2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the Netfilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
17 * The IPVS code for kernel 2.2 was done by Wensong Zhang and Peter Kese,
18 * with changes/fixes from Julian Anastasov, Lars Marowsky-Bree, Horms
22 * Paul `Rusty' Russell properly handle non-linear skbs
23 * Harald Welte don't use nfcache
27 #define KMSG_COMPONENT "IPVS"
28 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
30 #include <linux/module.h>
31 #include <linux/kernel.h>
33 #include <linux/tcp.h>
34 #include <linux/sctp.h>
35 #include <linux/icmp.h>
36 #include <linux/slab.h>
41 #include <net/icmp.h> /* for icmp_send */
42 #include <net/route.h>
43 #include <net/ip6_checksum.h>
45 #include <linux/netfilter.h>
46 #include <linux/netfilter_ipv4.h>
48 #ifdef CONFIG_IP_VS_IPV6
50 #include <linux/netfilter_ipv6.h>
51 #include <net/ip6_route.h>
54 #include <net/ip_vs.h>
57 EXPORT_SYMBOL(register_ip_vs_scheduler);
58 EXPORT_SYMBOL(unregister_ip_vs_scheduler);
59 EXPORT_SYMBOL(ip_vs_proto_name);
60 EXPORT_SYMBOL(ip_vs_conn_new);
61 EXPORT_SYMBOL(ip_vs_conn_in_get);
62 EXPORT_SYMBOL(ip_vs_conn_out_get);
63 #ifdef CONFIG_IP_VS_PROTO_TCP
64 EXPORT_SYMBOL(ip_vs_tcp_conn_listen);
66 EXPORT_SYMBOL(ip_vs_conn_put);
67 #ifdef CONFIG_IP_VS_DEBUG
68 EXPORT_SYMBOL(ip_vs_get_debug_level);
72 /* ID used in ICMP lookups */
73 #define icmp_id(icmph) (((icmph)->un).echo.id)
74 #define icmpv6_id(icmph) (icmph->icmp6_dataun.u_echo.identifier)
76 const char *ip_vs_proto_name(unsigned proto)
91 #ifdef CONFIG_IP_VS_IPV6
96 sprintf(buf, "IP_%d", proto);
101 void ip_vs_init_hash_table(struct list_head *table, int rows)
104 INIT_LIST_HEAD(&table[rows]);
108 ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
110 struct ip_vs_dest *dest = cp->dest;
111 if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
112 spin_lock(&dest->stats.lock);
113 dest->stats.ustats.inpkts++;
114 dest->stats.ustats.inbytes += skb->len;
115 spin_unlock(&dest->stats.lock);
117 spin_lock(&dest->svc->stats.lock);
118 dest->svc->stats.ustats.inpkts++;
119 dest->svc->stats.ustats.inbytes += skb->len;
120 spin_unlock(&dest->svc->stats.lock);
122 spin_lock(&ip_vs_stats.lock);
123 ip_vs_stats.ustats.inpkts++;
124 ip_vs_stats.ustats.inbytes += skb->len;
125 spin_unlock(&ip_vs_stats.lock);
131 ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
133 struct ip_vs_dest *dest = cp->dest;
134 if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
135 spin_lock(&dest->stats.lock);
136 dest->stats.ustats.outpkts++;
137 dest->stats.ustats.outbytes += skb->len;
138 spin_unlock(&dest->stats.lock);
140 spin_lock(&dest->svc->stats.lock);
141 dest->svc->stats.ustats.outpkts++;
142 dest->svc->stats.ustats.outbytes += skb->len;
143 spin_unlock(&dest->svc->stats.lock);
145 spin_lock(&ip_vs_stats.lock);
146 ip_vs_stats.ustats.outpkts++;
147 ip_vs_stats.ustats.outbytes += skb->len;
148 spin_unlock(&ip_vs_stats.lock);
154 ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
156 spin_lock(&cp->dest->stats.lock);
157 cp->dest->stats.ustats.conns++;
158 spin_unlock(&cp->dest->stats.lock);
160 spin_lock(&svc->stats.lock);
161 svc->stats.ustats.conns++;
162 spin_unlock(&svc->stats.lock);
164 spin_lock(&ip_vs_stats.lock);
165 ip_vs_stats.ustats.conns++;
166 spin_unlock(&ip_vs_stats.lock);
171 ip_vs_set_state(struct ip_vs_conn *cp, int direction,
172 const struct sk_buff *skb,
173 struct ip_vs_protocol *pp)
175 if (unlikely(!pp->state_transition))
177 return pp->state_transition(cp, direction, skb, pp);
181 ip_vs_conn_fill_param_persist(const struct ip_vs_service *svc,
182 struct sk_buff *skb, int protocol,
183 const union nf_inet_addr *caddr, __be16 cport,
184 const union nf_inet_addr *vaddr, __be16 vport,
185 struct ip_vs_conn_param *p)
187 ip_vs_conn_fill_param(svc->af, protocol, caddr, cport, vaddr, vport, p);
189 if (p->pe && p->pe->fill_param)
190 p->pe->fill_param(p, skb);
194 * IPVS persistent scheduling function
195 * It creates a connection entry according to its template if exists,
196 * or selects a server and creates a connection entry plus a template.
197 * Locking: we are svc user (svc->refcnt), so we hold all dests too
198 * Protocols supported: TCP, UDP
200 static struct ip_vs_conn *
201 ip_vs_sched_persist(struct ip_vs_service *svc,
205 struct ip_vs_conn *cp = NULL;
206 struct ip_vs_iphdr iph;
207 struct ip_vs_dest *dest;
208 struct ip_vs_conn *ct;
209 __be16 dport = 0; /* destination port to forward */
211 struct ip_vs_conn_param param;
212 union nf_inet_addr snet; /* source network of the client,
215 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
217 /* Mask saddr with the netmask to adjust template granularity */
218 #ifdef CONFIG_IP_VS_IPV6
219 if (svc->af == AF_INET6)
220 ipv6_addr_prefix(&snet.in6, &iph.saddr.in6, svc->netmask);
223 snet.ip = iph.saddr.ip & svc->netmask;
225 IP_VS_DBG_BUF(6, "p-schedule: src %s:%u dest %s:%u "
227 IP_VS_DBG_ADDR(svc->af, &iph.saddr), ntohs(ports[0]),
228 IP_VS_DBG_ADDR(svc->af, &iph.daddr), ntohs(ports[1]),
229 IP_VS_DBG_ADDR(svc->af, &snet));
232 * As far as we know, FTP is a very complicated network protocol, and
233 * it uses control connection and data connections. For active FTP,
234 * FTP server initialize data connection to the client, its source port
235 * is often 20. For passive FTP, FTP server tells the clients the port
236 * that it passively listens to, and the client issues the data
237 * connection. In the tunneling or direct routing mode, the load
238 * balancer is on the client-to-server half of connection, the port
239 * number is unknown to the load balancer. So, a conn template like
240 * <caddr, 0, vaddr, 0, daddr, 0> is created for persistent FTP
241 * service, and a template like <caddr, 0, vaddr, vport, daddr, dport>
242 * is created for other persistent services.
245 int protocol = iph.protocol;
246 const union nf_inet_addr *vaddr = &iph.daddr;
247 const union nf_inet_addr fwmark = { .ip = htonl(svc->fwmark) };
250 if (ports[1] == svc->port) {
252 * <protocol, caddr, 0, vaddr, vport, daddr, dport>
254 * <protocol, caddr, 0, vaddr, 0, daddr, 0>
256 if (svc->port != FTPPORT)
259 /* Note: persistent fwmark-based services and
260 * persistent port zero service are handled here.
262 * <IPPROTO_IP,caddr,0,fwmark,0,daddr,0>
263 * port zero template:
264 * <protocol,caddr,0,vaddr,0,daddr,0>
267 protocol = IPPROTO_IP;
271 ip_vs_conn_fill_param_persist(svc, skb, protocol, &snet, 0,
272 vaddr, vport, ¶m);
275 /* Check if a template already exists */
276 ct = ip_vs_ct_in_get(¶m);
277 if (!ct || !ip_vs_check_template(ct)) {
278 /* No template found or the dest of the connection
279 * template is not available.
281 dest = svc->scheduler->schedule(svc, skb);
283 IP_VS_DBG(1, "p-schedule: no dest found.\n");
284 kfree(param.pe_data);
288 if (ports[1] == svc->port && svc->port != FTPPORT)
292 * This adds param.pe_data to the template,
293 * and thus param.pe_data will be destroyed
294 * when the template expires */
295 ct = ip_vs_conn_new(¶m, &dest->addr, dport,
296 IP_VS_CONN_F_TEMPLATE, dest);
298 kfree(param.pe_data);
302 ct->timeout = svc->timeout;
304 /* set destination with the found template */
306 kfree(param.pe_data);
310 if (dport == svc->port && dest->port)
313 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
314 && iph.protocol == IPPROTO_UDP)?
315 IP_VS_CONN_F_ONE_PACKET : 0;
318 * Create a new connection according to the template
320 ip_vs_conn_fill_param(svc->af, iph.protocol, &iph.saddr, ports[0],
321 &iph.daddr, ports[1], ¶m);
322 cp = ip_vs_conn_new(¶m, &dest->addr, dport, flags, dest);
331 ip_vs_control_add(cp, ct);
334 ip_vs_conn_stats(cp, svc);
340 * IPVS main scheduling function
341 * It selects a server according to the virtual service, and
342 * creates a connection entry.
343 * Protocols supported: TCP, UDP
346 ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
347 struct ip_vs_protocol *pp, int *ignored)
349 struct ip_vs_conn *cp = NULL;
350 struct ip_vs_iphdr iph;
351 struct ip_vs_dest *dest;
352 __be16 _ports[2], *pptr;
356 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
357 pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
362 * FTPDATA needs this check when using local real server.
363 * Never schedule Active FTPDATA connections from real server.
364 * For LVS-NAT they must be already created. For other methods
365 * with persistence the connection is created on SYN+ACK.
367 if (pptr[0] == FTPDATA) {
368 IP_VS_DBG_PKT(12, pp, skb, 0, "Not scheduling FTPDATA");
373 * Do not schedule replies from local real server. It is risky
374 * for fwmark services but mostly for persistent services.
376 if ((!skb->dev || skb->dev->flags & IFF_LOOPBACK) &&
377 (svc->flags & IP_VS_SVC_F_PERSISTENT || svc->fwmark) &&
378 (cp = pp->conn_in_get(svc->af, skb, pp, &iph, iph.len, 1))) {
379 IP_VS_DBG_PKT(12, pp, skb, 0,
380 "Not scheduling reply for existing connection");
381 __ip_vs_conn_put(cp);
388 if (svc->flags & IP_VS_SVC_F_PERSISTENT) {
390 return ip_vs_sched_persist(svc, skb, pptr);
394 * Non-persistent service
396 if (!svc->fwmark && pptr[1] != svc->port) {
398 pr_err("Schedule: port zero only supported "
399 "in persistent services, "
400 "check your ipvs configuration\n");
406 dest = svc->scheduler->schedule(svc, skb);
408 IP_VS_DBG(1, "Schedule: no dest found.\n");
412 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
413 && iph.protocol == IPPROTO_UDP)?
414 IP_VS_CONN_F_ONE_PACKET : 0;
417 * Create a connection entry.
420 struct ip_vs_conn_param p;
421 ip_vs_conn_fill_param(svc->af, iph.protocol, &iph.saddr,
422 pptr[0], &iph.daddr, pptr[1], &p);
423 cp = ip_vs_conn_new(&p, &dest->addr,
424 dest->port ? dest->port : pptr[1],
430 IP_VS_DBG_BUF(6, "Schedule fwd:%c c:%s:%u v:%s:%u "
431 "d:%s:%u conn->flags:%X conn->refcnt:%d\n",
433 IP_VS_DBG_ADDR(svc->af, &cp->caddr), ntohs(cp->cport),
434 IP_VS_DBG_ADDR(svc->af, &cp->vaddr), ntohs(cp->vport),
435 IP_VS_DBG_ADDR(svc->af, &cp->daddr), ntohs(cp->dport),
436 cp->flags, atomic_read(&cp->refcnt));
438 ip_vs_conn_stats(cp, svc);
444 * Pass or drop the packet.
445 * Called by ip_vs_in, when the virtual service is available but
446 * no destination is available for a new connection.
448 int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
449 struct ip_vs_protocol *pp)
451 __be16 _ports[2], *pptr;
452 struct ip_vs_iphdr iph;
454 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
456 pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
458 ip_vs_service_put(svc);
462 #ifdef CONFIG_IP_VS_IPV6
463 if (svc->af == AF_INET6)
464 unicast = ipv6_addr_type(&iph.daddr.in6) & IPV6_ADDR_UNICAST;
467 unicast = (inet_addr_type(&init_net, iph.daddr.ip) == RTN_UNICAST);
469 /* if it is fwmark-based service, the cache_bypass sysctl is up
470 and the destination is a non-local unicast, then create
471 a cache_bypass connection entry */
472 if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) {
474 struct ip_vs_conn *cp;
475 unsigned int flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&
476 iph.protocol == IPPROTO_UDP)?
477 IP_VS_CONN_F_ONE_PACKET : 0;
478 union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } };
480 ip_vs_service_put(svc);
482 /* create a new connection entry */
483 IP_VS_DBG(6, "%s(): create a cache_bypass entry\n", __func__);
485 struct ip_vs_conn_param p;
486 ip_vs_conn_fill_param(svc->af, iph.protocol,
488 &iph.daddr, pptr[1], &p);
489 cp = ip_vs_conn_new(&p, &daddr, 0,
490 IP_VS_CONN_F_BYPASS | flags,
497 ip_vs_in_stats(cp, skb);
500 cs = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp);
502 /* transmit the first SYN packet */
503 ret = cp->packet_xmit(skb, cp, pp);
504 /* do not touch skb anymore */
506 atomic_inc(&cp->in_pkts);
512 * When the virtual ftp service is presented, packets destined
513 * for other services on the VIP may get here (except services
514 * listed in the ipvs table), pass the packets, because it is
515 * not ipvs job to decide to drop the packets.
517 if ((svc->port == FTPPORT) && (pptr[1] != FTPPORT)) {
518 ip_vs_service_put(svc);
522 ip_vs_service_put(svc);
525 * Notify the client that the destination is unreachable, and
526 * release the socket buffer.
527 * Since it is in IP layer, the TCP socket is not actually
528 * created, the TCP RST packet cannot be sent, instead that
529 * ICMP_PORT_UNREACH is sent here no matter it is TCP/UDP. --WZ
531 #ifdef CONFIG_IP_VS_IPV6
532 if (svc->af == AF_INET6) {
534 struct net *net = dev_net(skb_dst(skb)->dev);
536 skb->dev = net->loopback_dev;
538 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
541 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
546 __sum16 ip_vs_checksum_complete(struct sk_buff *skb, int offset)
548 return csum_fold(skb_checksum(skb, offset, skb->len - offset, 0));
551 static inline enum ip_defrag_users ip_vs_defrag_user(unsigned int hooknum)
553 if (NF_INET_LOCAL_IN == hooknum)
554 return IP_DEFRAG_VS_IN;
555 if (NF_INET_FORWARD == hooknum)
556 return IP_DEFRAG_VS_FWD;
557 return IP_DEFRAG_VS_OUT;
560 static inline int ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user)
562 int err = ip_defrag(skb, user);
565 ip_send_check(ip_hdr(skb));
570 #ifdef CONFIG_IP_VS_IPV6
571 static inline int ip_vs_gather_frags_v6(struct sk_buff *skb, u_int32_t user)
573 /* TODO IPv6: Find out what to do here for IPv6 */
579 * Packet has been made sufficiently writable in caller
580 * - inout: 1=in->out, 0=out->in
582 void ip_vs_nat_icmp(struct sk_buff *skb, struct ip_vs_protocol *pp,
583 struct ip_vs_conn *cp, int inout)
585 struct iphdr *iph = ip_hdr(skb);
586 unsigned int icmp_offset = iph->ihl*4;
587 struct icmphdr *icmph = (struct icmphdr *)(skb_network_header(skb) +
589 struct iphdr *ciph = (struct iphdr *)(icmph + 1);
592 iph->saddr = cp->vaddr.ip;
594 ciph->daddr = cp->vaddr.ip;
597 iph->daddr = cp->daddr.ip;
599 ciph->saddr = cp->daddr.ip;
603 /* the TCP/UDP/SCTP port */
604 if (IPPROTO_TCP == ciph->protocol || IPPROTO_UDP == ciph->protocol ||
605 IPPROTO_SCTP == ciph->protocol) {
606 __be16 *ports = (void *)ciph + ciph->ihl*4;
609 ports[1] = cp->vport;
611 ports[0] = cp->dport;
614 /* And finally the ICMP checksum */
616 icmph->checksum = ip_vs_checksum_complete(skb, icmp_offset);
617 skb->ip_summed = CHECKSUM_UNNECESSARY;
620 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
621 "Forwarding altered outgoing ICMP");
623 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
624 "Forwarding altered incoming ICMP");
627 #ifdef CONFIG_IP_VS_IPV6
628 void ip_vs_nat_icmp_v6(struct sk_buff *skb, struct ip_vs_protocol *pp,
629 struct ip_vs_conn *cp, int inout)
631 struct ipv6hdr *iph = ipv6_hdr(skb);
632 unsigned int icmp_offset = sizeof(struct ipv6hdr);
633 struct icmp6hdr *icmph = (struct icmp6hdr *)(skb_network_header(skb) +
635 struct ipv6hdr *ciph = (struct ipv6hdr *)(icmph + 1);
638 iph->saddr = cp->vaddr.in6;
639 ciph->daddr = cp->vaddr.in6;
641 iph->daddr = cp->daddr.in6;
642 ciph->saddr = cp->daddr.in6;
645 /* the TCP/UDP/SCTP port */
646 if (IPPROTO_TCP == ciph->nexthdr || IPPROTO_UDP == ciph->nexthdr ||
647 IPPROTO_SCTP == ciph->nexthdr) {
648 __be16 *ports = (void *)ciph + sizeof(struct ipv6hdr);
651 ports[1] = cp->vport;
653 ports[0] = cp->dport;
656 /* And finally the ICMP checksum */
657 icmph->icmp6_cksum = ~csum_ipv6_magic(&iph->saddr, &iph->daddr,
658 skb->len - icmp_offset,
660 skb->csum_start = skb_network_header(skb) - skb->head + icmp_offset;
661 skb->csum_offset = offsetof(struct icmp6hdr, icmp6_cksum);
662 skb->ip_summed = CHECKSUM_PARTIAL;
665 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
666 "Forwarding altered outgoing ICMPv6");
668 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
669 "Forwarding altered incoming ICMPv6");
673 /* Handle relevant response ICMP messages - forward to the right
674 * destination host. Used for NAT and local client.
676 static int handle_response_icmp(int af, struct sk_buff *skb,
677 union nf_inet_addr *snet,
678 __u8 protocol, struct ip_vs_conn *cp,
679 struct ip_vs_protocol *pp,
680 unsigned int offset, unsigned int ihl)
682 unsigned int verdict = NF_DROP;
684 if (IP_VS_FWD_METHOD(cp) != 0) {
685 pr_err("shouldn't reach here, because the box is on the "
686 "half connection in the tun/dr module.\n");
689 /* Ensure the checksum is correct */
690 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
691 /* Failed checksum! */
692 IP_VS_DBG_BUF(1, "Forward ICMP: failed checksum from %s!\n",
693 IP_VS_DBG_ADDR(af, snet));
697 if (IPPROTO_TCP == protocol || IPPROTO_UDP == protocol ||
698 IPPROTO_SCTP == protocol)
699 offset += 2 * sizeof(__u16);
700 if (!skb_make_writable(skb, offset))
703 #ifdef CONFIG_IP_VS_IPV6
705 ip_vs_nat_icmp_v6(skb, pp, cp, 1);
708 ip_vs_nat_icmp(skb, pp, cp, 1);
710 #ifdef CONFIG_IP_VS_IPV6
711 if (af == AF_INET6) {
712 if (sysctl_ip_vs_snat_reroute && ip6_route_me_harder(skb) != 0)
716 if ((sysctl_ip_vs_snat_reroute ||
717 skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
718 ip_route_me_harder(skb, RTN_LOCAL) != 0)
721 /* do the statistics and put it back */
722 ip_vs_out_stats(cp, skb);
724 skb->ipvs_property = 1;
725 if (!(cp->flags & IP_VS_CONN_F_NFCT))
728 ip_vs_update_conntrack(skb, cp, 0);
732 __ip_vs_conn_put(cp);
738 * Handle ICMP messages in the inside-to-outside direction (outgoing).
739 * Find any that might be relevant, check against existing connections.
740 * Currently handles error types - unreachable, quench, ttl exceeded.
742 static int ip_vs_out_icmp(struct sk_buff *skb, int *related,
743 unsigned int hooknum)
746 struct icmphdr _icmph, *ic;
747 struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */
748 struct ip_vs_iphdr ciph;
749 struct ip_vs_conn *cp;
750 struct ip_vs_protocol *pp;
751 unsigned int offset, ihl;
752 union nf_inet_addr snet;
756 /* reassemble IP fragments */
757 if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
758 if (ip_vs_gather_frags(skb, ip_vs_defrag_user(hooknum)))
763 offset = ihl = iph->ihl * 4;
764 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
768 IP_VS_DBG(12, "Outgoing ICMP (%d,%d) %pI4->%pI4\n",
769 ic->type, ntohs(icmp_id(ic)),
770 &iph->saddr, &iph->daddr);
773 * Work through seeing if this is for us.
774 * These checks are supposed to be in an order that means easy
775 * things are checked first to speed up processing.... however
776 * this means that some packets will manage to get a long way
777 * down this stack and then be rejected, but that's life.
779 if ((ic->type != ICMP_DEST_UNREACH) &&
780 (ic->type != ICMP_SOURCE_QUENCH) &&
781 (ic->type != ICMP_TIME_EXCEEDED)) {
786 /* Now find the contained IP header */
787 offset += sizeof(_icmph);
788 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
790 return NF_ACCEPT; /* The packet looks wrong, ignore */
792 pp = ip_vs_proto_get(cih->protocol);
796 /* Is the embedded protocol header present? */
797 if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
801 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking outgoing ICMP for");
803 offset += cih->ihl * 4;
805 ip_vs_fill_iphdr(AF_INET, cih, &ciph);
806 /* The embedded headers contain source and dest in reverse order */
807 cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1);
811 snet.ip = iph->saddr;
812 return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp,
816 #ifdef CONFIG_IP_VS_IPV6
817 static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related,
818 unsigned int hooknum)
821 struct icmp6hdr _icmph, *ic;
822 struct ipv6hdr _ciph, *cih; /* The ip header contained
824 struct ip_vs_iphdr ciph;
825 struct ip_vs_conn *cp;
826 struct ip_vs_protocol *pp;
828 union nf_inet_addr snet;
832 /* reassemble IP fragments */
833 if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) {
834 if (ip_vs_gather_frags_v6(skb, ip_vs_defrag_user(hooknum)))
839 offset = sizeof(struct ipv6hdr);
840 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
844 IP_VS_DBG(12, "Outgoing ICMPv6 (%d,%d) %pI6->%pI6\n",
845 ic->icmp6_type, ntohs(icmpv6_id(ic)),
846 &iph->saddr, &iph->daddr);
849 * Work through seeing if this is for us.
850 * These checks are supposed to be in an order that means easy
851 * things are checked first to speed up processing.... however
852 * this means that some packets will manage to get a long way
853 * down this stack and then be rejected, but that's life.
855 if ((ic->icmp6_type != ICMPV6_DEST_UNREACH) &&
856 (ic->icmp6_type != ICMPV6_PKT_TOOBIG) &&
857 (ic->icmp6_type != ICMPV6_TIME_EXCEED)) {
862 /* Now find the contained IP header */
863 offset += sizeof(_icmph);
864 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
866 return NF_ACCEPT; /* The packet looks wrong, ignore */
868 pp = ip_vs_proto_get(cih->nexthdr);
872 /* Is the embedded protocol header present? */
873 /* TODO: we don't support fragmentation at the moment anyways */
874 if (unlikely(cih->nexthdr == IPPROTO_FRAGMENT && pp->dont_defrag))
877 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking outgoing ICMPv6 for");
879 offset += sizeof(struct ipv6hdr);
881 ip_vs_fill_iphdr(AF_INET6, cih, &ciph);
882 /* The embedded headers contain source and dest in reverse order */
883 cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1);
887 ipv6_addr_copy(&snet.in6, &iph->saddr);
888 return handle_response_icmp(AF_INET6, skb, &snet, cih->nexthdr, cp,
889 pp, offset, sizeof(struct ipv6hdr));
894 * Check if sctp chunc is ABORT chunk
896 static inline int is_sctp_abort(const struct sk_buff *skb, int nh_len)
898 sctp_chunkhdr_t *sch, schunk;
899 sch = skb_header_pointer(skb, nh_len + sizeof(sctp_sctphdr_t),
900 sizeof(schunk), &schunk);
903 if (sch->type == SCTP_CID_ABORT)
908 static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len)
910 struct tcphdr _tcph, *th;
912 th = skb_header_pointer(skb, nh_len, sizeof(_tcph), &_tcph);
918 /* Handle response packets: rewrite addresses and send away...
919 * Used for NAT and local client.
922 handle_response(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
923 struct ip_vs_conn *cp, int ihl)
925 IP_VS_DBG_PKT(11, pp, skb, 0, "Outgoing packet");
927 if (!skb_make_writable(skb, ihl))
930 /* mangle the packet */
931 if (pp->snat_handler && !pp->snat_handler(skb, pp, cp))
934 #ifdef CONFIG_IP_VS_IPV6
936 ipv6_hdr(skb)->saddr = cp->vaddr.in6;
940 ip_hdr(skb)->saddr = cp->vaddr.ip;
941 ip_send_check(ip_hdr(skb));
945 * nf_iterate does not expect change in the skb->dst->dev.
946 * It looks like it is not fatal to enable this code for hooks
947 * where our handlers are at the end of the chain list and
948 * when all next handlers use skb->dst->dev and not outdev.
949 * It will definitely route properly the inout NAT traffic
950 * when multiple paths are used.
953 /* For policy routing, packets originating from this
954 * machine itself may be routed differently to packets
955 * passing through. We want this packet to be routed as
956 * if it came from this machine itself. So re-compute
957 * the routing information.
959 #ifdef CONFIG_IP_VS_IPV6
960 if (af == AF_INET6) {
961 if (sysctl_ip_vs_snat_reroute && ip6_route_me_harder(skb) != 0)
965 if ((sysctl_ip_vs_snat_reroute ||
966 skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
967 ip_route_me_harder(skb, RTN_LOCAL) != 0)
970 IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT");
972 ip_vs_out_stats(cp, skb);
973 ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pp);
974 skb->ipvs_property = 1;
975 if (!(cp->flags & IP_VS_CONN_F_NFCT))
978 ip_vs_update_conntrack(skb, cp, 0);
992 * Check if outgoing packet belongs to the established ip_vs_conn.
995 ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
997 struct ip_vs_iphdr iph;
998 struct ip_vs_protocol *pp;
999 struct ip_vs_conn *cp;
1003 /* Already marked as IPVS request or reply? */
1004 if (skb->ipvs_property)
1007 /* Bad... Do not break raw sockets */
1008 if (unlikely(skb->sk != NULL && hooknum == NF_INET_LOCAL_OUT &&
1010 struct sock *sk = skb->sk;
1011 struct inet_sock *inet = inet_sk(skb->sk);
1013 if (inet && sk->sk_family == PF_INET && inet->nodefrag)
1017 if (unlikely(!skb_dst(skb)))
1020 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1021 #ifdef CONFIG_IP_VS_IPV6
1022 if (af == AF_INET6) {
1023 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
1025 int verdict = ip_vs_out_icmp_v6(skb, &related,
1030 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1034 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
1036 int verdict = ip_vs_out_icmp(skb, &related, hooknum);
1040 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1043 pp = ip_vs_proto_get(iph.protocol);
1047 /* reassemble IP fragments */
1048 #ifdef CONFIG_IP_VS_IPV6
1049 if (af == AF_INET6) {
1050 if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) {
1051 if (ip_vs_gather_frags_v6(skb,
1052 ip_vs_defrag_user(hooknum)))
1056 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1059 if (unlikely(ip_hdr(skb)->frag_off & htons(IP_MF|IP_OFFSET) &&
1060 !pp->dont_defrag)) {
1061 if (ip_vs_gather_frags(skb,
1062 ip_vs_defrag_user(hooknum)))
1065 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1069 * Check if the packet belongs to an existing entry
1071 cp = pp->conn_out_get(af, skb, pp, &iph, iph.len, 0);
1074 return handle_response(af, skb, pp, cp, iph.len);
1075 if (sysctl_ip_vs_nat_icmp_send &&
1076 (pp->protocol == IPPROTO_TCP ||
1077 pp->protocol == IPPROTO_UDP ||
1078 pp->protocol == IPPROTO_SCTP)) {
1079 __be16 _ports[2], *pptr;
1081 pptr = skb_header_pointer(skb, iph.len,
1082 sizeof(_ports), _ports);
1084 return NF_ACCEPT; /* Not for me */
1085 if (ip_vs_lookup_real_service(af, iph.protocol,
1089 * Notify the real server: there is no
1090 * existing entry if it is not RST
1091 * packet or not TCP packet.
1093 if ((iph.protocol != IPPROTO_TCP &&
1094 iph.protocol != IPPROTO_SCTP)
1095 || ((iph.protocol == IPPROTO_TCP
1096 && !is_tcp_reset(skb, iph.len))
1097 || (iph.protocol == IPPROTO_SCTP
1098 && !is_sctp_abort(skb,
1100 #ifdef CONFIG_IP_VS_IPV6
1101 if (af == AF_INET6) {
1103 dev_net(skb_dst(skb)->dev);
1106 skb->dev = net->loopback_dev;
1108 ICMPV6_DEST_UNREACH,
1109 ICMPV6_PORT_UNREACH,
1115 ICMP_PORT_UNREACH, 0);
1120 IP_VS_DBG_PKT(12, pp, skb, 0,
1121 "ip_vs_out: packet continues traversal as normal");
1126 * It is hooked at the NF_INET_FORWARD and NF_INET_LOCAL_IN chain,
1127 * used only for VS/NAT.
1128 * Check if packet is reply for established ip_vs_conn.
1131 ip_vs_reply4(unsigned int hooknum, struct sk_buff *skb,
1132 const struct net_device *in, const struct net_device *out,
1133 int (*okfn)(struct sk_buff *))
1135 return ip_vs_out(hooknum, skb, AF_INET);
1139 * It is hooked at the NF_INET_LOCAL_OUT chain, used only for VS/NAT.
1140 * Check if packet is reply for established ip_vs_conn.
1143 ip_vs_local_reply4(unsigned int hooknum, struct sk_buff *skb,
1144 const struct net_device *in, const struct net_device *out,
1145 int (*okfn)(struct sk_buff *))
1147 unsigned int verdict;
1149 /* Disable BH in LOCAL_OUT until all places are fixed */
1151 verdict = ip_vs_out(hooknum, skb, AF_INET);
1156 #ifdef CONFIG_IP_VS_IPV6
1159 * It is hooked at the NF_INET_FORWARD and NF_INET_LOCAL_IN chain,
1160 * used only for VS/NAT.
1161 * Check if packet is reply for established ip_vs_conn.
1164 ip_vs_reply6(unsigned int hooknum, struct sk_buff *skb,
1165 const struct net_device *in, const struct net_device *out,
1166 int (*okfn)(struct sk_buff *))
1168 return ip_vs_out(hooknum, skb, AF_INET6);
1172 * It is hooked at the NF_INET_LOCAL_OUT chain, used only for VS/NAT.
1173 * Check if packet is reply for established ip_vs_conn.
1176 ip_vs_local_reply6(unsigned int hooknum, struct sk_buff *skb,
1177 const struct net_device *in, const struct net_device *out,
1178 int (*okfn)(struct sk_buff *))
1180 unsigned int verdict;
1182 /* Disable BH in LOCAL_OUT until all places are fixed */
1184 verdict = ip_vs_out(hooknum, skb, AF_INET6);
1192 * Handle ICMP messages in the outside-to-inside direction (incoming).
1193 * Find any that might be relevant, check against existing connections,
1194 * forward to the right destination host if relevant.
1195 * Currently handles error types - unreachable, quench, ttl exceeded.
1198 ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
1201 struct icmphdr _icmph, *ic;
1202 struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */
1203 struct ip_vs_iphdr ciph;
1204 struct ip_vs_conn *cp;
1205 struct ip_vs_protocol *pp;
1206 unsigned int offset, ihl, verdict;
1207 union nf_inet_addr snet;
1211 /* reassemble IP fragments */
1212 if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
1213 if (ip_vs_gather_frags(skb, ip_vs_defrag_user(hooknum)))
1218 offset = ihl = iph->ihl * 4;
1219 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
1223 IP_VS_DBG(12, "Incoming ICMP (%d,%d) %pI4->%pI4\n",
1224 ic->type, ntohs(icmp_id(ic)),
1225 &iph->saddr, &iph->daddr);
1228 * Work through seeing if this is for us.
1229 * These checks are supposed to be in an order that means easy
1230 * things are checked first to speed up processing.... however
1231 * this means that some packets will manage to get a long way
1232 * down this stack and then be rejected, but that's life.
1234 if ((ic->type != ICMP_DEST_UNREACH) &&
1235 (ic->type != ICMP_SOURCE_QUENCH) &&
1236 (ic->type != ICMP_TIME_EXCEEDED)) {
1241 /* Now find the contained IP header */
1242 offset += sizeof(_icmph);
1243 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1245 return NF_ACCEPT; /* The packet looks wrong, ignore */
1247 pp = ip_vs_proto_get(cih->protocol);
1251 /* Is the embedded protocol header present? */
1252 if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
1256 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking incoming ICMP for");
1258 offset += cih->ihl * 4;
1260 ip_vs_fill_iphdr(AF_INET, cih, &ciph);
1261 /* The embedded headers contain source and dest in reverse order */
1262 cp = pp->conn_in_get(AF_INET, skb, pp, &ciph, offset, 1);
1264 /* The packet could also belong to a local client */
1265 cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1);
1267 snet.ip = iph->saddr;
1268 return handle_response_icmp(AF_INET, skb, &snet,
1269 cih->protocol, cp, pp,
1277 /* Ensure the checksum is correct */
1278 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
1279 /* Failed checksum! */
1280 IP_VS_DBG(1, "Incoming ICMP: failed checksum from %pI4!\n",
1285 /* do the statistics and put it back */
1286 ip_vs_in_stats(cp, skb);
1287 if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol)
1288 offset += 2 * sizeof(__u16);
1289 verdict = ip_vs_icmp_xmit(skb, cp, pp, offset);
1290 /* LOCALNODE from FORWARD hook is not supported */
1291 if (verdict == NF_ACCEPT && hooknum == NF_INET_FORWARD &&
1292 skb_rtable(skb)->rt_flags & RTCF_LOCAL) {
1293 IP_VS_DBG(1, "%s(): "
1294 "local delivery to %pI4 but in FORWARD\n",
1295 __func__, &skb_rtable(skb)->rt_dst);
1300 __ip_vs_conn_put(cp);
1305 #ifdef CONFIG_IP_VS_IPV6
1307 ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum)
1309 struct ipv6hdr *iph;
1310 struct icmp6hdr _icmph, *ic;
1311 struct ipv6hdr _ciph, *cih; /* The ip header contained
1313 struct ip_vs_iphdr ciph;
1314 struct ip_vs_conn *cp;
1315 struct ip_vs_protocol *pp;
1316 unsigned int offset, verdict;
1317 union nf_inet_addr snet;
1318 struct rt6_info *rt;
1322 /* reassemble IP fragments */
1323 if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) {
1324 if (ip_vs_gather_frags_v6(skb, ip_vs_defrag_user(hooknum)))
1328 iph = ipv6_hdr(skb);
1329 offset = sizeof(struct ipv6hdr);
1330 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
1334 IP_VS_DBG(12, "Incoming ICMPv6 (%d,%d) %pI6->%pI6\n",
1335 ic->icmp6_type, ntohs(icmpv6_id(ic)),
1336 &iph->saddr, &iph->daddr);
1339 * Work through seeing if this is for us.
1340 * These checks are supposed to be in an order that means easy
1341 * things are checked first to speed up processing.... however
1342 * this means that some packets will manage to get a long way
1343 * down this stack and then be rejected, but that's life.
1345 if ((ic->icmp6_type != ICMPV6_DEST_UNREACH) &&
1346 (ic->icmp6_type != ICMPV6_PKT_TOOBIG) &&
1347 (ic->icmp6_type != ICMPV6_TIME_EXCEED)) {
1352 /* Now find the contained IP header */
1353 offset += sizeof(_icmph);
1354 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1356 return NF_ACCEPT; /* The packet looks wrong, ignore */
1358 pp = ip_vs_proto_get(cih->nexthdr);
1362 /* Is the embedded protocol header present? */
1363 /* TODO: we don't support fragmentation at the moment anyways */
1364 if (unlikely(cih->nexthdr == IPPROTO_FRAGMENT && pp->dont_defrag))
1367 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking incoming ICMPv6 for");
1369 offset += sizeof(struct ipv6hdr);
1371 ip_vs_fill_iphdr(AF_INET6, cih, &ciph);
1372 /* The embedded headers contain source and dest in reverse order */
1373 cp = pp->conn_in_get(AF_INET6, skb, pp, &ciph, offset, 1);
1375 /* The packet could also belong to a local client */
1376 cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1);
1378 ipv6_addr_copy(&snet.in6, &iph->saddr);
1379 return handle_response_icmp(AF_INET6, skb, &snet,
1382 sizeof(struct ipv6hdr));
1389 /* do the statistics and put it back */
1390 ip_vs_in_stats(cp, skb);
1391 if (IPPROTO_TCP == cih->nexthdr || IPPROTO_UDP == cih->nexthdr ||
1392 IPPROTO_SCTP == cih->nexthdr)
1393 offset += 2 * sizeof(__u16);
1394 verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, offset);
1395 /* LOCALNODE from FORWARD hook is not supported */
1396 if (verdict == NF_ACCEPT && hooknum == NF_INET_FORWARD &&
1397 (rt = (struct rt6_info *) skb_dst(skb)) &&
1398 rt->rt6i_dev && rt->rt6i_dev->flags & IFF_LOOPBACK) {
1399 IP_VS_DBG(1, "%s(): "
1400 "local delivery to %pI6 but in FORWARD\n",
1401 __func__, &rt->rt6i_dst);
1405 __ip_vs_conn_put(cp);
1413 * Check if it's for virtual services, look it up,
1414 * and send it on its way...
1417 ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
1419 struct ip_vs_iphdr iph;
1420 struct ip_vs_protocol *pp;
1421 struct ip_vs_conn *cp;
1422 int ret, restart, pkts;
1424 /* Already marked as IPVS request or reply? */
1425 if (skb->ipvs_property)
1430 * - remote client: only PACKET_HOST
1431 * - route: used for struct net when skb->dev is unset
1433 if (unlikely((skb->pkt_type != PACKET_HOST &&
1434 hooknum != NF_INET_LOCAL_OUT) ||
1436 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1437 IP_VS_DBG_BUF(12, "packet type=%d proto=%d daddr=%s"
1438 " ignored in hook %u\n",
1439 skb->pkt_type, iph.protocol,
1440 IP_VS_DBG_ADDR(af, &iph.daddr), hooknum);
1443 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1445 /* Bad... Do not break raw sockets */
1446 if (unlikely(skb->sk != NULL && hooknum == NF_INET_LOCAL_OUT &&
1448 struct sock *sk = skb->sk;
1449 struct inet_sock *inet = inet_sk(skb->sk);
1451 if (inet && sk->sk_family == PF_INET && inet->nodefrag)
1455 #ifdef CONFIG_IP_VS_IPV6
1456 if (af == AF_INET6) {
1457 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
1459 int verdict = ip_vs_in_icmp_v6(skb, &related, hooknum);
1463 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1467 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
1469 int verdict = ip_vs_in_icmp(skb, &related, hooknum);
1473 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1476 /* Protocol supported? */
1477 pp = ip_vs_proto_get(iph.protocol);
1482 * Check if the packet belongs to an existing connection entry
1484 cp = pp->conn_in_get(af, skb, pp, &iph, iph.len, 0);
1486 if (unlikely(!cp)) {
1489 if (!pp->conn_schedule(af, skb, pp, &v, &cp))
1493 if (unlikely(!cp)) {
1494 /* sorry, all this trouble for a no-hit :) */
1495 IP_VS_DBG_PKT(12, pp, skb, 0,
1496 "ip_vs_in: packet continues traversal as normal");
1500 IP_VS_DBG_PKT(11, pp, skb, 0, "Incoming packet");
1502 /* Check the server status */
1503 if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
1504 /* the destination server is not available */
1506 if (sysctl_ip_vs_expire_nodest_conn) {
1507 /* try to expire the connection immediately */
1508 ip_vs_conn_expire_now(cp);
1510 /* don't restart its timer, and silently
1512 __ip_vs_conn_put(cp);
1516 ip_vs_in_stats(cp, skb);
1517 restart = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp);
1518 if (cp->packet_xmit)
1519 ret = cp->packet_xmit(skb, cp, pp);
1520 /* do not touch skb anymore */
1522 IP_VS_DBG_RL("warning: packet_xmit is null");
1526 /* Increase its packet counter and check if it is needed
1527 * to be synchronized
1529 * Sync connection if it is about to close to
1530 * encorage the standby servers to update the connections timeout
1532 pkts = atomic_add_return(1, &cp->in_pkts);
1533 if (af == AF_INET && (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
1534 cp->protocol == IPPROTO_SCTP) {
1535 if ((cp->state == IP_VS_SCTP_S_ESTABLISHED &&
1536 (pkts % sysctl_ip_vs_sync_threshold[1]
1537 == sysctl_ip_vs_sync_threshold[0])) ||
1538 (cp->old_state != cp->state &&
1539 ((cp->state == IP_VS_SCTP_S_CLOSED) ||
1540 (cp->state == IP_VS_SCTP_S_SHUT_ACK_CLI) ||
1541 (cp->state == IP_VS_SCTP_S_SHUT_ACK_SER)))) {
1542 ip_vs_sync_conn(cp);
1547 /* Keep this block last: TCP and others with pp->num_states <= 1 */
1548 else if (af == AF_INET &&
1549 (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
1550 (((cp->protocol != IPPROTO_TCP ||
1551 cp->state == IP_VS_TCP_S_ESTABLISHED) &&
1552 (pkts % sysctl_ip_vs_sync_threshold[1]
1553 == sysctl_ip_vs_sync_threshold[0])) ||
1554 ((cp->protocol == IPPROTO_TCP) && (cp->old_state != cp->state) &&
1555 ((cp->state == IP_VS_TCP_S_FIN_WAIT) ||
1556 (cp->state == IP_VS_TCP_S_CLOSE) ||
1557 (cp->state == IP_VS_TCP_S_CLOSE_WAIT) ||
1558 (cp->state == IP_VS_TCP_S_TIME_WAIT)))))
1559 ip_vs_sync_conn(cp);
1561 cp->old_state = cp->state;
1568 * AF_INET handler in NF_INET_LOCAL_IN chain
1569 * Schedule and forward packets from remote clients
1572 ip_vs_remote_request4(unsigned int hooknum, struct sk_buff *skb,
1573 const struct net_device *in,
1574 const struct net_device *out,
1575 int (*okfn)(struct sk_buff *))
1577 return ip_vs_in(hooknum, skb, AF_INET);
1581 * AF_INET handler in NF_INET_LOCAL_OUT chain
1582 * Schedule and forward packets from local clients
1585 ip_vs_local_request4(unsigned int hooknum, struct sk_buff *skb,
1586 const struct net_device *in, const struct net_device *out,
1587 int (*okfn)(struct sk_buff *))
1589 unsigned int verdict;
1591 /* Disable BH in LOCAL_OUT until all places are fixed */
1593 verdict = ip_vs_in(hooknum, skb, AF_INET);
1598 #ifdef CONFIG_IP_VS_IPV6
1601 * AF_INET6 handler in NF_INET_LOCAL_IN chain
1602 * Schedule and forward packets from remote clients
1605 ip_vs_remote_request6(unsigned int hooknum, struct sk_buff *skb,
1606 const struct net_device *in,
1607 const struct net_device *out,
1608 int (*okfn)(struct sk_buff *))
1610 return ip_vs_in(hooknum, skb, AF_INET6);
1614 * AF_INET6 handler in NF_INET_LOCAL_OUT chain
1615 * Schedule and forward packets from local clients
1618 ip_vs_local_request6(unsigned int hooknum, struct sk_buff *skb,
1619 const struct net_device *in, const struct net_device *out,
1620 int (*okfn)(struct sk_buff *))
1622 unsigned int verdict;
1624 /* Disable BH in LOCAL_OUT until all places are fixed */
1626 verdict = ip_vs_in(hooknum, skb, AF_INET6);
1635 * It is hooked at the NF_INET_FORWARD chain, in order to catch ICMP
1636 * related packets destined for 0.0.0.0/0.
1637 * When fwmark-based virtual service is used, such as transparent
1638 * cache cluster, TCP packets can be marked and routed to ip_vs_in,
1639 * but ICMP destined for 0.0.0.0/0 cannot not be easily marked and
1640 * sent to ip_vs_in_icmp. So, catch them at the NF_INET_FORWARD chain
1641 * and send them to ip_vs_in_icmp.
1644 ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff *skb,
1645 const struct net_device *in, const struct net_device *out,
1646 int (*okfn)(struct sk_buff *))
1650 if (ip_hdr(skb)->protocol != IPPROTO_ICMP)
1653 return ip_vs_in_icmp(skb, &r, hooknum);
1656 #ifdef CONFIG_IP_VS_IPV6
1658 ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
1659 const struct net_device *in, const struct net_device *out,
1660 int (*okfn)(struct sk_buff *))
1664 if (ipv6_hdr(skb)->nexthdr != IPPROTO_ICMPV6)
1667 return ip_vs_in_icmp_v6(skb, &r, hooknum);
1672 static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1673 /* After packet filtering, change source only for VS/NAT */
1675 .hook = ip_vs_reply4,
1676 .owner = THIS_MODULE,
1678 .hooknum = NF_INET_LOCAL_IN,
1681 /* After packet filtering, forward packet through VS/DR, VS/TUN,
1682 * or VS/NAT(change destination), so that filtering rules can be
1683 * applied to IPVS. */
1685 .hook = ip_vs_remote_request4,
1686 .owner = THIS_MODULE,
1688 .hooknum = NF_INET_LOCAL_IN,
1691 /* Before ip_vs_in, change source only for VS/NAT */
1693 .hook = ip_vs_local_reply4,
1694 .owner = THIS_MODULE,
1696 .hooknum = NF_INET_LOCAL_OUT,
1699 /* After mangle, schedule and forward local requests */
1701 .hook = ip_vs_local_request4,
1702 .owner = THIS_MODULE,
1704 .hooknum = NF_INET_LOCAL_OUT,
1707 /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1708 * destined for 0.0.0.0/0, which is for incoming IPVS connections */
1710 .hook = ip_vs_forward_icmp,
1711 .owner = THIS_MODULE,
1713 .hooknum = NF_INET_FORWARD,
1716 /* After packet filtering, change source only for VS/NAT */
1718 .hook = ip_vs_reply4,
1719 .owner = THIS_MODULE,
1721 .hooknum = NF_INET_FORWARD,
1724 #ifdef CONFIG_IP_VS_IPV6
1725 /* After packet filtering, change source only for VS/NAT */
1727 .hook = ip_vs_reply6,
1728 .owner = THIS_MODULE,
1730 .hooknum = NF_INET_LOCAL_IN,
1733 /* After packet filtering, forward packet through VS/DR, VS/TUN,
1734 * or VS/NAT(change destination), so that filtering rules can be
1735 * applied to IPVS. */
1737 .hook = ip_vs_remote_request6,
1738 .owner = THIS_MODULE,
1740 .hooknum = NF_INET_LOCAL_IN,
1743 /* Before ip_vs_in, change source only for VS/NAT */
1745 .hook = ip_vs_local_reply6,
1746 .owner = THIS_MODULE,
1748 .hooknum = NF_INET_LOCAL_OUT,
1751 /* After mangle, schedule and forward local requests */
1753 .hook = ip_vs_local_request6,
1754 .owner = THIS_MODULE,
1756 .hooknum = NF_INET_LOCAL_OUT,
1759 /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1760 * destined for 0.0.0.0/0, which is for incoming IPVS connections */
1762 .hook = ip_vs_forward_icmp_v6,
1763 .owner = THIS_MODULE,
1765 .hooknum = NF_INET_FORWARD,
1768 /* After packet filtering, change source only for VS/NAT */
1770 .hook = ip_vs_reply6,
1771 .owner = THIS_MODULE,
1773 .hooknum = NF_INET_FORWARD,
1781 * Initialize IP Virtual Server
1783 static int __init ip_vs_init(void)
1787 ip_vs_estimator_init();
1789 ret = ip_vs_control_init();
1791 pr_err("can't setup control.\n");
1792 goto cleanup_estimator;
1795 ip_vs_protocol_init();
1797 ret = ip_vs_app_init();
1799 pr_err("can't setup application helper.\n");
1800 goto cleanup_protocol;
1803 ret = ip_vs_conn_init();
1805 pr_err("can't setup connection table.\n");
1809 ret = nf_register_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
1811 pr_err("can't register hooks.\n");
1815 pr_info("ipvs loaded.\n");
1819 ip_vs_conn_cleanup();
1821 ip_vs_app_cleanup();
1823 ip_vs_protocol_cleanup();
1824 ip_vs_control_cleanup();
1826 ip_vs_estimator_cleanup();
1830 static void __exit ip_vs_cleanup(void)
1832 nf_unregister_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
1833 ip_vs_conn_cleanup();
1834 ip_vs_app_cleanup();
1835 ip_vs_protocol_cleanup();
1836 ip_vs_control_cleanup();
1837 ip_vs_estimator_cleanup();
1838 pr_info("ipvs unloaded.\n");
1841 module_init(ip_vs_init);
1842 module_exit(ip_vs_cleanup);
1843 MODULE_LICENSE("GPL");
git.openpandora.org / pandora-kernel.git / blob