2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the NetFilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
21 #define KMSG_COMPONENT "IPVS"
22 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
24 #include <linux/module.h>
25 #include <linux/init.h>
26 #include <linux/types.h>
27 #include <linux/capability.h>
29 #include <linux/sysctl.h>
30 #include <linux/proc_fs.h>
31 #include <linux/workqueue.h>
32 #include <linux/swap.h>
33 #include <linux/seq_file.h>
34 #include <linux/slab.h>
36 #include <linux/netfilter.h>
37 #include <linux/netfilter_ipv4.h>
38 #include <linux/mutex.h>
40 #include <net/net_namespace.h>
41 #include <linux/nsproxy.h>
43 #ifdef CONFIG_IP_VS_IPV6
45 #include <net/ip6_route.h>
47 #include <net/route.h>
49 #include <net/genetlink.h>
51 #include <asm/uaccess.h>
53 #include <net/ip_vs.h>
55 /* semaphore for IPVS sockopts. And, [gs]etsockopt may sleep. */
56 static DEFINE_MUTEX(__ip_vs_mutex);
58 /* lock for service table */
59 static DEFINE_RWLOCK(__ip_vs_svc_lock);
61 /* sysctl variables */
63 #ifdef CONFIG_IP_VS_DEBUG
64 static int sysctl_ip_vs_debug_level = 0;
66 int ip_vs_get_debug_level(void)
68 return sysctl_ip_vs_debug_level;
74 static void __ip_vs_del_service(struct ip_vs_service *svc);
77 #ifdef CONFIG_IP_VS_IPV6
78 /* Taken from rt6_fill_node() in net/ipv6/route.c, is there a better way? */
79 static bool __ip_vs_addr_is_local_v6(struct net *net,
80 const struct in6_addr *addr)
85 struct dst_entry *dst = ip6_route_output(net, NULL, &fl6);
88 is_local = !dst->error && dst->dev && (dst->dev->flags & IFF_LOOPBACK);
97 * update_defense_level is called from keventd and from sysctl,
98 * so it needs to protect itself from softirqs
100 static void update_defense_level(struct netns_ipvs *ipvs)
103 static int old_secure_tcp = 0;
108 /* we only count free and buffered memory (in pages) */
110 availmem = i.freeram + i.bufferram;
111 /* however in linux 2.5 the i.bufferram is total page cache size,
113 /* si_swapinfo(&i); */
114 /* availmem = availmem - (i.totalswap - i.freeswap); */
116 nomem = (availmem < ipvs->sysctl_amemthresh);
121 spin_lock(&ipvs->dropentry_lock);
122 switch (ipvs->sysctl_drop_entry) {
124 atomic_set(&ipvs->dropentry, 0);
128 atomic_set(&ipvs->dropentry, 1);
129 ipvs->sysctl_drop_entry = 2;
131 atomic_set(&ipvs->dropentry, 0);
136 atomic_set(&ipvs->dropentry, 1);
138 atomic_set(&ipvs->dropentry, 0);
139 ipvs->sysctl_drop_entry = 1;
143 atomic_set(&ipvs->dropentry, 1);
146 spin_unlock(&ipvs->dropentry_lock);
149 spin_lock(&ipvs->droppacket_lock);
150 switch (ipvs->sysctl_drop_packet) {
156 ipvs->drop_rate = ipvs->drop_counter
157 = ipvs->sysctl_amemthresh /
158 (ipvs->sysctl_amemthresh-availmem);
159 ipvs->sysctl_drop_packet = 2;
166 ipvs->drop_rate = ipvs->drop_counter
167 = ipvs->sysctl_amemthresh /
168 (ipvs->sysctl_amemthresh-availmem);
171 ipvs->sysctl_drop_packet = 1;
175 ipvs->drop_rate = ipvs->sysctl_am_droprate;
178 spin_unlock(&ipvs->droppacket_lock);
181 spin_lock(&ipvs->securetcp_lock);
182 switch (ipvs->sysctl_secure_tcp) {
184 if (old_secure_tcp >= 2)
189 if (old_secure_tcp < 2)
191 ipvs->sysctl_secure_tcp = 2;
193 if (old_secure_tcp >= 2)
199 if (old_secure_tcp < 2)
202 if (old_secure_tcp >= 2)
204 ipvs->sysctl_secure_tcp = 1;
208 if (old_secure_tcp < 2)
212 old_secure_tcp = ipvs->sysctl_secure_tcp;
214 ip_vs_protocol_timeout_change(ipvs,
215 ipvs->sysctl_secure_tcp > 1);
216 spin_unlock(&ipvs->securetcp_lock);
223 * Timer for checking the defense
225 #define DEFENSE_TIMER_PERIOD 1*HZ
227 static void defense_work_handler(struct work_struct *work)
229 struct netns_ipvs *ipvs =
230 container_of(work, struct netns_ipvs, defense_work.work);
232 update_defense_level(ipvs);
233 if (atomic_read(&ipvs->dropentry))
234 ip_vs_random_dropentry(ipvs->net);
235 schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
240 ip_vs_use_count_inc(void)
242 return try_module_get(THIS_MODULE);
246 ip_vs_use_count_dec(void)
248 module_put(THIS_MODULE);
253 * Hash table: for virtual service lookups
255 #define IP_VS_SVC_TAB_BITS 8
256 #define IP_VS_SVC_TAB_SIZE (1 << IP_VS_SVC_TAB_BITS)
257 #define IP_VS_SVC_TAB_MASK (IP_VS_SVC_TAB_SIZE - 1)
259 /* the service table hashed by <protocol, addr, port> */
260 static struct list_head ip_vs_svc_table[IP_VS_SVC_TAB_SIZE];
261 /* the service table hashed by fwmark */
262 static struct list_head ip_vs_svc_fwm_table[IP_VS_SVC_TAB_SIZE];
266 * Returns hash value for virtual service
268 static inline unsigned int
269 ip_vs_svc_hashkey(struct net *net, int af, unsigned int proto,
270 const union nf_inet_addr *addr, __be16 port)
272 register unsigned int porth = ntohs(port);
273 __be32 addr_fold = addr->ip;
275 #ifdef CONFIG_IP_VS_IPV6
277 addr_fold = addr->ip6[0]^addr->ip6[1]^
278 addr->ip6[2]^addr->ip6[3];
280 addr_fold ^= ((size_t)net>>8);
282 return (proto^ntohl(addr_fold)^(porth>>IP_VS_SVC_TAB_BITS)^porth)
283 & IP_VS_SVC_TAB_MASK;
287 * Returns hash value of fwmark for virtual service lookup
289 static inline unsigned int ip_vs_svc_fwm_hashkey(struct net *net, __u32 fwmark)
291 return (((size_t)net>>8) ^ fwmark) & IP_VS_SVC_TAB_MASK;
295 * Hashes a service in the ip_vs_svc_table by <netns,proto,addr,port>
296 * or in the ip_vs_svc_fwm_table by fwmark.
297 * Should be called with locked tables.
299 static int ip_vs_svc_hash(struct ip_vs_service *svc)
303 if (svc->flags & IP_VS_SVC_F_HASHED) {
304 pr_err("%s(): request for already hashed, called from %pF\n",
305 __func__, __builtin_return_address(0));
309 if (svc->fwmark == 0) {
311 * Hash it by <netns,protocol,addr,port> in ip_vs_svc_table
313 hash = ip_vs_svc_hashkey(svc->net, svc->af, svc->protocol,
314 &svc->addr, svc->port);
315 list_add(&svc->s_list, &ip_vs_svc_table[hash]);
318 * Hash it by fwmark in svc_fwm_table
320 hash = ip_vs_svc_fwm_hashkey(svc->net, svc->fwmark);
321 list_add(&svc->f_list, &ip_vs_svc_fwm_table[hash]);
324 svc->flags |= IP_VS_SVC_F_HASHED;
325 /* increase its refcnt because it is referenced by the svc table */
326 atomic_inc(&svc->refcnt);
332 * Unhashes a service from svc_table / svc_fwm_table.
333 * Should be called with locked tables.
335 static int ip_vs_svc_unhash(struct ip_vs_service *svc)
337 if (!(svc->flags & IP_VS_SVC_F_HASHED)) {
338 pr_err("%s(): request for unhash flagged, called from %pF\n",
339 __func__, __builtin_return_address(0));
343 if (svc->fwmark == 0) {
344 /* Remove it from the svc_table table */
345 list_del(&svc->s_list);
347 /* Remove it from the svc_fwm_table table */
348 list_del(&svc->f_list);
351 svc->flags &= ~IP_VS_SVC_F_HASHED;
352 atomic_dec(&svc->refcnt);
358 * Get service by {netns, proto,addr,port} in the service table.
360 static inline struct ip_vs_service *
361 __ip_vs_service_find(struct net *net, int af, __u16 protocol,
362 const union nf_inet_addr *vaddr, __be16 vport)
365 struct ip_vs_service *svc;
367 /* Check for "full" addressed entries */
368 hash = ip_vs_svc_hashkey(net, af, protocol, vaddr, vport);
370 list_for_each_entry(svc, &ip_vs_svc_table[hash], s_list){
372 && ip_vs_addr_equal(af, &svc->addr, vaddr)
373 && (svc->port == vport)
374 && (svc->protocol == protocol)
375 && net_eq(svc->net, net)) {
386 * Get service by {fwmark} in the service table.
388 static inline struct ip_vs_service *
389 __ip_vs_svc_fwm_find(struct net *net, int af, __u32 fwmark)
392 struct ip_vs_service *svc;
394 /* Check for fwmark addressed entries */
395 hash = ip_vs_svc_fwm_hashkey(net, fwmark);
397 list_for_each_entry(svc, &ip_vs_svc_fwm_table[hash], f_list) {
398 if (svc->fwmark == fwmark && svc->af == af
399 && net_eq(svc->net, net)) {
408 struct ip_vs_service *
409 ip_vs_service_get(struct net *net, int af, __u32 fwmark, __u16 protocol,
410 const union nf_inet_addr *vaddr, __be16 vport)
412 struct ip_vs_service *svc;
413 struct netns_ipvs *ipvs = net_ipvs(net);
415 read_lock(&__ip_vs_svc_lock);
418 * Check the table hashed by fwmark first
421 svc = __ip_vs_svc_fwm_find(net, af, fwmark);
427 * Check the table hashed by <protocol,addr,port>
428 * for "full" addressed entries
430 svc = __ip_vs_service_find(net, af, protocol, vaddr, vport);
433 && protocol == IPPROTO_TCP
434 && atomic_read(&ipvs->ftpsvc_counter)
435 && (vport == FTPDATA || ntohs(vport) >= PROT_SOCK)) {
437 * Check if ftp service entry exists, the packet
438 * might belong to FTP data connections.
440 svc = __ip_vs_service_find(net, af, protocol, vaddr, FTPPORT);
444 && atomic_read(&ipvs->nullsvc_counter)) {
446 * Check if the catch-all port (port zero) exists
448 svc = __ip_vs_service_find(net, af, protocol, vaddr, 0);
453 atomic_inc(&svc->usecnt);
454 read_unlock(&__ip_vs_svc_lock);
456 IP_VS_DBG_BUF(9, "lookup service: fwm %u %s %s:%u %s\n",
457 fwmark, ip_vs_proto_name(protocol),
458 IP_VS_DBG_ADDR(af, vaddr), ntohs(vport),
459 svc ? "hit" : "not hit");
466 __ip_vs_bind_svc(struct ip_vs_dest *dest, struct ip_vs_service *svc)
468 atomic_inc(&svc->refcnt);
473 __ip_vs_unbind_svc(struct ip_vs_dest *dest)
475 struct ip_vs_service *svc = dest->svc;
478 if (atomic_dec_and_test(&svc->refcnt)) {
479 IP_VS_DBG_BUF(3, "Removing service %u/%s:%u usecnt=%d\n",
481 IP_VS_DBG_ADDR(svc->af, &svc->addr),
482 ntohs(svc->port), atomic_read(&svc->usecnt));
483 free_percpu(svc->stats.cpustats);
490 * Returns hash value for real service
492 static inline unsigned int ip_vs_rs_hashkey(int af,
493 const union nf_inet_addr *addr,
496 register unsigned int porth = ntohs(port);
497 __be32 addr_fold = addr->ip;
499 #ifdef CONFIG_IP_VS_IPV6
501 addr_fold = addr->ip6[0]^addr->ip6[1]^
502 addr->ip6[2]^addr->ip6[3];
505 return (ntohl(addr_fold)^(porth>>IP_VS_RTAB_BITS)^porth)
510 * Hashes ip_vs_dest in rs_table by <proto,addr,port>.
511 * should be called with locked tables.
513 static int ip_vs_rs_hash(struct netns_ipvs *ipvs, struct ip_vs_dest *dest)
517 if (!list_empty(&dest->d_list)) {
522 * Hash by proto,addr,port,
523 * which are the parameters of the real service.
525 hash = ip_vs_rs_hashkey(dest->af, &dest->addr, dest->port);
527 list_add(&dest->d_list, &ipvs->rs_table[hash]);
533 * UNhashes ip_vs_dest from rs_table.
534 * should be called with locked tables.
536 static int ip_vs_rs_unhash(struct ip_vs_dest *dest)
539 * Remove it from the rs_table table.
541 if (!list_empty(&dest->d_list)) {
542 list_del_init(&dest->d_list);
549 * Lookup real service by <proto,addr,port> in the real service table.
552 ip_vs_lookup_real_service(struct net *net, int af, __u16 protocol,
553 const union nf_inet_addr *daddr,
556 struct netns_ipvs *ipvs = net_ipvs(net);
558 struct ip_vs_dest *dest;
561 * Check for "full" addressed entries
562 * Return the first found entry
564 hash = ip_vs_rs_hashkey(af, daddr, dport);
566 read_lock(&ipvs->rs_lock);
567 list_for_each_entry(dest, &ipvs->rs_table[hash], d_list) {
569 && ip_vs_addr_equal(af, &dest->addr, daddr)
570 && (dest->port == dport)
571 && ((dest->protocol == protocol) ||
574 read_unlock(&ipvs->rs_lock);
578 read_unlock(&ipvs->rs_lock);
584 * Lookup destination by {addr,port} in the given service
586 static struct ip_vs_dest *
587 ip_vs_lookup_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
590 struct ip_vs_dest *dest;
593 * Find the destination for the given service
595 list_for_each_entry(dest, &svc->destinations, n_list) {
596 if ((dest->af == svc->af)
597 && ip_vs_addr_equal(svc->af, &dest->addr, daddr)
598 && (dest->port == dport)) {
608 * Find destination by {daddr,dport,vaddr,protocol}
609 * Cretaed to be used in ip_vs_process_message() in
610 * the backup synchronization daemon. It finds the
611 * destination to be bound to the received connection
614 * ip_vs_lookup_real_service() looked promissing, but
615 * seems not working as expected.
617 struct ip_vs_dest *ip_vs_find_dest(struct net *net, int af,
618 const union nf_inet_addr *daddr,
620 const union nf_inet_addr *vaddr,
621 __be16 vport, __u16 protocol, __u32 fwmark,
624 struct ip_vs_dest *dest;
625 struct ip_vs_service *svc;
628 svc = ip_vs_service_get(net, af, fwmark, protocol, vaddr, vport);
631 if (fwmark && (flags & IP_VS_CONN_F_FWD_MASK) != IP_VS_CONN_F_MASQ)
633 dest = ip_vs_lookup_dest(svc, daddr, port);
635 dest = ip_vs_lookup_dest(svc, daddr, port ^ dport);
637 atomic_inc(&dest->refcnt);
638 ip_vs_service_put(svc);
643 * Lookup dest by {svc,addr,port} in the destination trash.
644 * The destination trash is used to hold the destinations that are removed
645 * from the service table but are still referenced by some conn entries.
646 * The reason to add the destination trash is when the dest is temporary
647 * down (either by administrator or by monitor program), the dest can be
648 * picked back from the trash, the remaining connections to the dest can
649 * continue, and the counting information of the dest is also useful for
652 static struct ip_vs_dest *
653 ip_vs_trash_get_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
656 struct ip_vs_dest *dest, *nxt;
657 struct netns_ipvs *ipvs = net_ipvs(svc->net);
660 * Find the destination in trash
662 list_for_each_entry_safe(dest, nxt, &ipvs->dest_trash, n_list) {
663 IP_VS_DBG_BUF(3, "Destination %u/%s:%u still in trash, "
666 IP_VS_DBG_ADDR(svc->af, &dest->addr),
668 atomic_read(&dest->refcnt));
669 if (dest->af == svc->af &&
670 ip_vs_addr_equal(svc->af, &dest->addr, daddr) &&
671 dest->port == dport &&
672 dest->vfwmark == svc->fwmark &&
673 dest->protocol == svc->protocol &&
675 (ip_vs_addr_equal(svc->af, &dest->vaddr, &svc->addr) &&
676 dest->vport == svc->port))) {
682 * Try to purge the destination from trash if not referenced
684 if (atomic_read(&dest->refcnt) == 1) {
685 IP_VS_DBG_BUF(3, "Removing destination %u/%s:%u "
688 IP_VS_DBG_ADDR(svc->af, &dest->addr),
690 list_del(&dest->n_list);
691 ip_vs_dst_reset(dest);
692 __ip_vs_unbind_svc(dest);
693 free_percpu(dest->stats.cpustats);
703 * Clean up all the destinations in the trash
704 * Called by the ip_vs_control_cleanup()
706 * When the ip_vs_control_clearup is activated by ipvs module exit,
707 * the service tables must have been flushed and all the connections
708 * are expired, and the refcnt of each destination in the trash must
709 * be 1, so we simply release them here.
711 static void ip_vs_trash_cleanup(struct net *net)
713 struct ip_vs_dest *dest, *nxt;
714 struct netns_ipvs *ipvs = net_ipvs(net);
716 list_for_each_entry_safe(dest, nxt, &ipvs->dest_trash, n_list) {
717 list_del(&dest->n_list);
718 ip_vs_dst_reset(dest);
719 __ip_vs_unbind_svc(dest);
720 free_percpu(dest->stats.cpustats);
726 ip_vs_copy_stats(struct ip_vs_stats_user *dst, struct ip_vs_stats *src)
728 #define IP_VS_SHOW_STATS_COUNTER(c) dst->c = src->ustats.c - src->ustats0.c
730 spin_lock_bh(&src->lock);
732 IP_VS_SHOW_STATS_COUNTER(conns);
733 IP_VS_SHOW_STATS_COUNTER(inpkts);
734 IP_VS_SHOW_STATS_COUNTER(outpkts);
735 IP_VS_SHOW_STATS_COUNTER(inbytes);
736 IP_VS_SHOW_STATS_COUNTER(outbytes);
738 ip_vs_read_estimator(dst, src);
740 spin_unlock_bh(&src->lock);
744 ip_vs_zero_stats(struct ip_vs_stats *stats)
746 spin_lock_bh(&stats->lock);
748 /* get current counters as zero point, rates are zeroed */
750 #define IP_VS_ZERO_STATS_COUNTER(c) stats->ustats0.c = stats->ustats.c
752 IP_VS_ZERO_STATS_COUNTER(conns);
753 IP_VS_ZERO_STATS_COUNTER(inpkts);
754 IP_VS_ZERO_STATS_COUNTER(outpkts);
755 IP_VS_ZERO_STATS_COUNTER(inbytes);
756 IP_VS_ZERO_STATS_COUNTER(outbytes);
758 ip_vs_zero_estimator(stats);
760 spin_unlock_bh(&stats->lock);
764 * Update a destination in the given service
767 __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
768 struct ip_vs_dest_user_kern *udest, int add)
770 struct netns_ipvs *ipvs = net_ipvs(svc->net);
773 /* set the weight and the flags */
774 atomic_set(&dest->weight, udest->weight);
775 conn_flags = udest->conn_flags & IP_VS_CONN_F_DEST_MASK;
776 conn_flags |= IP_VS_CONN_F_INACTIVE;
778 /* set the IP_VS_CONN_F_NOOUTPUT flag if not masquerading/NAT */
779 if ((conn_flags & IP_VS_CONN_F_FWD_MASK) != IP_VS_CONN_F_MASQ) {
780 conn_flags |= IP_VS_CONN_F_NOOUTPUT;
783 * Put the real service in rs_table if not present.
784 * For now only for NAT!
786 write_lock_bh(&ipvs->rs_lock);
787 ip_vs_rs_hash(ipvs, dest);
788 write_unlock_bh(&ipvs->rs_lock);
790 atomic_set(&dest->conn_flags, conn_flags);
792 /* bind the service */
794 __ip_vs_bind_svc(dest, svc);
796 if (dest->svc != svc) {
797 __ip_vs_unbind_svc(dest);
798 ip_vs_zero_stats(&dest->stats);
799 __ip_vs_bind_svc(dest, svc);
803 /* set the dest status flags */
804 dest->flags |= IP_VS_DEST_F_AVAILABLE;
806 if (udest->u_threshold == 0 || udest->u_threshold > dest->u_threshold)
807 dest->flags &= ~IP_VS_DEST_F_OVERLOAD;
808 dest->u_threshold = udest->u_threshold;
809 dest->l_threshold = udest->l_threshold;
811 spin_lock_bh(&dest->dst_lock);
812 ip_vs_dst_reset(dest);
813 spin_unlock_bh(&dest->dst_lock);
816 ip_vs_start_estimator(svc->net, &dest->stats);
818 write_lock_bh(&__ip_vs_svc_lock);
820 /* Wait until all other svc users go away */
821 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
824 list_add(&dest->n_list, &svc->destinations);
828 /* call the update_service, because server weight may be changed */
829 if (svc->scheduler->update_service)
830 svc->scheduler->update_service(svc);
832 write_unlock_bh(&__ip_vs_svc_lock);
837 * Create a destination for the given service
840 ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
841 struct ip_vs_dest **dest_p)
843 struct ip_vs_dest *dest;
848 #ifdef CONFIG_IP_VS_IPV6
849 if (svc->af == AF_INET6) {
850 atype = ipv6_addr_type(&udest->addr.in6);
851 if ((!(atype & IPV6_ADDR_UNICAST) ||
852 atype & IPV6_ADDR_LINKLOCAL) &&
853 !__ip_vs_addr_is_local_v6(svc->net, &udest->addr.in6))
858 atype = inet_addr_type(svc->net, udest->addr.ip);
859 if (atype != RTN_LOCAL && atype != RTN_UNICAST)
863 dest = kzalloc(sizeof(struct ip_vs_dest), GFP_KERNEL);
867 dest->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
868 if (!dest->stats.cpustats)
872 dest->protocol = svc->protocol;
873 dest->vaddr = svc->addr;
874 dest->vport = svc->port;
875 dest->vfwmark = svc->fwmark;
876 ip_vs_addr_copy(svc->af, &dest->addr, &udest->addr);
877 dest->port = udest->port;
879 atomic_set(&dest->activeconns, 0);
880 atomic_set(&dest->inactconns, 0);
881 atomic_set(&dest->persistconns, 0);
882 atomic_set(&dest->refcnt, 1);
884 INIT_LIST_HEAD(&dest->d_list);
885 spin_lock_init(&dest->dst_lock);
886 spin_lock_init(&dest->stats.lock);
887 __ip_vs_update_dest(svc, dest, udest, 1);
901 * Add a destination into an existing service
904 ip_vs_add_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
906 struct ip_vs_dest *dest;
907 union nf_inet_addr daddr;
908 __be16 dport = udest->port;
913 if (udest->weight < 0) {
914 pr_err("%s(): server weight less than zero\n", __func__);
918 if (udest->l_threshold > udest->u_threshold) {
919 pr_err("%s(): lower threshold is higher than upper threshold\n",
924 ip_vs_addr_copy(svc->af, &daddr, &udest->addr);
927 * Check if the dest already exists in the list
929 dest = ip_vs_lookup_dest(svc, &daddr, dport);
932 IP_VS_DBG(1, "%s(): dest already exists\n", __func__);
937 * Check if the dest already exists in the trash and
938 * is from the same service
940 dest = ip_vs_trash_get_dest(svc, &daddr, dport);
943 IP_VS_DBG_BUF(3, "Get destination %s:%u from trash, "
944 "dest->refcnt=%d, service %u/%s:%u\n",
945 IP_VS_DBG_ADDR(svc->af, &daddr), ntohs(dport),
946 atomic_read(&dest->refcnt),
948 IP_VS_DBG_ADDR(svc->af, &dest->vaddr),
952 * Get the destination from the trash
954 list_del(&dest->n_list);
956 __ip_vs_update_dest(svc, dest, udest, 1);
960 * Allocate and initialize the dest structure
962 ret = ip_vs_new_dest(svc, udest, &dest);
971 * Edit a destination in the given service
974 ip_vs_edit_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
976 struct ip_vs_dest *dest;
977 union nf_inet_addr daddr;
978 __be16 dport = udest->port;
982 if (udest->weight < 0) {
983 pr_err("%s(): server weight less than zero\n", __func__);
987 if (udest->l_threshold > udest->u_threshold) {
988 pr_err("%s(): lower threshold is higher than upper threshold\n",
993 ip_vs_addr_copy(svc->af, &daddr, &udest->addr);
996 * Lookup the destination list
998 dest = ip_vs_lookup_dest(svc, &daddr, dport);
1001 IP_VS_DBG(1, "%s(): dest doesn't exist\n", __func__);
1005 __ip_vs_update_dest(svc, dest, udest, 0);
1013 * Delete a destination (must be already unlinked from the service)
1015 static void __ip_vs_del_dest(struct net *net, struct ip_vs_dest *dest)
1017 struct netns_ipvs *ipvs = net_ipvs(net);
1019 ip_vs_stop_estimator(net, &dest->stats);
1022 * Remove it from the d-linked list with the real services.
1024 write_lock_bh(&ipvs->rs_lock);
1025 ip_vs_rs_unhash(dest);
1026 write_unlock_bh(&ipvs->rs_lock);
1029 * Decrease the refcnt of the dest, and free the dest
1030 * if nobody refers to it (refcnt=0). Otherwise, throw
1031 * the destination into the trash.
1033 if (atomic_dec_and_test(&dest->refcnt)) {
1034 IP_VS_DBG_BUF(3, "Removing destination %u/%s:%u\n",
1036 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1038 ip_vs_dst_reset(dest);
1039 /* simply decrease svc->refcnt here, let the caller check
1040 and release the service if nobody refers to it.
1041 Only user context can release destination and service,
1042 and only one user context can update virtual service at a
1043 time, so the operation here is OK */
1044 atomic_dec(&dest->svc->refcnt);
1045 free_percpu(dest->stats.cpustats);
1048 IP_VS_DBG_BUF(3, "Moving dest %s:%u into trash, "
1049 "dest->refcnt=%d\n",
1050 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1052 atomic_read(&dest->refcnt));
1053 list_add(&dest->n_list, &ipvs->dest_trash);
1054 atomic_inc(&dest->refcnt);
1060 * Unlink a destination from the given service
1062 static void __ip_vs_unlink_dest(struct ip_vs_service *svc,
1063 struct ip_vs_dest *dest,
1066 dest->flags &= ~IP_VS_DEST_F_AVAILABLE;
1069 * Remove it from the d-linked destination list.
1071 list_del(&dest->n_list);
1075 * Call the update_service function of its scheduler
1077 if (svcupd && svc->scheduler->update_service)
1078 svc->scheduler->update_service(svc);
1083 * Delete a destination server in the given service
1086 ip_vs_del_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
1088 struct ip_vs_dest *dest;
1089 __be16 dport = udest->port;
1093 dest = ip_vs_lookup_dest(svc, &udest->addr, dport);
1096 IP_VS_DBG(1, "%s(): destination not found!\n", __func__);
1100 write_lock_bh(&__ip_vs_svc_lock);
1103 * Wait until all other svc users go away.
1105 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1108 * Unlink dest from the service
1110 __ip_vs_unlink_dest(svc, dest, 1);
1112 write_unlock_bh(&__ip_vs_svc_lock);
1115 * Delete the destination
1117 __ip_vs_del_dest(svc->net, dest);
1126 * Add a service into the service hash table
1129 ip_vs_add_service(struct net *net, struct ip_vs_service_user_kern *u,
1130 struct ip_vs_service **svc_p)
1133 struct ip_vs_scheduler *sched = NULL;
1134 struct ip_vs_pe *pe = NULL;
1135 struct ip_vs_service *svc = NULL;
1136 struct netns_ipvs *ipvs = net_ipvs(net);
1138 /* increase the module use count */
1139 ip_vs_use_count_inc();
1141 /* Lookup the scheduler by 'u->sched_name' */
1142 sched = ip_vs_scheduler_get(u->sched_name);
1143 if (sched == NULL) {
1144 pr_info("Scheduler module ip_vs_%s not found\n", u->sched_name);
1149 if (u->pe_name && *u->pe_name) {
1150 pe = ip_vs_pe_getbyname(u->pe_name);
1152 pr_info("persistence engine module ip_vs_pe_%s "
1153 "not found\n", u->pe_name);
1159 #ifdef CONFIG_IP_VS_IPV6
1160 if (u->af == AF_INET6 && (u->netmask < 1 || u->netmask > 128)) {
1166 svc = kzalloc(sizeof(struct ip_vs_service), GFP_KERNEL);
1168 IP_VS_DBG(1, "%s(): no memory\n", __func__);
1172 svc->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
1173 if (!svc->stats.cpustats) {
1178 /* I'm the first user of the service */
1179 atomic_set(&svc->usecnt, 0);
1180 atomic_set(&svc->refcnt, 0);
1183 svc->protocol = u->protocol;
1184 ip_vs_addr_copy(svc->af, &svc->addr, &u->addr);
1185 svc->port = u->port;
1186 svc->fwmark = u->fwmark;
1187 svc->flags = u->flags;
1188 svc->timeout = u->timeout * HZ;
1189 svc->netmask = u->netmask;
1192 INIT_LIST_HEAD(&svc->destinations);
1193 rwlock_init(&svc->sched_lock);
1194 spin_lock_init(&svc->stats.lock);
1196 /* Bind the scheduler */
1197 ret = ip_vs_bind_scheduler(svc, sched);
1202 /* Bind the ct retriever */
1203 ip_vs_bind_pe(svc, pe);
1206 /* Update the virtual service counters */
1207 if (svc->port == FTPPORT)
1208 atomic_inc(&ipvs->ftpsvc_counter);
1209 else if (svc->port == 0)
1210 atomic_inc(&ipvs->nullsvc_counter);
1212 ip_vs_start_estimator(net, &svc->stats);
1214 /* Count only IPv4 services for old get/setsockopt interface */
1215 if (svc->af == AF_INET)
1216 ipvs->num_services++;
1218 /* Hash the service into the service table */
1219 write_lock_bh(&__ip_vs_svc_lock);
1220 ip_vs_svc_hash(svc);
1221 write_unlock_bh(&__ip_vs_svc_lock);
1224 /* Now there is a service - full throttle */
1231 ip_vs_unbind_scheduler(svc);
1234 ip_vs_app_inc_put(svc->inc);
1237 if (svc->stats.cpustats)
1238 free_percpu(svc->stats.cpustats);
1241 ip_vs_scheduler_put(sched);
1244 /* decrease the module use count */
1245 ip_vs_use_count_dec();
1252 * Edit a service and bind it with a new scheduler
1255 ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)
1257 struct ip_vs_scheduler *sched, *old_sched;
1258 struct ip_vs_pe *pe = NULL, *old_pe = NULL;
1262 * Lookup the scheduler, by 'u->sched_name'
1264 sched = ip_vs_scheduler_get(u->sched_name);
1265 if (sched == NULL) {
1266 pr_info("Scheduler module ip_vs_%s not found\n", u->sched_name);
1271 if (u->pe_name && *u->pe_name) {
1272 pe = ip_vs_pe_getbyname(u->pe_name);
1274 pr_info("persistence engine module ip_vs_pe_%s "
1275 "not found\n", u->pe_name);
1282 #ifdef CONFIG_IP_VS_IPV6
1283 if (u->af == AF_INET6 && (u->netmask < 1 || u->netmask > 128)) {
1289 write_lock_bh(&__ip_vs_svc_lock);
1292 * Wait until all other svc users go away.
1294 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1297 * Set the flags and timeout value
1299 svc->flags = u->flags | IP_VS_SVC_F_HASHED;
1300 svc->timeout = u->timeout * HZ;
1301 svc->netmask = u->netmask;
1303 old_sched = svc->scheduler;
1304 if (sched != old_sched) {
1306 * Unbind the old scheduler
1308 if ((ret = ip_vs_unbind_scheduler(svc))) {
1314 * Bind the new scheduler
1316 if ((ret = ip_vs_bind_scheduler(svc, sched))) {
1318 * If ip_vs_bind_scheduler fails, restore the old
1320 * The main reason of failure is out of memory.
1322 * The question is if the old scheduler can be
1323 * restored all the time. TODO: if it cannot be
1324 * restored some time, we must delete the service,
1325 * otherwise the system may crash.
1327 ip_vs_bind_scheduler(svc, old_sched);
1335 ip_vs_unbind_pe(svc);
1336 ip_vs_bind_pe(svc, pe);
1340 write_unlock_bh(&__ip_vs_svc_lock);
1342 ip_vs_scheduler_put(old_sched);
1343 ip_vs_pe_put(old_pe);
1349 * Delete a service from the service list
1350 * - The service must be unlinked, unlocked and not referenced!
1351 * - We are called under _bh lock
1353 static void __ip_vs_del_service(struct ip_vs_service *svc)
1355 struct ip_vs_dest *dest, *nxt;
1356 struct ip_vs_scheduler *old_sched;
1357 struct ip_vs_pe *old_pe;
1358 struct netns_ipvs *ipvs = net_ipvs(svc->net);
1360 pr_info("%s: enter\n", __func__);
1362 /* Count only IPv4 services for old get/setsockopt interface */
1363 if (svc->af == AF_INET)
1364 ipvs->num_services--;
1366 ip_vs_stop_estimator(svc->net, &svc->stats);
1368 /* Unbind scheduler */
1369 old_sched = svc->scheduler;
1370 ip_vs_unbind_scheduler(svc);
1371 ip_vs_scheduler_put(old_sched);
1373 /* Unbind persistence engine */
1375 ip_vs_unbind_pe(svc);
1376 ip_vs_pe_put(old_pe);
1378 /* Unbind app inc */
1380 ip_vs_app_inc_put(svc->inc);
1385 * Unlink the whole destination list
1387 list_for_each_entry_safe(dest, nxt, &svc->destinations, n_list) {
1388 __ip_vs_unlink_dest(svc, dest, 0);
1389 __ip_vs_del_dest(svc->net, dest);
1393 * Update the virtual service counters
1395 if (svc->port == FTPPORT)
1396 atomic_dec(&ipvs->ftpsvc_counter);
1397 else if (svc->port == 0)
1398 atomic_dec(&ipvs->nullsvc_counter);
1401 * Free the service if nobody refers to it
1403 if (atomic_read(&svc->refcnt) == 0) {
1404 IP_VS_DBG_BUF(3, "Removing service %u/%s:%u usecnt=%d\n",
1406 IP_VS_DBG_ADDR(svc->af, &svc->addr),
1407 ntohs(svc->port), atomic_read(&svc->usecnt));
1408 free_percpu(svc->stats.cpustats);
1412 /* decrease the module use count */
1413 ip_vs_use_count_dec();
1417 * Unlink a service from list and try to delete it if its refcnt reached 0
1419 static void ip_vs_unlink_service(struct ip_vs_service *svc)
1422 * Unhash it from the service table
1424 write_lock_bh(&__ip_vs_svc_lock);
1426 ip_vs_svc_unhash(svc);
1429 * Wait until all the svc users go away.
1431 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1433 __ip_vs_del_service(svc);
1435 write_unlock_bh(&__ip_vs_svc_lock);
1439 * Delete a service from the service list
1441 static int ip_vs_del_service(struct ip_vs_service *svc)
1445 ip_vs_unlink_service(svc);
1452 * Flush all the virtual services
1454 static int ip_vs_flush(struct net *net)
1457 struct ip_vs_service *svc, *nxt;
1460 * Flush the service table hashed by <netns,protocol,addr,port>
1462 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1463 list_for_each_entry_safe(svc, nxt, &ip_vs_svc_table[idx],
1465 if (net_eq(svc->net, net))
1466 ip_vs_unlink_service(svc);
1471 * Flush the service table hashed by fwmark
1473 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1474 list_for_each_entry_safe(svc, nxt,
1475 &ip_vs_svc_fwm_table[idx], f_list) {
1476 if (net_eq(svc->net, net))
1477 ip_vs_unlink_service(svc);
1485 * Delete service by {netns} in the service table.
1486 * Called by __ip_vs_cleanup()
1488 void ip_vs_service_net_cleanup(struct net *net)
1491 /* Check for "full" addressed entries */
1492 mutex_lock(&__ip_vs_mutex);
1494 mutex_unlock(&__ip_vs_mutex);
1498 * Release dst hold by dst_cache
1501 __ip_vs_dev_reset(struct ip_vs_dest *dest, struct net_device *dev)
1503 spin_lock_bh(&dest->dst_lock);
1504 if (dest->dst_cache && dest->dst_cache->dev == dev) {
1505 IP_VS_DBG_BUF(3, "Reset dev:%s dest %s:%u ,dest->refcnt=%d\n",
1507 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1509 atomic_read(&dest->refcnt));
1510 ip_vs_dst_reset(dest);
1512 spin_unlock_bh(&dest->dst_lock);
1516 * Netdev event receiver
1517 * Currently only NETDEV_UNREGISTER is handled, i.e. if we hold a reference to
1518 * a device that is "unregister" it must be released.
1520 static int ip_vs_dst_event(struct notifier_block *this, unsigned long event,
1523 struct net_device *dev = ptr;
1524 struct net *net = dev_net(dev);
1525 struct netns_ipvs *ipvs = net_ipvs(net);
1526 struct ip_vs_service *svc;
1527 struct ip_vs_dest *dest;
1530 if (event != NETDEV_UNREGISTER || !ipvs)
1532 IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name);
1534 mutex_lock(&__ip_vs_mutex);
1535 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1536 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1537 if (net_eq(svc->net, net)) {
1538 list_for_each_entry(dest, &svc->destinations,
1540 __ip_vs_dev_reset(dest, dev);
1545 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1546 if (net_eq(svc->net, net)) {
1547 list_for_each_entry(dest, &svc->destinations,
1549 __ip_vs_dev_reset(dest, dev);
1556 list_for_each_entry(dest, &ipvs->dest_trash, n_list) {
1557 __ip_vs_dev_reset(dest, dev);
1559 mutex_unlock(&__ip_vs_mutex);
1565 * Zero counters in a service or all services
1567 static int ip_vs_zero_service(struct ip_vs_service *svc)
1569 struct ip_vs_dest *dest;
1571 write_lock_bh(&__ip_vs_svc_lock);
1572 list_for_each_entry(dest, &svc->destinations, n_list) {
1573 ip_vs_zero_stats(&dest->stats);
1575 ip_vs_zero_stats(&svc->stats);
1576 write_unlock_bh(&__ip_vs_svc_lock);
1580 static int ip_vs_zero_all(struct net *net)
1583 struct ip_vs_service *svc;
1585 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1586 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1587 if (net_eq(svc->net, net))
1588 ip_vs_zero_service(svc);
1592 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1593 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1594 if (net_eq(svc->net, net))
1595 ip_vs_zero_service(svc);
1599 ip_vs_zero_stats(&net_ipvs(net)->tot_stats);
1603 #ifdef CONFIG_SYSCTL
1606 static int three = 3;
1609 proc_do_defense_mode(ctl_table *table, int write,
1610 void __user *buffer, size_t *lenp, loff_t *ppos)
1612 struct net *net = current->nsproxy->net_ns;
1613 int *valp = table->data;
1617 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1618 if (write && (*valp != val)) {
1619 if ((*valp < 0) || (*valp > 3)) {
1620 /* Restore the correct value */
1623 update_defense_level(net_ipvs(net));
1630 proc_do_sync_threshold(ctl_table *table, int write,
1631 void __user *buffer, size_t *lenp, loff_t *ppos)
1633 int *valp = table->data;
1637 /* backup the value first */
1638 memcpy(val, valp, sizeof(val));
1640 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1641 if (write && (valp[0] < 0 || valp[1] < 0 ||
1642 (valp[0] >= valp[1] && valp[1]))) {
1643 /* Restore the correct value */
1644 memcpy(valp, val, sizeof(val));
1650 proc_do_sync_mode(ctl_table *table, int write,
1651 void __user *buffer, size_t *lenp, loff_t *ppos)
1653 int *valp = table->data;
1657 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1658 if (write && (*valp != val)) {
1659 if ((*valp < 0) || (*valp > 1)) {
1660 /* Restore the correct value */
1668 proc_do_sync_ports(ctl_table *table, int write,
1669 void __user *buffer, size_t *lenp, loff_t *ppos)
1671 int *valp = table->data;
1675 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1676 if (write && (*valp != val)) {
1677 if (*valp < 1 || !is_power_of_2(*valp)) {
1678 /* Restore the correct value */
1686 * IPVS sysctl table (under the /proc/sys/net/ipv4/vs/)
1687 * Do not change order or insert new entries without
1688 * align with netns init in ip_vs_control_net_init()
1691 static struct ctl_table vs_vars[] = {
1693 .procname = "amemthresh",
1694 .maxlen = sizeof(int),
1696 .proc_handler = proc_dointvec,
1699 .procname = "am_droprate",
1700 .maxlen = sizeof(int),
1702 .proc_handler = proc_dointvec,
1705 .procname = "drop_entry",
1706 .maxlen = sizeof(int),
1708 .proc_handler = proc_do_defense_mode,
1711 .procname = "drop_packet",
1712 .maxlen = sizeof(int),
1714 .proc_handler = proc_do_defense_mode,
1716 #ifdef CONFIG_IP_VS_NFCT
1718 .procname = "conntrack",
1719 .maxlen = sizeof(int),
1721 .proc_handler = &proc_dointvec,
1725 .procname = "secure_tcp",
1726 .maxlen = sizeof(int),
1728 .proc_handler = proc_do_defense_mode,
1731 .procname = "snat_reroute",
1732 .maxlen = sizeof(int),
1734 .proc_handler = &proc_dointvec,
1737 .procname = "sync_version",
1738 .maxlen = sizeof(int),
1740 .proc_handler = &proc_do_sync_mode,
1743 .procname = "sync_ports",
1744 .maxlen = sizeof(int),
1746 .proc_handler = &proc_do_sync_ports,
1749 .procname = "sync_qlen_max",
1750 .maxlen = sizeof(int),
1752 .proc_handler = proc_dointvec,
1755 .procname = "sync_sock_size",
1756 .maxlen = sizeof(int),
1758 .proc_handler = proc_dointvec,
1761 .procname = "cache_bypass",
1762 .maxlen = sizeof(int),
1764 .proc_handler = proc_dointvec,
1767 .procname = "expire_nodest_conn",
1768 .maxlen = sizeof(int),
1770 .proc_handler = proc_dointvec,
1773 .procname = "expire_quiescent_template",
1774 .maxlen = sizeof(int),
1776 .proc_handler = proc_dointvec,
1779 .procname = "sync_threshold",
1781 sizeof(((struct netns_ipvs *)0)->sysctl_sync_threshold),
1783 .proc_handler = proc_do_sync_threshold,
1786 .procname = "sync_refresh_period",
1787 .maxlen = sizeof(int),
1789 .proc_handler = proc_dointvec_jiffies,
1792 .procname = "sync_retries",
1793 .maxlen = sizeof(int),
1795 .proc_handler = proc_dointvec_minmax,
1800 .procname = "nat_icmp_send",
1801 .maxlen = sizeof(int),
1803 .proc_handler = proc_dointvec,
1806 .procname = "pmtu_disc",
1807 .maxlen = sizeof(int),
1809 .proc_handler = proc_dointvec,
1811 #ifdef CONFIG_IP_VS_DEBUG
1813 .procname = "debug_level",
1814 .data = &sysctl_ip_vs_debug_level,
1815 .maxlen = sizeof(int),
1817 .proc_handler = proc_dointvec,
1822 .procname = "timeout_established",
1823 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ESTABLISHED],
1824 .maxlen = sizeof(int),
1826 .proc_handler = proc_dointvec_jiffies,
1829 .procname = "timeout_synsent",
1830 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_SENT],
1831 .maxlen = sizeof(int),
1833 .proc_handler = proc_dointvec_jiffies,
1836 .procname = "timeout_synrecv",
1837 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_RECV],
1838 .maxlen = sizeof(int),
1840 .proc_handler = proc_dointvec_jiffies,
1843 .procname = "timeout_finwait",
1844 .data = &vs_timeout_table_dos.timeout[IP_VS_S_FIN_WAIT],
1845 .maxlen = sizeof(int),
1847 .proc_handler = proc_dointvec_jiffies,
1850 .procname = "timeout_timewait",
1851 .data = &vs_timeout_table_dos.timeout[IP_VS_S_TIME_WAIT],
1852 .maxlen = sizeof(int),
1854 .proc_handler = proc_dointvec_jiffies,
1857 .procname = "timeout_close",
1858 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE],
1859 .maxlen = sizeof(int),
1861 .proc_handler = proc_dointvec_jiffies,
1864 .procname = "timeout_closewait",
1865 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE_WAIT],
1866 .maxlen = sizeof(int),
1868 .proc_handler = proc_dointvec_jiffies,
1871 .procname = "timeout_lastack",
1872 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LAST_ACK],
1873 .maxlen = sizeof(int),
1875 .proc_handler = proc_dointvec_jiffies,
1878 .procname = "timeout_listen",
1879 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LISTEN],
1880 .maxlen = sizeof(int),
1882 .proc_handler = proc_dointvec_jiffies,
1885 .procname = "timeout_synack",
1886 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYNACK],
1887 .maxlen = sizeof(int),
1889 .proc_handler = proc_dointvec_jiffies,
1892 .procname = "timeout_udp",
1893 .data = &vs_timeout_table_dos.timeout[IP_VS_S_UDP],
1894 .maxlen = sizeof(int),
1896 .proc_handler = proc_dointvec_jiffies,
1899 .procname = "timeout_icmp",
1900 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ICMP],
1901 .maxlen = sizeof(int),
1903 .proc_handler = proc_dointvec_jiffies,
1911 #ifdef CONFIG_PROC_FS
1914 struct seq_net_private p; /* Do not move this, netns depends upon it*/
1915 struct list_head *table;
1920 * Write the contents of the VS rule table to a PROCfs file.
1921 * (It is kept just for backward compatibility)
1923 static inline const char *ip_vs_fwd_name(unsigned int flags)
1925 switch (flags & IP_VS_CONN_F_FWD_MASK) {
1926 case IP_VS_CONN_F_LOCALNODE:
1928 case IP_VS_CONN_F_TUNNEL:
1930 case IP_VS_CONN_F_DROUTE:
1938 /* Get the Nth entry in the two lists */
1939 static struct ip_vs_service *ip_vs_info_array(struct seq_file *seq, loff_t pos)
1941 struct net *net = seq_file_net(seq);
1942 struct ip_vs_iter *iter = seq->private;
1944 struct ip_vs_service *svc;
1946 /* look in hash by protocol */
1947 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1948 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1949 if (net_eq(svc->net, net) && pos-- == 0) {
1950 iter->table = ip_vs_svc_table;
1957 /* keep looking in fwmark */
1958 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1959 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1960 if (net_eq(svc->net, net) && pos-- == 0) {
1961 iter->table = ip_vs_svc_fwm_table;
1971 static void *ip_vs_info_seq_start(struct seq_file *seq, loff_t *pos)
1972 __acquires(__ip_vs_svc_lock)
1975 read_lock_bh(&__ip_vs_svc_lock);
1976 return *pos ? ip_vs_info_array(seq, *pos - 1) : SEQ_START_TOKEN;
1980 static void *ip_vs_info_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1982 struct list_head *e;
1983 struct ip_vs_iter *iter;
1984 struct ip_vs_service *svc;
1987 if (v == SEQ_START_TOKEN)
1988 return ip_vs_info_array(seq,0);
1991 iter = seq->private;
1993 if (iter->table == ip_vs_svc_table) {
1994 /* next service in table hashed by protocol */
1995 if ((e = svc->s_list.next) != &ip_vs_svc_table[iter->bucket])
1996 return list_entry(e, struct ip_vs_service, s_list);
1999 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
2000 list_for_each_entry(svc,&ip_vs_svc_table[iter->bucket],
2006 iter->table = ip_vs_svc_fwm_table;
2011 /* next service in hashed by fwmark */
2012 if ((e = svc->f_list.next) != &ip_vs_svc_fwm_table[iter->bucket])
2013 return list_entry(e, struct ip_vs_service, f_list);
2016 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
2017 list_for_each_entry(svc, &ip_vs_svc_fwm_table[iter->bucket],
2025 static void ip_vs_info_seq_stop(struct seq_file *seq, void *v)
2026 __releases(__ip_vs_svc_lock)
2028 read_unlock_bh(&__ip_vs_svc_lock);
2032 static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
2034 if (v == SEQ_START_TOKEN) {
2036 "IP Virtual Server version %d.%d.%d (size=%d)\n",
2037 NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size);
2039 "Prot LocalAddress:Port Scheduler Flags\n");
2041 " -> RemoteAddress:Port Forward Weight ActiveConn InActConn\n");
2043 const struct ip_vs_service *svc = v;
2044 const struct ip_vs_iter *iter = seq->private;
2045 const struct ip_vs_dest *dest;
2047 if (iter->table == ip_vs_svc_table) {
2048 #ifdef CONFIG_IP_VS_IPV6
2049 if (svc->af == AF_INET6)
2050 seq_printf(seq, "%s [%pI6]:%04X %s ",
2051 ip_vs_proto_name(svc->protocol),
2054 svc->scheduler->name);
2057 seq_printf(seq, "%s %08X:%04X %s %s ",
2058 ip_vs_proto_name(svc->protocol),
2059 ntohl(svc->addr.ip),
2061 svc->scheduler->name,
2062 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
2064 seq_printf(seq, "FWM %08X %s %s",
2065 svc->fwmark, svc->scheduler->name,
2066 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
2069 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
2070 seq_printf(seq, "persistent %d %08X\n",
2072 ntohl(svc->netmask));
2074 seq_putc(seq, '\n');
2076 list_for_each_entry(dest, &svc->destinations, n_list) {
2077 #ifdef CONFIG_IP_VS_IPV6
2078 if (dest->af == AF_INET6)
2081 " %-7s %-6d %-10d %-10d\n",
2084 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
2085 atomic_read(&dest->weight),
2086 atomic_read(&dest->activeconns),
2087 atomic_read(&dest->inactconns));
2092 "%-7s %-6d %-10d %-10d\n",
2093 ntohl(dest->addr.ip),
2095 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
2096 atomic_read(&dest->weight),
2097 atomic_read(&dest->activeconns),
2098 atomic_read(&dest->inactconns));
2105 static const struct seq_operations ip_vs_info_seq_ops = {
2106 .start = ip_vs_info_seq_start,
2107 .next = ip_vs_info_seq_next,
2108 .stop = ip_vs_info_seq_stop,
2109 .show = ip_vs_info_seq_show,
2112 static int ip_vs_info_open(struct inode *inode, struct file *file)
2114 return seq_open_net(inode, file, &ip_vs_info_seq_ops,
2115 sizeof(struct ip_vs_iter));
2118 static const struct file_operations ip_vs_info_fops = {
2119 .owner = THIS_MODULE,
2120 .open = ip_vs_info_open,
2122 .llseek = seq_lseek,
2123 .release = seq_release_net,
2126 static int ip_vs_stats_show(struct seq_file *seq, void *v)
2128 struct net *net = seq_file_single_net(seq);
2129 struct ip_vs_stats_user show;
2131 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2133 " Total Incoming Outgoing Incoming Outgoing\n");
2135 " Conns Packets Packets Bytes Bytes\n");
2137 ip_vs_copy_stats(&show, &net_ipvs(net)->tot_stats);
2138 seq_printf(seq, "%8X %8X %8X %16LX %16LX\n\n", show.conns,
2139 show.inpkts, show.outpkts,
2140 (unsigned long long) show.inbytes,
2141 (unsigned long long) show.outbytes);
2143 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2145 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
2146 seq_printf(seq, "%8X %8X %8X %16X %16X\n",
2147 show.cps, show.inpps, show.outpps,
2148 show.inbps, show.outbps);
2153 static int ip_vs_stats_seq_open(struct inode *inode, struct file *file)
2155 return single_open_net(inode, file, ip_vs_stats_show);
2158 static const struct file_operations ip_vs_stats_fops = {
2159 .owner = THIS_MODULE,
2160 .open = ip_vs_stats_seq_open,
2162 .llseek = seq_lseek,
2163 .release = single_release_net,
2166 static int ip_vs_stats_percpu_show(struct seq_file *seq, void *v)
2168 struct net *net = seq_file_single_net(seq);
2169 struct ip_vs_stats *tot_stats = &net_ipvs(net)->tot_stats;
2170 struct ip_vs_cpu_stats *cpustats = tot_stats->cpustats;
2171 struct ip_vs_stats_user rates;
2174 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2176 " Total Incoming Outgoing Incoming Outgoing\n");
2178 "CPU Conns Packets Packets Bytes Bytes\n");
2180 for_each_possible_cpu(i) {
2181 struct ip_vs_cpu_stats *u = per_cpu_ptr(cpustats, i);
2183 __u64 inbytes, outbytes;
2186 start = u64_stats_fetch_begin_bh(&u->syncp);
2187 inbytes = u->ustats.inbytes;
2188 outbytes = u->ustats.outbytes;
2189 } while (u64_stats_fetch_retry_bh(&u->syncp, start));
2191 seq_printf(seq, "%3X %8X %8X %8X %16LX %16LX\n",
2192 i, u->ustats.conns, u->ustats.inpkts,
2193 u->ustats.outpkts, (__u64)inbytes,
2197 spin_lock_bh(&tot_stats->lock);
2199 seq_printf(seq, " ~ %8X %8X %8X %16LX %16LX\n\n",
2200 tot_stats->ustats.conns, tot_stats->ustats.inpkts,
2201 tot_stats->ustats.outpkts,
2202 (unsigned long long) tot_stats->ustats.inbytes,
2203 (unsigned long long) tot_stats->ustats.outbytes);
2205 ip_vs_read_estimator(&rates, tot_stats);
2207 spin_unlock_bh(&tot_stats->lock);
2209 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2211 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
2212 seq_printf(seq, " %8X %8X %8X %16X %16X\n",
2222 static int ip_vs_stats_percpu_seq_open(struct inode *inode, struct file *file)
2224 return single_open_net(inode, file, ip_vs_stats_percpu_show);
2227 static const struct file_operations ip_vs_stats_percpu_fops = {
2228 .owner = THIS_MODULE,
2229 .open = ip_vs_stats_percpu_seq_open,
2231 .llseek = seq_lseek,
2232 .release = single_release_net,
2237 * Set timeout values for tcp tcpfin udp in the timeout_table.
2239 static int ip_vs_set_timeout(struct net *net, struct ip_vs_timeout_user *u)
2241 #if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
2242 struct ip_vs_proto_data *pd;
2245 IP_VS_DBG(2, "Setting timeout tcp:%d tcpfin:%d udp:%d\n",
2250 #ifdef CONFIG_IP_VS_PROTO_TCP
2251 if (u->tcp_timeout) {
2252 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2253 pd->timeout_table[IP_VS_TCP_S_ESTABLISHED]
2254 = u->tcp_timeout * HZ;
2257 if (u->tcp_fin_timeout) {
2258 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2259 pd->timeout_table[IP_VS_TCP_S_FIN_WAIT]
2260 = u->tcp_fin_timeout * HZ;
2264 #ifdef CONFIG_IP_VS_PROTO_UDP
2265 if (u->udp_timeout) {
2266 pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
2267 pd->timeout_table[IP_VS_UDP_S_NORMAL]
2268 = u->udp_timeout * HZ;
2275 #define SET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
2276 #define SERVICE_ARG_LEN (sizeof(struct ip_vs_service_user))
2277 #define SVCDEST_ARG_LEN (sizeof(struct ip_vs_service_user) + \
2278 sizeof(struct ip_vs_dest_user))
2279 #define TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
2280 #define DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user))
2281 #define MAX_ARG_LEN SVCDEST_ARG_LEN
2283 static const unsigned char set_arglen[SET_CMDID(IP_VS_SO_SET_MAX)+1] = {
2284 [SET_CMDID(IP_VS_SO_SET_ADD)] = SERVICE_ARG_LEN,
2285 [SET_CMDID(IP_VS_SO_SET_EDIT)] = SERVICE_ARG_LEN,
2286 [SET_CMDID(IP_VS_SO_SET_DEL)] = SERVICE_ARG_LEN,
2287 [SET_CMDID(IP_VS_SO_SET_FLUSH)] = 0,
2288 [SET_CMDID(IP_VS_SO_SET_ADDDEST)] = SVCDEST_ARG_LEN,
2289 [SET_CMDID(IP_VS_SO_SET_DELDEST)] = SVCDEST_ARG_LEN,
2290 [SET_CMDID(IP_VS_SO_SET_EDITDEST)] = SVCDEST_ARG_LEN,
2291 [SET_CMDID(IP_VS_SO_SET_TIMEOUT)] = TIMEOUT_ARG_LEN,
2292 [SET_CMDID(IP_VS_SO_SET_STARTDAEMON)] = DAEMON_ARG_LEN,
2293 [SET_CMDID(IP_VS_SO_SET_STOPDAEMON)] = DAEMON_ARG_LEN,
2294 [SET_CMDID(IP_VS_SO_SET_ZERO)] = SERVICE_ARG_LEN,
2297 static void ip_vs_copy_usvc_compat(struct ip_vs_service_user_kern *usvc,
2298 struct ip_vs_service_user *usvc_compat)
2300 memset(usvc, 0, sizeof(*usvc));
2303 usvc->protocol = usvc_compat->protocol;
2304 usvc->addr.ip = usvc_compat->addr;
2305 usvc->port = usvc_compat->port;
2306 usvc->fwmark = usvc_compat->fwmark;
2308 /* Deep copy of sched_name is not needed here */
2309 usvc->sched_name = usvc_compat->sched_name;
2311 usvc->flags = usvc_compat->flags;
2312 usvc->timeout = usvc_compat->timeout;
2313 usvc->netmask = usvc_compat->netmask;
2316 static void ip_vs_copy_udest_compat(struct ip_vs_dest_user_kern *udest,
2317 struct ip_vs_dest_user *udest_compat)
2319 memset(udest, 0, sizeof(*udest));
2321 udest->addr.ip = udest_compat->addr;
2322 udest->port = udest_compat->port;
2323 udest->conn_flags = udest_compat->conn_flags;
2324 udest->weight = udest_compat->weight;
2325 udest->u_threshold = udest_compat->u_threshold;
2326 udest->l_threshold = udest_compat->l_threshold;
2330 do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2332 struct net *net = sock_net(sk);
2334 unsigned char arg[MAX_ARG_LEN];
2335 struct ip_vs_service_user *usvc_compat;
2336 struct ip_vs_service_user_kern usvc;
2337 struct ip_vs_service *svc;
2338 struct ip_vs_dest_user *udest_compat;
2339 struct ip_vs_dest_user_kern udest;
2340 struct netns_ipvs *ipvs = net_ipvs(net);
2342 if (!capable(CAP_NET_ADMIN))
2345 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
2347 if (len < 0 || len > MAX_ARG_LEN)
2349 if (len != set_arglen[SET_CMDID(cmd)]) {
2350 pr_err("set_ctl: len %u != %u\n",
2351 len, set_arglen[SET_CMDID(cmd)]);
2355 if (copy_from_user(arg, user, len) != 0)
2358 /* increase the module use count */
2359 ip_vs_use_count_inc();
2361 /* Handle daemons since they have another lock */
2362 if (cmd == IP_VS_SO_SET_STARTDAEMON ||
2363 cmd == IP_VS_SO_SET_STOPDAEMON) {
2364 struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
2366 if (mutex_lock_interruptible(&ipvs->sync_mutex)) {
2370 if (cmd == IP_VS_SO_SET_STARTDAEMON)
2371 ret = start_sync_thread(net, dm->state, dm->mcast_ifn,
2374 ret = stop_sync_thread(net, dm->state);
2375 mutex_unlock(&ipvs->sync_mutex);
2379 if (mutex_lock_interruptible(&__ip_vs_mutex)) {
2384 if (cmd == IP_VS_SO_SET_FLUSH) {
2385 /* Flush the virtual service */
2386 ret = ip_vs_flush(net);
2388 } else if (cmd == IP_VS_SO_SET_TIMEOUT) {
2389 /* Set timeout values for (tcp tcpfin udp) */
2390 ret = ip_vs_set_timeout(net, (struct ip_vs_timeout_user *)arg);
2394 usvc_compat = (struct ip_vs_service_user *)arg;
2395 udest_compat = (struct ip_vs_dest_user *)(usvc_compat + 1);
2397 /* We only use the new structs internally, so copy userspace compat
2398 * structs to extended internal versions */
2399 ip_vs_copy_usvc_compat(&usvc, usvc_compat);
2400 ip_vs_copy_udest_compat(&udest, udest_compat);
2402 if (cmd == IP_VS_SO_SET_ZERO) {
2403 /* if no service address is set, zero counters in all */
2404 if (!usvc.fwmark && !usvc.addr.ip && !usvc.port) {
2405 ret = ip_vs_zero_all(net);
2410 /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
2411 if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
2412 usvc.protocol != IPPROTO_SCTP) {
2413 pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
2414 usvc.protocol, &usvc.addr.ip,
2415 ntohs(usvc.port), usvc.sched_name);
2420 /* Lookup the exact service by <protocol, addr, port> or fwmark */
2421 if (usvc.fwmark == 0)
2422 svc = __ip_vs_service_find(net, usvc.af, usvc.protocol,
2423 &usvc.addr, usvc.port);
2425 svc = __ip_vs_svc_fwm_find(net, usvc.af, usvc.fwmark);
2427 if (cmd != IP_VS_SO_SET_ADD
2428 && (svc == NULL || svc->protocol != usvc.protocol)) {
2434 case IP_VS_SO_SET_ADD:
2438 ret = ip_vs_add_service(net, &usvc, &svc);
2440 case IP_VS_SO_SET_EDIT:
2441 ret = ip_vs_edit_service(svc, &usvc);
2443 case IP_VS_SO_SET_DEL:
2444 ret = ip_vs_del_service(svc);
2448 case IP_VS_SO_SET_ZERO:
2449 ret = ip_vs_zero_service(svc);
2451 case IP_VS_SO_SET_ADDDEST:
2452 ret = ip_vs_add_dest(svc, &udest);
2454 case IP_VS_SO_SET_EDITDEST:
2455 ret = ip_vs_edit_dest(svc, &udest);
2457 case IP_VS_SO_SET_DELDEST:
2458 ret = ip_vs_del_dest(svc, &udest);
2465 mutex_unlock(&__ip_vs_mutex);
2467 /* decrease the module use count */
2468 ip_vs_use_count_dec();
2475 ip_vs_copy_service(struct ip_vs_service_entry *dst, struct ip_vs_service *src)
2477 dst->protocol = src->protocol;
2478 dst->addr = src->addr.ip;
2479 dst->port = src->port;
2480 dst->fwmark = src->fwmark;
2481 strlcpy(dst->sched_name, src->scheduler->name, sizeof(dst->sched_name));
2482 dst->flags = src->flags;
2483 dst->timeout = src->timeout / HZ;
2484 dst->netmask = src->netmask;
2485 dst->num_dests = src->num_dests;
2486 ip_vs_copy_stats(&dst->stats, &src->stats);
2490 __ip_vs_get_service_entries(struct net *net,
2491 const struct ip_vs_get_services *get,
2492 struct ip_vs_get_services __user *uptr)
2495 struct ip_vs_service *svc;
2496 struct ip_vs_service_entry entry;
2499 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2500 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
2501 /* Only expose IPv4 entries to old interface */
2502 if (svc->af != AF_INET || !net_eq(svc->net, net))
2505 if (count >= get->num_services)
2507 memset(&entry, 0, sizeof(entry));
2508 ip_vs_copy_service(&entry, svc);
2509 if (copy_to_user(&uptr->entrytable[count],
2510 &entry, sizeof(entry))) {
2518 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2519 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
2520 /* Only expose IPv4 entries to old interface */
2521 if (svc->af != AF_INET || !net_eq(svc->net, net))
2524 if (count >= get->num_services)
2526 memset(&entry, 0, sizeof(entry));
2527 ip_vs_copy_service(&entry, svc);
2528 if (copy_to_user(&uptr->entrytable[count],
2529 &entry, sizeof(entry))) {
2541 __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
2542 struct ip_vs_get_dests __user *uptr)
2544 struct ip_vs_service *svc;
2545 union nf_inet_addr addr = { .ip = get->addr };
2549 svc = __ip_vs_svc_fwm_find(net, AF_INET, get->fwmark);
2551 svc = __ip_vs_service_find(net, AF_INET, get->protocol, &addr,
2556 struct ip_vs_dest *dest;
2557 struct ip_vs_dest_entry entry;
2559 list_for_each_entry(dest, &svc->destinations, n_list) {
2560 if (count >= get->num_dests)
2563 entry.addr = dest->addr.ip;
2564 entry.port = dest->port;
2565 entry.conn_flags = atomic_read(&dest->conn_flags);
2566 entry.weight = atomic_read(&dest->weight);
2567 entry.u_threshold = dest->u_threshold;
2568 entry.l_threshold = dest->l_threshold;
2569 entry.activeconns = atomic_read(&dest->activeconns);
2570 entry.inactconns = atomic_read(&dest->inactconns);
2571 entry.persistconns = atomic_read(&dest->persistconns);
2572 ip_vs_copy_stats(&entry.stats, &dest->stats);
2573 if (copy_to_user(&uptr->entrytable[count],
2574 &entry, sizeof(entry))) {
2586 __ip_vs_get_timeouts(struct net *net, struct ip_vs_timeout_user *u)
2588 #if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
2589 struct ip_vs_proto_data *pd;
2592 #ifdef CONFIG_IP_VS_PROTO_TCP
2593 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2594 u->tcp_timeout = pd->timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;
2595 u->tcp_fin_timeout = pd->timeout_table[IP_VS_TCP_S_FIN_WAIT] / HZ;
2597 #ifdef CONFIG_IP_VS_PROTO_UDP
2598 pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
2600 pd->timeout_table[IP_VS_UDP_S_NORMAL] / HZ;
2605 #define GET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
2606 #define GET_INFO_ARG_LEN (sizeof(struct ip_vs_getinfo))
2607 #define GET_SERVICES_ARG_LEN (sizeof(struct ip_vs_get_services))
2608 #define GET_SERVICE_ARG_LEN (sizeof(struct ip_vs_service_entry))
2609 #define GET_DESTS_ARG_LEN (sizeof(struct ip_vs_get_dests))
2610 #define GET_TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
2611 #define GET_DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user) * 2)
2613 static const unsigned char get_arglen[GET_CMDID(IP_VS_SO_GET_MAX)+1] = {
2614 [GET_CMDID(IP_VS_SO_GET_VERSION)] = 64,
2615 [GET_CMDID(IP_VS_SO_GET_INFO)] = GET_INFO_ARG_LEN,
2616 [GET_CMDID(IP_VS_SO_GET_SERVICES)] = GET_SERVICES_ARG_LEN,
2617 [GET_CMDID(IP_VS_SO_GET_SERVICE)] = GET_SERVICE_ARG_LEN,
2618 [GET_CMDID(IP_VS_SO_GET_DESTS)] = GET_DESTS_ARG_LEN,
2619 [GET_CMDID(IP_VS_SO_GET_TIMEOUT)] = GET_TIMEOUT_ARG_LEN,
2620 [GET_CMDID(IP_VS_SO_GET_DAEMON)] = GET_DAEMON_ARG_LEN,
2624 do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2626 unsigned char arg[128];
2628 unsigned int copylen;
2629 struct net *net = sock_net(sk);
2630 struct netns_ipvs *ipvs = net_ipvs(net);
2633 if (!capable(CAP_NET_ADMIN))
2636 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)
2639 if (*len < get_arglen[GET_CMDID(cmd)]) {
2640 pr_err("get_ctl: len %u < %u\n",
2641 *len, get_arglen[GET_CMDID(cmd)]);
2645 copylen = get_arglen[GET_CMDID(cmd)];
2649 if (copy_from_user(arg, user, copylen) != 0)
2652 * Handle daemons first since it has its own locking
2654 if (cmd == IP_VS_SO_GET_DAEMON) {
2655 struct ip_vs_daemon_user d[2];
2657 memset(&d, 0, sizeof(d));
2658 if (mutex_lock_interruptible(&ipvs->sync_mutex))
2659 return -ERESTARTSYS;
2661 if (ipvs->sync_state & IP_VS_STATE_MASTER) {
2662 d[0].state = IP_VS_STATE_MASTER;
2663 strlcpy(d[0].mcast_ifn, ipvs->master_mcast_ifn,
2664 sizeof(d[0].mcast_ifn));
2665 d[0].syncid = ipvs->master_syncid;
2667 if (ipvs->sync_state & IP_VS_STATE_BACKUP) {
2668 d[1].state = IP_VS_STATE_BACKUP;
2669 strlcpy(d[1].mcast_ifn, ipvs->backup_mcast_ifn,
2670 sizeof(d[1].mcast_ifn));
2671 d[1].syncid = ipvs->backup_syncid;
2673 if (copy_to_user(user, &d, sizeof(d)) != 0)
2675 mutex_unlock(&ipvs->sync_mutex);
2679 if (mutex_lock_interruptible(&__ip_vs_mutex))
2680 return -ERESTARTSYS;
2683 case IP_VS_SO_GET_VERSION:
2687 sprintf(buf, "IP Virtual Server version %d.%d.%d (size=%d)",
2688 NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size);
2689 if (copy_to_user(user, buf, strlen(buf)+1) != 0) {
2693 *len = strlen(buf)+1;
2697 case IP_VS_SO_GET_INFO:
2699 struct ip_vs_getinfo info;
2700 info.version = IP_VS_VERSION_CODE;
2701 info.size = ip_vs_conn_tab_size;
2702 info.num_services = ipvs->num_services;
2703 if (copy_to_user(user, &info, sizeof(info)) != 0)
2708 case IP_VS_SO_GET_SERVICES:
2710 struct ip_vs_get_services *get;
2713 get = (struct ip_vs_get_services *)arg;
2714 size = sizeof(*get) +
2715 sizeof(struct ip_vs_service_entry) * get->num_services;
2717 pr_err("length: %u != %u\n", *len, size);
2721 ret = __ip_vs_get_service_entries(net, get, user);
2725 case IP_VS_SO_GET_SERVICE:
2727 struct ip_vs_service_entry *entry;
2728 struct ip_vs_service *svc;
2729 union nf_inet_addr addr;
2731 entry = (struct ip_vs_service_entry *)arg;
2732 addr.ip = entry->addr;
2734 svc = __ip_vs_svc_fwm_find(net, AF_INET, entry->fwmark);
2736 svc = __ip_vs_service_find(net, AF_INET,
2737 entry->protocol, &addr,
2740 ip_vs_copy_service(entry, svc);
2741 if (copy_to_user(user, entry, sizeof(*entry)) != 0)
2748 case IP_VS_SO_GET_DESTS:
2750 struct ip_vs_get_dests *get;
2753 get = (struct ip_vs_get_dests *)arg;
2754 size = sizeof(*get) +
2755 sizeof(struct ip_vs_dest_entry) * get->num_dests;
2757 pr_err("length: %u != %u\n", *len, size);
2761 ret = __ip_vs_get_dest_entries(net, get, user);
2765 case IP_VS_SO_GET_TIMEOUT:
2767 struct ip_vs_timeout_user t;
2769 memset(&t, 0, sizeof(t));
2770 __ip_vs_get_timeouts(net, &t);
2771 if (copy_to_user(user, &t, sizeof(t)) != 0)
2781 mutex_unlock(&__ip_vs_mutex);
2786 static struct nf_sockopt_ops ip_vs_sockopts = {
2788 .set_optmin = IP_VS_BASE_CTL,
2789 .set_optmax = IP_VS_SO_SET_MAX+1,
2790 .set = do_ip_vs_set_ctl,
2791 .get_optmin = IP_VS_BASE_CTL,
2792 .get_optmax = IP_VS_SO_GET_MAX+1,
2793 .get = do_ip_vs_get_ctl,
2794 .owner = THIS_MODULE,
2798 * Generic Netlink interface
2801 /* IPVS genetlink family */
2802 static struct genl_family ip_vs_genl_family = {
2803 .id = GENL_ID_GENERATE,
2805 .name = IPVS_GENL_NAME,
2806 .version = IPVS_GENL_VERSION,
2807 .maxattr = IPVS_CMD_MAX,
2808 .netnsok = true, /* Make ipvsadm to work on netns */
2811 /* Policy used for first-level command attributes */
2812 static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
2813 [IPVS_CMD_ATTR_SERVICE] = { .type = NLA_NESTED },
2814 [IPVS_CMD_ATTR_DEST] = { .type = NLA_NESTED },
2815 [IPVS_CMD_ATTR_DAEMON] = { .type = NLA_NESTED },
2816 [IPVS_CMD_ATTR_TIMEOUT_TCP] = { .type = NLA_U32 },
2817 [IPVS_CMD_ATTR_TIMEOUT_TCP_FIN] = { .type = NLA_U32 },
2818 [IPVS_CMD_ATTR_TIMEOUT_UDP] = { .type = NLA_U32 },
2821 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DAEMON */
2822 static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
2823 [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 },
2824 [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING,
2825 .len = IP_VS_IFNAME_MAXLEN },
2826 [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 },
2829 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_SERVICE */
2830 static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
2831 [IPVS_SVC_ATTR_AF] = { .type = NLA_U16 },
2832 [IPVS_SVC_ATTR_PROTOCOL] = { .type = NLA_U16 },
2833 [IPVS_SVC_ATTR_ADDR] = { .type = NLA_BINARY,
2834 .len = sizeof(union nf_inet_addr) },
2835 [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 },
2836 [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 },
2837 [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING,
2838 .len = IP_VS_SCHEDNAME_MAXLEN },
2839 [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING,
2840 .len = IP_VS_PENAME_MAXLEN },
2841 [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY,
2842 .len = sizeof(struct ip_vs_flags) },
2843 [IPVS_SVC_ATTR_TIMEOUT] = { .type = NLA_U32 },
2844 [IPVS_SVC_ATTR_NETMASK] = { .type = NLA_U32 },
2845 [IPVS_SVC_ATTR_STATS] = { .type = NLA_NESTED },
2848 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DEST */
2849 static const struct nla_policy ip_vs_dest_policy[IPVS_DEST_ATTR_MAX + 1] = {
2850 [IPVS_DEST_ATTR_ADDR] = { .type = NLA_BINARY,
2851 .len = sizeof(union nf_inet_addr) },
2852 [IPVS_DEST_ATTR_PORT] = { .type = NLA_U16 },
2853 [IPVS_DEST_ATTR_FWD_METHOD] = { .type = NLA_U32 },
2854 [IPVS_DEST_ATTR_WEIGHT] = { .type = NLA_U32 },
2855 [IPVS_DEST_ATTR_U_THRESH] = { .type = NLA_U32 },
2856 [IPVS_DEST_ATTR_L_THRESH] = { .type = NLA_U32 },
2857 [IPVS_DEST_ATTR_ACTIVE_CONNS] = { .type = NLA_U32 },
2858 [IPVS_DEST_ATTR_INACT_CONNS] = { .type = NLA_U32 },
2859 [IPVS_DEST_ATTR_PERSIST_CONNS] = { .type = NLA_U32 },
2860 [IPVS_DEST_ATTR_STATS] = { .type = NLA_NESTED },
2863 static int ip_vs_genl_fill_stats(struct sk_buff *skb, int container_type,
2864 struct ip_vs_stats *stats)
2866 struct ip_vs_stats_user ustats;
2867 struct nlattr *nl_stats = nla_nest_start(skb, container_type);
2871 ip_vs_copy_stats(&ustats, stats);
2873 if (nla_put_u32(skb, IPVS_STATS_ATTR_CONNS, ustats.conns) ||
2874 nla_put_u32(skb, IPVS_STATS_ATTR_INPKTS, ustats.inpkts) ||
2875 nla_put_u32(skb, IPVS_STATS_ATTR_OUTPKTS, ustats.outpkts) ||
2876 nla_put_u64(skb, IPVS_STATS_ATTR_INBYTES, ustats.inbytes) ||
2877 nla_put_u64(skb, IPVS_STATS_ATTR_OUTBYTES, ustats.outbytes) ||
2878 nla_put_u32(skb, IPVS_STATS_ATTR_CPS, ustats.cps) ||
2879 nla_put_u32(skb, IPVS_STATS_ATTR_INPPS, ustats.inpps) ||
2880 nla_put_u32(skb, IPVS_STATS_ATTR_OUTPPS, ustats.outpps) ||
2881 nla_put_u32(skb, IPVS_STATS_ATTR_INBPS, ustats.inbps) ||
2882 nla_put_u32(skb, IPVS_STATS_ATTR_OUTBPS, ustats.outbps))
2883 goto nla_put_failure;
2884 nla_nest_end(skb, nl_stats);
2889 nla_nest_cancel(skb, nl_stats);
2893 static int ip_vs_genl_fill_service(struct sk_buff *skb,
2894 struct ip_vs_service *svc)
2896 struct nlattr *nl_service;
2897 struct ip_vs_flags flags = { .flags = svc->flags,
2900 nl_service = nla_nest_start(skb, IPVS_CMD_ATTR_SERVICE);
2904 if (nla_put_u16(skb, IPVS_SVC_ATTR_AF, svc->af))
2905 goto nla_put_failure;
2907 if (nla_put_u32(skb, IPVS_SVC_ATTR_FWMARK, svc->fwmark))
2908 goto nla_put_failure;
2910 if (nla_put_u16(skb, IPVS_SVC_ATTR_PROTOCOL, svc->protocol) ||
2911 nla_put(skb, IPVS_SVC_ATTR_ADDR, sizeof(svc->addr), &svc->addr) ||
2912 nla_put_u16(skb, IPVS_SVC_ATTR_PORT, svc->port))
2913 goto nla_put_failure;
2916 if (nla_put_string(skb, IPVS_SVC_ATTR_SCHED_NAME, svc->scheduler->name) ||
2918 nla_put_string(skb, IPVS_SVC_ATTR_PE_NAME, svc->pe->name)) ||
2919 nla_put(skb, IPVS_SVC_ATTR_FLAGS, sizeof(flags), &flags) ||
2920 nla_put_u32(skb, IPVS_SVC_ATTR_TIMEOUT, svc->timeout / HZ) ||
2921 nla_put_u32(skb, IPVS_SVC_ATTR_NETMASK, svc->netmask))
2922 goto nla_put_failure;
2923 if (ip_vs_genl_fill_stats(skb, IPVS_SVC_ATTR_STATS, &svc->stats))
2924 goto nla_put_failure;
2926 nla_nest_end(skb, nl_service);
2931 nla_nest_cancel(skb, nl_service);
2935 static int ip_vs_genl_dump_service(struct sk_buff *skb,
2936 struct ip_vs_service *svc,
2937 struct netlink_callback *cb)
2941 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
2942 &ip_vs_genl_family, NLM_F_MULTI,
2943 IPVS_CMD_NEW_SERVICE);
2947 if (ip_vs_genl_fill_service(skb, svc) < 0)
2948 goto nla_put_failure;
2950 return genlmsg_end(skb, hdr);
2953 genlmsg_cancel(skb, hdr);
2957 static int ip_vs_genl_dump_services(struct sk_buff *skb,
2958 struct netlink_callback *cb)
2961 int start = cb->args[0];
2962 struct ip_vs_service *svc;
2963 struct net *net = skb_sknet(skb);
2965 mutex_lock(&__ip_vs_mutex);
2966 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
2967 list_for_each_entry(svc, &ip_vs_svc_table[i], s_list) {
2968 if (++idx <= start || !net_eq(svc->net, net))
2970 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
2972 goto nla_put_failure;
2977 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
2978 list_for_each_entry(svc, &ip_vs_svc_fwm_table[i], f_list) {
2979 if (++idx <= start || !net_eq(svc->net, net))
2981 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
2983 goto nla_put_failure;
2989 mutex_unlock(&__ip_vs_mutex);
2995 static int ip_vs_genl_parse_service(struct net *net,
2996 struct ip_vs_service_user_kern *usvc,
2997 struct nlattr *nla, int full_entry,
2998 struct ip_vs_service **ret_svc)
3000 struct nlattr *attrs[IPVS_SVC_ATTR_MAX + 1];
3001 struct nlattr *nla_af, *nla_port, *nla_fwmark, *nla_protocol, *nla_addr;
3002 struct ip_vs_service *svc;
3004 /* Parse mandatory identifying service fields first */
3006 nla_parse_nested(attrs, IPVS_SVC_ATTR_MAX, nla, ip_vs_svc_policy))
3009 nla_af = attrs[IPVS_SVC_ATTR_AF];
3010 nla_protocol = attrs[IPVS_SVC_ATTR_PROTOCOL];
3011 nla_addr = attrs[IPVS_SVC_ATTR_ADDR];
3012 nla_port = attrs[IPVS_SVC_ATTR_PORT];
3013 nla_fwmark = attrs[IPVS_SVC_ATTR_FWMARK];
3015 if (!(nla_af && (nla_fwmark || (nla_port && nla_protocol && nla_addr))))
3018 memset(usvc, 0, sizeof(*usvc));
3020 usvc->af = nla_get_u16(nla_af);
3021 #ifdef CONFIG_IP_VS_IPV6
3022 if (usvc->af != AF_INET && usvc->af != AF_INET6)
3024 if (usvc->af != AF_INET)
3026 return -EAFNOSUPPORT;
3029 usvc->protocol = IPPROTO_TCP;
3030 usvc->fwmark = nla_get_u32(nla_fwmark);
3032 usvc->protocol = nla_get_u16(nla_protocol);
3033 nla_memcpy(&usvc->addr, nla_addr, sizeof(usvc->addr));
3034 usvc->port = nla_get_u16(nla_port);
3039 svc = __ip_vs_svc_fwm_find(net, usvc->af, usvc->fwmark);
3041 svc = __ip_vs_service_find(net, usvc->af, usvc->protocol,
3042 &usvc->addr, usvc->port);
3045 /* If a full entry was requested, check for the additional fields */
3047 struct nlattr *nla_sched, *nla_flags, *nla_pe, *nla_timeout,
3049 struct ip_vs_flags flags;
3051 nla_sched = attrs[IPVS_SVC_ATTR_SCHED_NAME];
3052 nla_pe = attrs[IPVS_SVC_ATTR_PE_NAME];
3053 nla_flags = attrs[IPVS_SVC_ATTR_FLAGS];
3054 nla_timeout = attrs[IPVS_SVC_ATTR_TIMEOUT];
3055 nla_netmask = attrs[IPVS_SVC_ATTR_NETMASK];
3057 if (!(nla_sched && nla_flags && nla_timeout && nla_netmask))
3060 nla_memcpy(&flags, nla_flags, sizeof(flags));
3062 /* prefill flags from service if it already exists */
3064 usvc->flags = svc->flags;
3066 /* set new flags from userland */
3067 usvc->flags = (usvc->flags & ~flags.mask) |
3068 (flags.flags & flags.mask);
3069 usvc->sched_name = nla_data(nla_sched);
3070 usvc->pe_name = nla_pe ? nla_data(nla_pe) : NULL;
3071 usvc->timeout = nla_get_u32(nla_timeout);
3072 usvc->netmask = nla_get_u32(nla_netmask);
3078 static struct ip_vs_service *ip_vs_genl_find_service(struct net *net,
3081 struct ip_vs_service_user_kern usvc;
3082 struct ip_vs_service *svc;
3085 ret = ip_vs_genl_parse_service(net, &usvc, nla, 0, &svc);
3086 return ret ? ERR_PTR(ret) : svc;
3089 static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
3091 struct nlattr *nl_dest;
3093 nl_dest = nla_nest_start(skb, IPVS_CMD_ATTR_DEST);
3097 if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
3098 nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
3099 nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
3100 (atomic_read(&dest->conn_flags) &
3101 IP_VS_CONN_F_FWD_MASK)) ||
3102 nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
3103 atomic_read(&dest->weight)) ||
3104 nla_put_u32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold) ||
3105 nla_put_u32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold) ||
3106 nla_put_u32(skb, IPVS_DEST_ATTR_ACTIVE_CONNS,
3107 atomic_read(&dest->activeconns)) ||
3108 nla_put_u32(skb, IPVS_DEST_ATTR_INACT_CONNS,
3109 atomic_read(&dest->inactconns)) ||
3110 nla_put_u32(skb, IPVS_DEST_ATTR_PERSIST_CONNS,
3111 atomic_read(&dest->persistconns)))
3112 goto nla_put_failure;
3113 if (ip_vs_genl_fill_stats(skb, IPVS_DEST_ATTR_STATS, &dest->stats))
3114 goto nla_put_failure;
3116 nla_nest_end(skb, nl_dest);
3121 nla_nest_cancel(skb, nl_dest);
3125 static int ip_vs_genl_dump_dest(struct sk_buff *skb, struct ip_vs_dest *dest,
3126 struct netlink_callback *cb)
3130 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
3131 &ip_vs_genl_family, NLM_F_MULTI,
3136 if (ip_vs_genl_fill_dest(skb, dest) < 0)
3137 goto nla_put_failure;
3139 return genlmsg_end(skb, hdr);
3142 genlmsg_cancel(skb, hdr);
3146 static int ip_vs_genl_dump_dests(struct sk_buff *skb,
3147 struct netlink_callback *cb)
3150 int start = cb->args[0];
3151 struct ip_vs_service *svc;
3152 struct ip_vs_dest *dest;
3153 struct nlattr *attrs[IPVS_CMD_ATTR_MAX + 1];
3154 struct net *net = skb_sknet(skb);
3156 mutex_lock(&__ip_vs_mutex);
3158 /* Try to find the service for which to dump destinations */
3159 if (nlmsg_parse(cb->nlh, GENL_HDRLEN, attrs,
3160 IPVS_CMD_ATTR_MAX, ip_vs_cmd_policy))
3164 svc = ip_vs_genl_find_service(net, attrs[IPVS_CMD_ATTR_SERVICE]);
3165 if (IS_ERR(svc) || svc == NULL)
3168 /* Dump the destinations */
3169 list_for_each_entry(dest, &svc->destinations, n_list) {
3172 if (ip_vs_genl_dump_dest(skb, dest, cb) < 0) {
3174 goto nla_put_failure;
3182 mutex_unlock(&__ip_vs_mutex);
3187 static int ip_vs_genl_parse_dest(struct ip_vs_dest_user_kern *udest,
3188 struct nlattr *nla, int full_entry)
3190 struct nlattr *attrs[IPVS_DEST_ATTR_MAX + 1];
3191 struct nlattr *nla_addr, *nla_port;
3193 /* Parse mandatory identifying destination fields first */
3195 nla_parse_nested(attrs, IPVS_DEST_ATTR_MAX, nla, ip_vs_dest_policy))
3198 nla_addr = attrs[IPVS_DEST_ATTR_ADDR];
3199 nla_port = attrs[IPVS_DEST_ATTR_PORT];
3201 if (!(nla_addr && nla_port))
3204 memset(udest, 0, sizeof(*udest));
3206 nla_memcpy(&udest->addr, nla_addr, sizeof(udest->addr));
3207 udest->port = nla_get_u16(nla_port);
3209 /* If a full entry was requested, check for the additional fields */
3211 struct nlattr *nla_fwd, *nla_weight, *nla_u_thresh,
3214 nla_fwd = attrs[IPVS_DEST_ATTR_FWD_METHOD];
3215 nla_weight = attrs[IPVS_DEST_ATTR_WEIGHT];
3216 nla_u_thresh = attrs[IPVS_DEST_ATTR_U_THRESH];
3217 nla_l_thresh = attrs[IPVS_DEST_ATTR_L_THRESH];
3219 if (!(nla_fwd && nla_weight && nla_u_thresh && nla_l_thresh))
3222 udest->conn_flags = nla_get_u32(nla_fwd)
3223 & IP_VS_CONN_F_FWD_MASK;
3224 udest->weight = nla_get_u32(nla_weight);
3225 udest->u_threshold = nla_get_u32(nla_u_thresh);
3226 udest->l_threshold = nla_get_u32(nla_l_thresh);
3232 static int ip_vs_genl_fill_daemon(struct sk_buff *skb, __be32 state,
3233 const char *mcast_ifn, __be32 syncid)
3235 struct nlattr *nl_daemon;
3237 nl_daemon = nla_nest_start(skb, IPVS_CMD_ATTR_DAEMON);
3241 if (nla_put_u32(skb, IPVS_DAEMON_ATTR_STATE, state) ||
3242 nla_put_string(skb, IPVS_DAEMON_ATTR_MCAST_IFN, mcast_ifn) ||
3243 nla_put_u32(skb, IPVS_DAEMON_ATTR_SYNC_ID, syncid))
3244 goto nla_put_failure;
3245 nla_nest_end(skb, nl_daemon);
3250 nla_nest_cancel(skb, nl_daemon);
3254 static int ip_vs_genl_dump_daemon(struct sk_buff *skb, __be32 state,
3255 const char *mcast_ifn, __be32 syncid,
3256 struct netlink_callback *cb)
3259 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
3260 &ip_vs_genl_family, NLM_F_MULTI,
3261 IPVS_CMD_NEW_DAEMON);
3265 if (ip_vs_genl_fill_daemon(skb, state, mcast_ifn, syncid))
3266 goto nla_put_failure;
3268 return genlmsg_end(skb, hdr);
3271 genlmsg_cancel(skb, hdr);
3275 static int ip_vs_genl_dump_daemons(struct sk_buff *skb,
3276 struct netlink_callback *cb)
3278 struct net *net = skb_sknet(skb);
3279 struct netns_ipvs *ipvs = net_ipvs(net);
3281 mutex_lock(&ipvs->sync_mutex);
3282 if ((ipvs->sync_state & IP_VS_STATE_MASTER) && !cb->args[0]) {
3283 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_MASTER,
3284 ipvs->master_mcast_ifn,
3285 ipvs->master_syncid, cb) < 0)
3286 goto nla_put_failure;
3291 if ((ipvs->sync_state & IP_VS_STATE_BACKUP) && !cb->args[1]) {
3292 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_BACKUP,
3293 ipvs->backup_mcast_ifn,
3294 ipvs->backup_syncid, cb) < 0)
3295 goto nla_put_failure;
3301 mutex_unlock(&ipvs->sync_mutex);
3306 static int ip_vs_genl_new_daemon(struct net *net, struct nlattr **attrs)
3308 if (!(attrs[IPVS_DAEMON_ATTR_STATE] &&
3309 attrs[IPVS_DAEMON_ATTR_MCAST_IFN] &&
3310 attrs[IPVS_DAEMON_ATTR_SYNC_ID]))
3313 return start_sync_thread(net,
3314 nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]),
3315 nla_data(attrs[IPVS_DAEMON_ATTR_MCAST_IFN]),
3316 nla_get_u32(attrs[IPVS_DAEMON_ATTR_SYNC_ID]));
3319 static int ip_vs_genl_del_daemon(struct net *net, struct nlattr **attrs)
3321 if (!attrs[IPVS_DAEMON_ATTR_STATE])
3324 return stop_sync_thread(net,
3325 nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
3328 static int ip_vs_genl_set_config(struct net *net, struct nlattr **attrs)
3330 struct ip_vs_timeout_user t;
3332 __ip_vs_get_timeouts(net, &t);
3334 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP])
3335 t.tcp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP]);
3337 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN])
3339 nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN]);
3341 if (attrs[IPVS_CMD_ATTR_TIMEOUT_UDP])
3342 t.udp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_UDP]);
3344 return ip_vs_set_timeout(net, &t);
3347 static int ip_vs_genl_set_daemon(struct sk_buff *skb, struct genl_info *info)
3351 struct netns_ipvs *ipvs;
3353 net = skb_sknet(skb);
3354 ipvs = net_ipvs(net);
3355 cmd = info->genlhdr->cmd;
3357 if (cmd == IPVS_CMD_NEW_DAEMON || cmd == IPVS_CMD_DEL_DAEMON) {
3358 struct nlattr *daemon_attrs[IPVS_DAEMON_ATTR_MAX + 1];
3360 mutex_lock(&ipvs->sync_mutex);
3361 if (!info->attrs[IPVS_CMD_ATTR_DAEMON] ||
3362 nla_parse_nested(daemon_attrs, IPVS_DAEMON_ATTR_MAX,
3363 info->attrs[IPVS_CMD_ATTR_DAEMON],
3364 ip_vs_daemon_policy)) {
3369 if (cmd == IPVS_CMD_NEW_DAEMON)
3370 ret = ip_vs_genl_new_daemon(net, daemon_attrs);
3372 ret = ip_vs_genl_del_daemon(net, daemon_attrs);
3374 mutex_unlock(&ipvs->sync_mutex);
3379 static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
3381 struct ip_vs_service *svc = NULL;
3382 struct ip_vs_service_user_kern usvc;
3383 struct ip_vs_dest_user_kern udest;
3385 int need_full_svc = 0, need_full_dest = 0;
3388 net = skb_sknet(skb);
3389 cmd = info->genlhdr->cmd;
3391 mutex_lock(&__ip_vs_mutex);
3393 if (cmd == IPVS_CMD_FLUSH) {
3394 ret = ip_vs_flush(net);
3396 } else if (cmd == IPVS_CMD_SET_CONFIG) {
3397 ret = ip_vs_genl_set_config(net, info->attrs);
3399 } else if (cmd == IPVS_CMD_ZERO &&
3400 !info->attrs[IPVS_CMD_ATTR_SERVICE]) {
3401 ret = ip_vs_zero_all(net);
3405 /* All following commands require a service argument, so check if we
3406 * received a valid one. We need a full service specification when
3407 * adding / editing a service. Only identifying members otherwise. */
3408 if (cmd == IPVS_CMD_NEW_SERVICE || cmd == IPVS_CMD_SET_SERVICE)
3411 ret = ip_vs_genl_parse_service(net, &usvc,
3412 info->attrs[IPVS_CMD_ATTR_SERVICE],
3413 need_full_svc, &svc);
3417 /* Unless we're adding a new service, the service must already exist */
3418 if ((cmd != IPVS_CMD_NEW_SERVICE) && (svc == NULL)) {
3423 /* Destination commands require a valid destination argument. For
3424 * adding / editing a destination, we need a full destination
3426 if (cmd == IPVS_CMD_NEW_DEST || cmd == IPVS_CMD_SET_DEST ||
3427 cmd == IPVS_CMD_DEL_DEST) {
3428 if (cmd != IPVS_CMD_DEL_DEST)
3431 ret = ip_vs_genl_parse_dest(&udest,
3432 info->attrs[IPVS_CMD_ATTR_DEST],
3439 case IPVS_CMD_NEW_SERVICE:
3441 ret = ip_vs_add_service(net, &usvc, &svc);
3445 case IPVS_CMD_SET_SERVICE:
3446 ret = ip_vs_edit_service(svc, &usvc);
3448 case IPVS_CMD_DEL_SERVICE:
3449 ret = ip_vs_del_service(svc);
3450 /* do not use svc, it can be freed */
3452 case IPVS_CMD_NEW_DEST:
3453 ret = ip_vs_add_dest(svc, &udest);
3455 case IPVS_CMD_SET_DEST:
3456 ret = ip_vs_edit_dest(svc, &udest);
3458 case IPVS_CMD_DEL_DEST:
3459 ret = ip_vs_del_dest(svc, &udest);
3462 ret = ip_vs_zero_service(svc);
3469 mutex_unlock(&__ip_vs_mutex);
3474 static int ip_vs_genl_get_cmd(struct sk_buff *skb, struct genl_info *info)
3476 struct sk_buff *msg;
3478 int ret, cmd, reply_cmd;
3481 net = skb_sknet(skb);
3482 cmd = info->genlhdr->cmd;
3484 if (cmd == IPVS_CMD_GET_SERVICE)
3485 reply_cmd = IPVS_CMD_NEW_SERVICE;
3486 else if (cmd == IPVS_CMD_GET_INFO)
3487 reply_cmd = IPVS_CMD_SET_INFO;
3488 else if (cmd == IPVS_CMD_GET_CONFIG)
3489 reply_cmd = IPVS_CMD_SET_CONFIG;
3491 pr_err("unknown Generic Netlink command\n");
3495 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3499 mutex_lock(&__ip_vs_mutex);
3501 reply = genlmsg_put_reply(msg, info, &ip_vs_genl_family, 0, reply_cmd);
3503 goto nla_put_failure;
3506 case IPVS_CMD_GET_SERVICE:
3508 struct ip_vs_service *svc;
3510 svc = ip_vs_genl_find_service(net,
3511 info->attrs[IPVS_CMD_ATTR_SERVICE]);
3516 ret = ip_vs_genl_fill_service(msg, svc);
3518 goto nla_put_failure;
3527 case IPVS_CMD_GET_CONFIG:
3529 struct ip_vs_timeout_user t;
3531 __ip_vs_get_timeouts(net, &t);
3532 #ifdef CONFIG_IP_VS_PROTO_TCP
3533 if (nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP,
3535 nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP_FIN,
3537 goto nla_put_failure;
3539 #ifdef CONFIG_IP_VS_PROTO_UDP
3540 if (nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_UDP, t.udp_timeout))
3541 goto nla_put_failure;
3547 case IPVS_CMD_GET_INFO:
3548 if (nla_put_u32(msg, IPVS_INFO_ATTR_VERSION,
3549 IP_VS_VERSION_CODE) ||
3550 nla_put_u32(msg, IPVS_INFO_ATTR_CONN_TAB_SIZE,
3551 ip_vs_conn_tab_size))
3552 goto nla_put_failure;
3556 genlmsg_end(msg, reply);
3557 ret = genlmsg_reply(msg, info);
3561 pr_err("not enough space in Netlink message\n");
3567 mutex_unlock(&__ip_vs_mutex);
3573 static struct genl_ops ip_vs_genl_ops[] __read_mostly = {
3575 .cmd = IPVS_CMD_NEW_SERVICE,
3576 .flags = GENL_ADMIN_PERM,
3577 .policy = ip_vs_cmd_policy,
3578 .doit = ip_vs_genl_set_cmd,
3581 .cmd = IPVS_CMD_SET_SERVICE,
3582 .flags = GENL_ADMIN_PERM,
3583 .policy = ip_vs_cmd_policy,
3584 .doit = ip_vs_genl_set_cmd,
3587 .cmd = IPVS_CMD_DEL_SERVICE,
3588 .flags = GENL_ADMIN_PERM,
3589 .policy = ip_vs_cmd_policy,
3590 .doit = ip_vs_genl_set_cmd,
3593 .cmd = IPVS_CMD_GET_SERVICE,
3594 .flags = GENL_ADMIN_PERM,
3595 .doit = ip_vs_genl_get_cmd,
3596 .dumpit = ip_vs_genl_dump_services,
3597 .policy = ip_vs_cmd_policy,
3600 .cmd = IPVS_CMD_NEW_DEST,
3601 .flags = GENL_ADMIN_PERM,
3602 .policy = ip_vs_cmd_policy,
3603 .doit = ip_vs_genl_set_cmd,
3606 .cmd = IPVS_CMD_SET_DEST,
3607 .flags = GENL_ADMIN_PERM,
3608 .policy = ip_vs_cmd_policy,
3609 .doit = ip_vs_genl_set_cmd,
3612 .cmd = IPVS_CMD_DEL_DEST,
3613 .flags = GENL_ADMIN_PERM,
3614 .policy = ip_vs_cmd_policy,
3615 .doit = ip_vs_genl_set_cmd,
3618 .cmd = IPVS_CMD_GET_DEST,
3619 .flags = GENL_ADMIN_PERM,
3620 .policy = ip_vs_cmd_policy,
3621 .dumpit = ip_vs_genl_dump_dests,
3624 .cmd = IPVS_CMD_NEW_DAEMON,
3625 .flags = GENL_ADMIN_PERM,
3626 .policy = ip_vs_cmd_policy,
3627 .doit = ip_vs_genl_set_daemon,
3630 .cmd = IPVS_CMD_DEL_DAEMON,
3631 .flags = GENL_ADMIN_PERM,
3632 .policy = ip_vs_cmd_policy,
3633 .doit = ip_vs_genl_set_daemon,
3636 .cmd = IPVS_CMD_GET_DAEMON,
3637 .flags = GENL_ADMIN_PERM,
3638 .dumpit = ip_vs_genl_dump_daemons,
3641 .cmd = IPVS_CMD_SET_CONFIG,
3642 .flags = GENL_ADMIN_PERM,
3643 .policy = ip_vs_cmd_policy,
3644 .doit = ip_vs_genl_set_cmd,
3647 .cmd = IPVS_CMD_GET_CONFIG,
3648 .flags = GENL_ADMIN_PERM,
3649 .doit = ip_vs_genl_get_cmd,
3652 .cmd = IPVS_CMD_GET_INFO,
3653 .flags = GENL_ADMIN_PERM,
3654 .doit = ip_vs_genl_get_cmd,
3657 .cmd = IPVS_CMD_ZERO,
3658 .flags = GENL_ADMIN_PERM,
3659 .policy = ip_vs_cmd_policy,
3660 .doit = ip_vs_genl_set_cmd,
3663 .cmd = IPVS_CMD_FLUSH,
3664 .flags = GENL_ADMIN_PERM,
3665 .doit = ip_vs_genl_set_cmd,
3669 static int __init ip_vs_genl_register(void)
3671 return genl_register_family_with_ops(&ip_vs_genl_family,
3672 ip_vs_genl_ops, ARRAY_SIZE(ip_vs_genl_ops));
3675 static void ip_vs_genl_unregister(void)
3677 genl_unregister_family(&ip_vs_genl_family);
3680 /* End of Generic Netlink interface definitions */
3683 * per netns intit/exit func.
3685 #ifdef CONFIG_SYSCTL
3686 static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
3689 struct netns_ipvs *ipvs = net_ipvs(net);
3690 struct ctl_table *tbl;
3692 atomic_set(&ipvs->dropentry, 0);
3693 spin_lock_init(&ipvs->dropentry_lock);
3694 spin_lock_init(&ipvs->droppacket_lock);
3695 spin_lock_init(&ipvs->securetcp_lock);
3697 if (!net_eq(net, &init_net)) {
3698 tbl = kmemdup(vs_vars, sizeof(vs_vars), GFP_KERNEL);
3703 /* Initialize sysctl defaults */
3705 ipvs->sysctl_amemthresh = 1024;
3706 tbl[idx++].data = &ipvs->sysctl_amemthresh;
3707 ipvs->sysctl_am_droprate = 10;
3708 tbl[idx++].data = &ipvs->sysctl_am_droprate;
3709 tbl[idx++].data = &ipvs->sysctl_drop_entry;
3710 tbl[idx++].data = &ipvs->sysctl_drop_packet;
3711 #ifdef CONFIG_IP_VS_NFCT
3712 tbl[idx++].data = &ipvs->sysctl_conntrack;
3714 tbl[idx++].data = &ipvs->sysctl_secure_tcp;
3715 ipvs->sysctl_snat_reroute = 1;
3716 tbl[idx++].data = &ipvs->sysctl_snat_reroute;
3717 ipvs->sysctl_sync_ver = 1;
3718 tbl[idx++].data = &ipvs->sysctl_sync_ver;
3719 ipvs->sysctl_sync_ports = 1;
3720 tbl[idx++].data = &ipvs->sysctl_sync_ports;
3721 ipvs->sysctl_sync_qlen_max = nr_free_buffer_pages() / 32;
3722 tbl[idx++].data = &ipvs->sysctl_sync_qlen_max;
3723 ipvs->sysctl_sync_sock_size = 0;
3724 tbl[idx++].data = &ipvs->sysctl_sync_sock_size;
3725 tbl[idx++].data = &ipvs->sysctl_cache_bypass;
3726 tbl[idx++].data = &ipvs->sysctl_expire_nodest_conn;
3727 tbl[idx++].data = &ipvs->sysctl_expire_quiescent_template;
3728 ipvs->sysctl_sync_threshold[0] = DEFAULT_SYNC_THRESHOLD;
3729 ipvs->sysctl_sync_threshold[1] = DEFAULT_SYNC_PERIOD;
3730 tbl[idx].data = &ipvs->sysctl_sync_threshold;
3731 tbl[idx++].maxlen = sizeof(ipvs->sysctl_sync_threshold);
3732 ipvs->sysctl_sync_refresh_period = DEFAULT_SYNC_REFRESH_PERIOD;
3733 tbl[idx++].data = &ipvs->sysctl_sync_refresh_period;
3734 ipvs->sysctl_sync_retries = clamp_t(int, DEFAULT_SYNC_RETRIES, 0, 3);
3735 tbl[idx++].data = &ipvs->sysctl_sync_retries;
3736 tbl[idx++].data = &ipvs->sysctl_nat_icmp_send;
3737 ipvs->sysctl_pmtu_disc = 1;
3738 tbl[idx++].data = &ipvs->sysctl_pmtu_disc;
3741 ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);
3742 if (ipvs->sysctl_hdr == NULL) {
3743 if (!net_eq(net, &init_net))
3747 ip_vs_start_estimator(net, &ipvs->tot_stats);
3748 ipvs->sysctl_tbl = tbl;
3749 /* Schedule defense work */
3750 INIT_DELAYED_WORK(&ipvs->defense_work, defense_work_handler);
3751 schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
3756 static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
3758 struct netns_ipvs *ipvs = net_ipvs(net);
3760 cancel_delayed_work_sync(&ipvs->defense_work);
3761 cancel_work_sync(&ipvs->defense_work.work);
3762 unregister_net_sysctl_table(ipvs->sysctl_hdr);
3767 static int __net_init ip_vs_control_net_init_sysctl(struct net *net) { return 0; }
3768 static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net) { }
3772 static struct notifier_block ip_vs_dst_notifier = {
3773 .notifier_call = ip_vs_dst_event,
3776 int __net_init ip_vs_control_net_init(struct net *net)
3779 struct netns_ipvs *ipvs = net_ipvs(net);
3781 rwlock_init(&ipvs->rs_lock);
3783 /* Initialize rs_table */
3784 for (idx = 0; idx < IP_VS_RTAB_SIZE; idx++)
3785 INIT_LIST_HEAD(&ipvs->rs_table[idx]);
3787 INIT_LIST_HEAD(&ipvs->dest_trash);
3788 atomic_set(&ipvs->ftpsvc_counter, 0);
3789 atomic_set(&ipvs->nullsvc_counter, 0);
3792 ipvs->tot_stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
3793 if (!ipvs->tot_stats.cpustats)
3796 spin_lock_init(&ipvs->tot_stats.lock);
3798 proc_net_fops_create(net, "ip_vs", 0, &ip_vs_info_fops);
3799 proc_net_fops_create(net, "ip_vs_stats", 0, &ip_vs_stats_fops);
3800 proc_net_fops_create(net, "ip_vs_stats_percpu", 0,
3801 &ip_vs_stats_percpu_fops);
3803 if (ip_vs_control_net_init_sysctl(net))
3809 free_percpu(ipvs->tot_stats.cpustats);
3813 void __net_exit ip_vs_control_net_cleanup(struct net *net)
3815 struct netns_ipvs *ipvs = net_ipvs(net);
3817 ip_vs_trash_cleanup(net);
3818 ip_vs_stop_estimator(net, &ipvs->tot_stats);
3819 ip_vs_control_net_cleanup_sysctl(net);
3820 proc_net_remove(net, "ip_vs_stats_percpu");
3821 proc_net_remove(net, "ip_vs_stats");
3822 proc_net_remove(net, "ip_vs");
3823 free_percpu(ipvs->tot_stats.cpustats);
3826 int __init ip_vs_register_nl_ioctl(void)
3830 ret = nf_register_sockopt(&ip_vs_sockopts);
3832 pr_err("cannot register sockopt.\n");
3836 ret = ip_vs_genl_register();
3838 pr_err("cannot register Generic Netlink interface.\n");
3844 nf_unregister_sockopt(&ip_vs_sockopts);
3849 void ip_vs_unregister_nl_ioctl(void)
3851 ip_vs_genl_unregister();
3852 nf_unregister_sockopt(&ip_vs_sockopts);
3855 int __init ip_vs_control_init(void)
3862 /* Initialize svc_table, ip_vs_svc_fwm_table, rs_table */
3863 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
3864 INIT_LIST_HEAD(&ip_vs_svc_table[idx]);
3865 INIT_LIST_HEAD(&ip_vs_svc_fwm_table[idx]);
3868 smp_wmb(); /* Do we really need it now ? */
3870 ret = register_netdevice_notifier(&ip_vs_dst_notifier);
3879 void ip_vs_control_cleanup(void)
3882 unregister_netdevice_notifier(&ip_vs_dst_notifier);
projects / ~andy / linux / blob