]> bbs.cooldavid.org Git - net-next-2.6.git/blobdiff - net/netfilter/ipvs/ip_vs_ctl.c
git://bbs.cooldavid.org / net-next-2.6.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
ipvs: make rerouting optional with snat_reroute
[net-next-2.6.git] / net / netfilter / ipvs / ip_vs_ctl.c
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 0f0c079c422a03f87616a1c1df76c0e387245a9e..e637cd0384b1d17a0e8b610dd9fdd9b8e16fc294 100644 (file)
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -61,7 +61,7 @@ static DEFINE_RWLOCK(__ip_vs_svc_lock);
 static DEFINE_RWLOCK(__ip_vs_rs_lock);
 
 /* lock for state and timeout tables */
-static DEFINE_RWLOCK(__ip_vs_securetcp_lock);
+static DEFINE_SPINLOCK(ip_vs_securetcp_lock);
 
 /* lock for drop entry handling */
 static DEFINE_SPINLOCK(__ip_vs_dropentry_lock);
@@ -88,6 +88,10 @@ int sysctl_ip_vs_expire_nodest_conn = 0;
 int sysctl_ip_vs_expire_quiescent_template = 0;
 int sysctl_ip_vs_sync_threshold[2] = { 3, 50 };
 int sysctl_ip_vs_nat_icmp_send = 0;
+#ifdef CONFIG_IP_VS_NFCT
+int sysctl_ip_vs_conntrack;
+#endif
+int sysctl_ip_vs_snat_reroute = 1;
 
 
 #ifdef CONFIG_IP_VS_DEBUG
@@ -204,7 +208,7 @@ static void update_defense_level(void)
        spin_unlock(&__ip_vs_droppacket_lock);
 
        /* secure_tcp */
-       write_lock(&__ip_vs_securetcp_lock);
+       spin_lock(&ip_vs_securetcp_lock);
        switch (sysctl_ip_vs_secure_tcp) {
        case 0:
                if (old_secure_tcp >= 2)
@@ -238,7 +242,7 @@ static void update_defense_level(void)
        old_secure_tcp = sysctl_ip_vs_secure_tcp;
        if (to_change >= 0)
                ip_vs_protocol_timeout_change(sysctl_ip_vs_secure_tcp>1);
-       write_unlock(&__ip_vs_securetcp_lock);
+       spin_unlock(&ip_vs_securetcp_lock);
 
        local_bh_enable();
 }
@@ -765,7 +769,8 @@ __ip_vs_update_dest(struct ip_vs_service *svc,
 
        /* set the weight and the flags */
        atomic_set(&dest->weight, udest->weight);
-       conn_flags = udest->conn_flags | IP_VS_CONN_F_INACTIVE;
+       conn_flags = udest->conn_flags & IP_VS_CONN_F_DEST_MASK;
+       conn_flags |= IP_VS_CONN_F_INACTIVE;
 
        /* check if local node and update the flags */
 #ifdef CONFIG_IP_VS_IPV6
@@ -782,7 +787,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc,
                }
 
        /* set the IP_VS_CONN_F_NOOUTPUT flag if not masquerading/NAT */
-       if ((conn_flags & IP_VS_CONN_F_FWD_MASK) != 0) {
+       if ((conn_flags & IP_VS_CONN_F_FWD_MASK) != IP_VS_CONN_F_MASQ) {
                conn_flags |= IP_VS_CONN_F_NOOUTPUT;
        } else {
                /*
@@ -843,7 +848,7 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
                        return -EINVAL;
        }
 
-       dest = kzalloc(sizeof(struct ip_vs_dest), GFP_ATOMIC);
+       dest = kzalloc(sizeof(struct ip_vs_dest), GFP_KERNEL);
        if (dest == NULL) {
                pr_err("%s(): no memory.\n", __func__);
                return -ENOMEM;
@@ -1177,7 +1182,7 @@ ip_vs_add_service(struct ip_vs_service_user_kern *u,
        }
 #endif
 
-       svc = kzalloc(sizeof(struct ip_vs_service), GFP_ATOMIC);
+       svc = kzalloc(sizeof(struct ip_vs_service), GFP_KERNEL);
        if (svc == NULL) {
                IP_VS_DBG(1, "%s(): no memory\n", __func__);
                ret = -ENOMEM;
@@ -1579,6 +1584,15 @@ static struct ctl_table vs_vars[] = {
                .mode           = 0644,
                .proc_handler   = proc_do_defense_mode,
        },
+#ifdef CONFIG_IP_VS_NFCT
+       {
+               .procname       = "conntrack",
+               .data           = &sysctl_ip_vs_conntrack,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec,
+       },
+#endif
        {
                .procname       = "secure_tcp",
                .data           = &sysctl_ip_vs_secure_tcp,
@@ -1586,6 +1600,13 @@ static struct ctl_table vs_vars[] = {
                .mode           = 0644,
                .proc_handler   = proc_do_defense_mode,
        },
+       {
+               .procname       = "snat_reroute",
+               .data           = &sysctl_ip_vs_snat_reroute,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec,
+       },
 #if 0
        {
                .procname       = "timeout_established",
@@ -2155,7 +2176,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
        if (cmd != IP_VS_SO_SET_ADD
            && (svc == NULL || svc->protocol != usvc.protocol)) {
                ret = -ESRCH;
-               goto out_unlock;
+               goto out_drop_service;
        }
 
        switch (cmd) {
@@ -2189,6 +2210,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
                ret = -EINVAL;
        }
 
+out_drop_service:
        if (svc)
                ip_vs_service_put(svc);
 
Clone of davem's net-next-2.6 tree