2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the Netfilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
17 * The IPVS code for kernel 2.2 was done by Wensong Zhang and Peter Kese,
18 * with changes/fixes from Julian Anastasov, Lars Marowsky-Bree, Horms
22 * Paul `Rusty' Russell properly handle non-linear skbs
23 * Harald Welte don't use nfcache
27 #define KMSG_COMPONENT "IPVS"
28 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
30 #include <linux/module.h>
31 #include <linux/kernel.h>
33 #include <linux/tcp.h>
34 #include <linux/sctp.h>
35 #include <linux/icmp.h>
36 #include <linux/slab.h>
41 #include <net/icmp.h> /* for icmp_send */
42 #include <net/route.h>
44 #include <linux/netfilter.h>
45 #include <linux/netfilter_ipv4.h>
47 #ifdef CONFIG_IP_VS_IPV6
49 #include <linux/netfilter_ipv6.h>
52 #include <net/ip_vs.h>
55 EXPORT_SYMBOL(register_ip_vs_scheduler);
56 EXPORT_SYMBOL(unregister_ip_vs_scheduler);
57 EXPORT_SYMBOL(ip_vs_proto_name);
58 EXPORT_SYMBOL(ip_vs_conn_new);
59 EXPORT_SYMBOL(ip_vs_conn_in_get);
60 EXPORT_SYMBOL(ip_vs_conn_out_get);
61 #ifdef CONFIG_IP_VS_PROTO_TCP
62 EXPORT_SYMBOL(ip_vs_tcp_conn_listen);
64 EXPORT_SYMBOL(ip_vs_conn_put);
65 #ifdef CONFIG_IP_VS_DEBUG
66 EXPORT_SYMBOL(ip_vs_get_debug_level);
70 /* ID used in ICMP lookups */
71 #define icmp_id(icmph) (((icmph)->un).echo.id)
72 #define icmpv6_id(icmph) (icmph->icmp6_dataun.u_echo.identifier)
74 const char *ip_vs_proto_name(unsigned proto)
89 #ifdef CONFIG_IP_VS_IPV6
94 sprintf(buf, "IP_%d", proto);
99 void ip_vs_init_hash_table(struct list_head *table, int rows)
102 INIT_LIST_HEAD(&table[rows]);
106 ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
108 struct ip_vs_dest *dest = cp->dest;
109 if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
110 spin_lock(&dest->stats.lock);
111 dest->stats.ustats.inpkts++;
112 dest->stats.ustats.inbytes += skb->len;
113 spin_unlock(&dest->stats.lock);
115 spin_lock(&dest->svc->stats.lock);
116 dest->svc->stats.ustats.inpkts++;
117 dest->svc->stats.ustats.inbytes += skb->len;
118 spin_unlock(&dest->svc->stats.lock);
120 spin_lock(&ip_vs_stats.lock);
121 ip_vs_stats.ustats.inpkts++;
122 ip_vs_stats.ustats.inbytes += skb->len;
123 spin_unlock(&ip_vs_stats.lock);
129 ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
131 struct ip_vs_dest *dest = cp->dest;
132 if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
133 spin_lock(&dest->stats.lock);
134 dest->stats.ustats.outpkts++;
135 dest->stats.ustats.outbytes += skb->len;
136 spin_unlock(&dest->stats.lock);
138 spin_lock(&dest->svc->stats.lock);
139 dest->svc->stats.ustats.outpkts++;
140 dest->svc->stats.ustats.outbytes += skb->len;
141 spin_unlock(&dest->svc->stats.lock);
143 spin_lock(&ip_vs_stats.lock);
144 ip_vs_stats.ustats.outpkts++;
145 ip_vs_stats.ustats.outbytes += skb->len;
146 spin_unlock(&ip_vs_stats.lock);
152 ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
154 spin_lock(&cp->dest->stats.lock);
155 cp->dest->stats.ustats.conns++;
156 spin_unlock(&cp->dest->stats.lock);
158 spin_lock(&svc->stats.lock);
159 svc->stats.ustats.conns++;
160 spin_unlock(&svc->stats.lock);
162 spin_lock(&ip_vs_stats.lock);
163 ip_vs_stats.ustats.conns++;
164 spin_unlock(&ip_vs_stats.lock);
169 ip_vs_set_state(struct ip_vs_conn *cp, int direction,
170 const struct sk_buff *skb,
171 struct ip_vs_protocol *pp)
173 if (unlikely(!pp->state_transition))
175 return pp->state_transition(cp, direction, skb, pp);
180 * IPVS persistent scheduling function
181 * It creates a connection entry according to its template if exists,
182 * or selects a server and creates a connection entry plus a template.
183 * Locking: we are svc user (svc->refcnt), so we hold all dests too
184 * Protocols supported: TCP, UDP
186 static struct ip_vs_conn *
187 ip_vs_sched_persist(struct ip_vs_service *svc,
188 const struct sk_buff *skb,
191 struct ip_vs_conn *cp = NULL;
192 struct ip_vs_iphdr iph;
193 struct ip_vs_dest *dest;
194 struct ip_vs_conn *ct;
195 __be16 dport; /* destination port to forward */
197 union nf_inet_addr snet; /* source network of the client,
200 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
202 /* Mask saddr with the netmask to adjust template granularity */
203 #ifdef CONFIG_IP_VS_IPV6
204 if (svc->af == AF_INET6)
205 ipv6_addr_prefix(&snet.in6, &iph.saddr.in6, svc->netmask);
208 snet.ip = iph.saddr.ip & svc->netmask;
210 IP_VS_DBG_BUF(6, "p-schedule: src %s:%u dest %s:%u "
212 IP_VS_DBG_ADDR(svc->af, &iph.saddr), ntohs(ports[0]),
213 IP_VS_DBG_ADDR(svc->af, &iph.daddr), ntohs(ports[1]),
214 IP_VS_DBG_ADDR(svc->af, &snet));
217 * As far as we know, FTP is a very complicated network protocol, and
218 * it uses control connection and data connections. For active FTP,
219 * FTP server initialize data connection to the client, its source port
220 * is often 20. For passive FTP, FTP server tells the clients the port
221 * that it passively listens to, and the client issues the data
222 * connection. In the tunneling or direct routing mode, the load
223 * balancer is on the client-to-server half of connection, the port
224 * number is unknown to the load balancer. So, a conn template like
225 * <caddr, 0, vaddr, 0, daddr, 0> is created for persistent FTP
226 * service, and a template like <caddr, 0, vaddr, vport, daddr, dport>
227 * is created for other persistent services.
229 if (ports[1] == svc->port) {
230 /* Check if a template already exists */
231 if (svc->port != FTPPORT)
232 ct = ip_vs_ct_in_get(svc->af, iph.protocol, &snet, 0,
233 &iph.daddr, ports[1]);
235 ct = ip_vs_ct_in_get(svc->af, iph.protocol, &snet, 0,
238 if (!ct || !ip_vs_check_template(ct)) {
240 * No template found or the dest of the connection
241 * template is not available.
243 dest = svc->scheduler->schedule(svc, skb);
245 IP_VS_DBG(1, "p-schedule: no dest found.\n");
250 * Create a template like <protocol,caddr,0,
251 * vaddr,vport,daddr,dport> for non-ftp service,
252 * and <protocol,caddr,0,vaddr,0,daddr,0>
255 if (svc->port != FTPPORT)
256 ct = ip_vs_conn_new(svc->af, iph.protocol,
260 &dest->addr, dest->port,
261 IP_VS_CONN_F_TEMPLATE,
264 ct = ip_vs_conn_new(svc->af, iph.protocol,
268 IP_VS_CONN_F_TEMPLATE,
273 ct->timeout = svc->timeout;
275 /* set destination with the found template */
281 * Note: persistent fwmark-based services and persistent
282 * port zero service are handled here.
283 * fwmark template: <IPPROTO_IP,caddr,0,fwmark,0,daddr,0>
284 * port zero template: <protocol,caddr,0,vaddr,0,daddr,0>
287 union nf_inet_addr fwmark = {
288 .ip = htonl(svc->fwmark)
291 ct = ip_vs_ct_in_get(svc->af, IPPROTO_IP, &snet, 0,
294 ct = ip_vs_ct_in_get(svc->af, iph.protocol, &snet, 0,
297 if (!ct || !ip_vs_check_template(ct)) {
299 * If it is not persistent port zero, return NULL,
300 * otherwise create a connection template.
305 dest = svc->scheduler->schedule(svc, skb);
307 IP_VS_DBG(1, "p-schedule: no dest found.\n");
312 * Create a template according to the service
315 union nf_inet_addr fwmark = {
316 .ip = htonl(svc->fwmark)
319 ct = ip_vs_conn_new(svc->af, IPPROTO_IP,
323 IP_VS_CONN_F_TEMPLATE,
326 ct = ip_vs_conn_new(svc->af, iph.protocol,
330 IP_VS_CONN_F_TEMPLATE,
335 ct->timeout = svc->timeout;
337 /* set destination with the found template */
343 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
344 && iph.protocol == IPPROTO_UDP)?
345 IP_VS_CONN_F_ONE_PACKET : 0;
348 * Create a new connection according to the template
350 cp = ip_vs_conn_new(svc->af, iph.protocol,
351 &iph.saddr, ports[0],
352 &iph.daddr, ports[1],
364 ip_vs_control_add(cp, ct);
367 ip_vs_conn_stats(cp, svc);
373 * IPVS main scheduling function
374 * It selects a server according to the virtual service, and
375 * creates a connection entry.
376 * Protocols supported: TCP, UDP
379 ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
381 struct ip_vs_conn *cp = NULL;
382 struct ip_vs_iphdr iph;
383 struct ip_vs_dest *dest;
384 __be16 _ports[2], *pptr, flags;
386 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
387 pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
394 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
395 return ip_vs_sched_persist(svc, skb, pptr);
398 * Non-persistent service
400 if (!svc->fwmark && pptr[1] != svc->port) {
402 pr_err("Schedule: port zero only supported "
403 "in persistent services, "
404 "check your ipvs configuration\n");
408 dest = svc->scheduler->schedule(svc, skb);
410 IP_VS_DBG(1, "Schedule: no dest found.\n");
414 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
415 && iph.protocol == IPPROTO_UDP)?
416 IP_VS_CONN_F_ONE_PACKET : 0;
419 * Create a connection entry.
421 cp = ip_vs_conn_new(svc->af, iph.protocol,
424 &dest->addr, dest->port ? dest->port : pptr[1],
430 IP_VS_DBG_BUF(6, "Schedule fwd:%c c:%s:%u v:%s:%u "
431 "d:%s:%u conn->flags:%X conn->refcnt:%d\n",
433 IP_VS_DBG_ADDR(svc->af, &cp->caddr), ntohs(cp->cport),
434 IP_VS_DBG_ADDR(svc->af, &cp->vaddr), ntohs(cp->vport),
435 IP_VS_DBG_ADDR(svc->af, &cp->daddr), ntohs(cp->dport),
436 cp->flags, atomic_read(&cp->refcnt));
438 ip_vs_conn_stats(cp, svc);
444 * Pass or drop the packet.
445 * Called by ip_vs_in, when the virtual service is available but
446 * no destination is available for a new connection.
448 int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
449 struct ip_vs_protocol *pp)
451 __be16 _ports[2], *pptr;
452 struct ip_vs_iphdr iph;
454 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
456 pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
458 ip_vs_service_put(svc);
462 #ifdef CONFIG_IP_VS_IPV6
463 if (svc->af == AF_INET6)
464 unicast = ipv6_addr_type(&iph.daddr.in6) & IPV6_ADDR_UNICAST;
467 unicast = (inet_addr_type(&init_net, iph.daddr.ip) == RTN_UNICAST);
469 /* if it is fwmark-based service, the cache_bypass sysctl is up
470 and the destination is a non-local unicast, then create
471 a cache_bypass connection entry */
472 if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) {
474 struct ip_vs_conn *cp;
475 __u16 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&
476 iph.protocol == IPPROTO_UDP)?
477 IP_VS_CONN_F_ONE_PACKET : 0;
478 union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } };
480 ip_vs_service_put(svc);
482 /* create a new connection entry */
483 IP_VS_DBG(6, "%s(): create a cache_bypass entry\n", __func__);
484 cp = ip_vs_conn_new(svc->af, iph.protocol,
488 IP_VS_CONN_F_BYPASS | flags,
494 ip_vs_in_stats(cp, skb);
497 cs = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp);
499 /* transmit the first SYN packet */
500 ret = cp->packet_xmit(skb, cp, pp);
501 /* do not touch skb anymore */
503 atomic_inc(&cp->in_pkts);
509 * When the virtual ftp service is presented, packets destined
510 * for other services on the VIP may get here (except services
511 * listed in the ipvs table), pass the packets, because it is
512 * not ipvs job to decide to drop the packets.
514 if ((svc->port == FTPPORT) && (pptr[1] != FTPPORT)) {
515 ip_vs_service_put(svc);
519 ip_vs_service_put(svc);
522 * Notify the client that the destination is unreachable, and
523 * release the socket buffer.
524 * Since it is in IP layer, the TCP socket is not actually
525 * created, the TCP RST packet cannot be sent, instead that
526 * ICMP_PORT_UNREACH is sent here no matter it is TCP/UDP. --WZ
528 #ifdef CONFIG_IP_VS_IPV6
529 if (svc->af == AF_INET6)
530 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
533 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
538 __sum16 ip_vs_checksum_complete(struct sk_buff *skb, int offset)
540 return csum_fold(skb_checksum(skb, offset, skb->len - offset, 0));
543 static inline int ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user)
545 int err = ip_defrag(skb, user);
548 ip_send_check(ip_hdr(skb));
553 #ifdef CONFIG_IP_VS_IPV6
554 static inline int ip_vs_gather_frags_v6(struct sk_buff *skb, u_int32_t user)
556 /* TODO IPv6: Find out what to do here for IPv6 */
562 * Packet has been made sufficiently writable in caller
563 * - inout: 1=in->out, 0=out->in
565 void ip_vs_nat_icmp(struct sk_buff *skb, struct ip_vs_protocol *pp,
566 struct ip_vs_conn *cp, int inout)
568 struct iphdr *iph = ip_hdr(skb);
569 unsigned int icmp_offset = iph->ihl*4;
570 struct icmphdr *icmph = (struct icmphdr *)(skb_network_header(skb) +
572 struct iphdr *ciph = (struct iphdr *)(icmph + 1);
575 iph->saddr = cp->vaddr.ip;
577 ciph->daddr = cp->vaddr.ip;
580 iph->daddr = cp->daddr.ip;
582 ciph->saddr = cp->daddr.ip;
586 /* the TCP/UDP/SCTP port */
587 if (IPPROTO_TCP == ciph->protocol || IPPROTO_UDP == ciph->protocol ||
588 IPPROTO_SCTP == ciph->protocol) {
589 __be16 *ports = (void *)ciph + ciph->ihl*4;
592 ports[1] = cp->vport;
594 ports[0] = cp->dport;
597 /* And finally the ICMP checksum */
599 icmph->checksum = ip_vs_checksum_complete(skb, icmp_offset);
600 skb->ip_summed = CHECKSUM_UNNECESSARY;
603 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
604 "Forwarding altered outgoing ICMP");
606 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
607 "Forwarding altered incoming ICMP");
610 #ifdef CONFIG_IP_VS_IPV6
611 void ip_vs_nat_icmp_v6(struct sk_buff *skb, struct ip_vs_protocol *pp,
612 struct ip_vs_conn *cp, int inout)
614 struct ipv6hdr *iph = ipv6_hdr(skb);
615 unsigned int icmp_offset = sizeof(struct ipv6hdr);
616 struct icmp6hdr *icmph = (struct icmp6hdr *)(skb_network_header(skb) +
618 struct ipv6hdr *ciph = (struct ipv6hdr *)(icmph + 1);
621 iph->saddr = cp->vaddr.in6;
622 ciph->daddr = cp->vaddr.in6;
624 iph->daddr = cp->daddr.in6;
625 ciph->saddr = cp->daddr.in6;
628 /* the TCP/UDP/SCTP port */
629 if (IPPROTO_TCP == ciph->nexthdr || IPPROTO_UDP == ciph->nexthdr ||
630 IPPROTO_SCTP == ciph->nexthdr) {
631 __be16 *ports = (void *)ciph + sizeof(struct ipv6hdr);
634 ports[1] = cp->vport;
636 ports[0] = cp->dport;
639 /* And finally the ICMP checksum */
640 icmph->icmp6_cksum = 0;
641 /* TODO IPv6: is this correct for ICMPv6? */
642 ip_vs_checksum_complete(skb, icmp_offset);
643 skb->ip_summed = CHECKSUM_UNNECESSARY;
646 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
647 "Forwarding altered outgoing ICMPv6");
649 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
650 "Forwarding altered incoming ICMPv6");
654 /* Handle relevant response ICMP messages - forward to the right
655 * destination host. Used for NAT and local client.
657 static int handle_response_icmp(int af, struct sk_buff *skb,
658 union nf_inet_addr *snet,
659 __u8 protocol, struct ip_vs_conn *cp,
660 struct ip_vs_protocol *pp,
661 unsigned int offset, unsigned int ihl)
663 unsigned int verdict = NF_DROP;
665 if (IP_VS_FWD_METHOD(cp) != 0) {
666 pr_err("shouldn't reach here, because the box is on the "
667 "half connection in the tun/dr module.\n");
670 /* Ensure the checksum is correct */
671 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
672 /* Failed checksum! */
673 IP_VS_DBG_BUF(1, "Forward ICMP: failed checksum from %s!\n",
674 IP_VS_DBG_ADDR(af, snet));
678 if (IPPROTO_TCP == protocol || IPPROTO_UDP == protocol ||
679 IPPROTO_SCTP == protocol)
680 offset += 2 * sizeof(__u16);
681 if (!skb_make_writable(skb, offset))
684 #ifdef CONFIG_IP_VS_IPV6
686 ip_vs_nat_icmp_v6(skb, pp, cp, 1);
689 ip_vs_nat_icmp(skb, pp, cp, 1);
691 /* do the statistics and put it back */
692 ip_vs_out_stats(cp, skb);
694 skb->ipvs_property = 1;
698 __ip_vs_conn_put(cp);
704 * Handle ICMP messages in the inside-to-outside direction (outgoing).
705 * Find any that might be relevant, check against existing connections.
706 * Currently handles error types - unreachable, quench, ttl exceeded.
708 static int ip_vs_out_icmp(struct sk_buff *skb, int *related)
711 struct icmphdr _icmph, *ic;
712 struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */
713 struct ip_vs_iphdr ciph;
714 struct ip_vs_conn *cp;
715 struct ip_vs_protocol *pp;
716 unsigned int offset, ihl;
717 union nf_inet_addr snet;
721 /* reassemble IP fragments */
722 if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
723 if (ip_vs_gather_frags(skb, IP_DEFRAG_VS_OUT))
728 offset = ihl = iph->ihl * 4;
729 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
733 IP_VS_DBG(12, "Outgoing ICMP (%d,%d) %pI4->%pI4\n",
734 ic->type, ntohs(icmp_id(ic)),
735 &iph->saddr, &iph->daddr);
738 * Work through seeing if this is for us.
739 * These checks are supposed to be in an order that means easy
740 * things are checked first to speed up processing.... however
741 * this means that some packets will manage to get a long way
742 * down this stack and then be rejected, but that's life.
744 if ((ic->type != ICMP_DEST_UNREACH) &&
745 (ic->type != ICMP_SOURCE_QUENCH) &&
746 (ic->type != ICMP_TIME_EXCEEDED)) {
751 /* Now find the contained IP header */
752 offset += sizeof(_icmph);
753 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
755 return NF_ACCEPT; /* The packet looks wrong, ignore */
757 pp = ip_vs_proto_get(cih->protocol);
761 /* Is the embedded protocol header present? */
762 if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
766 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking outgoing ICMP for");
768 offset += cih->ihl * 4;
770 ip_vs_fill_iphdr(AF_INET, cih, &ciph);
771 /* The embedded headers contain source and dest in reverse order */
772 cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1);
776 snet.ip = iph->saddr;
777 return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp,
781 #ifdef CONFIG_IP_VS_IPV6
782 static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related)
785 struct icmp6hdr _icmph, *ic;
786 struct ipv6hdr _ciph, *cih; /* The ip header contained
788 struct ip_vs_iphdr ciph;
789 struct ip_vs_conn *cp;
790 struct ip_vs_protocol *pp;
792 union nf_inet_addr snet;
796 /* reassemble IP fragments */
797 if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) {
798 if (ip_vs_gather_frags_v6(skb, IP_DEFRAG_VS_OUT))
803 offset = sizeof(struct ipv6hdr);
804 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
808 IP_VS_DBG(12, "Outgoing ICMPv6 (%d,%d) %pI6->%pI6\n",
809 ic->icmp6_type, ntohs(icmpv6_id(ic)),
810 &iph->saddr, &iph->daddr);
813 * Work through seeing if this is for us.
814 * These checks are supposed to be in an order that means easy
815 * things are checked first to speed up processing.... however
816 * this means that some packets will manage to get a long way
817 * down this stack and then be rejected, but that's life.
819 if ((ic->icmp6_type != ICMPV6_DEST_UNREACH) &&
820 (ic->icmp6_type != ICMPV6_PKT_TOOBIG) &&
821 (ic->icmp6_type != ICMPV6_TIME_EXCEED)) {
826 /* Now find the contained IP header */
827 offset += sizeof(_icmph);
828 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
830 return NF_ACCEPT; /* The packet looks wrong, ignore */
832 pp = ip_vs_proto_get(cih->nexthdr);
836 /* Is the embedded protocol header present? */
837 /* TODO: we don't support fragmentation at the moment anyways */
838 if (unlikely(cih->nexthdr == IPPROTO_FRAGMENT && pp->dont_defrag))
841 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking outgoing ICMPv6 for");
843 offset += sizeof(struct ipv6hdr);
845 ip_vs_fill_iphdr(AF_INET6, cih, &ciph);
846 /* The embedded headers contain source and dest in reverse order */
847 cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1);
851 ipv6_addr_copy(&snet.in6, &iph->saddr);
852 return handle_response_icmp(AF_INET6, skb, &snet, cih->nexthdr, cp,
853 pp, offset, sizeof(struct ipv6hdr));
858 * Check if sctp chunc is ABORT chunk
860 static inline int is_sctp_abort(const struct sk_buff *skb, int nh_len)
862 sctp_chunkhdr_t *sch, schunk;
863 sch = skb_header_pointer(skb, nh_len + sizeof(sctp_sctphdr_t),
864 sizeof(schunk), &schunk);
867 if (sch->type == SCTP_CID_ABORT)
872 static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len)
874 struct tcphdr _tcph, *th;
876 th = skb_header_pointer(skb, nh_len, sizeof(_tcph), &_tcph);
882 /* Handle response packets: rewrite addresses and send away...
883 * Used for NAT and local client.
886 handle_response(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
887 struct ip_vs_conn *cp, int ihl)
889 IP_VS_DBG_PKT(11, pp, skb, 0, "Outgoing packet");
891 if (!skb_make_writable(skb, ihl))
894 /* mangle the packet */
895 if (pp->snat_handler && !pp->snat_handler(skb, pp, cp))
898 #ifdef CONFIG_IP_VS_IPV6
900 ipv6_hdr(skb)->saddr = cp->vaddr.in6;
904 ip_hdr(skb)->saddr = cp->vaddr.ip;
905 ip_send_check(ip_hdr(skb));
908 /* For policy routing, packets originating from this
909 * machine itself may be routed differently to packets
910 * passing through. We want this packet to be routed as
911 * if it came from this machine itself. So re-compute
912 * the routing information.
914 #ifdef CONFIG_IP_VS_IPV6
915 if (af == AF_INET6) {
916 if (ip6_route_me_harder(skb) != 0)
920 if (ip_route_me_harder(skb, RTN_LOCAL) != 0)
923 IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT");
925 ip_vs_out_stats(cp, skb);
926 ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pp);
927 ip_vs_update_conntrack(skb, cp, 0);
930 skb->ipvs_property = 1;
942 * It is hooked at the NF_INET_FORWARD chain, used only for VS/NAT.
943 * Check if outgoing packet belongs to the established ip_vs_conn.
946 ip_vs_out(unsigned int hooknum, struct sk_buff *skb,
947 const struct net_device *in, const struct net_device *out,
948 int (*okfn)(struct sk_buff *))
950 struct ip_vs_iphdr iph;
951 struct ip_vs_protocol *pp;
952 struct ip_vs_conn *cp;
957 af = (skb->protocol == htons(ETH_P_IP)) ? AF_INET : AF_INET6;
959 if (skb->ipvs_property)
962 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
963 #ifdef CONFIG_IP_VS_IPV6
964 if (af == AF_INET6) {
965 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
966 int related, verdict = ip_vs_out_icmp_v6(skb, &related);
970 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
974 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
975 int related, verdict = ip_vs_out_icmp(skb, &related);
979 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
982 pp = ip_vs_proto_get(iph.protocol);
986 /* reassemble IP fragments */
987 #ifdef CONFIG_IP_VS_IPV6
988 if (af == AF_INET6) {
989 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
990 int related, verdict = ip_vs_out_icmp_v6(skb, &related);
995 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
999 if (unlikely(ip_hdr(skb)->frag_off & htons(IP_MF|IP_OFFSET) &&
1000 !pp->dont_defrag)) {
1001 if (ip_vs_gather_frags(skb, IP_DEFRAG_VS_OUT))
1004 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1008 * Check if the packet belongs to an existing entry
1010 cp = pp->conn_out_get(af, skb, pp, &iph, iph.len, 0);
1012 if (unlikely(!cp)) {
1013 if (sysctl_ip_vs_nat_icmp_send &&
1014 (pp->protocol == IPPROTO_TCP ||
1015 pp->protocol == IPPROTO_UDP ||
1016 pp->protocol == IPPROTO_SCTP)) {
1017 __be16 _ports[2], *pptr;
1019 pptr = skb_header_pointer(skb, iph.len,
1020 sizeof(_ports), _ports);
1022 return NF_ACCEPT; /* Not for me */
1023 if (ip_vs_lookup_real_service(af, iph.protocol,
1027 * Notify the real server: there is no
1028 * existing entry if it is not RST
1029 * packet or not TCP packet.
1031 if ((iph.protocol != IPPROTO_TCP &&
1032 iph.protocol != IPPROTO_SCTP)
1033 || ((iph.protocol == IPPROTO_TCP
1034 && !is_tcp_reset(skb, iph.len))
1035 || (iph.protocol == IPPROTO_SCTP
1036 && !is_sctp_abort(skb,
1038 #ifdef CONFIG_IP_VS_IPV6
1041 ICMPV6_DEST_UNREACH,
1042 ICMPV6_PORT_UNREACH,
1048 ICMP_PORT_UNREACH, 0);
1053 IP_VS_DBG_PKT(12, pp, skb, 0,
1054 "packet continues traversal as normal");
1058 return handle_response(af, skb, pp, cp, iph.len);
1063 * Handle ICMP messages in the outside-to-inside direction (incoming).
1064 * Find any that might be relevant, check against existing connections,
1065 * forward to the right destination host if relevant.
1066 * Currently handles error types - unreachable, quench, ttl exceeded.
1069 ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
1072 struct icmphdr _icmph, *ic;
1073 struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */
1074 struct ip_vs_iphdr ciph;
1075 struct ip_vs_conn *cp;
1076 struct ip_vs_protocol *pp;
1077 unsigned int offset, ihl, verdict;
1078 union nf_inet_addr snet;
1082 /* reassemble IP fragments */
1083 if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
1084 if (ip_vs_gather_frags(skb, hooknum == NF_INET_LOCAL_IN ?
1085 IP_DEFRAG_VS_IN : IP_DEFRAG_VS_FWD))
1090 offset = ihl = iph->ihl * 4;
1091 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
1095 IP_VS_DBG(12, "Incoming ICMP (%d,%d) %pI4->%pI4\n",
1096 ic->type, ntohs(icmp_id(ic)),
1097 &iph->saddr, &iph->daddr);
1100 * Work through seeing if this is for us.
1101 * These checks are supposed to be in an order that means easy
1102 * things are checked first to speed up processing.... however
1103 * this means that some packets will manage to get a long way
1104 * down this stack and then be rejected, but that's life.
1106 if ((ic->type != ICMP_DEST_UNREACH) &&
1107 (ic->type != ICMP_SOURCE_QUENCH) &&
1108 (ic->type != ICMP_TIME_EXCEEDED)) {
1113 /* Now find the contained IP header */
1114 offset += sizeof(_icmph);
1115 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1117 return NF_ACCEPT; /* The packet looks wrong, ignore */
1119 pp = ip_vs_proto_get(cih->protocol);
1123 /* Is the embedded protocol header present? */
1124 if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
1128 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking incoming ICMP for");
1130 offset += cih->ihl * 4;
1132 ip_vs_fill_iphdr(AF_INET, cih, &ciph);
1133 /* The embedded headers contain source and dest in reverse order */
1134 cp = pp->conn_in_get(AF_INET, skb, pp, &ciph, offset, 1);
1136 /* The packet could also belong to a local client */
1137 cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1);
1139 snet.ip = iph->saddr;
1140 return handle_response_icmp(AF_INET, skb, &snet,
1141 cih->protocol, cp, pp,
1149 /* Ensure the checksum is correct */
1150 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
1151 /* Failed checksum! */
1152 IP_VS_DBG(1, "Incoming ICMP: failed checksum from %pI4!\n",
1157 /* do the statistics and put it back */
1158 ip_vs_in_stats(cp, skb);
1159 if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol)
1160 offset += 2 * sizeof(__u16);
1161 verdict = ip_vs_icmp_xmit(skb, cp, pp, offset);
1162 /* do not touch skb anymore */
1165 __ip_vs_conn_put(cp);
1170 #ifdef CONFIG_IP_VS_IPV6
1172 ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum)
1174 struct ipv6hdr *iph;
1175 struct icmp6hdr _icmph, *ic;
1176 struct ipv6hdr _ciph, *cih; /* The ip header contained
1178 struct ip_vs_iphdr ciph;
1179 struct ip_vs_conn *cp;
1180 struct ip_vs_protocol *pp;
1181 unsigned int offset, verdict;
1182 union nf_inet_addr snet;
1186 /* reassemble IP fragments */
1187 if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) {
1188 if (ip_vs_gather_frags_v6(skb, hooknum == NF_INET_LOCAL_IN ?
1194 iph = ipv6_hdr(skb);
1195 offset = sizeof(struct ipv6hdr);
1196 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
1200 IP_VS_DBG(12, "Incoming ICMPv6 (%d,%d) %pI6->%pI6\n",
1201 ic->icmp6_type, ntohs(icmpv6_id(ic)),
1202 &iph->saddr, &iph->daddr);
1205 * Work through seeing if this is for us.
1206 * These checks are supposed to be in an order that means easy
1207 * things are checked first to speed up processing.... however
1208 * this means that some packets will manage to get a long way
1209 * down this stack and then be rejected, but that's life.
1211 if ((ic->icmp6_type != ICMPV6_DEST_UNREACH) &&
1212 (ic->icmp6_type != ICMPV6_PKT_TOOBIG) &&
1213 (ic->icmp6_type != ICMPV6_TIME_EXCEED)) {
1218 /* Now find the contained IP header */
1219 offset += sizeof(_icmph);
1220 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1222 return NF_ACCEPT; /* The packet looks wrong, ignore */
1224 pp = ip_vs_proto_get(cih->nexthdr);
1228 /* Is the embedded protocol header present? */
1229 /* TODO: we don't support fragmentation at the moment anyways */
1230 if (unlikely(cih->nexthdr == IPPROTO_FRAGMENT && pp->dont_defrag))
1233 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking incoming ICMPv6 for");
1235 offset += sizeof(struct ipv6hdr);
1237 ip_vs_fill_iphdr(AF_INET6, cih, &ciph);
1238 /* The embedded headers contain source and dest in reverse order */
1239 cp = pp->conn_in_get(AF_INET6, skb, pp, &ciph, offset, 1);
1241 /* The packet could also belong to a local client */
1242 cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1);
1244 ipv6_addr_copy(&snet.in6, &iph->saddr);
1245 return handle_response_icmp(AF_INET6, skb, &snet,
1248 sizeof(struct ipv6hdr));
1255 /* do the statistics and put it back */
1256 ip_vs_in_stats(cp, skb);
1257 if (IPPROTO_TCP == cih->nexthdr || IPPROTO_UDP == cih->nexthdr ||
1258 IPPROTO_SCTP == cih->nexthdr)
1259 offset += 2 * sizeof(__u16);
1260 verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, offset);
1261 /* do not touch skb anymore */
1263 __ip_vs_conn_put(cp);
1271 * Check if it's for virtual services, look it up,
1272 * and send it on its way...
1275 ip_vs_in(unsigned int hooknum, struct sk_buff *skb,
1276 const struct net_device *in, const struct net_device *out,
1277 int (*okfn)(struct sk_buff *))
1279 struct ip_vs_iphdr iph;
1280 struct ip_vs_protocol *pp;
1281 struct ip_vs_conn *cp;
1282 int ret, restart, af, pkts;
1284 af = (skb->protocol == htons(ETH_P_IP)) ? AF_INET : AF_INET6;
1286 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1289 * Big tappo: only PACKET_HOST, including loopback for local client
1290 * Don't handle local packets on IPv6 for now
1292 if (unlikely(skb->pkt_type != PACKET_HOST)) {
1293 IP_VS_DBG_BUF(12, "packet type=%d proto=%d daddr=%s ignored\n",
1296 IP_VS_DBG_ADDR(af, &iph.daddr));
1300 #ifdef CONFIG_IP_VS_IPV6
1301 if (af == AF_INET6) {
1302 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
1303 int related, verdict = ip_vs_in_icmp_v6(skb, &related, hooknum);
1307 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1311 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
1312 int related, verdict = ip_vs_in_icmp(skb, &related, hooknum);
1316 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1319 /* Protocol supported? */
1320 pp = ip_vs_proto_get(iph.protocol);
1325 * Check if the packet belongs to an existing connection entry
1327 cp = pp->conn_in_get(af, skb, pp, &iph, iph.len, 0);
1329 if (unlikely(!cp)) {
1332 /* For local client packets, it could be a response */
1333 cp = pp->conn_out_get(af, skb, pp, &iph, iph.len, 0);
1335 return handle_response(af, skb, pp, cp, iph.len);
1337 if (!pp->conn_schedule(af, skb, pp, &v, &cp))
1341 if (unlikely(!cp)) {
1342 /* sorry, all this trouble for a no-hit :) */
1343 IP_VS_DBG_PKT(12, pp, skb, 0,
1344 "packet continues traversal as normal");
1348 IP_VS_DBG_PKT(11, pp, skb, 0, "Incoming packet");
1350 /* Check the server status */
1351 if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
1352 /* the destination server is not available */
1354 if (sysctl_ip_vs_expire_nodest_conn) {
1355 /* try to expire the connection immediately */
1356 ip_vs_conn_expire_now(cp);
1358 /* don't restart its timer, and silently
1360 __ip_vs_conn_put(cp);
1364 ip_vs_in_stats(cp, skb);
1365 restart = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp);
1366 if (cp->packet_xmit)
1367 ret = cp->packet_xmit(skb, cp, pp);
1368 /* do not touch skb anymore */
1370 IP_VS_DBG_RL("warning: packet_xmit is null");
1374 /* Increase its packet counter and check if it is needed
1375 * to be synchronized
1377 * Sync connection if it is about to close to
1378 * encorage the standby servers to update the connections timeout
1380 pkts = atomic_add_return(1, &cp->in_pkts);
1381 if (af == AF_INET && (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
1382 cp->protocol == IPPROTO_SCTP) {
1383 if ((cp->state == IP_VS_SCTP_S_ESTABLISHED &&
1384 (atomic_read(&cp->in_pkts) %
1385 sysctl_ip_vs_sync_threshold[1]
1386 == sysctl_ip_vs_sync_threshold[0])) ||
1387 (cp->old_state != cp->state &&
1388 ((cp->state == IP_VS_SCTP_S_CLOSED) ||
1389 (cp->state == IP_VS_SCTP_S_SHUT_ACK_CLI) ||
1390 (cp->state == IP_VS_SCTP_S_SHUT_ACK_SER)))) {
1391 ip_vs_sync_conn(cp);
1396 if (af == AF_INET &&
1397 (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
1398 (((cp->protocol != IPPROTO_TCP ||
1399 cp->state == IP_VS_TCP_S_ESTABLISHED) &&
1400 (pkts % sysctl_ip_vs_sync_threshold[1]
1401 == sysctl_ip_vs_sync_threshold[0])) ||
1402 ((cp->protocol == IPPROTO_TCP) && (cp->old_state != cp->state) &&
1403 ((cp->state == IP_VS_TCP_S_FIN_WAIT) ||
1404 (cp->state == IP_VS_TCP_S_CLOSE) ||
1405 (cp->state == IP_VS_TCP_S_CLOSE_WAIT) ||
1406 (cp->state == IP_VS_TCP_S_TIME_WAIT)))))
1407 ip_vs_sync_conn(cp);
1409 cp->old_state = cp->state;
1417 * It is hooked at the NF_INET_FORWARD chain, in order to catch ICMP
1418 * related packets destined for 0.0.0.0/0.
1419 * When fwmark-based virtual service is used, such as transparent
1420 * cache cluster, TCP packets can be marked and routed to ip_vs_in,
1421 * but ICMP destined for 0.0.0.0/0 cannot not be easily marked and
1422 * sent to ip_vs_in_icmp. So, catch them at the NF_INET_FORWARD chain
1423 * and send them to ip_vs_in_icmp.
1426 ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff *skb,
1427 const struct net_device *in, const struct net_device *out,
1428 int (*okfn)(struct sk_buff *))
1432 if (ip_hdr(skb)->protocol != IPPROTO_ICMP)
1435 return ip_vs_in_icmp(skb, &r, hooknum);
1438 #ifdef CONFIG_IP_VS_IPV6
1440 ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
1441 const struct net_device *in, const struct net_device *out,
1442 int (*okfn)(struct sk_buff *))
1446 if (ipv6_hdr(skb)->nexthdr != IPPROTO_ICMPV6)
1449 return ip_vs_in_icmp_v6(skb, &r, hooknum);
1454 static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1455 /* After packet filtering, forward packet through VS/DR, VS/TUN,
1456 * or VS/NAT(change destination), so that filtering rules can be
1457 * applied to IPVS. */
1460 .owner = THIS_MODULE,
1462 .hooknum = NF_INET_LOCAL_IN,
1465 /* After packet filtering, change source only for VS/NAT */
1468 .owner = THIS_MODULE,
1470 .hooknum = NF_INET_FORWARD,
1473 /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1474 * destined for 0.0.0.0/0, which is for incoming IPVS connections */
1476 .hook = ip_vs_forward_icmp,
1477 .owner = THIS_MODULE,
1479 .hooknum = NF_INET_FORWARD,
1482 #ifdef CONFIG_IP_VS_IPV6
1483 /* After packet filtering, forward packet through VS/DR, VS/TUN,
1484 * or VS/NAT(change destination), so that filtering rules can be
1485 * applied to IPVS. */
1488 .owner = THIS_MODULE,
1490 .hooknum = NF_INET_LOCAL_IN,
1493 /* After packet filtering, change source only for VS/NAT */
1496 .owner = THIS_MODULE,
1498 .hooknum = NF_INET_FORWARD,
1501 /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1502 * destined for 0.0.0.0/0, which is for incoming IPVS connections */
1504 .hook = ip_vs_forward_icmp_v6,
1505 .owner = THIS_MODULE,
1507 .hooknum = NF_INET_FORWARD,
1515 * Initialize IP Virtual Server
1517 static int __init ip_vs_init(void)
1521 ip_vs_estimator_init();
1523 ret = ip_vs_control_init();
1525 pr_err("can't setup control.\n");
1526 goto cleanup_estimator;
1529 ip_vs_protocol_init();
1531 ret = ip_vs_app_init();
1533 pr_err("can't setup application helper.\n");
1534 goto cleanup_protocol;
1537 ret = ip_vs_conn_init();
1539 pr_err("can't setup connection table.\n");
1543 ret = nf_register_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
1545 pr_err("can't register hooks.\n");
1549 pr_info("ipvs loaded.\n");
1553 ip_vs_conn_cleanup();
1555 ip_vs_app_cleanup();
1557 ip_vs_protocol_cleanup();
1558 ip_vs_control_cleanup();
1560 ip_vs_estimator_cleanup();
1564 static void __exit ip_vs_cleanup(void)
1566 nf_unregister_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
1567 ip_vs_conn_cleanup();
1568 ip_vs_app_cleanup();
1569 ip_vs_protocol_cleanup();
1570 ip_vs_control_cleanup();
1571 ip_vs_estimator_cleanup();
1572 pr_info("ipvs unloaded.\n");
1575 module_init(ip_vs_init);
1576 module_exit(ip_vs_cleanup);
1577 MODULE_LICENSE("GPL");
git://bbs.cooldavid.org / net-next-2.6.git / blob