2 * ip_vs_xmit.c: various packet transmitters for IPVS
4 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
5 * Julian Anastasov <ja@ssi.bg>
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version
10 * 2 of the License, or (at your option) any later version.
16 #include <linux/kernel.h>
17 #include <linux/tcp.h> /* for tcphdr */
19 #include <net/tcp.h> /* for csum_tcpudp_magic */
21 #include <net/icmp.h> /* for icmp_send */
22 #include <net/route.h> /* for ip_route_output */
24 #include <net/ip6_route.h>
25 #include <linux/icmpv6.h>
26 #include <linux/netfilter.h>
27 #include <linux/netfilter_ipv4.h>
29 #include <net/ip_vs.h>
33 * Destination cache to speed up outgoing route lookup
36 __ip_vs_dst_set(struct ip_vs_dest *dest, u32 rtos, struct dst_entry *dst)
38 struct dst_entry *old_dst;
40 old_dst = dest->dst_cache;
41 dest->dst_cache = dst;
42 dest->dst_rtos = rtos;
46 static inline struct dst_entry *
47 __ip_vs_dst_check(struct ip_vs_dest *dest, u32 rtos, u32 cookie)
49 struct dst_entry *dst = dest->dst_cache;
54 || (dest->af == AF_INET && rtos != dest->dst_rtos)) &&
55 dst->ops->check(dst, cookie) == NULL) {
56 dest->dst_cache = NULL;
64 static struct rtable *
65 __ip_vs_get_out_rt(struct ip_vs_conn *cp, u32 rtos)
67 struct rtable *rt; /* Route to the other host */
68 struct ip_vs_dest *dest = cp->dest;
71 spin_lock(&dest->dst_lock);
72 if (!(rt = (struct rtable *)
73 __ip_vs_dst_check(dest, rtos, 0))) {
78 .daddr = dest->addr.ip,
83 if (ip_route_output_key(&init_net, &rt, &fl)) {
84 spin_unlock(&dest->dst_lock);
85 IP_VS_DBG_RL("ip_route_output error, "
86 "dest: %u.%u.%u.%u\n",
87 NIPQUAD(dest->addr.ip));
90 __ip_vs_dst_set(dest, rtos, dst_clone(&rt->u.dst));
91 IP_VS_DBG(10, "new dst %u.%u.%u.%u, refcnt=%d, rtos=%X\n",
92 NIPQUAD(dest->addr.ip),
93 atomic_read(&rt->u.dst.__refcnt), rtos);
95 spin_unlock(&dest->dst_lock);
101 .daddr = cp->daddr.ip,
106 if (ip_route_output_key(&init_net, &rt, &fl)) {
107 IP_VS_DBG_RL("ip_route_output error, dest: "
108 "%u.%u.%u.%u\n", NIPQUAD(cp->daddr.ip));
116 #ifdef CONFIG_IP_VS_IPV6
117 static struct rt6_info *
118 __ip_vs_get_out_rt_v6(struct ip_vs_conn *cp)
120 struct rt6_info *rt; /* Route to the other host */
121 struct ip_vs_dest *dest = cp->dest;
124 spin_lock(&dest->dst_lock);
125 rt = (struct rt6_info *)__ip_vs_dst_check(dest, 0, 0);
131 .daddr = dest->addr.in6,
140 rt = (struct rt6_info *)ip6_route_output(&init_net,
143 spin_unlock(&dest->dst_lock);
144 IP_VS_DBG_RL("ip6_route_output error, dest: %pI6\n",
148 __ip_vs_dst_set(dest, 0, dst_clone(&rt->u.dst));
149 IP_VS_DBG(10, "new dst %pI6, refcnt=%d\n",
151 atomic_read(&rt->u.dst.__refcnt));
153 spin_unlock(&dest->dst_lock);
159 .daddr = cp->daddr.in6,
161 .s6_addr32 = { 0, 0, 0, 0 },
167 rt = (struct rt6_info *)ip6_route_output(&init_net, NULL, &fl);
169 IP_VS_DBG_RL("ip6_route_output error, dest: %pI6\n",
181 * Release dest->dst_cache before a dest is removed
184 ip_vs_dst_reset(struct ip_vs_dest *dest)
186 struct dst_entry *old_dst;
188 old_dst = dest->dst_cache;
189 dest->dst_cache = NULL;
190 dst_release(old_dst);
193 #define IP_VS_XMIT(pf, skb, rt) \
195 (skb)->ipvs_property = 1; \
196 skb_forward_csum(skb); \
197 NF_HOOK(pf, NF_INET_LOCAL_OUT, (skb), NULL, \
198 (rt)->u.dst.dev, dst_output); \
203 * NULL transmitter (do nothing except return NF_ACCEPT)
206 ip_vs_null_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
207 struct ip_vs_protocol *pp)
209 /* we do not touch skb and do not need pskb ptr */
216 * Let packets bypass the destination when the destination is not
217 * available, it may be only used in transparent cache cluster.
220 ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
221 struct ip_vs_protocol *pp)
223 struct rtable *rt; /* Route to the other host */
224 struct iphdr *iph = ip_hdr(skb);
233 .tos = RT_TOS(tos), } },
238 if (ip_route_output_key(&init_net, &rt, &fl)) {
239 IP_VS_DBG_RL("ip_vs_bypass_xmit(): ip_route_output error, "
240 "dest: %u.%u.%u.%u\n", NIPQUAD(iph->daddr));
245 mtu = dst_mtu(&rt->u.dst);
246 if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) {
248 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
249 IP_VS_DBG_RL("ip_vs_bypass_xmit(): frag needed\n");
254 * Call ip_send_check because we are not sure it is called
255 * after ip_defrag. Is copy-on-write needed?
257 if (unlikely((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)) {
261 ip_send_check(ip_hdr(skb));
264 dst_release(skb->dst);
265 skb->dst = &rt->u.dst;
267 /* Another hack: avoid icmp_send in ip_fragment */
270 IP_VS_XMIT(PF_INET, skb, rt);
276 dst_link_failure(skb);
283 #ifdef CONFIG_IP_VS_IPV6
285 ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
286 struct ip_vs_protocol *pp)
288 struct rt6_info *rt; /* Route to the other host */
289 struct ipv6hdr *iph = ipv6_hdr(skb);
296 .saddr = { .s6_addr32 = {0, 0, 0, 0} }, } },
301 rt = (struct rt6_info *)ip6_route_output(&init_net, NULL, &fl);
303 IP_VS_DBG_RL("ip_vs_bypass_xmit_v6(): ip6_route_output error, dest: %pI6\n",
309 mtu = dst_mtu(&rt->u.dst);
310 if (skb->len > mtu) {
311 dst_release(&rt->u.dst);
312 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev);
313 IP_VS_DBG_RL("ip_vs_bypass_xmit_v6(): frag needed\n");
318 * Call ip_send_check because we are not sure it is called
319 * after ip_defrag. Is copy-on-write needed?
321 skb = skb_share_check(skb, GFP_ATOMIC);
322 if (unlikely(skb == NULL)) {
323 dst_release(&rt->u.dst);
328 dst_release(skb->dst);
329 skb->dst = &rt->u.dst;
331 /* Another hack: avoid icmp_send in ip_fragment */
334 IP_VS_XMIT(PF_INET6, skb, rt);
340 dst_link_failure(skb);
349 * NAT transmitter (only for outside-to-inside nat forwarding)
350 * Not used for related ICMP
353 ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
354 struct ip_vs_protocol *pp)
356 struct rtable *rt; /* Route to the other host */
358 struct iphdr *iph = ip_hdr(skb);
362 /* check if it is a connection of no-client-port */
363 if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {
365 p = skb_header_pointer(skb, iph->ihl*4, sizeof(_pt), &_pt);
368 ip_vs_conn_fill_cport(cp, *p);
369 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
372 if (!(rt = __ip_vs_get_out_rt(cp, RT_TOS(iph->tos))))
376 mtu = dst_mtu(&rt->u.dst);
377 if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) {
379 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
380 IP_VS_DBG_RL_PKT(0, pp, skb, 0, "ip_vs_nat_xmit(): frag needed for");
384 /* copy-on-write the packet before mangling it */
385 if (!skb_make_writable(skb, sizeof(struct iphdr)))
388 if (skb_cow(skb, rt->u.dst.dev->hard_header_len))
392 dst_release(skb->dst);
393 skb->dst = &rt->u.dst;
395 /* mangle the packet */
396 if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp))
398 ip_hdr(skb)->daddr = cp->daddr.ip;
399 ip_send_check(ip_hdr(skb));
401 IP_VS_DBG_PKT(10, pp, skb, 0, "After DNAT");
403 /* FIXME: when application helper enlarges the packet and the length
404 is larger than the MTU of outgoing device, there will be still
407 /* Another hack: avoid icmp_send in ip_fragment */
410 IP_VS_XMIT(PF_INET, skb, rt);
416 dst_link_failure(skb);
426 #ifdef CONFIG_IP_VS_IPV6
428 ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
429 struct ip_vs_protocol *pp)
431 struct rt6_info *rt; /* Route to the other host */
436 /* check if it is a connection of no-client-port */
437 if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {
439 p = skb_header_pointer(skb, sizeof(struct ipv6hdr),
443 ip_vs_conn_fill_cport(cp, *p);
444 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
447 rt = __ip_vs_get_out_rt_v6(cp);
452 mtu = dst_mtu(&rt->u.dst);
453 if (skb->len > mtu) {
454 dst_release(&rt->u.dst);
455 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev);
456 IP_VS_DBG_RL_PKT(0, pp, skb, 0,
457 "ip_vs_nat_xmit_v6(): frag needed for");
461 /* copy-on-write the packet before mangling it */
462 if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
465 if (skb_cow(skb, rt->u.dst.dev->hard_header_len))
469 dst_release(skb->dst);
470 skb->dst = &rt->u.dst;
472 /* mangle the packet */
473 if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp))
475 ipv6_hdr(skb)->daddr = cp->daddr.in6;
477 IP_VS_DBG_PKT(10, pp, skb, 0, "After DNAT");
479 /* FIXME: when application helper enlarges the packet and the length
480 is larger than the MTU of outgoing device, there will be still
483 /* Another hack: avoid icmp_send in ip_fragment */
486 IP_VS_XMIT(PF_INET6, skb, rt);
492 dst_link_failure(skb);
498 dst_release(&rt->u.dst);
505 * IP Tunneling transmitter
507 * This function encapsulates the packet in a new IP packet, its
508 * destination will be set to cp->daddr. Most code of this function
509 * is taken from ipip.c.
511 * It is used in VS/TUN cluster. The load balancer selects a real
512 * server from a cluster based on a scheduling algorithm,
513 * encapsulates the request packet and forwards it to the selected
514 * server. For example, all real servers are configured with
515 * "ifconfig tunl0 <Virtual IP Address> up". When the server receives
516 * the encapsulated packet, it will decapsulate the packet, processe
517 * the request and return the response packets directly to the client
518 * without passing the load balancer. This can greatly increase the
519 * scalability of virtual server.
521 * Used for ANY protocol
524 ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
525 struct ip_vs_protocol *pp)
527 struct rtable *rt; /* Route to the other host */
528 struct net_device *tdev; /* Device to other host */
529 struct iphdr *old_iph = ip_hdr(skb);
530 u8 tos = old_iph->tos;
531 __be16 df = old_iph->frag_off;
532 sk_buff_data_t old_transport_header = skb->transport_header;
533 struct iphdr *iph; /* Our new IP header */
534 unsigned int max_headroom; /* The extra header space needed */
539 if (skb->protocol != htons(ETH_P_IP)) {
540 IP_VS_DBG_RL("ip_vs_tunnel_xmit(): protocol error, "
541 "ETH_P_IP: %d, skb protocol: %d\n",
542 htons(ETH_P_IP), skb->protocol);
546 if (!(rt = __ip_vs_get_out_rt(cp, RT_TOS(tos))))
549 tdev = rt->u.dst.dev;
551 mtu = dst_mtu(&rt->u.dst) - sizeof(struct iphdr);
554 IP_VS_DBG_RL("ip_vs_tunnel_xmit(): mtu less than 68\n");
558 skb->dst->ops->update_pmtu(skb->dst, mtu);
560 df |= (old_iph->frag_off & htons(IP_DF));
562 if ((old_iph->frag_off & htons(IP_DF))
563 && mtu < ntohs(old_iph->tot_len)) {
564 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
566 IP_VS_DBG_RL("ip_vs_tunnel_xmit(): frag needed\n");
571 * Okay, now see if we can stuff it in the buffer as-is.
573 max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct iphdr);
575 if (skb_headroom(skb) < max_headroom
576 || skb_cloned(skb) || skb_shared(skb)) {
577 struct sk_buff *new_skb =
578 skb_realloc_headroom(skb, max_headroom);
582 IP_VS_ERR_RL("ip_vs_tunnel_xmit(): no memory\n");
587 old_iph = ip_hdr(skb);
590 skb->transport_header = old_transport_header;
592 /* fix old IP header checksum */
593 ip_send_check(old_iph);
595 skb_push(skb, sizeof(struct iphdr));
596 skb_reset_network_header(skb);
597 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
600 dst_release(skb->dst);
601 skb->dst = &rt->u.dst;
604 * Push down and install the IPIP header.
608 iph->ihl = sizeof(struct iphdr)>>2;
610 iph->protocol = IPPROTO_IPIP;
612 iph->daddr = rt->rt_dst;
613 iph->saddr = rt->rt_src;
614 iph->ttl = old_iph->ttl;
615 ip_select_ident(iph, &rt->u.dst, NULL);
617 /* Another hack: avoid icmp_send in ip_fragment */
627 dst_link_failure(skb);
634 #ifdef CONFIG_IP_VS_IPV6
636 ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
637 struct ip_vs_protocol *pp)
639 struct rt6_info *rt; /* Route to the other host */
640 struct net_device *tdev; /* Device to other host */
641 struct ipv6hdr *old_iph = ipv6_hdr(skb);
642 sk_buff_data_t old_transport_header = skb->transport_header;
643 struct ipv6hdr *iph; /* Our new IP header */
644 unsigned int max_headroom; /* The extra header space needed */
649 if (skb->protocol != htons(ETH_P_IPV6)) {
650 IP_VS_DBG_RL("ip_vs_tunnel_xmit_v6(): protocol error, "
651 "ETH_P_IPV6: %d, skb protocol: %d\n",
652 htons(ETH_P_IPV6), skb->protocol);
656 rt = __ip_vs_get_out_rt_v6(cp);
660 tdev = rt->u.dst.dev;
662 mtu = dst_mtu(&rt->u.dst) - sizeof(struct ipv6hdr);
663 /* TODO IPv6: do we need this check in IPv6? */
665 dst_release(&rt->u.dst);
666 IP_VS_DBG_RL("ip_vs_tunnel_xmit_v6(): mtu less than 1280\n");
670 skb->dst->ops->update_pmtu(skb->dst, mtu);
672 if (mtu < ntohs(old_iph->payload_len) + sizeof(struct ipv6hdr)) {
673 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev);
674 dst_release(&rt->u.dst);
675 IP_VS_DBG_RL("ip_vs_tunnel_xmit_v6(): frag needed\n");
680 * Okay, now see if we can stuff it in the buffer as-is.
682 max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct ipv6hdr);
684 if (skb_headroom(skb) < max_headroom
685 || skb_cloned(skb) || skb_shared(skb)) {
686 struct sk_buff *new_skb =
687 skb_realloc_headroom(skb, max_headroom);
689 dst_release(&rt->u.dst);
691 IP_VS_ERR_RL("ip_vs_tunnel_xmit_v6(): no memory\n");
696 old_iph = ipv6_hdr(skb);
699 skb->transport_header = old_transport_header;
701 skb_push(skb, sizeof(struct ipv6hdr));
702 skb_reset_network_header(skb);
703 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
706 dst_release(skb->dst);
707 skb->dst = &rt->u.dst;
710 * Push down and install the IPIP header.
714 iph->nexthdr = IPPROTO_IPV6;
715 iph->payload_len = old_iph->payload_len + sizeof(old_iph);
716 iph->priority = old_iph->priority;
717 memset(&iph->flow_lbl, 0, sizeof(iph->flow_lbl));
718 iph->daddr = rt->rt6i_dst.addr;
719 iph->saddr = cp->vaddr.in6; /* rt->rt6i_src.addr; */
720 iph->hop_limit = old_iph->hop_limit;
722 /* Another hack: avoid icmp_send in ip_fragment */
732 dst_link_failure(skb);
742 * Direct Routing transmitter
743 * Used for ANY protocol
746 ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
747 struct ip_vs_protocol *pp)
749 struct rtable *rt; /* Route to the other host */
750 struct iphdr *iph = ip_hdr(skb);
755 if (!(rt = __ip_vs_get_out_rt(cp, RT_TOS(iph->tos))))
759 mtu = dst_mtu(&rt->u.dst);
760 if ((iph->frag_off & htons(IP_DF)) && skb->len > mtu) {
761 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
763 IP_VS_DBG_RL("ip_vs_dr_xmit(): frag needed\n");
768 * Call ip_send_check because we are not sure it is called
769 * after ip_defrag. Is copy-on-write needed?
771 if (unlikely((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)) {
775 ip_send_check(ip_hdr(skb));
778 dst_release(skb->dst);
779 skb->dst = &rt->u.dst;
781 /* Another hack: avoid icmp_send in ip_fragment */
784 IP_VS_XMIT(PF_INET, skb, rt);
790 dst_link_failure(skb);
797 #ifdef CONFIG_IP_VS_IPV6
799 ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
800 struct ip_vs_protocol *pp)
802 struct rt6_info *rt; /* Route to the other host */
807 rt = __ip_vs_get_out_rt_v6(cp);
812 mtu = dst_mtu(&rt->u.dst);
813 if (skb->len > mtu) {
814 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev);
815 dst_release(&rt->u.dst);
816 IP_VS_DBG_RL("ip_vs_dr_xmit_v6(): frag needed\n");
821 * Call ip_send_check because we are not sure it is called
822 * after ip_defrag. Is copy-on-write needed?
824 skb = skb_share_check(skb, GFP_ATOMIC);
825 if (unlikely(skb == NULL)) {
826 dst_release(&rt->u.dst);
831 dst_release(skb->dst);
832 skb->dst = &rt->u.dst;
834 /* Another hack: avoid icmp_send in ip_fragment */
837 IP_VS_XMIT(PF_INET6, skb, rt);
843 dst_link_failure(skb);
853 * ICMP packet transmitter
854 * called by the ip_vs_in_icmp
857 ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
858 struct ip_vs_protocol *pp, int offset)
860 struct rtable *rt; /* Route to the other host */
866 /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
867 forwarded directly here, because there is no need to
868 translate address/port back */
869 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
871 rc = cp->packet_xmit(skb, cp, pp);
874 /* do not touch skb anymore */
875 atomic_inc(&cp->in_pkts);
880 * mangle and send the packet here (only for VS/NAT)
883 if (!(rt = __ip_vs_get_out_rt(cp, RT_TOS(ip_hdr(skb)->tos))))
887 mtu = dst_mtu(&rt->u.dst);
888 if ((skb->len > mtu) && (ip_hdr(skb)->frag_off & htons(IP_DF))) {
890 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
891 IP_VS_DBG_RL("ip_vs_in_icmp(): frag needed\n");
895 /* copy-on-write the packet before mangling it */
896 if (!skb_make_writable(skb, offset))
899 if (skb_cow(skb, rt->u.dst.dev->hard_header_len))
902 /* drop the old route when skb is not shared */
903 dst_release(skb->dst);
904 skb->dst = &rt->u.dst;
906 ip_vs_nat_icmp(skb, pp, cp, 0);
908 /* Another hack: avoid icmp_send in ip_fragment */
911 IP_VS_XMIT(PF_INET, skb, rt);
917 dst_link_failure(skb);
929 #ifdef CONFIG_IP_VS_IPV6
931 ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
932 struct ip_vs_protocol *pp, int offset)
934 struct rt6_info *rt; /* Route to the other host */
940 /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
941 forwarded directly here, because there is no need to
942 translate address/port back */
943 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
945 rc = cp->packet_xmit(skb, cp, pp);
948 /* do not touch skb anymore */
949 atomic_inc(&cp->in_pkts);
954 * mangle and send the packet here (only for VS/NAT)
957 rt = __ip_vs_get_out_rt_v6(cp);
962 mtu = dst_mtu(&rt->u.dst);
963 if (skb->len > mtu) {
964 dst_release(&rt->u.dst);
965 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev);
966 IP_VS_DBG_RL("ip_vs_in_icmp(): frag needed\n");
970 /* copy-on-write the packet before mangling it */
971 if (!skb_make_writable(skb, offset))
974 if (skb_cow(skb, rt->u.dst.dev->hard_header_len))
977 /* drop the old route when skb is not shared */
978 dst_release(skb->dst);
979 skb->dst = &rt->u.dst;
981 ip_vs_nat_icmp_v6(skb, pp, cp, 0);
983 /* Another hack: avoid icmp_send in ip_fragment */
986 IP_VS_XMIT(PF_INET6, skb, rt);
992 dst_link_failure(skb);
1000 dst_release(&rt->u.dst);