/* (C) 1999-2001 Paul `Rusty' Russell
   * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>

   * (C) 2006-2012 Patrick McHardy <kaber@trash.net>

   *
   * This program is free software; you can redistribute it and/or modify
   * it under the terms of the GNU General Public License version 2 as
   * published by the Free Software Foundation.

   */
  
  #include <linux/types.h>

  #include <linux/timer.h>
  #include <linux/module.h>

  #include <linux/udp.h>
  #include <linux/seq_file.h>
  #include <linux/skbuff.h>
  #include <linux/ipv6.h>
  #include <net/ip6_checksum.h>
  #include <net/checksum.h>

  #include <linux/netfilter.h>
  #include <linux/netfilter_ipv4.h>
  #include <linux/netfilter_ipv6.h>

  #include <net/netfilter/nf_conntrack_l4proto.h>

  #include <net/netfilter/nf_conntrack_ecache.h>

  #include <net/netfilter/nf_log.h>

  #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
  #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>

  static unsigned int udp_timeouts[UDP_CT_MAX] = {
  	[UDP_CT_UNREPLIED]	= 30*HZ,
  	[UDP_CT_REPLIED]	= 180*HZ,
  };

  static inline struct nf_udp_net *udp_pernet(struct net *net)
  {
  	return &net->ct.nf_ct_proto.udp;
  }

  static bool udp_pkt_to_tuple(const struct sk_buff *skb,

  			     unsigned int dataoff,

  			     struct net *net,

  			     struct nf_conntrack_tuple *tuple)
  {

  	const struct udphdr *hp;
  	struct udphdr _hdr;

  	/* Actually only need first 4 bytes to get ports. */
  	hp = skb_header_pointer(skb, dataoff, 4, &_hdr);

  	if (hp == NULL)

  		return false;

  
  	tuple->src.u.udp.port = hp->source;
  	tuple->dst.u.udp.port = hp->dest;

  	return true;

  }

  static bool udp_invert_tuple(struct nf_conntrack_tuple *tuple,
  			     const struct nf_conntrack_tuple *orig)

  {
  	tuple->src.u.udp.port = orig->dst.u.udp.port;
  	tuple->dst.u.udp.port = orig->src.u.udp.port;

  	return true;

  }

  static unsigned int *udp_get_timeouts(struct net *net)
  {

  	return udp_pernet(net)->timeouts;

  }

  /* Returns verdict for packet, and may modify conntracktype */

  static int udp_packet(struct nf_conn *ct,

  		      const struct sk_buff *skb,
  		      unsigned int dataoff,
  		      enum ip_conntrack_info ctinfo,

  		      u_int8_t pf,

  		      unsigned int *timeouts)

  {
  	/* If we've seen traffic both ways, this is some kind of UDP
  	   stream.  Extend timeout. */

  	if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {

  		nf_ct_refresh_acct(ct, ctinfo, skb,

  				   timeouts[UDP_CT_REPLIED]);

  		/* Also, more likely to be important, and not a probe */

  		if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))

  			nf_conntrack_event_cache(IPCT_ASSURED, ct);

  	} else {
  		nf_ct_refresh_acct(ct, ctinfo, skb,

  				   timeouts[UDP_CT_UNREPLIED]);

  	}

  	return NF_ACCEPT;
  }
  
  /* Called when a new connection for this protocol found. */

  static bool udp_new(struct nf_conn *ct, const struct sk_buff *skb,

  		    unsigned int dataoff, unsigned int *timeouts)

  {

  	return true;

  }

  #ifdef CONFIG_NF_CT_PROTO_UDPLITE
  static int udplite_error(struct net *net, struct nf_conn *tmpl,
  			 struct sk_buff *skb,
  			 unsigned int dataoff,

  			 u8 pf, unsigned int hooknum)
  {
  	unsigned int udplen = skb->len - dataoff;
  	const struct udphdr *hdr;
  	struct udphdr _hdr;
  	unsigned int cscov;
  
  	/* Header is too small? */
  	hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
  	if (!hdr) {
  		if (LOG_INVALID(net, IPPROTO_UDPLITE))
  			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
  				      "nf_ct_udplite: short packet ");
  		return -NF_ACCEPT;
  	}
  
  	cscov = ntohs(hdr->len);
  	if (cscov == 0) {
  		cscov = udplen;
  	} else if (cscov < sizeof(*hdr) || cscov > udplen) {
  		if (LOG_INVALID(net, IPPROTO_UDPLITE))
  			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
  				      "nf_ct_udplite: invalid checksum coverage ");
  		return -NF_ACCEPT;
  	}
  
  	/* UDPLITE mandates checksums */
  	if (!hdr->check) {
  		if (LOG_INVALID(net, IPPROTO_UDPLITE))
  			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
  				      "nf_ct_udplite: checksum missing ");
  		return -NF_ACCEPT;
  	}
  
  	/* Checksum invalid? Ignore. */
  	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
  	    nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_UDP,
  				pf)) {
  		if (LOG_INVALID(net, IPPROTO_UDPLITE))
  			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
  				      "nf_ct_udplite: bad UDPLite checksum ");
  		return -NF_ACCEPT;
  	}
  
  	return NF_ACCEPT;
  }
  #endif

  static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,

  		     unsigned int dataoff,

  		     u_int8_t pf,

  		     unsigned int hooknum)

  {
  	unsigned int udplen = skb->len - dataoff;

  	const struct udphdr *hdr;
  	struct udphdr _hdr;

  
  	/* Header is too small? */
  	hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
  	if (hdr == NULL) {

  		if (LOG_INVALID(net, IPPROTO_UDP))

  			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,

  				      "nf_ct_udp: short packet ");
  		return -NF_ACCEPT;
  	}
  
  	/* Truncated/malformed packets */
  	if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) {

  		if (LOG_INVALID(net, IPPROTO_UDP))

  			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,

  				"nf_ct_udp: truncated/malformed packet ");
  		return -NF_ACCEPT;
  	}
  
  	/* Packet with no checksum */
  	if (!hdr->check)
  		return NF_ACCEPT;
  
  	/* Checksum invalid? Ignore.
  	 * We skip checking packets on the outgoing path

  	 * because the checksum is assumed to be correct.

  	 * FIXME: Source route IP option packets --RR */

  	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&

  	    nf_checksum(skb, hooknum, dataoff, IPPROTO_UDP, pf)) {

  		if (LOG_INVALID(net, IPPROTO_UDP))

  			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,

  				"nf_ct_udp: bad UDP checksum ");
  		return -NF_ACCEPT;
  	}
  
  	return NF_ACCEPT;
  }

  #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
  
  #include <linux/netfilter/nfnetlink.h>
  #include <linux/netfilter/nfnetlink_cttimeout.h>

  static int udp_timeout_nlattr_to_obj(struct nlattr *tb[],
  				     struct net *net, void *data)

  {
  	unsigned int *timeouts = data;

  	struct nf_udp_net *un = udp_pernet(net);

  
  	/* set default timeouts for UDP. */

  	timeouts[UDP_CT_UNREPLIED] = un->timeouts[UDP_CT_UNREPLIED];
  	timeouts[UDP_CT_REPLIED] = un->timeouts[UDP_CT_REPLIED];

  
  	if (tb[CTA_TIMEOUT_UDP_UNREPLIED]) {
  		timeouts[UDP_CT_UNREPLIED] =
  			ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_UNREPLIED])) * HZ;
  	}
  	if (tb[CTA_TIMEOUT_UDP_REPLIED]) {
  		timeouts[UDP_CT_REPLIED] =
  			ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_REPLIED])) * HZ;
  	}
  	return 0;
  }
  
  static int
  udp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
  {
  	const unsigned int *timeouts = data;

  	if (nla_put_be32(skb, CTA_TIMEOUT_UDP_UNREPLIED,
  			 htonl(timeouts[UDP_CT_UNREPLIED] / HZ)) ||
  	    nla_put_be32(skb, CTA_TIMEOUT_UDP_REPLIED,
  			 htonl(timeouts[UDP_CT_REPLIED] / HZ)))
  		goto nla_put_failure;

  	return 0;
  
  nla_put_failure:
  	return -ENOSPC;
  }
  
  static const struct nla_policy
  udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = {
         [CTA_TIMEOUT_UDP_UNREPLIED]	= { .type = NLA_U32 },
         [CTA_TIMEOUT_UDP_REPLIED]	= { .type = NLA_U32 },
  };
  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */

  #ifdef CONFIG_SYSCTL

  static struct ctl_table udp_sysctl_table[] = {
  	{

  		.procname	= "nf_conntrack_udp_timeout",

  		.maxlen		= sizeof(unsigned int),
  		.mode		= 0644,

  		.proc_handler	= proc_dointvec_jiffies,

  	},
  	{

  		.procname	= "nf_conntrack_udp_timeout_stream",

  		.maxlen		= sizeof(unsigned int),
  		.mode		= 0644,

  		.proc_handler	= proc_dointvec_jiffies,

  	},

  	{ }

  };
  #endif /* CONFIG_SYSCTL */

  static int udp_kmemdup_sysctl_table(struct nf_proto_net *pn,
  				    struct nf_udp_net *un)

  {
  #ifdef CONFIG_SYSCTL

  	if (pn->ctl_table)
  		return 0;
  	pn->ctl_table = kmemdup(udp_sysctl_table,
  				sizeof(udp_sysctl_table),
  				GFP_KERNEL);
  	if (!pn->ctl_table)
  		return -ENOMEM;
  	pn->ctl_table[0].data = &un->timeouts[UDP_CT_UNREPLIED];
  	pn->ctl_table[1].data = &un->timeouts[UDP_CT_REPLIED];
  #endif
  	return 0;
  }

  static int udp_init_net(struct net *net, u_int16_t proto)

  {

  	struct nf_udp_net *un = udp_pernet(net);

  	struct nf_proto_net *pn = &un->pn;

  	if (!pn->users) {
  		int i;

  		for (i = 0; i < UDP_CT_MAX; i++)
  			un->timeouts[i] = udp_timeouts[i];

  	}

  	return udp_kmemdup_sysctl_table(pn, un);

  }

  static struct nf_proto_net *udp_get_net_proto(struct net *net)
  {
  	return &net->ct.nf_ct_proto.udp.pn;
  }

  struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly =

  {
  	.l3proto		= PF_INET,

  	.l4proto		= IPPROTO_UDP,

  	.allow_clash		= true,

  	.pkt_to_tuple		= udp_pkt_to_tuple,
  	.invert_tuple		= udp_invert_tuple,

  	.packet			= udp_packet,

  	.get_timeouts		= udp_get_timeouts,

  	.new			= udp_new,

  	.error			= udp_error,

  #if IS_ENABLED(CONFIG_NF_CT_NETLINK)

  	.tuple_to_nlattr	= nf_ct_port_tuple_to_nlattr,
  	.nlattr_to_tuple	= nf_ct_port_nlattr_to_tuple,

  	.nlattr_tuple_size	= nf_ct_port_nlattr_tuple_size,

  	.nla_policy		= nf_ct_port_nla_policy,

  #endif

  #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
  	.ctnl_timeout		= {
  		.nlattr_to_obj	= udp_timeout_nlattr_to_obj,
  		.obj_to_nlattr	= udp_timeout_obj_to_nlattr,
  		.nlattr_max	= CTA_TIMEOUT_UDP_MAX,
  		.obj_size	= sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
  		.nla_policy	= udp_timeout_nla_policy,
  	},
  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */

  	.init_net		= udp_init_net,

  	.get_net_proto		= udp_get_net_proto,

  };

  EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp4);

  #ifdef CONFIG_NF_CT_PROTO_UDPLITE
  struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
  {
  	.l3proto		= PF_INET,
  	.l4proto		= IPPROTO_UDPLITE,

  	.allow_clash		= true,
  	.pkt_to_tuple		= udp_pkt_to_tuple,
  	.invert_tuple		= udp_invert_tuple,

  	.packet			= udp_packet,
  	.get_timeouts		= udp_get_timeouts,
  	.new			= udp_new,
  	.error			= udplite_error,
  #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
  	.tuple_to_nlattr	= nf_ct_port_tuple_to_nlattr,
  	.nlattr_to_tuple	= nf_ct_port_nlattr_to_tuple,
  	.nlattr_tuple_size	= nf_ct_port_nlattr_tuple_size,
  	.nla_policy		= nf_ct_port_nla_policy,
  #endif
  #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
  	.ctnl_timeout		= {
  		.nlattr_to_obj	= udp_timeout_nlattr_to_obj,
  		.obj_to_nlattr	= udp_timeout_obj_to_nlattr,
  		.nlattr_max	= CTA_TIMEOUT_UDP_MAX,
  		.obj_size	= sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
  		.nla_policy	= udp_timeout_nla_policy,
  	},
  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
  	.init_net		= udp_init_net,
  	.get_net_proto		= udp_get_net_proto,
  };
  EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite4);
  #endif

  struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =

  {
  	.l3proto		= PF_INET6,

  	.l4proto		= IPPROTO_UDP,

  	.allow_clash		= true,

  	.pkt_to_tuple		= udp_pkt_to_tuple,
  	.invert_tuple		= udp_invert_tuple,

  	.packet			= udp_packet,

  	.get_timeouts		= udp_get_timeouts,

  	.new			= udp_new,

  	.error			= udp_error,

  #if IS_ENABLED(CONFIG_NF_CT_NETLINK)

  	.tuple_to_nlattr	= nf_ct_port_tuple_to_nlattr,
  	.nlattr_to_tuple	= nf_ct_port_nlattr_to_tuple,

  	.nlattr_tuple_size	= nf_ct_port_nlattr_tuple_size,

  	.nla_policy		= nf_ct_port_nla_policy,

  #endif

  #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
  	.ctnl_timeout		= {
  		.nlattr_to_obj	= udp_timeout_nlattr_to_obj,
  		.obj_to_nlattr	= udp_timeout_obj_to_nlattr,
  		.nlattr_max	= CTA_TIMEOUT_UDP_MAX,
  		.obj_size	= sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
  		.nla_policy	= udp_timeout_nla_policy,
  	},
  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */

  	.init_net		= udp_init_net,

  	.get_net_proto		= udp_get_net_proto,

  };

  EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp6);

  
  #ifdef CONFIG_NF_CT_PROTO_UDPLITE
  struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
  {
  	.l3proto		= PF_INET6,
  	.l4proto		= IPPROTO_UDPLITE,

  	.allow_clash		= true,
  	.pkt_to_tuple		= udp_pkt_to_tuple,
  	.invert_tuple		= udp_invert_tuple,

  	.packet			= udp_packet,
  	.get_timeouts		= udp_get_timeouts,
  	.new			= udp_new,
  	.error			= udplite_error,
  #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
  	.tuple_to_nlattr	= nf_ct_port_tuple_to_nlattr,
  	.nlattr_to_tuple	= nf_ct_port_nlattr_to_tuple,
  	.nlattr_tuple_size	= nf_ct_port_nlattr_tuple_size,
  	.nla_policy		= nf_ct_port_nla_policy,
  #endif
  #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
  	.ctnl_timeout		= {
  		.nlattr_to_obj	= udp_timeout_nlattr_to_obj,
  		.obj_to_nlattr	= udp_timeout_obj_to_nlattr,
  		.nlattr_max	= CTA_TIMEOUT_UDP_MAX,
  		.obj_size	= sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
  		.nla_policy	= udp_timeout_nla_policy,
  	},
  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
  	.init_net		= udp_init_net,
  	.get_net_proto		= udp_get_net_proto,
  };
  EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite6);
  #endif