Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * IPVS An implementation of the IP virtual server support for the | |
3 | * LINUX operating system. IPVS is now implemented as a module | |
4 | * over the Netfilter framework. IPVS can be used to build a | |
5 | * high-performance and highly available server based on a | |
6 | * cluster of servers. | |
7 | * | |
1da177e4 LT |
8 | * Authors: Wensong Zhang <wensong@linuxvirtualserver.org> |
9 | * Peter Kese <peter.kese@ijs.si> | |
10 | * Julian Anastasov <ja@ssi.bg> | |
11 | * | |
12 | * This program is free software; you can redistribute it and/or | |
13 | * modify it under the terms of the GNU General Public License | |
14 | * as published by the Free Software Foundation; either version | |
15 | * 2 of the License, or (at your option) any later version. | |
16 | * | |
17 | * The IPVS code for kernel 2.2 was done by Wensong Zhang and Peter Kese, | |
18 | * with changes/fixes from Julian Anastasov, Lars Marowsky-Bree, Horms | |
19 | * and others. | |
20 | * | |
21 | * Changes: | |
22 | * Paul `Rusty' Russell properly handle non-linear skbs | |
6869c4d8 | 23 | * Harald Welte don't use nfcache |
1da177e4 LT |
24 | * |
25 | */ | |
26 | ||
9aada7ac HE |
27 | #define KMSG_COMPONENT "IPVS" |
28 | #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt | |
29 | ||
1da177e4 LT |
30 | #include <linux/module.h> |
31 | #include <linux/kernel.h> | |
32 | #include <linux/ip.h> | |
33 | #include <linux/tcp.h> | |
2906f66a | 34 | #include <linux/sctp.h> |
1da177e4 | 35 | #include <linux/icmp.h> |
5a0e3ad6 | 36 | #include <linux/slab.h> |
1da177e4 LT |
37 | |
38 | #include <net/ip.h> | |
39 | #include <net/tcp.h> | |
40 | #include <net/udp.h> | |
41 | #include <net/icmp.h> /* for icmp_send */ | |
42 | #include <net/route.h> | |
2c70b519 | 43 | #include <net/ip6_checksum.h> |
61b1ab45 | 44 | #include <net/netns/generic.h> /* net_generic() */ |
1da177e4 LT |
45 | |
46 | #include <linux/netfilter.h> | |
47 | #include <linux/netfilter_ipv4.h> | |
48 | ||
2a3b791e JV |
49 | #ifdef CONFIG_IP_VS_IPV6 |
50 | #include <net/ipv6.h> | |
51 | #include <linux/netfilter_ipv6.h> | |
489fdeda | 52 | #include <net/ip6_route.h> |
2a3b791e JV |
53 | #endif |
54 | ||
1da177e4 LT |
55 | #include <net/ip_vs.h> |
56 | ||
57 | ||
58 | EXPORT_SYMBOL(register_ip_vs_scheduler); | |
59 | EXPORT_SYMBOL(unregister_ip_vs_scheduler); | |
1da177e4 LT |
60 | EXPORT_SYMBOL(ip_vs_proto_name); |
61 | EXPORT_SYMBOL(ip_vs_conn_new); | |
62 | EXPORT_SYMBOL(ip_vs_conn_in_get); | |
63 | EXPORT_SYMBOL(ip_vs_conn_out_get); | |
64 | #ifdef CONFIG_IP_VS_PROTO_TCP | |
65 | EXPORT_SYMBOL(ip_vs_tcp_conn_listen); | |
66 | #endif | |
67 | EXPORT_SYMBOL(ip_vs_conn_put); | |
68 | #ifdef CONFIG_IP_VS_DEBUG | |
69 | EXPORT_SYMBOL(ip_vs_get_debug_level); | |
70 | #endif | |
1da177e4 | 71 | |
61b1ab45 HS |
72 | int ip_vs_net_id __read_mostly; |
73 | #ifdef IP_VS_GENERIC_NETNS | |
74 | EXPORT_SYMBOL(ip_vs_net_id); | |
75 | #endif | |
76 | /* netns cnt used for uniqueness */ | |
77 | static atomic_t ipvs_netns_cnt = ATOMIC_INIT(0); | |
1da177e4 LT |
78 | |
79 | /* ID used in ICMP lookups */ | |
80 | #define icmp_id(icmph) (((icmph)->un).echo.id) | |
2a3b791e | 81 | #define icmpv6_id(icmph) (icmph->icmp6_dataun.u_echo.identifier) |
1da177e4 LT |
82 | |
83 | const char *ip_vs_proto_name(unsigned proto) | |
84 | { | |
85 | static char buf[20]; | |
86 | ||
87 | switch (proto) { | |
88 | case IPPROTO_IP: | |
89 | return "IP"; | |
90 | case IPPROTO_UDP: | |
91 | return "UDP"; | |
92 | case IPPROTO_TCP: | |
93 | return "TCP"; | |
2906f66a VMR |
94 | case IPPROTO_SCTP: |
95 | return "SCTP"; | |
1da177e4 LT |
96 | case IPPROTO_ICMP: |
97 | return "ICMP"; | |
2a3b791e JV |
98 | #ifdef CONFIG_IP_VS_IPV6 |
99 | case IPPROTO_ICMPV6: | |
100 | return "ICMPv6"; | |
101 | #endif | |
1da177e4 LT |
102 | default: |
103 | sprintf(buf, "IP_%d", proto); | |
104 | return buf; | |
105 | } | |
106 | } | |
107 | ||
108 | void ip_vs_init_hash_table(struct list_head *table, int rows) | |
109 | { | |
110 | while (--rows >= 0) | |
111 | INIT_LIST_HEAD(&table[rows]); | |
112 | } | |
113 | ||
114 | static inline void | |
115 | ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb) | |
116 | { | |
117 | struct ip_vs_dest *dest = cp->dest; | |
118 | if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) { | |
119 | spin_lock(&dest->stats.lock); | |
e9c0ce23 SW |
120 | dest->stats.ustats.inpkts++; |
121 | dest->stats.ustats.inbytes += skb->len; | |
1da177e4 LT |
122 | spin_unlock(&dest->stats.lock); |
123 | ||
124 | spin_lock(&dest->svc->stats.lock); | |
e9c0ce23 SW |
125 | dest->svc->stats.ustats.inpkts++; |
126 | dest->svc->stats.ustats.inbytes += skb->len; | |
1da177e4 LT |
127 | spin_unlock(&dest->svc->stats.lock); |
128 | ||
129 | spin_lock(&ip_vs_stats.lock); | |
e9c0ce23 SW |
130 | ip_vs_stats.ustats.inpkts++; |
131 | ip_vs_stats.ustats.inbytes += skb->len; | |
1da177e4 LT |
132 | spin_unlock(&ip_vs_stats.lock); |
133 | } | |
134 | } | |
135 | ||
136 | ||
137 | static inline void | |
138 | ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb) | |
139 | { | |
140 | struct ip_vs_dest *dest = cp->dest; | |
141 | if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) { | |
142 | spin_lock(&dest->stats.lock); | |
e9c0ce23 SW |
143 | dest->stats.ustats.outpkts++; |
144 | dest->stats.ustats.outbytes += skb->len; | |
1da177e4 LT |
145 | spin_unlock(&dest->stats.lock); |
146 | ||
147 | spin_lock(&dest->svc->stats.lock); | |
e9c0ce23 SW |
148 | dest->svc->stats.ustats.outpkts++; |
149 | dest->svc->stats.ustats.outbytes += skb->len; | |
1da177e4 LT |
150 | spin_unlock(&dest->svc->stats.lock); |
151 | ||
152 | spin_lock(&ip_vs_stats.lock); | |
e9c0ce23 SW |
153 | ip_vs_stats.ustats.outpkts++; |
154 | ip_vs_stats.ustats.outbytes += skb->len; | |
1da177e4 LT |
155 | spin_unlock(&ip_vs_stats.lock); |
156 | } | |
157 | } | |
158 | ||
159 | ||
160 | static inline void | |
161 | ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc) | |
162 | { | |
163 | spin_lock(&cp->dest->stats.lock); | |
e9c0ce23 | 164 | cp->dest->stats.ustats.conns++; |
1da177e4 LT |
165 | spin_unlock(&cp->dest->stats.lock); |
166 | ||
167 | spin_lock(&svc->stats.lock); | |
e9c0ce23 | 168 | svc->stats.ustats.conns++; |
1da177e4 LT |
169 | spin_unlock(&svc->stats.lock); |
170 | ||
171 | spin_lock(&ip_vs_stats.lock); | |
e9c0ce23 | 172 | ip_vs_stats.ustats.conns++; |
1da177e4 LT |
173 | spin_unlock(&ip_vs_stats.lock); |
174 | } | |
175 | ||
176 | ||
177 | static inline int | |
178 | ip_vs_set_state(struct ip_vs_conn *cp, int direction, | |
179 | const struct sk_buff *skb, | |
180 | struct ip_vs_protocol *pp) | |
181 | { | |
182 | if (unlikely(!pp->state_transition)) | |
183 | return 0; | |
184 | return pp->state_transition(cp, direction, skb, pp); | |
185 | } | |
186 | ||
a5959d53 | 187 | static inline int |
85999283 SH |
188 | ip_vs_conn_fill_param_persist(const struct ip_vs_service *svc, |
189 | struct sk_buff *skb, int protocol, | |
190 | const union nf_inet_addr *caddr, __be16 cport, | |
191 | const union nf_inet_addr *vaddr, __be16 vport, | |
192 | struct ip_vs_conn_param *p) | |
193 | { | |
194 | ip_vs_conn_fill_param(svc->af, protocol, caddr, cport, vaddr, vport, p); | |
195 | p->pe = svc->pe; | |
196 | if (p->pe && p->pe->fill_param) | |
a5959d53 HS |
197 | return p->pe->fill_param(p, skb); |
198 | ||
199 | return 0; | |
85999283 | 200 | } |
1da177e4 | 201 | |
1da177e4 LT |
202 | /* |
203 | * IPVS persistent scheduling function | |
204 | * It creates a connection entry according to its template if exists, | |
205 | * or selects a server and creates a connection entry plus a template. | |
206 | * Locking: we are svc user (svc->refcnt), so we hold all dests too | |
207 | * Protocols supported: TCP, UDP | |
208 | */ | |
209 | static struct ip_vs_conn * | |
210 | ip_vs_sched_persist(struct ip_vs_service *svc, | |
85999283 | 211 | struct sk_buff *skb, |
a5959d53 | 212 | __be16 src_port, __be16 dst_port, int *ignored) |
1da177e4 LT |
213 | { |
214 | struct ip_vs_conn *cp = NULL; | |
28364a59 | 215 | struct ip_vs_iphdr iph; |
1da177e4 LT |
216 | struct ip_vs_dest *dest; |
217 | struct ip_vs_conn *ct; | |
5b57a98c | 218 | __be16 dport = 0; /* destination port to forward */ |
3575792e | 219 | unsigned int flags; |
f11017ec | 220 | struct ip_vs_conn_param param; |
28364a59 JV |
221 | union nf_inet_addr snet; /* source network of the client, |
222 | after masking */ | |
cd17f9ed JV |
223 | |
224 | ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph); | |
1da177e4 LT |
225 | |
226 | /* Mask saddr with the netmask to adjust template granularity */ | |
cd17f9ed JV |
227 | #ifdef CONFIG_IP_VS_IPV6 |
228 | if (svc->af == AF_INET6) | |
229 | ipv6_addr_prefix(&snet.in6, &iph.saddr.in6, svc->netmask); | |
230 | else | |
231 | #endif | |
232 | snet.ip = iph.saddr.ip & svc->netmask; | |
1da177e4 | 233 | |
cd17f9ed JV |
234 | IP_VS_DBG_BUF(6, "p-schedule: src %s:%u dest %s:%u " |
235 | "mnet %s\n", | |
ce144f24 HS |
236 | IP_VS_DBG_ADDR(svc->af, &iph.saddr), ntohs(src_port), |
237 | IP_VS_DBG_ADDR(svc->af, &iph.daddr), ntohs(dst_port), | |
cd17f9ed | 238 | IP_VS_DBG_ADDR(svc->af, &snet)); |
1da177e4 LT |
239 | |
240 | /* | |
241 | * As far as we know, FTP is a very complicated network protocol, and | |
242 | * it uses control connection and data connections. For active FTP, | |
243 | * FTP server initialize data connection to the client, its source port | |
244 | * is often 20. For passive FTP, FTP server tells the clients the port | |
245 | * that it passively listens to, and the client issues the data | |
246 | * connection. In the tunneling or direct routing mode, the load | |
247 | * balancer is on the client-to-server half of connection, the port | |
248 | * number is unknown to the load balancer. So, a conn template like | |
249 | * <caddr, 0, vaddr, 0, daddr, 0> is created for persistent FTP | |
250 | * service, and a template like <caddr, 0, vaddr, vport, daddr, dport> | |
251 | * is created for other persistent services. | |
252 | */ | |
5b57a98c | 253 | { |
f11017ec SH |
254 | int protocol = iph.protocol; |
255 | const union nf_inet_addr *vaddr = &iph.daddr; | |
256 | const union nf_inet_addr fwmark = { .ip = htonl(svc->fwmark) }; | |
257 | __be16 vport = 0; | |
258 | ||
ce144f24 | 259 | if (dst_port == svc->port) { |
5b57a98c SH |
260 | /* non-FTP template: |
261 | * <protocol, caddr, 0, vaddr, vport, daddr, dport> | |
262 | * FTP template: | |
263 | * <protocol, caddr, 0, vaddr, 0, daddr, 0> | |
1da177e4 LT |
264 | */ |
265 | if (svc->port != FTPPORT) | |
ce144f24 | 266 | vport = dst_port; |
1da177e4 | 267 | } else { |
5b57a98c SH |
268 | /* Note: persistent fwmark-based services and |
269 | * persistent port zero service are handled here. | |
270 | * fwmark template: | |
271 | * <IPPROTO_IP,caddr,0,fwmark,0,daddr,0> | |
272 | * port zero template: | |
273 | * <protocol,caddr,0,vaddr,0,daddr,0> | |
1da177e4 | 274 | */ |
28364a59 | 275 | if (svc->fwmark) { |
5b57a98c SH |
276 | protocol = IPPROTO_IP; |
277 | vaddr = &fwmark; | |
278 | } | |
1da177e4 | 279 | } |
a5959d53 HS |
280 | /* return *ignored = -1 so NF_DROP can be used */ |
281 | if (ip_vs_conn_fill_param_persist(svc, skb, protocol, &snet, 0, | |
282 | vaddr, vport, ¶m) < 0) { | |
283 | *ignored = -1; | |
284 | return NULL; | |
285 | } | |
1da177e4 LT |
286 | } |
287 | ||
5b57a98c | 288 | /* Check if a template already exists */ |
f11017ec | 289 | ct = ip_vs_ct_in_get(¶m); |
5b57a98c | 290 | if (!ct || !ip_vs_check_template(ct)) { |
a5959d53 HS |
291 | /* |
292 | * No template found or the dest of the connection | |
5b57a98c | 293 | * template is not available. |
a5959d53 | 294 | * return *ignored=0 i.e. ICMP and NF_DROP |
5b57a98c SH |
295 | */ |
296 | dest = svc->scheduler->schedule(svc, skb); | |
297 | if (!dest) { | |
298 | IP_VS_DBG(1, "p-schedule: no dest found.\n"); | |
85999283 | 299 | kfree(param.pe_data); |
a5959d53 | 300 | *ignored = 0; |
5b57a98c SH |
301 | return NULL; |
302 | } | |
303 | ||
ce144f24 | 304 | if (dst_port == svc->port && svc->port != FTPPORT) |
5b57a98c SH |
305 | dport = dest->port; |
306 | ||
85999283 SH |
307 | /* Create a template |
308 | * This adds param.pe_data to the template, | |
309 | * and thus param.pe_data will be destroyed | |
310 | * when the template expires */ | |
f11017ec | 311 | ct = ip_vs_conn_new(¶m, &dest->addr, dport, |
0e051e68 | 312 | IP_VS_CONN_F_TEMPLATE, dest, skb->mark); |
85999283 SH |
313 | if (ct == NULL) { |
314 | kfree(param.pe_data); | |
a5959d53 | 315 | *ignored = -1; |
5b57a98c | 316 | return NULL; |
85999283 | 317 | } |
5b57a98c SH |
318 | |
319 | ct->timeout = svc->timeout; | |
85999283 | 320 | } else { |
5b57a98c SH |
321 | /* set destination with the found template */ |
322 | dest = ct->dest; | |
85999283 SH |
323 | kfree(param.pe_data); |
324 | } | |
5b57a98c | 325 | |
ce144f24 | 326 | dport = dst_port; |
5b57a98c SH |
327 | if (dport == svc->port && dest->port) |
328 | dport = dest->port; | |
329 | ||
26ec037f NC |
330 | flags = (svc->flags & IP_VS_SVC_F_ONEPACKET |
331 | && iph.protocol == IPPROTO_UDP)? | |
332 | IP_VS_CONN_F_ONE_PACKET : 0; | |
333 | ||
1da177e4 LT |
334 | /* |
335 | * Create a new connection according to the template | |
336 | */ | |
ce144f24 HS |
337 | ip_vs_conn_fill_param(svc->af, iph.protocol, &iph.saddr, src_port, |
338 | &iph.daddr, dst_port, ¶m); | |
339 | ||
0e051e68 | 340 | cp = ip_vs_conn_new(¶m, &dest->addr, dport, flags, dest, skb->mark); |
1da177e4 LT |
341 | if (cp == NULL) { |
342 | ip_vs_conn_put(ct); | |
a5959d53 | 343 | *ignored = -1; |
1da177e4 LT |
344 | return NULL; |
345 | } | |
346 | ||
347 | /* | |
348 | * Add its control | |
349 | */ | |
350 | ip_vs_control_add(cp, ct); | |
351 | ip_vs_conn_put(ct); | |
352 | ||
353 | ip_vs_conn_stats(cp, svc); | |
354 | return cp; | |
355 | } | |
356 | ||
357 | ||
358 | /* | |
359 | * IPVS main scheduling function | |
360 | * It selects a server according to the virtual service, and | |
361 | * creates a connection entry. | |
362 | * Protocols supported: TCP, UDP | |
a5959d53 HS |
363 | * |
364 | * Usage of *ignored | |
365 | * | |
366 | * 1 : protocol tried to schedule (eg. on SYN), found svc but the | |
367 | * svc/scheduler decides that this packet should be accepted with | |
368 | * NF_ACCEPT because it must not be scheduled. | |
369 | * | |
370 | * 0 : scheduler can not find destination, so try bypass or | |
371 | * return ICMP and then NF_DROP (ip_vs_leave). | |
372 | * | |
373 | * -1 : scheduler tried to schedule but fatal error occurred, eg. | |
374 | * ip_vs_conn_new failure (ENOMEM) or ip_vs_sip_fill_param | |
375 | * failure such as missing Call-ID, ENOMEM on skb_linearize | |
376 | * or pe_data. In this case we should return NF_DROP without | |
377 | * any attempts to send ICMP with ip_vs_leave. | |
1da177e4 LT |
378 | */ |
379 | struct ip_vs_conn * | |
190ecd27 JA |
380 | ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb, |
381 | struct ip_vs_protocol *pp, int *ignored) | |
1da177e4 LT |
382 | { |
383 | struct ip_vs_conn *cp = NULL; | |
28364a59 | 384 | struct ip_vs_iphdr iph; |
1da177e4 | 385 | struct ip_vs_dest *dest; |
3575792e JA |
386 | __be16 _ports[2], *pptr; |
387 | unsigned int flags; | |
1da177e4 | 388 | |
190ecd27 | 389 | *ignored = 1; |
28364a59 JV |
390 | ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph); |
391 | pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports); | |
1da177e4 LT |
392 | if (pptr == NULL) |
393 | return NULL; | |
394 | ||
190ecd27 JA |
395 | /* |
396 | * FTPDATA needs this check when using local real server. | |
397 | * Never schedule Active FTPDATA connections from real server. | |
398 | * For LVS-NAT they must be already created. For other methods | |
399 | * with persistence the connection is created on SYN+ACK. | |
400 | */ | |
401 | if (pptr[0] == FTPDATA) { | |
0d79641a JA |
402 | IP_VS_DBG_PKT(12, svc->af, pp, skb, 0, |
403 | "Not scheduling FTPDATA"); | |
190ecd27 JA |
404 | return NULL; |
405 | } | |
406 | ||
407 | /* | |
a5959d53 | 408 | * Do not schedule replies from local real server. |
190ecd27 JA |
409 | */ |
410 | if ((!skb->dev || skb->dev->flags & IFF_LOOPBACK) && | |
190ecd27 | 411 | (cp = pp->conn_in_get(svc->af, skb, pp, &iph, iph.len, 1))) { |
0d79641a | 412 | IP_VS_DBG_PKT(12, svc->af, pp, skb, 0, |
190ecd27 JA |
413 | "Not scheduling reply for existing connection"); |
414 | __ip_vs_conn_put(cp); | |
415 | return NULL; | |
416 | } | |
417 | ||
1da177e4 LT |
418 | /* |
419 | * Persistent service | |
420 | */ | |
a5959d53 HS |
421 | if (svc->flags & IP_VS_SVC_F_PERSISTENT) |
422 | return ip_vs_sched_persist(svc, skb, pptr[0], pptr[1], ignored); | |
423 | ||
424 | *ignored = 0; | |
1da177e4 LT |
425 | |
426 | /* | |
427 | * Non-persistent service | |
428 | */ | |
429 | if (!svc->fwmark && pptr[1] != svc->port) { | |
430 | if (!svc->port) | |
1e3e238e HE |
431 | pr_err("Schedule: port zero only supported " |
432 | "in persistent services, " | |
433 | "check your ipvs configuration\n"); | |
1da177e4 LT |
434 | return NULL; |
435 | } | |
436 | ||
437 | dest = svc->scheduler->schedule(svc, skb); | |
438 | if (dest == NULL) { | |
439 | IP_VS_DBG(1, "Schedule: no dest found.\n"); | |
440 | return NULL; | |
441 | } | |
442 | ||
26ec037f NC |
443 | flags = (svc->flags & IP_VS_SVC_F_ONEPACKET |
444 | && iph.protocol == IPPROTO_UDP)? | |
445 | IP_VS_CONN_F_ONE_PACKET : 0; | |
446 | ||
1da177e4 LT |
447 | /* |
448 | * Create a connection entry. | |
449 | */ | |
f11017ec SH |
450 | { |
451 | struct ip_vs_conn_param p; | |
452 | ip_vs_conn_fill_param(svc->af, iph.protocol, &iph.saddr, | |
453 | pptr[0], &iph.daddr, pptr[1], &p); | |
454 | cp = ip_vs_conn_new(&p, &dest->addr, | |
455 | dest->port ? dest->port : pptr[1], | |
0e051e68 | 456 | flags, dest, skb->mark); |
a5959d53 HS |
457 | if (!cp) { |
458 | *ignored = -1; | |
f11017ec | 459 | return NULL; |
a5959d53 | 460 | } |
f11017ec | 461 | } |
1da177e4 | 462 | |
cd17f9ed JV |
463 | IP_VS_DBG_BUF(6, "Schedule fwd:%c c:%s:%u v:%s:%u " |
464 | "d:%s:%u conn->flags:%X conn->refcnt:%d\n", | |
465 | ip_vs_fwd_tag(cp), | |
466 | IP_VS_DBG_ADDR(svc->af, &cp->caddr), ntohs(cp->cport), | |
467 | IP_VS_DBG_ADDR(svc->af, &cp->vaddr), ntohs(cp->vport), | |
468 | IP_VS_DBG_ADDR(svc->af, &cp->daddr), ntohs(cp->dport), | |
469 | cp->flags, atomic_read(&cp->refcnt)); | |
1da177e4 LT |
470 | |
471 | ip_vs_conn_stats(cp, svc); | |
472 | return cp; | |
473 | } | |
474 | ||
475 | ||
476 | /* | |
477 | * Pass or drop the packet. | |
478 | * Called by ip_vs_in, when the virtual service is available but | |
479 | * no destination is available for a new connection. | |
480 | */ | |
481 | int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb, | |
482 | struct ip_vs_protocol *pp) | |
483 | { | |
014d730d | 484 | __be16 _ports[2], *pptr; |
28364a59 | 485 | struct ip_vs_iphdr iph; |
2a3b791e JV |
486 | int unicast; |
487 | ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph); | |
1da177e4 | 488 | |
28364a59 | 489 | pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports); |
1da177e4 LT |
490 | if (pptr == NULL) { |
491 | ip_vs_service_put(svc); | |
492 | return NF_DROP; | |
493 | } | |
494 | ||
2a3b791e JV |
495 | #ifdef CONFIG_IP_VS_IPV6 |
496 | if (svc->af == AF_INET6) | |
497 | unicast = ipv6_addr_type(&iph.daddr.in6) & IPV6_ADDR_UNICAST; | |
498 | else | |
499 | #endif | |
500 | unicast = (inet_addr_type(&init_net, iph.daddr.ip) == RTN_UNICAST); | |
501 | ||
1da177e4 | 502 | /* if it is fwmark-based service, the cache_bypass sysctl is up |
2a3b791e | 503 | and the destination is a non-local unicast, then create |
1da177e4 | 504 | a cache_bypass connection entry */ |
2a3b791e | 505 | if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) { |
1da177e4 LT |
506 | int ret, cs; |
507 | struct ip_vs_conn *cp; | |
3575792e JA |
508 | unsigned int flags = (svc->flags & IP_VS_SVC_F_ONEPACKET && |
509 | iph.protocol == IPPROTO_UDP)? | |
510 | IP_VS_CONN_F_ONE_PACKET : 0; | |
dff630dd | 511 | union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } }; |
1da177e4 LT |
512 | |
513 | ip_vs_service_put(svc); | |
514 | ||
515 | /* create a new connection entry */ | |
1e3e238e | 516 | IP_VS_DBG(6, "%s(): create a cache_bypass entry\n", __func__); |
f11017ec SH |
517 | { |
518 | struct ip_vs_conn_param p; | |
519 | ip_vs_conn_fill_param(svc->af, iph.protocol, | |
520 | &iph.saddr, pptr[0], | |
521 | &iph.daddr, pptr[1], &p); | |
522 | cp = ip_vs_conn_new(&p, &daddr, 0, | |
523 | IP_VS_CONN_F_BYPASS | flags, | |
0e051e68 | 524 | NULL, skb->mark); |
f11017ec SH |
525 | if (!cp) |
526 | return NF_DROP; | |
527 | } | |
1da177e4 LT |
528 | |
529 | /* statistics */ | |
530 | ip_vs_in_stats(cp, skb); | |
531 | ||
532 | /* set state */ | |
533 | cs = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp); | |
534 | ||
535 | /* transmit the first SYN packet */ | |
536 | ret = cp->packet_xmit(skb, cp, pp); | |
537 | /* do not touch skb anymore */ | |
538 | ||
539 | atomic_inc(&cp->in_pkts); | |
540 | ip_vs_conn_put(cp); | |
541 | return ret; | |
542 | } | |
543 | ||
544 | /* | |
545 | * When the virtual ftp service is presented, packets destined | |
546 | * for other services on the VIP may get here (except services | |
547 | * listed in the ipvs table), pass the packets, because it is | |
548 | * not ipvs job to decide to drop the packets. | |
549 | */ | |
550 | if ((svc->port == FTPPORT) && (pptr[1] != FTPPORT)) { | |
551 | ip_vs_service_put(svc); | |
552 | return NF_ACCEPT; | |
553 | } | |
554 | ||
555 | ip_vs_service_put(svc); | |
556 | ||
557 | /* | |
558 | * Notify the client that the destination is unreachable, and | |
559 | * release the socket buffer. | |
560 | * Since it is in IP layer, the TCP socket is not actually | |
561 | * created, the TCP RST packet cannot be sent, instead that | |
562 | * ICMP_PORT_UNREACH is sent here no matter it is TCP/UDP. --WZ | |
563 | */ | |
2a3b791e | 564 | #ifdef CONFIG_IP_VS_IPV6 |
cb59155f JA |
565 | if (svc->af == AF_INET6) { |
566 | if (!skb->dev) { | |
567 | struct net *net = dev_net(skb_dst(skb)->dev); | |
568 | ||
569 | skb->dev = net->loopback_dev; | |
570 | } | |
3ffe533c | 571 | icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0); |
cb59155f | 572 | } else |
2a3b791e JV |
573 | #endif |
574 | icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); | |
575 | ||
1da177e4 LT |
576 | return NF_DROP; |
577 | } | |
578 | ||
b1550f22 | 579 | __sum16 ip_vs_checksum_complete(struct sk_buff *skb, int offset) |
1da177e4 | 580 | { |
d3bc23e7 | 581 | return csum_fold(skb_checksum(skb, offset, skb->len - offset, 0)); |
1da177e4 LT |
582 | } |
583 | ||
1ca5bb54 JA |
584 | static inline enum ip_defrag_users ip_vs_defrag_user(unsigned int hooknum) |
585 | { | |
586 | if (NF_INET_LOCAL_IN == hooknum) | |
587 | return IP_DEFRAG_VS_IN; | |
588 | if (NF_INET_FORWARD == hooknum) | |
589 | return IP_DEFRAG_VS_FWD; | |
590 | return IP_DEFRAG_VS_OUT; | |
591 | } | |
592 | ||
776c729e | 593 | static inline int ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user) |
1da177e4 | 594 | { |
776c729e HX |
595 | int err = ip_defrag(skb, user); |
596 | ||
597 | if (!err) | |
eddc9ec5 | 598 | ip_send_check(ip_hdr(skb)); |
776c729e HX |
599 | |
600 | return err; | |
1da177e4 LT |
601 | } |
602 | ||
2a3b791e JV |
603 | #ifdef CONFIG_IP_VS_IPV6 |
604 | static inline int ip_vs_gather_frags_v6(struct sk_buff *skb, u_int32_t user) | |
605 | { | |
606 | /* TODO IPv6: Find out what to do here for IPv6 */ | |
607 | return 0; | |
608 | } | |
609 | #endif | |
610 | ||
1da177e4 LT |
611 | /* |
612 | * Packet has been made sufficiently writable in caller | |
613 | * - inout: 1=in->out, 0=out->in | |
614 | */ | |
615 | void ip_vs_nat_icmp(struct sk_buff *skb, struct ip_vs_protocol *pp, | |
616 | struct ip_vs_conn *cp, int inout) | |
617 | { | |
eddc9ec5 | 618 | struct iphdr *iph = ip_hdr(skb); |
1da177e4 | 619 | unsigned int icmp_offset = iph->ihl*4; |
d56f90a7 ACM |
620 | struct icmphdr *icmph = (struct icmphdr *)(skb_network_header(skb) + |
621 | icmp_offset); | |
1da177e4 LT |
622 | struct iphdr *ciph = (struct iphdr *)(icmph + 1); |
623 | ||
624 | if (inout) { | |
e7ade46a | 625 | iph->saddr = cp->vaddr.ip; |
1da177e4 | 626 | ip_send_check(iph); |
e7ade46a | 627 | ciph->daddr = cp->vaddr.ip; |
1da177e4 LT |
628 | ip_send_check(ciph); |
629 | } else { | |
e7ade46a | 630 | iph->daddr = cp->daddr.ip; |
1da177e4 | 631 | ip_send_check(iph); |
e7ade46a | 632 | ciph->saddr = cp->daddr.ip; |
1da177e4 LT |
633 | ip_send_check(ciph); |
634 | } | |
635 | ||
2906f66a VMR |
636 | /* the TCP/UDP/SCTP port */ |
637 | if (IPPROTO_TCP == ciph->protocol || IPPROTO_UDP == ciph->protocol || | |
638 | IPPROTO_SCTP == ciph->protocol) { | |
014d730d | 639 | __be16 *ports = (void *)ciph + ciph->ihl*4; |
1da177e4 LT |
640 | |
641 | if (inout) | |
642 | ports[1] = cp->vport; | |
643 | else | |
644 | ports[0] = cp->dport; | |
645 | } | |
646 | ||
647 | /* And finally the ICMP checksum */ | |
648 | icmph->checksum = 0; | |
649 | icmph->checksum = ip_vs_checksum_complete(skb, icmp_offset); | |
650 | skb->ip_summed = CHECKSUM_UNNECESSARY; | |
651 | ||
652 | if (inout) | |
0d79641a | 653 | IP_VS_DBG_PKT(11, AF_INET, pp, skb, (void *)ciph - (void *)iph, |
1da177e4 LT |
654 | "Forwarding altered outgoing ICMP"); |
655 | else | |
0d79641a | 656 | IP_VS_DBG_PKT(11, AF_INET, pp, skb, (void *)ciph - (void *)iph, |
1da177e4 LT |
657 | "Forwarding altered incoming ICMP"); |
658 | } | |
659 | ||
b3cdd2a7 JV |
660 | #ifdef CONFIG_IP_VS_IPV6 |
661 | void ip_vs_nat_icmp_v6(struct sk_buff *skb, struct ip_vs_protocol *pp, | |
662 | struct ip_vs_conn *cp, int inout) | |
663 | { | |
664 | struct ipv6hdr *iph = ipv6_hdr(skb); | |
665 | unsigned int icmp_offset = sizeof(struct ipv6hdr); | |
666 | struct icmp6hdr *icmph = (struct icmp6hdr *)(skb_network_header(skb) + | |
667 | icmp_offset); | |
668 | struct ipv6hdr *ciph = (struct ipv6hdr *)(icmph + 1); | |
669 | ||
670 | if (inout) { | |
671 | iph->saddr = cp->vaddr.in6; | |
672 | ciph->daddr = cp->vaddr.in6; | |
673 | } else { | |
674 | iph->daddr = cp->daddr.in6; | |
675 | ciph->saddr = cp->daddr.in6; | |
676 | } | |
677 | ||
2906f66a VMR |
678 | /* the TCP/UDP/SCTP port */ |
679 | if (IPPROTO_TCP == ciph->nexthdr || IPPROTO_UDP == ciph->nexthdr || | |
680 | IPPROTO_SCTP == ciph->nexthdr) { | |
b3cdd2a7 JV |
681 | __be16 *ports = (void *)ciph + sizeof(struct ipv6hdr); |
682 | ||
683 | if (inout) | |
684 | ports[1] = cp->vport; | |
685 | else | |
686 | ports[0] = cp->dport; | |
687 | } | |
688 | ||
689 | /* And finally the ICMP checksum */ | |
8870f842 SH |
690 | icmph->icmp6_cksum = ~csum_ipv6_magic(&iph->saddr, &iph->daddr, |
691 | skb->len - icmp_offset, | |
692 | IPPROTO_ICMPV6, 0); | |
693 | skb->csum_start = skb_network_header(skb) - skb->head + icmp_offset; | |
694 | skb->csum_offset = offsetof(struct icmp6hdr, icmp6_cksum); | |
695 | skb->ip_summed = CHECKSUM_PARTIAL; | |
b3cdd2a7 JV |
696 | |
697 | if (inout) | |
0d79641a JA |
698 | IP_VS_DBG_PKT(11, AF_INET6, pp, skb, |
699 | (void *)ciph - (void *)iph, | |
700 | "Forwarding altered outgoing ICMPv6"); | |
b3cdd2a7 | 701 | else |
0d79641a JA |
702 | IP_VS_DBG_PKT(11, AF_INET6, pp, skb, |
703 | (void *)ciph - (void *)iph, | |
704 | "Forwarding altered incoming ICMPv6"); | |
b3cdd2a7 JV |
705 | } |
706 | #endif | |
707 | ||
4856c84c MT |
708 | /* Handle relevant response ICMP messages - forward to the right |
709 | * destination host. Used for NAT and local client. | |
710 | */ | |
f2428ed5 SH |
711 | static int handle_response_icmp(int af, struct sk_buff *skb, |
712 | union nf_inet_addr *snet, | |
713 | __u8 protocol, struct ip_vs_conn *cp, | |
4856c84c MT |
714 | struct ip_vs_protocol *pp, |
715 | unsigned int offset, unsigned int ihl) | |
716 | { | |
717 | unsigned int verdict = NF_DROP; | |
718 | ||
719 | if (IP_VS_FWD_METHOD(cp) != 0) { | |
1e3e238e HE |
720 | pr_err("shouldn't reach here, because the box is on the " |
721 | "half connection in the tun/dr module.\n"); | |
4856c84c MT |
722 | } |
723 | ||
724 | /* Ensure the checksum is correct */ | |
725 | if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) { | |
726 | /* Failed checksum! */ | |
f2428ed5 SH |
727 | IP_VS_DBG_BUF(1, "Forward ICMP: failed checksum from %s!\n", |
728 | IP_VS_DBG_ADDR(af, snet)); | |
4856c84c MT |
729 | goto out; |
730 | } | |
731 | ||
2906f66a VMR |
732 | if (IPPROTO_TCP == protocol || IPPROTO_UDP == protocol || |
733 | IPPROTO_SCTP == protocol) | |
4856c84c MT |
734 | offset += 2 * sizeof(__u16); |
735 | if (!skb_make_writable(skb, offset)) | |
736 | goto out; | |
737 | ||
f2428ed5 SH |
738 | #ifdef CONFIG_IP_VS_IPV6 |
739 | if (af == AF_INET6) | |
740 | ip_vs_nat_icmp_v6(skb, pp, cp, 1); | |
741 | else | |
742 | #endif | |
743 | ip_vs_nat_icmp(skb, pp, cp, 1); | |
4856c84c | 744 | |
f5a41847 JA |
745 | #ifdef CONFIG_IP_VS_IPV6 |
746 | if (af == AF_INET6) { | |
747 | if (sysctl_ip_vs_snat_reroute && ip6_route_me_harder(skb) != 0) | |
748 | goto out; | |
749 | } else | |
750 | #endif | |
751 | if ((sysctl_ip_vs_snat_reroute || | |
752 | skb_rtable(skb)->rt_flags & RTCF_LOCAL) && | |
753 | ip_route_me_harder(skb, RTN_LOCAL) != 0) | |
754 | goto out; | |
755 | ||
4856c84c MT |
756 | /* do the statistics and put it back */ |
757 | ip_vs_out_stats(cp, skb); | |
758 | ||
cf356d69 | 759 | skb->ipvs_property = 1; |
f4bc17cd | 760 | if (!(cp->flags & IP_VS_CONN_F_NFCT)) |
cf356d69 | 761 | ip_vs_notrack(skb); |
f4bc17cd JA |
762 | else |
763 | ip_vs_update_conntrack(skb, cp, 0); | |
4856c84c MT |
764 | verdict = NF_ACCEPT; |
765 | ||
766 | out: | |
767 | __ip_vs_conn_put(cp); | |
768 | ||
769 | return verdict; | |
770 | } | |
771 | ||
1da177e4 LT |
772 | /* |
773 | * Handle ICMP messages in the inside-to-outside direction (outgoing). | |
4856c84c | 774 | * Find any that might be relevant, check against existing connections. |
1da177e4 | 775 | * Currently handles error types - unreachable, quench, ttl exceeded. |
1da177e4 | 776 | */ |
1ca5bb54 JA |
777 | static int ip_vs_out_icmp(struct sk_buff *skb, int *related, |
778 | unsigned int hooknum) | |
1da177e4 | 779 | { |
1da177e4 LT |
780 | struct iphdr *iph; |
781 | struct icmphdr _icmph, *ic; | |
782 | struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */ | |
51ef348b | 783 | struct ip_vs_iphdr ciph; |
1da177e4 LT |
784 | struct ip_vs_conn *cp; |
785 | struct ip_vs_protocol *pp; | |
4856c84c | 786 | unsigned int offset, ihl; |
f2428ed5 | 787 | union nf_inet_addr snet; |
1da177e4 LT |
788 | |
789 | *related = 1; | |
790 | ||
791 | /* reassemble IP fragments */ | |
eddc9ec5 | 792 | if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) { |
1ca5bb54 | 793 | if (ip_vs_gather_frags(skb, ip_vs_defrag_user(hooknum))) |
1da177e4 | 794 | return NF_STOLEN; |
1da177e4 LT |
795 | } |
796 | ||
eddc9ec5 | 797 | iph = ip_hdr(skb); |
1da177e4 LT |
798 | offset = ihl = iph->ihl * 4; |
799 | ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph); | |
800 | if (ic == NULL) | |
801 | return NF_DROP; | |
802 | ||
14d5e834 | 803 | IP_VS_DBG(12, "Outgoing ICMP (%d,%d) %pI4->%pI4\n", |
1da177e4 | 804 | ic->type, ntohs(icmp_id(ic)), |
14d5e834 | 805 | &iph->saddr, &iph->daddr); |
1da177e4 LT |
806 | |
807 | /* | |
808 | * Work through seeing if this is for us. | |
809 | * These checks are supposed to be in an order that means easy | |
810 | * things are checked first to speed up processing.... however | |
811 | * this means that some packets will manage to get a long way | |
812 | * down this stack and then be rejected, but that's life. | |
813 | */ | |
814 | if ((ic->type != ICMP_DEST_UNREACH) && | |
815 | (ic->type != ICMP_SOURCE_QUENCH) && | |
816 | (ic->type != ICMP_TIME_EXCEEDED)) { | |
817 | *related = 0; | |
818 | return NF_ACCEPT; | |
819 | } | |
820 | ||
821 | /* Now find the contained IP header */ | |
822 | offset += sizeof(_icmph); | |
823 | cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph); | |
824 | if (cih == NULL) | |
825 | return NF_ACCEPT; /* The packet looks wrong, ignore */ | |
826 | ||
827 | pp = ip_vs_proto_get(cih->protocol); | |
828 | if (!pp) | |
829 | return NF_ACCEPT; | |
830 | ||
831 | /* Is the embedded protocol header present? */ | |
4412ec49 | 832 | if (unlikely(cih->frag_off & htons(IP_OFFSET) && |
1da177e4 LT |
833 | pp->dont_defrag)) |
834 | return NF_ACCEPT; | |
835 | ||
0d79641a JA |
836 | IP_VS_DBG_PKT(11, AF_INET, pp, skb, offset, |
837 | "Checking outgoing ICMP for"); | |
1da177e4 LT |
838 | |
839 | offset += cih->ihl * 4; | |
840 | ||
51ef348b | 841 | ip_vs_fill_iphdr(AF_INET, cih, &ciph); |
1da177e4 | 842 | /* The embedded headers contain source and dest in reverse order */ |
51ef348b | 843 | cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1); |
1da177e4 LT |
844 | if (!cp) |
845 | return NF_ACCEPT; | |
846 | ||
f2428ed5 SH |
847 | snet.ip = iph->saddr; |
848 | return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp, | |
849 | pp, offset, ihl); | |
1da177e4 LT |
850 | } |
851 | ||
2a3b791e | 852 | #ifdef CONFIG_IP_VS_IPV6 |
1ca5bb54 JA |
853 | static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related, |
854 | unsigned int hooknum) | |
2a3b791e JV |
855 | { |
856 | struct ipv6hdr *iph; | |
857 | struct icmp6hdr _icmph, *ic; | |
858 | struct ipv6hdr _ciph, *cih; /* The ip header contained | |
859 | within the ICMP */ | |
860 | struct ip_vs_iphdr ciph; | |
861 | struct ip_vs_conn *cp; | |
862 | struct ip_vs_protocol *pp; | |
f2428ed5 SH |
863 | unsigned int offset; |
864 | union nf_inet_addr snet; | |
2a3b791e JV |
865 | |
866 | *related = 1; | |
867 | ||
868 | /* reassemble IP fragments */ | |
869 | if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) { | |
1ca5bb54 | 870 | if (ip_vs_gather_frags_v6(skb, ip_vs_defrag_user(hooknum))) |
2a3b791e JV |
871 | return NF_STOLEN; |
872 | } | |
873 | ||
874 | iph = ipv6_hdr(skb); | |
875 | offset = sizeof(struct ipv6hdr); | |
876 | ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph); | |
877 | if (ic == NULL) | |
878 | return NF_DROP; | |
879 | ||
5b095d98 | 880 | IP_VS_DBG(12, "Outgoing ICMPv6 (%d,%d) %pI6->%pI6\n", |
2a3b791e | 881 | ic->icmp6_type, ntohs(icmpv6_id(ic)), |
38ff4fa4 | 882 | &iph->saddr, &iph->daddr); |
2a3b791e JV |
883 | |
884 | /* | |
885 | * Work through seeing if this is for us. | |
886 | * These checks are supposed to be in an order that means easy | |
887 | * things are checked first to speed up processing.... however | |
888 | * this means that some packets will manage to get a long way | |
889 | * down this stack and then be rejected, but that's life. | |
890 | */ | |
891 | if ((ic->icmp6_type != ICMPV6_DEST_UNREACH) && | |
892 | (ic->icmp6_type != ICMPV6_PKT_TOOBIG) && | |
893 | (ic->icmp6_type != ICMPV6_TIME_EXCEED)) { | |
894 | *related = 0; | |
895 | return NF_ACCEPT; | |
896 | } | |
897 | ||
898 | /* Now find the contained IP header */ | |
899 | offset += sizeof(_icmph); | |
900 | cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph); | |
901 | if (cih == NULL) | |
902 | return NF_ACCEPT; /* The packet looks wrong, ignore */ | |
903 | ||
904 | pp = ip_vs_proto_get(cih->nexthdr); | |
905 | if (!pp) | |
906 | return NF_ACCEPT; | |
907 | ||
908 | /* Is the embedded protocol header present? */ | |
909 | /* TODO: we don't support fragmentation at the moment anyways */ | |
910 | if (unlikely(cih->nexthdr == IPPROTO_FRAGMENT && pp->dont_defrag)) | |
911 | return NF_ACCEPT; | |
912 | ||
0d79641a JA |
913 | IP_VS_DBG_PKT(11, AF_INET6, pp, skb, offset, |
914 | "Checking outgoing ICMPv6 for"); | |
2a3b791e JV |
915 | |
916 | offset += sizeof(struct ipv6hdr); | |
917 | ||
918 | ip_vs_fill_iphdr(AF_INET6, cih, &ciph); | |
919 | /* The embedded headers contain source and dest in reverse order */ | |
920 | cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1); | |
921 | if (!cp) | |
922 | return NF_ACCEPT; | |
923 | ||
178f5e49 | 924 | ipv6_addr_copy(&snet.in6, &iph->saddr); |
f2428ed5 SH |
925 | return handle_response_icmp(AF_INET6, skb, &snet, cih->nexthdr, cp, |
926 | pp, offset, sizeof(struct ipv6hdr)); | |
2a3b791e JV |
927 | } |
928 | #endif | |
929 | ||
2906f66a VMR |
930 | /* |
931 | * Check if sctp chunc is ABORT chunk | |
932 | */ | |
933 | static inline int is_sctp_abort(const struct sk_buff *skb, int nh_len) | |
934 | { | |
935 | sctp_chunkhdr_t *sch, schunk; | |
936 | sch = skb_header_pointer(skb, nh_len + sizeof(sctp_sctphdr_t), | |
937 | sizeof(schunk), &schunk); | |
938 | if (sch == NULL) | |
939 | return 0; | |
940 | if (sch->type == SCTP_CID_ABORT) | |
941 | return 1; | |
942 | return 0; | |
943 | } | |
944 | ||
2a3b791e | 945 | static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len) |
1da177e4 LT |
946 | { |
947 | struct tcphdr _tcph, *th; | |
948 | ||
2a3b791e | 949 | th = skb_header_pointer(skb, nh_len, sizeof(_tcph), &_tcph); |
1da177e4 LT |
950 | if (th == NULL) |
951 | return 0; | |
952 | return th->rst; | |
953 | } | |
954 | ||
4856c84c MT |
955 | /* Handle response packets: rewrite addresses and send away... |
956 | * Used for NAT and local client. | |
957 | */ | |
958 | static unsigned int | |
959 | handle_response(int af, struct sk_buff *skb, struct ip_vs_protocol *pp, | |
960 | struct ip_vs_conn *cp, int ihl) | |
961 | { | |
0d79641a | 962 | IP_VS_DBG_PKT(11, af, pp, skb, 0, "Outgoing packet"); |
4856c84c MT |
963 | |
964 | if (!skb_make_writable(skb, ihl)) | |
965 | goto drop; | |
966 | ||
967 | /* mangle the packet */ | |
968 | if (pp->snat_handler && !pp->snat_handler(skb, pp, cp)) | |
969 | goto drop; | |
970 | ||
971 | #ifdef CONFIG_IP_VS_IPV6 | |
972 | if (af == AF_INET6) | |
973 | ipv6_hdr(skb)->saddr = cp->vaddr.in6; | |
974 | else | |
975 | #endif | |
976 | { | |
977 | ip_hdr(skb)->saddr = cp->vaddr.ip; | |
978 | ip_send_check(ip_hdr(skb)); | |
979 | } | |
980 | ||
8a803040 JA |
981 | /* |
982 | * nf_iterate does not expect change in the skb->dst->dev. | |
983 | * It looks like it is not fatal to enable this code for hooks | |
984 | * where our handlers are at the end of the chain list and | |
985 | * when all next handlers use skb->dst->dev and not outdev. | |
986 | * It will definitely route properly the inout NAT traffic | |
987 | * when multiple paths are used. | |
988 | */ | |
989 | ||
4856c84c MT |
990 | /* For policy routing, packets originating from this |
991 | * machine itself may be routed differently to packets | |
992 | * passing through. We want this packet to be routed as | |
993 | * if it came from this machine itself. So re-compute | |
994 | * the routing information. | |
995 | */ | |
996 | #ifdef CONFIG_IP_VS_IPV6 | |
f5a41847 JA |
997 | if (af == AF_INET6) { |
998 | if (sysctl_ip_vs_snat_reroute && ip6_route_me_harder(skb) != 0) | |
999 | goto drop; | |
1000 | } else | |
4856c84c | 1001 | #endif |
f5a41847 JA |
1002 | if ((sysctl_ip_vs_snat_reroute || |
1003 | skb_rtable(skb)->rt_flags & RTCF_LOCAL) && | |
1004 | ip_route_me_harder(skb, RTN_LOCAL) != 0) | |
1005 | goto drop; | |
4856c84c | 1006 | |
0d79641a | 1007 | IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT"); |
4856c84c MT |
1008 | |
1009 | ip_vs_out_stats(cp, skb); | |
1010 | ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pp); | |
cf356d69 | 1011 | skb->ipvs_property = 1; |
f4bc17cd | 1012 | if (!(cp->flags & IP_VS_CONN_F_NFCT)) |
cf356d69 | 1013 | ip_vs_notrack(skb); |
f4bc17cd JA |
1014 | else |
1015 | ip_vs_update_conntrack(skb, cp, 0); | |
4856c84c MT |
1016 | ip_vs_conn_put(cp); |
1017 | ||
4856c84c MT |
1018 | LeaveFunction(11); |
1019 | return NF_ACCEPT; | |
1020 | ||
1021 | drop: | |
1022 | ip_vs_conn_put(cp); | |
1023 | kfree_skb(skb); | |
f4bc17cd | 1024 | LeaveFunction(11); |
4856c84c MT |
1025 | return NF_STOLEN; |
1026 | } | |
1027 | ||
1da177e4 | 1028 | /* |
4856c84c | 1029 | * Check if outgoing packet belongs to the established ip_vs_conn. |
1da177e4 LT |
1030 | */ |
1031 | static unsigned int | |
fc604767 | 1032 | ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) |
1da177e4 | 1033 | { |
fc723250 | 1034 | struct net *net = NULL; |
51ef348b | 1035 | struct ip_vs_iphdr iph; |
1da177e4 LT |
1036 | struct ip_vs_protocol *pp; |
1037 | struct ip_vs_conn *cp; | |
1da177e4 LT |
1038 | |
1039 | EnterFunction(11); | |
1040 | ||
fc604767 | 1041 | /* Already marked as IPVS request or reply? */ |
6869c4d8 | 1042 | if (skb->ipvs_property) |
1da177e4 LT |
1043 | return NF_ACCEPT; |
1044 | ||
fc604767 JA |
1045 | /* Bad... Do not break raw sockets */ |
1046 | if (unlikely(skb->sk != NULL && hooknum == NF_INET_LOCAL_OUT && | |
1047 | af == AF_INET)) { | |
1048 | struct sock *sk = skb->sk; | |
1049 | struct inet_sock *inet = inet_sk(skb->sk); | |
1050 | ||
1051 | if (inet && sk->sk_family == PF_INET && inet->nodefrag) | |
1052 | return NF_ACCEPT; | |
1053 | } | |
1054 | ||
1055 | if (unlikely(!skb_dst(skb))) | |
1056 | return NF_ACCEPT; | |
1057 | ||
fc723250 | 1058 | net = skb_net(skb); |
2a3b791e JV |
1059 | ip_vs_fill_iphdr(af, skb_network_header(skb), &iph); |
1060 | #ifdef CONFIG_IP_VS_IPV6 | |
1061 | if (af == AF_INET6) { | |
1062 | if (unlikely(iph.protocol == IPPROTO_ICMPV6)) { | |
1ca5bb54 JA |
1063 | int related; |
1064 | int verdict = ip_vs_out_icmp_v6(skb, &related, | |
1065 | hooknum); | |
1da177e4 | 1066 | |
f5a41847 | 1067 | if (related) |
2a3b791e JV |
1068 | return verdict; |
1069 | ip_vs_fill_iphdr(af, skb_network_header(skb), &iph); | |
1070 | } | |
1071 | } else | |
1072 | #endif | |
1073 | if (unlikely(iph.protocol == IPPROTO_ICMP)) { | |
1ca5bb54 JA |
1074 | int related; |
1075 | int verdict = ip_vs_out_icmp(skb, &related, hooknum); | |
2a3b791e | 1076 | |
f5a41847 | 1077 | if (related) |
2a3b791e JV |
1078 | return verdict; |
1079 | ip_vs_fill_iphdr(af, skb_network_header(skb), &iph); | |
1080 | } | |
1da177e4 | 1081 | |
51ef348b | 1082 | pp = ip_vs_proto_get(iph.protocol); |
1da177e4 LT |
1083 | if (unlikely(!pp)) |
1084 | return NF_ACCEPT; | |
1085 | ||
1086 | /* reassemble IP fragments */ | |
2a3b791e JV |
1087 | #ifdef CONFIG_IP_VS_IPV6 |
1088 | if (af == AF_INET6) { | |
1ca5bb54 JA |
1089 | if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) { |
1090 | if (ip_vs_gather_frags_v6(skb, | |
1091 | ip_vs_defrag_user(hooknum))) | |
1092 | return NF_STOLEN; | |
2a3b791e | 1093 | } |
1ca5bb54 JA |
1094 | |
1095 | ip_vs_fill_iphdr(af, skb_network_header(skb), &iph); | |
2a3b791e JV |
1096 | } else |
1097 | #endif | |
1098 | if (unlikely(ip_hdr(skb)->frag_off & htons(IP_MF|IP_OFFSET) && | |
1099 | !pp->dont_defrag)) { | |
1ca5bb54 JA |
1100 | if (ip_vs_gather_frags(skb, |
1101 | ip_vs_defrag_user(hooknum))) | |
2a3b791e JV |
1102 | return NF_STOLEN; |
1103 | ||
1104 | ip_vs_fill_iphdr(af, skb_network_header(skb), &iph); | |
1105 | } | |
1da177e4 LT |
1106 | |
1107 | /* | |
1108 | * Check if the packet belongs to an existing entry | |
1109 | */ | |
2a3b791e | 1110 | cp = pp->conn_out_get(af, skb, pp, &iph, iph.len, 0); |
1da177e4 | 1111 | |
cb59155f JA |
1112 | if (likely(cp)) |
1113 | return handle_response(af, skb, pp, cp, iph.len); | |
1114 | if (sysctl_ip_vs_nat_icmp_send && | |
1115 | (pp->protocol == IPPROTO_TCP || | |
1116 | pp->protocol == IPPROTO_UDP || | |
1117 | pp->protocol == IPPROTO_SCTP)) { | |
1118 | __be16 _ports[2], *pptr; | |
1119 | ||
1120 | pptr = skb_header_pointer(skb, iph.len, | |
1121 | sizeof(_ports), _ports); | |
1122 | if (pptr == NULL) | |
1123 | return NF_ACCEPT; /* Not for me */ | |
fc723250 | 1124 | if (ip_vs_lookup_real_service(net, af, iph.protocol, |
cb59155f JA |
1125 | &iph.saddr, |
1126 | pptr[0])) { | |
1127 | /* | |
1128 | * Notify the real server: there is no | |
1129 | * existing entry if it is not RST | |
1130 | * packet or not TCP packet. | |
1131 | */ | |
1132 | if ((iph.protocol != IPPROTO_TCP && | |
1133 | iph.protocol != IPPROTO_SCTP) | |
1134 | || ((iph.protocol == IPPROTO_TCP | |
1135 | && !is_tcp_reset(skb, iph.len)) | |
1136 | || (iph.protocol == IPPROTO_SCTP | |
1137 | && !is_sctp_abort(skb, | |
1138 | iph.len)))) { | |
2a3b791e | 1139 | #ifdef CONFIG_IP_VS_IPV6 |
cb59155f JA |
1140 | if (af == AF_INET6) { |
1141 | struct net *net = | |
1142 | dev_net(skb_dst(skb)->dev); | |
1143 | ||
1144 | if (!skb->dev) | |
1145 | skb->dev = net->loopback_dev; | |
1146 | icmpv6_send(skb, | |
1147 | ICMPV6_DEST_UNREACH, | |
1148 | ICMPV6_PORT_UNREACH, | |
1149 | 0); | |
1150 | } else | |
2a3b791e | 1151 | #endif |
cb59155f JA |
1152 | icmp_send(skb, |
1153 | ICMP_DEST_UNREACH, | |
1154 | ICMP_PORT_UNREACH, 0); | |
1155 | return NF_DROP; | |
1da177e4 LT |
1156 | } |
1157 | } | |
1da177e4 | 1158 | } |
0d79641a | 1159 | IP_VS_DBG_PKT(12, af, pp, skb, 0, |
cb59155f JA |
1160 | "ip_vs_out: packet continues traversal as normal"); |
1161 | return NF_ACCEPT; | |
1da177e4 LT |
1162 | } |
1163 | ||
fc604767 | 1164 | /* |
cb59155f JA |
1165 | * It is hooked at the NF_INET_FORWARD and NF_INET_LOCAL_IN chain, |
1166 | * used only for VS/NAT. | |
fc604767 JA |
1167 | * Check if packet is reply for established ip_vs_conn. |
1168 | */ | |
1169 | static unsigned int | |
1170 | ip_vs_reply4(unsigned int hooknum, struct sk_buff *skb, | |
1171 | const struct net_device *in, const struct net_device *out, | |
1172 | int (*okfn)(struct sk_buff *)) | |
1173 | { | |
1174 | return ip_vs_out(hooknum, skb, AF_INET); | |
1175 | } | |
1176 | ||
1177 | /* | |
1178 | * It is hooked at the NF_INET_LOCAL_OUT chain, used only for VS/NAT. | |
1179 | * Check if packet is reply for established ip_vs_conn. | |
1180 | */ | |
1181 | static unsigned int | |
1182 | ip_vs_local_reply4(unsigned int hooknum, struct sk_buff *skb, | |
1183 | const struct net_device *in, const struct net_device *out, | |
1184 | int (*okfn)(struct sk_buff *)) | |
1185 | { | |
1186 | unsigned int verdict; | |
1187 | ||
1188 | /* Disable BH in LOCAL_OUT until all places are fixed */ | |
1189 | local_bh_disable(); | |
1190 | verdict = ip_vs_out(hooknum, skb, AF_INET); | |
1191 | local_bh_enable(); | |
1192 | return verdict; | |
1193 | } | |
1194 | ||
1195 | #ifdef CONFIG_IP_VS_IPV6 | |
1196 | ||
1197 | /* | |
cb59155f JA |
1198 | * It is hooked at the NF_INET_FORWARD and NF_INET_LOCAL_IN chain, |
1199 | * used only for VS/NAT. | |
fc604767 JA |
1200 | * Check if packet is reply for established ip_vs_conn. |
1201 | */ | |
1202 | static unsigned int | |
1203 | ip_vs_reply6(unsigned int hooknum, struct sk_buff *skb, | |
1204 | const struct net_device *in, const struct net_device *out, | |
1205 | int (*okfn)(struct sk_buff *)) | |
1206 | { | |
1207 | return ip_vs_out(hooknum, skb, AF_INET6); | |
1208 | } | |
1209 | ||
1210 | /* | |
1211 | * It is hooked at the NF_INET_LOCAL_OUT chain, used only for VS/NAT. | |
1212 | * Check if packet is reply for established ip_vs_conn. | |
1213 | */ | |
1214 | static unsigned int | |
1215 | ip_vs_local_reply6(unsigned int hooknum, struct sk_buff *skb, | |
1216 | const struct net_device *in, const struct net_device *out, | |
1217 | int (*okfn)(struct sk_buff *)) | |
1218 | { | |
1219 | unsigned int verdict; | |
1220 | ||
1221 | /* Disable BH in LOCAL_OUT until all places are fixed */ | |
1222 | local_bh_disable(); | |
1223 | verdict = ip_vs_out(hooknum, skb, AF_INET6); | |
1224 | local_bh_enable(); | |
1225 | return verdict; | |
1226 | } | |
1227 | ||
1228 | #endif | |
1da177e4 LT |
1229 | |
1230 | /* | |
1231 | * Handle ICMP messages in the outside-to-inside direction (incoming). | |
1232 | * Find any that might be relevant, check against existing connections, | |
1233 | * forward to the right destination host if relevant. | |
1234 | * Currently handles error types - unreachable, quench, ttl exceeded. | |
1235 | */ | |
e905a9ed | 1236 | static int |
3db05fea | 1237 | ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum) |
1da177e4 | 1238 | { |
1da177e4 LT |
1239 | struct iphdr *iph; |
1240 | struct icmphdr _icmph, *ic; | |
1241 | struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */ | |
51ef348b | 1242 | struct ip_vs_iphdr ciph; |
1da177e4 LT |
1243 | struct ip_vs_conn *cp; |
1244 | struct ip_vs_protocol *pp; | |
1245 | unsigned int offset, ihl, verdict; | |
f2428ed5 | 1246 | union nf_inet_addr snet; |
1da177e4 LT |
1247 | |
1248 | *related = 1; | |
1249 | ||
1250 | /* reassemble IP fragments */ | |
eddc9ec5 | 1251 | if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) { |
1ca5bb54 | 1252 | if (ip_vs_gather_frags(skb, ip_vs_defrag_user(hooknum))) |
1da177e4 | 1253 | return NF_STOLEN; |
1da177e4 LT |
1254 | } |
1255 | ||
eddc9ec5 | 1256 | iph = ip_hdr(skb); |
1da177e4 LT |
1257 | offset = ihl = iph->ihl * 4; |
1258 | ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph); | |
1259 | if (ic == NULL) | |
1260 | return NF_DROP; | |
1261 | ||
14d5e834 | 1262 | IP_VS_DBG(12, "Incoming ICMP (%d,%d) %pI4->%pI4\n", |
1da177e4 | 1263 | ic->type, ntohs(icmp_id(ic)), |
14d5e834 | 1264 | &iph->saddr, &iph->daddr); |
1da177e4 LT |
1265 | |
1266 | /* | |
1267 | * Work through seeing if this is for us. | |
1268 | * These checks are supposed to be in an order that means easy | |
1269 | * things are checked first to speed up processing.... however | |
1270 | * this means that some packets will manage to get a long way | |
1271 | * down this stack and then be rejected, but that's life. | |
1272 | */ | |
1273 | if ((ic->type != ICMP_DEST_UNREACH) && | |
1274 | (ic->type != ICMP_SOURCE_QUENCH) && | |
1275 | (ic->type != ICMP_TIME_EXCEEDED)) { | |
1276 | *related = 0; | |
1277 | return NF_ACCEPT; | |
1278 | } | |
1279 | ||
1280 | /* Now find the contained IP header */ | |
1281 | offset += sizeof(_icmph); | |
1282 | cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph); | |
1283 | if (cih == NULL) | |
1284 | return NF_ACCEPT; /* The packet looks wrong, ignore */ | |
1285 | ||
1286 | pp = ip_vs_proto_get(cih->protocol); | |
1287 | if (!pp) | |
1288 | return NF_ACCEPT; | |
1289 | ||
1290 | /* Is the embedded protocol header present? */ | |
4412ec49 | 1291 | if (unlikely(cih->frag_off & htons(IP_OFFSET) && |
1da177e4 LT |
1292 | pp->dont_defrag)) |
1293 | return NF_ACCEPT; | |
1294 | ||
0d79641a JA |
1295 | IP_VS_DBG_PKT(11, AF_INET, pp, skb, offset, |
1296 | "Checking incoming ICMP for"); | |
1da177e4 LT |
1297 | |
1298 | offset += cih->ihl * 4; | |
1299 | ||
51ef348b | 1300 | ip_vs_fill_iphdr(AF_INET, cih, &ciph); |
1da177e4 | 1301 | /* The embedded headers contain source and dest in reverse order */ |
51ef348b | 1302 | cp = pp->conn_in_get(AF_INET, skb, pp, &ciph, offset, 1); |
4856c84c MT |
1303 | if (!cp) { |
1304 | /* The packet could also belong to a local client */ | |
1305 | cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1); | |
f2428ed5 SH |
1306 | if (cp) { |
1307 | snet.ip = iph->saddr; | |
1308 | return handle_response_icmp(AF_INET, skb, &snet, | |
1309 | cih->protocol, cp, pp, | |
4856c84c | 1310 | offset, ihl); |
f2428ed5 | 1311 | } |
1da177e4 | 1312 | return NF_ACCEPT; |
4856c84c | 1313 | } |
1da177e4 LT |
1314 | |
1315 | verdict = NF_DROP; | |
1316 | ||
1317 | /* Ensure the checksum is correct */ | |
60476372 | 1318 | if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) { |
1da177e4 | 1319 | /* Failed checksum! */ |
14d5e834 HH |
1320 | IP_VS_DBG(1, "Incoming ICMP: failed checksum from %pI4!\n", |
1321 | &iph->saddr); | |
1da177e4 LT |
1322 | goto out; |
1323 | } | |
1324 | ||
1325 | /* do the statistics and put it back */ | |
1326 | ip_vs_in_stats(cp, skb); | |
1327 | if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol) | |
1328 | offset += 2 * sizeof(__u16); | |
1329 | verdict = ip_vs_icmp_xmit(skb, cp, pp, offset); | |
489fdeda JA |
1330 | /* LOCALNODE from FORWARD hook is not supported */ |
1331 | if (verdict == NF_ACCEPT && hooknum == NF_INET_FORWARD && | |
1332 | skb_rtable(skb)->rt_flags & RTCF_LOCAL) { | |
1333 | IP_VS_DBG(1, "%s(): " | |
1334 | "local delivery to %pI4 but in FORWARD\n", | |
1335 | __func__, &skb_rtable(skb)->rt_dst); | |
1336 | verdict = NF_DROP; | |
1337 | } | |
1da177e4 LT |
1338 | |
1339 | out: | |
1340 | __ip_vs_conn_put(cp); | |
1341 | ||
1342 | return verdict; | |
1343 | } | |
1344 | ||
2a3b791e JV |
1345 | #ifdef CONFIG_IP_VS_IPV6 |
1346 | static int | |
1347 | ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum) | |
1348 | { | |
1349 | struct ipv6hdr *iph; | |
1350 | struct icmp6hdr _icmph, *ic; | |
1351 | struct ipv6hdr _ciph, *cih; /* The ip header contained | |
1352 | within the ICMP */ | |
1353 | struct ip_vs_iphdr ciph; | |
1354 | struct ip_vs_conn *cp; | |
1355 | struct ip_vs_protocol *pp; | |
1356 | unsigned int offset, verdict; | |
f2428ed5 | 1357 | union nf_inet_addr snet; |
489fdeda | 1358 | struct rt6_info *rt; |
2a3b791e JV |
1359 | |
1360 | *related = 1; | |
1361 | ||
1362 | /* reassemble IP fragments */ | |
1363 | if (ipv6_hdr(skb)->nexthdr == IPPROTO_FRAGMENT) { | |
1ca5bb54 | 1364 | if (ip_vs_gather_frags_v6(skb, ip_vs_defrag_user(hooknum))) |
2a3b791e JV |
1365 | return NF_STOLEN; |
1366 | } | |
1367 | ||
1368 | iph = ipv6_hdr(skb); | |
1369 | offset = sizeof(struct ipv6hdr); | |
1370 | ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph); | |
1371 | if (ic == NULL) | |
1372 | return NF_DROP; | |
1373 | ||
5b095d98 | 1374 | IP_VS_DBG(12, "Incoming ICMPv6 (%d,%d) %pI6->%pI6\n", |
2a3b791e | 1375 | ic->icmp6_type, ntohs(icmpv6_id(ic)), |
38ff4fa4 | 1376 | &iph->saddr, &iph->daddr); |
2a3b791e JV |
1377 | |
1378 | /* | |
1379 | * Work through seeing if this is for us. | |
1380 | * These checks are supposed to be in an order that means easy | |
1381 | * things are checked first to speed up processing.... however | |
1382 | * this means that some packets will manage to get a long way | |
1383 | * down this stack and then be rejected, but that's life. | |
1384 | */ | |
1385 | if ((ic->icmp6_type != ICMPV6_DEST_UNREACH) && | |
1386 | (ic->icmp6_type != ICMPV6_PKT_TOOBIG) && | |
1387 | (ic->icmp6_type != ICMPV6_TIME_EXCEED)) { | |
1388 | *related = 0; | |
1389 | return NF_ACCEPT; | |
1390 | } | |
1391 | ||
1392 | /* Now find the contained IP header */ | |
1393 | offset += sizeof(_icmph); | |
1394 | cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph); | |
1395 | if (cih == NULL) | |
1396 | return NF_ACCEPT; /* The packet looks wrong, ignore */ | |
1397 | ||
1398 | pp = ip_vs_proto_get(cih->nexthdr); | |
1399 | if (!pp) | |
1400 | return NF_ACCEPT; | |
1401 | ||
1402 | /* Is the embedded protocol header present? */ | |
1403 | /* TODO: we don't support fragmentation at the moment anyways */ | |
1404 | if (unlikely(cih->nexthdr == IPPROTO_FRAGMENT && pp->dont_defrag)) | |
1405 | return NF_ACCEPT; | |
1406 | ||
0d79641a JA |
1407 | IP_VS_DBG_PKT(11, AF_INET6, pp, skb, offset, |
1408 | "Checking incoming ICMPv6 for"); | |
2a3b791e JV |
1409 | |
1410 | offset += sizeof(struct ipv6hdr); | |
1411 | ||
1412 | ip_vs_fill_iphdr(AF_INET6, cih, &ciph); | |
1413 | /* The embedded headers contain source and dest in reverse order */ | |
1414 | cp = pp->conn_in_get(AF_INET6, skb, pp, &ciph, offset, 1); | |
f2428ed5 SH |
1415 | if (!cp) { |
1416 | /* The packet could also belong to a local client */ | |
1417 | cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1); | |
1418 | if (cp) { | |
178f5e49 | 1419 | ipv6_addr_copy(&snet.in6, &iph->saddr); |
f2428ed5 SH |
1420 | return handle_response_icmp(AF_INET6, skb, &snet, |
1421 | cih->nexthdr, | |
1422 | cp, pp, offset, | |
1423 | sizeof(struct ipv6hdr)); | |
1424 | } | |
2a3b791e | 1425 | return NF_ACCEPT; |
f2428ed5 | 1426 | } |
2a3b791e JV |
1427 | |
1428 | verdict = NF_DROP; | |
1429 | ||
1430 | /* do the statistics and put it back */ | |
1431 | ip_vs_in_stats(cp, skb); | |
2906f66a VMR |
1432 | if (IPPROTO_TCP == cih->nexthdr || IPPROTO_UDP == cih->nexthdr || |
1433 | IPPROTO_SCTP == cih->nexthdr) | |
2a3b791e JV |
1434 | offset += 2 * sizeof(__u16); |
1435 | verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, offset); | |
489fdeda JA |
1436 | /* LOCALNODE from FORWARD hook is not supported */ |
1437 | if (verdict == NF_ACCEPT && hooknum == NF_INET_FORWARD && | |
1438 | (rt = (struct rt6_info *) skb_dst(skb)) && | |
1439 | rt->rt6i_dev && rt->rt6i_dev->flags & IFF_LOOPBACK) { | |
1440 | IP_VS_DBG(1, "%s(): " | |
1441 | "local delivery to %pI6 but in FORWARD\n", | |
1442 | __func__, &rt->rt6i_dst); | |
1443 | verdict = NF_DROP; | |
1444 | } | |
2a3b791e JV |
1445 | |
1446 | __ip_vs_conn_put(cp); | |
1447 | ||
1448 | return verdict; | |
1449 | } | |
1450 | #endif | |
1451 | ||
1452 | ||
1da177e4 LT |
1453 | /* |
1454 | * Check if it's for virtual services, look it up, | |
1455 | * and send it on its way... | |
1456 | */ | |
1457 | static unsigned int | |
cb59155f | 1458 | ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) |
1da177e4 | 1459 | { |
51ef348b | 1460 | struct ip_vs_iphdr iph; |
1da177e4 LT |
1461 | struct ip_vs_protocol *pp; |
1462 | struct ip_vs_conn *cp; | |
cb59155f | 1463 | int ret, restart, pkts; |
2a3b791e | 1464 | |
fc604767 JA |
1465 | /* Already marked as IPVS request or reply? */ |
1466 | if (skb->ipvs_property) | |
1467 | return NF_ACCEPT; | |
1468 | ||
1da177e4 | 1469 | /* |
cb59155f JA |
1470 | * Big tappo: |
1471 | * - remote client: only PACKET_HOST | |
1472 | * - route: used for struct net when skb->dev is unset | |
1da177e4 | 1473 | */ |
cb59155f JA |
1474 | if (unlikely((skb->pkt_type != PACKET_HOST && |
1475 | hooknum != NF_INET_LOCAL_OUT) || | |
1476 | !skb_dst(skb))) { | |
1477 | ip_vs_fill_iphdr(af, skb_network_header(skb), &iph); | |
1478 | IP_VS_DBG_BUF(12, "packet type=%d proto=%d daddr=%s" | |
1479 | " ignored in hook %u\n", | |
1480 | skb->pkt_type, iph.protocol, | |
1481 | IP_VS_DBG_ADDR(af, &iph.daddr), hooknum); | |
1da177e4 LT |
1482 | return NF_ACCEPT; |
1483 | } | |
cb59155f JA |
1484 | ip_vs_fill_iphdr(af, skb_network_header(skb), &iph); |
1485 | ||
1486 | /* Bad... Do not break raw sockets */ | |
1487 | if (unlikely(skb->sk != NULL && hooknum == NF_INET_LOCAL_OUT && | |
1488 | af == AF_INET)) { | |
1489 | struct sock *sk = skb->sk; | |
1490 | struct inet_sock *inet = inet_sk(skb->sk); | |
1491 | ||
1492 | if (inet && sk->sk_family == PF_INET && inet->nodefrag) | |
1493 | return NF_ACCEPT; | |
1494 | } | |
1da177e4 | 1495 | |
94b26551 JV |
1496 | #ifdef CONFIG_IP_VS_IPV6 |
1497 | if (af == AF_INET6) { | |
1498 | if (unlikely(iph.protocol == IPPROTO_ICMPV6)) { | |
1ca5bb54 JA |
1499 | int related; |
1500 | int verdict = ip_vs_in_icmp_v6(skb, &related, hooknum); | |
1da177e4 | 1501 | |
94b26551 JV |
1502 | if (related) |
1503 | return verdict; | |
1504 | ip_vs_fill_iphdr(af, skb_network_header(skb), &iph); | |
1505 | } | |
1506 | } else | |
1507 | #endif | |
1508 | if (unlikely(iph.protocol == IPPROTO_ICMP)) { | |
1ca5bb54 JA |
1509 | int related; |
1510 | int verdict = ip_vs_in_icmp(skb, &related, hooknum); | |
94b26551 JV |
1511 | |
1512 | if (related) | |
1513 | return verdict; | |
1514 | ip_vs_fill_iphdr(af, skb_network_header(skb), &iph); | |
1515 | } | |
1da177e4 LT |
1516 | |
1517 | /* Protocol supported? */ | |
51ef348b | 1518 | pp = ip_vs_proto_get(iph.protocol); |
1da177e4 LT |
1519 | if (unlikely(!pp)) |
1520 | return NF_ACCEPT; | |
1521 | ||
1da177e4 LT |
1522 | /* |
1523 | * Check if the packet belongs to an existing connection entry | |
1524 | */ | |
2a3b791e | 1525 | cp = pp->conn_in_get(af, skb, pp, &iph, iph.len, 0); |
1da177e4 LT |
1526 | |
1527 | if (unlikely(!cp)) { | |
1528 | int v; | |
1529 | ||
2a3b791e | 1530 | if (!pp->conn_schedule(af, skb, pp, &v, &cp)) |
1da177e4 LT |
1531 | return v; |
1532 | } | |
1533 | ||
1534 | if (unlikely(!cp)) { | |
1535 | /* sorry, all this trouble for a no-hit :) */ | |
0d79641a | 1536 | IP_VS_DBG_PKT(12, af, pp, skb, 0, |
cb59155f | 1537 | "ip_vs_in: packet continues traversal as normal"); |
1da177e4 LT |
1538 | return NF_ACCEPT; |
1539 | } | |
1540 | ||
0d79641a | 1541 | IP_VS_DBG_PKT(11, af, pp, skb, 0, "Incoming packet"); |
1da177e4 LT |
1542 | |
1543 | /* Check the server status */ | |
1544 | if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) { | |
1545 | /* the destination server is not available */ | |
1546 | ||
1547 | if (sysctl_ip_vs_expire_nodest_conn) { | |
1548 | /* try to expire the connection immediately */ | |
1549 | ip_vs_conn_expire_now(cp); | |
1da177e4 | 1550 | } |
dc8103f2 JA |
1551 | /* don't restart its timer, and silently |
1552 | drop the packet. */ | |
1553 | __ip_vs_conn_put(cp); | |
1da177e4 LT |
1554 | return NF_DROP; |
1555 | } | |
1556 | ||
1557 | ip_vs_in_stats(cp, skb); | |
1558 | restart = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp); | |
1559 | if (cp->packet_xmit) | |
1560 | ret = cp->packet_xmit(skb, cp, pp); | |
1561 | /* do not touch skb anymore */ | |
1562 | else { | |
1563 | IP_VS_DBG_RL("warning: packet_xmit is null"); | |
1564 | ret = NF_ACCEPT; | |
1565 | } | |
1566 | ||
efac5276 RB |
1567 | /* Increase its packet counter and check if it is needed |
1568 | * to be synchronized | |
1569 | * | |
1570 | * Sync connection if it is about to close to | |
1571 | * encorage the standby servers to update the connections timeout | |
986a0757 HS |
1572 | * |
1573 | * For ONE_PKT let ip_vs_sync_conn() do the filter work. | |
efac5276 | 1574 | */ |
986a0757 HS |
1575 | if (cp->flags & IP_VS_CONN_F_ONE_PACKET) |
1576 | pkts = sysctl_ip_vs_sync_threshold[0]; | |
1577 | else | |
1578 | pkts = atomic_add_return(1, &cp->in_pkts); | |
1579 | ||
1580 | if ((ip_vs_sync_state & IP_VS_STATE_MASTER) && | |
2906f66a VMR |
1581 | cp->protocol == IPPROTO_SCTP) { |
1582 | if ((cp->state == IP_VS_SCTP_S_ESTABLISHED && | |
8ed2163f | 1583 | (pkts % sysctl_ip_vs_sync_threshold[1] |
2906f66a VMR |
1584 | == sysctl_ip_vs_sync_threshold[0])) || |
1585 | (cp->old_state != cp->state && | |
1586 | ((cp->state == IP_VS_SCTP_S_CLOSED) || | |
1587 | (cp->state == IP_VS_SCTP_S_SHUT_ACK_CLI) || | |
1588 | (cp->state == IP_VS_SCTP_S_SHUT_ACK_SER)))) { | |
1589 | ip_vs_sync_conn(cp); | |
1590 | goto out; | |
1591 | } | |
1592 | } | |
1593 | ||
8ed2163f | 1594 | /* Keep this block last: TCP and others with pp->num_states <= 1 */ |
986a0757 | 1595 | else if ((ip_vs_sync_state & IP_VS_STATE_MASTER) && |
efac5276 RB |
1596 | (((cp->protocol != IPPROTO_TCP || |
1597 | cp->state == IP_VS_TCP_S_ESTABLISHED) && | |
1e66dafc | 1598 | (pkts % sysctl_ip_vs_sync_threshold[1] |
efac5276 RB |
1599 | == sysctl_ip_vs_sync_threshold[0])) || |
1600 | ((cp->protocol == IPPROTO_TCP) && (cp->old_state != cp->state) && | |
1601 | ((cp->state == IP_VS_TCP_S_FIN_WAIT) || | |
9abfe315 | 1602 | (cp->state == IP_VS_TCP_S_CLOSE) || |
9d3a0de7 RB |
1603 | (cp->state == IP_VS_TCP_S_CLOSE_WAIT) || |
1604 | (cp->state == IP_VS_TCP_S_TIME_WAIT))))) | |
1da177e4 | 1605 | ip_vs_sync_conn(cp); |
2906f66a | 1606 | out: |
efac5276 | 1607 | cp->old_state = cp->state; |
1da177e4 LT |
1608 | |
1609 | ip_vs_conn_put(cp); | |
1610 | return ret; | |
1611 | } | |
1612 | ||
cb59155f JA |
1613 | /* |
1614 | * AF_INET handler in NF_INET_LOCAL_IN chain | |
1615 | * Schedule and forward packets from remote clients | |
1616 | */ | |
1617 | static unsigned int | |
1618 | ip_vs_remote_request4(unsigned int hooknum, struct sk_buff *skb, | |
1619 | const struct net_device *in, | |
1620 | const struct net_device *out, | |
1621 | int (*okfn)(struct sk_buff *)) | |
1622 | { | |
1623 | return ip_vs_in(hooknum, skb, AF_INET); | |
1624 | } | |
1625 | ||
1626 | /* | |
1627 | * AF_INET handler in NF_INET_LOCAL_OUT chain | |
1628 | * Schedule and forward packets from local clients | |
1629 | */ | |
1630 | static unsigned int | |
1631 | ip_vs_local_request4(unsigned int hooknum, struct sk_buff *skb, | |
1632 | const struct net_device *in, const struct net_device *out, | |
1633 | int (*okfn)(struct sk_buff *)) | |
1634 | { | |
1635 | unsigned int verdict; | |
1636 | ||
1637 | /* Disable BH in LOCAL_OUT until all places are fixed */ | |
1638 | local_bh_disable(); | |
1639 | verdict = ip_vs_in(hooknum, skb, AF_INET); | |
1640 | local_bh_enable(); | |
1641 | return verdict; | |
1642 | } | |
1643 | ||
1644 | #ifdef CONFIG_IP_VS_IPV6 | |
1645 | ||
1646 | /* | |
1647 | * AF_INET6 handler in NF_INET_LOCAL_IN chain | |
1648 | * Schedule and forward packets from remote clients | |
1649 | */ | |
1650 | static unsigned int | |
1651 | ip_vs_remote_request6(unsigned int hooknum, struct sk_buff *skb, | |
1652 | const struct net_device *in, | |
1653 | const struct net_device *out, | |
1654 | int (*okfn)(struct sk_buff *)) | |
1655 | { | |
1656 | return ip_vs_in(hooknum, skb, AF_INET6); | |
1657 | } | |
1658 | ||
1659 | /* | |
1660 | * AF_INET6 handler in NF_INET_LOCAL_OUT chain | |
1661 | * Schedule and forward packets from local clients | |
1662 | */ | |
1663 | static unsigned int | |
1664 | ip_vs_local_request6(unsigned int hooknum, struct sk_buff *skb, | |
1665 | const struct net_device *in, const struct net_device *out, | |
1666 | int (*okfn)(struct sk_buff *)) | |
1667 | { | |
1668 | unsigned int verdict; | |
1669 | ||
1670 | /* Disable BH in LOCAL_OUT until all places are fixed */ | |
1671 | local_bh_disable(); | |
1672 | verdict = ip_vs_in(hooknum, skb, AF_INET6); | |
1673 | local_bh_enable(); | |
1674 | return verdict; | |
1675 | } | |
1676 | ||
1677 | #endif | |
1678 | ||
1da177e4 LT |
1679 | |
1680 | /* | |
6e23ae2a | 1681 | * It is hooked at the NF_INET_FORWARD chain, in order to catch ICMP |
1da177e4 LT |
1682 | * related packets destined for 0.0.0.0/0. |
1683 | * When fwmark-based virtual service is used, such as transparent | |
1684 | * cache cluster, TCP packets can be marked and routed to ip_vs_in, | |
1685 | * but ICMP destined for 0.0.0.0/0 cannot not be easily marked and | |
6e23ae2a | 1686 | * sent to ip_vs_in_icmp. So, catch them at the NF_INET_FORWARD chain |
1da177e4 LT |
1687 | * and send them to ip_vs_in_icmp. |
1688 | */ | |
1689 | static unsigned int | |
3db05fea | 1690 | ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff *skb, |
1da177e4 LT |
1691 | const struct net_device *in, const struct net_device *out, |
1692 | int (*okfn)(struct sk_buff *)) | |
1693 | { | |
1694 | int r; | |
1695 | ||
3db05fea | 1696 | if (ip_hdr(skb)->protocol != IPPROTO_ICMP) |
1da177e4 LT |
1697 | return NF_ACCEPT; |
1698 | ||
3db05fea | 1699 | return ip_vs_in_icmp(skb, &r, hooknum); |
1da177e4 LT |
1700 | } |
1701 | ||
2a3b791e JV |
1702 | #ifdef CONFIG_IP_VS_IPV6 |
1703 | static unsigned int | |
1704 | ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb, | |
1705 | const struct net_device *in, const struct net_device *out, | |
1706 | int (*okfn)(struct sk_buff *)) | |
1707 | { | |
1708 | int r; | |
1709 | ||
1710 | if (ipv6_hdr(skb)->nexthdr != IPPROTO_ICMPV6) | |
1711 | return NF_ACCEPT; | |
1712 | ||
1713 | return ip_vs_in_icmp_v6(skb, &r, hooknum); | |
1714 | } | |
1715 | #endif | |
1716 | ||
1da177e4 | 1717 | |
1999414a | 1718 | static struct nf_hook_ops ip_vs_ops[] __read_mostly = { |
cb59155f JA |
1719 | /* After packet filtering, change source only for VS/NAT */ |
1720 | { | |
1721 | .hook = ip_vs_reply4, | |
1722 | .owner = THIS_MODULE, | |
1723 | .pf = PF_INET, | |
1724 | .hooknum = NF_INET_LOCAL_IN, | |
1725 | .priority = 99, | |
1726 | }, | |
41c5b317 PM |
1727 | /* After packet filtering, forward packet through VS/DR, VS/TUN, |
1728 | * or VS/NAT(change destination), so that filtering rules can be | |
1729 | * applied to IPVS. */ | |
1730 | { | |
cb59155f | 1731 | .hook = ip_vs_remote_request4, |
41c5b317 PM |
1732 | .owner = THIS_MODULE, |
1733 | .pf = PF_INET, | |
cb59155f JA |
1734 | .hooknum = NF_INET_LOCAL_IN, |
1735 | .priority = 101, | |
41c5b317 | 1736 | }, |
fc604767 | 1737 | /* Before ip_vs_in, change source only for VS/NAT */ |
41c5b317 | 1738 | { |
fc604767 | 1739 | .hook = ip_vs_local_reply4, |
41c5b317 PM |
1740 | .owner = THIS_MODULE, |
1741 | .pf = PF_INET, | |
fc604767 JA |
1742 | .hooknum = NF_INET_LOCAL_OUT, |
1743 | .priority = -99, | |
41c5b317 | 1744 | }, |
cb59155f JA |
1745 | /* After mangle, schedule and forward local requests */ |
1746 | { | |
1747 | .hook = ip_vs_local_request4, | |
1748 | .owner = THIS_MODULE, | |
1749 | .pf = PF_INET, | |
1750 | .hooknum = NF_INET_LOCAL_OUT, | |
1751 | .priority = -98, | |
1752 | }, | |
41c5b317 PM |
1753 | /* After packet filtering (but before ip_vs_out_icmp), catch icmp |
1754 | * destined for 0.0.0.0/0, which is for incoming IPVS connections */ | |
1755 | { | |
1756 | .hook = ip_vs_forward_icmp, | |
1757 | .owner = THIS_MODULE, | |
1758 | .pf = PF_INET, | |
cb59155f JA |
1759 | .hooknum = NF_INET_FORWARD, |
1760 | .priority = 99, | |
41c5b317 | 1761 | }, |
fc604767 JA |
1762 | /* After packet filtering, change source only for VS/NAT */ |
1763 | { | |
1764 | .hook = ip_vs_reply4, | |
1765 | .owner = THIS_MODULE, | |
1766 | .pf = PF_INET, | |
1767 | .hooknum = NF_INET_FORWARD, | |
1768 | .priority = 100, | |
1769 | }, | |
473b23d3 | 1770 | #ifdef CONFIG_IP_VS_IPV6 |
cb59155f JA |
1771 | /* After packet filtering, change source only for VS/NAT */ |
1772 | { | |
1773 | .hook = ip_vs_reply6, | |
1774 | .owner = THIS_MODULE, | |
1775 | .pf = PF_INET6, | |
1776 | .hooknum = NF_INET_LOCAL_IN, | |
1777 | .priority = 99, | |
1778 | }, | |
473b23d3 JV |
1779 | /* After packet filtering, forward packet through VS/DR, VS/TUN, |
1780 | * or VS/NAT(change destination), so that filtering rules can be | |
1781 | * applied to IPVS. */ | |
1782 | { | |
cb59155f | 1783 | .hook = ip_vs_remote_request6, |
473b23d3 JV |
1784 | .owner = THIS_MODULE, |
1785 | .pf = PF_INET6, | |
cb59155f JA |
1786 | .hooknum = NF_INET_LOCAL_IN, |
1787 | .priority = 101, | |
473b23d3 | 1788 | }, |
fc604767 | 1789 | /* Before ip_vs_in, change source only for VS/NAT */ |
473b23d3 | 1790 | { |
fc604767 | 1791 | .hook = ip_vs_local_reply6, |
473b23d3 | 1792 | .owner = THIS_MODULE, |
fc604767 JA |
1793 | .pf = PF_INET, |
1794 | .hooknum = NF_INET_LOCAL_OUT, | |
1795 | .priority = -99, | |
473b23d3 | 1796 | }, |
cb59155f JA |
1797 | /* After mangle, schedule and forward local requests */ |
1798 | { | |
1799 | .hook = ip_vs_local_request6, | |
1800 | .owner = THIS_MODULE, | |
1801 | .pf = PF_INET6, | |
1802 | .hooknum = NF_INET_LOCAL_OUT, | |
1803 | .priority = -98, | |
1804 | }, | |
473b23d3 JV |
1805 | /* After packet filtering (but before ip_vs_out_icmp), catch icmp |
1806 | * destined for 0.0.0.0/0, which is for incoming IPVS connections */ | |
1807 | { | |
1808 | .hook = ip_vs_forward_icmp_v6, | |
1809 | .owner = THIS_MODULE, | |
1810 | .pf = PF_INET6, | |
cb59155f JA |
1811 | .hooknum = NF_INET_FORWARD, |
1812 | .priority = 99, | |
473b23d3 | 1813 | }, |
fc604767 JA |
1814 | /* After packet filtering, change source only for VS/NAT */ |
1815 | { | |
1816 | .hook = ip_vs_reply6, | |
1817 | .owner = THIS_MODULE, | |
1818 | .pf = PF_INET6, | |
1819 | .hooknum = NF_INET_FORWARD, | |
1820 | .priority = 100, | |
1821 | }, | |
473b23d3 | 1822 | #endif |
1da177e4 LT |
1823 | }; |
1824 | ||
61b1ab45 HS |
1825 | /* |
1826 | * Initialize IP Virtual Server netns mem. | |
1827 | */ | |
1828 | static int __net_init __ip_vs_init(struct net *net) | |
1829 | { | |
1830 | struct netns_ipvs *ipvs; | |
1831 | ||
1832 | if (!net_eq(net, &init_net)) { | |
1833 | pr_err("The final patch for enabling netns is missing\n"); | |
1834 | return -EPERM; | |
1835 | } | |
1836 | ipvs = net_generic(net, ip_vs_net_id); | |
1837 | if (ipvs == NULL) { | |
1838 | pr_err("%s(): no memory.\n", __func__); | |
1839 | return -ENOMEM; | |
1840 | } | |
1841 | /* Counters used for creating unique names */ | |
1842 | ipvs->gen = atomic_read(&ipvs_netns_cnt); | |
1843 | atomic_inc(&ipvs_netns_cnt); | |
1844 | net->ipvs = ipvs; | |
1845 | printk(KERN_INFO "IPVS: Creating netns size=%lu id=%d\n", | |
1846 | sizeof(struct netns_ipvs), ipvs->gen); | |
1847 | return 0; | |
1848 | } | |
1849 | ||
1850 | static void __net_exit __ip_vs_cleanup(struct net *net) | |
1851 | { | |
1852 | struct netns_ipvs *ipvs = net_ipvs(net); | |
1853 | ||
1854 | IP_VS_DBG(10, "ipvs netns %d released\n", ipvs->gen); | |
1855 | } | |
1856 | ||
1857 | static struct pernet_operations ipvs_core_ops = { | |
1858 | .init = __ip_vs_init, | |
1859 | .exit = __ip_vs_cleanup, | |
1860 | .id = &ip_vs_net_id, | |
1861 | .size = sizeof(struct netns_ipvs), | |
1862 | }; | |
1da177e4 LT |
1863 | |
1864 | /* | |
1865 | * Initialize IP Virtual Server | |
1866 | */ | |
1867 | static int __init ip_vs_init(void) | |
1868 | { | |
1869 | int ret; | |
1870 | ||
61b1ab45 HS |
1871 | ret = register_pernet_subsys(&ipvs_core_ops); /* Alloc ip_vs struct */ |
1872 | if (ret < 0) | |
1873 | return ret; | |
a919cf4b | 1874 | |
61b1ab45 | 1875 | ip_vs_estimator_init(); |
1da177e4 LT |
1876 | ret = ip_vs_control_init(); |
1877 | if (ret < 0) { | |
1e3e238e | 1878 | pr_err("can't setup control.\n"); |
a919cf4b | 1879 | goto cleanup_estimator; |
1da177e4 LT |
1880 | } |
1881 | ||
1882 | ip_vs_protocol_init(); | |
1883 | ||
1884 | ret = ip_vs_app_init(); | |
1885 | if (ret < 0) { | |
1e3e238e | 1886 | pr_err("can't setup application helper.\n"); |
1da177e4 LT |
1887 | goto cleanup_protocol; |
1888 | } | |
1889 | ||
1890 | ret = ip_vs_conn_init(); | |
1891 | if (ret < 0) { | |
1e3e238e | 1892 | pr_err("can't setup connection table.\n"); |
1da177e4 LT |
1893 | goto cleanup_app; |
1894 | } | |
1895 | ||
61b1ab45 HS |
1896 | ret = ip_vs_sync_init(); |
1897 | if (ret < 0) { | |
1898 | pr_err("can't setup sync data.\n"); | |
1899 | goto cleanup_conn; | |
1900 | } | |
1901 | ||
41c5b317 | 1902 | ret = nf_register_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops)); |
1da177e4 | 1903 | if (ret < 0) { |
1e3e238e | 1904 | pr_err("can't register hooks.\n"); |
61b1ab45 | 1905 | goto cleanup_sync; |
1da177e4 LT |
1906 | } |
1907 | ||
1e3e238e | 1908 | pr_info("ipvs loaded.\n"); |
1da177e4 LT |
1909 | return ret; |
1910 | ||
61b1ab45 HS |
1911 | cleanup_sync: |
1912 | ip_vs_sync_cleanup(); | |
1da177e4 LT |
1913 | cleanup_conn: |
1914 | ip_vs_conn_cleanup(); | |
1915 | cleanup_app: | |
1916 | ip_vs_app_cleanup(); | |
1917 | cleanup_protocol: | |
1918 | ip_vs_protocol_cleanup(); | |
1919 | ip_vs_control_cleanup(); | |
a919cf4b SW |
1920 | cleanup_estimator: |
1921 | ip_vs_estimator_cleanup(); | |
61b1ab45 | 1922 | unregister_pernet_subsys(&ipvs_core_ops); /* free ip_vs struct */ |
1da177e4 LT |
1923 | return ret; |
1924 | } | |
1925 | ||
1926 | static void __exit ip_vs_cleanup(void) | |
1927 | { | |
41c5b317 | 1928 | nf_unregister_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops)); |
61b1ab45 | 1929 | ip_vs_sync_cleanup(); |
1da177e4 LT |
1930 | ip_vs_conn_cleanup(); |
1931 | ip_vs_app_cleanup(); | |
1932 | ip_vs_protocol_cleanup(); | |
1933 | ip_vs_control_cleanup(); | |
a919cf4b | 1934 | ip_vs_estimator_cleanup(); |
61b1ab45 | 1935 | unregister_pernet_subsys(&ipvs_core_ops); /* free ip_vs struct */ |
1e3e238e | 1936 | pr_info("ipvs unloaded.\n"); |
1da177e4 LT |
1937 | } |
1938 | ||
1939 | module_init(ip_vs_init); | |
1940 | module_exit(ip_vs_cleanup); | |
1941 | MODULE_LICENSE("GPL"); |