2 * ip_vs_xmit.c: various packet transmitters for IPVS
4 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
5 * Julian Anastasov <ja@ssi.bg>
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version
10 * 2 of the License, or (at your option) any later version.
14 * Description of forwarding methods:
15 * - all transmitters are called from LOCAL_IN (remote clients) and
16 * LOCAL_OUT (local clients) but for ICMP can be called from FORWARD
17 * - not all connections have destination server, for example,
18 * connections in backup server when fwmark is used
19 * - bypass connections use daddr from packet
21 * - skb->dev is NULL, skb->protocol is not set (both are set in POST_ROUTING)
22 * - skb->pkt_type is not set yet
23 * - the only place where we can see skb->sk != NULL
26 #define KMSG_COMPONENT "IPVS"
27 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
29 #include <linux/kernel.h>
30 #include <linux/slab.h>
31 #include <linux/tcp.h> /* for tcphdr */
33 #include <net/tcp.h> /* for csum_tcpudp_magic */
35 #include <net/icmp.h> /* for icmp_send */
36 #include <net/route.h> /* for ip_route_output */
38 #include <net/ip6_route.h>
39 #include <net/addrconf.h>
40 #include <linux/icmpv6.h>
41 #include <linux/netfilter.h>
42 #include <linux/netfilter_ipv4.h>
44 #include <net/ip_vs.h>
48 * Destination cache to speed up outgoing route lookup
51 __ip_vs_dst_set(struct ip_vs_dest *dest, u32 rtos, struct dst_entry *dst,
54 struct dst_entry *old_dst;
56 old_dst = dest->dst_cache;
57 dest->dst_cache = dst;
58 dest->dst_rtos = rtos;
59 dest->dst_cookie = dst_cookie;
63 static inline struct dst_entry *
64 __ip_vs_dst_check(struct ip_vs_dest *dest, u32 rtos)
66 struct dst_entry *dst = dest->dst_cache;
70 if ((dst->obsolete || rtos != dest->dst_rtos) &&
71 dst->ops->check(dst, dest->dst_cookie) == NULL) {
72 dest->dst_cache = NULL;
81 * Get route to destination or remote server
82 * rt_mode: flags, &1=Allow local dest, &2=Allow non-local dest,
83 * &4=Allow redirect from remote daddr to local
85 static struct rtable *
86 __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
87 __be32 daddr, u32 rtos, int rt_mode)
89 struct net *net = dev_net(skb_dst(skb)->dev);
90 struct rtable *rt; /* Route to the other host */
91 struct rtable *ort; /* Original route */
95 spin_lock(&dest->dst_lock);
96 if (!(rt = (struct rtable *)
97 __ip_vs_dst_check(dest, rtos))) {
102 .daddr = dest->addr.ip,
107 if (ip_route_output_key(net, &rt, &fl)) {
108 spin_unlock(&dest->dst_lock);
109 IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
113 __ip_vs_dst_set(dest, rtos, dst_clone(&rt->dst), 0);
114 IP_VS_DBG(10, "new dst %pI4, refcnt=%d, rtos=%X\n",
116 atomic_read(&rt->dst.__refcnt), rtos);
118 spin_unlock(&dest->dst_lock);
129 if (ip_route_output_key(net, &rt, &fl)) {
130 IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
136 local = rt->rt_flags & RTCF_LOCAL;
137 if (!((local ? 1 : 2) & rt_mode)) {
138 IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI4\n",
139 (rt->rt_flags & RTCF_LOCAL) ?
140 "local":"non-local", &rt->rt_dst);
144 if (local && !(rt_mode & 4) && !((ort = skb_rtable(skb)) &&
145 ort->rt_flags & RTCF_LOCAL)) {
146 IP_VS_DBG_RL("Redirect from non-local address %pI4 to local "
147 "requires NAT method, dest: %pI4\n",
148 &ip_hdr(skb)->daddr, &rt->rt_dst);
152 if (unlikely(!local && ipv4_is_loopback(ip_hdr(skb)->saddr))) {
153 IP_VS_DBG_RL("Stopping traffic from loopback address %pI4 "
154 "to non-local address, dest: %pI4\n",
155 &ip_hdr(skb)->saddr, &rt->rt_dst);
163 /* Reroute packet to local IPv4 stack after DNAT */
165 __ip_vs_reroute_locally(struct sk_buff *skb)
167 struct rtable *rt = skb_rtable(skb);
168 struct net_device *dev = rt->dst.dev;
169 struct net *net = dev_net(dev);
170 struct iphdr *iph = ip_hdr(skb);
173 unsigned long orefdst = skb->_skb_refdst;
175 if (ip_route_input(skb, iph->daddr, iph->saddr,
178 refdst_drop(orefdst);
186 .tos = RT_TOS(iph->tos),
193 if (ip_route_output_key(net, &rt, &fl))
195 if (!(rt->rt_flags & RTCF_LOCAL)) {
199 /* Drop old route. */
201 skb_dst_set(skb, &rt->dst);
206 #ifdef CONFIG_IP_VS_IPV6
208 static inline int __ip_vs_is_local_route6(struct rt6_info *rt)
210 return rt->rt6i_dev && rt->rt6i_dev->flags & IFF_LOOPBACK;
213 static struct dst_entry *
214 __ip_vs_route_output_v6(struct net *net, struct in6_addr *daddr,
215 struct in6_addr *ret_saddr, int do_xfrm)
217 struct dst_entry *dst;
227 dst = ip6_route_output(net, NULL, &fl);
232 if (ipv6_addr_any(&fl.fl6_src) &&
233 ipv6_dev_get_saddr(net, ip6_dst_idev(dst)->dev,
234 &fl.fl6_dst, 0, &fl.fl6_src) < 0)
236 if (do_xfrm && xfrm_lookup(net, &dst, &fl, NULL, 0) < 0)
238 ipv6_addr_copy(ret_saddr, &fl.fl6_src);
243 IP_VS_DBG_RL("ip6_route_output error, dest: %pI6\n", daddr);
248 * Get route to destination or remote server
249 * rt_mode: flags, &1=Allow local dest, &2=Allow non-local dest,
250 * &4=Allow redirect from remote daddr to local
252 static struct rt6_info *
253 __ip_vs_get_out_rt_v6(struct sk_buff *skb, struct ip_vs_dest *dest,
254 struct in6_addr *daddr, struct in6_addr *ret_saddr,
255 int do_xfrm, int rt_mode)
257 struct net *net = dev_net(skb_dst(skb)->dev);
258 struct rt6_info *rt; /* Route to the other host */
259 struct rt6_info *ort; /* Original route */
260 struct dst_entry *dst;
264 spin_lock(&dest->dst_lock);
265 rt = (struct rt6_info *)__ip_vs_dst_check(dest, 0);
269 dst = __ip_vs_route_output_v6(net, &dest->addr.in6,
273 spin_unlock(&dest->dst_lock);
276 rt = (struct rt6_info *) dst;
277 cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
278 __ip_vs_dst_set(dest, 0, dst_clone(&rt->dst), cookie);
279 IP_VS_DBG(10, "new dst %pI6, src %pI6, refcnt=%d\n",
280 &dest->addr.in6, &dest->dst_saddr,
281 atomic_read(&rt->dst.__refcnt));
284 ipv6_addr_copy(ret_saddr, &dest->dst_saddr);
285 spin_unlock(&dest->dst_lock);
287 dst = __ip_vs_route_output_v6(net, daddr, ret_saddr, do_xfrm);
290 rt = (struct rt6_info *) dst;
293 local = __ip_vs_is_local_route6(rt);
294 if (!((local ? 1 : 2) & rt_mode)) {
295 IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI6\n",
296 local ? "local":"non-local", daddr);
297 dst_release(&rt->dst);
300 if (local && !(rt_mode & 4) &&
301 !((ort = (struct rt6_info *) skb_dst(skb)) &&
302 __ip_vs_is_local_route6(ort))) {
303 IP_VS_DBG_RL("Redirect from non-local address %pI6 to local "
304 "requires NAT method, dest: %pI6\n",
305 &ipv6_hdr(skb)->daddr, daddr);
306 dst_release(&rt->dst);
309 if (unlikely(!local && (!skb->dev || skb->dev->flags & IFF_LOOPBACK) &&
310 ipv6_addr_type(&ipv6_hdr(skb)->saddr) &
311 IPV6_ADDR_LOOPBACK)) {
312 IP_VS_DBG_RL("Stopping traffic from loopback address %pI6 "
313 "to non-local address, dest: %pI6\n",
314 &ipv6_hdr(skb)->saddr, daddr);
315 dst_release(&rt->dst);
325 * Release dest->dst_cache before a dest is removed
328 ip_vs_dst_reset(struct ip_vs_dest *dest)
330 struct dst_entry *old_dst;
332 old_dst = dest->dst_cache;
333 dest->dst_cache = NULL;
334 dst_release(old_dst);
337 #define IP_VS_XMIT_TUNNEL(skb, cp) \
339 int __ret = NF_ACCEPT; \
341 (skb)->ipvs_property = 1; \
342 if (unlikely((cp)->flags & IP_VS_CONN_F_NFCT)) \
343 __ret = ip_vs_confirm_conntrack(skb, cp); \
344 if (__ret == NF_ACCEPT) { \
346 skb_forward_csum(skb); \
351 #define IP_VS_XMIT_NAT(pf, skb, cp, local) \
353 (skb)->ipvs_property = 1; \
354 if (likely(!((cp)->flags & IP_VS_CONN_F_NFCT))) \
355 ip_vs_notrack(skb); \
357 ip_vs_update_conntrack(skb, cp, 1); \
360 skb_forward_csum(skb); \
361 NF_HOOK(pf, NF_INET_LOCAL_OUT, (skb), NULL, \
362 skb_dst(skb)->dev, dst_output); \
365 #define IP_VS_XMIT(pf, skb, cp, local) \
367 (skb)->ipvs_property = 1; \
368 if (likely(!((cp)->flags & IP_VS_CONN_F_NFCT))) \
369 ip_vs_notrack(skb); \
372 skb_forward_csum(skb); \
373 NF_HOOK(pf, NF_INET_LOCAL_OUT, (skb), NULL, \
374 skb_dst(skb)->dev, dst_output); \
379 * NULL transmitter (do nothing except return NF_ACCEPT)
382 ip_vs_null_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
383 struct ip_vs_protocol *pp)
385 /* we do not touch skb and do not need pskb ptr */
386 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 1);
392 * Let packets bypass the destination when the destination is not
393 * available, it may be only used in transparent cache cluster.
396 ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
397 struct ip_vs_protocol *pp)
399 struct rtable *rt; /* Route to the other host */
400 struct iphdr *iph = ip_hdr(skb);
405 if (!(rt = __ip_vs_get_out_rt(skb, NULL, iph->daddr,
406 RT_TOS(iph->tos), 2)))
410 mtu = dst_mtu(&rt->dst);
411 if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) {
413 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
414 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
419 * Call ip_send_check because we are not sure it is called
420 * after ip_defrag. Is copy-on-write needed?
422 if (unlikely((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)) {
426 ip_send_check(ip_hdr(skb));
430 skb_dst_set(skb, &rt->dst);
432 /* Another hack: avoid icmp_send in ip_fragment */
435 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 0);
441 dst_link_failure(skb);
448 #ifdef CONFIG_IP_VS_IPV6
450 ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
451 struct ip_vs_protocol *pp)
453 struct rt6_info *rt; /* Route to the other host */
454 struct ipv6hdr *iph = ipv6_hdr(skb);
459 if (!(rt = __ip_vs_get_out_rt_v6(skb, NULL, &iph->daddr, NULL, 0, 2)))
463 mtu = dst_mtu(&rt->dst);
464 if (skb->len > mtu) {
466 struct net *net = dev_net(skb_dst(skb)->dev);
468 skb->dev = net->loopback_dev;
470 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
471 dst_release(&rt->dst);
472 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
477 * Call ip_send_check because we are not sure it is called
478 * after ip_defrag. Is copy-on-write needed?
480 skb = skb_share_check(skb, GFP_ATOMIC);
481 if (unlikely(skb == NULL)) {
482 dst_release(&rt->dst);
488 skb_dst_set(skb, &rt->dst);
490 /* Another hack: avoid icmp_send in ip_fragment */
493 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 0);
499 dst_link_failure(skb);
508 * NAT transmitter (only for outside-to-inside nat forwarding)
509 * Not used for related ICMP
512 ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
513 struct ip_vs_protocol *pp)
515 struct rtable *rt; /* Route to the other host */
517 struct iphdr *iph = ip_hdr(skb);
522 /* check if it is a connection of no-client-port */
523 if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {
525 p = skb_header_pointer(skb, iph->ihl*4, sizeof(_pt), &_pt);
528 ip_vs_conn_fill_cport(cp, *p);
529 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
532 if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
533 RT_TOS(iph->tos), 1|2|4)))
535 local = rt->rt_flags & RTCF_LOCAL;
537 * Avoid duplicate tuple in reply direction for NAT traffic
538 * to local address when connection is sync-ed
540 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
541 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
542 enum ip_conntrack_info ctinfo;
543 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
545 if (ct && !nf_ct_is_untracked(ct)) {
546 IP_VS_DBG_RL_PKT(10, AF_INET, pp, skb, 0,
548 "stopping DNAT to local address");
554 /* From world but DNAT to loopback address? */
555 if (local && ipv4_is_loopback(rt->rt_dst) && skb_rtable(skb)->fl.iif) {
556 IP_VS_DBG_RL_PKT(1, AF_INET, pp, skb, 0, "ip_vs_nat_xmit(): "
557 "stopping DNAT to loopback address");
562 mtu = dst_mtu(&rt->dst);
563 if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) {
564 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
565 IP_VS_DBG_RL_PKT(0, AF_INET, pp, skb, 0,
566 "ip_vs_nat_xmit(): frag needed for");
570 /* copy-on-write the packet before mangling it */
571 if (!skb_make_writable(skb, sizeof(struct iphdr)))
574 if (skb_cow(skb, rt->dst.dev->hard_header_len))
577 /* mangle the packet */
578 if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp))
580 ip_hdr(skb)->daddr = cp->daddr.ip;
581 ip_send_check(ip_hdr(skb));
586 skb_dst_set(skb, &rt->dst);
590 * Some IPv4 replies get local address from routes,
591 * not from iph, so while we DNAT after routing
592 * we need this second input/output route.
594 if (!__ip_vs_reroute_locally(skb))
598 IP_VS_DBG_PKT(10, AF_INET, pp, skb, 0, "After DNAT");
600 /* FIXME: when application helper enlarges the packet and the length
601 is larger than the MTU of outgoing device, there will be still
604 /* Another hack: avoid icmp_send in ip_fragment */
607 IP_VS_XMIT_NAT(NFPROTO_IPV4, skb, cp, local);
613 dst_link_failure(skb);
623 #ifdef CONFIG_IP_VS_IPV6
625 ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
626 struct ip_vs_protocol *pp)
628 struct rt6_info *rt; /* Route to the other host */
634 /* check if it is a connection of no-client-port */
635 if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {
637 p = skb_header_pointer(skb, sizeof(struct ipv6hdr),
641 ip_vs_conn_fill_cport(cp, *p);
642 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
645 if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
648 local = __ip_vs_is_local_route6(rt);
650 * Avoid duplicate tuple in reply direction for NAT traffic
651 * to local address when connection is sync-ed
653 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
654 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
655 enum ip_conntrack_info ctinfo;
656 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
658 if (ct && !nf_ct_is_untracked(ct)) {
659 IP_VS_DBG_RL_PKT(10, AF_INET6, pp, skb, 0,
660 "ip_vs_nat_xmit_v6(): "
661 "stopping DNAT to local address");
667 /* From world but DNAT to loopback address? */
668 if (local && skb->dev && !(skb->dev->flags & IFF_LOOPBACK) &&
669 ipv6_addr_type(&rt->rt6i_dst.addr) & IPV6_ADDR_LOOPBACK) {
670 IP_VS_DBG_RL_PKT(1, AF_INET6, pp, skb, 0,
671 "ip_vs_nat_xmit_v6(): "
672 "stopping DNAT to loopback address");
677 mtu = dst_mtu(&rt->dst);
678 if (skb->len > mtu) {
680 struct net *net = dev_net(skb_dst(skb)->dev);
682 skb->dev = net->loopback_dev;
684 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
685 IP_VS_DBG_RL_PKT(0, AF_INET6, pp, skb, 0,
686 "ip_vs_nat_xmit_v6(): frag needed for");
690 /* copy-on-write the packet before mangling it */
691 if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
694 if (skb_cow(skb, rt->dst.dev->hard_header_len))
697 /* mangle the packet */
698 if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp))
700 ipv6_addr_copy(&ipv6_hdr(skb)->daddr, &cp->daddr.in6);
702 if (!local || !skb->dev) {
703 /* drop the old route when skb is not shared */
705 skb_dst_set(skb, &rt->dst);
707 /* destined to loopback, do we need to change route? */
708 dst_release(&rt->dst);
711 IP_VS_DBG_PKT(10, AF_INET6, pp, skb, 0, "After DNAT");
713 /* FIXME: when application helper enlarges the packet and the length
714 is larger than the MTU of outgoing device, there will be still
717 /* Another hack: avoid icmp_send in ip_fragment */
720 IP_VS_XMIT_NAT(NFPROTO_IPV6, skb, cp, local);
726 dst_link_failure(skb);
732 dst_release(&rt->dst);
739 * IP Tunneling transmitter
741 * This function encapsulates the packet in a new IP packet, its
742 * destination will be set to cp->daddr. Most code of this function
743 * is taken from ipip.c.
745 * It is used in VS/TUN cluster. The load balancer selects a real
746 * server from a cluster based on a scheduling algorithm,
747 * encapsulates the request packet and forwards it to the selected
748 * server. For example, all real servers are configured with
749 * "ifconfig tunl0 <Virtual IP Address> up". When the server receives
750 * the encapsulated packet, it will decapsulate the packet, processe
751 * the request and return the response packets directly to the client
752 * without passing the load balancer. This can greatly increase the
753 * scalability of virtual server.
755 * Used for ANY protocol
758 ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
759 struct ip_vs_protocol *pp)
761 struct rtable *rt; /* Route to the other host */
762 struct net_device *tdev; /* Device to other host */
763 struct iphdr *old_iph = ip_hdr(skb);
764 u8 tos = old_iph->tos;
765 __be16 df = old_iph->frag_off;
766 struct iphdr *iph; /* Our new IP header */
767 unsigned int max_headroom; /* The extra header space needed */
773 if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
776 if (rt->rt_flags & RTCF_LOCAL) {
778 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 1);
783 mtu = dst_mtu(&rt->dst) - sizeof(struct iphdr);
785 IP_VS_DBG_RL("%s(): mtu less than 68\n", __func__);
789 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), mtu);
791 df |= (old_iph->frag_off & htons(IP_DF));
793 if ((old_iph->frag_off & htons(IP_DF))
794 && mtu < ntohs(old_iph->tot_len)) {
795 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
796 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
801 * Okay, now see if we can stuff it in the buffer as-is.
803 max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct iphdr);
805 if (skb_headroom(skb) < max_headroom
806 || skb_cloned(skb) || skb_shared(skb)) {
807 struct sk_buff *new_skb =
808 skb_realloc_headroom(skb, max_headroom);
812 IP_VS_ERR_RL("%s(): no memory\n", __func__);
817 old_iph = ip_hdr(skb);
820 skb->transport_header = skb->network_header;
822 /* fix old IP header checksum */
823 ip_send_check(old_iph);
825 skb_push(skb, sizeof(struct iphdr));
826 skb_reset_network_header(skb);
827 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
831 skb_dst_set(skb, &rt->dst);
834 * Push down and install the IPIP header.
838 iph->ihl = sizeof(struct iphdr)>>2;
840 iph->protocol = IPPROTO_IPIP;
842 iph->daddr = rt->rt_dst;
843 iph->saddr = rt->rt_src;
844 iph->ttl = old_iph->ttl;
845 ip_select_ident(iph, &rt->dst, NULL);
847 /* Another hack: avoid icmp_send in ip_fragment */
850 ret = IP_VS_XMIT_TUNNEL(skb, cp);
851 if (ret == NF_ACCEPT)
853 else if (ret == NF_DROP)
861 dst_link_failure(skb);
871 #ifdef CONFIG_IP_VS_IPV6
873 ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
874 struct ip_vs_protocol *pp)
876 struct rt6_info *rt; /* Route to the other host */
877 struct in6_addr saddr; /* Source for tunnel */
878 struct net_device *tdev; /* Device to other host */
879 struct ipv6hdr *old_iph = ipv6_hdr(skb);
880 struct ipv6hdr *iph; /* Our new IP header */
881 unsigned int max_headroom; /* The extra header space needed */
887 if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6,
890 if (__ip_vs_is_local_route6(rt)) {
891 dst_release(&rt->dst);
892 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 1);
897 mtu = dst_mtu(&rt->dst) - sizeof(struct ipv6hdr);
898 if (mtu < IPV6_MIN_MTU) {
899 IP_VS_DBG_RL("%s(): mtu less than %d\n", __func__,
904 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), mtu);
906 if (mtu < ntohs(old_iph->payload_len) + sizeof(struct ipv6hdr)) {
908 struct net *net = dev_net(skb_dst(skb)->dev);
910 skb->dev = net->loopback_dev;
912 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
913 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
918 * Okay, now see if we can stuff it in the buffer as-is.
920 max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct ipv6hdr);
922 if (skb_headroom(skb) < max_headroom
923 || skb_cloned(skb) || skb_shared(skb)) {
924 struct sk_buff *new_skb =
925 skb_realloc_headroom(skb, max_headroom);
927 dst_release(&rt->dst);
929 IP_VS_ERR_RL("%s(): no memory\n", __func__);
934 old_iph = ipv6_hdr(skb);
937 skb->transport_header = skb->network_header;
939 skb_push(skb, sizeof(struct ipv6hdr));
940 skb_reset_network_header(skb);
941 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
945 skb_dst_set(skb, &rt->dst);
948 * Push down and install the IPIP header.
952 iph->nexthdr = IPPROTO_IPV6;
953 iph->payload_len = old_iph->payload_len;
954 be16_add_cpu(&iph->payload_len, sizeof(*old_iph));
955 iph->priority = old_iph->priority;
956 memset(&iph->flow_lbl, 0, sizeof(iph->flow_lbl));
957 ipv6_addr_copy(&iph->daddr, &cp->daddr.in6);
958 ipv6_addr_copy(&iph->saddr, &saddr);
959 iph->hop_limit = old_iph->hop_limit;
961 /* Another hack: avoid icmp_send in ip_fragment */
964 ret = IP_VS_XMIT_TUNNEL(skb, cp);
965 if (ret == NF_ACCEPT)
967 else if (ret == NF_DROP)
975 dst_link_failure(skb);
981 dst_release(&rt->dst);
988 * Direct Routing transmitter
989 * Used for ANY protocol
992 ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
993 struct ip_vs_protocol *pp)
995 struct rtable *rt; /* Route to the other host */
996 struct iphdr *iph = ip_hdr(skb);
1001 if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
1002 RT_TOS(iph->tos), 1|2)))
1004 if (rt->rt_flags & RTCF_LOCAL) {
1006 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 1);
1010 mtu = dst_mtu(&rt->dst);
1011 if ((iph->frag_off & htons(IP_DF)) && skb->len > mtu) {
1012 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
1014 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1019 * Call ip_send_check because we are not sure it is called
1020 * after ip_defrag. Is copy-on-write needed?
1022 if (unlikely((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)) {
1026 ip_send_check(ip_hdr(skb));
1028 /* drop old route */
1030 skb_dst_set(skb, &rt->dst);
1032 /* Another hack: avoid icmp_send in ip_fragment */
1035 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 0);
1041 dst_link_failure(skb);
1048 #ifdef CONFIG_IP_VS_IPV6
1050 ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
1051 struct ip_vs_protocol *pp)
1053 struct rt6_info *rt; /* Route to the other host */
1058 if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
1061 if (__ip_vs_is_local_route6(rt)) {
1062 dst_release(&rt->dst);
1063 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 1);
1067 mtu = dst_mtu(&rt->dst);
1068 if (skb->len > mtu) {
1070 struct net *net = dev_net(skb_dst(skb)->dev);
1072 skb->dev = net->loopback_dev;
1074 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
1075 dst_release(&rt->dst);
1076 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1081 * Call ip_send_check because we are not sure it is called
1082 * after ip_defrag. Is copy-on-write needed?
1084 skb = skb_share_check(skb, GFP_ATOMIC);
1085 if (unlikely(skb == NULL)) {
1086 dst_release(&rt->dst);
1090 /* drop old route */
1092 skb_dst_set(skb, &rt->dst);
1094 /* Another hack: avoid icmp_send in ip_fragment */
1097 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 0);
1103 dst_link_failure(skb);
1113 * ICMP packet transmitter
1114 * called by the ip_vs_in_icmp
1117 ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
1118 struct ip_vs_protocol *pp, int offset)
1120 struct rtable *rt; /* Route to the other host */
1127 /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
1128 forwarded directly here, because there is no need to
1129 translate address/port back */
1130 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
1131 if (cp->packet_xmit)
1132 rc = cp->packet_xmit(skb, cp, pp);
1135 /* do not touch skb anymore */
1136 atomic_inc(&cp->in_pkts);
1141 * mangle and send the packet here (only for VS/NAT)
1144 if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
1145 RT_TOS(ip_hdr(skb)->tos), 1|2|4)))
1147 local = rt->rt_flags & RTCF_LOCAL;
1150 * Avoid duplicate tuple in reply direction for NAT traffic
1151 * to local address when connection is sync-ed
1153 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
1154 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
1155 enum ip_conntrack_info ctinfo;
1156 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
1158 if (ct && !nf_ct_is_untracked(ct)) {
1159 IP_VS_DBG(10, "%s(): "
1160 "stopping DNAT to local address %pI4\n",
1161 __func__, &cp->daddr.ip);
1167 /* From world but DNAT to loopback address? */
1168 if (local && ipv4_is_loopback(rt->rt_dst) && skb_rtable(skb)->fl.iif) {
1169 IP_VS_DBG(1, "%s(): "
1170 "stopping DNAT to loopback %pI4\n",
1171 __func__, &cp->daddr.ip);
1176 mtu = dst_mtu(&rt->dst);
1177 if ((skb->len > mtu) && (ip_hdr(skb)->frag_off & htons(IP_DF))) {
1178 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
1179 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1183 /* copy-on-write the packet before mangling it */
1184 if (!skb_make_writable(skb, offset))
1187 if (skb_cow(skb, rt->dst.dev->hard_header_len))
1190 ip_vs_nat_icmp(skb, pp, cp, 0);
1193 /* drop the old route when skb is not shared */
1195 skb_dst_set(skb, &rt->dst);
1199 * Some IPv4 replies get local address from routes,
1200 * not from iph, so while we DNAT after routing
1201 * we need this second input/output route.
1203 if (!__ip_vs_reroute_locally(skb))
1207 /* Another hack: avoid icmp_send in ip_fragment */
1210 IP_VS_XMIT_NAT(NFPROTO_IPV4, skb, cp, local);
1216 dst_link_failure(skb);
1228 #ifdef CONFIG_IP_VS_IPV6
1230 ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
1231 struct ip_vs_protocol *pp, int offset)
1233 struct rt6_info *rt; /* Route to the other host */
1240 /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
1241 forwarded directly here, because there is no need to
1242 translate address/port back */
1243 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
1244 if (cp->packet_xmit)
1245 rc = cp->packet_xmit(skb, cp, pp);
1248 /* do not touch skb anymore */
1249 atomic_inc(&cp->in_pkts);
1254 * mangle and send the packet here (only for VS/NAT)
1257 if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
1261 local = __ip_vs_is_local_route6(rt);
1263 * Avoid duplicate tuple in reply direction for NAT traffic
1264 * to local address when connection is sync-ed
1266 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
1267 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
1268 enum ip_conntrack_info ctinfo;
1269 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
1271 if (ct && !nf_ct_is_untracked(ct)) {
1272 IP_VS_DBG(10, "%s(): "
1273 "stopping DNAT to local address %pI6\n",
1274 __func__, &cp->daddr.in6);
1280 /* From world but DNAT to loopback address? */
1281 if (local && skb->dev && !(skb->dev->flags & IFF_LOOPBACK) &&
1282 ipv6_addr_type(&rt->rt6i_dst.addr) & IPV6_ADDR_LOOPBACK) {
1283 IP_VS_DBG(1, "%s(): "
1284 "stopping DNAT to loopback %pI6\n",
1285 __func__, &cp->daddr.in6);
1290 mtu = dst_mtu(&rt->dst);
1291 if (skb->len > mtu) {
1293 struct net *net = dev_net(skb_dst(skb)->dev);
1295 skb->dev = net->loopback_dev;
1297 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
1298 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1302 /* copy-on-write the packet before mangling it */
1303 if (!skb_make_writable(skb, offset))
1306 if (skb_cow(skb, rt->dst.dev->hard_header_len))
1309 ip_vs_nat_icmp_v6(skb, pp, cp, 0);
1311 if (!local || !skb->dev) {
1312 /* drop the old route when skb is not shared */
1314 skb_dst_set(skb, &rt->dst);
1316 /* destined to loopback, do we need to change route? */
1317 dst_release(&rt->dst);
1320 /* Another hack: avoid icmp_send in ip_fragment */
1323 IP_VS_XMIT_NAT(NFPROTO_IPV6, skb, cp, local);
1329 dst_link_failure(skb);
1337 dst_release(&rt->dst);
git://bbs.cooldavid.org / net-next-2.6.git / blob