2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the Netfilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
17 * The IPVS code for kernel 2.2 was done by Wensong Zhang and Peter Kese,
18 * with changes/fixes from Julian Anastasov, Lars Marowsky-Bree, Horms
22 * Paul `Rusty' Russell properly handle non-linear skbs
23 * Harald Welte don't use nfcache
27 #define KMSG_COMPONENT "IPVS"
28 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
30 #include <linux/module.h>
31 #include <linux/kernel.h>
33 #include <linux/tcp.h>
34 #include <linux/sctp.h>
35 #include <linux/icmp.h>
36 #include <linux/slab.h>
41 #include <net/icmp.h> /* for icmp_send */
42 #include <net/route.h>
43 #include <net/ip6_checksum.h>
44 #include <net/netns/generic.h> /* net_generic() */
46 #include <linux/netfilter.h>
47 #include <linux/netfilter_ipv4.h>
49 #ifdef CONFIG_IP_VS_IPV6
51 #include <linux/netfilter_ipv6.h>
52 #include <net/ip6_route.h>
55 #include <net/ip_vs.h>
58 EXPORT_SYMBOL(register_ip_vs_scheduler);
59 EXPORT_SYMBOL(unregister_ip_vs_scheduler);
60 EXPORT_SYMBOL(ip_vs_proto_name);
61 EXPORT_SYMBOL(ip_vs_conn_new);
62 EXPORT_SYMBOL(ip_vs_conn_in_get);
63 EXPORT_SYMBOL(ip_vs_conn_out_get);
64 #ifdef CONFIG_IP_VS_PROTO_TCP
65 EXPORT_SYMBOL(ip_vs_tcp_conn_listen);
67 EXPORT_SYMBOL(ip_vs_conn_put);
68 #ifdef CONFIG_IP_VS_DEBUG
69 EXPORT_SYMBOL(ip_vs_get_debug_level);
72 int ip_vs_net_id __read_mostly;
73 #ifdef IP_VS_GENERIC_NETNS
74 EXPORT_SYMBOL(ip_vs_net_id);
76 /* netns cnt used for uniqueness */
77 static atomic_t ipvs_netns_cnt = ATOMIC_INIT(0);
79 /* ID used in ICMP lookups */
80 #define icmp_id(icmph) (((icmph)->un).echo.id)
81 #define icmpv6_id(icmph) (icmph->icmp6_dataun.u_echo.identifier)
83 const char *ip_vs_proto_name(unsigned proto)
98 #ifdef CONFIG_IP_VS_IPV6
103 sprintf(buf, "IP_%d", proto);
108 void ip_vs_init_hash_table(struct list_head *table, int rows)
111 INIT_LIST_HEAD(&table[rows]);
115 ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
117 struct ip_vs_dest *dest = cp->dest;
118 if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
119 spin_lock(&dest->stats.lock);
120 dest->stats.ustats.inpkts++;
121 dest->stats.ustats.inbytes += skb->len;
122 spin_unlock(&dest->stats.lock);
124 spin_lock(&dest->svc->stats.lock);
125 dest->svc->stats.ustats.inpkts++;
126 dest->svc->stats.ustats.inbytes += skb->len;
127 spin_unlock(&dest->svc->stats.lock);
129 spin_lock(&ip_vs_stats.lock);
130 ip_vs_stats.ustats.inpkts++;
131 ip_vs_stats.ustats.inbytes += skb->len;
132 spin_unlock(&ip_vs_stats.lock);
138 ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
140 struct ip_vs_dest *dest = cp->dest;
141 if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
142 spin_lock(&dest->stats.lock);
143 dest->stats.ustats.outpkts++;
144 dest->stats.ustats.outbytes += skb->len;
145 spin_unlock(&dest->stats.lock);
147 spin_lock(&dest->svc->stats.lock);
148 dest->svc->stats.ustats.outpkts++;
149 dest->svc->stats.ustats.outbytes += skb->len;
150 spin_unlock(&dest->svc->stats.lock);
152 spin_lock(&ip_vs_stats.lock);
153 ip_vs_stats.ustats.outpkts++;
154 ip_vs_stats.ustats.outbytes += skb->len;
155 spin_unlock(&ip_vs_stats.lock);
161 ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
163 spin_lock(&cp->dest->stats.lock);
164 cp->dest->stats.ustats.conns++;
165 spin_unlock(&cp->dest->stats.lock);
167 spin_lock(&svc->stats.lock);
168 svc->stats.ustats.conns++;
169 spin_unlock(&svc->stats.lock);
171 spin_lock(&ip_vs_stats.lock);
172 ip_vs_stats.ustats.conns++;
173 spin_unlock(&ip_vs_stats.lock);
178 ip_vs_set_state(struct ip_vs_conn *cp, int direction,
179 const struct sk_buff *skb,
180 struct ip_vs_proto_data *pd)
182 if (unlikely(!pd->pp->state_transition))
184 return pd->pp->state_transition(cp, direction, skb, pd);
188 ip_vs_conn_fill_param_persist(const struct ip_vs_service *svc,
189 struct sk_buff *skb, int protocol,
190 const union nf_inet_addr *caddr, __be16 cport,
191 const union nf_inet_addr *vaddr, __be16 vport,
192 struct ip_vs_conn_param *p)
194 ip_vs_conn_fill_param(svc->af, protocol, caddr, cport, vaddr, vport, p);
196 if (p->pe && p->pe->fill_param)
197 return p->pe->fill_param(p, skb);
203 * IPVS persistent scheduling function
204 * It creates a connection entry according to its template if exists,
205 * or selects a server and creates a connection entry plus a template.
206 * Locking: we are svc user (svc->refcnt), so we hold all dests too
207 * Protocols supported: TCP, UDP
209 static struct ip_vs_conn *
210 ip_vs_sched_persist(struct ip_vs_service *svc,
212 __be16 src_port, __be16 dst_port, int *ignored)
214 struct ip_vs_conn *cp = NULL;
215 struct ip_vs_iphdr iph;
216 struct ip_vs_dest *dest;
217 struct ip_vs_conn *ct;
218 __be16 dport = 0; /* destination port to forward */
220 struct ip_vs_conn_param param;
221 union nf_inet_addr snet; /* source network of the client,
224 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
226 /* Mask saddr with the netmask to adjust template granularity */
227 #ifdef CONFIG_IP_VS_IPV6
228 if (svc->af == AF_INET6)
229 ipv6_addr_prefix(&snet.in6, &iph.saddr.in6, svc->netmask);
232 snet.ip = iph.saddr.ip & svc->netmask;
234 IP_VS_DBG_BUF(6, "p-schedule: src %s:%u dest %s:%u "
236 IP_VS_DBG_ADDR(svc->af, &iph.saddr), ntohs(src_port),
237 IP_VS_DBG_ADDR(svc->af, &iph.daddr), ntohs(dst_port),
238 IP_VS_DBG_ADDR(svc->af, &snet));
241 * As far as we know, FTP is a very complicated network protocol, and
242 * it uses control connection and data connections. For active FTP,
243 * FTP server initialize data connection to the client, its source port
244 * is often 20. For passive FTP, FTP server tells the clients the port
245 * that it passively listens to, and the client issues the data
246 * connection. In the tunneling or direct routing mode, the load
247 * balancer is on the client-to-server half of connection, the port
248 * number is unknown to the load balancer. So, a conn template like
249 * <caddr, 0, vaddr, 0, daddr, 0> is created for persistent FTP
250 * service, and a template like <caddr, 0, vaddr, vport, daddr, dport>
251 * is created for other persistent services.
254 int protocol = iph.protocol;
255 const union nf_inet_addr *vaddr = &iph.daddr;
256 const union nf_inet_addr fwmark = { .ip = htonl(svc->fwmark) };
259 if (dst_port == svc->port) {
261 * <protocol, caddr, 0, vaddr, vport, daddr, dport>
263 * <protocol, caddr, 0, vaddr, 0, daddr, 0>
265 if (svc->port != FTPPORT)
268 /* Note: persistent fwmark-based services and
269 * persistent port zero service are handled here.
271 * <IPPROTO_IP,caddr,0,fwmark,0,daddr,0>
272 * port zero template:
273 * <protocol,caddr,0,vaddr,0,daddr,0>
276 protocol = IPPROTO_IP;
280 /* return *ignored = -1 so NF_DROP can be used */
281 if (ip_vs_conn_fill_param_persist(svc, skb, protocol, &snet, 0,
282 vaddr, vport, ¶m) < 0) {
288 /* Check if a template already exists */
289 ct = ip_vs_ct_in_get(¶m);
290 if (!ct || !ip_vs_check_template(ct)) {
292 * No template found or the dest of the connection
293 * template is not available.
294 * return *ignored=0 i.e. ICMP and NF_DROP
296 dest = svc->scheduler->schedule(svc, skb);
298 IP_VS_DBG(1, "p-schedule: no dest found.\n");
299 kfree(param.pe_data);
304 if (dst_port == svc->port && svc->port != FTPPORT)
308 * This adds param.pe_data to the template,
309 * and thus param.pe_data will be destroyed
310 * when the template expires */
311 ct = ip_vs_conn_new(¶m, &dest->addr, dport,
312 IP_VS_CONN_F_TEMPLATE, dest, skb->mark);
314 kfree(param.pe_data);
319 ct->timeout = svc->timeout;
321 /* set destination with the found template */
323 kfree(param.pe_data);
327 if (dport == svc->port && dest->port)
330 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
331 && iph.protocol == IPPROTO_UDP)?
332 IP_VS_CONN_F_ONE_PACKET : 0;
335 * Create a new connection according to the template
337 ip_vs_conn_fill_param(svc->af, iph.protocol, &iph.saddr, src_port,
338 &iph.daddr, dst_port, ¶m);
340 cp = ip_vs_conn_new(¶m, &dest->addr, dport, flags, dest, skb->mark);
350 ip_vs_control_add(cp, ct);
353 ip_vs_conn_stats(cp, svc);
359 * IPVS main scheduling function
360 * It selects a server according to the virtual service, and
361 * creates a connection entry.
362 * Protocols supported: TCP, UDP
366 * 1 : protocol tried to schedule (eg. on SYN), found svc but the
367 * svc/scheduler decides that this packet should be accepted with
368 * NF_ACCEPT because it must not be scheduled.
370 * 0 : scheduler can not find destination, so try bypass or
371 * return ICMP and then NF_DROP (ip_vs_leave).
373 * -1 : scheduler tried to schedule but fatal error occurred, eg.
374 * ip_vs_conn_new failure (ENOMEM) or ip_vs_sip_fill_param
375 * failure such as missing Call-ID, ENOMEM on skb_linearize
376 * or pe_data. In this case we should return NF_DROP without
377 * any attempts to send ICMP with ip_vs_leave.
380 ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
381 struct ip_vs_proto_data *pd, int *ignored)
383 struct ip_vs_protocol *pp = pd->pp;
384 struct ip_vs_conn *cp = NULL;
385 struct ip_vs_iphdr iph;
386 struct ip_vs_dest *dest;
387 __be16 _ports[2], *pptr;
391 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
392 pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
397 * FTPDATA needs this check when using local real server.
398 * Never schedule Active FTPDATA connections from real server.
399 * For LVS-NAT they must be already created. For other methods
400 * with persistence the connection is created on SYN+ACK.
402 if (pptr[0] == FTPDATA) {
403 IP_VS_DBG_PKT(12, svc->af, pp, skb, 0,
404 "Not scheduling FTPDATA");
409 * Do not schedule replies from local real server.
411 if ((!skb->dev || skb->dev->flags & IFF_LOOPBACK) &&
412 (cp = pp->conn_in_get(svc->af, skb, &iph, iph.len, 1))) {
413 IP_VS_DBG_PKT(12, svc->af, pp, skb, 0,
414 "Not scheduling reply for existing connection");
415 __ip_vs_conn_put(cp);
422 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
423 return ip_vs_sched_persist(svc, skb, pptr[0], pptr[1], ignored);
428 * Non-persistent service
430 if (!svc->fwmark && pptr[1] != svc->port) {
432 pr_err("Schedule: port zero only supported "
433 "in persistent services, "
434 "check your ipvs configuration\n");
438 dest = svc->scheduler->schedule(svc, skb);
440 IP_VS_DBG(1, "Schedule: no dest found.\n");
444 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
445 && iph.protocol == IPPROTO_UDP)?
446 IP_VS_CONN_F_ONE_PACKET : 0;
449 * Create a connection entry.
452 struct ip_vs_conn_param p;
453 ip_vs_conn_fill_param(svc->af, iph.protocol, &iph.saddr,
454 pptr[0], &iph.daddr, pptr[1], &p);
455 cp = ip_vs_conn_new(&p, &dest->addr,
456 dest->port ? dest->port : pptr[1],
457 flags, dest, skb->mark);
464 IP_VS_DBG_BUF(6, "Schedule fwd:%c c:%s:%u v:%s:%u "
465 "d:%s:%u conn->flags:%X conn->refcnt:%d\n",
467 IP_VS_DBG_ADDR(svc->af, &cp->caddr), ntohs(cp->cport),
468 IP_VS_DBG_ADDR(svc->af, &cp->vaddr), ntohs(cp->vport),
469 IP_VS_DBG_ADDR(svc->af, &cp->daddr), ntohs(cp->dport),
470 cp->flags, atomic_read(&cp->refcnt));
472 ip_vs_conn_stats(cp, svc);
478 * Pass or drop the packet.
479 * Called by ip_vs_in, when the virtual service is available but
480 * no destination is available for a new connection.
482 int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
483 struct ip_vs_proto_data *pd)
485 __be16 _ports[2], *pptr;
486 struct ip_vs_iphdr iph;
489 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
491 pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
493 ip_vs_service_put(svc);
497 #ifdef CONFIG_IP_VS_IPV6
498 if (svc->af == AF_INET6)
499 unicast = ipv6_addr_type(&iph.daddr.in6) & IPV6_ADDR_UNICAST;
502 unicast = (inet_addr_type(&init_net, iph.daddr.ip) == RTN_UNICAST);
504 /* if it is fwmark-based service, the cache_bypass sysctl is up
505 and the destination is a non-local unicast, then create
506 a cache_bypass connection entry */
507 if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) {
509 struct ip_vs_conn *cp;
510 unsigned int flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&
511 iph.protocol == IPPROTO_UDP)?
512 IP_VS_CONN_F_ONE_PACKET : 0;
513 union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } };
515 ip_vs_service_put(svc);
517 /* create a new connection entry */
518 IP_VS_DBG(6, "%s(): create a cache_bypass entry\n", __func__);
520 struct ip_vs_conn_param p;
521 ip_vs_conn_fill_param(svc->af, iph.protocol,
523 &iph.daddr, pptr[1], &p);
524 cp = ip_vs_conn_new(&p, &daddr, 0,
525 IP_VS_CONN_F_BYPASS | flags,
532 ip_vs_in_stats(cp, skb);
535 cs = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pd);
537 /* transmit the first SYN packet */
538 ret = cp->packet_xmit(skb, cp, pd->pp);
539 /* do not touch skb anymore */
541 atomic_inc(&cp->in_pkts);
547 * When the virtual ftp service is presented, packets destined
548 * for other services on the VIP may get here (except services
549 * listed in the ipvs table), pass the packets, because it is
550 * not ipvs job to decide to drop the packets.
552 if ((svc->port == FTPPORT) && (pptr[1] != FTPPORT)) {
553 ip_vs_service_put(svc);
557 ip_vs_service_put(svc);
560 * Notify the client that the destination is unreachable, and
561 * release the socket buffer.
562 * Since it is in IP layer, the TCP socket is not actually
563 * created, the TCP RST packet cannot be sent, instead that
564 * ICMP_PORT_UNREACH is sent here no matter it is TCP/UDP. --WZ
566 #ifdef CONFIG_IP_VS_IPV6
567 if (svc->af == AF_INET6) {
569 struct net *net = dev_net(skb_dst(skb)->dev);
571 skb->dev = net->loopback_dev;
573 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
576 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
581 __sum16 ip_vs_checksum_complete(struct sk_buff *skb, int offset)
583 return csum_fold(skb_checksum(skb, offset, skb->len - offset, 0));
586 static inline enum ip_defrag_users ip_vs_defrag_user(unsigned int hooknum)
588 if (NF_INET_LOCAL_IN == hooknum)
589 return IP_DEFRAG_VS_IN;
590 if (NF_INET_FORWARD == hooknum)
591 return IP_DEFRAG_VS_FWD;
592 return IP_DEFRAG_VS_OUT;
595 static inline int ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user)
597 int err = ip_defrag(skb, user);
600 ip_send_check(ip_hdr(skb));
605 #ifdef CONFIG_IP_VS_IPV6
606 static inline int ip_vs_gather_frags_v6(struct sk_buff *skb, u_int32_t user)
608 /* TODO IPv6: Find out what to do here for IPv6 */
614 * Packet has been made sufficiently writable in caller
615 * - inout: 1=in->out, 0=out->in
617 void ip_vs_nat_icmp(struct sk_buff *skb, struct ip_vs_protocol *pp,
618 struct ip_vs_conn *cp, int inout)
620 struct iphdr *iph = ip_hdr(skb);
621 unsigned int icmp_offset = iph->ihl*4;
622 struct icmphdr *icmph = (struct icmphdr *)(skb_network_header(skb) +
624 struct iphdr *ciph = (struct iphdr *)(icmph + 1);
627 iph->saddr = cp->vaddr.ip;
629 ciph->daddr = cp->vaddr.ip;
632 iph->daddr = cp->daddr.ip;
634 ciph->saddr = cp->daddr.ip;
638 /* the TCP/UDP/SCTP port */
639 if (IPPROTO_TCP == ciph->protocol || IPPROTO_UDP == ciph->protocol ||
640 IPPROTO_SCTP == ciph->protocol) {
641 __be16 *ports = (void *)ciph + ciph->ihl*4;
644 ports[1] = cp->vport;
646 ports[0] = cp->dport;
649 /* And finally the ICMP checksum */
651 icmph->checksum = ip_vs_checksum_complete(skb, icmp_offset);
652 skb->ip_summed = CHECKSUM_UNNECESSARY;
655 IP_VS_DBG_PKT(11, AF_INET, pp, skb, (void *)ciph - (void *)iph,
656 "Forwarding altered outgoing ICMP");
658 IP_VS_DBG_PKT(11, AF_INET, pp, skb, (void *)ciph - (void *)iph,
659 "Forwarding altered incoming ICMP");
662 #ifdef CONFIG_IP_VS_IPV6
663 void ip_vs_nat_icmp_v6(struct sk_buff *skb, struct ip_vs_protocol *pp,
664 struct ip_vs_conn *cp, int inout)
666 struct ipv6hdr *iph = ipv6_hdr(skb);
667 unsigned int icmp_offset = sizeof(struct ipv6hdr);
668 struct icmp6hdr *icmph = (struct icmp6hdr *)(skb_network_header(skb) +
670 struct ipv6hdr *ciph = (struct ipv6hdr *)(icmph + 1);
673 iph->saddr = cp->vaddr.in6;
674 ciph->daddr = cp->vaddr.in6;
676 iph->daddr = cp->daddr.in6;
677 ciph->saddr = cp->daddr.in6;
680 /* the TCP/UDP/SCTP port */
681 if (IPPROTO_TCP == ciph->nexthdr || IPPROTO_UDP == ciph->nexthdr ||
682 IPPROTO_SCTP == ciph->nexthdr) {
683 __be16 *ports = (void *)ciph + sizeof(struct ipv6hdr);
686 ports[1] = cp->vport;
688 ports[0] = cp->dport;
691 /* And finally the ICMP checksum */
692 icmph->icmp6_cksum = ~csum_ipv6_magic(&iph->saddr, &iph->daddr,
693 skb->len - icmp_offset,
695 skb->csum_start = skb_network_header(skb) - skb->head + icmp_offset;
696 skb->csum_offset = offsetof(struct icmp6hdr, icmp6_cksum);
697 skb->ip_summed = CHECKSUM_PARTIAL;
700 IP_VS_DBG_PKT(11, AF_INET6, pp, skb,
701 (void *)ciph - (void *)iph,
702 "Forwarding altered outgoing ICMPv6");
704 IP_VS_DBG_PKT(11, AF_INET6, pp, skb,
705 (void *)ciph - (void *)iph,
706 "Forwarding altered incoming ICMPv6");
710 /* Handle relevant response ICMP messages - forward to the right
711 * destination host. Used for NAT and local client.
713 static int handle_response_icmp(int af, struct sk_buff *skb,
714 union nf_inet_addr *snet,
715 __u8 protocol, struct ip_vs_conn *cp,
716 struct ip_vs_protocol *pp,
717 unsigned int offset, unsigned int ihl)
719 unsigned int verdict = NF_DROP;
721 if (IP_VS_FWD_METHOD(cp) != 0) {
722 pr_err("shouldn't reach here, because the box is on the "
723 "half connection in the tun/dr module.\n");
726 /* Ensure the checksum is correct */
727 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
728 /* Failed checksum! */
729 IP_VS_DBG_BUF(1, "Forward ICMP: failed checksum from %s!\n",
730 IP_VS_DBG_ADDR(af, snet));
734 if (IPPROTO_TCP == protocol || IPPROTO_UDP == protocol ||
735 IPPROTO_SCTP == protocol)
736 offset += 2 * sizeof(__u16);
737 if (!skb_make_writable(skb, offset))
740 #ifdef CONFIG_IP_VS_IPV6
742 ip_vs_nat_icmp_v6(skb, pp, cp, 1);
745 ip_vs_nat_icmp(skb, pp, cp, 1);
747 #ifdef CONFIG_IP_VS_IPV6
748 if (af == AF_INET6) {
749 if (sysctl_ip_vs_snat_reroute && ip6_route_me_harder(skb) != 0)
753 if ((sysctl_ip_vs_snat_reroute ||
754 skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
755 ip_route_me_harder(skb, RTN_LOCAL) != 0)
758 /* do the statistics and put it back */
759 ip_vs_out_stats(cp, skb);
761 skb->ipvs_property = 1;
762 if (!(cp->flags & IP_VS_CONN_F_NFCT))
765 ip_vs_update_conntrack(skb, cp, 0);
769 __ip_vs_conn_put(cp);
775 * Handle ICMP messages in the inside-to-outside direction (outgoing).
776 * Find any that might be relevant, check against existing connections.
777 * Currently handles error types - unreachable, quench, ttl exceeded.
779 static int ip_vs_out_icmp(struct sk_buff *skb, int *related,
780 unsigned int hooknum)
783 struct icmphdr _icmph, *ic;
784 struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */
785 struct ip_vs_iphdr ciph;
786 struct ip_vs_conn *cp;
787 struct ip_vs_protocol *pp;
788 unsigned int offset, ihl;
789 union nf_inet_addr snet;
793 /* reassemble IP fragments */
794 if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
795 if (ip_vs_gather_frags(skb, ip_vs_defrag_user(hooknum)))
800 offset = ihl = iph->ihl * 4;
801 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
805 IP_VS_DBG(12, "Outgoing ICMP (%d,%d) %pI4->%pI4\n",
806 ic->type, ntohs(icmp_id(ic)),
807 &iph->saddr, &iph->daddr);
810 * Work through seeing if this is for us.
811 * These checks are supposed to be in an order that means easy
812 * things are checked first to speed up processing.... however
813 * this means that some packets will manage to get a long way
814 * down this stack and then be rejected, but that's life.
816 if ((ic->type != ICMP_DEST_UNREACH) &&
817 (ic->type != ICMP_SOURCE_QUENCH) &&
818 (ic->type != ICMP_TIME_EXCEEDED)) {
823 /* Now find the contained IP header */
824 offset += sizeof(_icmph);
825 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
827 return NF_ACCEPT; /* The packet looks wrong, ignore */
829 pp = ip_vs_proto_get(cih->protocol);
833 /* Is the embedded protocol header present? */
834 if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
838 IP_VS_DBG_PKT(11, AF_INET, pp, skb, offset,
839 "Checking outgoing ICMP for");
841 offset += cih->ihl * 4;
843 ip_vs_fill_iphdr(AF_INET, cih, &ciph);
844 /* The embedded headers contain source and dest in reverse order */
845 cp = pp->conn_out_get(AF_INET, skb, &ciph, offset, 1);
849 snet.ip = iph->saddr;
850 return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp,
854 #ifdef CONFIG_IP_VS_IPV6
855 static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related,
856 unsigned int hooknum)
859 struct icmp6hdr _icmph, *ic;
860 struct ipv6hdr _ciph, *cih; /* The ip header contained
862 struct ip_vs_iphdr ciph;
863 struct ip_vs_conn *cp;
864 struct ip_vs_protocol *pp;
866 union nf_inet_addr snet;
870 /* reassemble IP fragments */
871 if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) {
872 if (ip_vs_gather_frags_v6(skb, ip_vs_defrag_user(hooknum)))
877 offset = sizeof(struct ipv6hdr);
878 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
882 IP_VS_DBG(12, "Outgoing ICMPv6 (%d,%d) %pI6->%pI6\n",
883 ic->icmp6_type, ntohs(icmpv6_id(ic)),
884 &iph->saddr, &iph->daddr);
887 * Work through seeing if this is for us.
888 * These checks are supposed to be in an order that means easy
889 * things are checked first to speed up processing.... however
890 * this means that some packets will manage to get a long way
891 * down this stack and then be rejected, but that's life.
893 if ((ic->icmp6_type != ICMPV6_DEST_UNREACH) &&
894 (ic->icmp6_type != ICMPV6_PKT_TOOBIG) &&
895 (ic->icmp6_type != ICMPV6_TIME_EXCEED)) {
900 /* Now find the contained IP header */
901 offset += sizeof(_icmph);
902 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
904 return NF_ACCEPT; /* The packet looks wrong, ignore */
906 pp = ip_vs_proto_get(cih->nexthdr);
910 /* Is the embedded protocol header present? */
911 /* TODO: we don't support fragmentation at the moment anyways */
912 if (unlikely(cih->nexthdr == IPPROTO_FRAGMENT && pp->dont_defrag))
915 IP_VS_DBG_PKT(11, AF_INET6, pp, skb, offset,
916 "Checking outgoing ICMPv6 for");
918 offset += sizeof(struct ipv6hdr);
920 ip_vs_fill_iphdr(AF_INET6, cih, &ciph);
921 /* The embedded headers contain source and dest in reverse order */
922 cp = pp->conn_out_get(AF_INET6, skb, &ciph, offset, 1);
926 ipv6_addr_copy(&snet.in6, &iph->saddr);
927 return handle_response_icmp(AF_INET6, skb, &snet, cih->nexthdr, cp,
928 pp, offset, sizeof(struct ipv6hdr));
933 * Check if sctp chunc is ABORT chunk
935 static inline int is_sctp_abort(const struct sk_buff *skb, int nh_len)
937 sctp_chunkhdr_t *sch, schunk;
938 sch = skb_header_pointer(skb, nh_len + sizeof(sctp_sctphdr_t),
939 sizeof(schunk), &schunk);
942 if (sch->type == SCTP_CID_ABORT)
947 static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len)
949 struct tcphdr _tcph, *th;
951 th = skb_header_pointer(skb, nh_len, sizeof(_tcph), &_tcph);
957 /* Handle response packets: rewrite addresses and send away...
958 * Used for NAT and local client.
961 handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
962 struct ip_vs_conn *cp, int ihl)
964 struct ip_vs_protocol *pp = pd->pp;
966 IP_VS_DBG_PKT(11, af, pp, skb, 0, "Outgoing packet");
968 if (!skb_make_writable(skb, ihl))
971 /* mangle the packet */
972 if (pp->snat_handler && !pp->snat_handler(skb, pp, cp))
975 #ifdef CONFIG_IP_VS_IPV6
977 ipv6_hdr(skb)->saddr = cp->vaddr.in6;
981 ip_hdr(skb)->saddr = cp->vaddr.ip;
982 ip_send_check(ip_hdr(skb));
986 * nf_iterate does not expect change in the skb->dst->dev.
987 * It looks like it is not fatal to enable this code for hooks
988 * where our handlers are at the end of the chain list and
989 * when all next handlers use skb->dst->dev and not outdev.
990 * It will definitely route properly the inout NAT traffic
991 * when multiple paths are used.
994 /* For policy routing, packets originating from this
995 * machine itself may be routed differently to packets
996 * passing through. We want this packet to be routed as
997 * if it came from this machine itself. So re-compute
998 * the routing information.
1000 #ifdef CONFIG_IP_VS_IPV6
1001 if (af == AF_INET6) {
1002 if (sysctl_ip_vs_snat_reroute && ip6_route_me_harder(skb) != 0)
1006 if ((sysctl_ip_vs_snat_reroute ||
1007 skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
1008 ip_route_me_harder(skb, RTN_LOCAL) != 0)
1011 IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT");
1013 ip_vs_out_stats(cp, skb);
1014 ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pd);
1015 skb->ipvs_property = 1;
1016 if (!(cp->flags & IP_VS_CONN_F_NFCT))
1019 ip_vs_update_conntrack(skb, cp, 0);
1033 * Check if outgoing packet belongs to the established ip_vs_conn.
1036 ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
1038 struct net *net = NULL;
1039 struct ip_vs_iphdr iph;
1040 struct ip_vs_protocol *pp;
1041 struct ip_vs_proto_data *pd;
1042 struct ip_vs_conn *cp;
1046 /* Already marked as IPVS request or reply? */
1047 if (skb->ipvs_property)
1050 /* Bad... Do not break raw sockets */
1051 if (unlikely(skb->sk != NULL && hooknum == NF_INET_LOCAL_OUT &&
1053 struct sock *sk = skb->sk;
1054 struct inet_sock *inet = inet_sk(skb->sk);
1056 if (inet && sk->sk_family == PF_INET && inet->nodefrag)
1060 if (unlikely(!skb_dst(skb)))
1064 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1065 #ifdef CONFIG_IP_VS_IPV6
1066 if (af == AF_INET6) {
1067 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
1069 int verdict = ip_vs_out_icmp_v6(skb, &related,
1074 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1078 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
1080 int verdict = ip_vs_out_icmp(skb, &related, hooknum);
1084 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1087 pd = ip_vs_proto_data_get(net, iph.protocol);
1092 /* reassemble IP fragments */
1093 #ifdef CONFIG_IP_VS_IPV6
1094 if (af == AF_INET6) {
1095 if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) {
1096 if (ip_vs_gather_frags_v6(skb,
1097 ip_vs_defrag_user(hooknum)))
1101 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1104 if (unlikely(ip_hdr(skb)->frag_off & htons(IP_MF|IP_OFFSET) &&
1105 !pp->dont_defrag)) {
1106 if (ip_vs_gather_frags(skb,
1107 ip_vs_defrag_user(hooknum)))
1110 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1114 * Check if the packet belongs to an existing entry
1116 cp = pp->conn_out_get(af, skb, &iph, iph.len, 0);
1119 return handle_response(af, skb, pd, cp, iph.len);
1120 if (sysctl_ip_vs_nat_icmp_send &&
1121 (pp->protocol == IPPROTO_TCP ||
1122 pp->protocol == IPPROTO_UDP ||
1123 pp->protocol == IPPROTO_SCTP)) {
1124 __be16 _ports[2], *pptr;
1126 pptr = skb_header_pointer(skb, iph.len,
1127 sizeof(_ports), _ports);
1129 return NF_ACCEPT; /* Not for me */
1130 if (ip_vs_lookup_real_service(net, af, iph.protocol,
1134 * Notify the real server: there is no
1135 * existing entry if it is not RST
1136 * packet or not TCP packet.
1138 if ((iph.protocol != IPPROTO_TCP &&
1139 iph.protocol != IPPROTO_SCTP)
1140 || ((iph.protocol == IPPROTO_TCP
1141 && !is_tcp_reset(skb, iph.len))
1142 || (iph.protocol == IPPROTO_SCTP
1143 && !is_sctp_abort(skb,
1145 #ifdef CONFIG_IP_VS_IPV6
1146 if (af == AF_INET6) {
1148 dev_net(skb_dst(skb)->dev);
1151 skb->dev = net->loopback_dev;
1153 ICMPV6_DEST_UNREACH,
1154 ICMPV6_PORT_UNREACH,
1160 ICMP_PORT_UNREACH, 0);
1165 IP_VS_DBG_PKT(12, af, pp, skb, 0,
1166 "ip_vs_out: packet continues traversal as normal");
1171 * It is hooked at the NF_INET_FORWARD and NF_INET_LOCAL_IN chain,
1172 * used only for VS/NAT.
1173 * Check if packet is reply for established ip_vs_conn.
1176 ip_vs_reply4(unsigned int hooknum, struct sk_buff *skb,
1177 const struct net_device *in, const struct net_device *out,
1178 int (*okfn)(struct sk_buff *))
1180 return ip_vs_out(hooknum, skb, AF_INET);
1184 * It is hooked at the NF_INET_LOCAL_OUT chain, used only for VS/NAT.
1185 * Check if packet is reply for established ip_vs_conn.
1188 ip_vs_local_reply4(unsigned int hooknum, struct sk_buff *skb,
1189 const struct net_device *in, const struct net_device *out,
1190 int (*okfn)(struct sk_buff *))
1192 unsigned int verdict;
1194 /* Disable BH in LOCAL_OUT until all places are fixed */
1196 verdict = ip_vs_out(hooknum, skb, AF_INET);
1201 #ifdef CONFIG_IP_VS_IPV6
1204 * It is hooked at the NF_INET_FORWARD and NF_INET_LOCAL_IN chain,
1205 * used only for VS/NAT.
1206 * Check if packet is reply for established ip_vs_conn.
1209 ip_vs_reply6(unsigned int hooknum, struct sk_buff *skb,
1210 const struct net_device *in, const struct net_device *out,
1211 int (*okfn)(struct sk_buff *))
1213 return ip_vs_out(hooknum, skb, AF_INET6);
1217 * It is hooked at the NF_INET_LOCAL_OUT chain, used only for VS/NAT.
1218 * Check if packet is reply for established ip_vs_conn.
1221 ip_vs_local_reply6(unsigned int hooknum, struct sk_buff *skb,
1222 const struct net_device *in, const struct net_device *out,
1223 int (*okfn)(struct sk_buff *))
1225 unsigned int verdict;
1227 /* Disable BH in LOCAL_OUT until all places are fixed */
1229 verdict = ip_vs_out(hooknum, skb, AF_INET6);
1237 * Handle ICMP messages in the outside-to-inside direction (incoming).
1238 * Find any that might be relevant, check against existing connections,
1239 * forward to the right destination host if relevant.
1240 * Currently handles error types - unreachable, quench, ttl exceeded.
1243 ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
1245 struct net *net = NULL;
1247 struct icmphdr _icmph, *ic;
1248 struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */
1249 struct ip_vs_iphdr ciph;
1250 struct ip_vs_conn *cp;
1251 struct ip_vs_protocol *pp;
1252 struct ip_vs_proto_data *pd;
1253 unsigned int offset, ihl, verdict;
1254 union nf_inet_addr snet;
1258 /* reassemble IP fragments */
1259 if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
1260 if (ip_vs_gather_frags(skb, ip_vs_defrag_user(hooknum)))
1265 offset = ihl = iph->ihl * 4;
1266 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
1270 IP_VS_DBG(12, "Incoming ICMP (%d,%d) %pI4->%pI4\n",
1271 ic->type, ntohs(icmp_id(ic)),
1272 &iph->saddr, &iph->daddr);
1275 * Work through seeing if this is for us.
1276 * These checks are supposed to be in an order that means easy
1277 * things are checked first to speed up processing.... however
1278 * this means that some packets will manage to get a long way
1279 * down this stack and then be rejected, but that's life.
1281 if ((ic->type != ICMP_DEST_UNREACH) &&
1282 (ic->type != ICMP_SOURCE_QUENCH) &&
1283 (ic->type != ICMP_TIME_EXCEEDED)) {
1288 /* Now find the contained IP header */
1289 offset += sizeof(_icmph);
1290 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1292 return NF_ACCEPT; /* The packet looks wrong, ignore */
1295 pd = ip_vs_proto_data_get(net, cih->protocol);
1300 /* Is the embedded protocol header present? */
1301 if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
1305 IP_VS_DBG_PKT(11, AF_INET, pp, skb, offset,
1306 "Checking incoming ICMP for");
1308 offset += cih->ihl * 4;
1310 ip_vs_fill_iphdr(AF_INET, cih, &ciph);
1311 /* The embedded headers contain source and dest in reverse order */
1312 cp = pp->conn_in_get(AF_INET, skb, &ciph, offset, 1);
1314 /* The packet could also belong to a local client */
1315 cp = pp->conn_out_get(AF_INET, skb, &ciph, offset, 1);
1317 snet.ip = iph->saddr;
1318 return handle_response_icmp(AF_INET, skb, &snet,
1319 cih->protocol, cp, pp,
1327 /* Ensure the checksum is correct */
1328 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
1329 /* Failed checksum! */
1330 IP_VS_DBG(1, "Incoming ICMP: failed checksum from %pI4!\n",
1335 /* do the statistics and put it back */
1336 ip_vs_in_stats(cp, skb);
1337 if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol)
1338 offset += 2 * sizeof(__u16);
1339 verdict = ip_vs_icmp_xmit(skb, cp, pp, offset);
1340 /* LOCALNODE from FORWARD hook is not supported */
1341 if (verdict == NF_ACCEPT && hooknum == NF_INET_FORWARD &&
1342 skb_rtable(skb)->rt_flags & RTCF_LOCAL) {
1343 IP_VS_DBG(1, "%s(): "
1344 "local delivery to %pI4 but in FORWARD\n",
1345 __func__, &skb_rtable(skb)->rt_dst);
1350 __ip_vs_conn_put(cp);
1355 #ifdef CONFIG_IP_VS_IPV6
1357 ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum)
1359 struct net *net = NULL;
1360 struct ipv6hdr *iph;
1361 struct icmp6hdr _icmph, *ic;
1362 struct ipv6hdr _ciph, *cih; /* The ip header contained
1364 struct ip_vs_iphdr ciph;
1365 struct ip_vs_conn *cp;
1366 struct ip_vs_protocol *pp;
1367 struct ip_vs_proto_data *pd;
1368 unsigned int offset, verdict;
1369 union nf_inet_addr snet;
1370 struct rt6_info *rt;
1374 /* reassemble IP fragments */
1375 if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) {
1376 if (ip_vs_gather_frags_v6(skb, ip_vs_defrag_user(hooknum)))
1380 iph = ipv6_hdr(skb);
1381 offset = sizeof(struct ipv6hdr);
1382 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
1386 IP_VS_DBG(12, "Incoming ICMPv6 (%d,%d) %pI6->%pI6\n",
1387 ic->icmp6_type, ntohs(icmpv6_id(ic)),
1388 &iph->saddr, &iph->daddr);
1391 * Work through seeing if this is for us.
1392 * These checks are supposed to be in an order that means easy
1393 * things are checked first to speed up processing.... however
1394 * this means that some packets will manage to get a long way
1395 * down this stack and then be rejected, but that's life.
1397 if ((ic->icmp6_type != ICMPV6_DEST_UNREACH) &&
1398 (ic->icmp6_type != ICMPV6_PKT_TOOBIG) &&
1399 (ic->icmp6_type != ICMPV6_TIME_EXCEED)) {
1404 /* Now find the contained IP header */
1405 offset += sizeof(_icmph);
1406 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1408 return NF_ACCEPT; /* The packet looks wrong, ignore */
1411 pd = ip_vs_proto_data_get(net, cih->nexthdr);
1416 /* Is the embedded protocol header present? */
1417 /* TODO: we don't support fragmentation at the moment anyways */
1418 if (unlikely(cih->nexthdr == IPPROTO_FRAGMENT && pp->dont_defrag))
1421 IP_VS_DBG_PKT(11, AF_INET6, pp, skb, offset,
1422 "Checking incoming ICMPv6 for");
1424 offset += sizeof(struct ipv6hdr);
1426 ip_vs_fill_iphdr(AF_INET6, cih, &ciph);
1427 /* The embedded headers contain source and dest in reverse order */
1428 cp = pp->conn_in_get(AF_INET6, skb, &ciph, offset, 1);
1430 /* The packet could also belong to a local client */
1431 cp = pp->conn_out_get(AF_INET6, skb, &ciph, offset, 1);
1433 ipv6_addr_copy(&snet.in6, &iph->saddr);
1434 return handle_response_icmp(AF_INET6, skb, &snet,
1437 sizeof(struct ipv6hdr));
1444 /* do the statistics and put it back */
1445 ip_vs_in_stats(cp, skb);
1446 if (IPPROTO_TCP == cih->nexthdr || IPPROTO_UDP == cih->nexthdr ||
1447 IPPROTO_SCTP == cih->nexthdr)
1448 offset += 2 * sizeof(__u16);
1449 verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, offset);
1450 /* LOCALNODE from FORWARD hook is not supported */
1451 if (verdict == NF_ACCEPT && hooknum == NF_INET_FORWARD &&
1452 (rt = (struct rt6_info *) skb_dst(skb)) &&
1453 rt->rt6i_dev && rt->rt6i_dev->flags & IFF_LOOPBACK) {
1454 IP_VS_DBG(1, "%s(): "
1455 "local delivery to %pI6 but in FORWARD\n",
1456 __func__, &rt->rt6i_dst);
1460 __ip_vs_conn_put(cp);
1468 * Check if it's for virtual services, look it up,
1469 * and send it on its way...
1472 ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
1475 struct ip_vs_iphdr iph;
1476 struct ip_vs_protocol *pp;
1477 struct ip_vs_proto_data *pd;
1478 struct ip_vs_conn *cp;
1479 int ret, restart, pkts;
1480 struct netns_ipvs *ipvs;
1482 /* Already marked as IPVS request or reply? */
1483 if (skb->ipvs_property)
1488 * - remote client: only PACKET_HOST
1489 * - route: used for struct net when skb->dev is unset
1491 if (unlikely((skb->pkt_type != PACKET_HOST &&
1492 hooknum != NF_INET_LOCAL_OUT) ||
1494 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1495 IP_VS_DBG_BUF(12, "packet type=%d proto=%d daddr=%s"
1496 " ignored in hook %u\n",
1497 skb->pkt_type, iph.protocol,
1498 IP_VS_DBG_ADDR(af, &iph.daddr), hooknum);
1501 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1503 /* Bad... Do not break raw sockets */
1504 if (unlikely(skb->sk != NULL && hooknum == NF_INET_LOCAL_OUT &&
1506 struct sock *sk = skb->sk;
1507 struct inet_sock *inet = inet_sk(skb->sk);
1509 if (inet && sk->sk_family == PF_INET && inet->nodefrag)
1513 #ifdef CONFIG_IP_VS_IPV6
1514 if (af == AF_INET6) {
1515 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
1517 int verdict = ip_vs_in_icmp_v6(skb, &related, hooknum);
1521 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1525 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
1527 int verdict = ip_vs_in_icmp(skb, &related, hooknum);
1531 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1535 /* Protocol supported? */
1536 pd = ip_vs_proto_data_get(net, iph.protocol);
1541 * Check if the packet belongs to an existing connection entry
1543 cp = pp->conn_in_get(af, skb, &iph, iph.len, 0);
1545 if (unlikely(!cp)) {
1548 if (!pp->conn_schedule(af, skb, pd, &v, &cp))
1552 if (unlikely(!cp)) {
1553 /* sorry, all this trouble for a no-hit :) */
1554 IP_VS_DBG_PKT(12, af, pp, skb, 0,
1555 "ip_vs_in: packet continues traversal as normal");
1559 IP_VS_DBG_PKT(11, af, pp, skb, 0, "Incoming packet");
1561 ipvs = net_ipvs(net);
1562 /* Check the server status */
1563 if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
1564 /* the destination server is not available */
1566 if (sysctl_ip_vs_expire_nodest_conn) {
1567 /* try to expire the connection immediately */
1568 ip_vs_conn_expire_now(cp);
1570 /* don't restart its timer, and silently
1572 __ip_vs_conn_put(cp);
1576 ip_vs_in_stats(cp, skb);
1577 restart = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pd);
1578 if (cp->packet_xmit)
1579 ret = cp->packet_xmit(skb, cp, pp);
1580 /* do not touch skb anymore */
1582 IP_VS_DBG_RL("warning: packet_xmit is null");
1586 /* Increase its packet counter and check if it is needed
1587 * to be synchronized
1589 * Sync connection if it is about to close to
1590 * encorage the standby servers to update the connections timeout
1592 * For ONE_PKT let ip_vs_sync_conn() do the filter work.
1595 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
1596 pkts = sysctl_ip_vs_sync_threshold[0];
1598 pkts = atomic_add_return(1, &cp->in_pkts);
1600 if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
1601 cp->protocol == IPPROTO_SCTP) {
1602 if ((cp->state == IP_VS_SCTP_S_ESTABLISHED &&
1603 (pkts % sysctl_ip_vs_sync_threshold[1]
1604 == sysctl_ip_vs_sync_threshold[0])) ||
1605 (cp->old_state != cp->state &&
1606 ((cp->state == IP_VS_SCTP_S_CLOSED) ||
1607 (cp->state == IP_VS_SCTP_S_SHUT_ACK_CLI) ||
1608 (cp->state == IP_VS_SCTP_S_SHUT_ACK_SER)))) {
1609 ip_vs_sync_conn(net, cp);
1614 /* Keep this block last: TCP and others with pp->num_states <= 1 */
1615 else if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
1616 (((cp->protocol != IPPROTO_TCP ||
1617 cp->state == IP_VS_TCP_S_ESTABLISHED) &&
1618 (pkts % sysctl_ip_vs_sync_threshold[1]
1619 == sysctl_ip_vs_sync_threshold[0])) ||
1620 ((cp->protocol == IPPROTO_TCP) && (cp->old_state != cp->state) &&
1621 ((cp->state == IP_VS_TCP_S_FIN_WAIT) ||
1622 (cp->state == IP_VS_TCP_S_CLOSE) ||
1623 (cp->state == IP_VS_TCP_S_CLOSE_WAIT) ||
1624 (cp->state == IP_VS_TCP_S_TIME_WAIT)))))
1625 ip_vs_sync_conn(net, cp);
1627 cp->old_state = cp->state;
1634 * AF_INET handler in NF_INET_LOCAL_IN chain
1635 * Schedule and forward packets from remote clients
1638 ip_vs_remote_request4(unsigned int hooknum, struct sk_buff *skb,
1639 const struct net_device *in,
1640 const struct net_device *out,
1641 int (*okfn)(struct sk_buff *))
1643 return ip_vs_in(hooknum, skb, AF_INET);
1647 * AF_INET handler in NF_INET_LOCAL_OUT chain
1648 * Schedule and forward packets from local clients
1651 ip_vs_local_request4(unsigned int hooknum, struct sk_buff *skb,
1652 const struct net_device *in, const struct net_device *out,
1653 int (*okfn)(struct sk_buff *))
1655 unsigned int verdict;
1657 /* Disable BH in LOCAL_OUT until all places are fixed */
1659 verdict = ip_vs_in(hooknum, skb, AF_INET);
1664 #ifdef CONFIG_IP_VS_IPV6
1667 * AF_INET6 handler in NF_INET_LOCAL_IN chain
1668 * Schedule and forward packets from remote clients
1671 ip_vs_remote_request6(unsigned int hooknum, struct sk_buff *skb,
1672 const struct net_device *in,
1673 const struct net_device *out,
1674 int (*okfn)(struct sk_buff *))
1676 return ip_vs_in(hooknum, skb, AF_INET6);
1680 * AF_INET6 handler in NF_INET_LOCAL_OUT chain
1681 * Schedule and forward packets from local clients
1684 ip_vs_local_request6(unsigned int hooknum, struct sk_buff *skb,
1685 const struct net_device *in, const struct net_device *out,
1686 int (*okfn)(struct sk_buff *))
1688 unsigned int verdict;
1690 /* Disable BH in LOCAL_OUT until all places are fixed */
1692 verdict = ip_vs_in(hooknum, skb, AF_INET6);
1701 * It is hooked at the NF_INET_FORWARD chain, in order to catch ICMP
1702 * related packets destined for 0.0.0.0/0.
1703 * When fwmark-based virtual service is used, such as transparent
1704 * cache cluster, TCP packets can be marked and routed to ip_vs_in,
1705 * but ICMP destined for 0.0.0.0/0 cannot not be easily marked and
1706 * sent to ip_vs_in_icmp. So, catch them at the NF_INET_FORWARD chain
1707 * and send them to ip_vs_in_icmp.
1710 ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff *skb,
1711 const struct net_device *in, const struct net_device *out,
1712 int (*okfn)(struct sk_buff *))
1716 if (ip_hdr(skb)->protocol != IPPROTO_ICMP)
1719 return ip_vs_in_icmp(skb, &r, hooknum);
1722 #ifdef CONFIG_IP_VS_IPV6
1724 ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
1725 const struct net_device *in, const struct net_device *out,
1726 int (*okfn)(struct sk_buff *))
1730 if (ipv6_hdr(skb)->nexthdr != IPPROTO_ICMPV6)
1733 return ip_vs_in_icmp_v6(skb, &r, hooknum);
1738 static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1739 /* After packet filtering, change source only for VS/NAT */
1741 .hook = ip_vs_reply4,
1742 .owner = THIS_MODULE,
1744 .hooknum = NF_INET_LOCAL_IN,
1747 /* After packet filtering, forward packet through VS/DR, VS/TUN,
1748 * or VS/NAT(change destination), so that filtering rules can be
1749 * applied to IPVS. */
1751 .hook = ip_vs_remote_request4,
1752 .owner = THIS_MODULE,
1754 .hooknum = NF_INET_LOCAL_IN,
1757 /* Before ip_vs_in, change source only for VS/NAT */
1759 .hook = ip_vs_local_reply4,
1760 .owner = THIS_MODULE,
1762 .hooknum = NF_INET_LOCAL_OUT,
1765 /* After mangle, schedule and forward local requests */
1767 .hook = ip_vs_local_request4,
1768 .owner = THIS_MODULE,
1770 .hooknum = NF_INET_LOCAL_OUT,
1773 /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1774 * destined for 0.0.0.0/0, which is for incoming IPVS connections */
1776 .hook = ip_vs_forward_icmp,
1777 .owner = THIS_MODULE,
1779 .hooknum = NF_INET_FORWARD,
1782 /* After packet filtering, change source only for VS/NAT */
1784 .hook = ip_vs_reply4,
1785 .owner = THIS_MODULE,
1787 .hooknum = NF_INET_FORWARD,
1790 #ifdef CONFIG_IP_VS_IPV6
1791 /* After packet filtering, change source only for VS/NAT */
1793 .hook = ip_vs_reply6,
1794 .owner = THIS_MODULE,
1796 .hooknum = NF_INET_LOCAL_IN,
1799 /* After packet filtering, forward packet through VS/DR, VS/TUN,
1800 * or VS/NAT(change destination), so that filtering rules can be
1801 * applied to IPVS. */
1803 .hook = ip_vs_remote_request6,
1804 .owner = THIS_MODULE,
1806 .hooknum = NF_INET_LOCAL_IN,
1809 /* Before ip_vs_in, change source only for VS/NAT */
1811 .hook = ip_vs_local_reply6,
1812 .owner = THIS_MODULE,
1814 .hooknum = NF_INET_LOCAL_OUT,
1817 /* After mangle, schedule and forward local requests */
1819 .hook = ip_vs_local_request6,
1820 .owner = THIS_MODULE,
1822 .hooknum = NF_INET_LOCAL_OUT,
1825 /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1826 * destined for 0.0.0.0/0, which is for incoming IPVS connections */
1828 .hook = ip_vs_forward_icmp_v6,
1829 .owner = THIS_MODULE,
1831 .hooknum = NF_INET_FORWARD,
1834 /* After packet filtering, change source only for VS/NAT */
1836 .hook = ip_vs_reply6,
1837 .owner = THIS_MODULE,
1839 .hooknum = NF_INET_FORWARD,
1846 * Initialize IP Virtual Server netns mem.
1848 static int __net_init __ip_vs_init(struct net *net)
1850 struct netns_ipvs *ipvs;
1852 if (!net_eq(net, &init_net)) {
1853 pr_err("The final patch for enabling netns is missing\n");
1856 ipvs = net_generic(net, ip_vs_net_id);
1858 pr_err("%s(): no memory.\n", __func__);
1861 /* Counters used for creating unique names */
1862 ipvs->gen = atomic_read(&ipvs_netns_cnt);
1863 atomic_inc(&ipvs_netns_cnt);
1865 printk(KERN_INFO "IPVS: Creating netns size=%lu id=%d\n",
1866 sizeof(struct netns_ipvs), ipvs->gen);
1870 static void __net_exit __ip_vs_cleanup(struct net *net)
1872 struct netns_ipvs *ipvs = net_ipvs(net);
1874 IP_VS_DBG(10, "ipvs netns %d released\n", ipvs->gen);
1877 static struct pernet_operations ipvs_core_ops = {
1878 .init = __ip_vs_init,
1879 .exit = __ip_vs_cleanup,
1880 .id = &ip_vs_net_id,
1881 .size = sizeof(struct netns_ipvs),
1885 * Initialize IP Virtual Server
1887 static int __init ip_vs_init(void)
1891 ret = register_pernet_subsys(&ipvs_core_ops); /* Alloc ip_vs struct */
1895 ip_vs_estimator_init();
1896 ret = ip_vs_control_init();
1898 pr_err("can't setup control.\n");
1899 goto cleanup_estimator;
1902 ip_vs_protocol_init();
1904 ret = ip_vs_app_init();
1906 pr_err("can't setup application helper.\n");
1907 goto cleanup_protocol;
1910 ret = ip_vs_conn_init();
1912 pr_err("can't setup connection table.\n");
1916 ret = ip_vs_sync_init();
1918 pr_err("can't setup sync data.\n");
1922 ret = nf_register_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
1924 pr_err("can't register hooks.\n");
1928 pr_info("ipvs loaded.\n");
1932 ip_vs_sync_cleanup();
1934 ip_vs_conn_cleanup();
1936 ip_vs_app_cleanup();
1938 ip_vs_protocol_cleanup();
1939 ip_vs_control_cleanup();
1941 ip_vs_estimator_cleanup();
1942 unregister_pernet_subsys(&ipvs_core_ops); /* free ip_vs struct */
1946 static void __exit ip_vs_cleanup(void)
1948 nf_unregister_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
1949 ip_vs_sync_cleanup();
1950 ip_vs_conn_cleanup();
1951 ip_vs_app_cleanup();
1952 ip_vs_protocol_cleanup();
1953 ip_vs_control_cleanup();
1954 ip_vs_estimator_cleanup();
1955 unregister_pernet_subsys(&ipvs_core_ops); /* free ip_vs struct */
1956 pr_info("ipvs unloaded.\n");
1959 module_init(ip_vs_init);
1960 module_exit(ip_vs_cleanup);
1961 MODULE_LICENSE("GPL");
git.openpandora.org / pandora-kernel.git / blob