1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27#define KMSG_COMPONENT "IPVS"
28#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
29
30#include <linux/module.h>
31#include <linux/kernel.h>
32#include <linux/ip.h>
33#include <linux/tcp.h>
34#include <linux/sctp.h>
35#include <linux/icmp.h>
36#include <linux/slab.h>
37
38#include <net/ip.h>
39#include <net/tcp.h>
40#include <net/udp.h>
41#include <net/icmp.h>
42#include <net/route.h>
43#include <net/ip6_checksum.h>
44#include <net/netns/generic.h>
45
46#include <linux/netfilter.h>
47#include <linux/netfilter_ipv4.h>
48
49#ifdef CONFIG_IP_VS_IPV6
50#include <net/ipv6.h>
51#include <linux/netfilter_ipv6.h>
52#include <net/ip6_route.h>
53#endif
54
55#include <net/ip_vs.h>
56
57
58EXPORT_SYMBOL(register_ip_vs_scheduler);
59EXPORT_SYMBOL(unregister_ip_vs_scheduler);
60EXPORT_SYMBOL(ip_vs_proto_name);
61EXPORT_SYMBOL(ip_vs_conn_new);
62EXPORT_SYMBOL(ip_vs_conn_in_get);
63EXPORT_SYMBOL(ip_vs_conn_out_get);
64#ifdef CONFIG_IP_VS_PROTO_TCP
65EXPORT_SYMBOL(ip_vs_tcp_conn_listen);
66#endif
67EXPORT_SYMBOL(ip_vs_conn_put);
68#ifdef CONFIG_IP_VS_DEBUG
69EXPORT_SYMBOL(ip_vs_get_debug_level);
70#endif
71EXPORT_SYMBOL(ip_vs_new_conn_out);
72
73static unsigned int ip_vs_net_id __read_mostly;
74
75static atomic_t ipvs_netns_cnt = ATOMIC_INIT(0);
76
77
78#define icmp_id(icmph) (((icmph)->un).echo.id)
79#define icmpv6_id(icmph) (icmph->icmp6_dataun.u_echo.identifier)
80
81const char *ip_vs_proto_name(unsigned int proto)
82{
83 static char buf[20];
84
85 switch (proto) {
86 case IPPROTO_IP:
87 return "IP";
88 case IPPROTO_UDP:
89 return "UDP";
90 case IPPROTO_TCP:
91 return "TCP";
92 case IPPROTO_SCTP:
93 return "SCTP";
94 case IPPROTO_ICMP:
95 return "ICMP";
96#ifdef CONFIG_IP_VS_IPV6
97 case IPPROTO_ICMPV6:
98 return "ICMPv6";
99#endif
100 default:
101 sprintf(buf, "IP_%u", proto);
102 return buf;
103 }
104}
105
106void ip_vs_init_hash_table(struct list_head *table, int rows)
107{
108 while (--rows >= 0)
109 INIT_LIST_HEAD(&table[rows]);
110}
111
112static inline void
113ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
114{
115 struct ip_vs_dest *dest = cp->dest;
116 struct netns_ipvs *ipvs = cp->ipvs;
117
118 if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
119 struct ip_vs_cpu_stats *s;
120 struct ip_vs_service *svc;
121
122 s = this_cpu_ptr(dest->stats.cpustats);
123 u64_stats_update_begin(&s->syncp);
124 s->cnt.inpkts++;
125 s->cnt.inbytes += skb->len;
126 u64_stats_update_end(&s->syncp);
127
128 rcu_read_lock();
129 svc = rcu_dereference(dest->svc);
130 s = this_cpu_ptr(svc->stats.cpustats);
131 u64_stats_update_begin(&s->syncp);
132 s->cnt.inpkts++;
133 s->cnt.inbytes += skb->len;
134 u64_stats_update_end(&s->syncp);
135 rcu_read_unlock();
136
137 s = this_cpu_ptr(ipvs->tot_stats.cpustats);
138 u64_stats_update_begin(&s->syncp);
139 s->cnt.inpkts++;
140 s->cnt.inbytes += skb->len;
141 u64_stats_update_end(&s->syncp);
142 }
143}
144
145
146static inline void
147ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
148{
149 struct ip_vs_dest *dest = cp->dest;
150 struct netns_ipvs *ipvs = cp->ipvs;
151
152 if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
153 struct ip_vs_cpu_stats *s;
154 struct ip_vs_service *svc;
155
156 s = this_cpu_ptr(dest->stats.cpustats);
157 u64_stats_update_begin(&s->syncp);
158 s->cnt.outpkts++;
159 s->cnt.outbytes += skb->len;
160 u64_stats_update_end(&s->syncp);
161
162 rcu_read_lock();
163 svc = rcu_dereference(dest->svc);
164 s = this_cpu_ptr(svc->stats.cpustats);
165 u64_stats_update_begin(&s->syncp);
166 s->cnt.outpkts++;
167 s->cnt.outbytes += skb->len;
168 u64_stats_update_end(&s->syncp);
169 rcu_read_unlock();
170
171 s = this_cpu_ptr(ipvs->tot_stats.cpustats);
172 u64_stats_update_begin(&s->syncp);
173 s->cnt.outpkts++;
174 s->cnt.outbytes += skb->len;
175 u64_stats_update_end(&s->syncp);
176 }
177}
178
179
180static inline void
181ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
182{
183 struct netns_ipvs *ipvs = svc->ipvs;
184 struct ip_vs_cpu_stats *s;
185
186 s = this_cpu_ptr(cp->dest->stats.cpustats);
187 u64_stats_update_begin(&s->syncp);
188 s->cnt.conns++;
189 u64_stats_update_end(&s->syncp);
190
191 s = this_cpu_ptr(svc->stats.cpustats);
192 u64_stats_update_begin(&s->syncp);
193 s->cnt.conns++;
194 u64_stats_update_end(&s->syncp);
195
196 s = this_cpu_ptr(ipvs->tot_stats.cpustats);
197 u64_stats_update_begin(&s->syncp);
198 s->cnt.conns++;
199 u64_stats_update_end(&s->syncp);
200}
201
202
203static inline void
204ip_vs_set_state(struct ip_vs_conn *cp, int direction,
205 const struct sk_buff *skb,
206 struct ip_vs_proto_data *pd)
207{
208 if (likely(pd->pp->state_transition))
209 pd->pp->state_transition(cp, direction, skb, pd);
210}
211
212static inline int
213ip_vs_conn_fill_param_persist(const struct ip_vs_service *svc,
214 struct sk_buff *skb, int protocol,
215 const union nf_inet_addr *caddr, __be16 cport,
216 const union nf_inet_addr *vaddr, __be16 vport,
217 struct ip_vs_conn_param *p)
218{
219 ip_vs_conn_fill_param(svc->ipvs, svc->af, protocol, caddr, cport, vaddr,
220 vport, p);
221 p->pe = rcu_dereference(svc->pe);
222 if (p->pe && p->pe->fill_param)
223 return p->pe->fill_param(p, skb);
224
225 return 0;
226}
227
228
229
230
231
232
233
234
235static struct ip_vs_conn *
236ip_vs_sched_persist(struct ip_vs_service *svc,
237 struct sk_buff *skb, __be16 src_port, __be16 dst_port,
238 int *ignored, struct ip_vs_iphdr *iph)
239{
240 struct ip_vs_conn *cp = NULL;
241 struct ip_vs_dest *dest;
242 struct ip_vs_conn *ct;
243 __be16 dport = 0;
244 unsigned int flags;
245 struct ip_vs_conn_param param;
246 const union nf_inet_addr fwmark = { .ip = htonl(svc->fwmark) };
247 union nf_inet_addr snet;
248
249 const union nf_inet_addr *src_addr, *dst_addr;
250
251 if (likely(!ip_vs_iph_inverse(iph))) {
252 src_addr = &iph->saddr;
253 dst_addr = &iph->daddr;
254 } else {
255 src_addr = &iph->daddr;
256 dst_addr = &iph->saddr;
257 }
258
259
260
261#ifdef CONFIG_IP_VS_IPV6
262 if (svc->af == AF_INET6)
263 ipv6_addr_prefix(&snet.in6, &src_addr->in6,
264 (__force __u32) svc->netmask);
265 else
266#endif
267 snet.ip = src_addr->ip & svc->netmask;
268
269 IP_VS_DBG_BUF(6, "p-schedule: src %s:%u dest %s:%u "
270 "mnet %s\n",
271 IP_VS_DBG_ADDR(svc->af, src_addr), ntohs(src_port),
272 IP_VS_DBG_ADDR(svc->af, dst_addr), ntohs(dst_port),
273 IP_VS_DBG_ADDR(svc->af, &snet));
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288 {
289 int protocol = iph->protocol;
290 const union nf_inet_addr *vaddr = dst_addr;
291 __be16 vport = 0;
292
293 if (dst_port == svc->port) {
294
295
296
297
298
299 if (svc->port != FTPPORT)
300 vport = dst_port;
301 } else {
302
303
304
305
306
307
308
309 if (svc->fwmark) {
310 protocol = IPPROTO_IP;
311 vaddr = &fwmark;
312 }
313 }
314
315 if (ip_vs_conn_fill_param_persist(svc, skb, protocol, &snet, 0,
316 vaddr, vport, ¶m) < 0) {
317 *ignored = -1;
318 return NULL;
319 }
320 }
321
322
323 ct = ip_vs_ct_in_get(¶m);
324 if (!ct || !ip_vs_check_template(ct, NULL)) {
325 struct ip_vs_scheduler *sched;
326
327
328
329
330
331
332 sched = rcu_dereference(svc->scheduler);
333 if (sched) {
334
335 smp_rmb();
336 dest = sched->schedule(svc, skb, iph);
337 } else {
338 dest = NULL;
339 }
340 if (!dest) {
341 IP_VS_DBG(1, "p-schedule: no dest found.\n");
342 kfree(param.pe_data);
343 *ignored = 0;
344 return NULL;
345 }
346
347 if (dst_port == svc->port && svc->port != FTPPORT)
348 dport = dest->port;
349
350
351
352
353
354 ct = ip_vs_conn_new(¶m, dest->af, &dest->addr, dport,
355 IP_VS_CONN_F_TEMPLATE, dest, skb->mark);
356 if (ct == NULL) {
357 kfree(param.pe_data);
358 *ignored = -1;
359 return NULL;
360 }
361
362 ct->timeout = svc->timeout;
363 } else {
364
365 dest = ct->dest;
366 kfree(param.pe_data);
367 }
368
369 dport = dst_port;
370 if (dport == svc->port && dest->port)
371 dport = dest->port;
372
373 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
374 && iph->protocol == IPPROTO_UDP) ?
375 IP_VS_CONN_F_ONE_PACKET : 0;
376
377
378
379
380 ip_vs_conn_fill_param(svc->ipvs, svc->af, iph->protocol, src_addr,
381 src_port, dst_addr, dst_port, ¶m);
382
383 cp = ip_vs_conn_new(¶m, dest->af, &dest->addr, dport, flags, dest,
384 skb->mark);
385 if (cp == NULL) {
386 ip_vs_conn_put(ct);
387 *ignored = -1;
388 return NULL;
389 }
390
391
392
393
394 ip_vs_control_add(cp, ct);
395 ip_vs_conn_put(ct);
396
397 ip_vs_conn_stats(cp, svc);
398 return cp;
399}
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423struct ip_vs_conn *
424ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
425 struct ip_vs_proto_data *pd, int *ignored,
426 struct ip_vs_iphdr *iph)
427{
428 struct ip_vs_protocol *pp = pd->pp;
429 struct ip_vs_conn *cp = NULL;
430 struct ip_vs_scheduler *sched;
431 struct ip_vs_dest *dest;
432 __be16 _ports[2], *pptr, cport, vport;
433 const void *caddr, *vaddr;
434 unsigned int flags;
435
436 *ignored = 1;
437
438
439
440 pptr = frag_safe_skb_hp(skb, iph->len, sizeof(_ports), _ports, iph);
441 if (pptr == NULL)
442 return NULL;
443
444 if (likely(!ip_vs_iph_inverse(iph))) {
445 cport = pptr[0];
446 caddr = &iph->saddr;
447 vport = pptr[1];
448 vaddr = &iph->daddr;
449 } else {
450 cport = pptr[1];
451 caddr = &iph->daddr;
452 vport = pptr[0];
453 vaddr = &iph->saddr;
454 }
455
456
457
458
459
460
461
462 if (cport == FTPDATA) {
463 IP_VS_DBG_PKT(12, svc->af, pp, skb, iph->off,
464 "Not scheduling FTPDATA");
465 return NULL;
466 }
467
468
469
470
471 if ((!skb->dev || skb->dev->flags & IFF_LOOPBACK)) {
472 iph->hdr_flags ^= IP_VS_HDR_INVERSE;
473 cp = pp->conn_in_get(svc->ipvs, svc->af, skb, iph);
474 iph->hdr_flags ^= IP_VS_HDR_INVERSE;
475
476 if (cp) {
477 IP_VS_DBG_PKT(12, svc->af, pp, skb, iph->off,
478 "Not scheduling reply for existing"
479 " connection");
480 __ip_vs_conn_put(cp);
481 return NULL;
482 }
483 }
484
485
486
487
488 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
489 return ip_vs_sched_persist(svc, skb, cport, vport, ignored,
490 iph);
491
492 *ignored = 0;
493
494
495
496
497 if (!svc->fwmark && vport != svc->port) {
498 if (!svc->port)
499 pr_err("Schedule: port zero only supported "
500 "in persistent services, "
501 "check your ipvs configuration\n");
502 return NULL;
503 }
504
505 sched = rcu_dereference(svc->scheduler);
506 if (sched) {
507
508 smp_rmb();
509 dest = sched->schedule(svc, skb, iph);
510 } else {
511 dest = NULL;
512 }
513 if (dest == NULL) {
514 IP_VS_DBG(1, "Schedule: no dest found.\n");
515 return NULL;
516 }
517
518 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
519 && iph->protocol == IPPROTO_UDP) ?
520 IP_VS_CONN_F_ONE_PACKET : 0;
521
522
523
524
525 {
526 struct ip_vs_conn_param p;
527
528 ip_vs_conn_fill_param(svc->ipvs, svc->af, iph->protocol,
529 caddr, cport, vaddr, vport, &p);
530 cp = ip_vs_conn_new(&p, dest->af, &dest->addr,
531 dest->port ? dest->port : vport,
532 flags, dest, skb->mark);
533 if (!cp) {
534 *ignored = -1;
535 return NULL;
536 }
537 }
538
539 IP_VS_DBG_BUF(6, "Schedule fwd:%c c:%s:%u v:%s:%u "
540 "d:%s:%u conn->flags:%X conn->refcnt:%d\n",
541 ip_vs_fwd_tag(cp),
542 IP_VS_DBG_ADDR(cp->af, &cp->caddr), ntohs(cp->cport),
543 IP_VS_DBG_ADDR(cp->af, &cp->vaddr), ntohs(cp->vport),
544 IP_VS_DBG_ADDR(cp->daf, &cp->daddr), ntohs(cp->dport),
545 cp->flags, refcount_read(&cp->refcnt));
546
547 ip_vs_conn_stats(cp, svc);
548 return cp;
549}
550
551static inline int ip_vs_addr_is_unicast(struct net *net, int af,
552 union nf_inet_addr *addr)
553{
554#ifdef CONFIG_IP_VS_IPV6
555 if (af == AF_INET6)
556 return ipv6_addr_type(&addr->in6) & IPV6_ADDR_UNICAST;
557#endif
558 return (inet_addr_type(net, addr->ip) == RTN_UNICAST);
559}
560
561
562
563
564
565
566int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
567 struct ip_vs_proto_data *pd, struct ip_vs_iphdr *iph)
568{
569 __be16 _ports[2], *pptr, dport;
570 struct netns_ipvs *ipvs = svc->ipvs;
571 struct net *net = ipvs->net;
572
573 pptr = frag_safe_skb_hp(skb, iph->len, sizeof(_ports), _ports, iph);
574 if (!pptr)
575 return NF_DROP;
576 dport = likely(!ip_vs_iph_inverse(iph)) ? pptr[1] : pptr[0];
577
578
579
580
581 if (sysctl_cache_bypass(ipvs) && svc->fwmark &&
582 !(iph->hdr_flags & (IP_VS_HDR_INVERSE | IP_VS_HDR_ICMP)) &&
583 ip_vs_addr_is_unicast(net, svc->af, &iph->daddr)) {
584 int ret;
585 struct ip_vs_conn *cp;
586 unsigned int flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&
587 iph->protocol == IPPROTO_UDP) ?
588 IP_VS_CONN_F_ONE_PACKET : 0;
589 union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } };
590
591
592 IP_VS_DBG(6, "%s(): create a cache_bypass entry\n", __func__);
593 {
594 struct ip_vs_conn_param p;
595 ip_vs_conn_fill_param(svc->ipvs, svc->af, iph->protocol,
596 &iph->saddr, pptr[0],
597 &iph->daddr, pptr[1], &p);
598 cp = ip_vs_conn_new(&p, svc->af, &daddr, 0,
599 IP_VS_CONN_F_BYPASS | flags,
600 NULL, skb->mark);
601 if (!cp)
602 return NF_DROP;
603 }
604
605
606 ip_vs_in_stats(cp, skb);
607
608
609 ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pd);
610
611
612 ret = cp->packet_xmit(skb, cp, pd->pp, iph);
613
614
615 if ((cp->flags & IP_VS_CONN_F_ONE_PACKET) && cp->control)
616 atomic_inc(&cp->control->in_pkts);
617 else
618 atomic_inc(&cp->in_pkts);
619 ip_vs_conn_put(cp);
620 return ret;
621 }
622
623
624
625
626
627
628
629 if (svc->port == FTPPORT && dport != FTPPORT)
630 return NF_ACCEPT;
631
632 if (unlikely(ip_vs_iph_icmp(iph)))
633 return NF_DROP;
634
635
636
637
638
639
640
641
642#ifdef CONFIG_IP_VS_IPV6
643 if (svc->af == AF_INET6) {
644 if (!skb->dev)
645 skb->dev = net->loopback_dev;
646 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
647 } else
648#endif
649 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
650
651 return NF_DROP;
652}
653
654#ifdef CONFIG_SYSCTL
655
656static int sysctl_snat_reroute(struct netns_ipvs *ipvs)
657{
658 return ipvs->sysctl_snat_reroute;
659}
660
661static int sysctl_nat_icmp_send(struct netns_ipvs *ipvs)
662{
663 return ipvs->sysctl_nat_icmp_send;
664}
665
666static int sysctl_expire_nodest_conn(struct netns_ipvs *ipvs)
667{
668 return ipvs->sysctl_expire_nodest_conn;
669}
670
671#else
672
673static int sysctl_snat_reroute(struct netns_ipvs *ipvs) { return 0; }
674static int sysctl_nat_icmp_send(struct netns_ipvs *ipvs) { return 0; }
675static int sysctl_expire_nodest_conn(struct netns_ipvs *ipvs) { return 0; }
676
677#endif
678
679__sum16 ip_vs_checksum_complete(struct sk_buff *skb, int offset)
680{
681 return csum_fold(skb_checksum(skb, offset, skb->len - offset, 0));
682}
683
684static inline enum ip_defrag_users ip_vs_defrag_user(unsigned int hooknum)
685{
686 if (NF_INET_LOCAL_IN == hooknum)
687 return IP_DEFRAG_VS_IN;
688 if (NF_INET_FORWARD == hooknum)
689 return IP_DEFRAG_VS_FWD;
690 return IP_DEFRAG_VS_OUT;
691}
692
693static inline int ip_vs_gather_frags(struct netns_ipvs *ipvs,
694 struct sk_buff *skb, u_int32_t user)
695{
696 int err;
697
698 local_bh_disable();
699 err = ip_defrag(ipvs->net, skb, user);
700 local_bh_enable();
701 if (!err)
702 ip_send_check(ip_hdr(skb));
703
704 return err;
705}
706
707static int ip_vs_route_me_harder(struct netns_ipvs *ipvs, int af,
708 struct sk_buff *skb, unsigned int hooknum)
709{
710 if (!sysctl_snat_reroute(ipvs))
711 return 0;
712
713 if (NF_INET_LOCAL_IN == hooknum)
714 return 0;
715#ifdef CONFIG_IP_VS_IPV6
716 if (af == AF_INET6) {
717 struct dst_entry *dst = skb_dst(skb);
718
719 if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) &&
720 ip6_route_me_harder(ipvs->net, skb) != 0)
721 return 1;
722 } else
723#endif
724 if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
725 ip_route_me_harder(ipvs->net, skb, RTN_LOCAL) != 0)
726 return 1;
727
728 return 0;
729}
730
731
732
733
734
735void ip_vs_nat_icmp(struct sk_buff *skb, struct ip_vs_protocol *pp,
736 struct ip_vs_conn *cp, int inout)
737{
738 struct iphdr *iph = ip_hdr(skb);
739 unsigned int icmp_offset = iph->ihl*4;
740 struct icmphdr *icmph = (struct icmphdr *)(skb_network_header(skb) +
741 icmp_offset);
742 struct iphdr *ciph = (struct iphdr *)(icmph + 1);
743
744 if (inout) {
745 iph->saddr = cp->vaddr.ip;
746 ip_send_check(iph);
747 ciph->daddr = cp->vaddr.ip;
748 ip_send_check(ciph);
749 } else {
750 iph->daddr = cp->daddr.ip;
751 ip_send_check(iph);
752 ciph->saddr = cp->daddr.ip;
753 ip_send_check(ciph);
754 }
755
756
757 if (IPPROTO_TCP == ciph->protocol || IPPROTO_UDP == ciph->protocol ||
758 IPPROTO_SCTP == ciph->protocol) {
759 __be16 *ports = (void *)ciph + ciph->ihl*4;
760
761 if (inout)
762 ports[1] = cp->vport;
763 else
764 ports[0] = cp->dport;
765 }
766
767
768 icmph->checksum = 0;
769 icmph->checksum = ip_vs_checksum_complete(skb, icmp_offset);
770 skb->ip_summed = CHECKSUM_UNNECESSARY;
771
772 if (inout)
773 IP_VS_DBG_PKT(11, AF_INET, pp, skb, (void *)ciph - (void *)iph,
774 "Forwarding altered outgoing ICMP");
775 else
776 IP_VS_DBG_PKT(11, AF_INET, pp, skb, (void *)ciph - (void *)iph,
777 "Forwarding altered incoming ICMP");
778}
779
780#ifdef CONFIG_IP_VS_IPV6
781void ip_vs_nat_icmp_v6(struct sk_buff *skb, struct ip_vs_protocol *pp,
782 struct ip_vs_conn *cp, int inout)
783{
784 struct ipv6hdr *iph = ipv6_hdr(skb);
785 unsigned int icmp_offset = 0;
786 unsigned int offs = 0;
787 int protocol;
788 struct icmp6hdr *icmph;
789 struct ipv6hdr *ciph;
790 unsigned short fragoffs;
791
792 ipv6_find_hdr(skb, &icmp_offset, IPPROTO_ICMPV6, &fragoffs, NULL);
793 icmph = (struct icmp6hdr *)(skb_network_header(skb) + icmp_offset);
794 offs = icmp_offset + sizeof(struct icmp6hdr);
795 ciph = (struct ipv6hdr *)(skb_network_header(skb) + offs);
796
797 protocol = ipv6_find_hdr(skb, &offs, -1, &fragoffs, NULL);
798
799 if (inout) {
800 iph->saddr = cp->vaddr.in6;
801 ciph->daddr = cp->vaddr.in6;
802 } else {
803 iph->daddr = cp->daddr.in6;
804 ciph->saddr = cp->daddr.in6;
805 }
806
807
808 if (!fragoffs && (IPPROTO_TCP == protocol || IPPROTO_UDP == protocol ||
809 IPPROTO_SCTP == protocol)) {
810 __be16 *ports = (void *)(skb_network_header(skb) + offs);
811
812 IP_VS_DBG(11, "%s() changed port %d to %d\n", __func__,
813 ntohs(inout ? ports[1] : ports[0]),
814 ntohs(inout ? cp->vport : cp->dport));
815 if (inout)
816 ports[1] = cp->vport;
817 else
818 ports[0] = cp->dport;
819 }
820
821
822 icmph->icmp6_cksum = ~csum_ipv6_magic(&iph->saddr, &iph->daddr,
823 skb->len - icmp_offset,
824 IPPROTO_ICMPV6, 0);
825 skb->csum_start = skb_network_header(skb) - skb->head + icmp_offset;
826 skb->csum_offset = offsetof(struct icmp6hdr, icmp6_cksum);
827 skb->ip_summed = CHECKSUM_PARTIAL;
828
829 if (inout)
830 IP_VS_DBG_PKT(11, AF_INET6, pp, skb,
831 (void *)ciph - (void *)iph,
832 "Forwarding altered outgoing ICMPv6");
833 else
834 IP_VS_DBG_PKT(11, AF_INET6, pp, skb,
835 (void *)ciph - (void *)iph,
836 "Forwarding altered incoming ICMPv6");
837}
838#endif
839
840
841
842
843static int handle_response_icmp(int af, struct sk_buff *skb,
844 union nf_inet_addr *snet,
845 __u8 protocol, struct ip_vs_conn *cp,
846 struct ip_vs_protocol *pp,
847 unsigned int offset, unsigned int ihl,
848 unsigned int hooknum)
849{
850 unsigned int verdict = NF_DROP;
851
852 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
853 goto ignore_cp;
854
855
856 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
857
858 IP_VS_DBG_BUF(1, "Forward ICMP: failed checksum from %s!\n",
859 IP_VS_DBG_ADDR(af, snet));
860 goto out;
861 }
862
863 if (IPPROTO_TCP == protocol || IPPROTO_UDP == protocol ||
864 IPPROTO_SCTP == protocol)
865 offset += 2 * sizeof(__u16);
866 if (!skb_make_writable(skb, offset))
867 goto out;
868
869#ifdef CONFIG_IP_VS_IPV6
870 if (af == AF_INET6)
871 ip_vs_nat_icmp_v6(skb, pp, cp, 1);
872 else
873#endif
874 ip_vs_nat_icmp(skb, pp, cp, 1);
875
876 if (ip_vs_route_me_harder(cp->ipvs, af, skb, hooknum))
877 goto out;
878
879
880 ip_vs_out_stats(cp, skb);
881
882 skb->ipvs_property = 1;
883 if (!(cp->flags & IP_VS_CONN_F_NFCT))
884 ip_vs_notrack(skb);
885 else
886 ip_vs_update_conntrack(skb, cp, 0);
887
888ignore_cp:
889 verdict = NF_ACCEPT;
890
891out:
892 __ip_vs_conn_put(cp);
893
894 return verdict;
895}
896
897
898
899
900
901
902static int ip_vs_out_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb,
903 int *related, unsigned int hooknum)
904{
905 struct iphdr *iph;
906 struct icmphdr _icmph, *ic;
907 struct iphdr _ciph, *cih;
908 struct ip_vs_iphdr ciph;
909 struct ip_vs_conn *cp;
910 struct ip_vs_protocol *pp;
911 unsigned int offset, ihl;
912 union nf_inet_addr snet;
913
914 *related = 1;
915
916
917 if (ip_is_fragment(ip_hdr(skb))) {
918 if (ip_vs_gather_frags(ipvs, skb, ip_vs_defrag_user(hooknum)))
919 return NF_STOLEN;
920 }
921
922 iph = ip_hdr(skb);
923 offset = ihl = iph->ihl * 4;
924 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
925 if (ic == NULL)
926 return NF_DROP;
927
928 IP_VS_DBG(12, "Outgoing ICMP (%d,%d) %pI4->%pI4\n",
929 ic->type, ntohs(icmp_id(ic)),
930 &iph->saddr, &iph->daddr);
931
932
933
934
935
936
937
938
939 if ((ic->type != ICMP_DEST_UNREACH) &&
940 (ic->type != ICMP_SOURCE_QUENCH) &&
941 (ic->type != ICMP_TIME_EXCEEDED)) {
942 *related = 0;
943 return NF_ACCEPT;
944 }
945
946
947 offset += sizeof(_icmph);
948 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
949 if (cih == NULL)
950 return NF_ACCEPT;
951
952 pp = ip_vs_proto_get(cih->protocol);
953 if (!pp)
954 return NF_ACCEPT;
955
956
957 if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
958 pp->dont_defrag))
959 return NF_ACCEPT;
960
961 IP_VS_DBG_PKT(11, AF_INET, pp, skb, offset,
962 "Checking outgoing ICMP for");
963
964 ip_vs_fill_iph_skb_icmp(AF_INET, skb, offset, true, &ciph);
965
966
967 cp = pp->conn_out_get(ipvs, AF_INET, skb, &ciph);
968 if (!cp)
969 return NF_ACCEPT;
970
971 snet.ip = iph->saddr;
972 return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp,
973 pp, ciph.len, ihl, hooknum);
974}
975
976#ifdef CONFIG_IP_VS_IPV6
977static int ip_vs_out_icmp_v6(struct netns_ipvs *ipvs, struct sk_buff *skb,
978 int *related, unsigned int hooknum,
979 struct ip_vs_iphdr *ipvsh)
980{
981 struct icmp6hdr _icmph, *ic;
982 struct ip_vs_iphdr ciph = {.flags = 0, .fragoffs = 0};
983 struct ip_vs_conn *cp;
984 struct ip_vs_protocol *pp;
985 union nf_inet_addr snet;
986 unsigned int offset;
987
988 *related = 1;
989 ic = frag_safe_skb_hp(skb, ipvsh->len, sizeof(_icmph), &_icmph, ipvsh);
990 if (ic == NULL)
991 return NF_DROP;
992
993
994
995
996
997
998
999
1000 if (ic->icmp6_type & ICMPV6_INFOMSG_MASK) {
1001 *related = 0;
1002 return NF_ACCEPT;
1003 }
1004
1005
1006
1007 if (ipvsh->flags & IP6_FH_F_FRAG)
1008 return NF_DROP;
1009
1010 IP_VS_DBG(8, "Outgoing ICMPv6 (%d,%d) %pI6c->%pI6c\n",
1011 ic->icmp6_type, ntohs(icmpv6_id(ic)),
1012 &ipvsh->saddr, &ipvsh->daddr);
1013
1014 if (!ip_vs_fill_iph_skb_icmp(AF_INET6, skb, ipvsh->len + sizeof(_icmph),
1015 true, &ciph))
1016 return NF_ACCEPT;
1017
1018 pp = ip_vs_proto_get(ciph.protocol);
1019 if (!pp)
1020 return NF_ACCEPT;
1021
1022
1023 cp = pp->conn_out_get(ipvs, AF_INET6, skb, &ciph);
1024 if (!cp)
1025 return NF_ACCEPT;
1026
1027 snet.in6 = ciph.saddr.in6;
1028 offset = ciph.len;
1029 return handle_response_icmp(AF_INET6, skb, &snet, ciph.protocol, cp,
1030 pp, offset, sizeof(struct ipv6hdr),
1031 hooknum);
1032}
1033#endif
1034
1035
1036
1037
1038static inline int is_sctp_abort(const struct sk_buff *skb, int nh_len)
1039{
1040 sctp_chunkhdr_t *sch, schunk;
1041 sch = skb_header_pointer(skb, nh_len + sizeof(sctp_sctphdr_t),
1042 sizeof(schunk), &schunk);
1043 if (sch == NULL)
1044 return 0;
1045 if (sch->type == SCTP_CID_ABORT)
1046 return 1;
1047 return 0;
1048}
1049
1050static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len)
1051{
1052 struct tcphdr _tcph, *th;
1053
1054 th = skb_header_pointer(skb, nh_len, sizeof(_tcph), &_tcph);
1055 if (th == NULL)
1056 return 0;
1057 return th->rst;
1058}
1059
1060static inline bool is_new_conn(const struct sk_buff *skb,
1061 struct ip_vs_iphdr *iph)
1062{
1063 switch (iph->protocol) {
1064 case IPPROTO_TCP: {
1065 struct tcphdr _tcph, *th;
1066
1067 th = skb_header_pointer(skb, iph->len, sizeof(_tcph), &_tcph);
1068 if (th == NULL)
1069 return false;
1070 return th->syn;
1071 }
1072 case IPPROTO_SCTP: {
1073 sctp_chunkhdr_t *sch, schunk;
1074
1075 sch = skb_header_pointer(skb, iph->len + sizeof(sctp_sctphdr_t),
1076 sizeof(schunk), &schunk);
1077 if (sch == NULL)
1078 return false;
1079 return sch->type == SCTP_CID_INIT;
1080 }
1081 default:
1082 return false;
1083 }
1084}
1085
1086static inline bool is_new_conn_expected(const struct ip_vs_conn *cp,
1087 int conn_reuse_mode)
1088{
1089
1090 if (cp->control)
1091 return false;
1092
1093 switch (cp->protocol) {
1094 case IPPROTO_TCP:
1095 return (cp->state == IP_VS_TCP_S_TIME_WAIT) ||
1096 (cp->state == IP_VS_TCP_S_CLOSE) ||
1097 ((conn_reuse_mode & 2) &&
1098 (cp->state == IP_VS_TCP_S_FIN_WAIT) &&
1099 (cp->flags & IP_VS_CONN_F_NOOUTPUT));
1100 case IPPROTO_SCTP:
1101 return cp->state == IP_VS_SCTP_S_CLOSED;
1102 default:
1103 return false;
1104 }
1105}
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115struct ip_vs_conn *ip_vs_new_conn_out(struct ip_vs_service *svc,
1116 struct ip_vs_dest *dest,
1117 struct sk_buff *skb,
1118 const struct ip_vs_iphdr *iph,
1119 __be16 dport,
1120 __be16 cport)
1121{
1122 struct ip_vs_conn_param param;
1123 struct ip_vs_conn *ct = NULL, *cp = NULL;
1124 const union nf_inet_addr *vaddr, *daddr, *caddr;
1125 union nf_inet_addr snet;
1126 __be16 vport;
1127 unsigned int flags;
1128
1129 EnterFunction(12);
1130 vaddr = &svc->addr;
1131 vport = svc->port;
1132 daddr = &iph->saddr;
1133 caddr = &iph->daddr;
1134
1135
1136 if (svc->fwmark)
1137 return NULL;
1138 if (!vport || !dport)
1139 return NULL;
1140
1141
1142 if (svc->flags & IP_VS_SVC_F_PERSISTENT) {
1143
1144#ifdef CONFIG_IP_VS_IPV6
1145 if (svc->af == AF_INET6)
1146 ipv6_addr_prefix(&snet.in6, &caddr->in6,
1147 (__force __u32)svc->netmask);
1148 else
1149#endif
1150 snet.ip = caddr->ip & svc->netmask;
1151
1152 if (ip_vs_conn_fill_param_persist(svc, skb, iph->protocol,
1153 &snet, 0, vaddr,
1154 vport, ¶m) < 0)
1155 return NULL;
1156 ct = ip_vs_ct_in_get(¶m);
1157
1158 if (!ct || !ip_vs_check_template(ct, dest)) {
1159 ct = ip_vs_conn_new(¶m, dest->af, daddr, dport,
1160 IP_VS_CONN_F_TEMPLATE, dest, 0);
1161 if (!ct) {
1162 kfree(param.pe_data);
1163 return NULL;
1164 }
1165 ct->timeout = svc->timeout;
1166 } else {
1167 kfree(param.pe_data);
1168 }
1169 }
1170
1171
1172 flags = ((svc->flags & IP_VS_SVC_F_ONEPACKET) &&
1173 iph->protocol == IPPROTO_UDP) ? IP_VS_CONN_F_ONE_PACKET : 0;
1174
1175 ip_vs_conn_fill_param(svc->ipvs, svc->af, iph->protocol,
1176 caddr, cport, vaddr, vport, ¶m);
1177 cp = ip_vs_conn_new(¶m, dest->af, daddr, dport, flags, dest, 0);
1178 if (!cp) {
1179 if (ct)
1180 ip_vs_conn_put(ct);
1181 return NULL;
1182 }
1183 if (ct) {
1184 ip_vs_control_add(cp, ct);
1185 ip_vs_conn_put(ct);
1186 }
1187 ip_vs_conn_stats(cp, svc);
1188
1189
1190 IP_VS_DBG_BUF(6, "New connection RS-initiated:%c c:%s:%u v:%s:%u "
1191 "d:%s:%u conn->flags:%X conn->refcnt:%d\n",
1192 ip_vs_fwd_tag(cp),
1193 IP_VS_DBG_ADDR(cp->af, &cp->caddr), ntohs(cp->cport),
1194 IP_VS_DBG_ADDR(cp->af, &cp->vaddr), ntohs(cp->vport),
1195 IP_VS_DBG_ADDR(cp->af, &cp->daddr), ntohs(cp->dport),
1196 cp->flags, refcount_read(&cp->refcnt));
1197 LeaveFunction(12);
1198 return cp;
1199}
1200
1201
1202
1203
1204
1205
1206
1207
1208static struct ip_vs_conn *__ip_vs_rs_conn_out(unsigned int hooknum,
1209 struct netns_ipvs *ipvs,
1210 int af, struct sk_buff *skb,
1211 const struct ip_vs_iphdr *iph)
1212{
1213 struct ip_vs_dest *dest;
1214 struct ip_vs_conn *cp = NULL;
1215 __be16 _ports[2], *pptr;
1216
1217 if (hooknum == NF_INET_LOCAL_IN)
1218 return NULL;
1219
1220 pptr = frag_safe_skb_hp(skb, iph->len,
1221 sizeof(_ports), _ports, iph);
1222 if (!pptr)
1223 return NULL;
1224
1225 rcu_read_lock();
1226 dest = ip_vs_find_real_service(ipvs, af, iph->protocol,
1227 &iph->saddr, pptr[0]);
1228 if (dest) {
1229 struct ip_vs_service *svc;
1230 struct ip_vs_pe *pe;
1231
1232 svc = rcu_dereference(dest->svc);
1233 if (svc) {
1234 pe = rcu_dereference(svc->pe);
1235 if (pe && pe->conn_out)
1236 cp = pe->conn_out(svc, dest, skb, iph,
1237 pptr[0], pptr[1]);
1238 }
1239 }
1240 rcu_read_unlock();
1241
1242 return cp;
1243}
1244
1245
1246
1247static unsigned int
1248handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
1249 struct ip_vs_conn *cp, struct ip_vs_iphdr *iph,
1250 unsigned int hooknum)
1251{
1252 struct ip_vs_protocol *pp = pd->pp;
1253
1254 IP_VS_DBG_PKT(11, af, pp, skb, iph->off, "Outgoing packet");
1255
1256 if (!skb_make_writable(skb, iph->len))
1257 goto drop;
1258
1259
1260 if (pp->snat_handler && !pp->snat_handler(skb, pp, cp, iph))
1261 goto drop;
1262
1263#ifdef CONFIG_IP_VS_IPV6
1264 if (af == AF_INET6)
1265 ipv6_hdr(skb)->saddr = cp->vaddr.in6;
1266 else
1267#endif
1268 {
1269 ip_hdr(skb)->saddr = cp->vaddr.ip;
1270 ip_send_check(ip_hdr(skb));
1271 }
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288 if (ip_vs_route_me_harder(cp->ipvs, af, skb, hooknum))
1289 goto drop;
1290
1291 IP_VS_DBG_PKT(10, af, pp, skb, iph->off, "After SNAT");
1292
1293 ip_vs_out_stats(cp, skb);
1294 ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pd);
1295 skb->ipvs_property = 1;
1296 if (!(cp->flags & IP_VS_CONN_F_NFCT))
1297 ip_vs_notrack(skb);
1298 else
1299 ip_vs_update_conntrack(skb, cp, 0);
1300 ip_vs_conn_put(cp);
1301
1302 LeaveFunction(11);
1303 return NF_ACCEPT;
1304
1305drop:
1306 ip_vs_conn_put(cp);
1307 kfree_skb(skb);
1308 LeaveFunction(11);
1309 return NF_STOLEN;
1310}
1311
1312
1313
1314
1315static unsigned int
1316ip_vs_out(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int af)
1317{
1318 struct ip_vs_iphdr iph;
1319 struct ip_vs_protocol *pp;
1320 struct ip_vs_proto_data *pd;
1321 struct ip_vs_conn *cp;
1322 struct sock *sk;
1323
1324 EnterFunction(11);
1325
1326
1327 if (skb->ipvs_property)
1328 return NF_ACCEPT;
1329
1330 sk = skb_to_full_sk(skb);
1331
1332 if (unlikely(sk && hooknum == NF_INET_LOCAL_OUT &&
1333 af == AF_INET)) {
1334
1335 if (sk->sk_family == PF_INET && inet_sk(sk)->nodefrag)
1336 return NF_ACCEPT;
1337 }
1338
1339 if (unlikely(!skb_dst(skb)))
1340 return NF_ACCEPT;
1341
1342 if (!ipvs->enable)
1343 return NF_ACCEPT;
1344
1345 ip_vs_fill_iph_skb(af, skb, false, &iph);
1346#ifdef CONFIG_IP_VS_IPV6
1347 if (af == AF_INET6) {
1348 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
1349 int related;
1350 int verdict = ip_vs_out_icmp_v6(ipvs, skb, &related,
1351 hooknum, &iph);
1352
1353 if (related)
1354 return verdict;
1355 }
1356 } else
1357#endif
1358 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
1359 int related;
1360 int verdict = ip_vs_out_icmp(ipvs, skb, &related, hooknum);
1361
1362 if (related)
1363 return verdict;
1364 }
1365
1366 pd = ip_vs_proto_data_get(ipvs, iph.protocol);
1367 if (unlikely(!pd))
1368 return NF_ACCEPT;
1369 pp = pd->pp;
1370
1371
1372#ifdef CONFIG_IP_VS_IPV6
1373 if (af == AF_INET)
1374#endif
1375 if (unlikely(ip_is_fragment(ip_hdr(skb)) && !pp->dont_defrag)) {
1376 if (ip_vs_gather_frags(ipvs, skb,
1377 ip_vs_defrag_user(hooknum)))
1378 return NF_STOLEN;
1379
1380 ip_vs_fill_iph_skb(AF_INET, skb, false, &iph);
1381 }
1382
1383
1384
1385
1386 cp = pp->conn_out_get(ipvs, af, skb, &iph);
1387
1388 if (likely(cp)) {
1389 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
1390 goto ignore_cp;
1391 return handle_response(af, skb, pd, cp, &iph, hooknum);
1392 }
1393
1394
1395 if (atomic_read(&ipvs->conn_out_counter)) {
1396
1397
1398
1399
1400
1401 if (pp->protocol == IPPROTO_UDP) {
1402 cp = __ip_vs_rs_conn_out(hooknum, ipvs, af, skb, &iph);
1403 if (likely(cp))
1404 return handle_response(af, skb, pd, cp, &iph,
1405 hooknum);
1406 }
1407 }
1408
1409 if (sysctl_nat_icmp_send(ipvs) &&
1410 (pp->protocol == IPPROTO_TCP ||
1411 pp->protocol == IPPROTO_UDP ||
1412 pp->protocol == IPPROTO_SCTP)) {
1413 __be16 _ports[2], *pptr;
1414
1415 pptr = frag_safe_skb_hp(skb, iph.len,
1416 sizeof(_ports), _ports, &iph);
1417 if (pptr == NULL)
1418 return NF_ACCEPT;
1419 if (ip_vs_has_real_service(ipvs, af, iph.protocol, &iph.saddr,
1420 pptr[0])) {
1421
1422
1423
1424
1425
1426 if ((iph.protocol != IPPROTO_TCP &&
1427 iph.protocol != IPPROTO_SCTP)
1428 || ((iph.protocol == IPPROTO_TCP
1429 && !is_tcp_reset(skb, iph.len))
1430 || (iph.protocol == IPPROTO_SCTP
1431 && !is_sctp_abort(skb,
1432 iph.len)))) {
1433#ifdef CONFIG_IP_VS_IPV6
1434 if (af == AF_INET6) {
1435 if (!skb->dev)
1436 skb->dev = ipvs->net->loopback_dev;
1437 icmpv6_send(skb,
1438 ICMPV6_DEST_UNREACH,
1439 ICMPV6_PORT_UNREACH,
1440 0);
1441 } else
1442#endif
1443 icmp_send(skb,
1444 ICMP_DEST_UNREACH,
1445 ICMP_PORT_UNREACH, 0);
1446 return NF_DROP;
1447 }
1448 }
1449 }
1450
1451out:
1452 IP_VS_DBG_PKT(12, af, pp, skb, iph.off,
1453 "ip_vs_out: packet continues traversal as normal");
1454 return NF_ACCEPT;
1455
1456ignore_cp:
1457 __ip_vs_conn_put(cp);
1458 goto out;
1459}
1460
1461
1462
1463
1464
1465
1466static unsigned int
1467ip_vs_reply4(void *priv, struct sk_buff *skb,
1468 const struct nf_hook_state *state)
1469{
1470 return ip_vs_out(net_ipvs(state->net), state->hook, skb, AF_INET);
1471}
1472
1473
1474
1475
1476
1477static unsigned int
1478ip_vs_local_reply4(void *priv, struct sk_buff *skb,
1479 const struct nf_hook_state *state)
1480{
1481 return ip_vs_out(net_ipvs(state->net), state->hook, skb, AF_INET);
1482}
1483
1484#ifdef CONFIG_IP_VS_IPV6
1485
1486
1487
1488
1489
1490
1491static unsigned int
1492ip_vs_reply6(void *priv, struct sk_buff *skb,
1493 const struct nf_hook_state *state)
1494{
1495 return ip_vs_out(net_ipvs(state->net), state->hook, skb, AF_INET6);
1496}
1497
1498
1499
1500
1501
1502static unsigned int
1503ip_vs_local_reply6(void *priv, struct sk_buff *skb,
1504 const struct nf_hook_state *state)
1505{
1506 return ip_vs_out(net_ipvs(state->net), state->hook, skb, AF_INET6);
1507}
1508
1509#endif
1510
1511static unsigned int
1512ip_vs_try_to_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
1513 struct ip_vs_proto_data *pd,
1514 int *verdict, struct ip_vs_conn **cpp,
1515 struct ip_vs_iphdr *iph)
1516{
1517 struct ip_vs_protocol *pp = pd->pp;
1518
1519 if (!iph->fragoffs) {
1520
1521
1522
1523
1524
1525 if (!pp->conn_schedule(ipvs, af, skb, pd, verdict, cpp, iph))
1526 return 0;
1527 }
1528
1529 if (unlikely(!*cpp)) {
1530
1531 IP_VS_DBG_PKT(12, af, pp, skb, iph->off,
1532 "ip_vs_in: packet continues traversal as normal");
1533 if (iph->fragoffs) {
1534
1535
1536
1537 IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n");
1538 IP_VS_DBG_PKT(7, af, pp, skb, iph->off,
1539 "unhandled fragment");
1540 }
1541 *verdict = NF_ACCEPT;
1542 return 0;
1543 }
1544
1545 return 1;
1546}
1547
1548
1549
1550
1551
1552
1553
1554static int
1555ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
1556 unsigned int hooknum)
1557{
1558 struct iphdr *iph;
1559 struct icmphdr _icmph, *ic;
1560 struct iphdr _ciph, *cih;
1561 struct ip_vs_iphdr ciph;
1562 struct ip_vs_conn *cp;
1563 struct ip_vs_protocol *pp;
1564 struct ip_vs_proto_data *pd;
1565 unsigned int offset, offset2, ihl, verdict;
1566 bool ipip, new_cp = false;
1567
1568 *related = 1;
1569
1570
1571 if (ip_is_fragment(ip_hdr(skb))) {
1572 if (ip_vs_gather_frags(ipvs, skb, ip_vs_defrag_user(hooknum)))
1573 return NF_STOLEN;
1574 }
1575
1576 iph = ip_hdr(skb);
1577 offset = ihl = iph->ihl * 4;
1578 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
1579 if (ic == NULL)
1580 return NF_DROP;
1581
1582 IP_VS_DBG(12, "Incoming ICMP (%d,%d) %pI4->%pI4\n",
1583 ic->type, ntohs(icmp_id(ic)),
1584 &iph->saddr, &iph->daddr);
1585
1586
1587
1588
1589
1590
1591
1592
1593 if ((ic->type != ICMP_DEST_UNREACH) &&
1594 (ic->type != ICMP_SOURCE_QUENCH) &&
1595 (ic->type != ICMP_TIME_EXCEEDED)) {
1596 *related = 0;
1597 return NF_ACCEPT;
1598 }
1599
1600
1601 offset += sizeof(_icmph);
1602 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1603 if (cih == NULL)
1604 return NF_ACCEPT;
1605
1606
1607 ipip = false;
1608 if (cih->protocol == IPPROTO_IPIP) {
1609 if (unlikely(cih->frag_off & htons(IP_OFFSET)))
1610 return NF_ACCEPT;
1611
1612 if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL))
1613 return NF_ACCEPT;
1614 offset += cih->ihl * 4;
1615 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
1616 if (cih == NULL)
1617 return NF_ACCEPT;
1618 ipip = true;
1619 }
1620
1621 pd = ip_vs_proto_data_get(ipvs, cih->protocol);
1622 if (!pd)
1623 return NF_ACCEPT;
1624 pp = pd->pp;
1625
1626
1627 if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
1628 pp->dont_defrag))
1629 return NF_ACCEPT;
1630
1631 IP_VS_DBG_PKT(11, AF_INET, pp, skb, offset,
1632 "Checking incoming ICMP for");
1633
1634 offset2 = offset;
1635 ip_vs_fill_iph_skb_icmp(AF_INET, skb, offset, !ipip, &ciph);
1636 offset = ciph.len;
1637
1638
1639
1640
1641 cp = pp->conn_in_get(ipvs, AF_INET, skb, &ciph);
1642
1643 if (!cp) {
1644 int v;
1645
1646 if (!sysctl_schedule_icmp(ipvs))
1647 return NF_ACCEPT;
1648
1649 if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
1650 return v;
1651 new_cp = true;
1652 }
1653
1654 verdict = NF_DROP;
1655
1656
1657 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
1658
1659 IP_VS_DBG(1, "Incoming ICMP: failed checksum from %pI4!\n",
1660 &iph->saddr);
1661 goto out;
1662 }
1663
1664 if (ipip) {
1665 __be32 info = ic->un.gateway;
1666 __u8 type = ic->type;
1667 __u8 code = ic->code;
1668
1669
1670 if (ic->type == ICMP_DEST_UNREACH &&
1671 ic->code == ICMP_FRAG_NEEDED) {
1672 struct ip_vs_dest *dest = cp->dest;
1673 u32 mtu = ntohs(ic->un.frag.mtu);
1674 __be16 frag_off = cih->frag_off;
1675
1676
1677 if (pskb_pull(skb, ihl + sizeof(_icmph)) == NULL)
1678 goto ignore_ipip;
1679 offset2 -= ihl + sizeof(_icmph);
1680 skb_reset_network_header(skb);
1681 IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n",
1682 &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr, mtu);
1683 ipv4_update_pmtu(skb, ipvs->net,
1684 mtu, 0, 0, 0, 0);
1685
1686 if (!(frag_off & htons(IP_DF)))
1687 goto ignore_ipip;
1688
1689 if (dest) {
1690 struct ip_vs_dest_dst *dest_dst;
1691
1692 rcu_read_lock();
1693 dest_dst = rcu_dereference(dest->dest_dst);
1694 if (dest_dst)
1695 mtu = dst_mtu(dest_dst->dst_cache);
1696 rcu_read_unlock();
1697 }
1698 if (mtu > 68 + sizeof(struct iphdr))
1699 mtu -= sizeof(struct iphdr);
1700 info = htonl(mtu);
1701 }
1702
1703
1704
1705 if (pskb_pull(skb, offset2) == NULL)
1706 goto ignore_ipip;
1707 skb_reset_network_header(skb);
1708 IP_VS_DBG(12, "Sending ICMP for %pI4->%pI4: t=%u, c=%u, i=%u\n",
1709 &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr,
1710 type, code, ntohl(info));
1711 icmp_send(skb, type, code, info);
1712
1713 ip_vs_out_stats(cp, skb);
1714
1715ignore_ipip:
1716 consume_skb(skb);
1717 verdict = NF_STOLEN;
1718 goto out;
1719 }
1720
1721
1722 ip_vs_in_stats(cp, skb);
1723 if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol ||
1724 IPPROTO_SCTP == cih->protocol)
1725 offset += 2 * sizeof(__u16);
1726 verdict = ip_vs_icmp_xmit(skb, cp, pp, offset, hooknum, &ciph);
1727
1728out:
1729 if (likely(!new_cp))
1730 __ip_vs_conn_put(cp);
1731 else
1732 ip_vs_conn_put(cp);
1733
1734 return verdict;
1735}
1736
1737#ifdef CONFIG_IP_VS_IPV6
1738static int ip_vs_in_icmp_v6(struct netns_ipvs *ipvs, struct sk_buff *skb,
1739 int *related, unsigned int hooknum,
1740 struct ip_vs_iphdr *iph)
1741{
1742 struct icmp6hdr _icmph, *ic;
1743 struct ip_vs_iphdr ciph = {.flags = 0, .fragoffs = 0};
1744 struct ip_vs_conn *cp;
1745 struct ip_vs_protocol *pp;
1746 struct ip_vs_proto_data *pd;
1747 unsigned int offset, verdict;
1748 bool new_cp = false;
1749
1750 *related = 1;
1751
1752 ic = frag_safe_skb_hp(skb, iph->len, sizeof(_icmph), &_icmph, iph);
1753 if (ic == NULL)
1754 return NF_DROP;
1755
1756
1757
1758
1759
1760
1761
1762
1763 if (ic->icmp6_type & ICMPV6_INFOMSG_MASK) {
1764 *related = 0;
1765 return NF_ACCEPT;
1766 }
1767
1768
1769
1770 if (iph->flags & IP6_FH_F_FRAG)
1771 return NF_DROP;
1772
1773 IP_VS_DBG(8, "Incoming ICMPv6 (%d,%d) %pI6c->%pI6c\n",
1774 ic->icmp6_type, ntohs(icmpv6_id(ic)),
1775 &iph->saddr, &iph->daddr);
1776
1777 offset = iph->len + sizeof(_icmph);
1778 if (!ip_vs_fill_iph_skb_icmp(AF_INET6, skb, offset, true, &ciph))
1779 return NF_ACCEPT;
1780
1781 pd = ip_vs_proto_data_get(ipvs, ciph.protocol);
1782 if (!pd)
1783 return NF_ACCEPT;
1784 pp = pd->pp;
1785
1786
1787 if (ciph.fragoffs)
1788 return NF_ACCEPT;
1789
1790 IP_VS_DBG_PKT(11, AF_INET6, pp, skb, offset,
1791 "Checking incoming ICMPv6 for");
1792
1793
1794
1795
1796 cp = pp->conn_in_get(ipvs, AF_INET6, skb, &ciph);
1797
1798 if (!cp) {
1799 int v;
1800
1801 if (!sysctl_schedule_icmp(ipvs))
1802 return NF_ACCEPT;
1803
1804 if (!ip_vs_try_to_schedule(ipvs, AF_INET6, skb, pd, &v, &cp, &ciph))
1805 return v;
1806
1807 new_cp = true;
1808 }
1809
1810
1811 if ((hooknum == NF_INET_LOCAL_OUT) &&
1812 (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)) {
1813 verdict = NF_ACCEPT;
1814 goto out;
1815 }
1816
1817
1818 ip_vs_in_stats(cp, skb);
1819
1820
1821 offset = ciph.len;
1822 if (IPPROTO_TCP == ciph.protocol || IPPROTO_UDP == ciph.protocol ||
1823 IPPROTO_SCTP == ciph.protocol)
1824 offset += 2 * sizeof(__u16);
1825
1826 verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, offset, hooknum, &ciph);
1827
1828out:
1829 if (likely(!new_cp))
1830 __ip_vs_conn_put(cp);
1831 else
1832 ip_vs_conn_put(cp);
1833
1834 return verdict;
1835}
1836#endif
1837
1838
1839
1840
1841
1842
1843static unsigned int
1844ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int af)
1845{
1846 struct ip_vs_iphdr iph;
1847 struct ip_vs_protocol *pp;
1848 struct ip_vs_proto_data *pd;
1849 struct ip_vs_conn *cp;
1850 int ret, pkts;
1851 int conn_reuse_mode;
1852 struct sock *sk;
1853
1854
1855 if (skb->ipvs_property)
1856 return NF_ACCEPT;
1857
1858
1859
1860
1861
1862
1863 if (unlikely((skb->pkt_type != PACKET_HOST &&
1864 hooknum != NF_INET_LOCAL_OUT) ||
1865 !skb_dst(skb))) {
1866 ip_vs_fill_iph_skb(af, skb, false, &iph);
1867 IP_VS_DBG_BUF(12, "packet type=%d proto=%d daddr=%s"
1868 " ignored in hook %u\n",
1869 skb->pkt_type, iph.protocol,
1870 IP_VS_DBG_ADDR(af, &iph.daddr), hooknum);
1871 return NF_ACCEPT;
1872 }
1873
1874 if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
1875 return NF_ACCEPT;
1876
1877 ip_vs_fill_iph_skb(af, skb, false, &iph);
1878
1879
1880 sk = skb_to_full_sk(skb);
1881 if (unlikely(sk && hooknum == NF_INET_LOCAL_OUT &&
1882 af == AF_INET)) {
1883
1884 if (sk->sk_family == PF_INET && inet_sk(sk)->nodefrag)
1885 return NF_ACCEPT;
1886 }
1887
1888#ifdef CONFIG_IP_VS_IPV6
1889 if (af == AF_INET6) {
1890 if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
1891 int related;
1892 int verdict = ip_vs_in_icmp_v6(ipvs, skb, &related,
1893 hooknum, &iph);
1894
1895 if (related)
1896 return verdict;
1897 }
1898 } else
1899#endif
1900 if (unlikely(iph.protocol == IPPROTO_ICMP)) {
1901 int related;
1902 int verdict = ip_vs_in_icmp(ipvs, skb, &related,
1903 hooknum);
1904
1905 if (related)
1906 return verdict;
1907 }
1908
1909
1910 pd = ip_vs_proto_data_get(ipvs, iph.protocol);
1911 if (unlikely(!pd)) {
1912
1913
1914
1915
1916 if (sysctl_ignore_tunneled(ipvs))
1917 skb->ipvs_property = 1;
1918
1919 return NF_ACCEPT;
1920 }
1921 pp = pd->pp;
1922
1923
1924
1925 cp = pp->conn_in_get(ipvs, af, skb, &iph);
1926
1927 conn_reuse_mode = sysctl_conn_reuse_mode(ipvs);
1928 if (conn_reuse_mode && !iph.fragoffs && is_new_conn(skb, &iph) && cp) {
1929 bool uses_ct = false, resched = false;
1930
1931 if (unlikely(sysctl_expire_nodest_conn(ipvs)) && cp->dest &&
1932 unlikely(!atomic_read(&cp->dest->weight))) {
1933 resched = true;
1934 uses_ct = ip_vs_conn_uses_conntrack(cp, skb);
1935 } else if (is_new_conn_expected(cp, conn_reuse_mode)) {
1936 uses_ct = ip_vs_conn_uses_conntrack(cp, skb);
1937 if (!atomic_read(&cp->n_control)) {
1938 resched = true;
1939 } else {
1940
1941
1942
1943
1944 resched = !uses_ct;
1945 }
1946 }
1947
1948 if (resched) {
1949 if (!atomic_read(&cp->n_control))
1950 ip_vs_conn_expire_now(cp);
1951 __ip_vs_conn_put(cp);
1952 if (uses_ct)
1953 return NF_DROP;
1954 cp = NULL;
1955 }
1956 }
1957
1958 if (unlikely(!cp)) {
1959 int v;
1960
1961 if (!ip_vs_try_to_schedule(ipvs, af, skb, pd, &v, &cp, &iph))
1962 return v;
1963 }
1964
1965 IP_VS_DBG_PKT(11, af, pp, skb, iph.off, "Incoming packet");
1966
1967
1968 if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
1969
1970
1971 if (sysctl_expire_nodest_conn(ipvs)) {
1972
1973 ip_vs_conn_expire_now(cp);
1974 }
1975
1976
1977 __ip_vs_conn_put(cp);
1978 return NF_DROP;
1979 }
1980
1981 ip_vs_in_stats(cp, skb);
1982 ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pd);
1983 if (cp->packet_xmit)
1984 ret = cp->packet_xmit(skb, cp, pp, &iph);
1985
1986 else {
1987 IP_VS_DBG_RL("warning: packet_xmit is null");
1988 ret = NF_ACCEPT;
1989 }
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
2001 pkts = sysctl_sync_threshold(ipvs);
2002 else
2003 pkts = atomic_add_return(1, &cp->in_pkts);
2004
2005 if (ipvs->sync_state & IP_VS_STATE_MASTER)
2006 ip_vs_sync_conn(ipvs, cp, pkts);
2007 else if ((cp->flags & IP_VS_CONN_F_ONE_PACKET) && cp->control)
2008
2009 atomic_inc(&cp->control->in_pkts);
2010
2011 ip_vs_conn_put(cp);
2012 return ret;
2013}
2014
2015
2016
2017
2018
2019static unsigned int
2020ip_vs_remote_request4(void *priv, struct sk_buff *skb,
2021 const struct nf_hook_state *state)
2022{
2023 return ip_vs_in(net_ipvs(state->net), state->hook, skb, AF_INET);
2024}
2025
2026
2027
2028
2029
2030static unsigned int
2031ip_vs_local_request4(void *priv, struct sk_buff *skb,
2032 const struct nf_hook_state *state)
2033{
2034 return ip_vs_in(net_ipvs(state->net), state->hook, skb, AF_INET);
2035}
2036
2037#ifdef CONFIG_IP_VS_IPV6
2038
2039
2040
2041
2042
2043static unsigned int
2044ip_vs_remote_request6(void *priv, struct sk_buff *skb,
2045 const struct nf_hook_state *state)
2046{
2047 return ip_vs_in(net_ipvs(state->net), state->hook, skb, AF_INET6);
2048}
2049
2050
2051
2052
2053
2054static unsigned int
2055ip_vs_local_request6(void *priv, struct sk_buff *skb,
2056 const struct nf_hook_state *state)
2057{
2058 return ip_vs_in(net_ipvs(state->net), state->hook, skb, AF_INET6);
2059}
2060
2061#endif
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073static unsigned int
2074ip_vs_forward_icmp(void *priv, struct sk_buff *skb,
2075 const struct nf_hook_state *state)
2076{
2077 int r;
2078 struct netns_ipvs *ipvs = net_ipvs(state->net);
2079
2080 if (ip_hdr(skb)->protocol != IPPROTO_ICMP)
2081 return NF_ACCEPT;
2082
2083
2084 if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
2085 return NF_ACCEPT;
2086
2087 return ip_vs_in_icmp(ipvs, skb, &r, state->hook);
2088}
2089
2090#ifdef CONFIG_IP_VS_IPV6
2091static unsigned int
2092ip_vs_forward_icmp_v6(void *priv, struct sk_buff *skb,
2093 const struct nf_hook_state *state)
2094{
2095 int r;
2096 struct netns_ipvs *ipvs = net_ipvs(state->net);
2097 struct ip_vs_iphdr iphdr;
2098
2099 ip_vs_fill_iph_skb(AF_INET6, skb, false, &iphdr);
2100 if (iphdr.protocol != IPPROTO_ICMPV6)
2101 return NF_ACCEPT;
2102
2103
2104 if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
2105 return NF_ACCEPT;
2106
2107 return ip_vs_in_icmp_v6(ipvs, skb, &r, state->hook, &iphdr);
2108}
2109#endif
2110
2111
2112static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
2113
2114 {
2115 .hook = ip_vs_reply4,
2116 .pf = NFPROTO_IPV4,
2117 .hooknum = NF_INET_LOCAL_IN,
2118 .priority = NF_IP_PRI_NAT_SRC - 2,
2119 },
2120
2121
2122
2123 {
2124 .hook = ip_vs_remote_request4,
2125 .pf = NFPROTO_IPV4,
2126 .hooknum = NF_INET_LOCAL_IN,
2127 .priority = NF_IP_PRI_NAT_SRC - 1,
2128 },
2129
2130 {
2131 .hook = ip_vs_local_reply4,
2132 .pf = NFPROTO_IPV4,
2133 .hooknum = NF_INET_LOCAL_OUT,
2134 .priority = NF_IP_PRI_NAT_DST + 1,
2135 },
2136
2137 {
2138 .hook = ip_vs_local_request4,
2139 .pf = NFPROTO_IPV4,
2140 .hooknum = NF_INET_LOCAL_OUT,
2141 .priority = NF_IP_PRI_NAT_DST + 2,
2142 },
2143
2144
2145 {
2146 .hook = ip_vs_forward_icmp,
2147 .pf = NFPROTO_IPV4,
2148 .hooknum = NF_INET_FORWARD,
2149 .priority = 99,
2150 },
2151
2152 {
2153 .hook = ip_vs_reply4,
2154 .pf = NFPROTO_IPV4,
2155 .hooknum = NF_INET_FORWARD,
2156 .priority = 100,
2157 },
2158#ifdef CONFIG_IP_VS_IPV6
2159
2160 {
2161 .hook = ip_vs_reply6,
2162 .pf = NFPROTO_IPV6,
2163 .hooknum = NF_INET_LOCAL_IN,
2164 .priority = NF_IP6_PRI_NAT_SRC - 2,
2165 },
2166
2167
2168
2169 {
2170 .hook = ip_vs_remote_request6,
2171 .pf = NFPROTO_IPV6,
2172 .hooknum = NF_INET_LOCAL_IN,
2173 .priority = NF_IP6_PRI_NAT_SRC - 1,
2174 },
2175
2176 {
2177 .hook = ip_vs_local_reply6,
2178 .pf = NFPROTO_IPV6,
2179 .hooknum = NF_INET_LOCAL_OUT,
2180 .priority = NF_IP6_PRI_NAT_DST + 1,
2181 },
2182
2183 {
2184 .hook = ip_vs_local_request6,
2185 .pf = NFPROTO_IPV6,
2186 .hooknum = NF_INET_LOCAL_OUT,
2187 .priority = NF_IP6_PRI_NAT_DST + 2,
2188 },
2189
2190
2191 {
2192 .hook = ip_vs_forward_icmp_v6,
2193 .pf = NFPROTO_IPV6,
2194 .hooknum = NF_INET_FORWARD,
2195 .priority = 99,
2196 },
2197
2198 {
2199 .hook = ip_vs_reply6,
2200 .pf = NFPROTO_IPV6,
2201 .hooknum = NF_INET_FORWARD,
2202 .priority = 100,
2203 },
2204#endif
2205};
2206
2207
2208
2209static int __net_init __ip_vs_init(struct net *net)
2210{
2211 struct netns_ipvs *ipvs;
2212 int ret;
2213
2214 ipvs = net_generic(net, ip_vs_net_id);
2215 if (ipvs == NULL)
2216 return -ENOMEM;
2217
2218
2219 ipvs->enable = 0;
2220 ipvs->net = net;
2221
2222 ipvs->gen = atomic_read(&ipvs_netns_cnt);
2223 atomic_inc(&ipvs_netns_cnt);
2224 net->ipvs = ipvs;
2225
2226 if (ip_vs_estimator_net_init(ipvs) < 0)
2227 goto estimator_fail;
2228
2229 if (ip_vs_control_net_init(ipvs) < 0)
2230 goto control_fail;
2231
2232 if (ip_vs_protocol_net_init(ipvs) < 0)
2233 goto protocol_fail;
2234
2235 if (ip_vs_app_net_init(ipvs) < 0)
2236 goto app_fail;
2237
2238 if (ip_vs_conn_net_init(ipvs) < 0)
2239 goto conn_fail;
2240
2241 if (ip_vs_sync_net_init(ipvs) < 0)
2242 goto sync_fail;
2243
2244 ret = nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
2245 if (ret < 0)
2246 goto hook_fail;
2247
2248 return 0;
2249
2250
2251
2252
2253hook_fail:
2254 ip_vs_sync_net_cleanup(ipvs);
2255sync_fail:
2256 ip_vs_conn_net_cleanup(ipvs);
2257conn_fail:
2258 ip_vs_app_net_cleanup(ipvs);
2259app_fail:
2260 ip_vs_protocol_net_cleanup(ipvs);
2261protocol_fail:
2262 ip_vs_control_net_cleanup(ipvs);
2263control_fail:
2264 ip_vs_estimator_net_cleanup(ipvs);
2265estimator_fail:
2266 net->ipvs = NULL;
2267 return -ENOMEM;
2268}
2269
2270static void __net_exit __ip_vs_cleanup(struct net *net)
2271{
2272 struct netns_ipvs *ipvs = net_ipvs(net);
2273
2274 nf_unregister_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
2275 ip_vs_service_net_cleanup(ipvs);
2276 ip_vs_conn_net_cleanup(ipvs);
2277 ip_vs_app_net_cleanup(ipvs);
2278 ip_vs_protocol_net_cleanup(ipvs);
2279 ip_vs_control_net_cleanup(ipvs);
2280 ip_vs_estimator_net_cleanup(ipvs);
2281 IP_VS_DBG(2, "ipvs netns %d released\n", ipvs->gen);
2282 net->ipvs = NULL;
2283}
2284
2285static void __net_exit __ip_vs_dev_cleanup(struct net *net)
2286{
2287 struct netns_ipvs *ipvs = net_ipvs(net);
2288 EnterFunction(2);
2289 ipvs->enable = 0;
2290 smp_wmb();
2291 ip_vs_sync_net_cleanup(ipvs);
2292 LeaveFunction(2);
2293}
2294
2295static struct pernet_operations ipvs_core_ops = {
2296 .init = __ip_vs_init,
2297 .exit = __ip_vs_cleanup,
2298 .id = &ip_vs_net_id,
2299 .size = sizeof(struct netns_ipvs),
2300};
2301
2302static struct pernet_operations ipvs_core_dev_ops = {
2303 .exit = __ip_vs_dev_cleanup,
2304};
2305
2306
2307
2308
2309static int __init ip_vs_init(void)
2310{
2311 int ret;
2312
2313 ret = ip_vs_control_init();
2314 if (ret < 0) {
2315 pr_err("can't setup control.\n");
2316 goto exit;
2317 }
2318
2319 ip_vs_protocol_init();
2320
2321 ret = ip_vs_conn_init();
2322 if (ret < 0) {
2323 pr_err("can't setup connection table.\n");
2324 goto cleanup_protocol;
2325 }
2326
2327 ret = register_pernet_subsys(&ipvs_core_ops);
2328 if (ret < 0)
2329 goto cleanup_conn;
2330
2331 ret = register_pernet_device(&ipvs_core_dev_ops);
2332 if (ret < 0)
2333 goto cleanup_sub;
2334
2335 ret = ip_vs_register_nl_ioctl();
2336 if (ret < 0) {
2337 pr_err("can't register netlink/ioctl.\n");
2338 goto cleanup_dev;
2339 }
2340
2341 pr_info("ipvs loaded.\n");
2342
2343 return ret;
2344
2345cleanup_dev:
2346 unregister_pernet_device(&ipvs_core_dev_ops);
2347cleanup_sub:
2348 unregister_pernet_subsys(&ipvs_core_ops);
2349cleanup_conn:
2350 ip_vs_conn_cleanup();
2351cleanup_protocol:
2352 ip_vs_protocol_cleanup();
2353 ip_vs_control_cleanup();
2354exit:
2355 return ret;
2356}
2357
2358static void __exit ip_vs_cleanup(void)
2359{
2360 ip_vs_unregister_nl_ioctl();
2361 unregister_pernet_device(&ipvs_core_dev_ops);
2362 unregister_pernet_subsys(&ipvs_core_ops);
2363 ip_vs_conn_cleanup();
2364 ip_vs_protocol_cleanup();
2365 ip_vs_control_cleanup();
2366 pr_info("ipvs unloaded.\n");
2367}
2368
2369module_init(ip_vs_init);
2370module_exit(ip_vs_cleanup);
2371MODULE_LICENSE("GPL");
2372
