1
2
3
4
5
6
7
8
9
10
11
12#define KMSG_COMPONENT "IPVS"
13#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
14
15#include <linux/in.h>
16#include <linux/ip.h>
17#include <linux/kernel.h>
18#include <linux/netfilter.h>
19#include <linux/netfilter_ipv4.h>
20#include <linux/udp.h>
21#include <linux/indirect_call_wrapper.h>
22
23#include <net/ip_vs.h>
24#include <net/ip.h>
25#include <net/ip6_checksum.h>
26
27static int
28udp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp);
29
30static int
31udp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
32 struct ip_vs_proto_data *pd,
33 int *verdict, struct ip_vs_conn **cpp,
34 struct ip_vs_iphdr *iph)
35{
36 struct ip_vs_service *svc;
37 struct udphdr _udph, *uh;
38 __be16 _ports[2], *ports = NULL;
39
40 if (likely(!ip_vs_iph_icmp(iph))) {
41
42 uh = skb_header_pointer(skb, iph->len, sizeof(_udph), &_udph);
43 if (uh)
44 ports = &uh->source;
45 } else {
46 ports = skb_header_pointer(
47 skb, iph->len, sizeof(_ports), &_ports);
48 }
49
50 if (!ports) {
51 *verdict = NF_DROP;
52 return 0;
53 }
54
55 if (likely(!ip_vs_iph_inverse(iph)))
56 svc = ip_vs_service_find(ipvs, af, skb->mark, iph->protocol,
57 &iph->daddr, ports[1]);
58 else
59 svc = ip_vs_service_find(ipvs, af, skb->mark, iph->protocol,
60 &iph->saddr, ports[0]);
61
62 if (svc) {
63 int ignored;
64
65 if (ip_vs_todrop(ipvs)) {
66
67
68
69
70 *verdict = NF_DROP;
71 return 0;
72 }
73
74
75
76
77
78 *cpp = ip_vs_schedule(svc, skb, pd, &ignored, iph);
79 if (!*cpp && ignored <= 0) {
80 if (!ignored)
81 *verdict = ip_vs_leave(svc, skb, pd, iph);
82 else
83 *verdict = NF_DROP;
84 return 0;
85 }
86 }
87
88 return 1;
89}
90
91
92static inline void
93udp_fast_csum_update(int af, struct udphdr *uhdr,
94 const union nf_inet_addr *oldip,
95 const union nf_inet_addr *newip,
96 __be16 oldport, __be16 newport)
97{
98#ifdef CONFIG_IP_VS_IPV6
99 if (af == AF_INET6)
100 uhdr->check =
101 csum_fold(ip_vs_check_diff16(oldip->ip6, newip->ip6,
102 ip_vs_check_diff2(oldport, newport,
103 ~csum_unfold(uhdr->check))));
104 else
105#endif
106 uhdr->check =
107 csum_fold(ip_vs_check_diff4(oldip->ip, newip->ip,
108 ip_vs_check_diff2(oldport, newport,
109 ~csum_unfold(uhdr->check))));
110 if (!uhdr->check)
111 uhdr->check = CSUM_MANGLED_0;
112}
113
114static inline void
115udp_partial_csum_update(int af, struct udphdr *uhdr,
116 const union nf_inet_addr *oldip,
117 const union nf_inet_addr *newip,
118 __be16 oldlen, __be16 newlen)
119{
120#ifdef CONFIG_IP_VS_IPV6
121 if (af == AF_INET6)
122 uhdr->check =
123 ~csum_fold(ip_vs_check_diff16(oldip->ip6, newip->ip6,
124 ip_vs_check_diff2(oldlen, newlen,
125 csum_unfold(uhdr->check))));
126 else
127#endif
128 uhdr->check =
129 ~csum_fold(ip_vs_check_diff4(oldip->ip, newip->ip,
130 ip_vs_check_diff2(oldlen, newlen,
131 csum_unfold(uhdr->check))));
132}
133
134
135INDIRECT_CALLABLE_SCOPE int
136udp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
137 struct ip_vs_conn *cp, struct ip_vs_iphdr *iph)
138{
139 struct udphdr *udph;
140 unsigned int udphoff = iph->len;
141 bool payload_csum = false;
142 int oldlen;
143
144#ifdef CONFIG_IP_VS_IPV6
145 if (cp->af == AF_INET6 && iph->fragoffs)
146 return 1;
147#endif
148 oldlen = skb->len - udphoff;
149
150
151 if (skb_ensure_writable(skb, udphoff + sizeof(*udph)))
152 return 0;
153
154 if (unlikely(cp->app != NULL)) {
155 int ret;
156
157
158 if (!udp_csum_check(cp->af, skb, pp))
159 return 0;
160
161
162
163
164 if (!(ret = ip_vs_app_pkt_out(cp, skb, iph)))
165 return 0;
166
167 if (ret == 1)
168 oldlen = skb->len - udphoff;
169 else
170 payload_csum = true;
171 }
172
173 udph = (void *)skb_network_header(skb) + udphoff;
174 udph->source = cp->vport;
175
176
177
178
179 if (skb->ip_summed == CHECKSUM_PARTIAL) {
180 udp_partial_csum_update(cp->af, udph, &cp->daddr, &cp->vaddr,
181 htons(oldlen),
182 htons(skb->len - udphoff));
183 } else if (!payload_csum && (udph->check != 0)) {
184
185 udp_fast_csum_update(cp->af, udph, &cp->daddr, &cp->vaddr,
186 cp->dport, cp->vport);
187 if (skb->ip_summed == CHECKSUM_COMPLETE)
188 skb->ip_summed = cp->app ?
189 CHECKSUM_UNNECESSARY : CHECKSUM_NONE;
190 } else {
191
192 udph->check = 0;
193 skb->csum = skb_checksum(skb, udphoff, skb->len - udphoff, 0);
194#ifdef CONFIG_IP_VS_IPV6
195 if (cp->af == AF_INET6)
196 udph->check = csum_ipv6_magic(&cp->vaddr.in6,
197 &cp->caddr.in6,
198 skb->len - udphoff,
199 cp->protocol, skb->csum);
200 else
201#endif
202 udph->check = csum_tcpudp_magic(cp->vaddr.ip,
203 cp->caddr.ip,
204 skb->len - udphoff,
205 cp->protocol,
206 skb->csum);
207 if (udph->check == 0)
208 udph->check = CSUM_MANGLED_0;
209 skb->ip_summed = CHECKSUM_UNNECESSARY;
210 IP_VS_DBG(11, "O-pkt: %s O-csum=%d (+%zd)\n",
211 pp->name, udph->check,
212 (char*)&(udph->check) - (char*)udph);
213 }
214 return 1;
215}
216
217
218static int
219udp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
220 struct ip_vs_conn *cp, struct ip_vs_iphdr *iph)
221{
222 struct udphdr *udph;
223 unsigned int udphoff = iph->len;
224 bool payload_csum = false;
225 int oldlen;
226
227#ifdef CONFIG_IP_VS_IPV6
228 if (cp->af == AF_INET6 && iph->fragoffs)
229 return 1;
230#endif
231 oldlen = skb->len - udphoff;
232
233
234 if (skb_ensure_writable(skb, udphoff + sizeof(*udph)))
235 return 0;
236
237 if (unlikely(cp->app != NULL)) {
238 int ret;
239
240
241 if (!udp_csum_check(cp->af, skb, pp))
242 return 0;
243
244
245
246
247
248 if (!(ret = ip_vs_app_pkt_in(cp, skb, iph)))
249 return 0;
250
251 if (ret == 1)
252 oldlen = skb->len - udphoff;
253 else
254 payload_csum = true;
255 }
256
257 udph = (void *)skb_network_header(skb) + udphoff;
258 udph->dest = cp->dport;
259
260
261
262
263 if (skb->ip_summed == CHECKSUM_PARTIAL) {
264 udp_partial_csum_update(cp->af, udph, &cp->vaddr, &cp->daddr,
265 htons(oldlen),
266 htons(skb->len - udphoff));
267 } else if (!payload_csum && (udph->check != 0)) {
268
269 udp_fast_csum_update(cp->af, udph, &cp->vaddr, &cp->daddr,
270 cp->vport, cp->dport);
271 if (skb->ip_summed == CHECKSUM_COMPLETE)
272 skb->ip_summed = cp->app ?
273 CHECKSUM_UNNECESSARY : CHECKSUM_NONE;
274 } else {
275
276 udph->check = 0;
277 skb->csum = skb_checksum(skb, udphoff, skb->len - udphoff, 0);
278#ifdef CONFIG_IP_VS_IPV6
279 if (cp->af == AF_INET6)
280 udph->check = csum_ipv6_magic(&cp->caddr.in6,
281 &cp->daddr.in6,
282 skb->len - udphoff,
283 cp->protocol, skb->csum);
284 else
285#endif
286 udph->check = csum_tcpudp_magic(cp->caddr.ip,
287 cp->daddr.ip,
288 skb->len - udphoff,
289 cp->protocol,
290 skb->csum);
291 if (udph->check == 0)
292 udph->check = CSUM_MANGLED_0;
293 skb->ip_summed = CHECKSUM_UNNECESSARY;
294 }
295 return 1;
296}
297
298
299static int
300udp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp)
301{
302 struct udphdr _udph, *uh;
303 unsigned int udphoff;
304
305#ifdef CONFIG_IP_VS_IPV6
306 if (af == AF_INET6)
307 udphoff = sizeof(struct ipv6hdr);
308 else
309#endif
310 udphoff = ip_hdrlen(skb);
311
312 uh = skb_header_pointer(skb, udphoff, sizeof(_udph), &_udph);
313 if (uh == NULL)
314 return 0;
315
316 if (uh->check != 0) {
317 switch (skb->ip_summed) {
318 case CHECKSUM_NONE:
319 skb->csum = skb_checksum(skb, udphoff,
320 skb->len - udphoff, 0);
321 fallthrough;
322 case CHECKSUM_COMPLETE:
323#ifdef CONFIG_IP_VS_IPV6
324 if (af == AF_INET6) {
325 if (csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
326 &ipv6_hdr(skb)->daddr,
327 skb->len - udphoff,
328 ipv6_hdr(skb)->nexthdr,
329 skb->csum)) {
330 IP_VS_DBG_RL_PKT(0, af, pp, skb, 0,
331 "Failed checksum for");
332 return 0;
333 }
334 } else
335#endif
336 if (csum_tcpudp_magic(ip_hdr(skb)->saddr,
337 ip_hdr(skb)->daddr,
338 skb->len - udphoff,
339 ip_hdr(skb)->protocol,
340 skb->csum)) {
341 IP_VS_DBG_RL_PKT(0, af, pp, skb, 0,
342 "Failed checksum for");
343 return 0;
344 }
345 break;
346 default:
347
348 break;
349 }
350 }
351 return 1;
352}
353
354static inline __u16 udp_app_hashkey(__be16 port)
355{
356 return (((__force u16)port >> UDP_APP_TAB_BITS) ^ (__force u16)port)
357 & UDP_APP_TAB_MASK;
358}
359
360
361static int udp_register_app(struct netns_ipvs *ipvs, struct ip_vs_app *inc)
362{
363 struct ip_vs_app *i;
364 __u16 hash;
365 __be16 port = inc->port;
366 int ret = 0;
367 struct ip_vs_proto_data *pd = ip_vs_proto_data_get(ipvs, IPPROTO_UDP);
368
369 hash = udp_app_hashkey(port);
370
371 list_for_each_entry(i, &ipvs->udp_apps[hash], p_list) {
372 if (i->port == port) {
373 ret = -EEXIST;
374 goto out;
375 }
376 }
377 list_add_rcu(&inc->p_list, &ipvs->udp_apps[hash]);
378 atomic_inc(&pd->appcnt);
379
380 out:
381 return ret;
382}
383
384
385static void
386udp_unregister_app(struct netns_ipvs *ipvs, struct ip_vs_app *inc)
387{
388 struct ip_vs_proto_data *pd = ip_vs_proto_data_get(ipvs, IPPROTO_UDP);
389
390 atomic_dec(&pd->appcnt);
391 list_del_rcu(&inc->p_list);
392}
393
394
395static int udp_app_conn_bind(struct ip_vs_conn *cp)
396{
397 struct netns_ipvs *ipvs = cp->ipvs;
398 int hash;
399 struct ip_vs_app *inc;
400 int result = 0;
401
402
403 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
404 return 0;
405
406
407 hash = udp_app_hashkey(cp->vport);
408
409 list_for_each_entry_rcu(inc, &ipvs->udp_apps[hash], p_list) {
410 if (inc->port == cp->vport) {
411 if (unlikely(!ip_vs_app_inc_get(inc)))
412 break;
413
414 IP_VS_DBG_BUF(9, "%s(): Binding conn %s:%u->"
415 "%s:%u to app %s on port %u\n",
416 __func__,
417 IP_VS_DBG_ADDR(cp->af, &cp->caddr),
418 ntohs(cp->cport),
419 IP_VS_DBG_ADDR(cp->af, &cp->vaddr),
420 ntohs(cp->vport),
421 inc->name, ntohs(inc->port));
422
423 cp->app = inc;
424 if (inc->init_conn)
425 result = inc->init_conn(inc, cp);
426 break;
427 }
428 }
429
430 return result;
431}
432
433
434static const int udp_timeouts[IP_VS_UDP_S_LAST+1] = {
435 [IP_VS_UDP_S_NORMAL] = 5*60*HZ,
436 [IP_VS_UDP_S_LAST] = 2*HZ,
437};
438
439static const char *const udp_state_name_table[IP_VS_UDP_S_LAST+1] = {
440 [IP_VS_UDP_S_NORMAL] = "UDP",
441 [IP_VS_UDP_S_LAST] = "BUG!",
442};
443
444static const char * udp_state_name(int state)
445{
446 if (state >= IP_VS_UDP_S_LAST)
447 return "ERR!";
448 return udp_state_name_table[state] ? udp_state_name_table[state] : "?";
449}
450
451static void
452udp_state_transition(struct ip_vs_conn *cp, int direction,
453 const struct sk_buff *skb,
454 struct ip_vs_proto_data *pd)
455{
456 if (unlikely(!pd)) {
457 pr_err("UDP no ns data\n");
458 return;
459 }
460
461 cp->timeout = pd->timeout_table[IP_VS_UDP_S_NORMAL];
462 if (direction == IP_VS_DIR_OUTPUT)
463 ip_vs_control_assure_ct(cp);
464}
465
466static int __udp_init(struct netns_ipvs *ipvs, struct ip_vs_proto_data *pd)
467{
468 ip_vs_init_hash_table(ipvs->udp_apps, UDP_APP_TAB_SIZE);
469 pd->timeout_table = ip_vs_create_timeout_table((int *)udp_timeouts,
470 sizeof(udp_timeouts));
471 if (!pd->timeout_table)
472 return -ENOMEM;
473 return 0;
474}
475
476static void __udp_exit(struct netns_ipvs *ipvs, struct ip_vs_proto_data *pd)
477{
478 kfree(pd->timeout_table);
479}
480
481
482struct ip_vs_protocol ip_vs_protocol_udp = {
483 .name = "UDP",
484 .protocol = IPPROTO_UDP,
485 .num_states = IP_VS_UDP_S_LAST,
486 .dont_defrag = 0,
487 .init = NULL,
488 .exit = NULL,
489 .init_netns = __udp_init,
490 .exit_netns = __udp_exit,
491 .conn_schedule = udp_conn_schedule,
492 .conn_in_get = ip_vs_conn_in_get_proto,
493 .conn_out_get = ip_vs_conn_out_get_proto,
494 .snat_handler = udp_snat_handler,
495 .dnat_handler = udp_dnat_handler,
496 .state_transition = udp_state_transition,
497 .state_name = udp_state_name,
498 .register_app = udp_register_app,
499 .unregister_app = udp_unregister_app,
500 .app_conn_bind = udp_app_conn_bind,
501 .debug_packet = ip_vs_tcpudp_debug_packet,
502 .timeout_change = NULL,
503};
504
