~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/netfilter/ipvs/ip_vs_core.c

Version: ~ [ linux-5.11-rc3 ] ~ [ linux-5.10.7 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.89 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.167 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.215 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.251 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.251 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.85 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * IPVS         An implementation of the IP virtual server support for the
  3  *              LINUX operating system.  IPVS is now implemented as a module
  4  *              over the Netfilter framework. IPVS can be used to build a
  5  *              high-performance and highly available server based on a
  6  *              cluster of servers.
  7  *
  8  * Authors:     Wensong Zhang <wensong@linuxvirtualserver.org>
  9  *              Peter Kese <peter.kese@ijs.si>
 10  *              Julian Anastasov <ja@ssi.bg>
 11  *
 12  *              This program is free software; you can redistribute it and/or
 13  *              modify it under the terms of the GNU General Public License
 14  *              as published by the Free Software Foundation; either version
 15  *              2 of the License, or (at your option) any later version.
 16  *
 17  * The IPVS code for kernel 2.2 was done by Wensong Zhang and Peter Kese,
 18  * with changes/fixes from Julian Anastasov, Lars Marowsky-Bree, Horms
 19  * and others.
 20  *
 21  * Changes:
 22  *      Paul `Rusty' Russell            properly handle non-linear skbs
 23  *      Harald Welte                    don't use nfcache
 24  *
 25  */
 26 
 27 #define KMSG_COMPONENT "IPVS"
 28 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
 29 
 30 #include <linux/module.h>
 31 #include <linux/kernel.h>
 32 #include <linux/ip.h>
 33 #include <linux/tcp.h>
 34 #include <linux/sctp.h>
 35 #include <linux/icmp.h>
 36 #include <linux/slab.h>
 37 
 38 #include <net/ip.h>
 39 #include <net/tcp.h>
 40 #include <net/udp.h>
 41 #include <net/icmp.h>                   /* for icmp_send */
 42 #include <net/route.h>
 43 #include <net/ip6_checksum.h>
 44 #include <net/netns/generic.h>          /* net_generic() */
 45 
 46 #include <linux/netfilter.h>
 47 #include <linux/netfilter_ipv4.h>
 48 
 49 #ifdef CONFIG_IP_VS_IPV6
 50 #include <net/ipv6.h>
 51 #include <linux/netfilter_ipv6.h>
 52 #include <net/ip6_route.h>
 53 #endif
 54 
 55 #include <net/ip_vs.h>
 56 
 57 
 58 EXPORT_SYMBOL(register_ip_vs_scheduler);
 59 EXPORT_SYMBOL(unregister_ip_vs_scheduler);
 60 EXPORT_SYMBOL(ip_vs_proto_name);
 61 EXPORT_SYMBOL(ip_vs_conn_new);
 62 EXPORT_SYMBOL(ip_vs_conn_in_get);
 63 EXPORT_SYMBOL(ip_vs_conn_out_get);
 64 #ifdef CONFIG_IP_VS_PROTO_TCP
 65 EXPORT_SYMBOL(ip_vs_tcp_conn_listen);
 66 #endif
 67 EXPORT_SYMBOL(ip_vs_conn_put);
 68 #ifdef CONFIG_IP_VS_DEBUG
 69 EXPORT_SYMBOL(ip_vs_get_debug_level);
 70 #endif
 71 
 72 static int ip_vs_net_id __read_mostly;
 73 /* netns cnt used for uniqueness */
 74 static atomic_t ipvs_netns_cnt = ATOMIC_INIT(0);
 75 
 76 /* ID used in ICMP lookups */
 77 #define icmp_id(icmph)          (((icmph)->un).echo.id)
 78 #define icmpv6_id(icmph)        (icmph->icmp6_dataun.u_echo.identifier)
 79 
 80 const char *ip_vs_proto_name(unsigned int proto)
 81 {
 82         static char buf[20];
 83 
 84         switch (proto) {
 85         case IPPROTO_IP:
 86                 return "IP";
 87         case IPPROTO_UDP:
 88                 return "UDP";
 89         case IPPROTO_TCP:
 90                 return "TCP";
 91         case IPPROTO_SCTP:
 92                 return "SCTP";
 93         case IPPROTO_ICMP:
 94                 return "ICMP";
 95 #ifdef CONFIG_IP_VS_IPV6
 96         case IPPROTO_ICMPV6:
 97                 return "ICMPv6";
 98 #endif
 99         default:
100                 sprintf(buf, "IP_%u", proto);
101                 return buf;
102         }
103 }
104 
105 void ip_vs_init_hash_table(struct list_head *table, int rows)
106 {
107         while (--rows >= 0)
108                 INIT_LIST_HEAD(&table[rows]);
109 }
110 
111 static inline void
112 ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
113 {
114         struct ip_vs_dest *dest = cp->dest;
115         struct netns_ipvs *ipvs = net_ipvs(skb_net(skb));
116 
117         if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
118                 struct ip_vs_cpu_stats *s;
119                 struct ip_vs_service *svc;
120 
121                 s = this_cpu_ptr(dest->stats.cpustats);
122                 s->ustats.inpkts++;
123                 u64_stats_update_begin(&s->syncp);
124                 s->ustats.inbytes += skb->len;
125                 u64_stats_update_end(&s->syncp);
126 
127                 rcu_read_lock();
128                 svc = rcu_dereference(dest->svc);
129                 s = this_cpu_ptr(svc->stats.cpustats);
130                 s->ustats.inpkts++;
131                 u64_stats_update_begin(&s->syncp);
132                 s->ustats.inbytes += skb->len;
133                 u64_stats_update_end(&s->syncp);
134                 rcu_read_unlock();
135 
136                 s = this_cpu_ptr(ipvs->tot_stats.cpustats);
137                 s->ustats.inpkts++;
138                 u64_stats_update_begin(&s->syncp);
139                 s->ustats.inbytes += skb->len;
140                 u64_stats_update_end(&s->syncp);
141         }
142 }
143 
144 
145 static inline void
146 ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
147 {
148         struct ip_vs_dest *dest = cp->dest;
149         struct netns_ipvs *ipvs = net_ipvs(skb_net(skb));
150 
151         if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
152                 struct ip_vs_cpu_stats *s;
153                 struct ip_vs_service *svc;
154 
155                 s = this_cpu_ptr(dest->stats.cpustats);
156                 s->ustats.outpkts++;
157                 u64_stats_update_begin(&s->syncp);
158                 s->ustats.outbytes += skb->len;
159                 u64_stats_update_end(&s->syncp);
160 
161                 rcu_read_lock();
162                 svc = rcu_dereference(dest->svc);
163                 s = this_cpu_ptr(svc->stats.cpustats);
164                 s->ustats.outpkts++;
165                 u64_stats_update_begin(&s->syncp);
166                 s->ustats.outbytes += skb->len;
167                 u64_stats_update_end(&s->syncp);
168                 rcu_read_unlock();
169 
170                 s = this_cpu_ptr(ipvs->tot_stats.cpustats);
171                 s->ustats.outpkts++;
172                 u64_stats_update_begin(&s->syncp);
173                 s->ustats.outbytes += skb->len;
174                 u64_stats_update_end(&s->syncp);
175         }
176 }
177 
178 
179 static inline void
180 ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
181 {
182         struct netns_ipvs *ipvs = net_ipvs(svc->net);
183         struct ip_vs_cpu_stats *s;
184 
185         s = this_cpu_ptr(cp->dest->stats.cpustats);
186         s->ustats.conns++;
187 
188         s = this_cpu_ptr(svc->stats.cpustats);
189         s->ustats.conns++;
190 
191         s = this_cpu_ptr(ipvs->tot_stats.cpustats);
192         s->ustats.conns++;
193 }
194 
195 
196 static inline void
197 ip_vs_set_state(struct ip_vs_conn *cp, int direction,
198                 const struct sk_buff *skb,
199                 struct ip_vs_proto_data *pd)
200 {
201         if (likely(pd->pp->state_transition))
202                 pd->pp->state_transition(cp, direction, skb, pd);
203 }
204 
205 static inline int
206 ip_vs_conn_fill_param_persist(const struct ip_vs_service *svc,
207                               struct sk_buff *skb, int protocol,
208                               const union nf_inet_addr *caddr, __be16 cport,
209                               const union nf_inet_addr *vaddr, __be16 vport,
210                               struct ip_vs_conn_param *p)
211 {
212         ip_vs_conn_fill_param(svc->net, svc->af, protocol, caddr, cport, vaddr,
213                               vport, p);
214         p->pe = rcu_dereference(svc->pe);
215         if (p->pe && p->pe->fill_param)
216                 return p->pe->fill_param(p, skb);
217 
218         return 0;
219 }
220 
221 /*
222  *  IPVS persistent scheduling function
223  *  It creates a connection entry according to its template if exists,
224  *  or selects a server and creates a connection entry plus a template.
225  *  Locking: we are svc user (svc->refcnt), so we hold all dests too
226  *  Protocols supported: TCP, UDP
227  */
228 static struct ip_vs_conn *
229 ip_vs_sched_persist(struct ip_vs_service *svc,
230                     struct sk_buff *skb, __be16 src_port, __be16 dst_port,
231                     int *ignored, struct ip_vs_iphdr *iph)
232 {
233         struct ip_vs_conn *cp = NULL;
234         struct ip_vs_dest *dest;
235         struct ip_vs_conn *ct;
236         __be16 dport = 0;               /* destination port to forward */
237         unsigned int flags;
238         struct ip_vs_conn_param param;
239         const union nf_inet_addr fwmark = { .ip = htonl(svc->fwmark) };
240         union nf_inet_addr snet;        /* source network of the client,
241                                            after masking */
242 
243         /* Mask saddr with the netmask to adjust template granularity */
244 #ifdef CONFIG_IP_VS_IPV6
245         if (svc->af == AF_INET6)
246                 ipv6_addr_prefix(&snet.in6, &iph->saddr.in6,
247                                  (__force __u32) svc->netmask);
248         else
249 #endif
250                 snet.ip = iph->saddr.ip & svc->netmask;
251 
252         IP_VS_DBG_BUF(6, "p-schedule: src %s:%u dest %s:%u "
253                       "mnet %s\n",
254                       IP_VS_DBG_ADDR(svc->af, &iph->saddr), ntohs(src_port),
255                       IP_VS_DBG_ADDR(svc->af, &iph->daddr), ntohs(dst_port),
256                       IP_VS_DBG_ADDR(svc->af, &snet));
257 
258         /*
259          * As far as we know, FTP is a very complicated network protocol, and
260          * it uses control connection and data connections. For active FTP,
261          * FTP server initialize data connection to the client, its source port
262          * is often 20. For passive FTP, FTP server tells the clients the port
263          * that it passively listens to,  and the client issues the data
264          * connection. In the tunneling or direct routing mode, the load
265          * balancer is on the client-to-server half of connection, the port
266          * number is unknown to the load balancer. So, a conn template like
267          * <caddr, 0, vaddr, 0, daddr, 0> is created for persistent FTP
268          * service, and a template like <caddr, 0, vaddr, vport, daddr, dport>
269          * is created for other persistent services.
270          */
271         {
272                 int protocol = iph->protocol;
273                 const union nf_inet_addr *vaddr = &iph->daddr;
274                 __be16 vport = 0;
275 
276                 if (dst_port == svc->port) {
277                         /* non-FTP template:
278                          * <protocol, caddr, 0, vaddr, vport, daddr, dport>
279                          * FTP template:
280                          * <protocol, caddr, 0, vaddr, 0, daddr, 0>
281                          */
282                         if (svc->port != FTPPORT)
283                                 vport = dst_port;
284                 } else {
285                         /* Note: persistent fwmark-based services and
286                          * persistent port zero service are handled here.
287                          * fwmark template:
288                          * <IPPROTO_IP,caddr,0,fwmark,0,daddr,0>
289                          * port zero template:
290                          * <protocol,caddr,0,vaddr,0,daddr,0>
291                          */
292                         if (svc->fwmark) {
293                                 protocol = IPPROTO_IP;
294                                 vaddr = &fwmark;
295                         }
296                 }
297                 /* return *ignored = -1 so NF_DROP can be used */
298                 if (ip_vs_conn_fill_param_persist(svc, skb, protocol, &snet, 0,
299                                                   vaddr, vport, &param) < 0) {
300                         *ignored = -1;
301                         return NULL;
302                 }
303         }
304 
305         /* Check if a template already exists */
306         ct = ip_vs_ct_in_get(&param);
307         if (!ct || !ip_vs_check_template(ct)) {
308                 struct ip_vs_scheduler *sched;
309 
310                 /*
311                  * No template found or the dest of the connection
312                  * template is not available.
313                  * return *ignored=0 i.e. ICMP and NF_DROP
314                  */
315                 sched = rcu_dereference(svc->scheduler);
316                 if (sched) {
317                         /* read svc->sched_data after svc->scheduler */
318                         smp_rmb();
319                         dest = sched->schedule(svc, skb, iph);
320                 } else {
321                         dest = NULL;
322                 }
323                 if (!dest) {
324                         IP_VS_DBG(1, "p-schedule: no dest found.\n");
325                         kfree(param.pe_data);
326                         *ignored = 0;
327                         return NULL;
328                 }
329 
330                 if (dst_port == svc->port && svc->port != FTPPORT)
331                         dport = dest->port;
332 
333                 /* Create a template
334                  * This adds param.pe_data to the template,
335                  * and thus param.pe_data will be destroyed
336                  * when the template expires */
337                 ct = ip_vs_conn_new(&param, dest->af, &dest->addr, dport,
338                                     IP_VS_CONN_F_TEMPLATE, dest, skb->mark);
339                 if (ct == NULL) {
340                         kfree(param.pe_data);
341                         *ignored = -1;
342                         return NULL;
343                 }
344 
345                 ct->timeout = svc->timeout;
346         } else {
347                 /* set destination with the found template */
348                 dest = ct->dest;
349                 kfree(param.pe_data);
350         }
351 
352         dport = dst_port;
353         if (dport == svc->port && dest->port)
354                 dport = dest->port;
355 
356         flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
357                  && iph->protocol == IPPROTO_UDP) ?
358                 IP_VS_CONN_F_ONE_PACKET : 0;
359 
360         /*
361          *    Create a new connection according to the template
362          */
363         ip_vs_conn_fill_param(svc->net, svc->af, iph->protocol, &iph->saddr,
364                               src_port, &iph->daddr, dst_port, &param);
365 
366         cp = ip_vs_conn_new(&param, dest->af, &dest->addr, dport, flags, dest,
367                             skb->mark);
368         if (cp == NULL) {
369                 ip_vs_conn_put(ct);
370                 *ignored = -1;
371                 return NULL;
372         }
373 
374         /*
375          *    Add its control
376          */
377         ip_vs_control_add(cp, ct);
378         ip_vs_conn_put(ct);
379 
380         ip_vs_conn_stats(cp, svc);
381         return cp;
382 }
383 
384 
385 /*
386  *  IPVS main scheduling function
387  *  It selects a server according to the virtual service, and
388  *  creates a connection entry.
389  *  Protocols supported: TCP, UDP
390  *
391  *  Usage of *ignored
392  *
393  * 1 :   protocol tried to schedule (eg. on SYN), found svc but the
394  *       svc/scheduler decides that this packet should be accepted with
395  *       NF_ACCEPT because it must not be scheduled.
396  *
397  * 0 :   scheduler can not find destination, so try bypass or
398  *       return ICMP and then NF_DROP (ip_vs_leave).
399  *
400  * -1 :  scheduler tried to schedule but fatal error occurred, eg.
401  *       ip_vs_conn_new failure (ENOMEM) or ip_vs_sip_fill_param
402  *       failure such as missing Call-ID, ENOMEM on skb_linearize
403  *       or pe_data. In this case we should return NF_DROP without
404  *       any attempts to send ICMP with ip_vs_leave.
405  */
406 struct ip_vs_conn *
407 ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
408                struct ip_vs_proto_data *pd, int *ignored,
409                struct ip_vs_iphdr *iph)
410 {
411         struct ip_vs_protocol *pp = pd->pp;
412         struct ip_vs_conn *cp = NULL;
413         struct ip_vs_scheduler *sched;
414         struct ip_vs_dest *dest;
415         __be16 _ports[2], *pptr;
416         unsigned int flags;
417 
418         *ignored = 1;
419         /*
420          * IPv6 frags, only the first hit here.
421          */
422         pptr = frag_safe_skb_hp(skb, iph->len, sizeof(_ports), _ports, iph);
423         if (pptr == NULL)
424                 return NULL;
425 
426         /*
427          * FTPDATA needs this check when using local real server.
428          * Never schedule Active FTPDATA connections from real server.
429          * For LVS-NAT they must be already created. For other methods
430          * with persistence the connection is created on SYN+ACK.
431          */
432         if (pptr[0] == FTPDATA) {
433                 IP_VS_DBG_PKT(12, svc->af, pp, skb, 0,
434                               "Not scheduling FTPDATA");
435                 return NULL;
436         }
437 
438         /*
439          *    Do not schedule replies from local real server.
440          */
441         if ((!skb->dev || skb->dev->flags & IFF_LOOPBACK) &&
442             (cp = pp->conn_in_get(svc->af, skb, iph, 1))) {
443                 IP_VS_DBG_PKT(12, svc->af, pp, skb, 0,
444                               "Not scheduling reply for existing connection");
445                 __ip_vs_conn_put(cp);
446                 return NULL;
447         }
448 
449         /*
450          *    Persistent service
451          */
452         if (svc->flags & IP_VS_SVC_F_PERSISTENT)
453                 return ip_vs_sched_persist(svc, skb, pptr[0], pptr[1], ignored,
454                                            iph);
455 
456         *ignored = 0;
457 
458         /*
459          *    Non-persistent service
460          */
461         if (!svc->fwmark && pptr[1] != svc->port) {
462                 if (!svc->port)
463                         pr_err("Schedule: port zero only supported "
464                                "in persistent services, "
465                                "check your ipvs configuration\n");
466                 return NULL;
467         }
468 
469         sched = rcu_dereference(svc->scheduler);
470         if (sched) {
471                 /* read svc->sched_data after svc->scheduler */
472                 smp_rmb();
473                 dest = sched->schedule(svc, skb, iph);
474         } else {
475                 dest = NULL;
476         }
477         if (dest == NULL) {
478                 IP_VS_DBG(1, "Schedule: no dest found.\n");
479                 return NULL;
480         }
481 
482         flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
483                  && iph->protocol == IPPROTO_UDP) ?
484                 IP_VS_CONN_F_ONE_PACKET : 0;
485 
486         /*
487          *    Create a connection entry.
488          */
489         {
490                 struct ip_vs_conn_param p;
491 
492                 ip_vs_conn_fill_param(svc->net, svc->af, iph->protocol,
493                                       &iph->saddr, pptr[0], &iph->daddr,
494                                       pptr[1], &p);
495                 cp = ip_vs_conn_new(&p, dest->af, &dest->addr,
496                                     dest->port ? dest->port : pptr[1],
497                                     flags, dest, skb->mark);
498                 if (!cp) {
499                         *ignored = -1;
500                         return NULL;
501                 }
502         }
503 
504         IP_VS_DBG_BUF(6, "Schedule fwd:%c c:%s:%u v:%s:%u "
505                       "d:%s:%u conn->flags:%X conn->refcnt:%d\n",
506                       ip_vs_fwd_tag(cp),
507                       IP_VS_DBG_ADDR(cp->af, &cp->caddr), ntohs(cp->cport),
508                       IP_VS_DBG_ADDR(cp->af, &cp->vaddr), ntohs(cp->vport),
509                       IP_VS_DBG_ADDR(cp->daf, &cp->daddr), ntohs(cp->dport),
510                       cp->flags, atomic_read(&cp->refcnt));
511 
512         ip_vs_conn_stats(cp, svc);
513         return cp;
514 }
515 
516 
517 /*
518  *  Pass or drop the packet.
519  *  Called by ip_vs_in, when the virtual service is available but
520  *  no destination is available for a new connection.
521  */
522 int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
523                 struct ip_vs_proto_data *pd, struct ip_vs_iphdr *iph)
524 {
525         __be16 _ports[2], *pptr;
526 #ifdef CONFIG_SYSCTL
527         struct net *net;
528         struct netns_ipvs *ipvs;
529         int unicast;
530 #endif
531 
532         pptr = frag_safe_skb_hp(skb, iph->len, sizeof(_ports), _ports, iph);
533         if (pptr == NULL) {
534                 return NF_DROP;
535         }
536 
537 #ifdef CONFIG_SYSCTL
538         net = skb_net(skb);
539 
540 #ifdef CONFIG_IP_VS_IPV6
541         if (svc->af == AF_INET6)
542                 unicast = ipv6_addr_type(&iph->daddr.in6) & IPV6_ADDR_UNICAST;
543         else
544 #endif
545                 unicast = (inet_addr_type(net, iph->daddr.ip) == RTN_UNICAST);
546 
547         /* if it is fwmark-based service, the cache_bypass sysctl is up
548            and the destination is a non-local unicast, then create
549            a cache_bypass connection entry */
550         ipvs = net_ipvs(net);
551         if (ipvs->sysctl_cache_bypass && svc->fwmark && unicast) {
552                 int ret;
553                 struct ip_vs_conn *cp;
554                 unsigned int flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&
555                                       iph->protocol == IPPROTO_UDP) ?
556                                       IP_VS_CONN_F_ONE_PACKET : 0;
557                 union nf_inet_addr daddr =  { .all = { 0, 0, 0, 0 } };
558 
559                 /* create a new connection entry */
560                 IP_VS_DBG(6, "%s(): create a cache_bypass entry\n", __func__);
561                 {
562                         struct ip_vs_conn_param p;
563                         ip_vs_conn_fill_param(svc->net, svc->af, iph->protocol,
564                                               &iph->saddr, pptr[0],
565                                               &iph->daddr, pptr[1], &p);
566                         cp = ip_vs_conn_new(&p, svc->af, &daddr, 0,
567                                             IP_VS_CONN_F_BYPASS | flags,
568                                             NULL, skb->mark);
569                         if (!cp)
570                                 return NF_DROP;
571                 }
572 
573                 /* statistics */
574                 ip_vs_in_stats(cp, skb);
575 
576                 /* set state */
577                 ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pd);
578 
579                 /* transmit the first SYN packet */
580                 ret = cp->packet_xmit(skb, cp, pd->pp, iph);
581                 /* do not touch skb anymore */
582 
583                 atomic_inc(&cp->in_pkts);
584                 ip_vs_conn_put(cp);
585                 return ret;
586         }
587 #endif
588 
589         /*
590          * When the virtual ftp service is presented, packets destined
591          * for other services on the VIP may get here (except services
592          * listed in the ipvs table), pass the packets, because it is
593          * not ipvs job to decide to drop the packets.
594          */
595         if ((svc->port == FTPPORT) && (pptr[1] != FTPPORT))
596                 return NF_ACCEPT;
597 
598         /*
599          * Notify the client that the destination is unreachable, and
600          * release the socket buffer.
601          * Since it is in IP layer, the TCP socket is not actually
602          * created, the TCP RST packet cannot be sent, instead that
603          * ICMP_PORT_UNREACH is sent here no matter it is TCP/UDP. --WZ
604          */
605 #ifdef CONFIG_IP_VS_IPV6
606         if (svc->af == AF_INET6) {
607                 if (!skb->dev) {
608                         struct net *net_ = dev_net(skb_dst(skb)->dev);
609 
610                         skb->dev = net_->loopback_dev;
611                 }
612                 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
613         } else
614 #endif
615                 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
616 
617         return NF_DROP;
618 }
619 
620 #ifdef CONFIG_SYSCTL
621 
622 static int sysctl_snat_reroute(struct sk_buff *skb)
623 {
624         struct netns_ipvs *ipvs = net_ipvs(skb_net(skb));
625         return ipvs->sysctl_snat_reroute;
626 }
627 
628 static int sysctl_nat_icmp_send(struct net *net)
629 {
630         struct netns_ipvs *ipvs = net_ipvs(net);
631         return ipvs->sysctl_nat_icmp_send;
632 }
633 
634 static int sysctl_expire_nodest_conn(struct netns_ipvs *ipvs)
635 {
636         return ipvs->sysctl_expire_nodest_conn;
637 }
638 
639 #else
640 
641 static int sysctl_snat_reroute(struct sk_buff *skb) { return 0; }
642 static int sysctl_nat_icmp_send(struct net *net) { return 0; }
643 static int sysctl_expire_nodest_conn(struct netns_ipvs *ipvs) { return 0; }
644 
645 #endif
646 
647 __sum16 ip_vs_checksum_complete(struct sk_buff *skb, int offset)
648 {
649         return csum_fold(skb_checksum(skb, offset, skb->len - offset, 0));
650 }
651 
652 static inline enum ip_defrag_users ip_vs_defrag_user(unsigned int hooknum)
653 {
654         if (NF_INET_LOCAL_IN == hooknum)
655                 return IP_DEFRAG_VS_IN;
656         if (NF_INET_FORWARD == hooknum)
657                 return IP_DEFRAG_VS_FWD;
658         return IP_DEFRAG_VS_OUT;
659 }
660 
661 static inline int ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user)
662 {
663         int err;
664 
665         local_bh_disable();
666         err = ip_defrag(skb, user);
667         local_bh_enable();
668         if (!err)
669                 ip_send_check(ip_hdr(skb));
670 
671         return err;
672 }
673 
674 static int ip_vs_route_me_harder(int af, struct sk_buff *skb)
675 {
676 #ifdef CONFIG_IP_VS_IPV6
677         if (af == AF_INET6) {
678                 if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0)
679                         return 1;
680         } else
681 #endif
682                 if ((sysctl_snat_reroute(skb) ||
683                      skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
684                     ip_route_me_harder(skb, RTN_LOCAL) != 0)
685                         return 1;
686 
687         return 0;
688 }
689 
690 /*
691  * Packet has been made sufficiently writable in caller
692  * - inout: 1=in->out, 0=out->in
693  */
694 void ip_vs_nat_icmp(struct sk_buff *skb, struct ip_vs_protocol *pp,
695                     struct ip_vs_conn *cp, int inout)
696 {
697         struct iphdr *iph        = ip_hdr(skb);
698         unsigned int icmp_offset = iph->ihl*4;
699         struct icmphdr *icmph    = (struct icmphdr *)(skb_network_header(skb) +
700                                                       icmp_offset);
701         struct iphdr *ciph       = (struct iphdr *)(icmph + 1);
702 
703         if (inout) {
704                 iph->saddr = cp->vaddr.ip;
705                 ip_send_check(iph);
706                 ciph->daddr = cp->vaddr.ip;
707                 ip_send_check(ciph);
708         } else {
709                 iph->daddr = cp->daddr.ip;
710                 ip_send_check(iph);
711                 ciph->saddr = cp->daddr.ip;
712                 ip_send_check(ciph);
713         }
714 
715         /* the TCP/UDP/SCTP port */
716         if (IPPROTO_TCP == ciph->protocol || IPPROTO_UDP == ciph->protocol ||
717             IPPROTO_SCTP == ciph->protocol) {
718                 __be16 *ports = (void *)ciph + ciph->ihl*4;
719 
720                 if (inout)
721                         ports[1] = cp->vport;
722                 else
723                         ports[0] = cp->dport;
724         }
725 
726         /* And finally the ICMP checksum */
727         icmph->checksum = 0;
728         icmph->checksum = ip_vs_checksum_complete(skb, icmp_offset);
729         skb->ip_summed = CHECKSUM_UNNECESSARY;
730 
731         if (inout)
732                 IP_VS_DBG_PKT(11, AF_INET, pp, skb, (void *)ciph - (void *)iph,
733                         "Forwarding altered outgoing ICMP");
734         else
735                 IP_VS_DBG_PKT(11, AF_INET, pp, skb, (void *)ciph - (void *)iph,
736                         "Forwarding altered incoming ICMP");
737 }
738 
739 #ifdef CONFIG_IP_VS_IPV6
740 void ip_vs_nat_icmp_v6(struct sk_buff *skb, struct ip_vs_protocol *pp,
741                     struct ip_vs_conn *cp, int inout)
742 {
743         struct ipv6hdr *iph      = ipv6_hdr(skb);
744         unsigned int icmp_offset = 0;
745         unsigned int offs        = 0; /* header offset*/
746         int protocol;
747         struct icmp6hdr *icmph;
748         struct ipv6hdr *ciph;
749         unsigned short fragoffs;
750 
751         ipv6_find_hdr(skb, &icmp_offset, IPPROTO_ICMPV6, &fragoffs, NULL);
752         icmph = (struct icmp6hdr *)(skb_network_header(skb) + icmp_offset);
753         offs = icmp_offset + sizeof(struct icmp6hdr);
754         ciph = (struct ipv6hdr *)(skb_network_header(skb) + offs);
755 
756         protocol = ipv6_find_hdr(skb, &offs, -1, &fragoffs, NULL);
757 
758         if (inout) {
759                 iph->saddr = cp->vaddr.in6;
760                 ciph->daddr = cp->vaddr.in6;
761         } else {
762                 iph->daddr = cp->daddr.in6;
763                 ciph->saddr = cp->daddr.in6;
764         }
765 
766         /* the TCP/UDP/SCTP port */
767         if (!fragoffs && (IPPROTO_TCP == protocol || IPPROTO_UDP == protocol ||
768                           IPPROTO_SCTP == protocol)) {
769                 __be16 *ports = (void *)(skb_network_header(skb) + offs);
770 
771                 IP_VS_DBG(11, "%s() changed port %d to %d\n", __func__,
772                               ntohs(inout ? ports[1] : ports[0]),
773                               ntohs(inout ? cp->vport : cp->dport));
774                 if (inout)
775                         ports[1] = cp->vport;
776                 else
777                         ports[0] = cp->dport;
778         }
779 
780         /* And finally the ICMP checksum */
781         icmph->icmp6_cksum = ~csum_ipv6_magic(&iph->saddr, &iph->daddr,
782                                               skb->len - icmp_offset,
783                                               IPPROTO_ICMPV6, 0);
784         skb->csum_start = skb_network_header(skb) - skb->head + icmp_offset;
785         skb->csum_offset = offsetof(struct icmp6hdr, icmp6_cksum);
786         skb->ip_summed = CHECKSUM_PARTIAL;
787 
788         if (inout)
789                 IP_VS_DBG_PKT(11, AF_INET6, pp, skb,
790                               (void *)ciph - (void *)iph,
791                               "Forwarding altered outgoing ICMPv6");
792         else
793                 IP_VS_DBG_PKT(11, AF_INET6, pp, skb,
794                               (void *)ciph - (void *)iph,
795                               "Forwarding altered incoming ICMPv6");
796 }
797 #endif
798 
799 /* Handle relevant response ICMP messages - forward to the right
800  * destination host.
801  */
802 static int handle_response_icmp(int af, struct sk_buff *skb,
803                                 union nf_inet_addr *snet,
804                                 __u8 protocol, struct ip_vs_conn *cp,
805                                 struct ip_vs_protocol *pp,
806                                 unsigned int offset, unsigned int ihl)
807 {
808         unsigned int verdict = NF_DROP;
809 
810         if (IP_VS_FWD_METHOD(cp) != 0) {
811                 pr_err("shouldn't reach here, because the box is on the "
812                        "half connection in the tun/dr module.\n");
813         }
814 
815         /* Ensure the checksum is correct */
816         if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
817                 /* Failed checksum! */
818                 IP_VS_DBG_BUF(1, "Forward ICMP: failed checksum from %s!\n",
819                               IP_VS_DBG_ADDR(af, snet));
820                 goto out;
821         }
822 
823         if (IPPROTO_TCP == protocol || IPPROTO_UDP == protocol ||
824             IPPROTO_SCTP == protocol)
825                 offset += 2 * sizeof(__u16);
826         if (!skb_make_writable(skb, offset))
827                 goto out;
828 
829 #ifdef CONFIG_IP_VS_IPV6
830         if (af == AF_INET6)
831                 ip_vs_nat_icmp_v6(skb, pp, cp, 1);
832         else
833 #endif
834                 ip_vs_nat_icmp(skb, pp, cp, 1);
835 
836         if (ip_vs_route_me_harder(af, skb))
837                 goto out;
838 
839         /* do the statistics and put it back */
840         ip_vs_out_stats(cp, skb);
841 
842         skb->ipvs_property = 1;
843         if (!(cp->flags & IP_VS_CONN_F_NFCT))
844                 ip_vs_notrack(skb);
845         else
846                 ip_vs_update_conntrack(skb, cp, 0);
847         verdict = NF_ACCEPT;
848 
849 out:
850         __ip_vs_conn_put(cp);
851 
852         return verdict;
853 }
854 
855 /*
856  *      Handle ICMP messages in the inside-to-outside direction (outgoing).
857  *      Find any that might be relevant, check against existing connections.
858  *      Currently handles error types - unreachable, quench, ttl exceeded.
859  */
860 static int ip_vs_out_icmp(struct sk_buff *skb, int *related,
861                           unsigned int hooknum)
862 {
863         struct iphdr *iph;
864         struct icmphdr  _icmph, *ic;
865         struct iphdr    _ciph, *cih;    /* The ip header contained within the ICMP */
866         struct ip_vs_iphdr ciph;
867         struct ip_vs_conn *cp;
868         struct ip_vs_protocol *pp;
869         unsigned int offset, ihl;
870         union nf_inet_addr snet;
871 
872         *related = 1;
873 
874         /* reassemble IP fragments */
875         if (ip_is_fragment(ip_hdr(skb))) {
876                 if (ip_vs_gather_frags(skb, ip_vs_defrag_user(hooknum)))
877                         return NF_STOLEN;
878         }
879 
880         iph = ip_hdr(skb);
881         offset = ihl = iph->ihl * 4;
882         ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
883         if (ic == NULL)
884                 return NF_DROP;
885 
886         IP_VS_DBG(12, "Outgoing ICMP (%d,%d) %pI4->%pI4\n",
887                   ic->type, ntohs(icmp_id(ic)),
888                   &iph->saddr, &iph->daddr);
889 
890         /*
891          * Work through seeing if this is for us.
892          * These checks are supposed to be in an order that means easy
893          * things are checked first to speed up processing.... however
894          * this means that some packets will manage to get a long way
895          * down this stack and then be rejected, but that's life.
896          */
897         if ((ic->type != ICMP_DEST_UNREACH) &&
898             (ic->type != ICMP_SOURCE_QUENCH) &&
899             (ic->type != ICMP_TIME_EXCEEDED)) {
900                 *related = 0;
901                 return NF_ACCEPT;
902         }
903 
904         /* Now find the contained IP header */
905         offset += sizeof(_icmph);
906         cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
907         if (cih == NULL)
908                 return NF_ACCEPT; /* The packet looks wrong, ignore */
909 
910         pp = ip_vs_proto_get(cih->protocol);
911         if (!pp)
912                 return NF_ACCEPT;
913 
914         /* Is the embedded protocol header present? */
915         if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
916                      pp->dont_defrag))
917                 return NF_ACCEPT;
918 
919         IP_VS_DBG_PKT(11, AF_INET, pp, skb, offset,
920                       "Checking outgoing ICMP for");
921 
922         ip_vs_fill_ip4hdr(cih, &ciph);
923         ciph.len += offset;
924         /* The embedded headers contain source and dest in reverse order */
925         cp = pp->conn_out_get(AF_INET, skb, &ciph, 1);
926         if (!cp)
927                 return NF_ACCEPT;
928 
929         snet.ip = iph->saddr;
930         return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp,
931                                     pp, ciph.len, ihl);
932 }
933 
934 #ifdef CONFIG_IP_VS_IPV6
935 static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related,
936                              unsigned int hooknum, struct ip_vs_iphdr *ipvsh)
937 {
938         struct icmp6hdr _icmph, *ic;
939         struct ipv6hdr _ip6h, *ip6h; /* The ip header contained within ICMP */
940         struct ip_vs_iphdr ciph = {.flags = 0, .fragoffs = 0};/*Contained IP */
941         struct ip_vs_conn *cp;
942         struct ip_vs_protocol *pp;
943         union nf_inet_addr snet;
944         unsigned int writable;
945 
946         *related = 1;
947         ic = frag_safe_skb_hp(skb, ipvsh->len, sizeof(_icmph), &_icmph, ipvsh);
948         if (ic == NULL)
949                 return NF_DROP;
950 
951         /*
952          * Work through seeing if this is for us.
953          * These checks are supposed to be in an order that means easy
954          * things are checked first to speed up processing.... however
955          * this means that some packets will manage to get a long way
956          * down this stack and then be rejected, but that's life.
957          */
958         if (ic->icmp6_type & ICMPV6_INFOMSG_MASK) {
959                 *related = 0;
960                 return NF_ACCEPT;
961         }
962         /* Fragment header that is before ICMP header tells us that:
963          * it's not an error message since they can't be fragmented.
964          */
965         if (ipvsh->flags & IP6_FH_F_FRAG)
966                 return NF_DROP;
967 
968         IP_VS_DBG(8, "Outgoing ICMPv6 (%d,%d) %pI6c->%pI6c\n",
969                   ic->icmp6_type, ntohs(icmpv6_id(ic)),
970                   &ipvsh->saddr, &ipvsh->daddr);
971 
972         /* Now find the contained IP header */
973         ciph.len = ipvsh->len + sizeof(_icmph);
974         ip6h = skb_header_pointer(skb, ciph.len, sizeof(_ip6h), &_ip6h);
975         if (ip6h == NULL)
976                 return NF_ACCEPT; /* The packet looks wrong, ignore */
977         ciph.saddr.in6 = ip6h->saddr; /* conn_out_get() handles reverse order */
978         ciph.daddr.in6 = ip6h->daddr;
979         /* skip possible IPv6 exthdrs of contained IPv6 packet */
980         ciph.protocol = ipv6_find_hdr(skb, &ciph.len, -1, &ciph.fragoffs, NULL);
981         if (ciph.protocol < 0)
982                 return NF_ACCEPT; /* Contained IPv6 hdr looks wrong, ignore */
983 
984         pp = ip_vs_proto_get(ciph.protocol);
985         if (!pp)
986                 return NF_ACCEPT;
987 
988         /* The embedded headers contain source and dest in reverse order */
989         cp = pp->conn_out_get(AF_INET6, skb, &ciph, 1);
990         if (!cp)
991                 return NF_ACCEPT;
992 
993         snet.in6 = ciph.saddr.in6;
994         writable = ciph.len;
995         return handle_response_icmp(AF_INET6, skb, &snet, ciph.protocol, cp,
996                                     pp, writable, sizeof(struct ipv6hdr));
997 }
998 #endif
999 
1000 /*
1001  * Check if sctp chunc is ABORT chunk
1002  */
1003 static inline int is_sctp_abort(const struct sk_buff *skb, int nh_len)
1004 {
1005         sctp_chunkhdr_t *sch, schunk;
1006         sch = skb_header_pointer(skb, nh_len + sizeof(sctp_sctphdr_t),
1007                         sizeof(schunk), &schunk);
1008         if (sch == NULL)
1009                 return 0;
1010         if (sch->type == SCTP_CID_ABORT)
1011                 return 1;
1012         return 0;
1013 }
1014 
1015 static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len)
1016 {
1017         struct tcphdr _tcph, *th;
1018 
1019         th = skb_header_pointer(skb, nh_len, sizeof(_tcph), &_tcph);
1020         if (th == NULL)
1021                 return 0;
1022         return th->rst;
1023 }
1024 
1025 static inline bool is_new_conn(const struct sk_buff *skb,
1026                                struct ip_vs_iphdr *iph)
1027 {
1028         switch (iph->protocol) {
1029         case IPPROTO_TCP: {
1030                 struct tcphdr _tcph, *th;
1031 
1032                 th = skb_header_pointer(skb, iph->len, sizeof(_tcph), &_tcph);
1033                 if (th == NULL)
1034                         return false;
1035                 return th->syn;
1036         }
1037         case IPPROTO_SCTP: {
1038                 sctp_chunkhdr_t *sch, schunk;
1039 
1040                 sch = skb_header_pointer(skb, iph->len + sizeof(sctp_sctphdr_t),
1041                                          sizeof(schunk), &schunk);
1042                 if (sch == NULL)
1043                         return false;
1044                 return sch->type == SCTP_CID_INIT;
1045         }
1046         default:
1047                 return false;
1048         }
1049 }
1050 
1051 /* Handle response packets: rewrite addresses and send away...
1052  */
1053 static unsigned int
1054 handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
1055                 struct ip_vs_conn *cp, struct ip_vs_iphdr *iph)
1056 {
1057         struct ip_vs_protocol *pp = pd->pp;
1058 
1059         IP_VS_DBG_PKT(11, af, pp, skb, 0, "Outgoing packet");
1060 
1061         if (!skb_make_writable(skb, iph->len))
1062                 goto drop;
1063 
1064         /* mangle the packet */
1065         if (pp->snat_handler && !pp->snat_handler(skb, pp, cp, iph))
1066                 goto drop;
1067 
1068 #ifdef CONFIG_IP_VS_IPV6
1069         if (af == AF_INET6)
1070                 ipv6_hdr(skb)->saddr = cp->vaddr.in6;
1071         else
1072 #endif
1073         {
1074                 ip_hdr(skb)->saddr = cp->vaddr.ip;
1075                 ip_send_check(ip_hdr(skb));
1076         }
1077 
1078         /*
1079          * nf_iterate does not expect change in the skb->dst->dev.
1080          * It looks like it is not fatal to enable this code for hooks
1081          * where our handlers are at the end of the chain list and
1082          * when all next handlers use skb->dst->dev and not outdev.
1083          * It will definitely route properly the inout NAT traffic
1084          * when multiple paths are used.
1085          */
1086 
1087         /* For policy routing, packets originating from this
1088          * machine itself may be routed differently to packets
1089          * passing through.  We want this packet to be routed as
1090          * if it came from this machine itself.  So re-compute
1091          * the routing information.
1092          */
1093         if (ip_vs_route_me_harder(af, skb))
1094                 goto drop;
1095 
1096         IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT");
1097 
1098         ip_vs_out_stats(cp, skb);
1099         ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pd);
1100         skb->ipvs_property = 1;
1101         if (!(cp->flags & IP_VS_CONN_F_NFCT))
1102                 ip_vs_notrack(skb);
1103         else
1104                 ip_vs_update_conntrack(skb, cp, 0);
1105         ip_vs_conn_put(cp);
1106 
1107         LeaveFunction(11);
1108         return NF_ACCEPT;
1109 
1110 drop:
1111         ip_vs_conn_put(cp);
1112         kfree_skb(skb);
1113         LeaveFunction(11);
1114         return NF_STOLEN;
1115 }
1116 
1117 /*
1118  *      Check if outgoing packet belongs to the established ip_vs_conn.
1119  */
1120 static unsigned int
1121 ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
1122 {
1123         struct net *net = NULL;
1124         struct ip_vs_iphdr iph;
1125         struct ip_vs_protocol *pp;
1126         struct ip_vs_proto_data *pd;
1127         struct ip_vs_conn *cp;
1128 
1129         EnterFunction(11);
1130 
1131         /* Already marked as IPVS request or reply? */
1132         if (skb->ipvs_property)
1133                 return NF_ACCEPT;
1134 
1135         /* Bad... Do not break raw sockets */
1136         if (unlikely(skb->sk != NULL && hooknum == NF_INET_LOCAL_OUT &&
1137                      af == AF_INET)) {
1138                 struct sock *sk = skb->sk;
1139                 struct inet_sock *inet = inet_sk(skb->sk);
1140 
1141                 if (inet && sk->sk_family == PF_INET && inet->nodefrag)
1142                         return NF_ACCEPT;
1143         }
1144 
1145         if (unlikely(!skb_dst(skb)))
1146                 return NF_ACCEPT;
1147 
1148         net = skb_net(skb);
1149         if (!net_ipvs(net)->enable)
1150                 return NF_ACCEPT;
1151 
1152         ip_vs_fill_iph_skb(af, skb, &iph);
1153 #ifdef CONFIG_IP_VS_IPV6
1154         if (af == AF_INET6) {
1155                 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
1156                         int related;
1157                         int verdict = ip_vs_out_icmp_v6(skb, &related,
1158                                                         hooknum, &iph);
1159 
1160                         if (related)
1161                                 return verdict;
1162                 }
1163         } else
1164 #endif
1165                 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
1166                         int related;
1167                         int verdict = ip_vs_out_icmp(skb, &related, hooknum);
1168 
1169                         if (related)
1170                                 return verdict;
1171                 }
1172 
1173         pd = ip_vs_proto_data_get(net, iph.protocol);
1174         if (unlikely(!pd))
1175                 return NF_ACCEPT;
1176         pp = pd->pp;
1177 
1178         /* reassemble IP fragments */
1179 #ifdef CONFIG_IP_VS_IPV6
1180         if (af == AF_INET)
1181 #endif
1182                 if (unlikely(ip_is_fragment(ip_hdr(skb)) && !pp->dont_defrag)) {
1183                         if (ip_vs_gather_frags(skb,
1184                                                ip_vs_defrag_user(hooknum)))
1185                                 return NF_STOLEN;
1186 
1187                         ip_vs_fill_ip4hdr(skb_network_header(skb), &iph);
1188                 }
1189 
1190         /*
1191          * Check if the packet belongs to an existing entry
1192          */
1193         cp = pp->conn_out_get(af, skb, &iph, 0);
1194 
1195         if (likely(cp))
1196                 return handle_response(af, skb, pd, cp, &iph);
1197         if (sysctl_nat_icmp_send(net) &&
1198             (pp->protocol == IPPROTO_TCP ||
1199              pp->protocol == IPPROTO_UDP ||
1200              pp->protocol == IPPROTO_SCTP)) {
1201                 __be16 _ports[2], *pptr;
1202 
1203                 pptr = frag_safe_skb_hp(skb, iph.len,
1204                                          sizeof(_ports), _ports, &iph);
1205                 if (pptr == NULL)
1206                         return NF_ACCEPT;       /* Not for me */
1207                 if (ip_vs_has_real_service(net, af, iph.protocol, &iph.saddr,
1208                                            pptr[0])) {
1209                         /*
1210                          * Notify the real server: there is no
1211                          * existing entry if it is not RST
1212                          * packet or not TCP packet.
1213                          */
1214                         if ((iph.protocol != IPPROTO_TCP &&
1215                              iph.protocol != IPPROTO_SCTP)
1216                              || ((iph.protocol == IPPROTO_TCP
1217                                   && !is_tcp_reset(skb, iph.len))
1218                                  || (iph.protocol == IPPROTO_SCTP
1219                                         && !is_sctp_abort(skb,
1220                                                 iph.len)))) {
1221 #ifdef CONFIG_IP_VS_IPV6
1222                                 if (af == AF_INET6) {
1223                                         if (!skb->dev)
1224                                                 skb->dev = net->loopback_dev;
1225                                         icmpv6_send(skb,
1226                                                     ICMPV6_DEST_UNREACH,
1227                                                     ICMPV6_PORT_UNREACH,
1228                                                     0);
1229                                 } else
1230 #endif
1231                                         icmp_send(skb,
1232                                                   ICMP_DEST_UNREACH,
1233                                                   ICMP_PORT_UNREACH, 0);
1234                                 return NF_DROP;
1235                         }
1236                 }
1237         }
1238         IP_VS_DBG_PKT(12, af, pp, skb, 0,
1239                       "ip_vs_out: packet continues traversal as normal");
1240         return NF_ACCEPT;
1241 }
1242 
1243 /*
1244  *      It is hooked at the NF_INET_FORWARD and NF_INET_LOCAL_IN chain,
1245  *      used only for VS/NAT.
1246  *      Check if packet is reply for established ip_vs_conn.
1247  */
1248 static unsigned int
1249 ip_vs_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb,
1250              const struct net_device *in, const struct net_device *out,
1251              int (*okfn)(struct sk_buff *))
1252 {
1253         return ip_vs_out(ops->hooknum, skb, AF_INET);
1254 }
1255 
1256 /*
1257  *      It is hooked at the NF_INET_LOCAL_OUT chain, used only for VS/NAT.
1258  *      Check if packet is reply for established ip_vs_conn.
1259  */
1260 static unsigned int
1261 ip_vs_local_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb,
1262                    const struct net_device *in, const struct net_device *out,
1263                    int (*okfn)(struct sk_buff *))
1264 {
1265         return ip_vs_out(ops->hooknum, skb, AF_INET);
1266 }
1267 
1268 #ifdef CONFIG_IP_VS_IPV6
1269 
1270 /*
1271  *      It is hooked at the NF_INET_FORWARD and NF_INET_LOCAL_IN chain,
1272  *      used only for VS/NAT.
1273  *      Check if packet is reply for established ip_vs_conn.
1274  */
1275 static unsigned int
1276 ip_vs_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb,
1277              const struct net_device *in, const struct net_device *out,
1278              int (*okfn)(struct sk_buff *))
1279 {
1280         return ip_vs_out(ops->hooknum, skb, AF_INET6);
1281 }
1282 
1283 /*
1284  *      It is hooked at the NF_INET_LOCAL_OUT chain, used only for VS/NAT.
1285  *      Check if packet is reply for established ip_vs_conn.
1286  */
1287 static unsigned int
1288 ip_vs_local_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb,
1289                    const struct net_device *in, const struct net_device *out,
1290                    int (*okfn)(struct sk_buff *))
1291 {
1292         return ip_vs_out(ops->hooknum, skb, AF_INET6);
1293 }
1294 
1295 #endif
1296 
1297 /*
1298  *      Handle ICMP messages in the outside-to-inside direction (incoming).
1299  *      Find any that might be relevant, check against existing connections,
1300  *      forward to the right destination host if relevant.
1301  *      Currently handles error types - unreachable, quench, ttl exceeded.
1302  */
1303 static int
1304 ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
1305 {
1306         struct net *net = NULL;
1307         struct iphdr *iph;
1308         struct icmphdr  _icmph, *ic;
1309         struct iphdr    _ciph, *cih;    /* The ip header contained within the ICMP */
1310         struct ip_vs_iphdr ciph;
1311         struct ip_vs_conn *cp;
1312         struct ip_vs_protocol *pp;
1313         struct ip_vs_proto_data *pd;
1314         unsigned int offset, offset2, ihl, verdict;
1315         bool ipip;
1316 
1317         *related = 1;
1318 
1319         /* reassemble IP fragments */
1320         if (ip_is_fragment(ip_hdr(skb))) {
1321                 if (ip_vs_gather_frags(skb, ip_vs_defrag_user(hooknum)))
1322                         return NF_STOLEN;
1323         }
1324 
1325         iph = ip_hdr(skb);
1326         offset = ihl = iph->ihl * 4;
1327         ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
1328         if (ic == NULL)
1329                 return NF_DROP;
1330 
1331         IP_VS_DBG(12, "Incoming ICMP (%d,%d) %pI4->%pI4\n",
1332                   ic->type, ntohs(icmp_id(ic)),
1333                   &iph->saddr, &iph->daddr);
1334 
1335         /*
1336          * Work through seeing if this is for us.
1337          * These checks are supposed to be in an order that means easy
1338          * things are checked first to speed up processing.... however
1339          * this means that some packets will manage to get a long way
1340          * down this stack and then be rejected, but that's life.
1341          */
1342         if ((ic->type != ICMP_DEST_UNREACH) &&
1343             (ic->type != ICMP_SOURCE_QUENCH) &&
1344             (ic->type != ICMP_TIME_EXCEEDED)) {
1345                 *related = 0;
1346                 return NF_ACCEPT;
1347         }
1348 
1349         /* Now find the contained IP header */
1350         offset += sizeof(_icmph);
1351         cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1352         if (cih == NULL)
1353                 return NF_ACCEPT; /* The packet looks wrong, ignore */
1354 
1355         net = skb_net(skb);
1356 
1357         /* Special case for errors for IPIP packets */
1358         ipip = false;
1359         if (cih->protocol == IPPROTO_IPIP) {
1360                 if (unlikely(cih->frag_off & htons(IP_OFFSET)))
1361                         return NF_ACCEPT;
1362                 /* Error for our IPIP must arrive at LOCAL_IN */
1363                 if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL))
1364                         return NF_ACCEPT;
1365                 offset += cih->ihl * 4;
1366                 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1367                 if (cih == NULL)
1368                         return NF_ACCEPT; /* The packet looks wrong, ignore */
1369                 ipip = true;
1370         }
1371 
1372         pd = ip_vs_proto_data_get(net, cih->protocol);
1373         if (!pd)
1374                 return NF_ACCEPT;
1375         pp = pd->pp;
1376 
1377         /* Is the embedded protocol header present? */
1378         if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
1379                      pp->dont_defrag))
1380                 return NF_ACCEPT;
1381 
1382         IP_VS_DBG_PKT(11, AF_INET, pp, skb, offset,
1383                       "Checking incoming ICMP for");
1384 
1385         offset2 = offset;
1386         ip_vs_fill_ip4hdr(cih, &ciph);
1387         ciph.len += offset;
1388         offset = ciph.len;
1389         /* The embedded headers contain source and dest in reverse order.
1390          * For IPIP this is error for request, not for reply.
1391          */
1392         cp = pp->conn_in_get(AF_INET, skb, &ciph, ipip ? 0 : 1);
1393         if (!cp)
1394                 return NF_ACCEPT;
1395 
1396         verdict = NF_DROP;
1397 
1398         /* Ensure the checksum is correct */
1399         if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
1400                 /* Failed checksum! */
1401                 IP_VS_DBG(1, "Incoming ICMP: failed checksum from %pI4!\n",
1402                           &iph->saddr);
1403                 goto out;
1404         }
1405 
1406         if (ipip) {
1407                 __be32 info = ic->un.gateway;
1408                 __u8 type = ic->type;
1409                 __u8 code = ic->code;
1410 
1411                 /* Update the MTU */
1412                 if (ic->type == ICMP_DEST_UNREACH &&
1413                     ic->code == ICMP_FRAG_NEEDED) {
1414                         struct ip_vs_dest *dest = cp->dest;
1415                         u32 mtu = ntohs(ic->un.frag.mtu);
1416                         __be16 frag_off = cih->frag_off;
1417 
1418                         /* Strip outer IP and ICMP, go to IPIP header */
1419                         if (pskb_pull(skb, ihl + sizeof(_icmph)) == NULL)
1420                                 goto ignore_ipip;
1421                         offset2 -= ihl + sizeof(_icmph);
1422                         skb_reset_network_header(skb);
1423                         IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n",
1424                                 &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr, mtu);
1425                         ipv4_update_pmtu(skb, dev_net(skb->dev),
1426                                          mtu, 0, 0, 0, 0);
1427                         /* Client uses PMTUD? */
1428                         if (!(frag_off & htons(IP_DF)))
1429                                 goto ignore_ipip;
1430                         /* Prefer the resulting PMTU */
1431                         if (dest) {
1432                                 struct ip_vs_dest_dst *dest_dst;
1433 
1434                                 rcu_read_lock();
1435                                 dest_dst = rcu_dereference(dest->dest_dst);
1436                                 if (dest_dst)
1437                                         mtu = dst_mtu(dest_dst->dst_cache);
1438                                 rcu_read_unlock();
1439                         }
1440                         if (mtu > 68 + sizeof(struct iphdr))
1441                                 mtu -= sizeof(struct iphdr);
1442                         info = htonl(mtu);
1443                 }
1444                 /* Strip outer IP, ICMP and IPIP, go to IP header of
1445                  * original request.
1446                  */
1447                 if (pskb_pull(skb, offset2) == NULL)
1448                         goto ignore_ipip;
1449                 skb_reset_network_header(skb);
1450                 IP_VS_DBG(12, "Sending ICMP for %pI4->%pI4: t=%u, c=%u, i=%u\n",
1451                         &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr,
1452                         type, code, ntohl(info));
1453                 icmp_send(skb, type, code, info);
1454                 /* ICMP can be shorter but anyways, account it */
1455                 ip_vs_out_stats(cp, skb);
1456 
1457 ignore_ipip:
1458                 consume_skb(skb);
1459                 verdict = NF_STOLEN;
1460                 goto out;
1461         }
1462 
1463         /* do the statistics and put it back */
1464         ip_vs_in_stats(cp, skb);
1465         if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol ||
1466             IPPROTO_SCTP == cih->protocol)
1467                 offset += 2 * sizeof(__u16);
1468         verdict = ip_vs_icmp_xmit(skb, cp, pp, offset, hooknum, &ciph);
1469 
1470 out:
1471         __ip_vs_conn_put(cp);
1472 
1473         return verdict;
1474 }
1475 
1476 #ifdef CONFIG_IP_VS_IPV6
1477 static int ip_vs_in_icmp_v6(struct sk_buff *skb, int *related,
1478                             unsigned int hooknum, struct ip_vs_iphdr *iph)
1479 {
1480         struct net *net = NULL;
1481         struct ipv6hdr _ip6h, *ip6h;
1482         struct icmp6hdr _icmph, *ic;
1483         struct ip_vs_iphdr ciph = {.flags = 0, .fragoffs = 0};/*Contained IP */
1484         struct ip_vs_conn *cp;
1485         struct ip_vs_protocol *pp;
1486         struct ip_vs_proto_data *pd;
1487         unsigned int offs_ciph, writable, verdict;
1488 
1489         *related = 1;
1490 
1491         ic = frag_safe_skb_hp(skb, iph->len, sizeof(_icmph), &_icmph, iph);
1492         if (ic == NULL)
1493                 return NF_DROP;
1494 
1495         /*
1496          * Work through seeing if this is for us.
1497          * These checks are supposed to be in an order that means easy
1498          * things are checked first to speed up processing.... however
1499          * this means that some packets will manage to get a long way
1500          * down this stack and then be rejected, but that's life.
1501          */
1502         if (ic->icmp6_type & ICMPV6_INFOMSG_MASK) {
1503                 *related = 0;
1504                 return NF_ACCEPT;
1505         }
1506         /* Fragment header that is before ICMP header tells us that:
1507          * it's not an error message since they can't be fragmented.
1508          */
1509         if (iph->flags & IP6_FH_F_FRAG)
1510                 return NF_DROP;
1511 
1512         IP_VS_DBG(8, "Incoming ICMPv6 (%d,%d) %pI6c->%pI6c\n",
1513                   ic->icmp6_type, ntohs(icmpv6_id(ic)),
1514                   &iph->saddr, &iph->daddr);
1515 
1516         /* Now find the contained IP header */
1517         ciph.len = iph->len + sizeof(_icmph);
1518         offs_ciph = ciph.len; /* Save ip header offset */
1519         ip6h = skb_header_pointer(skb, ciph.len, sizeof(_ip6h), &_ip6h);
1520         if (ip6h == NULL)
1521                 return NF_ACCEPT; /* The packet looks wrong, ignore */
1522         ciph.saddr.in6 = ip6h->saddr; /* conn_in_get() handles reverse order */
1523         ciph.daddr.in6 = ip6h->daddr;
1524         /* skip possible IPv6 exthdrs of contained IPv6 packet */
1525         ciph.protocol = ipv6_find_hdr(skb, &ciph.len, -1, &ciph.fragoffs, NULL);
1526         if (ciph.protocol < 0)
1527                 return NF_ACCEPT; /* Contained IPv6 hdr looks wrong, ignore */
1528 
1529         net = skb_net(skb);
1530         pd = ip_vs_proto_data_get(net, ciph.protocol);
1531         if (!pd)
1532                 return NF_ACCEPT;
1533         pp = pd->pp;
1534 
1535         /* Cannot handle fragmented embedded protocol */
1536         if (ciph.fragoffs)
1537                 return NF_ACCEPT;
1538 
1539         IP_VS_DBG_PKT(11, AF_INET6, pp, skb, offs_ciph,
1540                       "Checking incoming ICMPv6 for");
1541 
1542         /* The embedded headers contain source and dest in reverse order
1543          * if not from localhost
1544          */
1545         cp = pp->conn_in_get(AF_INET6, skb, &ciph,
1546                              (hooknum == NF_INET_LOCAL_OUT) ? 0 : 1);
1547 
1548         if (!cp)
1549                 return NF_ACCEPT;
1550         /* VS/TUN, VS/DR and LOCALNODE just let it go */
1551         if ((hooknum == NF_INET_LOCAL_OUT) &&
1552             (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)) {
1553                 __ip_vs_conn_put(cp);
1554                 return NF_ACCEPT;
1555         }
1556 
1557         /* do the statistics and put it back */
1558         ip_vs_in_stats(cp, skb);
1559 
1560         /* Need to mangle contained IPv6 header in ICMPv6 packet */
1561         writable = ciph.len;
1562         if (IPPROTO_TCP == ciph.protocol || IPPROTO_UDP == ciph.protocol ||
1563             IPPROTO_SCTP == ciph.protocol)
1564                 writable += 2 * sizeof(__u16); /* Also mangle ports */
1565 
1566         verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, writable, hooknum, &ciph);
1567 
1568         __ip_vs_conn_put(cp);
1569 
1570         return verdict;
1571 }
1572 #endif
1573 
1574 
1575 /*
1576  *      Check if it's for virtual services, look it up,
1577  *      and send it on its way...
1578  */
1579 static unsigned int
1580 ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
1581 {
1582         struct net *net;
1583         struct ip_vs_iphdr iph;
1584         struct ip_vs_protocol *pp;
1585         struct ip_vs_proto_data *pd;
1586         struct ip_vs_conn *cp;
1587         int ret, pkts;
1588         struct netns_ipvs *ipvs;
1589 
1590         /* Already marked as IPVS request or reply? */
1591         if (skb->ipvs_property)
1592                 return NF_ACCEPT;
1593 
1594         /*
1595          *      Big tappo:
1596          *      - remote client: only PACKET_HOST
1597          *      - route: used for struct net when skb->dev is unset
1598          */
1599         if (unlikely((skb->pkt_type != PACKET_HOST &&
1600                       hooknum != NF_INET_LOCAL_OUT) ||
1601                      !skb_dst(skb))) {
1602                 ip_vs_fill_iph_skb(af, skb, &iph);
1603                 IP_VS_DBG_BUF(12, "packet type=%d proto=%d daddr=%s"
1604                               " ignored in hook %u\n",
1605                               skb->pkt_type, iph.protocol,
1606                               IP_VS_DBG_ADDR(af, &iph.daddr), hooknum);
1607                 return NF_ACCEPT;
1608         }
1609         /* ipvs enabled in this netns ? */
1610         net = skb_net(skb);
1611         ipvs = net_ipvs(net);
1612         if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
1613                 return NF_ACCEPT;
1614 
1615         ip_vs_fill_iph_skb(af, skb, &iph);
1616 
1617         /* Bad... Do not break raw sockets */
1618         if (unlikely(skb->sk != NULL && hooknum == NF_INET_LOCAL_OUT &&
1619                      af == AF_INET)) {
1620                 struct sock *sk = skb->sk;
1621                 struct inet_sock *inet = inet_sk(skb->sk);
1622 
1623                 if (inet && sk->sk_family == PF_INET && inet->nodefrag)
1624                         return NF_ACCEPT;
1625         }
1626 
1627 #ifdef CONFIG_IP_VS_IPV6
1628         if (af == AF_INET6) {
1629                 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
1630                         int related;
1631                         int verdict = ip_vs_in_icmp_v6(skb, &related, hooknum,
1632                                                        &iph);
1633 
1634                         if (related)
1635                                 return verdict;
1636                 }
1637         } else
1638 #endif
1639                 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
1640                         int related;
1641                         int verdict = ip_vs_in_icmp(skb, &related, hooknum);
1642 
1643                         if (related)
1644                                 return verdict;
1645                 }
1646 
1647         /* Protocol supported? */
1648         pd = ip_vs_proto_data_get(net, iph.protocol);
1649         if (unlikely(!pd))
1650                 return NF_ACCEPT;
1651         pp = pd->pp;
1652         /*
1653          * Check if the packet belongs to an existing connection entry
1654          */
1655         cp = pp->conn_in_get(af, skb, &iph, 0);
1656 
1657         if (unlikely(sysctl_expire_nodest_conn(ipvs)) && cp && cp->dest &&
1658             unlikely(!atomic_read(&cp->dest->weight)) && !iph.fragoffs &&
1659             is_new_conn(skb, &iph)) {
1660                 ip_vs_conn_expire_now(cp);
1661                 __ip_vs_conn_put(cp);
1662                 cp = NULL;
1663         }
1664 
1665         if (unlikely(!cp) && !iph.fragoffs) {
1666                 /* No (second) fragments need to enter here, as nf_defrag_ipv6
1667                  * replayed fragment zero will already have created the cp
1668                  */
1669                 int v;
1670 
1671                 /* Schedule and create new connection entry into &cp */
1672                 if (!pp->conn_schedule(af, skb, pd, &v, &cp, &iph))
1673                         return v;
1674         }
1675 
1676         if (unlikely(!cp)) {
1677                 /* sorry, all this trouble for a no-hit :) */
1678                 IP_VS_DBG_PKT(12, af, pp, skb, 0,
1679                               "ip_vs_in: packet continues traversal as normal");
1680                 if (iph.fragoffs) {
1681                         /* Fragment that couldn't be mapped to a conn entry
1682                          * is missing module nf_defrag_ipv6
1683                          */
1684                         IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n");
1685                         IP_VS_DBG_PKT(7, af, pp, skb, 0, "unhandled fragment");
1686                 }
1687                 return NF_ACCEPT;
1688         }
1689 
1690         IP_VS_DBG_PKT(11, af, pp, skb, 0, "Incoming packet");
1691         /* Check the server status */
1692         if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
1693                 /* the destination server is not available */
1694 
1695                 __u32 flags = cp->flags;
1696 
1697                 /* when timer already started, silently drop the packet.*/
1698                 if (timer_pending(&cp->timer))
1699                         __ip_vs_conn_put(cp);
1700                 else
1701                         ip_vs_conn_put(cp);
1702 
1703                 if (sysctl_expire_nodest_conn(ipvs) &&
1704                     !(flags & IP_VS_CONN_F_ONE_PACKET)) {
1705                         /* try to expire the connection immediately */
1706                         ip_vs_conn_expire_now(cp);
1707                 }
1708 
1709                 return NF_DROP;
1710         }
1711 
1712         ip_vs_in_stats(cp, skb);
1713         ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pd);
1714         if (cp->packet_xmit)
1715                 ret = cp->packet_xmit(skb, cp, pp, &iph);
1716                 /* do not touch skb anymore */
1717         else {
1718                 IP_VS_DBG_RL("warning: packet_xmit is null");
1719                 ret = NF_ACCEPT;
1720         }
1721 
1722         /* Increase its packet counter and check if it is needed
1723          * to be synchronized
1724          *
1725          * Sync connection if it is about to close to
1726          * encorage the standby servers to update the connections timeout
1727          *
1728          * For ONE_PKT let ip_vs_sync_conn() do the filter work.
1729          */
1730 
1731         if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
1732                 pkts = sysctl_sync_threshold(ipvs);
1733         else
1734                 pkts = atomic_add_return(1, &cp->in_pkts);
1735 
1736         if (ipvs->sync_state & IP_VS_STATE_MASTER)
1737                 ip_vs_sync_conn(net, cp, pkts);
1738 
1739         ip_vs_conn_put(cp);
1740         return ret;
1741 }
1742 
1743 /*
1744  *      AF_INET handler in NF_INET_LOCAL_IN chain
1745  *      Schedule and forward packets from remote clients
1746  */
1747 static unsigned int
1748 ip_vs_remote_request4(const struct nf_hook_ops *ops, struct sk_buff *skb,
1749                       const struct net_device *in,
1750                       const struct net_device *out,
1751                       int (*okfn)(struct sk_buff *))
1752 {
1753         return ip_vs_in(ops->hooknum, skb, AF_INET);
1754 }
1755 
1756 /*
1757  *      AF_INET handler in NF_INET_LOCAL_OUT chain
1758  *      Schedule and forward packets from local clients
1759  */
1760 static unsigned int
1761 ip_vs_local_request4(const struct nf_hook_ops *ops, struct sk_buff *skb,
1762                      const struct net_device *in, const struct net_device *out,
1763                      int (*okfn)(struct sk_buff *))
1764 {
1765         return ip_vs_in(ops->hooknum, skb, AF_INET);
1766 }
1767 
1768 #ifdef CONFIG_IP_VS_IPV6
1769 
1770 /*
1771  *      AF_INET6 handler in NF_INET_LOCAL_IN chain
1772  *      Schedule and forward packets from remote clients
1773  */
1774 static unsigned int
1775 ip_vs_remote_request6(const struct nf_hook_ops *ops, struct sk_buff *skb,
1776                       const struct net_device *in,
1777                       const struct net_device *out,
1778                       int (*okfn)(struct sk_buff *))
1779 {
1780         return ip_vs_in(ops->hooknum, skb, AF_INET6);
1781 }
1782 
1783 /*
1784  *      AF_INET6 handler in NF_INET_LOCAL_OUT chain
1785  *      Schedule and forward packets from local clients
1786  */
1787 static unsigned int
1788 ip_vs_local_request6(const struct nf_hook_ops *ops, struct sk_buff *skb,
1789                      const struct net_device *in, const struct net_device *out,
1790                      int (*okfn)(struct sk_buff *))
1791 {
1792         return ip_vs_in(ops->hooknum, skb, AF_INET6);
1793 }
1794 
1795 #endif
1796 
1797 
1798 /*
1799  *      It is hooked at the NF_INET_FORWARD chain, in order to catch ICMP
1800  *      related packets destined for 0.0.0.0/0.
1801  *      When fwmark-based virtual service is used, such as transparent
1802  *      cache cluster, TCP packets can be marked and routed to ip_vs_in,
1803  *      but ICMP destined for 0.0.0.0/0 cannot not be easily marked and
1804  *      sent to ip_vs_in_icmp. So, catch them at the NF_INET_FORWARD chain
1805  *      and send them to ip_vs_in_icmp.
1806  */
1807 static unsigned int
1808 ip_vs_forward_icmp(const struct nf_hook_ops *ops, struct sk_buff *skb,
1809                    const struct net_device *in, const struct net_device *out,
1810                    int (*okfn)(struct sk_buff *))
1811 {
1812         int r;
1813         struct net *net;
1814         struct netns_ipvs *ipvs;
1815 
1816         if (ip_hdr(skb)->protocol != IPPROTO_ICMP)
1817                 return NF_ACCEPT;
1818 
1819         /* ipvs enabled in this netns ? */
1820         net = skb_net(skb);
1821         ipvs = net_ipvs(net);
1822         if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
1823                 return NF_ACCEPT;
1824 
1825         return ip_vs_in_icmp(skb, &r, ops->hooknum);
1826 }
1827 
1828 #ifdef CONFIG_IP_VS_IPV6
1829 static unsigned int
1830 ip_vs_forward_icmp_v6(const struct nf_hook_ops *ops, struct sk_buff *skb,
1831                       const struct net_device *in, const struct net_device *out,
1832                       int (*okfn)(struct sk_buff *))
1833 {
1834         int r;
1835         struct net *net;
1836         struct netns_ipvs *ipvs;
1837         struct ip_vs_iphdr iphdr;
1838 
1839         ip_vs_fill_iph_skb(AF_INET6, skb, &iphdr);
1840         if (iphdr.protocol != IPPROTO_ICMPV6)
1841                 return NF_ACCEPT;
1842 
1843         /* ipvs enabled in this netns ? */
1844         net = skb_net(skb);
1845         ipvs = net_ipvs(net);
1846         if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
1847                 return NF_ACCEPT;
1848 
1849         return ip_vs_in_icmp_v6(skb, &r, ops->hooknum, &iphdr);
1850 }
1851 #endif
1852 
1853 
1854 static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1855         /* After packet filtering, change source only for VS/NAT */
1856         {
1857                 .hook           = ip_vs_reply4,
1858                 .owner          = THIS_MODULE,
1859                 .pf             = NFPROTO_IPV4,
1860                 .hooknum        = NF_INET_LOCAL_IN,
1861                 .priority       = NF_IP_PRI_NAT_SRC - 2,
1862         },
1863         /* After packet filtering, forward packet through VS/DR, VS/TUN,
1864          * or VS/NAT(change destination), so that filtering rules can be
1865          * applied to IPVS. */
1866         {
1867                 .hook           = ip_vs_remote_request4,
1868                 .owner          = THIS_MODULE,
1869                 .pf             = NFPROTO_IPV4,
1870                 .hooknum        = NF_INET_LOCAL_IN,
1871                 .priority       = NF_IP_PRI_NAT_SRC - 1,
1872         },
1873         /* Before ip_vs_in, change source only for VS/NAT */
1874         {
1875                 .hook           = ip_vs_local_reply4,
1876                 .owner          = THIS_MODULE,
1877                 .pf             = NFPROTO_IPV4,
1878                 .hooknum        = NF_INET_LOCAL_OUT,
1879                 .priority       = NF_IP_PRI_NAT_DST + 1,
1880         },
1881         /* After mangle, schedule and forward local requests */
1882         {
1883                 .hook           = ip_vs_local_request4,
1884                 .owner          = THIS_MODULE,
1885                 .pf             = NFPROTO_IPV4,
1886                 .hooknum        = NF_INET_LOCAL_OUT,
1887                 .priority       = NF_IP_PRI_NAT_DST + 2,
1888         },
1889         /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1890          * destined for 0.0.0.0/0, which is for incoming IPVS connections */
1891         {
1892                 .hook           = ip_vs_forward_icmp,
1893                 .owner          = THIS_MODULE,
1894                 .pf             = NFPROTO_IPV4,
1895                 .hooknum        = NF_INET_FORWARD,
1896                 .priority       = 99,
1897         },
1898         /* After packet filtering, change source only for VS/NAT */
1899         {
1900                 .hook           = ip_vs_reply4,
1901                 .owner          = THIS_MODULE,
1902                 .pf             = NFPROTO_IPV4,
1903                 .hooknum        = NF_INET_FORWARD,
1904                 .priority       = 100,
1905         },
1906 #ifdef CONFIG_IP_VS_IPV6
1907         /* After packet filtering, change source only for VS/NAT */
1908         {
1909                 .hook           = ip_vs_reply6,
1910                 .owner          = THIS_MODULE,
1911                 .pf             = NFPROTO_IPV6,
1912                 .hooknum        = NF_INET_LOCAL_IN,
1913                 .priority       = NF_IP6_PRI_NAT_SRC - 2,
1914         },
1915         /* After packet filtering, forward packet through VS/DR, VS/TUN,
1916          * or VS/NAT(change destination), so that filtering rules can be
1917          * applied to IPVS. */
1918         {
1919                 .hook           = ip_vs_remote_request6,
1920                 .owner          = THIS_MODULE,
1921                 .pf             = NFPROTO_IPV6,
1922                 .hooknum        = NF_INET_LOCAL_IN,
1923                 .priority       = NF_IP6_PRI_NAT_SRC - 1,
1924         },
1925         /* Before ip_vs_in, change source only for VS/NAT */
1926         {
1927                 .hook           = ip_vs_local_reply6,
1928                 .owner          = THIS_MODULE,
1929                 .pf             = NFPROTO_IPV6,
1930                 .hooknum        = NF_INET_LOCAL_OUT,
1931                 .priority       = NF_IP6_PRI_NAT_DST + 1,
1932         },
1933         /* After mangle, schedule and forward local requests */
1934         {
1935                 .hook           = ip_vs_local_request6,
1936                 .owner          = THIS_MODULE,
1937                 .pf             = NFPROTO_IPV6,
1938                 .hooknum        = NF_INET_LOCAL_OUT,
1939                 .priority       = NF_IP6_PRI_NAT_DST + 2,
1940         },
1941         /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1942          * destined for 0.0.0.0/0, which is for incoming IPVS connections */
1943         {
1944                 .hook           = ip_vs_forward_icmp_v6,
1945                 .owner          = THIS_MODULE,
1946                 .pf             = NFPROTO_IPV6,
1947                 .hooknum        = NF_INET_FORWARD,
1948                 .priority       = 99,
1949         },
1950         /* After packet filtering, change source only for VS/NAT */
1951         {
1952                 .hook           = ip_vs_reply6,
1953                 .owner          = THIS_MODULE,
1954                 .pf             = NFPROTO_IPV6,
1955                 .hooknum        = NF_INET_FORWARD,
1956                 .priority       = 100,
1957         },
1958 #endif
1959 };
1960 /*
1961  *      Initialize IP Virtual Server netns mem.
1962  */
1963 static int __net_init __ip_vs_init(struct net *net)
1964 {
1965         struct netns_ipvs *ipvs;
1966 
1967         ipvs = net_generic(net, ip_vs_net_id);
1968         if (ipvs == NULL)
1969                 return -ENOMEM;
1970 
1971         /* Hold the beast until a service is registerd */
1972         ipvs->enable = 0;
1973         ipvs->net = net;
1974         /* Counters used for creating unique names */
1975         ipvs->gen = atomic_read(&ipvs_netns_cnt);
1976         atomic_inc(&ipvs_netns_cnt);
1977         net->ipvs = ipvs;
1978 
1979         if (ip_vs_estimator_net_init(net) < 0)
1980                 goto estimator_fail;
1981 
1982         if (ip_vs_control_net_init(net) < 0)
1983                 goto control_fail;
1984 
1985         if (ip_vs_protocol_net_init(net) < 0)
1986                 goto protocol_fail;
1987 
1988         if (ip_vs_app_net_init(net) < 0)
1989                 goto app_fail;
1990 
1991         if (ip_vs_conn_net_init(net) < 0)
1992                 goto conn_fail;
1993 
1994         if (ip_vs_sync_net_init(net) < 0)
1995                 goto sync_fail;
1996 
1997         printk(KERN_INFO "IPVS: Creating netns size=%zu id=%d\n",
1998                          sizeof(struct netns_ipvs), ipvs->gen);
1999         return 0;
2000 /*
2001  * Error handling
2002  */
2003 
2004 sync_fail:
2005         ip_vs_conn_net_cleanup(net);
2006 conn_fail:
2007         ip_vs_app_net_cleanup(net);
2008 app_fail:
2009         ip_vs_protocol_net_cleanup(net);
2010 protocol_fail:
2011         ip_vs_control_net_cleanup(net);
2012 control_fail:
2013         ip_vs_estimator_net_cleanup(net);
2014 estimator_fail:
2015         net->ipvs = NULL;
2016         return -ENOMEM;
2017 }
2018 
2019 static void __net_exit __ip_vs_cleanup(struct net *net)
2020 {
2021         ip_vs_service_net_cleanup(net); /* ip_vs_flush() with locks */
2022         ip_vs_conn_net_cleanup(net);
2023         ip_vs_app_net_cleanup(net);
2024         ip_vs_protocol_net_cleanup(net);
2025         ip_vs_control_net_cleanup(net);
2026         ip_vs_estimator_net_cleanup(net);
2027         IP_VS_DBG(2, "ipvs netns %d released\n", net_ipvs(net)->gen);
2028         net->ipvs = NULL;
2029 }
2030 
2031 static void __net_exit __ip_vs_dev_cleanup(struct net *net)
2032 {
2033         EnterFunction(2);
2034         net_ipvs(net)->enable = 0;      /* Disable packet reception */
2035         smp_wmb();
2036         ip_vs_sync_net_cleanup(net);
2037         LeaveFunction(2);
2038 }
2039 
2040 static struct pernet_operations ipvs_core_ops = {
2041         .init = __ip_vs_init,
2042         .exit = __ip_vs_cleanup,
2043         .id   = &ip_vs_net_id,
2044         .size = sizeof(struct netns_ipvs),
2045 };
2046 
2047 static struct pernet_operations ipvs_core_dev_ops = {
2048         .exit = __ip_vs_dev_cleanup,
2049 };
2050 
2051 /*
2052  *      Initialize IP Virtual Server
2053  */
2054 static int __init ip_vs_init(void)
2055 {
2056         int ret;
2057 
2058         ret = ip_vs_control_init();
2059         if (ret < 0) {
2060                 pr_err("can't setup control.\n");
2061                 goto exit;
2062         }
2063 
2064         ip_vs_protocol_init();
2065 
2066         ret = ip_vs_conn_init();
2067         if (ret < 0) {
2068                 pr_err("can't setup connection table.\n");
2069                 goto cleanup_protocol;
2070         }
2071 
2072         ret = register_pernet_subsys(&ipvs_core_ops);   /* Alloc ip_vs struct */
2073         if (ret < 0)
2074                 goto cleanup_conn;
2075 
2076         ret = register_pernet_device(&ipvs_core_dev_ops);
2077         if (ret < 0)
2078                 goto cleanup_sub;
2079 
2080         ret = nf_register_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
2081         if (ret < 0) {
2082                 pr_err("can't register hooks.\n");
2083                 goto cleanup_dev;
2084         }
2085 
2086         ret = ip_vs_register_nl_ioctl();
2087         if (ret < 0) {
2088                 pr_err("can't register netlink/ioctl.\n");
2089                 goto cleanup_hooks;
2090         }
2091 
2092         pr_info("ipvs loaded.\n");
2093 
2094         return ret;
2095 
2096 cleanup_hooks:
2097         nf_unregister_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
2098 cleanup_dev:
2099         unregister_pernet_device(&ipvs_core_dev_ops);
2100 cleanup_sub:
2101         unregister_pernet_subsys(&ipvs_core_ops);
2102 cleanup_conn:
2103         ip_vs_conn_cleanup();
2104 cleanup_protocol:
2105         ip_vs_protocol_cleanup();
2106         ip_vs_control_cleanup();
2107 exit:
2108         return ret;
2109 }
2110 
2111 static void __exit ip_vs_cleanup(void)
2112 {
2113         ip_vs_unregister_nl_ioctl();
2114         nf_unregister_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
2115         unregister_pernet_device(&ipvs_core_dev_ops);
2116         unregister_pernet_subsys(&ipvs_core_ops);       /* free ip_vs struct */
2117         ip_vs_conn_cleanup();
2118         ip_vs_protocol_cleanup();
2119         ip_vs_control_cleanup();
2120         pr_info("ipvs unloaded.\n");
2121 }
2122 
2123 module_init(ip_vs_init);
2124 module_exit(ip_vs_cleanup);
2125 MODULE_LICENSE("GPL");
2126 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp