2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the NetFilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
21 #define KMSG_COMPONENT "IPVS"
22 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
24 #include <linux/module.h>
25 #include <linux/init.h>
26 #include <linux/types.h>
27 #include <linux/capability.h>
29 #include <linux/sysctl.h>
30 #include <linux/proc_fs.h>
31 #include <linux/workqueue.h>
32 #include <linux/swap.h>
33 #include <linux/seq_file.h>
34 #include <linux/slab.h>
36 #include <linux/netfilter.h>
37 #include <linux/netfilter_ipv4.h>
38 #include <linux/mutex.h>
40 #include <net/net_namespace.h>
41 #include <linux/nsproxy.h>
43 #ifdef CONFIG_IP_VS_IPV6
45 #include <net/ip6_route.h>
47 #include <net/route.h>
49 #include <net/genetlink.h>
51 #include <asm/uaccess.h>
53 #include <net/ip_vs.h>
55 /* semaphore for IPVS sockopts. And, [gs]etsockopt may sleep. */
56 static DEFINE_MUTEX(__ip_vs_mutex);
58 /* lock for service table */
59 static DEFINE_RWLOCK(__ip_vs_svc_lock);
61 /* sysctl variables */
63 #ifdef CONFIG_IP_VS_DEBUG
64 static int sysctl_ip_vs_debug_level = 0;
66 int ip_vs_get_debug_level(void)
68 return sysctl_ip_vs_debug_level;
74 static void __ip_vs_del_service(struct ip_vs_service *svc);
77 #ifdef CONFIG_IP_VS_IPV6
78 /* Taken from rt6_fill_node() in net/ipv6/route.c, is there a better way? */
79 static bool __ip_vs_addr_is_local_v6(struct net *net,
80 const struct in6_addr *addr)
85 struct dst_entry *dst = ip6_route_output(net, NULL, &fl6);
88 is_local = !dst->error && dst->dev && (dst->dev->flags & IFF_LOOPBACK);
97 * update_defense_level is called from keventd and from sysctl,
98 * so it needs to protect itself from softirqs
100 static void update_defense_level(struct netns_ipvs *ipvs)
103 static int old_secure_tcp = 0;
108 /* we only count free and buffered memory (in pages) */
110 availmem = i.freeram + i.bufferram;
111 /* however in linux 2.5 the i.bufferram is total page cache size,
113 /* si_swapinfo(&i); */
114 /* availmem = availmem - (i.totalswap - i.freeswap); */
116 nomem = (availmem < ipvs->sysctl_amemthresh);
121 spin_lock(&ipvs->dropentry_lock);
122 switch (ipvs->sysctl_drop_entry) {
124 atomic_set(&ipvs->dropentry, 0);
128 atomic_set(&ipvs->dropentry, 1);
129 ipvs->sysctl_drop_entry = 2;
131 atomic_set(&ipvs->dropentry, 0);
136 atomic_set(&ipvs->dropentry, 1);
138 atomic_set(&ipvs->dropentry, 0);
139 ipvs->sysctl_drop_entry = 1;
143 atomic_set(&ipvs->dropentry, 1);
146 spin_unlock(&ipvs->dropentry_lock);
149 spin_lock(&ipvs->droppacket_lock);
150 switch (ipvs->sysctl_drop_packet) {
156 ipvs->drop_rate = ipvs->drop_counter
157 = ipvs->sysctl_amemthresh /
158 (ipvs->sysctl_amemthresh-availmem);
159 ipvs->sysctl_drop_packet = 2;
166 ipvs->drop_rate = ipvs->drop_counter
167 = ipvs->sysctl_amemthresh /
168 (ipvs->sysctl_amemthresh-availmem);
171 ipvs->sysctl_drop_packet = 1;
175 ipvs->drop_rate = ipvs->sysctl_am_droprate;
178 spin_unlock(&ipvs->droppacket_lock);
181 spin_lock(&ipvs->securetcp_lock);
182 switch (ipvs->sysctl_secure_tcp) {
184 if (old_secure_tcp >= 2)
189 if (old_secure_tcp < 2)
191 ipvs->sysctl_secure_tcp = 2;
193 if (old_secure_tcp >= 2)
199 if (old_secure_tcp < 2)
202 if (old_secure_tcp >= 2)
204 ipvs->sysctl_secure_tcp = 1;
208 if (old_secure_tcp < 2)
212 old_secure_tcp = ipvs->sysctl_secure_tcp;
214 ip_vs_protocol_timeout_change(ipvs,
215 ipvs->sysctl_secure_tcp > 1);
216 spin_unlock(&ipvs->securetcp_lock);
223 * Timer for checking the defense
225 #define DEFENSE_TIMER_PERIOD 1*HZ
227 static void defense_work_handler(struct work_struct *work)
229 struct netns_ipvs *ipvs =
230 container_of(work, struct netns_ipvs, defense_work.work);
232 update_defense_level(ipvs);
233 if (atomic_read(&ipvs->dropentry))
234 ip_vs_random_dropentry(ipvs->net);
235 schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
240 ip_vs_use_count_inc(void)
242 return try_module_get(THIS_MODULE);
246 ip_vs_use_count_dec(void)
248 module_put(THIS_MODULE);
253 * Hash table: for virtual service lookups
255 #define IP_VS_SVC_TAB_BITS 8
256 #define IP_VS_SVC_TAB_SIZE (1 << IP_VS_SVC_TAB_BITS)
257 #define IP_VS_SVC_TAB_MASK (IP_VS_SVC_TAB_SIZE - 1)
259 /* the service table hashed by <protocol, addr, port> */
260 static struct list_head ip_vs_svc_table[IP_VS_SVC_TAB_SIZE];
261 /* the service table hashed by fwmark */
262 static struct list_head ip_vs_svc_fwm_table[IP_VS_SVC_TAB_SIZE];
266 * Returns hash value for virtual service
268 static inline unsigned int
269 ip_vs_svc_hashkey(struct net *net, int af, unsigned int proto,
270 const union nf_inet_addr *addr, __be16 port)
272 register unsigned int porth = ntohs(port);
273 __be32 addr_fold = addr->ip;
275 #ifdef CONFIG_IP_VS_IPV6
277 addr_fold = addr->ip6[0]^addr->ip6[1]^
278 addr->ip6[2]^addr->ip6[3];
280 addr_fold ^= ((size_t)net>>8);
282 return (proto^ntohl(addr_fold)^(porth>>IP_VS_SVC_TAB_BITS)^porth)
283 & IP_VS_SVC_TAB_MASK;
287 * Returns hash value of fwmark for virtual service lookup
289 static inline unsigned int ip_vs_svc_fwm_hashkey(struct net *net, __u32 fwmark)
291 return (((size_t)net>>8) ^ fwmark) & IP_VS_SVC_TAB_MASK;
295 * Hashes a service in the ip_vs_svc_table by <netns,proto,addr,port>
296 * or in the ip_vs_svc_fwm_table by fwmark.
297 * Should be called with locked tables.
299 static int ip_vs_svc_hash(struct ip_vs_service *svc)
303 if (svc->flags & IP_VS_SVC_F_HASHED) {
304 pr_err("%s(): request for already hashed, called from %pF\n",
305 __func__, __builtin_return_address(0));
309 if (svc->fwmark == 0) {
311 * Hash it by <netns,protocol,addr,port> in ip_vs_svc_table
313 hash = ip_vs_svc_hashkey(svc->net, svc->af, svc->protocol,
314 &svc->addr, svc->port);
315 list_add(&svc->s_list, &ip_vs_svc_table[hash]);
318 * Hash it by fwmark in svc_fwm_table
320 hash = ip_vs_svc_fwm_hashkey(svc->net, svc->fwmark);
321 list_add(&svc->f_list, &ip_vs_svc_fwm_table[hash]);
324 svc->flags |= IP_VS_SVC_F_HASHED;
325 /* increase its refcnt because it is referenced by the svc table */
326 atomic_inc(&svc->refcnt);
332 * Unhashes a service from svc_table / svc_fwm_table.
333 * Should be called with locked tables.
335 static int ip_vs_svc_unhash(struct ip_vs_service *svc)
337 if (!(svc->flags & IP_VS_SVC_F_HASHED)) {
338 pr_err("%s(): request for unhash flagged, called from %pF\n",
339 __func__, __builtin_return_address(0));
343 if (svc->fwmark == 0) {
344 /* Remove it from the svc_table table */
345 list_del(&svc->s_list);
347 /* Remove it from the svc_fwm_table table */
348 list_del(&svc->f_list);
351 svc->flags &= ~IP_VS_SVC_F_HASHED;
352 atomic_dec(&svc->refcnt);
358 * Get service by {netns, proto,addr,port} in the service table.
360 static inline struct ip_vs_service *
361 __ip_vs_service_find(struct net *net, int af, __u16 protocol,
362 const union nf_inet_addr *vaddr, __be16 vport)
365 struct ip_vs_service *svc;
367 /* Check for "full" addressed entries */
368 hash = ip_vs_svc_hashkey(net, af, protocol, vaddr, vport);
370 list_for_each_entry(svc, &ip_vs_svc_table[hash], s_list){
372 && ip_vs_addr_equal(af, &svc->addr, vaddr)
373 && (svc->port == vport)
374 && (svc->protocol == protocol)
375 && net_eq(svc->net, net)) {
386 * Get service by {fwmark} in the service table.
388 static inline struct ip_vs_service *
389 __ip_vs_svc_fwm_find(struct net *net, int af, __u32 fwmark)
392 struct ip_vs_service *svc;
394 /* Check for fwmark addressed entries */
395 hash = ip_vs_svc_fwm_hashkey(net, fwmark);
397 list_for_each_entry(svc, &ip_vs_svc_fwm_table[hash], f_list) {
398 if (svc->fwmark == fwmark && svc->af == af
399 && net_eq(svc->net, net)) {
408 struct ip_vs_service *
409 ip_vs_service_get(struct net *net, int af, __u32 fwmark, __u16 protocol,
410 const union nf_inet_addr *vaddr, __be16 vport)
412 struct ip_vs_service *svc;
413 struct netns_ipvs *ipvs = net_ipvs(net);
415 read_lock(&__ip_vs_svc_lock);
418 * Check the table hashed by fwmark first
421 svc = __ip_vs_svc_fwm_find(net, af, fwmark);
427 * Check the table hashed by <protocol,addr,port>
428 * for "full" addressed entries
430 svc = __ip_vs_service_find(net, af, protocol, vaddr, vport);
433 && protocol == IPPROTO_TCP
434 && atomic_read(&ipvs->ftpsvc_counter)
435 && (vport == FTPDATA || ntohs(vport) >= PROT_SOCK)) {
437 * Check if ftp service entry exists, the packet
438 * might belong to FTP data connections.
440 svc = __ip_vs_service_find(net, af, protocol, vaddr, FTPPORT);
444 && atomic_read(&ipvs->nullsvc_counter)) {
446 * Check if the catch-all port (port zero) exists
448 svc = __ip_vs_service_find(net, af, protocol, vaddr, 0);
453 atomic_inc(&svc->usecnt);
454 read_unlock(&__ip_vs_svc_lock);
456 IP_VS_DBG_BUF(9, "lookup service: fwm %u %s %s:%u %s\n",
457 fwmark, ip_vs_proto_name(protocol),
458 IP_VS_DBG_ADDR(af, vaddr), ntohs(vport),
459 svc ? "hit" : "not hit");
466 __ip_vs_bind_svc(struct ip_vs_dest *dest, struct ip_vs_service *svc)
468 atomic_inc(&svc->refcnt);
473 __ip_vs_unbind_svc(struct ip_vs_dest *dest)
475 struct ip_vs_service *svc = dest->svc;
478 if (atomic_dec_and_test(&svc->refcnt)) {
479 IP_VS_DBG_BUF(3, "Removing service %u/%s:%u usecnt=%d\n",
481 IP_VS_DBG_ADDR(svc->af, &svc->addr),
482 ntohs(svc->port), atomic_read(&svc->usecnt));
483 free_percpu(svc->stats.cpustats);
490 * Returns hash value for real service
492 static inline unsigned int ip_vs_rs_hashkey(int af,
493 const union nf_inet_addr *addr,
496 register unsigned int porth = ntohs(port);
497 __be32 addr_fold = addr->ip;
499 #ifdef CONFIG_IP_VS_IPV6
501 addr_fold = addr->ip6[0]^addr->ip6[1]^
502 addr->ip6[2]^addr->ip6[3];
505 return (ntohl(addr_fold)^(porth>>IP_VS_RTAB_BITS)^porth)
510 * Hashes ip_vs_dest in rs_table by <proto,addr,port>.
511 * should be called with locked tables.
513 static int ip_vs_rs_hash(struct netns_ipvs *ipvs, struct ip_vs_dest *dest)
517 if (!list_empty(&dest->d_list)) {
522 * Hash by proto,addr,port,
523 * which are the parameters of the real service.
525 hash = ip_vs_rs_hashkey(dest->af, &dest->addr, dest->port);
527 list_add(&dest->d_list, &ipvs->rs_table[hash]);
533 * UNhashes ip_vs_dest from rs_table.
534 * should be called with locked tables.
536 static int ip_vs_rs_unhash(struct ip_vs_dest *dest)
539 * Remove it from the rs_table table.
541 if (!list_empty(&dest->d_list)) {
542 list_del_init(&dest->d_list);
549 * Lookup real service by <proto,addr,port> in the real service table.
552 ip_vs_lookup_real_service(struct net *net, int af, __u16 protocol,
553 const union nf_inet_addr *daddr,
556 struct netns_ipvs *ipvs = net_ipvs(net);
558 struct ip_vs_dest *dest;
561 * Check for "full" addressed entries
562 * Return the first found entry
564 hash = ip_vs_rs_hashkey(af, daddr, dport);
566 read_lock(&ipvs->rs_lock);
567 list_for_each_entry(dest, &ipvs->rs_table[hash], d_list) {
569 && ip_vs_addr_equal(af, &dest->addr, daddr)
570 && (dest->port == dport)
571 && ((dest->protocol == protocol) ||
574 read_unlock(&ipvs->rs_lock);
578 read_unlock(&ipvs->rs_lock);
584 * Lookup destination by {addr,port} in the given service
586 static struct ip_vs_dest *
587 ip_vs_lookup_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
590 struct ip_vs_dest *dest;
593 * Find the destination for the given service
595 list_for_each_entry(dest, &svc->destinations, n_list) {
596 if ((dest->af == svc->af)
597 && ip_vs_addr_equal(svc->af, &dest->addr, daddr)
598 && (dest->port == dport)) {
608 * Find destination by {daddr,dport,vaddr,protocol}
609 * Cretaed to be used in ip_vs_process_message() in
610 * the backup synchronization daemon. It finds the
611 * destination to be bound to the received connection
614 * ip_vs_lookup_real_service() looked promissing, but
615 * seems not working as expected.
617 struct ip_vs_dest *ip_vs_find_dest(struct net *net, int af,
618 const union nf_inet_addr *daddr,
620 const union nf_inet_addr *vaddr,
621 __be16 vport, __u16 protocol, __u32 fwmark,
624 struct ip_vs_dest *dest;
625 struct ip_vs_service *svc;
628 svc = ip_vs_service_get(net, af, fwmark, protocol, vaddr, vport);
631 if (fwmark && (flags & IP_VS_CONN_F_FWD_MASK) != IP_VS_CONN_F_MASQ)
633 dest = ip_vs_lookup_dest(svc, daddr, port);
635 dest = ip_vs_lookup_dest(svc, daddr, port ^ dport);
637 atomic_inc(&dest->refcnt);
638 ip_vs_service_put(svc);
643 * Lookup dest by {svc,addr,port} in the destination trash.
644 * The destination trash is used to hold the destinations that are removed
645 * from the service table but are still referenced by some conn entries.
646 * The reason to add the destination trash is when the dest is temporary
647 * down (either by administrator or by monitor program), the dest can be
648 * picked back from the trash, the remaining connections to the dest can
649 * continue, and the counting information of the dest is also useful for
652 static struct ip_vs_dest *
653 ip_vs_trash_get_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
656 struct ip_vs_dest *dest, *nxt;
657 struct netns_ipvs *ipvs = net_ipvs(svc->net);
660 * Find the destination in trash
662 list_for_each_entry_safe(dest, nxt, &ipvs->dest_trash, n_list) {
663 IP_VS_DBG_BUF(3, "Destination %u/%s:%u still in trash, "
666 IP_VS_DBG_ADDR(svc->af, &dest->addr),
668 atomic_read(&dest->refcnt));
669 if (dest->af == svc->af &&
670 ip_vs_addr_equal(svc->af, &dest->addr, daddr) &&
671 dest->port == dport &&
672 dest->vfwmark == svc->fwmark &&
673 dest->protocol == svc->protocol &&
675 (ip_vs_addr_equal(svc->af, &dest->vaddr, &svc->addr) &&
676 dest->vport == svc->port))) {
682 * Try to purge the destination from trash if not referenced
684 if (atomic_read(&dest->refcnt) == 1) {
685 IP_VS_DBG_BUF(3, "Removing destination %u/%s:%u "
688 IP_VS_DBG_ADDR(svc->af, &dest->addr),
690 list_del(&dest->n_list);
691 ip_vs_dst_reset(dest);
692 __ip_vs_unbind_svc(dest);
693 free_percpu(dest->stats.cpustats);
703 * Clean up all the destinations in the trash
704 * Called by the ip_vs_control_cleanup()
706 * When the ip_vs_control_clearup is activated by ipvs module exit,
707 * the service tables must have been flushed and all the connections
708 * are expired, and the refcnt of each destination in the trash must
709 * be 1, so we simply release them here.
711 static void ip_vs_trash_cleanup(struct net *net)
713 struct ip_vs_dest *dest, *nxt;
714 struct netns_ipvs *ipvs = net_ipvs(net);
716 list_for_each_entry_safe(dest, nxt, &ipvs->dest_trash, n_list) {
717 list_del(&dest->n_list);
718 ip_vs_dst_reset(dest);
719 __ip_vs_unbind_svc(dest);
720 free_percpu(dest->stats.cpustats);
726 ip_vs_copy_stats(struct ip_vs_stats_user *dst, struct ip_vs_stats *src)
728 #define IP_VS_SHOW_STATS_COUNTER(c) dst->c = src->ustats.c - src->ustats0.c
730 spin_lock_bh(&src->lock);
732 IP_VS_SHOW_STATS_COUNTER(conns);
733 IP_VS_SHOW_STATS_COUNTER(inpkts);
734 IP_VS_SHOW_STATS_COUNTER(outpkts);
735 IP_VS_SHOW_STATS_COUNTER(inbytes);
736 IP_VS_SHOW_STATS_COUNTER(outbytes);
738 ip_vs_read_estimator(dst, src);
740 spin_unlock_bh(&src->lock);
744 ip_vs_zero_stats(struct ip_vs_stats *stats)
746 spin_lock_bh(&stats->lock);
748 /* get current counters as zero point, rates are zeroed */
750 #define IP_VS_ZERO_STATS_COUNTER(c) stats->ustats0.c = stats->ustats.c
752 IP_VS_ZERO_STATS_COUNTER(conns);
753 IP_VS_ZERO_STATS_COUNTER(inpkts);
754 IP_VS_ZERO_STATS_COUNTER(outpkts);
755 IP_VS_ZERO_STATS_COUNTER(inbytes);
756 IP_VS_ZERO_STATS_COUNTER(outbytes);
758 ip_vs_zero_estimator(stats);
760 spin_unlock_bh(&stats->lock);
764 * Update a destination in the given service
767 __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
768 struct ip_vs_dest_user_kern *udest, int add)
770 struct netns_ipvs *ipvs = net_ipvs(svc->net);
773 /* set the weight and the flags */
774 atomic_set(&dest->weight, udest->weight);
775 conn_flags = udest->conn_flags & IP_VS_CONN_F_DEST_MASK;
776 conn_flags |= IP_VS_CONN_F_INACTIVE;
778 /* set the IP_VS_CONN_F_NOOUTPUT flag if not masquerading/NAT */
779 if ((conn_flags & IP_VS_CONN_F_FWD_MASK) != IP_VS_CONN_F_MASQ) {
780 conn_flags |= IP_VS_CONN_F_NOOUTPUT;
783 * Put the real service in rs_table if not present.
784 * For now only for NAT!
786 write_lock_bh(&ipvs->rs_lock);
787 ip_vs_rs_hash(ipvs, dest);
788 write_unlock_bh(&ipvs->rs_lock);
790 atomic_set(&dest->conn_flags, conn_flags);
792 /* bind the service */
794 __ip_vs_bind_svc(dest, svc);
796 if (dest->svc != svc) {
797 __ip_vs_unbind_svc(dest);
798 ip_vs_zero_stats(&dest->stats);
799 __ip_vs_bind_svc(dest, svc);
803 /* set the dest status flags */
804 dest->flags |= IP_VS_DEST_F_AVAILABLE;
806 if (udest->u_threshold == 0 || udest->u_threshold > dest->u_threshold)
807 dest->flags &= ~IP_VS_DEST_F_OVERLOAD;
808 dest->u_threshold = udest->u_threshold;
809 dest->l_threshold = udest->l_threshold;
811 spin_lock_bh(&dest->dst_lock);
812 ip_vs_dst_reset(dest);
813 spin_unlock_bh(&dest->dst_lock);
816 ip_vs_start_estimator(svc->net, &dest->stats);
818 write_lock_bh(&__ip_vs_svc_lock);
820 /* Wait until all other svc users go away */
821 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
824 list_add(&dest->n_list, &svc->destinations);
828 /* call the update_service, because server weight may be changed */
829 if (svc->scheduler->update_service)
830 svc->scheduler->update_service(svc);
832 write_unlock_bh(&__ip_vs_svc_lock);
837 * Create a destination for the given service
840 ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
841 struct ip_vs_dest **dest_p)
843 struct ip_vs_dest *dest;
848 #ifdef CONFIG_IP_VS_IPV6
849 if (svc->af == AF_INET6) {
850 atype = ipv6_addr_type(&udest->addr.in6);
851 if ((!(atype & IPV6_ADDR_UNICAST) ||
852 atype & IPV6_ADDR_LINKLOCAL) &&
853 !__ip_vs_addr_is_local_v6(svc->net, &udest->addr.in6))
858 atype = inet_addr_type(svc->net, udest->addr.ip);
859 if (atype != RTN_LOCAL && atype != RTN_UNICAST)
863 dest = kzalloc(sizeof(struct ip_vs_dest), GFP_KERNEL);
867 dest->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
868 if (!dest->stats.cpustats)
872 dest->protocol = svc->protocol;
873 dest->vaddr = svc->addr;
874 dest->vport = svc->port;
875 dest->vfwmark = svc->fwmark;
876 ip_vs_addr_copy(svc->af, &dest->addr, &udest->addr);
877 dest->port = udest->port;
879 atomic_set(&dest->activeconns, 0);
880 atomic_set(&dest->inactconns, 0);
881 atomic_set(&dest->persistconns, 0);
882 atomic_set(&dest->refcnt, 1);
884 INIT_LIST_HEAD(&dest->d_list);
885 spin_lock_init(&dest->dst_lock);
886 spin_lock_init(&dest->stats.lock);
887 __ip_vs_update_dest(svc, dest, udest, 1);
901 * Add a destination into an existing service
904 ip_vs_add_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
906 struct ip_vs_dest *dest;
907 union nf_inet_addr daddr;
908 __be16 dport = udest->port;
913 if (udest->weight < 0) {
914 pr_err("%s(): server weight less than zero\n", __func__);
918 if (udest->l_threshold > udest->u_threshold) {
919 pr_err("%s(): lower threshold is higher than upper threshold\n",
924 ip_vs_addr_copy(svc->af, &daddr, &udest->addr);
927 * Check if the dest already exists in the list
929 dest = ip_vs_lookup_dest(svc, &daddr, dport);
932 IP_VS_DBG(1, "%s(): dest already exists\n", __func__);
937 * Check if the dest already exists in the trash and
938 * is from the same service
940 dest = ip_vs_trash_get_dest(svc, &daddr, dport);
943 IP_VS_DBG_BUF(3, "Get destination %s:%u from trash, "
944 "dest->refcnt=%d, service %u/%s:%u\n",
945 IP_VS_DBG_ADDR(svc->af, &daddr), ntohs(dport),
946 atomic_read(&dest->refcnt),
948 IP_VS_DBG_ADDR(svc->af, &dest->vaddr),
952 * Get the destination from the trash
954 list_del(&dest->n_list);
956 __ip_vs_update_dest(svc, dest, udest, 1);
960 * Allocate and initialize the dest structure
962 ret = ip_vs_new_dest(svc, udest, &dest);
971 * Edit a destination in the given service
974 ip_vs_edit_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
976 struct ip_vs_dest *dest;
977 union nf_inet_addr daddr;
978 __be16 dport = udest->port;
982 if (udest->weight < 0) {
983 pr_err("%s(): server weight less than zero\n", __func__);
987 if (udest->l_threshold > udest->u_threshold) {
988 pr_err("%s(): lower threshold is higher than upper threshold\n",
993 ip_vs_addr_copy(svc->af, &daddr, &udest->addr);
996 * Lookup the destination list
998 dest = ip_vs_lookup_dest(svc, &daddr, dport);
1001 IP_VS_DBG(1, "%s(): dest doesn't exist\n", __func__);
1005 __ip_vs_update_dest(svc, dest, udest, 0);
1013 * Delete a destination (must be already unlinked from the service)
1015 static void __ip_vs_del_dest(struct net *net, struct ip_vs_dest *dest)
1017 struct netns_ipvs *ipvs = net_ipvs(net);
1019 ip_vs_stop_estimator(net, &dest->stats);
1022 * Remove it from the d-linked list with the real services.
1024 write_lock_bh(&ipvs->rs_lock);
1025 ip_vs_rs_unhash(dest);
1026 write_unlock_bh(&ipvs->rs_lock);
1029 * Decrease the refcnt of the dest, and free the dest
1030 * if nobody refers to it (refcnt=0). Otherwise, throw
1031 * the destination into the trash.
1033 if (atomic_dec_and_test(&dest->refcnt)) {
1034 IP_VS_DBG_BUF(3, "Removing destination %u/%s:%u\n",
1036 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1038 ip_vs_dst_reset(dest);
1039 /* simply decrease svc->refcnt here, let the caller check
1040 and release the service if nobody refers to it.
1041 Only user context can release destination and service,
1042 and only one user context can update virtual service at a
1043 time, so the operation here is OK */
1044 atomic_dec(&dest->svc->refcnt);
1045 free_percpu(dest->stats.cpustats);
1048 IP_VS_DBG_BUF(3, "Moving dest %s:%u into trash, "
1049 "dest->refcnt=%d\n",
1050 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1052 atomic_read(&dest->refcnt));
1053 list_add(&dest->n_list, &ipvs->dest_trash);
1054 atomic_inc(&dest->refcnt);
1060 * Unlink a destination from the given service
1062 static void __ip_vs_unlink_dest(struct ip_vs_service *svc,
1063 struct ip_vs_dest *dest,
1066 dest->flags &= ~IP_VS_DEST_F_AVAILABLE;
1069 * Remove it from the d-linked destination list.
1071 list_del(&dest->n_list);
1075 * Call the update_service function of its scheduler
1077 if (svcupd && svc->scheduler->update_service)
1078 svc->scheduler->update_service(svc);
1083 * Delete a destination server in the given service
1086 ip_vs_del_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
1088 struct ip_vs_dest *dest;
1089 __be16 dport = udest->port;
1093 dest = ip_vs_lookup_dest(svc, &udest->addr, dport);
1096 IP_VS_DBG(1, "%s(): destination not found!\n", __func__);
1100 write_lock_bh(&__ip_vs_svc_lock);
1103 * Wait until all other svc users go away.
1105 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1108 * Unlink dest from the service
1110 __ip_vs_unlink_dest(svc, dest, 1);
1112 write_unlock_bh(&__ip_vs_svc_lock);
1115 * Delete the destination
1117 __ip_vs_del_dest(svc->net, dest);
1126 * Add a service into the service hash table
1129 ip_vs_add_service(struct net *net, struct ip_vs_service_user_kern *u,
1130 struct ip_vs_service **svc_p)
1133 struct ip_vs_scheduler *sched = NULL;
1134 struct ip_vs_pe *pe = NULL;
1135 struct ip_vs_service *svc = NULL;
1136 struct netns_ipvs *ipvs = net_ipvs(net);
1138 /* increase the module use count */
1139 ip_vs_use_count_inc();
1141 /* Lookup the scheduler by 'u->sched_name' */
1142 sched = ip_vs_scheduler_get(u->sched_name);
1143 if (sched == NULL) {
1144 pr_info("Scheduler module ip_vs_%s not found\n", u->sched_name);
1149 if (u->pe_name && *u->pe_name) {
1150 pe = ip_vs_pe_getbyname(u->pe_name);
1152 pr_info("persistence engine module ip_vs_pe_%s "
1153 "not found\n", u->pe_name);
1159 #ifdef CONFIG_IP_VS_IPV6
1160 if (u->af == AF_INET6 && (u->netmask < 1 || u->netmask > 128)) {
1166 svc = kzalloc(sizeof(struct ip_vs_service), GFP_KERNEL);
1168 IP_VS_DBG(1, "%s(): no memory\n", __func__);
1172 svc->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
1173 if (!svc->stats.cpustats) {
1178 /* I'm the first user of the service */
1179 atomic_set(&svc->usecnt, 0);
1180 atomic_set(&svc->refcnt, 0);
1183 svc->protocol = u->protocol;
1184 ip_vs_addr_copy(svc->af, &svc->addr, &u->addr);
1185 svc->port = u->port;
1186 svc->fwmark = u->fwmark;
1187 svc->flags = u->flags;
1188 svc->timeout = u->timeout * HZ;
1189 svc->netmask = u->netmask;
1192 INIT_LIST_HEAD(&svc->destinations);
1193 rwlock_init(&svc->sched_lock);
1194 spin_lock_init(&svc->stats.lock);
1196 /* Bind the scheduler */
1197 ret = ip_vs_bind_scheduler(svc, sched);
1202 /* Bind the ct retriever */
1203 ip_vs_bind_pe(svc, pe);
1206 /* Update the virtual service counters */
1207 if (svc->port == FTPPORT)
1208 atomic_inc(&ipvs->ftpsvc_counter);
1209 else if (svc->port == 0)
1210 atomic_inc(&ipvs->nullsvc_counter);
1212 ip_vs_start_estimator(net, &svc->stats);
1214 /* Count only IPv4 services for old get/setsockopt interface */
1215 if (svc->af == AF_INET)
1216 ipvs->num_services++;
1218 /* Hash the service into the service table */
1219 write_lock_bh(&__ip_vs_svc_lock);
1220 ip_vs_svc_hash(svc);
1221 write_unlock_bh(&__ip_vs_svc_lock);
1224 /* Now there is a service - full throttle */
1231 ip_vs_unbind_scheduler(svc);
1234 ip_vs_app_inc_put(svc->inc);
1237 if (svc->stats.cpustats)
1238 free_percpu(svc->stats.cpustats);
1241 ip_vs_scheduler_put(sched);
1244 /* decrease the module use count */
1245 ip_vs_use_count_dec();
1252 * Edit a service and bind it with a new scheduler
1255 ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)
1257 struct ip_vs_scheduler *sched, *old_sched;
1258 struct ip_vs_pe *pe = NULL, *old_pe = NULL;
1262 * Lookup the scheduler, by 'u->sched_name'
1264 sched = ip_vs_scheduler_get(u->sched_name);
1265 if (sched == NULL) {
1266 pr_info("Scheduler module ip_vs_%s not found\n", u->sched_name);
1271 if (u->pe_name && *u->pe_name) {
1272 pe = ip_vs_pe_getbyname(u->pe_name);
1274 pr_info("persistence engine module ip_vs_pe_%s "
1275 "not found\n", u->pe_name);
1282 #ifdef CONFIG_IP_VS_IPV6
1283 if (u->af == AF_INET6 && (u->netmask < 1 || u->netmask > 128)) {
1289 write_lock_bh(&__ip_vs_svc_lock);
1292 * Wait until all other svc users go away.
1294 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1297 * Set the flags and timeout value
1299 svc->flags = u->flags | IP_VS_SVC_F_HASHED;
1300 svc->timeout = u->timeout * HZ;
1301 svc->netmask = u->netmask;
1303 old_sched = svc->scheduler;
1304 if (sched != old_sched) {
1306 * Unbind the old scheduler
1308 if ((ret = ip_vs_unbind_scheduler(svc))) {
1314 * Bind the new scheduler
1316 if ((ret = ip_vs_bind_scheduler(svc, sched))) {
1318 * If ip_vs_bind_scheduler fails, restore the old
1320 * The main reason of failure is out of memory.
1322 * The question is if the old scheduler can be
1323 * restored all the time. TODO: if it cannot be
1324 * restored some time, we must delete the service,
1325 * otherwise the system may crash.
1327 ip_vs_bind_scheduler(svc, old_sched);
1335 ip_vs_unbind_pe(svc);
1336 ip_vs_bind_pe(svc, pe);
1340 write_unlock_bh(&__ip_vs_svc_lock);
1342 ip_vs_scheduler_put(old_sched);
1343 ip_vs_pe_put(old_pe);
1349 * Delete a service from the service list
1350 * - The service must be unlinked, unlocked and not referenced!
1351 * - We are called under _bh lock
1353 static void __ip_vs_del_service(struct ip_vs_service *svc)
1355 struct ip_vs_dest *dest, *nxt;
1356 struct ip_vs_scheduler *old_sched;
1357 struct ip_vs_pe *old_pe;
1358 struct netns_ipvs *ipvs = net_ipvs(svc->net);
1360 pr_info("%s: enter\n", __func__);
1362 /* Count only IPv4 services for old get/setsockopt interface */
1363 if (svc->af == AF_INET)
1364 ipvs->num_services--;
1366 ip_vs_stop_estimator(svc->net, &svc->stats);
1368 /* Unbind scheduler */
1369 old_sched = svc->scheduler;
1370 ip_vs_unbind_scheduler(svc);
1371 ip_vs_scheduler_put(old_sched);
1373 /* Unbind persistence engine */
1375 ip_vs_unbind_pe(svc);
1376 ip_vs_pe_put(old_pe);
1378 /* Unbind app inc */
1380 ip_vs_app_inc_put(svc->inc);
1385 * Unlink the whole destination list
1387 list_for_each_entry_safe(dest, nxt, &svc->destinations, n_list) {
1388 __ip_vs_unlink_dest(svc, dest, 0);
1389 __ip_vs_del_dest(svc->net, dest);
1393 * Update the virtual service counters
1395 if (svc->port == FTPPORT)
1396 atomic_dec(&ipvs->ftpsvc_counter);
1397 else if (svc->port == 0)
1398 atomic_dec(&ipvs->nullsvc_counter);
1401 * Free the service if nobody refers to it
1403 if (atomic_read(&svc->refcnt) == 0) {
1404 IP_VS_DBG_BUF(3, "Removing service %u/%s:%u usecnt=%d\n",
1406 IP_VS_DBG_ADDR(svc->af, &svc->addr),
1407 ntohs(svc->port), atomic_read(&svc->usecnt));
1408 free_percpu(svc->stats.cpustats);
1412 /* decrease the module use count */
1413 ip_vs_use_count_dec();
1417 * Unlink a service from list and try to delete it if its refcnt reached 0
1419 static void ip_vs_unlink_service(struct ip_vs_service *svc)
1422 * Unhash it from the service table
1424 write_lock_bh(&__ip_vs_svc_lock);
1426 ip_vs_svc_unhash(svc);
1429 * Wait until all the svc users go away.
1431 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1433 __ip_vs_del_service(svc);
1435 write_unlock_bh(&__ip_vs_svc_lock);
1439 * Delete a service from the service list
1441 static int ip_vs_del_service(struct ip_vs_service *svc)
1445 ip_vs_unlink_service(svc);
1452 * Flush all the virtual services
1454 static int ip_vs_flush(struct net *net)
1457 struct ip_vs_service *svc, *nxt;
1460 * Flush the service table hashed by <netns,protocol,addr,port>
1462 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1463 list_for_each_entry_safe(svc, nxt, &ip_vs_svc_table[idx],
1465 if (net_eq(svc->net, net))
1466 ip_vs_unlink_service(svc);
1471 * Flush the service table hashed by fwmark
1473 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1474 list_for_each_entry_safe(svc, nxt,
1475 &ip_vs_svc_fwm_table[idx], f_list) {
1476 if (net_eq(svc->net, net))
1477 ip_vs_unlink_service(svc);
1485 * Delete service by {netns} in the service table.
1486 * Called by __ip_vs_cleanup()
1488 void ip_vs_service_net_cleanup(struct net *net)
1491 /* Check for "full" addressed entries */
1492 mutex_lock(&__ip_vs_mutex);
1494 mutex_unlock(&__ip_vs_mutex);
1498 * Release dst hold by dst_cache
1501 __ip_vs_dev_reset(struct ip_vs_dest *dest, struct net_device *dev)
1503 spin_lock_bh(&dest->dst_lock);
1504 if (dest->dst_cache && dest->dst_cache->dev == dev) {
1505 IP_VS_DBG_BUF(3, "Reset dev:%s dest %s:%u ,dest->refcnt=%d\n",
1507 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1509 atomic_read(&dest->refcnt));
1510 ip_vs_dst_reset(dest);
1512 spin_unlock_bh(&dest->dst_lock);
1516 * Netdev event receiver
1517 * Currently only NETDEV_UNREGISTER is handled, i.e. if we hold a reference to
1518 * a device that is "unregister" it must be released.
1520 static int ip_vs_dst_event(struct notifier_block *this, unsigned long event,
1523 struct net_device *dev = ptr;
1524 struct net *net = dev_net(dev);
1525 struct netns_ipvs *ipvs = net_ipvs(net);
1526 struct ip_vs_service *svc;
1527 struct ip_vs_dest *dest;
1530 if (event != NETDEV_UNREGISTER || !ipvs)
1532 IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name);
1534 mutex_lock(&__ip_vs_mutex);
1535 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1536 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1537 if (net_eq(svc->net, net)) {
1538 list_for_each_entry(dest, &svc->destinations,
1540 __ip_vs_dev_reset(dest, dev);
1545 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1546 if (net_eq(svc->net, net)) {
1547 list_for_each_entry(dest, &svc->destinations,
1549 __ip_vs_dev_reset(dest, dev);
1556 list_for_each_entry(dest, &ipvs->dest_trash, n_list) {
1557 __ip_vs_dev_reset(dest, dev);
1559 mutex_unlock(&__ip_vs_mutex);
1565 * Zero counters in a service or all services
1567 static int ip_vs_zero_service(struct ip_vs_service *svc)
1569 struct ip_vs_dest *dest;
1571 write_lock_bh(&__ip_vs_svc_lock);
1572 list_for_each_entry(dest, &svc->destinations, n_list) {
1573 ip_vs_zero_stats(&dest->stats);
1575 ip_vs_zero_stats(&svc->stats);
1576 write_unlock_bh(&__ip_vs_svc_lock);
1580 static int ip_vs_zero_all(struct net *net)
1583 struct ip_vs_service *svc;
1585 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1586 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1587 if (net_eq(svc->net, net))
1588 ip_vs_zero_service(svc);
1592 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1593 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1594 if (net_eq(svc->net, net))
1595 ip_vs_zero_service(svc);
1599 ip_vs_zero_stats(&net_ipvs(net)->tot_stats);
1603 #ifdef CONFIG_SYSCTL
1606 static int three = 3;
1609 proc_do_defense_mode(ctl_table *table, int write,
1610 void __user *buffer, size_t *lenp, loff_t *ppos)
1612 struct net *net = current->nsproxy->net_ns;
1613 int *valp = table->data;
1617 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1618 if (write && (*valp != val)) {
1619 if ((*valp < 0) || (*valp > 3)) {
1620 /* Restore the correct value */
1623 update_defense_level(net_ipvs(net));
1630 proc_do_sync_threshold(ctl_table *table, int write,
1631 void __user *buffer, size_t *lenp, loff_t *ppos)
1633 int *valp = table->data;
1637 /* backup the value first */
1638 memcpy(val, valp, sizeof(val));
1640 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1641 if (write && (valp[0] < 0 || valp[1] < 0 ||
1642 (valp[0] >= valp[1] && valp[1]))) {
1643 /* Restore the correct value */
1644 memcpy(valp, val, sizeof(val));
1650 proc_do_sync_mode(ctl_table *table, int write,
1651 void __user *buffer, size_t *lenp, loff_t *ppos)
1653 int *valp = table->data;
1657 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1658 if (write && (*valp != val)) {
1659 if ((*valp < 0) || (*valp > 1)) {
1660 /* Restore the correct value */
1668 proc_do_sync_ports(ctl_table *table, int write,
1669 void __user *buffer, size_t *lenp, loff_t *ppos)
1671 int *valp = table->data;
1675 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1676 if (write && (*valp != val)) {
1677 if (*valp < 1 || !is_power_of_2(*valp)) {
1678 /* Restore the correct value */
1686 * IPVS sysctl table (under the /proc/sys/net/ipv4/vs/)
1687 * Do not change order or insert new entries without
1688 * align with netns init in ip_vs_control_net_init()
1691 static struct ctl_table vs_vars[] = {
1693 .procname = "amemthresh",
1694 .maxlen = sizeof(int),
1696 .proc_handler = proc_dointvec,
1699 .procname = "am_droprate",
1700 .maxlen = sizeof(int),
1702 .proc_handler = proc_dointvec,
1705 .procname = "drop_entry",
1706 .maxlen = sizeof(int),
1708 .proc_handler = proc_do_defense_mode,
1711 .procname = "drop_packet",
1712 .maxlen = sizeof(int),
1714 .proc_handler = proc_do_defense_mode,
1716 #ifdef CONFIG_IP_VS_NFCT
1718 .procname = "conntrack",
1719 .maxlen = sizeof(int),
1721 .proc_handler = &proc_dointvec,
1725 .procname = "secure_tcp",
1726 .maxlen = sizeof(int),
1728 .proc_handler = proc_do_defense_mode,
1731 .procname = "snat_reroute",
1732 .maxlen = sizeof(int),
1734 .proc_handler = &proc_dointvec,
1737 .procname = "sync_version",
1738 .maxlen = sizeof(int),
1740 .proc_handler = &proc_do_sync_mode,
1743 .procname = "sync_ports",
1744 .maxlen = sizeof(int),
1746 .proc_handler = &proc_do_sync_ports,
1749 .procname = "sync_qlen_max",
1750 .maxlen = sizeof(int),
1752 .proc_handler = proc_dointvec,
1755 .procname = "sync_sock_size",
1756 .maxlen = sizeof(int),
1758 .proc_handler = proc_dointvec,
1761 .procname = "cache_bypass",
1762 .maxlen = sizeof(int),
1764 .proc_handler = proc_dointvec,
1767 .procname = "expire_nodest_conn",
1768 .maxlen = sizeof(int),
1770 .proc_handler = proc_dointvec,
1773 .procname = "expire_quiescent_template",
1774 .maxlen = sizeof(int),
1776 .proc_handler = proc_dointvec,
1779 .procname = "sync_threshold",
1781 sizeof(((struct netns_ipvs *)0)->sysctl_sync_threshold),
1783 .proc_handler = proc_do_sync_threshold,
1786 .procname = "sync_refresh_period",
1787 .maxlen = sizeof(int),
1789 .proc_handler = proc_dointvec_jiffies,
1792 .procname = "sync_retries",
1793 .maxlen = sizeof(int),
1795 .proc_handler = proc_dointvec_minmax,
1800 .procname = "nat_icmp_send",
1801 .maxlen = sizeof(int),
1803 .proc_handler = proc_dointvec,
1806 .procname = "pmtu_disc",
1807 .maxlen = sizeof(int),
1809 .proc_handler = proc_dointvec,
1811 #ifdef CONFIG_IP_VS_DEBUG
1813 .procname = "debug_level",
1814 .data = &sysctl_ip_vs_debug_level,
1815 .maxlen = sizeof(int),
1817 .proc_handler = proc_dointvec,
1822 .procname = "timeout_established",
1823 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ESTABLISHED],
1824 .maxlen = sizeof(int),
1826 .proc_handler = proc_dointvec_jiffies,
1829 .procname = "timeout_synsent",
1830 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_SENT],
1831 .maxlen = sizeof(int),
1833 .proc_handler = proc_dointvec_jiffies,
1836 .procname = "timeout_synrecv",
1837 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_RECV],
1838 .maxlen = sizeof(int),
1840 .proc_handler = proc_dointvec_jiffies,
1843 .procname = "timeout_finwait",
1844 .data = &vs_timeout_table_dos.timeout[IP_VS_S_FIN_WAIT],
1845 .maxlen = sizeof(int),
1847 .proc_handler = proc_dointvec_jiffies,
1850 .procname = "timeout_timewait",
1851 .data = &vs_timeout_table_dos.timeout[IP_VS_S_TIME_WAIT],
1852 .maxlen = sizeof(int),
1854 .proc_handler = proc_dointvec_jiffies,
1857 .procname = "timeout_close",
1858 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE],
1859 .maxlen = sizeof(int),
1861 .proc_handler = proc_dointvec_jiffies,
1864 .procname = "timeout_closewait",
1865 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE_WAIT],
1866 .maxlen = sizeof(int),
1868 .proc_handler = proc_dointvec_jiffies,
1871 .procname = "timeout_lastack",
1872 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LAST_ACK],
1873 .maxlen = sizeof(int),
1875 .proc_handler = proc_dointvec_jiffies,
1878 .procname = "timeout_listen",
1879 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LISTEN],
1880 .maxlen = sizeof(int),
1882 .proc_handler = proc_dointvec_jiffies,
1885 .procname = "timeout_synack",
1886 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYNACK],
1887 .maxlen = sizeof(int),
1889 .proc_handler = proc_dointvec_jiffies,
1892 .procname = "timeout_udp",
1893 .data = &vs_timeout_table_dos.timeout[IP_VS_S_UDP],
1894 .maxlen = sizeof(int),
1896 .proc_handler = proc_dointvec_jiffies,
1899 .procname = "timeout_icmp",
1900 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ICMP],
1901 .maxlen = sizeof(int),
1903 .proc_handler = proc_dointvec_jiffies,
1911 #ifdef CONFIG_PROC_FS
1914 struct seq_net_private p; /* Do not move this, netns depends upon it*/
1915 struct list_head *table;
1920 * Write the contents of the VS rule table to a PROCfs file.
1921 * (It is kept just for backward compatibility)
1923 static inline const char *ip_vs_fwd_name(unsigned int flags)
1925 switch (flags & IP_VS_CONN_F_FWD_MASK) {
1926 case IP_VS_CONN_F_LOCALNODE:
1928 case IP_VS_CONN_F_TUNNEL:
1930 case IP_VS_CONN_F_DROUTE:
1938 /* Get the Nth entry in the two lists */
1939 static struct ip_vs_service *ip_vs_info_array(struct seq_file *seq, loff_t pos)
1941 struct net *net = seq_file_net(seq);
1942 struct ip_vs_iter *iter = seq->private;
1944 struct ip_vs_service *svc;
1946 /* look in hash by protocol */
1947 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1948 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1949 if (net_eq(svc->net, net) && pos-- == 0) {
1950 iter->table = ip_vs_svc_table;
1957 /* keep looking in fwmark */
1958 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1959 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1960 if (net_eq(svc->net, net) && pos-- == 0) {
1961 iter->table = ip_vs_svc_fwm_table;
1971 static void *ip_vs_info_seq_start(struct seq_file *seq, loff_t *pos)
1972 __acquires(__ip_vs_svc_lock)
1975 read_lock_bh(&__ip_vs_svc_lock);
1976 return *pos ? ip_vs_info_array(seq, *pos - 1) : SEQ_START_TOKEN;
1980 static void *ip_vs_info_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1982 struct list_head *e;
1983 struct ip_vs_iter *iter;
1984 struct ip_vs_service *svc;
1987 if (v == SEQ_START_TOKEN)
1988 return ip_vs_info_array(seq,0);
1991 iter = seq->private;
1993 if (iter->table == ip_vs_svc_table) {
1994 /* next service in table hashed by protocol */
1995 if ((e = svc->s_list.next) != &ip_vs_svc_table[iter->bucket])
1996 return list_entry(e, struct ip_vs_service, s_list);
1999 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
2000 list_for_each_entry(svc,&ip_vs_svc_table[iter->bucket],
2006 iter->table = ip_vs_svc_fwm_table;
2011 /* next service in hashed by fwmark */
2012 if ((e = svc->f_list.next) != &ip_vs_svc_fwm_table[iter->bucket])
2013 return list_entry(e, struct ip_vs_service, f_list);
2016 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
2017 list_for_each_entry(svc, &ip_vs_svc_fwm_table[iter->bucket],
2025 static void ip_vs_info_seq_stop(struct seq_file *seq, void *v)
2026 __releases(__ip_vs_svc_lock)
2028 read_unlock_bh(&__ip_vs_svc_lock);
2032 static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
2034 if (v == SEQ_START_TOKEN) {
2036 "IP Virtual Server version %d.%d.%d (size=%d)\n",
2037 NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size);
2039 "Prot LocalAddress:Port Scheduler Flags\n");
2041 " -> RemoteAddress:Port Forward Weight ActiveConn InActConn\n");
2043 const struct ip_vs_service *svc = v;
2044 const struct ip_vs_iter *iter = seq->private;
2045 const struct ip_vs_dest *dest;
2047 if (iter->table == ip_vs_svc_table) {
2048 #ifdef CONFIG_IP_VS_IPV6
2049 if (svc->af == AF_INET6)
2050 seq_printf(seq, "%s [%pI6]:%04X %s ",
2051 ip_vs_proto_name(svc->protocol),
2054 svc->scheduler->name);
2057 seq_printf(seq, "%s %08X:%04X %s %s ",
2058 ip_vs_proto_name(svc->protocol),
2059 ntohl(svc->addr.ip),
2061 svc->scheduler->name,
2062 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
2064 seq_printf(seq, "FWM %08X %s %s",
2065 svc->fwmark, svc->scheduler->name,
2066 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
2069 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
2070 seq_printf(seq, "persistent %d %08X\n",
2072 ntohl(svc->netmask));
2074 seq_putc(seq, '\n');
2076 list_for_each_entry(dest, &svc->destinations, n_list) {
2077 #ifdef CONFIG_IP_VS_IPV6
2078 if (dest->af == AF_INET6)
2081 " %-7s %-6d %-10d %-10d\n",
2084 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
2085 atomic_read(&dest->weight),
2086 atomic_read(&dest->activeconns),
2087 atomic_read(&dest->inactconns));
2092 "%-7s %-6d %-10d %-10d\n",
2093 ntohl(dest->addr.ip),
2095 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
2096 atomic_read(&dest->weight),
2097 atomic_read(&dest->activeconns),
2098 atomic_read(&dest->inactconns));
2105 static const struct seq_operations ip_vs_info_seq_ops = {
2106 .start = ip_vs_info_seq_start,
2107 .next = ip_vs_info_seq_next,
2108 .stop = ip_vs_info_seq_stop,
2109 .show = ip_vs_info_seq_show,
2112 static int ip_vs_info_open(struct inode *inode, struct file *file)
2114 return seq_open_net(inode, file, &ip_vs_info_seq_ops,
2115 sizeof(struct ip_vs_iter));
2118 static const struct file_operations ip_vs_info_fops = {
2119 .owner = THIS_MODULE,
2120 .open = ip_vs_info_open,
2122 .llseek = seq_lseek,
2123 .release = seq_release_net,
2126 static int ip_vs_stats_show(struct seq_file *seq, void *v)
2128 struct net *net = seq_file_single_net(seq);
2129 struct ip_vs_stats_user show;
2131 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2133 " Total Incoming Outgoing Incoming Outgoing\n");
2135 " Conns Packets Packets Bytes Bytes\n");
2137 ip_vs_copy_stats(&show, &net_ipvs(net)->tot_stats);
2138 seq_printf(seq, "%8X %8X %8X %16LX %16LX\n\n", show.conns,
2139 show.inpkts, show.outpkts,
2140 (unsigned long long) show.inbytes,
2141 (unsigned long long) show.outbytes);
2143 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2145 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
2146 seq_printf(seq, "%8X %8X %8X %16X %16X\n",
2147 show.cps, show.inpps, show.outpps,
2148 show.inbps, show.outbps);
2153 static int ip_vs_stats_seq_open(struct inode *inode, struct file *file)
2155 return single_open_net(inode, file, ip_vs_stats_show);
2158 static const struct file_operations ip_vs_stats_fops = {
2159 .owner = THIS_MODULE,
2160 .open = ip_vs_stats_seq_open,
2162 .llseek = seq_lseek,
2163 .release = single_release_net,
2166 static int ip_vs_stats_percpu_show(struct seq_file *seq, void *v)
2168 struct net *net = seq_file_single_net(seq);
2169 struct ip_vs_stats *tot_stats = &net_ipvs(net)->tot_stats;
2170 struct ip_vs_cpu_stats *cpustats = tot_stats->cpustats;
2171 struct ip_vs_stats_user rates;
2174 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2176 " Total Incoming Outgoing Incoming Outgoing\n");
2178 "CPU Conns Packets Packets Bytes Bytes\n");
2180 for_each_possible_cpu(i) {
2181 struct ip_vs_cpu_stats *u = per_cpu_ptr(cpustats, i);
2183 __u64 inbytes, outbytes;
2186 start = u64_stats_fetch_begin_bh(&u->syncp);
2187 inbytes = u->ustats.inbytes;
2188 outbytes = u->ustats.outbytes;
2189 } while (u64_stats_fetch_retry_bh(&u->syncp, start));
2191 seq_printf(seq, "%3X %8X %8X %8X %16LX %16LX\n",
2192 i, u->ustats.conns, u->ustats.inpkts,
2193 u->ustats.outpkts, (__u64)inbytes,
2197 spin_lock_bh(&tot_stats->lock);
2199 seq_printf(seq, " ~ %8X %8X %8X %16LX %16LX\n\n",
2200 tot_stats->ustats.conns, tot_stats->ustats.inpkts,
2201 tot_stats->ustats.outpkts,
2202 (unsigned long long) tot_stats->ustats.inbytes,
2203 (unsigned long long) tot_stats->ustats.outbytes);
2205 ip_vs_read_estimator(&rates, tot_stats);
2207 spin_unlock_bh(&tot_stats->lock);
2209 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2211 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
2212 seq_printf(seq, " %8X %8X %8X %16X %16X\n",
2222 static int ip_vs_stats_percpu_seq_open(struct inode *inode, struct file *file)
2224 return single_open_net(inode, file, ip_vs_stats_percpu_show);
2227 static const struct file_operations ip_vs_stats_percpu_fops = {
2228 .owner = THIS_MODULE,
2229 .open = ip_vs_stats_percpu_seq_open,
2231 .llseek = seq_lseek,
2232 .release = single_release_net,
2237 * Set timeout values for tcp tcpfin udp in the timeout_table.
2239 static int ip_vs_set_timeout(struct net *net, struct ip_vs_timeout_user *u)
2241 #if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
2242 struct ip_vs_proto_data *pd;
2245 IP_VS_DBG(2, "Setting timeout tcp:%d tcpfin:%d udp:%d\n",
2250 #ifdef CONFIG_IP_VS_PROTO_TCP
2251 if (u->tcp_timeout) {
2252 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2253 pd->timeout_table[IP_VS_TCP_S_ESTABLISHED]
2254 = u->tcp_timeout * HZ;
2257 if (u->tcp_fin_timeout) {
2258 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2259 pd->timeout_table[IP_VS_TCP_S_FIN_WAIT]
2260 = u->tcp_fin_timeout * HZ;
2264 #ifdef CONFIG_IP_VS_PROTO_UDP
2265 if (u->udp_timeout) {
2266 pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
2267 pd->timeout_table[IP_VS_UDP_S_NORMAL]
2268 = u->udp_timeout * HZ;
2275 #define SET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
2276 #define SERVICE_ARG_LEN (sizeof(struct ip_vs_service_user))
2277 #define SVCDEST_ARG_LEN (sizeof(struct ip_vs_service_user) + \
2278 sizeof(struct ip_vs_dest_user))
2279 #define TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
2280 #define DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user))
2281 #define MAX_ARG_LEN SVCDEST_ARG_LEN
2283 static const unsigned char set_arglen[SET_CMDID(IP_VS_SO_SET_MAX)+1] = {
2284 [SET_CMDID(IP_VS_SO_SET_ADD)] = SERVICE_ARG_LEN,
2285 [SET_CMDID(IP_VS_SO_SET_EDIT)] = SERVICE_ARG_LEN,
2286 [SET_CMDID(IP_VS_SO_SET_DEL)] = SERVICE_ARG_LEN,
2287 [SET_CMDID(IP_VS_SO_SET_FLUSH)] = 0,
2288 [SET_CMDID(IP_VS_SO_SET_ADDDEST)] = SVCDEST_ARG_LEN,
2289 [SET_CMDID(IP_VS_SO_SET_DELDEST)] = SVCDEST_ARG_LEN,
2290 [SET_CMDID(IP_VS_SO_SET_EDITDEST)] = SVCDEST_ARG_LEN,
2291 [SET_CMDID(IP_VS_SO_SET_TIMEOUT)] = TIMEOUT_ARG_LEN,
2292 [SET_CMDID(IP_VS_SO_SET_STARTDAEMON)] = DAEMON_ARG_LEN,
2293 [SET_CMDID(IP_VS_SO_SET_STOPDAEMON)] = DAEMON_ARG_LEN,
2294 [SET_CMDID(IP_VS_SO_SET_ZERO)] = SERVICE_ARG_LEN,
2297 static void ip_vs_copy_usvc_compat(struct ip_vs_service_user_kern *usvc,
2298 struct ip_vs_service_user *usvc_compat)
2300 memset(usvc, 0, sizeof(*usvc));
2303 usvc->protocol = usvc_compat->protocol;
2304 usvc->addr.ip = usvc_compat->addr;
2305 usvc->port = usvc_compat->port;
2306 usvc->fwmark = usvc_compat->fwmark;
2308 /* Deep copy of sched_name is not needed here */
2309 usvc->sched_name = usvc_compat->sched_name;
2311 usvc->flags = usvc_compat->flags;
2312 usvc->timeout = usvc_compat->timeout;
2313 usvc->netmask = usvc_compat->netmask;
2316 static void ip_vs_copy_udest_compat(struct ip_vs_dest_user_kern *udest,
2317 struct ip_vs_dest_user *udest_compat)
2319 memset(udest, 0, sizeof(*udest));
2321 udest->addr.ip = udest_compat->addr;
2322 udest->port = udest_compat->port;
2323 udest->conn_flags = udest_compat->conn_flags;
2324 udest->weight = udest_compat->weight;
2325 udest->u_threshold = udest_compat->u_threshold;
2326 udest->l_threshold = udest_compat->l_threshold;
2330 do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2332 struct net *net = sock_net(sk);
2334 unsigned char arg[MAX_ARG_LEN];
2335 struct ip_vs_service_user *usvc_compat;
2336 struct ip_vs_service_user_kern usvc;
2337 struct ip_vs_service *svc;
2338 struct ip_vs_dest_user *udest_compat;
2339 struct ip_vs_dest_user_kern udest;
2340 struct netns_ipvs *ipvs = net_ipvs(net);
2342 if (!capable(CAP_NET_ADMIN))
2345 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
2347 if (len < 0 || len > MAX_ARG_LEN)
2349 if (len != set_arglen[SET_CMDID(cmd)]) {
2350 pr_err("set_ctl: len %u != %u\n",
2351 len, set_arglen[SET_CMDID(cmd)]);
2355 if (copy_from_user(arg, user, len) != 0)
2358 /* increase the module use count */
2359 ip_vs_use_count_inc();
2361 /* Handle daemons since they have another lock */
2362 if (cmd == IP_VS_SO_SET_STARTDAEMON ||
2363 cmd == IP_VS_SO_SET_STOPDAEMON) {
2364 struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
2366 if (mutex_lock_interruptible(&ipvs->sync_mutex)) {
2370 if (cmd == IP_VS_SO_SET_STARTDAEMON)
2371 ret = start_sync_thread(net, dm->state, dm->mcast_ifn,
2374 ret = stop_sync_thread(net, dm->state);
2375 mutex_unlock(&ipvs->sync_mutex);
2379 if (mutex_lock_interruptible(&__ip_vs_mutex)) {
2384 if (cmd == IP_VS_SO_SET_FLUSH) {
2385 /* Flush the virtual service */
2386 ret = ip_vs_flush(net);
2388 } else if (cmd == IP_VS_SO_SET_TIMEOUT) {
2389 /* Set timeout values for (tcp tcpfin udp) */
2390 ret = ip_vs_set_timeout(net, (struct ip_vs_timeout_user *)arg);
2394 usvc_compat = (struct ip_vs_service_user *)arg;
2395 udest_compat = (struct ip_vs_dest_user *)(usvc_compat + 1);
2397 /* We only use the new structs internally, so copy userspace compat
2398 * structs to extended internal versions */
2399 ip_vs_copy_usvc_compat(&usvc, usvc_compat);
2400 ip_vs_copy_udest_compat(&udest, udest_compat);
2402 if (cmd == IP_VS_SO_SET_ZERO) {
2403 /* if no service address is set, zero counters in all */
2404 if (!usvc.fwmark && !usvc.addr.ip && !usvc.port) {
2405 ret = ip_vs_zero_all(net);
2410 /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
2411 if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
2412 usvc.protocol != IPPROTO_SCTP) {
2413 pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
2414 usvc.protocol, &usvc.addr.ip,
2415 ntohs(usvc.port), usvc.sched_name);
2420 /* Lookup the exact service by <protocol, addr, port> or fwmark */
2421 if (usvc.fwmark == 0)
2422 svc = __ip_vs_service_find(net, usvc.af, usvc.protocol,
2423 &usvc.addr, usvc.port);
2425 svc = __ip_vs_svc_fwm_find(net, usvc.af, usvc.fwmark);
2427 if (cmd != IP_VS_SO_SET_ADD
2428 && (svc == NULL || svc->protocol != usvc.protocol)) {
2434 case IP_VS_SO_SET_ADD:
2438 ret = ip_vs_add_service(net, &usvc, &svc);
2440 case IP_VS_SO_SET_EDIT:
2441 ret = ip_vs_edit_service(svc, &usvc);
2443 case IP_VS_SO_SET_DEL:
2444 ret = ip_vs_del_service(svc);
2448 case IP_VS_SO_SET_ZERO:
2449 ret = ip_vs_zero_service(svc);
2451 case IP_VS_SO_SET_ADDDEST:
2452 ret = ip_vs_add_dest(svc, &udest);
2454 case IP_VS_SO_SET_EDITDEST:
2455 ret = ip_vs_edit_dest(svc, &udest);
2457 case IP_VS_SO_SET_DELDEST:
2458 ret = ip_vs_del_dest(svc, &udest);
2465 mutex_unlock(&__ip_vs_mutex);
2467 /* decrease the module use count */
2468 ip_vs_use_count_dec();
2475 ip_vs_copy_service(struct ip_vs_service_entry *dst, struct ip_vs_service *src)
2477 dst->protocol = src->protocol;
2478 dst->addr = src->addr.ip;
2479 dst->port = src->port;
2480 dst->fwmark = src->fwmark;
2481 strlcpy(dst->sched_name, src->scheduler->name, sizeof(dst->sched_name));
2482 dst->flags = src->flags;
2483 dst->timeout = src->timeout / HZ;
2484 dst->netmask = src->netmask;
2485 dst->num_dests = src->num_dests;
2486 ip_vs_copy_stats(&dst->stats, &src->stats);
2490 __ip_vs_get_service_entries(struct net *net,
2491 const struct ip_vs_get_services *get,
2492 struct ip_vs_get_services __user *uptr)
2495 struct ip_vs_service *svc;
2496 struct ip_vs_service_entry entry;
2499 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2500 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
2501 /* Only expose IPv4 entries to old interface */
2502 if (svc->af != AF_INET || !net_eq(svc->net, net))
2505 if (count >= get->num_services)
2507 memset(&entry, 0, sizeof(entry));
2508 ip_vs_copy_service(&entry, svc);
2509 if (copy_to_user(&uptr->entrytable[count],
2510 &entry, sizeof(entry))) {
2518 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2519 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
2520 /* Only expose IPv4 entries to old interface */
2521 if (svc->af != AF_INET || !net_eq(svc->net, net))
2524 if (count >= get->num_services)
2526 memset(&entry, 0, sizeof(entry));
2527 ip_vs_copy_service(&entry, svc);
2528 if (copy_to_user(&uptr->entrytable[count],
2529 &entry, sizeof(entry))) {
2541 __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
2542 struct ip_vs_get_dests __user *uptr)
2544 struct ip_vs_service *svc;
2545 union nf_inet_addr addr = { .ip = get->addr };
2549 svc = __ip_vs_svc_fwm_find(net, AF_INET, get->fwmark);
2551 svc = __ip_vs_service_find(net, AF_INET, get->protocol, &addr,
2556 struct ip_vs_dest *dest;
2557 struct ip_vs_dest_entry entry;
2559 list_for_each_entry(dest, &svc->destinations, n_list) {
2560 if (count >= get->num_dests)
2563 entry.addr = dest->addr.ip;
2564 entry.port = dest->port;
2565 entry.conn_flags = atomic_read(&dest->conn_flags);
2566 entry.weight = atomic_read(&dest->weight);
2567 entry.u_threshold = dest->u_threshold;
2568 entry.l_threshold = dest->l_threshold;
2569 entry.activeconns = atomic_read(&dest->activeconns);
2570 entry.inactconns = atomic_read(&dest->inactconns);
2571 entry.persistconns = atomic_read(&dest->persistconns);
2572 ip_vs_copy_stats(&entry.stats, &dest->stats);
2573 if (copy_to_user(&uptr->entrytable[count],
2574 &entry, sizeof(entry))) {
2586 __ip_vs_get_timeouts(struct net *net, struct ip_vs_timeout_user *u)
2588 #if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
2589 struct ip_vs_proto_data *pd;
2592 memset(u, 0, sizeof (*u));
2594 #ifdef CONFIG_IP_VS_PROTO_TCP
2595 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2596 u->tcp_timeout = pd->timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;
2597 u->tcp_fin_timeout = pd->timeout_table[IP_VS_TCP_S_FIN_WAIT] / HZ;
2599 #ifdef CONFIG_IP_VS_PROTO_UDP
2600 pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
2602 pd->timeout_table[IP_VS_UDP_S_NORMAL] / HZ;
2607 #define GET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
2608 #define GET_INFO_ARG_LEN (sizeof(struct ip_vs_getinfo))
2609 #define GET_SERVICES_ARG_LEN (sizeof(struct ip_vs_get_services))
2610 #define GET_SERVICE_ARG_LEN (sizeof(struct ip_vs_service_entry))
2611 #define GET_DESTS_ARG_LEN (sizeof(struct ip_vs_get_dests))
2612 #define GET_TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
2613 #define GET_DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user) * 2)
2615 static const unsigned char get_arglen[GET_CMDID(IP_VS_SO_GET_MAX)+1] = {
2616 [GET_CMDID(IP_VS_SO_GET_VERSION)] = 64,
2617 [GET_CMDID(IP_VS_SO_GET_INFO)] = GET_INFO_ARG_LEN,
2618 [GET_CMDID(IP_VS_SO_GET_SERVICES)] = GET_SERVICES_ARG_LEN,
2619 [GET_CMDID(IP_VS_SO_GET_SERVICE)] = GET_SERVICE_ARG_LEN,
2620 [GET_CMDID(IP_VS_SO_GET_DESTS)] = GET_DESTS_ARG_LEN,
2621 [GET_CMDID(IP_VS_SO_GET_TIMEOUT)] = GET_TIMEOUT_ARG_LEN,
2622 [GET_CMDID(IP_VS_SO_GET_DAEMON)] = GET_DAEMON_ARG_LEN,
2626 do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2628 unsigned char arg[128];
2630 unsigned int copylen;
2631 struct net *net = sock_net(sk);
2632 struct netns_ipvs *ipvs = net_ipvs(net);
2635 if (!capable(CAP_NET_ADMIN))
2638 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)
2641 if (*len < get_arglen[GET_CMDID(cmd)]) {
2642 pr_err("get_ctl: len %u < %u\n",
2643 *len, get_arglen[GET_CMDID(cmd)]);
2647 copylen = get_arglen[GET_CMDID(cmd)];
2651 if (copy_from_user(arg, user, copylen) != 0)
2654 * Handle daemons first since it has its own locking
2656 if (cmd == IP_VS_SO_GET_DAEMON) {
2657 struct ip_vs_daemon_user d[2];
2659 memset(&d, 0, sizeof(d));
2660 if (mutex_lock_interruptible(&ipvs->sync_mutex))
2661 return -ERESTARTSYS;
2663 if (ipvs->sync_state & IP_VS_STATE_MASTER) {
2664 d[0].state = IP_VS_STATE_MASTER;
2665 strlcpy(d[0].mcast_ifn, ipvs->master_mcast_ifn,
2666 sizeof(d[0].mcast_ifn));
2667 d[0].syncid = ipvs->master_syncid;
2669 if (ipvs->sync_state & IP_VS_STATE_BACKUP) {
2670 d[1].state = IP_VS_STATE_BACKUP;
2671 strlcpy(d[1].mcast_ifn, ipvs->backup_mcast_ifn,
2672 sizeof(d[1].mcast_ifn));
2673 d[1].syncid = ipvs->backup_syncid;
2675 if (copy_to_user(user, &d, sizeof(d)) != 0)
2677 mutex_unlock(&ipvs->sync_mutex);
2681 if (mutex_lock_interruptible(&__ip_vs_mutex))
2682 return -ERESTARTSYS;
2685 case IP_VS_SO_GET_VERSION:
2689 sprintf(buf, "IP Virtual Server version %d.%d.%d (size=%d)",
2690 NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size);
2691 if (copy_to_user(user, buf, strlen(buf)+1) != 0) {
2695 *len = strlen(buf)+1;
2699 case IP_VS_SO_GET_INFO:
2701 struct ip_vs_getinfo info;
2702 info.version = IP_VS_VERSION_CODE;
2703 info.size = ip_vs_conn_tab_size;
2704 info.num_services = ipvs->num_services;
2705 if (copy_to_user(user, &info, sizeof(info)) != 0)
2710 case IP_VS_SO_GET_SERVICES:
2712 struct ip_vs_get_services *get;
2715 get = (struct ip_vs_get_services *)arg;
2716 size = sizeof(*get) +
2717 sizeof(struct ip_vs_service_entry) * get->num_services;
2719 pr_err("length: %u != %u\n", *len, size);
2723 ret = __ip_vs_get_service_entries(net, get, user);
2727 case IP_VS_SO_GET_SERVICE:
2729 struct ip_vs_service_entry *entry;
2730 struct ip_vs_service *svc;
2731 union nf_inet_addr addr;
2733 entry = (struct ip_vs_service_entry *)arg;
2734 addr.ip = entry->addr;
2736 svc = __ip_vs_svc_fwm_find(net, AF_INET, entry->fwmark);
2738 svc = __ip_vs_service_find(net, AF_INET,
2739 entry->protocol, &addr,
2742 ip_vs_copy_service(entry, svc);
2743 if (copy_to_user(user, entry, sizeof(*entry)) != 0)
2750 case IP_VS_SO_GET_DESTS:
2752 struct ip_vs_get_dests *get;
2755 get = (struct ip_vs_get_dests *)arg;
2756 size = sizeof(*get) +
2757 sizeof(struct ip_vs_dest_entry) * get->num_dests;
2759 pr_err("length: %u != %u\n", *len, size);
2763 ret = __ip_vs_get_dest_entries(net, get, user);
2767 case IP_VS_SO_GET_TIMEOUT:
2769 struct ip_vs_timeout_user t;
2771 __ip_vs_get_timeouts(net, &t);
2772 if (copy_to_user(user, &t, sizeof(t)) != 0)
2782 mutex_unlock(&__ip_vs_mutex);
2787 static struct nf_sockopt_ops ip_vs_sockopts = {
2789 .set_optmin = IP_VS_BASE_CTL,
2790 .set_optmax = IP_VS_SO_SET_MAX+1,
2791 .set = do_ip_vs_set_ctl,
2792 .get_optmin = IP_VS_BASE_CTL,
2793 .get_optmax = IP_VS_SO_GET_MAX+1,
2794 .get = do_ip_vs_get_ctl,
2795 .owner = THIS_MODULE,
2799 * Generic Netlink interface
2802 /* IPVS genetlink family */
2803 static struct genl_family ip_vs_genl_family = {
2804 .id = GENL_ID_GENERATE,
2806 .name = IPVS_GENL_NAME,
2807 .version = IPVS_GENL_VERSION,
2808 .maxattr = IPVS_CMD_MAX,
2809 .netnsok = true, /* Make ipvsadm to work on netns */
2812 /* Policy used for first-level command attributes */
2813 static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
2814 [IPVS_CMD_ATTR_SERVICE] = { .type = NLA_NESTED },
2815 [IPVS_CMD_ATTR_DEST] = { .type = NLA_NESTED },
2816 [IPVS_CMD_ATTR_DAEMON] = { .type = NLA_NESTED },
2817 [IPVS_CMD_ATTR_TIMEOUT_TCP] = { .type = NLA_U32 },
2818 [IPVS_CMD_ATTR_TIMEOUT_TCP_FIN] = { .type = NLA_U32 },
2819 [IPVS_CMD_ATTR_TIMEOUT_UDP] = { .type = NLA_U32 },
2822 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DAEMON */
2823 static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
2824 [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 },
2825 [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING,
2826 .len = IP_VS_IFNAME_MAXLEN },
2827 [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 },
2830 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_SERVICE */
2831 static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
2832 [IPVS_SVC_ATTR_AF] = { .type = NLA_U16 },
2833 [IPVS_SVC_ATTR_PROTOCOL] = { .type = NLA_U16 },
2834 [IPVS_SVC_ATTR_ADDR] = { .type = NLA_BINARY,
2835 .len = sizeof(union nf_inet_addr) },
2836 [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 },
2837 [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 },
2838 [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING,
2839 .len = IP_VS_SCHEDNAME_MAXLEN },
2840 [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING,
2841 .len = IP_VS_PENAME_MAXLEN },
2842 [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY,
2843 .len = sizeof(struct ip_vs_flags) },
2844 [IPVS_SVC_ATTR_TIMEOUT] = { .type = NLA_U32 },
2845 [IPVS_SVC_ATTR_NETMASK] = { .type = NLA_U32 },
2846 [IPVS_SVC_ATTR_STATS] = { .type = NLA_NESTED },
2849 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DEST */
2850 static const struct nla_policy ip_vs_dest_policy[IPVS_DEST_ATTR_MAX + 1] = {
2851 [IPVS_DEST_ATTR_ADDR] = { .type = NLA_BINARY,
2852 .len = sizeof(union nf_inet_addr) },
2853 [IPVS_DEST_ATTR_PORT] = { .type = NLA_U16 },
2854 [IPVS_DEST_ATTR_FWD_METHOD] = { .type = NLA_U32 },
2855 [IPVS_DEST_ATTR_WEIGHT] = { .type = NLA_U32 },
2856 [IPVS_DEST_ATTR_U_THRESH] = { .type = NLA_U32 },
2857 [IPVS_DEST_ATTR_L_THRESH] = { .type = NLA_U32 },
2858 [IPVS_DEST_ATTR_ACTIVE_CONNS] = { .type = NLA_U32 },
2859 [IPVS_DEST_ATTR_INACT_CONNS] = { .type = NLA_U32 },
2860 [IPVS_DEST_ATTR_PERSIST_CONNS] = { .type = NLA_U32 },
2861 [IPVS_DEST_ATTR_STATS] = { .type = NLA_NESTED },
2864 static int ip_vs_genl_fill_stats(struct sk_buff *skb, int container_type,
2865 struct ip_vs_stats *stats)
2867 struct ip_vs_stats_user ustats;
2868 struct nlattr *nl_stats = nla_nest_start(skb, container_type);
2872 ip_vs_copy_stats(&ustats, stats);
2874 if (nla_put_u32(skb, IPVS_STATS_ATTR_CONNS, ustats.conns) ||
2875 nla_put_u32(skb, IPVS_STATS_ATTR_INPKTS, ustats.inpkts) ||
2876 nla_put_u32(skb, IPVS_STATS_ATTR_OUTPKTS, ustats.outpkts) ||
2877 nla_put_u64(skb, IPVS_STATS_ATTR_INBYTES, ustats.inbytes) ||
2878 nla_put_u64(skb, IPVS_STATS_ATTR_OUTBYTES, ustats.outbytes) ||
2879 nla_put_u32(skb, IPVS_STATS_ATTR_CPS, ustats.cps) ||
2880 nla_put_u32(skb, IPVS_STATS_ATTR_INPPS, ustats.inpps) ||
2881 nla_put_u32(skb, IPVS_STATS_ATTR_OUTPPS, ustats.outpps) ||
2882 nla_put_u32(skb, IPVS_STATS_ATTR_INBPS, ustats.inbps) ||
2883 nla_put_u32(skb, IPVS_STATS_ATTR_OUTBPS, ustats.outbps))
2884 goto nla_put_failure;
2885 nla_nest_end(skb, nl_stats);
2890 nla_nest_cancel(skb, nl_stats);
2894 static int ip_vs_genl_fill_service(struct sk_buff *skb,
2895 struct ip_vs_service *svc)
2897 struct nlattr *nl_service;
2898 struct ip_vs_flags flags = { .flags = svc->flags,
2901 nl_service = nla_nest_start(skb, IPVS_CMD_ATTR_SERVICE);
2905 if (nla_put_u16(skb, IPVS_SVC_ATTR_AF, svc->af))
2906 goto nla_put_failure;
2908 if (nla_put_u32(skb, IPVS_SVC_ATTR_FWMARK, svc->fwmark))
2909 goto nla_put_failure;
2911 if (nla_put_u16(skb, IPVS_SVC_ATTR_PROTOCOL, svc->protocol) ||
2912 nla_put(skb, IPVS_SVC_ATTR_ADDR, sizeof(svc->addr), &svc->addr) ||
2913 nla_put_u16(skb, IPVS_SVC_ATTR_PORT, svc->port))
2914 goto nla_put_failure;
2917 if (nla_put_string(skb, IPVS_SVC_ATTR_SCHED_NAME, svc->scheduler->name) ||
2919 nla_put_string(skb, IPVS_SVC_ATTR_PE_NAME, svc->pe->name)) ||
2920 nla_put(skb, IPVS_SVC_ATTR_FLAGS, sizeof(flags), &flags) ||
2921 nla_put_u32(skb, IPVS_SVC_ATTR_TIMEOUT, svc->timeout / HZ) ||
2922 nla_put_u32(skb, IPVS_SVC_ATTR_NETMASK, svc->netmask))
2923 goto nla_put_failure;
2924 if (ip_vs_genl_fill_stats(skb, IPVS_SVC_ATTR_STATS, &svc->stats))
2925 goto nla_put_failure;
2927 nla_nest_end(skb, nl_service);
2932 nla_nest_cancel(skb, nl_service);
2936 static int ip_vs_genl_dump_service(struct sk_buff *skb,
2937 struct ip_vs_service *svc,
2938 struct netlink_callback *cb)
2942 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
2943 &ip_vs_genl_family, NLM_F_MULTI,
2944 IPVS_CMD_NEW_SERVICE);
2948 if (ip_vs_genl_fill_service(skb, svc) < 0)
2949 goto nla_put_failure;
2951 return genlmsg_end(skb, hdr);
2954 genlmsg_cancel(skb, hdr);
2958 static int ip_vs_genl_dump_services(struct sk_buff *skb,
2959 struct netlink_callback *cb)
2962 int start = cb->args[0];
2963 struct ip_vs_service *svc;
2964 struct net *net = skb_sknet(skb);
2966 mutex_lock(&__ip_vs_mutex);
2967 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
2968 list_for_each_entry(svc, &ip_vs_svc_table[i], s_list) {
2969 if (++idx <= start || !net_eq(svc->net, net))
2971 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
2973 goto nla_put_failure;
2978 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
2979 list_for_each_entry(svc, &ip_vs_svc_fwm_table[i], f_list) {
2980 if (++idx <= start || !net_eq(svc->net, net))
2982 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
2984 goto nla_put_failure;
2990 mutex_unlock(&__ip_vs_mutex);
2996 static int ip_vs_genl_parse_service(struct net *net,
2997 struct ip_vs_service_user_kern *usvc,
2998 struct nlattr *nla, int full_entry,
2999 struct ip_vs_service **ret_svc)
3001 struct nlattr *attrs[IPVS_SVC_ATTR_MAX + 1];
3002 struct nlattr *nla_af, *nla_port, *nla_fwmark, *nla_protocol, *nla_addr;
3003 struct ip_vs_service *svc;
3005 /* Parse mandatory identifying service fields first */
3007 nla_parse_nested(attrs, IPVS_SVC_ATTR_MAX, nla, ip_vs_svc_policy))
3010 nla_af = attrs[IPVS_SVC_ATTR_AF];
3011 nla_protocol = attrs[IPVS_SVC_ATTR_PROTOCOL];
3012 nla_addr = attrs[IPVS_SVC_ATTR_ADDR];
3013 nla_port = attrs[IPVS_SVC_ATTR_PORT];
3014 nla_fwmark = attrs[IPVS_SVC_ATTR_FWMARK];
3016 if (!(nla_af && (nla_fwmark || (nla_port && nla_protocol && nla_addr))))
3019 memset(usvc, 0, sizeof(*usvc));
3021 usvc->af = nla_get_u16(nla_af);
3022 #ifdef CONFIG_IP_VS_IPV6
3023 if (usvc->af != AF_INET && usvc->af != AF_INET6)
3025 if (usvc->af != AF_INET)
3027 return -EAFNOSUPPORT;
3030 usvc->protocol = IPPROTO_TCP;
3031 usvc->fwmark = nla_get_u32(nla_fwmark);
3033 usvc->protocol = nla_get_u16(nla_protocol);
3034 nla_memcpy(&usvc->addr, nla_addr, sizeof(usvc->addr));
3035 usvc->port = nla_get_u16(nla_port);
3040 svc = __ip_vs_svc_fwm_find(net, usvc->af, usvc->fwmark);
3042 svc = __ip_vs_service_find(net, usvc->af, usvc->protocol,
3043 &usvc->addr, usvc->port);
3046 /* If a full entry was requested, check for the additional fields */
3048 struct nlattr *nla_sched, *nla_flags, *nla_pe, *nla_timeout,
3050 struct ip_vs_flags flags;
3052 nla_sched = attrs[IPVS_SVC_ATTR_SCHED_NAME];
3053 nla_pe = attrs[IPVS_SVC_ATTR_PE_NAME];
3054 nla_flags = attrs[IPVS_SVC_ATTR_FLAGS];
3055 nla_timeout = attrs[IPVS_SVC_ATTR_TIMEOUT];
3056 nla_netmask = attrs[IPVS_SVC_ATTR_NETMASK];
3058 if (!(nla_sched && nla_flags && nla_timeout && nla_netmask))
3061 nla_memcpy(&flags, nla_flags, sizeof(flags));
3063 /* prefill flags from service if it already exists */
3065 usvc->flags = svc->flags;
3067 /* set new flags from userland */
3068 usvc->flags = (usvc->flags & ~flags.mask) |
3069 (flags.flags & flags.mask);
3070 usvc->sched_name = nla_data(nla_sched);
3071 usvc->pe_name = nla_pe ? nla_data(nla_pe) : NULL;
3072 usvc->timeout = nla_get_u32(nla_timeout);
3073 usvc->netmask = nla_get_u32(nla_netmask);
3079 static struct ip_vs_service *ip_vs_genl_find_service(struct net *net,
3082 struct ip_vs_service_user_kern usvc;
3083 struct ip_vs_service *svc;
3086 ret = ip_vs_genl_parse_service(net, &usvc, nla, 0, &svc);
3087 return ret ? ERR_PTR(ret) : svc;
3090 static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
3092 struct nlattr *nl_dest;
3094 nl_dest = nla_nest_start(skb, IPVS_CMD_ATTR_DEST);
3098 if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
3099 nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
3100 nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
3101 (atomic_read(&dest->conn_flags) &
3102 IP_VS_CONN_F_FWD_MASK)) ||
3103 nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
3104 atomic_read(&dest->weight)) ||
3105 nla_put_u32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold) ||
3106 nla_put_u32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold) ||
3107 nla_put_u32(skb, IPVS_DEST_ATTR_ACTIVE_CONNS,
3108 atomic_read(&dest->activeconns)) ||
3109 nla_put_u32(skb, IPVS_DEST_ATTR_INACT_CONNS,
3110 atomic_read(&dest->inactconns)) ||
3111 nla_put_u32(skb, IPVS_DEST_ATTR_PERSIST_CONNS,
3112 atomic_read(&dest->persistconns)))
3113 goto nla_put_failure;
3114 if (ip_vs_genl_fill_stats(skb, IPVS_DEST_ATTR_STATS, &dest->stats))
3115 goto nla_put_failure;
3117 nla_nest_end(skb, nl_dest);
3122 nla_nest_cancel(skb, nl_dest);
3126 static int ip_vs_genl_dump_dest(struct sk_buff *skb, struct ip_vs_dest *dest,
3127 struct netlink_callback *cb)
3131 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
3132 &ip_vs_genl_family, NLM_F_MULTI,
3137 if (ip_vs_genl_fill_dest(skb, dest) < 0)
3138 goto nla_put_failure;
3140 return genlmsg_end(skb, hdr);
3143 genlmsg_cancel(skb, hdr);
3147 static int ip_vs_genl_dump_dests(struct sk_buff *skb,
3148 struct netlink_callback *cb)
3151 int start = cb->args[0];
3152 struct ip_vs_service *svc;
3153 struct ip_vs_dest *dest;
3154 struct nlattr *attrs[IPVS_CMD_ATTR_MAX + 1];
3155 struct net *net = skb_sknet(skb);
3157 mutex_lock(&__ip_vs_mutex);
3159 /* Try to find the service for which to dump destinations */
3160 if (nlmsg_parse(cb->nlh, GENL_HDRLEN, attrs,
3161 IPVS_CMD_ATTR_MAX, ip_vs_cmd_policy))
3165 svc = ip_vs_genl_find_service(net, attrs[IPVS_CMD_ATTR_SERVICE]);
3166 if (IS_ERR(svc) || svc == NULL)
3169 /* Dump the destinations */
3170 list_for_each_entry(dest, &svc->destinations, n_list) {
3173 if (ip_vs_genl_dump_dest(skb, dest, cb) < 0) {
3175 goto nla_put_failure;
3183 mutex_unlock(&__ip_vs_mutex);
3188 static int ip_vs_genl_parse_dest(struct ip_vs_dest_user_kern *udest,
3189 struct nlattr *nla, int full_entry)
3191 struct nlattr *attrs[IPVS_DEST_ATTR_MAX + 1];
3192 struct nlattr *nla_addr, *nla_port;
3194 /* Parse mandatory identifying destination fields first */
3196 nla_parse_nested(attrs, IPVS_DEST_ATTR_MAX, nla, ip_vs_dest_policy))
3199 nla_addr = attrs[IPVS_DEST_ATTR_ADDR];
3200 nla_port = attrs[IPVS_DEST_ATTR_PORT];
3202 if (!(nla_addr && nla_port))
3205 memset(udest, 0, sizeof(*udest));
3207 nla_memcpy(&udest->addr, nla_addr, sizeof(udest->addr));
3208 udest->port = nla_get_u16(nla_port);
3210 /* If a full entry was requested, check for the additional fields */
3212 struct nlattr *nla_fwd, *nla_weight, *nla_u_thresh,
3215 nla_fwd = attrs[IPVS_DEST_ATTR_FWD_METHOD];
3216 nla_weight = attrs[IPVS_DEST_ATTR_WEIGHT];
3217 nla_u_thresh = attrs[IPVS_DEST_ATTR_U_THRESH];
3218 nla_l_thresh = attrs[IPVS_DEST_ATTR_L_THRESH];
3220 if (!(nla_fwd && nla_weight && nla_u_thresh && nla_l_thresh))
3223 udest->conn_flags = nla_get_u32(nla_fwd)
3224 & IP_VS_CONN_F_FWD_MASK;
3225 udest->weight = nla_get_u32(nla_weight);
3226 udest->u_threshold = nla_get_u32(nla_u_thresh);
3227 udest->l_threshold = nla_get_u32(nla_l_thresh);
3233 static int ip_vs_genl_fill_daemon(struct sk_buff *skb, __be32 state,
3234 const char *mcast_ifn, __be32 syncid)
3236 struct nlattr *nl_daemon;
3238 nl_daemon = nla_nest_start(skb, IPVS_CMD_ATTR_DAEMON);
3242 if (nla_put_u32(skb, IPVS_DAEMON_ATTR_STATE, state) ||
3243 nla_put_string(skb, IPVS_DAEMON_ATTR_MCAST_IFN, mcast_ifn) ||
3244 nla_put_u32(skb, IPVS_DAEMON_ATTR_SYNC_ID, syncid))
3245 goto nla_put_failure;
3246 nla_nest_end(skb, nl_daemon);
3251 nla_nest_cancel(skb, nl_daemon);
3255 static int ip_vs_genl_dump_daemon(struct sk_buff *skb, __be32 state,
3256 const char *mcast_ifn, __be32 syncid,
3257 struct netlink_callback *cb)
3260 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
3261 &ip_vs_genl_family, NLM_F_MULTI,
3262 IPVS_CMD_NEW_DAEMON);
3266 if (ip_vs_genl_fill_daemon(skb, state, mcast_ifn, syncid))
3267 goto nla_put_failure;
3269 return genlmsg_end(skb, hdr);
3272 genlmsg_cancel(skb, hdr);
3276 static int ip_vs_genl_dump_daemons(struct sk_buff *skb,
3277 struct netlink_callback *cb)
3279 struct net *net = skb_sknet(skb);
3280 struct netns_ipvs *ipvs = net_ipvs(net);
3282 mutex_lock(&ipvs->sync_mutex);
3283 if ((ipvs->sync_state & IP_VS_STATE_MASTER) && !cb->args[0]) {
3284 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_MASTER,
3285 ipvs->master_mcast_ifn,
3286 ipvs->master_syncid, cb) < 0)
3287 goto nla_put_failure;
3292 if ((ipvs->sync_state & IP_VS_STATE_BACKUP) && !cb->args[1]) {
3293 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_BACKUP,
3294 ipvs->backup_mcast_ifn,
3295 ipvs->backup_syncid, cb) < 0)
3296 goto nla_put_failure;
3302 mutex_unlock(&ipvs->sync_mutex);
3307 static int ip_vs_genl_new_daemon(struct net *net, struct nlattr **attrs)
3309 if (!(attrs[IPVS_DAEMON_ATTR_STATE] &&
3310 attrs[IPVS_DAEMON_ATTR_MCAST_IFN] &&
3311 attrs[IPVS_DAEMON_ATTR_SYNC_ID]))
3314 return start_sync_thread(net,
3315 nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]),
3316 nla_data(attrs[IPVS_DAEMON_ATTR_MCAST_IFN]),
3317 nla_get_u32(attrs[IPVS_DAEMON_ATTR_SYNC_ID]));
3320 static int ip_vs_genl_del_daemon(struct net *net, struct nlattr **attrs)
3322 if (!attrs[IPVS_DAEMON_ATTR_STATE])
3325 return stop_sync_thread(net,
3326 nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
3329 static int ip_vs_genl_set_config(struct net *net, struct nlattr **attrs)
3331 struct ip_vs_timeout_user t;
3333 __ip_vs_get_timeouts(net, &t);
3335 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP])
3336 t.tcp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP]);
3338 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN])
3340 nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN]);
3342 if (attrs[IPVS_CMD_ATTR_TIMEOUT_UDP])
3343 t.udp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_UDP]);
3345 return ip_vs_set_timeout(net, &t);
3348 static int ip_vs_genl_set_daemon(struct sk_buff *skb, struct genl_info *info)
3352 struct netns_ipvs *ipvs;
3354 net = skb_sknet(skb);
3355 ipvs = net_ipvs(net);
3356 cmd = info->genlhdr->cmd;
3358 if (cmd == IPVS_CMD_NEW_DAEMON || cmd == IPVS_CMD_DEL_DAEMON) {
3359 struct nlattr *daemon_attrs[IPVS_DAEMON_ATTR_MAX + 1];
3361 mutex_lock(&ipvs->sync_mutex);
3362 if (!info->attrs[IPVS_CMD_ATTR_DAEMON] ||
3363 nla_parse_nested(daemon_attrs, IPVS_DAEMON_ATTR_MAX,
3364 info->attrs[IPVS_CMD_ATTR_DAEMON],
3365 ip_vs_daemon_policy)) {
3370 if (cmd == IPVS_CMD_NEW_DAEMON)
3371 ret = ip_vs_genl_new_daemon(net, daemon_attrs);
3373 ret = ip_vs_genl_del_daemon(net, daemon_attrs);
3375 mutex_unlock(&ipvs->sync_mutex);
3380 static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
3382 struct ip_vs_service *svc = NULL;
3383 struct ip_vs_service_user_kern usvc;
3384 struct ip_vs_dest_user_kern udest;
3386 int need_full_svc = 0, need_full_dest = 0;
3389 net = skb_sknet(skb);
3390 cmd = info->genlhdr->cmd;
3392 mutex_lock(&__ip_vs_mutex);
3394 if (cmd == IPVS_CMD_FLUSH) {
3395 ret = ip_vs_flush(net);
3397 } else if (cmd == IPVS_CMD_SET_CONFIG) {
3398 ret = ip_vs_genl_set_config(net, info->attrs);
3400 } else if (cmd == IPVS_CMD_ZERO &&
3401 !info->attrs[IPVS_CMD_ATTR_SERVICE]) {
3402 ret = ip_vs_zero_all(net);
3406 /* All following commands require a service argument, so check if we
3407 * received a valid one. We need a full service specification when
3408 * adding / editing a service. Only identifying members otherwise. */
3409 if (cmd == IPVS_CMD_NEW_SERVICE || cmd == IPVS_CMD_SET_SERVICE)
3412 ret = ip_vs_genl_parse_service(net, &usvc,
3413 info->attrs[IPVS_CMD_ATTR_SERVICE],
3414 need_full_svc, &svc);
3418 /* Unless we're adding a new service, the service must already exist */
3419 if ((cmd != IPVS_CMD_NEW_SERVICE) && (svc == NULL)) {
3424 /* Destination commands require a valid destination argument. For
3425 * adding / editing a destination, we need a full destination
3427 if (cmd == IPVS_CMD_NEW_DEST || cmd == IPVS_CMD_SET_DEST ||
3428 cmd == IPVS_CMD_DEL_DEST) {
3429 if (cmd != IPVS_CMD_DEL_DEST)
3432 ret = ip_vs_genl_parse_dest(&udest,
3433 info->attrs[IPVS_CMD_ATTR_DEST],
3440 case IPVS_CMD_NEW_SERVICE:
3442 ret = ip_vs_add_service(net, &usvc, &svc);
3446 case IPVS_CMD_SET_SERVICE:
3447 ret = ip_vs_edit_service(svc, &usvc);
3449 case IPVS_CMD_DEL_SERVICE:
3450 ret = ip_vs_del_service(svc);
3451 /* do not use svc, it can be freed */
3453 case IPVS_CMD_NEW_DEST:
3454 ret = ip_vs_add_dest(svc, &udest);
3456 case IPVS_CMD_SET_DEST:
3457 ret = ip_vs_edit_dest(svc, &udest);
3459 case IPVS_CMD_DEL_DEST:
3460 ret = ip_vs_del_dest(svc, &udest);
3463 ret = ip_vs_zero_service(svc);
3470 mutex_unlock(&__ip_vs_mutex);
3475 static int ip_vs_genl_get_cmd(struct sk_buff *skb, struct genl_info *info)
3477 struct sk_buff *msg;
3479 int ret, cmd, reply_cmd;
3482 net = skb_sknet(skb);
3483 cmd = info->genlhdr->cmd;
3485 if (cmd == IPVS_CMD_GET_SERVICE)
3486 reply_cmd = IPVS_CMD_NEW_SERVICE;
3487 else if (cmd == IPVS_CMD_GET_INFO)
3488 reply_cmd = IPVS_CMD_SET_INFO;
3489 else if (cmd == IPVS_CMD_GET_CONFIG)
3490 reply_cmd = IPVS_CMD_SET_CONFIG;
3492 pr_err("unknown Generic Netlink command\n");
3496 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3500 mutex_lock(&__ip_vs_mutex);
3502 reply = genlmsg_put_reply(msg, info, &ip_vs_genl_family, 0, reply_cmd);
3504 goto nla_put_failure;
3507 case IPVS_CMD_GET_SERVICE:
3509 struct ip_vs_service *svc;
3511 svc = ip_vs_genl_find_service(net,
3512 info->attrs[IPVS_CMD_ATTR_SERVICE]);
3517 ret = ip_vs_genl_fill_service(msg, svc);
3519 goto nla_put_failure;
3528 case IPVS_CMD_GET_CONFIG:
3530 struct ip_vs_timeout_user t;
3532 __ip_vs_get_timeouts(net, &t);
3533 #ifdef CONFIG_IP_VS_PROTO_TCP
3534 if (nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP,
3536 nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP_FIN,
3538 goto nla_put_failure;
3540 #ifdef CONFIG_IP_VS_PROTO_UDP
3541 if (nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_UDP, t.udp_timeout))
3542 goto nla_put_failure;
3548 case IPVS_CMD_GET_INFO:
3549 if (nla_put_u32(msg, IPVS_INFO_ATTR_VERSION,
3550 IP_VS_VERSION_CODE) ||
3551 nla_put_u32(msg, IPVS_INFO_ATTR_CONN_TAB_SIZE,
3552 ip_vs_conn_tab_size))
3553 goto nla_put_failure;
3557 genlmsg_end(msg, reply);
3558 ret = genlmsg_reply(msg, info);
3562 pr_err("not enough space in Netlink message\n");
3568 mutex_unlock(&__ip_vs_mutex);
3574 static struct genl_ops ip_vs_genl_ops[] __read_mostly = {
3576 .cmd = IPVS_CMD_NEW_SERVICE,
3577 .flags = GENL_ADMIN_PERM,
3578 .policy = ip_vs_cmd_policy,
3579 .doit = ip_vs_genl_set_cmd,
3582 .cmd = IPVS_CMD_SET_SERVICE,
3583 .flags = GENL_ADMIN_PERM,
3584 .policy = ip_vs_cmd_policy,
3585 .doit = ip_vs_genl_set_cmd,
3588 .cmd = IPVS_CMD_DEL_SERVICE,
3589 .flags = GENL_ADMIN_PERM,
3590 .policy = ip_vs_cmd_policy,
3591 .doit = ip_vs_genl_set_cmd,
3594 .cmd = IPVS_CMD_GET_SERVICE,
3595 .flags = GENL_ADMIN_PERM,
3596 .doit = ip_vs_genl_get_cmd,
3597 .dumpit = ip_vs_genl_dump_services,
3598 .policy = ip_vs_cmd_policy,
3601 .cmd = IPVS_CMD_NEW_DEST,
3602 .flags = GENL_ADMIN_PERM,
3603 .policy = ip_vs_cmd_policy,
3604 .doit = ip_vs_genl_set_cmd,
3607 .cmd = IPVS_CMD_SET_DEST,
3608 .flags = GENL_ADMIN_PERM,
3609 .policy = ip_vs_cmd_policy,
3610 .doit = ip_vs_genl_set_cmd,
3613 .cmd = IPVS_CMD_DEL_DEST,
3614 .flags = GENL_ADMIN_PERM,
3615 .policy = ip_vs_cmd_policy,
3616 .doit = ip_vs_genl_set_cmd,
3619 .cmd = IPVS_CMD_GET_DEST,
3620 .flags = GENL_ADMIN_PERM,
3621 .policy = ip_vs_cmd_policy,
3622 .dumpit = ip_vs_genl_dump_dests,
3625 .cmd = IPVS_CMD_NEW_DAEMON,
3626 .flags = GENL_ADMIN_PERM,
3627 .policy = ip_vs_cmd_policy,
3628 .doit = ip_vs_genl_set_daemon,
3631 .cmd = IPVS_CMD_DEL_DAEMON,
3632 .flags = GENL_ADMIN_PERM,
3633 .policy = ip_vs_cmd_policy,
3634 .doit = ip_vs_genl_set_daemon,
3637 .cmd = IPVS_CMD_GET_DAEMON,
3638 .flags = GENL_ADMIN_PERM,
3639 .dumpit = ip_vs_genl_dump_daemons,
3642 .cmd = IPVS_CMD_SET_CONFIG,
3643 .flags = GENL_ADMIN_PERM,
3644 .policy = ip_vs_cmd_policy,
3645 .doit = ip_vs_genl_set_cmd,
3648 .cmd = IPVS_CMD_GET_CONFIG,
3649 .flags = GENL_ADMIN_PERM,
3650 .doit = ip_vs_genl_get_cmd,
3653 .cmd = IPVS_CMD_GET_INFO,
3654 .flags = GENL_ADMIN_PERM,
3655 .doit = ip_vs_genl_get_cmd,
3658 .cmd = IPVS_CMD_ZERO,
3659 .flags = GENL_ADMIN_PERM,
3660 .policy = ip_vs_cmd_policy,
3661 .doit = ip_vs_genl_set_cmd,
3664 .cmd = IPVS_CMD_FLUSH,
3665 .flags = GENL_ADMIN_PERM,
3666 .doit = ip_vs_genl_set_cmd,
3670 static int __init ip_vs_genl_register(void)
3672 return genl_register_family_with_ops(&ip_vs_genl_family,
3673 ip_vs_genl_ops, ARRAY_SIZE(ip_vs_genl_ops));
3676 static void ip_vs_genl_unregister(void)
3678 genl_unregister_family(&ip_vs_genl_family);
3681 /* End of Generic Netlink interface definitions */
3684 * per netns intit/exit func.
3686 #ifdef CONFIG_SYSCTL
3687 static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
3690 struct netns_ipvs *ipvs = net_ipvs(net);
3691 struct ctl_table *tbl;
3693 atomic_set(&ipvs->dropentry, 0);
3694 spin_lock_init(&ipvs->dropentry_lock);
3695 spin_lock_init(&ipvs->droppacket_lock);
3696 spin_lock_init(&ipvs->securetcp_lock);
3698 if (!net_eq(net, &init_net)) {
3699 tbl = kmemdup(vs_vars, sizeof(vs_vars), GFP_KERNEL);
3704 /* Initialize sysctl defaults */
3706 ipvs->sysctl_amemthresh = 1024;
3707 tbl[idx++].data = &ipvs->sysctl_amemthresh;
3708 ipvs->sysctl_am_droprate = 10;
3709 tbl[idx++].data = &ipvs->sysctl_am_droprate;
3710 tbl[idx++].data = &ipvs->sysctl_drop_entry;
3711 tbl[idx++].data = &ipvs->sysctl_drop_packet;
3712 #ifdef CONFIG_IP_VS_NFCT
3713 tbl[idx++].data = &ipvs->sysctl_conntrack;
3715 tbl[idx++].data = &ipvs->sysctl_secure_tcp;
3716 ipvs->sysctl_snat_reroute = 1;
3717 tbl[idx++].data = &ipvs->sysctl_snat_reroute;
3718 ipvs->sysctl_sync_ver = 1;
3719 tbl[idx++].data = &ipvs->sysctl_sync_ver;
3720 ipvs->sysctl_sync_ports = 1;
3721 tbl[idx++].data = &ipvs->sysctl_sync_ports;
3722 ipvs->sysctl_sync_qlen_max = nr_free_buffer_pages() / 32;
3723 tbl[idx++].data = &ipvs->sysctl_sync_qlen_max;
3724 ipvs->sysctl_sync_sock_size = 0;
3725 tbl[idx++].data = &ipvs->sysctl_sync_sock_size;
3726 tbl[idx++].data = &ipvs->sysctl_cache_bypass;
3727 tbl[idx++].data = &ipvs->sysctl_expire_nodest_conn;
3728 tbl[idx++].data = &ipvs->sysctl_expire_quiescent_template;
3729 ipvs->sysctl_sync_threshold[0] = DEFAULT_SYNC_THRESHOLD;
3730 ipvs->sysctl_sync_threshold[1] = DEFAULT_SYNC_PERIOD;
3731 tbl[idx].data = &ipvs->sysctl_sync_threshold;
3732 tbl[idx++].maxlen = sizeof(ipvs->sysctl_sync_threshold);
3733 ipvs->sysctl_sync_refresh_period = DEFAULT_SYNC_REFRESH_PERIOD;
3734 tbl[idx++].data = &ipvs->sysctl_sync_refresh_period;
3735 ipvs->sysctl_sync_retries = clamp_t(int, DEFAULT_SYNC_RETRIES, 0, 3);
3736 tbl[idx++].data = &ipvs->sysctl_sync_retries;
3737 tbl[idx++].data = &ipvs->sysctl_nat_icmp_send;
3738 ipvs->sysctl_pmtu_disc = 1;
3739 tbl[idx++].data = &ipvs->sysctl_pmtu_disc;
3742 ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);
3743 if (ipvs->sysctl_hdr == NULL) {
3744 if (!net_eq(net, &init_net))
3748 ip_vs_start_estimator(net, &ipvs->tot_stats);
3749 ipvs->sysctl_tbl = tbl;
3750 /* Schedule defense work */
3751 INIT_DELAYED_WORK(&ipvs->defense_work, defense_work_handler);
3752 schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
3757 static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
3759 struct netns_ipvs *ipvs = net_ipvs(net);
3761 cancel_delayed_work_sync(&ipvs->defense_work);
3762 cancel_work_sync(&ipvs->defense_work.work);
3763 unregister_net_sysctl_table(ipvs->sysctl_hdr);
3768 static int __net_init ip_vs_control_net_init_sysctl(struct net *net) { return 0; }
3769 static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net) { }
3773 static struct notifier_block ip_vs_dst_notifier = {
3774 .notifier_call = ip_vs_dst_event,
3777 int __net_init ip_vs_control_net_init(struct net *net)
3780 struct netns_ipvs *ipvs = net_ipvs(net);
3782 rwlock_init(&ipvs->rs_lock);
3784 /* Initialize rs_table */
3785 for (idx = 0; idx < IP_VS_RTAB_SIZE; idx++)
3786 INIT_LIST_HEAD(&ipvs->rs_table[idx]);
3788 INIT_LIST_HEAD(&ipvs->dest_trash);
3789 atomic_set(&ipvs->ftpsvc_counter, 0);
3790 atomic_set(&ipvs->nullsvc_counter, 0);
3793 ipvs->tot_stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
3794 if (!ipvs->tot_stats.cpustats)
3797 spin_lock_init(&ipvs->tot_stats.lock);
3799 proc_net_fops_create(net, "ip_vs", 0, &ip_vs_info_fops);
3800 proc_net_fops_create(net, "ip_vs_stats", 0, &ip_vs_stats_fops);
3801 proc_net_fops_create(net, "ip_vs_stats_percpu", 0,
3802 &ip_vs_stats_percpu_fops);
3804 if (ip_vs_control_net_init_sysctl(net))
3810 free_percpu(ipvs->tot_stats.cpustats);
3814 void __net_exit ip_vs_control_net_cleanup(struct net *net)
3816 struct netns_ipvs *ipvs = net_ipvs(net);
3818 ip_vs_trash_cleanup(net);
3819 ip_vs_stop_estimator(net, &ipvs->tot_stats);
3820 ip_vs_control_net_cleanup_sysctl(net);
3821 proc_net_remove(net, "ip_vs_stats_percpu");
3822 proc_net_remove(net, "ip_vs_stats");
3823 proc_net_remove(net, "ip_vs");
3824 free_percpu(ipvs->tot_stats.cpustats);
3827 int __init ip_vs_register_nl_ioctl(void)
3831 ret = nf_register_sockopt(&ip_vs_sockopts);
3833 pr_err("cannot register sockopt.\n");
3837 ret = ip_vs_genl_register();
3839 pr_err("cannot register Generic Netlink interface.\n");
3845 nf_unregister_sockopt(&ip_vs_sockopts);
3850 void ip_vs_unregister_nl_ioctl(void)
3852 ip_vs_genl_unregister();
3853 nf_unregister_sockopt(&ip_vs_sockopts);
3856 int __init ip_vs_control_init(void)
3863 /* Initialize svc_table, ip_vs_svc_fwm_table, rs_table */
3864 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
3865 INIT_LIST_HEAD(&ip_vs_svc_table[idx]);
3866 INIT_LIST_HEAD(&ip_vs_svc_fwm_table[idx]);
3869 smp_wmb(); /* Do we really need it now ? */
3871 ret = register_netdevice_notifier(&ip_vs_dst_notifier);
3880 void ip_vs_control_cleanup(void)
3883 unregister_netdevice_notifier(&ip_vs_dst_notifier);
projects / can-eth-gw-linux.git / blob