a half-open connection. * sSR -> sSR Might answer late resent SYN. * sES -> sES :-) * sFW -> sCW Normal close request answered by ACK. * sCW -> sCW * sLA -> sTW Last ACK detected. * sTW -> sTW Retransmitted last ACK. * sCL -> sCL *//* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI *//*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV },/*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV } }};static int tcp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff, struct nf_conntrack_tuple *tuple){ struct tcphdr _hdr, *hp; /* Actually only need first 8 bytes. */ hp = skb_header_pointer(skb, dataoff, 8, &_hdr); if (hp == NULL) return 0; tuple->src.u.tcp.port = hp->source; tuple->dst.u.tcp.port = hp->dest; return 1;}static int tcp_invert_tuple(struct nf_conntrack_tuple *tuple, const struct nf_conntrack_tuple *orig){ tuple->src.u.tcp.port = orig->dst.u.tcp.port; tuple->dst.u.tcp.port = orig->src.u.tcp.port; return 1;}/* Print out the per-protocol part of the tuple. */static int tcp_print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple){ return seq_printf(s, "sport=%hu dport=%hu ", ntohs(tuple->src.u.tcp.port), ntohs(tuple->dst.u.tcp.port));}/* Print out the private part of the conntrack. */static int tcp_print_conntrack(struct seq_file *s, const struct nf_conn *conntrack){ enum tcp_conntrack state; read_lock_bh(&tcp_lock); state = conntrack->proto.tcp.state; read_unlock_bh(&tcp_lock); return seq_printf(s, "%s ", tcp_conntrack_names[state]);}static unsigned int get_conntrack_index(const struct tcphdr *tcph){ if (tcph->rst) return TCP_RST_SET; else if (tcph->syn) return (tcph->ack ? TCP_SYNACK_SET : TCP_SYN_SET); else if (tcph->fin) return TCP_FIN_SET; else if (tcph->ack) return TCP_ACK_SET; else return TCP_NONE_SET;}/* TCP connection tracking based on 'Real Stateful TCP Packet Filtering in IP Filter' by Guido van Rooij. http://www.nluug.nl/events/sane2000/papers.html http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz The boundaries and the conditions are changed according to RFC793: the packet must intersect the window (i.e. segments may be after the right or before the left edge) and thus receivers may ACK segments after the right edge of the window. td_maxend = max(sack + max(win,1)) seen in reply packets td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets td_maxwin += seq + len - sender.td_maxend if seq + len > sender.td_maxend td_end = max(seq + len) seen in sent packets I. Upper bound for valid data: seq <= sender.td_maxend II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin III. Upper bound for valid ack: sack <= receiver.td_end IV. Lower bound for valid ack: ack >= receiver.td_end - MAXACKWINDOW where sack is the highest right edge of sack block found in the packet. The upper bound limit for a valid ack is not ignored - we doesn't have to deal with fragments.*/static inline __u32 segment_seq_plus_len(__u32 seq, size_t len, unsigned int dataoff, struct tcphdr *tcph){ /* XXX Should I use payload length field in IP/IPv6 header ? * - YK */ return (seq + len - dataoff - tcph->doff*4 + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0));}/* Fixme: what about big packets? */#define MAXACKWINCONST 66000#define MAXACKWINDOW(sender) \ ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin \ : MAXACKWINCONST)/* * Simplified tcp_parse_options routine from tcp_input.c */static void tcp_options(const struct sk_buff *skb, unsigned int dataoff, struct tcphdr *tcph, struct ip_ct_tcp_state *state){ unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; unsigned char *ptr; int length = (tcph->doff*4) - sizeof(struct tcphdr); if (!length) return; ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr), length, buff); BUG_ON(ptr == NULL); state->td_scale = state->flags = 0; while (length > 0) { int opcode=*ptr++; int opsize; switch (opcode) { case TCPOPT_EOL: return; case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */ length--; continue; default: opsize=*ptr++; if (opsize < 2) /* "silly options" */ return; if (opsize > length) break; /* don't parse partial options */ if (opcode == TCPOPT_SACK_PERM && opsize == TCPOLEN_SACK_PERM) state->flags |= IP_CT_TCP_FLAG_SACK_PERM; else if (opcode == TCPOPT_WINDOW && opsize == TCPOLEN_WINDOW) { state->td_scale = *(u_int8_t *)ptr; if (state->td_scale > 14) { /* See RFC1323 */ state->td_scale = 14; } state->flags |= IP_CT_TCP_FLAG_WINDOW_SCALE; } ptr += opsize - 2; length -= opsize; } }}static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, struct tcphdr *tcph, __u32 *sack){ unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; unsigned char *ptr; int length = (tcph->doff*4) - sizeof(struct tcphdr); __u32 tmp; if (!length) return; ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr), length, buff); BUG_ON(ptr == NULL); /* Fast path for timestamp-only option */ if (length == TCPOLEN_TSTAMP_ALIGNED*4 && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) | (TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP)) return; while (length > 0) { int opcode = *ptr++; int opsize, i; switch (opcode) { case TCPOPT_EOL: return; case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */ length--; continue; default: opsize = *ptr++; if (opsize < 2) /* "silly options" */ return; if (opsize > length) break; /* don't parse partial options */ if (opcode == TCPOPT_SACK && opsize >= (TCPOLEN_SACK_BASE⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -