2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the Netfilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
17 * The IPVS code for kernel 2.2 was done by Wensong Zhang and Peter Kese,
18 * with changes/fixes from Julian Anastasov, Lars Marowsky-Bree, Horms
22 * Paul `Rusty' Russell properly handle non-linear skbs
23 * Harald Welte don't use nfcache
27 #include <linux/module.h>
28 #include <linux/kernel.h>
30 #include <linux/tcp.h>
31 #include <linux/icmp.h>
36 #include <net/icmp.h> /* for icmp_send */
37 #include <net/route.h>
39 #include <linux/netfilter.h>
40 #include <linux/netfilter_ipv4.h>
42 #ifdef CONFIG_IP_VS_IPV6
44 #include <linux/netfilter_ipv6.h>
47 #include <net/ip_vs.h>
50 EXPORT_SYMBOL(register_ip_vs_scheduler);
51 EXPORT_SYMBOL(unregister_ip_vs_scheduler);
52 EXPORT_SYMBOL(ip_vs_skb_replace);
53 EXPORT_SYMBOL(ip_vs_proto_name);
54 EXPORT_SYMBOL(ip_vs_conn_new);
55 EXPORT_SYMBOL(ip_vs_conn_in_get);
56 EXPORT_SYMBOL(ip_vs_conn_out_get);
57 #ifdef CONFIG_IP_VS_PROTO_TCP
58 EXPORT_SYMBOL(ip_vs_tcp_conn_listen);
60 EXPORT_SYMBOL(ip_vs_conn_put);
61 #ifdef CONFIG_IP_VS_DEBUG
62 EXPORT_SYMBOL(ip_vs_get_debug_level);
66 /* ID used in ICMP lookups */
67 #define icmp_id(icmph) (((icmph)->un).echo.id)
68 #define icmpv6_id(icmph) (icmph->icmp6_dataun.u_echo.identifier)
70 const char *ip_vs_proto_name(unsigned proto)
83 #ifdef CONFIG_IP_VS_IPV6
88 sprintf(buf, "IP_%d", proto);
93 void ip_vs_init_hash_table(struct list_head *table, int rows)
96 INIT_LIST_HEAD(&table[rows]);
100 ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
102 struct ip_vs_dest *dest = cp->dest;
103 if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
104 spin_lock(&dest->stats.lock);
105 dest->stats.inpkts++;
106 dest->stats.inbytes += skb->len;
107 spin_unlock(&dest->stats.lock);
109 spin_lock(&dest->svc->stats.lock);
110 dest->svc->stats.inpkts++;
111 dest->svc->stats.inbytes += skb->len;
112 spin_unlock(&dest->svc->stats.lock);
114 spin_lock(&ip_vs_stats.lock);
115 ip_vs_stats.inpkts++;
116 ip_vs_stats.inbytes += skb->len;
117 spin_unlock(&ip_vs_stats.lock);
123 ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
125 struct ip_vs_dest *dest = cp->dest;
126 if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
127 spin_lock(&dest->stats.lock);
128 dest->stats.outpkts++;
129 dest->stats.outbytes += skb->len;
130 spin_unlock(&dest->stats.lock);
132 spin_lock(&dest->svc->stats.lock);
133 dest->svc->stats.outpkts++;
134 dest->svc->stats.outbytes += skb->len;
135 spin_unlock(&dest->svc->stats.lock);
137 spin_lock(&ip_vs_stats.lock);
138 ip_vs_stats.outpkts++;
139 ip_vs_stats.outbytes += skb->len;
140 spin_unlock(&ip_vs_stats.lock);
146 ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
148 spin_lock(&cp->dest->stats.lock);
149 cp->dest->stats.conns++;
150 spin_unlock(&cp->dest->stats.lock);
152 spin_lock(&svc->stats.lock);
154 spin_unlock(&svc->stats.lock);
156 spin_lock(&ip_vs_stats.lock);
158 spin_unlock(&ip_vs_stats.lock);
163 ip_vs_set_state(struct ip_vs_conn *cp, int direction,
164 const struct sk_buff *skb,
165 struct ip_vs_protocol *pp)
167 if (unlikely(!pp->state_transition))
169 return pp->state_transition(cp, direction, skb, pp);
174 * IPVS persistent scheduling function
175 * It creates a connection entry according to its template if exists,
176 * or selects a server and creates a connection entry plus a template.
177 * Locking: we are svc user (svc->refcnt), so we hold all dests too
178 * Protocols supported: TCP, UDP
180 static struct ip_vs_conn *
181 ip_vs_sched_persist(struct ip_vs_service *svc,
182 const struct sk_buff *skb,
185 struct ip_vs_conn *cp = NULL;
186 struct ip_vs_iphdr iph;
187 struct ip_vs_dest *dest;
188 struct ip_vs_conn *ct;
189 __be16 dport; /* destination port to forward */
190 union nf_inet_addr snet; /* source network of the client,
193 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
195 /* Mask saddr with the netmask to adjust template granularity */
196 #ifdef CONFIG_IP_VS_IPV6
197 if (svc->af == AF_INET6)
198 ipv6_addr_prefix(&snet.in6, &iph.saddr.in6, svc->netmask);
201 snet.ip = iph.saddr.ip & svc->netmask;
203 IP_VS_DBG_BUF(6, "p-schedule: src %s:%u dest %s:%u "
205 IP_VS_DBG_ADDR(svc->af, &iph.saddr), ntohs(ports[0]),
206 IP_VS_DBG_ADDR(svc->af, &iph.daddr), ntohs(ports[1]),
207 IP_VS_DBG_ADDR(svc->af, &snet));
210 * As far as we know, FTP is a very complicated network protocol, and
211 * it uses control connection and data connections. For active FTP,
212 * FTP server initialize data connection to the client, its source port
213 * is often 20. For passive FTP, FTP server tells the clients the port
214 * that it passively listens to, and the client issues the data
215 * connection. In the tunneling or direct routing mode, the load
216 * balancer is on the client-to-server half of connection, the port
217 * number is unknown to the load balancer. So, a conn template like
218 * <caddr, 0, vaddr, 0, daddr, 0> is created for persistent FTP
219 * service, and a template like <caddr, 0, vaddr, vport, daddr, dport>
220 * is created for other persistent services.
222 if (ports[1] == svc->port) {
223 /* Check if a template already exists */
224 if (svc->port != FTPPORT)
225 ct = ip_vs_ct_in_get(svc->af, iph.protocol, &snet, 0,
226 &iph.daddr, ports[1]);
228 ct = ip_vs_ct_in_get(svc->af, iph.protocol, &snet, 0,
231 if (!ct || !ip_vs_check_template(ct)) {
233 * No template found or the dest of the connection
234 * template is not available.
236 dest = svc->scheduler->schedule(svc, skb);
238 IP_VS_DBG(1, "p-schedule: no dest found.\n");
243 * Create a template like <protocol,caddr,0,
244 * vaddr,vport,daddr,dport> for non-ftp service,
245 * and <protocol,caddr,0,vaddr,0,daddr,0>
248 if (svc->port != FTPPORT)
249 ct = ip_vs_conn_new(svc->af, iph.protocol,
253 &dest->addr, dest->port,
254 IP_VS_CONN_F_TEMPLATE,
257 ct = ip_vs_conn_new(svc->af, iph.protocol,
261 IP_VS_CONN_F_TEMPLATE,
266 ct->timeout = svc->timeout;
268 /* set destination with the found template */
274 * Note: persistent fwmark-based services and persistent
275 * port zero service are handled here.
276 * fwmark template: <IPPROTO_IP,caddr,0,fwmark,0,daddr,0>
277 * port zero template: <protocol,caddr,0,vaddr,0,daddr,0>
280 union nf_inet_addr fwmark = {
281 .all = { 0, 0, 0, htonl(svc->fwmark) }
284 ct = ip_vs_ct_in_get(svc->af, IPPROTO_IP, &snet, 0,
287 ct = ip_vs_ct_in_get(svc->af, iph.protocol, &snet, 0,
290 if (!ct || !ip_vs_check_template(ct)) {
292 * If it is not persistent port zero, return NULL,
293 * otherwise create a connection template.
298 dest = svc->scheduler->schedule(svc, skb);
300 IP_VS_DBG(1, "p-schedule: no dest found.\n");
305 * Create a template according to the service
308 union nf_inet_addr fwmark = {
309 .all = { 0, 0, 0, htonl(svc->fwmark) }
312 ct = ip_vs_conn_new(svc->af, IPPROTO_IP,
316 IP_VS_CONN_F_TEMPLATE,
319 ct = ip_vs_conn_new(svc->af, iph.protocol,
323 IP_VS_CONN_F_TEMPLATE,
328 ct->timeout = svc->timeout;
330 /* set destination with the found template */
337 * Create a new connection according to the template
339 cp = ip_vs_conn_new(svc->af, iph.protocol,
340 &iph.saddr, ports[0],
341 &iph.daddr, ports[1],
353 ip_vs_control_add(cp, ct);
356 ip_vs_conn_stats(cp, svc);
362 * IPVS main scheduling function
363 * It selects a server according to the virtual service, and
364 * creates a connection entry.
365 * Protocols supported: TCP, UDP
368 ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
370 struct ip_vs_conn *cp = NULL;
371 struct ip_vs_iphdr iph;
372 struct ip_vs_dest *dest;
373 __be16 _ports[2], *pptr;
375 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
376 pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
383 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
384 return ip_vs_sched_persist(svc, skb, pptr);
387 * Non-persistent service
389 if (!svc->fwmark && pptr[1] != svc->port) {
391 IP_VS_ERR("Schedule: port zero only supported "
392 "in persistent services, "
393 "check your ipvs configuration\n");
397 dest = svc->scheduler->schedule(svc, skb);
399 IP_VS_DBG(1, "Schedule: no dest found.\n");
404 * Create a connection entry.
406 cp = ip_vs_conn_new(svc->af, iph.protocol,
409 &dest->addr, dest->port ? dest->port : pptr[1],
415 IP_VS_DBG_BUF(6, "Schedule fwd:%c c:%s:%u v:%s:%u "
416 "d:%s:%u conn->flags:%X conn->refcnt:%d\n",
418 IP_VS_DBG_ADDR(svc->af, &cp->caddr), ntohs(cp->cport),
419 IP_VS_DBG_ADDR(svc->af, &cp->vaddr), ntohs(cp->vport),
420 IP_VS_DBG_ADDR(svc->af, &cp->daddr), ntohs(cp->dport),
421 cp->flags, atomic_read(&cp->refcnt));
423 ip_vs_conn_stats(cp, svc);
429 * Pass or drop the packet.
430 * Called by ip_vs_in, when the virtual service is available but
431 * no destination is available for a new connection.
433 int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
434 struct ip_vs_protocol *pp)
436 __be16 _ports[2], *pptr;
437 struct ip_vs_iphdr iph;
439 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
441 pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
443 ip_vs_service_put(svc);
447 #ifdef CONFIG_IP_VS_IPV6
448 if (svc->af == AF_INET6)
449 unicast = ipv6_addr_type(&iph.daddr.in6) & IPV6_ADDR_UNICAST;
452 unicast = (inet_addr_type(&init_net, iph.daddr.ip) == RTN_UNICAST);
454 /* if it is fwmark-based service, the cache_bypass sysctl is up
455 and the destination is a non-local unicast, then create
456 a cache_bypass connection entry */
457 if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) {
459 struct ip_vs_conn *cp;
461 ip_vs_service_put(svc);
463 /* create a new connection entry */
464 IP_VS_DBG(6, "ip_vs_leave: create a cache_bypass entry\n");
465 cp = ip_vs_conn_new(svc->af, iph.protocol,
475 ip_vs_in_stats(cp, skb);
478 cs = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp);
480 /* transmit the first SYN packet */
481 ret = cp->packet_xmit(skb, cp, pp);
482 /* do not touch skb anymore */
484 atomic_inc(&cp->in_pkts);
490 * When the virtual ftp service is presented, packets destined
491 * for other services on the VIP may get here (except services
492 * listed in the ipvs table), pass the packets, because it is
493 * not ipvs job to decide to drop the packets.
495 if ((svc->port == FTPPORT) && (pptr[1] != FTPPORT)) {
496 ip_vs_service_put(svc);
500 ip_vs_service_put(svc);
503 * Notify the client that the destination is unreachable, and
504 * release the socket buffer.
505 * Since it is in IP layer, the TCP socket is not actually
506 * created, the TCP RST packet cannot be sent, instead that
507 * ICMP_PORT_UNREACH is sent here no matter it is TCP/UDP. --WZ
509 #ifdef CONFIG_IP_VS_IPV6
510 if (svc->af == AF_INET6)
511 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0,
515 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
522 * It is hooked before NF_IP_PRI_NAT_SRC at the NF_INET_POST_ROUTING
523 * chain, and is used for VS/NAT.
524 * It detects packets for VS/NAT connections and sends the packets
525 * immediately. This can avoid that iptable_nat mangles the packets
528 static unsigned int ip_vs_post_routing(unsigned int hooknum,
530 const struct net_device *in,
531 const struct net_device *out,
532 int (*okfn)(struct sk_buff *))
534 if (!skb->ipvs_property)
536 /* The packet was sent from IPVS, exit this chain */
540 __sum16 ip_vs_checksum_complete(struct sk_buff *skb, int offset)
542 return csum_fold(skb_checksum(skb, offset, skb->len - offset, 0));
545 static inline int ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user)
547 int err = ip_defrag(skb, user);
550 ip_send_check(ip_hdr(skb));
555 #ifdef CONFIG_IP_VS_IPV6
556 static inline int ip_vs_gather_frags_v6(struct sk_buff *skb, u_int32_t user)
558 /* TODO IPv6: Find out what to do here for IPv6 */
564 * Packet has been made sufficiently writable in caller
565 * - inout: 1=in->out, 0=out->in
567 void ip_vs_nat_icmp(struct sk_buff *skb, struct ip_vs_protocol *pp,
568 struct ip_vs_conn *cp, int inout)
570 struct iphdr *iph = ip_hdr(skb);
571 unsigned int icmp_offset = iph->ihl*4;
572 struct icmphdr *icmph = (struct icmphdr *)(skb_network_header(skb) +
574 struct iphdr *ciph = (struct iphdr *)(icmph + 1);
577 iph->saddr = cp->vaddr.ip;
579 ciph->daddr = cp->vaddr.ip;
582 iph->daddr = cp->daddr.ip;
584 ciph->saddr = cp->daddr.ip;
588 /* the TCP/UDP port */
589 if (IPPROTO_TCP == ciph->protocol || IPPROTO_UDP == ciph->protocol) {
590 __be16 *ports = (void *)ciph + ciph->ihl*4;
593 ports[1] = cp->vport;
595 ports[0] = cp->dport;
598 /* And finally the ICMP checksum */
600 icmph->checksum = ip_vs_checksum_complete(skb, icmp_offset);
601 skb->ip_summed = CHECKSUM_UNNECESSARY;
604 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
605 "Forwarding altered outgoing ICMP");
607 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
608 "Forwarding altered incoming ICMP");
611 #ifdef CONFIG_IP_VS_IPV6
612 void ip_vs_nat_icmp_v6(struct sk_buff *skb, struct ip_vs_protocol *pp,
613 struct ip_vs_conn *cp, int inout)
615 struct ipv6hdr *iph = ipv6_hdr(skb);
616 unsigned int icmp_offset = sizeof(struct ipv6hdr);
617 struct icmp6hdr *icmph = (struct icmp6hdr *)(skb_network_header(skb) +
619 struct ipv6hdr *ciph = (struct ipv6hdr *)(icmph + 1);
622 iph->saddr = cp->vaddr.in6;
623 ciph->daddr = cp->vaddr.in6;
625 iph->daddr = cp->daddr.in6;
626 ciph->saddr = cp->daddr.in6;
629 /* the TCP/UDP port */
630 if (IPPROTO_TCP == ciph->nexthdr || IPPROTO_UDP == ciph->nexthdr) {
631 __be16 *ports = (void *)ciph + sizeof(struct ipv6hdr);
634 ports[1] = cp->vport;
636 ports[0] = cp->dport;
639 /* And finally the ICMP checksum */
640 icmph->icmp6_cksum = 0;
641 /* TODO IPv6: is this correct for ICMPv6? */
642 ip_vs_checksum_complete(skb, icmp_offset);
643 skb->ip_summed = CHECKSUM_UNNECESSARY;
646 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
647 "Forwarding altered outgoing ICMPv6");
649 IP_VS_DBG_PKT(11, pp, skb, (void *)ciph - (void *)iph,
650 "Forwarding altered incoming ICMPv6");
654 /* Handle relevant response ICMP messages - forward to the right
655 * destination host. Used for NAT and local client.
657 static int handle_response_icmp(int af, struct sk_buff *skb,
658 union nf_inet_addr *snet,
659 __u8 protocol, struct ip_vs_conn *cp,
660 struct ip_vs_protocol *pp,
661 unsigned int offset, unsigned int ihl)
663 unsigned int verdict = NF_DROP;
665 if (IP_VS_FWD_METHOD(cp) != 0) {
666 IP_VS_ERR("shouldn't reach here, because the box is on the "
667 "half connection in the tun/dr module.\n");
670 /* Ensure the checksum is correct */
671 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
672 /* Failed checksum! */
673 IP_VS_DBG_BUF(1, "Forward ICMP: failed checksum from %s!\n",
674 IP_VS_DBG_ADDR(af, snet));
678 if (IPPROTO_TCP == protocol || IPPROTO_UDP == protocol)
679 offset += 2 * sizeof(__u16);
680 if (!skb_make_writable(skb, offset))
683 #ifdef CONFIG_IP_VS_IPV6
685 ip_vs_nat_icmp_v6(skb, pp, cp, 1);
688 ip_vs_nat_icmp(skb, pp, cp, 1);
690 /* do the statistics and put it back */
691 ip_vs_out_stats(cp, skb);
693 skb->ipvs_property = 1;
697 __ip_vs_conn_put(cp);
703 * Handle ICMP messages in the inside-to-outside direction (outgoing).
704 * Find any that might be relevant, check against existing connections.
705 * Currently handles error types - unreachable, quench, ttl exceeded.
707 static int ip_vs_out_icmp(struct sk_buff *skb, int *related)
710 struct icmphdr _icmph, *ic;
711 struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */
712 struct ip_vs_iphdr ciph;
713 struct ip_vs_conn *cp;
714 struct ip_vs_protocol *pp;
715 unsigned int offset, ihl;
716 union nf_inet_addr snet;
720 /* reassemble IP fragments */
721 if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
722 if (ip_vs_gather_frags(skb, IP_DEFRAG_VS_OUT))
727 offset = ihl = iph->ihl * 4;
728 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
732 IP_VS_DBG(12, "Outgoing ICMP (%d,%d) %u.%u.%u.%u->%u.%u.%u.%u\n",
733 ic->type, ntohs(icmp_id(ic)),
734 NIPQUAD(iph->saddr), NIPQUAD(iph->daddr));
737 * Work through seeing if this is for us.
738 * These checks are supposed to be in an order that means easy
739 * things are checked first to speed up processing.... however
740 * this means that some packets will manage to get a long way
741 * down this stack and then be rejected, but that's life.
743 if ((ic->type != ICMP_DEST_UNREACH) &&
744 (ic->type != ICMP_SOURCE_QUENCH) &&
745 (ic->type != ICMP_TIME_EXCEEDED)) {
750 /* Now find the contained IP header */
751 offset += sizeof(_icmph);
752 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
754 return NF_ACCEPT; /* The packet looks wrong, ignore */
756 pp = ip_vs_proto_get(cih->protocol);
760 /* Is the embedded protocol header present? */
761 if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
765 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking outgoing ICMP for");
767 offset += cih->ihl * 4;
769 ip_vs_fill_iphdr(AF_INET, cih, &ciph);
770 /* The embedded headers contain source and dest in reverse order */
771 cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1);
775 snet.ip = iph->saddr;
776 return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp,
780 #ifdef CONFIG_IP_VS_IPV6
781 static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related)
784 struct icmp6hdr _icmph, *ic;
785 struct ipv6hdr _ciph, *cih; /* The ip header contained
787 struct ip_vs_iphdr ciph;
788 struct ip_vs_conn *cp;
789 struct ip_vs_protocol *pp;
791 union nf_inet_addr snet;
795 /* reassemble IP fragments */
796 if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) {
797 if (ip_vs_gather_frags_v6(skb, IP_DEFRAG_VS_OUT))
802 offset = sizeof(struct ipv6hdr);
803 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
807 IP_VS_DBG(12, "Outgoing ICMPv6 (%d,%d) " NIP6_FMT "->" NIP6_FMT "\n",
808 ic->icmp6_type, ntohs(icmpv6_id(ic)),
809 NIP6(iph->saddr), NIP6(iph->daddr));
812 * Work through seeing if this is for us.
813 * These checks are supposed to be in an order that means easy
814 * things are checked first to speed up processing.... however
815 * this means that some packets will manage to get a long way
816 * down this stack and then be rejected, but that's life.
818 if ((ic->icmp6_type != ICMPV6_DEST_UNREACH) &&
819 (ic->icmp6_type != ICMPV6_PKT_TOOBIG) &&
820 (ic->icmp6_type != ICMPV6_TIME_EXCEED)) {
825 /* Now find the contained IP header */
826 offset += sizeof(_icmph);
827 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
829 return NF_ACCEPT; /* The packet looks wrong, ignore */
831 pp = ip_vs_proto_get(cih->nexthdr);
835 /* Is the embedded protocol header present? */
836 /* TODO: we don't support fragmentation at the moment anyways */
837 if (unlikely(cih->nexthdr == IPPROTO_FRAGMENT && pp->dont_defrag))
840 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking outgoing ICMPv6 for");
842 offset += sizeof(struct ipv6hdr);
844 ip_vs_fill_iphdr(AF_INET6, cih, &ciph);
845 /* The embedded headers contain source and dest in reverse order */
846 cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1);
850 snet.in6 = iph->saddr;
851 return handle_response_icmp(AF_INET6, skb, &snet, cih->nexthdr, cp,
852 pp, offset, sizeof(struct ipv6hdr));
856 static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len)
858 struct tcphdr _tcph, *th;
860 th = skb_header_pointer(skb, nh_len, sizeof(_tcph), &_tcph);
866 /* Handle response packets: rewrite addresses and send away...
867 * Used for NAT and local client.
870 handle_response(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
871 struct ip_vs_conn *cp, int ihl)
873 IP_VS_DBG_PKT(11, pp, skb, 0, "Outgoing packet");
875 if (!skb_make_writable(skb, ihl))
878 /* mangle the packet */
879 if (pp->snat_handler && !pp->snat_handler(skb, pp, cp))
882 #ifdef CONFIG_IP_VS_IPV6
884 ipv6_hdr(skb)->saddr = cp->vaddr.in6;
888 ip_hdr(skb)->saddr = cp->vaddr.ip;
889 ip_send_check(ip_hdr(skb));
892 /* For policy routing, packets originating from this
893 * machine itself may be routed differently to packets
894 * passing through. We want this packet to be routed as
895 * if it came from this machine itself. So re-compute
896 * the routing information.
898 #ifdef CONFIG_IP_VS_IPV6
899 if (af == AF_INET6) {
900 if (ip6_route_me_harder(skb) != 0)
904 if (ip_route_me_harder(skb, RTN_LOCAL) != 0)
907 /* For policy routing, packets originating from this
908 * machine itself may be routed differently to packets
909 * passing through. We want this packet to be routed as
910 * if it came from this machine itself. So re-compute
911 * the routing information.
913 if (ip_route_me_harder(skb, RTN_LOCAL) != 0)
916 IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT");
918 ip_vs_out_stats(cp, skb);
919 ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pp);
922 skb->ipvs_property = 1;
934 * It is hooked at the NF_INET_FORWARD chain, used only for VS/NAT.
935 * Check if outgoing packet belongs to the established ip_vs_conn.
938 ip_vs_out(unsigned int hooknum, struct sk_buff *skb,
939 const struct net_device *in, const struct net_device *out,
940 int (*okfn)(struct sk_buff *))
942 struct ip_vs_iphdr iph;
943 struct ip_vs_protocol *pp;
944 struct ip_vs_conn *cp;
949 af = (skb->protocol == __constant_htons(ETH_P_IP)) ? AF_INET : AF_INET6;
951 if (skb->ipvs_property)
954 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
955 #ifdef CONFIG_IP_VS_IPV6
956 if (af == AF_INET6) {
957 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
958 int related, verdict = ip_vs_out_icmp_v6(skb, &related);
962 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
966 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
967 int related, verdict = ip_vs_out_icmp(skb, &related);
971 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
974 pp = ip_vs_proto_get(iph.protocol);
978 /* reassemble IP fragments */
979 #ifdef CONFIG_IP_VS_IPV6
980 if (af == AF_INET6) {
981 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
982 int related, verdict = ip_vs_out_icmp_v6(skb, &related);
987 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
991 if (unlikely(ip_hdr(skb)->frag_off & htons(IP_MF|IP_OFFSET) &&
993 if (ip_vs_gather_frags(skb, IP_DEFRAG_VS_OUT))
996 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1000 * Check if the packet belongs to an existing entry
1002 cp = pp->conn_out_get(af, skb, pp, &iph, iph.len, 0);
1004 if (unlikely(!cp)) {
1005 if (sysctl_ip_vs_nat_icmp_send &&
1006 (pp->protocol == IPPROTO_TCP ||
1007 pp->protocol == IPPROTO_UDP)) {
1008 __be16 _ports[2], *pptr;
1010 pptr = skb_header_pointer(skb, iph.len,
1011 sizeof(_ports), _ports);
1013 return NF_ACCEPT; /* Not for me */
1014 if (ip_vs_lookup_real_service(af, iph.protocol,
1018 * Notify the real server: there is no
1019 * existing entry if it is not RST
1020 * packet or not TCP packet.
1022 if (iph.protocol != IPPROTO_TCP
1023 || !is_tcp_reset(skb, iph.len)) {
1024 #ifdef CONFIG_IP_VS_IPV6
1027 ICMPV6_DEST_UNREACH,
1028 ICMPV6_PORT_UNREACH,
1034 ICMP_PORT_UNREACH, 0);
1039 IP_VS_DBG_PKT(12, pp, skb, 0,
1040 "packet continues traversal as normal");
1044 return handle_response(af, skb, pp, cp, iph.len);
1049 * Handle ICMP messages in the outside-to-inside direction (incoming).
1050 * Find any that might be relevant, check against existing connections,
1051 * forward to the right destination host if relevant.
1052 * Currently handles error types - unreachable, quench, ttl exceeded.
1055 ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
1058 struct icmphdr _icmph, *ic;
1059 struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */
1060 struct ip_vs_iphdr ciph;
1061 struct ip_vs_conn *cp;
1062 struct ip_vs_protocol *pp;
1063 unsigned int offset, ihl, verdict;
1064 union nf_inet_addr snet;
1068 /* reassemble IP fragments */
1069 if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
1070 if (ip_vs_gather_frags(skb, hooknum == NF_INET_LOCAL_IN ?
1071 IP_DEFRAG_VS_IN : IP_DEFRAG_VS_FWD))
1076 offset = ihl = iph->ihl * 4;
1077 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
1081 IP_VS_DBG(12, "Incoming ICMP (%d,%d) %u.%u.%u.%u->%u.%u.%u.%u\n",
1082 ic->type, ntohs(icmp_id(ic)),
1083 NIPQUAD(iph->saddr), NIPQUAD(iph->daddr));
1086 * Work through seeing if this is for us.
1087 * These checks are supposed to be in an order that means easy
1088 * things are checked first to speed up processing.... however
1089 * this means that some packets will manage to get a long way
1090 * down this stack and then be rejected, but that's life.
1092 if ((ic->type != ICMP_DEST_UNREACH) &&
1093 (ic->type != ICMP_SOURCE_QUENCH) &&
1094 (ic->type != ICMP_TIME_EXCEEDED)) {
1099 /* Now find the contained IP header */
1100 offset += sizeof(_icmph);
1101 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1103 return NF_ACCEPT; /* The packet looks wrong, ignore */
1105 pp = ip_vs_proto_get(cih->protocol);
1109 /* Is the embedded protocol header present? */
1110 if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
1114 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking incoming ICMP for");
1116 offset += cih->ihl * 4;
1118 ip_vs_fill_iphdr(AF_INET, cih, &ciph);
1119 /* The embedded headers contain source and dest in reverse order */
1120 cp = pp->conn_in_get(AF_INET, skb, pp, &ciph, offset, 1);
1122 /* The packet could also belong to a local client */
1123 cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1);
1125 snet.ip = iph->saddr;
1126 return handle_response_icmp(AF_INET, skb, &snet,
1127 cih->protocol, cp, pp,
1135 /* Ensure the checksum is correct */
1136 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
1137 /* Failed checksum! */
1138 IP_VS_DBG(1, "Incoming ICMP: failed checksum from %d.%d.%d.%d!\n",
1139 NIPQUAD(iph->saddr));
1143 /* do the statistics and put it back */
1144 ip_vs_in_stats(cp, skb);
1145 if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol)
1146 offset += 2 * sizeof(__u16);
1147 verdict = ip_vs_icmp_xmit(skb, cp, pp, offset);
1148 /* do not touch skb anymore */
1151 __ip_vs_conn_put(cp);
1156 #ifdef CONFIG_IP_VS_IPV6
1158 ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum)
1160 struct ipv6hdr *iph;
1161 struct icmp6hdr _icmph, *ic;
1162 struct ipv6hdr _ciph, *cih; /* The ip header contained
1164 struct ip_vs_iphdr ciph;
1165 struct ip_vs_conn *cp;
1166 struct ip_vs_protocol *pp;
1167 unsigned int offset, verdict;
1168 union nf_inet_addr snet;
1172 /* reassemble IP fragments */
1173 if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) {
1174 if (ip_vs_gather_frags_v6(skb, hooknum == NF_INET_LOCAL_IN ?
1180 iph = ipv6_hdr(skb);
1181 offset = sizeof(struct ipv6hdr);
1182 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
1186 IP_VS_DBG(12, "Incoming ICMPv6 (%d,%d) " NIP6_FMT "->" NIP6_FMT "\n",
1187 ic->icmp6_type, ntohs(icmpv6_id(ic)),
1188 NIP6(iph->saddr), NIP6(iph->daddr));
1191 * Work through seeing if this is for us.
1192 * These checks are supposed to be in an order that means easy
1193 * things are checked first to speed up processing.... however
1194 * this means that some packets will manage to get a long way
1195 * down this stack and then be rejected, but that's life.
1197 if ((ic->icmp6_type != ICMPV6_DEST_UNREACH) &&
1198 (ic->icmp6_type != ICMPV6_PKT_TOOBIG) &&
1199 (ic->icmp6_type != ICMPV6_TIME_EXCEED)) {
1204 /* Now find the contained IP header */
1205 offset += sizeof(_icmph);
1206 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1208 return NF_ACCEPT; /* The packet looks wrong, ignore */
1210 pp = ip_vs_proto_get(cih->nexthdr);
1214 /* Is the embedded protocol header present? */
1215 /* TODO: we don't support fragmentation at the moment anyways */
1216 if (unlikely(cih->nexthdr == IPPROTO_FRAGMENT && pp->dont_defrag))
1219 IP_VS_DBG_PKT(11, pp, skb, offset, "Checking incoming ICMPv6 for");
1221 offset += sizeof(struct ipv6hdr);
1223 ip_vs_fill_iphdr(AF_INET6, cih, &ciph);
1224 /* The embedded headers contain source and dest in reverse order */
1225 cp = pp->conn_in_get(AF_INET6, skb, pp, &ciph, offset, 1);
1227 /* The packet could also belong to a local client */
1228 cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1);
1230 snet.in6 = iph->saddr;
1231 return handle_response_icmp(AF_INET6, skb, &snet,
1234 sizeof(struct ipv6hdr));
1241 /* do the statistics and put it back */
1242 ip_vs_in_stats(cp, skb);
1243 if (IPPROTO_TCP == cih->nexthdr || IPPROTO_UDP == cih->nexthdr)
1244 offset += 2 * sizeof(__u16);
1245 verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, offset);
1246 /* do not touch skb anymore */
1248 __ip_vs_conn_put(cp);
1256 * Check if it's for virtual services, look it up,
1257 * and send it on its way...
1260 ip_vs_in(unsigned int hooknum, struct sk_buff *skb,
1261 const struct net_device *in, const struct net_device *out,
1262 int (*okfn)(struct sk_buff *))
1264 struct ip_vs_iphdr iph;
1265 struct ip_vs_protocol *pp;
1266 struct ip_vs_conn *cp;
1267 int ret, restart, af;
1269 af = (skb->protocol == __constant_htons(ETH_P_IP)) ? AF_INET : AF_INET6;
1271 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1274 * Big tappo: only PACKET_HOST, including loopback for local client
1275 * Don't handle local packets on IPv6 for now
1277 if (unlikely(skb->pkt_type != PACKET_HOST)) {
1278 IP_VS_DBG_BUF(12, "packet type=%d proto=%d daddr=%s ignored\n",
1281 IP_VS_DBG_ADDR(af, &iph.daddr));
1285 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
1286 int related, verdict = ip_vs_in_icmp(skb, &related, hooknum);
1290 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1293 /* Protocol supported? */
1294 pp = ip_vs_proto_get(iph.protocol);
1299 * Check if the packet belongs to an existing connection entry
1301 cp = pp->conn_in_get(af, skb, pp, &iph, iph.len, 0);
1303 if (unlikely(!cp)) {
1306 /* For local client packets, it could be a response */
1307 cp = pp->conn_out_get(af, skb, pp, &iph, iph.len, 0);
1309 return handle_response(af, skb, pp, cp, iph.len);
1311 if (!pp->conn_schedule(af, skb, pp, &v, &cp))
1315 if (unlikely(!cp)) {
1316 /* sorry, all this trouble for a no-hit :) */
1317 IP_VS_DBG_PKT(12, pp, skb, 0,
1318 "packet continues traversal as normal");
1322 IP_VS_DBG_PKT(11, pp, skb, 0, "Incoming packet");
1324 /* Check the server status */
1325 if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
1326 /* the destination server is not available */
1328 if (sysctl_ip_vs_expire_nodest_conn) {
1329 /* try to expire the connection immediately */
1330 ip_vs_conn_expire_now(cp);
1332 /* don't restart its timer, and silently
1334 __ip_vs_conn_put(cp);
1338 ip_vs_in_stats(cp, skb);
1339 restart = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp);
1340 if (cp->packet_xmit)
1341 ret = cp->packet_xmit(skb, cp, pp);
1342 /* do not touch skb anymore */
1344 IP_VS_DBG_RL("warning: packet_xmit is null");
1348 /* Increase its packet counter and check if it is needed
1349 * to be synchronized
1351 * Sync connection if it is about to close to
1352 * encorage the standby servers to update the connections timeout
1354 atomic_inc(&cp->in_pkts);
1355 if (af == AF_INET &&
1356 (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
1357 (((cp->protocol != IPPROTO_TCP ||
1358 cp->state == IP_VS_TCP_S_ESTABLISHED) &&
1359 (atomic_read(&cp->in_pkts) % sysctl_ip_vs_sync_threshold[1]
1360 == sysctl_ip_vs_sync_threshold[0])) ||
1361 ((cp->protocol == IPPROTO_TCP) && (cp->old_state != cp->state) &&
1362 ((cp->state == IP_VS_TCP_S_FIN_WAIT) ||
1363 (cp->state == IP_VS_TCP_S_CLOSE_WAIT) ||
1364 (cp->state == IP_VS_TCP_S_TIME_WAIT)))))
1365 ip_vs_sync_conn(cp);
1366 cp->old_state = cp->state;
1374 * It is hooked at the NF_INET_FORWARD chain, in order to catch ICMP
1375 * related packets destined for 0.0.0.0/0.
1376 * When fwmark-based virtual service is used, such as transparent
1377 * cache cluster, TCP packets can be marked and routed to ip_vs_in,
1378 * but ICMP destined for 0.0.0.0/0 cannot not be easily marked and
1379 * sent to ip_vs_in_icmp. So, catch them at the NF_INET_FORWARD chain
1380 * and send them to ip_vs_in_icmp.
1383 ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff *skb,
1384 const struct net_device *in, const struct net_device *out,
1385 int (*okfn)(struct sk_buff *))
1389 if (ip_hdr(skb)->protocol != IPPROTO_ICMP)
1392 return ip_vs_in_icmp(skb, &r, hooknum);
1395 #ifdef CONFIG_IP_VS_IPV6
1397 ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
1398 const struct net_device *in, const struct net_device *out,
1399 int (*okfn)(struct sk_buff *))
1403 if (ipv6_hdr(skb)->nexthdr != IPPROTO_ICMPV6)
1406 return ip_vs_in_icmp_v6(skb, &r, hooknum);
1411 static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1412 /* After packet filtering, forward packet through VS/DR, VS/TUN,
1413 * or VS/NAT(change destination), so that filtering rules can be
1414 * applied to IPVS. */
1417 .owner = THIS_MODULE,
1419 .hooknum = NF_INET_LOCAL_IN,
1422 /* After packet filtering, change source only for VS/NAT */
1425 .owner = THIS_MODULE,
1427 .hooknum = NF_INET_FORWARD,
1430 /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1431 * destined for 0.0.0.0/0, which is for incoming IPVS connections */
1433 .hook = ip_vs_forward_icmp,
1434 .owner = THIS_MODULE,
1436 .hooknum = NF_INET_FORWARD,
1439 /* Before the netfilter connection tracking, exit from POST_ROUTING */
1441 .hook = ip_vs_post_routing,
1442 .owner = THIS_MODULE,
1444 .hooknum = NF_INET_POST_ROUTING,
1445 .priority = NF_IP_PRI_NAT_SRC-1,
1447 #ifdef CONFIG_IP_VS_IPV6
1448 /* After packet filtering, forward packet through VS/DR, VS/TUN,
1449 * or VS/NAT(change destination), so that filtering rules can be
1450 * applied to IPVS. */
1453 .owner = THIS_MODULE,
1455 .hooknum = NF_INET_LOCAL_IN,
1458 /* After packet filtering, change source only for VS/NAT */
1461 .owner = THIS_MODULE,
1463 .hooknum = NF_INET_FORWARD,
1466 /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1467 * destined for 0.0.0.0/0, which is for incoming IPVS connections */
1469 .hook = ip_vs_forward_icmp_v6,
1470 .owner = THIS_MODULE,
1472 .hooknum = NF_INET_FORWARD,
1475 /* Before the netfilter connection tracking, exit from POST_ROUTING */
1477 .hook = ip_vs_post_routing,
1478 .owner = THIS_MODULE,
1480 .hooknum = NF_INET_POST_ROUTING,
1481 .priority = NF_IP6_PRI_NAT_SRC-1,
1488 * Initialize IP Virtual Server
1490 static int __init ip_vs_init(void)
1494 ip_vs_estimator_init();
1496 ret = ip_vs_control_init();
1498 IP_VS_ERR("can't setup control.\n");
1499 goto cleanup_estimator;
1502 ip_vs_protocol_init();
1504 ret = ip_vs_app_init();
1506 IP_VS_ERR("can't setup application helper.\n");
1507 goto cleanup_protocol;
1510 ret = ip_vs_conn_init();
1512 IP_VS_ERR("can't setup connection table.\n");
1516 ret = nf_register_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
1518 IP_VS_ERR("can't register hooks.\n");
1522 IP_VS_INFO("ipvs loaded.\n");
1526 ip_vs_conn_cleanup();
1528 ip_vs_app_cleanup();
1530 ip_vs_protocol_cleanup();
1531 ip_vs_control_cleanup();
1533 ip_vs_estimator_cleanup();
1537 static void __exit ip_vs_cleanup(void)
1539 nf_unregister_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
1540 ip_vs_conn_cleanup();
1541 ip_vs_app_cleanup();
1542 ip_vs_protocol_cleanup();
1543 ip_vs_control_cleanup();
1544 ip_vs_estimator_cleanup();
1545 IP_VS_INFO("ipvs unloaded.\n");
1548 module_init(ip_vs_init);
1549 module_exit(ip_vs_cleanup);
1550 MODULE_LICENSE("GPL");