Commit 72388433 authored by Bhaskar Dutta's avatar Bhaskar Dutta Committed by Vlad Yasevich

sctp: Sysctl configuration for IPv4 Address Scoping

This patch introduces a new sysctl option to make IPv4 Address Scoping
configurable <draft-stewart-tsvwg-sctp-ipv4-00.txt>.

In networking environments where DNAT rules in iptables PREROUTING
chains rewrite destination IPs to link-local/private IP addresses,
SCTP associations fail to establish because the INIT chunk is dropped by the
kernel due to an address-scope match failure.
For example, to support overlapping IP addresses (the same IP address with
different VLAN IDs) a Layer-5 application listens on link-local IPs,
and a DNAT rule maps the destination IP to a link-local
IP. Such applications never receive the SCTP INIT if the address-scoping
draft is strictly followed.

This sysctl configuration allows SCTP to function in such
unconventional networking environments.

Sysctl options:
0 - Disable IPv4 address scoping draft altogether
1 - Enable IPv4 address scoping (default, current behavior)
2 - Enable address scoping but allow IPv4 private addresses in init/init-ack
3 - Enable address scoping but allow IPv4 link local address in init/init-ack
Signed-off-by: default avatarBhaskar Dutta <bhaskar.dutta@globallogic.com>
Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
parent 8da645e1
...@@ -1297,6 +1297,16 @@ sctp_rmem - vector of 3 INTEGERs: min, default, max ...@@ -1297,6 +1297,16 @@ sctp_rmem - vector of 3 INTEGERs: min, default, max
sctp_wmem - vector of 3 INTEGERs: min, default, max sctp_wmem - vector of 3 INTEGERs: min, default, max
See tcp_wmem for a description. See tcp_wmem for a description.
addr_scope_policy - INTEGER
Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00
0 - Disable IPv4 address scoping
1 - Enable IPv4 address scoping
2 - Follow draft but allow IPv4 private addresses
3 - Follow draft but allow IPv4 link local addresses
Default: 1
/proc/sys/net/core/* /proc/sys/net/core/*
dev_weight - INTEGER dev_weight - INTEGER
...@@ -363,6 +363,13 @@ typedef enum { ...@@ -363,6 +363,13 @@ typedef enum {
SCTP_SCOPE_UNUSABLE, /* IPv4 unusable addresses */ SCTP_SCOPE_UNUSABLE, /* IPv4 unusable addresses */
} sctp_scope_t; } sctp_scope_t;
typedef enum {
SCTP_SCOPE_POLICY_DISABLE, /* Disable IPv4 address scoping */
SCTP_SCOPE_POLICY_ENABLE, /* Enable IPv4 address scoping */
SCTP_SCOPE_POLICY_PRIVATE, /* Follow draft but allow IPv4 private addresses */
SCTP_SCOPE_POLICY_LINK, /* Follow draft but allow IPv4 link local addresses */
} sctp_scope_policy_t;
/* Based on IPv4 scoping <draft-stewart-tsvwg-sctp-ipv4-00.txt>, /* Based on IPv4 scoping <draft-stewart-tsvwg-sctp-ipv4-00.txt>,
* SCTP IPv4 unusable addresses: 0.0.0.0/8, 224.0.0.0/4, 198.18.0.0/24, * SCTP IPv4 unusable addresses: 0.0.0.0/8, 224.0.0.0/4, 198.18.0.0/24,
* 192.88.99.0/24. * 192.88.99.0/24.
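Review bot: The upper bound that the sysctl layer enforces on this enum is a hand-maintained literal in net/sctp/sysctl.c (`addr_scope_max = 3`, with a comment telling the reader to come back here to check it), so a future policy value appended to `sctp_scope_policy_t` would be rejected by the sysctl until someone remembers to bump that literal. Give the enum a terminal alias that the sysctl can reference instead, e.g. `SCTP_SCOPE_POLICY_MAX = SCTP_SCOPE_POLICY_LINK,` as the last enumerator, and document it with `/* Highest valid policy value; keep as the last entry */`. It would also help to note in the enumerator comments that 2 and 3 are additive, i.e. `/* Follow draft, and also accept IPv4 private addresses */`, since the `PRIVATE`/`LINK` names alone read as "only".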
...@@ -219,6 +219,15 @@ extern struct sctp_globals { ...@@ -219,6 +219,15 @@ extern struct sctp_globals {
/* Flag to idicate if SCTP-AUTH is enabled */ /* Flag to idicate if SCTP-AUTH is enabled */
int auth_enable; int auth_enable;
/*
* Policy to control SCTP IPv4 address scoping
* 0 - Disable IPv4 address scoping
* 1 - Enable IPv4 address scoping
* 2 - Selectively allow only IPv4 private addresses
* 3 - Selectively allow only IPv4 link local address
*/
int ipv4_scope_policy;
/* Flag to indicate whether computing and verifying checksum /* Flag to indicate whether computing and verifying checksum
* is disabled. */ * is disabled. */
int checksum_disable; int checksum_disable;
...@@ -252,6 +261,7 @@ extern struct sctp_globals { ...@@ -252,6 +261,7 @@ extern struct sctp_globals {
#define sctp_port_hashtable (sctp_globals.port_hashtable) #define sctp_port_hashtable (sctp_globals.port_hashtable)
#define sctp_local_addr_list (sctp_globals.local_addr_list) #define sctp_local_addr_list (sctp_globals.local_addr_list)
#define sctp_local_addr_lock (sctp_globals.addr_list_lock) #define sctp_local_addr_lock (sctp_globals.addr_list_lock)
#define sctp_scope_policy (sctp_globals.ipv4_scope_policy)
#define sctp_addip_enable (sctp_globals.addip_enable) #define sctp_addip_enable (sctp_globals.addip_enable)
#define sctp_addip_noauth (sctp_globals.addip_noauth_enable) #define sctp_addip_noauth (sctp_globals.addip_noauth_enable)
#define sctp_prsctp_enable (sctp_globals.prsctp_enable) #define sctp_prsctp_enable (sctp_globals.prsctp_enable)
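Review bot: The field comment describes policies 2 and 3 as "Selectively allow only IPv4 private addresses" / "only IPv4 link local address", which contradicts both the sysctl documentation ("Follow draft but allow ...") and the implementation in sctp_in_scope, where those policies accept every address the draft already permits and additionally the private or link-local scope. A maintainer reading this header alone would conclude that policy 2 rejects global addresses. Suggested wording: `* 2 - Follow the draft, but additionally allow IPv4 private addresses` and `* 3 - Follow the draft, but additionally allow IPv4 link-local addresses`, and name the knob in the comment (`Controlled by net.sctp.addr_scope_policy`) so readers can find it.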
...@@ -510,9 +510,28 @@ int sctp_in_scope(const union sctp_addr *addr, sctp_scope_t scope) ...@@ -510,9 +510,28 @@ int sctp_in_scope(const union sctp_addr *addr, sctp_scope_t scope)
* of requested destination address, sender and receiver * of requested destination address, sender and receiver
* SHOULD include all of its addresses with level greater * SHOULD include all of its addresses with level greater
* than or equal to L. * than or equal to L.
*
* Address scoping can be selectively controlled via sysctl
* option
*/ */
switch (sctp_scope_policy) {
case SCTP_SCOPE_POLICY_DISABLE:
return 1;
case SCTP_SCOPE_POLICY_ENABLE:
if (addr_scope <= scope) if (addr_scope <= scope)
return 1; return 1;
break;
case SCTP_SCOPE_POLICY_PRIVATE:
if (addr_scope <= scope || SCTP_SCOPE_PRIVATE == addr_scope)
return 1;
break;
case SCTP_SCOPE_POLICY_LINK:
if (addr_scope <= scope || SCTP_SCOPE_LINK == addr_scope)
return 1;
break;
default:
break;
}
return 0; return 0;
} }
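Review bot: The `SCTP_SCOPE_POLICY_DISABLE` case returns 1 for any address whatsoever, which within this hunk includes addresses classified as `SCTP_SCOPE_UNUSABLE` (0.0.0.0/8, 224.0.0.0/4, 198.18.0.0/24, 192.88.99.0/24 per the constants.h comment); the first part of sctp_in_scope is outside the hunk, so if it already rejects `SCTP_SCOPE_UNUSABLE` before reaching this switch the point is moot, but if it does not, policy 0 lets a peer's INIT/INIT-ACK advertise multicast or zero-network addresses as association transports. Since the sysctl is documented as disabling the scoping draft rather than disabling address sanity checks, make the unconditional accept explicit and keep unusable addresses out regardless of policy: `case SCTP_SCOPE_POLICY_DISABLE: return addr_scope != SCTP_SCOPE_UNUSABLE;`. The `default:` arm is unreachable as long as the sysctl clamps to 0..3 via proc_dointvec_minmax; a one-line comment saying so (`/* unreachable: sysctl range is enforced by proc_dointvec_minmax */`) would save the next reader from wondering whether a fifth policy is pending.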
...@@ -431,16 +431,14 @@ static int sctp_v4_available(union sctp_addr *addr, struct sctp_sock *sp) ...@@ -431,16 +431,14 @@ static int sctp_v4_available(union sctp_addr *addr, struct sctp_sock *sp)
* of requested destination address, sender and receiver * of requested destination address, sender and receiver
* SHOULD include all of its addresses with level greater * SHOULD include all of its addresses with level greater
* than or equal to L. * than or equal to L.
*
* IPv4 scoping can be controlled through sysctl option
* net.sctp.addr_scope_policy
*/ */
static sctp_scope_t sctp_v4_scope(union sctp_addr *addr) static sctp_scope_t sctp_v4_scope(union sctp_addr *addr)
{ {
sctp_scope_t retval; sctp_scope_t retval;
/* Should IPv4 scoping be a sysctl configurable option
* so users can turn it off (default on) for certain
* unconventional networking environments?
*/
/* Check for unusable SCTP addresses. */ /* Check for unusable SCTP addresses. */
if (IS_IPV4_UNUSABLE_ADDRESS(addr->v4.sin_addr.s_addr)) { if (IS_IPV4_UNUSABLE_ADDRESS(addr->v4.sin_addr.s_addr)) {
retval = SCTP_SCOPE_UNUSABLE; retval = SCTP_SCOPE_UNUSABLE;
...@@ -1259,6 +1257,9 @@ SCTP_STATIC __init int sctp_init(void) ...@@ -1259,6 +1257,9 @@ SCTP_STATIC __init int sctp_init(void)
/* Disable AUTH by default. */ /* Disable AUTH by default. */
sctp_auth_enable = 0; sctp_auth_enable = 0;
/* Set SCOPE policy to enabled */
sctp_scope_policy = SCTP_SCOPE_POLICY_ENABLE;
sctp_sysctl_register(); sctp_sysctl_register();
INIT_LIST_HEAD(&sctp_address_families); INIT_LIST_HEAD(&sctp_address_families);
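Review bot: The new comment on sctp_v4_scope says "IPv4 scoping can be controlled through sysctl option net.sctp.addr_scope_policy", but within the visible lines sctp_v4_scope only classifies an address (unusable/loopback/etc.) and never consults `sctp_scope_policy`; the policy is applied in sctp_in_scope in bind_addr.c. Pointing the reader at the wrong function is worse than the TODO it replaces, so reword it to `* The scope returned here is unaffected by net.sctp.addr_scope_policy; that sysctl is applied when the scope is compared in sctp_in_scope().` (the rest of sctp_v4_scope is outside the hunk, so I am assuming the later part of the function does not read the policy either). The default set in sctp_init is fine; `/* Follow the IPv4 scoping draft by default (net.sctp.addr_scope_policy = 1) */` would be a more useful comment than "Set SCOPE policy to enabled".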
...@@ -51,6 +51,7 @@ static int timer_max = 86400000; /* ms in one day */ ...@@ -51,6 +51,7 @@ static int timer_max = 86400000; /* ms in one day */
static int int_max = INT_MAX; static int int_max = INT_MAX;
static int sack_timer_min = 1; static int sack_timer_min = 1;
static int sack_timer_max = 500; static int sack_timer_max = 500;
static int addr_scope_max = 3; /* check sctp_scope_policy_t in include/net/sctp/constants.h for max entries */
extern int sysctl_sctp_mem[3]; extern int sysctl_sctp_mem[3];
extern int sysctl_sctp_rmem[3]; extern int sysctl_sctp_rmem[3];
...@@ -272,6 +273,17 @@ static ctl_table sctp_table[] = { ...@@ -272,6 +273,17 @@ static ctl_table sctp_table[] = {
.proc_handler = proc_dointvec, .proc_handler = proc_dointvec,
.strategy = sysctl_intvec .strategy = sysctl_intvec
}, },
{
.ctl_name = CTL_UNNUMBERED,
.procname = "addr_scope_policy",
.data = &sctp_scope_policy,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = &proc_dointvec_minmax,
.strategy = &sysctl_intvec,
.extra1 = &zero,
.extra2 = &addr_scope_max,
},
{ .ctl_name = 0 } { .ctl_name = 0 }
}; };
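Review bot: The new table entry is written in a different style from its neighbour: it takes the address of the handlers (`&proc_dointvec_minmax`, `&sysctl_intvec`) while the entry directly above uses `proc_dointvec` / `sysctl_intvec` without `&`, so the file now mixes both forms for no reason. Drop the ampersands to match the surrounding entries. The range bound `static int addr_scope_max = 3;` should also be expressed in terms of the enum rather than a literal with a "go check the header" comment, e.g. `static int addr_scope_max = SCTP_SCOPE_POLICY_LINK; /* last entry of sctp_scope_policy_t */`, so the sysctl and the enum cannot drift apart; the `0644` mode and the lower bound of `zero` are appropriate for a root-only knob that can relax address validation.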