2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the NetFilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
21 #define KMSG_COMPONENT "IPVS"
22 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
24 #include <linux/module.h>
25 #include <linux/init.h>
26 #include <linux/types.h>
27 #include <linux/capability.h>
29 #include <linux/sysctl.h>
30 #include <linux/proc_fs.h>
31 #include <linux/workqueue.h>
32 #include <linux/swap.h>
33 #include <linux/seq_file.h>
34 #include <linux/slab.h>
36 #include <linux/netfilter.h>
37 #include <linux/netfilter_ipv4.h>
38 #include <linux/mutex.h>
40 #include <net/net_namespace.h>
41 #include <linux/nsproxy.h>
43 #ifdef CONFIG_IP_VS_IPV6
45 #include <net/ip6_route.h>
47 #include <net/route.h>
49 #include <net/genetlink.h>
51 #include <asm/uaccess.h>
53 #include <net/ip_vs.h>
55 /* semaphore for IPVS sockopts. And, [gs]etsockopt may sleep. */
56 static DEFINE_MUTEX(__ip_vs_mutex);
58 /* lock for service table */
59 static DEFINE_RWLOCK(__ip_vs_svc_lock);
61 /* sysctl variables */
63 #ifdef CONFIG_IP_VS_DEBUG
64 static int sysctl_ip_vs_debug_level = 0;
66 int ip_vs_get_debug_level(void)
68 return sysctl_ip_vs_debug_level;
74 static void __ip_vs_del_service(struct ip_vs_service *svc);
77 #ifdef CONFIG_IP_VS_IPV6
78 /* Taken from rt6_fill_node() in net/ipv6/route.c, is there a better way? */
79 static bool __ip_vs_addr_is_local_v6(struct net *net,
80 const struct in6_addr *addr)
85 struct dst_entry *dst = ip6_route_output(net, NULL, &fl6);
88 is_local = !dst->error && dst->dev && (dst->dev->flags & IFF_LOOPBACK);
97 * update_defense_level is called from keventd and from sysctl,
98 * so it needs to protect itself from softirqs
100 static void update_defense_level(struct netns_ipvs *ipvs)
103 static int old_secure_tcp = 0;
108 /* we only count free and buffered memory (in pages) */
110 availmem = i.freeram + i.bufferram;
111 /* however in linux 2.5 the i.bufferram is total page cache size,
113 /* si_swapinfo(&i); */
114 /* availmem = availmem - (i.totalswap - i.freeswap); */
116 nomem = (availmem < ipvs->sysctl_amemthresh);
121 spin_lock(&ipvs->dropentry_lock);
122 switch (ipvs->sysctl_drop_entry) {
124 atomic_set(&ipvs->dropentry, 0);
128 atomic_set(&ipvs->dropentry, 1);
129 ipvs->sysctl_drop_entry = 2;
131 atomic_set(&ipvs->dropentry, 0);
136 atomic_set(&ipvs->dropentry, 1);
138 atomic_set(&ipvs->dropentry, 0);
139 ipvs->sysctl_drop_entry = 1;
143 atomic_set(&ipvs->dropentry, 1);
146 spin_unlock(&ipvs->dropentry_lock);
149 spin_lock(&ipvs->droppacket_lock);
150 switch (ipvs->sysctl_drop_packet) {
156 ipvs->drop_rate = ipvs->drop_counter
157 = ipvs->sysctl_amemthresh /
158 (ipvs->sysctl_amemthresh-availmem);
159 ipvs->sysctl_drop_packet = 2;
166 ipvs->drop_rate = ipvs->drop_counter
167 = ipvs->sysctl_amemthresh /
168 (ipvs->sysctl_amemthresh-availmem);
171 ipvs->sysctl_drop_packet = 1;
175 ipvs->drop_rate = ipvs->sysctl_am_droprate;
178 spin_unlock(&ipvs->droppacket_lock);
181 spin_lock(&ipvs->securetcp_lock);
182 switch (ipvs->sysctl_secure_tcp) {
184 if (old_secure_tcp >= 2)
189 if (old_secure_tcp < 2)
191 ipvs->sysctl_secure_tcp = 2;
193 if (old_secure_tcp >= 2)
199 if (old_secure_tcp < 2)
202 if (old_secure_tcp >= 2)
204 ipvs->sysctl_secure_tcp = 1;
208 if (old_secure_tcp < 2)
212 old_secure_tcp = ipvs->sysctl_secure_tcp;
214 ip_vs_protocol_timeout_change(ipvs,
215 ipvs->sysctl_secure_tcp > 1);
216 spin_unlock(&ipvs->securetcp_lock);
223 * Timer for checking the defense
225 #define DEFENSE_TIMER_PERIOD 1*HZ
227 static void defense_work_handler(struct work_struct *work)
229 struct netns_ipvs *ipvs =
230 container_of(work, struct netns_ipvs, defense_work.work);
232 update_defense_level(ipvs);
233 if (atomic_read(&ipvs->dropentry))
234 ip_vs_random_dropentry(ipvs->net);
235 schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
240 ip_vs_use_count_inc(void)
242 return try_module_get(THIS_MODULE);
246 ip_vs_use_count_dec(void)
248 module_put(THIS_MODULE);
253 * Hash table: for virtual service lookups
255 #define IP_VS_SVC_TAB_BITS 8
256 #define IP_VS_SVC_TAB_SIZE (1 << IP_VS_SVC_TAB_BITS)
257 #define IP_VS_SVC_TAB_MASK (IP_VS_SVC_TAB_SIZE - 1)
259 /* the service table hashed by <protocol, addr, port> */
260 static struct list_head ip_vs_svc_table[IP_VS_SVC_TAB_SIZE];
261 /* the service table hashed by fwmark */
262 static struct list_head ip_vs_svc_fwm_table[IP_VS_SVC_TAB_SIZE];
266 * Returns hash value for virtual service
268 static inline unsigned int
269 ip_vs_svc_hashkey(struct net *net, int af, unsigned int proto,
270 const union nf_inet_addr *addr, __be16 port)
272 register unsigned int porth = ntohs(port);
273 __be32 addr_fold = addr->ip;
275 #ifdef CONFIG_IP_VS_IPV6
277 addr_fold = addr->ip6[0]^addr->ip6[1]^
278 addr->ip6[2]^addr->ip6[3];
280 addr_fold ^= ((size_t)net>>8);
282 return (proto^ntohl(addr_fold)^(porth>>IP_VS_SVC_TAB_BITS)^porth)
283 & IP_VS_SVC_TAB_MASK;
287 * Returns hash value of fwmark for virtual service lookup
289 static inline unsigned int ip_vs_svc_fwm_hashkey(struct net *net, __u32 fwmark)
291 return (((size_t)net>>8) ^ fwmark) & IP_VS_SVC_TAB_MASK;
295 * Hashes a service in the ip_vs_svc_table by <netns,proto,addr,port>
296 * or in the ip_vs_svc_fwm_table by fwmark.
297 * Should be called with locked tables.
299 static int ip_vs_svc_hash(struct ip_vs_service *svc)
303 if (svc->flags & IP_VS_SVC_F_HASHED) {
304 pr_err("%s(): request for already hashed, called from %pF\n",
305 __func__, __builtin_return_address(0));
309 if (svc->fwmark == 0) {
311 * Hash it by <netns,protocol,addr,port> in ip_vs_svc_table
313 hash = ip_vs_svc_hashkey(svc->net, svc->af, svc->protocol,
314 &svc->addr, svc->port);
315 list_add(&svc->s_list, &ip_vs_svc_table[hash]);
318 * Hash it by fwmark in svc_fwm_table
320 hash = ip_vs_svc_fwm_hashkey(svc->net, svc->fwmark);
321 list_add(&svc->f_list, &ip_vs_svc_fwm_table[hash]);
324 svc->flags |= IP_VS_SVC_F_HASHED;
325 /* increase its refcnt because it is referenced by the svc table */
326 atomic_inc(&svc->refcnt);
332 * Unhashes a service from svc_table / svc_fwm_table.
333 * Should be called with locked tables.
335 static int ip_vs_svc_unhash(struct ip_vs_service *svc)
337 if (!(svc->flags & IP_VS_SVC_F_HASHED)) {
338 pr_err("%s(): request for unhash flagged, called from %pF\n",
339 __func__, __builtin_return_address(0));
343 if (svc->fwmark == 0) {
344 /* Remove it from the svc_table table */
345 list_del(&svc->s_list);
347 /* Remove it from the svc_fwm_table table */
348 list_del(&svc->f_list);
351 svc->flags &= ~IP_VS_SVC_F_HASHED;
352 atomic_dec(&svc->refcnt);
358 * Get service by {netns, proto,addr,port} in the service table.
360 static inline struct ip_vs_service *
361 __ip_vs_service_find(struct net *net, int af, __u16 protocol,
362 const union nf_inet_addr *vaddr, __be16 vport)
365 struct ip_vs_service *svc;
367 /* Check for "full" addressed entries */
368 hash = ip_vs_svc_hashkey(net, af, protocol, vaddr, vport);
370 list_for_each_entry(svc, &ip_vs_svc_table[hash], s_list){
372 && ip_vs_addr_equal(af, &svc->addr, vaddr)
373 && (svc->port == vport)
374 && (svc->protocol == protocol)
375 && net_eq(svc->net, net)) {
386 * Get service by {fwmark} in the service table.
388 static inline struct ip_vs_service *
389 __ip_vs_svc_fwm_find(struct net *net, int af, __u32 fwmark)
392 struct ip_vs_service *svc;
394 /* Check for fwmark addressed entries */
395 hash = ip_vs_svc_fwm_hashkey(net, fwmark);
397 list_for_each_entry(svc, &ip_vs_svc_fwm_table[hash], f_list) {
398 if (svc->fwmark == fwmark && svc->af == af
399 && net_eq(svc->net, net)) {
408 struct ip_vs_service *
409 ip_vs_service_get(struct net *net, int af, __u32 fwmark, __u16 protocol,
410 const union nf_inet_addr *vaddr, __be16 vport)
412 struct ip_vs_service *svc;
413 struct netns_ipvs *ipvs = net_ipvs(net);
415 read_lock(&__ip_vs_svc_lock);
418 * Check the table hashed by fwmark first
421 svc = __ip_vs_svc_fwm_find(net, af, fwmark);
427 * Check the table hashed by <protocol,addr,port>
428 * for "full" addressed entries
430 svc = __ip_vs_service_find(net, af, protocol, vaddr, vport);
433 && protocol == IPPROTO_TCP
434 && atomic_read(&ipvs->ftpsvc_counter)
435 && (vport == FTPDATA || ntohs(vport) >= PROT_SOCK)) {
437 * Check if ftp service entry exists, the packet
438 * might belong to FTP data connections.
440 svc = __ip_vs_service_find(net, af, protocol, vaddr, FTPPORT);
444 && atomic_read(&ipvs->nullsvc_counter)) {
446 * Check if the catch-all port (port zero) exists
448 svc = __ip_vs_service_find(net, af, protocol, vaddr, 0);
453 atomic_inc(&svc->usecnt);
454 read_unlock(&__ip_vs_svc_lock);
456 IP_VS_DBG_BUF(9, "lookup service: fwm %u %s %s:%u %s\n",
457 fwmark, ip_vs_proto_name(protocol),
458 IP_VS_DBG_ADDR(af, vaddr), ntohs(vport),
459 svc ? "hit" : "not hit");
466 __ip_vs_bind_svc(struct ip_vs_dest *dest, struct ip_vs_service *svc)
468 atomic_inc(&svc->refcnt);
473 __ip_vs_unbind_svc(struct ip_vs_dest *dest)
475 struct ip_vs_service *svc = dest->svc;
478 if (atomic_dec_and_test(&svc->refcnt)) {
479 IP_VS_DBG_BUF(3, "Removing service %u/%s:%u usecnt=%d\n",
481 IP_VS_DBG_ADDR(svc->af, &svc->addr),
482 ntohs(svc->port), atomic_read(&svc->usecnt));
483 free_percpu(svc->stats.cpustats);
490 * Returns hash value for real service
492 static inline unsigned int ip_vs_rs_hashkey(int af,
493 const union nf_inet_addr *addr,
496 register unsigned int porth = ntohs(port);
497 __be32 addr_fold = addr->ip;
499 #ifdef CONFIG_IP_VS_IPV6
501 addr_fold = addr->ip6[0]^addr->ip6[1]^
502 addr->ip6[2]^addr->ip6[3];
505 return (ntohl(addr_fold)^(porth>>IP_VS_RTAB_BITS)^porth)
510 * Hashes ip_vs_dest in rs_table by <proto,addr,port>.
511 * should be called with locked tables.
513 static int ip_vs_rs_hash(struct netns_ipvs *ipvs, struct ip_vs_dest *dest)
517 if (!list_empty(&dest->d_list)) {
522 * Hash by proto,addr,port,
523 * which are the parameters of the real service.
525 hash = ip_vs_rs_hashkey(dest->af, &dest->addr, dest->port);
527 list_add(&dest->d_list, &ipvs->rs_table[hash]);
533 * UNhashes ip_vs_dest from rs_table.
534 * should be called with locked tables.
536 static int ip_vs_rs_unhash(struct ip_vs_dest *dest)
539 * Remove it from the rs_table table.
541 if (!list_empty(&dest->d_list)) {
542 list_del_init(&dest->d_list);
549 * Lookup real service by <proto,addr,port> in the real service table.
552 ip_vs_lookup_real_service(struct net *net, int af, __u16 protocol,
553 const union nf_inet_addr *daddr,
556 struct netns_ipvs *ipvs = net_ipvs(net);
558 struct ip_vs_dest *dest;
561 * Check for "full" addressed entries
562 * Return the first found entry
564 hash = ip_vs_rs_hashkey(af, daddr, dport);
566 read_lock(&ipvs->rs_lock);
567 list_for_each_entry(dest, &ipvs->rs_table[hash], d_list) {
569 && ip_vs_addr_equal(af, &dest->addr, daddr)
570 && (dest->port == dport)
571 && ((dest->protocol == protocol) ||
574 read_unlock(&ipvs->rs_lock);
578 read_unlock(&ipvs->rs_lock);
584 * Lookup destination by {addr,port} in the given service
586 static struct ip_vs_dest *
587 ip_vs_lookup_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
590 struct ip_vs_dest *dest;
593 * Find the destination for the given service
595 list_for_each_entry(dest, &svc->destinations, n_list) {
596 if ((dest->af == svc->af)
597 && ip_vs_addr_equal(svc->af, &dest->addr, daddr)
598 && (dest->port == dport)) {
608 * Find destination by {daddr,dport,vaddr,protocol}
609 * Cretaed to be used in ip_vs_process_message() in
610 * the backup synchronization daemon. It finds the
611 * destination to be bound to the received connection
614 * ip_vs_lookup_real_service() looked promissing, but
615 * seems not working as expected.
617 struct ip_vs_dest *ip_vs_find_dest(struct net *net, int af,
618 const union nf_inet_addr *daddr,
620 const union nf_inet_addr *vaddr,
621 __be16 vport, __u16 protocol, __u32 fwmark,
624 struct ip_vs_dest *dest;
625 struct ip_vs_service *svc;
628 svc = ip_vs_service_get(net, af, fwmark, protocol, vaddr, vport);
631 if (fwmark && (flags & IP_VS_CONN_F_FWD_MASK) != IP_VS_CONN_F_MASQ)
633 dest = ip_vs_lookup_dest(svc, daddr, port);
635 dest = ip_vs_lookup_dest(svc, daddr, port ^ dport);
637 atomic_inc(&dest->refcnt);
638 ip_vs_service_put(svc);
643 * Lookup dest by {svc,addr,port} in the destination trash.
644 * The destination trash is used to hold the destinations that are removed
645 * from the service table but are still referenced by some conn entries.
646 * The reason to add the destination trash is when the dest is temporary
647 * down (either by administrator or by monitor program), the dest can be
648 * picked back from the trash, the remaining connections to the dest can
649 * continue, and the counting information of the dest is also useful for
652 static struct ip_vs_dest *
653 ip_vs_trash_get_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
656 struct ip_vs_dest *dest, *nxt;
657 struct netns_ipvs *ipvs = net_ipvs(svc->net);
660 * Find the destination in trash
662 list_for_each_entry_safe(dest, nxt, &ipvs->dest_trash, n_list) {
663 IP_VS_DBG_BUF(3, "Destination %u/%s:%u still in trash, "
666 IP_VS_DBG_ADDR(svc->af, &dest->addr),
668 atomic_read(&dest->refcnt));
669 if (dest->af == svc->af &&
670 ip_vs_addr_equal(svc->af, &dest->addr, daddr) &&
671 dest->port == dport &&
672 dest->vfwmark == svc->fwmark &&
673 dest->protocol == svc->protocol &&
675 (ip_vs_addr_equal(svc->af, &dest->vaddr, &svc->addr) &&
676 dest->vport == svc->port))) {
682 * Try to purge the destination from trash if not referenced
684 if (atomic_read(&dest->refcnt) == 1) {
685 IP_VS_DBG_BUF(3, "Removing destination %u/%s:%u "
688 IP_VS_DBG_ADDR(svc->af, &dest->addr),
690 list_del(&dest->n_list);
691 ip_vs_dst_reset(dest);
692 __ip_vs_unbind_svc(dest);
693 free_percpu(dest->stats.cpustats);
703 * Clean up all the destinations in the trash
704 * Called by the ip_vs_control_cleanup()
706 * When the ip_vs_control_clearup is activated by ipvs module exit,
707 * the service tables must have been flushed and all the connections
708 * are expired, and the refcnt of each destination in the trash must
709 * be 1, so we simply release them here.
711 static void ip_vs_trash_cleanup(struct net *net)
713 struct ip_vs_dest *dest, *nxt;
714 struct netns_ipvs *ipvs = net_ipvs(net);
716 list_for_each_entry_safe(dest, nxt, &ipvs->dest_trash, n_list) {
717 list_del(&dest->n_list);
718 ip_vs_dst_reset(dest);
719 __ip_vs_unbind_svc(dest);
720 free_percpu(dest->stats.cpustats);
726 ip_vs_copy_stats(struct ip_vs_stats_user *dst, struct ip_vs_stats *src)
728 #define IP_VS_SHOW_STATS_COUNTER(c) dst->c = src->ustats.c - src->ustats0.c
730 spin_lock_bh(&src->lock);
732 IP_VS_SHOW_STATS_COUNTER(conns);
733 IP_VS_SHOW_STATS_COUNTER(inpkts);
734 IP_VS_SHOW_STATS_COUNTER(outpkts);
735 IP_VS_SHOW_STATS_COUNTER(inbytes);
736 IP_VS_SHOW_STATS_COUNTER(outbytes);
738 ip_vs_read_estimator(dst, src);
740 spin_unlock_bh(&src->lock);
744 ip_vs_zero_stats(struct ip_vs_stats *stats)
746 spin_lock_bh(&stats->lock);
748 /* get current counters as zero point, rates are zeroed */
750 #define IP_VS_ZERO_STATS_COUNTER(c) stats->ustats0.c = stats->ustats.c
752 IP_VS_ZERO_STATS_COUNTER(conns);
753 IP_VS_ZERO_STATS_COUNTER(inpkts);
754 IP_VS_ZERO_STATS_COUNTER(outpkts);
755 IP_VS_ZERO_STATS_COUNTER(inbytes);
756 IP_VS_ZERO_STATS_COUNTER(outbytes);
758 ip_vs_zero_estimator(stats);
760 spin_unlock_bh(&stats->lock);
764 * Update a destination in the given service
767 __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
768 struct ip_vs_dest_user_kern *udest, int add)
770 struct netns_ipvs *ipvs = net_ipvs(svc->net);
773 /* set the weight and the flags */
774 atomic_set(&dest->weight, udest->weight);
775 conn_flags = udest->conn_flags & IP_VS_CONN_F_DEST_MASK;
776 conn_flags |= IP_VS_CONN_F_INACTIVE;
778 /* set the IP_VS_CONN_F_NOOUTPUT flag if not masquerading/NAT */
779 if ((conn_flags & IP_VS_CONN_F_FWD_MASK) != IP_VS_CONN_F_MASQ) {
780 conn_flags |= IP_VS_CONN_F_NOOUTPUT;
783 * Put the real service in rs_table if not present.
784 * For now only for NAT!
786 write_lock_bh(&ipvs->rs_lock);
787 ip_vs_rs_hash(ipvs, dest);
788 write_unlock_bh(&ipvs->rs_lock);
790 atomic_set(&dest->conn_flags, conn_flags);
792 /* bind the service */
794 __ip_vs_bind_svc(dest, svc);
796 if (dest->svc != svc) {
797 __ip_vs_unbind_svc(dest);
798 ip_vs_zero_stats(&dest->stats);
799 __ip_vs_bind_svc(dest, svc);
803 /* set the dest status flags */
804 dest->flags |= IP_VS_DEST_F_AVAILABLE;
806 if (udest->u_threshold == 0 || udest->u_threshold > dest->u_threshold)
807 dest->flags &= ~IP_VS_DEST_F_OVERLOAD;
808 dest->u_threshold = udest->u_threshold;
809 dest->l_threshold = udest->l_threshold;
811 spin_lock_bh(&dest->dst_lock);
812 ip_vs_dst_reset(dest);
813 spin_unlock_bh(&dest->dst_lock);
816 ip_vs_start_estimator(svc->net, &dest->stats);
818 write_lock_bh(&__ip_vs_svc_lock);
820 /* Wait until all other svc users go away */
821 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
824 list_add(&dest->n_list, &svc->destinations);
828 /* call the update_service, because server weight may be changed */
829 if (svc->scheduler->update_service)
830 svc->scheduler->update_service(svc);
832 write_unlock_bh(&__ip_vs_svc_lock);
837 * Create a destination for the given service
840 ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
841 struct ip_vs_dest **dest_p)
843 struct ip_vs_dest *dest;
848 #ifdef CONFIG_IP_VS_IPV6
849 if (svc->af == AF_INET6) {
850 atype = ipv6_addr_type(&udest->addr.in6);
851 if ((!(atype & IPV6_ADDR_UNICAST) ||
852 atype & IPV6_ADDR_LINKLOCAL) &&
853 !__ip_vs_addr_is_local_v6(svc->net, &udest->addr.in6))
858 atype = inet_addr_type(svc->net, udest->addr.ip);
859 if (atype != RTN_LOCAL && atype != RTN_UNICAST)
863 dest = kzalloc(sizeof(struct ip_vs_dest), GFP_KERNEL);
867 dest->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
868 if (!dest->stats.cpustats)
872 dest->protocol = svc->protocol;
873 dest->vaddr = svc->addr;
874 dest->vport = svc->port;
875 dest->vfwmark = svc->fwmark;
876 ip_vs_addr_copy(svc->af, &dest->addr, &udest->addr);
877 dest->port = udest->port;
879 atomic_set(&dest->activeconns, 0);
880 atomic_set(&dest->inactconns, 0);
881 atomic_set(&dest->persistconns, 0);
882 atomic_set(&dest->refcnt, 1);
884 INIT_LIST_HEAD(&dest->d_list);
885 spin_lock_init(&dest->dst_lock);
886 spin_lock_init(&dest->stats.lock);
887 __ip_vs_update_dest(svc, dest, udest, 1);
901 * Add a destination into an existing service
904 ip_vs_add_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
906 struct ip_vs_dest *dest;
907 union nf_inet_addr daddr;
908 __be16 dport = udest->port;
913 if (udest->weight < 0) {
914 pr_err("%s(): server weight less than zero\n", __func__);
918 if (udest->l_threshold > udest->u_threshold) {
919 pr_err("%s(): lower threshold is higher than upper threshold\n",
924 ip_vs_addr_copy(svc->af, &daddr, &udest->addr);
927 * Check if the dest already exists in the list
929 dest = ip_vs_lookup_dest(svc, &daddr, dport);
932 IP_VS_DBG(1, "%s(): dest already exists\n", __func__);
937 * Check if the dest already exists in the trash and
938 * is from the same service
940 dest = ip_vs_trash_get_dest(svc, &daddr, dport);
943 IP_VS_DBG_BUF(3, "Get destination %s:%u from trash, "
944 "dest->refcnt=%d, service %u/%s:%u\n",
945 IP_VS_DBG_ADDR(svc->af, &daddr), ntohs(dport),
946 atomic_read(&dest->refcnt),
948 IP_VS_DBG_ADDR(svc->af, &dest->vaddr),
952 * Get the destination from the trash
954 list_del(&dest->n_list);
956 __ip_vs_update_dest(svc, dest, udest, 1);
960 * Allocate and initialize the dest structure
962 ret = ip_vs_new_dest(svc, udest, &dest);
971 * Edit a destination in the given service
974 ip_vs_edit_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
976 struct ip_vs_dest *dest;
977 union nf_inet_addr daddr;
978 __be16 dport = udest->port;
982 if (udest->weight < 0) {
983 pr_err("%s(): server weight less than zero\n", __func__);
987 if (udest->l_threshold > udest->u_threshold) {
988 pr_err("%s(): lower threshold is higher than upper threshold\n",
993 ip_vs_addr_copy(svc->af, &daddr, &udest->addr);
996 * Lookup the destination list
998 dest = ip_vs_lookup_dest(svc, &daddr, dport);
1001 IP_VS_DBG(1, "%s(): dest doesn't exist\n", __func__);
1005 __ip_vs_update_dest(svc, dest, udest, 0);
1013 * Delete a destination (must be already unlinked from the service)
1015 static void __ip_vs_del_dest(struct net *net, struct ip_vs_dest *dest)
1017 struct netns_ipvs *ipvs = net_ipvs(net);
1019 ip_vs_stop_estimator(net, &dest->stats);
1022 * Remove it from the d-linked list with the real services.
1024 write_lock_bh(&ipvs->rs_lock);
1025 ip_vs_rs_unhash(dest);
1026 write_unlock_bh(&ipvs->rs_lock);
1029 * Decrease the refcnt of the dest, and free the dest
1030 * if nobody refers to it (refcnt=0). Otherwise, throw
1031 * the destination into the trash.
1033 if (atomic_dec_and_test(&dest->refcnt)) {
1034 IP_VS_DBG_BUF(3, "Removing destination %u/%s:%u\n",
1036 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1038 ip_vs_dst_reset(dest);
1039 /* simply decrease svc->refcnt here, let the caller check
1040 and release the service if nobody refers to it.
1041 Only user context can release destination and service,
1042 and only one user context can update virtual service at a
1043 time, so the operation here is OK */
1044 atomic_dec(&dest->svc->refcnt);
1045 free_percpu(dest->stats.cpustats);
1048 IP_VS_DBG_BUF(3, "Moving dest %s:%u into trash, "
1049 "dest->refcnt=%d\n",
1050 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1052 atomic_read(&dest->refcnt));
1053 list_add(&dest->n_list, &ipvs->dest_trash);
1054 atomic_inc(&dest->refcnt);
1060 * Unlink a destination from the given service
1062 static void __ip_vs_unlink_dest(struct ip_vs_service *svc,
1063 struct ip_vs_dest *dest,
1066 dest->flags &= ~IP_VS_DEST_F_AVAILABLE;
1069 * Remove it from the d-linked destination list.
1071 list_del(&dest->n_list);
1075 * Call the update_service function of its scheduler
1077 if (svcupd && svc->scheduler->update_service)
1078 svc->scheduler->update_service(svc);
1083 * Delete a destination server in the given service
1086 ip_vs_del_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
1088 struct ip_vs_dest *dest;
1089 __be16 dport = udest->port;
1093 dest = ip_vs_lookup_dest(svc, &udest->addr, dport);
1096 IP_VS_DBG(1, "%s(): destination not found!\n", __func__);
1100 write_lock_bh(&__ip_vs_svc_lock);
1103 * Wait until all other svc users go away.
1105 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1108 * Unlink dest from the service
1110 __ip_vs_unlink_dest(svc, dest, 1);
1112 write_unlock_bh(&__ip_vs_svc_lock);
1115 * Delete the destination
1117 __ip_vs_del_dest(svc->net, dest);
1126 * Add a service into the service hash table
1129 ip_vs_add_service(struct net *net, struct ip_vs_service_user_kern *u,
1130 struct ip_vs_service **svc_p)
1133 struct ip_vs_scheduler *sched = NULL;
1134 struct ip_vs_pe *pe = NULL;
1135 struct ip_vs_service *svc = NULL;
1136 struct netns_ipvs *ipvs = net_ipvs(net);
1138 /* increase the module use count */
1139 ip_vs_use_count_inc();
1141 /* Lookup the scheduler by 'u->sched_name' */
1142 sched = ip_vs_scheduler_get(u->sched_name);
1143 if (sched == NULL) {
1144 pr_info("Scheduler module ip_vs_%s not found\n", u->sched_name);
1149 if (u->pe_name && *u->pe_name) {
1150 pe = ip_vs_pe_getbyname(u->pe_name);
1152 pr_info("persistence engine module ip_vs_pe_%s "
1153 "not found\n", u->pe_name);
1159 #ifdef CONFIG_IP_VS_IPV6
1160 if (u->af == AF_INET6 && (u->netmask < 1 || u->netmask > 128)) {
1166 svc = kzalloc(sizeof(struct ip_vs_service), GFP_KERNEL);
1168 IP_VS_DBG(1, "%s(): no memory\n", __func__);
1172 svc->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
1173 if (!svc->stats.cpustats) {
1178 /* I'm the first user of the service */
1179 atomic_set(&svc->usecnt, 0);
1180 atomic_set(&svc->refcnt, 0);
1183 svc->protocol = u->protocol;
1184 ip_vs_addr_copy(svc->af, &svc->addr, &u->addr);
1185 svc->port = u->port;
1186 svc->fwmark = u->fwmark;
1187 svc->flags = u->flags;
1188 svc->timeout = u->timeout * HZ;
1189 svc->netmask = u->netmask;
1192 INIT_LIST_HEAD(&svc->destinations);
1193 rwlock_init(&svc->sched_lock);
1194 spin_lock_init(&svc->stats.lock);
1196 /* Bind the scheduler */
1197 ret = ip_vs_bind_scheduler(svc, sched);
1202 /* Bind the ct retriever */
1203 ip_vs_bind_pe(svc, pe);
1206 /* Update the virtual service counters */
1207 if (svc->port == FTPPORT)
1208 atomic_inc(&ipvs->ftpsvc_counter);
1209 else if (svc->port == 0)
1210 atomic_inc(&ipvs->nullsvc_counter);
1212 ip_vs_start_estimator(net, &svc->stats);
1214 /* Count only IPv4 services for old get/setsockopt interface */
1215 if (svc->af == AF_INET)
1216 ipvs->num_services++;
1218 /* Hash the service into the service table */
1219 write_lock_bh(&__ip_vs_svc_lock);
1220 ip_vs_svc_hash(svc);
1221 write_unlock_bh(&__ip_vs_svc_lock);
1224 /* Now there is a service - full throttle */
1231 ip_vs_unbind_scheduler(svc);
1234 ip_vs_app_inc_put(svc->inc);
1237 if (svc->stats.cpustats)
1238 free_percpu(svc->stats.cpustats);
1241 ip_vs_scheduler_put(sched);
1244 /* decrease the module use count */
1245 ip_vs_use_count_dec();
1252 * Edit a service and bind it with a new scheduler
1255 ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)
1257 struct ip_vs_scheduler *sched, *old_sched;
1258 struct ip_vs_pe *pe = NULL, *old_pe = NULL;
1262 * Lookup the scheduler, by 'u->sched_name'
1264 sched = ip_vs_scheduler_get(u->sched_name);
1265 if (sched == NULL) {
1266 pr_info("Scheduler module ip_vs_%s not found\n", u->sched_name);
1271 if (u->pe_name && *u->pe_name) {
1272 pe = ip_vs_pe_getbyname(u->pe_name);
1274 pr_info("persistence engine module ip_vs_pe_%s "
1275 "not found\n", u->pe_name);
1282 #ifdef CONFIG_IP_VS_IPV6
1283 if (u->af == AF_INET6 && (u->netmask < 1 || u->netmask > 128)) {
1289 write_lock_bh(&__ip_vs_svc_lock);
1292 * Wait until all other svc users go away.
1294 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1297 * Set the flags and timeout value
1299 svc->flags = u->flags | IP_VS_SVC_F_HASHED;
1300 svc->timeout = u->timeout * HZ;
1301 svc->netmask = u->netmask;
1303 old_sched = svc->scheduler;
1304 if (sched != old_sched) {
1306 * Unbind the old scheduler
1308 if ((ret = ip_vs_unbind_scheduler(svc))) {
1314 * Bind the new scheduler
1316 if ((ret = ip_vs_bind_scheduler(svc, sched))) {
1318 * If ip_vs_bind_scheduler fails, restore the old
1320 * The main reason of failure is out of memory.
1322 * The question is if the old scheduler can be
1323 * restored all the time. TODO: if it cannot be
1324 * restored some time, we must delete the service,
1325 * otherwise the system may crash.
1327 ip_vs_bind_scheduler(svc, old_sched);
1335 ip_vs_unbind_pe(svc);
1336 ip_vs_bind_pe(svc, pe);
1340 write_unlock_bh(&__ip_vs_svc_lock);
1342 ip_vs_scheduler_put(old_sched);
1343 ip_vs_pe_put(old_pe);
1349 * Delete a service from the service list
1350 * - The service must be unlinked, unlocked and not referenced!
1351 * - We are called under _bh lock
1353 static void __ip_vs_del_service(struct ip_vs_service *svc)
1355 struct ip_vs_dest *dest, *nxt;
1356 struct ip_vs_scheduler *old_sched;
1357 struct ip_vs_pe *old_pe;
1358 struct netns_ipvs *ipvs = net_ipvs(svc->net);
1360 pr_info("%s: enter\n", __func__);
1362 /* Count only IPv4 services for old get/setsockopt interface */
1363 if (svc->af == AF_INET)
1364 ipvs->num_services--;
1366 ip_vs_stop_estimator(svc->net, &svc->stats);
1368 /* Unbind scheduler */
1369 old_sched = svc->scheduler;
1370 ip_vs_unbind_scheduler(svc);
1371 ip_vs_scheduler_put(old_sched);
1373 /* Unbind persistence engine */
1375 ip_vs_unbind_pe(svc);
1376 ip_vs_pe_put(old_pe);
1378 /* Unbind app inc */
1380 ip_vs_app_inc_put(svc->inc);
1385 * Unlink the whole destination list
1387 list_for_each_entry_safe(dest, nxt, &svc->destinations, n_list) {
1388 __ip_vs_unlink_dest(svc, dest, 0);
1389 __ip_vs_del_dest(svc->net, dest);
1393 * Update the virtual service counters
1395 if (svc->port == FTPPORT)
1396 atomic_dec(&ipvs->ftpsvc_counter);
1397 else if (svc->port == 0)
1398 atomic_dec(&ipvs->nullsvc_counter);
1401 * Free the service if nobody refers to it
1403 if (atomic_read(&svc->refcnt) == 0) {
1404 IP_VS_DBG_BUF(3, "Removing service %u/%s:%u usecnt=%d\n",
1406 IP_VS_DBG_ADDR(svc->af, &svc->addr),
1407 ntohs(svc->port), atomic_read(&svc->usecnt));
1408 free_percpu(svc->stats.cpustats);
1412 /* decrease the module use count */
1413 ip_vs_use_count_dec();
1417 * Unlink a service from list and try to delete it if its refcnt reached 0
1419 static void ip_vs_unlink_service(struct ip_vs_service *svc)
1422 * Unhash it from the service table
1424 write_lock_bh(&__ip_vs_svc_lock);
1426 ip_vs_svc_unhash(svc);
1429 * Wait until all the svc users go away.
1431 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1433 __ip_vs_del_service(svc);
1435 write_unlock_bh(&__ip_vs_svc_lock);
1439 * Delete a service from the service list
1441 static int ip_vs_del_service(struct ip_vs_service *svc)
1445 ip_vs_unlink_service(svc);
1452 * Flush all the virtual services
1454 static int ip_vs_flush(struct net *net)
1457 struct ip_vs_service *svc, *nxt;
1460 * Flush the service table hashed by <netns,protocol,addr,port>
1462 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1463 list_for_each_entry_safe(svc, nxt, &ip_vs_svc_table[idx],
1465 if (net_eq(svc->net, net))
1466 ip_vs_unlink_service(svc);
1471 * Flush the service table hashed by fwmark
1473 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1474 list_for_each_entry_safe(svc, nxt,
1475 &ip_vs_svc_fwm_table[idx], f_list) {
1476 if (net_eq(svc->net, net))
1477 ip_vs_unlink_service(svc);
1485 * Delete service by {netns} in the service table.
1486 * Called by __ip_vs_cleanup()
1488 void ip_vs_service_net_cleanup(struct net *net)
1491 /* Check for "full" addressed entries */
1492 mutex_lock(&__ip_vs_mutex);
1494 mutex_unlock(&__ip_vs_mutex);
1498 * Release dst hold by dst_cache
1501 __ip_vs_dev_reset(struct ip_vs_dest *dest, struct net_device *dev)
1503 spin_lock_bh(&dest->dst_lock);
1504 if (dest->dst_cache && dest->dst_cache->dev == dev) {
1505 IP_VS_DBG_BUF(3, "Reset dev:%s dest %s:%u ,dest->refcnt=%d\n",
1507 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1509 atomic_read(&dest->refcnt));
1510 ip_vs_dst_reset(dest);
1512 spin_unlock_bh(&dest->dst_lock);
1516 * Netdev event receiver
1517 * Currently only NETDEV_UNREGISTER is handled, i.e. if we hold a reference to
1518 * a device that is "unregister" it must be released.
1520 static int ip_vs_dst_event(struct notifier_block *this, unsigned long event,
1523 struct net_device *dev = ptr;
1524 struct net *net = dev_net(dev);
1525 struct netns_ipvs *ipvs = net_ipvs(net);
1526 struct ip_vs_service *svc;
1527 struct ip_vs_dest *dest;
1530 if (event != NETDEV_UNREGISTER || !ipvs)
1532 IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name);
1534 mutex_lock(&__ip_vs_mutex);
1535 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1536 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1537 if (net_eq(svc->net, net)) {
1538 list_for_each_entry(dest, &svc->destinations,
1540 __ip_vs_dev_reset(dest, dev);
1545 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1546 if (net_eq(svc->net, net)) {
1547 list_for_each_entry(dest, &svc->destinations,
1549 __ip_vs_dev_reset(dest, dev);
1556 list_for_each_entry(dest, &ipvs->dest_trash, n_list) {
1557 __ip_vs_dev_reset(dest, dev);
1559 mutex_unlock(&__ip_vs_mutex);
1565 * Zero counters in a service or all services
1567 static int ip_vs_zero_service(struct ip_vs_service *svc)
1569 struct ip_vs_dest *dest;
1571 write_lock_bh(&__ip_vs_svc_lock);
1572 list_for_each_entry(dest, &svc->destinations, n_list) {
1573 ip_vs_zero_stats(&dest->stats);
1575 ip_vs_zero_stats(&svc->stats);
1576 write_unlock_bh(&__ip_vs_svc_lock);
1580 static int ip_vs_zero_all(struct net *net)
1583 struct ip_vs_service *svc;
1585 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1586 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1587 if (net_eq(svc->net, net))
1588 ip_vs_zero_service(svc);
1592 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1593 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1594 if (net_eq(svc->net, net))
1595 ip_vs_zero_service(svc);
1599 ip_vs_zero_stats(&net_ipvs(net)->tot_stats);
1603 #ifdef CONFIG_SYSCTL
1606 static int three = 3;
1609 proc_do_defense_mode(ctl_table *table, int write,
1610 void __user *buffer, size_t *lenp, loff_t *ppos)
1612 struct net *net = current->nsproxy->net_ns;
1613 int *valp = table->data;
1617 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1618 if (write && (*valp != val)) {
1619 if ((*valp < 0) || (*valp > 3)) {
1620 /* Restore the correct value */
1623 update_defense_level(net_ipvs(net));
1630 proc_do_sync_threshold(ctl_table *table, int write,
1631 void __user *buffer, size_t *lenp, loff_t *ppos)
1633 int *valp = table->data;
1637 /* backup the value first */
1638 memcpy(val, valp, sizeof(val));
1640 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1641 if (write && (valp[0] < 0 || valp[1] < 0 ||
1642 (valp[0] >= valp[1] && valp[1]))) {
1643 /* Restore the correct value */
1644 memcpy(valp, val, sizeof(val));
1650 proc_do_sync_mode(ctl_table *table, int write,
1651 void __user *buffer, size_t *lenp, loff_t *ppos)
1653 int *valp = table->data;
1657 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1658 if (write && (*valp != val)) {
1659 if ((*valp < 0) || (*valp > 1)) {
1660 /* Restore the correct value */
1668 proc_do_sync_ports(ctl_table *table, int write,
1669 void __user *buffer, size_t *lenp, loff_t *ppos)
1671 int *valp = table->data;
1675 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1676 if (write && (*valp != val)) {
1677 if (*valp < 1 || !is_power_of_2(*valp)) {
1678 /* Restore the correct value */
1686 * IPVS sysctl table (under the /proc/sys/net/ipv4/vs/)
1687 * Do not change order or insert new entries without
1688 * align with netns init in ip_vs_control_net_init()
1691 static struct ctl_table vs_vars[] = {
1693 .procname = "amemthresh",
1694 .maxlen = sizeof(int),
1696 .proc_handler = proc_dointvec,
1699 .procname = "am_droprate",
1700 .maxlen = sizeof(int),
1702 .proc_handler = proc_dointvec,
1705 .procname = "drop_entry",
1706 .maxlen = sizeof(int),
1708 .proc_handler = proc_do_defense_mode,
1711 .procname = "drop_packet",
1712 .maxlen = sizeof(int),
1714 .proc_handler = proc_do_defense_mode,
1716 #ifdef CONFIG_IP_VS_NFCT
1718 .procname = "conntrack",
1719 .maxlen = sizeof(int),
1721 .proc_handler = &proc_dointvec,
1725 .procname = "secure_tcp",
1726 .maxlen = sizeof(int),
1728 .proc_handler = proc_do_defense_mode,
1731 .procname = "snat_reroute",
1732 .maxlen = sizeof(int),
1734 .proc_handler = &proc_dointvec,
1737 .procname = "sync_version",
1738 .maxlen = sizeof(int),
1740 .proc_handler = &proc_do_sync_mode,
1743 .procname = "sync_ports",
1744 .maxlen = sizeof(int),
1746 .proc_handler = &proc_do_sync_ports,
1749 .procname = "sync_qlen_max",
1750 .maxlen = sizeof(int),
1752 .proc_handler = proc_dointvec,
1755 .procname = "sync_sock_size",
1756 .maxlen = sizeof(int),
1758 .proc_handler = proc_dointvec,
1761 .procname = "cache_bypass",
1762 .maxlen = sizeof(int),
1764 .proc_handler = proc_dointvec,
1767 .procname = "expire_nodest_conn",
1768 .maxlen = sizeof(int),
1770 .proc_handler = proc_dointvec,
1773 .procname = "expire_quiescent_template",
1774 .maxlen = sizeof(int),
1776 .proc_handler = proc_dointvec,
1779 .procname = "sync_threshold",
1781 sizeof(((struct netns_ipvs *)0)->sysctl_sync_threshold),
1783 .proc_handler = proc_do_sync_threshold,
1786 .procname = "sync_refresh_period",
1787 .maxlen = sizeof(int),
1789 .proc_handler = proc_dointvec_jiffies,
1792 .procname = "sync_retries",
1793 .maxlen = sizeof(int),
1795 .proc_handler = proc_dointvec_minmax,
1800 .procname = "nat_icmp_send",
1801 .maxlen = sizeof(int),
1803 .proc_handler = proc_dointvec,
1806 .procname = "pmtu_disc",
1807 .maxlen = sizeof(int),
1809 .proc_handler = proc_dointvec,
1812 .procname = "backup_only",
1813 .maxlen = sizeof(int),
1815 .proc_handler = proc_dointvec,
1817 #ifdef CONFIG_IP_VS_DEBUG
1819 .procname = "debug_level",
1820 .data = &sysctl_ip_vs_debug_level,
1821 .maxlen = sizeof(int),
1823 .proc_handler = proc_dointvec,
1828 .procname = "timeout_established",
1829 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ESTABLISHED],
1830 .maxlen = sizeof(int),
1832 .proc_handler = proc_dointvec_jiffies,
1835 .procname = "timeout_synsent",
1836 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_SENT],
1837 .maxlen = sizeof(int),
1839 .proc_handler = proc_dointvec_jiffies,
1842 .procname = "timeout_synrecv",
1843 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_RECV],
1844 .maxlen = sizeof(int),
1846 .proc_handler = proc_dointvec_jiffies,
1849 .procname = "timeout_finwait",
1850 .data = &vs_timeout_table_dos.timeout[IP_VS_S_FIN_WAIT],
1851 .maxlen = sizeof(int),
1853 .proc_handler = proc_dointvec_jiffies,
1856 .procname = "timeout_timewait",
1857 .data = &vs_timeout_table_dos.timeout[IP_VS_S_TIME_WAIT],
1858 .maxlen = sizeof(int),
1860 .proc_handler = proc_dointvec_jiffies,
1863 .procname = "timeout_close",
1864 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE],
1865 .maxlen = sizeof(int),
1867 .proc_handler = proc_dointvec_jiffies,
1870 .procname = "timeout_closewait",
1871 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE_WAIT],
1872 .maxlen = sizeof(int),
1874 .proc_handler = proc_dointvec_jiffies,
1877 .procname = "timeout_lastack",
1878 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LAST_ACK],
1879 .maxlen = sizeof(int),
1881 .proc_handler = proc_dointvec_jiffies,
1884 .procname = "timeout_listen",
1885 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LISTEN],
1886 .maxlen = sizeof(int),
1888 .proc_handler = proc_dointvec_jiffies,
1891 .procname = "timeout_synack",
1892 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYNACK],
1893 .maxlen = sizeof(int),
1895 .proc_handler = proc_dointvec_jiffies,
1898 .procname = "timeout_udp",
1899 .data = &vs_timeout_table_dos.timeout[IP_VS_S_UDP],
1900 .maxlen = sizeof(int),
1902 .proc_handler = proc_dointvec_jiffies,
1905 .procname = "timeout_icmp",
1906 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ICMP],
1907 .maxlen = sizeof(int),
1909 .proc_handler = proc_dointvec_jiffies,
1917 #ifdef CONFIG_PROC_FS
1920 struct seq_net_private p; /* Do not move this, netns depends upon it*/
1921 struct list_head *table;
1926 * Write the contents of the VS rule table to a PROCfs file.
1927 * (It is kept just for backward compatibility)
1929 static inline const char *ip_vs_fwd_name(unsigned int flags)
1931 switch (flags & IP_VS_CONN_F_FWD_MASK) {
1932 case IP_VS_CONN_F_LOCALNODE:
1934 case IP_VS_CONN_F_TUNNEL:
1936 case IP_VS_CONN_F_DROUTE:
1944 /* Get the Nth entry in the two lists */
1945 static struct ip_vs_service *ip_vs_info_array(struct seq_file *seq, loff_t pos)
1947 struct net *net = seq_file_net(seq);
1948 struct ip_vs_iter *iter = seq->private;
1950 struct ip_vs_service *svc;
1952 /* look in hash by protocol */
1953 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1954 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1955 if (net_eq(svc->net, net) && pos-- == 0) {
1956 iter->table = ip_vs_svc_table;
1963 /* keep looking in fwmark */
1964 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1965 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1966 if (net_eq(svc->net, net) && pos-- == 0) {
1967 iter->table = ip_vs_svc_fwm_table;
1977 static void *ip_vs_info_seq_start(struct seq_file *seq, loff_t *pos)
1978 __acquires(__ip_vs_svc_lock)
1981 read_lock_bh(&__ip_vs_svc_lock);
1982 return *pos ? ip_vs_info_array(seq, *pos - 1) : SEQ_START_TOKEN;
1986 static void *ip_vs_info_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1988 struct list_head *e;
1989 struct ip_vs_iter *iter;
1990 struct ip_vs_service *svc;
1993 if (v == SEQ_START_TOKEN)
1994 return ip_vs_info_array(seq,0);
1997 iter = seq->private;
1999 if (iter->table == ip_vs_svc_table) {
2000 /* next service in table hashed by protocol */
2001 if ((e = svc->s_list.next) != &ip_vs_svc_table[iter->bucket])
2002 return list_entry(e, struct ip_vs_service, s_list);
2005 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
2006 list_for_each_entry(svc,&ip_vs_svc_table[iter->bucket],
2012 iter->table = ip_vs_svc_fwm_table;
2017 /* next service in hashed by fwmark */
2018 if ((e = svc->f_list.next) != &ip_vs_svc_fwm_table[iter->bucket])
2019 return list_entry(e, struct ip_vs_service, f_list);
2022 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
2023 list_for_each_entry(svc, &ip_vs_svc_fwm_table[iter->bucket],
2031 static void ip_vs_info_seq_stop(struct seq_file *seq, void *v)
2032 __releases(__ip_vs_svc_lock)
2034 read_unlock_bh(&__ip_vs_svc_lock);
2038 static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
2040 if (v == SEQ_START_TOKEN) {
2042 "IP Virtual Server version %d.%d.%d (size=%d)\n",
2043 NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size);
2045 "Prot LocalAddress:Port Scheduler Flags\n");
2047 " -> RemoteAddress:Port Forward Weight ActiveConn InActConn\n");
2049 const struct ip_vs_service *svc = v;
2050 const struct ip_vs_iter *iter = seq->private;
2051 const struct ip_vs_dest *dest;
2053 if (iter->table == ip_vs_svc_table) {
2054 #ifdef CONFIG_IP_VS_IPV6
2055 if (svc->af == AF_INET6)
2056 seq_printf(seq, "%s [%pI6]:%04X %s ",
2057 ip_vs_proto_name(svc->protocol),
2060 svc->scheduler->name);
2063 seq_printf(seq, "%s %08X:%04X %s %s ",
2064 ip_vs_proto_name(svc->protocol),
2065 ntohl(svc->addr.ip),
2067 svc->scheduler->name,
2068 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
2070 seq_printf(seq, "FWM %08X %s %s",
2071 svc->fwmark, svc->scheduler->name,
2072 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
2075 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
2076 seq_printf(seq, "persistent %d %08X\n",
2078 ntohl(svc->netmask));
2080 seq_putc(seq, '\n');
2082 list_for_each_entry(dest, &svc->destinations, n_list) {
2083 #ifdef CONFIG_IP_VS_IPV6
2084 if (dest->af == AF_INET6)
2087 " %-7s %-6d %-10d %-10d\n",
2090 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
2091 atomic_read(&dest->weight),
2092 atomic_read(&dest->activeconns),
2093 atomic_read(&dest->inactconns));
2098 "%-7s %-6d %-10d %-10d\n",
2099 ntohl(dest->addr.ip),
2101 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
2102 atomic_read(&dest->weight),
2103 atomic_read(&dest->activeconns),
2104 atomic_read(&dest->inactconns));
2111 static const struct seq_operations ip_vs_info_seq_ops = {
2112 .start = ip_vs_info_seq_start,
2113 .next = ip_vs_info_seq_next,
2114 .stop = ip_vs_info_seq_stop,
2115 .show = ip_vs_info_seq_show,
2118 static int ip_vs_info_open(struct inode *inode, struct file *file)
2120 return seq_open_net(inode, file, &ip_vs_info_seq_ops,
2121 sizeof(struct ip_vs_iter));
2124 static const struct file_operations ip_vs_info_fops = {
2125 .owner = THIS_MODULE,
2126 .open = ip_vs_info_open,
2128 .llseek = seq_lseek,
2129 .release = seq_release_net,
2132 static int ip_vs_stats_show(struct seq_file *seq, void *v)
2134 struct net *net = seq_file_single_net(seq);
2135 struct ip_vs_stats_user show;
2137 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2139 " Total Incoming Outgoing Incoming Outgoing\n");
2141 " Conns Packets Packets Bytes Bytes\n");
2143 ip_vs_copy_stats(&show, &net_ipvs(net)->tot_stats);
2144 seq_printf(seq, "%8X %8X %8X %16LX %16LX\n\n", show.conns,
2145 show.inpkts, show.outpkts,
2146 (unsigned long long) show.inbytes,
2147 (unsigned long long) show.outbytes);
2149 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2151 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
2152 seq_printf(seq, "%8X %8X %8X %16X %16X\n",
2153 show.cps, show.inpps, show.outpps,
2154 show.inbps, show.outbps);
2159 static int ip_vs_stats_seq_open(struct inode *inode, struct file *file)
2161 return single_open_net(inode, file, ip_vs_stats_show);
2164 static const struct file_operations ip_vs_stats_fops = {
2165 .owner = THIS_MODULE,
2166 .open = ip_vs_stats_seq_open,
2168 .llseek = seq_lseek,
2169 .release = single_release_net,
2172 static int ip_vs_stats_percpu_show(struct seq_file *seq, void *v)
2174 struct net *net = seq_file_single_net(seq);
2175 struct ip_vs_stats *tot_stats = &net_ipvs(net)->tot_stats;
2176 struct ip_vs_cpu_stats *cpustats = tot_stats->cpustats;
2177 struct ip_vs_stats_user rates;
2180 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2182 " Total Incoming Outgoing Incoming Outgoing\n");
2184 "CPU Conns Packets Packets Bytes Bytes\n");
2186 for_each_possible_cpu(i) {
2187 struct ip_vs_cpu_stats *u = per_cpu_ptr(cpustats, i);
2189 __u64 inbytes, outbytes;
2192 start = u64_stats_fetch_begin_bh(&u->syncp);
2193 inbytes = u->ustats.inbytes;
2194 outbytes = u->ustats.outbytes;
2195 } while (u64_stats_fetch_retry_bh(&u->syncp, start));
2197 seq_printf(seq, "%3X %8X %8X %8X %16LX %16LX\n",
2198 i, u->ustats.conns, u->ustats.inpkts,
2199 u->ustats.outpkts, (__u64)inbytes,
2203 spin_lock_bh(&tot_stats->lock);
2205 seq_printf(seq, " ~ %8X %8X %8X %16LX %16LX\n\n",
2206 tot_stats->ustats.conns, tot_stats->ustats.inpkts,
2207 tot_stats->ustats.outpkts,
2208 (unsigned long long) tot_stats->ustats.inbytes,
2209 (unsigned long long) tot_stats->ustats.outbytes);
2211 ip_vs_read_estimator(&rates, tot_stats);
2213 spin_unlock_bh(&tot_stats->lock);
2215 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2217 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
2218 seq_printf(seq, " %8X %8X %8X %16X %16X\n",
2228 static int ip_vs_stats_percpu_seq_open(struct inode *inode, struct file *file)
2230 return single_open_net(inode, file, ip_vs_stats_percpu_show);
2233 static const struct file_operations ip_vs_stats_percpu_fops = {
2234 .owner = THIS_MODULE,
2235 .open = ip_vs_stats_percpu_seq_open,
2237 .llseek = seq_lseek,
2238 .release = single_release_net,
2243 * Set timeout values for tcp tcpfin udp in the timeout_table.
2245 static int ip_vs_set_timeout(struct net *net, struct ip_vs_timeout_user *u)
2247 #if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
2248 struct ip_vs_proto_data *pd;
2251 IP_VS_DBG(2, "Setting timeout tcp:%d tcpfin:%d udp:%d\n",
2256 #ifdef CONFIG_IP_VS_PROTO_TCP
2257 if (u->tcp_timeout) {
2258 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2259 pd->timeout_table[IP_VS_TCP_S_ESTABLISHED]
2260 = u->tcp_timeout * HZ;
2263 if (u->tcp_fin_timeout) {
2264 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2265 pd->timeout_table[IP_VS_TCP_S_FIN_WAIT]
2266 = u->tcp_fin_timeout * HZ;
2270 #ifdef CONFIG_IP_VS_PROTO_UDP
2271 if (u->udp_timeout) {
2272 pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
2273 pd->timeout_table[IP_VS_UDP_S_NORMAL]
2274 = u->udp_timeout * HZ;
2281 #define SET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
2282 #define SERVICE_ARG_LEN (sizeof(struct ip_vs_service_user))
2283 #define SVCDEST_ARG_LEN (sizeof(struct ip_vs_service_user) + \
2284 sizeof(struct ip_vs_dest_user))
2285 #define TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
2286 #define DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user))
2287 #define MAX_ARG_LEN SVCDEST_ARG_LEN
2289 static const unsigned char set_arglen[SET_CMDID(IP_VS_SO_SET_MAX)+1] = {
2290 [SET_CMDID(IP_VS_SO_SET_ADD)] = SERVICE_ARG_LEN,
2291 [SET_CMDID(IP_VS_SO_SET_EDIT)] = SERVICE_ARG_LEN,
2292 [SET_CMDID(IP_VS_SO_SET_DEL)] = SERVICE_ARG_LEN,
2293 [SET_CMDID(IP_VS_SO_SET_FLUSH)] = 0,
2294 [SET_CMDID(IP_VS_SO_SET_ADDDEST)] = SVCDEST_ARG_LEN,
2295 [SET_CMDID(IP_VS_SO_SET_DELDEST)] = SVCDEST_ARG_LEN,
2296 [SET_CMDID(IP_VS_SO_SET_EDITDEST)] = SVCDEST_ARG_LEN,
2297 [SET_CMDID(IP_VS_SO_SET_TIMEOUT)] = TIMEOUT_ARG_LEN,
2298 [SET_CMDID(IP_VS_SO_SET_STARTDAEMON)] = DAEMON_ARG_LEN,
2299 [SET_CMDID(IP_VS_SO_SET_STOPDAEMON)] = DAEMON_ARG_LEN,
2300 [SET_CMDID(IP_VS_SO_SET_ZERO)] = SERVICE_ARG_LEN,
2303 static void ip_vs_copy_usvc_compat(struct ip_vs_service_user_kern *usvc,
2304 struct ip_vs_service_user *usvc_compat)
2306 memset(usvc, 0, sizeof(*usvc));
2309 usvc->protocol = usvc_compat->protocol;
2310 usvc->addr.ip = usvc_compat->addr;
2311 usvc->port = usvc_compat->port;
2312 usvc->fwmark = usvc_compat->fwmark;
2314 /* Deep copy of sched_name is not needed here */
2315 usvc->sched_name = usvc_compat->sched_name;
2317 usvc->flags = usvc_compat->flags;
2318 usvc->timeout = usvc_compat->timeout;
2319 usvc->netmask = usvc_compat->netmask;
2322 static void ip_vs_copy_udest_compat(struct ip_vs_dest_user_kern *udest,
2323 struct ip_vs_dest_user *udest_compat)
2325 memset(udest, 0, sizeof(*udest));
2327 udest->addr.ip = udest_compat->addr;
2328 udest->port = udest_compat->port;
2329 udest->conn_flags = udest_compat->conn_flags;
2330 udest->weight = udest_compat->weight;
2331 udest->u_threshold = udest_compat->u_threshold;
2332 udest->l_threshold = udest_compat->l_threshold;
2336 do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2338 struct net *net = sock_net(sk);
2340 unsigned char arg[MAX_ARG_LEN];
2341 struct ip_vs_service_user *usvc_compat;
2342 struct ip_vs_service_user_kern usvc;
2343 struct ip_vs_service *svc;
2344 struct ip_vs_dest_user *udest_compat;
2345 struct ip_vs_dest_user_kern udest;
2346 struct netns_ipvs *ipvs = net_ipvs(net);
2348 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2351 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
2353 if (len < 0 || len > MAX_ARG_LEN)
2355 if (len != set_arglen[SET_CMDID(cmd)]) {
2356 pr_err("set_ctl: len %u != %u\n",
2357 len, set_arglen[SET_CMDID(cmd)]);
2361 if (copy_from_user(arg, user, len) != 0)
2364 /* increase the module use count */
2365 ip_vs_use_count_inc();
2367 /* Handle daemons since they have another lock */
2368 if (cmd == IP_VS_SO_SET_STARTDAEMON ||
2369 cmd == IP_VS_SO_SET_STOPDAEMON) {
2370 struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
2372 if (mutex_lock_interruptible(&ipvs->sync_mutex)) {
2376 if (cmd == IP_VS_SO_SET_STARTDAEMON)
2377 ret = start_sync_thread(net, dm->state, dm->mcast_ifn,
2380 ret = stop_sync_thread(net, dm->state);
2381 mutex_unlock(&ipvs->sync_mutex);
2385 if (mutex_lock_interruptible(&__ip_vs_mutex)) {
2390 if (cmd == IP_VS_SO_SET_FLUSH) {
2391 /* Flush the virtual service */
2392 ret = ip_vs_flush(net);
2394 } else if (cmd == IP_VS_SO_SET_TIMEOUT) {
2395 /* Set timeout values for (tcp tcpfin udp) */
2396 ret = ip_vs_set_timeout(net, (struct ip_vs_timeout_user *)arg);
2400 usvc_compat = (struct ip_vs_service_user *)arg;
2401 udest_compat = (struct ip_vs_dest_user *)(usvc_compat + 1);
2403 /* We only use the new structs internally, so copy userspace compat
2404 * structs to extended internal versions */
2405 ip_vs_copy_usvc_compat(&usvc, usvc_compat);
2406 ip_vs_copy_udest_compat(&udest, udest_compat);
2408 if (cmd == IP_VS_SO_SET_ZERO) {
2409 /* if no service address is set, zero counters in all */
2410 if (!usvc.fwmark && !usvc.addr.ip && !usvc.port) {
2411 ret = ip_vs_zero_all(net);
2416 /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
2417 if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
2418 usvc.protocol != IPPROTO_SCTP) {
2419 pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
2420 usvc.protocol, &usvc.addr.ip,
2421 ntohs(usvc.port), usvc.sched_name);
2426 /* Lookup the exact service by <protocol, addr, port> or fwmark */
2427 if (usvc.fwmark == 0)
2428 svc = __ip_vs_service_find(net, usvc.af, usvc.protocol,
2429 &usvc.addr, usvc.port);
2431 svc = __ip_vs_svc_fwm_find(net, usvc.af, usvc.fwmark);
2433 if (cmd != IP_VS_SO_SET_ADD
2434 && (svc == NULL || svc->protocol != usvc.protocol)) {
2440 case IP_VS_SO_SET_ADD:
2444 ret = ip_vs_add_service(net, &usvc, &svc);
2446 case IP_VS_SO_SET_EDIT:
2447 ret = ip_vs_edit_service(svc, &usvc);
2449 case IP_VS_SO_SET_DEL:
2450 ret = ip_vs_del_service(svc);
2454 case IP_VS_SO_SET_ZERO:
2455 ret = ip_vs_zero_service(svc);
2457 case IP_VS_SO_SET_ADDDEST:
2458 ret = ip_vs_add_dest(svc, &udest);
2460 case IP_VS_SO_SET_EDITDEST:
2461 ret = ip_vs_edit_dest(svc, &udest);
2463 case IP_VS_SO_SET_DELDEST:
2464 ret = ip_vs_del_dest(svc, &udest);
2471 mutex_unlock(&__ip_vs_mutex);
2473 /* decrease the module use count */
2474 ip_vs_use_count_dec();
2481 ip_vs_copy_service(struct ip_vs_service_entry *dst, struct ip_vs_service *src)
2483 dst->protocol = src->protocol;
2484 dst->addr = src->addr.ip;
2485 dst->port = src->port;
2486 dst->fwmark = src->fwmark;
2487 strlcpy(dst->sched_name, src->scheduler->name, sizeof(dst->sched_name));
2488 dst->flags = src->flags;
2489 dst->timeout = src->timeout / HZ;
2490 dst->netmask = src->netmask;
2491 dst->num_dests = src->num_dests;
2492 ip_vs_copy_stats(&dst->stats, &src->stats);
2496 __ip_vs_get_service_entries(struct net *net,
2497 const struct ip_vs_get_services *get,
2498 struct ip_vs_get_services __user *uptr)
2501 struct ip_vs_service *svc;
2502 struct ip_vs_service_entry entry;
2505 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2506 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
2507 /* Only expose IPv4 entries to old interface */
2508 if (svc->af != AF_INET || !net_eq(svc->net, net))
2511 if (count >= get->num_services)
2513 memset(&entry, 0, sizeof(entry));
2514 ip_vs_copy_service(&entry, svc);
2515 if (copy_to_user(&uptr->entrytable[count],
2516 &entry, sizeof(entry))) {
2524 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2525 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
2526 /* Only expose IPv4 entries to old interface */
2527 if (svc->af != AF_INET || !net_eq(svc->net, net))
2530 if (count >= get->num_services)
2532 memset(&entry, 0, sizeof(entry));
2533 ip_vs_copy_service(&entry, svc);
2534 if (copy_to_user(&uptr->entrytable[count],
2535 &entry, sizeof(entry))) {
2547 __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
2548 struct ip_vs_get_dests __user *uptr)
2550 struct ip_vs_service *svc;
2551 union nf_inet_addr addr = { .ip = get->addr };
2555 svc = __ip_vs_svc_fwm_find(net, AF_INET, get->fwmark);
2557 svc = __ip_vs_service_find(net, AF_INET, get->protocol, &addr,
2562 struct ip_vs_dest *dest;
2563 struct ip_vs_dest_entry entry;
2565 list_for_each_entry(dest, &svc->destinations, n_list) {
2566 if (count >= get->num_dests)
2569 entry.addr = dest->addr.ip;
2570 entry.port = dest->port;
2571 entry.conn_flags = atomic_read(&dest->conn_flags);
2572 entry.weight = atomic_read(&dest->weight);
2573 entry.u_threshold = dest->u_threshold;
2574 entry.l_threshold = dest->l_threshold;
2575 entry.activeconns = atomic_read(&dest->activeconns);
2576 entry.inactconns = atomic_read(&dest->inactconns);
2577 entry.persistconns = atomic_read(&dest->persistconns);
2578 ip_vs_copy_stats(&entry.stats, &dest->stats);
2579 if (copy_to_user(&uptr->entrytable[count],
2580 &entry, sizeof(entry))) {
2592 __ip_vs_get_timeouts(struct net *net, struct ip_vs_timeout_user *u)
2594 #if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
2595 struct ip_vs_proto_data *pd;
2598 memset(u, 0, sizeof (*u));
2600 #ifdef CONFIG_IP_VS_PROTO_TCP
2601 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2602 u->tcp_timeout = pd->timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;
2603 u->tcp_fin_timeout = pd->timeout_table[IP_VS_TCP_S_FIN_WAIT] / HZ;
2605 #ifdef CONFIG_IP_VS_PROTO_UDP
2606 pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
2608 pd->timeout_table[IP_VS_UDP_S_NORMAL] / HZ;
2613 #define GET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
2614 #define GET_INFO_ARG_LEN (sizeof(struct ip_vs_getinfo))
2615 #define GET_SERVICES_ARG_LEN (sizeof(struct ip_vs_get_services))
2616 #define GET_SERVICE_ARG_LEN (sizeof(struct ip_vs_service_entry))
2617 #define GET_DESTS_ARG_LEN (sizeof(struct ip_vs_get_dests))
2618 #define GET_TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
2619 #define GET_DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user) * 2)
2621 static const unsigned char get_arglen[GET_CMDID(IP_VS_SO_GET_MAX)+1] = {
2622 [GET_CMDID(IP_VS_SO_GET_VERSION)] = 64,
2623 [GET_CMDID(IP_VS_SO_GET_INFO)] = GET_INFO_ARG_LEN,
2624 [GET_CMDID(IP_VS_SO_GET_SERVICES)] = GET_SERVICES_ARG_LEN,
2625 [GET_CMDID(IP_VS_SO_GET_SERVICE)] = GET_SERVICE_ARG_LEN,
2626 [GET_CMDID(IP_VS_SO_GET_DESTS)] = GET_DESTS_ARG_LEN,
2627 [GET_CMDID(IP_VS_SO_GET_TIMEOUT)] = GET_TIMEOUT_ARG_LEN,
2628 [GET_CMDID(IP_VS_SO_GET_DAEMON)] = GET_DAEMON_ARG_LEN,
2632 do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2634 unsigned char arg[128];
2636 unsigned int copylen;
2637 struct net *net = sock_net(sk);
2638 struct netns_ipvs *ipvs = net_ipvs(net);
2641 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2644 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)
2647 if (*len < get_arglen[GET_CMDID(cmd)]) {
2648 pr_err("get_ctl: len %u < %u\n",
2649 *len, get_arglen[GET_CMDID(cmd)]);
2653 copylen = get_arglen[GET_CMDID(cmd)];
2657 if (copy_from_user(arg, user, copylen) != 0)
2660 * Handle daemons first since it has its own locking
2662 if (cmd == IP_VS_SO_GET_DAEMON) {
2663 struct ip_vs_daemon_user d[2];
2665 memset(&d, 0, sizeof(d));
2666 if (mutex_lock_interruptible(&ipvs->sync_mutex))
2667 return -ERESTARTSYS;
2669 if (ipvs->sync_state & IP_VS_STATE_MASTER) {
2670 d[0].state = IP_VS_STATE_MASTER;
2671 strlcpy(d[0].mcast_ifn, ipvs->master_mcast_ifn,
2672 sizeof(d[0].mcast_ifn));
2673 d[0].syncid = ipvs->master_syncid;
2675 if (ipvs->sync_state & IP_VS_STATE_BACKUP) {
2676 d[1].state = IP_VS_STATE_BACKUP;
2677 strlcpy(d[1].mcast_ifn, ipvs->backup_mcast_ifn,
2678 sizeof(d[1].mcast_ifn));
2679 d[1].syncid = ipvs->backup_syncid;
2681 if (copy_to_user(user, &d, sizeof(d)) != 0)
2683 mutex_unlock(&ipvs->sync_mutex);
2687 if (mutex_lock_interruptible(&__ip_vs_mutex))
2688 return -ERESTARTSYS;
2691 case IP_VS_SO_GET_VERSION:
2695 sprintf(buf, "IP Virtual Server version %d.%d.%d (size=%d)",
2696 NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size);
2697 if (copy_to_user(user, buf, strlen(buf)+1) != 0) {
2701 *len = strlen(buf)+1;
2705 case IP_VS_SO_GET_INFO:
2707 struct ip_vs_getinfo info;
2708 info.version = IP_VS_VERSION_CODE;
2709 info.size = ip_vs_conn_tab_size;
2710 info.num_services = ipvs->num_services;
2711 if (copy_to_user(user, &info, sizeof(info)) != 0)
2716 case IP_VS_SO_GET_SERVICES:
2718 struct ip_vs_get_services *get;
2721 get = (struct ip_vs_get_services *)arg;
2722 size = sizeof(*get) +
2723 sizeof(struct ip_vs_service_entry) * get->num_services;
2725 pr_err("length: %u != %u\n", *len, size);
2729 ret = __ip_vs_get_service_entries(net, get, user);
2733 case IP_VS_SO_GET_SERVICE:
2735 struct ip_vs_service_entry *entry;
2736 struct ip_vs_service *svc;
2737 union nf_inet_addr addr;
2739 entry = (struct ip_vs_service_entry *)arg;
2740 addr.ip = entry->addr;
2742 svc = __ip_vs_svc_fwm_find(net, AF_INET, entry->fwmark);
2744 svc = __ip_vs_service_find(net, AF_INET,
2745 entry->protocol, &addr,
2748 ip_vs_copy_service(entry, svc);
2749 if (copy_to_user(user, entry, sizeof(*entry)) != 0)
2756 case IP_VS_SO_GET_DESTS:
2758 struct ip_vs_get_dests *get;
2761 get = (struct ip_vs_get_dests *)arg;
2762 size = sizeof(*get) +
2763 sizeof(struct ip_vs_dest_entry) * get->num_dests;
2765 pr_err("length: %u != %u\n", *len, size);
2769 ret = __ip_vs_get_dest_entries(net, get, user);
2773 case IP_VS_SO_GET_TIMEOUT:
2775 struct ip_vs_timeout_user t;
2777 __ip_vs_get_timeouts(net, &t);
2778 if (copy_to_user(user, &t, sizeof(t)) != 0)
2788 mutex_unlock(&__ip_vs_mutex);
2793 static struct nf_sockopt_ops ip_vs_sockopts = {
2795 .set_optmin = IP_VS_BASE_CTL,
2796 .set_optmax = IP_VS_SO_SET_MAX+1,
2797 .set = do_ip_vs_set_ctl,
2798 .get_optmin = IP_VS_BASE_CTL,
2799 .get_optmax = IP_VS_SO_GET_MAX+1,
2800 .get = do_ip_vs_get_ctl,
2801 .owner = THIS_MODULE,
2805 * Generic Netlink interface
2808 /* IPVS genetlink family */
2809 static struct genl_family ip_vs_genl_family = {
2810 .id = GENL_ID_GENERATE,
2812 .name = IPVS_GENL_NAME,
2813 .version = IPVS_GENL_VERSION,
2814 .maxattr = IPVS_CMD_MAX,
2815 .netnsok = true, /* Make ipvsadm to work on netns */
2818 /* Policy used for first-level command attributes */
2819 static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
2820 [IPVS_CMD_ATTR_SERVICE] = { .type = NLA_NESTED },
2821 [IPVS_CMD_ATTR_DEST] = { .type = NLA_NESTED },
2822 [IPVS_CMD_ATTR_DAEMON] = { .type = NLA_NESTED },
2823 [IPVS_CMD_ATTR_TIMEOUT_TCP] = { .type = NLA_U32 },
2824 [IPVS_CMD_ATTR_TIMEOUT_TCP_FIN] = { .type = NLA_U32 },
2825 [IPVS_CMD_ATTR_TIMEOUT_UDP] = { .type = NLA_U32 },
2828 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DAEMON */
2829 static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
2830 [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 },
2831 [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING,
2832 .len = IP_VS_IFNAME_MAXLEN },
2833 [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 },
2836 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_SERVICE */
2837 static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
2838 [IPVS_SVC_ATTR_AF] = { .type = NLA_U16 },
2839 [IPVS_SVC_ATTR_PROTOCOL] = { .type = NLA_U16 },
2840 [IPVS_SVC_ATTR_ADDR] = { .type = NLA_BINARY,
2841 .len = sizeof(union nf_inet_addr) },
2842 [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 },
2843 [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 },
2844 [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING,
2845 .len = IP_VS_SCHEDNAME_MAXLEN },
2846 [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING,
2847 .len = IP_VS_PENAME_MAXLEN },
2848 [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY,
2849 .len = sizeof(struct ip_vs_flags) },
2850 [IPVS_SVC_ATTR_TIMEOUT] = { .type = NLA_U32 },
2851 [IPVS_SVC_ATTR_NETMASK] = { .type = NLA_U32 },
2852 [IPVS_SVC_ATTR_STATS] = { .type = NLA_NESTED },
2855 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DEST */
2856 static const struct nla_policy ip_vs_dest_policy[IPVS_DEST_ATTR_MAX + 1] = {
2857 [IPVS_DEST_ATTR_ADDR] = { .type = NLA_BINARY,
2858 .len = sizeof(union nf_inet_addr) },
2859 [IPVS_DEST_ATTR_PORT] = { .type = NLA_U16 },
2860 [IPVS_DEST_ATTR_FWD_METHOD] = { .type = NLA_U32 },
2861 [IPVS_DEST_ATTR_WEIGHT] = { .type = NLA_U32 },
2862 [IPVS_DEST_ATTR_U_THRESH] = { .type = NLA_U32 },
2863 [IPVS_DEST_ATTR_L_THRESH] = { .type = NLA_U32 },
2864 [IPVS_DEST_ATTR_ACTIVE_CONNS] = { .type = NLA_U32 },
2865 [IPVS_DEST_ATTR_INACT_CONNS] = { .type = NLA_U32 },
2866 [IPVS_DEST_ATTR_PERSIST_CONNS] = { .type = NLA_U32 },
2867 [IPVS_DEST_ATTR_STATS] = { .type = NLA_NESTED },
2870 static int ip_vs_genl_fill_stats(struct sk_buff *skb, int container_type,
2871 struct ip_vs_stats *stats)
2873 struct ip_vs_stats_user ustats;
2874 struct nlattr *nl_stats = nla_nest_start(skb, container_type);
2878 ip_vs_copy_stats(&ustats, stats);
2880 if (nla_put_u32(skb, IPVS_STATS_ATTR_CONNS, ustats.conns) ||
2881 nla_put_u32(skb, IPVS_STATS_ATTR_INPKTS, ustats.inpkts) ||
2882 nla_put_u32(skb, IPVS_STATS_ATTR_OUTPKTS, ustats.outpkts) ||
2883 nla_put_u64(skb, IPVS_STATS_ATTR_INBYTES, ustats.inbytes) ||
2884 nla_put_u64(skb, IPVS_STATS_ATTR_OUTBYTES, ustats.outbytes) ||
2885 nla_put_u32(skb, IPVS_STATS_ATTR_CPS, ustats.cps) ||
2886 nla_put_u32(skb, IPVS_STATS_ATTR_INPPS, ustats.inpps) ||
2887 nla_put_u32(skb, IPVS_STATS_ATTR_OUTPPS, ustats.outpps) ||
2888 nla_put_u32(skb, IPVS_STATS_ATTR_INBPS, ustats.inbps) ||
2889 nla_put_u32(skb, IPVS_STATS_ATTR_OUTBPS, ustats.outbps))
2890 goto nla_put_failure;
2891 nla_nest_end(skb, nl_stats);
2896 nla_nest_cancel(skb, nl_stats);
2900 static int ip_vs_genl_fill_service(struct sk_buff *skb,
2901 struct ip_vs_service *svc)
2903 struct nlattr *nl_service;
2904 struct ip_vs_flags flags = { .flags = svc->flags,
2907 nl_service = nla_nest_start(skb, IPVS_CMD_ATTR_SERVICE);
2911 if (nla_put_u16(skb, IPVS_SVC_ATTR_AF, svc->af))
2912 goto nla_put_failure;
2914 if (nla_put_u32(skb, IPVS_SVC_ATTR_FWMARK, svc->fwmark))
2915 goto nla_put_failure;
2917 if (nla_put_u16(skb, IPVS_SVC_ATTR_PROTOCOL, svc->protocol) ||
2918 nla_put(skb, IPVS_SVC_ATTR_ADDR, sizeof(svc->addr), &svc->addr) ||
2919 nla_put_u16(skb, IPVS_SVC_ATTR_PORT, svc->port))
2920 goto nla_put_failure;
2923 if (nla_put_string(skb, IPVS_SVC_ATTR_SCHED_NAME, svc->scheduler->name) ||
2925 nla_put_string(skb, IPVS_SVC_ATTR_PE_NAME, svc->pe->name)) ||
2926 nla_put(skb, IPVS_SVC_ATTR_FLAGS, sizeof(flags), &flags) ||
2927 nla_put_u32(skb, IPVS_SVC_ATTR_TIMEOUT, svc->timeout / HZ) ||
2928 nla_put_u32(skb, IPVS_SVC_ATTR_NETMASK, svc->netmask))
2929 goto nla_put_failure;
2930 if (ip_vs_genl_fill_stats(skb, IPVS_SVC_ATTR_STATS, &svc->stats))
2931 goto nla_put_failure;
2933 nla_nest_end(skb, nl_service);
2938 nla_nest_cancel(skb, nl_service);
2942 static int ip_vs_genl_dump_service(struct sk_buff *skb,
2943 struct ip_vs_service *svc,
2944 struct netlink_callback *cb)
2948 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
2949 &ip_vs_genl_family, NLM_F_MULTI,
2950 IPVS_CMD_NEW_SERVICE);
2954 if (ip_vs_genl_fill_service(skb, svc) < 0)
2955 goto nla_put_failure;
2957 return genlmsg_end(skb, hdr);
2960 genlmsg_cancel(skb, hdr);
2964 static int ip_vs_genl_dump_services(struct sk_buff *skb,
2965 struct netlink_callback *cb)
2968 int start = cb->args[0];
2969 struct ip_vs_service *svc;
2970 struct net *net = skb_sknet(skb);
2972 mutex_lock(&__ip_vs_mutex);
2973 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
2974 list_for_each_entry(svc, &ip_vs_svc_table[i], s_list) {
2975 if (++idx <= start || !net_eq(svc->net, net))
2977 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
2979 goto nla_put_failure;
2984 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
2985 list_for_each_entry(svc, &ip_vs_svc_fwm_table[i], f_list) {
2986 if (++idx <= start || !net_eq(svc->net, net))
2988 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
2990 goto nla_put_failure;
2996 mutex_unlock(&__ip_vs_mutex);
3002 static int ip_vs_genl_parse_service(struct net *net,
3003 struct ip_vs_service_user_kern *usvc,
3004 struct nlattr *nla, int full_entry,
3005 struct ip_vs_service **ret_svc)
3007 struct nlattr *attrs[IPVS_SVC_ATTR_MAX + 1];
3008 struct nlattr *nla_af, *nla_port, *nla_fwmark, *nla_protocol, *nla_addr;
3009 struct ip_vs_service *svc;
3011 /* Parse mandatory identifying service fields first */
3013 nla_parse_nested(attrs, IPVS_SVC_ATTR_MAX, nla, ip_vs_svc_policy))
3016 nla_af = attrs[IPVS_SVC_ATTR_AF];
3017 nla_protocol = attrs[IPVS_SVC_ATTR_PROTOCOL];
3018 nla_addr = attrs[IPVS_SVC_ATTR_ADDR];
3019 nla_port = attrs[IPVS_SVC_ATTR_PORT];
3020 nla_fwmark = attrs[IPVS_SVC_ATTR_FWMARK];
3022 if (!(nla_af && (nla_fwmark || (nla_port && nla_protocol && nla_addr))))
3025 memset(usvc, 0, sizeof(*usvc));
3027 usvc->af = nla_get_u16(nla_af);
3028 #ifdef CONFIG_IP_VS_IPV6
3029 if (usvc->af != AF_INET && usvc->af != AF_INET6)
3031 if (usvc->af != AF_INET)
3033 return -EAFNOSUPPORT;
3036 usvc->protocol = IPPROTO_TCP;
3037 usvc->fwmark = nla_get_u32(nla_fwmark);
3039 usvc->protocol = nla_get_u16(nla_protocol);
3040 nla_memcpy(&usvc->addr, nla_addr, sizeof(usvc->addr));
3041 usvc->port = nla_get_u16(nla_port);
3046 svc = __ip_vs_svc_fwm_find(net, usvc->af, usvc->fwmark);
3048 svc = __ip_vs_service_find(net, usvc->af, usvc->protocol,
3049 &usvc->addr, usvc->port);
3052 /* If a full entry was requested, check for the additional fields */
3054 struct nlattr *nla_sched, *nla_flags, *nla_pe, *nla_timeout,
3056 struct ip_vs_flags flags;
3058 nla_sched = attrs[IPVS_SVC_ATTR_SCHED_NAME];
3059 nla_pe = attrs[IPVS_SVC_ATTR_PE_NAME];
3060 nla_flags = attrs[IPVS_SVC_ATTR_FLAGS];
3061 nla_timeout = attrs[IPVS_SVC_ATTR_TIMEOUT];
3062 nla_netmask = attrs[IPVS_SVC_ATTR_NETMASK];
3064 if (!(nla_sched && nla_flags && nla_timeout && nla_netmask))
3067 nla_memcpy(&flags, nla_flags, sizeof(flags));
3069 /* prefill flags from service if it already exists */
3071 usvc->flags = svc->flags;
3073 /* set new flags from userland */
3074 usvc->flags = (usvc->flags & ~flags.mask) |
3075 (flags.flags & flags.mask);
3076 usvc->sched_name = nla_data(nla_sched);
3077 usvc->pe_name = nla_pe ? nla_data(nla_pe) : NULL;
3078 usvc->timeout = nla_get_u32(nla_timeout);
3079 usvc->netmask = nla_get_u32(nla_netmask);
3085 static struct ip_vs_service *ip_vs_genl_find_service(struct net *net,
3088 struct ip_vs_service_user_kern usvc;
3089 struct ip_vs_service *svc;
3092 ret = ip_vs_genl_parse_service(net, &usvc, nla, 0, &svc);
3093 return ret ? ERR_PTR(ret) : svc;
3096 static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
3098 struct nlattr *nl_dest;
3100 nl_dest = nla_nest_start(skb, IPVS_CMD_ATTR_DEST);
3104 if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
3105 nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
3106 nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
3107 (atomic_read(&dest->conn_flags) &
3108 IP_VS_CONN_F_FWD_MASK)) ||
3109 nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
3110 atomic_read(&dest->weight)) ||
3111 nla_put_u32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold) ||
3112 nla_put_u32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold) ||
3113 nla_put_u32(skb, IPVS_DEST_ATTR_ACTIVE_CONNS,
3114 atomic_read(&dest->activeconns)) ||
3115 nla_put_u32(skb, IPVS_DEST_ATTR_INACT_CONNS,
3116 atomic_read(&dest->inactconns)) ||
3117 nla_put_u32(skb, IPVS_DEST_ATTR_PERSIST_CONNS,
3118 atomic_read(&dest->persistconns)))
3119 goto nla_put_failure;
3120 if (ip_vs_genl_fill_stats(skb, IPVS_DEST_ATTR_STATS, &dest->stats))
3121 goto nla_put_failure;
3123 nla_nest_end(skb, nl_dest);
3128 nla_nest_cancel(skb, nl_dest);
3132 static int ip_vs_genl_dump_dest(struct sk_buff *skb, struct ip_vs_dest *dest,
3133 struct netlink_callback *cb)
3137 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
3138 &ip_vs_genl_family, NLM_F_MULTI,
3143 if (ip_vs_genl_fill_dest(skb, dest) < 0)
3144 goto nla_put_failure;
3146 return genlmsg_end(skb, hdr);
3149 genlmsg_cancel(skb, hdr);
3153 static int ip_vs_genl_dump_dests(struct sk_buff *skb,
3154 struct netlink_callback *cb)
3157 int start = cb->args[0];
3158 struct ip_vs_service *svc;
3159 struct ip_vs_dest *dest;
3160 struct nlattr *attrs[IPVS_CMD_ATTR_MAX + 1];
3161 struct net *net = skb_sknet(skb);
3163 mutex_lock(&__ip_vs_mutex);
3165 /* Try to find the service for which to dump destinations */
3166 if (nlmsg_parse(cb->nlh, GENL_HDRLEN, attrs,
3167 IPVS_CMD_ATTR_MAX, ip_vs_cmd_policy))
3171 svc = ip_vs_genl_find_service(net, attrs[IPVS_CMD_ATTR_SERVICE]);
3172 if (IS_ERR(svc) || svc == NULL)
3175 /* Dump the destinations */
3176 list_for_each_entry(dest, &svc->destinations, n_list) {
3179 if (ip_vs_genl_dump_dest(skb, dest, cb) < 0) {
3181 goto nla_put_failure;
3189 mutex_unlock(&__ip_vs_mutex);
3194 static int ip_vs_genl_parse_dest(struct ip_vs_dest_user_kern *udest,
3195 struct nlattr *nla, int full_entry)
3197 struct nlattr *attrs[IPVS_DEST_ATTR_MAX + 1];
3198 struct nlattr *nla_addr, *nla_port;
3200 /* Parse mandatory identifying destination fields first */
3202 nla_parse_nested(attrs, IPVS_DEST_ATTR_MAX, nla, ip_vs_dest_policy))
3205 nla_addr = attrs[IPVS_DEST_ATTR_ADDR];
3206 nla_port = attrs[IPVS_DEST_ATTR_PORT];
3208 if (!(nla_addr && nla_port))
3211 memset(udest, 0, sizeof(*udest));
3213 nla_memcpy(&udest->addr, nla_addr, sizeof(udest->addr));
3214 udest->port = nla_get_u16(nla_port);
3216 /* If a full entry was requested, check for the additional fields */
3218 struct nlattr *nla_fwd, *nla_weight, *nla_u_thresh,
3221 nla_fwd = attrs[IPVS_DEST_ATTR_FWD_METHOD];
3222 nla_weight = attrs[IPVS_DEST_ATTR_WEIGHT];
3223 nla_u_thresh = attrs[IPVS_DEST_ATTR_U_THRESH];
3224 nla_l_thresh = attrs[IPVS_DEST_ATTR_L_THRESH];
3226 if (!(nla_fwd && nla_weight && nla_u_thresh && nla_l_thresh))
3229 udest->conn_flags = nla_get_u32(nla_fwd)
3230 & IP_VS_CONN_F_FWD_MASK;
3231 udest->weight = nla_get_u32(nla_weight);
3232 udest->u_threshold = nla_get_u32(nla_u_thresh);
3233 udest->l_threshold = nla_get_u32(nla_l_thresh);
3239 static int ip_vs_genl_fill_daemon(struct sk_buff *skb, __be32 state,
3240 const char *mcast_ifn, __be32 syncid)
3242 struct nlattr *nl_daemon;
3244 nl_daemon = nla_nest_start(skb, IPVS_CMD_ATTR_DAEMON);
3248 if (nla_put_u32(skb, IPVS_DAEMON_ATTR_STATE, state) ||
3249 nla_put_string(skb, IPVS_DAEMON_ATTR_MCAST_IFN, mcast_ifn) ||
3250 nla_put_u32(skb, IPVS_DAEMON_ATTR_SYNC_ID, syncid))
3251 goto nla_put_failure;
3252 nla_nest_end(skb, nl_daemon);
3257 nla_nest_cancel(skb, nl_daemon);
3261 static int ip_vs_genl_dump_daemon(struct sk_buff *skb, __be32 state,
3262 const char *mcast_ifn, __be32 syncid,
3263 struct netlink_callback *cb)
3266 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
3267 &ip_vs_genl_family, NLM_F_MULTI,
3268 IPVS_CMD_NEW_DAEMON);
3272 if (ip_vs_genl_fill_daemon(skb, state, mcast_ifn, syncid))
3273 goto nla_put_failure;
3275 return genlmsg_end(skb, hdr);
3278 genlmsg_cancel(skb, hdr);
3282 static int ip_vs_genl_dump_daemons(struct sk_buff *skb,
3283 struct netlink_callback *cb)
3285 struct net *net = skb_sknet(skb);
3286 struct netns_ipvs *ipvs = net_ipvs(net);
3288 mutex_lock(&ipvs->sync_mutex);
3289 if ((ipvs->sync_state & IP_VS_STATE_MASTER) && !cb->args[0]) {
3290 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_MASTER,
3291 ipvs->master_mcast_ifn,
3292 ipvs->master_syncid, cb) < 0)
3293 goto nla_put_failure;
3298 if ((ipvs->sync_state & IP_VS_STATE_BACKUP) && !cb->args[1]) {
3299 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_BACKUP,
3300 ipvs->backup_mcast_ifn,
3301 ipvs->backup_syncid, cb) < 0)
3302 goto nla_put_failure;
3308 mutex_unlock(&ipvs->sync_mutex);
3313 static int ip_vs_genl_new_daemon(struct net *net, struct nlattr **attrs)
3315 if (!(attrs[IPVS_DAEMON_ATTR_STATE] &&
3316 attrs[IPVS_DAEMON_ATTR_MCAST_IFN] &&
3317 attrs[IPVS_DAEMON_ATTR_SYNC_ID]))
3320 return start_sync_thread(net,
3321 nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]),
3322 nla_data(attrs[IPVS_DAEMON_ATTR_MCAST_IFN]),
3323 nla_get_u32(attrs[IPVS_DAEMON_ATTR_SYNC_ID]));
3326 static int ip_vs_genl_del_daemon(struct net *net, struct nlattr **attrs)
3328 if (!attrs[IPVS_DAEMON_ATTR_STATE])
3331 return stop_sync_thread(net,
3332 nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
3335 static int ip_vs_genl_set_config(struct net *net, struct nlattr **attrs)
3337 struct ip_vs_timeout_user t;
3339 __ip_vs_get_timeouts(net, &t);
3341 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP])
3342 t.tcp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP]);
3344 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN])
3346 nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN]);
3348 if (attrs[IPVS_CMD_ATTR_TIMEOUT_UDP])
3349 t.udp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_UDP]);
3351 return ip_vs_set_timeout(net, &t);
3354 static int ip_vs_genl_set_daemon(struct sk_buff *skb, struct genl_info *info)
3358 struct netns_ipvs *ipvs;
3360 net = skb_sknet(skb);
3361 ipvs = net_ipvs(net);
3362 cmd = info->genlhdr->cmd;
3364 if (cmd == IPVS_CMD_NEW_DAEMON || cmd == IPVS_CMD_DEL_DAEMON) {
3365 struct nlattr *daemon_attrs[IPVS_DAEMON_ATTR_MAX + 1];
3367 mutex_lock(&ipvs->sync_mutex);
3368 if (!info->attrs[IPVS_CMD_ATTR_DAEMON] ||
3369 nla_parse_nested(daemon_attrs, IPVS_DAEMON_ATTR_MAX,
3370 info->attrs[IPVS_CMD_ATTR_DAEMON],
3371 ip_vs_daemon_policy)) {
3376 if (cmd == IPVS_CMD_NEW_DAEMON)
3377 ret = ip_vs_genl_new_daemon(net, daemon_attrs);
3379 ret = ip_vs_genl_del_daemon(net, daemon_attrs);
3381 mutex_unlock(&ipvs->sync_mutex);
3386 static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
3388 struct ip_vs_service *svc = NULL;
3389 struct ip_vs_service_user_kern usvc;
3390 struct ip_vs_dest_user_kern udest;
3392 int need_full_svc = 0, need_full_dest = 0;
3395 net = skb_sknet(skb);
3396 cmd = info->genlhdr->cmd;
3398 mutex_lock(&__ip_vs_mutex);
3400 if (cmd == IPVS_CMD_FLUSH) {
3401 ret = ip_vs_flush(net);
3403 } else if (cmd == IPVS_CMD_SET_CONFIG) {
3404 ret = ip_vs_genl_set_config(net, info->attrs);
3406 } else if (cmd == IPVS_CMD_ZERO &&
3407 !info->attrs[IPVS_CMD_ATTR_SERVICE]) {
3408 ret = ip_vs_zero_all(net);
3412 /* All following commands require a service argument, so check if we
3413 * received a valid one. We need a full service specification when
3414 * adding / editing a service. Only identifying members otherwise. */
3415 if (cmd == IPVS_CMD_NEW_SERVICE || cmd == IPVS_CMD_SET_SERVICE)
3418 ret = ip_vs_genl_parse_service(net, &usvc,
3419 info->attrs[IPVS_CMD_ATTR_SERVICE],
3420 need_full_svc, &svc);
3424 /* Unless we're adding a new service, the service must already exist */
3425 if ((cmd != IPVS_CMD_NEW_SERVICE) && (svc == NULL)) {
3430 /* Destination commands require a valid destination argument. For
3431 * adding / editing a destination, we need a full destination
3433 if (cmd == IPVS_CMD_NEW_DEST || cmd == IPVS_CMD_SET_DEST ||
3434 cmd == IPVS_CMD_DEL_DEST) {
3435 if (cmd != IPVS_CMD_DEL_DEST)
3438 ret = ip_vs_genl_parse_dest(&udest,
3439 info->attrs[IPVS_CMD_ATTR_DEST],
3446 case IPVS_CMD_NEW_SERVICE:
3448 ret = ip_vs_add_service(net, &usvc, &svc);
3452 case IPVS_CMD_SET_SERVICE:
3453 ret = ip_vs_edit_service(svc, &usvc);
3455 case IPVS_CMD_DEL_SERVICE:
3456 ret = ip_vs_del_service(svc);
3457 /* do not use svc, it can be freed */
3459 case IPVS_CMD_NEW_DEST:
3460 ret = ip_vs_add_dest(svc, &udest);
3462 case IPVS_CMD_SET_DEST:
3463 ret = ip_vs_edit_dest(svc, &udest);
3465 case IPVS_CMD_DEL_DEST:
3466 ret = ip_vs_del_dest(svc, &udest);
3469 ret = ip_vs_zero_service(svc);
3476 mutex_unlock(&__ip_vs_mutex);
3481 static int ip_vs_genl_get_cmd(struct sk_buff *skb, struct genl_info *info)
3483 struct sk_buff *msg;
3485 int ret, cmd, reply_cmd;
3488 net = skb_sknet(skb);
3489 cmd = info->genlhdr->cmd;
3491 if (cmd == IPVS_CMD_GET_SERVICE)
3492 reply_cmd = IPVS_CMD_NEW_SERVICE;
3493 else if (cmd == IPVS_CMD_GET_INFO)
3494 reply_cmd = IPVS_CMD_SET_INFO;
3495 else if (cmd == IPVS_CMD_GET_CONFIG)
3496 reply_cmd = IPVS_CMD_SET_CONFIG;
3498 pr_err("unknown Generic Netlink command\n");
3502 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3506 mutex_lock(&__ip_vs_mutex);
3508 reply = genlmsg_put_reply(msg, info, &ip_vs_genl_family, 0, reply_cmd);
3510 goto nla_put_failure;
3513 case IPVS_CMD_GET_SERVICE:
3515 struct ip_vs_service *svc;
3517 svc = ip_vs_genl_find_service(net,
3518 info->attrs[IPVS_CMD_ATTR_SERVICE]);
3523 ret = ip_vs_genl_fill_service(msg, svc);
3525 goto nla_put_failure;
3534 case IPVS_CMD_GET_CONFIG:
3536 struct ip_vs_timeout_user t;
3538 __ip_vs_get_timeouts(net, &t);
3539 #ifdef CONFIG_IP_VS_PROTO_TCP
3540 if (nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP,
3542 nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP_FIN,
3544 goto nla_put_failure;
3546 #ifdef CONFIG_IP_VS_PROTO_UDP
3547 if (nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_UDP, t.udp_timeout))
3548 goto nla_put_failure;
3554 case IPVS_CMD_GET_INFO:
3555 if (nla_put_u32(msg, IPVS_INFO_ATTR_VERSION,
3556 IP_VS_VERSION_CODE) ||
3557 nla_put_u32(msg, IPVS_INFO_ATTR_CONN_TAB_SIZE,
3558 ip_vs_conn_tab_size))
3559 goto nla_put_failure;
3563 genlmsg_end(msg, reply);
3564 ret = genlmsg_reply(msg, info);
3568 pr_err("not enough space in Netlink message\n");
3574 mutex_unlock(&__ip_vs_mutex);
3580 static struct genl_ops ip_vs_genl_ops[] __read_mostly = {
3582 .cmd = IPVS_CMD_NEW_SERVICE,
3583 .flags = GENL_ADMIN_PERM,
3584 .policy = ip_vs_cmd_policy,
3585 .doit = ip_vs_genl_set_cmd,
3588 .cmd = IPVS_CMD_SET_SERVICE,
3589 .flags = GENL_ADMIN_PERM,
3590 .policy = ip_vs_cmd_policy,
3591 .doit = ip_vs_genl_set_cmd,
3594 .cmd = IPVS_CMD_DEL_SERVICE,
3595 .flags = GENL_ADMIN_PERM,
3596 .policy = ip_vs_cmd_policy,
3597 .doit = ip_vs_genl_set_cmd,
3600 .cmd = IPVS_CMD_GET_SERVICE,
3601 .flags = GENL_ADMIN_PERM,
3602 .doit = ip_vs_genl_get_cmd,
3603 .dumpit = ip_vs_genl_dump_services,
3604 .policy = ip_vs_cmd_policy,
3607 .cmd = IPVS_CMD_NEW_DEST,
3608 .flags = GENL_ADMIN_PERM,
3609 .policy = ip_vs_cmd_policy,
3610 .doit = ip_vs_genl_set_cmd,
3613 .cmd = IPVS_CMD_SET_DEST,
3614 .flags = GENL_ADMIN_PERM,
3615 .policy = ip_vs_cmd_policy,
3616 .doit = ip_vs_genl_set_cmd,
3619 .cmd = IPVS_CMD_DEL_DEST,
3620 .flags = GENL_ADMIN_PERM,
3621 .policy = ip_vs_cmd_policy,
3622 .doit = ip_vs_genl_set_cmd,
3625 .cmd = IPVS_CMD_GET_DEST,
3626 .flags = GENL_ADMIN_PERM,
3627 .policy = ip_vs_cmd_policy,
3628 .dumpit = ip_vs_genl_dump_dests,
3631 .cmd = IPVS_CMD_NEW_DAEMON,
3632 .flags = GENL_ADMIN_PERM,
3633 .policy = ip_vs_cmd_policy,
3634 .doit = ip_vs_genl_set_daemon,
3637 .cmd = IPVS_CMD_DEL_DAEMON,
3638 .flags = GENL_ADMIN_PERM,
3639 .policy = ip_vs_cmd_policy,
3640 .doit = ip_vs_genl_set_daemon,
3643 .cmd = IPVS_CMD_GET_DAEMON,
3644 .flags = GENL_ADMIN_PERM,
3645 .dumpit = ip_vs_genl_dump_daemons,
3648 .cmd = IPVS_CMD_SET_CONFIG,
3649 .flags = GENL_ADMIN_PERM,
3650 .policy = ip_vs_cmd_policy,
3651 .doit = ip_vs_genl_set_cmd,
3654 .cmd = IPVS_CMD_GET_CONFIG,
3655 .flags = GENL_ADMIN_PERM,
3656 .doit = ip_vs_genl_get_cmd,
3659 .cmd = IPVS_CMD_GET_INFO,
3660 .flags = GENL_ADMIN_PERM,
3661 .doit = ip_vs_genl_get_cmd,
3664 .cmd = IPVS_CMD_ZERO,
3665 .flags = GENL_ADMIN_PERM,
3666 .policy = ip_vs_cmd_policy,
3667 .doit = ip_vs_genl_set_cmd,
3670 .cmd = IPVS_CMD_FLUSH,
3671 .flags = GENL_ADMIN_PERM,
3672 .doit = ip_vs_genl_set_cmd,
3676 static int __init ip_vs_genl_register(void)
3678 return genl_register_family_with_ops(&ip_vs_genl_family,
3679 ip_vs_genl_ops, ARRAY_SIZE(ip_vs_genl_ops));
3682 static void ip_vs_genl_unregister(void)
3684 genl_unregister_family(&ip_vs_genl_family);
3687 /* End of Generic Netlink interface definitions */
3690 * per netns intit/exit func.
3692 #ifdef CONFIG_SYSCTL
3693 static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
3696 struct netns_ipvs *ipvs = net_ipvs(net);
3697 struct ctl_table *tbl;
3699 atomic_set(&ipvs->dropentry, 0);
3700 spin_lock_init(&ipvs->dropentry_lock);
3701 spin_lock_init(&ipvs->droppacket_lock);
3702 spin_lock_init(&ipvs->securetcp_lock);
3704 if (!net_eq(net, &init_net)) {
3705 tbl = kmemdup(vs_vars, sizeof(vs_vars), GFP_KERNEL);
3709 /* Don't export sysctls to unprivileged users */
3710 if (net->user_ns != &init_user_ns)
3711 tbl[0].procname = NULL;
3714 /* Initialize sysctl defaults */
3716 ipvs->sysctl_amemthresh = 1024;
3717 tbl[idx++].data = &ipvs->sysctl_amemthresh;
3718 ipvs->sysctl_am_droprate = 10;
3719 tbl[idx++].data = &ipvs->sysctl_am_droprate;
3720 tbl[idx++].data = &ipvs->sysctl_drop_entry;
3721 tbl[idx++].data = &ipvs->sysctl_drop_packet;
3722 #ifdef CONFIG_IP_VS_NFCT
3723 tbl[idx++].data = &ipvs->sysctl_conntrack;
3725 tbl[idx++].data = &ipvs->sysctl_secure_tcp;
3726 ipvs->sysctl_snat_reroute = 1;
3727 tbl[idx++].data = &ipvs->sysctl_snat_reroute;
3728 ipvs->sysctl_sync_ver = 1;
3729 tbl[idx++].data = &ipvs->sysctl_sync_ver;
3730 ipvs->sysctl_sync_ports = 1;
3731 tbl[idx++].data = &ipvs->sysctl_sync_ports;
3732 ipvs->sysctl_sync_qlen_max = nr_free_buffer_pages() / 32;
3733 tbl[idx++].data = &ipvs->sysctl_sync_qlen_max;
3734 ipvs->sysctl_sync_sock_size = 0;
3735 tbl[idx++].data = &ipvs->sysctl_sync_sock_size;
3736 tbl[idx++].data = &ipvs->sysctl_cache_bypass;
3737 tbl[idx++].data = &ipvs->sysctl_expire_nodest_conn;
3738 tbl[idx++].data = &ipvs->sysctl_expire_quiescent_template;
3739 ipvs->sysctl_sync_threshold[0] = DEFAULT_SYNC_THRESHOLD;
3740 ipvs->sysctl_sync_threshold[1] = DEFAULT_SYNC_PERIOD;
3741 tbl[idx].data = &ipvs->sysctl_sync_threshold;
3742 tbl[idx++].maxlen = sizeof(ipvs->sysctl_sync_threshold);
3743 ipvs->sysctl_sync_refresh_period = DEFAULT_SYNC_REFRESH_PERIOD;
3744 tbl[idx++].data = &ipvs->sysctl_sync_refresh_period;
3745 ipvs->sysctl_sync_retries = clamp_t(int, DEFAULT_SYNC_RETRIES, 0, 3);
3746 tbl[idx++].data = &ipvs->sysctl_sync_retries;
3747 tbl[idx++].data = &ipvs->sysctl_nat_icmp_send;
3748 ipvs->sysctl_pmtu_disc = 1;
3749 tbl[idx++].data = &ipvs->sysctl_pmtu_disc;
3750 tbl[idx++].data = &ipvs->sysctl_backup_only;
3753 ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);
3754 if (ipvs->sysctl_hdr == NULL) {
3755 if (!net_eq(net, &init_net))
3759 ip_vs_start_estimator(net, &ipvs->tot_stats);
3760 ipvs->sysctl_tbl = tbl;
3761 /* Schedule defense work */
3762 INIT_DELAYED_WORK(&ipvs->defense_work, defense_work_handler);
3763 schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
3768 static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
3770 struct netns_ipvs *ipvs = net_ipvs(net);
3772 cancel_delayed_work_sync(&ipvs->defense_work);
3773 cancel_work_sync(&ipvs->defense_work.work);
3774 unregister_net_sysctl_table(ipvs->sysctl_hdr);
3779 static int __net_init ip_vs_control_net_init_sysctl(struct net *net) { return 0; }
3780 static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net) { }
3784 static struct notifier_block ip_vs_dst_notifier = {
3785 .notifier_call = ip_vs_dst_event,
3788 int __net_init ip_vs_control_net_init(struct net *net)
3791 struct netns_ipvs *ipvs = net_ipvs(net);
3793 rwlock_init(&ipvs->rs_lock);
3795 /* Initialize rs_table */
3796 for (idx = 0; idx < IP_VS_RTAB_SIZE; idx++)
3797 INIT_LIST_HEAD(&ipvs->rs_table[idx]);
3799 INIT_LIST_HEAD(&ipvs->dest_trash);
3800 atomic_set(&ipvs->ftpsvc_counter, 0);
3801 atomic_set(&ipvs->nullsvc_counter, 0);
3804 ipvs->tot_stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
3805 if (!ipvs->tot_stats.cpustats)
3808 spin_lock_init(&ipvs->tot_stats.lock);
3810 proc_create("ip_vs", 0, net->proc_net, &ip_vs_info_fops);
3811 proc_create("ip_vs_stats", 0, net->proc_net, &ip_vs_stats_fops);
3812 proc_create("ip_vs_stats_percpu", 0, net->proc_net,
3813 &ip_vs_stats_percpu_fops);
3815 if (ip_vs_control_net_init_sysctl(net))
3821 free_percpu(ipvs->tot_stats.cpustats);
3825 void __net_exit ip_vs_control_net_cleanup(struct net *net)
3827 struct netns_ipvs *ipvs = net_ipvs(net);
3829 ip_vs_trash_cleanup(net);
3830 ip_vs_stop_estimator(net, &ipvs->tot_stats);
3831 ip_vs_control_net_cleanup_sysctl(net);
3832 remove_proc_entry("ip_vs_stats_percpu", net->proc_net);
3833 remove_proc_entry("ip_vs_stats", net->proc_net);
3834 remove_proc_entry("ip_vs", net->proc_net);
3835 free_percpu(ipvs->tot_stats.cpustats);
3838 int __init ip_vs_register_nl_ioctl(void)
3842 ret = nf_register_sockopt(&ip_vs_sockopts);
3844 pr_err("cannot register sockopt.\n");
3848 ret = ip_vs_genl_register();
3850 pr_err("cannot register Generic Netlink interface.\n");
3856 nf_unregister_sockopt(&ip_vs_sockopts);
3861 void ip_vs_unregister_nl_ioctl(void)
3863 ip_vs_genl_unregister();
3864 nf_unregister_sockopt(&ip_vs_sockopts);
3867 int __init ip_vs_control_init(void)
3874 /* Initialize svc_table, ip_vs_svc_fwm_table, rs_table */
3875 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
3876 INIT_LIST_HEAD(&ip_vs_svc_table[idx]);
3877 INIT_LIST_HEAD(&ip_vs_svc_fwm_table[idx]);
3880 smp_wmb(); /* Do we really need it now ? */
3882 ret = register_netdevice_notifier(&ip_vs_dst_notifier);
3891 void ip_vs_control_cleanup(void)
3894 unregister_netdevice_notifier(&ip_vs_dst_notifier);
projects / karo-tx-linux.git / blob