2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the NetFilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
21 #include <linux/module.h>
22 #include <linux/init.h>
23 #include <linux/types.h>
24 #include <linux/capability.h>
26 #include <linux/sysctl.h>
27 #include <linux/proc_fs.h>
28 #include <linux/workqueue.h>
29 #include <linux/swap.h>
30 #include <linux/seq_file.h>
32 #include <linux/netfilter.h>
33 #include <linux/netfilter_ipv4.h>
34 #include <linux/mutex.h>
36 #include <net/net_namespace.h>
38 #include <net/route.h>
40 #include <net/genetlink.h>
42 #include <asm/uaccess.h>
44 #include <net/ip_vs.h>
/*
 * Module-wide state for the IPVS control plane: one mutex serializing
 * user-space configuration ([gs]etsockopt), reader/writer locks for the
 * service and real-server tables, spinlocks for the two DoS-defense
 * strategies, and the sysctl-backed tunables.
 */
46 /* semaphore for IPVS sockopts. And, [gs]etsockopt may sleep. */
47 static DEFINE_MUTEX(__ip_vs_mutex);
49 /* lock for service table */
50 static DEFINE_RWLOCK(__ip_vs_svc_lock);
52 /* lock for table with the real services */
53 static DEFINE_RWLOCK(__ip_vs_rs_lock);
55 /* lock for state and timeout tables */
56 static DEFINE_RWLOCK(__ip_vs_securetcp_lock);
58 /* lock for drop entry handling */
59 static DEFINE_SPINLOCK(__ip_vs_dropentry_lock);
61 /* lock for drop packet handling */
62 static DEFINE_SPINLOCK(__ip_vs_droppacket_lock);
64 /* 1/rate drop and drop-entry variables */
65 int ip_vs_drop_rate = 0;
66 int ip_vs_drop_counter = 0;
67 static atomic_t ip_vs_dropentry = ATOMIC_INIT(0);
69 /* number of virtual services */
70 static int ip_vs_num_services = 0;
72 /* sysctl variables */
73 static int sysctl_ip_vs_drop_entry = 0;
74 static int sysctl_ip_vs_drop_packet = 0;
75 static int sysctl_ip_vs_secure_tcp = 0;
76 static int sysctl_ip_vs_amemthresh = 1024;
77 static int sysctl_ip_vs_am_droprate = 10;
78 int sysctl_ip_vs_cache_bypass = 0;
79 int sysctl_ip_vs_expire_nodest_conn = 0;
80 int sysctl_ip_vs_expire_quiescent_template = 0;
/* sync_threshold[0] = count threshold, [1] = period; NOTE(review):
 * exact semantics live in the sync daemon code — confirm there. */
81 int sysctl_ip_vs_sync_threshold[2] = { 3, 50 };
82 int sysctl_ip_vs_nat_icmp_send = 0;
/* Debug-level sysctl and its accessor; compiled in only when
 * CONFIG_IP_VS_DEBUG is set. */
85 #ifdef CONFIG_IP_VS_DEBUG
86 static int sysctl_ip_vs_debug_level = 0;
88 int ip_vs_get_debug_level(void)
/* Returns the current sysctl-controlled debug verbosity. */
90 return sysctl_ip_vs_debug_level;
95 * update_defense_level is called from keventd and from sysctl,
96 * so it needs to protect itself from softirqs
/*
 * Re-evaluate the three DoS-defense strategies (drop_entry, drop_packet,
 * secure_tcp) against current memory pressure.  Each strategy's sysctl
 * acts as a mode switch: 0=off, 1=on-when-nomem, 2=auto (sticky), 3=always.
 */
98 static void update_defense_level(void)
/* Persists across calls so mode-2 secure_tcp transitions can be detected. */
101 static int old_secure_tcp = 0;
106 /* we only count free and buffered memory (in pages) */
108 availmem = i.freeram + i.bufferram;
109 /* however in linux 2.5 the i.bufferram is total page cache size,
111 /* si_swapinfo(&i); */
112 /* availmem = availmem - (i.totalswap - i.freeswap); */
/* nomem: below the administrator-set available-memory threshold */
114 nomem = (availmem < sysctl_ip_vs_amemthresh);
/* drop_entry strategy: randomly drop connection entries under pressure */
119 spin_lock(&__ip_vs_dropentry_lock);
120 switch (sysctl_ip_vs_drop_entry) {
122 atomic_set(&ip_vs_dropentry, 0);
126 atomic_set(&ip_vs_dropentry, 1);
/* auto mode latches to 2 so it stays on until memory recovers */
127 sysctl_ip_vs_drop_entry = 2;
129 atomic_set(&ip_vs_dropentry, 0);
134 atomic_set(&ip_vs_dropentry, 1);
136 atomic_set(&ip_vs_dropentry, 0);
137 sysctl_ip_vs_drop_entry = 1;
141 atomic_set(&ip_vs_dropentry, 1);
144 spin_unlock(&__ip_vs_dropentry_lock);
/* drop_packet strategy: rate-limit by dropping 1-in-N packets; the
 * rate grows as availmem approaches the threshold */
147 spin_lock(&__ip_vs_droppacket_lock);
148 switch (sysctl_ip_vs_drop_packet) {
154 ip_vs_drop_rate = ip_vs_drop_counter
155 = sysctl_ip_vs_amemthresh /
156 (sysctl_ip_vs_amemthresh-availmem);
157 sysctl_ip_vs_drop_packet = 2;
164 ip_vs_drop_rate = ip_vs_drop_counter
165 = sysctl_ip_vs_amemthresh /
166 (sysctl_ip_vs_amemthresh-availmem);
169 sysctl_ip_vs_drop_packet = 1;
173 ip_vs_drop_rate = sysctl_ip_vs_am_droprate;
176 spin_unlock(&__ip_vs_droppacket_lock);
/* secure_tcp strategy: switch TCP state-table timeouts to the hardened
 * (DoS) set; values >1 select the hardened timeout table */
179 write_lock(&__ip_vs_securetcp_lock);
180 switch (sysctl_ip_vs_secure_tcp) {
182 if (old_secure_tcp >= 2)
187 if (old_secure_tcp < 2)
189 sysctl_ip_vs_secure_tcp = 2;
191 if (old_secure_tcp >= 2)
197 if (old_secure_tcp < 2)
200 if (old_secure_tcp >= 2)
202 sysctl_ip_vs_secure_tcp = 1;
206 if (old_secure_tcp < 2)
210 old_secure_tcp = sysctl_ip_vs_secure_tcp;
212 ip_vs_protocol_timeout_change(sysctl_ip_vs_secure_tcp>1);
213 write_unlock(&__ip_vs_securetcp_lock);
220 * Timer for checking the defense
/* Periodic (1 second) deferred work that refreshes the defense levels
 * and, when drop_entry is active, randomly expires connection entries. */
222 #define DEFENSE_TIMER_PERIOD 1*HZ
223 static void defense_work_handler(struct work_struct *work);
224 static DECLARE_DELAYED_WORK(defense_work, defense_work_handler);
226 static void defense_work_handler(struct work_struct *work)
228 update_defense_level();
229 if (atomic_read(&ip_vs_dropentry))
230 ip_vs_random_dropentry();
/* re-arm: the work item reschedules itself forever */
232 schedule_delayed_work(&defense_work, DEFENSE_TIMER_PERIOD);
/* Module reference helpers: take/drop a reference on this module while
 * IPVS objects (services/apps) are in use. */
236 ip_vs_use_count_inc(void)
238 return try_module_get(THIS_MODULE);
242 ip_vs_use_count_dec(void)
244 module_put(THIS_MODULE);
249 * Hash table: for virtual service lookups
251 #define IP_VS_SVC_TAB_BITS 8
252 #define IP_VS_SVC_TAB_SIZE (1 << IP_VS_SVC_TAB_BITS)
253 #define IP_VS_SVC_TAB_MASK (IP_VS_SVC_TAB_SIZE - 1)
255 /* the service table hashed by <protocol, addr, port> */
256 static struct list_head ip_vs_svc_table[IP_VS_SVC_TAB_SIZE];
257 /* the service table hashed by fwmark */
258 static struct list_head ip_vs_svc_fwm_table[IP_VS_SVC_TAB_SIZE];
261 * Hash table: for real service lookups
263 #define IP_VS_RTAB_BITS 4
264 #define IP_VS_RTAB_SIZE (1 << IP_VS_RTAB_BITS)
265 #define IP_VS_RTAB_MASK (IP_VS_RTAB_SIZE - 1)
/* real-server table, hashed by <addr, port> */
267 static struct list_head ip_vs_rtable[IP_VS_RTAB_SIZE];
270 * Trash for destinations
/* destinations removed from services but still referenced by conns */
272 static LIST_HEAD(ip_vs_dest_trash);
275 * FTP & NULL virtual service counters
/* fast-path hints: nonzero only while such services exist */
277 static atomic_t ip_vs_ftpsvc_counter = ATOMIC_INIT(0);
278 static atomic_t ip_vs_nullsvc_counter = ATOMIC_INIT(0);
282 * Returns hash value for virtual service
/* XOR-folds protocol, host-order address and port into the service
 * table index space. */
284 static __inline__ unsigned
285 ip_vs_svc_hashkey(unsigned proto, __be32 addr, __be16 port)
287 register unsigned porth = ntohs(port);
289 return (proto^ntohl(addr)^(porth>>IP_VS_SVC_TAB_BITS)^porth)
290 & IP_VS_SVC_TAB_MASK;
294 * Returns hash value of fwmark for virtual service lookup
296 static __inline__ unsigned ip_vs_svc_fwm_hashkey(__u32 fwmark)
298 return fwmark & IP_VS_SVC_TAB_MASK;
302 * Hashes a service in the ip_vs_svc_table by <proto,addr,port>
303 * or in the ip_vs_svc_fwm_table by fwmark.
304 * Should be called with locked tables.
306 static int ip_vs_svc_hash(struct ip_vs_service *svc)
/* Double-hash protection: refuse if already linked into a table. */
310 if (svc->flags & IP_VS_SVC_F_HASHED) {
311 IP_VS_ERR("ip_vs_svc_hash(): request for already hashed, "
312 "called from %p\n", __builtin_return_address(0));
/* fwmark == 0 means an address-based service; otherwise fwmark-based */
316 if (svc->fwmark == 0) {
318 * Hash it by <protocol,addr,port> in ip_vs_svc_table
320 hash = ip_vs_svc_hashkey(svc->protocol, svc->addr.ip,
322 list_add(&svc->s_list, &ip_vs_svc_table[hash]);
325 * Hash it by fwmark in ip_vs_svc_fwm_table
327 hash = ip_vs_svc_fwm_hashkey(svc->fwmark);
328 list_add(&svc->f_list, &ip_vs_svc_fwm_table[hash]);
331 svc->flags |= IP_VS_SVC_F_HASHED;
332 /* increase its refcnt because it is referenced by the svc table */
333 atomic_inc(&svc->refcnt);
339 * Unhashes a service from ip_vs_svc_table/ip_vs_svc_fwm_table.
340 * Should be called with locked tables.
342 static int ip_vs_svc_unhash(struct ip_vs_service *svc)
/* Guard: only services currently marked HASHED may be unlinked. */
344 if (!(svc->flags & IP_VS_SVC_F_HASHED)) {
345 IP_VS_ERR("ip_vs_svc_unhash(): request for unhash flagged, "
346 "called from %p\n", __builtin_return_address(0));
350 if (svc->fwmark == 0) {
351 /* Remove it from the ip_vs_svc_table table */
352 list_del(&svc->s_list);
354 /* Remove it from the ip_vs_svc_fwm_table table */
355 list_del(&svc->f_list);
358 svc->flags &= ~IP_VS_SVC_F_HASHED;
/* drop the table's reference taken in ip_vs_svc_hash() */
359 atomic_dec(&svc->refcnt);
365 * Get service by {proto,addr,port} in the service table.
/* Caller must hold __ip_vs_svc_lock; on a hit, usecnt is bumped so the
 * caller owns a usage reference. */
367 static __inline__ struct ip_vs_service *
368 __ip_vs_service_get(__u16 protocol, __be32 vaddr, __be16 vport)
371 struct ip_vs_service *svc;
373 /* Check for "full" addressed entries */
374 hash = ip_vs_svc_hashkey(protocol, vaddr, vport);
376 list_for_each_entry(svc, &ip_vs_svc_table[hash], s_list){
377 if ((svc->addr.ip == vaddr)
378 && (svc->port == vport)
379 && (svc->protocol == protocol)) {
381 atomic_inc(&svc->usecnt);
391 * Get service by {fwmark} in the service table.
/* Same locking/reference contract as __ip_vs_service_get(). */
393 static __inline__ struct ip_vs_service *__ip_vs_svc_fwm_get(__u32 fwmark)
396 struct ip_vs_service *svc;
398 /* Check for fwmark addressed entries */
399 hash = ip_vs_svc_fwm_hashkey(fwmark);
401 list_for_each_entry(svc, &ip_vs_svc_fwm_table[hash], f_list) {
402 if (svc->fwmark == fwmark) {
404 atomic_inc(&svc->usecnt);
/*
 * Public service lookup.  Tries, in order: fwmark match, exact
 * <proto,addr,port> match, the FTP service (so FTP data connections find
 * their control service), and finally the port-zero catch-all service.
 * Returns with svc->usecnt held on success; release with ip_vs_service_put().
 */
412 struct ip_vs_service *
413 ip_vs_service_get(__u32 fwmark, __u16 protocol, __be32 vaddr, __be16 vport)
415 struct ip_vs_service *svc;
417 read_lock(&__ip_vs_svc_lock);
420 * Check the table hashed by fwmark first
422 if (fwmark && (svc = __ip_vs_svc_fwm_get(fwmark)))
426 * Check the table hashed by <protocol,addr,port>
427 * for "full" addressed entries
429 svc = __ip_vs_service_get(protocol, vaddr, vport);
432 && protocol == IPPROTO_TCP
433 && atomic_read(&ip_vs_ftpsvc_counter)
434 && (vport == FTPDATA || ntohs(vport) >= PROT_SOCK)) {
436 * Check if ftp service entry exists, the packet
437 * might belong to FTP data connections.
439 svc = __ip_vs_service_get(protocol, vaddr, FTPPORT)
443 && atomic_read(&ip_vs_nullsvc_counter)) {
445 * Check if the catch-all port (port zero) exists
447 svc = __ip_vs_service_get(protocol, vaddr, 0);
451 read_unlock(&__ip_vs_svc_lock);
453 IP_VS_DBG(9, "lookup service: fwm %u %s %u.%u.%u.%u:%u %s\n",
454 fwmark, ip_vs_proto_name(protocol),
455 NIPQUAD(vaddr), ntohs(vport),
456 svc?"hit":"not hit");
/* Bind a destination to its service, taking a service refcnt. */
463 __ip_vs_bind_svc(struct ip_vs_dest *dest, struct ip_vs_service *svc)
465 atomic_inc(&svc->refcnt);
/* Unbind a destination from its service; frees the service when this
 * drops the last reference. */
470 __ip_vs_unbind_svc(struct ip_vs_dest *dest)
472 struct ip_vs_service *svc = dest->svc;
475 if (atomic_dec_and_test(&svc->refcnt))
481 * Returns hash value for real service
483 static __inline__ unsigned ip_vs_rs_hashkey(__be32 addr, __be16 port)
485 register unsigned porth = ntohs(port);
487 return (ntohl(addr)^(porth>>IP_VS_RTAB_BITS)^porth)
492 * Hashes ip_vs_dest in ip_vs_rtable by <proto,addr,port>.
493 * should be called with locked tables.
495 static int ip_vs_rs_hash(struct ip_vs_dest *dest)
/* A non-empty d_list means the dest is already in ip_vs_rtable. */
499 if (!list_empty(&dest->d_list)) {
504 * Hash by proto,addr,port,
505 * which are the parameters of the real service.
507 hash = ip_vs_rs_hashkey(dest->addr.ip, dest->port);
508 list_add(&dest->d_list, &ip_vs_rtable[hash]);
514 * UNhashes ip_vs_dest from ip_vs_rtable.
515 * should be called with locked tables.
517 static int ip_vs_rs_unhash(struct ip_vs_dest *dest)
520 * Remove it from the ip_vs_rtable table.
522 if (!list_empty(&dest->d_list)) {
523 list_del(&dest->d_list);
/* re-init so a later ip_vs_rs_hash() sees it as unhashed */
524 INIT_LIST_HEAD(&dest->d_list);
531 * Lookup real service by <proto,addr,port> in the real service table.
/* Used by the packet path to recognize replies from real servers. */
534 ip_vs_lookup_real_service(__u16 protocol, __be32 daddr, __be16 dport)
537 struct ip_vs_dest *dest;
540 * Check for "full" addressed entries
541 * Return the first found entry
543 hash = ip_vs_rs_hashkey(daddr, dport);
545 read_lock(&__ip_vs_rs_lock);
546 list_for_each_entry(dest, &ip_vs_rtable[hash], d_list) {
547 if ((dest->addr.ip == daddr)
548 && (dest->port == dport)
549 && ((dest->protocol == protocol) ||
/* unlock on the hit path before returning the entry */
552 read_unlock(&__ip_vs_rs_lock);
556 read_unlock(&__ip_vs_rs_lock);
562 * Lookup destination by {addr,port} in the given service
/* Linear scan of svc->destinations; caller must hold the svc lock or
 * otherwise guarantee the list is stable. */
564 static struct ip_vs_dest *
565 ip_vs_lookup_dest(struct ip_vs_service *svc, __be32 daddr, __be16 dport)
567 struct ip_vs_dest *dest;
570 * Find the destination for the given service
572 list_for_each_entry(dest, &svc->destinations, n_list) {
573 if ((dest->addr.ip == daddr) && (dest->port == dport)) {
583 * Find destination by {daddr,dport,vaddr,protocol}
584 * Created to be used in ip_vs_process_message() in
585 * the backup synchronization daemon. It finds the
586 * destination to be bound to the received connection
589 * ip_vs_lookup_real_service() looked promising, but
590 * seems not working as expected.
/* On success the dest's refcnt is raised for the caller; the temporary
 * service usage reference is dropped before returning. */
592 struct ip_vs_dest *ip_vs_find_dest(__be32 daddr, __be16 dport,
593 __be32 vaddr, __be16 vport, __u16 protocol)
595 struct ip_vs_dest *dest;
596 struct ip_vs_service *svc;
598 svc = ip_vs_service_get(0, protocol, vaddr, vport);
601 dest = ip_vs_lookup_dest(svc, daddr, dport);
603 atomic_inc(&dest->refcnt);
604 ip_vs_service_put(svc);
609 * Lookup dest by {svc,addr,port} in the destination trash.
610 * The destination trash is used to hold the destinations that are removed
611 * from the service table but are still referenced by some conn entries.
612 * The reason to add the destination trash is when the dest is temporary
613 * down (either by administrator or by monitor program), the dest can be
614 * picked back from the trash, the remaining connections to the dest can
615 * continue, and the counting information of the dest is also useful for
618 static struct ip_vs_dest *
619 ip_vs_trash_get_dest(struct ip_vs_service *svc, __be32 daddr, __be16 dport)
621 struct ip_vs_dest *dest, *nxt;
624 * Find the destination in trash
626 list_for_each_entry_safe(dest, nxt, &ip_vs_dest_trash, n_list) {
627 IP_VS_DBG(3, "Destination %u/%u.%u.%u.%u:%u still in trash, "
630 NIPQUAD(dest->addr.ip), ntohs(dest->port),
631 atomic_read(&dest->refcnt));
/* Match on the full identity: real addr/port plus the virtual
 * service identity (fwmark or vaddr:vport) and protocol. */
632 if (dest->addr.ip == daddr &&
633 dest->port == dport &&
634 dest->vfwmark == svc->fwmark &&
635 dest->protocol == svc->protocol &&
637 (dest->vaddr.ip == svc->addr.ip &&
638 dest->vport == svc->port))) {
644 * Try to purge the destination from trash if not referenced
/* refcnt == 1 means only the trash list references it — safe to free. */
646 if (atomic_read(&dest->refcnt) == 1) {
647 IP_VS_DBG(3, "Removing destination %u/%u.%u.%u.%u:%u "
650 NIPQUAD(dest->addr.ip), ntohs(dest->port));
651 list_del(&dest->n_list);
652 ip_vs_dst_reset(dest);
653 __ip_vs_unbind_svc(dest);
663 * Clean up all the destinations in the trash
664 * Called by the ip_vs_control_cleanup()
666 * When the ip_vs_control_clearup is activated by ipvs module exit,
667 * the service tables must have been flushed and all the connections
668 * are expired, and the refcnt of each destination in the trash must
669 * be 1, so we simply release them here.
671 static void ip_vs_trash_cleanup(void)
673 struct ip_vs_dest *dest, *nxt;
675 list_for_each_entry_safe(dest, nxt, &ip_vs_dest_trash, n_list) {
676 list_del(&dest->n_list);
677 ip_vs_dst_reset(dest);
678 __ip_vs_unbind_svc(dest);
/* Zero a stats block (and its rate estimator) under its own lock. */
685 ip_vs_zero_stats(struct ip_vs_stats *stats)
687 spin_lock_bh(&stats->lock);
701 ip_vs_zero_estimator(stats);
703 spin_unlock_bh(&stats->lock);
707 * Update a destination in the given service
/* Applies user-supplied parameters (weight, forwarding flags, thresholds)
 * to dest, (re)hashes it in the real-server table and (re)binds it to svc. */
710 __ip_vs_update_dest(struct ip_vs_service *svc,
711 struct ip_vs_dest *dest, struct ip_vs_dest_user *udest)
715 /* set the weight and the flags */
716 atomic_set(&dest->weight, udest->weight);
717 conn_flags = udest->conn_flags | IP_VS_CONN_F_INACTIVE;
719 /* check if local node and update the flags */
720 if (inet_addr_type(&init_net, udest->addr) == RTN_LOCAL) {
721 conn_flags = (conn_flags & ~IP_VS_CONN_F_FWD_MASK)
722 | IP_VS_CONN_F_LOCALNODE;
725 /* set the IP_VS_CONN_F_NOOUTPUT flag if not masquerading/NAT */
726 if ((conn_flags & IP_VS_CONN_F_FWD_MASK) != 0) {
727 conn_flags |= IP_VS_CONN_F_NOOUTPUT;
730 * Put the real service in ip_vs_rtable if not present.
731 * For now only for NAT!
733 write_lock_bh(&__ip_vs_rs_lock);
735 write_unlock_bh(&__ip_vs_rs_lock);
737 atomic_set(&dest->conn_flags, conn_flags);
739 /* bind the service */
741 __ip_vs_bind_svc(dest, svc);
/* rebinding to a different service: drop old binding, reset stats */
743 if (dest->svc != svc) {
744 __ip_vs_unbind_svc(dest);
745 ip_vs_zero_stats(&dest->stats);
746 __ip_vs_bind_svc(dest, svc);
750 /* set the dest status flags */
751 dest->flags |= IP_VS_DEST_F_AVAILABLE;
/* clear overload when the upper threshold is raised or disabled (0) */
753 if (udest->u_threshold == 0 || udest->u_threshold > dest->u_threshold)
754 dest->flags &= ~IP_VS_DEST_F_OVERLOAD;
755 dest->u_threshold = udest->u_threshold;
756 dest->l_threshold = udest->l_threshold;
761 * Create a destination for the given service
/* Allocates and initializes a new ip_vs_dest from user parameters and
 * returns it via *dest_p.  Rejects non-local/non-unicast addresses. */
764 ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user *udest,
765 struct ip_vs_dest **dest_p)
767 struct ip_vs_dest *dest;
772 atype = inet_addr_type(&init_net, udest->addr);
773 if (atype != RTN_LOCAL && atype != RTN_UNICAST)
776 dest = kzalloc(sizeof(struct ip_vs_dest), GFP_ATOMIC);
778 IP_VS_ERR("ip_vs_new_dest: kmalloc failed.\n");
/* identity: copy the virtual-service identity plus the real addr/port */
782 dest->protocol = svc->protocol;
783 dest->vaddr.ip = svc->addr.ip;
784 dest->vport = svc->port;
785 dest->vfwmark = svc->fwmark;
786 dest->addr.ip = udest->addr;
787 dest->port = udest->port;
789 atomic_set(&dest->activeconns, 0);
790 atomic_set(&dest->inactconns, 0);
791 atomic_set(&dest->persistconns, 0);
792 atomic_set(&dest->refcnt, 0);
794 INIT_LIST_HEAD(&dest->d_list);
795 spin_lock_init(&dest->dst_lock);
796 spin_lock_init(&dest->stats.lock);
797 __ip_vs_update_dest(svc, dest, udest);
798 ip_vs_new_estimator(&dest->stats);
808 * Add a destination into an existing service
/*
 * Validates udest, then either revives a matching destination from the
 * trash (preserving its connection counters) or allocates a fresh one,
 * and links it into svc->destinations under the service write lock.
 */
811 ip_vs_add_dest(struct ip_vs_service *svc, struct ip_vs_dest_user *udest)
813 struct ip_vs_dest *dest;
814 __be32 daddr = udest->addr;
815 __be16 dport = udest->port;
820 if (udest->weight < 0) {
821 IP_VS_ERR("ip_vs_add_dest(): server weight less than zero\n");
825 if (udest->l_threshold > udest->u_threshold) {
826 IP_VS_ERR("ip_vs_add_dest(): lower threshold is higher than "
827 "upper threshold\n");
832 * Check if the dest already exists in the list
834 dest = ip_vs_lookup_dest(svc, daddr, dport);
836 IP_VS_DBG(1, "ip_vs_add_dest(): dest already exists\n");
841 * Check if the dest already exists in the trash and
842 * is from the same service
844 dest = ip_vs_trash_get_dest(svc, daddr, dport);
846 IP_VS_DBG(3, "Get destination %u.%u.%u.%u:%u from trash, "
847 "dest->refcnt=%d, service %u/%u.%u.%u.%u:%u\n",
848 NIPQUAD(daddr), ntohs(dport),
849 atomic_read(&dest->refcnt),
851 NIPQUAD(dest->vaddr.ip),
853 __ip_vs_update_dest(svc, dest, udest);
856 * Get the destination from the trash
858 list_del(&dest->n_list);
860 ip_vs_new_estimator(&dest->stats);
862 write_lock_bh(&__ip_vs_svc_lock);
865 * Wait until all other svc users go away.
867 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 1);
869 list_add(&dest->n_list, &svc->destinations);
872 /* call the update_service function of its scheduler */
873 if (svc->scheduler->update_service)
874 svc->scheduler->update_service(svc);
876 write_unlock_bh(&__ip_vs_svc_lock);
881 * Allocate and initialize the dest structure
883 ret = ip_vs_new_dest(svc, udest, &dest);
889 * Add the dest entry into the list
/* the destinations list now references the dest */
891 atomic_inc(&dest->refcnt);
893 write_lock_bh(&__ip_vs_svc_lock);
896 * Wait until all other svc users go away.
898 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 1);
900 list_add(&dest->n_list, &svc->destinations);
903 /* call the update_service function of its scheduler */
904 if (svc->scheduler->update_service)
905 svc->scheduler->update_service(svc);
907 write_unlock_bh(&__ip_vs_svc_lock);
916 * Edit a destination in the given service
/* Validates udest, updates an existing destination in place, then kicks
 * the scheduler since the weight may have changed. */
919 ip_vs_edit_dest(struct ip_vs_service *svc, struct ip_vs_dest_user *udest)
921 struct ip_vs_dest *dest;
922 __be32 daddr = udest->addr;
923 __be16 dport = udest->port;
927 if (udest->weight < 0) {
928 IP_VS_ERR("ip_vs_edit_dest(): server weight less than zero\n");
932 if (udest->l_threshold > udest->u_threshold) {
933 IP_VS_ERR("ip_vs_edit_dest(): lower threshold is higher than "
934 "upper threshold\n");
939 * Lookup the destination list
941 dest = ip_vs_lookup_dest(svc, daddr, dport);
943 IP_VS_DBG(1, "ip_vs_edit_dest(): dest doesn't exist\n");
947 __ip_vs_update_dest(svc, dest, udest);
949 write_lock_bh(&__ip_vs_svc_lock);
951 /* Wait until all other svc users go away */
952 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 1);
954 /* call the update_service, because server weight may be changed */
955 if (svc->scheduler->update_service)
956 svc->scheduler->update_service(svc);
958 write_unlock_bh(&__ip_vs_svc_lock);
967 * Delete a destination (must be already unlinked from the service)
969 static void __ip_vs_del_dest(struct ip_vs_dest *dest)
971 ip_vs_kill_estimator(&dest->stats);
974 * Remove it from the d-linked list with the real services.
976 write_lock_bh(&__ip_vs_rs_lock);
977 ip_vs_rs_unhash(dest);
978 write_unlock_bh(&__ip_vs_rs_lock);
981 * Decrease the refcnt of the dest, and free the dest
982 * if nobody refers to it (refcnt=0). Otherwise, throw
983 * the destination into the trash.
985 if (atomic_dec_and_test(&dest->refcnt)) {
986 ip_vs_dst_reset(dest);
987 /* simply decrease svc->refcnt here, let the caller check
988 and release the service if nobody refers to it.
989 Only user context can release destination and service,
990 and only one user context can update virtual service at a
991 time, so the operation here is OK */
992 atomic_dec(&dest->svc->refcnt);
995 IP_VS_DBG(3, "Moving dest %u.%u.%u.%u:%u into trash, "
997 NIPQUAD(dest->addr.ip), ntohs(dest->port),
998 atomic_read(&dest->refcnt));
999 list_add(&dest->n_list, &ip_vs_dest_trash);
/* trash list holds its own reference until purged */
1000 atomic_inc(&dest->refcnt);
1006 * Unlink a destination from the given service
/* Marks the dest unavailable, drops it from svc->destinations and,
 * when svcupd is set, notifies the scheduler. */
1008 static void __ip_vs_unlink_dest(struct ip_vs_service *svc,
1009 struct ip_vs_dest *dest,
1012 dest->flags &= ~IP_VS_DEST_F_AVAILABLE;
1015 * Remove it from the d-linked destination list.
1017 list_del(&dest->n_list);
1021 * Call the update_service function of its scheduler
1023 if (svcupd && svc->scheduler->update_service)
1024 svc->scheduler->update_service(svc);
1029 * Delete a destination server in the given service
/* User-context entry point: unlink under the service write lock, then
 * release/trash the destination outside of it. */
1032 ip_vs_del_dest(struct ip_vs_service *svc,struct ip_vs_dest_user *udest)
1034 struct ip_vs_dest *dest;
1035 __be32 daddr = udest->addr;
1036 __be16 dport = udest->port;
1040 dest = ip_vs_lookup_dest(svc, daddr, dport);
1042 IP_VS_DBG(1, "ip_vs_del_dest(): destination not found!\n");
1046 write_lock_bh(&__ip_vs_svc_lock);
1049 * Wait until all other svc users go away.
1051 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 1);
1054 * Unlink dest from the service
1056 __ip_vs_unlink_dest(svc, dest, 1);
1058 write_unlock_bh(&__ip_vs_svc_lock);
1061 * Delete the destination
1063 __ip_vs_del_dest(dest);
1072 * Add a service into the service hash table
/*
 * Creates a virtual service from user parameters: resolves the scheduler
 * by name, allocates and fills the svc, binds the scheduler, updates the
 * FTP/null counters, and hashes the service into the tables.  Holds a
 * module reference for the lifetime of the service.
 */
1075 ip_vs_add_service(struct ip_vs_service_user *u, struct ip_vs_service **svc_p)
1078 struct ip_vs_scheduler *sched = NULL;
1079 struct ip_vs_service *svc = NULL;
1081 /* increase the module use count */
1082 ip_vs_use_count_inc();
1084 /* Lookup the scheduler by 'u->sched_name' */
1085 sched = ip_vs_scheduler_get(u->sched_name);
1086 if (sched == NULL) {
1087 IP_VS_INFO("Scheduler module ip_vs_%s not found\n",
1093 svc = kzalloc(sizeof(struct ip_vs_service), GFP_ATOMIC);
1095 IP_VS_DBG(1, "ip_vs_add_service: kmalloc failed.\n");
1100 /* I'm the first user of the service */
1101 atomic_set(&svc->usecnt, 1);
1102 atomic_set(&svc->refcnt, 0);
1104 svc->protocol = u->protocol;
1105 svc->addr.ip = u->addr;
1106 svc->port = u->port;
1107 svc->fwmark = u->fwmark;
1108 svc->flags = u->flags;
/* user supplies seconds; kernel stores jiffies */
1109 svc->timeout = u->timeout * HZ;
1110 svc->netmask = u->netmask;
1112 INIT_LIST_HEAD(&svc->destinations);
1113 rwlock_init(&svc->sched_lock);
1114 spin_lock_init(&svc->stats.lock);
1116 /* Bind the scheduler */
1117 ret = ip_vs_bind_scheduler(svc, sched);
1122 /* Update the virtual service counters */
1123 if (svc->port == FTPPORT)
1124 atomic_inc(&ip_vs_ftpsvc_counter);
1125 else if (svc->port == 0)
1126 atomic_inc(&ip_vs_nullsvc_counter);
1128 ip_vs_new_estimator(&svc->stats);
1129 ip_vs_num_services++;
1131 /* Hash the service into the service table */
1132 write_lock_bh(&__ip_vs_svc_lock);
1133 ip_vs_svc_hash(svc);
1134 write_unlock_bh(&__ip_vs_svc_lock);
/* error unwind: undo scheduler binding / app inc / refs in reverse order */
1142 ip_vs_unbind_scheduler(svc);
1145 ip_vs_app_inc_put(svc->inc);
1150 ip_vs_scheduler_put(sched);
1153 /* decrease the module use count */
1154 ip_vs_use_count_dec();
1161 * Edit a service and bind it with a new scheduler
/* Updates flags/timeout/netmask and, when the scheduler name changed,
 * swaps schedulers while no other context is using the service. */
1164 ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user *u)
1166 struct ip_vs_scheduler *sched, *old_sched;
1170 * Lookup the scheduler, by 'u->sched_name'
1172 sched = ip_vs_scheduler_get(u->sched_name);
1173 if (sched == NULL) {
1174 IP_VS_INFO("Scheduler module ip_vs_%s not found\n",
1180 write_lock_bh(&__ip_vs_svc_lock);
1183 * Wait until all other svc users go away.
1185 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 1);
1188 * Set the flags and timeout value
1190 svc->flags = u->flags | IP_VS_SVC_F_HASHED;
1191 svc->timeout = u->timeout * HZ;
1192 svc->netmask = u->netmask;
1194 old_sched = svc->scheduler;
1195 if (sched != old_sched) {
1197 * Unbind the old scheduler
1199 if ((ret = ip_vs_unbind_scheduler(svc))) {
1205 * Bind the new scheduler
1207 if ((ret = ip_vs_bind_scheduler(svc, sched))) {
1209 * If ip_vs_bind_scheduler fails, restore the old
1211 * The main reason of failure is out of memory.
1213 * The question is if the old scheduler can be
1214 * restored all the time. TODO: if it cannot be
1215 * restored some time, we must delete the service,
1216 * otherwise the system may crash.
1218 ip_vs_bind_scheduler(svc, old_sched);
1225 write_unlock_bh(&__ip_vs_svc_lock);
/* drop the reference on whichever scheduler is no longer bound */
1228 ip_vs_scheduler_put(old_sched);
1235 * Delete a service from the service list
1236 * - The service must be unlinked, unlocked and not referenced!
1237 * - We are called under _bh lock
1239 static void __ip_vs_del_service(struct ip_vs_service *svc)
1241 struct ip_vs_dest *dest, *nxt;
1242 struct ip_vs_scheduler *old_sched;
1244 ip_vs_num_services--;
1245 ip_vs_kill_estimator(&svc->stats);
1247 /* Unbind scheduler */
1248 old_sched = svc->scheduler;
1249 ip_vs_unbind_scheduler(svc);
1251 ip_vs_scheduler_put(old_sched);
1253 /* Unbind app inc */
1255 ip_vs_app_inc_put(svc->inc);
1260 * Unlink the whole destination list
1262 list_for_each_entry_safe(dest, nxt, &svc->destinations, n_list) {
/* svcupd=0: scheduler is already unbound, no update callback */
1263 __ip_vs_unlink_dest(svc, dest, 0);
1264 __ip_vs_del_dest(dest);
1268 * Update the virtual service counters
1270 if (svc->port == FTPPORT)
1271 atomic_dec(&ip_vs_ftpsvc_counter);
1272 else if (svc->port == 0)
1273 atomic_dec(&ip_vs_nullsvc_counter);
1276 * Free the service if nobody refers to it
1278 if (atomic_read(&svc->refcnt) == 0)
1281 /* decrease the module use count */
1282 ip_vs_use_count_dec();
1286 * Delete a service from the service list
/* User-context wrapper: unhash, wait until the caller is the only user
 * (usecnt > 1), then destroy — all under the service write lock. */
1288 static int ip_vs_del_service(struct ip_vs_service *svc)
1294 * Unhash it from the service table
1296 write_lock_bh(&__ip_vs_svc_lock);
1298 ip_vs_svc_unhash(svc);
1301 * Wait until all the svc users go away.
1303 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 1);
1305 __ip_vs_del_service(svc);
1307 write_unlock_bh(&__ip_vs_svc_lock);
1314 * Flush all the virtual services
/* Iterates both hash tables and deletes every service.  Unlike
 * ip_vs_del_service() it waits for usecnt > 0, because the flush caller
 * holds no usage reference of its own on each service. */
1316 static int ip_vs_flush(void)
1319 struct ip_vs_service *svc, *nxt;
1322 * Flush the service table hashed by <protocol,addr,port>
1324 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1325 list_for_each_entry_safe(svc, nxt, &ip_vs_svc_table[idx], s_list) {
1326 write_lock_bh(&__ip_vs_svc_lock);
1327 ip_vs_svc_unhash(svc);
1329 * Wait until all the svc users go away.
1331 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1332 __ip_vs_del_service(svc);
1333 write_unlock_bh(&__ip_vs_svc_lock);
1338 * Flush the service table hashed by fwmark
1340 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1341 list_for_each_entry_safe(svc, nxt,
1342 &ip_vs_svc_fwm_table[idx], f_list) {
1343 write_lock_bh(&__ip_vs_svc_lock);
1344 ip_vs_svc_unhash(svc);
1346 * Wait until all the svc users go away.
1348 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1349 __ip_vs_del_service(svc);
1350 write_unlock_bh(&__ip_vs_svc_lock);
1359 * Zero counters in a service or all services
/* Zero the stats of one service and all its destinations. */
1361 static int ip_vs_zero_service(struct ip_vs_service *svc)
1363 struct ip_vs_dest *dest;
1365 write_lock_bh(&__ip_vs_svc_lock);
1366 list_for_each_entry(dest, &svc->destinations, n_list) {
1367 ip_vs_zero_stats(&dest->stats);
1369 ip_vs_zero_stats(&svc->stats);
1370 write_unlock_bh(&__ip_vs_svc_lock);
/* Zero every service in both tables plus the global ip_vs_stats. */
1374 static int ip_vs_zero_all(void)
1377 struct ip_vs_service *svc;
1379 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1380 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1381 ip_vs_zero_service(svc);
1385 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1386 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1387 ip_vs_zero_service(svc);
1391 ip_vs_zero_stats(&ip_vs_stats);
/* sysctl handler for the defense-mode knobs (drop_entry/drop_packet/
 * secure_tcp): accepts only 0..3, restores the old value otherwise, and
 * re-runs update_defense_level() on a valid write. */
1397 proc_do_defense_mode(ctl_table *table, int write, struct file * filp,
1398 void __user *buffer, size_t *lenp, loff_t *ppos)
1400 int *valp = table->data;
1404 rc = proc_dointvec(table, write, filp, buffer, lenp, ppos);
1405 if (write && (*valp != val)) {
1406 if ((*valp < 0) || (*valp > 3)) {
1407 /* Restore the correct value */
1410 update_defense_level();
/* sysctl handler for sync_threshold: requires 0 <= valp[0] < valp[1],
 * otherwise the previous pair is restored. */
1418 proc_do_sync_threshold(ctl_table *table, int write, struct file *filp,
1419 void __user *buffer, size_t *lenp, loff_t *ppos)
1421 int *valp = table->data;
1425 /* backup the value first */
1426 memcpy(val, valp, sizeof(val));
1428 rc = proc_dointvec(table, write, filp, buffer, lenp, ppos);
1429 if (write && (valp[0] < 0 || valp[1] < 0 || valp[0] >= valp[1])) {
1430 /* Restore the correct value */
1431 memcpy(valp, val, sizeof(val));
1438 * IPVS sysctl table (under the /proc/sys/net/ipv4/vs/)
1441 static struct ctl_table vs_vars[] = {
1443 .procname = "amemthresh",
1444 .data = &sysctl_ip_vs_amemthresh,
1445 .maxlen = sizeof(int),
1447 .proc_handler = &proc_dointvec,
1449 #ifdef CONFIG_IP_VS_DEBUG
1451 .procname = "debug_level",
1452 .data = &sysctl_ip_vs_debug_level,
1453 .maxlen = sizeof(int),
1455 .proc_handler = &proc_dointvec,
1459 .procname = "am_droprate",
1460 .data = &sysctl_ip_vs_am_droprate,
1461 .maxlen = sizeof(int),
1463 .proc_handler = &proc_dointvec,
1466 .procname = "drop_entry",
1467 .data = &sysctl_ip_vs_drop_entry,
1468 .maxlen = sizeof(int),
1470 .proc_handler = &proc_do_defense_mode,
1473 .procname = "drop_packet",
1474 .data = &sysctl_ip_vs_drop_packet,
1475 .maxlen = sizeof(int),
1477 .proc_handler = &proc_do_defense_mode,
1480 .procname = "secure_tcp",
1481 .data = &sysctl_ip_vs_secure_tcp,
1482 .maxlen = sizeof(int),
1484 .proc_handler = &proc_do_defense_mode,
1488 .procname = "timeout_established",
1489 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ESTABLISHED],
1490 .maxlen = sizeof(int),
1492 .proc_handler = &proc_dointvec_jiffies,
1495 .procname = "timeout_synsent",
1496 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_SENT],
1497 .maxlen = sizeof(int),
1499 .proc_handler = &proc_dointvec_jiffies,
1502 .procname = "timeout_synrecv",
1503 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_RECV],
1504 .maxlen = sizeof(int),
1506 .proc_handler = &proc_dointvec_jiffies,
1509 .procname = "timeout_finwait",
1510 .data = &vs_timeout_table_dos.timeout[IP_VS_S_FIN_WAIT],
1511 .maxlen = sizeof(int),
1513 .proc_handler = &proc_dointvec_jiffies,
1516 .procname = "timeout_timewait",
1517 .data = &vs_timeout_table_dos.timeout[IP_VS_S_TIME_WAIT],
1518 .maxlen = sizeof(int),
1520 .proc_handler = &proc_dointvec_jiffies,
1523 .procname = "timeout_close",
1524 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE],
1525 .maxlen = sizeof(int),
1527 .proc_handler = &proc_dointvec_jiffies,
1530 .procname = "timeout_closewait",
1531 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE_WAIT],
1532 .maxlen = sizeof(int),
1534 .proc_handler = &proc_dointvec_jiffies,
1537 .procname = "timeout_lastack",
1538 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LAST_ACK],
1539 .maxlen = sizeof(int),
1541 .proc_handler = &proc_dointvec_jiffies,
1544 .procname = "timeout_listen",
1545 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LISTEN],
1546 .maxlen = sizeof(int),
1548 .proc_handler = &proc_dointvec_jiffies,
1551 .procname = "timeout_synack",
1552 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYNACK],
1553 .maxlen = sizeof(int),
1555 .proc_handler = &proc_dointvec_jiffies,
1558 .procname = "timeout_udp",
1559 .data = &vs_timeout_table_dos.timeout[IP_VS_S_UDP],
1560 .maxlen = sizeof(int),
1562 .proc_handler = &proc_dointvec_jiffies,
1565 .procname = "timeout_icmp",
1566 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ICMP],
1567 .maxlen = sizeof(int),
1569 .proc_handler = &proc_dointvec_jiffies,
1573 .procname = "cache_bypass",
1574 .data = &sysctl_ip_vs_cache_bypass,
1575 .maxlen = sizeof(int),
1577 .proc_handler = &proc_dointvec,
1580 .procname = "expire_nodest_conn",
1581 .data = &sysctl_ip_vs_expire_nodest_conn,
1582 .maxlen = sizeof(int),
1584 .proc_handler = &proc_dointvec,
1587 .procname = "expire_quiescent_template",
1588 .data = &sysctl_ip_vs_expire_quiescent_template,
1589 .maxlen = sizeof(int),
1591 .proc_handler = &proc_dointvec,
1594 .procname = "sync_threshold",
1595 .data = &sysctl_ip_vs_sync_threshold,
1596 .maxlen = sizeof(sysctl_ip_vs_sync_threshold),
1598 .proc_handler = &proc_do_sync_threshold,
1601 .procname = "nat_icmp_send",
1602 .data = &sysctl_ip_vs_nat_icmp_send,
1603 .maxlen = sizeof(int),
1605 .proc_handler = &proc_dointvec,
/* sysctl path for the IPVS tree: net/ipv4/vs (registered below as
 * sysctl_header).
 * NOTE(review): this chunk of the file has interior lines elided (the array
 * terminator and the head of struct ip_vs_iter are not visible); code is
 * preserved byte-for-byte, comments only. */
1610 const struct ctl_path net_vs_ctl_path[] = {
1611 { .procname = "net", .ctl_name = CTL_NET, },
1612 { .procname = "ipv4", .ctl_name = NET_IPV4, },
1613 { .procname = "vs", },
1616 EXPORT_SYMBOL_GPL(net_vs_ctl_path);
/* Handle returned by sysctl registration; needed to unregister on cleanup. */
1618 static struct ctl_table_header * sysctl_header;
1620 #ifdef CONFIG_PROC_FS
/* Member of the seq_file iterator state: which service hash table
 * (protocol-hashed or fwmark-hashed) the walk is currently in. */
1623 struct list_head *table;
1628 * Write the contents of the VS rule table to a PROCfs file.
1629 * (It is kept just for backward compatibility)
/* Map the forwarding-method bits of a connection's flags to a printable
 * name for /proc output (the returned string literals are in elided lines). */
1631 static inline const char *ip_vs_fwd_name(unsigned flags)
1633 switch (flags & IP_VS_CONN_F_FWD_MASK) {
1634 case IP_VS_CONN_F_LOCALNODE:
1636 case IP_VS_CONN_F_TUNNEL:
1638 case IP_VS_CONN_F_DROUTE:
1646 /* Get the Nth entry in the two lists */
/* Locate the service at logical position 'pos', scanning first the
 * protocol-hashed table, then the fwmark-hashed table; records the table
 * (and, presumably, the bucket) in the iterator state. */
1647 static struct ip_vs_service *ip_vs_info_array(struct seq_file *seq, loff_t pos)
1649 struct ip_vs_iter *iter = seq->private;
1651 struct ip_vs_service *svc;
1653 /* look in hash by protocol */
1654 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1655 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1657 iter->table = ip_vs_svc_table;
1664 /* keep looking in fwmark */
1665 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1666 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1668 iter->table = ip_vs_svc_fwm_table;
/* seq_file .start: take the service-table read lock (released in .stop)
 * and position at *pos, or return the header token at position 0. */
1678 static void *ip_vs_info_seq_start(struct seq_file *seq, loff_t *pos)
1681 read_lock_bh(&__ip_vs_svc_lock);
1682 return *pos ? ip_vs_info_array(seq, *pos - 1) : SEQ_START_TOKEN;
/* seq_file .next: advance within the current bucket, then to following
 * buckets, then fall through from the protocol table to the fwmark table. */
1686 static void *ip_vs_info_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1688 struct list_head *e;
1689 struct ip_vs_iter *iter;
1690 struct ip_vs_service *svc;
1693 if (v == SEQ_START_TOKEN)
1694 return ip_vs_info_array(seq,0);
1697 iter = seq->private;
1699 if (iter->table == ip_vs_svc_table) {
1700 /* next service in table hashed by protocol */
1701 if ((e = svc->s_list.next) != &ip_vs_svc_table[iter->bucket])
1702 return list_entry(e, struct ip_vs_service, s_list);
1705 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
1706 list_for_each_entry(svc,&ip_vs_svc_table[iter->bucket],
1712 iter->table = ip_vs_svc_fwm_table;
1717 /* next service in hashed by fwmark */
1718 if ((e = svc->f_list.next) != &ip_vs_svc_fwm_table[iter->bucket])
1719 return list_entry(e, struct ip_vs_service, f_list);
1722 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
1723 list_for_each_entry(svc, &ip_vs_svc_fwm_table[iter->bucket],
/* seq_file .stop: drop the read lock taken in ip_vs_info_seq_start(). */
1731 static void ip_vs_info_seq_stop(struct seq_file *seq, void *v)
1733 read_unlock_bh(&__ip_vs_svc_lock);
/* seq_file .show: print the version/column header for the start token,
 * otherwise one service line (by protocol/addr/port or by FWM) followed by
 * one line per destination with forward method, weight and conn counters. */
1737 static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
1739 if (v == SEQ_START_TOKEN) {
1741 "IP Virtual Server version %d.%d.%d (size=%d)\n",
1742 NVERSION(IP_VS_VERSION_CODE), IP_VS_CONN_TAB_SIZE);
1744 "Prot LocalAddress:Port Scheduler Flags\n");
1746 " -> RemoteAddress:Port Forward Weight ActiveConn InActConn\n");
1748 const struct ip_vs_service *svc = v;
1749 const struct ip_vs_iter *iter = seq->private;
1750 const struct ip_vs_dest *dest;
1752 if (iter->table == ip_vs_svc_table)
1753 seq_printf(seq, "%s %08X:%04X %s ",
1754 ip_vs_proto_name(svc->protocol),
1755 ntohl(svc->addr.ip),
1757 svc->scheduler->name);
1759 seq_printf(seq, "FWM %08X %s ",
1760 svc->fwmark, svc->scheduler->name);
1762 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
1763 seq_printf(seq, "persistent %d %08X\n",
1765 ntohl(svc->netmask));
1767 seq_putc(seq, '\n');
1769 list_for_each_entry(dest, &svc->destinations, n_list) {
1771 " -> %08X:%04X %-7s %-6d %-10d %-10d\n",
1772 ntohl(dest->addr.ip), ntohs(dest->port),
1773 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
1774 atomic_read(&dest->weight),
1775 atomic_read(&dest->activeconns),
1776 atomic_read(&dest->inactconns));
/* Iterator ops for /proc/net/ip_vs. */
1782 static const struct seq_operations ip_vs_info_seq_ops = {
1783 .start = ip_vs_info_seq_start,
1784 .next = ip_vs_info_seq_next,
1785 .stop = ip_vs_info_seq_stop,
1786 .show = ip_vs_info_seq_show,
/* open(): allocate a struct ip_vs_iter as the seq_file private state. */
1789 static int ip_vs_info_open(struct inode *inode, struct file *file)
1791 return seq_open_private(file, &ip_vs_info_seq_ops,
1792 sizeof(struct ip_vs_iter));
1795 static const struct file_operations ip_vs_info_fops = {
1796 .owner = THIS_MODULE,
1797 .open = ip_vs_info_open,
1799 .llseek = seq_lseek,
1800 .release = seq_release_private,
/* Global IPVS statistics; its spinlock guards the counters read below. */
1805 struct ip_vs_stats ip_vs_stats = {
1806 .lock = __SPIN_LOCK_UNLOCKED(ip_vs_stats.lock),
1809 #ifdef CONFIG_PROC_FS
/* single_open show routine for /proc/net/ip_vs_stats: dumps the cumulative
 * counters and the per-second rates under ip_vs_stats.lock.
 * Note the counters are printed in hex ("%8X"), a quirk kept for
 * backward compatibility with existing parsers. */
1810 static int ip_vs_stats_show(struct seq_file *seq, void *v)
1813 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
1815 " Total Incoming Outgoing Incoming Outgoing\n");
1817 " Conns Packets Packets Bytes Bytes\n");
1819 spin_lock_bh(&ip_vs_stats.lock);
1820 seq_printf(seq, "%8X %8X %8X %16LX %16LX\n\n", ip_vs_stats.conns,
1821 ip_vs_stats.inpkts, ip_vs_stats.outpkts,
1822 (unsigned long long) ip_vs_stats.inbytes,
1823 (unsigned long long) ip_vs_stats.outbytes);
1825 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
1827 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
1828 seq_printf(seq,"%8X %8X %8X %16X %16X\n",
1833 ip_vs_stats.outbps);
1834 spin_unlock_bh(&ip_vs_stats.lock);
1839 static int ip_vs_stats_seq_open(struct inode *inode, struct file *file)
1841 return single_open(file, ip_vs_stats_show, NULL);
1844 static const struct file_operations ip_vs_stats_fops = {
1845 .owner = THIS_MODULE,
1846 .open = ip_vs_stats_seq_open,
1848 .llseek = seq_lseek,
1849 .release = single_release,
1855 * Set timeout values for tcp tcpfin udp in the timeout_table.
/* Timeouts arrive from userspace in seconds and are stored in jiffies
 * (hence the * HZ); a zero field means "leave that timeout unchanged". */
1857 static int ip_vs_set_timeout(struct ip_vs_timeout_user *u)
1859 IP_VS_DBG(2, "Setting timeout tcp:%d tcpfin:%d udp:%d\n",
1864 #ifdef CONFIG_IP_VS_PROTO_TCP
1865 if (u->tcp_timeout) {
1866 ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_ESTABLISHED]
1867 = u->tcp_timeout * HZ;
1870 if (u->tcp_fin_timeout) {
1871 ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_FIN_WAIT]
1872 = u->tcp_fin_timeout * HZ;
1876 #ifdef CONFIG_IP_VS_PROTO_UDP
1877 if (u->udp_timeout) {
1878 ip_vs_protocol_udp.timeout_table[IP_VS_UDP_S_NORMAL]
1879 = u->udp_timeout * HZ;
/* Expected argument sizes for the IP_VS_SO_SET_* sockopt commands,
 * indexed by command offset from IP_VS_BASE_CTL; used to validate the
 * user-supplied length in do_ip_vs_set_ctl(). */
1886 #define SET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
1887 #define SERVICE_ARG_LEN (sizeof(struct ip_vs_service_user))
1888 #define SVCDEST_ARG_LEN (sizeof(struct ip_vs_service_user) + \
1889 sizeof(struct ip_vs_dest_user))
1890 #define TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
1891 #define DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user))
1892 #define MAX_ARG_LEN SVCDEST_ARG_LEN
1894 static const unsigned char set_arglen[SET_CMDID(IP_VS_SO_SET_MAX)+1] = {
1895 [SET_CMDID(IP_VS_SO_SET_ADD)] = SERVICE_ARG_LEN,
1896 [SET_CMDID(IP_VS_SO_SET_EDIT)] = SERVICE_ARG_LEN,
1897 [SET_CMDID(IP_VS_SO_SET_DEL)] = SERVICE_ARG_LEN,
1898 [SET_CMDID(IP_VS_SO_SET_FLUSH)] = 0,
1899 [SET_CMDID(IP_VS_SO_SET_ADDDEST)] = SVCDEST_ARG_LEN,
1900 [SET_CMDID(IP_VS_SO_SET_DELDEST)] = SVCDEST_ARG_LEN,
1901 [SET_CMDID(IP_VS_SO_SET_EDITDEST)] = SVCDEST_ARG_LEN,
1902 [SET_CMDID(IP_VS_SO_SET_TIMEOUT)] = TIMEOUT_ARG_LEN,
1903 [SET_CMDID(IP_VS_SO_SET_STARTDAEMON)] = DAEMON_ARG_LEN,
1904 [SET_CMDID(IP_VS_SO_SET_STOPDAEMON)] = DAEMON_ARG_LEN,
1905 [SET_CMDID(IP_VS_SO_SET_ZERO)] = SERVICE_ARG_LEN,
/* setsockopt() entry point for all IP_VS_SO_SET_* commands.
 * Requires CAP_NET_ADMIN; validates the argument length against set_arglen,
 * copies it in, then dispatches under __ip_vs_mutex. Service-less commands
 * (FLUSH, TIMEOUT, START/STOPDAEMON) are handled first; the rest interpret
 * the buffer as ip_vs_service_user optionally followed by ip_vs_dest_user. */
1909 do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1912 unsigned char arg[MAX_ARG_LEN];
1913 struct ip_vs_service_user *usvc;
1914 struct ip_vs_service *svc;
1915 struct ip_vs_dest_user *udest;
1917 if (!capable(CAP_NET_ADMIN))
1920 if (len != set_arglen[SET_CMDID(cmd)]) {
1921 IP_VS_ERR("set_ctl: len %u != %u\n",
1922 len, set_arglen[SET_CMDID(cmd)]);
1926 if (copy_from_user(arg, user, len) != 0)
1929 /* increase the module use count */
1930 ip_vs_use_count_inc();
1932 if (mutex_lock_interruptible(&__ip_vs_mutex)) {
1937 if (cmd == IP_VS_SO_SET_FLUSH) {
1938 /* Flush the virtual service */
1939 ret = ip_vs_flush();
1941 } else if (cmd == IP_VS_SO_SET_TIMEOUT) {
1942 /* Set timeout values for (tcp tcpfin udp) */
1943 ret = ip_vs_set_timeout((struct ip_vs_timeout_user *)arg);
1945 } else if (cmd == IP_VS_SO_SET_STARTDAEMON) {
1946 struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
1947 ret = start_sync_thread(dm->state, dm->mcast_ifn, dm->syncid);
1949 } else if (cmd == IP_VS_SO_SET_STOPDAEMON) {
1950 struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
1951 ret = stop_sync_thread(dm->state);
/* Remaining commands: the argument is a service spec, possibly
 * followed by a destination spec. */
1955 usvc = (struct ip_vs_service_user *)arg;
1956 udest = (struct ip_vs_dest_user *)(usvc + 1);
1958 if (cmd == IP_VS_SO_SET_ZERO) {
1959 /* if no service address is set, zero counters in all */
1960 if (!usvc->fwmark && !usvc->addr && !usvc->port) {
1961 ret = ip_vs_zero_all();
1966 /* Check for valid protocol: TCP or UDP, even for fwmark!=0 */
1967 if (usvc->protocol!=IPPROTO_TCP && usvc->protocol!=IPPROTO_UDP) {
1968 IP_VS_ERR("set_ctl: invalid protocol: %d %d.%d.%d.%d:%d %s\n",
1969 usvc->protocol, NIPQUAD(usvc->addr),
1970 ntohs(usvc->port), usvc->sched_name);
1975 /* Lookup the exact service by <protocol, addr, port> or fwmark */
1976 if (usvc->fwmark == 0)
1977 svc = __ip_vs_service_get(usvc->protocol,
1978 usvc->addr, usvc->port);
1980 svc = __ip_vs_svc_fwm_get(usvc->fwmark);
1982 if (cmd != IP_VS_SO_SET_ADD
1983 && (svc == NULL || svc->protocol != usvc->protocol)) {
1989 case IP_VS_SO_SET_ADD:
1993 ret = ip_vs_add_service(usvc, &svc);
1995 case IP_VS_SO_SET_EDIT:
1996 ret = ip_vs_edit_service(svc, usvc);
1998 case IP_VS_SO_SET_DEL:
1999 ret = ip_vs_del_service(svc);
2003 case IP_VS_SO_SET_ZERO:
2004 ret = ip_vs_zero_service(svc);
2006 case IP_VS_SO_SET_ADDDEST:
2007 ret = ip_vs_add_dest(svc, udest);
2009 case IP_VS_SO_SET_EDITDEST:
2010 ret = ip_vs_edit_dest(svc, udest);
2012 case IP_VS_SO_SET_DELDEST:
2013 ret = ip_vs_del_dest(svc, udest);
/* Drop the reference taken by the service lookup above. */
2020 ip_vs_service_put(svc);
2023 mutex_unlock(&__ip_vs_mutex);
2025 /* decrease the module use count */
2026 ip_vs_use_count_dec();
/* Snapshot the counters of 'src' into the userspace-layout stats struct.
 * The memcpy copies everything up to (but not including) the embedded
 * spinlock, i.e. it relies on the counters being laid out before 'lock'. */
2033 ip_vs_copy_stats(struct ip_vs_stats_user *dst, struct ip_vs_stats *src)
2035 spin_lock_bh(&src->lock);
2036 memcpy(dst, src, (char*)&src->lock - (char*)src);
2037 spin_unlock_bh(&src->lock);
/* Fill a userspace ip_vs_service_entry from a kernel service (timeout is
 * converted from jiffies back to seconds). */
2041 ip_vs_copy_service(struct ip_vs_service_entry *dst, struct ip_vs_service *src)
2043 dst->protocol = src->protocol;
2044 dst->addr = src->addr.ip;
2045 dst->port = src->port;
2046 dst->fwmark = src->fwmark;
2047 strlcpy(dst->sched_name, src->scheduler->name, sizeof(dst->sched_name));
2048 dst->flags = src->flags;
2049 dst->timeout = src->timeout / HZ;
2050 dst->netmask = src->netmask;
2051 dst->num_dests = src->num_dests;
2052 ip_vs_copy_stats(&dst->stats, &src->stats);
/* Copy up to get->num_services service entries (from both hash tables)
 * into the user buffer, one copy_to_user per entry. */
2056 __ip_vs_get_service_entries(const struct ip_vs_get_services *get,
2057 struct ip_vs_get_services __user *uptr)
2060 struct ip_vs_service *svc;
2061 struct ip_vs_service_entry entry;
2064 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2065 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
2066 if (count >= get->num_services)
2068 memset(&entry, 0, sizeof(entry));
2069 ip_vs_copy_service(&entry, svc);
2070 if (copy_to_user(&uptr->entrytable[count],
2071 &entry, sizeof(entry))) {
2079 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2080 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
2081 if (count >= get->num_services)
2083 memset(&entry, 0, sizeof(entry));
2084 ip_vs_copy_service(&entry, svc);
2085 if (copy_to_user(&uptr->entrytable[count],
2086 &entry, sizeof(entry))) {
/* Look up the requested service (by fwmark or by protocol/addr/port) and
 * copy up to get->num_dests of its destinations to the user buffer. */
2098 __ip_vs_get_dest_entries(const struct ip_vs_get_dests *get,
2099 struct ip_vs_get_dests __user *uptr)
2101 struct ip_vs_service *svc;
2105 svc = __ip_vs_svc_fwm_get(get->fwmark);
2107 svc = __ip_vs_service_get(get->protocol,
2108 get->addr, get->port);
2111 struct ip_vs_dest *dest;
2112 struct ip_vs_dest_entry entry;
2114 list_for_each_entry(dest, &svc->destinations, n_list) {
2115 if (count >= get->num_dests)
2118 entry.addr = dest->addr.ip;
2119 entry.port = dest->port;
2120 entry.conn_flags = atomic_read(&dest->conn_flags);
2121 entry.weight = atomic_read(&dest->weight);
2122 entry.u_threshold = dest->u_threshold;
2123 entry.l_threshold = dest->l_threshold;
2124 entry.activeconns = atomic_read(&dest->activeconns);
2125 entry.inactconns = atomic_read(&dest->inactconns);
2126 entry.persistconns = atomic_read(&dest->persistconns);
2127 ip_vs_copy_stats(&entry.stats, &dest->stats);
2128 if (copy_to_user(&uptr->entrytable[count],
2129 &entry, sizeof(entry))) {
2135 ip_vs_service_put(svc);
/* Report current protocol timeouts to userspace, in seconds (/ HZ);
 * mirror of ip_vs_set_timeout(). */
2142 __ip_vs_get_timeouts(struct ip_vs_timeout_user *u)
2144 #ifdef CONFIG_IP_VS_PROTO_TCP
2146 ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;
2147 u->tcp_fin_timeout =
2148 ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_FIN_WAIT] / HZ;
2150 #ifdef CONFIG_IP_VS_PROTO_UDP
2152 ip_vs_protocol_udp.timeout_table[IP_VS_UDP_S_NORMAL] / HZ;
/* Minimum argument sizes for the IP_VS_SO_GET_* sockopt commands, indexed
 * by command offset; checked against the caller-supplied *len in
 * do_ip_vs_get_ctl(). */
2157 #define GET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
2158 #define GET_INFO_ARG_LEN (sizeof(struct ip_vs_getinfo))
2159 #define GET_SERVICES_ARG_LEN (sizeof(struct ip_vs_get_services))
2160 #define GET_SERVICE_ARG_LEN (sizeof(struct ip_vs_service_entry))
2161 #define GET_DESTS_ARG_LEN (sizeof(struct ip_vs_get_dests))
2162 #define GET_TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
2163 #define GET_DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user) * 2)
2165 static const unsigned char get_arglen[GET_CMDID(IP_VS_SO_GET_MAX)+1] = {
2166 [GET_CMDID(IP_VS_SO_GET_VERSION)] = 64,
2167 [GET_CMDID(IP_VS_SO_GET_INFO)] = GET_INFO_ARG_LEN,
2168 [GET_CMDID(IP_VS_SO_GET_SERVICES)] = GET_SERVICES_ARG_LEN,
2169 [GET_CMDID(IP_VS_SO_GET_SERVICE)] = GET_SERVICE_ARG_LEN,
2170 [GET_CMDID(IP_VS_SO_GET_DESTS)] = GET_DESTS_ARG_LEN,
2171 [GET_CMDID(IP_VS_SO_GET_TIMEOUT)] = GET_TIMEOUT_ARG_LEN,
2172 [GET_CMDID(IP_VS_SO_GET_DAEMON)] = GET_DAEMON_ARG_LEN,
/* getsockopt() entry point for all IP_VS_SO_GET_* commands.
 * Requires CAP_NET_ADMIN; validates *len against get_arglen, copies the
 * request header in, and serves each query under __ip_vs_mutex.
 * NOTE(review): arg[] is 128 bytes — presumably >= every GET_*_ARG_LEN;
 * the elided lines would confirm. */
2176 do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2178 unsigned char arg[128];
2181 if (!capable(CAP_NET_ADMIN))
2184 if (*len < get_arglen[GET_CMDID(cmd)]) {
2185 IP_VS_ERR("get_ctl: len %u < %u\n",
2186 *len, get_arglen[GET_CMDID(cmd)]);
2190 if (copy_from_user(arg, user, get_arglen[GET_CMDID(cmd)]) != 0)
2193 if (mutex_lock_interruptible(&__ip_vs_mutex))
2194 return -ERESTARTSYS;
2197 case IP_VS_SO_GET_VERSION:
2201 sprintf(buf, "IP Virtual Server version %d.%d.%d (size=%d)",
2202 NVERSION(IP_VS_VERSION_CODE), IP_VS_CONN_TAB_SIZE);
2203 if (copy_to_user(user, buf, strlen(buf)+1) != 0) {
2207 *len = strlen(buf)+1;
2211 case IP_VS_SO_GET_INFO:
2213 struct ip_vs_getinfo info;
2214 info.version = IP_VS_VERSION_CODE;
2215 info.size = IP_VS_CONN_TAB_SIZE;
2216 info.num_services = ip_vs_num_services;
2217 if (copy_to_user(user, &info, sizeof(info)) != 0)
2222 case IP_VS_SO_GET_SERVICES:
2224 struct ip_vs_get_services *get;
2227 get = (struct ip_vs_get_services *)arg;
2228 size = sizeof(*get) +
2229 sizeof(struct ip_vs_service_entry) * get->num_services;
2231 IP_VS_ERR("length: %u != %u\n", *len, size);
2235 ret = __ip_vs_get_service_entries(get, user);
2239 case IP_VS_SO_GET_SERVICE:
2241 struct ip_vs_service_entry *entry;
2242 struct ip_vs_service *svc;
2244 entry = (struct ip_vs_service_entry *)arg;
2246 svc = __ip_vs_svc_fwm_get(entry->fwmark);
2248 svc = __ip_vs_service_get(entry->protocol,
2249 entry->addr, entry->port);
2251 ip_vs_copy_service(entry, svc);
2252 if (copy_to_user(user, entry, sizeof(*entry)) != 0)
2254 ip_vs_service_put(svc);
2260 case IP_VS_SO_GET_DESTS:
2262 struct ip_vs_get_dests *get;
2265 get = (struct ip_vs_get_dests *)arg;
2266 size = sizeof(*get) +
2267 sizeof(struct ip_vs_dest_entry) * get->num_dests;
2269 IP_VS_ERR("length: %u != %u\n", *len, size);
2273 ret = __ip_vs_get_dest_entries(get, user);
2277 case IP_VS_SO_GET_TIMEOUT:
2279 struct ip_vs_timeout_user t;
2281 __ip_vs_get_timeouts(&t);
2282 if (copy_to_user(user, &t, sizeof(t)) != 0)
2287 case IP_VS_SO_GET_DAEMON:
2289 struct ip_vs_daemon_user d[2];
/* Report master/backup sync daemons; slots for daemons that are
 * not running stay zeroed. */
2291 memset(&d, 0, sizeof(d));
2292 if (ip_vs_sync_state & IP_VS_STATE_MASTER) {
2293 d[0].state = IP_VS_STATE_MASTER;
2294 strlcpy(d[0].mcast_ifn, ip_vs_master_mcast_ifn, sizeof(d[0].mcast_ifn));
2295 d[0].syncid = ip_vs_master_syncid;
2297 if (ip_vs_sync_state & IP_VS_STATE_BACKUP) {
2298 d[1].state = IP_VS_STATE_BACKUP;
2299 strlcpy(d[1].mcast_ifn, ip_vs_backup_mcast_ifn, sizeof(d[1].mcast_ifn));
2300 d[1].syncid = ip_vs_backup_syncid;
2302 if (copy_to_user(user, &d, sizeof(d)) != 0)
2312 mutex_unlock(&__ip_vs_mutex);
/* Netfilter sockopt registration: routes the IP_VS_BASE_CTL..*_MAX ranges
 * to the set/get handlers above. */
2317 static struct nf_sockopt_ops ip_vs_sockopts = {
2319 .set_optmin = IP_VS_BASE_CTL,
2320 .set_optmax = IP_VS_SO_SET_MAX+1,
2321 .set = do_ip_vs_set_ctl,
2322 .get_optmin = IP_VS_BASE_CTL,
2323 .get_optmax = IP_VS_SO_GET_MAX+1,
2324 .get = do_ip_vs_get_ctl,
2325 .owner = THIS_MODULE,
2329 * Generic Netlink interface
2332 /* IPVS genetlink family */
2333 static struct genl_family ip_vs_genl_family = {
2334 .id = GENL_ID_GENERATE,
2336 .name = IPVS_GENL_NAME,
2337 .version = IPVS_GENL_VERSION,
2338 .maxattr = IPVS_CMD_MAX,
2341 /* Policy used for first-level command attributes */
2342 static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
2343 [IPVS_CMD_ATTR_SERVICE] = { .type = NLA_NESTED },
2344 [IPVS_CMD_ATTR_DEST] = { .type = NLA_NESTED },
2345 [IPVS_CMD_ATTR_DAEMON] = { .type = NLA_NESTED },
2346 [IPVS_CMD_ATTR_TIMEOUT_TCP] = { .type = NLA_U32 },
2347 [IPVS_CMD_ATTR_TIMEOUT_TCP_FIN] = { .type = NLA_U32 },
2348 [IPVS_CMD_ATTR_TIMEOUT_UDP] = { .type = NLA_U32 },
2351 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DAEMON */
2352 static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
2353 [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 },
2354 [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING,
2355 .len = IP_VS_IFNAME_MAXLEN },
2356 [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 },
2359 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_SERVICE */
2360 static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
2361 [IPVS_SVC_ATTR_AF] = { .type = NLA_U16 },
2362 [IPVS_SVC_ATTR_PROTOCOL] = { .type = NLA_U16 },
2363 [IPVS_SVC_ATTR_ADDR] = { .type = NLA_BINARY,
2364 .len = sizeof(union nf_inet_addr) },
2365 [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 },
2366 [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 },
2367 [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING,
2368 .len = IP_VS_SCHEDNAME_MAXLEN },
2369 [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY,
2370 .len = sizeof(struct ip_vs_flags) },
2371 [IPVS_SVC_ATTR_TIMEOUT] = { .type = NLA_U32 },
2372 [IPVS_SVC_ATTR_NETMASK] = { .type = NLA_U32 },
2373 [IPVS_SVC_ATTR_STATS] = { .type = NLA_NESTED },
2376 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DEST */
2377 static const struct nla_policy ip_vs_dest_policy[IPVS_DEST_ATTR_MAX + 1] = {
2378 [IPVS_DEST_ATTR_ADDR] = { .type = NLA_BINARY,
2379 .len = sizeof(union nf_inet_addr) },
2380 [IPVS_DEST_ATTR_PORT] = { .type = NLA_U16 },
2381 [IPVS_DEST_ATTR_FWD_METHOD] = { .type = NLA_U32 },
2382 [IPVS_DEST_ATTR_WEIGHT] = { .type = NLA_U32 },
2383 [IPVS_DEST_ATTR_U_THRESH] = { .type = NLA_U32 },
2384 [IPVS_DEST_ATTR_L_THRESH] = { .type = NLA_U32 },
2385 [IPVS_DEST_ATTR_ACTIVE_CONNS] = { .type = NLA_U32 },
2386 [IPVS_DEST_ATTR_INACT_CONNS] = { .type = NLA_U32 },
2387 [IPVS_DEST_ATTR_PERSIST_CONNS] = { .type = NLA_U32 },
2388 [IPVS_DEST_ATTR_STATS] = { .type = NLA_NESTED },
/* Emit a nested stats attribute (conns/pkts/bytes + rates) for a service
 * or destination; snapshot is taken under stats->lock, and the nest is
 * cancelled on any NLA_PUT failure. */
2391 static int ip_vs_genl_fill_stats(struct sk_buff *skb, int container_type,
2392 struct ip_vs_stats *stats)
2394 struct nlattr *nl_stats = nla_nest_start(skb, container_type);
2398 spin_lock_bh(&stats->lock);
2400 NLA_PUT_U32(skb, IPVS_STATS_ATTR_CONNS, stats->conns);
2401 NLA_PUT_U32(skb, IPVS_STATS_ATTR_INPKTS, stats->inpkts);
2402 NLA_PUT_U32(skb, IPVS_STATS_ATTR_OUTPKTS, stats->outpkts);
2403 NLA_PUT_U64(skb, IPVS_STATS_ATTR_INBYTES, stats->inbytes);
2404 NLA_PUT_U64(skb, IPVS_STATS_ATTR_OUTBYTES, stats->outbytes);
2405 NLA_PUT_U32(skb, IPVS_STATS_ATTR_CPS, stats->cps);
2406 NLA_PUT_U32(skb, IPVS_STATS_ATTR_INPPS, stats->inpps);
2407 NLA_PUT_U32(skb, IPVS_STATS_ATTR_OUTPPS, stats->outpps);
2408 NLA_PUT_U32(skb, IPVS_STATS_ATTR_INBPS, stats->inbps);
2409 NLA_PUT_U32(skb, IPVS_STATS_ATTR_OUTBPS, stats->outbps);
2411 spin_unlock_bh(&stats->lock);
2413 nla_nest_end(skb, nl_stats);
/* nla_put_failure path: unlock and cancel the partly-built nest. */
2418 spin_unlock_bh(&stats->lock);
2419 nla_nest_cancel(skb, nl_stats);
/* Emit one IPVS_CMD_ATTR_SERVICE nest describing 'svc' (identity,
 * scheduler, flags, timeout in seconds, netmask, stats). */
2423 static int ip_vs_genl_fill_service(struct sk_buff *skb,
2424 struct ip_vs_service *svc)
2426 struct nlattr *nl_service;
2427 struct ip_vs_flags flags = { .flags = svc->flags,
2430 nl_service = nla_nest_start(skb, IPVS_CMD_ATTR_SERVICE);
2434 NLA_PUT_U16(skb, IPVS_SVC_ATTR_AF, AF_INET);
2437 NLA_PUT_U32(skb, IPVS_SVC_ATTR_FWMARK, svc->fwmark);
2439 NLA_PUT_U16(skb, IPVS_SVC_ATTR_PROTOCOL, svc->protocol);
2440 NLA_PUT(skb, IPVS_SVC_ATTR_ADDR, sizeof(svc->addr), &svc->addr);
2441 NLA_PUT_U16(skb, IPVS_SVC_ATTR_PORT, svc->port);
2444 NLA_PUT_STRING(skb, IPVS_SVC_ATTR_SCHED_NAME, svc->scheduler->name);
2445 NLA_PUT(skb, IPVS_SVC_ATTR_FLAGS, sizeof(flags), &flags);
2446 NLA_PUT_U32(skb, IPVS_SVC_ATTR_TIMEOUT, svc->timeout / HZ);
2447 NLA_PUT_U32(skb, IPVS_SVC_ATTR_NETMASK, svc->netmask);
2449 if (ip_vs_genl_fill_stats(skb, IPVS_SVC_ATTR_STATS, &svc->stats))
2450 goto nla_put_failure;
2452 nla_nest_end(skb, nl_service);
2457 nla_nest_cancel(skb, nl_service);
/* Wrap one service in a NLM_F_MULTI genetlink message for a dump. */
2461 static int ip_vs_genl_dump_service(struct sk_buff *skb,
2462 struct ip_vs_service *svc,
2463 struct netlink_callback *cb)
2467 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).pid, cb->nlh->nlmsg_seq,
2468 &ip_vs_genl_family, NLM_F_MULTI,
2469 IPVS_CMD_NEW_SERVICE);
2473 if (ip_vs_genl_fill_service(skb, svc) < 0)
2474 goto nla_put_failure;
2476 return genlmsg_end(skb, hdr);
2479 genlmsg_cancel(skb, hdr);
/* GET_SERVICE dumpit: walk both service hash tables under __ip_vs_mutex,
 * resuming from cb->args[0] on each invocation. */
2483 static int ip_vs_genl_dump_services(struct sk_buff *skb,
2484 struct netlink_callback *cb)
2487 int start = cb->args[0];
2488 struct ip_vs_service *svc;
2490 mutex_lock(&__ip_vs_mutex);
2491 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
2492 list_for_each_entry(svc, &ip_vs_svc_table[i], s_list) {
2495 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
2497 goto nla_put_failure;
2502 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
2503 list_for_each_entry(svc, &ip_vs_svc_fwm_table[i], f_list) {
2506 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
2508 goto nla_put_failure;
2514 mutex_unlock(&__ip_vs_mutex);
/* Parse an IPVS_CMD_ATTR_SERVICE nest into 'usvc'.
 * Always extracts the identifying fields (AF + fwmark, or AF + proto/addr/
 * port); when full_entry is set, also requires scheduler name, flags,
 * timeout and netmask. Only AF_INET is accepted here. */
2520 static int ip_vs_genl_parse_service(struct ip_vs_service_user *usvc,
2521 struct nlattr *nla, int full_entry)
2523 struct nlattr *attrs[IPVS_SVC_ATTR_MAX + 1];
2524 struct nlattr *nla_af, *nla_port, *nla_fwmark, *nla_protocol, *nla_addr;
2526 /* Parse mandatory identifying service fields first */
2528 nla_parse_nested(attrs, IPVS_SVC_ATTR_MAX, nla, ip_vs_svc_policy))
2531 nla_af = attrs[IPVS_SVC_ATTR_AF];
2532 nla_protocol = attrs[IPVS_SVC_ATTR_PROTOCOL];
2533 nla_addr = attrs[IPVS_SVC_ATTR_ADDR];
2534 nla_port = attrs[IPVS_SVC_ATTR_PORT];
2535 nla_fwmark = attrs[IPVS_SVC_ATTR_FWMARK];
2537 if (!(nla_af && (nla_fwmark || (nla_port && nla_protocol && nla_addr))))
2540 /* For now, only support IPv4 */
2541 if (nla_get_u16(nla_af) != AF_INET)
2542 return -EAFNOSUPPORT;
/* fwmark-based service: protocol is forced to TCP as a placeholder. */
2545 usvc->protocol = IPPROTO_TCP;
2546 usvc->fwmark = nla_get_u32(nla_fwmark);
2548 usvc->protocol = nla_get_u16(nla_protocol);
2549 nla_memcpy(&usvc->addr, nla_addr, sizeof(usvc->addr));
2550 usvc->port = nla_get_u16(nla_port);
2554 /* If a full entry was requested, check for the additional fields */
2556 struct nlattr *nla_sched, *nla_flags, *nla_timeout,
2558 struct ip_vs_flags flags;
2559 struct ip_vs_service *svc;
2561 nla_sched = attrs[IPVS_SVC_ATTR_SCHED_NAME];
2562 nla_flags = attrs[IPVS_SVC_ATTR_FLAGS];
2563 nla_timeout = attrs[IPVS_SVC_ATTR_TIMEOUT];
2564 nla_netmask = attrs[IPVS_SVC_ATTR_NETMASK];
2566 if (!(nla_sched && nla_flags && nla_timeout && nla_netmask))
2569 nla_memcpy(&flags, nla_flags, sizeof(flags));
2571 /* prefill flags from service if it already exists */
2573 svc = __ip_vs_svc_fwm_get(usvc->fwmark);
2575 svc = __ip_vs_service_get(usvc->protocol, usvc->addr,
2578 usvc->flags = svc->flags;
2579 ip_vs_service_put(svc);
2583 /* set new flags from userland */
2584 usvc->flags = (usvc->flags & ~flags.mask) |
2585 (flags.flags & flags.mask);
2587 strlcpy(usvc->sched_name, nla_data(nla_sched),
2588 sizeof(usvc->sched_name));
2589 usvc->timeout = nla_get_u32(nla_timeout);
2590 usvc->netmask = nla_get_u32(nla_netmask);
/* Parse only the identifying fields of a service nest and look the service
 * up (reference-counted); returns ERR_PTR on parse failure. */
2596 static struct ip_vs_service *ip_vs_genl_find_service(struct nlattr *nla)
2598 struct ip_vs_service_user usvc;
2601 ret = ip_vs_genl_parse_service(&usvc, nla, 0);
2603 return ERR_PTR(ret);
2606 return __ip_vs_svc_fwm_get(usvc.fwmark);
2608 return __ip_vs_service_get(usvc.protocol, usvc.addr,
/* Emit one IPVS_CMD_ATTR_DEST nest describing 'dest' (address, port,
 * forwarding method, weight, thresholds, connection counters, stats). */
2612 static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
2614 struct nlattr *nl_dest;
2616 nl_dest = nla_nest_start(skb, IPVS_CMD_ATTR_DEST);
2620 NLA_PUT(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr);
2621 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
2623 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
2624 atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
2625 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
2626 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
2627 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
2628 NLA_PUT_U32(skb, IPVS_DEST_ATTR_ACTIVE_CONNS,
2629 atomic_read(&dest->activeconns));
2630 NLA_PUT_U32(skb, IPVS_DEST_ATTR_INACT_CONNS,
2631 atomic_read(&dest->inactconns));
2632 NLA_PUT_U32(skb, IPVS_DEST_ATTR_PERSIST_CONNS,
2633 atomic_read(&dest->persistconns));
2635 if (ip_vs_genl_fill_stats(skb, IPVS_DEST_ATTR_STATS, &dest->stats))
2636 goto nla_put_failure;
2638 nla_nest_end(skb, nl_dest);
2643 nla_nest_cancel(skb, nl_dest);
/* Wrap one destination in a NLM_F_MULTI message for a dump. */
2647 static int ip_vs_genl_dump_dest(struct sk_buff *skb, struct ip_vs_dest *dest,
2648 struct netlink_callback *cb)
2652 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).pid, cb->nlh->nlmsg_seq,
2653 &ip_vs_genl_family, NLM_F_MULTI,
2658 if (ip_vs_genl_fill_dest(skb, dest) < 0)
2659 goto nla_put_failure;
2661 return genlmsg_end(skb, hdr);
2664 genlmsg_cancel(skb, hdr);
/* GET_DEST dumpit: re-parse the service attribute from the original dump
 * request, then walk its destination list, resuming at cb->args[0]. */
2668 static int ip_vs_genl_dump_dests(struct sk_buff *skb,
2669 struct netlink_callback *cb)
2672 int start = cb->args[0];
2673 struct ip_vs_service *svc;
2674 struct ip_vs_dest *dest;
2675 struct nlattr *attrs[IPVS_CMD_ATTR_MAX + 1];
2677 mutex_lock(&__ip_vs_mutex);
2679 /* Try to find the service for which to dump destinations */
2680 if (nlmsg_parse(cb->nlh, GENL_HDRLEN, attrs,
2681 IPVS_CMD_ATTR_MAX, ip_vs_cmd_policy))
2684 svc = ip_vs_genl_find_service(attrs[IPVS_CMD_ATTR_SERVICE]);
2685 if (IS_ERR(svc) || svc == NULL)
2688 /* Dump the destinations */
2689 list_for_each_entry(dest, &svc->destinations, n_list) {
2692 if (ip_vs_genl_dump_dest(skb, dest, cb) < 0) {
2694 goto nla_put_failure;
2700 ip_vs_service_put(svc);
2703 mutex_unlock(&__ip_vs_mutex);
/* Parse an IPVS_CMD_ATTR_DEST nest into 'udest'.
 * Address and port are always mandatory; when full_entry is set, forwarding
 * method, weight and both thresholds are required as well. */
2708 static int ip_vs_genl_parse_dest(struct ip_vs_dest_user *udest,
2709 struct nlattr *nla, int full_entry)
2711 struct nlattr *attrs[IPVS_DEST_ATTR_MAX + 1];
2712 struct nlattr *nla_addr, *nla_port;
2714 /* Parse mandatory identifying destination fields first */
2716 nla_parse_nested(attrs, IPVS_DEST_ATTR_MAX, nla, ip_vs_dest_policy))
2719 nla_addr = attrs[IPVS_DEST_ATTR_ADDR];
2720 nla_port = attrs[IPVS_DEST_ATTR_PORT];
2722 if (!(nla_addr && nla_port))
2725 nla_memcpy(&udest->addr, nla_addr, sizeof(udest->addr));
2726 udest->port = nla_get_u16(nla_port);
2728 /* If a full entry was requested, check for the additional fields */
2730 struct nlattr *nla_fwd, *nla_weight, *nla_u_thresh,
2733 nla_fwd = attrs[IPVS_DEST_ATTR_FWD_METHOD];
2734 nla_weight = attrs[IPVS_DEST_ATTR_WEIGHT];
2735 nla_u_thresh = attrs[IPVS_DEST_ATTR_U_THRESH];
2736 nla_l_thresh = attrs[IPVS_DEST_ATTR_L_THRESH];
2738 if (!(nla_fwd && nla_weight && nla_u_thresh && nla_l_thresh))
/* Only the forwarding-method bits of the flags are taken. */
2741 udest->conn_flags = nla_get_u32(nla_fwd)
2742 & IP_VS_CONN_F_FWD_MASK;
2743 udest->weight = nla_get_u32(nla_weight);
2744 udest->u_threshold = nla_get_u32(nla_u_thresh);
2745 udest->l_threshold = nla_get_u32(nla_l_thresh);
/* Emit one IPVS_CMD_ATTR_DAEMON nest (state, mcast interface, sync id). */
2751 static int ip_vs_genl_fill_daemon(struct sk_buff *skb, __be32 state,
2752 const char *mcast_ifn, __be32 syncid)
2754 struct nlattr *nl_daemon;
2756 nl_daemon = nla_nest_start(skb, IPVS_CMD_ATTR_DAEMON);
2760 NLA_PUT_U32(skb, IPVS_DAEMON_ATTR_STATE, state);
2761 NLA_PUT_STRING(skb, IPVS_DAEMON_ATTR_MCAST_IFN, mcast_ifn);
2762 NLA_PUT_U32(skb, IPVS_DAEMON_ATTR_SYNC_ID, syncid);
2764 nla_nest_end(skb, nl_daemon);
2769 nla_nest_cancel(skb, nl_daemon);
/* Wrap one sync-daemon record in a NLM_F_MULTI message for a dump. */
2773 static int ip_vs_genl_dump_daemon(struct sk_buff *skb, __be32 state,
2774 const char *mcast_ifn, __be32 syncid,
2775 struct netlink_callback *cb)
2778 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).pid, cb->nlh->nlmsg_seq,
2779 &ip_vs_genl_family, NLM_F_MULTI,
2780 IPVS_CMD_NEW_DAEMON);
2784 if (ip_vs_genl_fill_daemon(skb, state, mcast_ifn, syncid))
2785 goto nla_put_failure;
2787 return genlmsg_end(skb, hdr);
2790 genlmsg_cancel(skb, hdr);
/* GET_DAEMON dumpit: report master then backup daemon if running;
 * cb->args[0]/[1] remember which of the two were already sent. */
2794 static int ip_vs_genl_dump_daemons(struct sk_buff *skb,
2795 struct netlink_callback *cb)
2797 mutex_lock(&__ip_vs_mutex);
2798 if ((ip_vs_sync_state & IP_VS_STATE_MASTER) && !cb->args[0]) {
2799 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_MASTER,
2800 ip_vs_master_mcast_ifn,
2801 ip_vs_master_syncid, cb) < 0)
2802 goto nla_put_failure;
2807 if ((ip_vs_sync_state & IP_VS_STATE_BACKUP) && !cb->args[1]) {
2808 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_BACKUP,
2809 ip_vs_backup_mcast_ifn,
2810 ip_vs_backup_syncid, cb) < 0)
2811 goto nla_put_failure;
2817 mutex_unlock(&__ip_vs_mutex);
/* NEW_DAEMON handler: all three daemon attributes are mandatory; starts the
 * sync thread with the requested state/interface/syncid. */
2822 static int ip_vs_genl_new_daemon(struct nlattr **attrs)
2824 if (!(attrs[IPVS_DAEMON_ATTR_STATE] &&
2825 attrs[IPVS_DAEMON_ATTR_MCAST_IFN] &&
2826 attrs[IPVS_DAEMON_ATTR_SYNC_ID]))
2829 return start_sync_thread(nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]),
2830 nla_data(attrs[IPVS_DAEMON_ATTR_MCAST_IFN]),
2831 nla_get_u32(attrs[IPVS_DAEMON_ATTR_SYNC_ID]));
/* DEL_DAEMON handler: only the state attribute is needed. */
2834 static int ip_vs_genl_del_daemon(struct nlattr **attrs)
2836 if (!attrs[IPVS_DAEMON_ATTR_STATE])
2839 return stop_sync_thread(nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
/* SET_CONFIG handler: read the current timeouts, overlay any that the
 * caller supplied, and apply via ip_vs_set_timeout(). */
2842 static int ip_vs_genl_set_config(struct nlattr **attrs)
2844 struct ip_vs_timeout_user t;
2846 __ip_vs_get_timeouts(&t);
2848 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP])
2849 t.tcp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP]);
2851 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN])
2853 nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN]);
2855 if (attrs[IPVS_CMD_ATTR_TIMEOUT_UDP])
2856 t.udp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_UDP]);
2858 return ip_vs_set_timeout(&t);
/* doit handler for all state-changing genetlink commands.
 * Mirrors do_ip_vs_set_ctl(): service-less commands (FLUSH, SET_CONFIG,
 * NEW/DEL_DAEMON, global ZERO) are dispatched first; otherwise the service
 * attribute is parsed (full spec only for NEW/SET_SERVICE), the service is
 * looked up, an optional destination attribute is parsed, and the command
 * switch applies the change — all under __ip_vs_mutex. */
2861 static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
2863 struct ip_vs_service *svc = NULL;
2864 struct ip_vs_service_user usvc;
2865 struct ip_vs_dest_user udest;
2867 int need_full_svc = 0, need_full_dest = 0;
2869 cmd = info->genlhdr->cmd;
2871 mutex_lock(&__ip_vs_mutex);
2873 if (cmd == IPVS_CMD_FLUSH) {
2874 ret = ip_vs_flush();
2876 } else if (cmd == IPVS_CMD_SET_CONFIG) {
2877 ret = ip_vs_genl_set_config(info->attrs);
2879 } else if (cmd == IPVS_CMD_NEW_DAEMON ||
2880 cmd == IPVS_CMD_DEL_DAEMON) {
2882 struct nlattr *daemon_attrs[IPVS_DAEMON_ATTR_MAX + 1];
2884 if (!info->attrs[IPVS_CMD_ATTR_DAEMON] ||
2885 nla_parse_nested(daemon_attrs, IPVS_DAEMON_ATTR_MAX,
2886 info->attrs[IPVS_CMD_ATTR_DAEMON],
2887 ip_vs_daemon_policy)) {
2892 if (cmd == IPVS_CMD_NEW_DAEMON)
2893 ret = ip_vs_genl_new_daemon(daemon_attrs);
2895 ret = ip_vs_genl_del_daemon(daemon_attrs);
2897 } else if (cmd == IPVS_CMD_ZERO &&
2898 !info->attrs[IPVS_CMD_ATTR_SERVICE]) {
2899 ret = ip_vs_zero_all();
2903 /* All following commands require a service argument, so check if we
2904 * received a valid one. We need a full service specification when
2905 * adding / editing a service. Only identifying members otherwise. */
2906 if (cmd == IPVS_CMD_NEW_SERVICE || cmd == IPVS_CMD_SET_SERVICE)
2909 ret = ip_vs_genl_parse_service(&usvc,
2910 info->attrs[IPVS_CMD_ATTR_SERVICE],
2915 /* Lookup the exact service by <protocol, addr, port> or fwmark */
2916 if (usvc.fwmark == 0)
2917 svc = __ip_vs_service_get(usvc.protocol, usvc.addr, usvc.port);
2919 svc = __ip_vs_svc_fwm_get(usvc.fwmark);
2921 /* Unless we're adding a new service, the service must already exist */
2922 if ((cmd != IPVS_CMD_NEW_SERVICE) && (svc == NULL)) {
2927 /* Destination commands require a valid destination argument. For
2928 * adding / editing a destination, we need a full destination
2930 if (cmd == IPVS_CMD_NEW_DEST || cmd == IPVS_CMD_SET_DEST ||
2931 cmd == IPVS_CMD_DEL_DEST) {
2932 if (cmd != IPVS_CMD_DEL_DEST)
2935 ret = ip_vs_genl_parse_dest(&udest,
2936 info->attrs[IPVS_CMD_ATTR_DEST],
2943 case IPVS_CMD_NEW_SERVICE:
2945 ret = ip_vs_add_service(&usvc, &svc);
2949 case IPVS_CMD_SET_SERVICE:
2950 ret = ip_vs_edit_service(svc, &usvc);
2952 case IPVS_CMD_DEL_SERVICE:
2953 ret = ip_vs_del_service(svc);
2955 case IPVS_CMD_NEW_DEST:
2956 ret = ip_vs_add_dest(svc, &udest);
2958 case IPVS_CMD_SET_DEST:
2959 ret = ip_vs_edit_dest(svc, &udest);
2961 case IPVS_CMD_DEL_DEST:
2962 ret = ip_vs_del_dest(svc, &udest);
2965 ret = ip_vs_zero_service(svc);
/* Drop the lookup reference on the service, if any. */
2973 ip_vs_service_put(svc);
2974 mutex_unlock(&__ip_vs_mutex);
2979 static int ip_vs_genl_get_cmd(struct sk_buff *skb, struct genl_info *info)
2981 struct sk_buff *msg;
2983 int ret, cmd, reply_cmd;
2985 cmd = info->genlhdr->cmd;
2987 if (cmd == IPVS_CMD_GET_SERVICE)
2988 reply_cmd = IPVS_CMD_NEW_SERVICE;
2989 else if (cmd == IPVS_CMD_GET_INFO)
2990 reply_cmd = IPVS_CMD_SET_INFO;
2991 else if (cmd == IPVS_CMD_GET_CONFIG)
2992 reply_cmd = IPVS_CMD_SET_CONFIG;
2994 IP_VS_ERR("unknown Generic Netlink command\n");
2998 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3002 mutex_lock(&__ip_vs_mutex);
3004 reply = genlmsg_put_reply(msg, info, &ip_vs_genl_family, 0, reply_cmd);
3006 goto nla_put_failure;
3009 case IPVS_CMD_GET_SERVICE:
3011 struct ip_vs_service *svc;
3013 svc = ip_vs_genl_find_service(info->attrs[IPVS_CMD_ATTR_SERVICE]);
3018 ret = ip_vs_genl_fill_service(msg, svc);
3019 ip_vs_service_put(svc);
3021 goto nla_put_failure;
3030 case IPVS_CMD_GET_CONFIG:
3032 struct ip_vs_timeout_user t;
3034 __ip_vs_get_timeouts(&t);
3035 #ifdef CONFIG_IP_VS_PROTO_TCP
3036 NLA_PUT_U32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP, t.tcp_timeout);
3037 NLA_PUT_U32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP_FIN,
3040 #ifdef CONFIG_IP_VS_PROTO_UDP
3041 NLA_PUT_U32(msg, IPVS_CMD_ATTR_TIMEOUT_UDP, t.udp_timeout);
3047 case IPVS_CMD_GET_INFO:
3048 NLA_PUT_U32(msg, IPVS_INFO_ATTR_VERSION, IP_VS_VERSION_CODE);
3049 NLA_PUT_U32(msg, IPVS_INFO_ATTR_CONN_TAB_SIZE,
3050 IP_VS_CONN_TAB_SIZE);
3054 genlmsg_end(msg, reply);
3055 ret = genlmsg_unicast(msg, info->snd_pid);
3059 IP_VS_ERR("not enough space in Netlink message\n");
3065 mutex_unlock(&__ip_vs_mutex);
3071 static struct genl_ops ip_vs_genl_ops[] __read_mostly = {
3073 .cmd = IPVS_CMD_NEW_SERVICE,
3074 .flags = GENL_ADMIN_PERM,
3075 .policy = ip_vs_cmd_policy,
3076 .doit = ip_vs_genl_set_cmd,
3079 .cmd = IPVS_CMD_SET_SERVICE,
3080 .flags = GENL_ADMIN_PERM,
3081 .policy = ip_vs_cmd_policy,
3082 .doit = ip_vs_genl_set_cmd,
3085 .cmd = IPVS_CMD_DEL_SERVICE,
3086 .flags = GENL_ADMIN_PERM,
3087 .policy = ip_vs_cmd_policy,
3088 .doit = ip_vs_genl_set_cmd,
3091 .cmd = IPVS_CMD_GET_SERVICE,
3092 .flags = GENL_ADMIN_PERM,
3093 .doit = ip_vs_genl_get_cmd,
3094 .dumpit = ip_vs_genl_dump_services,
3095 .policy = ip_vs_cmd_policy,
3098 .cmd = IPVS_CMD_NEW_DEST,
3099 .flags = GENL_ADMIN_PERM,
3100 .policy = ip_vs_cmd_policy,
3101 .doit = ip_vs_genl_set_cmd,
3104 .cmd = IPVS_CMD_SET_DEST,
3105 .flags = GENL_ADMIN_PERM,
3106 .policy = ip_vs_cmd_policy,
3107 .doit = ip_vs_genl_set_cmd,
3110 .cmd = IPVS_CMD_DEL_DEST,
3111 .flags = GENL_ADMIN_PERM,
3112 .policy = ip_vs_cmd_policy,
3113 .doit = ip_vs_genl_set_cmd,
3116 .cmd = IPVS_CMD_GET_DEST,
3117 .flags = GENL_ADMIN_PERM,
3118 .policy = ip_vs_cmd_policy,
3119 .dumpit = ip_vs_genl_dump_dests,
3122 .cmd = IPVS_CMD_NEW_DAEMON,
3123 .flags = GENL_ADMIN_PERM,
3124 .policy = ip_vs_cmd_policy,
3125 .doit = ip_vs_genl_set_cmd,
3128 .cmd = IPVS_CMD_DEL_DAEMON,
3129 .flags = GENL_ADMIN_PERM,
3130 .policy = ip_vs_cmd_policy,
3131 .doit = ip_vs_genl_set_cmd,
3134 .cmd = IPVS_CMD_GET_DAEMON,
3135 .flags = GENL_ADMIN_PERM,
3136 .dumpit = ip_vs_genl_dump_daemons,
3139 .cmd = IPVS_CMD_SET_CONFIG,
3140 .flags = GENL_ADMIN_PERM,
3141 .policy = ip_vs_cmd_policy,
3142 .doit = ip_vs_genl_set_cmd,
3145 .cmd = IPVS_CMD_GET_CONFIG,
3146 .flags = GENL_ADMIN_PERM,
3147 .doit = ip_vs_genl_get_cmd,
3150 .cmd = IPVS_CMD_GET_INFO,
3151 .flags = GENL_ADMIN_PERM,
3152 .doit = ip_vs_genl_get_cmd,
3155 .cmd = IPVS_CMD_ZERO,
3156 .flags = GENL_ADMIN_PERM,
3157 .policy = ip_vs_cmd_policy,
3158 .doit = ip_vs_genl_set_cmd,
3161 .cmd = IPVS_CMD_FLUSH,
3162 .flags = GENL_ADMIN_PERM,
3163 .doit = ip_vs_genl_set_cmd,
3167 static int __init ip_vs_genl_register(void)
3171 ret = genl_register_family(&ip_vs_genl_family);
3175 for (i = 0; i < ARRAY_SIZE(ip_vs_genl_ops); i++) {
3176 ret = genl_register_ops(&ip_vs_genl_family, &ip_vs_genl_ops[i]);
3183 genl_unregister_family(&ip_vs_genl_family);
3187 static void ip_vs_genl_unregister(void)
3189 genl_unregister_family(&ip_vs_genl_family);
3192 /* End of Generic Netlink interface definitions */
3195 int __init ip_vs_control_init(void)
3202 ret = nf_register_sockopt(&ip_vs_sockopts);
3204 IP_VS_ERR("cannot register sockopt.\n");
3208 ret = ip_vs_genl_register();
3210 IP_VS_ERR("cannot register Generic Netlink interface.\n");
3211 nf_unregister_sockopt(&ip_vs_sockopts);
3215 proc_net_fops_create(&init_net, "ip_vs", 0, &ip_vs_info_fops);
3216 proc_net_fops_create(&init_net, "ip_vs_stats",0, &ip_vs_stats_fops);
3218 sysctl_header = register_sysctl_paths(net_vs_ctl_path, vs_vars);
3220 /* Initialize ip_vs_svc_table, ip_vs_svc_fwm_table, ip_vs_rtable */
3221 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
3222 INIT_LIST_HEAD(&ip_vs_svc_table[idx]);
3223 INIT_LIST_HEAD(&ip_vs_svc_fwm_table[idx]);
3225 for(idx = 0; idx < IP_VS_RTAB_SIZE; idx++) {
3226 INIT_LIST_HEAD(&ip_vs_rtable[idx]);
3229 ip_vs_new_estimator(&ip_vs_stats);
3231 /* Hook the defense timer */
3232 schedule_delayed_work(&defense_work, DEFENSE_TIMER_PERIOD);
3239 void ip_vs_control_cleanup(void)
3242 ip_vs_trash_cleanup();
3243 cancel_rearming_delayed_work(&defense_work);
3244 cancel_work_sync(&defense_work.work);
3245 ip_vs_kill_estimator(&ip_vs_stats);
3246 unregister_sysctl_table(sysctl_header);
3247 proc_net_remove(&init_net, "ip_vs_stats");
3248 proc_net_remove(&init_net, "ip_vs");
3249 ip_vs_genl_unregister();
3250 nf_unregister_sockopt(&ip_vs_sockopts);