2 * ip_vs_xmit.c: various packet transmitters for IPVS
4 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
5 * Julian Anastasov <ja@ssi.bg>
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version
10 * 2 of the License, or (at your option) any later version.
16 #define KMSG_COMPONENT "IPVS"
17 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
19 #include <linux/kernel.h>
20 #include <linux/tcp.h> /* for tcphdr */
22 #include <net/tcp.h> /* for csum_tcpudp_magic */
24 #include <net/icmp.h> /* for icmp_send */
25 #include <net/route.h> /* for ip_route_output */
27 #include <net/ip6_route.h>
28 #include <linux/icmpv6.h>
29 #include <linux/netfilter.h>
30 #include <linux/netfilter_ipv4.h>
32 #include <net/ip_vs.h>
36 * Destination cache to speed up outgoing route lookup
39 __ip_vs_dst_set(struct ip_vs_dest *dest, u32 rtos, struct dst_entry *dst)
41 struct dst_entry *old_dst;
43 old_dst = dest->dst_cache;
44 dest->dst_cache = dst;
45 dest->dst_rtos = rtos;
49 static inline struct dst_entry *
50 __ip_vs_dst_check(struct ip_vs_dest *dest, u32 rtos, u32 cookie)
52 struct dst_entry *dst = dest->dst_cache;
57 || (dest->af == AF_INET && rtos != dest->dst_rtos)) &&
58 dst->ops->check(dst, cookie) == NULL) {
59 dest->dst_cache = NULL;
67 static struct rtable *
68 __ip_vs_get_out_rt(struct ip_vs_conn *cp, u32 rtos)
70 struct rtable *rt; /* Route to the other host */
71 struct ip_vs_dest *dest = cp->dest;
74 spin_lock(&dest->dst_lock);
75 if (!(rt = (struct rtable *)
76 __ip_vs_dst_check(dest, rtos, 0))) {
81 .daddr = dest->addr.ip,
86 if (ip_route_output_key(&init_net, &rt, &fl)) {
87 spin_unlock(&dest->dst_lock);
88 IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
92 __ip_vs_dst_set(dest, rtos, dst_clone(&rt->u.dst));
93 IP_VS_DBG(10, "new dst %pI4, refcnt=%d, rtos=%X\n",
95 atomic_read(&rt->u.dst.__refcnt), rtos);
97 spin_unlock(&dest->dst_lock);
103 .daddr = cp->daddr.ip,
108 if (ip_route_output_key(&init_net, &rt, &fl)) {
109 IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
118 #ifdef CONFIG_IP_VS_IPV6
119 static struct rt6_info *
120 __ip_vs_get_out_rt_v6(struct ip_vs_conn *cp)
122 struct rt6_info *rt; /* Route to the other host */
123 struct ip_vs_dest *dest = cp->dest;
126 spin_lock(&dest->dst_lock);
127 rt = (struct rt6_info *)__ip_vs_dst_check(dest, 0, 0);
133 .daddr = dest->addr.in6,
142 rt = (struct rt6_info *)ip6_route_output(&init_net,
145 spin_unlock(&dest->dst_lock);
146 IP_VS_DBG_RL("ip6_route_output error, dest: %pI6\n",
150 __ip_vs_dst_set(dest, 0, dst_clone(&rt->u.dst));
151 IP_VS_DBG(10, "new dst %pI6, refcnt=%d\n",
153 atomic_read(&rt->u.dst.__refcnt));
155 spin_unlock(&dest->dst_lock);
161 .daddr = cp->daddr.in6,
163 .s6_addr32 = { 0, 0, 0, 0 },
169 rt = (struct rt6_info *)ip6_route_output(&init_net, NULL, &fl);
171 IP_VS_DBG_RL("ip6_route_output error, dest: %pI6\n",
183 * Release dest->dst_cache before a dest is removed
186 ip_vs_dst_reset(struct ip_vs_dest *dest)
188 struct dst_entry *old_dst;
190 old_dst = dest->dst_cache;
191 dest->dst_cache = NULL;
192 dst_release(old_dst);
195 #define IP_VS_XMIT(pf, skb, rt) \
197 (skb)->ipvs_property = 1; \
198 skb_forward_csum(skb); \
199 NF_HOOK(pf, NF_INET_LOCAL_OUT, (skb), NULL, \
200 (rt)->u.dst.dev, dst_output); \
205 * NULL transmitter (do nothing except return NF_ACCEPT)
208 ip_vs_null_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
209 struct ip_vs_protocol *pp)
211 /* we do not touch skb and do not need pskb ptr */
218 * Let packets bypass the destination when the destination is not
219 * available, it may be only used in transparent cache cluster.
222 ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
223 struct ip_vs_protocol *pp)
225 struct rtable *rt; /* Route to the other host */
226 struct iphdr *iph = ip_hdr(skb);
235 .tos = RT_TOS(tos), } },
240 if (ip_route_output_key(&init_net, &rt, &fl)) {
241 IP_VS_DBG_RL("%s(): ip_route_output error, dest: %pI4\n",
242 __func__, &iph->daddr);
247 mtu = dst_mtu(&rt->u.dst);
248 if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) {
250 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
251 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
256 * Call ip_send_check because we are not sure it is called
257 * after ip_defrag. Is copy-on-write needed?
259 if (unlikely((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)) {
263 ip_send_check(ip_hdr(skb));
267 skb_dst_set(skb, &rt->u.dst);
269 /* Another hack: avoid icmp_send in ip_fragment */
272 IP_VS_XMIT(PF_INET, skb, rt);
278 dst_link_failure(skb);
285 #ifdef CONFIG_IP_VS_IPV6
287 ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
288 struct ip_vs_protocol *pp)
290 struct rt6_info *rt; /* Route to the other host */
291 struct ipv6hdr *iph = ipv6_hdr(skb);
298 .saddr = { .s6_addr32 = {0, 0, 0, 0} }, } },
303 rt = (struct rt6_info *)ip6_route_output(&init_net, NULL, &fl);
305 IP_VS_DBG_RL("%s(): ip6_route_output error, dest: %pI6\n",
306 __func__, &iph->daddr);
311 mtu = dst_mtu(&rt->u.dst);
312 if (skb->len > mtu) {
313 dst_release(&rt->u.dst);
314 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
315 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
320 * Call ip_send_check because we are not sure it is called
321 * after ip_defrag. Is copy-on-write needed?
323 skb = skb_share_check(skb, GFP_ATOMIC);
324 if (unlikely(skb == NULL)) {
325 dst_release(&rt->u.dst);
331 skb_dst_set(skb, &rt->u.dst);
333 /* Another hack: avoid icmp_send in ip_fragment */
336 IP_VS_XMIT(PF_INET6, skb, rt);
342 dst_link_failure(skb);
351 * NAT transmitter (only for outside-to-inside nat forwarding)
352 * Not used for related ICMP
355 ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
356 struct ip_vs_protocol *pp)
358 struct rtable *rt; /* Route to the other host */
360 struct iphdr *iph = ip_hdr(skb);
364 /* check if it is a connection of no-client-port */
365 if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {
367 p = skb_header_pointer(skb, iph->ihl*4, sizeof(_pt), &_pt);
370 ip_vs_conn_fill_cport(cp, *p);
371 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
374 if (!(rt = __ip_vs_get_out_rt(cp, RT_TOS(iph->tos))))
378 mtu = dst_mtu(&rt->u.dst);
379 if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) {
381 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
382 IP_VS_DBG_RL_PKT(0, pp, skb, 0, "ip_vs_nat_xmit(): frag needed for");
386 /* copy-on-write the packet before mangling it */
387 if (!skb_make_writable(skb, sizeof(struct iphdr)))
390 if (skb_cow(skb, rt->u.dst.dev->hard_header_len))
395 skb_dst_set(skb, &rt->u.dst);
397 /* mangle the packet */
398 if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp))
400 ip_hdr(skb)->daddr = cp->daddr.ip;
401 ip_send_check(ip_hdr(skb));
403 IP_VS_DBG_PKT(10, pp, skb, 0, "After DNAT");
405 /* FIXME: when application helper enlarges the packet and the length
406 is larger than the MTU of outgoing device, there will be still
409 /* Another hack: avoid icmp_send in ip_fragment */
412 IP_VS_XMIT(PF_INET, skb, rt);
418 dst_link_failure(skb);
428 #ifdef CONFIG_IP_VS_IPV6
430 ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
431 struct ip_vs_protocol *pp)
433 struct rt6_info *rt; /* Route to the other host */
438 /* check if it is a connection of no-client-port */
439 if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {
441 p = skb_header_pointer(skb, sizeof(struct ipv6hdr),
445 ip_vs_conn_fill_cport(cp, *p);
446 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
449 rt = __ip_vs_get_out_rt_v6(cp);
454 mtu = dst_mtu(&rt->u.dst);
455 if (skb->len > mtu) {
456 dst_release(&rt->u.dst);
457 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
458 IP_VS_DBG_RL_PKT(0, pp, skb, 0,
459 "ip_vs_nat_xmit_v6(): frag needed for");
463 /* copy-on-write the packet before mangling it */
464 if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
467 if (skb_cow(skb, rt->u.dst.dev->hard_header_len))
472 skb_dst_set(skb, &rt->u.dst);
474 /* mangle the packet */
475 if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp))
477 ipv6_hdr(skb)->daddr = cp->daddr.in6;
479 IP_VS_DBG_PKT(10, pp, skb, 0, "After DNAT");
481 /* FIXME: when application helper enlarges the packet and the length
482 is larger than the MTU of outgoing device, there will be still
485 /* Another hack: avoid icmp_send in ip_fragment */
488 IP_VS_XMIT(PF_INET6, skb, rt);
494 dst_link_failure(skb);
500 dst_release(&rt->u.dst);
507 * IP Tunneling transmitter
509 * This function encapsulates the packet in a new IP packet, its
510 * destination will be set to cp->daddr. Most code of this function
511 * is taken from ipip.c.
513 * It is used in VS/TUN cluster. The load balancer selects a real
514 * server from a cluster based on a scheduling algorithm,
515 * encapsulates the request packet and forwards it to the selected
516 * server. For example, all real servers are configured with
517 * "ifconfig tunl0 <Virtual IP Address> up". When the server receives
518 * the encapsulated packet, it will decapsulate the packet, processe
519 * the request and return the response packets directly to the client
520 * without passing the load balancer. This can greatly increase the
521 * scalability of virtual server.
523 * Used for ANY protocol
526 ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
527 struct ip_vs_protocol *pp)
529 struct rtable *rt; /* Route to the other host */
530 struct net_device *tdev; /* Device to other host */
531 struct iphdr *old_iph = ip_hdr(skb);
532 u8 tos = old_iph->tos;
533 __be16 df = old_iph->frag_off;
534 sk_buff_data_t old_transport_header = skb->transport_header;
535 struct iphdr *iph; /* Our new IP header */
536 unsigned int max_headroom; /* The extra header space needed */
541 if (skb->protocol != htons(ETH_P_IP)) {
542 IP_VS_DBG_RL("%s(): protocol error, "
543 "ETH_P_IP: %d, skb protocol: %d\n",
544 __func__, htons(ETH_P_IP), skb->protocol);
548 if (!(rt = __ip_vs_get_out_rt(cp, RT_TOS(tos))))
551 tdev = rt->u.dst.dev;
553 mtu = dst_mtu(&rt->u.dst) - sizeof(struct iphdr);
556 IP_VS_DBG_RL("%s(): mtu less than 68\n", __func__);
560 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), mtu);
562 df |= (old_iph->frag_off & htons(IP_DF));
564 if ((old_iph->frag_off & htons(IP_DF))
565 && mtu < ntohs(old_iph->tot_len)) {
566 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
568 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
573 * Okay, now see if we can stuff it in the buffer as-is.
575 max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct iphdr);
577 if (skb_headroom(skb) < max_headroom
578 || skb_cloned(skb) || skb_shared(skb)) {
579 struct sk_buff *new_skb =
580 skb_realloc_headroom(skb, max_headroom);
584 IP_VS_ERR_RL("%s(): no memory\n", __func__);
589 old_iph = ip_hdr(skb);
592 skb->transport_header = old_transport_header;
594 /* fix old IP header checksum */
595 ip_send_check(old_iph);
597 skb_push(skb, sizeof(struct iphdr));
598 skb_reset_network_header(skb);
599 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
603 skb_dst_set(skb, &rt->u.dst);
606 * Push down and install the IPIP header.
610 iph->ihl = sizeof(struct iphdr)>>2;
612 iph->protocol = IPPROTO_IPIP;
614 iph->daddr = rt->rt_dst;
615 iph->saddr = rt->rt_src;
616 iph->ttl = old_iph->ttl;
617 ip_select_ident(iph, &rt->u.dst, NULL);
619 /* Another hack: avoid icmp_send in ip_fragment */
629 dst_link_failure(skb);
636 #ifdef CONFIG_IP_VS_IPV6
638 ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
639 struct ip_vs_protocol *pp)
641 struct rt6_info *rt; /* Route to the other host */
642 struct net_device *tdev; /* Device to other host */
643 struct ipv6hdr *old_iph = ipv6_hdr(skb);
644 sk_buff_data_t old_transport_header = skb->transport_header;
645 struct ipv6hdr *iph; /* Our new IP header */
646 unsigned int max_headroom; /* The extra header space needed */
651 if (skb->protocol != htons(ETH_P_IPV6)) {
652 IP_VS_DBG_RL("%s(): protocol error, "
653 "ETH_P_IPV6: %d, skb protocol: %d\n",
654 __func__, htons(ETH_P_IPV6), skb->protocol);
658 rt = __ip_vs_get_out_rt_v6(cp);
662 tdev = rt->u.dst.dev;
664 mtu = dst_mtu(&rt->u.dst) - sizeof(struct ipv6hdr);
665 /* TODO IPv6: do we need this check in IPv6? */
667 dst_release(&rt->u.dst);
668 IP_VS_DBG_RL("%s(): mtu less than 1280\n", __func__);
672 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), mtu);
674 if (mtu < ntohs(old_iph->payload_len) + sizeof(struct ipv6hdr)) {
675 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
676 dst_release(&rt->u.dst);
677 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
682 * Okay, now see if we can stuff it in the buffer as-is.
684 max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct ipv6hdr);
686 if (skb_headroom(skb) < max_headroom
687 || skb_cloned(skb) || skb_shared(skb)) {
688 struct sk_buff *new_skb =
689 skb_realloc_headroom(skb, max_headroom);
691 dst_release(&rt->u.dst);
693 IP_VS_ERR_RL("%s(): no memory\n", __func__);
698 old_iph = ipv6_hdr(skb);
701 skb->transport_header = old_transport_header;
703 skb_push(skb, sizeof(struct ipv6hdr));
704 skb_reset_network_header(skb);
705 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
709 skb_dst_set(skb, &rt->u.dst);
712 * Push down and install the IPIP header.
716 iph->nexthdr = IPPROTO_IPV6;
717 iph->payload_len = old_iph->payload_len;
718 be16_add_cpu(&iph->payload_len, sizeof(*old_iph));
719 iph->priority = old_iph->priority;
720 memset(&iph->flow_lbl, 0, sizeof(iph->flow_lbl));
721 iph->daddr = rt->rt6i_dst.addr;
722 iph->saddr = cp->vaddr.in6; /* rt->rt6i_src.addr; */
723 iph->hop_limit = old_iph->hop_limit;
725 /* Another hack: avoid icmp_send in ip_fragment */
735 dst_link_failure(skb);
745 * Direct Routing transmitter
746 * Used for ANY protocol
749 ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
750 struct ip_vs_protocol *pp)
752 struct rtable *rt; /* Route to the other host */
753 struct iphdr *iph = ip_hdr(skb);
758 if (!(rt = __ip_vs_get_out_rt(cp, RT_TOS(iph->tos))))
762 mtu = dst_mtu(&rt->u.dst);
763 if ((iph->frag_off & htons(IP_DF)) && skb->len > mtu) {
764 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
766 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
771 * Call ip_send_check because we are not sure it is called
772 * after ip_defrag. Is copy-on-write needed?
774 if (unlikely((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)) {
778 ip_send_check(ip_hdr(skb));
782 skb_dst_set(skb, &rt->u.dst);
784 /* Another hack: avoid icmp_send in ip_fragment */
787 IP_VS_XMIT(PF_INET, skb, rt);
793 dst_link_failure(skb);
800 #ifdef CONFIG_IP_VS_IPV6
802 ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
803 struct ip_vs_protocol *pp)
805 struct rt6_info *rt; /* Route to the other host */
810 rt = __ip_vs_get_out_rt_v6(cp);
815 mtu = dst_mtu(&rt->u.dst);
816 if (skb->len > mtu) {
817 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
818 dst_release(&rt->u.dst);
819 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
824 * Call ip_send_check because we are not sure it is called
825 * after ip_defrag. Is copy-on-write needed?
827 skb = skb_share_check(skb, GFP_ATOMIC);
828 if (unlikely(skb == NULL)) {
829 dst_release(&rt->u.dst);
835 skb_dst_set(skb, &rt->u.dst);
837 /* Another hack: avoid icmp_send in ip_fragment */
840 IP_VS_XMIT(PF_INET6, skb, rt);
846 dst_link_failure(skb);
856 * ICMP packet transmitter
857 * called by the ip_vs_in_icmp
860 ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
861 struct ip_vs_protocol *pp, int offset)
863 struct rtable *rt; /* Route to the other host */
869 /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
870 forwarded directly here, because there is no need to
871 translate address/port back */
872 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
874 rc = cp->packet_xmit(skb, cp, pp);
877 /* do not touch skb anymore */
878 atomic_inc(&cp->in_pkts);
883 * mangle and send the packet here (only for VS/NAT)
886 if (!(rt = __ip_vs_get_out_rt(cp, RT_TOS(ip_hdr(skb)->tos))))
890 mtu = dst_mtu(&rt->u.dst);
891 if ((skb->len > mtu) && (ip_hdr(skb)->frag_off & htons(IP_DF))) {
893 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
894 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
898 /* copy-on-write the packet before mangling it */
899 if (!skb_make_writable(skb, offset))
902 if (skb_cow(skb, rt->u.dst.dev->hard_header_len))
905 /* drop the old route when skb is not shared */
907 skb_dst_set(skb, &rt->u.dst);
909 ip_vs_nat_icmp(skb, pp, cp, 0);
911 /* Another hack: avoid icmp_send in ip_fragment */
914 IP_VS_XMIT(PF_INET, skb, rt);
920 dst_link_failure(skb);
932 #ifdef CONFIG_IP_VS_IPV6
934 ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
935 struct ip_vs_protocol *pp, int offset)
937 struct rt6_info *rt; /* Route to the other host */
943 /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
944 forwarded directly here, because there is no need to
945 translate address/port back */
946 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
948 rc = cp->packet_xmit(skb, cp, pp);
951 /* do not touch skb anymore */
952 atomic_inc(&cp->in_pkts);
957 * mangle and send the packet here (only for VS/NAT)
960 rt = __ip_vs_get_out_rt_v6(cp);
965 mtu = dst_mtu(&rt->u.dst);
966 if (skb->len > mtu) {
967 dst_release(&rt->u.dst);
968 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
969 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
973 /* copy-on-write the packet before mangling it */
974 if (!skb_make_writable(skb, offset))
977 if (skb_cow(skb, rt->u.dst.dev->hard_header_len))
980 /* drop the old route when skb is not shared */
982 skb_dst_set(skb, &rt->u.dst);
984 ip_vs_nat_icmp_v6(skb, pp, cp, 0);
986 /* Another hack: avoid icmp_send in ip_fragment */
989 IP_VS_XMIT(PF_INET6, skb, rt);
995 dst_link_failure(skb);
1003 dst_release(&rt->u.dst);
projects / linux-flexiantxendom0-natty.git / blob