2 * ip_vs_xmit.c: various packet transmitters for IPVS
4 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
5 * Julian Anastasov <ja@ssi.bg>
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version
10 * 2 of the License, or (at your option) any later version.
14 * Description of forwarding methods:
15 * - all transmitters are called from LOCAL_IN (remote clients) and
16 * LOCAL_OUT (local clients) but for ICMP can be called from FORWARD
17 * - not all connections have destination server, for example,
18 * connections in backup server when fwmark is used
19 * - bypass connections use daddr from packet
21 * - skb->dev is NULL, skb->protocol is not set (both are set in POST_ROUTING)
22 * - skb->pkt_type is not set yet
23 * - the only place where we can see skb->sk != NULL
26 #define KMSG_COMPONENT "IPVS"
27 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
29 #include <linux/kernel.h>
30 #include <linux/slab.h>
31 #include <linux/tcp.h> /* for tcphdr */
33 #include <net/tcp.h> /* for csum_tcpudp_magic */
35 #include <net/icmp.h> /* for icmp_send */
36 #include <net/route.h> /* for ip_route_output */
38 #include <net/ip6_route.h>
39 #include <net/addrconf.h>
40 #include <linux/icmpv6.h>
41 #include <linux/netfilter.h>
42 #include <linux/netfilter_ipv4.h>
44 #include <net/ip_vs.h>
48 * Destination cache to speed up outgoing route lookup
51 __ip_vs_dst_set(struct ip_vs_dest *dest, u32 rtos, struct dst_entry *dst,
54 struct dst_entry *old_dst;
56 old_dst = dest->dst_cache;
57 dest->dst_cache = dst;
58 dest->dst_rtos = rtos;
59 dest->dst_cookie = dst_cookie;
63 static inline struct dst_entry *
64 __ip_vs_dst_check(struct ip_vs_dest *dest, u32 rtos)
66 struct dst_entry *dst = dest->dst_cache;
70 if ((dst->obsolete || rtos != dest->dst_rtos) &&
71 dst->ops->check(dst, dest->dst_cookie) == NULL) {
72 dest->dst_cache = NULL;
81 * Get route to destination or remote server
82 * rt_mode: flags, &1=Allow local dest, &2=Allow non-local dest,
83 * &4=Allow redirect from remote daddr to local
85 static struct rtable *
86 __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
87 __be32 daddr, u32 rtos, int rt_mode)
89 struct net *net = dev_net(skb_dst(skb)->dev);
90 struct rtable *rt; /* Route to the other host */
91 struct rtable *ort; /* Original route */
95 spin_lock(&dest->dst_lock);
96 if (!(rt = (struct rtable *)
97 __ip_vs_dst_check(dest, rtos))) {
102 .daddr = dest->addr.ip,
107 if (ip_route_output_key(net, &rt, &fl)) {
108 spin_unlock(&dest->dst_lock);
109 IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
113 __ip_vs_dst_set(dest, rtos, dst_clone(&rt->dst), 0);
114 IP_VS_DBG(10, "new dst %pI4, refcnt=%d, rtos=%X\n",
116 atomic_read(&rt->dst.__refcnt), rtos);
118 spin_unlock(&dest->dst_lock);
129 if (ip_route_output_key(net, &rt, &fl)) {
130 IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
136 local = rt->rt_flags & RTCF_LOCAL;
137 if (!((local ? 1 : 2) & rt_mode)) {
138 IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI4\n",
139 (rt->rt_flags & RTCF_LOCAL) ?
140 "local":"non-local", &rt->rt_dst);
144 if (local && !(rt_mode & 4) && !((ort = skb_rtable(skb)) &&
145 ort->rt_flags & RTCF_LOCAL)) {
146 IP_VS_DBG_RL("Redirect from non-local address %pI4 to local "
147 "requires NAT method, dest: %pI4\n",
148 &ip_hdr(skb)->daddr, &rt->rt_dst);
152 if (unlikely(!local && ipv4_is_loopback(ip_hdr(skb)->saddr))) {
153 IP_VS_DBG_RL("Stopping traffic from loopback address %pI4 "
154 "to non-local address, dest: %pI4\n",
155 &ip_hdr(skb)->saddr, &rt->rt_dst);
163 /* Reroute packet to local IPv4 stack after DNAT */
165 __ip_vs_reroute_locally(struct sk_buff *skb)
167 struct rtable *rt = skb_rtable(skb);
168 struct net_device *dev = rt->dst.dev;
169 struct net *net = dev_net(dev);
170 struct iphdr *iph = ip_hdr(skb);
173 unsigned long orefdst = skb->_skb_refdst;
175 if (ip_route_input(skb, iph->daddr, iph->saddr,
178 refdst_drop(orefdst);
186 .tos = RT_TOS(iph->tos),
193 if (ip_route_output_key(net, &rt, &fl))
195 if (!(rt->rt_flags & RTCF_LOCAL)) {
199 /* Drop old route. */
201 skb_dst_set(skb, &rt->dst);
206 #ifdef CONFIG_IP_VS_IPV6
208 static inline int __ip_vs_is_local_route6(struct rt6_info *rt)
210 return rt->rt6i_dev && rt->rt6i_dev->flags & IFF_LOOPBACK;
213 static struct dst_entry *
214 __ip_vs_route_output_v6(struct net *net, struct in6_addr *daddr,
215 struct in6_addr *ret_saddr, int do_xfrm)
217 struct dst_entry *dst;
227 dst = ip6_route_output(net, NULL, &fl);
232 if (ipv6_addr_any(&fl.fl6_src) &&
233 ipv6_dev_get_saddr(net, ip6_dst_idev(dst)->dev,
234 &fl.fl6_dst, 0, &fl.fl6_src) < 0)
236 if (do_xfrm && xfrm_lookup(net, &dst, &fl, NULL, 0) < 0)
238 ipv6_addr_copy(ret_saddr, &fl.fl6_src);
243 IP_VS_DBG_RL("ip6_route_output error, dest: %pI6\n", daddr);
248 * Get route to destination or remote server
249 * rt_mode: flags, &1=Allow local dest, &2=Allow non-local dest,
250 * &4=Allow redirect from remote daddr to local
252 static struct rt6_info *
253 __ip_vs_get_out_rt_v6(struct sk_buff *skb, struct ip_vs_dest *dest,
254 struct in6_addr *daddr, struct in6_addr *ret_saddr,
255 int do_xfrm, int rt_mode)
257 struct net *net = dev_net(skb_dst(skb)->dev);
258 struct rt6_info *rt; /* Route to the other host */
259 struct rt6_info *ort; /* Original route */
260 struct dst_entry *dst;
264 spin_lock(&dest->dst_lock);
265 rt = (struct rt6_info *)__ip_vs_dst_check(dest, 0);
269 dst = __ip_vs_route_output_v6(net, &dest->addr.in6,
273 spin_unlock(&dest->dst_lock);
276 rt = (struct rt6_info *) dst;
277 cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
278 __ip_vs_dst_set(dest, 0, dst_clone(&rt->dst), cookie);
279 IP_VS_DBG(10, "new dst %pI6, src %pI6, refcnt=%d\n",
280 &dest->addr.in6, &dest->dst_saddr,
281 atomic_read(&rt->dst.__refcnt));
284 ipv6_addr_copy(ret_saddr, &dest->dst_saddr);
285 spin_unlock(&dest->dst_lock);
287 dst = __ip_vs_route_output_v6(net, daddr, ret_saddr, do_xfrm);
290 rt = (struct rt6_info *) dst;
293 local = __ip_vs_is_local_route6(rt);
294 if (!((local ? 1 : 2) & rt_mode)) {
295 IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI6\n",
296 local ? "local":"non-local", daddr);
297 dst_release(&rt->dst);
300 if (local && !(rt_mode & 4) &&
301 !((ort = (struct rt6_info *) skb_dst(skb)) &&
302 __ip_vs_is_local_route6(ort))) {
303 IP_VS_DBG_RL("Redirect from non-local address %pI6 to local "
304 "requires NAT method, dest: %pI6\n",
305 &ipv6_hdr(skb)->daddr, daddr);
306 dst_release(&rt->dst);
309 if (unlikely(!local && (!skb->dev || skb->dev->flags & IFF_LOOPBACK) &&
310 ipv6_addr_type(&ipv6_hdr(skb)->saddr) &
311 IPV6_ADDR_LOOPBACK)) {
312 IP_VS_DBG_RL("Stopping traffic from loopback address %pI6 "
313 "to non-local address, dest: %pI6\n",
314 &ipv6_hdr(skb)->saddr, daddr);
315 dst_release(&rt->dst);
325 * Release dest->dst_cache before a dest is removed
328 ip_vs_dst_reset(struct ip_vs_dest *dest)
330 struct dst_entry *old_dst;
332 old_dst = dest->dst_cache;
333 dest->dst_cache = NULL;
334 dst_release(old_dst);
337 #define IP_VS_XMIT_TUNNEL(skb, cp) \
339 int __ret = NF_ACCEPT; \
341 (skb)->ipvs_property = 1; \
342 if (unlikely((cp)->flags & IP_VS_CONN_F_NFCT)) \
343 __ret = ip_vs_confirm_conntrack(skb, cp); \
344 if (__ret == NF_ACCEPT) { \
346 skb_forward_csum(skb); \
351 #define IP_VS_XMIT_NAT(pf, skb, cp, local) \
353 (skb)->ipvs_property = 1; \
354 if (likely(!((cp)->flags & IP_VS_CONN_F_NFCT))) \
355 ip_vs_notrack(skb); \
357 ip_vs_update_conntrack(skb, cp, 1); \
360 skb_forward_csum(skb); \
361 NF_HOOK(pf, NF_INET_LOCAL_OUT, (skb), NULL, \
362 skb_dst(skb)->dev, dst_output); \
365 #define IP_VS_XMIT(pf, skb, cp, local) \
367 (skb)->ipvs_property = 1; \
368 if (likely(!((cp)->flags & IP_VS_CONN_F_NFCT))) \
369 ip_vs_notrack(skb); \
372 skb_forward_csum(skb); \
373 NF_HOOK(pf, NF_INET_LOCAL_OUT, (skb), NULL, \
374 skb_dst(skb)->dev, dst_output); \
379 * NULL transmitter (do nothing except return NF_ACCEPT)
382 ip_vs_null_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
383 struct ip_vs_protocol *pp)
385 /* we do not touch skb and do not need pskb ptr */
386 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 1);
392 * Let packets bypass the destination when the destination is not
393 * available, it may be only used in transparent cache cluster.
396 ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
397 struct ip_vs_protocol *pp)
399 struct rtable *rt; /* Route to the other host */
400 struct iphdr *iph = ip_hdr(skb);
405 if (!(rt = __ip_vs_get_out_rt(skb, NULL, iph->daddr,
406 RT_TOS(iph->tos), 2)))
410 mtu = dst_mtu(&rt->dst);
411 if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) {
413 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
414 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
419 * Call ip_send_check because we are not sure it is called
420 * after ip_defrag. Is copy-on-write needed?
422 if (unlikely((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)) {
426 ip_send_check(ip_hdr(skb));
430 skb_dst_set(skb, &rt->dst);
432 /* Another hack: avoid icmp_send in ip_fragment */
435 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 0);
441 dst_link_failure(skb);
448 #ifdef CONFIG_IP_VS_IPV6
450 ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
451 struct ip_vs_protocol *pp)
453 struct rt6_info *rt; /* Route to the other host */
454 struct ipv6hdr *iph = ipv6_hdr(skb);
459 if (!(rt = __ip_vs_get_out_rt_v6(skb, NULL, &iph->daddr, NULL, 0, 2)))
463 mtu = dst_mtu(&rt->dst);
464 if (skb->len > mtu) {
466 struct net *net = dev_net(skb_dst(skb)->dev);
468 skb->dev = net->loopback_dev;
470 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
471 dst_release(&rt->dst);
472 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
477 * Call ip_send_check because we are not sure it is called
478 * after ip_defrag. Is copy-on-write needed?
480 skb = skb_share_check(skb, GFP_ATOMIC);
481 if (unlikely(skb == NULL)) {
482 dst_release(&rt->dst);
488 skb_dst_set(skb, &rt->dst);
490 /* Another hack: avoid icmp_send in ip_fragment */
493 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 0);
499 dst_link_failure(skb);
508 * NAT transmitter (only for outside-to-inside nat forwarding)
509 * Not used for related ICMP
512 ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
513 struct ip_vs_protocol *pp)
515 struct rtable *rt; /* Route to the other host */
517 struct iphdr *iph = ip_hdr(skb);
522 /* check if it is a connection of no-client-port */
523 if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {
525 p = skb_header_pointer(skb, iph->ihl*4, sizeof(_pt), &_pt);
528 ip_vs_conn_fill_cport(cp, *p);
529 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
532 if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
533 RT_TOS(iph->tos), 1|2|4)))
535 local = rt->rt_flags & RTCF_LOCAL;
537 * Avoid duplicate tuple in reply direction for NAT traffic
538 * to local address when connection is sync-ed
540 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
541 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
542 enum ip_conntrack_info ctinfo;
543 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
545 if (ct && !nf_ct_is_untracked(ct)) {
546 IP_VS_DBG_RL_PKT(10, pp, skb, 0, "ip_vs_nat_xmit(): "
547 "stopping DNAT to local address");
553 /* From world but DNAT to loopback address? */
554 if (local && ipv4_is_loopback(rt->rt_dst) && skb_rtable(skb)->fl.iif) {
555 IP_VS_DBG_RL_PKT(1, pp, skb, 0, "ip_vs_nat_xmit(): "
556 "stopping DNAT to loopback address");
561 mtu = dst_mtu(&rt->dst);
562 if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) {
563 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
564 IP_VS_DBG_RL_PKT(0, pp, skb, 0, "ip_vs_nat_xmit(): frag needed for");
568 /* copy-on-write the packet before mangling it */
569 if (!skb_make_writable(skb, sizeof(struct iphdr)))
572 if (skb_cow(skb, rt->dst.dev->hard_header_len))
575 /* mangle the packet */
576 if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp))
578 ip_hdr(skb)->daddr = cp->daddr.ip;
579 ip_send_check(ip_hdr(skb));
584 skb_dst_set(skb, &rt->dst);
588 * Some IPv4 replies get local address from routes,
589 * not from iph, so while we DNAT after routing
590 * we need this second input/output route.
592 if (!__ip_vs_reroute_locally(skb))
596 IP_VS_DBG_PKT(10, pp, skb, 0, "After DNAT");
598 /* FIXME: when application helper enlarges the packet and the length
599 is larger than the MTU of outgoing device, there will be still
602 /* Another hack: avoid icmp_send in ip_fragment */
605 IP_VS_XMIT_NAT(NFPROTO_IPV4, skb, cp, local);
611 dst_link_failure(skb);
621 #ifdef CONFIG_IP_VS_IPV6
623 ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
624 struct ip_vs_protocol *pp)
626 struct rt6_info *rt; /* Route to the other host */
632 /* check if it is a connection of no-client-port */
633 if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {
635 p = skb_header_pointer(skb, sizeof(struct ipv6hdr),
639 ip_vs_conn_fill_cport(cp, *p);
640 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
643 if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
646 local = __ip_vs_is_local_route6(rt);
648 * Avoid duplicate tuple in reply direction for NAT traffic
649 * to local address when connection is sync-ed
651 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
652 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
653 enum ip_conntrack_info ctinfo;
654 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
656 if (ct && !nf_ct_is_untracked(ct)) {
657 IP_VS_DBG_RL_PKT(10, pp, skb, 0,
658 "ip_vs_nat_xmit_v6(): "
659 "stopping DNAT to local address");
665 /* From world but DNAT to loopback address? */
666 if (local && skb->dev && !(skb->dev->flags & IFF_LOOPBACK) &&
667 ipv6_addr_type(&rt->rt6i_dst.addr) & IPV6_ADDR_LOOPBACK) {
668 IP_VS_DBG_RL_PKT(1, pp, skb, 0,
669 "ip_vs_nat_xmit_v6(): "
670 "stopping DNAT to loopback address");
675 mtu = dst_mtu(&rt->dst);
676 if (skb->len > mtu) {
678 struct net *net = dev_net(skb_dst(skb)->dev);
680 skb->dev = net->loopback_dev;
682 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
683 IP_VS_DBG_RL_PKT(0, pp, skb, 0,
684 "ip_vs_nat_xmit_v6(): frag needed for");
688 /* copy-on-write the packet before mangling it */
689 if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
692 if (skb_cow(skb, rt->dst.dev->hard_header_len))
695 /* mangle the packet */
696 if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp))
698 ipv6_addr_copy(&ipv6_hdr(skb)->daddr, &cp->daddr.in6);
700 if (!local || !skb->dev) {
701 /* drop the old route when skb is not shared */
703 skb_dst_set(skb, &rt->dst);
705 /* destined to loopback, do we need to change route? */
706 dst_release(&rt->dst);
709 IP_VS_DBG_PKT(10, pp, skb, 0, "After DNAT");
711 /* FIXME: when application helper enlarges the packet and the length
712 is larger than the MTU of outgoing device, there will be still
715 /* Another hack: avoid icmp_send in ip_fragment */
718 IP_VS_XMIT_NAT(NFPROTO_IPV6, skb, cp, local);
724 dst_link_failure(skb);
730 dst_release(&rt->dst);
737 * IP Tunneling transmitter
739 * This function encapsulates the packet in a new IP packet, its
740 * destination will be set to cp->daddr. Most code of this function
741 * is taken from ipip.c.
743 * It is used in VS/TUN cluster. The load balancer selects a real
744 * server from a cluster based on a scheduling algorithm,
745 * encapsulates the request packet and forwards it to the selected
746 * server. For example, all real servers are configured with
747 * "ifconfig tunl0 <Virtual IP Address> up". When the server receives
748 * the encapsulated packet, it will decapsulate the packet, processe
749 * the request and return the response packets directly to the client
750 * without passing the load balancer. This can greatly increase the
751 * scalability of virtual server.
753 * Used for ANY protocol
756 ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
757 struct ip_vs_protocol *pp)
759 struct rtable *rt; /* Route to the other host */
760 struct net_device *tdev; /* Device to other host */
761 struct iphdr *old_iph = ip_hdr(skb);
762 u8 tos = old_iph->tos;
763 __be16 df = old_iph->frag_off;
764 struct iphdr *iph; /* Our new IP header */
765 unsigned int max_headroom; /* The extra header space needed */
771 if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
774 if (rt->rt_flags & RTCF_LOCAL) {
776 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 1);
781 mtu = dst_mtu(&rt->dst) - sizeof(struct iphdr);
783 IP_VS_DBG_RL("%s(): mtu less than 68\n", __func__);
787 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), mtu);
789 df |= (old_iph->frag_off & htons(IP_DF));
791 if ((old_iph->frag_off & htons(IP_DF))
792 && mtu < ntohs(old_iph->tot_len)) {
793 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
794 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
799 * Okay, now see if we can stuff it in the buffer as-is.
801 max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct iphdr);
803 if (skb_headroom(skb) < max_headroom
804 || skb_cloned(skb) || skb_shared(skb)) {
805 struct sk_buff *new_skb =
806 skb_realloc_headroom(skb, max_headroom);
810 IP_VS_ERR_RL("%s(): no memory\n", __func__);
815 old_iph = ip_hdr(skb);
818 skb->transport_header = skb->network_header;
820 /* fix old IP header checksum */
821 ip_send_check(old_iph);
823 skb_push(skb, sizeof(struct iphdr));
824 skb_reset_network_header(skb);
825 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
829 skb_dst_set(skb, &rt->dst);
832 * Push down and install the IPIP header.
836 iph->ihl = sizeof(struct iphdr)>>2;
838 iph->protocol = IPPROTO_IPIP;
840 iph->daddr = rt->rt_dst;
841 iph->saddr = rt->rt_src;
842 iph->ttl = old_iph->ttl;
843 ip_select_ident(iph, &rt->dst, NULL);
845 /* Another hack: avoid icmp_send in ip_fragment */
848 ret = IP_VS_XMIT_TUNNEL(skb, cp);
849 if (ret == NF_ACCEPT)
851 else if (ret == NF_DROP)
859 dst_link_failure(skb);
869 #ifdef CONFIG_IP_VS_IPV6
871 ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
872 struct ip_vs_protocol *pp)
874 struct rt6_info *rt; /* Route to the other host */
875 struct in6_addr saddr; /* Source for tunnel */
876 struct net_device *tdev; /* Device to other host */
877 struct ipv6hdr *old_iph = ipv6_hdr(skb);
878 struct ipv6hdr *iph; /* Our new IP header */
879 unsigned int max_headroom; /* The extra header space needed */
885 if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6,
888 if (__ip_vs_is_local_route6(rt)) {
889 dst_release(&rt->dst);
890 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 1);
895 mtu = dst_mtu(&rt->dst) - sizeof(struct ipv6hdr);
896 if (mtu < IPV6_MIN_MTU) {
897 IP_VS_DBG_RL("%s(): mtu less than %d\n", __func__,
902 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), mtu);
904 if (mtu < ntohs(old_iph->payload_len) + sizeof(struct ipv6hdr)) {
906 struct net *net = dev_net(skb_dst(skb)->dev);
908 skb->dev = net->loopback_dev;
910 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
911 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
916 * Okay, now see if we can stuff it in the buffer as-is.
918 max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct ipv6hdr);
920 if (skb_headroom(skb) < max_headroom
921 || skb_cloned(skb) || skb_shared(skb)) {
922 struct sk_buff *new_skb =
923 skb_realloc_headroom(skb, max_headroom);
925 dst_release(&rt->dst);
927 IP_VS_ERR_RL("%s(): no memory\n", __func__);
932 old_iph = ipv6_hdr(skb);
935 skb->transport_header = skb->network_header;
937 skb_push(skb, sizeof(struct ipv6hdr));
938 skb_reset_network_header(skb);
939 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
943 skb_dst_set(skb, &rt->dst);
946 * Push down and install the IPIP header.
950 iph->nexthdr = IPPROTO_IPV6;
951 iph->payload_len = old_iph->payload_len;
952 be16_add_cpu(&iph->payload_len, sizeof(*old_iph));
953 iph->priority = old_iph->priority;
954 memset(&iph->flow_lbl, 0, sizeof(iph->flow_lbl));
955 ipv6_addr_copy(&iph->daddr, &cp->daddr.in6);
956 ipv6_addr_copy(&iph->saddr, &saddr);
957 iph->hop_limit = old_iph->hop_limit;
959 /* Another hack: avoid icmp_send in ip_fragment */
962 ret = IP_VS_XMIT_TUNNEL(skb, cp);
963 if (ret == NF_ACCEPT)
965 else if (ret == NF_DROP)
973 dst_link_failure(skb);
979 dst_release(&rt->dst);
986 * Direct Routing transmitter
987 * Used for ANY protocol
990 ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
991 struct ip_vs_protocol *pp)
993 struct rtable *rt; /* Route to the other host */
994 struct iphdr *iph = ip_hdr(skb);
999 if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
1000 RT_TOS(iph->tos), 1|2)))
1002 if (rt->rt_flags & RTCF_LOCAL) {
1004 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 1);
1008 mtu = dst_mtu(&rt->dst);
1009 if ((iph->frag_off & htons(IP_DF)) && skb->len > mtu) {
1010 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
1012 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1017 * Call ip_send_check because we are not sure it is called
1018 * after ip_defrag. Is copy-on-write needed?
1020 if (unlikely((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)) {
1024 ip_send_check(ip_hdr(skb));
1026 /* drop old route */
1028 skb_dst_set(skb, &rt->dst);
1030 /* Another hack: avoid icmp_send in ip_fragment */
1033 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 0);
1039 dst_link_failure(skb);
1046 #ifdef CONFIG_IP_VS_IPV6
1048 ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
1049 struct ip_vs_protocol *pp)
1051 struct rt6_info *rt; /* Route to the other host */
1056 if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
1059 if (__ip_vs_is_local_route6(rt)) {
1060 dst_release(&rt->dst);
1061 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 1);
1065 mtu = dst_mtu(&rt->dst);
1066 if (skb->len > mtu) {
1068 struct net *net = dev_net(skb_dst(skb)->dev);
1070 skb->dev = net->loopback_dev;
1072 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
1073 dst_release(&rt->dst);
1074 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1079 * Call ip_send_check because we are not sure it is called
1080 * after ip_defrag. Is copy-on-write needed?
1082 skb = skb_share_check(skb, GFP_ATOMIC);
1083 if (unlikely(skb == NULL)) {
1084 dst_release(&rt->dst);
1088 /* drop old route */
1090 skb_dst_set(skb, &rt->dst);
1092 /* Another hack: avoid icmp_send in ip_fragment */
1095 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 0);
1101 dst_link_failure(skb);
1111 * ICMP packet transmitter
1112 * called by the ip_vs_in_icmp
1115 ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
1116 struct ip_vs_protocol *pp, int offset)
1118 struct rtable *rt; /* Route to the other host */
1125 /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
1126 forwarded directly here, because there is no need to
1127 translate address/port back */
1128 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
1129 if (cp->packet_xmit)
1130 rc = cp->packet_xmit(skb, cp, pp);
1133 /* do not touch skb anymore */
1134 atomic_inc(&cp->in_pkts);
1139 * mangle and send the packet here (only for VS/NAT)
1142 if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
1143 RT_TOS(ip_hdr(skb)->tos), 1|2|4)))
1145 local = rt->rt_flags & RTCF_LOCAL;
1148 * Avoid duplicate tuple in reply direction for NAT traffic
1149 * to local address when connection is sync-ed
1151 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
1152 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
1153 enum ip_conntrack_info ctinfo;
1154 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
1156 if (ct && !nf_ct_is_untracked(ct)) {
1157 IP_VS_DBG(10, "%s(): "
1158 "stopping DNAT to local address %pI4\n",
1159 __func__, &cp->daddr.ip);
1165 /* From world but DNAT to loopback address? */
1166 if (local && ipv4_is_loopback(rt->rt_dst) && skb_rtable(skb)->fl.iif) {
1167 IP_VS_DBG(1, "%s(): "
1168 "stopping DNAT to loopback %pI4\n",
1169 __func__, &cp->daddr.ip);
1174 mtu = dst_mtu(&rt->dst);
1175 if ((skb->len > mtu) && (ip_hdr(skb)->frag_off & htons(IP_DF))) {
1176 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
1177 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1181 /* copy-on-write the packet before mangling it */
1182 if (!skb_make_writable(skb, offset))
1185 if (skb_cow(skb, rt->dst.dev->hard_header_len))
1188 ip_vs_nat_icmp(skb, pp, cp, 0);
1191 /* drop the old route when skb is not shared */
1193 skb_dst_set(skb, &rt->dst);
1197 * Some IPv4 replies get local address from routes,
1198 * not from iph, so while we DNAT after routing
1199 * we need this second input/output route.
1201 if (!__ip_vs_reroute_locally(skb))
1205 /* Another hack: avoid icmp_send in ip_fragment */
1208 IP_VS_XMIT_NAT(NFPROTO_IPV4, skb, cp, local);
1214 dst_link_failure(skb);
1226 #ifdef CONFIG_IP_VS_IPV6
1228 ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
1229 struct ip_vs_protocol *pp, int offset)
1231 struct rt6_info *rt; /* Route to the other host */
1238 /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
1239 forwarded directly here, because there is no need to
1240 translate address/port back */
1241 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
1242 if (cp->packet_xmit)
1243 rc = cp->packet_xmit(skb, cp, pp);
1246 /* do not touch skb anymore */
1247 atomic_inc(&cp->in_pkts);
1252 * mangle and send the packet here (only for VS/NAT)
1255 if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
1259 local = __ip_vs_is_local_route6(rt);
1261 * Avoid duplicate tuple in reply direction for NAT traffic
1262 * to local address when connection is sync-ed
1264 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
1265 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
1266 enum ip_conntrack_info ctinfo;
1267 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
1269 if (ct && !nf_ct_is_untracked(ct)) {
1270 IP_VS_DBG(10, "%s(): "
1271 "stopping DNAT to local address %pI6\n",
1272 __func__, &cp->daddr.in6);
1278 /* From world but DNAT to loopback address? */
1279 if (local && skb->dev && !(skb->dev->flags & IFF_LOOPBACK) &&
1280 ipv6_addr_type(&rt->rt6i_dst.addr) & IPV6_ADDR_LOOPBACK) {
1281 IP_VS_DBG(1, "%s(): "
1282 "stopping DNAT to loopback %pI6\n",
1283 __func__, &cp->daddr.in6);
1288 mtu = dst_mtu(&rt->dst);
1289 if (skb->len > mtu) {
1291 struct net *net = dev_net(skb_dst(skb)->dev);
1293 skb->dev = net->loopback_dev;
1295 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
1296 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1300 /* copy-on-write the packet before mangling it */
1301 if (!skb_make_writable(skb, offset))
1304 if (skb_cow(skb, rt->dst.dev->hard_header_len))
1307 ip_vs_nat_icmp_v6(skb, pp, cp, 0);
1309 if (!local || !skb->dev) {
1310 /* drop the old route when skb is not shared */
1312 skb_dst_set(skb, &rt->dst);
1314 /* destined to loopback, do we need to change route? */
1315 dst_release(&rt->dst);
1318 /* Another hack: avoid icmp_send in ip_fragment */
1321 IP_VS_XMIT_NAT(NFPROTO_IPV6, skb, cp, local);
1327 dst_link_failure(skb);
1335 dst_release(&rt->dst);
git.openpandora.org / pandora-kernel.git / blob