Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * IPVS An implementation of the IP virtual server support for the | |
3 | * LINUX operating system. IPVS is now implemented as a module | |
4 | * over the Netfilter framework. IPVS can be used to build a | |
5 | * high-performance and highly available server based on a | |
6 | * cluster of servers. | |
7 | * | |
1da177e4 LT |
8 | * Authors: Wensong Zhang <wensong@linuxvirtualserver.org> |
9 | * Peter Kese <peter.kese@ijs.si> | |
10 | * Julian Anastasov <ja@ssi.bg> | |
11 | * | |
12 | * This program is free software; you can redistribute it and/or | |
13 | * modify it under the terms of the GNU General Public License | |
14 | * as published by the Free Software Foundation; either version | |
15 | * 2 of the License, or (at your option) any later version. | |
16 | * | |
17 | * The IPVS code for kernel 2.2 was done by Wensong Zhang and Peter Kese, | |
18 | * with changes/fixes from Julian Anastasov, Lars Marowsky-Bree, Horms | |
19 | * and others. | |
20 | * | |
21 | * Changes: | |
22 | * Paul `Rusty' Russell properly handle non-linear skbs | |
6869c4d8 | 23 | * Harald Welte don't use nfcache |
1da177e4 LT |
24 | * |
25 | */ | |
26 | ||
9aada7ac HE |
27 | #define KMSG_COMPONENT "IPVS" |
28 | #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt | |
29 | ||
1da177e4 LT |
30 | #include <linux/module.h> |
31 | #include <linux/kernel.h> | |
32 | #include <linux/ip.h> | |
33 | #include <linux/tcp.h> | |
2906f66a | 34 | #include <linux/sctp.h> |
1da177e4 | 35 | #include <linux/icmp.h> |
5a0e3ad6 | 36 | #include <linux/slab.h> |
1da177e4 LT |
37 | |
38 | #include <net/ip.h> | |
39 | #include <net/tcp.h> | |
40 | #include <net/udp.h> | |
41 | #include <net/icmp.h> /* for icmp_send */ | |
42 | #include <net/route.h> | |
2c70b519 | 43 | #include <net/ip6_checksum.h> |
61b1ab45 | 44 | #include <net/netns/generic.h> /* net_generic() */ |
1da177e4 LT |
45 | |
46 | #include <linux/netfilter.h> | |
47 | #include <linux/netfilter_ipv4.h> | |
48 | ||
2a3b791e JV |
49 | #ifdef CONFIG_IP_VS_IPV6 |
50 | #include <net/ipv6.h> | |
51 | #include <linux/netfilter_ipv6.h> | |
489fdeda | 52 | #include <net/ip6_route.h> |
2a3b791e JV |
53 | #endif |
54 | ||
1da177e4 LT |
55 | #include <net/ip_vs.h> |
56 | ||
57 | ||
58 | EXPORT_SYMBOL(register_ip_vs_scheduler); | |
59 | EXPORT_SYMBOL(unregister_ip_vs_scheduler); | |
1da177e4 LT |
60 | EXPORT_SYMBOL(ip_vs_proto_name); |
61 | EXPORT_SYMBOL(ip_vs_conn_new); | |
62 | EXPORT_SYMBOL(ip_vs_conn_in_get); | |
63 | EXPORT_SYMBOL(ip_vs_conn_out_get); | |
64 | #ifdef CONFIG_IP_VS_PROTO_TCP | |
65 | EXPORT_SYMBOL(ip_vs_tcp_conn_listen); | |
66 | #endif | |
67 | EXPORT_SYMBOL(ip_vs_conn_put); | |
68 | #ifdef CONFIG_IP_VS_DEBUG | |
69 | EXPORT_SYMBOL(ip_vs_get_debug_level); | |
70 | #endif | |
1da177e4 | 71 | |
b962abdc | 72 | static int ip_vs_net_id __read_mostly; |
61b1ab45 HS |
73 | /* netns cnt used for uniqueness */ |
74 | static atomic_t ipvs_netns_cnt = ATOMIC_INIT(0); | |
1da177e4 LT |
75 | |
76 | /* ID used in ICMP lookups */ | |
77 | #define icmp_id(icmph) (((icmph)->un).echo.id) | |
2a3b791e | 78 | #define icmpv6_id(icmph) (icmph->icmp6_dataun.u_echo.identifier) |
1da177e4 | 79 | |
95c96174 | 80 | const char *ip_vs_proto_name(unsigned int proto) |
1da177e4 LT |
81 | { |
82 | static char buf[20]; | |
83 | ||
84 | switch (proto) { | |
85 | case IPPROTO_IP: | |
86 | return "IP"; | |
87 | case IPPROTO_UDP: | |
88 | return "UDP"; | |
89 | case IPPROTO_TCP: | |
90 | return "TCP"; | |
2906f66a VMR |
91 | case IPPROTO_SCTP: |
92 | return "SCTP"; | |
1da177e4 LT |
93 | case IPPROTO_ICMP: |
94 | return "ICMP"; | |
2a3b791e JV |
95 | #ifdef CONFIG_IP_VS_IPV6 |
96 | case IPPROTO_ICMPV6: | |
97 | return "ICMPv6"; | |
98 | #endif | |
1da177e4 | 99 | default: |
1404c3ab | 100 | sprintf(buf, "IP_%u", proto); |
1da177e4 LT |
101 | return buf; |
102 | } | |
103 | } | |
104 | ||
105 | void ip_vs_init_hash_table(struct list_head *table, int rows) | |
106 | { | |
107 | while (--rows >= 0) | |
108 | INIT_LIST_HEAD(&table[rows]); | |
109 | } | |
110 | ||
111 | static inline void | |
112 | ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb) | |
113 | { | |
114 | struct ip_vs_dest *dest = cp->dest; | |
b17fc996 HS |
115 | struct netns_ipvs *ipvs = net_ipvs(skb_net(skb)); |
116 | ||
1da177e4 | 117 | if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) { |
b17fc996 | 118 | struct ip_vs_cpu_stats *s; |
bcbde4c0 | 119 | struct ip_vs_service *svc; |
b17fc996 HS |
120 | |
121 | s = this_cpu_ptr(dest->stats.cpustats); | |
122 | s->ustats.inpkts++; | |
123 | u64_stats_update_begin(&s->syncp); | |
124 | s->ustats.inbytes += skb->len; | |
125 | u64_stats_update_end(&s->syncp); | |
126 | ||
bcbde4c0 JA |
127 | rcu_read_lock(); |
128 | svc = rcu_dereference(dest->svc); | |
129 | s = this_cpu_ptr(svc->stats.cpustats); | |
b17fc996 HS |
130 | s->ustats.inpkts++; |
131 | u64_stats_update_begin(&s->syncp); | |
132 | s->ustats.inbytes += skb->len; | |
133 | u64_stats_update_end(&s->syncp); | |
bcbde4c0 | 134 | rcu_read_unlock(); |
b17fc996 | 135 | |
2a0751af | 136 | s = this_cpu_ptr(ipvs->tot_stats.cpustats); |
b17fc996 HS |
137 | s->ustats.inpkts++; |
138 | u64_stats_update_begin(&s->syncp); | |
139 | s->ustats.inbytes += skb->len; | |
140 | u64_stats_update_end(&s->syncp); | |
1da177e4 LT |
141 | } |
142 | } | |
143 | ||
144 | ||
145 | static inline void | |
146 | ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb) | |
147 | { | |
148 | struct ip_vs_dest *dest = cp->dest; | |
b17fc996 HS |
149 | struct netns_ipvs *ipvs = net_ipvs(skb_net(skb)); |
150 | ||
1da177e4 | 151 | if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) { |
b17fc996 | 152 | struct ip_vs_cpu_stats *s; |
bcbde4c0 | 153 | struct ip_vs_service *svc; |
b17fc996 HS |
154 | |
155 | s = this_cpu_ptr(dest->stats.cpustats); | |
156 | s->ustats.outpkts++; | |
157 | u64_stats_update_begin(&s->syncp); | |
158 | s->ustats.outbytes += skb->len; | |
159 | u64_stats_update_end(&s->syncp); | |
160 | ||
bcbde4c0 JA |
161 | rcu_read_lock(); |
162 | svc = rcu_dereference(dest->svc); | |
163 | s = this_cpu_ptr(svc->stats.cpustats); | |
b17fc996 HS |
164 | s->ustats.outpkts++; |
165 | u64_stats_update_begin(&s->syncp); | |
166 | s->ustats.outbytes += skb->len; | |
167 | u64_stats_update_end(&s->syncp); | |
bcbde4c0 | 168 | rcu_read_unlock(); |
b17fc996 | 169 | |
2a0751af | 170 | s = this_cpu_ptr(ipvs->tot_stats.cpustats); |
b17fc996 HS |
171 | s->ustats.outpkts++; |
172 | u64_stats_update_begin(&s->syncp); | |
173 | s->ustats.outbytes += skb->len; | |
174 | u64_stats_update_end(&s->syncp); | |
1da177e4 LT |
175 | } |
176 | } | |
177 | ||
178 | ||
179 | static inline void | |
180 | ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc) | |
181 | { | |
b17fc996 HS |
182 | struct netns_ipvs *ipvs = net_ipvs(svc->net); |
183 | struct ip_vs_cpu_stats *s; | |
1da177e4 | 184 | |
b17fc996 HS |
185 | s = this_cpu_ptr(cp->dest->stats.cpustats); |
186 | s->ustats.conns++; | |
1da177e4 | 187 | |
b17fc996 HS |
188 | s = this_cpu_ptr(svc->stats.cpustats); |
189 | s->ustats.conns++; | |
190 | ||
2a0751af | 191 | s = this_cpu_ptr(ipvs->tot_stats.cpustats); |
b17fc996 | 192 | s->ustats.conns++; |
1da177e4 LT |
193 | } |
194 | ||
195 | ||
4a516f11 | 196 | static inline void |
1da177e4 LT |
197 | ip_vs_set_state(struct ip_vs_conn *cp, int direction, |
198 | const struct sk_buff *skb, | |
9330419d | 199 | struct ip_vs_proto_data *pd) |
1da177e4 | 200 | { |
4a516f11 SH |
201 | if (likely(pd->pp->state_transition)) |
202 | pd->pp->state_transition(cp, direction, skb, pd); | |
1da177e4 LT |
203 | } |
204 | ||
a5959d53 | 205 | static inline int |
85999283 SH |
206 | ip_vs_conn_fill_param_persist(const struct ip_vs_service *svc, |
207 | struct sk_buff *skb, int protocol, | |
208 | const union nf_inet_addr *caddr, __be16 cport, | |
209 | const union nf_inet_addr *vaddr, __be16 vport, | |
210 | struct ip_vs_conn_param *p) | |
211 | { | |
6e67e586 HS |
212 | ip_vs_conn_fill_param(svc->net, svc->af, protocol, caddr, cport, vaddr, |
213 | vport, p); | |
ceec4c38 | 214 | p->pe = rcu_dereference(svc->pe); |
85999283 | 215 | if (p->pe && p->pe->fill_param) |
a5959d53 HS |
216 | return p->pe->fill_param(p, skb); |
217 | ||
218 | return 0; | |
85999283 | 219 | } |
1da177e4 | 220 | |
1da177e4 LT |
221 | /* |
222 | * IPVS persistent scheduling function | |
223 | * It creates a connection entry according to its template if exists, | |
224 | * or selects a server and creates a connection entry plus a template. | |
225 | * Locking: we are svc user (svc->refcnt), so we hold all dests too | |
226 | * Protocols supported: TCP, UDP | |
227 | */ | |
228 | static struct ip_vs_conn * | |
229 | ip_vs_sched_persist(struct ip_vs_service *svc, | |
d4383f04 JDB |
230 | struct sk_buff *skb, __be16 src_port, __be16 dst_port, |
231 | int *ignored, struct ip_vs_iphdr *iph) | |
1da177e4 LT |
232 | { |
233 | struct ip_vs_conn *cp = NULL; | |
1da177e4 LT |
234 | struct ip_vs_dest *dest; |
235 | struct ip_vs_conn *ct; | |
5b57a98c | 236 | __be16 dport = 0; /* destination port to forward */ |
3575792e | 237 | unsigned int flags; |
f11017ec | 238 | struct ip_vs_conn_param param; |
e0aac52e | 239 | const union nf_inet_addr fwmark = { .ip = htonl(svc->fwmark) }; |
28364a59 JV |
240 | union nf_inet_addr snet; /* source network of the client, |
241 | after masking */ | |
cd17f9ed | 242 | |
1da177e4 | 243 | /* Mask saddr with the netmask to adjust template granularity */ |
cd17f9ed JV |
244 | #ifdef CONFIG_IP_VS_IPV6 |
245 | if (svc->af == AF_INET6) | |
0a925864 JA |
246 | ipv6_addr_prefix(&snet.in6, &iph->saddr.in6, |
247 | (__force __u32) svc->netmask); | |
cd17f9ed JV |
248 | else |
249 | #endif | |
d4383f04 | 250 | snet.ip = iph->saddr.ip & svc->netmask; |
1da177e4 | 251 | |
cd17f9ed JV |
252 | IP_VS_DBG_BUF(6, "p-schedule: src %s:%u dest %s:%u " |
253 | "mnet %s\n", | |
d4383f04 JDB |
254 | IP_VS_DBG_ADDR(svc->af, &iph->saddr), ntohs(src_port), |
255 | IP_VS_DBG_ADDR(svc->af, &iph->daddr), ntohs(dst_port), | |
cd17f9ed | 256 | IP_VS_DBG_ADDR(svc->af, &snet)); |
1da177e4 LT |
257 | |
258 | /* | |
259 | * As far as we know, FTP is a very complicated network protocol, and | |
260 | * it uses control connection and data connections. For active FTP, | |
261 | * FTP server initialize data connection to the client, its source port | |
262 | * is often 20. For passive FTP, FTP server tells the clients the port | |
263 | * that it passively listens to, and the client issues the data | |
264 | * connection. In the tunneling or direct routing mode, the load | |
265 | * balancer is on the client-to-server half of connection, the port | |
266 | * number is unknown to the load balancer. So, a conn template like | |
267 | * <caddr, 0, vaddr, 0, daddr, 0> is created for persistent FTP | |
268 | * service, and a template like <caddr, 0, vaddr, vport, daddr, dport> | |
269 | * is created for other persistent services. | |
270 | */ | |
5b57a98c | 271 | { |
d4383f04 JDB |
272 | int protocol = iph->protocol; |
273 | const union nf_inet_addr *vaddr = &iph->daddr; | |
f11017ec SH |
274 | __be16 vport = 0; |
275 | ||
ce144f24 | 276 | if (dst_port == svc->port) { |
5b57a98c SH |
277 | /* non-FTP template: |
278 | * <protocol, caddr, 0, vaddr, vport, daddr, dport> | |
279 | * FTP template: | |
280 | * <protocol, caddr, 0, vaddr, 0, daddr, 0> | |
1da177e4 LT |
281 | */ |
282 | if (svc->port != FTPPORT) | |
ce144f24 | 283 | vport = dst_port; |
1da177e4 | 284 | } else { |
5b57a98c SH |
285 | /* Note: persistent fwmark-based services and |
286 | * persistent port zero service are handled here. | |
287 | * fwmark template: | |
288 | * <IPPROTO_IP,caddr,0,fwmark,0,daddr,0> | |
289 | * port zero template: | |
290 | * <protocol,caddr,0,vaddr,0,daddr,0> | |
1da177e4 | 291 | */ |
28364a59 | 292 | if (svc->fwmark) { |
5b57a98c SH |
293 | protocol = IPPROTO_IP; |
294 | vaddr = &fwmark; | |
295 | } | |
1da177e4 | 296 | } |
a5959d53 HS |
297 | /* return *ignored = -1 so NF_DROP can be used */ |
298 | if (ip_vs_conn_fill_param_persist(svc, skb, protocol, &snet, 0, | |
299 | vaddr, vport, ¶m) < 0) { | |
300 | *ignored = -1; | |
301 | return NULL; | |
302 | } | |
1da177e4 LT |
303 | } |
304 | ||
5b57a98c | 305 | /* Check if a template already exists */ |
f11017ec | 306 | ct = ip_vs_ct_in_get(¶m); |
5b57a98c | 307 | if (!ct || !ip_vs_check_template(ct)) { |
ceec4c38 JA |
308 | struct ip_vs_scheduler *sched; |
309 | ||
a5959d53 HS |
310 | /* |
311 | * No template found or the dest of the connection | |
5b57a98c | 312 | * template is not available. |
a5959d53 | 313 | * return *ignored=0 i.e. ICMP and NF_DROP |
5b57a98c | 314 | */ |
ceec4c38 | 315 | sched = rcu_dereference(svc->scheduler); |
bba54de5 | 316 | dest = sched->schedule(svc, skb, iph); |
5b57a98c SH |
317 | if (!dest) { |
318 | IP_VS_DBG(1, "p-schedule: no dest found.\n"); | |
85999283 | 319 | kfree(param.pe_data); |
a5959d53 | 320 | *ignored = 0; |
5b57a98c SH |
321 | return NULL; |
322 | } | |
323 | ||
ce144f24 | 324 | if (dst_port == svc->port && svc->port != FTPPORT) |
5b57a98c SH |
325 | dport = dest->port; |
326 | ||
85999283 SH |
327 | /* Create a template |
328 | * This adds param.pe_data to the template, | |
329 | * and thus param.pe_data will be destroyed | |
330 | * when the template expires */ | |
ba38528a | 331 | ct = ip_vs_conn_new(¶m, dest->af, &dest->addr, dport, |
0e051e68 | 332 | IP_VS_CONN_F_TEMPLATE, dest, skb->mark); |
85999283 SH |
333 | if (ct == NULL) { |
334 | kfree(param.pe_data); | |
a5959d53 | 335 | *ignored = -1; |
5b57a98c | 336 | return NULL; |
85999283 | 337 | } |
5b57a98c SH |
338 | |
339 | ct->timeout = svc->timeout; | |
85999283 | 340 | } else { |
5b57a98c SH |
341 | /* set destination with the found template */ |
342 | dest = ct->dest; | |
85999283 SH |
343 | kfree(param.pe_data); |
344 | } | |
5b57a98c | 345 | |
ce144f24 | 346 | dport = dst_port; |
5b57a98c SH |
347 | if (dport == svc->port && dest->port) |
348 | dport = dest->port; | |
349 | ||
26ec037f | 350 | flags = (svc->flags & IP_VS_SVC_F_ONEPACKET |
d4383f04 | 351 | && iph->protocol == IPPROTO_UDP) ? |
26ec037f NC |
352 | IP_VS_CONN_F_ONE_PACKET : 0; |
353 | ||
1da177e4 LT |
354 | /* |
355 | * Create a new connection according to the template | |
356 | */ | |
d4383f04 JDB |
357 | ip_vs_conn_fill_param(svc->net, svc->af, iph->protocol, &iph->saddr, |
358 | src_port, &iph->daddr, dst_port, ¶m); | |
ce144f24 | 359 | |
ba38528a AG |
360 | cp = ip_vs_conn_new(¶m, dest->af, &dest->addr, dport, flags, dest, |
361 | skb->mark); | |
1da177e4 LT |
362 | if (cp == NULL) { |
363 | ip_vs_conn_put(ct); | |
a5959d53 | 364 | *ignored = -1; |
1da177e4 LT |
365 | return NULL; |
366 | } | |
367 | ||
368 | /* | |
369 | * Add its control | |
370 | */ | |
371 | ip_vs_control_add(cp, ct); | |
372 | ip_vs_conn_put(ct); | |
373 | ||
374 | ip_vs_conn_stats(cp, svc); | |
375 | return cp; | |
376 | } | |
377 | ||
378 | ||
379 | /* | |
380 | * IPVS main scheduling function | |
381 | * It selects a server according to the virtual service, and | |
382 | * creates a connection entry. | |
383 | * Protocols supported: TCP, UDP | |
a5959d53 HS |
384 | * |
385 | * Usage of *ignored | |
386 | * | |
387 | * 1 : protocol tried to schedule (eg. on SYN), found svc but the | |
388 | * svc/scheduler decides that this packet should be accepted with | |
389 | * NF_ACCEPT because it must not be scheduled. | |
390 | * | |
391 | * 0 : scheduler can not find destination, so try bypass or | |
392 | * return ICMP and then NF_DROP (ip_vs_leave). | |
393 | * | |
394 | * -1 : scheduler tried to schedule but fatal error occurred, eg. | |
395 | * ip_vs_conn_new failure (ENOMEM) or ip_vs_sip_fill_param | |
396 | * failure such as missing Call-ID, ENOMEM on skb_linearize | |
397 | * or pe_data. In this case we should return NF_DROP without | |
398 | * any attempts to send ICMP with ip_vs_leave. | |
1da177e4 LT |
399 | */ |
400 | struct ip_vs_conn * | |
190ecd27 | 401 | ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb, |
d4383f04 JDB |
402 | struct ip_vs_proto_data *pd, int *ignored, |
403 | struct ip_vs_iphdr *iph) | |
1da177e4 | 404 | { |
9330419d | 405 | struct ip_vs_protocol *pp = pd->pp; |
1da177e4 | 406 | struct ip_vs_conn *cp = NULL; |
ceec4c38 | 407 | struct ip_vs_scheduler *sched; |
1da177e4 | 408 | struct ip_vs_dest *dest; |
3575792e JA |
409 | __be16 _ports[2], *pptr; |
410 | unsigned int flags; | |
1da177e4 | 411 | |
190ecd27 | 412 | *ignored = 1; |
2f74713d JDB |
413 | /* |
414 | * IPv6 frags, only the first hit here. | |
415 | */ | |
d4383f04 | 416 | pptr = frag_safe_skb_hp(skb, iph->len, sizeof(_ports), _ports, iph); |
1da177e4 LT |
417 | if (pptr == NULL) |
418 | return NULL; | |
419 | ||
190ecd27 JA |
420 | /* |
421 | * FTPDATA needs this check when using local real server. | |
422 | * Never schedule Active FTPDATA connections from real server. | |
423 | * For LVS-NAT they must be already created. For other methods | |
424 | * with persistence the connection is created on SYN+ACK. | |
425 | */ | |
426 | if (pptr[0] == FTPDATA) { | |
0d79641a JA |
427 | IP_VS_DBG_PKT(12, svc->af, pp, skb, 0, |
428 | "Not scheduling FTPDATA"); | |
190ecd27 JA |
429 | return NULL; |
430 | } | |
431 | ||
432 | /* | |
a5959d53 | 433 | * Do not schedule replies from local real server. |
190ecd27 JA |
434 | */ |
435 | if ((!skb->dev || skb->dev->flags & IFF_LOOPBACK) && | |
d4383f04 | 436 | (cp = pp->conn_in_get(svc->af, skb, iph, 1))) { |
0d79641a | 437 | IP_VS_DBG_PKT(12, svc->af, pp, skb, 0, |
190ecd27 JA |
438 | "Not scheduling reply for existing connection"); |
439 | __ip_vs_conn_put(cp); | |
440 | return NULL; | |
441 | } | |
442 | ||
1da177e4 LT |
443 | /* |
444 | * Persistent service | |
445 | */ | |
a5959d53 | 446 | if (svc->flags & IP_VS_SVC_F_PERSISTENT) |
d4383f04 JDB |
447 | return ip_vs_sched_persist(svc, skb, pptr[0], pptr[1], ignored, |
448 | iph); | |
a5959d53 HS |
449 | |
450 | *ignored = 0; | |
1da177e4 LT |
451 | |
452 | /* | |
453 | * Non-persistent service | |
454 | */ | |
455 | if (!svc->fwmark && pptr[1] != svc->port) { | |
456 | if (!svc->port) | |
1e3e238e HE |
457 | pr_err("Schedule: port zero only supported " |
458 | "in persistent services, " | |
459 | "check your ipvs configuration\n"); | |
1da177e4 LT |
460 | return NULL; |
461 | } | |
462 | ||
ceec4c38 | 463 | sched = rcu_dereference(svc->scheduler); |
bba54de5 | 464 | dest = sched->schedule(svc, skb, iph); |
1da177e4 LT |
465 | if (dest == NULL) { |
466 | IP_VS_DBG(1, "Schedule: no dest found.\n"); | |
467 | return NULL; | |
468 | } | |
469 | ||
26ec037f | 470 | flags = (svc->flags & IP_VS_SVC_F_ONEPACKET |
d4383f04 | 471 | && iph->protocol == IPPROTO_UDP) ? |
26ec037f NC |
472 | IP_VS_CONN_F_ONE_PACKET : 0; |
473 | ||
1da177e4 LT |
474 | /* |
475 | * Create a connection entry. | |
476 | */ | |
f11017ec SH |
477 | { |
478 | struct ip_vs_conn_param p; | |
6e67e586 | 479 | |
d4383f04 JDB |
480 | ip_vs_conn_fill_param(svc->net, svc->af, iph->protocol, |
481 | &iph->saddr, pptr[0], &iph->daddr, | |
482 | pptr[1], &p); | |
ba38528a | 483 | cp = ip_vs_conn_new(&p, dest->af, &dest->addr, |
f11017ec | 484 | dest->port ? dest->port : pptr[1], |
0e051e68 | 485 | flags, dest, skb->mark); |
a5959d53 HS |
486 | if (!cp) { |
487 | *ignored = -1; | |
f11017ec | 488 | return NULL; |
a5959d53 | 489 | } |
f11017ec | 490 | } |
1da177e4 | 491 | |
cd17f9ed JV |
492 | IP_VS_DBG_BUF(6, "Schedule fwd:%c c:%s:%u v:%s:%u " |
493 | "d:%s:%u conn->flags:%X conn->refcnt:%d\n", | |
494 | ip_vs_fwd_tag(cp), | |
495 | IP_VS_DBG_ADDR(svc->af, &cp->caddr), ntohs(cp->cport), | |
496 | IP_VS_DBG_ADDR(svc->af, &cp->vaddr), ntohs(cp->vport), | |
497 | IP_VS_DBG_ADDR(svc->af, &cp->daddr), ntohs(cp->dport), | |
498 | cp->flags, atomic_read(&cp->refcnt)); | |
1da177e4 LT |
499 | |
500 | ip_vs_conn_stats(cp, svc); | |
501 | return cp; | |
502 | } | |
503 | ||
504 | ||
505 | /* | |
506 | * Pass or drop the packet. | |
507 | * Called by ip_vs_in, when the virtual service is available but | |
508 | * no destination is available for a new connection. | |
509 | */ | |
510 | int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb, | |
d4383f04 | 511 | struct ip_vs_proto_data *pd, struct ip_vs_iphdr *iph) |
1da177e4 | 512 | { |
014d730d | 513 | __be16 _ports[2], *pptr; |
a7a86b86 SH |
514 | #ifdef CONFIG_SYSCTL |
515 | struct net *net; | |
516 | struct netns_ipvs *ipvs; | |
2a3b791e | 517 | int unicast; |
a7a86b86 | 518 | #endif |
9330419d | 519 | |
d4383f04 | 520 | pptr = frag_safe_skb_hp(skb, iph->len, sizeof(_ports), _ports, iph); |
1da177e4 | 521 | if (pptr == NULL) { |
1da177e4 LT |
522 | return NF_DROP; |
523 | } | |
a7a86b86 SH |
524 | |
525 | #ifdef CONFIG_SYSCTL | |
4a98480b | 526 | net = skb_net(skb); |
1da177e4 | 527 | |
2a3b791e JV |
528 | #ifdef CONFIG_IP_VS_IPV6 |
529 | if (svc->af == AF_INET6) | |
d4383f04 | 530 | unicast = ipv6_addr_type(&iph->daddr.in6) & IPV6_ADDR_UNICAST; |
2a3b791e JV |
531 | else |
532 | #endif | |
d4383f04 | 533 | unicast = (inet_addr_type(net, iph->daddr.ip) == RTN_UNICAST); |
2a3b791e | 534 | |
1da177e4 | 535 | /* if it is fwmark-based service, the cache_bypass sysctl is up |
2a3b791e | 536 | and the destination is a non-local unicast, then create |
1da177e4 | 537 | a cache_bypass connection entry */ |
4a98480b | 538 | ipvs = net_ipvs(net); |
a0840e2e | 539 | if (ipvs->sysctl_cache_bypass && svc->fwmark && unicast) { |
ad542ced | 540 | int ret; |
1da177e4 | 541 | struct ip_vs_conn *cp; |
3575792e | 542 | unsigned int flags = (svc->flags & IP_VS_SVC_F_ONEPACKET && |
d4383f04 | 543 | iph->protocol == IPPROTO_UDP) ? |
3575792e | 544 | IP_VS_CONN_F_ONE_PACKET : 0; |
dff630dd | 545 | union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } }; |
1da177e4 | 546 | |
1da177e4 | 547 | /* create a new connection entry */ |
1e3e238e | 548 | IP_VS_DBG(6, "%s(): create a cache_bypass entry\n", __func__); |
f11017ec SH |
549 | { |
550 | struct ip_vs_conn_param p; | |
d4383f04 JDB |
551 | ip_vs_conn_fill_param(svc->net, svc->af, iph->protocol, |
552 | &iph->saddr, pptr[0], | |
553 | &iph->daddr, pptr[1], &p); | |
ba38528a | 554 | cp = ip_vs_conn_new(&p, svc->af, &daddr, 0, |
f11017ec | 555 | IP_VS_CONN_F_BYPASS | flags, |
0e051e68 | 556 | NULL, skb->mark); |
f11017ec SH |
557 | if (!cp) |
558 | return NF_DROP; | |
559 | } | |
1da177e4 LT |
560 | |
561 | /* statistics */ | |
562 | ip_vs_in_stats(cp, skb); | |
563 | ||
564 | /* set state */ | |
4a516f11 | 565 | ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pd); |
1da177e4 LT |
566 | |
567 | /* transmit the first SYN packet */ | |
d4383f04 | 568 | ret = cp->packet_xmit(skb, cp, pd->pp, iph); |
1da177e4 LT |
569 | /* do not touch skb anymore */ |
570 | ||
571 | atomic_inc(&cp->in_pkts); | |
572 | ip_vs_conn_put(cp); | |
573 | return ret; | |
574 | } | |
a7a86b86 | 575 | #endif |
1da177e4 LT |
576 | |
577 | /* | |
578 | * When the virtual ftp service is presented, packets destined | |
579 | * for other services on the VIP may get here (except services | |
580 | * listed in the ipvs table), pass the packets, because it is | |
581 | * not ipvs job to decide to drop the packets. | |
582 | */ | |
ceec4c38 | 583 | if ((svc->port == FTPPORT) && (pptr[1] != FTPPORT)) |
1da177e4 | 584 | return NF_ACCEPT; |
1da177e4 LT |
585 | |
586 | /* | |
587 | * Notify the client that the destination is unreachable, and | |
588 | * release the socket buffer. | |
589 | * Since it is in IP layer, the TCP socket is not actually | |
590 | * created, the TCP RST packet cannot be sent, instead that | |
591 | * ICMP_PORT_UNREACH is sent here no matter it is TCP/UDP. --WZ | |
592 | */ | |
2a3b791e | 593 | #ifdef CONFIG_IP_VS_IPV6 |
cb59155f JA |
594 | if (svc->af == AF_INET6) { |
595 | if (!skb->dev) { | |
9fd0fa7a | 596 | struct net *net_ = dev_net(skb_dst(skb)->dev); |
cb59155f | 597 | |
9fd0fa7a | 598 | skb->dev = net_->loopback_dev; |
cb59155f | 599 | } |
3ffe533c | 600 | icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0); |
cb59155f | 601 | } else |
2a3b791e JV |
602 | #endif |
603 | icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); | |
604 | ||
1da177e4 LT |
605 | return NF_DROP; |
606 | } | |
607 | ||
84b3cee3 SH |
608 | #ifdef CONFIG_SYSCTL |
609 | ||
610 | static int sysctl_snat_reroute(struct sk_buff *skb) | |
611 | { | |
612 | struct netns_ipvs *ipvs = net_ipvs(skb_net(skb)); | |
613 | return ipvs->sysctl_snat_reroute; | |
614 | } | |
615 | ||
0cfa558e SH |
616 | static int sysctl_nat_icmp_send(struct net *net) |
617 | { | |
618 | struct netns_ipvs *ipvs = net_ipvs(net); | |
619 | return ipvs->sysctl_nat_icmp_send; | |
620 | } | |
621 | ||
71a8ab6c SH |
622 | static int sysctl_expire_nodest_conn(struct netns_ipvs *ipvs) |
623 | { | |
624 | return ipvs->sysctl_expire_nodest_conn; | |
625 | } | |
626 | ||
84b3cee3 SH |
627 | #else |
628 | ||
629 | static int sysctl_snat_reroute(struct sk_buff *skb) { return 0; } | |
0cfa558e | 630 | static int sysctl_nat_icmp_send(struct net *net) { return 0; } |
71a8ab6c | 631 | static int sysctl_expire_nodest_conn(struct netns_ipvs *ipvs) { return 0; } |
84b3cee3 SH |
632 | |
633 | #endif | |
634 | ||
b1550f22 | 635 | __sum16 ip_vs_checksum_complete(struct sk_buff *skb, int offset) |
1da177e4 | 636 | { |
d3bc23e7 | 637 | return csum_fold(skb_checksum(skb, offset, skb->len - offset, 0)); |
1da177e4 LT |
638 | } |
639 | ||
1ca5bb54 JA |
640 | static inline enum ip_defrag_users ip_vs_defrag_user(unsigned int hooknum) |
641 | { | |
642 | if (NF_INET_LOCAL_IN == hooknum) | |
643 | return IP_DEFRAG_VS_IN; | |
644 | if (NF_INET_FORWARD == hooknum) | |
645 | return IP_DEFRAG_VS_FWD; | |
646 | return IP_DEFRAG_VS_OUT; | |
647 | } | |
648 | ||
776c729e | 649 | static inline int ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user) |
1da177e4 | 650 | { |
ac69269a | 651 | int err; |
776c729e | 652 | |
ac69269a JA |
653 | local_bh_disable(); |
654 | err = ip_defrag(skb, user); | |
655 | local_bh_enable(); | |
776c729e | 656 | if (!err) |
eddc9ec5 | 657 | ip_send_check(ip_hdr(skb)); |
776c729e HX |
658 | |
659 | return err; | |
1da177e4 LT |
660 | } |
661 | ||
ba4fd7e9 SH |
662 | static int ip_vs_route_me_harder(int af, struct sk_buff *skb) |
663 | { | |
ba4fd7e9 SH |
664 | #ifdef CONFIG_IP_VS_IPV6 |
665 | if (af == AF_INET6) { | |
84b3cee3 | 666 | if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0) |
ba4fd7e9 SH |
667 | return 1; |
668 | } else | |
669 | #endif | |
84b3cee3 | 670 | if ((sysctl_snat_reroute(skb) || |
ba4fd7e9 SH |
671 | skb_rtable(skb)->rt_flags & RTCF_LOCAL) && |
672 | ip_route_me_harder(skb, RTN_LOCAL) != 0) | |
673 | return 1; | |
674 | ||
675 | return 0; | |
676 | } | |
677 | ||
1da177e4 LT |
678 | /* |
679 | * Packet has been made sufficiently writable in caller | |
680 | * - inout: 1=in->out, 0=out->in | |
681 | */ | |
682 | void ip_vs_nat_icmp(struct sk_buff *skb, struct ip_vs_protocol *pp, | |
683 | struct ip_vs_conn *cp, int inout) | |
684 | { | |
eddc9ec5 | 685 | struct iphdr *iph = ip_hdr(skb); |
1da177e4 | 686 | unsigned int icmp_offset = iph->ihl*4; |
d56f90a7 ACM |
687 | struct icmphdr *icmph = (struct icmphdr *)(skb_network_header(skb) + |
688 | icmp_offset); | |
1da177e4 LT |
689 | struct iphdr *ciph = (struct iphdr *)(icmph + 1); |
690 | ||
691 | if (inout) { | |
e7ade46a | 692 | iph->saddr = cp->vaddr.ip; |
1da177e4 | 693 | ip_send_check(iph); |
e7ade46a | 694 | ciph->daddr = cp->vaddr.ip; |
1da177e4 LT |
695 | ip_send_check(ciph); |
696 | } else { | |
e7ade46a | 697 | iph->daddr = cp->daddr.ip; |
1da177e4 | 698 | ip_send_check(iph); |
e7ade46a | 699 | ciph->saddr = cp->daddr.ip; |
1da177e4 LT |
700 | ip_send_check(ciph); |
701 | } | |
702 | ||
2906f66a VMR |
703 | /* the TCP/UDP/SCTP port */ |
704 | if (IPPROTO_TCP == ciph->protocol || IPPROTO_UDP == ciph->protocol || | |
705 | IPPROTO_SCTP == ciph->protocol) { | |
014d730d | 706 | __be16 *ports = (void *)ciph + ciph->ihl*4; |
1da177e4 LT |
707 | |
708 | if (inout) | |
709 | ports[1] = cp->vport; | |
710 | else | |
711 | ports[0] = cp->dport; | |
712 | } | |
713 | ||
714 | /* And finally the ICMP checksum */ | |
715 | icmph->checksum = 0; | |
716 | icmph->checksum = ip_vs_checksum_complete(skb, icmp_offset); | |
717 | skb->ip_summed = CHECKSUM_UNNECESSARY; | |
718 | ||
719 | if (inout) | |
0d79641a | 720 | IP_VS_DBG_PKT(11, AF_INET, pp, skb, (void *)ciph - (void *)iph, |
1da177e4 LT |
721 | "Forwarding altered outgoing ICMP"); |
722 | else | |
0d79641a | 723 | IP_VS_DBG_PKT(11, AF_INET, pp, skb, (void *)ciph - (void *)iph, |
1da177e4 LT |
724 | "Forwarding altered incoming ICMP"); |
725 | } | |
726 | ||
b3cdd2a7 JV |
727 | #ifdef CONFIG_IP_VS_IPV6 |
728 | void ip_vs_nat_icmp_v6(struct sk_buff *skb, struct ip_vs_protocol *pp, | |
729 | struct ip_vs_conn *cp, int inout) | |
730 | { | |
731 | struct ipv6hdr *iph = ipv6_hdr(skb); | |
63dca2c0 JDB |
732 | unsigned int icmp_offset = 0; |
733 | unsigned int offs = 0; /* header offset*/ | |
734 | int protocol; | |
735 | struct icmp6hdr *icmph; | |
736 | struct ipv6hdr *ciph; | |
737 | unsigned short fragoffs; | |
738 | ||
739 | ipv6_find_hdr(skb, &icmp_offset, IPPROTO_ICMPV6, &fragoffs, NULL); | |
740 | icmph = (struct icmp6hdr *)(skb_network_header(skb) + icmp_offset); | |
741 | offs = icmp_offset + sizeof(struct icmp6hdr); | |
742 | ciph = (struct ipv6hdr *)(skb_network_header(skb) + offs); | |
743 | ||
744 | protocol = ipv6_find_hdr(skb, &offs, -1, &fragoffs, NULL); | |
b3cdd2a7 JV |
745 | |
746 | if (inout) { | |
747 | iph->saddr = cp->vaddr.in6; | |
748 | ciph->daddr = cp->vaddr.in6; | |
749 | } else { | |
750 | iph->daddr = cp->daddr.in6; | |
751 | ciph->saddr = cp->daddr.in6; | |
752 | } | |
753 | ||
2906f66a | 754 | /* the TCP/UDP/SCTP port */ |
63dca2c0 JDB |
755 | if (!fragoffs && (IPPROTO_TCP == protocol || IPPROTO_UDP == protocol || |
756 | IPPROTO_SCTP == protocol)) { | |
757 | __be16 *ports = (void *)(skb_network_header(skb) + offs); | |
b3cdd2a7 | 758 | |
63dca2c0 JDB |
759 | IP_VS_DBG(11, "%s() changed port %d to %d\n", __func__, |
760 | ntohs(inout ? ports[1] : ports[0]), | |
761 | ntohs(inout ? cp->vport : cp->dport)); | |
b3cdd2a7 JV |
762 | if (inout) |
763 | ports[1] = cp->vport; | |
764 | else | |
765 | ports[0] = cp->dport; | |
766 | } | |
767 | ||
768 | /* And finally the ICMP checksum */ | |
8870f842 SH |
769 | icmph->icmp6_cksum = ~csum_ipv6_magic(&iph->saddr, &iph->daddr, |
770 | skb->len - icmp_offset, | |
771 | IPPROTO_ICMPV6, 0); | |
772 | skb->csum_start = skb_network_header(skb) - skb->head + icmp_offset; | |
773 | skb->csum_offset = offsetof(struct icmp6hdr, icmp6_cksum); | |
774 | skb->ip_summed = CHECKSUM_PARTIAL; | |
b3cdd2a7 JV |
775 | |
776 | if (inout) | |
0d79641a JA |
777 | IP_VS_DBG_PKT(11, AF_INET6, pp, skb, |
778 | (void *)ciph - (void *)iph, | |
779 | "Forwarding altered outgoing ICMPv6"); | |
b3cdd2a7 | 780 | else |
0d79641a JA |
781 | IP_VS_DBG_PKT(11, AF_INET6, pp, skb, |
782 | (void *)ciph - (void *)iph, | |
783 | "Forwarding altered incoming ICMPv6"); | |
b3cdd2a7 JV |
784 | } |
785 | #endif | |
786 | ||
4856c84c | 787 | /* Handle relevant response ICMP messages - forward to the right |
6cb90db5 | 788 | * destination host. |
4856c84c | 789 | */ |
f2428ed5 SH |
790 | static int handle_response_icmp(int af, struct sk_buff *skb, |
791 | union nf_inet_addr *snet, | |
792 | __u8 protocol, struct ip_vs_conn *cp, | |
4856c84c MT |
793 | struct ip_vs_protocol *pp, |
794 | unsigned int offset, unsigned int ihl) | |
795 | { | |
796 | unsigned int verdict = NF_DROP; | |
797 | ||
798 | if (IP_VS_FWD_METHOD(cp) != 0) { | |
1e3e238e HE |
799 | pr_err("shouldn't reach here, because the box is on the " |
800 | "half connection in the tun/dr module.\n"); | |
4856c84c MT |
801 | } |
802 | ||
803 | /* Ensure the checksum is correct */ | |
804 | if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) { | |
805 | /* Failed checksum! */ | |
f2428ed5 SH |
806 | IP_VS_DBG_BUF(1, "Forward ICMP: failed checksum from %s!\n", |
807 | IP_VS_DBG_ADDR(af, snet)); | |
4856c84c MT |
808 | goto out; |
809 | } | |
810 | ||
2906f66a VMR |
811 | if (IPPROTO_TCP == protocol || IPPROTO_UDP == protocol || |
812 | IPPROTO_SCTP == protocol) | |
4856c84c MT |
813 | offset += 2 * sizeof(__u16); |
814 | if (!skb_make_writable(skb, offset)) | |
815 | goto out; | |
816 | ||
f2428ed5 SH |
817 | #ifdef CONFIG_IP_VS_IPV6 |
818 | if (af == AF_INET6) | |
819 | ip_vs_nat_icmp_v6(skb, pp, cp, 1); | |
820 | else | |
821 | #endif | |
822 | ip_vs_nat_icmp(skb, pp, cp, 1); | |
4856c84c | 823 | |
ba4fd7e9 SH |
824 | if (ip_vs_route_me_harder(af, skb)) |
825 | goto out; | |
f5a41847 | 826 | |
4856c84c MT |
827 | /* do the statistics and put it back */ |
828 | ip_vs_out_stats(cp, skb); | |
829 | ||
cf356d69 | 830 | skb->ipvs_property = 1; |
f4bc17cd | 831 | if (!(cp->flags & IP_VS_CONN_F_NFCT)) |
cf356d69 | 832 | ip_vs_notrack(skb); |
f4bc17cd JA |
833 | else |
834 | ip_vs_update_conntrack(skb, cp, 0); | |
4856c84c MT |
835 | verdict = NF_ACCEPT; |
836 | ||
837 | out: | |
838 | __ip_vs_conn_put(cp); | |
839 | ||
840 | return verdict; | |
841 | } | |
842 | ||
1da177e4 LT |
843 | /* |
844 | * Handle ICMP messages in the inside-to-outside direction (outgoing). | |
4856c84c | 845 | * Find any that might be relevant, check against existing connections. |
1da177e4 | 846 | * Currently handles error types - unreachable, quench, ttl exceeded. |
1da177e4 | 847 | */ |
1ca5bb54 JA |
848 | static int ip_vs_out_icmp(struct sk_buff *skb, int *related, |
849 | unsigned int hooknum) | |
1da177e4 | 850 | { |
1da177e4 LT |
851 | struct iphdr *iph; |
852 | struct icmphdr _icmph, *ic; | |
853 | struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */ | |
51ef348b | 854 | struct ip_vs_iphdr ciph; |
1da177e4 LT |
855 | struct ip_vs_conn *cp; |
856 | struct ip_vs_protocol *pp; | |
4856c84c | 857 | unsigned int offset, ihl; |
f2428ed5 | 858 | union nf_inet_addr snet; |
1da177e4 LT |
859 | |
860 | *related = 1; | |
861 | ||
862 | /* reassemble IP fragments */ | |
56f8a75c | 863 | if (ip_is_fragment(ip_hdr(skb))) { |
1ca5bb54 | 864 | if (ip_vs_gather_frags(skb, ip_vs_defrag_user(hooknum))) |
1da177e4 | 865 | return NF_STOLEN; |
1da177e4 LT |
866 | } |
867 | ||
eddc9ec5 | 868 | iph = ip_hdr(skb); |
1da177e4 LT |
869 | offset = ihl = iph->ihl * 4; |
870 | ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph); | |
871 | if (ic == NULL) | |
872 | return NF_DROP; | |
873 | ||
14d5e834 | 874 | IP_VS_DBG(12, "Outgoing ICMP (%d,%d) %pI4->%pI4\n", |
1da177e4 | 875 | ic->type, ntohs(icmp_id(ic)), |
14d5e834 | 876 | &iph->saddr, &iph->daddr); |
1da177e4 LT |
877 | |
878 | /* | |
879 | * Work through seeing if this is for us. | |
880 | * These checks are supposed to be in an order that means easy | |
881 | * things are checked first to speed up processing.... however | |
882 | * this means that some packets will manage to get a long way | |
883 | * down this stack and then be rejected, but that's life. | |
884 | */ | |
885 | if ((ic->type != ICMP_DEST_UNREACH) && | |
886 | (ic->type != ICMP_SOURCE_QUENCH) && | |
887 | (ic->type != ICMP_TIME_EXCEEDED)) { | |
888 | *related = 0; | |
889 | return NF_ACCEPT; | |
890 | } | |
891 | ||
892 | /* Now find the contained IP header */ | |
893 | offset += sizeof(_icmph); | |
894 | cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph); | |
895 | if (cih == NULL) | |
896 | return NF_ACCEPT; /* The packet looks wrong, ignore */ | |
897 | ||
898 | pp = ip_vs_proto_get(cih->protocol); | |
899 | if (!pp) | |
900 | return NF_ACCEPT; | |
901 | ||
902 | /* Is the embedded protocol header present? */ | |
4412ec49 | 903 | if (unlikely(cih->frag_off & htons(IP_OFFSET) && |
1da177e4 LT |
904 | pp->dont_defrag)) |
905 | return NF_ACCEPT; | |
906 | ||
0d79641a JA |
907 | IP_VS_DBG_PKT(11, AF_INET, pp, skb, offset, |
908 | "Checking outgoing ICMP for"); | |
1da177e4 | 909 | |
63dca2c0 JDB |
910 | ip_vs_fill_ip4hdr(cih, &ciph); |
911 | ciph.len += offset; | |
1da177e4 | 912 | /* The embedded headers contain source and dest in reverse order */ |
d4383f04 | 913 | cp = pp->conn_out_get(AF_INET, skb, &ciph, 1); |
1da177e4 LT |
914 | if (!cp) |
915 | return NF_ACCEPT; | |
916 | ||
f2428ed5 SH |
917 | snet.ip = iph->saddr; |
918 | return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp, | |
63dca2c0 | 919 | pp, ciph.len, ihl); |
1da177e4 LT |
920 | } |
921 | ||
2a3b791e | 922 | #ifdef CONFIG_IP_VS_IPV6 |
1ca5bb54 | 923 | static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related, |
d4383f04 | 924 | unsigned int hooknum, struct ip_vs_iphdr *ipvsh) |
2a3b791e | 925 | { |
2a3b791e | 926 | struct icmp6hdr _icmph, *ic; |
63dca2c0 JDB |
927 | struct ipv6hdr _ip6h, *ip6h; /* The ip header contained within ICMP */ |
928 | struct ip_vs_iphdr ciph = {.flags = 0, .fragoffs = 0};/*Contained IP */ | |
2a3b791e JV |
929 | struct ip_vs_conn *cp; |
930 | struct ip_vs_protocol *pp; | |
f2428ed5 | 931 | union nf_inet_addr snet; |
63dca2c0 | 932 | unsigned int writable; |
2a3b791e | 933 | |
63dca2c0 | 934 | *related = 1; |
2f74713d | 935 | ic = frag_safe_skb_hp(skb, ipvsh->len, sizeof(_icmph), &_icmph, ipvsh); |
2a3b791e JV |
936 | if (ic == NULL) |
937 | return NF_DROP; | |
938 | ||
2a3b791e JV |
939 | /* |
940 | * Work through seeing if this is for us. | |
941 | * These checks are supposed to be in an order that means easy | |
942 | * things are checked first to speed up processing.... however | |
943 | * this means that some packets will manage to get a long way | |
944 | * down this stack and then be rejected, but that's life. | |
945 | */ | |
2fab8917 | 946 | if (ic->icmp6_type & ICMPV6_INFOMSG_MASK) { |
2a3b791e JV |
947 | *related = 0; |
948 | return NF_ACCEPT; | |
949 | } | |
2f74713d JDB |
950 | /* Fragment header that is before ICMP header tells us that: |
951 | * it's not an error message since they can't be fragmented. | |
952 | */ | |
e7165030 | 953 | if (ipvsh->flags & IP6_FH_F_FRAG) |
2f74713d | 954 | return NF_DROP; |
2a3b791e | 955 | |
63dca2c0 JDB |
956 | IP_VS_DBG(8, "Outgoing ICMPv6 (%d,%d) %pI6c->%pI6c\n", |
957 | ic->icmp6_type, ntohs(icmpv6_id(ic)), | |
958 | &ipvsh->saddr, &ipvsh->daddr); | |
959 | ||
2a3b791e | 960 | /* Now find the contained IP header */ |
63dca2c0 JDB |
961 | ciph.len = ipvsh->len + sizeof(_icmph); |
962 | ip6h = skb_header_pointer(skb, ciph.len, sizeof(_ip6h), &_ip6h); | |
963 | if (ip6h == NULL) | |
2a3b791e | 964 | return NF_ACCEPT; /* The packet looks wrong, ignore */ |
63dca2c0 JDB |
965 | ciph.saddr.in6 = ip6h->saddr; /* conn_out_get() handles reverse order */ |
966 | ciph.daddr.in6 = ip6h->daddr; | |
967 | /* skip possible IPv6 exthdrs of contained IPv6 packet */ | |
968 | ciph.protocol = ipv6_find_hdr(skb, &ciph.len, -1, &ciph.fragoffs, NULL); | |
969 | if (ciph.protocol < 0) | |
970 | return NF_ACCEPT; /* Contained IPv6 hdr looks wrong, ignore */ | |
971 | ||
972 | pp = ip_vs_proto_get(ciph.protocol); | |
2a3b791e JV |
973 | if (!pp) |
974 | return NF_ACCEPT; | |
975 | ||
2a3b791e | 976 | /* The embedded headers contain source and dest in reverse order */ |
d4383f04 | 977 | cp = pp->conn_out_get(AF_INET6, skb, &ciph, 1); |
2a3b791e JV |
978 | if (!cp) |
979 | return NF_ACCEPT; | |
980 | ||
63dca2c0 JDB |
981 | snet.in6 = ciph.saddr.in6; |
982 | writable = ciph.len; | |
983 | return handle_response_icmp(AF_INET6, skb, &snet, ciph.protocol, cp, | |
984 | pp, writable, sizeof(struct ipv6hdr)); | |
2a3b791e JV |
985 | } |
986 | #endif | |
987 | ||
2906f66a VMR |
988 | /* |
989 | * Check if sctp chunc is ABORT chunk | |
990 | */ | |
991 | static inline int is_sctp_abort(const struct sk_buff *skb, int nh_len) | |
992 | { | |
993 | sctp_chunkhdr_t *sch, schunk; | |
994 | sch = skb_header_pointer(skb, nh_len + sizeof(sctp_sctphdr_t), | |
995 | sizeof(schunk), &schunk); | |
996 | if (sch == NULL) | |
997 | return 0; | |
998 | if (sch->type == SCTP_CID_ABORT) | |
999 | return 1; | |
1000 | return 0; | |
1001 | } | |
1002 | ||
2a3b791e | 1003 | static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len) |
1da177e4 LT |
1004 | { |
1005 | struct tcphdr _tcph, *th; | |
1006 | ||
2a3b791e | 1007 | th = skb_header_pointer(skb, nh_len, sizeof(_tcph), &_tcph); |
1da177e4 LT |
1008 | if (th == NULL) |
1009 | return 0; | |
1010 | return th->rst; | |
1011 | } | |
1012 | ||
dc7b3eb9 GL |
1013 | static inline bool is_new_conn(const struct sk_buff *skb, |
1014 | struct ip_vs_iphdr *iph) | |
1015 | { | |
1016 | switch (iph->protocol) { | |
1017 | case IPPROTO_TCP: { | |
1018 | struct tcphdr _tcph, *th; | |
1019 | ||
1020 | th = skb_header_pointer(skb, iph->len, sizeof(_tcph), &_tcph); | |
1021 | if (th == NULL) | |
1022 | return false; | |
1023 | return th->syn; | |
1024 | } | |
1025 | case IPPROTO_SCTP: { | |
1026 | sctp_chunkhdr_t *sch, schunk; | |
1027 | ||
1028 | sch = skb_header_pointer(skb, iph->len + sizeof(sctp_sctphdr_t), | |
1029 | sizeof(schunk), &schunk); | |
1030 | if (sch == NULL) | |
1031 | return false; | |
1032 | return sch->type == SCTP_CID_INIT; | |
1033 | } | |
1034 | default: | |
1035 | return false; | |
1036 | } | |
1037 | } | |
1038 | ||
4856c84c | 1039 | /* Handle response packets: rewrite addresses and send away... |
4856c84c MT |
1040 | */ |
1041 | static unsigned int | |
9330419d | 1042 | handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, |
d4383f04 | 1043 | struct ip_vs_conn *cp, struct ip_vs_iphdr *iph) |
4856c84c | 1044 | { |
9330419d HS |
1045 | struct ip_vs_protocol *pp = pd->pp; |
1046 | ||
0d79641a | 1047 | IP_VS_DBG_PKT(11, af, pp, skb, 0, "Outgoing packet"); |
4856c84c | 1048 | |
d4383f04 | 1049 | if (!skb_make_writable(skb, iph->len)) |
4856c84c MT |
1050 | goto drop; |
1051 | ||
1052 | /* mangle the packet */ | |
d4383f04 | 1053 | if (pp->snat_handler && !pp->snat_handler(skb, pp, cp, iph)) |
4856c84c MT |
1054 | goto drop; |
1055 | ||
1056 | #ifdef CONFIG_IP_VS_IPV6 | |
1057 | if (af == AF_INET6) | |
1058 | ipv6_hdr(skb)->saddr = cp->vaddr.in6; | |
1059 | else | |
1060 | #endif | |
1061 | { | |
1062 | ip_hdr(skb)->saddr = cp->vaddr.ip; | |
1063 | ip_send_check(ip_hdr(skb)); | |
1064 | } | |
1065 | ||
8a803040 JA |
1066 | /* |
1067 | * nf_iterate does not expect change in the skb->dst->dev. | |
1068 | * It looks like it is not fatal to enable this code for hooks | |
1069 | * where our handlers are at the end of the chain list and | |
1070 | * when all next handlers use skb->dst->dev and not outdev. | |
1071 | * It will definitely route properly the inout NAT traffic | |
1072 | * when multiple paths are used. | |
1073 | */ | |
1074 | ||
4856c84c MT |
1075 | /* For policy routing, packets originating from this |
1076 | * machine itself may be routed differently to packets | |
1077 | * passing through. We want this packet to be routed as | |
1078 | * if it came from this machine itself. So re-compute | |
1079 | * the routing information. | |
1080 | */ | |
ba4fd7e9 SH |
1081 | if (ip_vs_route_me_harder(af, skb)) |
1082 | goto drop; | |
4856c84c | 1083 | |
0d79641a | 1084 | IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT"); |
4856c84c MT |
1085 | |
1086 | ip_vs_out_stats(cp, skb); | |
9330419d | 1087 | ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pd); |
cf356d69 | 1088 | skb->ipvs_property = 1; |
f4bc17cd | 1089 | if (!(cp->flags & IP_VS_CONN_F_NFCT)) |
cf356d69 | 1090 | ip_vs_notrack(skb); |
f4bc17cd JA |
1091 | else |
1092 | ip_vs_update_conntrack(skb, cp, 0); | |
4856c84c MT |
1093 | ip_vs_conn_put(cp); |
1094 | ||
4856c84c MT |
1095 | LeaveFunction(11); |
1096 | return NF_ACCEPT; | |
1097 | ||
1098 | drop: | |
1099 | ip_vs_conn_put(cp); | |
1100 | kfree_skb(skb); | |
f4bc17cd | 1101 | LeaveFunction(11); |
4856c84c MT |
1102 | return NF_STOLEN; |
1103 | } | |
1104 | ||
1da177e4 | 1105 | /* |
4856c84c | 1106 | * Check if outgoing packet belongs to the established ip_vs_conn. |
1da177e4 LT |
1107 | */ |
1108 | static unsigned int | |
fc604767 | 1109 | ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) |
1da177e4 | 1110 | { |
fc723250 | 1111 | struct net *net = NULL; |
51ef348b | 1112 | struct ip_vs_iphdr iph; |
1da177e4 | 1113 | struct ip_vs_protocol *pp; |
9330419d | 1114 | struct ip_vs_proto_data *pd; |
1da177e4 | 1115 | struct ip_vs_conn *cp; |
1da177e4 LT |
1116 | |
1117 | EnterFunction(11); | |
1118 | ||
fc604767 | 1119 | /* Already marked as IPVS request or reply? */ |
6869c4d8 | 1120 | if (skb->ipvs_property) |
1da177e4 LT |
1121 | return NF_ACCEPT; |
1122 | ||
fc604767 JA |
1123 | /* Bad... Do not break raw sockets */ |
1124 | if (unlikely(skb->sk != NULL && hooknum == NF_INET_LOCAL_OUT && | |
1125 | af == AF_INET)) { | |
1126 | struct sock *sk = skb->sk; | |
1127 | struct inet_sock *inet = inet_sk(skb->sk); | |
1128 | ||
1129 | if (inet && sk->sk_family == PF_INET && inet->nodefrag) | |
1130 | return NF_ACCEPT; | |
1131 | } | |
1132 | ||
1133 | if (unlikely(!skb_dst(skb))) | |
1134 | return NF_ACCEPT; | |
1135 | ||
fc723250 | 1136 | net = skb_net(skb); |
7a4f0761 HS |
1137 | if (!net_ipvs(net)->enable) |
1138 | return NF_ACCEPT; | |
1139 | ||
63dca2c0 | 1140 | ip_vs_fill_iph_skb(af, skb, &iph); |
2a3b791e JV |
1141 | #ifdef CONFIG_IP_VS_IPV6 |
1142 | if (af == AF_INET6) { | |
1143 | if (unlikely(iph.protocol == IPPROTO_ICMPV6)) { | |
1ca5bb54 JA |
1144 | int related; |
1145 | int verdict = ip_vs_out_icmp_v6(skb, &related, | |
d4383f04 | 1146 | hooknum, &iph); |
1da177e4 | 1147 | |
f5a41847 | 1148 | if (related) |
2a3b791e | 1149 | return verdict; |
2a3b791e JV |
1150 | } |
1151 | } else | |
1152 | #endif | |
1153 | if (unlikely(iph.protocol == IPPROTO_ICMP)) { | |
1ca5bb54 JA |
1154 | int related; |
1155 | int verdict = ip_vs_out_icmp(skb, &related, hooknum); | |
2a3b791e | 1156 | |
f5a41847 | 1157 | if (related) |
2a3b791e | 1158 | return verdict; |
2a3b791e | 1159 | } |
1da177e4 | 1160 | |
9330419d HS |
1161 | pd = ip_vs_proto_data_get(net, iph.protocol); |
1162 | if (unlikely(!pd)) | |
1da177e4 | 1163 | return NF_ACCEPT; |
9330419d | 1164 | pp = pd->pp; |
1da177e4 LT |
1165 | |
1166 | /* reassemble IP fragments */ | |
2a3b791e | 1167 | #ifdef CONFIG_IP_VS_IPV6 |
63dca2c0 | 1168 | if (af == AF_INET) |
2a3b791e | 1169 | #endif |
56f8a75c | 1170 | if (unlikely(ip_is_fragment(ip_hdr(skb)) && !pp->dont_defrag)) { |
1ca5bb54 JA |
1171 | if (ip_vs_gather_frags(skb, |
1172 | ip_vs_defrag_user(hooknum))) | |
2a3b791e JV |
1173 | return NF_STOLEN; |
1174 | ||
63dca2c0 | 1175 | ip_vs_fill_ip4hdr(skb_network_header(skb), &iph); |
2a3b791e | 1176 | } |
1da177e4 LT |
1177 | |
1178 | /* | |
1179 | * Check if the packet belongs to an existing entry | |
1180 | */ | |
d4383f04 | 1181 | cp = pp->conn_out_get(af, skb, &iph, 0); |
1da177e4 | 1182 | |
cb59155f | 1183 | if (likely(cp)) |
d4383f04 | 1184 | return handle_response(af, skb, pd, cp, &iph); |
0cfa558e | 1185 | if (sysctl_nat_icmp_send(net) && |
cb59155f JA |
1186 | (pp->protocol == IPPROTO_TCP || |
1187 | pp->protocol == IPPROTO_UDP || | |
1188 | pp->protocol == IPPROTO_SCTP)) { | |
1189 | __be16 _ports[2], *pptr; | |
1190 | ||
2f74713d JDB |
1191 | pptr = frag_safe_skb_hp(skb, iph.len, |
1192 | sizeof(_ports), _ports, &iph); | |
cb59155f JA |
1193 | if (pptr == NULL) |
1194 | return NF_ACCEPT; /* Not for me */ | |
276472ea JA |
1195 | if (ip_vs_has_real_service(net, af, iph.protocol, &iph.saddr, |
1196 | pptr[0])) { | |
cb59155f JA |
1197 | /* |
1198 | * Notify the real server: there is no | |
1199 | * existing entry if it is not RST | |
1200 | * packet or not TCP packet. | |
1201 | */ | |
1202 | if ((iph.protocol != IPPROTO_TCP && | |
1203 | iph.protocol != IPPROTO_SCTP) | |
1204 | || ((iph.protocol == IPPROTO_TCP | |
1205 | && !is_tcp_reset(skb, iph.len)) | |
1206 | || (iph.protocol == IPPROTO_SCTP | |
1207 | && !is_sctp_abort(skb, | |
1208 | iph.len)))) { | |
2a3b791e | 1209 | #ifdef CONFIG_IP_VS_IPV6 |
cb59155f | 1210 | if (af == AF_INET6) { |
cb59155f JA |
1211 | if (!skb->dev) |
1212 | skb->dev = net->loopback_dev; | |
1213 | icmpv6_send(skb, | |
1214 | ICMPV6_DEST_UNREACH, | |
1215 | ICMPV6_PORT_UNREACH, | |
1216 | 0); | |
1217 | } else | |
2a3b791e | 1218 | #endif |
cb59155f JA |
1219 | icmp_send(skb, |
1220 | ICMP_DEST_UNREACH, | |
1221 | ICMP_PORT_UNREACH, 0); | |
1222 | return NF_DROP; | |
1da177e4 LT |
1223 | } |
1224 | } | |
1da177e4 | 1225 | } |
0d79641a | 1226 | IP_VS_DBG_PKT(12, af, pp, skb, 0, |
cb59155f JA |
1227 | "ip_vs_out: packet continues traversal as normal"); |
1228 | return NF_ACCEPT; | |
1da177e4 LT |
1229 | } |
1230 | ||
fc604767 | 1231 | /* |
cb59155f JA |
1232 | * It is hooked at the NF_INET_FORWARD and NF_INET_LOCAL_IN chain, |
1233 | * used only for VS/NAT. | |
fc604767 JA |
1234 | * Check if packet is reply for established ip_vs_conn. |
1235 | */ | |
1236 | static unsigned int | |
795aa6ef | 1237 | ip_vs_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb, |
fc604767 JA |
1238 | const struct net_device *in, const struct net_device *out, |
1239 | int (*okfn)(struct sk_buff *)) | |
1240 | { | |
795aa6ef | 1241 | return ip_vs_out(ops->hooknum, skb, AF_INET); |
fc604767 JA |
1242 | } |
1243 | ||
1244 | /* | |
1245 | * It is hooked at the NF_INET_LOCAL_OUT chain, used only for VS/NAT. | |
1246 | * Check if packet is reply for established ip_vs_conn. | |
1247 | */ | |
1248 | static unsigned int | |
795aa6ef | 1249 | ip_vs_local_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb, |
fc604767 JA |
1250 | const struct net_device *in, const struct net_device *out, |
1251 | int (*okfn)(struct sk_buff *)) | |
1252 | { | |
795aa6ef | 1253 | return ip_vs_out(ops->hooknum, skb, AF_INET); |
fc604767 JA |
1254 | } |
1255 | ||
1256 | #ifdef CONFIG_IP_VS_IPV6 | |
1257 | ||
1258 | /* | |
cb59155f JA |
1259 | * It is hooked at the NF_INET_FORWARD and NF_INET_LOCAL_IN chain, |
1260 | * used only for VS/NAT. | |
fc604767 JA |
1261 | * Check if packet is reply for established ip_vs_conn. |
1262 | */ | |
1263 | static unsigned int | |
795aa6ef | 1264 | ip_vs_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb, |
fc604767 JA |
1265 | const struct net_device *in, const struct net_device *out, |
1266 | int (*okfn)(struct sk_buff *)) | |
1267 | { | |
795aa6ef | 1268 | return ip_vs_out(ops->hooknum, skb, AF_INET6); |
fc604767 JA |
1269 | } |
1270 | ||
1271 | /* | |
1272 | * It is hooked at the NF_INET_LOCAL_OUT chain, used only for VS/NAT. | |
1273 | * Check if packet is reply for established ip_vs_conn. | |
1274 | */ | |
1275 | static unsigned int | |
795aa6ef | 1276 | ip_vs_local_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb, |
fc604767 JA |
1277 | const struct net_device *in, const struct net_device *out, |
1278 | int (*okfn)(struct sk_buff *)) | |
1279 | { | |
795aa6ef | 1280 | return ip_vs_out(ops->hooknum, skb, AF_INET6); |
fc604767 JA |
1281 | } |
1282 | ||
1283 | #endif | |
1da177e4 LT |
1284 | |
1285 | /* | |
1286 | * Handle ICMP messages in the outside-to-inside direction (incoming). | |
1287 | * Find any that might be relevant, check against existing connections, | |
1288 | * forward to the right destination host if relevant. | |
1289 | * Currently handles error types - unreachable, quench, ttl exceeded. | |
1290 | */ | |
e905a9ed | 1291 | static int |
3db05fea | 1292 | ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum) |
1da177e4 | 1293 | { |
9330419d | 1294 | struct net *net = NULL; |
1da177e4 LT |
1295 | struct iphdr *iph; |
1296 | struct icmphdr _icmph, *ic; | |
1297 | struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */ | |
51ef348b | 1298 | struct ip_vs_iphdr ciph; |
1da177e4 LT |
1299 | struct ip_vs_conn *cp; |
1300 | struct ip_vs_protocol *pp; | |
9330419d | 1301 | struct ip_vs_proto_data *pd; |
f2edb9f7 JA |
1302 | unsigned int offset, offset2, ihl, verdict; |
1303 | bool ipip; | |
1da177e4 LT |
1304 | |
1305 | *related = 1; | |
1306 | ||
1307 | /* reassemble IP fragments */ | |
56f8a75c | 1308 | if (ip_is_fragment(ip_hdr(skb))) { |
1ca5bb54 | 1309 | if (ip_vs_gather_frags(skb, ip_vs_defrag_user(hooknum))) |
1da177e4 | 1310 | return NF_STOLEN; |
1da177e4 LT |
1311 | } |
1312 | ||
eddc9ec5 | 1313 | iph = ip_hdr(skb); |
1da177e4 LT |
1314 | offset = ihl = iph->ihl * 4; |
1315 | ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph); | |
1316 | if (ic == NULL) | |
1317 | return NF_DROP; | |
1318 | ||
14d5e834 | 1319 | IP_VS_DBG(12, "Incoming ICMP (%d,%d) %pI4->%pI4\n", |
1da177e4 | 1320 | ic->type, ntohs(icmp_id(ic)), |
14d5e834 | 1321 | &iph->saddr, &iph->daddr); |
1da177e4 LT |
1322 | |
1323 | /* | |
1324 | * Work through seeing if this is for us. | |
1325 | * These checks are supposed to be in an order that means easy | |
1326 | * things are checked first to speed up processing.... however | |
1327 | * this means that some packets will manage to get a long way | |
1328 | * down this stack and then be rejected, but that's life. | |
1329 | */ | |
1330 | if ((ic->type != ICMP_DEST_UNREACH) && | |
1331 | (ic->type != ICMP_SOURCE_QUENCH) && | |
1332 | (ic->type != ICMP_TIME_EXCEEDED)) { | |
1333 | *related = 0; | |
1334 | return NF_ACCEPT; | |
1335 | } | |
1336 | ||
1337 | /* Now find the contained IP header */ | |
1338 | offset += sizeof(_icmph); | |
1339 | cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph); | |
1340 | if (cih == NULL) | |
1341 | return NF_ACCEPT; /* The packet looks wrong, ignore */ | |
1342 | ||
9330419d | 1343 | net = skb_net(skb); |
7a4f0761 | 1344 | |
f2edb9f7 JA |
1345 | /* Special case for errors for IPIP packets */ |
1346 | ipip = false; | |
1347 | if (cih->protocol == IPPROTO_IPIP) { | |
1348 | if (unlikely(cih->frag_off & htons(IP_OFFSET))) | |
1349 | return NF_ACCEPT; | |
1350 | /* Error for our IPIP must arrive at LOCAL_IN */ | |
1351 | if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL)) | |
1352 | return NF_ACCEPT; | |
1353 | offset += cih->ihl * 4; | |
1354 | cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph); | |
1355 | if (cih == NULL) | |
1356 | return NF_ACCEPT; /* The packet looks wrong, ignore */ | |
1357 | ipip = true; | |
1358 | } | |
1359 | ||
9330419d HS |
1360 | pd = ip_vs_proto_data_get(net, cih->protocol); |
1361 | if (!pd) | |
1da177e4 | 1362 | return NF_ACCEPT; |
9330419d | 1363 | pp = pd->pp; |
1da177e4 LT |
1364 | |
1365 | /* Is the embedded protocol header present? */ | |
4412ec49 | 1366 | if (unlikely(cih->frag_off & htons(IP_OFFSET) && |
1da177e4 LT |
1367 | pp->dont_defrag)) |
1368 | return NF_ACCEPT; | |
1369 | ||
0d79641a JA |
1370 | IP_VS_DBG_PKT(11, AF_INET, pp, skb, offset, |
1371 | "Checking incoming ICMP for"); | |
1da177e4 | 1372 | |
f2edb9f7 | 1373 | offset2 = offset; |
63dca2c0 JDB |
1374 | ip_vs_fill_ip4hdr(cih, &ciph); |
1375 | ciph.len += offset; | |
1376 | offset = ciph.len; | |
f2edb9f7 JA |
1377 | /* The embedded headers contain source and dest in reverse order. |
1378 | * For IPIP this is error for request, not for reply. | |
1379 | */ | |
d4383f04 | 1380 | cp = pp->conn_in_get(AF_INET, skb, &ciph, ipip ? 0 : 1); |
6cb90db5 | 1381 | if (!cp) |
1da177e4 LT |
1382 | return NF_ACCEPT; |
1383 | ||
1384 | verdict = NF_DROP; | |
1385 | ||
1386 | /* Ensure the checksum is correct */ | |
60476372 | 1387 | if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) { |
1da177e4 | 1388 | /* Failed checksum! */ |
14d5e834 HH |
1389 | IP_VS_DBG(1, "Incoming ICMP: failed checksum from %pI4!\n", |
1390 | &iph->saddr); | |
1da177e4 LT |
1391 | goto out; |
1392 | } | |
1393 | ||
f2edb9f7 JA |
1394 | if (ipip) { |
1395 | __be32 info = ic->un.gateway; | |
f44a5f45 PC |
1396 | __u8 type = ic->type; |
1397 | __u8 code = ic->code; | |
f2edb9f7 JA |
1398 | |
1399 | /* Update the MTU */ | |
1400 | if (ic->type == ICMP_DEST_UNREACH && | |
1401 | ic->code == ICMP_FRAG_NEEDED) { | |
1402 | struct ip_vs_dest *dest = cp->dest; | |
1403 | u32 mtu = ntohs(ic->un.frag.mtu); | |
f44a5f45 | 1404 | __be16 frag_off = cih->frag_off; |
f2edb9f7 JA |
1405 | |
1406 | /* Strip outer IP and ICMP, go to IPIP header */ | |
f44a5f45 PC |
1407 | if (pskb_pull(skb, ihl + sizeof(_icmph)) == NULL) |
1408 | goto ignore_ipip; | |
f2edb9f7 JA |
1409 | offset2 -= ihl + sizeof(_icmph); |
1410 | skb_reset_network_header(skb); | |
1411 | IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n", | |
1412 | &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr, mtu); | |
f2edb9f7 JA |
1413 | ipv4_update_pmtu(skb, dev_net(skb->dev), |
1414 | mtu, 0, 0, 0, 0); | |
f2edb9f7 | 1415 | /* Client uses PMTUD? */ |
f44a5f45 | 1416 | if (!(frag_off & htons(IP_DF))) |
f2edb9f7 JA |
1417 | goto ignore_ipip; |
1418 | /* Prefer the resulting PMTU */ | |
1419 | if (dest) { | |
026ace06 JA |
1420 | struct ip_vs_dest_dst *dest_dst; |
1421 | ||
1422 | rcu_read_lock(); | |
1423 | dest_dst = rcu_dereference(dest->dest_dst); | |
1424 | if (dest_dst) | |
1425 | mtu = dst_mtu(dest_dst->dst_cache); | |
1426 | rcu_read_unlock(); | |
f2edb9f7 JA |
1427 | } |
1428 | if (mtu > 68 + sizeof(struct iphdr)) | |
1429 | mtu -= sizeof(struct iphdr); | |
1430 | info = htonl(mtu); | |
1431 | } | |
1432 | /* Strip outer IP, ICMP and IPIP, go to IP header of | |
1433 | * original request. | |
1434 | */ | |
f44a5f45 PC |
1435 | if (pskb_pull(skb, offset2) == NULL) |
1436 | goto ignore_ipip; | |
f2edb9f7 JA |
1437 | skb_reset_network_header(skb); |
1438 | IP_VS_DBG(12, "Sending ICMP for %pI4->%pI4: t=%u, c=%u, i=%u\n", | |
1439 | &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr, | |
f44a5f45 PC |
1440 | type, code, ntohl(info)); |
1441 | icmp_send(skb, type, code, info); | |
f2edb9f7 JA |
1442 | /* ICMP can be shorter but anyways, account it */ |
1443 | ip_vs_out_stats(cp, skb); | |
1444 | ||
1445 | ignore_ipip: | |
1446 | consume_skb(skb); | |
1447 | verdict = NF_STOLEN; | |
1448 | goto out; | |
1449 | } | |
1450 | ||
1da177e4 LT |
1451 | /* do the statistics and put it back */ |
1452 | ip_vs_in_stats(cp, skb); | |
06f3d7f9 JA |
1453 | if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol || |
1454 | IPPROTO_SCTP == cih->protocol) | |
1da177e4 | 1455 | offset += 2 * sizeof(__u16); |
d4383f04 | 1456 | verdict = ip_vs_icmp_xmit(skb, cp, pp, offset, hooknum, &ciph); |
1da177e4 | 1457 | |
552ad65a | 1458 | out: |
1da177e4 LT |
1459 | __ip_vs_conn_put(cp); |
1460 | ||
1461 | return verdict; | |
1462 | } | |
1463 | ||
2a3b791e | 1464 | #ifdef CONFIG_IP_VS_IPV6 |
d4383f04 JDB |
1465 | static int ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, |
1466 | unsigned int hooknum, struct ip_vs_iphdr *iph) | |
2a3b791e | 1467 | { |
9330419d | 1468 | struct net *net = NULL; |
63dca2c0 | 1469 | struct ipv6hdr _ip6h, *ip6h; |
2a3b791e | 1470 | struct icmp6hdr _icmph, *ic; |
63dca2c0 | 1471 | struct ip_vs_iphdr ciph = {.flags = 0, .fragoffs = 0};/*Contained IP */ |
2a3b791e JV |
1472 | struct ip_vs_conn *cp; |
1473 | struct ip_vs_protocol *pp; | |
9330419d | 1474 | struct ip_vs_proto_data *pd; |
63dca2c0 | 1475 | unsigned int offs_ciph, writable, verdict; |
2a3b791e | 1476 | |
63dca2c0 | 1477 | *related = 1; |
2a3b791e | 1478 | |
2f74713d | 1479 | ic = frag_safe_skb_hp(skb, iph->len, sizeof(_icmph), &_icmph, iph); |
2a3b791e JV |
1480 | if (ic == NULL) |
1481 | return NF_DROP; | |
1482 | ||
2a3b791e JV |
1483 | /* |
1484 | * Work through seeing if this is for us. | |
1485 | * These checks are supposed to be in an order that means easy | |
1486 | * things are checked first to speed up processing.... however | |
1487 | * this means that some packets will manage to get a long way | |
1488 | * down this stack and then be rejected, but that's life. | |
1489 | */ | |
2fab8917 | 1490 | if (ic->icmp6_type & ICMPV6_INFOMSG_MASK) { |
2a3b791e JV |
1491 | *related = 0; |
1492 | return NF_ACCEPT; | |
1493 | } | |
2f74713d JDB |
1494 | /* Fragment header that is before ICMP header tells us that: |
1495 | * it's not an error message since they can't be fragmented. | |
1496 | */ | |
e7165030 | 1497 | if (iph->flags & IP6_FH_F_FRAG) |
2f74713d | 1498 | return NF_DROP; |
2a3b791e | 1499 | |
63dca2c0 JDB |
1500 | IP_VS_DBG(8, "Incoming ICMPv6 (%d,%d) %pI6c->%pI6c\n", |
1501 | ic->icmp6_type, ntohs(icmpv6_id(ic)), | |
1502 | &iph->saddr, &iph->daddr); | |
1503 | ||
2a3b791e | 1504 | /* Now find the contained IP header */ |
63dca2c0 JDB |
1505 | ciph.len = iph->len + sizeof(_icmph); |
1506 | offs_ciph = ciph.len; /* Save ip header offset */ | |
1507 | ip6h = skb_header_pointer(skb, ciph.len, sizeof(_ip6h), &_ip6h); | |
1508 | if (ip6h == NULL) | |
2a3b791e | 1509 | return NF_ACCEPT; /* The packet looks wrong, ignore */ |
63dca2c0 JDB |
1510 | ciph.saddr.in6 = ip6h->saddr; /* conn_in_get() handles reverse order */ |
1511 | ciph.daddr.in6 = ip6h->daddr; | |
1512 | /* skip possible IPv6 exthdrs of contained IPv6 packet */ | |
1513 | ciph.protocol = ipv6_find_hdr(skb, &ciph.len, -1, &ciph.fragoffs, NULL); | |
1514 | if (ciph.protocol < 0) | |
1515 | return NF_ACCEPT; /* Contained IPv6 hdr looks wrong, ignore */ | |
2a3b791e | 1516 | |
9330419d | 1517 | net = skb_net(skb); |
63dca2c0 | 1518 | pd = ip_vs_proto_data_get(net, ciph.protocol); |
9330419d | 1519 | if (!pd) |
2a3b791e | 1520 | return NF_ACCEPT; |
9330419d | 1521 | pp = pd->pp; |
2a3b791e | 1522 | |
63dca2c0 JDB |
1523 | /* Cannot handle fragmented embedded protocol */ |
1524 | if (ciph.fragoffs) | |
2a3b791e JV |
1525 | return NF_ACCEPT; |
1526 | ||
63dca2c0 | 1527 | IP_VS_DBG_PKT(11, AF_INET6, pp, skb, offs_ciph, |
0d79641a | 1528 | "Checking incoming ICMPv6 for"); |
2a3b791e | 1529 | |
2f74713d JDB |
1530 | /* The embedded headers contain source and dest in reverse order |
1531 | * if not from localhost | |
1532 | */ | |
d4383f04 | 1533 | cp = pp->conn_in_get(AF_INET6, skb, &ciph, |
2f74713d JDB |
1534 | (hooknum == NF_INET_LOCAL_OUT) ? 0 : 1); |
1535 | ||
6cb90db5 | 1536 | if (!cp) |
2a3b791e | 1537 | return NF_ACCEPT; |
2f74713d JDB |
1538 | /* VS/TUN, VS/DR and LOCALNODE just let it go */ |
1539 | if ((hooknum == NF_INET_LOCAL_OUT) && | |
1540 | (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)) { | |
1541 | __ip_vs_conn_put(cp); | |
1542 | return NF_ACCEPT; | |
1543 | } | |
2a3b791e | 1544 | |
2a3b791e JV |
1545 | /* do the statistics and put it back */ |
1546 | ip_vs_in_stats(cp, skb); | |
63dca2c0 JDB |
1547 | |
1548 | /* Need to mangle contained IPv6 header in ICMPv6 packet */ | |
1549 | writable = ciph.len; | |
1550 | if (IPPROTO_TCP == ciph.protocol || IPPROTO_UDP == ciph.protocol || | |
1551 | IPPROTO_SCTP == ciph.protocol) | |
1552 | writable += 2 * sizeof(__u16); /* Also mangle ports */ | |
1553 | ||
d4383f04 | 1554 | verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, writable, hooknum, &ciph); |
2a3b791e JV |
1555 | |
1556 | __ip_vs_conn_put(cp); | |
1557 | ||
1558 | return verdict; | |
1559 | } | |
1560 | #endif | |
1561 | ||
1562 | ||
1da177e4 LT |
1563 | /* |
1564 | * Check if it's for virtual services, look it up, | |
1565 | * and send it on its way... | |
1566 | */ | |
1567 | static unsigned int | |
cb59155f | 1568 | ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) |
1da177e4 | 1569 | { |
f131315f | 1570 | struct net *net; |
51ef348b | 1571 | struct ip_vs_iphdr iph; |
1da177e4 | 1572 | struct ip_vs_protocol *pp; |
9330419d | 1573 | struct ip_vs_proto_data *pd; |
1da177e4 | 1574 | struct ip_vs_conn *cp; |
4a516f11 | 1575 | int ret, pkts; |
f131315f | 1576 | struct netns_ipvs *ipvs; |
2a3b791e | 1577 | |
fc604767 JA |
1578 | /* Already marked as IPVS request or reply? */ |
1579 | if (skb->ipvs_property) | |
1580 | return NF_ACCEPT; | |
1581 | ||
1da177e4 | 1582 | /* |
cb59155f JA |
1583 | * Big tappo: |
1584 | * - remote client: only PACKET_HOST | |
1585 | * - route: used for struct net when skb->dev is unset | |
1da177e4 | 1586 | */ |
cb59155f JA |
1587 | if (unlikely((skb->pkt_type != PACKET_HOST && |
1588 | hooknum != NF_INET_LOCAL_OUT) || | |
1589 | !skb_dst(skb))) { | |
63dca2c0 | 1590 | ip_vs_fill_iph_skb(af, skb, &iph); |
cb59155f JA |
1591 | IP_VS_DBG_BUF(12, "packet type=%d proto=%d daddr=%s" |
1592 | " ignored in hook %u\n", | |
1593 | skb->pkt_type, iph.protocol, | |
1594 | IP_VS_DBG_ADDR(af, &iph.daddr), hooknum); | |
1da177e4 LT |
1595 | return NF_ACCEPT; |
1596 | } | |
7a4f0761 HS |
1597 | /* ipvs enabled in this netns ? */ |
1598 | net = skb_net(skb); | |
0c12582f JA |
1599 | ipvs = net_ipvs(net); |
1600 | if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable)) | |
7a4f0761 HS |
1601 | return NF_ACCEPT; |
1602 | ||
63dca2c0 | 1603 | ip_vs_fill_iph_skb(af, skb, &iph); |
cb59155f JA |
1604 | |
1605 | /* Bad... Do not break raw sockets */ | |
1606 | if (unlikely(skb->sk != NULL && hooknum == NF_INET_LOCAL_OUT && | |
1607 | af == AF_INET)) { | |
1608 | struct sock *sk = skb->sk; | |
1609 | struct inet_sock *inet = inet_sk(skb->sk); | |
1610 | ||
1611 | if (inet && sk->sk_family == PF_INET && inet->nodefrag) | |
1612 | return NF_ACCEPT; | |
1613 | } | |
1da177e4 | 1614 | |
94b26551 JV |
1615 | #ifdef CONFIG_IP_VS_IPV6 |
1616 | if (af == AF_INET6) { | |
1617 | if (unlikely(iph.protocol == IPPROTO_ICMPV6)) { | |
1ca5bb54 | 1618 | int related; |
d4383f04 JDB |
1619 | int verdict = ip_vs_in_icmp_v6(skb, &related, hooknum, |
1620 | &iph); | |
1da177e4 | 1621 | |
94b26551 JV |
1622 | if (related) |
1623 | return verdict; | |
94b26551 JV |
1624 | } |
1625 | } else | |
1626 | #endif | |
1627 | if (unlikely(iph.protocol == IPPROTO_ICMP)) { | |
1ca5bb54 JA |
1628 | int related; |
1629 | int verdict = ip_vs_in_icmp(skb, &related, hooknum); | |
94b26551 JV |
1630 | |
1631 | if (related) | |
1632 | return verdict; | |
94b26551 | 1633 | } |
1da177e4 LT |
1634 | |
1635 | /* Protocol supported? */ | |
9330419d HS |
1636 | pd = ip_vs_proto_data_get(net, iph.protocol); |
1637 | if (unlikely(!pd)) | |
1da177e4 | 1638 | return NF_ACCEPT; |
9330419d | 1639 | pp = pd->pp; |
1da177e4 LT |
1640 | /* |
1641 | * Check if the packet belongs to an existing connection entry | |
1642 | */ | |
d4383f04 | 1643 | cp = pp->conn_in_get(af, skb, &iph, 0); |
dc7b3eb9 GL |
1644 | |
1645 | if (unlikely(sysctl_expire_nodest_conn(ipvs)) && cp && cp->dest && | |
1646 | unlikely(!atomic_read(&cp->dest->weight)) && !iph.fragoffs && | |
1647 | is_new_conn(skb, &iph)) { | |
1648 | ip_vs_conn_expire_now(cp); | |
1649 | __ip_vs_conn_put(cp); | |
1650 | cp = NULL; | |
1651 | } | |
1652 | ||
63dca2c0 | 1653 | if (unlikely(!cp) && !iph.fragoffs) { |
2f74713d JDB |
1654 | /* No (second) fragments need to enter here, as nf_defrag_ipv6 |
1655 | * replayed fragment zero will already have created the cp | |
1656 | */ | |
1da177e4 LT |
1657 | int v; |
1658 | ||
2f74713d | 1659 | /* Schedule and create new connection entry into &cp */ |
d4383f04 | 1660 | if (!pp->conn_schedule(af, skb, pd, &v, &cp, &iph)) |
1da177e4 LT |
1661 | return v; |
1662 | } | |
1663 | ||
1664 | if (unlikely(!cp)) { | |
1665 | /* sorry, all this trouble for a no-hit :) */ | |
0d79641a | 1666 | IP_VS_DBG_PKT(12, af, pp, skb, 0, |
cb59155f | 1667 | "ip_vs_in: packet continues traversal as normal"); |
6aafeef0 | 1668 | if (iph.fragoffs) { |
2f74713d | 1669 | /* Fragment that couldn't be mapped to a conn entry |
2f74713d JDB |
1670 | * is missing module nf_defrag_ipv6 |
1671 | */ | |
1672 | IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n"); | |
1673 | IP_VS_DBG_PKT(7, af, pp, skb, 0, "unhandled fragment"); | |
1674 | } | |
1da177e4 LT |
1675 | return NF_ACCEPT; |
1676 | } | |
1677 | ||
0d79641a | 1678 | IP_VS_DBG_PKT(11, af, pp, skb, 0, "Incoming packet"); |
1da177e4 LT |
1679 | /* Check the server status */ |
1680 | if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) { | |
1681 | /* the destination server is not available */ | |
1682 | ||
71a8ab6c | 1683 | if (sysctl_expire_nodest_conn(ipvs)) { |
1da177e4 LT |
1684 | /* try to expire the connection immediately */ |
1685 | ip_vs_conn_expire_now(cp); | |
1da177e4 | 1686 | } |
dc8103f2 JA |
1687 | /* don't restart its timer, and silently |
1688 | drop the packet. */ | |
1689 | __ip_vs_conn_put(cp); | |
1da177e4 LT |
1690 | return NF_DROP; |
1691 | } | |
1692 | ||
1693 | ip_vs_in_stats(cp, skb); | |
4a516f11 | 1694 | ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pd); |
1da177e4 | 1695 | if (cp->packet_xmit) |
d4383f04 | 1696 | ret = cp->packet_xmit(skb, cp, pp, &iph); |
1da177e4 LT |
1697 | /* do not touch skb anymore */ |
1698 | else { | |
1699 | IP_VS_DBG_RL("warning: packet_xmit is null"); | |
1700 | ret = NF_ACCEPT; | |
1701 | } | |
1702 | ||
efac5276 RB |
1703 | /* Increase its packet counter and check if it is needed |
1704 | * to be synchronized | |
1705 | * | |
1706 | * Sync connection if it is about to close to | |
1707 | * encorage the standby servers to update the connections timeout | |
986a0757 HS |
1708 | * |
1709 | * For ONE_PKT let ip_vs_sync_conn() do the filter work. | |
efac5276 | 1710 | */ |
f131315f | 1711 | |
986a0757 | 1712 | if (cp->flags & IP_VS_CONN_F_ONE_PACKET) |
59e0350e | 1713 | pkts = sysctl_sync_threshold(ipvs); |
986a0757 HS |
1714 | else |
1715 | pkts = atomic_add_return(1, &cp->in_pkts); | |
1716 | ||
749c42b6 JA |
1717 | if (ipvs->sync_state & IP_VS_STATE_MASTER) |
1718 | ip_vs_sync_conn(net, cp, pkts); | |
1da177e4 LT |
1719 | |
1720 | ip_vs_conn_put(cp); | |
1721 | return ret; | |
1722 | } | |
1723 | ||
cb59155f JA |
1724 | /* |
1725 | * AF_INET handler in NF_INET_LOCAL_IN chain | |
1726 | * Schedule and forward packets from remote clients | |
1727 | */ | |
1728 | static unsigned int | |
795aa6ef | 1729 | ip_vs_remote_request4(const struct nf_hook_ops *ops, struct sk_buff *skb, |
cb59155f JA |
1730 | const struct net_device *in, |
1731 | const struct net_device *out, | |
1732 | int (*okfn)(struct sk_buff *)) | |
1733 | { | |
795aa6ef | 1734 | return ip_vs_in(ops->hooknum, skb, AF_INET); |
cb59155f JA |
1735 | } |
1736 | ||
1737 | /* | |
1738 | * AF_INET handler in NF_INET_LOCAL_OUT chain | |
1739 | * Schedule and forward packets from local clients | |
1740 | */ | |
1741 | static unsigned int | |
795aa6ef | 1742 | ip_vs_local_request4(const struct nf_hook_ops *ops, struct sk_buff *skb, |
cb59155f JA |
1743 | const struct net_device *in, const struct net_device *out, |
1744 | int (*okfn)(struct sk_buff *)) | |
1745 | { | |
795aa6ef | 1746 | return ip_vs_in(ops->hooknum, skb, AF_INET); |
cb59155f JA |
1747 | } |
1748 | ||
1749 | #ifdef CONFIG_IP_VS_IPV6 | |
1750 | ||
1751 | /* | |
1752 | * AF_INET6 handler in NF_INET_LOCAL_IN chain | |
1753 | * Schedule and forward packets from remote clients | |
1754 | */ | |
1755 | static unsigned int | |
795aa6ef | 1756 | ip_vs_remote_request6(const struct nf_hook_ops *ops, struct sk_buff *skb, |
cb59155f JA |
1757 | const struct net_device *in, |
1758 | const struct net_device *out, | |
1759 | int (*okfn)(struct sk_buff *)) | |
1760 | { | |
795aa6ef | 1761 | return ip_vs_in(ops->hooknum, skb, AF_INET6); |
cb59155f JA |
1762 | } |
1763 | ||
1764 | /* | |
1765 | * AF_INET6 handler in NF_INET_LOCAL_OUT chain | |
1766 | * Schedule and forward packets from local clients | |
1767 | */ | |
1768 | static unsigned int | |
795aa6ef | 1769 | ip_vs_local_request6(const struct nf_hook_ops *ops, struct sk_buff *skb, |
cb59155f JA |
1770 | const struct net_device *in, const struct net_device *out, |
1771 | int (*okfn)(struct sk_buff *)) | |
1772 | { | |
795aa6ef | 1773 | return ip_vs_in(ops->hooknum, skb, AF_INET6); |
cb59155f JA |
1774 | } |
1775 | ||
1776 | #endif | |
1777 | ||
1da177e4 LT |
1778 | |
1779 | /* | |
6e23ae2a | 1780 | * It is hooked at the NF_INET_FORWARD chain, in order to catch ICMP |
1da177e4 LT |
1781 | * related packets destined for 0.0.0.0/0. |
1782 | * When fwmark-based virtual service is used, such as transparent | |
1783 | * cache cluster, TCP packets can be marked and routed to ip_vs_in, | |
1784 | * but ICMP destined for 0.0.0.0/0 cannot not be easily marked and | |
6e23ae2a | 1785 | * sent to ip_vs_in_icmp. So, catch them at the NF_INET_FORWARD chain |
1da177e4 LT |
1786 | * and send them to ip_vs_in_icmp. |
1787 | */ | |
1788 | static unsigned int | |
795aa6ef | 1789 | ip_vs_forward_icmp(const struct nf_hook_ops *ops, struct sk_buff *skb, |
1da177e4 LT |
1790 | const struct net_device *in, const struct net_device *out, |
1791 | int (*okfn)(struct sk_buff *)) | |
1792 | { | |
1793 | int r; | |
7a4f0761 | 1794 | struct net *net; |
0c12582f | 1795 | struct netns_ipvs *ipvs; |
1da177e4 | 1796 | |
3db05fea | 1797 | if (ip_hdr(skb)->protocol != IPPROTO_ICMP) |
1da177e4 LT |
1798 | return NF_ACCEPT; |
1799 | ||
7a4f0761 HS |
1800 | /* ipvs enabled in this netns ? */ |
1801 | net = skb_net(skb); | |
0c12582f JA |
1802 | ipvs = net_ipvs(net); |
1803 | if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable)) | |
7a4f0761 HS |
1804 | return NF_ACCEPT; |
1805 | ||
795aa6ef | 1806 | return ip_vs_in_icmp(skb, &r, ops->hooknum); |
1da177e4 LT |
1807 | } |
1808 | ||
2a3b791e JV |
1809 | #ifdef CONFIG_IP_VS_IPV6 |
1810 | static unsigned int | |
795aa6ef | 1811 | ip_vs_forward_icmp_v6(const struct nf_hook_ops *ops, struct sk_buff *skb, |
2a3b791e JV |
1812 | const struct net_device *in, const struct net_device *out, |
1813 | int (*okfn)(struct sk_buff *)) | |
1814 | { | |
1815 | int r; | |
7a4f0761 | 1816 | struct net *net; |
0c12582f | 1817 | struct netns_ipvs *ipvs; |
63dca2c0 | 1818 | struct ip_vs_iphdr iphdr; |
2a3b791e | 1819 | |
63dca2c0 JDB |
1820 | ip_vs_fill_iph_skb(AF_INET6, skb, &iphdr); |
1821 | if (iphdr.protocol != IPPROTO_ICMPV6) | |
2a3b791e JV |
1822 | return NF_ACCEPT; |
1823 | ||
7a4f0761 HS |
1824 | /* ipvs enabled in this netns ? */ |
1825 | net = skb_net(skb); | |
0c12582f JA |
1826 | ipvs = net_ipvs(net); |
1827 | if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable)) | |
7a4f0761 HS |
1828 | return NF_ACCEPT; |
1829 | ||
795aa6ef | 1830 | return ip_vs_in_icmp_v6(skb, &r, ops->hooknum, &iphdr); |
2a3b791e JV |
1831 | } |
1832 | #endif | |
1833 | ||
1da177e4 | 1834 | |
1999414a | 1835 | static struct nf_hook_ops ip_vs_ops[] __read_mostly = { |
cb59155f JA |
1836 | /* After packet filtering, change source only for VS/NAT */ |
1837 | { | |
1838 | .hook = ip_vs_reply4, | |
1839 | .owner = THIS_MODULE, | |
4c809d63 | 1840 | .pf = NFPROTO_IPV4, |
cb59155f | 1841 | .hooknum = NF_INET_LOCAL_IN, |
afb523c5 | 1842 | .priority = NF_IP_PRI_NAT_SRC - 2, |
cb59155f | 1843 | }, |
41c5b317 PM |
1844 | /* After packet filtering, forward packet through VS/DR, VS/TUN, |
1845 | * or VS/NAT(change destination), so that filtering rules can be | |
1846 | * applied to IPVS. */ | |
1847 | { | |
cb59155f | 1848 | .hook = ip_vs_remote_request4, |
41c5b317 | 1849 | .owner = THIS_MODULE, |
4c809d63 | 1850 | .pf = NFPROTO_IPV4, |
cb59155f | 1851 | .hooknum = NF_INET_LOCAL_IN, |
afb523c5 | 1852 | .priority = NF_IP_PRI_NAT_SRC - 1, |
41c5b317 | 1853 | }, |
fc604767 | 1854 | /* Before ip_vs_in, change source only for VS/NAT */ |
41c5b317 | 1855 | { |
fc604767 | 1856 | .hook = ip_vs_local_reply4, |
41c5b317 | 1857 | .owner = THIS_MODULE, |
4c809d63 | 1858 | .pf = NFPROTO_IPV4, |
fc604767 | 1859 | .hooknum = NF_INET_LOCAL_OUT, |
afb523c5 | 1860 | .priority = NF_IP_PRI_NAT_DST + 1, |
41c5b317 | 1861 | }, |
cb59155f JA |
1862 | /* After mangle, schedule and forward local requests */ |
1863 | { | |
1864 | .hook = ip_vs_local_request4, | |
1865 | .owner = THIS_MODULE, | |
4c809d63 | 1866 | .pf = NFPROTO_IPV4, |
cb59155f | 1867 | .hooknum = NF_INET_LOCAL_OUT, |
afb523c5 | 1868 | .priority = NF_IP_PRI_NAT_DST + 2, |
cb59155f | 1869 | }, |
41c5b317 PM |
1870 | /* After packet filtering (but before ip_vs_out_icmp), catch icmp |
1871 | * destined for 0.0.0.0/0, which is for incoming IPVS connections */ | |
1872 | { | |
1873 | .hook = ip_vs_forward_icmp, | |
1874 | .owner = THIS_MODULE, | |
4c809d63 | 1875 | .pf = NFPROTO_IPV4, |
cb59155f JA |
1876 | .hooknum = NF_INET_FORWARD, |
1877 | .priority = 99, | |
41c5b317 | 1878 | }, |
fc604767 JA |
1879 | /* After packet filtering, change source only for VS/NAT */ |
1880 | { | |
1881 | .hook = ip_vs_reply4, | |
1882 | .owner = THIS_MODULE, | |
4c809d63 | 1883 | .pf = NFPROTO_IPV4, |
fc604767 JA |
1884 | .hooknum = NF_INET_FORWARD, |
1885 | .priority = 100, | |
1886 | }, | |
473b23d3 | 1887 | #ifdef CONFIG_IP_VS_IPV6 |
cb59155f JA |
1888 | /* After packet filtering, change source only for VS/NAT */ |
1889 | { | |
1890 | .hook = ip_vs_reply6, | |
1891 | .owner = THIS_MODULE, | |
4c809d63 | 1892 | .pf = NFPROTO_IPV6, |
cb59155f | 1893 | .hooknum = NF_INET_LOCAL_IN, |
afb523c5 | 1894 | .priority = NF_IP6_PRI_NAT_SRC - 2, |
cb59155f | 1895 | }, |
473b23d3 JV |
1896 | /* After packet filtering, forward packet through VS/DR, VS/TUN, |
1897 | * or VS/NAT(change destination), so that filtering rules can be | |
1898 | * applied to IPVS. */ | |
1899 | { | |
cb59155f | 1900 | .hook = ip_vs_remote_request6, |
473b23d3 | 1901 | .owner = THIS_MODULE, |
4c809d63 | 1902 | .pf = NFPROTO_IPV6, |
cb59155f | 1903 | .hooknum = NF_INET_LOCAL_IN, |
afb523c5 | 1904 | .priority = NF_IP6_PRI_NAT_SRC - 1, |
473b23d3 | 1905 | }, |
fc604767 | 1906 | /* Before ip_vs_in, change source only for VS/NAT */ |
473b23d3 | 1907 | { |
fc604767 | 1908 | .hook = ip_vs_local_reply6, |
473b23d3 | 1909 | .owner = THIS_MODULE, |
eb90b0c7 | 1910 | .pf = NFPROTO_IPV6, |
fc604767 | 1911 | .hooknum = NF_INET_LOCAL_OUT, |
afb523c5 | 1912 | .priority = NF_IP6_PRI_NAT_DST + 1, |
473b23d3 | 1913 | }, |
cb59155f JA |
1914 | /* After mangle, schedule and forward local requests */ |
1915 | { | |
1916 | .hook = ip_vs_local_request6, | |
1917 | .owner = THIS_MODULE, | |
4c809d63 | 1918 | .pf = NFPROTO_IPV6, |
cb59155f | 1919 | .hooknum = NF_INET_LOCAL_OUT, |
afb523c5 | 1920 | .priority = NF_IP6_PRI_NAT_DST + 2, |
cb59155f | 1921 | }, |
473b23d3 JV |
1922 | /* After packet filtering (but before ip_vs_out_icmp), catch icmp |
1923 | * destined for 0.0.0.0/0, which is for incoming IPVS connections */ | |
1924 | { | |
1925 | .hook = ip_vs_forward_icmp_v6, | |
1926 | .owner = THIS_MODULE, | |
4c809d63 | 1927 | .pf = NFPROTO_IPV6, |
cb59155f JA |
1928 | .hooknum = NF_INET_FORWARD, |
1929 | .priority = 99, | |
473b23d3 | 1930 | }, |
fc604767 JA |
1931 | /* After packet filtering, change source only for VS/NAT */ |
1932 | { | |
1933 | .hook = ip_vs_reply6, | |
1934 | .owner = THIS_MODULE, | |
4c809d63 | 1935 | .pf = NFPROTO_IPV6, |
fc604767 JA |
1936 | .hooknum = NF_INET_FORWARD, |
1937 | .priority = 100, | |
1938 | }, | |
473b23d3 | 1939 | #endif |
1da177e4 | 1940 | }; |
61b1ab45 HS |
1941 | /* |
1942 | * Initialize IP Virtual Server netns mem. | |
1943 | */ | |
1944 | static int __net_init __ip_vs_init(struct net *net) | |
1945 | { | |
1946 | struct netns_ipvs *ipvs; | |
1947 | ||
61b1ab45 | 1948 | ipvs = net_generic(net, ip_vs_net_id); |
0a9ee813 | 1949 | if (ipvs == NULL) |
61b1ab45 | 1950 | return -ENOMEM; |
0a9ee813 | 1951 | |
7a4f0761 HS |
1952 | /* Hold the beast until a service is registerd */ |
1953 | ipvs->enable = 0; | |
f6340ee0 | 1954 | ipvs->net = net; |
61b1ab45 HS |
1955 | /* Counters used for creating unique names */ |
1956 | ipvs->gen = atomic_read(&ipvs_netns_cnt); | |
1957 | atomic_inc(&ipvs_netns_cnt); | |
1958 | net->ipvs = ipvs; | |
7a4f0761 | 1959 | |
503cf15a | 1960 | if (ip_vs_estimator_net_init(net) < 0) |
7a4f0761 HS |
1961 | goto estimator_fail; |
1962 | ||
503cf15a | 1963 | if (ip_vs_control_net_init(net) < 0) |
7a4f0761 HS |
1964 | goto control_fail; |
1965 | ||
503cf15a | 1966 | if (ip_vs_protocol_net_init(net) < 0) |
7a4f0761 HS |
1967 | goto protocol_fail; |
1968 | ||
503cf15a | 1969 | if (ip_vs_app_net_init(net) < 0) |
7a4f0761 HS |
1970 | goto app_fail; |
1971 | ||
503cf15a | 1972 | if (ip_vs_conn_net_init(net) < 0) |
7a4f0761 HS |
1973 | goto conn_fail; |
1974 | ||
503cf15a | 1975 | if (ip_vs_sync_net_init(net) < 0) |
7a4f0761 HS |
1976 | goto sync_fail; |
1977 | ||
a870c8c5 | 1978 | printk(KERN_INFO "IPVS: Creating netns size=%zu id=%d\n", |
61b1ab45 HS |
1979 | sizeof(struct netns_ipvs), ipvs->gen); |
1980 | return 0; | |
7a4f0761 HS |
1981 | /* |
1982 | * Error handling | |
1983 | */ | |
1984 | ||
1985 | sync_fail: | |
503cf15a | 1986 | ip_vs_conn_net_cleanup(net); |
7a4f0761 | 1987 | conn_fail: |
503cf15a | 1988 | ip_vs_app_net_cleanup(net); |
7a4f0761 | 1989 | app_fail: |
503cf15a | 1990 | ip_vs_protocol_net_cleanup(net); |
7a4f0761 | 1991 | protocol_fail: |
503cf15a | 1992 | ip_vs_control_net_cleanup(net); |
7a4f0761 | 1993 | control_fail: |
503cf15a | 1994 | ip_vs_estimator_net_cleanup(net); |
7a4f0761 | 1995 | estimator_fail: |
39f618b4 | 1996 | net->ipvs = NULL; |
7a4f0761 | 1997 | return -ENOMEM; |
61b1ab45 HS |
1998 | } |
1999 | ||
2000 | static void __net_exit __ip_vs_cleanup(struct net *net) | |
2001 | { | |
503cf15a HS |
2002 | ip_vs_service_net_cleanup(net); /* ip_vs_flush() with locks */ |
2003 | ip_vs_conn_net_cleanup(net); | |
2004 | ip_vs_app_net_cleanup(net); | |
2005 | ip_vs_protocol_net_cleanup(net); | |
2006 | ip_vs_control_net_cleanup(net); | |
2007 | ip_vs_estimator_net_cleanup(net); | |
1ae132b0 | 2008 | IP_VS_DBG(2, "ipvs netns %d released\n", net_ipvs(net)->gen); |
39f618b4 | 2009 | net->ipvs = NULL; |
61b1ab45 HS |
2010 | } |
2011 | ||
7a4f0761 HS |
2012 | static void __net_exit __ip_vs_dev_cleanup(struct net *net) |
2013 | { | |
2014 | EnterFunction(2); | |
2015 | net_ipvs(net)->enable = 0; /* Disable packet reception */ | |
8f4e0a18 | 2016 | smp_wmb(); |
503cf15a | 2017 | ip_vs_sync_net_cleanup(net); |
7a4f0761 HS |
2018 | LeaveFunction(2); |
2019 | } | |
2020 | ||
61b1ab45 HS |
2021 | static struct pernet_operations ipvs_core_ops = { |
2022 | .init = __ip_vs_init, | |
2023 | .exit = __ip_vs_cleanup, | |
2024 | .id = &ip_vs_net_id, | |
2025 | .size = sizeof(struct netns_ipvs), | |
2026 | }; | |
1da177e4 | 2027 | |
7a4f0761 HS |
2028 | static struct pernet_operations ipvs_core_dev_ops = { |
2029 | .exit = __ip_vs_dev_cleanup, | |
2030 | }; | |
2031 | ||
1da177e4 LT |
2032 | /* |
2033 | * Initialize IP Virtual Server | |
2034 | */ | |
2035 | static int __init ip_vs_init(void) | |
2036 | { | |
2037 | int ret; | |
2038 | ||
2039 | ret = ip_vs_control_init(); | |
2040 | if (ret < 0) { | |
1e3e238e | 2041 | pr_err("can't setup control.\n"); |
6c8f7949 | 2042 | goto exit; |
1da177e4 LT |
2043 | } |
2044 | ||
2045 | ip_vs_protocol_init(); | |
2046 | ||
1da177e4 LT |
2047 | ret = ip_vs_conn_init(); |
2048 | if (ret < 0) { | |
1e3e238e | 2049 | pr_err("can't setup connection table.\n"); |
6c8f7949 | 2050 | goto cleanup_protocol; |
61b1ab45 HS |
2051 | } |
2052 | ||
7a4f0761 HS |
2053 | ret = register_pernet_subsys(&ipvs_core_ops); /* Alloc ip_vs struct */ |
2054 | if (ret < 0) | |
6c8f7949 | 2055 | goto cleanup_conn; |
7a4f0761 HS |
2056 | |
2057 | ret = register_pernet_device(&ipvs_core_dev_ops); | |
2058 | if (ret < 0) | |
2059 | goto cleanup_sub; | |
2060 | ||
41c5b317 | 2061 | ret = nf_register_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops)); |
1da177e4 | 2062 | if (ret < 0) { |
1e3e238e | 2063 | pr_err("can't register hooks.\n"); |
7a4f0761 | 2064 | goto cleanup_dev; |
1da177e4 LT |
2065 | } |
2066 | ||
8537de8a HS |
2067 | ret = ip_vs_register_nl_ioctl(); |
2068 | if (ret < 0) { | |
2069 | pr_err("can't register netlink/ioctl.\n"); | |
2070 | goto cleanup_hooks; | |
2071 | } | |
2072 | ||
1e3e238e | 2073 | pr_info("ipvs loaded.\n"); |
7a4f0761 | 2074 | |
1da177e4 LT |
2075 | return ret; |
2076 | ||
8537de8a HS |
2077 | cleanup_hooks: |
2078 | nf_unregister_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops)); | |
7a4f0761 HS |
2079 | cleanup_dev: |
2080 | unregister_pernet_device(&ipvs_core_dev_ops); | |
2081 | cleanup_sub: | |
2082 | unregister_pernet_subsys(&ipvs_core_ops); | |
552ad65a | 2083 | cleanup_conn: |
1da177e4 | 2084 | ip_vs_conn_cleanup(); |
552ad65a | 2085 | cleanup_protocol: |
1da177e4 LT |
2086 | ip_vs_protocol_cleanup(); |
2087 | ip_vs_control_cleanup(); | |
6c8f7949 | 2088 | exit: |
1da177e4 LT |
2089 | return ret; |
2090 | } | |
2091 | ||
2092 | static void __exit ip_vs_cleanup(void) | |
2093 | { | |
8537de8a | 2094 | ip_vs_unregister_nl_ioctl(); |
41c5b317 | 2095 | nf_unregister_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops)); |
7a4f0761 HS |
2096 | unregister_pernet_device(&ipvs_core_dev_ops); |
2097 | unregister_pernet_subsys(&ipvs_core_ops); /* free ip_vs struct */ | |
1da177e4 | 2098 | ip_vs_conn_cleanup(); |
1da177e4 LT |
2099 | ip_vs_protocol_cleanup(); |
2100 | ip_vs_control_cleanup(); | |
1e3e238e | 2101 | pr_info("ipvs unloaded.\n"); |
1da177e4 LT |
2102 | } |
2103 | ||
2104 | module_init(ip_vs_init); | |
2105 | module_exit(ip_vs_cleanup); | |
2106 | MODULE_LICENSE("GPL"); |