2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the Netfilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
17 * The IPVS code for kernel 2.2 was done by Wensong Zhang and Peter Kese,
18 * with changes/fixes from Julian Anastasov, Lars Marowsky-Bree, Horms
19 * and others. Many code here is taken from IP MASQ code of kernel 2.2.
25 #define KMSG_COMPONENT "IPVS"
26 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
28 #include <linux/interrupt.h>
30 #include <linux/net.h>
31 #include <linux/kernel.h>
32 #include <linux/module.h>
33 #include <linux/vmalloc.h>
34 #include <linux/proc_fs.h> /* for proc_net_* */
35 #include <linux/slab.h>
36 #include <linux/seq_file.h>
37 #include <linux/jhash.h>
38 #include <linux/random.h>
40 #include <net/net_namespace.h>
41 #include <net/ip_vs.h>
44 #ifndef CONFIG_IP_VS_TAB_BITS
45 #define CONFIG_IP_VS_TAB_BITS 12
49 * Connection hash size. Default is what was selected at compile time.
51 static int ip_vs_conn_tab_bits = CONFIG_IP_VS_TAB_BITS;
52 module_param_named(conn_tab_bits, ip_vs_conn_tab_bits, int, 0444);
53 MODULE_PARM_DESC(conn_tab_bits, "Set connections' hash size");
55 /* size and mask values */
56 int ip_vs_conn_tab_size __read_mostly;
57 static int ip_vs_conn_tab_mask __read_mostly;
60 * Connection hash table: for input and output packets lookups of IPVS
62 static struct hlist_head *ip_vs_conn_tab __read_mostly;
64 /* SLAB cache for IPVS connections */
65 static struct kmem_cache *ip_vs_conn_cachep __read_mostly;
67 /* counter for no client port connections */
68 static atomic_t ip_vs_conn_no_cport_cnt = ATOMIC_INIT(0);
70 /* random value for IPVS connection hash */
71 static unsigned int ip_vs_conn_rnd __read_mostly;
74 * Fine locking granularity for big connection hash table
76 #define CT_LOCKARRAY_BITS 5
77 #define CT_LOCKARRAY_SIZE (1<<CT_LOCKARRAY_BITS)
78 #define CT_LOCKARRAY_MASK (CT_LOCKARRAY_SIZE-1)
80 struct ip_vs_aligned_lock
83 } __attribute__((__aligned__(SMP_CACHE_BYTES)));
85 /* lock array for conn table */
86 static struct ip_vs_aligned_lock
87 __ip_vs_conntbl_lock_array[CT_LOCKARRAY_SIZE] __cacheline_aligned;
89 static inline void ct_read_lock(unsigned int key)
91 read_lock(&__ip_vs_conntbl_lock_array[key&CT_LOCKARRAY_MASK].l);
94 static inline void ct_read_unlock(unsigned int key)
96 read_unlock(&__ip_vs_conntbl_lock_array[key&CT_LOCKARRAY_MASK].l);
99 static inline void ct_write_lock(unsigned int key)
101 write_lock(&__ip_vs_conntbl_lock_array[key&CT_LOCKARRAY_MASK].l);
104 static inline void ct_write_unlock(unsigned int key)
106 write_unlock(&__ip_vs_conntbl_lock_array[key&CT_LOCKARRAY_MASK].l);
109 static inline void ct_read_lock_bh(unsigned int key)
111 read_lock_bh(&__ip_vs_conntbl_lock_array[key&CT_LOCKARRAY_MASK].l);
114 static inline void ct_read_unlock_bh(unsigned int key)
116 read_unlock_bh(&__ip_vs_conntbl_lock_array[key&CT_LOCKARRAY_MASK].l);
119 static inline void ct_write_lock_bh(unsigned int key)
121 write_lock_bh(&__ip_vs_conntbl_lock_array[key&CT_LOCKARRAY_MASK].l);
124 static inline void ct_write_unlock_bh(unsigned int key)
126 write_unlock_bh(&__ip_vs_conntbl_lock_array[key&CT_LOCKARRAY_MASK].l);
131 * Returns hash value for IPVS connection entry
133 static unsigned int ip_vs_conn_hashkey(struct net *net, int af, unsigned int proto,
134 const union nf_inet_addr *addr,
137 #ifdef CONFIG_IP_VS_IPV6
139 return (jhash_3words(jhash(addr, 16, ip_vs_conn_rnd),
140 (__force u32)port, proto, ip_vs_conn_rnd) ^
141 ((size_t)net>>8)) & ip_vs_conn_tab_mask;
143 return (jhash_3words((__force u32)addr->ip, (__force u32)port, proto,
145 ((size_t)net>>8)) & ip_vs_conn_tab_mask;
148 static unsigned int ip_vs_conn_hashkey_param(const struct ip_vs_conn_param *p,
151 const union nf_inet_addr *addr;
154 if (p->pe_data && p->pe->hashkey_raw)
155 return p->pe->hashkey_raw(p, ip_vs_conn_rnd, inverse) &
158 if (likely(!inverse)) {
166 return ip_vs_conn_hashkey(p->net, p->af, p->protocol, addr, port);
169 static unsigned int ip_vs_conn_hashkey_conn(const struct ip_vs_conn *cp)
171 struct ip_vs_conn_param p;
173 ip_vs_conn_fill_param(ip_vs_conn_net(cp), cp->af, cp->protocol,
174 &cp->caddr, cp->cport, NULL, 0, &p);
178 p.pe_data = cp->pe_data;
179 p.pe_data_len = cp->pe_data_len;
182 return ip_vs_conn_hashkey_param(&p, false);
186 * Hashes ip_vs_conn in ip_vs_conn_tab by netns,proto,addr,port.
187 * returns bool success.
189 static inline int ip_vs_conn_hash(struct ip_vs_conn *cp)
194 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
197 /* Hash by protocol, client address and port */
198 hash = ip_vs_conn_hashkey_conn(cp);
201 spin_lock(&cp->lock);
203 if (!(cp->flags & IP_VS_CONN_F_HASHED)) {
204 hlist_add_head(&cp->c_list, &ip_vs_conn_tab[hash]);
205 cp->flags |= IP_VS_CONN_F_HASHED;
206 atomic_inc(&cp->refcnt);
209 pr_err("%s(): request for already hashed, called from %pF\n",
210 __func__, __builtin_return_address(0));
214 spin_unlock(&cp->lock);
215 ct_write_unlock(hash);
222 * UNhashes ip_vs_conn from ip_vs_conn_tab.
223 * returns bool success.
225 static inline int ip_vs_conn_unhash(struct ip_vs_conn *cp)
230 /* unhash it and decrease its reference counter */
231 hash = ip_vs_conn_hashkey_conn(cp);
234 spin_lock(&cp->lock);
236 if (cp->flags & IP_VS_CONN_F_HASHED) {
237 hlist_del(&cp->c_list);
238 cp->flags &= ~IP_VS_CONN_F_HASHED;
239 atomic_dec(&cp->refcnt);
244 spin_unlock(&cp->lock);
245 ct_write_unlock(hash);
252 * Gets ip_vs_conn associated with supplied parameters in the ip_vs_conn_tab.
253 * Called for pkts coming from OUTside-to-INside.
254 * p->caddr, p->cport: pkt source address (foreign host)
255 * p->vaddr, p->vport: pkt dest address (load balancer)
257 static inline struct ip_vs_conn *
258 __ip_vs_conn_in_get(const struct ip_vs_conn_param *p)
261 struct ip_vs_conn *cp;
262 struct hlist_node *n;
264 hash = ip_vs_conn_hashkey_param(p, false);
268 hlist_for_each_entry(cp, n, &ip_vs_conn_tab[hash], c_list) {
269 if (cp->af == p->af &&
270 p->cport == cp->cport && p->vport == cp->vport &&
271 ip_vs_addr_equal(p->af, p->caddr, &cp->caddr) &&
272 ip_vs_addr_equal(p->af, p->vaddr, &cp->vaddr) &&
273 ((!p->cport) ^ (!(cp->flags & IP_VS_CONN_F_NO_CPORT))) &&
274 p->protocol == cp->protocol &&
275 ip_vs_conn_net_eq(cp, p->net)) {
277 atomic_inc(&cp->refcnt);
278 ct_read_unlock(hash);
283 ct_read_unlock(hash);
288 struct ip_vs_conn *ip_vs_conn_in_get(const struct ip_vs_conn_param *p)
290 struct ip_vs_conn *cp;
292 cp = __ip_vs_conn_in_get(p);
293 if (!cp && atomic_read(&ip_vs_conn_no_cport_cnt)) {
294 struct ip_vs_conn_param cport_zero_p = *p;
295 cport_zero_p.cport = 0;
296 cp = __ip_vs_conn_in_get(&cport_zero_p);
299 IP_VS_DBG_BUF(9, "lookup/in %s %s:%d->%s:%d %s\n",
300 ip_vs_proto_name(p->protocol),
301 IP_VS_DBG_ADDR(p->af, p->caddr), ntohs(p->cport),
302 IP_VS_DBG_ADDR(p->af, p->vaddr), ntohs(p->vport),
303 cp ? "hit" : "not hit");
309 ip_vs_conn_fill_param_proto(int af, const struct sk_buff *skb,
310 const struct ip_vs_iphdr *iph,
311 unsigned int proto_off, int inverse,
312 struct ip_vs_conn_param *p)
314 __be16 _ports[2], *pptr;
315 struct net *net = skb_net(skb);
317 pptr = skb_header_pointer(skb, proto_off, sizeof(_ports), _ports);
321 if (likely(!inverse))
322 ip_vs_conn_fill_param(net, af, iph->protocol, &iph->saddr,
323 pptr[0], &iph->daddr, pptr[1], p);
325 ip_vs_conn_fill_param(net, af, iph->protocol, &iph->daddr,
326 pptr[1], &iph->saddr, pptr[0], p);
331 ip_vs_conn_in_get_proto(int af, const struct sk_buff *skb,
332 const struct ip_vs_iphdr *iph,
333 unsigned int proto_off, int inverse)
335 struct ip_vs_conn_param p;
337 if (ip_vs_conn_fill_param_proto(af, skb, iph, proto_off, inverse, &p))
340 return ip_vs_conn_in_get(&p);
342 EXPORT_SYMBOL_GPL(ip_vs_conn_in_get_proto);
344 /* Get reference to connection template */
345 struct ip_vs_conn *ip_vs_ct_in_get(const struct ip_vs_conn_param *p)
348 struct ip_vs_conn *cp;
349 struct hlist_node *n;
351 hash = ip_vs_conn_hashkey_param(p, false);
355 hlist_for_each_entry(cp, n, &ip_vs_conn_tab[hash], c_list) {
356 if (!ip_vs_conn_net_eq(cp, p->net))
358 if (p->pe_data && p->pe->ct_match) {
359 if (p->pe == cp->pe && p->pe->ct_match(p, cp))
364 if (cp->af == p->af &&
365 ip_vs_addr_equal(p->af, p->caddr, &cp->caddr) &&
366 /* protocol should only be IPPROTO_IP if
367 * p->vaddr is a fwmark */
368 ip_vs_addr_equal(p->protocol == IPPROTO_IP ? AF_UNSPEC :
369 p->af, p->vaddr, &cp->vaddr) &&
370 p->cport == cp->cport && p->vport == cp->vport &&
371 cp->flags & IP_VS_CONN_F_TEMPLATE &&
372 p->protocol == cp->protocol)
379 atomic_inc(&cp->refcnt);
380 ct_read_unlock(hash);
382 IP_VS_DBG_BUF(9, "template lookup/in %s %s:%d->%s:%d %s\n",
383 ip_vs_proto_name(p->protocol),
384 IP_VS_DBG_ADDR(p->af, p->caddr), ntohs(p->cport),
385 IP_VS_DBG_ADDR(p->af, p->vaddr), ntohs(p->vport),
386 cp ? "hit" : "not hit");
391 /* Gets ip_vs_conn associated with supplied parameters in the ip_vs_conn_tab.
392 * Called for pkts coming from inside-to-OUTside.
393 * p->caddr, p->cport: pkt source address (inside host)
394 * p->vaddr, p->vport: pkt dest address (foreign host) */
395 struct ip_vs_conn *ip_vs_conn_out_get(const struct ip_vs_conn_param *p)
398 struct ip_vs_conn *cp, *ret=NULL;
399 struct hlist_node *n;
402 * Check for "full" addressed entries
404 hash = ip_vs_conn_hashkey_param(p, true);
408 hlist_for_each_entry(cp, n, &ip_vs_conn_tab[hash], c_list) {
409 if (cp->af == p->af &&
410 p->vport == cp->cport && p->cport == cp->dport &&
411 ip_vs_addr_equal(p->af, p->vaddr, &cp->caddr) &&
412 ip_vs_addr_equal(p->af, p->caddr, &cp->daddr) &&
413 p->protocol == cp->protocol &&
414 ip_vs_conn_net_eq(cp, p->net)) {
416 atomic_inc(&cp->refcnt);
422 ct_read_unlock(hash);
424 IP_VS_DBG_BUF(9, "lookup/out %s %s:%d->%s:%d %s\n",
425 ip_vs_proto_name(p->protocol),
426 IP_VS_DBG_ADDR(p->af, p->caddr), ntohs(p->cport),
427 IP_VS_DBG_ADDR(p->af, p->vaddr), ntohs(p->vport),
428 ret ? "hit" : "not hit");
434 ip_vs_conn_out_get_proto(int af, const struct sk_buff *skb,
435 const struct ip_vs_iphdr *iph,
436 unsigned int proto_off, int inverse)
438 struct ip_vs_conn_param p;
440 if (ip_vs_conn_fill_param_proto(af, skb, iph, proto_off, inverse, &p))
443 return ip_vs_conn_out_get(&p);
445 EXPORT_SYMBOL_GPL(ip_vs_conn_out_get_proto);
448 * Put back the conn and restart its timer with its timeout
450 void ip_vs_conn_put(struct ip_vs_conn *cp)
452 unsigned long t = (cp->flags & IP_VS_CONN_F_ONE_PACKET) ?
454 mod_timer(&cp->timer, jiffies+t);
456 __ip_vs_conn_put(cp);
461 * Fill a no_client_port connection with a client port number
463 void ip_vs_conn_fill_cport(struct ip_vs_conn *cp, __be16 cport)
465 if (ip_vs_conn_unhash(cp)) {
466 spin_lock(&cp->lock);
467 if (cp->flags & IP_VS_CONN_F_NO_CPORT) {
468 atomic_dec(&ip_vs_conn_no_cport_cnt);
469 cp->flags &= ~IP_VS_CONN_F_NO_CPORT;
472 spin_unlock(&cp->lock);
474 /* hash on new dport */
481 * Bind a connection entry with the corresponding packet_xmit.
482 * Called by ip_vs_conn_new.
484 static inline void ip_vs_bind_xmit(struct ip_vs_conn *cp)
486 switch (IP_VS_FWD_METHOD(cp)) {
487 case IP_VS_CONN_F_MASQ:
488 cp->packet_xmit = ip_vs_nat_xmit;
491 case IP_VS_CONN_F_TUNNEL:
492 cp->packet_xmit = ip_vs_tunnel_xmit;
495 case IP_VS_CONN_F_DROUTE:
496 cp->packet_xmit = ip_vs_dr_xmit;
499 case IP_VS_CONN_F_LOCALNODE:
500 cp->packet_xmit = ip_vs_null_xmit;
503 case IP_VS_CONN_F_BYPASS:
504 cp->packet_xmit = ip_vs_bypass_xmit;
509 #ifdef CONFIG_IP_VS_IPV6
510 static inline void ip_vs_bind_xmit_v6(struct ip_vs_conn *cp)
512 switch (IP_VS_FWD_METHOD(cp)) {
513 case IP_VS_CONN_F_MASQ:
514 cp->packet_xmit = ip_vs_nat_xmit_v6;
517 case IP_VS_CONN_F_TUNNEL:
518 cp->packet_xmit = ip_vs_tunnel_xmit_v6;
521 case IP_VS_CONN_F_DROUTE:
522 cp->packet_xmit = ip_vs_dr_xmit_v6;
525 case IP_VS_CONN_F_LOCALNODE:
526 cp->packet_xmit = ip_vs_null_xmit;
529 case IP_VS_CONN_F_BYPASS:
530 cp->packet_xmit = ip_vs_bypass_xmit_v6;
537 static inline int ip_vs_dest_totalconns(struct ip_vs_dest *dest)
539 return atomic_read(&dest->activeconns)
540 + atomic_read(&dest->inactconns);
544 * Bind a connection entry with a virtual service destination
545 * Called just after a new connection entry is created.
548 ip_vs_bind_dest(struct ip_vs_conn *cp, struct ip_vs_dest *dest)
550 unsigned int conn_flags;
553 /* if dest is NULL, then return directly */
557 /* Increase the refcnt counter of the dest */
558 atomic_inc(&dest->refcnt);
560 conn_flags = atomic_read(&dest->conn_flags);
561 if (cp->protocol != IPPROTO_UDP)
562 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
564 /* Bind with the destination and its corresponding transmitter */
565 if (flags & IP_VS_CONN_F_SYNC) {
566 /* if the connection is not template and is created
567 * by sync, preserve the activity flag.
569 if (!(flags & IP_VS_CONN_F_TEMPLATE))
570 conn_flags &= ~IP_VS_CONN_F_INACTIVE;
571 /* connections inherit forwarding method from dest */
572 flags &= ~(IP_VS_CONN_F_FWD_MASK | IP_VS_CONN_F_NOOUTPUT);
578 IP_VS_DBG_BUF(7, "Bind-dest %s c:%s:%d v:%s:%d "
579 "d:%s:%d fwd:%c s:%u conn->flags:%X conn->refcnt:%d "
581 ip_vs_proto_name(cp->protocol),
582 IP_VS_DBG_ADDR(cp->af, &cp->caddr), ntohs(cp->cport),
583 IP_VS_DBG_ADDR(cp->af, &cp->vaddr), ntohs(cp->vport),
584 IP_VS_DBG_ADDR(cp->af, &cp->daddr), ntohs(cp->dport),
585 ip_vs_fwd_tag(cp), cp->state,
586 cp->flags, atomic_read(&cp->refcnt),
587 atomic_read(&dest->refcnt));
589 /* Update the connection counters */
590 if (!(flags & IP_VS_CONN_F_TEMPLATE)) {
591 /* It is a normal connection, so modify the counters
592 * according to the flags, later the protocol can
593 * update them on state change
595 if (!(flags & IP_VS_CONN_F_INACTIVE))
596 atomic_inc(&dest->activeconns);
598 atomic_inc(&dest->inactconns);
600 /* It is a persistent connection/template, so increase
601 the persistent connection counter */
602 atomic_inc(&dest->persistconns);
605 if (dest->u_threshold != 0 &&
606 ip_vs_dest_totalconns(dest) >= dest->u_threshold)
607 dest->flags |= IP_VS_DEST_F_OVERLOAD;
612 * Check if there is a destination for the connection, if so
613 * bind the connection to the destination.
615 struct ip_vs_dest *ip_vs_try_bind_dest(struct ip_vs_conn *cp)
617 struct ip_vs_dest *dest;
619 dest = ip_vs_find_dest(ip_vs_conn_net(cp), cp->af, &cp->daddr,
620 cp->dport, &cp->vaddr, cp->vport,
621 cp->protocol, cp->fwmark, cp->flags);
623 struct ip_vs_proto_data *pd;
625 spin_lock(&cp->lock);
627 spin_unlock(&cp->lock);
631 /* Applications work depending on the forwarding method
632 * but better to reassign them always when binding dest */
634 ip_vs_unbind_app(cp);
636 ip_vs_bind_dest(cp, dest);
637 spin_unlock(&cp->lock);
639 /* Update its packet transmitter */
640 cp->packet_xmit = NULL;
641 #ifdef CONFIG_IP_VS_IPV6
642 if (cp->af == AF_INET6)
643 ip_vs_bind_xmit_v6(cp);
648 pd = ip_vs_proto_data_get(ip_vs_conn_net(cp), cp->protocol);
649 if (pd && atomic_read(&pd->appcnt))
650 ip_vs_bind_app(cp, pd->pp);
657 * Unbind a connection entry with its VS destination
658 * Called by the ip_vs_conn_expire function.
660 static inline void ip_vs_unbind_dest(struct ip_vs_conn *cp)
662 struct ip_vs_dest *dest = cp->dest;
667 IP_VS_DBG_BUF(7, "Unbind-dest %s c:%s:%d v:%s:%d "
668 "d:%s:%d fwd:%c s:%u conn->flags:%X conn->refcnt:%d "
670 ip_vs_proto_name(cp->protocol),
671 IP_VS_DBG_ADDR(cp->af, &cp->caddr), ntohs(cp->cport),
672 IP_VS_DBG_ADDR(cp->af, &cp->vaddr), ntohs(cp->vport),
673 IP_VS_DBG_ADDR(cp->af, &cp->daddr), ntohs(cp->dport),
674 ip_vs_fwd_tag(cp), cp->state,
675 cp->flags, atomic_read(&cp->refcnt),
676 atomic_read(&dest->refcnt));
678 /* Update the connection counters */
679 if (!(cp->flags & IP_VS_CONN_F_TEMPLATE)) {
680 /* It is a normal connection, so decrease the inactconns
681 or activeconns counter */
682 if (cp->flags & IP_VS_CONN_F_INACTIVE) {
683 atomic_dec(&dest->inactconns);
685 atomic_dec(&dest->activeconns);
688 /* It is a persistent connection/template, so decrease
689 the persistent connection counter */
690 atomic_dec(&dest->persistconns);
693 if (dest->l_threshold != 0) {
694 if (ip_vs_dest_totalconns(dest) < dest->l_threshold)
695 dest->flags &= ~IP_VS_DEST_F_OVERLOAD;
696 } else if (dest->u_threshold != 0) {
697 if (ip_vs_dest_totalconns(dest) * 4 < dest->u_threshold * 3)
698 dest->flags &= ~IP_VS_DEST_F_OVERLOAD;
700 if (dest->flags & IP_VS_DEST_F_OVERLOAD)
701 dest->flags &= ~IP_VS_DEST_F_OVERLOAD;
705 * Simply decrease the refcnt of the dest, because the
706 * dest will be either in service's destination list
709 atomic_dec(&dest->refcnt);
712 static int expire_quiescent_template(struct netns_ipvs *ipvs,
713 struct ip_vs_dest *dest)
716 return ipvs->sysctl_expire_quiescent_template &&
717 (atomic_read(&dest->weight) == 0);
724 * Checking if the destination of a connection template is available.
725 * If available, return 1, otherwise invalidate this connection
726 * template and return 0.
728 int ip_vs_check_template(struct ip_vs_conn *ct)
730 struct ip_vs_dest *dest = ct->dest;
731 struct netns_ipvs *ipvs = net_ipvs(ip_vs_conn_net(ct));
734 * Checking the dest server status.
736 if ((dest == NULL) ||
737 !(dest->flags & IP_VS_DEST_F_AVAILABLE) ||
738 expire_quiescent_template(ipvs, dest)) {
739 IP_VS_DBG_BUF(9, "check_template: dest not available for "
740 "protocol %s s:%s:%d v:%s:%d "
742 ip_vs_proto_name(ct->protocol),
743 IP_VS_DBG_ADDR(ct->af, &ct->caddr),
745 IP_VS_DBG_ADDR(ct->af, &ct->vaddr),
747 IP_VS_DBG_ADDR(ct->af, &ct->daddr),
751 * Invalidate the connection template
753 if (ct->vport != htons(0xffff)) {
754 if (ip_vs_conn_unhash(ct)) {
755 ct->dport = htons(0xffff);
756 ct->vport = htons(0xffff);
763 * Simply decrease the refcnt of the template,
764 * don't restart its timer.
766 atomic_dec(&ct->refcnt);
772 static void ip_vs_conn_expire(unsigned long data)
774 struct ip_vs_conn *cp = (struct ip_vs_conn *)data;
775 struct net *net = ip_vs_conn_net(cp);
776 struct netns_ipvs *ipvs = net_ipvs(net);
783 atomic_inc(&cp->refcnt);
786 * do I control anybody?
788 if (atomic_read(&cp->n_control))
792 * unhash it if it is hashed in the conn table
794 if (!ip_vs_conn_unhash(cp) && !(cp->flags & IP_VS_CONN_F_ONE_PACKET))
798 * refcnt==1 implies I'm the only one referrer
800 if (likely(atomic_read(&cp->refcnt) == 1)) {
801 /* delete the timer if it is activated by other users */
802 if (timer_pending(&cp->timer))
803 del_timer(&cp->timer);
805 /* does anybody control me? */
807 ip_vs_control_del(cp);
809 if (cp->flags & IP_VS_CONN_F_NFCT) {
810 ip_vs_conn_drop_conntrack(cp);
811 /* Do not access conntracks during subsys cleanup
812 * because nf_conntrack_find_get can not be used after
813 * conntrack cleanup for the net.
817 ip_vs_conn_drop_conntrack(cp);
820 ip_vs_pe_put(cp->pe);
822 if (unlikely(cp->app != NULL))
823 ip_vs_unbind_app(cp);
824 ip_vs_unbind_dest(cp);
825 if (cp->flags & IP_VS_CONN_F_NO_CPORT)
826 atomic_dec(&ip_vs_conn_no_cport_cnt);
827 atomic_dec(&ipvs->conn_count);
829 kmem_cache_free(ip_vs_conn_cachep, cp);
833 /* hash it back to the table */
837 IP_VS_DBG(7, "delayed: conn->refcnt-1=%d conn->n_control=%d\n",
838 atomic_read(&cp->refcnt)-1,
839 atomic_read(&cp->n_control));
841 if (ipvs->sync_state & IP_VS_STATE_MASTER)
842 ip_vs_sync_conn(net, cp, sysctl_sync_threshold(ipvs));
848 void ip_vs_conn_expire_now(struct ip_vs_conn *cp)
850 if (del_timer(&cp->timer))
851 mod_timer(&cp->timer, jiffies);
856 * Create a new connection entry and hash it into the ip_vs_conn_tab
859 ip_vs_conn_new(const struct ip_vs_conn_param *p,
860 const union nf_inet_addr *daddr, __be16 dport, unsigned int flags,
861 struct ip_vs_dest *dest, __u32 fwmark)
863 struct ip_vs_conn *cp;
864 struct netns_ipvs *ipvs = net_ipvs(p->net);
865 struct ip_vs_proto_data *pd = ip_vs_proto_data_get(p->net,
868 cp = kmem_cache_zalloc(ip_vs_conn_cachep, GFP_ATOMIC);
870 IP_VS_ERR_RL("%s(): no memory\n", __func__);
874 INIT_HLIST_NODE(&cp->c_list);
875 setup_timer(&cp->timer, ip_vs_conn_expire, (unsigned long)cp);
876 ip_vs_conn_net_set(cp, p->net);
878 cp->protocol = p->protocol;
879 ip_vs_addr_copy(p->af, &cp->caddr, p->caddr);
880 cp->cport = p->cport;
881 ip_vs_addr_copy(p->af, &cp->vaddr, p->vaddr);
882 cp->vport = p->vport;
883 /* proto should only be IPPROTO_IP if d_addr is a fwmark */
884 ip_vs_addr_copy(p->protocol == IPPROTO_IP ? AF_UNSPEC : p->af,
889 if (flags & IP_VS_CONN_F_TEMPLATE && p->pe) {
892 cp->pe_data = p->pe_data;
893 cp->pe_data_len = p->pe_data_len;
895 spin_lock_init(&cp->lock);
898 * Set the entry is referenced by the current thread before hashing
899 * it in the table, so that other thread run ip_vs_random_dropentry
900 * but cannot drop this entry.
902 atomic_set(&cp->refcnt, 1);
904 atomic_set(&cp->n_control, 0);
905 atomic_set(&cp->in_pkts, 0);
907 atomic_inc(&ipvs->conn_count);
908 if (flags & IP_VS_CONN_F_NO_CPORT)
909 atomic_inc(&ip_vs_conn_no_cport_cnt);
911 /* Bind the connection with a destination server */
912 ip_vs_bind_dest(cp, dest);
914 /* Set its state and timeout */
917 cp->sync_endtime = jiffies & ~3UL;
919 /* Bind its packet transmitter */
920 #ifdef CONFIG_IP_VS_IPV6
921 if (p->af == AF_INET6)
922 ip_vs_bind_xmit_v6(cp);
927 if (unlikely(pd && atomic_read(&pd->appcnt)))
928 ip_vs_bind_app(cp, pd->pp);
931 * Allow conntrack to be preserved. By default, conntrack
932 * is created and destroyed for every packet.
933 * Sometimes keeping conntrack can be useful for
934 * IP_VS_CONN_F_ONE_PACKET too.
937 if (ip_vs_conntrack_enabled(ipvs))
938 cp->flags |= IP_VS_CONN_F_NFCT;
940 /* Hash it in the ip_vs_conn_tab finally */
947 * /proc/net/ip_vs_conn entries
949 #ifdef CONFIG_PROC_FS
950 struct ip_vs_iter_state {
951 struct seq_net_private p;
952 struct hlist_head *l;
955 static void *ip_vs_conn_array(struct seq_file *seq, loff_t pos)
958 struct ip_vs_conn *cp;
959 struct ip_vs_iter_state *iter = seq->private;
960 struct hlist_node *n;
962 for (idx = 0; idx < ip_vs_conn_tab_size; idx++) {
963 ct_read_lock_bh(idx);
964 hlist_for_each_entry(cp, n, &ip_vs_conn_tab[idx], c_list) {
966 iter->l = &ip_vs_conn_tab[idx];
970 ct_read_unlock_bh(idx);
976 static void *ip_vs_conn_seq_start(struct seq_file *seq, loff_t *pos)
978 struct ip_vs_iter_state *iter = seq->private;
981 return *pos ? ip_vs_conn_array(seq, *pos - 1) :SEQ_START_TOKEN;
984 static void *ip_vs_conn_seq_next(struct seq_file *seq, void *v, loff_t *pos)
986 struct ip_vs_conn *cp = v;
987 struct ip_vs_iter_state *iter = seq->private;
988 struct hlist_node *e;
989 struct hlist_head *l = iter->l;
993 if (v == SEQ_START_TOKEN)
994 return ip_vs_conn_array(seq, 0);
996 /* more on same hash chain? */
997 if ((e = cp->c_list.next))
998 return hlist_entry(e, struct ip_vs_conn, c_list);
1000 idx = l - ip_vs_conn_tab;
1001 ct_read_unlock_bh(idx);
1003 while (++idx < ip_vs_conn_tab_size) {
1004 ct_read_lock_bh(idx);
1005 hlist_for_each_entry(cp, e, &ip_vs_conn_tab[idx], c_list) {
1006 iter->l = &ip_vs_conn_tab[idx];
1009 ct_read_unlock_bh(idx);
1015 static void ip_vs_conn_seq_stop(struct seq_file *seq, void *v)
1017 struct ip_vs_iter_state *iter = seq->private;
1018 struct hlist_head *l = iter->l;
1021 ct_read_unlock_bh(l - ip_vs_conn_tab);
1024 static int ip_vs_conn_seq_show(struct seq_file *seq, void *v)
1027 if (v == SEQ_START_TOKEN)
1029 "Pro FromIP FPrt ToIP TPrt DestIP DPrt State Expires PEName PEData\n");
1031 const struct ip_vs_conn *cp = v;
1032 struct net *net = seq_file_net(seq);
1033 char pe_data[IP_VS_PENAME_MAXLEN + IP_VS_PEDATA_MAXLEN + 3];
1036 if (!ip_vs_conn_net_eq(cp, net))
1040 len = strlen(cp->pe->name);
1041 memcpy(pe_data + 1, cp->pe->name, len);
1042 pe_data[len + 1] = ' ';
1044 len += cp->pe->show_pe_data(cp, pe_data + len);
1046 pe_data[len] = '\0';
1048 #ifdef CONFIG_IP_VS_IPV6
1049 if (cp->af == AF_INET6)
1050 seq_printf(seq, "%-3s %pI6 %04X %pI6 %04X "
1051 "%pI6 %04X %-11s %7lu%s\n",
1052 ip_vs_proto_name(cp->protocol),
1053 &cp->caddr.in6, ntohs(cp->cport),
1054 &cp->vaddr.in6, ntohs(cp->vport),
1055 &cp->daddr.in6, ntohs(cp->dport),
1056 ip_vs_state_name(cp->protocol, cp->state),
1057 (cp->timer.expires-jiffies)/HZ, pe_data);
1061 "%-3s %08X %04X %08X %04X"
1062 " %08X %04X %-11s %7lu%s\n",
1063 ip_vs_proto_name(cp->protocol),
1064 ntohl(cp->caddr.ip), ntohs(cp->cport),
1065 ntohl(cp->vaddr.ip), ntohs(cp->vport),
1066 ntohl(cp->daddr.ip), ntohs(cp->dport),
1067 ip_vs_state_name(cp->protocol, cp->state),
1068 (cp->timer.expires-jiffies)/HZ, pe_data);
1073 static const struct seq_operations ip_vs_conn_seq_ops = {
1074 .start = ip_vs_conn_seq_start,
1075 .next = ip_vs_conn_seq_next,
1076 .stop = ip_vs_conn_seq_stop,
1077 .show = ip_vs_conn_seq_show,
1080 static int ip_vs_conn_open(struct inode *inode, struct file *file)
1082 return seq_open_net(inode, file, &ip_vs_conn_seq_ops,
1083 sizeof(struct ip_vs_iter_state));
1086 static const struct file_operations ip_vs_conn_fops = {
1087 .owner = THIS_MODULE,
1088 .open = ip_vs_conn_open,
1090 .llseek = seq_lseek,
1091 .release = seq_release_net,
1094 static const char *ip_vs_origin_name(unsigned int flags)
1096 if (flags & IP_VS_CONN_F_SYNC)
1102 static int ip_vs_conn_sync_seq_show(struct seq_file *seq, void *v)
1105 if (v == SEQ_START_TOKEN)
1107 "Pro FromIP FPrt ToIP TPrt DestIP DPrt State Origin Expires\n");
1109 const struct ip_vs_conn *cp = v;
1110 struct net *net = seq_file_net(seq);
1112 if (!ip_vs_conn_net_eq(cp, net))
1115 #ifdef CONFIG_IP_VS_IPV6
1116 if (cp->af == AF_INET6)
1117 seq_printf(seq, "%-3s %pI6 %04X %pI6 %04X %pI6 %04X %-11s %-6s %7lu\n",
1118 ip_vs_proto_name(cp->protocol),
1119 &cp->caddr.in6, ntohs(cp->cport),
1120 &cp->vaddr.in6, ntohs(cp->vport),
1121 &cp->daddr.in6, ntohs(cp->dport),
1122 ip_vs_state_name(cp->protocol, cp->state),
1123 ip_vs_origin_name(cp->flags),
1124 (cp->timer.expires-jiffies)/HZ);
1128 "%-3s %08X %04X %08X %04X "
1129 "%08X %04X %-11s %-6s %7lu\n",
1130 ip_vs_proto_name(cp->protocol),
1131 ntohl(cp->caddr.ip), ntohs(cp->cport),
1132 ntohl(cp->vaddr.ip), ntohs(cp->vport),
1133 ntohl(cp->daddr.ip), ntohs(cp->dport),
1134 ip_vs_state_name(cp->protocol, cp->state),
1135 ip_vs_origin_name(cp->flags),
1136 (cp->timer.expires-jiffies)/HZ);
1141 static const struct seq_operations ip_vs_conn_sync_seq_ops = {
1142 .start = ip_vs_conn_seq_start,
1143 .next = ip_vs_conn_seq_next,
1144 .stop = ip_vs_conn_seq_stop,
1145 .show = ip_vs_conn_sync_seq_show,
1148 static int ip_vs_conn_sync_open(struct inode *inode, struct file *file)
1150 return seq_open_net(inode, file, &ip_vs_conn_sync_seq_ops,
1151 sizeof(struct ip_vs_iter_state));
1154 static const struct file_operations ip_vs_conn_sync_fops = {
1155 .owner = THIS_MODULE,
1156 .open = ip_vs_conn_sync_open,
1158 .llseek = seq_lseek,
1159 .release = seq_release_net,
1166 * Randomly drop connection entries before running out of memory
1168 static inline int todrop_entry(struct ip_vs_conn *cp)
1171 * The drop rate array needs tuning for real environments.
1172 * Called from timer bh only => no locking
1174 static const char todrop_rate[9] = {0, 1, 2, 3, 4, 5, 6, 7, 8};
1175 static char todrop_counter[9] = {0};
1178 /* if the conn entry hasn't lasted for 60 seconds, don't drop it.
1179 This will leave enough time for normal connection to get
1181 if (time_before(cp->timeout + jiffies, cp->timer.expires + 60*HZ))
1184 /* Don't drop the entry if its number of incoming packets is not
1185 located in [0, 8] */
1186 i = atomic_read(&cp->in_pkts);
1187 if (i > 8 || i < 0) return 0;
1189 if (!todrop_rate[i]) return 0;
1190 if (--todrop_counter[i] > 0) return 0;
1192 todrop_counter[i] = todrop_rate[i];
1196 /* Called from keventd and must protect itself from softirqs */
1197 void ip_vs_random_dropentry(struct net *net)
1200 struct ip_vs_conn *cp;
1203 * Randomly scan 1/32 of the whole table every second
1205 for (idx = 0; idx < (ip_vs_conn_tab_size>>5); idx++) {
1206 unsigned int hash = net_random() & ip_vs_conn_tab_mask;
1207 struct hlist_node *n;
1210 * Lock is actually needed in this loop.
1212 ct_write_lock_bh(hash);
1214 hlist_for_each_entry(cp, n, &ip_vs_conn_tab[hash], c_list) {
1215 if (cp->flags & IP_VS_CONN_F_TEMPLATE)
1216 /* connection template */
1218 if (!ip_vs_conn_net_eq(cp, net))
1220 if (cp->protocol == IPPROTO_TCP) {
1222 case IP_VS_TCP_S_SYN_RECV:
1223 case IP_VS_TCP_S_SYNACK:
1226 case IP_VS_TCP_S_ESTABLISHED:
1227 if (todrop_entry(cp))
1235 if (!todrop_entry(cp))
1239 IP_VS_DBG(4, "del connection\n");
1240 ip_vs_conn_expire_now(cp);
1242 IP_VS_DBG(4, "del conn template\n");
1243 ip_vs_conn_expire_now(cp->control);
1246 ct_write_unlock_bh(hash);
1252 * Flush all the connection entries in the ip_vs_conn_tab
1254 static void ip_vs_conn_flush(struct net *net)
1257 struct ip_vs_conn *cp;
1258 struct netns_ipvs *ipvs = net_ipvs(net);
1261 for (idx = 0; idx < ip_vs_conn_tab_size; idx++) {
1262 struct hlist_node *n;
1265 * Lock is actually needed in this loop.
1267 ct_write_lock_bh(idx);
1269 hlist_for_each_entry(cp, n, &ip_vs_conn_tab[idx], c_list) {
1270 if (!ip_vs_conn_net_eq(cp, net))
1272 IP_VS_DBG(4, "del connection\n");
1273 ip_vs_conn_expire_now(cp);
1275 IP_VS_DBG(4, "del conn template\n");
1276 ip_vs_conn_expire_now(cp->control);
1279 ct_write_unlock_bh(idx);
1282 /* the counter may be not NULL, because maybe some conn entries
1283 are run by slow timer handler or unhashed but still referred */
1284 if (atomic_read(&ipvs->conn_count) != 0) {
1290 * per netns init and exit
1292 int __net_init ip_vs_conn_net_init(struct net *net)
1294 struct netns_ipvs *ipvs = net_ipvs(net);
1296 atomic_set(&ipvs->conn_count, 0);
1298 proc_net_fops_create(net, "ip_vs_conn", 0, &ip_vs_conn_fops);
1299 proc_net_fops_create(net, "ip_vs_conn_sync", 0, &ip_vs_conn_sync_fops);
1303 void __net_exit ip_vs_conn_net_cleanup(struct net *net)
1305 /* flush all the connection entries first */
1306 ip_vs_conn_flush(net);
1307 proc_net_remove(net, "ip_vs_conn");
1308 proc_net_remove(net, "ip_vs_conn_sync");
1311 int __init ip_vs_conn_init(void)
1315 /* Compute size and mask */
1316 ip_vs_conn_tab_size = 1 << ip_vs_conn_tab_bits;
1317 ip_vs_conn_tab_mask = ip_vs_conn_tab_size - 1;
1320 * Allocate the connection hash table and initialize its list heads
1322 ip_vs_conn_tab = vmalloc(ip_vs_conn_tab_size * sizeof(*ip_vs_conn_tab));
1323 if (!ip_vs_conn_tab)
1326 /* Allocate ip_vs_conn slab cache */
1327 ip_vs_conn_cachep = kmem_cache_create("ip_vs_conn",
1328 sizeof(struct ip_vs_conn), 0,
1329 SLAB_HWCACHE_ALIGN, NULL);
1330 if (!ip_vs_conn_cachep) {
1331 vfree(ip_vs_conn_tab);
1335 pr_info("Connection hash table configured "
1336 "(size=%d, memory=%ldKbytes)\n",
1337 ip_vs_conn_tab_size,
1338 (long)(ip_vs_conn_tab_size*sizeof(struct list_head))/1024);
1339 IP_VS_DBG(0, "Each connection entry needs %Zd bytes at least\n",
1340 sizeof(struct ip_vs_conn));
1342 for (idx = 0; idx < ip_vs_conn_tab_size; idx++)
1343 INIT_HLIST_HEAD(&ip_vs_conn_tab[idx]);
1345 for (idx = 0; idx < CT_LOCKARRAY_SIZE; idx++) {
1346 rwlock_init(&__ip_vs_conntbl_lock_array[idx].l);
1349 /* calculate the random value for connection hash */
1350 get_random_bytes(&ip_vs_conn_rnd, sizeof(ip_vs_conn_rnd));
1355 void ip_vs_conn_cleanup(void)
1357 /* Release the empty cache */
1358 kmem_cache_destroy(ip_vs_conn_cachep);
1359 vfree(ip_vs_conn_tab);
projects / ~andy / linux / blob