2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the Netfilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
17 * The IPVS code for kernel 2.2 was done by Wensong Zhang and Peter Kese,
18 * with changes/fixes from Julian Anastasov, Lars Marowsky-Bree, Horms
22 * Paul `Rusty' Russell properly handle non-linear skbs
23 * Harald Welte don't use nfcache
27 #define KMSG_COMPONENT "IPVS"
28 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
30 #include <linux/module.h>
31 #include <linux/kernel.h>
33 #include <linux/tcp.h>
34 #include <linux/sctp.h>
35 #include <linux/icmp.h>
40 #include <net/icmp.h> /* for icmp_send */
41 #include <net/route.h>
43 #include <linux/netfilter.h>
44 #include <linux/netfilter_ipv4.h>
46 #ifdef CONFIG_IP_VS_IPV6
48 #include <linux/netfilter_ipv6.h>
51 #include <net/ip_vs.h>
54 EXPORT_SYMBOL(register_ip_vs_scheduler);
55 EXPORT_SYMBOL(unregister_ip_vs_scheduler);
56 EXPORT_SYMBOL(ip_vs_skb_replace);
57 EXPORT_SYMBOL(ip_vs_proto_name);
58 EXPORT_SYMBOL(ip_vs_conn_new);
59 EXPORT_SYMBOL(ip_vs_conn_in_get);
60 EXPORT_SYMBOL(ip_vs_conn_out_get);
61 #ifdef CONFIG_IP_VS_PROTO_TCP
62 EXPORT_SYMBOL(ip_vs_tcp_conn_listen);
64 EXPORT_SYMBOL(ip_vs_conn_put);
65 #ifdef CONFIG_IP_VS_DEBUG
66 EXPORT_SYMBOL(ip_vs_get_debug_level);
70 /* ID used in ICMP lookups */
71 #define icmp_id(icmph) (((icmph)->un).echo.id)
72 #define icmpv6_id(icmph) (icmph->icmp6_dataun.u_echo.identifier)
74 const char *ip_vs_proto_name(unsigned proto)
89 #ifdef CONFIG_IP_VS_IPV6
94 sprintf(buf, "IP_%d", proto);
99 void ip_vs_init_hash_table(struct list_head *table, int rows)
102 INIT_LIST_HEAD(&table[rows]);
106 ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
108 struct ip_vs_dest *dest = cp->dest;
109 if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
110 spin_lock(&dest->stats.lock);
111 dest->stats.ustats.inpkts++;
112 dest->stats.ustats.inbytes += skb->len;
113 spin_unlock(&dest->stats.lock);
115 spin_lock(&dest->svc->stats.lock);
116 dest->svc->stats.ustats.inpkts++;
117 dest->svc->stats.ustats.inbytes += skb->len;
118 spin_unlock(&dest->svc->stats.lock);
120 spin_lock(&ip_vs_stats.lock);
121 ip_vs_stats.ustats.inpkts++;
122 ip_vs_stats.ustats.inbytes += skb->len;
123 spin_unlock(&ip_vs_stats.lock);
129 ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
131 struct ip_vs_dest *dest = cp->dest;
132 if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
133 spin_lock(&dest->stats.lock);
134 dest->stats.ustats.outpkts++;
135 dest->stats.ustats.outbytes += skb->len;
136 spin_unlock(&dest->stats.lock);
138 spin_lock(&dest->svc->stats.lock);
139 dest->svc->stats.ustats.outpkts++;
140 dest->svc->stats.ustats.outbytes += skb->len;
141 spin_unlock(&dest->svc->stats.lock);
143 spin_lock(&ip_vs_stats.lock);
144 ip_vs_stats.ustats.outpkts++;
145 ip_vs_stats.ustats.outbytes += skb->len;
146 spin_unlock(&ip_vs_stats.lock);
152 ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
154 spin_lock(&cp->dest->stats.lock);
155 cp->dest->stats.ustats.conns++;
156 spin_unlock(&cp->dest->stats.lock);
158 spin_lock(&svc->stats.lock);
159 svc->stats.ustats.conns++;
160 spin_unlock(&svc->stats.lock);
162 spin_lock(&ip_vs_stats.lock);
163 ip_vs_stats.ustats.conns++;
164 spin_unlock(&ip_vs_stats.lock);
169 ip_vs_set_state(struct ip_vs_conn *cp, int direction,
170 const struct sk_buff *skb,
171 struct ip_vs_protocol *pp)
173 if (unlikely(!pp->state_transition))
175 return pp->state_transition(cp, direction, skb, pp);
180 * IPVS persistent scheduling function
181 * It creates a connection entry according to its template if exists,
182 * or selects a server and creates a connection entry plus a template.
183 * Locking: we are svc user (svc->refcnt), so we hold all dests too
184 * Protocols supported: TCP, UDP
186 static struct ip_vs_conn *
187 ip_vs_sched_persist(struct ip_vs_service *svc,
188 const struct sk_buff *skb,
191 struct ip_vs_conn *cp = NULL;
192 struct ip_vs_iphdr iph;
193 struct ip_vs_dest *dest;
194 struct ip_vs_conn *ct;
195 __be16 dport; /* destination port to forward */
196 union nf_inet_addr snet; /* source network of the client,
199 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
201 /* Mask saddr with the netmask to adjust template granularity */
202 #ifdef CONFIG_IP_VS_IPV6
203 if (svc->af == AF_INET6)
204 ipv6_addr_prefix(&snet.in6, &iph.saddr.in6, svc->netmask);
207 snet.ip = iph.saddr.ip & svc->netmask;
209 IP_VS_DBG_BUF(6, "p-schedule: src %s:%u dest %s:%u "
211 IP_VS_DBG_ADDR(svc->af, &iph.saddr), ntohs(ports[0]),
212 IP_VS_DBG_ADDR(svc->af, &iph.daddr), ntohs(ports[1]),
213 IP_VS_DBG_ADDR(svc->af, &snet));
216 * As far as we know, FTP is a very complicated network protocol, and
217 * it uses control connection and data connections. For active FTP,
218 * FTP server initialize data connection to the client, its source port
219 * is often 20. For passive FTP, FTP server tells the clients the port
220 * that it passively listens to, and the client issues the data
221 * connection. In the tunneling or direct routing mode, the load
222 * balancer is on the client-to-server half of connection, the port
223 * number is unknown to the load balancer. So, a conn template like
224 * <caddr, 0, vaddr, 0, daddr, 0> is created for persistent FTP
225 * service, and a template like <caddr, 0, vaddr, vport, daddr, dport>
226 * is created for other persistent services.
228 if (ports[1] == svc->port) {
229 /* Check if a template already exists */
230 if (svc->port != FTPPORT)
231 ct = ip_vs_ct_in_get(svc->af, iph.protocol, &snet, 0,
232 &iph.daddr, ports[1]);
234 ct = ip_vs_ct_in_get(svc->af, iph.protocol, &snet, 0,
237 if (!ct || !ip_vs_check_template(ct)) {
239 * No template found or the dest of the connection
240 * template is not available.
242 dest = svc->scheduler->schedule(svc, skb);
244 IP_VS_DBG(1, "p-schedule: no dest found.\n");
249 * Create a template like <protocol,caddr,0,
250 * vaddr,vport,daddr,dport> for non-ftp service,
251 * and <protocol,caddr,0,vaddr,0,daddr,0>
254 if (svc->port != FTPPORT)
255 ct = ip_vs_conn_new(svc->af, iph.protocol,
259 &dest->addr, dest->port,
260 IP_VS_CONN_F_TEMPLATE,
263 ct = ip_vs_conn_new(svc->af, iph.protocol,
267 IP_VS_CONN_F_TEMPLATE,
272 ct->timeout = svc->timeout;
274 /* set destination with the found template */
280 * Note: persistent fwmark-based services and persistent
281 * port zero service are handled here.
282 * fwmark template: <IPPROTO_IP,caddr,0,fwmark,0,daddr,0>
283 * port zero template: <protocol,caddr,0,vaddr,0,daddr,0>
286 union nf_inet_addr fwmark = {
287 .ip = htonl(svc->fwmark)
290 ct = ip_vs_ct_in_get(svc->af, IPPROTO_IP, &snet, 0,
293 ct = ip_vs_ct_in_get(svc->af, iph.protocol, &snet, 0,
296 if (!ct || !ip_vs_check_template(ct)) {
298 * If it is not persistent port zero, return NULL,
299 * otherwise create a connection template.
304 dest = svc->scheduler->schedule(svc, skb);
306 IP_VS_DBG(1, "p-schedule: no dest found.\n");
311 * Create a template according to the service
314 union nf_inet_addr fwmark = {
315 .ip = htonl(svc->fwmark)
318 ct = ip_vs_conn_new(svc->af, IPPROTO_IP,
322 IP_VS_CONN_F_TEMPLATE,
325 ct = ip_vs_conn_new(svc->af, iph.protocol,
329 IP_VS_CONN_F_TEMPLATE,
334 ct->timeout = svc->timeout;
336 /* set destination with the found template */
343 * Create a new connection according to the template
345 cp = ip_vs_conn_new(svc->af, iph.protocol,
346 &iph.saddr, ports[0],
347 &iph.daddr, ports[1],
359 ip_vs_control_add(cp, ct);
362 ip_vs_conn_stats(cp, svc);
368 * IPVS main scheduling function
369 * It selects a server according to the virtual service, and
370 * creates a connection entry.
371 * Protocols supported: TCP, UDP
374 ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
376 struct ip_vs_conn *cp = NULL;
377 struct ip_vs_iphdr iph;
378 struct ip_vs_dest *dest;
379 __be16 _ports[2], *pptr;
381 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
382 pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
389 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
390 return ip_vs_sched_persist(svc, skb, pptr);
393 * Non-persistent service
395 if (!svc->fwmark && pptr[1] != svc->port) {
397 pr_err("Schedule: port zero only supported "
398 "in persistent services, "
399 "check your ipvs configuration\n");
403 dest = svc->scheduler->schedule(svc, skb);
405 IP_VS_DBG(1, "Schedule: no dest found.\n");
410 * Create a connection entry.
412 cp = ip_vs_conn_new(svc->af, iph.protocol,
415 &dest->addr, dest->port ? dest->port : pptr[1],
421 IP_VS_DBG_BUF(6, "Schedule fwd:%c c:%s:%u v:%s:%u "
422 "d:%s:%u conn->flags:%X conn->refcnt:%d\n",
424 IP_VS_DBG_ADDR(svc->af, &cp->caddr), ntohs(cp->cport),
425 IP_VS_DBG_ADDR(svc->af, &cp->vaddr), ntohs(cp->vport),
426 IP_VS_DBG_ADDR(svc->af, &cp->daddr), ntohs(cp->dport),
427 cp->flags, atomic_read(&cp->refcnt));
429 ip_vs_conn_stats(cp, svc);
435 * Pass or drop the packet.
436 * Called by ip_vs_in, when the virtual service is available but
437 * no destination is available for a new connection.
439 int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
440 struct ip_vs_protocol *pp)
442 __be16 _ports[2], *pptr;
443 struct ip_vs_iphdr iph;
445 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
447 pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
449 ip_vs_service_put(svc);
453 #ifdef CONFIG_IP_VS_IPV6
454 if (svc->af == AF_INET6)
455 unicast = ipv6_addr_type(&iph.daddr.in6) & IPV6_ADDR_UNICAST;
458 unicast = (inet_addr_type(&init_net, iph.daddr.ip) == RTN_UNICAST);
460 /* if it is fwmark-based service, the cache_bypass sysctl is up
461 and the destination is a non-local unicast, then create
462 a cache_bypass connection entry */
463 if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) {
465 struct ip_vs_conn *cp;
466 union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } };
468 ip_vs_service_put(svc);
470 /* create a new connection entry */
471 IP_VS_DBG(6, "%s(): create a cache_bypass entry\n", __func__);
472 cp = ip_vs_conn_new(svc->af, iph.protocol,
482 ip_vs_in_stats(cp, skb);
485 cs = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp);
487 /* transmit the first SYN packet */
488 ret = cp->packet_xmit(skb, cp, pp);
489 /* do not touch skb anymore */
491 atomic_inc(&cp->in_pkts);
497 * When the virtual ftp service is presented, packets destined
498 * for other services on the VIP may get here (except services
499 * listed in the ipvs table), pass the packets, because it is
500 * not ipvs job to decide to drop the packets.
502 if ((svc->port == FTPPORT) && (pptr[1] != FTPPORT)) {
503 ip_vs_service_put(svc);
507 ip_vs_service_put(svc);
510 * Notify the client that the destination is unreachable, and
511 * release the socket buffer.
512 * Since it is in IP layer, the TCP socket is not actually
513 * created, the TCP RST packet cannot be sent, instead that
514 * ICMP_PORT_UNREACH is sent here no matter it is TCP/UDP. --WZ
516 #ifdef CONFIG_IP_VS_IPV6
517 if (svc->af == AF_INET6)
518 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
521 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
528 * It is hooked before NF_IP_PRI_NAT_SRC at the NF_INET_POST_ROUTING
529 * chain, and is used for VS/NAT.
530 * It detects packets for VS/NAT connections and sends the packets
531 * immediately. This can avoid that iptable_nat mangles the packets
534 static unsigned int ip_vs_post_routing(unsigned int hooknum,
536 const struct net_device *in,
537 const struct net_device *out,
538 int (*okfn)(struct sk_buff *))
540 if (!skb->ipvs_property)
542 /* The packet was sent from IPVS, exit this chain */
546 __sum16 ip_vs_checksum_complete(struct sk_buff *skb, int offset)
548 return csum_fold(skb_checksum(skb, offset, skb->len - offset, 0));
551 static inline int ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user)
553 int err = ip_defrag(skb, user);
556 ip_send_check(ip_hdr(skb));
561 #ifdef CONFIG_IP_VS_IPV6
562 static inline int ip_vs_gather_frags_v6(struct sk_buff *skb, u_int32_t user)
564 /* TODO IPv6: Find out what to do here for IPv6 */
570 * Packet has been made sufficiently writable in caller
571 * - inout: 1=in->out, 0=out->in
573 void ip_vs_nat_icmp(struct sk_buff *skb, struct ip_vs_protocol *pp,
574 struct ip_vs_conn *cp, int inout)
576 struct iphdr *iph = ip_hdr(skb);
577 unsigned int icmp_offset = iph->ihl*4;
578 struct icmphdr *icmph = (struct icmphdr *)(skb_network_header(skb) +
580 struct iphdr *ciph = (struct iphdr *)(icmph + 1);
583 iph->saddr = cp->vaddr.ip;
585 ciph->daddr = cp->vaddr.ip;
588 iph->daddr = cp->daddr.ip;
590 ciph->saddr = cp->daddr.ip;
594 /* the TCP/UDP/SCTP port */
595 if (IPPROTO_TCP == ciph->protocol || IPPROTO_UDP == ciph->protocol ||
596 IPPROTO_SCTP == ciph->protocol) {
597 __be16 *ports = (void *)ciph + ciph->ihl*4;
600 ports[1] = cp->vport;
602 ports[0] = cp->dport;
605 /* And finally the ICMP checksum */
607 icmph->checksum = ip_vs_checksum_complete(skb, icmp_offset);
608 skb->ip_summed = CHECKSUM_UNNECESSARY;
611 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
612 "Forwarding altered outgoing ICMP");
614 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
615 "Forwarding altered incoming ICMP");
618 #ifdef CONFIG_IP_VS_IPV6
619 void ip_vs_nat_icmp_v6(struct sk_buff *skb, struct ip_vs_protocol *pp,
620 struct ip_vs_conn *cp, int inout)
622 struct ipv6hdr *iph = ipv6_hdr(skb);
623 unsigned int icmp_offset = sizeof(struct ipv6hdr);
624 struct icmp6hdr *icmph = (struct icmp6hdr *)(skb_network_header(skb) +
626 struct ipv6hdr *ciph = (struct ipv6hdr *)(icmph + 1);
629 iph->saddr = cp->vaddr.in6;
630 ciph->daddr = cp->vaddr.in6;
632 iph->daddr = cp->daddr.in6;
633 ciph->saddr = cp->daddr.in6;
636 /* the TCP/UDP/SCTP port */
637 if (IPPROTO_TCP == ciph->nexthdr || IPPROTO_UDP == ciph->nexthdr ||
638 IPPROTO_SCTP == ciph->nexthdr) {
639 __be16 *ports = (void *)ciph + sizeof(struct ipv6hdr);
642 ports[1] = cp->vport;
644 ports[0] = cp->dport;
647 /* And finally the ICMP checksum */
648 icmph->icmp6_cksum = 0;
649 /* TODO IPv6: is this correct for ICMPv6? */
650 ip_vs_checksum_complete(skb, icmp_offset);
651 skb->ip_summed = CHECKSUM_UNNECESSARY;
654 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
655 "Forwarding altered outgoing ICMPv6");
657 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
658 "Forwarding altered incoming ICMPv6");
662 /* Handle relevant response ICMP messages - forward to the right
663 * destination host. Used for NAT and local client.
665 static int handle_response_icmp(int af, struct sk_buff *skb,
666 union nf_inet_addr *snet,
667 __u8 protocol, struct ip_vs_conn *cp,
668 struct ip_vs_protocol *pp,
669 unsigned int offset, unsigned int ihl)
671 unsigned int verdict = NF_DROP;
673 if (IP_VS_FWD_METHOD(cp) != 0) {
674 pr_err("shouldn't reach here, because the box is on the "
675 "half connection in the tun/dr module.\n");
678 /* Ensure the checksum is correct */
679 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
680 /* Failed checksum! */
681 IP_VS_DBG_BUF(1, "Forward ICMP: failed checksum from %s!\n",
682 IP_VS_DBG_ADDR(af, snet));
686 if (IPPROTO_TCP == protocol || IPPROTO_UDP == protocol ||
687 IPPROTO_SCTP == protocol)
688 offset += 2 * sizeof(__u16);
689 if (!skb_make_writable(skb, offset))
692 #ifdef CONFIG_IP_VS_IPV6
694 ip_vs_nat_icmp_v6(skb, pp, cp, 1);
697 ip_vs_nat_icmp(skb, pp, cp, 1);
699 /* do the statistics and put it back */
700 ip_vs_out_stats(cp, skb);
702 skb->ipvs_property = 1;
706 __ip_vs_conn_put(cp);
712 * Handle ICMP messages in the inside-to-outside direction (outgoing).
713 * Find any that might be relevant, check against existing connections.
714 * Currently handles error types - unreachable, quench, ttl exceeded.
716 static int ip_vs_out_icmp(struct sk_buff *skb, int *related)
719 struct icmphdr _icmph, *ic;
720 struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */
721 struct ip_vs_iphdr ciph;
722 struct ip_vs_conn *cp;
723 struct ip_vs_protocol *pp;
724 unsigned int offset, ihl;
725 union nf_inet_addr snet;
729 /* reassemble IP fragments */
730 if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
731 if (ip_vs_gather_frags(skb, IP_DEFRAG_VS_OUT))
736 offset = ihl = iph->ihl * 4;
737 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
741 IP_VS_DBG(12, "Outgoing ICMP (%d,%d) %pI4->%pI4\n",
742 ic->type, ntohs(icmp_id(ic)),
743 &iph->saddr, &iph->daddr);
746 * Work through seeing if this is for us.
747 * These checks are supposed to be in an order that means easy
748 * things are checked first to speed up processing.... however
749 * this means that some packets will manage to get a long way
750 * down this stack and then be rejected, but that's life.
752 if ((ic->type != ICMP_DEST_UNREACH) &&
753 (ic->type != ICMP_SOURCE_QUENCH) &&
754 (ic->type != ICMP_TIME_EXCEEDED)) {
759 /* Now find the contained IP header */
760 offset += sizeof(_icmph);
761 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
763 return NF_ACCEPT; /* The packet looks wrong, ignore */
765 pp = ip_vs_proto_get(cih->protocol);
769 /* Is the embedded protocol header present? */
770 if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
774 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking outgoing ICMP for");
776 offset += cih->ihl * 4;
778 ip_vs_fill_iphdr(AF_INET, cih, &ciph);
779 /* The embedded headers contain source and dest in reverse order */
780 cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1);
784 snet.ip = iph->saddr;
785 return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp,
789 #ifdef CONFIG_IP_VS_IPV6
790 static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related)
793 struct icmp6hdr _icmph, *ic;
794 struct ipv6hdr _ciph, *cih; /* The ip header contained
796 struct ip_vs_iphdr ciph;
797 struct ip_vs_conn *cp;
798 struct ip_vs_protocol *pp;
800 union nf_inet_addr snet;
804 /* reassemble IP fragments */
805 if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) {
806 if (ip_vs_gather_frags_v6(skb, IP_DEFRAG_VS_OUT))
811 offset = sizeof(struct ipv6hdr);
812 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
816 IP_VS_DBG(12, "Outgoing ICMPv6 (%d,%d) %pI6->%pI6\n",
817 ic->icmp6_type, ntohs(icmpv6_id(ic)),
818 &iph->saddr, &iph->daddr);
821 * Work through seeing if this is for us.
822 * These checks are supposed to be in an order that means easy
823 * things are checked first to speed up processing.... however
824 * this means that some packets will manage to get a long way
825 * down this stack and then be rejected, but that's life.
827 if ((ic->icmp6_type != ICMPV6_DEST_UNREACH) &&
828 (ic->icmp6_type != ICMPV6_PKT_TOOBIG) &&
829 (ic->icmp6_type != ICMPV6_TIME_EXCEED)) {
834 /* Now find the contained IP header */
835 offset += sizeof(_icmph);
836 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
838 return NF_ACCEPT; /* The packet looks wrong, ignore */
840 pp = ip_vs_proto_get(cih->nexthdr);
844 /* Is the embedded protocol header present? */
845 /* TODO: we don't support fragmentation at the moment anyways */
846 if (unlikely(cih->nexthdr == IPPROTO_FRAGMENT && pp->dont_defrag))
849 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking outgoing ICMPv6 for");
851 offset += sizeof(struct ipv6hdr);
853 ip_vs_fill_iphdr(AF_INET6, cih, &ciph);
854 /* The embedded headers contain source and dest in reverse order */
855 cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1);
859 ipv6_addr_copy(&snet.in6, &iph->saddr);
860 return handle_response_icmp(AF_INET6, skb, &snet, cih->nexthdr, cp,
861 pp, offset, sizeof(struct ipv6hdr));
866 * Check if sctp chunc is ABORT chunk
868 static inline int is_sctp_abort(const struct sk_buff *skb, int nh_len)
870 sctp_chunkhdr_t *sch, schunk;
871 sch = skb_header_pointer(skb, nh_len + sizeof(sctp_sctphdr_t),
872 sizeof(schunk), &schunk);
875 if (sch->type == SCTP_CID_ABORT)
880 static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len)
882 struct tcphdr _tcph, *th;
884 th = skb_header_pointer(skb, nh_len, sizeof(_tcph), &_tcph);
890 /* Handle response packets: rewrite addresses and send away...
891 * Used for NAT and local client.
894 handle_response(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
895 struct ip_vs_conn *cp, int ihl)
897 IP_VS_DBG_PKT(11, pp, skb, 0, "Outgoing packet");
899 if (!skb_make_writable(skb, ihl))
902 /* mangle the packet */
903 if (pp->snat_handler && !pp->snat_handler(skb, pp, cp))
906 #ifdef CONFIG_IP_VS_IPV6
908 ipv6_hdr(skb)->saddr = cp->vaddr.in6;
912 ip_hdr(skb)->saddr = cp->vaddr.ip;
913 ip_send_check(ip_hdr(skb));
916 /* For policy routing, packets originating from this
917 * machine itself may be routed differently to packets
918 * passing through. We want this packet to be routed as
919 * if it came from this machine itself. So re-compute
920 * the routing information.
922 #ifdef CONFIG_IP_VS_IPV6
923 if (af == AF_INET6) {
924 if (ip6_route_me_harder(skb) != 0)
928 if (ip_route_me_harder(skb, RTN_LOCAL) != 0)
931 IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT");
933 ip_vs_out_stats(cp, skb);
934 ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pp);
937 skb->ipvs_property = 1;
949 * It is hooked at the NF_INET_FORWARD chain, used only for VS/NAT.
950 * Check if outgoing packet belongs to the established ip_vs_conn.
953 ip_vs_out(unsigned int hooknum, struct sk_buff *skb,
954 const struct net_device *in, const struct net_device *out,
955 int (*okfn)(struct sk_buff *))
957 struct ip_vs_iphdr iph;
958 struct ip_vs_protocol *pp;
959 struct ip_vs_conn *cp;
964 af = (skb->protocol == htons(ETH_P_IP)) ? AF_INET : AF_INET6;
966 if (skb->ipvs_property)
969 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
970 #ifdef CONFIG_IP_VS_IPV6
971 if (af == AF_INET6) {
972 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
973 int related, verdict = ip_vs_out_icmp_v6(skb, &related);
977 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
981 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
982 int related, verdict = ip_vs_out_icmp(skb, &related);
986 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
989 pp = ip_vs_proto_get(iph.protocol);
993 /* reassemble IP fragments */
994 #ifdef CONFIG_IP_VS_IPV6
995 if (af == AF_INET6) {
996 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
997 int related, verdict = ip_vs_out_icmp_v6(skb, &related);
1002 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1006 if (unlikely(ip_hdr(skb)->frag_off & htons(IP_MF|IP_OFFSET) &&
1007 !pp->dont_defrag)) {
1008 if (ip_vs_gather_frags(skb, IP_DEFRAG_VS_OUT))
1011 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1015 * Check if the packet belongs to an existing entry
1017 cp = pp->conn_out_get(af, skb, pp, &iph, iph.len, 0);
1019 if (unlikely(!cp)) {
1020 if (sysctl_ip_vs_nat_icmp_send &&
1021 (pp->protocol == IPPROTO_TCP ||
1022 pp->protocol == IPPROTO_UDP ||
1023 pp->protocol == IPPROTO_SCTP)) {
1024 __be16 _ports[2], *pptr;
1026 pptr = skb_header_pointer(skb, iph.len,
1027 sizeof(_ports), _ports);
1029 return NF_ACCEPT; /* Not for me */
1030 if (ip_vs_lookup_real_service(af, iph.protocol,
1034 * Notify the real server: there is no
1035 * existing entry if it is not RST
1036 * packet or not TCP packet.
1038 if ((iph.protocol != IPPROTO_TCP &&
1039 iph.protocol != IPPROTO_SCTP)
1040 || ((iph.protocol == IPPROTO_TCP
1041 && !is_tcp_reset(skb, iph.len))
1042 || (iph.protocol == IPPROTO_SCTP
1043 && !is_sctp_abort(skb,
1045 #ifdef CONFIG_IP_VS_IPV6
1048 ICMPV6_DEST_UNREACH,
1049 ICMPV6_PORT_UNREACH,
1055 ICMP_PORT_UNREACH, 0);
1060 IP_VS_DBG_PKT(12, pp, skb, 0,
1061 "packet continues traversal as normal");
1065 return handle_response(af, skb, pp, cp, iph.len);
1070 * Handle ICMP messages in the outside-to-inside direction (incoming).
1071 * Find any that might be relevant, check against existing connections,
1072 * forward to the right destination host if relevant.
1073 * Currently handles error types - unreachable, quench, ttl exceeded.
1076 ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
1079 struct icmphdr _icmph, *ic;
1080 struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */
1081 struct ip_vs_iphdr ciph;
1082 struct ip_vs_conn *cp;
1083 struct ip_vs_protocol *pp;
1084 unsigned int offset, ihl, verdict;
1085 union nf_inet_addr snet;
1089 /* reassemble IP fragments */
1090 if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
1091 if (ip_vs_gather_frags(skb, hooknum == NF_INET_LOCAL_IN ?
1092 IP_DEFRAG_VS_IN : IP_DEFRAG_VS_FWD))
1097 offset = ihl = iph->ihl * 4;
1098 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
1102 IP_VS_DBG(12, "Incoming ICMP (%d,%d) %pI4->%pI4\n",
1103 ic->type, ntohs(icmp_id(ic)),
1104 &iph->saddr, &iph->daddr);
1107 * Work through seeing if this is for us.
1108 * These checks are supposed to be in an order that means easy
1109 * things are checked first to speed up processing.... however
1110 * this means that some packets will manage to get a long way
1111 * down this stack and then be rejected, but that's life.
1113 if ((ic->type != ICMP_DEST_UNREACH) &&
1114 (ic->type != ICMP_SOURCE_QUENCH) &&
1115 (ic->type != ICMP_TIME_EXCEEDED)) {
1120 /* Now find the contained IP header */
1121 offset += sizeof(_icmph);
1122 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1124 return NF_ACCEPT; /* The packet looks wrong, ignore */
1126 pp = ip_vs_proto_get(cih->protocol);
1130 /* Is the embedded protocol header present? */
1131 if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
1135 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking incoming ICMP for");
1137 offset += cih->ihl * 4;
1139 ip_vs_fill_iphdr(AF_INET, cih, &ciph);
1140 /* The embedded headers contain source and dest in reverse order */
1141 cp = pp->conn_in_get(AF_INET, skb, pp, &ciph, offset, 1);
1143 /* The packet could also belong to a local client */
1144 cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1);
1146 snet.ip = iph->saddr;
1147 return handle_response_icmp(AF_INET, skb, &snet,
1148 cih->protocol, cp, pp,
1156 /* Ensure the checksum is correct */
1157 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
1158 /* Failed checksum! */
1159 IP_VS_DBG(1, "Incoming ICMP: failed checksum from %pI4!\n",
1164 /* do the statistics and put it back */
1165 ip_vs_in_stats(cp, skb);
1166 if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol)
1167 offset += 2 * sizeof(__u16);
1168 verdict = ip_vs_icmp_xmit(skb, cp, pp, offset);
1169 /* do not touch skb anymore */
1172 __ip_vs_conn_put(cp);
1177 #ifdef CONFIG_IP_VS_IPV6
1179 ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum)
1181 struct ipv6hdr *iph;
1182 struct icmp6hdr _icmph, *ic;
1183 struct ipv6hdr _ciph, *cih; /* The ip header contained
1185 struct ip_vs_iphdr ciph;
1186 struct ip_vs_conn *cp;
1187 struct ip_vs_protocol *pp;
1188 unsigned int offset, verdict;
1189 union nf_inet_addr snet;
1193 /* reassemble IP fragments */
1194 if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) {
1195 if (ip_vs_gather_frags_v6(skb, hooknum == NF_INET_LOCAL_IN ?
1201 iph = ipv6_hdr(skb);
1202 offset = sizeof(struct ipv6hdr);
1203 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
1207 IP_VS_DBG(12, "Incoming ICMPv6 (%d,%d) %pI6->%pI6\n",
1208 ic->icmp6_type, ntohs(icmpv6_id(ic)),
1209 &iph->saddr, &iph->daddr);
1212 * Work through seeing if this is for us.
1213 * These checks are supposed to be in an order that means easy
1214 * things are checked first to speed up processing.... however
1215 * this means that some packets will manage to get a long way
1216 * down this stack and then be rejected, but that's life.
1218 if ((ic->icmp6_type != ICMPV6_DEST_UNREACH) &&
1219 (ic->icmp6_type != ICMPV6_PKT_TOOBIG) &&
1220 (ic->icmp6_type != ICMPV6_TIME_EXCEED)) {
1225 /* Now find the contained IP header */
1226 offset += sizeof(_icmph);
1227 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1229 return NF_ACCEPT; /* The packet looks wrong, ignore */
1231 pp = ip_vs_proto_get(cih->nexthdr);
1235 /* Is the embedded protocol header present? */
1236 /* TODO: we don't support fragmentation at the moment anyways */
1237 if (unlikely(cih->nexthdr == IPPROTO_FRAGMENT && pp->dont_defrag))
1240 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking incoming ICMPv6 for");
1242 offset += sizeof(struct ipv6hdr);
1244 ip_vs_fill_iphdr(AF_INET6, cih, &ciph);
1245 /* The embedded headers contain source and dest in reverse order */
1246 cp = pp->conn_in_get(AF_INET6, skb, pp, &ciph, offset, 1);
1248 /* The packet could also belong to a local client */
1249 cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1);
1251 ipv6_addr_copy(&snet.in6, &iph->saddr);
1252 return handle_response_icmp(AF_INET6, skb, &snet,
1255 sizeof(struct ipv6hdr));
1262 /* do the statistics and put it back */
1263 ip_vs_in_stats(cp, skb);
1264 if (IPPROTO_TCP == cih->nexthdr || IPPROTO_UDP == cih->nexthdr ||
1265 IPPROTO_SCTP == cih->nexthdr)
1266 offset += 2 * sizeof(__u16);
1267 verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, offset);
1268 /* do not touch skb anymore */
1270 __ip_vs_conn_put(cp);
1278 * Check if it's for virtual services, look it up,
1279 * and send it on its way...
1282 ip_vs_in(unsigned int hooknum, struct sk_buff *skb,
1283 const struct net_device *in, const struct net_device *out,
1284 int (*okfn)(struct sk_buff *))
1286 struct ip_vs_iphdr iph;
1287 struct ip_vs_protocol *pp;
1288 struct ip_vs_conn *cp;
1289 int ret, restart, af, pkts;
1291 af = (skb->protocol == htons(ETH_P_IP)) ? AF_INET : AF_INET6;
1293 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1296 * Big tappo: only PACKET_HOST, including loopback for local client
1297 * Don't handle local packets on IPv6 for now
1299 if (unlikely(skb->pkt_type != PACKET_HOST)) {
1300 IP_VS_DBG_BUF(12, "packet type=%d proto=%d daddr=%s ignored\n",
1303 IP_VS_DBG_ADDR(af, &iph.daddr));
1307 #ifdef CONFIG_IP_VS_IPV6
1308 if (af == AF_INET6) {
1309 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
1310 int related, verdict = ip_vs_in_icmp_v6(skb, &related, hooknum);
1314 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1318 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
1319 int related, verdict = ip_vs_in_icmp(skb, &related, hooknum);
1323 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1326 /* Protocol supported? */
1327 pp = ip_vs_proto_get(iph.protocol);
1332 * Check if the packet belongs to an existing connection entry
1334 cp = pp->conn_in_get(af, skb, pp, &iph, iph.len, 0);
1336 if (unlikely(!cp)) {
1339 /* For local client packets, it could be a response */
1340 cp = pp->conn_out_get(af, skb, pp, &iph, iph.len, 0);
1342 return handle_response(af, skb, pp, cp, iph.len);
1344 if (!pp->conn_schedule(af, skb, pp, &v, &cp))
1348 if (unlikely(!cp)) {
1349 /* sorry, all this trouble for a no-hit :) */
1350 IP_VS_DBG_PKT(12, pp, skb, 0,
1351 "packet continues traversal as normal");
1355 IP_VS_DBG_PKT(11, pp, skb, 0, "Incoming packet");
1357 /* Check the server status */
1358 if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
1359 /* the destination server is not available */
1361 if (sysctl_ip_vs_expire_nodest_conn) {
1362 /* try to expire the connection immediately */
1363 ip_vs_conn_expire_now(cp);
1365 /* don't restart its timer, and silently
1367 __ip_vs_conn_put(cp);
1371 ip_vs_in_stats(cp, skb);
1372 restart = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp);
1373 if (cp->packet_xmit)
1374 ret = cp->packet_xmit(skb, cp, pp);
1375 /* do not touch skb anymore */
1377 IP_VS_DBG_RL("warning: packet_xmit is null");
1381 /* Increase its packet counter and check if it is needed
1382 * to be synchronized
1384 * Sync connection if it is about to close to
1385 * encorage the standby servers to update the connections timeout
1387 pkts = atomic_add_return(1, &cp->in_pkts);
1388 if (af == AF_INET && (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
1389 cp->protocol == IPPROTO_SCTP) {
1390 if ((cp->state == IP_VS_SCTP_S_ESTABLISHED &&
1391 (atomic_read(&cp->in_pkts) %
1392 sysctl_ip_vs_sync_threshold[1]
1393 == sysctl_ip_vs_sync_threshold[0])) ||
1394 (cp->old_state != cp->state &&
1395 ((cp->state == IP_VS_SCTP_S_CLOSED) ||
1396 (cp->state == IP_VS_SCTP_S_SHUT_ACK_CLI) ||
1397 (cp->state == IP_VS_SCTP_S_SHUT_ACK_SER)))) {
1398 ip_vs_sync_conn(cp);
1403 if (af == AF_INET &&
1404 (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
1405 (((cp->protocol != IPPROTO_TCP ||
1406 cp->state == IP_VS_TCP_S_ESTABLISHED) &&
1407 (pkts % sysctl_ip_vs_sync_threshold[1]
1408 == sysctl_ip_vs_sync_threshold[0])) ||
1409 ((cp->protocol == IPPROTO_TCP) && (cp->old_state != cp->state) &&
1410 ((cp->state == IP_VS_TCP_S_FIN_WAIT) ||
1411 (cp->state == IP_VS_TCP_S_CLOSE) ||
1412 (cp->state == IP_VS_TCP_S_CLOSE_WAIT) ||
1413 (cp->state == IP_VS_TCP_S_TIME_WAIT)))))
1414 ip_vs_sync_conn(cp);
1416 cp->old_state = cp->state;
1424 * It is hooked at the NF_INET_FORWARD chain, in order to catch ICMP
1425 * related packets destined for 0.0.0.0/0.
1426 * When fwmark-based virtual service is used, such as transparent
1427 * cache cluster, TCP packets can be marked and routed to ip_vs_in,
1428 * but ICMP destined for 0.0.0.0/0 cannot not be easily marked and
1429 * sent to ip_vs_in_icmp. So, catch them at the NF_INET_FORWARD chain
1430 * and send them to ip_vs_in_icmp.
1433 ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff *skb,
1434 const struct net_device *in, const struct net_device *out,
1435 int (*okfn)(struct sk_buff *))
1439 if (ip_hdr(skb)->protocol != IPPROTO_ICMP)
1442 return ip_vs_in_icmp(skb, &r, hooknum);
1445 #ifdef CONFIG_IP_VS_IPV6
1447 ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
1448 const struct net_device *in, const struct net_device *out,
1449 int (*okfn)(struct sk_buff *))
1453 if (ipv6_hdr(skb)->nexthdr != IPPROTO_ICMPV6)
1456 return ip_vs_in_icmp_v6(skb, &r, hooknum);
1461 static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1462 /* After packet filtering, forward packet through VS/DR, VS/TUN,
1463 * or VS/NAT(change destination), so that filtering rules can be
1464 * applied to IPVS. */
1467 .owner = THIS_MODULE,
1469 .hooknum = NF_INET_LOCAL_IN,
1472 /* After packet filtering, change source only for VS/NAT */
1475 .owner = THIS_MODULE,
1477 .hooknum = NF_INET_FORWARD,
1480 /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1481 * destined for 0.0.0.0/0, which is for incoming IPVS connections */
1483 .hook = ip_vs_forward_icmp,
1484 .owner = THIS_MODULE,
1486 .hooknum = NF_INET_FORWARD,
1489 /* Before the netfilter connection tracking, exit from POST_ROUTING */
1491 .hook = ip_vs_post_routing,
1492 .owner = THIS_MODULE,
1494 .hooknum = NF_INET_POST_ROUTING,
1495 .priority = NF_IP_PRI_NAT_SRC-1,
1497 #ifdef CONFIG_IP_VS_IPV6
1498 /* After packet filtering, forward packet through VS/DR, VS/TUN,
1499 * or VS/NAT(change destination), so that filtering rules can be
1500 * applied to IPVS. */
1503 .owner = THIS_MODULE,
1505 .hooknum = NF_INET_LOCAL_IN,
1508 /* After packet filtering, change source only for VS/NAT */
1511 .owner = THIS_MODULE,
1513 .hooknum = NF_INET_FORWARD,
1516 /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1517 * destined for 0.0.0.0/0, which is for incoming IPVS connections */
1519 .hook = ip_vs_forward_icmp_v6,
1520 .owner = THIS_MODULE,
1522 .hooknum = NF_INET_FORWARD,
1525 /* Before the netfilter connection tracking, exit from POST_ROUTING */
1527 .hook = ip_vs_post_routing,
1528 .owner = THIS_MODULE,
1530 .hooknum = NF_INET_POST_ROUTING,
1531 .priority = NF_IP6_PRI_NAT_SRC-1,
1538 * Initialize IP Virtual Server
1540 static int __init ip_vs_init(void)
1544 ip_vs_estimator_init();
1546 ret = ip_vs_control_init();
1548 pr_err("can't setup control.\n");
1549 goto cleanup_estimator;
1552 ip_vs_protocol_init();
1554 ret = ip_vs_app_init();
1556 pr_err("can't setup application helper.\n");
1557 goto cleanup_protocol;
1560 ret = ip_vs_conn_init();
1562 pr_err("can't setup connection table.\n");
1566 ret = nf_register_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
1568 pr_err("can't register hooks.\n");
1572 pr_info("ipvs loaded.\n");
1576 ip_vs_conn_cleanup();
1578 ip_vs_app_cleanup();
1580 ip_vs_protocol_cleanup();
1581 ip_vs_control_cleanup();
1583 ip_vs_estimator_cleanup();
1587 static void __exit ip_vs_cleanup(void)
1589 nf_unregister_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
1590 ip_vs_conn_cleanup();
1591 ip_vs_app_cleanup();
1592 ip_vs_protocol_cleanup();
1593 ip_vs_control_cleanup();
1594 ip_vs_estimator_cleanup();
1595 pr_info("ipvs unloaded.\n");
1598 module_init(ip_vs_init);
1599 module_exit(ip_vs_cleanup);
1600 MODULE_LICENSE("GPL");
projects / ~andy / linux / blob