ip_vs.h (50787B)
1/* SPDX-License-Identifier: GPL-2.0 */ 2/* IP Virtual Server 3 * data structure and functionality definitions 4 */ 5 6#ifndef _NET_IP_VS_H 7#define _NET_IP_VS_H 8 9#include <linux/ip_vs.h> /* definitions shared with userland */ 10 11#include <asm/types.h> /* for __uXX types */ 12 13#include <linux/list.h> /* for struct list_head */ 14#include <linux/spinlock.h> /* for struct rwlock_t */ 15#include <linux/atomic.h> /* for struct atomic_t */ 16#include <linux/refcount.h> /* for struct refcount_t */ 17#include <linux/workqueue.h> 18 19#include <linux/compiler.h> 20#include <linux/timer.h> 21#include <linux/bug.h> 22 23#include <net/checksum.h> 24#include <linux/netfilter.h> /* for union nf_inet_addr */ 25#include <linux/ip.h> 26#include <linux/ipv6.h> /* for struct ipv6hdr */ 27#include <net/ipv6.h> 28#if IS_ENABLED(CONFIG_NF_CONNTRACK) 29#include <net/netfilter/nf_conntrack.h> 30#endif 31#include <net/net_namespace.h> /* Netw namespace */ 32 33#define IP_VS_HDR_INVERSE 1 34#define IP_VS_HDR_ICMP 2 35 36/* Generic access of ipvs struct */ 37static inline struct netns_ipvs *net_ipvs(struct net* net) 38{ 39 return net->ipvs; 40} 41 42/* Connections' size value needed by ip_vs_ctl.c */ 43extern int ip_vs_conn_tab_size; 44 45struct ip_vs_iphdr { 46 int hdr_flags; /* ipvs flags */ 47 __u32 off; /* Where IP or IPv4 header starts */ 48 __u32 len; /* IPv4 simply where L4 starts 49 * IPv6 where L4 Transport Header starts */ 50 __u16 fragoffs; /* IPv6 fragment offset, 0 if first frag (or not frag)*/ 51 __s16 protocol; 52 __s32 flags; 53 union nf_inet_addr saddr; 54 union nf_inet_addr daddr; 55}; 56 57static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset, 58 int len, void *buffer) 59{ 60 return skb_header_pointer(skb, offset, len, buffer); 61} 62 63/* This function handles filling *ip_vs_iphdr, both for IPv4 and IPv6. 64 * IPv6 requires some extra work, as finding proper header position, 65 * depend on the IPv6 extension headers. 66 */ 67static inline int 68ip_vs_fill_iph_skb_off(int af, const struct sk_buff *skb, int offset, 69 int hdr_flags, struct ip_vs_iphdr *iphdr) 70{ 71 iphdr->hdr_flags = hdr_flags; 72 iphdr->off = offset; 73 74#ifdef CONFIG_IP_VS_IPV6 75 if (af == AF_INET6) { 76 struct ipv6hdr _iph; 77 const struct ipv6hdr *iph = skb_header_pointer( 78 skb, offset, sizeof(_iph), &_iph); 79 if (!iph) 80 return 0; 81 82 iphdr->saddr.in6 = iph->saddr; 83 iphdr->daddr.in6 = iph->daddr; 84 /* ipv6_find_hdr() updates len, flags */ 85 iphdr->len = offset; 86 iphdr->flags = 0; 87 iphdr->protocol = ipv6_find_hdr(skb, &iphdr->len, -1, 88 &iphdr->fragoffs, 89 &iphdr->flags); 90 if (iphdr->protocol < 0) 91 return 0; 92 } else 93#endif 94 { 95 struct iphdr _iph; 96 const struct iphdr *iph = skb_header_pointer( 97 skb, offset, sizeof(_iph), &_iph); 98 if (!iph) 99 return 0; 100 101 iphdr->len = offset + iph->ihl * 4; 102 iphdr->fragoffs = 0; 103 iphdr->protocol = iph->protocol; 104 iphdr->saddr.ip = iph->saddr; 105 iphdr->daddr.ip = iph->daddr; 106 } 107 108 return 1; 109} 110 111static inline int 112ip_vs_fill_iph_skb_icmp(int af, const struct sk_buff *skb, int offset, 113 bool inverse, struct ip_vs_iphdr *iphdr) 114{ 115 int hdr_flags = IP_VS_HDR_ICMP; 116 117 if (inverse) 118 hdr_flags |= IP_VS_HDR_INVERSE; 119 120 return ip_vs_fill_iph_skb_off(af, skb, offset, hdr_flags, iphdr); 121} 122 123static inline int 124ip_vs_fill_iph_skb(int af, const struct sk_buff *skb, bool inverse, 125 struct ip_vs_iphdr *iphdr) 126{ 127 int hdr_flags = 0; 128 129 if (inverse) 130 hdr_flags |= IP_VS_HDR_INVERSE; 131 132 return ip_vs_fill_iph_skb_off(af, skb, skb_network_offset(skb), 133 hdr_flags, iphdr); 134} 135 136static inline bool 137ip_vs_iph_inverse(const struct ip_vs_iphdr *iph) 138{ 139 return !!(iph->hdr_flags & IP_VS_HDR_INVERSE); 140} 141 142static inline bool 143ip_vs_iph_icmp(const struct ip_vs_iphdr *iph) 144{ 145 return !!(iph->hdr_flags & IP_VS_HDR_ICMP); 146} 147 148static inline void ip_vs_addr_copy(int af, union nf_inet_addr *dst, 149 const union nf_inet_addr *src) 150{ 151#ifdef CONFIG_IP_VS_IPV6 152 if (af == AF_INET6) 153 dst->in6 = src->in6; 154 else 155#endif 156 dst->ip = src->ip; 157} 158 159static inline void ip_vs_addr_set(int af, union nf_inet_addr *dst, 160 const union nf_inet_addr *src) 161{ 162#ifdef CONFIG_IP_VS_IPV6 163 if (af == AF_INET6) { 164 dst->in6 = src->in6; 165 return; 166 } 167#endif 168 dst->ip = src->ip; 169 dst->all[1] = 0; 170 dst->all[2] = 0; 171 dst->all[3] = 0; 172} 173 174static inline int ip_vs_addr_equal(int af, const union nf_inet_addr *a, 175 const union nf_inet_addr *b) 176{ 177#ifdef CONFIG_IP_VS_IPV6 178 if (af == AF_INET6) 179 return ipv6_addr_equal(&a->in6, &b->in6); 180#endif 181 return a->ip == b->ip; 182} 183 184#ifdef CONFIG_IP_VS_DEBUG 185#include <linux/net.h> 186 187int ip_vs_get_debug_level(void); 188 189static inline const char *ip_vs_dbg_addr(int af, char *buf, size_t buf_len, 190 const union nf_inet_addr *addr, 191 int *idx) 192{ 193 int len; 194#ifdef CONFIG_IP_VS_IPV6 195 if (af == AF_INET6) 196 len = snprintf(&buf[*idx], buf_len - *idx, "[%pI6c]", 197 &addr->in6) + 1; 198 else 199#endif 200 len = snprintf(&buf[*idx], buf_len - *idx, "%pI4", 201 &addr->ip) + 1; 202 203 *idx += len; 204 BUG_ON(*idx > buf_len + 1); 205 return &buf[*idx - len]; 206} 207 208#define IP_VS_DBG_BUF(level, msg, ...) \ 209 do { \ 210 char ip_vs_dbg_buf[160]; \ 211 int ip_vs_dbg_idx = 0; \ 212 if (level <= ip_vs_get_debug_level()) \ 213 printk(KERN_DEBUG pr_fmt(msg), ##__VA_ARGS__); \ 214 } while (0) 215#define IP_VS_ERR_BUF(msg...) \ 216 do { \ 217 char ip_vs_dbg_buf[160]; \ 218 int ip_vs_dbg_idx = 0; \ 219 pr_err(msg); \ 220 } while (0) 221 222/* Only use from within IP_VS_DBG_BUF() or IP_VS_ERR_BUF macros */ 223#define IP_VS_DBG_ADDR(af, addr) \ 224 ip_vs_dbg_addr(af, ip_vs_dbg_buf, \ 225 sizeof(ip_vs_dbg_buf), addr, \ 226 &ip_vs_dbg_idx) 227 228#define IP_VS_DBG(level, msg, ...) \ 229 do { \ 230 if (level <= ip_vs_get_debug_level()) \ 231 printk(KERN_DEBUG pr_fmt(msg), ##__VA_ARGS__); \ 232 } while (0) 233#define IP_VS_DBG_RL(msg, ...) \ 234 do { \ 235 if (net_ratelimit()) \ 236 printk(KERN_DEBUG pr_fmt(msg), ##__VA_ARGS__); \ 237 } while (0) 238#define IP_VS_DBG_PKT(level, af, pp, skb, ofs, msg) \ 239 do { \ 240 if (level <= ip_vs_get_debug_level()) \ 241 pp->debug_packet(af, pp, skb, ofs, msg); \ 242 } while (0) 243#define IP_VS_DBG_RL_PKT(level, af, pp, skb, ofs, msg) \ 244 do { \ 245 if (level <= ip_vs_get_debug_level() && \ 246 net_ratelimit()) \ 247 pp->debug_packet(af, pp, skb, ofs, msg); \ 248 } while (0) 249#else /* NO DEBUGGING at ALL */ 250#define IP_VS_DBG_BUF(level, msg...) do {} while (0) 251#define IP_VS_ERR_BUF(msg...) do {} while (0) 252#define IP_VS_DBG(level, msg...) do {} while (0) 253#define IP_VS_DBG_RL(msg...) do {} while (0) 254#define IP_VS_DBG_PKT(level, af, pp, skb, ofs, msg) do {} while (0) 255#define IP_VS_DBG_RL_PKT(level, af, pp, skb, ofs, msg) do {} while (0) 256#endif 257 258#define IP_VS_BUG() BUG() 259#define IP_VS_ERR_RL(msg, ...) \ 260 do { \ 261 if (net_ratelimit()) \ 262 pr_err(msg, ##__VA_ARGS__); \ 263 } while (0) 264 265#ifdef CONFIG_IP_VS_DEBUG 266#define EnterFunction(level) \ 267 do { \ 268 if (level <= ip_vs_get_debug_level()) \ 269 printk(KERN_DEBUG \ 270 pr_fmt("Enter: %s, %s line %i\n"), \ 271 __func__, __FILE__, __LINE__); \ 272 } while (0) 273#define LeaveFunction(level) \ 274 do { \ 275 if (level <= ip_vs_get_debug_level()) \ 276 printk(KERN_DEBUG \ 277 pr_fmt("Leave: %s, %s line %i\n"), \ 278 __func__, __FILE__, __LINE__); \ 279 } while (0) 280#else 281#define EnterFunction(level) do {} while (0) 282#define LeaveFunction(level) do {} while (0) 283#endif 284 285/* The port number of FTP service (in network order). */ 286#define FTPPORT cpu_to_be16(21) 287#define FTPDATA cpu_to_be16(20) 288 289/* TCP State Values */ 290enum { 291 IP_VS_TCP_S_NONE = 0, 292 IP_VS_TCP_S_ESTABLISHED, 293 IP_VS_TCP_S_SYN_SENT, 294 IP_VS_TCP_S_SYN_RECV, 295 IP_VS_TCP_S_FIN_WAIT, 296 IP_VS_TCP_S_TIME_WAIT, 297 IP_VS_TCP_S_CLOSE, 298 IP_VS_TCP_S_CLOSE_WAIT, 299 IP_VS_TCP_S_LAST_ACK, 300 IP_VS_TCP_S_LISTEN, 301 IP_VS_TCP_S_SYNACK, 302 IP_VS_TCP_S_LAST 303}; 304 305/* UDP State Values */ 306enum { 307 IP_VS_UDP_S_NORMAL, 308 IP_VS_UDP_S_LAST, 309}; 310 311/* ICMP State Values */ 312enum { 313 IP_VS_ICMP_S_NORMAL, 314 IP_VS_ICMP_S_LAST, 315}; 316 317/* SCTP State Values */ 318enum ip_vs_sctp_states { 319 IP_VS_SCTP_S_NONE, 320 IP_VS_SCTP_S_INIT1, 321 IP_VS_SCTP_S_INIT, 322 IP_VS_SCTP_S_COOKIE_SENT, 323 IP_VS_SCTP_S_COOKIE_REPLIED, 324 IP_VS_SCTP_S_COOKIE_WAIT, 325 IP_VS_SCTP_S_COOKIE, 326 IP_VS_SCTP_S_COOKIE_ECHOED, 327 IP_VS_SCTP_S_ESTABLISHED, 328 IP_VS_SCTP_S_SHUTDOWN_SENT, 329 IP_VS_SCTP_S_SHUTDOWN_RECEIVED, 330 IP_VS_SCTP_S_SHUTDOWN_ACK_SENT, 331 IP_VS_SCTP_S_REJECTED, 332 IP_VS_SCTP_S_CLOSED, 333 IP_VS_SCTP_S_LAST 334}; 335 336/* Connection templates use bits from state */ 337#define IP_VS_CTPL_S_NONE 0x0000 338#define IP_VS_CTPL_S_ASSURED 0x0001 339#define IP_VS_CTPL_S_LAST 0x0002 340 341/* Delta sequence info structure 342 * Each ip_vs_conn has 2 (output AND input seq. changes). 343 * Only used in the VS/NAT. 344 */ 345struct ip_vs_seq { 346 __u32 init_seq; /* Add delta from this seq */ 347 __u32 delta; /* Delta in sequence numbers */ 348 __u32 previous_delta; /* Delta in sequence numbers 349 * before last resized pkt */ 350}; 351 352/* counters per cpu */ 353struct ip_vs_counters { 354 __u64 conns; /* connections scheduled */ 355 __u64 inpkts; /* incoming packets */ 356 __u64 outpkts; /* outgoing packets */ 357 __u64 inbytes; /* incoming bytes */ 358 __u64 outbytes; /* outgoing bytes */ 359}; 360/* Stats per cpu */ 361struct ip_vs_cpu_stats { 362 struct ip_vs_counters cnt; 363 struct u64_stats_sync syncp; 364}; 365 366/* IPVS statistics objects */ 367struct ip_vs_estimator { 368 struct list_head list; 369 370 u64 last_inbytes; 371 u64 last_outbytes; 372 u64 last_conns; 373 u64 last_inpkts; 374 u64 last_outpkts; 375 376 u64 cps; 377 u64 inpps; 378 u64 outpps; 379 u64 inbps; 380 u64 outbps; 381}; 382 383/* 384 * IPVS statistics object, 64-bit kernel version of struct ip_vs_stats_user 385 */ 386struct ip_vs_kstats { 387 u64 conns; /* connections scheduled */ 388 u64 inpkts; /* incoming packets */ 389 u64 outpkts; /* outgoing packets */ 390 u64 inbytes; /* incoming bytes */ 391 u64 outbytes; /* outgoing bytes */ 392 393 u64 cps; /* current connection rate */ 394 u64 inpps; /* current in packet rate */ 395 u64 outpps; /* current out packet rate */ 396 u64 inbps; /* current in byte rate */ 397 u64 outbps; /* current out byte rate */ 398}; 399 400struct ip_vs_stats { 401 struct ip_vs_kstats kstats; /* kernel statistics */ 402 struct ip_vs_estimator est; /* estimator */ 403 struct ip_vs_cpu_stats __percpu *cpustats; /* per cpu counters */ 404 spinlock_t lock; /* spin lock */ 405 struct ip_vs_kstats kstats0; /* reset values */ 406}; 407 408struct dst_entry; 409struct iphdr; 410struct ip_vs_conn; 411struct ip_vs_app; 412struct sk_buff; 413struct ip_vs_proto_data; 414 415struct ip_vs_protocol { 416 struct ip_vs_protocol *next; 417 char *name; 418 u16 protocol; 419 u16 num_states; 420 int dont_defrag; 421 422 void (*init)(struct ip_vs_protocol *pp); 423 424 void (*exit)(struct ip_vs_protocol *pp); 425 426 int (*init_netns)(struct netns_ipvs *ipvs, struct ip_vs_proto_data *pd); 427 428 void (*exit_netns)(struct netns_ipvs *ipvs, struct ip_vs_proto_data *pd); 429 430 int (*conn_schedule)(struct netns_ipvs *ipvs, 431 int af, struct sk_buff *skb, 432 struct ip_vs_proto_data *pd, 433 int *verdict, struct ip_vs_conn **cpp, 434 struct ip_vs_iphdr *iph); 435 436 struct ip_vs_conn * 437 (*conn_in_get)(struct netns_ipvs *ipvs, 438 int af, 439 const struct sk_buff *skb, 440 const struct ip_vs_iphdr *iph); 441 442 struct ip_vs_conn * 443 (*conn_out_get)(struct netns_ipvs *ipvs, 444 int af, 445 const struct sk_buff *skb, 446 const struct ip_vs_iphdr *iph); 447 448 int (*snat_handler)(struct sk_buff *skb, struct ip_vs_protocol *pp, 449 struct ip_vs_conn *cp, struct ip_vs_iphdr *iph); 450 451 int (*dnat_handler)(struct sk_buff *skb, struct ip_vs_protocol *pp, 452 struct ip_vs_conn *cp, struct ip_vs_iphdr *iph); 453 454 const char *(*state_name)(int state); 455 456 void (*state_transition)(struct ip_vs_conn *cp, int direction, 457 const struct sk_buff *skb, 458 struct ip_vs_proto_data *pd); 459 460 int (*register_app)(struct netns_ipvs *ipvs, struct ip_vs_app *inc); 461 462 void (*unregister_app)(struct netns_ipvs *ipvs, struct ip_vs_app *inc); 463 464 int (*app_conn_bind)(struct ip_vs_conn *cp); 465 466 void (*debug_packet)(int af, struct ip_vs_protocol *pp, 467 const struct sk_buff *skb, 468 int offset, 469 const char *msg); 470 471 void (*timeout_change)(struct ip_vs_proto_data *pd, int flags); 472}; 473 474/* protocol data per netns */ 475struct ip_vs_proto_data { 476 struct ip_vs_proto_data *next; 477 struct ip_vs_protocol *pp; 478 int *timeout_table; /* protocol timeout table */ 479 atomic_t appcnt; /* counter of proto app incs. */ 480 struct tcp_states_t *tcp_state_table; 481}; 482 483struct ip_vs_protocol *ip_vs_proto_get(unsigned short proto); 484struct ip_vs_proto_data *ip_vs_proto_data_get(struct netns_ipvs *ipvs, 485 unsigned short proto); 486 487struct ip_vs_conn_param { 488 struct netns_ipvs *ipvs; 489 const union nf_inet_addr *caddr; 490 const union nf_inet_addr *vaddr; 491 __be16 cport; 492 __be16 vport; 493 __u16 protocol; 494 u16 af; 495 496 const struct ip_vs_pe *pe; 497 char *pe_data; 498 __u8 pe_data_len; 499}; 500 501/* IP_VS structure allocated for each dynamically scheduled connection */ 502struct ip_vs_conn { 503 struct hlist_node c_list; /* hashed list heads */ 504 /* Protocol, addresses and port numbers */ 505 __be16 cport; 506 __be16 dport; 507 __be16 vport; 508 u16 af; /* address family */ 509 union nf_inet_addr caddr; /* client address */ 510 union nf_inet_addr vaddr; /* virtual address */ 511 union nf_inet_addr daddr; /* destination address */ 512 volatile __u32 flags; /* status flags */ 513 __u16 protocol; /* Which protocol (TCP/UDP) */ 514 __u16 daf; /* Address family of the dest */ 515 struct netns_ipvs *ipvs; 516 517 /* counter and timer */ 518 refcount_t refcnt; /* reference count */ 519 struct timer_list timer; /* Expiration timer */ 520 volatile unsigned long timeout; /* timeout */ 521 522 /* Flags and state transition */ 523 spinlock_t lock; /* lock for state transition */ 524 volatile __u16 state; /* state info */ 525 volatile __u16 old_state; /* old state, to be used for 526 * state transition triggerd 527 * synchronization 528 */ 529 __u32 fwmark; /* Fire wall mark from skb */ 530 unsigned long sync_endtime; /* jiffies + sent_retries */ 531 532 /* Control members */ 533 struct ip_vs_conn *control; /* Master control connection */ 534 atomic_t n_control; /* Number of controlled ones */ 535 struct ip_vs_dest *dest; /* real server */ 536 atomic_t in_pkts; /* incoming packet counter */ 537 538 /* Packet transmitter for different forwarding methods. If it 539 * mangles the packet, it must return NF_DROP or better NF_STOLEN, 540 * otherwise this must be changed to a sk_buff **. 541 * NF_ACCEPT can be returned when destination is local. 542 */ 543 int (*packet_xmit)(struct sk_buff *skb, struct ip_vs_conn *cp, 544 struct ip_vs_protocol *pp, struct ip_vs_iphdr *iph); 545 546 /* Note: we can group the following members into a structure, 547 * in order to save more space, and the following members are 548 * only used in VS/NAT anyway 549 */ 550 struct ip_vs_app *app; /* bound ip_vs_app object */ 551 void *app_data; /* Application private data */ 552 struct ip_vs_seq in_seq; /* incoming seq. struct */ 553 struct ip_vs_seq out_seq; /* outgoing seq. struct */ 554 555 const struct ip_vs_pe *pe; 556 char *pe_data; 557 __u8 pe_data_len; 558 559 struct rcu_head rcu_head; 560}; 561 562/* Extended internal versions of struct ip_vs_service_user and ip_vs_dest_user 563 * for IPv6 support. 564 * 565 * We need these to conveniently pass around service and destination 566 * options, but unfortunately, we also need to keep the old definitions to 567 * maintain userspace backwards compatibility for the setsockopt interface. 568 */ 569struct ip_vs_service_user_kern { 570 /* virtual service addresses */ 571 u16 af; 572 u16 protocol; 573 union nf_inet_addr addr; /* virtual ip address */ 574 __be16 port; 575 u32 fwmark; /* firwall mark of service */ 576 577 /* virtual service options */ 578 char *sched_name; 579 char *pe_name; 580 unsigned int flags; /* virtual service flags */ 581 unsigned int timeout; /* persistent timeout in sec */ 582 __be32 netmask; /* persistent netmask or plen */ 583}; 584 585 586struct ip_vs_dest_user_kern { 587 /* destination server address */ 588 union nf_inet_addr addr; 589 __be16 port; 590 591 /* real server options */ 592 unsigned int conn_flags; /* connection flags */ 593 int weight; /* destination weight */ 594 595 /* thresholds for active connections */ 596 u32 u_threshold; /* upper threshold */ 597 u32 l_threshold; /* lower threshold */ 598 599 /* Address family of addr */ 600 u16 af; 601 602 u16 tun_type; /* tunnel type */ 603 __be16 tun_port; /* tunnel port */ 604 u16 tun_flags; /* tunnel flags */ 605}; 606 607 608/* 609 * The information about the virtual service offered to the net and the 610 * forwarding entries. 611 */ 612struct ip_vs_service { 613 struct hlist_node s_list; /* for normal service table */ 614 struct hlist_node f_list; /* for fwmark-based service table */ 615 atomic_t refcnt; /* reference counter */ 616 617 u16 af; /* address family */ 618 __u16 protocol; /* which protocol (TCP/UDP) */ 619 union nf_inet_addr addr; /* IP address for virtual service */ 620 __be16 port; /* port number for the service */ 621 __u32 fwmark; /* firewall mark of the service */ 622 unsigned int flags; /* service status flags */ 623 unsigned int timeout; /* persistent timeout in ticks */ 624 __be32 netmask; /* grouping granularity, mask/plen */ 625 struct netns_ipvs *ipvs; 626 627 struct list_head destinations; /* real server d-linked list */ 628 __u32 num_dests; /* number of servers */ 629 struct ip_vs_stats stats; /* statistics for the service */ 630 631 /* for scheduling */ 632 struct ip_vs_scheduler __rcu *scheduler; /* bound scheduler object */ 633 spinlock_t sched_lock; /* lock sched_data */ 634 void *sched_data; /* scheduler application data */ 635 636 /* alternate persistence engine */ 637 struct ip_vs_pe __rcu *pe; 638 int conntrack_afmask; 639 640 struct rcu_head rcu_head; 641}; 642 643/* Information for cached dst */ 644struct ip_vs_dest_dst { 645 struct dst_entry *dst_cache; /* destination cache entry */ 646 u32 dst_cookie; 647 union nf_inet_addr dst_saddr; 648 struct rcu_head rcu_head; 649}; 650 651/* The real server destination forwarding entry with ip address, port number, 652 * and so on. 653 */ 654struct ip_vs_dest { 655 struct list_head n_list; /* for the dests in the service */ 656 struct hlist_node d_list; /* for table with all the dests */ 657 658 u16 af; /* address family */ 659 __be16 port; /* port number of the server */ 660 union nf_inet_addr addr; /* IP address of the server */ 661 volatile unsigned int flags; /* dest status flags */ 662 atomic_t conn_flags; /* flags to copy to conn */ 663 atomic_t weight; /* server weight */ 664 atomic_t last_weight; /* server latest weight */ 665 __u16 tun_type; /* tunnel type */ 666 __be16 tun_port; /* tunnel port */ 667 __u16 tun_flags; /* tunnel flags */ 668 669 refcount_t refcnt; /* reference counter */ 670 struct ip_vs_stats stats; /* statistics */ 671 unsigned long idle_start; /* start time, jiffies */ 672 673 /* connection counters and thresholds */ 674 atomic_t activeconns; /* active connections */ 675 atomic_t inactconns; /* inactive connections */ 676 atomic_t persistconns; /* persistent connections */ 677 __u32 u_threshold; /* upper threshold */ 678 __u32 l_threshold; /* lower threshold */ 679 680 /* for destination cache */ 681 spinlock_t dst_lock; /* lock of dst_cache */ 682 struct ip_vs_dest_dst __rcu *dest_dst; /* cached dst info */ 683 684 /* for virtual service */ 685 struct ip_vs_service __rcu *svc; /* service it belongs to */ 686 __u16 protocol; /* which protocol (TCP/UDP) */ 687 __be16 vport; /* virtual port number */ 688 union nf_inet_addr vaddr; /* virtual IP address */ 689 __u32 vfwmark; /* firewall mark of service */ 690 691 struct list_head t_list; /* in dest_trash */ 692 unsigned int in_rs_table:1; /* we are in rs_table */ 693}; 694 695/* The scheduler object */ 696struct ip_vs_scheduler { 697 struct list_head n_list; /* d-linked list head */ 698 char *name; /* scheduler name */ 699 atomic_t refcnt; /* reference counter */ 700 struct module *module; /* THIS_MODULE/NULL */ 701 702 /* scheduler initializing service */ 703 int (*init_service)(struct ip_vs_service *svc); 704 /* scheduling service finish */ 705 void (*done_service)(struct ip_vs_service *svc); 706 /* dest is linked */ 707 int (*add_dest)(struct ip_vs_service *svc, struct ip_vs_dest *dest); 708 /* dest is unlinked */ 709 int (*del_dest)(struct ip_vs_service *svc, struct ip_vs_dest *dest); 710 /* dest is updated */ 711 int (*upd_dest)(struct ip_vs_service *svc, struct ip_vs_dest *dest); 712 713 /* selecting a server from the given service */ 714 struct ip_vs_dest* (*schedule)(struct ip_vs_service *svc, 715 const struct sk_buff *skb, 716 struct ip_vs_iphdr *iph); 717}; 718 719/* The persistence engine object */ 720struct ip_vs_pe { 721 struct list_head n_list; /* d-linked list head */ 722 char *name; /* scheduler name */ 723 atomic_t refcnt; /* reference counter */ 724 struct module *module; /* THIS_MODULE/NULL */ 725 726 /* get the connection template, if any */ 727 int (*fill_param)(struct ip_vs_conn_param *p, struct sk_buff *skb); 728 bool (*ct_match)(const struct ip_vs_conn_param *p, 729 struct ip_vs_conn *ct); 730 u32 (*hashkey_raw)(const struct ip_vs_conn_param *p, u32 initval, 731 bool inverse); 732 int (*show_pe_data)(const struct ip_vs_conn *cp, char *buf); 733 /* create connections for real-server outgoing packets */ 734 struct ip_vs_conn* (*conn_out)(struct ip_vs_service *svc, 735 struct ip_vs_dest *dest, 736 struct sk_buff *skb, 737 const struct ip_vs_iphdr *iph, 738 __be16 dport, __be16 cport); 739}; 740 741/* The application module object (a.k.a. app incarnation) */ 742struct ip_vs_app { 743 struct list_head a_list; /* member in app list */ 744 int type; /* IP_VS_APP_TYPE_xxx */ 745 char *name; /* application module name */ 746 __u16 protocol; 747 struct module *module; /* THIS_MODULE/NULL */ 748 struct list_head incs_list; /* list of incarnations */ 749 750 /* members for application incarnations */ 751 struct list_head p_list; /* member in proto app list */ 752 struct ip_vs_app *app; /* its real application */ 753 __be16 port; /* port number in net order */ 754 atomic_t usecnt; /* usage counter */ 755 struct rcu_head rcu_head; 756 757 /* output hook: Process packet in inout direction, diff set for TCP. 758 * Return: 0=Error, 1=Payload Not Mangled/Mangled but checksum is ok, 759 * 2=Mangled but checksum was not updated 760 */ 761 int (*pkt_out)(struct ip_vs_app *, struct ip_vs_conn *, 762 struct sk_buff *, int *diff, struct ip_vs_iphdr *ipvsh); 763 764 /* input hook: Process packet in outin direction, diff set for TCP. 765 * Return: 0=Error, 1=Payload Not Mangled/Mangled but checksum is ok, 766 * 2=Mangled but checksum was not updated 767 */ 768 int (*pkt_in)(struct ip_vs_app *, struct ip_vs_conn *, 769 struct sk_buff *, int *diff, struct ip_vs_iphdr *ipvsh); 770 771 /* ip_vs_app initializer */ 772 int (*init_conn)(struct ip_vs_app *, struct ip_vs_conn *); 773 774 /* ip_vs_app finish */ 775 int (*done_conn)(struct ip_vs_app *, struct ip_vs_conn *); 776 777 778 /* not used now */ 779 int (*bind_conn)(struct ip_vs_app *, struct ip_vs_conn *, 780 struct ip_vs_protocol *); 781 782 void (*unbind_conn)(struct ip_vs_app *, struct ip_vs_conn *); 783 784 int * timeout_table; 785 int * timeouts; 786 int timeouts_size; 787 788 int (*conn_schedule)(struct sk_buff *skb, struct ip_vs_app *app, 789 int *verdict, struct ip_vs_conn **cpp); 790 791 struct ip_vs_conn * 792 (*conn_in_get)(const struct sk_buff *skb, struct ip_vs_app *app, 793 const struct iphdr *iph, int inverse); 794 795 struct ip_vs_conn * 796 (*conn_out_get)(const struct sk_buff *skb, struct ip_vs_app *app, 797 const struct iphdr *iph, int inverse); 798 799 int (*state_transition)(struct ip_vs_conn *cp, int direction, 800 const struct sk_buff *skb, 801 struct ip_vs_app *app); 802 803 void (*timeout_change)(struct ip_vs_app *app, int flags); 804}; 805 806struct ipvs_master_sync_state { 807 struct list_head sync_queue; 808 struct ip_vs_sync_buff *sync_buff; 809 unsigned long sync_queue_len; 810 unsigned int sync_queue_delay; 811 struct delayed_work master_wakeup_work; 812 struct netns_ipvs *ipvs; 813}; 814 815struct ip_vs_sync_thread_data; 816 817/* How much time to keep dests in trash */ 818#define IP_VS_DEST_TRASH_PERIOD (120 * HZ) 819 820struct ipvs_sync_daemon_cfg { 821 union nf_inet_addr mcast_group; 822 int syncid; 823 u16 sync_maxlen; 824 u16 mcast_port; 825 u8 mcast_af; 826 u8 mcast_ttl; 827 /* multicast interface name */ 828 char mcast_ifn[IP_VS_IFNAME_MAXLEN]; 829}; 830 831/* IPVS in network namespace */ 832struct netns_ipvs { 833 int gen; /* Generation */ 834 int enable; /* enable like nf_hooks do */ 835 /* Hash table: for real service lookups */ 836 #define IP_VS_RTAB_BITS 4 837 #define IP_VS_RTAB_SIZE (1 << IP_VS_RTAB_BITS) 838 #define IP_VS_RTAB_MASK (IP_VS_RTAB_SIZE - 1) 839 840 struct hlist_head rs_table[IP_VS_RTAB_SIZE]; 841 /* ip_vs_app */ 842 struct list_head app_list; 843 /* ip_vs_proto */ 844 #define IP_VS_PROTO_TAB_SIZE 32 /* must be power of 2 */ 845 struct ip_vs_proto_data *proto_data_table[IP_VS_PROTO_TAB_SIZE]; 846 /* ip_vs_proto_tcp */ 847#ifdef CONFIG_IP_VS_PROTO_TCP 848 #define TCP_APP_TAB_BITS 4 849 #define TCP_APP_TAB_SIZE (1 << TCP_APP_TAB_BITS) 850 #define TCP_APP_TAB_MASK (TCP_APP_TAB_SIZE - 1) 851 struct list_head tcp_apps[TCP_APP_TAB_SIZE]; 852#endif 853 /* ip_vs_proto_udp */ 854#ifdef CONFIG_IP_VS_PROTO_UDP 855 #define UDP_APP_TAB_BITS 4 856 #define UDP_APP_TAB_SIZE (1 << UDP_APP_TAB_BITS) 857 #define UDP_APP_TAB_MASK (UDP_APP_TAB_SIZE - 1) 858 struct list_head udp_apps[UDP_APP_TAB_SIZE]; 859#endif 860 /* ip_vs_proto_sctp */ 861#ifdef CONFIG_IP_VS_PROTO_SCTP 862 #define SCTP_APP_TAB_BITS 4 863 #define SCTP_APP_TAB_SIZE (1 << SCTP_APP_TAB_BITS) 864 #define SCTP_APP_TAB_MASK (SCTP_APP_TAB_SIZE - 1) 865 /* Hash table for SCTP application incarnations */ 866 struct list_head sctp_apps[SCTP_APP_TAB_SIZE]; 867#endif 868 /* ip_vs_conn */ 869 atomic_t conn_count; /* connection counter */ 870 871 /* ip_vs_ctl */ 872 struct ip_vs_stats tot_stats; /* Statistics & est. */ 873 874 int num_services; /* no of virtual services */ 875 int num_services6; /* IPv6 virtual services */ 876 877 /* Trash for destinations */ 878 struct list_head dest_trash; 879 spinlock_t dest_trash_lock; 880 struct timer_list dest_trash_timer; /* expiration timer */ 881 /* Service counters */ 882 atomic_t ftpsvc_counter; 883 atomic_t nullsvc_counter; 884 atomic_t conn_out_counter; 885 886#ifdef CONFIG_SYSCTL 887 /* delayed work for expiring no dest connections */ 888 struct delayed_work expire_nodest_conn_work; 889 /* 1/rate drop and drop-entry variables */ 890 struct delayed_work defense_work; /* Work handler */ 891 int drop_rate; 892 int drop_counter; 893 int old_secure_tcp; 894 atomic_t dropentry; 895 /* locks in ctl.c */ 896 spinlock_t dropentry_lock; /* drop entry handling */ 897 spinlock_t droppacket_lock; /* drop packet handling */ 898 spinlock_t securetcp_lock; /* state and timeout tables */ 899 900 /* sys-ctl struct */ 901 struct ctl_table_header *sysctl_hdr; 902 struct ctl_table *sysctl_tbl; 903#endif 904 905 /* sysctl variables */ 906 int sysctl_amemthresh; 907 int sysctl_am_droprate; 908 int sysctl_drop_entry; 909 int sysctl_drop_packet; 910 int sysctl_secure_tcp; 911#ifdef CONFIG_IP_VS_NFCT 912 int sysctl_conntrack; 913#endif 914 int sysctl_snat_reroute; 915 int sysctl_sync_ver; 916 int sysctl_sync_ports; 917 int sysctl_sync_persist_mode; 918 unsigned long sysctl_sync_qlen_max; 919 int sysctl_sync_sock_size; 920 int sysctl_cache_bypass; 921 int sysctl_expire_nodest_conn; 922 int sysctl_sloppy_tcp; 923 int sysctl_sloppy_sctp; 924 int sysctl_expire_quiescent_template; 925 int sysctl_sync_threshold[2]; 926 unsigned int sysctl_sync_refresh_period; 927 int sysctl_sync_retries; 928 int sysctl_nat_icmp_send; 929 int sysctl_pmtu_disc; 930 int sysctl_backup_only; 931 int sysctl_conn_reuse_mode; 932 int sysctl_schedule_icmp; 933 int sysctl_ignore_tunneled; 934 int sysctl_run_estimation; 935 936 /* ip_vs_lblc */ 937 int sysctl_lblc_expiration; 938 struct ctl_table_header *lblc_ctl_header; 939 struct ctl_table *lblc_ctl_table; 940 /* ip_vs_lblcr */ 941 int sysctl_lblcr_expiration; 942 struct ctl_table_header *lblcr_ctl_header; 943 struct ctl_table *lblcr_ctl_table; 944 /* ip_vs_est */ 945 struct list_head est_list; /* estimator list */ 946 spinlock_t est_lock; 947 struct timer_list est_timer; /* Estimation timer */ 948 /* ip_vs_sync */ 949 spinlock_t sync_lock; 950 struct ipvs_master_sync_state *ms; 951 spinlock_t sync_buff_lock; 952 struct ip_vs_sync_thread_data *master_tinfo; 953 struct ip_vs_sync_thread_data *backup_tinfo; 954 int threads_mask; 955 volatile int sync_state; 956 struct mutex sync_mutex; 957 struct ipvs_sync_daemon_cfg mcfg; /* Master Configuration */ 958 struct ipvs_sync_daemon_cfg bcfg; /* Backup Configuration */ 959 /* net name space ptr */ 960 struct net *net; /* Needed by timer routines */ 961 /* Number of heterogeneous destinations, needed becaus heterogeneous 962 * are not supported when synchronization is enabled. 963 */ 964 unsigned int mixed_address_family_dests; 965 unsigned int hooks_afmask; /* &1=AF_INET, &2=AF_INET6 */ 966}; 967 968#define DEFAULT_SYNC_THRESHOLD 3 969#define DEFAULT_SYNC_PERIOD 50 970#define DEFAULT_SYNC_VER 1 971#define DEFAULT_SLOPPY_TCP 0 972#define DEFAULT_SLOPPY_SCTP 0 973#define DEFAULT_SYNC_REFRESH_PERIOD (0U * HZ) 974#define DEFAULT_SYNC_RETRIES 0 975#define IPVS_SYNC_WAKEUP_RATE 8 976#define IPVS_SYNC_QLEN_MAX (IPVS_SYNC_WAKEUP_RATE * 4) 977#define IPVS_SYNC_SEND_DELAY (HZ / 50) 978#define IPVS_SYNC_CHECK_PERIOD HZ 979#define IPVS_SYNC_FLUSH_TIME (HZ * 2) 980#define IPVS_SYNC_PORTS_MAX (1 << 6) 981 982#ifdef CONFIG_SYSCTL 983 984static inline int sysctl_sync_threshold(struct netns_ipvs *ipvs) 985{ 986 return ipvs->sysctl_sync_threshold[0]; 987} 988 989static inline int sysctl_sync_period(struct netns_ipvs *ipvs) 990{ 991 return READ_ONCE(ipvs->sysctl_sync_threshold[1]); 992} 993 994static inline unsigned int sysctl_sync_refresh_period(struct netns_ipvs *ipvs) 995{ 996 return READ_ONCE(ipvs->sysctl_sync_refresh_period); 997} 998 999static inline int sysctl_sync_retries(struct netns_ipvs *ipvs) 1000{ 1001 return ipvs->sysctl_sync_retries; 1002} 1003 1004static inline int sysctl_sync_ver(struct netns_ipvs *ipvs) 1005{ 1006 return ipvs->sysctl_sync_ver; 1007} 1008 1009static inline int sysctl_sloppy_tcp(struct netns_ipvs *ipvs) 1010{ 1011 return ipvs->sysctl_sloppy_tcp; 1012} 1013 1014static inline int sysctl_sloppy_sctp(struct netns_ipvs *ipvs) 1015{ 1016 return ipvs->sysctl_sloppy_sctp; 1017} 1018 1019static inline int sysctl_sync_ports(struct netns_ipvs *ipvs) 1020{ 1021 return READ_ONCE(ipvs->sysctl_sync_ports); 1022} 1023 1024static inline int sysctl_sync_persist_mode(struct netns_ipvs *ipvs) 1025{ 1026 return ipvs->sysctl_sync_persist_mode; 1027} 1028 1029static inline unsigned long sysctl_sync_qlen_max(struct netns_ipvs *ipvs) 1030{ 1031 return ipvs->sysctl_sync_qlen_max; 1032} 1033 1034static inline int sysctl_sync_sock_size(struct netns_ipvs *ipvs) 1035{ 1036 return ipvs->sysctl_sync_sock_size; 1037} 1038 1039static inline int sysctl_pmtu_disc(struct netns_ipvs *ipvs) 1040{ 1041 return ipvs->sysctl_pmtu_disc; 1042} 1043 1044static inline int sysctl_backup_only(struct netns_ipvs *ipvs) 1045{ 1046 return ipvs->sync_state & IP_VS_STATE_BACKUP && 1047 ipvs->sysctl_backup_only; 1048} 1049 1050static inline int sysctl_conn_reuse_mode(struct netns_ipvs *ipvs) 1051{ 1052 return ipvs->sysctl_conn_reuse_mode; 1053} 1054 1055static inline int sysctl_expire_nodest_conn(struct netns_ipvs *ipvs) 1056{ 1057 return ipvs->sysctl_expire_nodest_conn; 1058} 1059 1060static inline int sysctl_schedule_icmp(struct netns_ipvs *ipvs) 1061{ 1062 return ipvs->sysctl_schedule_icmp; 1063} 1064 1065static inline int sysctl_ignore_tunneled(struct netns_ipvs *ipvs) 1066{ 1067 return ipvs->sysctl_ignore_tunneled; 1068} 1069 1070static inline int sysctl_cache_bypass(struct netns_ipvs *ipvs) 1071{ 1072 return ipvs->sysctl_cache_bypass; 1073} 1074 1075static inline int sysctl_run_estimation(struct netns_ipvs *ipvs) 1076{ 1077 return ipvs->sysctl_run_estimation; 1078} 1079 1080#else 1081 1082static inline int sysctl_sync_threshold(struct netns_ipvs *ipvs) 1083{ 1084 return DEFAULT_SYNC_THRESHOLD; 1085} 1086 1087static inline int sysctl_sync_period(struct netns_ipvs *ipvs) 1088{ 1089 return DEFAULT_SYNC_PERIOD; 1090} 1091 1092static inline unsigned int sysctl_sync_refresh_period(struct netns_ipvs *ipvs) 1093{ 1094 return DEFAULT_SYNC_REFRESH_PERIOD; 1095} 1096 1097static inline int sysctl_sync_retries(struct netns_ipvs *ipvs) 1098{ 1099 return DEFAULT_SYNC_RETRIES & 3; 1100} 1101 1102static inline int sysctl_sync_ver(struct netns_ipvs *ipvs) 1103{ 1104 return DEFAULT_SYNC_VER; 1105} 1106 1107static inline int sysctl_sloppy_tcp(struct netns_ipvs *ipvs) 1108{ 1109 return DEFAULT_SLOPPY_TCP; 1110} 1111 1112static inline int sysctl_sloppy_sctp(struct netns_ipvs *ipvs) 1113{ 1114 return DEFAULT_SLOPPY_SCTP; 1115} 1116 1117static inline int sysctl_sync_ports(struct netns_ipvs *ipvs) 1118{ 1119 return 1; 1120} 1121 1122static inline int sysctl_sync_persist_mode(struct netns_ipvs *ipvs) 1123{ 1124 return 0; 1125} 1126 1127static inline unsigned long sysctl_sync_qlen_max(struct netns_ipvs *ipvs) 1128{ 1129 return IPVS_SYNC_QLEN_MAX; 1130} 1131 1132static inline int sysctl_sync_sock_size(struct netns_ipvs *ipvs) 1133{ 1134 return 0; 1135} 1136 1137static inline int sysctl_pmtu_disc(struct netns_ipvs *ipvs) 1138{ 1139 return 1; 1140} 1141 1142static inline int sysctl_backup_only(struct netns_ipvs *ipvs) 1143{ 1144 return 0; 1145} 1146 1147static inline int sysctl_conn_reuse_mode(struct netns_ipvs *ipvs) 1148{ 1149 return 1; 1150} 1151 1152static inline int sysctl_expire_nodest_conn(struct netns_ipvs *ipvs) 1153{ 1154 return 0; 1155} 1156 1157static inline int sysctl_schedule_icmp(struct netns_ipvs *ipvs) 1158{ 1159 return 0; 1160} 1161 1162static inline int sysctl_ignore_tunneled(struct netns_ipvs *ipvs) 1163{ 1164 return 0; 1165} 1166 1167static inline int sysctl_cache_bypass(struct netns_ipvs *ipvs) 1168{ 1169 return 0; 1170} 1171 1172static inline int sysctl_run_estimation(struct netns_ipvs *ipvs) 1173{ 1174 return 1; 1175} 1176 1177#endif 1178 1179/* IPVS core functions 1180 * (from ip_vs_core.c) 1181 */ 1182const char *ip_vs_proto_name(unsigned int proto); 1183void ip_vs_init_hash_table(struct list_head *table, int rows); 1184struct ip_vs_conn *ip_vs_new_conn_out(struct ip_vs_service *svc, 1185 struct ip_vs_dest *dest, 1186 struct sk_buff *skb, 1187 const struct ip_vs_iphdr *iph, 1188 __be16 dport, 1189 __be16 cport); 1190#define IP_VS_INIT_HASH_TABLE(t) ip_vs_init_hash_table((t), ARRAY_SIZE((t))) 1191 1192#define IP_VS_APP_TYPE_FTP 1 1193 1194/* ip_vs_conn handling functions 1195 * (from ip_vs_conn.c) 1196 */ 1197enum { 1198 IP_VS_DIR_INPUT = 0, 1199 IP_VS_DIR_OUTPUT, 1200 IP_VS_DIR_INPUT_ONLY, 1201 IP_VS_DIR_LAST, 1202}; 1203 1204static inline void ip_vs_conn_fill_param(struct netns_ipvs *ipvs, int af, int protocol, 1205 const union nf_inet_addr *caddr, 1206 __be16 cport, 1207 const union nf_inet_addr *vaddr, 1208 __be16 vport, 1209 struct ip_vs_conn_param *p) 1210{ 1211 p->ipvs = ipvs; 1212 p->af = af; 1213 p->protocol = protocol; 1214 p->caddr = caddr; 1215 p->cport = cport; 1216 p->vaddr = vaddr; 1217 p->vport = vport; 1218 p->pe = NULL; 1219 p->pe_data = NULL; 1220} 1221 1222struct ip_vs_conn *ip_vs_conn_in_get(const struct ip_vs_conn_param *p); 1223struct ip_vs_conn *ip_vs_ct_in_get(const struct ip_vs_conn_param *p); 1224 1225struct ip_vs_conn * ip_vs_conn_in_get_proto(struct netns_ipvs *ipvs, int af, 1226 const struct sk_buff *skb, 1227 const struct ip_vs_iphdr *iph); 1228 1229struct ip_vs_conn *ip_vs_conn_out_get(const struct ip_vs_conn_param *p); 1230 1231struct ip_vs_conn * ip_vs_conn_out_get_proto(struct netns_ipvs *ipvs, int af, 1232 const struct sk_buff *skb, 1233 const struct ip_vs_iphdr *iph); 1234 1235/* Get reference to gain full access to conn. 1236 * By default, RCU read-side critical sections have access only to 1237 * conn fields and its PE data, see ip_vs_conn_rcu_free() for reference. 1238 */ 1239static inline bool __ip_vs_conn_get(struct ip_vs_conn *cp) 1240{ 1241 return refcount_inc_not_zero(&cp->refcnt); 1242} 1243 1244/* put back the conn without restarting its timer */ 1245static inline void __ip_vs_conn_put(struct ip_vs_conn *cp) 1246{ 1247 smp_mb__before_atomic(); 1248 refcount_dec(&cp->refcnt); 1249} 1250void ip_vs_conn_put(struct ip_vs_conn *cp); 1251void ip_vs_conn_fill_cport(struct ip_vs_conn *cp, __be16 cport); 1252 1253struct ip_vs_conn *ip_vs_conn_new(const struct ip_vs_conn_param *p, int dest_af, 1254 const union nf_inet_addr *daddr, 1255 __be16 dport, unsigned int flags, 1256 struct ip_vs_dest *dest, __u32 fwmark); 1257void ip_vs_conn_expire_now(struct ip_vs_conn *cp); 1258 1259const char *ip_vs_state_name(const struct ip_vs_conn *cp); 1260 1261void ip_vs_tcp_conn_listen(struct ip_vs_conn *cp); 1262int ip_vs_check_template(struct ip_vs_conn *ct, struct ip_vs_dest *cdest); 1263void ip_vs_random_dropentry(struct netns_ipvs *ipvs); 1264int ip_vs_conn_init(void); 1265void ip_vs_conn_cleanup(void); 1266 1267static inline void ip_vs_control_del(struct ip_vs_conn *cp) 1268{ 1269 struct ip_vs_conn *ctl_cp = cp->control; 1270 if (!ctl_cp) { 1271 IP_VS_ERR_BUF("request control DEL for uncontrolled: " 1272 "%s:%d to %s:%d\n", 1273 IP_VS_DBG_ADDR(cp->af, &cp->caddr), 1274 ntohs(cp->cport), 1275 IP_VS_DBG_ADDR(cp->af, &cp->vaddr), 1276 ntohs(cp->vport)); 1277 1278 return; 1279 } 1280 1281 IP_VS_DBG_BUF(7, "DELeting control for: " 1282 "cp.dst=%s:%d ctl_cp.dst=%s:%d\n", 1283 IP_VS_DBG_ADDR(cp->af, &cp->caddr), 1284 ntohs(cp->cport), 1285 IP_VS_DBG_ADDR(cp->af, &ctl_cp->caddr), 1286 ntohs(ctl_cp->cport)); 1287 1288 cp->control = NULL; 1289 if (atomic_read(&ctl_cp->n_control) == 0) { 1290 IP_VS_ERR_BUF("BUG control DEL with n=0 : " 1291 "%s:%d to %s:%d\n", 1292 IP_VS_DBG_ADDR(cp->af, &cp->caddr), 1293 ntohs(cp->cport), 1294 IP_VS_DBG_ADDR(cp->af, &cp->vaddr), 1295 ntohs(cp->vport)); 1296 1297 return; 1298 } 1299 atomic_dec(&ctl_cp->n_control); 1300} 1301 1302static inline void 1303ip_vs_control_add(struct ip_vs_conn *cp, struct ip_vs_conn *ctl_cp) 1304{ 1305 if (cp->control) { 1306 IP_VS_ERR_BUF("request control ADD for already controlled: " 1307 "%s:%d to %s:%d\n", 1308 IP_VS_DBG_ADDR(cp->af, &cp->caddr), 1309 ntohs(cp->cport), 1310 IP_VS_DBG_ADDR(cp->af, &cp->vaddr), 1311 ntohs(cp->vport)); 1312 1313 ip_vs_control_del(cp); 1314 } 1315 1316 IP_VS_DBG_BUF(7, "ADDing control for: " 1317 "cp.dst=%s:%d ctl_cp.dst=%s:%d\n", 1318 IP_VS_DBG_ADDR(cp->af, &cp->caddr), 1319 ntohs(cp->cport), 1320 IP_VS_DBG_ADDR(cp->af, &ctl_cp->caddr), 1321 ntohs(ctl_cp->cport)); 1322 1323 cp->control = ctl_cp; 1324 atomic_inc(&ctl_cp->n_control); 1325} 1326 1327/* Mark our template as assured */ 1328static inline void 1329ip_vs_control_assure_ct(struct ip_vs_conn *cp) 1330{ 1331 struct ip_vs_conn *ct = cp->control; 1332 1333 if (ct && !(ct->state & IP_VS_CTPL_S_ASSURED) && 1334 (ct->flags & IP_VS_CONN_F_TEMPLATE)) 1335 ct->state |= IP_VS_CTPL_S_ASSURED; 1336} 1337 1338/* IPVS netns init & cleanup functions */ 1339int ip_vs_estimator_net_init(struct netns_ipvs *ipvs); 1340int ip_vs_control_net_init(struct netns_ipvs *ipvs); 1341int ip_vs_protocol_net_init(struct netns_ipvs *ipvs); 1342int ip_vs_app_net_init(struct netns_ipvs *ipvs); 1343int ip_vs_conn_net_init(struct netns_ipvs *ipvs); 1344int ip_vs_sync_net_init(struct netns_ipvs *ipvs); 1345void ip_vs_conn_net_cleanup(struct netns_ipvs *ipvs); 1346void ip_vs_app_net_cleanup(struct netns_ipvs *ipvs); 1347void ip_vs_protocol_net_cleanup(struct netns_ipvs *ipvs); 1348void ip_vs_control_net_cleanup(struct netns_ipvs *ipvs); 1349void ip_vs_estimator_net_cleanup(struct netns_ipvs *ipvs); 1350void ip_vs_sync_net_cleanup(struct netns_ipvs *ipvs); 1351void ip_vs_service_nets_cleanup(struct list_head *net_list); 1352 1353/* IPVS application functions 1354 * (from ip_vs_app.c) 1355 */ 1356#define IP_VS_APP_MAX_PORTS 8 1357struct ip_vs_app *register_ip_vs_app(struct netns_ipvs *ipvs, struct ip_vs_app *app); 1358void unregister_ip_vs_app(struct netns_ipvs *ipvs, struct ip_vs_app *app); 1359int ip_vs_bind_app(struct ip_vs_conn *cp, struct ip_vs_protocol *pp); 1360void ip_vs_unbind_app(struct ip_vs_conn *cp); 1361int register_ip_vs_app_inc(struct netns_ipvs *ipvs, struct ip_vs_app *app, __u16 proto, 1362 __u16 port); 1363int ip_vs_app_inc_get(struct ip_vs_app *inc); 1364void ip_vs_app_inc_put(struct ip_vs_app *inc); 1365 1366int ip_vs_app_pkt_out(struct ip_vs_conn *, struct sk_buff *skb, 1367 struct ip_vs_iphdr *ipvsh); 1368int ip_vs_app_pkt_in(struct ip_vs_conn *, struct sk_buff *skb, 1369 struct ip_vs_iphdr *ipvsh); 1370 1371int register_ip_vs_pe(struct ip_vs_pe *pe); 1372int unregister_ip_vs_pe(struct ip_vs_pe *pe); 1373struct ip_vs_pe *ip_vs_pe_getbyname(const char *name); 1374struct ip_vs_pe *__ip_vs_pe_getbyname(const char *pe_name); 1375 1376/* Use a #define to avoid all of module.h just for these trivial ops */ 1377#define ip_vs_pe_get(pe) \ 1378 if (pe && pe->module) \ 1379 __module_get(pe->module); 1380 1381#define ip_vs_pe_put(pe) \ 1382 if (pe && pe->module) \ 1383 module_put(pe->module); 1384 1385/* IPVS protocol functions (from ip_vs_proto.c) */ 1386int ip_vs_protocol_init(void); 1387void ip_vs_protocol_cleanup(void); 1388void ip_vs_protocol_timeout_change(struct netns_ipvs *ipvs, int flags); 1389int *ip_vs_create_timeout_table(int *table, int size); 1390void ip_vs_tcpudp_debug_packet(int af, struct ip_vs_protocol *pp, 1391 const struct sk_buff *skb, int offset, 1392 const char *msg); 1393 1394extern struct ip_vs_protocol ip_vs_protocol_tcp; 1395extern struct ip_vs_protocol ip_vs_protocol_udp; 1396extern struct ip_vs_protocol ip_vs_protocol_icmp; 1397extern struct ip_vs_protocol ip_vs_protocol_esp; 1398extern struct ip_vs_protocol ip_vs_protocol_ah; 1399extern struct ip_vs_protocol ip_vs_protocol_sctp; 1400 1401/* Registering/unregistering scheduler functions 1402 * (from ip_vs_sched.c) 1403 */ 1404int register_ip_vs_scheduler(struct ip_vs_scheduler *scheduler); 1405int unregister_ip_vs_scheduler(struct ip_vs_scheduler *scheduler); 1406int ip_vs_bind_scheduler(struct ip_vs_service *svc, 1407 struct ip_vs_scheduler *scheduler); 1408void ip_vs_unbind_scheduler(struct ip_vs_service *svc, 1409 struct ip_vs_scheduler *sched); 1410struct ip_vs_scheduler *ip_vs_scheduler_get(const char *sched_name); 1411void ip_vs_scheduler_put(struct ip_vs_scheduler *scheduler); 1412struct ip_vs_conn * 1413ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb, 1414 struct ip_vs_proto_data *pd, int *ignored, 1415 struct ip_vs_iphdr *iph); 1416int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb, 1417 struct ip_vs_proto_data *pd, struct ip_vs_iphdr *iph); 1418 1419void ip_vs_scheduler_err(struct ip_vs_service *svc, const char *msg); 1420 1421/* IPVS control data and functions (from ip_vs_ctl.c) */ 1422extern struct ip_vs_stats ip_vs_stats; 1423extern int sysctl_ip_vs_sync_ver; 1424 1425struct ip_vs_service * 1426ip_vs_service_find(struct netns_ipvs *ipvs, int af, __u32 fwmark, __u16 protocol, 1427 const union nf_inet_addr *vaddr, __be16 vport); 1428 1429bool ip_vs_has_real_service(struct netns_ipvs *ipvs, int af, __u16 protocol, 1430 const union nf_inet_addr *daddr, __be16 dport); 1431 1432struct ip_vs_dest * 1433ip_vs_find_real_service(struct netns_ipvs *ipvs, int af, __u16 protocol, 1434 const union nf_inet_addr *daddr, __be16 dport); 1435struct ip_vs_dest *ip_vs_find_tunnel(struct netns_ipvs *ipvs, int af, 1436 const union nf_inet_addr *daddr, 1437 __be16 tun_port); 1438 1439int ip_vs_use_count_inc(void); 1440void ip_vs_use_count_dec(void); 1441int ip_vs_register_nl_ioctl(void); 1442void ip_vs_unregister_nl_ioctl(void); 1443int ip_vs_control_init(void); 1444void ip_vs_control_cleanup(void); 1445struct ip_vs_dest * 1446ip_vs_find_dest(struct netns_ipvs *ipvs, int svc_af, int dest_af, 1447 const union nf_inet_addr *daddr, __be16 dport, 1448 const union nf_inet_addr *vaddr, __be16 vport, 1449 __u16 protocol, __u32 fwmark, __u32 flags); 1450void ip_vs_try_bind_dest(struct ip_vs_conn *cp); 1451 1452static inline void ip_vs_dest_hold(struct ip_vs_dest *dest) 1453{ 1454 refcount_inc(&dest->refcnt); 1455} 1456 1457static inline void ip_vs_dest_put(struct ip_vs_dest *dest) 1458{ 1459 smp_mb__before_atomic(); 1460 refcount_dec(&dest->refcnt); 1461} 1462 1463static inline void ip_vs_dest_put_and_free(struct ip_vs_dest *dest) 1464{ 1465 if (refcount_dec_and_test(&dest->refcnt)) 1466 kfree(dest); 1467} 1468 1469/* IPVS sync daemon data and function prototypes 1470 * (from ip_vs_sync.c) 1471 */ 1472int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *cfg, 1473 int state); 1474int stop_sync_thread(struct netns_ipvs *ipvs, int state); 1475void ip_vs_sync_conn(struct netns_ipvs *ipvs, struct ip_vs_conn *cp, int pkts); 1476 1477/* IPVS rate estimator prototypes (from ip_vs_est.c) */ 1478void ip_vs_start_estimator(struct netns_ipvs *ipvs, struct ip_vs_stats *stats); 1479void ip_vs_stop_estimator(struct netns_ipvs *ipvs, struct ip_vs_stats *stats); 1480void ip_vs_zero_estimator(struct ip_vs_stats *stats); 1481void ip_vs_read_estimator(struct ip_vs_kstats *dst, struct ip_vs_stats *stats); 1482 1483/* Various IPVS packet transmitters (from ip_vs_xmit.c) */ 1484int ip_vs_null_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, 1485 struct ip_vs_protocol *pp, struct ip_vs_iphdr *iph); 1486int ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, 1487 struct ip_vs_protocol *pp, struct ip_vs_iphdr *iph); 1488int ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, 1489 struct ip_vs_protocol *pp, struct ip_vs_iphdr *iph); 1490int ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, 1491 struct ip_vs_protocol *pp, struct ip_vs_iphdr *iph); 1492int ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, 1493 struct ip_vs_protocol *pp, struct ip_vs_iphdr *iph); 1494int ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, 1495 struct ip_vs_protocol *pp, int offset, 1496 unsigned int hooknum, struct ip_vs_iphdr *iph); 1497void ip_vs_dest_dst_rcu_free(struct rcu_head *head); 1498 1499#ifdef CONFIG_IP_VS_IPV6 1500int ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, 1501 struct ip_vs_protocol *pp, struct ip_vs_iphdr *iph); 1502int ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, 1503 struct ip_vs_protocol *pp, struct ip_vs_iphdr *iph); 1504int ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, 1505 struct ip_vs_protocol *pp, struct ip_vs_iphdr *iph); 1506int ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, 1507 struct ip_vs_protocol *pp, struct ip_vs_iphdr *iph); 1508int ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, 1509 struct ip_vs_protocol *pp, int offset, 1510 unsigned int hooknum, struct ip_vs_iphdr *iph); 1511#endif 1512 1513#ifdef CONFIG_SYSCTL 1514/* This is a simple mechanism to ignore packets when 1515 * we are loaded. Just set ip_vs_drop_rate to 'n' and 1516 * we start to drop 1/rate of the packets 1517 */ 1518static inline int ip_vs_todrop(struct netns_ipvs *ipvs) 1519{ 1520 if (!ipvs->drop_rate) 1521 return 0; 1522 if (--ipvs->drop_counter > 0) 1523 return 0; 1524 ipvs->drop_counter = ipvs->drop_rate; 1525 return 1; 1526} 1527#else 1528static inline int ip_vs_todrop(struct netns_ipvs *ipvs) { return 0; } 1529#endif 1530 1531#ifdef CONFIG_SYSCTL 1532/* Enqueue delayed work for expiring no dest connections 1533 * Only run when sysctl_expire_nodest=1 1534 */ 1535static inline void ip_vs_enqueue_expire_nodest_conns(struct netns_ipvs *ipvs) 1536{ 1537 if (sysctl_expire_nodest_conn(ipvs)) 1538 queue_delayed_work(system_long_wq, 1539 &ipvs->expire_nodest_conn_work, 1); 1540} 1541 1542void ip_vs_expire_nodest_conn_flush(struct netns_ipvs *ipvs); 1543#else 1544static inline void ip_vs_enqueue_expire_nodest_conns(struct netns_ipvs *ipvs) {} 1545#endif 1546 1547#define IP_VS_DFWD_METHOD(dest) (atomic_read(&(dest)->conn_flags) & \ 1548 IP_VS_CONN_F_FWD_MASK) 1549 1550/* ip_vs_fwd_tag returns the forwarding tag of the connection */ 1551#define IP_VS_FWD_METHOD(cp) (cp->flags & IP_VS_CONN_F_FWD_MASK) 1552 1553static inline char ip_vs_fwd_tag(struct ip_vs_conn *cp) 1554{ 1555 char fwd; 1556 1557 switch (IP_VS_FWD_METHOD(cp)) { 1558 case IP_VS_CONN_F_MASQ: 1559 fwd = 'M'; break; 1560 case IP_VS_CONN_F_LOCALNODE: 1561 fwd = 'L'; break; 1562 case IP_VS_CONN_F_TUNNEL: 1563 fwd = 'T'; break; 1564 case IP_VS_CONN_F_DROUTE: 1565 fwd = 'R'; break; 1566 case IP_VS_CONN_F_BYPASS: 1567 fwd = 'B'; break; 1568 default: 1569 fwd = '?'; break; 1570 } 1571 return fwd; 1572} 1573 1574void ip_vs_nat_icmp(struct sk_buff *skb, struct ip_vs_protocol *pp, 1575 struct ip_vs_conn *cp, int dir); 1576 1577#ifdef CONFIG_IP_VS_IPV6 1578void ip_vs_nat_icmp_v6(struct sk_buff *skb, struct ip_vs_protocol *pp, 1579 struct ip_vs_conn *cp, int dir); 1580#endif 1581 1582__sum16 ip_vs_checksum_complete(struct sk_buff *skb, int offset); 1583 1584static inline __wsum ip_vs_check_diff4(__be32 old, __be32 new, __wsum oldsum) 1585{ 1586 __be32 diff[2] = { ~old, new }; 1587 1588 return csum_partial(diff, sizeof(diff), oldsum); 1589} 1590 1591#ifdef CONFIG_IP_VS_IPV6 1592static inline __wsum ip_vs_check_diff16(const __be32 *old, const __be32 *new, 1593 __wsum oldsum) 1594{ 1595 __be32 diff[8] = { ~old[3], ~old[2], ~old[1], ~old[0], 1596 new[3], new[2], new[1], new[0] }; 1597 1598 return csum_partial(diff, sizeof(diff), oldsum); 1599} 1600#endif 1601 1602static inline __wsum ip_vs_check_diff2(__be16 old, __be16 new, __wsum oldsum) 1603{ 1604 __be16 diff[2] = { ~old, new }; 1605 1606 return csum_partial(diff, sizeof(diff), oldsum); 1607} 1608 1609/* Forget current conntrack (unconfirmed) and attach notrack entry */ 1610static inline void ip_vs_notrack(struct sk_buff *skb) 1611{ 1612#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) 1613 enum ip_conntrack_info ctinfo; 1614 struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 1615 1616 if (ct) { 1617 nf_conntrack_put(&ct->ct_general); 1618 nf_ct_set(skb, NULL, IP_CT_UNTRACKED); 1619 } 1620#endif 1621} 1622 1623#ifdef CONFIG_IP_VS_NFCT 1624/* Netfilter connection tracking 1625 * (from ip_vs_nfct.c) 1626 */ 1627static inline int ip_vs_conntrack_enabled(struct netns_ipvs *ipvs) 1628{ 1629#ifdef CONFIG_SYSCTL 1630 return ipvs->sysctl_conntrack; 1631#else 1632 return 0; 1633#endif 1634} 1635 1636void ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, 1637 int outin); 1638int ip_vs_confirm_conntrack(struct sk_buff *skb); 1639void ip_vs_nfct_expect_related(struct sk_buff *skb, struct nf_conn *ct, 1640 struct ip_vs_conn *cp, u_int8_t proto, 1641 const __be16 port, int from_rs); 1642void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp); 1643 1644#else 1645 1646static inline int ip_vs_conntrack_enabled(struct netns_ipvs *ipvs) 1647{ 1648 return 0; 1649} 1650 1651static inline void ip_vs_update_conntrack(struct sk_buff *skb, 1652 struct ip_vs_conn *cp, int outin) 1653{ 1654} 1655 1656static inline int ip_vs_confirm_conntrack(struct sk_buff *skb) 1657{ 1658 return NF_ACCEPT; 1659} 1660 1661static inline void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp) 1662{ 1663} 1664#endif /* CONFIG_IP_VS_NFCT */ 1665 1666/* Using old conntrack that can not be redirected to another real server? */ 1667static inline bool ip_vs_conn_uses_old_conntrack(struct ip_vs_conn *cp, 1668 struct sk_buff *skb) 1669{ 1670#ifdef CONFIG_IP_VS_NFCT 1671 enum ip_conntrack_info ctinfo; 1672 struct nf_conn *ct; 1673 1674 ct = nf_ct_get(skb, &ctinfo); 1675 if (ct && nf_ct_is_confirmed(ct)) 1676 return true; 1677#endif 1678 return false; 1679} 1680 1681static inline int ip_vs_register_conntrack(struct ip_vs_service *svc) 1682{ 1683#if IS_ENABLED(CONFIG_NF_CONNTRACK) 1684 int afmask = (svc->af == AF_INET6) ? 2 : 1; 1685 int ret = 0; 1686 1687 if (!(svc->conntrack_afmask & afmask)) { 1688 ret = nf_ct_netns_get(svc->ipvs->net, svc->af); 1689 if (ret >= 0) 1690 svc->conntrack_afmask |= afmask; 1691 } 1692 return ret; 1693#else 1694 return 0; 1695#endif 1696} 1697 1698static inline void ip_vs_unregister_conntrack(struct ip_vs_service *svc) 1699{ 1700#if IS_ENABLED(CONFIG_NF_CONNTRACK) 1701 int afmask = (svc->af == AF_INET6) ? 2 : 1; 1702 1703 if (svc->conntrack_afmask & afmask) { 1704 nf_ct_netns_put(svc->ipvs->net, svc->af); 1705 svc->conntrack_afmask &= ~afmask; 1706 } 1707#endif 1708} 1709 1710int ip_vs_register_hooks(struct netns_ipvs *ipvs, unsigned int af); 1711void ip_vs_unregister_hooks(struct netns_ipvs *ipvs, unsigned int af); 1712 1713static inline int 1714ip_vs_dest_conn_overhead(struct ip_vs_dest *dest) 1715{ 1716 /* We think the overhead of processing active connections is 256 1717 * times higher than that of inactive connections in average. (This 1718 * 256 times might not be accurate, we will change it later) We 1719 * use the following formula to estimate the overhead now: 1720 * dest->activeconns*256 + dest->inactconns 1721 */ 1722 return (atomic_read(&dest->activeconns) << 8) + 1723 atomic_read(&dest->inactconns); 1724} 1725 1726#ifdef CONFIG_IP_VS_PROTO_TCP 1727INDIRECT_CALLABLE_DECLARE(int 1728 tcp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, 1729 struct ip_vs_conn *cp, struct ip_vs_iphdr *iph)); 1730#endif 1731 1732#ifdef CONFIG_IP_VS_PROTO_UDP 1733INDIRECT_CALLABLE_DECLARE(int 1734 udp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, 1735 struct ip_vs_conn *cp, struct ip_vs_iphdr *iph)); 1736#endif 1737#endif /* _NET_IP_VS_H */