2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the NetFilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
21 #include <linux/module.h>
22 #include <linux/init.h>
23 #include <linux/types.h>
24 #include <linux/capability.h>
26 #include <linux/sysctl.h>
27 #include <linux/proc_fs.h>
28 #include <linux/workqueue.h>
29 #include <linux/swap.h>
30 #include <linux/seq_file.h>
32 #include <linux/netfilter.h>
33 #include <linux/netfilter_ipv4.h>
34 #include <linux/mutex.h>
36 #include <net/net_namespace.h>
38 #include <net/route.h>
41 #include <asm/uaccess.h>
43 #include <net/ip_vs.h>
45 /* semaphore for IPVS sockopts. And, [gs]etsockopt may sleep. */
46 static DEFINE_MUTEX(__ip_vs_mutex);
48 /* lock for service table */
49 static DEFINE_RWLOCK(__ip_vs_svc_lock);
51 /* lock for table with the real services */
52 static DEFINE_RWLOCK(__ip_vs_rs_lock);
54 /* lock for state and timeout tables */
55 static DEFINE_RWLOCK(__ip_vs_securetcp_lock);
57 /* lock for drop entry handling */
58 static DEFINE_SPINLOCK(__ip_vs_dropentry_lock);
60 /* lock for drop packet handling */
61 static DEFINE_SPINLOCK(__ip_vs_droppacket_lock);
63 /* 1/rate drop and drop-entry variables */
64 int ip_vs_drop_rate = 0;
65 int ip_vs_drop_counter = 0;
66 static atomic_t ip_vs_dropentry = ATOMIC_INIT(0);
68 /* number of virtual services */
69 static int ip_vs_num_services = 0;
71 /* sysctl variables */
72 static int sysctl_ip_vs_drop_entry = 0;
73 static int sysctl_ip_vs_drop_packet = 0;
74 static int sysctl_ip_vs_secure_tcp = 0;
75 static int sysctl_ip_vs_amemthresh = 1024;
76 static int sysctl_ip_vs_am_droprate = 10;
77 int sysctl_ip_vs_cache_bypass = 0;
78 int sysctl_ip_vs_expire_nodest_conn = 0;
79 int sysctl_ip_vs_expire_quiescent_template = 0;
80 int sysctl_ip_vs_sync_threshold[2] = { 3, 50 };
81 int sysctl_ip_vs_nat_icmp_send = 0;
84 #ifdef CONFIG_IP_VS_DEBUG
85 static int sysctl_ip_vs_debug_level = 0;
87 int ip_vs_get_debug_level(void)
89 return sysctl_ip_vs_debug_level;
94 * update_defense_level is called from keventd and from sysctl,
95 * so it needs to protect itself from softirqs
97 static void update_defense_level(void)
100 static int old_secure_tcp = 0;
105 /* we only count free and buffered memory (in pages) */
107 availmem = i.freeram + i.bufferram;
108 /* however in linux 2.5 the i.bufferram is total page cache size,
110 /* si_swapinfo(&i); */
111 /* availmem = availmem - (i.totalswap - i.freeswap); */
113 nomem = (availmem < sysctl_ip_vs_amemthresh);
118 spin_lock(&__ip_vs_dropentry_lock);
119 switch (sysctl_ip_vs_drop_entry) {
121 atomic_set(&ip_vs_dropentry, 0);
125 atomic_set(&ip_vs_dropentry, 1);
126 sysctl_ip_vs_drop_entry = 2;
128 atomic_set(&ip_vs_dropentry, 0);
133 atomic_set(&ip_vs_dropentry, 1);
135 atomic_set(&ip_vs_dropentry, 0);
136 sysctl_ip_vs_drop_entry = 1;
140 atomic_set(&ip_vs_dropentry, 1);
143 spin_unlock(&__ip_vs_dropentry_lock);
146 spin_lock(&__ip_vs_droppacket_lock);
147 switch (sysctl_ip_vs_drop_packet) {
153 ip_vs_drop_rate = ip_vs_drop_counter
154 = sysctl_ip_vs_amemthresh /
155 (sysctl_ip_vs_amemthresh-availmem);
156 sysctl_ip_vs_drop_packet = 2;
163 ip_vs_drop_rate = ip_vs_drop_counter
164 = sysctl_ip_vs_amemthresh /
165 (sysctl_ip_vs_amemthresh-availmem);
168 sysctl_ip_vs_drop_packet = 1;
172 ip_vs_drop_rate = sysctl_ip_vs_am_droprate;
175 spin_unlock(&__ip_vs_droppacket_lock);
178 write_lock(&__ip_vs_securetcp_lock);
179 switch (sysctl_ip_vs_secure_tcp) {
181 if (old_secure_tcp >= 2)
186 if (old_secure_tcp < 2)
188 sysctl_ip_vs_secure_tcp = 2;
190 if (old_secure_tcp >= 2)
196 if (old_secure_tcp < 2)
199 if (old_secure_tcp >= 2)
201 sysctl_ip_vs_secure_tcp = 1;
205 if (old_secure_tcp < 2)
209 old_secure_tcp = sysctl_ip_vs_secure_tcp;
211 ip_vs_protocol_timeout_change(sysctl_ip_vs_secure_tcp>1);
212 write_unlock(&__ip_vs_securetcp_lock);
219 * Timer for checking the defense
221 #define DEFENSE_TIMER_PERIOD 1*HZ
222 static void defense_work_handler(struct work_struct *work);
223 static DECLARE_DELAYED_WORK(defense_work, defense_work_handler);
225 static void defense_work_handler(struct work_struct *work)
227 update_defense_level();
228 if (atomic_read(&ip_vs_dropentry))
229 ip_vs_random_dropentry();
231 schedule_delayed_work(&defense_work, DEFENSE_TIMER_PERIOD);
235 ip_vs_use_count_inc(void)
237 return try_module_get(THIS_MODULE);
241 ip_vs_use_count_dec(void)
243 module_put(THIS_MODULE);
248 * Hash table: for virtual service lookups
250 #define IP_VS_SVC_TAB_BITS 8
251 #define IP_VS_SVC_TAB_SIZE (1 << IP_VS_SVC_TAB_BITS)
252 #define IP_VS_SVC_TAB_MASK (IP_VS_SVC_TAB_SIZE - 1)
254 /* the service table hashed by <protocol, addr, port> */
255 static struct list_head ip_vs_svc_table[IP_VS_SVC_TAB_SIZE];
256 /* the service table hashed by fwmark */
257 static struct list_head ip_vs_svc_fwm_table[IP_VS_SVC_TAB_SIZE];
260 * Hash table: for real service lookups
262 #define IP_VS_RTAB_BITS 4
263 #define IP_VS_RTAB_SIZE (1 << IP_VS_RTAB_BITS)
264 #define IP_VS_RTAB_MASK (IP_VS_RTAB_SIZE - 1)
266 static struct list_head ip_vs_rtable[IP_VS_RTAB_SIZE];
269 * Trash for destinations
271 static LIST_HEAD(ip_vs_dest_trash);
274 * FTP & NULL virtual service counters
276 static atomic_t ip_vs_ftpsvc_counter = ATOMIC_INIT(0);
277 static atomic_t ip_vs_nullsvc_counter = ATOMIC_INIT(0);
281 * Returns hash value for virtual service
283 static __inline__ unsigned
284 ip_vs_svc_hashkey(unsigned proto, __be32 addr, __be16 port)
286 register unsigned porth = ntohs(port);
288 return (proto^ntohl(addr)^(porth>>IP_VS_SVC_TAB_BITS)^porth)
289 & IP_VS_SVC_TAB_MASK;
293 * Returns hash value of fwmark for virtual service lookup
295 static __inline__ unsigned ip_vs_svc_fwm_hashkey(__u32 fwmark)
297 return fwmark & IP_VS_SVC_TAB_MASK;
301 * Hashes a service in the ip_vs_svc_table by <proto,addr,port>
302 * or in the ip_vs_svc_fwm_table by fwmark.
303 * Should be called with locked tables.
305 static int ip_vs_svc_hash(struct ip_vs_service *svc)
309 if (svc->flags & IP_VS_SVC_F_HASHED) {
310 IP_VS_ERR("ip_vs_svc_hash(): request for already hashed, "
311 "called from %p\n", __builtin_return_address(0));
315 if (svc->fwmark == 0) {
317 * Hash it by <protocol,addr,port> in ip_vs_svc_table
319 hash = ip_vs_svc_hashkey(svc->protocol, svc->addr, svc->port);
320 list_add(&svc->s_list, &ip_vs_svc_table[hash]);
323 * Hash it by fwmark in ip_vs_svc_fwm_table
325 hash = ip_vs_svc_fwm_hashkey(svc->fwmark);
326 list_add(&svc->f_list, &ip_vs_svc_fwm_table[hash]);
329 svc->flags |= IP_VS_SVC_F_HASHED;
330 /* increase its refcnt because it is referenced by the svc table */
331 atomic_inc(&svc->refcnt);
337 * Unhashes a service from ip_vs_svc_table/ip_vs_svc_fwm_table.
338 * Should be called with locked tables.
340 static int ip_vs_svc_unhash(struct ip_vs_service *svc)
342 if (!(svc->flags & IP_VS_SVC_F_HASHED)) {
343 IP_VS_ERR("ip_vs_svc_unhash(): request for unhash flagged, "
344 "called from %p\n", __builtin_return_address(0));
348 if (svc->fwmark == 0) {
349 /* Remove it from the ip_vs_svc_table table */
350 list_del(&svc->s_list);
352 /* Remove it from the ip_vs_svc_fwm_table table */
353 list_del(&svc->f_list);
356 svc->flags &= ~IP_VS_SVC_F_HASHED;
357 atomic_dec(&svc->refcnt);
363 * Get service by {proto,addr,port} in the service table.
365 static __inline__ struct ip_vs_service *
366 __ip_vs_service_get(__u16 protocol, __be32 vaddr, __be16 vport)
369 struct ip_vs_service *svc;
371 /* Check for "full" addressed entries */
372 hash = ip_vs_svc_hashkey(protocol, vaddr, vport);
374 list_for_each_entry(svc, &ip_vs_svc_table[hash], s_list){
375 if ((svc->addr == vaddr)
376 && (svc->port == vport)
377 && (svc->protocol == protocol)) {
379 atomic_inc(&svc->usecnt);
389 * Get service by {fwmark} in the service table.
391 static __inline__ struct ip_vs_service *__ip_vs_svc_fwm_get(__u32 fwmark)
394 struct ip_vs_service *svc;
396 /* Check for fwmark addressed entries */
397 hash = ip_vs_svc_fwm_hashkey(fwmark);
399 list_for_each_entry(svc, &ip_vs_svc_fwm_table[hash], f_list) {
400 if (svc->fwmark == fwmark) {
402 atomic_inc(&svc->usecnt);
410 struct ip_vs_service *
411 ip_vs_service_get(__u32 fwmark, __u16 protocol, __be32 vaddr, __be16 vport)
413 struct ip_vs_service *svc;
415 read_lock(&__ip_vs_svc_lock);
418 * Check the table hashed by fwmark first
420 if (fwmark && (svc = __ip_vs_svc_fwm_get(fwmark)))
424 * Check the table hashed by <protocol,addr,port>
425 * for "full" addressed entries
427 svc = __ip_vs_service_get(protocol, vaddr, vport);
430 && protocol == IPPROTO_TCP
431 && atomic_read(&ip_vs_ftpsvc_counter)
432 && (vport == FTPDATA || ntohs(vport) >= PROT_SOCK)) {
434 * Check if ftp service entry exists, the packet
435 * might belong to FTP data connections.
437 svc = __ip_vs_service_get(protocol, vaddr, FTPPORT);
441 && atomic_read(&ip_vs_nullsvc_counter)) {
443 * Check if the catch-all port (port zero) exists
445 svc = __ip_vs_service_get(protocol, vaddr, 0);
449 read_unlock(&__ip_vs_svc_lock);
451 IP_VS_DBG(9, "lookup service: fwm %u %s %u.%u.%u.%u:%u %s\n",
452 fwmark, ip_vs_proto_name(protocol),
453 NIPQUAD(vaddr), ntohs(vport),
454 svc?"hit":"not hit");
461 __ip_vs_bind_svc(struct ip_vs_dest *dest, struct ip_vs_service *svc)
463 atomic_inc(&svc->refcnt);
468 __ip_vs_unbind_svc(struct ip_vs_dest *dest)
470 struct ip_vs_service *svc = dest->svc;
473 if (atomic_dec_and_test(&svc->refcnt))
479 * Returns hash value for real service
481 static __inline__ unsigned ip_vs_rs_hashkey(__be32 addr, __be16 port)
483 register unsigned porth = ntohs(port);
485 return (ntohl(addr)^(porth>>IP_VS_RTAB_BITS)^porth)
490 * Hashes ip_vs_dest in ip_vs_rtable by <proto,addr,port>.
491 * should be called with locked tables.
493 static int ip_vs_rs_hash(struct ip_vs_dest *dest)
497 if (!list_empty(&dest->d_list)) {
502 * Hash by proto,addr,port,
503 * which are the parameters of the real service.
505 hash = ip_vs_rs_hashkey(dest->addr, dest->port);
506 list_add(&dest->d_list, &ip_vs_rtable[hash]);
512 * UNhashes ip_vs_dest from ip_vs_rtable.
513 * should be called with locked tables.
515 static int ip_vs_rs_unhash(struct ip_vs_dest *dest)
518 * Remove it from the ip_vs_rtable table.
520 if (!list_empty(&dest->d_list)) {
521 list_del(&dest->d_list);
522 INIT_LIST_HEAD(&dest->d_list);
529 * Lookup real service by <proto,addr,port> in the real service table.
532 ip_vs_lookup_real_service(__u16 protocol, __be32 daddr, __be16 dport)
535 struct ip_vs_dest *dest;
538 * Check for "full" addressed entries
539 * Return the first found entry
541 hash = ip_vs_rs_hashkey(daddr, dport);
543 read_lock(&__ip_vs_rs_lock);
544 list_for_each_entry(dest, &ip_vs_rtable[hash], d_list) {
545 if ((dest->addr == daddr)
546 && (dest->port == dport)
547 && ((dest->protocol == protocol) ||
550 read_unlock(&__ip_vs_rs_lock);
554 read_unlock(&__ip_vs_rs_lock);
560 * Lookup destination by {addr,port} in the given service
562 static struct ip_vs_dest *
563 ip_vs_lookup_dest(struct ip_vs_service *svc, __be32 daddr, __be16 dport)
565 struct ip_vs_dest *dest;
568 * Find the destination for the given service
570 list_for_each_entry(dest, &svc->destinations, n_list) {
571 if ((dest->addr == daddr) && (dest->port == dport)) {
581 * Find destination by {daddr,dport,vaddr,protocol}
582 * Cretaed to be used in ip_vs_process_message() in
583 * the backup synchronization daemon. It finds the
584 * destination to be bound to the received connection
587 * ip_vs_lookup_real_service() looked promissing, but
588 * seems not working as expected.
590 struct ip_vs_dest *ip_vs_find_dest(__be32 daddr, __be16 dport,
591 __be32 vaddr, __be16 vport, __u16 protocol)
593 struct ip_vs_dest *dest;
594 struct ip_vs_service *svc;
596 svc = ip_vs_service_get(0, protocol, vaddr, vport);
599 dest = ip_vs_lookup_dest(svc, daddr, dport);
601 atomic_inc(&dest->refcnt);
602 ip_vs_service_put(svc);
607 * Lookup dest by {svc,addr,port} in the destination trash.
608 * The destination trash is used to hold the destinations that are removed
609 * from the service table but are still referenced by some conn entries.
610 * The reason to add the destination trash is when the dest is temporary
611 * down (either by administrator or by monitor program), the dest can be
612 * picked back from the trash, the remaining connections to the dest can
613 * continue, and the counting information of the dest is also useful for
616 static struct ip_vs_dest *
617 ip_vs_trash_get_dest(struct ip_vs_service *svc, __be32 daddr, __be16 dport)
619 struct ip_vs_dest *dest, *nxt;
622 * Find the destination in trash
624 list_for_each_entry_safe(dest, nxt, &ip_vs_dest_trash, n_list) {
625 IP_VS_DBG(3, "Destination %u/%u.%u.%u.%u:%u still in trash, "
628 NIPQUAD(dest->addr), ntohs(dest->port),
629 atomic_read(&dest->refcnt));
630 if (dest->addr == daddr &&
631 dest->port == dport &&
632 dest->vfwmark == svc->fwmark &&
633 dest->protocol == svc->protocol &&
635 (dest->vaddr == svc->addr &&
636 dest->vport == svc->port))) {
642 * Try to purge the destination from trash if not referenced
644 if (atomic_read(&dest->refcnt) == 1) {
645 IP_VS_DBG(3, "Removing destination %u/%u.%u.%u.%u:%u "
648 NIPQUAD(dest->addr), ntohs(dest->port));
649 list_del(&dest->n_list);
650 ip_vs_dst_reset(dest);
651 __ip_vs_unbind_svc(dest);
661 * Clean up all the destinations in the trash
662 * Called by the ip_vs_control_cleanup()
664 * When the ip_vs_control_clearup is activated by ipvs module exit,
665 * the service tables must have been flushed and all the connections
666 * are expired, and the refcnt of each destination in the trash must
667 * be 1, so we simply release them here.
669 static void ip_vs_trash_cleanup(void)
671 struct ip_vs_dest *dest, *nxt;
673 list_for_each_entry_safe(dest, nxt, &ip_vs_dest_trash, n_list) {
674 list_del(&dest->n_list);
675 ip_vs_dst_reset(dest);
676 __ip_vs_unbind_svc(dest);
683 ip_vs_zero_stats(struct ip_vs_stats *stats)
685 spin_lock_bh(&stats->lock);
686 memset(stats, 0, (char *)&stats->lock - (char *)stats);
687 spin_unlock_bh(&stats->lock);
688 ip_vs_zero_estimator(stats);
692 * Update a destination in the given service
695 __ip_vs_update_dest(struct ip_vs_service *svc,
696 struct ip_vs_dest *dest, struct ip_vs_dest_user *udest)
700 /* set the weight and the flags */
701 atomic_set(&dest->weight, udest->weight);
702 conn_flags = udest->conn_flags | IP_VS_CONN_F_INACTIVE;
704 /* check if local node and update the flags */
705 if (inet_addr_type(&init_net, udest->addr) == RTN_LOCAL) {
706 conn_flags = (conn_flags & ~IP_VS_CONN_F_FWD_MASK)
707 | IP_VS_CONN_F_LOCALNODE;
710 /* set the IP_VS_CONN_F_NOOUTPUT flag if not masquerading/NAT */
711 if ((conn_flags & IP_VS_CONN_F_FWD_MASK) != 0) {
712 conn_flags |= IP_VS_CONN_F_NOOUTPUT;
715 * Put the real service in ip_vs_rtable if not present.
716 * For now only for NAT!
718 write_lock_bh(&__ip_vs_rs_lock);
720 write_unlock_bh(&__ip_vs_rs_lock);
722 atomic_set(&dest->conn_flags, conn_flags);
724 /* bind the service */
726 __ip_vs_bind_svc(dest, svc);
728 if (dest->svc != svc) {
729 __ip_vs_unbind_svc(dest);
730 ip_vs_zero_stats(&dest->stats);
731 __ip_vs_bind_svc(dest, svc);
735 /* set the dest status flags */
736 dest->flags |= IP_VS_DEST_F_AVAILABLE;
738 if (udest->u_threshold == 0 || udest->u_threshold > dest->u_threshold)
739 dest->flags &= ~IP_VS_DEST_F_OVERLOAD;
740 dest->u_threshold = udest->u_threshold;
741 dest->l_threshold = udest->l_threshold;
746 * Create a destination for the given service
749 ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user *udest,
750 struct ip_vs_dest **dest_p)
752 struct ip_vs_dest *dest;
757 atype = inet_addr_type(&init_net, udest->addr);
758 if (atype != RTN_LOCAL && atype != RTN_UNICAST)
761 dest = kzalloc(sizeof(struct ip_vs_dest), GFP_ATOMIC);
763 IP_VS_ERR("ip_vs_new_dest: kmalloc failed.\n");
767 dest->protocol = svc->protocol;
768 dest->vaddr = svc->addr;
769 dest->vport = svc->port;
770 dest->vfwmark = svc->fwmark;
771 dest->addr = udest->addr;
772 dest->port = udest->port;
774 atomic_set(&dest->activeconns, 0);
775 atomic_set(&dest->inactconns, 0);
776 atomic_set(&dest->persistconns, 0);
777 atomic_set(&dest->refcnt, 0);
779 INIT_LIST_HEAD(&dest->d_list);
780 spin_lock_init(&dest->dst_lock);
781 spin_lock_init(&dest->stats.lock);
782 __ip_vs_update_dest(svc, dest, udest);
783 ip_vs_new_estimator(&dest->stats);
793 * Add a destination into an existing service
796 ip_vs_add_dest(struct ip_vs_service *svc, struct ip_vs_dest_user *udest)
798 struct ip_vs_dest *dest;
799 __be32 daddr = udest->addr;
800 __be16 dport = udest->port;
805 if (udest->weight < 0) {
806 IP_VS_ERR("ip_vs_add_dest(): server weight less than zero\n");
810 if (udest->l_threshold > udest->u_threshold) {
811 IP_VS_ERR("ip_vs_add_dest(): lower threshold is higher than "
812 "upper threshold\n");
817 * Check if the dest already exists in the list
819 dest = ip_vs_lookup_dest(svc, daddr, dport);
821 IP_VS_DBG(1, "ip_vs_add_dest(): dest already exists\n");
826 * Check if the dest already exists in the trash and
827 * is from the same service
829 dest = ip_vs_trash_get_dest(svc, daddr, dport);
831 IP_VS_DBG(3, "Get destination %u.%u.%u.%u:%u from trash, "
832 "dest->refcnt=%d, service %u/%u.%u.%u.%u:%u\n",
833 NIPQUAD(daddr), ntohs(dport),
834 atomic_read(&dest->refcnt),
836 NIPQUAD(dest->vaddr),
838 __ip_vs_update_dest(svc, dest, udest);
841 * Get the destination from the trash
843 list_del(&dest->n_list);
845 ip_vs_new_estimator(&dest->stats);
847 write_lock_bh(&__ip_vs_svc_lock);
850 * Wait until all other svc users go away.
852 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 1);
854 list_add(&dest->n_list, &svc->destinations);
857 /* call the update_service function of its scheduler */
858 svc->scheduler->update_service(svc);
860 write_unlock_bh(&__ip_vs_svc_lock);
865 * Allocate and initialize the dest structure
867 ret = ip_vs_new_dest(svc, udest, &dest);
873 * Add the dest entry into the list
875 atomic_inc(&dest->refcnt);
877 write_lock_bh(&__ip_vs_svc_lock);
880 * Wait until all other svc users go away.
882 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 1);
884 list_add(&dest->n_list, &svc->destinations);
887 /* call the update_service function of its scheduler */
888 svc->scheduler->update_service(svc);
890 write_unlock_bh(&__ip_vs_svc_lock);
899 * Edit a destination in the given service
902 ip_vs_edit_dest(struct ip_vs_service *svc, struct ip_vs_dest_user *udest)
904 struct ip_vs_dest *dest;
905 __be32 daddr = udest->addr;
906 __be16 dport = udest->port;
910 if (udest->weight < 0) {
911 IP_VS_ERR("ip_vs_edit_dest(): server weight less than zero\n");
915 if (udest->l_threshold > udest->u_threshold) {
916 IP_VS_ERR("ip_vs_edit_dest(): lower threshold is higher than "
917 "upper threshold\n");
922 * Lookup the destination list
924 dest = ip_vs_lookup_dest(svc, daddr, dport);
926 IP_VS_DBG(1, "ip_vs_edit_dest(): dest doesn't exist\n");
930 __ip_vs_update_dest(svc, dest, udest);
932 write_lock_bh(&__ip_vs_svc_lock);
934 /* Wait until all other svc users go away */
935 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 1);
937 /* call the update_service, because server weight may be changed */
938 svc->scheduler->update_service(svc);
940 write_unlock_bh(&__ip_vs_svc_lock);
949 * Delete a destination (must be already unlinked from the service)
951 static void __ip_vs_del_dest(struct ip_vs_dest *dest)
953 ip_vs_kill_estimator(&dest->stats);
956 * Remove it from the d-linked list with the real services.
958 write_lock_bh(&__ip_vs_rs_lock);
959 ip_vs_rs_unhash(dest);
960 write_unlock_bh(&__ip_vs_rs_lock);
963 * Decrease the refcnt of the dest, and free the dest
964 * if nobody refers to it (refcnt=0). Otherwise, throw
965 * the destination into the trash.
967 if (atomic_dec_and_test(&dest->refcnt)) {
968 ip_vs_dst_reset(dest);
969 /* simply decrease svc->refcnt here, let the caller check
970 and release the service if nobody refers to it.
971 Only user context can release destination and service,
972 and only one user context can update virtual service at a
973 time, so the operation here is OK */
974 atomic_dec(&dest->svc->refcnt);
977 IP_VS_DBG(3, "Moving dest %u.%u.%u.%u:%u into trash, "
979 NIPQUAD(dest->addr), ntohs(dest->port),
980 atomic_read(&dest->refcnt));
981 list_add(&dest->n_list, &ip_vs_dest_trash);
982 atomic_inc(&dest->refcnt);
988 * Unlink a destination from the given service
990 static void __ip_vs_unlink_dest(struct ip_vs_service *svc,
991 struct ip_vs_dest *dest,
994 dest->flags &= ~IP_VS_DEST_F_AVAILABLE;
997 * Remove it from the d-linked destination list.
999 list_del(&dest->n_list);
1003 * Call the update_service function of its scheduler
1005 svc->scheduler->update_service(svc);
1011 * Delete a destination server in the given service
1014 ip_vs_del_dest(struct ip_vs_service *svc,struct ip_vs_dest_user *udest)
1016 struct ip_vs_dest *dest;
1017 __be32 daddr = udest->addr;
1018 __be16 dport = udest->port;
1022 dest = ip_vs_lookup_dest(svc, daddr, dport);
1024 IP_VS_DBG(1, "ip_vs_del_dest(): destination not found!\n");
1028 write_lock_bh(&__ip_vs_svc_lock);
1031 * Wait until all other svc users go away.
1033 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 1);
1036 * Unlink dest from the service
1038 __ip_vs_unlink_dest(svc, dest, 1);
1040 write_unlock_bh(&__ip_vs_svc_lock);
1043 * Delete the destination
1045 __ip_vs_del_dest(dest);
1054 * Add a service into the service hash table
1057 ip_vs_add_service(struct ip_vs_service_user *u, struct ip_vs_service **svc_p)
1060 struct ip_vs_scheduler *sched = NULL;
1061 struct ip_vs_service *svc = NULL;
1063 /* increase the module use count */
1064 ip_vs_use_count_inc();
1066 /* Lookup the scheduler by 'u->sched_name' */
1067 sched = ip_vs_scheduler_get(u->sched_name);
1068 if (sched == NULL) {
1069 IP_VS_INFO("Scheduler module ip_vs_%s not found\n",
1075 svc = kzalloc(sizeof(struct ip_vs_service), GFP_ATOMIC);
1077 IP_VS_DBG(1, "ip_vs_add_service: kmalloc failed.\n");
1082 /* I'm the first user of the service */
1083 atomic_set(&svc->usecnt, 1);
1084 atomic_set(&svc->refcnt, 0);
1086 svc->protocol = u->protocol;
1087 svc->addr = u->addr;
1088 svc->port = u->port;
1089 svc->fwmark = u->fwmark;
1090 svc->flags = u->flags;
1091 svc->timeout = u->timeout * HZ;
1092 svc->netmask = u->netmask;
1094 INIT_LIST_HEAD(&svc->destinations);
1095 rwlock_init(&svc->sched_lock);
1096 spin_lock_init(&svc->stats.lock);
1098 /* Bind the scheduler */
1099 ret = ip_vs_bind_scheduler(svc, sched);
1104 /* Update the virtual service counters */
1105 if (svc->port == FTPPORT)
1106 atomic_inc(&ip_vs_ftpsvc_counter);
1107 else if (svc->port == 0)
1108 atomic_inc(&ip_vs_nullsvc_counter);
1110 ip_vs_new_estimator(&svc->stats);
1111 ip_vs_num_services++;
1113 /* Hash the service into the service table */
1114 write_lock_bh(&__ip_vs_svc_lock);
1115 ip_vs_svc_hash(svc);
1116 write_unlock_bh(&__ip_vs_svc_lock);
1124 ip_vs_unbind_scheduler(svc);
1127 ip_vs_app_inc_put(svc->inc);
1132 ip_vs_scheduler_put(sched);
1135 /* decrease the module use count */
1136 ip_vs_use_count_dec();
1143 * Edit a service and bind it with a new scheduler
1146 ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user *u)
1148 struct ip_vs_scheduler *sched, *old_sched;
1152 * Lookup the scheduler, by 'u->sched_name'
1154 sched = ip_vs_scheduler_get(u->sched_name);
1155 if (sched == NULL) {
1156 IP_VS_INFO("Scheduler module ip_vs_%s not found\n",
1162 write_lock_bh(&__ip_vs_svc_lock);
1165 * Wait until all other svc users go away.
1167 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 1);
1170 * Set the flags and timeout value
1172 svc->flags = u->flags | IP_VS_SVC_F_HASHED;
1173 svc->timeout = u->timeout * HZ;
1174 svc->netmask = u->netmask;
1176 old_sched = svc->scheduler;
1177 if (sched != old_sched) {
1179 * Unbind the old scheduler
1181 if ((ret = ip_vs_unbind_scheduler(svc))) {
1187 * Bind the new scheduler
1189 if ((ret = ip_vs_bind_scheduler(svc, sched))) {
1191 * If ip_vs_bind_scheduler fails, restore the old
1193 * The main reason of failure is out of memory.
1195 * The question is if the old scheduler can be
1196 * restored all the time. TODO: if it cannot be
1197 * restored some time, we must delete the service,
1198 * otherwise the system may crash.
1200 ip_vs_bind_scheduler(svc, old_sched);
1207 write_unlock_bh(&__ip_vs_svc_lock);
1210 ip_vs_scheduler_put(old_sched);
1217 * Delete a service from the service list
1218 * - The service must be unlinked, unlocked and not referenced!
1219 * - We are called under _bh lock
1221 static void __ip_vs_del_service(struct ip_vs_service *svc)
1223 struct ip_vs_dest *dest, *nxt;
1224 struct ip_vs_scheduler *old_sched;
1226 ip_vs_num_services--;
1227 ip_vs_kill_estimator(&svc->stats);
1229 /* Unbind scheduler */
1230 old_sched = svc->scheduler;
1231 ip_vs_unbind_scheduler(svc);
1233 ip_vs_scheduler_put(old_sched);
1235 /* Unbind app inc */
1237 ip_vs_app_inc_put(svc->inc);
1242 * Unlink the whole destination list
1244 list_for_each_entry_safe(dest, nxt, &svc->destinations, n_list) {
1245 __ip_vs_unlink_dest(svc, dest, 0);
1246 __ip_vs_del_dest(dest);
1250 * Update the virtual service counters
1252 if (svc->port == FTPPORT)
1253 atomic_dec(&ip_vs_ftpsvc_counter);
1254 else if (svc->port == 0)
1255 atomic_dec(&ip_vs_nullsvc_counter);
1258 * Free the service if nobody refers to it
1260 if (atomic_read(&svc->refcnt) == 0)
1263 /* decrease the module use count */
1264 ip_vs_use_count_dec();
1268 * Delete a service from the service list
1270 static int ip_vs_del_service(struct ip_vs_service *svc)
1276 * Unhash it from the service table
1278 write_lock_bh(&__ip_vs_svc_lock);
1280 ip_vs_svc_unhash(svc);
1283 * Wait until all the svc users go away.
1285 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 1);
1287 __ip_vs_del_service(svc);
1289 write_unlock_bh(&__ip_vs_svc_lock);
1296 * Flush all the virtual services
1298 static int ip_vs_flush(void)
1301 struct ip_vs_service *svc, *nxt;
1304 * Flush the service table hashed by <protocol,addr,port>
1306 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1307 list_for_each_entry_safe(svc, nxt, &ip_vs_svc_table[idx], s_list) {
1308 write_lock_bh(&__ip_vs_svc_lock);
1309 ip_vs_svc_unhash(svc);
1311 * Wait until all the svc users go away.
1313 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1314 __ip_vs_del_service(svc);
1315 write_unlock_bh(&__ip_vs_svc_lock);
1320 * Flush the service table hashed by fwmark
1322 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1323 list_for_each_entry_safe(svc, nxt,
1324 &ip_vs_svc_fwm_table[idx], f_list) {
1325 write_lock_bh(&__ip_vs_svc_lock);
1326 ip_vs_svc_unhash(svc);
1328 * Wait until all the svc users go away.
1330 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1331 __ip_vs_del_service(svc);
1332 write_unlock_bh(&__ip_vs_svc_lock);
1341 * Zero counters in a service or all services
1343 static int ip_vs_zero_service(struct ip_vs_service *svc)
1345 struct ip_vs_dest *dest;
1347 write_lock_bh(&__ip_vs_svc_lock);
1348 list_for_each_entry(dest, &svc->destinations, n_list) {
1349 ip_vs_zero_stats(&dest->stats);
1351 ip_vs_zero_stats(&svc->stats);
1352 write_unlock_bh(&__ip_vs_svc_lock);
1356 static int ip_vs_zero_all(void)
1359 struct ip_vs_service *svc;
1361 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1362 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1363 ip_vs_zero_service(svc);
1367 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1368 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1369 ip_vs_zero_service(svc);
1373 ip_vs_zero_stats(&ip_vs_stats);
1379 proc_do_defense_mode(ctl_table *table, int write, struct file * filp,
1380 void __user *buffer, size_t *lenp, loff_t *ppos)
1382 int *valp = table->data;
1386 rc = proc_dointvec(table, write, filp, buffer, lenp, ppos);
1387 if (write && (*valp != val)) {
1388 if ((*valp < 0) || (*valp > 3)) {
1389 /* Restore the correct value */
1392 update_defense_level();
1400 proc_do_sync_threshold(ctl_table *table, int write, struct file *filp,
1401 void __user *buffer, size_t *lenp, loff_t *ppos)
1403 int *valp = table->data;
1407 /* backup the value first */
1408 memcpy(val, valp, sizeof(val));
1410 rc = proc_dointvec(table, write, filp, buffer, lenp, ppos);
1411 if (write && (valp[0] < 0 || valp[1] < 0 || valp[0] >= valp[1])) {
1412 /* Restore the correct value */
1413 memcpy(valp, val, sizeof(val));
1420 * IPVS sysctl table (under the /proc/sys/net/ipv4/vs/)
1423 static struct ctl_table vs_vars[] = {
1425 .procname = "amemthresh",
1426 .data = &sysctl_ip_vs_amemthresh,
1427 .maxlen = sizeof(int),
1429 .proc_handler = &proc_dointvec,
1431 #ifdef CONFIG_IP_VS_DEBUG
1433 .procname = "debug_level",
1434 .data = &sysctl_ip_vs_debug_level,
1435 .maxlen = sizeof(int),
1437 .proc_handler = &proc_dointvec,
1441 .procname = "am_droprate",
1442 .data = &sysctl_ip_vs_am_droprate,
1443 .maxlen = sizeof(int),
1445 .proc_handler = &proc_dointvec,
1448 .procname = "drop_entry",
1449 .data = &sysctl_ip_vs_drop_entry,
1450 .maxlen = sizeof(int),
1452 .proc_handler = &proc_do_defense_mode,
1455 .procname = "drop_packet",
1456 .data = &sysctl_ip_vs_drop_packet,
1457 .maxlen = sizeof(int),
1459 .proc_handler = &proc_do_defense_mode,
1462 .procname = "secure_tcp",
1463 .data = &sysctl_ip_vs_secure_tcp,
1464 .maxlen = sizeof(int),
1466 .proc_handler = &proc_do_defense_mode,
1470 .procname = "timeout_established",
1471 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ESTABLISHED],
1472 .maxlen = sizeof(int),
1474 .proc_handler = &proc_dointvec_jiffies,
1477 .procname = "timeout_synsent",
1478 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_SENT],
1479 .maxlen = sizeof(int),
1481 .proc_handler = &proc_dointvec_jiffies,
1484 .procname = "timeout_synrecv",
1485 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_RECV],
1486 .maxlen = sizeof(int),
1488 .proc_handler = &proc_dointvec_jiffies,
1491 .procname = "timeout_finwait",
1492 .data = &vs_timeout_table_dos.timeout[IP_VS_S_FIN_WAIT],
1493 .maxlen = sizeof(int),
1495 .proc_handler = &proc_dointvec_jiffies,
1498 .procname = "timeout_timewait",
1499 .data = &vs_timeout_table_dos.timeout[IP_VS_S_TIME_WAIT],
1500 .maxlen = sizeof(int),
1502 .proc_handler = &proc_dointvec_jiffies,
1505 .procname = "timeout_close",
1506 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE],
1507 .maxlen = sizeof(int),
1509 .proc_handler = &proc_dointvec_jiffies,
1512 .procname = "timeout_closewait",
1513 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE_WAIT],
1514 .maxlen = sizeof(int),
1516 .proc_handler = &proc_dointvec_jiffies,
1519 .procname = "timeout_lastack",
1520 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LAST_ACK],
1521 .maxlen = sizeof(int),
1523 .proc_handler = &proc_dointvec_jiffies,
1526 .procname = "timeout_listen",
1527 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LISTEN],
1528 .maxlen = sizeof(int),
1530 .proc_handler = &proc_dointvec_jiffies,
1533 .procname = "timeout_synack",
1534 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYNACK],
1535 .maxlen = sizeof(int),
1537 .proc_handler = &proc_dointvec_jiffies,
1540 .procname = "timeout_udp",
1541 .data = &vs_timeout_table_dos.timeout[IP_VS_S_UDP],
1542 .maxlen = sizeof(int),
1544 .proc_handler = &proc_dointvec_jiffies,
1547 .procname = "timeout_icmp",
1548 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ICMP],
1549 .maxlen = sizeof(int),
1551 .proc_handler = &proc_dointvec_jiffies,
1555 .procname = "cache_bypass",
1556 .data = &sysctl_ip_vs_cache_bypass,
1557 .maxlen = sizeof(int),
1559 .proc_handler = &proc_dointvec,
1562 .procname = "expire_nodest_conn",
1563 .data = &sysctl_ip_vs_expire_nodest_conn,
1564 .maxlen = sizeof(int),
1566 .proc_handler = &proc_dointvec,
1569 .procname = "expire_quiescent_template",
1570 .data = &sysctl_ip_vs_expire_quiescent_template,
1571 .maxlen = sizeof(int),
1573 .proc_handler = &proc_dointvec,
1576 .procname = "sync_threshold",
1577 .data = &sysctl_ip_vs_sync_threshold,
1578 .maxlen = sizeof(sysctl_ip_vs_sync_threshold),
1580 .proc_handler = &proc_do_sync_threshold,
1583 .procname = "nat_icmp_send",
1584 .data = &sysctl_ip_vs_nat_icmp_send,
1585 .maxlen = sizeof(int),
1587 .proc_handler = &proc_dointvec,
1592 struct ctl_path net_vs_ctl_path[] = {
1593 { .procname = "net", .ctl_name = CTL_NET, },
1594 { .procname = "ipv4", .ctl_name = NET_IPV4, },
1595 { .procname = "vs", },
1598 EXPORT_SYMBOL_GPL(net_vs_ctl_path);
1600 static struct ctl_table_header * sysctl_header;
1602 #ifdef CONFIG_PROC_FS
1605 struct list_head *table;
1610 * Write the contents of the VS rule table to a PROCfs file.
1611 * (It is kept just for backward compatibility)
1613 static inline const char *ip_vs_fwd_name(unsigned flags)
1615 switch (flags & IP_VS_CONN_F_FWD_MASK) {
1616 case IP_VS_CONN_F_LOCALNODE:
1618 case IP_VS_CONN_F_TUNNEL:
1620 case IP_VS_CONN_F_DROUTE:
1628 /* Get the Nth entry in the two lists */
1629 static struct ip_vs_service *ip_vs_info_array(struct seq_file *seq, loff_t pos)
1631 struct ip_vs_iter *iter = seq->private;
1633 struct ip_vs_service *svc;
1635 /* look in hash by protocol */
1636 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1637 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1639 iter->table = ip_vs_svc_table;
1646 /* keep looking in fwmark */
1647 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1648 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1650 iter->table = ip_vs_svc_fwm_table;
1660 static void *ip_vs_info_seq_start(struct seq_file *seq, loff_t *pos)
1663 read_lock_bh(&__ip_vs_svc_lock);
1664 return *pos ? ip_vs_info_array(seq, *pos - 1) : SEQ_START_TOKEN;
1668 static void *ip_vs_info_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1670 struct list_head *e;
1671 struct ip_vs_iter *iter;
1672 struct ip_vs_service *svc;
1675 if (v == SEQ_START_TOKEN)
1676 return ip_vs_info_array(seq,0);
1679 iter = seq->private;
1681 if (iter->table == ip_vs_svc_table) {
1682 /* next service in table hashed by protocol */
1683 if ((e = svc->s_list.next) != &ip_vs_svc_table[iter->bucket])
1684 return list_entry(e, struct ip_vs_service, s_list);
1687 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
1688 list_for_each_entry(svc,&ip_vs_svc_table[iter->bucket],
1694 iter->table = ip_vs_svc_fwm_table;
1699 /* next service in hashed by fwmark */
1700 if ((e = svc->f_list.next) != &ip_vs_svc_fwm_table[iter->bucket])
1701 return list_entry(e, struct ip_vs_service, f_list);
1704 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
1705 list_for_each_entry(svc, &ip_vs_svc_fwm_table[iter->bucket],
1713 static void ip_vs_info_seq_stop(struct seq_file *seq, void *v)
1715 read_unlock_bh(&__ip_vs_svc_lock);
1719 static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
1721 if (v == SEQ_START_TOKEN) {
1723 "IP Virtual Server version %d.%d.%d (size=%d)\n",
1724 NVERSION(IP_VS_VERSION_CODE), IP_VS_CONN_TAB_SIZE);
1726 "Prot LocalAddress:Port Scheduler Flags\n");
1728 " -> RemoteAddress:Port Forward Weight ActiveConn InActConn\n");
1730 const struct ip_vs_service *svc = v;
1731 const struct ip_vs_iter *iter = seq->private;
1732 const struct ip_vs_dest *dest;
1734 if (iter->table == ip_vs_svc_table)
1735 seq_printf(seq, "%s %08X:%04X %s ",
1736 ip_vs_proto_name(svc->protocol),
1739 svc->scheduler->name);
1741 seq_printf(seq, "FWM %08X %s ",
1742 svc->fwmark, svc->scheduler->name);
1744 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
1745 seq_printf(seq, "persistent %d %08X\n",
1747 ntohl(svc->netmask));
1749 seq_putc(seq, '\n');
1751 list_for_each_entry(dest, &svc->destinations, n_list) {
1753 " -> %08X:%04X %-7s %-6d %-10d %-10d\n",
1754 ntohl(dest->addr), ntohs(dest->port),
1755 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
1756 atomic_read(&dest->weight),
1757 atomic_read(&dest->activeconns),
1758 atomic_read(&dest->inactconns));
1764 static const struct seq_operations ip_vs_info_seq_ops = {
1765 .start = ip_vs_info_seq_start,
1766 .next = ip_vs_info_seq_next,
1767 .stop = ip_vs_info_seq_stop,
1768 .show = ip_vs_info_seq_show,
1771 static int ip_vs_info_open(struct inode *inode, struct file *file)
1773 return seq_open_private(file, &ip_vs_info_seq_ops,
1774 sizeof(struct ip_vs_iter));
1777 static const struct file_operations ip_vs_info_fops = {
1778 .owner = THIS_MODULE,
1779 .open = ip_vs_info_open,
1781 .llseek = seq_lseek,
1782 .release = seq_release_private,
1787 struct ip_vs_stats ip_vs_stats;
1789 #ifdef CONFIG_PROC_FS
1790 static int ip_vs_stats_show(struct seq_file *seq, void *v)
1793 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
1795 " Total Incoming Outgoing Incoming Outgoing\n");
1797 " Conns Packets Packets Bytes Bytes\n");
1799 spin_lock_bh(&ip_vs_stats.lock);
1800 seq_printf(seq, "%8X %8X %8X %16LX %16LX\n\n", ip_vs_stats.conns,
1801 ip_vs_stats.inpkts, ip_vs_stats.outpkts,
1802 (unsigned long long) ip_vs_stats.inbytes,
1803 (unsigned long long) ip_vs_stats.outbytes);
1805 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
1807 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
1808 seq_printf(seq,"%8X %8X %8X %16X %16X\n",
1813 ip_vs_stats.outbps);
1814 spin_unlock_bh(&ip_vs_stats.lock);
1819 static int ip_vs_stats_seq_open(struct inode *inode, struct file *file)
1821 return single_open(file, ip_vs_stats_show, NULL);
1824 static const struct file_operations ip_vs_stats_fops = {
1825 .owner = THIS_MODULE,
1826 .open = ip_vs_stats_seq_open,
1828 .llseek = seq_lseek,
1829 .release = single_release,
1835 * Set timeout values for tcp tcpfin udp in the timeout_table.
1837 static int ip_vs_set_timeout(struct ip_vs_timeout_user *u)
1839 IP_VS_DBG(2, "Setting timeout tcp:%d tcpfin:%d udp:%d\n",
1844 #ifdef CONFIG_IP_VS_PROTO_TCP
1845 if (u->tcp_timeout) {
1846 ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_ESTABLISHED]
1847 = u->tcp_timeout * HZ;
1850 if (u->tcp_fin_timeout) {
1851 ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_FIN_WAIT]
1852 = u->tcp_fin_timeout * HZ;
1856 #ifdef CONFIG_IP_VS_PROTO_UDP
1857 if (u->udp_timeout) {
1858 ip_vs_protocol_udp.timeout_table[IP_VS_UDP_S_NORMAL]
1859 = u->udp_timeout * HZ;
1866 #define SET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
1867 #define SERVICE_ARG_LEN (sizeof(struct ip_vs_service_user))
1868 #define SVCDEST_ARG_LEN (sizeof(struct ip_vs_service_user) + \
1869 sizeof(struct ip_vs_dest_user))
1870 #define TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
1871 #define DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user))
1872 #define MAX_ARG_LEN SVCDEST_ARG_LEN
1874 static const unsigned char set_arglen[SET_CMDID(IP_VS_SO_SET_MAX)+1] = {
1875 [SET_CMDID(IP_VS_SO_SET_ADD)] = SERVICE_ARG_LEN,
1876 [SET_CMDID(IP_VS_SO_SET_EDIT)] = SERVICE_ARG_LEN,
1877 [SET_CMDID(IP_VS_SO_SET_DEL)] = SERVICE_ARG_LEN,
1878 [SET_CMDID(IP_VS_SO_SET_FLUSH)] = 0,
1879 [SET_CMDID(IP_VS_SO_SET_ADDDEST)] = SVCDEST_ARG_LEN,
1880 [SET_CMDID(IP_VS_SO_SET_DELDEST)] = SVCDEST_ARG_LEN,
1881 [SET_CMDID(IP_VS_SO_SET_EDITDEST)] = SVCDEST_ARG_LEN,
1882 [SET_CMDID(IP_VS_SO_SET_TIMEOUT)] = TIMEOUT_ARG_LEN,
1883 [SET_CMDID(IP_VS_SO_SET_STARTDAEMON)] = DAEMON_ARG_LEN,
1884 [SET_CMDID(IP_VS_SO_SET_STOPDAEMON)] = DAEMON_ARG_LEN,
1885 [SET_CMDID(IP_VS_SO_SET_ZERO)] = SERVICE_ARG_LEN,
1889 do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1892 unsigned char arg[MAX_ARG_LEN];
1893 struct ip_vs_service_user *usvc;
1894 struct ip_vs_service *svc;
1895 struct ip_vs_dest_user *udest;
1897 if (!capable(CAP_NET_ADMIN))
1900 if (len != set_arglen[SET_CMDID(cmd)]) {
1901 IP_VS_ERR("set_ctl: len %u != %u\n",
1902 len, set_arglen[SET_CMDID(cmd)]);
1906 if (copy_from_user(arg, user, len) != 0)
1909 /* increase the module use count */
1910 ip_vs_use_count_inc();
1912 if (mutex_lock_interruptible(&__ip_vs_mutex)) {
1917 if (cmd == IP_VS_SO_SET_FLUSH) {
1918 /* Flush the virtual service */
1919 ret = ip_vs_flush();
1921 } else if (cmd == IP_VS_SO_SET_TIMEOUT) {
1922 /* Set timeout values for (tcp tcpfin udp) */
1923 ret = ip_vs_set_timeout((struct ip_vs_timeout_user *)arg);
1925 } else if (cmd == IP_VS_SO_SET_STARTDAEMON) {
1926 struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
1927 ret = start_sync_thread(dm->state, dm->mcast_ifn, dm->syncid);
1929 } else if (cmd == IP_VS_SO_SET_STOPDAEMON) {
1930 struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
1931 ret = stop_sync_thread(dm->state);
1935 usvc = (struct ip_vs_service_user *)arg;
1936 udest = (struct ip_vs_dest_user *)(usvc + 1);
1938 if (cmd == IP_VS_SO_SET_ZERO) {
1939 /* if no service address is set, zero counters in all */
1940 if (!usvc->fwmark && !usvc->addr && !usvc->port) {
1941 ret = ip_vs_zero_all();
1946 /* Check for valid protocol: TCP or UDP, even for fwmark!=0 */
1947 if (usvc->protocol!=IPPROTO_TCP && usvc->protocol!=IPPROTO_UDP) {
1948 IP_VS_ERR("set_ctl: invalid protocol: %d %d.%d.%d.%d:%d %s\n",
1949 usvc->protocol, NIPQUAD(usvc->addr),
1950 ntohs(usvc->port), usvc->sched_name);
1955 /* Lookup the exact service by <protocol, addr, port> or fwmark */
1956 if (usvc->fwmark == 0)
1957 svc = __ip_vs_service_get(usvc->protocol,
1958 usvc->addr, usvc->port);
1960 svc = __ip_vs_svc_fwm_get(usvc->fwmark);
1962 if (cmd != IP_VS_SO_SET_ADD
1963 && (svc == NULL || svc->protocol != usvc->protocol)) {
1969 case IP_VS_SO_SET_ADD:
1973 ret = ip_vs_add_service(usvc, &svc);
1975 case IP_VS_SO_SET_EDIT:
1976 ret = ip_vs_edit_service(svc, usvc);
1978 case IP_VS_SO_SET_DEL:
1979 ret = ip_vs_del_service(svc);
1983 case IP_VS_SO_SET_ZERO:
1984 ret = ip_vs_zero_service(svc);
1986 case IP_VS_SO_SET_ADDDEST:
1987 ret = ip_vs_add_dest(svc, udest);
1989 case IP_VS_SO_SET_EDITDEST:
1990 ret = ip_vs_edit_dest(svc, udest);
1992 case IP_VS_SO_SET_DELDEST:
1993 ret = ip_vs_del_dest(svc, udest);
2000 ip_vs_service_put(svc);
2003 mutex_unlock(&__ip_vs_mutex);
2005 /* decrease the module use count */
2006 ip_vs_use_count_dec();
2013 ip_vs_copy_stats(struct ip_vs_stats_user *dst, struct ip_vs_stats *src)
2015 spin_lock_bh(&src->lock);
2016 memcpy(dst, src, (char*)&src->lock - (char*)src);
2017 spin_unlock_bh(&src->lock);
2021 ip_vs_copy_service(struct ip_vs_service_entry *dst, struct ip_vs_service *src)
2023 dst->protocol = src->protocol;
2024 dst->addr = src->addr;
2025 dst->port = src->port;
2026 dst->fwmark = src->fwmark;
2027 strlcpy(dst->sched_name, src->scheduler->name, sizeof(dst->sched_name));
2028 dst->flags = src->flags;
2029 dst->timeout = src->timeout / HZ;
2030 dst->netmask = src->netmask;
2031 dst->num_dests = src->num_dests;
2032 ip_vs_copy_stats(&dst->stats, &src->stats);
2036 __ip_vs_get_service_entries(const struct ip_vs_get_services *get,
2037 struct ip_vs_get_services __user *uptr)
2040 struct ip_vs_service *svc;
2041 struct ip_vs_service_entry entry;
2044 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2045 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
2046 if (count >= get->num_services)
2048 memset(&entry, 0, sizeof(entry));
2049 ip_vs_copy_service(&entry, svc);
2050 if (copy_to_user(&uptr->entrytable[count],
2051 &entry, sizeof(entry))) {
2059 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2060 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
2061 if (count >= get->num_services)
2063 memset(&entry, 0, sizeof(entry));
2064 ip_vs_copy_service(&entry, svc);
2065 if (copy_to_user(&uptr->entrytable[count],
2066 &entry, sizeof(entry))) {
2078 __ip_vs_get_dest_entries(const struct ip_vs_get_dests *get,
2079 struct ip_vs_get_dests __user *uptr)
2081 struct ip_vs_service *svc;
2085 svc = __ip_vs_svc_fwm_get(get->fwmark);
2087 svc = __ip_vs_service_get(get->protocol,
2088 get->addr, get->port);
2091 struct ip_vs_dest *dest;
2092 struct ip_vs_dest_entry entry;
2094 list_for_each_entry(dest, &svc->destinations, n_list) {
2095 if (count >= get->num_dests)
2098 entry.addr = dest->addr;
2099 entry.port = dest->port;
2100 entry.conn_flags = atomic_read(&dest->conn_flags);
2101 entry.weight = atomic_read(&dest->weight);
2102 entry.u_threshold = dest->u_threshold;
2103 entry.l_threshold = dest->l_threshold;
2104 entry.activeconns = atomic_read(&dest->activeconns);
2105 entry.inactconns = atomic_read(&dest->inactconns);
2106 entry.persistconns = atomic_read(&dest->persistconns);
2107 ip_vs_copy_stats(&entry.stats, &dest->stats);
2108 if (copy_to_user(&uptr->entrytable[count],
2109 &entry, sizeof(entry))) {
2115 ip_vs_service_put(svc);
2122 __ip_vs_get_timeouts(struct ip_vs_timeout_user *u)
2124 #ifdef CONFIG_IP_VS_PROTO_TCP
2126 ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;
2127 u->tcp_fin_timeout =
2128 ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_FIN_WAIT] / HZ;
2130 #ifdef CONFIG_IP_VS_PROTO_UDP
2132 ip_vs_protocol_udp.timeout_table[IP_VS_UDP_S_NORMAL] / HZ;
2137 #define GET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
2138 #define GET_INFO_ARG_LEN (sizeof(struct ip_vs_getinfo))
2139 #define GET_SERVICES_ARG_LEN (sizeof(struct ip_vs_get_services))
2140 #define GET_SERVICE_ARG_LEN (sizeof(struct ip_vs_service_entry))
2141 #define GET_DESTS_ARG_LEN (sizeof(struct ip_vs_get_dests))
2142 #define GET_TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
2143 #define GET_DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user) * 2)
2145 static const unsigned char get_arglen[GET_CMDID(IP_VS_SO_GET_MAX)+1] = {
2146 [GET_CMDID(IP_VS_SO_GET_VERSION)] = 64,
2147 [GET_CMDID(IP_VS_SO_GET_INFO)] = GET_INFO_ARG_LEN,
2148 [GET_CMDID(IP_VS_SO_GET_SERVICES)] = GET_SERVICES_ARG_LEN,
2149 [GET_CMDID(IP_VS_SO_GET_SERVICE)] = GET_SERVICE_ARG_LEN,
2150 [GET_CMDID(IP_VS_SO_GET_DESTS)] = GET_DESTS_ARG_LEN,
2151 [GET_CMDID(IP_VS_SO_GET_TIMEOUT)] = GET_TIMEOUT_ARG_LEN,
2152 [GET_CMDID(IP_VS_SO_GET_DAEMON)] = GET_DAEMON_ARG_LEN,
2156 do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2158 unsigned char arg[128];
2161 if (!capable(CAP_NET_ADMIN))
2164 if (*len < get_arglen[GET_CMDID(cmd)]) {
2165 IP_VS_ERR("get_ctl: len %u < %u\n",
2166 *len, get_arglen[GET_CMDID(cmd)]);
2170 if (copy_from_user(arg, user, get_arglen[GET_CMDID(cmd)]) != 0)
2173 if (mutex_lock_interruptible(&__ip_vs_mutex))
2174 return -ERESTARTSYS;
2177 case IP_VS_SO_GET_VERSION:
2181 sprintf(buf, "IP Virtual Server version %d.%d.%d (size=%d)",
2182 NVERSION(IP_VS_VERSION_CODE), IP_VS_CONN_TAB_SIZE);
2183 if (copy_to_user(user, buf, strlen(buf)+1) != 0) {
2187 *len = strlen(buf)+1;
2191 case IP_VS_SO_GET_INFO:
2193 struct ip_vs_getinfo info;
2194 info.version = IP_VS_VERSION_CODE;
2195 info.size = IP_VS_CONN_TAB_SIZE;
2196 info.num_services = ip_vs_num_services;
2197 if (copy_to_user(user, &info, sizeof(info)) != 0)
2202 case IP_VS_SO_GET_SERVICES:
2204 struct ip_vs_get_services *get;
2207 get = (struct ip_vs_get_services *)arg;
2208 size = sizeof(*get) +
2209 sizeof(struct ip_vs_service_entry) * get->num_services;
2211 IP_VS_ERR("length: %u != %u\n", *len, size);
2215 ret = __ip_vs_get_service_entries(get, user);
2219 case IP_VS_SO_GET_SERVICE:
2221 struct ip_vs_service_entry *entry;
2222 struct ip_vs_service *svc;
2224 entry = (struct ip_vs_service_entry *)arg;
2226 svc = __ip_vs_svc_fwm_get(entry->fwmark);
2228 svc = __ip_vs_service_get(entry->protocol,
2229 entry->addr, entry->port);
2231 ip_vs_copy_service(entry, svc);
2232 if (copy_to_user(user, entry, sizeof(*entry)) != 0)
2234 ip_vs_service_put(svc);
2240 case IP_VS_SO_GET_DESTS:
2242 struct ip_vs_get_dests *get;
2245 get = (struct ip_vs_get_dests *)arg;
2246 size = sizeof(*get) +
2247 sizeof(struct ip_vs_dest_entry) * get->num_dests;
2249 IP_VS_ERR("length: %u != %u\n", *len, size);
2253 ret = __ip_vs_get_dest_entries(get, user);
2257 case IP_VS_SO_GET_TIMEOUT:
2259 struct ip_vs_timeout_user t;
2261 __ip_vs_get_timeouts(&t);
2262 if (copy_to_user(user, &t, sizeof(t)) != 0)
2267 case IP_VS_SO_GET_DAEMON:
2269 struct ip_vs_daemon_user d[2];
2271 memset(&d, 0, sizeof(d));
2272 if (ip_vs_sync_state & IP_VS_STATE_MASTER) {
2273 d[0].state = IP_VS_STATE_MASTER;
2274 strlcpy(d[0].mcast_ifn, ip_vs_master_mcast_ifn, sizeof(d[0].mcast_ifn));
2275 d[0].syncid = ip_vs_master_syncid;
2277 if (ip_vs_sync_state & IP_VS_STATE_BACKUP) {
2278 d[1].state = IP_VS_STATE_BACKUP;
2279 strlcpy(d[1].mcast_ifn, ip_vs_backup_mcast_ifn, sizeof(d[1].mcast_ifn));
2280 d[1].syncid = ip_vs_backup_syncid;
2282 if (copy_to_user(user, &d, sizeof(d)) != 0)
2292 mutex_unlock(&__ip_vs_mutex);
2297 static struct nf_sockopt_ops ip_vs_sockopts = {
2299 .set_optmin = IP_VS_BASE_CTL,
2300 .set_optmax = IP_VS_SO_SET_MAX+1,
2301 .set = do_ip_vs_set_ctl,
2302 .get_optmin = IP_VS_BASE_CTL,
2303 .get_optmax = IP_VS_SO_GET_MAX+1,
2304 .get = do_ip_vs_get_ctl,
2305 .owner = THIS_MODULE,
2309 int __init ip_vs_control_init(void)
2316 ret = nf_register_sockopt(&ip_vs_sockopts);
2318 IP_VS_ERR("cannot register sockopt.\n");
2322 proc_net_fops_create(&init_net, "ip_vs", 0, &ip_vs_info_fops);
2323 proc_net_fops_create(&init_net, "ip_vs_stats",0, &ip_vs_stats_fops);
2325 sysctl_header = register_sysctl_paths(net_vs_ctl_path, vs_vars);
2327 /* Initialize ip_vs_svc_table, ip_vs_svc_fwm_table, ip_vs_rtable */
2328 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2329 INIT_LIST_HEAD(&ip_vs_svc_table[idx]);
2330 INIT_LIST_HEAD(&ip_vs_svc_fwm_table[idx]);
2332 for(idx = 0; idx < IP_VS_RTAB_SIZE; idx++) {
2333 INIT_LIST_HEAD(&ip_vs_rtable[idx]);
2336 memset(&ip_vs_stats, 0, sizeof(ip_vs_stats));
2337 spin_lock_init(&ip_vs_stats.lock);
2338 ip_vs_new_estimator(&ip_vs_stats);
2340 /* Hook the defense timer */
2341 schedule_delayed_work(&defense_work, DEFENSE_TIMER_PERIOD);
2348 void ip_vs_control_cleanup(void)
2351 ip_vs_trash_cleanup();
2352 cancel_rearming_delayed_work(&defense_work);
2353 cancel_work_sync(&defense_work.work);
2354 ip_vs_kill_estimator(&ip_vs_stats);
2355 unregister_sysctl_table(sysctl_header);
2356 proc_net_remove(&init_net, "ip_vs_stats");
2357 proc_net_remove(&init_net, "ip_vs");
2358 nf_unregister_sockopt(&ip_vs_sockopts);
git://bbs.cooldavid.org / net-next-2.6.git / blob