2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the NetFilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
21 #define KMSG_COMPONENT "IPVS"
22 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
24 #include <linux/module.h>
25 #include <linux/init.h>
26 #include <linux/types.h>
27 #include <linux/capability.h>
29 #include <linux/sysctl.h>
30 #include <linux/proc_fs.h>
31 #include <linux/workqueue.h>
32 #include <linux/swap.h>
33 #include <linux/seq_file.h>
34 #include <linux/slab.h>
36 #include <linux/netfilter.h>
37 #include <linux/netfilter_ipv4.h>
38 #include <linux/mutex.h>
40 #include <net/net_namespace.h>
41 #include <linux/nsproxy.h>
43 #ifdef CONFIG_IP_VS_IPV6
45 #include <net/ip6_route.h>
47 #include <net/route.h>
49 #include <net/genetlink.h>
51 #include <asm/uaccess.h>
53 #include <net/ip_vs.h>
55 /* semaphore for IPVS sockopts. And, [gs]etsockopt may sleep. */
56 static DEFINE_MUTEX(__ip_vs_mutex);
58 /* lock for service table */
59 static DEFINE_RWLOCK(__ip_vs_svc_lock);
61 /* sysctl variables */
63 #ifdef CONFIG_IP_VS_DEBUG
64 static int sysctl_ip_vs_debug_level = 0;
66 int ip_vs_get_debug_level(void)
68 return sysctl_ip_vs_debug_level;
74 static void __ip_vs_del_service(struct ip_vs_service *svc);
77 #ifdef CONFIG_IP_VS_IPV6
78 /* Taken from rt6_fill_node() in net/ipv6/route.c, is there a better way? */
79 static bool __ip_vs_addr_is_local_v6(struct net *net,
80 const struct in6_addr *addr)
85 struct dst_entry *dst = ip6_route_output(net, NULL, &fl6);
88 is_local = !dst->error && dst->dev && (dst->dev->flags & IFF_LOOPBACK);
97 * update_defense_level is called from keventd and from sysctl,
98 * so it needs to protect itself from softirqs
100 static void update_defense_level(struct netns_ipvs *ipvs)
103 static int old_secure_tcp = 0;
108 /* we only count free and buffered memory (in pages) */
110 availmem = i.freeram + i.bufferram;
111 /* however in linux 2.5 the i.bufferram is total page cache size,
113 /* si_swapinfo(&i); */
114 /* availmem = availmem - (i.totalswap - i.freeswap); */
116 nomem = (availmem < ipvs->sysctl_amemthresh);
121 spin_lock(&ipvs->dropentry_lock);
122 switch (ipvs->sysctl_drop_entry) {
124 atomic_set(&ipvs->dropentry, 0);
128 atomic_set(&ipvs->dropentry, 1);
129 ipvs->sysctl_drop_entry = 2;
131 atomic_set(&ipvs->dropentry, 0);
136 atomic_set(&ipvs->dropentry, 1);
138 atomic_set(&ipvs->dropentry, 0);
139 ipvs->sysctl_drop_entry = 1;
143 atomic_set(&ipvs->dropentry, 1);
146 spin_unlock(&ipvs->dropentry_lock);
149 spin_lock(&ipvs->droppacket_lock);
150 switch (ipvs->sysctl_drop_packet) {
156 ipvs->drop_rate = ipvs->drop_counter
157 = ipvs->sysctl_amemthresh /
158 (ipvs->sysctl_amemthresh-availmem);
159 ipvs->sysctl_drop_packet = 2;
166 ipvs->drop_rate = ipvs->drop_counter
167 = ipvs->sysctl_amemthresh /
168 (ipvs->sysctl_amemthresh-availmem);
171 ipvs->sysctl_drop_packet = 1;
175 ipvs->drop_rate = ipvs->sysctl_am_droprate;
178 spin_unlock(&ipvs->droppacket_lock);
181 spin_lock(&ipvs->securetcp_lock);
182 switch (ipvs->sysctl_secure_tcp) {
184 if (old_secure_tcp >= 2)
189 if (old_secure_tcp < 2)
191 ipvs->sysctl_secure_tcp = 2;
193 if (old_secure_tcp >= 2)
199 if (old_secure_tcp < 2)
202 if (old_secure_tcp >= 2)
204 ipvs->sysctl_secure_tcp = 1;
208 if (old_secure_tcp < 2)
212 old_secure_tcp = ipvs->sysctl_secure_tcp;
214 ip_vs_protocol_timeout_change(ipvs,
215 ipvs->sysctl_secure_tcp > 1);
216 spin_unlock(&ipvs->securetcp_lock);
223 * Timer for checking the defense
225 #define DEFENSE_TIMER_PERIOD 1*HZ
227 static void defense_work_handler(struct work_struct *work)
229 struct netns_ipvs *ipvs =
230 container_of(work, struct netns_ipvs, defense_work.work);
232 update_defense_level(ipvs);
233 if (atomic_read(&ipvs->dropentry))
234 ip_vs_random_dropentry(ipvs->net);
235 schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
240 ip_vs_use_count_inc(void)
242 return try_module_get(THIS_MODULE);
246 ip_vs_use_count_dec(void)
248 module_put(THIS_MODULE);
253 * Hash table: for virtual service lookups
255 #define IP_VS_SVC_TAB_BITS 8
256 #define IP_VS_SVC_TAB_SIZE (1 << IP_VS_SVC_TAB_BITS)
257 #define IP_VS_SVC_TAB_MASK (IP_VS_SVC_TAB_SIZE - 1)
259 /* the service table hashed by <protocol, addr, port> */
260 static struct list_head ip_vs_svc_table[IP_VS_SVC_TAB_SIZE];
261 /* the service table hashed by fwmark */
262 static struct list_head ip_vs_svc_fwm_table[IP_VS_SVC_TAB_SIZE];
266 * Returns hash value for virtual service
268 static inline unsigned int
269 ip_vs_svc_hashkey(struct net *net, int af, unsigned int proto,
270 const union nf_inet_addr *addr, __be16 port)
272 register unsigned int porth = ntohs(port);
273 __be32 addr_fold = addr->ip;
275 #ifdef CONFIG_IP_VS_IPV6
277 addr_fold = addr->ip6[0]^addr->ip6[1]^
278 addr->ip6[2]^addr->ip6[3];
280 addr_fold ^= ((size_t)net>>8);
282 return (proto^ntohl(addr_fold)^(porth>>IP_VS_SVC_TAB_BITS)^porth)
283 & IP_VS_SVC_TAB_MASK;
287 * Returns hash value of fwmark for virtual service lookup
289 static inline unsigned int ip_vs_svc_fwm_hashkey(struct net *net, __u32 fwmark)
291 return (((size_t)net>>8) ^ fwmark) & IP_VS_SVC_TAB_MASK;
295 * Hashes a service in the ip_vs_svc_table by <netns,proto,addr,port>
296 * or in the ip_vs_svc_fwm_table by fwmark.
297 * Should be called with locked tables.
299 static int ip_vs_svc_hash(struct ip_vs_service *svc)
303 if (svc->flags & IP_VS_SVC_F_HASHED) {
304 pr_err("%s(): request for already hashed, called from %pF\n",
305 __func__, __builtin_return_address(0));
309 if (svc->fwmark == 0) {
311 * Hash it by <netns,protocol,addr,port> in ip_vs_svc_table
313 hash = ip_vs_svc_hashkey(svc->net, svc->af, svc->protocol,
314 &svc->addr, svc->port);
315 list_add(&svc->s_list, &ip_vs_svc_table[hash]);
318 * Hash it by fwmark in svc_fwm_table
320 hash = ip_vs_svc_fwm_hashkey(svc->net, svc->fwmark);
321 list_add(&svc->f_list, &ip_vs_svc_fwm_table[hash]);
324 svc->flags |= IP_VS_SVC_F_HASHED;
325 /* increase its refcnt because it is referenced by the svc table */
326 atomic_inc(&svc->refcnt);
332 * Unhashes a service from svc_table / svc_fwm_table.
333 * Should be called with locked tables.
335 static int ip_vs_svc_unhash(struct ip_vs_service *svc)
337 if (!(svc->flags & IP_VS_SVC_F_HASHED)) {
338 pr_err("%s(): request for unhash flagged, called from %pF\n",
339 __func__, __builtin_return_address(0));
343 if (svc->fwmark == 0) {
344 /* Remove it from the svc_table table */
345 list_del(&svc->s_list);
347 /* Remove it from the svc_fwm_table table */
348 list_del(&svc->f_list);
351 svc->flags &= ~IP_VS_SVC_F_HASHED;
352 atomic_dec(&svc->refcnt);
358 * Get service by {netns, proto,addr,port} in the service table.
360 static inline struct ip_vs_service *
361 __ip_vs_service_find(struct net *net, int af, __u16 protocol,
362 const union nf_inet_addr *vaddr, __be16 vport)
365 struct ip_vs_service *svc;
367 /* Check for "full" addressed entries */
368 hash = ip_vs_svc_hashkey(net, af, protocol, vaddr, vport);
370 list_for_each_entry(svc, &ip_vs_svc_table[hash], s_list){
372 && ip_vs_addr_equal(af, &svc->addr, vaddr)
373 && (svc->port == vport)
374 && (svc->protocol == protocol)
375 && net_eq(svc->net, net)) {
386 * Get service by {fwmark} in the service table.
388 static inline struct ip_vs_service *
389 __ip_vs_svc_fwm_find(struct net *net, int af, __u32 fwmark)
392 struct ip_vs_service *svc;
394 /* Check for fwmark addressed entries */
395 hash = ip_vs_svc_fwm_hashkey(net, fwmark);
397 list_for_each_entry(svc, &ip_vs_svc_fwm_table[hash], f_list) {
398 if (svc->fwmark == fwmark && svc->af == af
399 && net_eq(svc->net, net)) {
408 struct ip_vs_service *
409 ip_vs_service_get(struct net *net, int af, __u32 fwmark, __u16 protocol,
410 const union nf_inet_addr *vaddr, __be16 vport)
412 struct ip_vs_service *svc;
413 struct netns_ipvs *ipvs = net_ipvs(net);
415 read_lock(&__ip_vs_svc_lock);
418 * Check the table hashed by fwmark first
421 svc = __ip_vs_svc_fwm_find(net, af, fwmark);
427 * Check the table hashed by <protocol,addr,port>
428 * for "full" addressed entries
430 svc = __ip_vs_service_find(net, af, protocol, vaddr, vport);
433 && protocol == IPPROTO_TCP
434 && atomic_read(&ipvs->ftpsvc_counter)
435 && (vport == FTPDATA || ntohs(vport) >= PROT_SOCK)) {
437 * Check if ftp service entry exists, the packet
438 * might belong to FTP data connections.
440 svc = __ip_vs_service_find(net, af, protocol, vaddr, FTPPORT);
444 && atomic_read(&ipvs->nullsvc_counter)) {
446 * Check if the catch-all port (port zero) exists
448 svc = __ip_vs_service_find(net, af, protocol, vaddr, 0);
453 atomic_inc(&svc->usecnt);
454 read_unlock(&__ip_vs_svc_lock);
456 IP_VS_DBG_BUF(9, "lookup service: fwm %u %s %s:%u %s\n",
457 fwmark, ip_vs_proto_name(protocol),
458 IP_VS_DBG_ADDR(af, vaddr), ntohs(vport),
459 svc ? "hit" : "not hit");
466 __ip_vs_bind_svc(struct ip_vs_dest *dest, struct ip_vs_service *svc)
468 atomic_inc(&svc->refcnt);
473 __ip_vs_unbind_svc(struct ip_vs_dest *dest)
475 struct ip_vs_service *svc = dest->svc;
478 if (atomic_dec_and_test(&svc->refcnt)) {
479 IP_VS_DBG_BUF(3, "Removing service %u/%s:%u usecnt=%d\n",
481 IP_VS_DBG_ADDR(svc->af, &svc->addr),
482 ntohs(svc->port), atomic_read(&svc->usecnt));
483 free_percpu(svc->stats.cpustats);
490 * Returns hash value for real service
492 static inline unsigned int ip_vs_rs_hashkey(int af,
493 const union nf_inet_addr *addr,
496 register unsigned int porth = ntohs(port);
497 __be32 addr_fold = addr->ip;
499 #ifdef CONFIG_IP_VS_IPV6
501 addr_fold = addr->ip6[0]^addr->ip6[1]^
502 addr->ip6[2]^addr->ip6[3];
505 return (ntohl(addr_fold)^(porth>>IP_VS_RTAB_BITS)^porth)
510 * Hashes ip_vs_dest in rs_table by <proto,addr,port>.
511 * should be called with locked tables.
513 static int ip_vs_rs_hash(struct netns_ipvs *ipvs, struct ip_vs_dest *dest)
517 if (!list_empty(&dest->d_list)) {
522 * Hash by proto,addr,port,
523 * which are the parameters of the real service.
525 hash = ip_vs_rs_hashkey(dest->af, &dest->addr, dest->port);
527 list_add(&dest->d_list, &ipvs->rs_table[hash]);
533 * UNhashes ip_vs_dest from rs_table.
534 * should be called with locked tables.
536 static int ip_vs_rs_unhash(struct ip_vs_dest *dest)
539 * Remove it from the rs_table table.
541 if (!list_empty(&dest->d_list)) {
542 list_del(&dest->d_list);
543 INIT_LIST_HEAD(&dest->d_list);
550 * Lookup real service by <proto,addr,port> in the real service table.
553 ip_vs_lookup_real_service(struct net *net, int af, __u16 protocol,
554 const union nf_inet_addr *daddr,
557 struct netns_ipvs *ipvs = net_ipvs(net);
559 struct ip_vs_dest *dest;
562 * Check for "full" addressed entries
563 * Return the first found entry
565 hash = ip_vs_rs_hashkey(af, daddr, dport);
567 read_lock(&ipvs->rs_lock);
568 list_for_each_entry(dest, &ipvs->rs_table[hash], d_list) {
570 && ip_vs_addr_equal(af, &dest->addr, daddr)
571 && (dest->port == dport)
572 && ((dest->protocol == protocol) ||
575 read_unlock(&ipvs->rs_lock);
579 read_unlock(&ipvs->rs_lock);
585 * Lookup destination by {addr,port} in the given service
587 static struct ip_vs_dest *
588 ip_vs_lookup_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
591 struct ip_vs_dest *dest;
594 * Find the destination for the given service
596 list_for_each_entry(dest, &svc->destinations, n_list) {
597 if ((dest->af == svc->af)
598 && ip_vs_addr_equal(svc->af, &dest->addr, daddr)
599 && (dest->port == dport)) {
609 * Find destination by {daddr,dport,vaddr,protocol}
610 * Cretaed to be used in ip_vs_process_message() in
611 * the backup synchronization daemon. It finds the
612 * destination to be bound to the received connection
615 * ip_vs_lookup_real_service() looked promissing, but
616 * seems not working as expected.
618 struct ip_vs_dest *ip_vs_find_dest(struct net *net, int af,
619 const union nf_inet_addr *daddr,
621 const union nf_inet_addr *vaddr,
622 __be16 vport, __u16 protocol, __u32 fwmark,
625 struct ip_vs_dest *dest;
626 struct ip_vs_service *svc;
629 svc = ip_vs_service_get(net, af, fwmark, protocol, vaddr, vport);
632 if (fwmark && (flags & IP_VS_CONN_F_FWD_MASK) != IP_VS_CONN_F_MASQ)
634 dest = ip_vs_lookup_dest(svc, daddr, port);
636 dest = ip_vs_lookup_dest(svc, daddr, port ^ dport);
638 atomic_inc(&dest->refcnt);
639 ip_vs_service_put(svc);
644 * Lookup dest by {svc,addr,port} in the destination trash.
645 * The destination trash is used to hold the destinations that are removed
646 * from the service table but are still referenced by some conn entries.
647 * The reason to add the destination trash is when the dest is temporary
648 * down (either by administrator or by monitor program), the dest can be
649 * picked back from the trash, the remaining connections to the dest can
650 * continue, and the counting information of the dest is also useful for
653 static struct ip_vs_dest *
654 ip_vs_trash_get_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
657 struct ip_vs_dest *dest, *nxt;
658 struct netns_ipvs *ipvs = net_ipvs(svc->net);
661 * Find the destination in trash
663 list_for_each_entry_safe(dest, nxt, &ipvs->dest_trash, n_list) {
664 IP_VS_DBG_BUF(3, "Destination %u/%s:%u still in trash, "
667 IP_VS_DBG_ADDR(svc->af, &dest->addr),
669 atomic_read(&dest->refcnt));
670 if (dest->af == svc->af &&
671 ip_vs_addr_equal(svc->af, &dest->addr, daddr) &&
672 dest->port == dport &&
673 dest->vfwmark == svc->fwmark &&
674 dest->protocol == svc->protocol &&
676 (ip_vs_addr_equal(svc->af, &dest->vaddr, &svc->addr) &&
677 dest->vport == svc->port))) {
683 * Try to purge the destination from trash if not referenced
685 if (atomic_read(&dest->refcnt) == 1) {
686 IP_VS_DBG_BUF(3, "Removing destination %u/%s:%u "
689 IP_VS_DBG_ADDR(svc->af, &dest->addr),
691 list_del(&dest->n_list);
692 ip_vs_dst_reset(dest);
693 __ip_vs_unbind_svc(dest);
694 free_percpu(dest->stats.cpustats);
704 * Clean up all the destinations in the trash
705 * Called by the ip_vs_control_cleanup()
707 * When the ip_vs_control_clearup is activated by ipvs module exit,
708 * the service tables must have been flushed and all the connections
709 * are expired, and the refcnt of each destination in the trash must
710 * be 1, so we simply release them here.
712 static void ip_vs_trash_cleanup(struct net *net)
714 struct ip_vs_dest *dest, *nxt;
715 struct netns_ipvs *ipvs = net_ipvs(net);
717 list_for_each_entry_safe(dest, nxt, &ipvs->dest_trash, n_list) {
718 list_del(&dest->n_list);
719 ip_vs_dst_reset(dest);
720 __ip_vs_unbind_svc(dest);
721 free_percpu(dest->stats.cpustats);
727 ip_vs_copy_stats(struct ip_vs_stats_user *dst, struct ip_vs_stats *src)
729 #define IP_VS_SHOW_STATS_COUNTER(c) dst->c = src->ustats.c - src->ustats0.c
731 spin_lock_bh(&src->lock);
733 IP_VS_SHOW_STATS_COUNTER(conns);
734 IP_VS_SHOW_STATS_COUNTER(inpkts);
735 IP_VS_SHOW_STATS_COUNTER(outpkts);
736 IP_VS_SHOW_STATS_COUNTER(inbytes);
737 IP_VS_SHOW_STATS_COUNTER(outbytes);
739 ip_vs_read_estimator(dst, src);
741 spin_unlock_bh(&src->lock);
745 ip_vs_zero_stats(struct ip_vs_stats *stats)
747 spin_lock_bh(&stats->lock);
749 /* get current counters as zero point, rates are zeroed */
751 #define IP_VS_ZERO_STATS_COUNTER(c) stats->ustats0.c = stats->ustats.c
753 IP_VS_ZERO_STATS_COUNTER(conns);
754 IP_VS_ZERO_STATS_COUNTER(inpkts);
755 IP_VS_ZERO_STATS_COUNTER(outpkts);
756 IP_VS_ZERO_STATS_COUNTER(inbytes);
757 IP_VS_ZERO_STATS_COUNTER(outbytes);
759 ip_vs_zero_estimator(stats);
761 spin_unlock_bh(&stats->lock);
765 * Update a destination in the given service
768 __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
769 struct ip_vs_dest_user_kern *udest, int add)
771 struct netns_ipvs *ipvs = net_ipvs(svc->net);
774 /* set the weight and the flags */
775 atomic_set(&dest->weight, udest->weight);
776 conn_flags = udest->conn_flags & IP_VS_CONN_F_DEST_MASK;
777 conn_flags |= IP_VS_CONN_F_INACTIVE;
779 /* set the IP_VS_CONN_F_NOOUTPUT flag if not masquerading/NAT */
780 if ((conn_flags & IP_VS_CONN_F_FWD_MASK) != IP_VS_CONN_F_MASQ) {
781 conn_flags |= IP_VS_CONN_F_NOOUTPUT;
784 * Put the real service in rs_table if not present.
785 * For now only for NAT!
787 write_lock_bh(&ipvs->rs_lock);
788 ip_vs_rs_hash(ipvs, dest);
789 write_unlock_bh(&ipvs->rs_lock);
791 atomic_set(&dest->conn_flags, conn_flags);
793 /* bind the service */
795 __ip_vs_bind_svc(dest, svc);
797 if (dest->svc != svc) {
798 __ip_vs_unbind_svc(dest);
799 ip_vs_zero_stats(&dest->stats);
800 __ip_vs_bind_svc(dest, svc);
804 /* set the dest status flags */
805 dest->flags |= IP_VS_DEST_F_AVAILABLE;
807 if (udest->u_threshold == 0 || udest->u_threshold > dest->u_threshold)
808 dest->flags &= ~IP_VS_DEST_F_OVERLOAD;
809 dest->u_threshold = udest->u_threshold;
810 dest->l_threshold = udest->l_threshold;
812 spin_lock_bh(&dest->dst_lock);
813 ip_vs_dst_reset(dest);
814 spin_unlock_bh(&dest->dst_lock);
817 ip_vs_start_estimator(svc->net, &dest->stats);
819 write_lock_bh(&__ip_vs_svc_lock);
821 /* Wait until all other svc users go away */
822 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
825 list_add(&dest->n_list, &svc->destinations);
829 /* call the update_service, because server weight may be changed */
830 if (svc->scheduler->update_service)
831 svc->scheduler->update_service(svc);
833 write_unlock_bh(&__ip_vs_svc_lock);
838 * Create a destination for the given service
841 ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
842 struct ip_vs_dest **dest_p)
844 struct ip_vs_dest *dest;
849 #ifdef CONFIG_IP_VS_IPV6
850 if (svc->af == AF_INET6) {
851 atype = ipv6_addr_type(&udest->addr.in6);
852 if ((!(atype & IPV6_ADDR_UNICAST) ||
853 atype & IPV6_ADDR_LINKLOCAL) &&
854 !__ip_vs_addr_is_local_v6(svc->net, &udest->addr.in6))
859 atype = inet_addr_type(svc->net, udest->addr.ip);
860 if (atype != RTN_LOCAL && atype != RTN_UNICAST)
864 dest = kzalloc(sizeof(struct ip_vs_dest), GFP_KERNEL);
868 dest->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
869 if (!dest->stats.cpustats)
873 dest->protocol = svc->protocol;
874 dest->vaddr = svc->addr;
875 dest->vport = svc->port;
876 dest->vfwmark = svc->fwmark;
877 ip_vs_addr_copy(svc->af, &dest->addr, &udest->addr);
878 dest->port = udest->port;
880 atomic_set(&dest->activeconns, 0);
881 atomic_set(&dest->inactconns, 0);
882 atomic_set(&dest->persistconns, 0);
883 atomic_set(&dest->refcnt, 1);
885 INIT_LIST_HEAD(&dest->d_list);
886 spin_lock_init(&dest->dst_lock);
887 spin_lock_init(&dest->stats.lock);
888 __ip_vs_update_dest(svc, dest, udest, 1);
902 * Add a destination into an existing service
905 ip_vs_add_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
907 struct ip_vs_dest *dest;
908 union nf_inet_addr daddr;
909 __be16 dport = udest->port;
914 if (udest->weight < 0) {
915 pr_err("%s(): server weight less than zero\n", __func__);
919 if (udest->l_threshold > udest->u_threshold) {
920 pr_err("%s(): lower threshold is higher than upper threshold\n",
925 ip_vs_addr_copy(svc->af, &daddr, &udest->addr);
928 * Check if the dest already exists in the list
930 dest = ip_vs_lookup_dest(svc, &daddr, dport);
933 IP_VS_DBG(1, "%s(): dest already exists\n", __func__);
938 * Check if the dest already exists in the trash and
939 * is from the same service
941 dest = ip_vs_trash_get_dest(svc, &daddr, dport);
944 IP_VS_DBG_BUF(3, "Get destination %s:%u from trash, "
945 "dest->refcnt=%d, service %u/%s:%u\n",
946 IP_VS_DBG_ADDR(svc->af, &daddr), ntohs(dport),
947 atomic_read(&dest->refcnt),
949 IP_VS_DBG_ADDR(svc->af, &dest->vaddr),
953 * Get the destination from the trash
955 list_del(&dest->n_list);
957 __ip_vs_update_dest(svc, dest, udest, 1);
961 * Allocate and initialize the dest structure
963 ret = ip_vs_new_dest(svc, udest, &dest);
972 * Edit a destination in the given service
975 ip_vs_edit_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
977 struct ip_vs_dest *dest;
978 union nf_inet_addr daddr;
979 __be16 dport = udest->port;
983 if (udest->weight < 0) {
984 pr_err("%s(): server weight less than zero\n", __func__);
988 if (udest->l_threshold > udest->u_threshold) {
989 pr_err("%s(): lower threshold is higher than upper threshold\n",
994 ip_vs_addr_copy(svc->af, &daddr, &udest->addr);
997 * Lookup the destination list
999 dest = ip_vs_lookup_dest(svc, &daddr, dport);
1002 IP_VS_DBG(1, "%s(): dest doesn't exist\n", __func__);
1006 __ip_vs_update_dest(svc, dest, udest, 0);
1014 * Delete a destination (must be already unlinked from the service)
1016 static void __ip_vs_del_dest(struct net *net, struct ip_vs_dest *dest)
1018 struct netns_ipvs *ipvs = net_ipvs(net);
1020 ip_vs_stop_estimator(net, &dest->stats);
1023 * Remove it from the d-linked list with the real services.
1025 write_lock_bh(&ipvs->rs_lock);
1026 ip_vs_rs_unhash(dest);
1027 write_unlock_bh(&ipvs->rs_lock);
1030 * Decrease the refcnt of the dest, and free the dest
1031 * if nobody refers to it (refcnt=0). Otherwise, throw
1032 * the destination into the trash.
1034 if (atomic_dec_and_test(&dest->refcnt)) {
1035 IP_VS_DBG_BUF(3, "Removing destination %u/%s:%u\n",
1037 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1039 ip_vs_dst_reset(dest);
1040 /* simply decrease svc->refcnt here, let the caller check
1041 and release the service if nobody refers to it.
1042 Only user context can release destination and service,
1043 and only one user context can update virtual service at a
1044 time, so the operation here is OK */
1045 atomic_dec(&dest->svc->refcnt);
1046 free_percpu(dest->stats.cpustats);
1049 IP_VS_DBG_BUF(3, "Moving dest %s:%u into trash, "
1050 "dest->refcnt=%d\n",
1051 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1053 atomic_read(&dest->refcnt));
1054 list_add(&dest->n_list, &ipvs->dest_trash);
1055 atomic_inc(&dest->refcnt);
1061 * Unlink a destination from the given service
1063 static void __ip_vs_unlink_dest(struct ip_vs_service *svc,
1064 struct ip_vs_dest *dest,
1067 dest->flags &= ~IP_VS_DEST_F_AVAILABLE;
1070 * Remove it from the d-linked destination list.
1072 list_del(&dest->n_list);
1076 * Call the update_service function of its scheduler
1078 if (svcupd && svc->scheduler->update_service)
1079 svc->scheduler->update_service(svc);
1084 * Delete a destination server in the given service
1087 ip_vs_del_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
1089 struct ip_vs_dest *dest;
1090 __be16 dport = udest->port;
1094 dest = ip_vs_lookup_dest(svc, &udest->addr, dport);
1097 IP_VS_DBG(1, "%s(): destination not found!\n", __func__);
1101 write_lock_bh(&__ip_vs_svc_lock);
1104 * Wait until all other svc users go away.
1106 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1109 * Unlink dest from the service
1111 __ip_vs_unlink_dest(svc, dest, 1);
1113 write_unlock_bh(&__ip_vs_svc_lock);
1116 * Delete the destination
1118 __ip_vs_del_dest(svc->net, dest);
1127 * Add a service into the service hash table
1130 ip_vs_add_service(struct net *net, struct ip_vs_service_user_kern *u,
1131 struct ip_vs_service **svc_p)
1134 struct ip_vs_scheduler *sched = NULL;
1135 struct ip_vs_pe *pe = NULL;
1136 struct ip_vs_service *svc = NULL;
1137 struct netns_ipvs *ipvs = net_ipvs(net);
1139 /* increase the module use count */
1140 ip_vs_use_count_inc();
1142 /* Lookup the scheduler by 'u->sched_name' */
1143 sched = ip_vs_scheduler_get(u->sched_name);
1144 if (sched == NULL) {
1145 pr_info("Scheduler module ip_vs_%s not found\n", u->sched_name);
1150 if (u->pe_name && *u->pe_name) {
1151 pe = ip_vs_pe_getbyname(u->pe_name);
1153 pr_info("persistence engine module ip_vs_pe_%s "
1154 "not found\n", u->pe_name);
1160 #ifdef CONFIG_IP_VS_IPV6
1161 if (u->af == AF_INET6 && (u->netmask < 1 || u->netmask > 128)) {
1167 svc = kzalloc(sizeof(struct ip_vs_service), GFP_KERNEL);
1169 IP_VS_DBG(1, "%s(): no memory\n", __func__);
1173 svc->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
1174 if (!svc->stats.cpustats) {
1179 /* I'm the first user of the service */
1180 atomic_set(&svc->usecnt, 0);
1181 atomic_set(&svc->refcnt, 0);
1184 svc->protocol = u->protocol;
1185 ip_vs_addr_copy(svc->af, &svc->addr, &u->addr);
1186 svc->port = u->port;
1187 svc->fwmark = u->fwmark;
1188 svc->flags = u->flags;
1189 svc->timeout = u->timeout * HZ;
1190 svc->netmask = u->netmask;
1193 INIT_LIST_HEAD(&svc->destinations);
1194 rwlock_init(&svc->sched_lock);
1195 spin_lock_init(&svc->stats.lock);
1197 /* Bind the scheduler */
1198 ret = ip_vs_bind_scheduler(svc, sched);
1203 /* Bind the ct retriever */
1204 ip_vs_bind_pe(svc, pe);
1207 /* Update the virtual service counters */
1208 if (svc->port == FTPPORT)
1209 atomic_inc(&ipvs->ftpsvc_counter);
1210 else if (svc->port == 0)
1211 atomic_inc(&ipvs->nullsvc_counter);
1213 ip_vs_start_estimator(net, &svc->stats);
1215 /* Count only IPv4 services for old get/setsockopt interface */
1216 if (svc->af == AF_INET)
1217 ipvs->num_services++;
1219 /* Hash the service into the service table */
1220 write_lock_bh(&__ip_vs_svc_lock);
1221 ip_vs_svc_hash(svc);
1222 write_unlock_bh(&__ip_vs_svc_lock);
1225 /* Now there is a service - full throttle */
1232 ip_vs_unbind_scheduler(svc);
1235 ip_vs_app_inc_put(svc->inc);
1238 if (svc->stats.cpustats)
1239 free_percpu(svc->stats.cpustats);
1242 ip_vs_scheduler_put(sched);
1245 /* decrease the module use count */
1246 ip_vs_use_count_dec();
1253 * Edit a service and bind it with a new scheduler
1256 ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)
1258 struct ip_vs_scheduler *sched, *old_sched;
1259 struct ip_vs_pe *pe = NULL, *old_pe = NULL;
1263 * Lookup the scheduler, by 'u->sched_name'
1265 sched = ip_vs_scheduler_get(u->sched_name);
1266 if (sched == NULL) {
1267 pr_info("Scheduler module ip_vs_%s not found\n", u->sched_name);
1272 if (u->pe_name && *u->pe_name) {
1273 pe = ip_vs_pe_getbyname(u->pe_name);
1275 pr_info("persistence engine module ip_vs_pe_%s "
1276 "not found\n", u->pe_name);
1283 #ifdef CONFIG_IP_VS_IPV6
1284 if (u->af == AF_INET6 && (u->netmask < 1 || u->netmask > 128)) {
1290 write_lock_bh(&__ip_vs_svc_lock);
1293 * Wait until all other svc users go away.
1295 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1298 * Set the flags and timeout value
1300 svc->flags = u->flags | IP_VS_SVC_F_HASHED;
1301 svc->timeout = u->timeout * HZ;
1302 svc->netmask = u->netmask;
1304 old_sched = svc->scheduler;
1305 if (sched != old_sched) {
1307 * Unbind the old scheduler
1309 if ((ret = ip_vs_unbind_scheduler(svc))) {
1315 * Bind the new scheduler
1317 if ((ret = ip_vs_bind_scheduler(svc, sched))) {
1319 * If ip_vs_bind_scheduler fails, restore the old
1321 * The main reason of failure is out of memory.
1323 * The question is if the old scheduler can be
1324 * restored all the time. TODO: if it cannot be
1325 * restored some time, we must delete the service,
1326 * otherwise the system may crash.
1328 ip_vs_bind_scheduler(svc, old_sched);
1336 ip_vs_unbind_pe(svc);
1337 ip_vs_bind_pe(svc, pe);
1341 write_unlock_bh(&__ip_vs_svc_lock);
1343 ip_vs_scheduler_put(old_sched);
1344 ip_vs_pe_put(old_pe);
1350 * Delete a service from the service list
1351 * - The service must be unlinked, unlocked and not referenced!
1352 * - We are called under _bh lock
1354 static void __ip_vs_del_service(struct ip_vs_service *svc)
1356 struct ip_vs_dest *dest, *nxt;
1357 struct ip_vs_scheduler *old_sched;
1358 struct ip_vs_pe *old_pe;
1359 struct netns_ipvs *ipvs = net_ipvs(svc->net);
1361 pr_info("%s: enter\n", __func__);
1363 /* Count only IPv4 services for old get/setsockopt interface */
1364 if (svc->af == AF_INET)
1365 ipvs->num_services--;
1367 ip_vs_stop_estimator(svc->net, &svc->stats);
1369 /* Unbind scheduler */
1370 old_sched = svc->scheduler;
1371 ip_vs_unbind_scheduler(svc);
1372 ip_vs_scheduler_put(old_sched);
1374 /* Unbind persistence engine */
1376 ip_vs_unbind_pe(svc);
1377 ip_vs_pe_put(old_pe);
1379 /* Unbind app inc */
1381 ip_vs_app_inc_put(svc->inc);
1386 * Unlink the whole destination list
1388 list_for_each_entry_safe(dest, nxt, &svc->destinations, n_list) {
1389 __ip_vs_unlink_dest(svc, dest, 0);
1390 __ip_vs_del_dest(svc->net, dest);
1394 * Update the virtual service counters
1396 if (svc->port == FTPPORT)
1397 atomic_dec(&ipvs->ftpsvc_counter);
1398 else if (svc->port == 0)
1399 atomic_dec(&ipvs->nullsvc_counter);
1402 * Free the service if nobody refers to it
1404 if (atomic_read(&svc->refcnt) == 0) {
1405 IP_VS_DBG_BUF(3, "Removing service %u/%s:%u usecnt=%d\n",
1407 IP_VS_DBG_ADDR(svc->af, &svc->addr),
1408 ntohs(svc->port), atomic_read(&svc->usecnt));
1409 free_percpu(svc->stats.cpustats);
1413 /* decrease the module use count */
1414 ip_vs_use_count_dec();
1418 * Unlink a service from list and try to delete it if its refcnt reached 0
1420 static void ip_vs_unlink_service(struct ip_vs_service *svc)
1423 * Unhash it from the service table
1425 write_lock_bh(&__ip_vs_svc_lock);
1427 ip_vs_svc_unhash(svc);
1430 * Wait until all the svc users go away.
1432 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1434 __ip_vs_del_service(svc);
1436 write_unlock_bh(&__ip_vs_svc_lock);
1440 * Delete a service from the service list
1442 static int ip_vs_del_service(struct ip_vs_service *svc)
1446 ip_vs_unlink_service(svc);
1453 * Flush all the virtual services
1455 static int ip_vs_flush(struct net *net)
1458 struct ip_vs_service *svc, *nxt;
1461 * Flush the service table hashed by <netns,protocol,addr,port>
1463 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1464 list_for_each_entry_safe(svc, nxt, &ip_vs_svc_table[idx],
1466 if (net_eq(svc->net, net))
1467 ip_vs_unlink_service(svc);
1472 * Flush the service table hashed by fwmark
1474 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1475 list_for_each_entry_safe(svc, nxt,
1476 &ip_vs_svc_fwm_table[idx], f_list) {
1477 if (net_eq(svc->net, net))
1478 ip_vs_unlink_service(svc);
1486 * Delete service by {netns} in the service table.
1487 * Called by __ip_vs_cleanup()
1489 void ip_vs_service_net_cleanup(struct net *net)
1492 /* Check for "full" addressed entries */
1493 mutex_lock(&__ip_vs_mutex);
1495 mutex_unlock(&__ip_vs_mutex);
1499 * Release dst hold by dst_cache
1502 __ip_vs_dev_reset(struct ip_vs_dest *dest, struct net_device *dev)
1504 spin_lock_bh(&dest->dst_lock);
1505 if (dest->dst_cache && dest->dst_cache->dev == dev) {
1506 IP_VS_DBG_BUF(3, "Reset dev:%s dest %s:%u ,dest->refcnt=%d\n",
1508 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1510 atomic_read(&dest->refcnt));
1511 ip_vs_dst_reset(dest);
1513 spin_unlock_bh(&dest->dst_lock);
1517 * Netdev event receiver
1518 * Currently only NETDEV_UNREGISTER is handled, i.e. if we hold a reference to
1519 * a device that is "unregister" it must be released.
1521 static int ip_vs_dst_event(struct notifier_block *this, unsigned long event,
1524 struct net_device *dev = ptr;
1525 struct net *net = dev_net(dev);
1526 struct netns_ipvs *ipvs = net_ipvs(net);
1527 struct ip_vs_service *svc;
1528 struct ip_vs_dest *dest;
1531 if (event != NETDEV_UNREGISTER || !ipvs)
1533 IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name);
1535 mutex_lock(&__ip_vs_mutex);
1536 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1537 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1538 if (net_eq(svc->net, net)) {
1539 list_for_each_entry(dest, &svc->destinations,
1541 __ip_vs_dev_reset(dest, dev);
1546 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1547 if (net_eq(svc->net, net)) {
1548 list_for_each_entry(dest, &svc->destinations,
1550 __ip_vs_dev_reset(dest, dev);
1557 list_for_each_entry(dest, &ipvs->dest_trash, n_list) {
1558 __ip_vs_dev_reset(dest, dev);
1560 mutex_unlock(&__ip_vs_mutex);
1566 * Zero counters in a service or all services
1568 static int ip_vs_zero_service(struct ip_vs_service *svc)
1570 struct ip_vs_dest *dest;
1572 write_lock_bh(&__ip_vs_svc_lock);
1573 list_for_each_entry(dest, &svc->destinations, n_list) {
1574 ip_vs_zero_stats(&dest->stats);
1576 ip_vs_zero_stats(&svc->stats);
1577 write_unlock_bh(&__ip_vs_svc_lock);
1581 static int ip_vs_zero_all(struct net *net)
1584 struct ip_vs_service *svc;
1586 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1587 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1588 if (net_eq(svc->net, net))
1589 ip_vs_zero_service(svc);
1593 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1594 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1595 if (net_eq(svc->net, net))
1596 ip_vs_zero_service(svc);
1600 ip_vs_zero_stats(&net_ipvs(net)->tot_stats);
1604 #ifdef CONFIG_SYSCTL
1607 static int three = 3;
1610 proc_do_defense_mode(ctl_table *table, int write,
1611 void __user *buffer, size_t *lenp, loff_t *ppos)
1613 struct net *net = current->nsproxy->net_ns;
1614 int *valp = table->data;
1618 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1619 if (write && (*valp != val)) {
1620 if ((*valp < 0) || (*valp > 3)) {
1621 /* Restore the correct value */
1624 update_defense_level(net_ipvs(net));
1631 proc_do_sync_threshold(ctl_table *table, int write,
1632 void __user *buffer, size_t *lenp, loff_t *ppos)
1634 int *valp = table->data;
1638 /* backup the value first */
1639 memcpy(val, valp, sizeof(val));
1641 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1642 if (write && (valp[0] < 0 || valp[1] < 0 ||
1643 (valp[0] >= valp[1] && valp[1]))) {
1644 /* Restore the correct value */
1645 memcpy(valp, val, sizeof(val));
1651 proc_do_sync_mode(ctl_table *table, int write,
1652 void __user *buffer, size_t *lenp, loff_t *ppos)
1654 int *valp = table->data;
1658 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1659 if (write && (*valp != val)) {
1660 if ((*valp < 0) || (*valp > 1)) {
1661 /* Restore the correct value */
1669 proc_do_sync_ports(ctl_table *table, int write,
1670 void __user *buffer, size_t *lenp, loff_t *ppos)
1672 int *valp = table->data;
1676 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1677 if (write && (*valp != val)) {
1678 if (*valp < 1 || !is_power_of_2(*valp)) {
1679 /* Restore the correct value */
1687 * IPVS sysctl table (under the /proc/sys/net/ipv4/vs/)
1688 * Do not change order or insert new entries without
1689 * align with netns init in ip_vs_control_net_init()
1692 static struct ctl_table vs_vars[] = {
1694 .procname = "amemthresh",
1695 .maxlen = sizeof(int),
1697 .proc_handler = proc_dointvec,
1700 .procname = "am_droprate",
1701 .maxlen = sizeof(int),
1703 .proc_handler = proc_dointvec,
1706 .procname = "drop_entry",
1707 .maxlen = sizeof(int),
1709 .proc_handler = proc_do_defense_mode,
1712 .procname = "drop_packet",
1713 .maxlen = sizeof(int),
1715 .proc_handler = proc_do_defense_mode,
1717 #ifdef CONFIG_IP_VS_NFCT
1719 .procname = "conntrack",
1720 .maxlen = sizeof(int),
1722 .proc_handler = &proc_dointvec,
1726 .procname = "secure_tcp",
1727 .maxlen = sizeof(int),
1729 .proc_handler = proc_do_defense_mode,
1732 .procname = "snat_reroute",
1733 .maxlen = sizeof(int),
1735 .proc_handler = &proc_dointvec,
1738 .procname = "sync_version",
1739 .maxlen = sizeof(int),
1741 .proc_handler = &proc_do_sync_mode,
1744 .procname = "sync_ports",
1745 .maxlen = sizeof(int),
1747 .proc_handler = &proc_do_sync_ports,
1750 .procname = "sync_qlen_max",
1751 .maxlen = sizeof(int),
1753 .proc_handler = proc_dointvec,
1756 .procname = "sync_sock_size",
1757 .maxlen = sizeof(int),
1759 .proc_handler = proc_dointvec,
1762 .procname = "cache_bypass",
1763 .maxlen = sizeof(int),
1765 .proc_handler = proc_dointvec,
1768 .procname = "expire_nodest_conn",
1769 .maxlen = sizeof(int),
1771 .proc_handler = proc_dointvec,
1774 .procname = "expire_quiescent_template",
1775 .maxlen = sizeof(int),
1777 .proc_handler = proc_dointvec,
1780 .procname = "sync_threshold",
1782 sizeof(((struct netns_ipvs *)0)->sysctl_sync_threshold),
1784 .proc_handler = proc_do_sync_threshold,
1787 .procname = "sync_refresh_period",
1788 .maxlen = sizeof(int),
1790 .proc_handler = proc_dointvec_jiffies,
1793 .procname = "sync_retries",
1794 .maxlen = sizeof(int),
1796 .proc_handler = proc_dointvec_minmax,
1801 .procname = "nat_icmp_send",
1802 .maxlen = sizeof(int),
1804 .proc_handler = proc_dointvec,
1807 .procname = "pmtu_disc",
1808 .maxlen = sizeof(int),
1810 .proc_handler = proc_dointvec,
1812 #ifdef CONFIG_IP_VS_DEBUG
1814 .procname = "debug_level",
1815 .data = &sysctl_ip_vs_debug_level,
1816 .maxlen = sizeof(int),
1818 .proc_handler = proc_dointvec,
1823 .procname = "timeout_established",
1824 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ESTABLISHED],
1825 .maxlen = sizeof(int),
1827 .proc_handler = proc_dointvec_jiffies,
1830 .procname = "timeout_synsent",
1831 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_SENT],
1832 .maxlen = sizeof(int),
1834 .proc_handler = proc_dointvec_jiffies,
1837 .procname = "timeout_synrecv",
1838 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_RECV],
1839 .maxlen = sizeof(int),
1841 .proc_handler = proc_dointvec_jiffies,
1844 .procname = "timeout_finwait",
1845 .data = &vs_timeout_table_dos.timeout[IP_VS_S_FIN_WAIT],
1846 .maxlen = sizeof(int),
1848 .proc_handler = proc_dointvec_jiffies,
1851 .procname = "timeout_timewait",
1852 .data = &vs_timeout_table_dos.timeout[IP_VS_S_TIME_WAIT],
1853 .maxlen = sizeof(int),
1855 .proc_handler = proc_dointvec_jiffies,
1858 .procname = "timeout_close",
1859 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE],
1860 .maxlen = sizeof(int),
1862 .proc_handler = proc_dointvec_jiffies,
1865 .procname = "timeout_closewait",
1866 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE_WAIT],
1867 .maxlen = sizeof(int),
1869 .proc_handler = proc_dointvec_jiffies,
1872 .procname = "timeout_lastack",
1873 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LAST_ACK],
1874 .maxlen = sizeof(int),
1876 .proc_handler = proc_dointvec_jiffies,
1879 .procname = "timeout_listen",
1880 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LISTEN],
1881 .maxlen = sizeof(int),
1883 .proc_handler = proc_dointvec_jiffies,
1886 .procname = "timeout_synack",
1887 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYNACK],
1888 .maxlen = sizeof(int),
1890 .proc_handler = proc_dointvec_jiffies,
1893 .procname = "timeout_udp",
1894 .data = &vs_timeout_table_dos.timeout[IP_VS_S_UDP],
1895 .maxlen = sizeof(int),
1897 .proc_handler = proc_dointvec_jiffies,
1900 .procname = "timeout_icmp",
1901 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ICMP],
1902 .maxlen = sizeof(int),
1904 .proc_handler = proc_dointvec_jiffies,
1912 #ifdef CONFIG_PROC_FS
1915 struct seq_net_private p; /* Do not move this, netns depends upon it*/
1916 struct list_head *table;
1921 * Write the contents of the VS rule table to a PROCfs file.
1922 * (It is kept just for backward compatibility)
1924 static inline const char *ip_vs_fwd_name(unsigned int flags)
1926 switch (flags & IP_VS_CONN_F_FWD_MASK) {
1927 case IP_VS_CONN_F_LOCALNODE:
1929 case IP_VS_CONN_F_TUNNEL:
1931 case IP_VS_CONN_F_DROUTE:
1939 /* Get the Nth entry in the two lists */
1940 static struct ip_vs_service *ip_vs_info_array(struct seq_file *seq, loff_t pos)
1942 struct net *net = seq_file_net(seq);
1943 struct ip_vs_iter *iter = seq->private;
1945 struct ip_vs_service *svc;
1947 /* look in hash by protocol */
1948 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1949 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1950 if (net_eq(svc->net, net) && pos-- == 0) {
1951 iter->table = ip_vs_svc_table;
1958 /* keep looking in fwmark */
1959 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1960 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1961 if (net_eq(svc->net, net) && pos-- == 0) {
1962 iter->table = ip_vs_svc_fwm_table;
1972 static void *ip_vs_info_seq_start(struct seq_file *seq, loff_t *pos)
1973 __acquires(__ip_vs_svc_lock)
1976 read_lock_bh(&__ip_vs_svc_lock);
1977 return *pos ? ip_vs_info_array(seq, *pos - 1) : SEQ_START_TOKEN;
1981 static void *ip_vs_info_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1983 struct list_head *e;
1984 struct ip_vs_iter *iter;
1985 struct ip_vs_service *svc;
1988 if (v == SEQ_START_TOKEN)
1989 return ip_vs_info_array(seq,0);
1992 iter = seq->private;
1994 if (iter->table == ip_vs_svc_table) {
1995 /* next service in table hashed by protocol */
1996 if ((e = svc->s_list.next) != &ip_vs_svc_table[iter->bucket])
1997 return list_entry(e, struct ip_vs_service, s_list);
2000 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
2001 list_for_each_entry(svc,&ip_vs_svc_table[iter->bucket],
2007 iter->table = ip_vs_svc_fwm_table;
2012 /* next service in hashed by fwmark */
2013 if ((e = svc->f_list.next) != &ip_vs_svc_fwm_table[iter->bucket])
2014 return list_entry(e, struct ip_vs_service, f_list);
2017 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
2018 list_for_each_entry(svc, &ip_vs_svc_fwm_table[iter->bucket],
2026 static void ip_vs_info_seq_stop(struct seq_file *seq, void *v)
2027 __releases(__ip_vs_svc_lock)
2029 read_unlock_bh(&__ip_vs_svc_lock);
2033 static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
2035 if (v == SEQ_START_TOKEN) {
2037 "IP Virtual Server version %d.%d.%d (size=%d)\n",
2038 NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size);
2040 "Prot LocalAddress:Port Scheduler Flags\n");
2042 " -> RemoteAddress:Port Forward Weight ActiveConn InActConn\n");
2044 const struct ip_vs_service *svc = v;
2045 const struct ip_vs_iter *iter = seq->private;
2046 const struct ip_vs_dest *dest;
2048 if (iter->table == ip_vs_svc_table) {
2049 #ifdef CONFIG_IP_VS_IPV6
2050 if (svc->af == AF_INET6)
2051 seq_printf(seq, "%s [%pI6]:%04X %s ",
2052 ip_vs_proto_name(svc->protocol),
2055 svc->scheduler->name);
2058 seq_printf(seq, "%s %08X:%04X %s %s ",
2059 ip_vs_proto_name(svc->protocol),
2060 ntohl(svc->addr.ip),
2062 svc->scheduler->name,
2063 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
2065 seq_printf(seq, "FWM %08X %s %s",
2066 svc->fwmark, svc->scheduler->name,
2067 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
2070 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
2071 seq_printf(seq, "persistent %d %08X\n",
2073 ntohl(svc->netmask));
2075 seq_putc(seq, '\n');
2077 list_for_each_entry(dest, &svc->destinations, n_list) {
2078 #ifdef CONFIG_IP_VS_IPV6
2079 if (dest->af == AF_INET6)
2082 " %-7s %-6d %-10d %-10d\n",
2085 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
2086 atomic_read(&dest->weight),
2087 atomic_read(&dest->activeconns),
2088 atomic_read(&dest->inactconns));
2093 "%-7s %-6d %-10d %-10d\n",
2094 ntohl(dest->addr.ip),
2096 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
2097 atomic_read(&dest->weight),
2098 atomic_read(&dest->activeconns),
2099 atomic_read(&dest->inactconns));
2106 static const struct seq_operations ip_vs_info_seq_ops = {
2107 .start = ip_vs_info_seq_start,
2108 .next = ip_vs_info_seq_next,
2109 .stop = ip_vs_info_seq_stop,
2110 .show = ip_vs_info_seq_show,
2113 static int ip_vs_info_open(struct inode *inode, struct file *file)
2115 return seq_open_net(inode, file, &ip_vs_info_seq_ops,
2116 sizeof(struct ip_vs_iter));
2119 static const struct file_operations ip_vs_info_fops = {
2120 .owner = THIS_MODULE,
2121 .open = ip_vs_info_open,
2123 .llseek = seq_lseek,
2124 .release = seq_release_net,
2127 static int ip_vs_stats_show(struct seq_file *seq, void *v)
2129 struct net *net = seq_file_single_net(seq);
2130 struct ip_vs_stats_user show;
2132 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2134 " Total Incoming Outgoing Incoming Outgoing\n");
2136 " Conns Packets Packets Bytes Bytes\n");
2138 ip_vs_copy_stats(&show, &net_ipvs(net)->tot_stats);
2139 seq_printf(seq, "%8X %8X %8X %16LX %16LX\n\n", show.conns,
2140 show.inpkts, show.outpkts,
2141 (unsigned long long) show.inbytes,
2142 (unsigned long long) show.outbytes);
2144 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2146 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
2147 seq_printf(seq, "%8X %8X %8X %16X %16X\n",
2148 show.cps, show.inpps, show.outpps,
2149 show.inbps, show.outbps);
2154 static int ip_vs_stats_seq_open(struct inode *inode, struct file *file)
2156 return single_open_net(inode, file, ip_vs_stats_show);
2159 static const struct file_operations ip_vs_stats_fops = {
2160 .owner = THIS_MODULE,
2161 .open = ip_vs_stats_seq_open,
2163 .llseek = seq_lseek,
2164 .release = single_release_net,
2167 static int ip_vs_stats_percpu_show(struct seq_file *seq, void *v)
2169 struct net *net = seq_file_single_net(seq);
2170 struct ip_vs_stats *tot_stats = &net_ipvs(net)->tot_stats;
2171 struct ip_vs_cpu_stats *cpustats = tot_stats->cpustats;
2172 struct ip_vs_stats_user rates;
2175 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2177 " Total Incoming Outgoing Incoming Outgoing\n");
2179 "CPU Conns Packets Packets Bytes Bytes\n");
2181 for_each_possible_cpu(i) {
2182 struct ip_vs_cpu_stats *u = per_cpu_ptr(cpustats, i);
2184 __u64 inbytes, outbytes;
2187 start = u64_stats_fetch_begin_bh(&u->syncp);
2188 inbytes = u->ustats.inbytes;
2189 outbytes = u->ustats.outbytes;
2190 } while (u64_stats_fetch_retry_bh(&u->syncp, start));
2192 seq_printf(seq, "%3X %8X %8X %8X %16LX %16LX\n",
2193 i, u->ustats.conns, u->ustats.inpkts,
2194 u->ustats.outpkts, (__u64)inbytes,
2198 spin_lock_bh(&tot_stats->lock);
2200 seq_printf(seq, " ~ %8X %8X %8X %16LX %16LX\n\n",
2201 tot_stats->ustats.conns, tot_stats->ustats.inpkts,
2202 tot_stats->ustats.outpkts,
2203 (unsigned long long) tot_stats->ustats.inbytes,
2204 (unsigned long long) tot_stats->ustats.outbytes);
2206 ip_vs_read_estimator(&rates, tot_stats);
2208 spin_unlock_bh(&tot_stats->lock);
2210 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2212 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
2213 seq_printf(seq, " %8X %8X %8X %16X %16X\n",
2223 static int ip_vs_stats_percpu_seq_open(struct inode *inode, struct file *file)
2225 return single_open_net(inode, file, ip_vs_stats_percpu_show);
2228 static const struct file_operations ip_vs_stats_percpu_fops = {
2229 .owner = THIS_MODULE,
2230 .open = ip_vs_stats_percpu_seq_open,
2232 .llseek = seq_lseek,
2233 .release = single_release_net,
2238 * Set timeout values for tcp tcpfin udp in the timeout_table.
2240 static int ip_vs_set_timeout(struct net *net, struct ip_vs_timeout_user *u)
2242 #if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
2243 struct ip_vs_proto_data *pd;
2246 IP_VS_DBG(2, "Setting timeout tcp:%d tcpfin:%d udp:%d\n",
2251 #ifdef CONFIG_IP_VS_PROTO_TCP
2252 if (u->tcp_timeout) {
2253 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2254 pd->timeout_table[IP_VS_TCP_S_ESTABLISHED]
2255 = u->tcp_timeout * HZ;
2258 if (u->tcp_fin_timeout) {
2259 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2260 pd->timeout_table[IP_VS_TCP_S_FIN_WAIT]
2261 = u->tcp_fin_timeout * HZ;
2265 #ifdef CONFIG_IP_VS_PROTO_UDP
2266 if (u->udp_timeout) {
2267 pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
2268 pd->timeout_table[IP_VS_UDP_S_NORMAL]
2269 = u->udp_timeout * HZ;
2276 #define SET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
2277 #define SERVICE_ARG_LEN (sizeof(struct ip_vs_service_user))
2278 #define SVCDEST_ARG_LEN (sizeof(struct ip_vs_service_user) + \
2279 sizeof(struct ip_vs_dest_user))
2280 #define TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
2281 #define DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user))
2282 #define MAX_ARG_LEN SVCDEST_ARG_LEN
2284 static const unsigned char set_arglen[SET_CMDID(IP_VS_SO_SET_MAX)+1] = {
2285 [SET_CMDID(IP_VS_SO_SET_ADD)] = SERVICE_ARG_LEN,
2286 [SET_CMDID(IP_VS_SO_SET_EDIT)] = SERVICE_ARG_LEN,
2287 [SET_CMDID(IP_VS_SO_SET_DEL)] = SERVICE_ARG_LEN,
2288 [SET_CMDID(IP_VS_SO_SET_FLUSH)] = 0,
2289 [SET_CMDID(IP_VS_SO_SET_ADDDEST)] = SVCDEST_ARG_LEN,
2290 [SET_CMDID(IP_VS_SO_SET_DELDEST)] = SVCDEST_ARG_LEN,
2291 [SET_CMDID(IP_VS_SO_SET_EDITDEST)] = SVCDEST_ARG_LEN,
2292 [SET_CMDID(IP_VS_SO_SET_TIMEOUT)] = TIMEOUT_ARG_LEN,
2293 [SET_CMDID(IP_VS_SO_SET_STARTDAEMON)] = DAEMON_ARG_LEN,
2294 [SET_CMDID(IP_VS_SO_SET_STOPDAEMON)] = DAEMON_ARG_LEN,
2295 [SET_CMDID(IP_VS_SO_SET_ZERO)] = SERVICE_ARG_LEN,
2298 static void ip_vs_copy_usvc_compat(struct ip_vs_service_user_kern *usvc,
2299 struct ip_vs_service_user *usvc_compat)
2301 memset(usvc, 0, sizeof(*usvc));
2304 usvc->protocol = usvc_compat->protocol;
2305 usvc->addr.ip = usvc_compat->addr;
2306 usvc->port = usvc_compat->port;
2307 usvc->fwmark = usvc_compat->fwmark;
2309 /* Deep copy of sched_name is not needed here */
2310 usvc->sched_name = usvc_compat->sched_name;
2312 usvc->flags = usvc_compat->flags;
2313 usvc->timeout = usvc_compat->timeout;
2314 usvc->netmask = usvc_compat->netmask;
2317 static void ip_vs_copy_udest_compat(struct ip_vs_dest_user_kern *udest,
2318 struct ip_vs_dest_user *udest_compat)
2320 memset(udest, 0, sizeof(*udest));
2322 udest->addr.ip = udest_compat->addr;
2323 udest->port = udest_compat->port;
2324 udest->conn_flags = udest_compat->conn_flags;
2325 udest->weight = udest_compat->weight;
2326 udest->u_threshold = udest_compat->u_threshold;
2327 udest->l_threshold = udest_compat->l_threshold;
2331 do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2333 struct net *net = sock_net(sk);
2335 unsigned char arg[MAX_ARG_LEN];
2336 struct ip_vs_service_user *usvc_compat;
2337 struct ip_vs_service_user_kern usvc;
2338 struct ip_vs_service *svc;
2339 struct ip_vs_dest_user *udest_compat;
2340 struct ip_vs_dest_user_kern udest;
2341 struct netns_ipvs *ipvs = net_ipvs(net);
2343 if (!capable(CAP_NET_ADMIN))
2346 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
2348 if (len < 0 || len > MAX_ARG_LEN)
2350 if (len != set_arglen[SET_CMDID(cmd)]) {
2351 pr_err("set_ctl: len %u != %u\n",
2352 len, set_arglen[SET_CMDID(cmd)]);
2356 if (copy_from_user(arg, user, len) != 0)
2359 /* increase the module use count */
2360 ip_vs_use_count_inc();
2362 /* Handle daemons since they have another lock */
2363 if (cmd == IP_VS_SO_SET_STARTDAEMON ||
2364 cmd == IP_VS_SO_SET_STOPDAEMON) {
2365 struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
2367 if (mutex_lock_interruptible(&ipvs->sync_mutex)) {
2371 if (cmd == IP_VS_SO_SET_STARTDAEMON)
2372 ret = start_sync_thread(net, dm->state, dm->mcast_ifn,
2375 ret = stop_sync_thread(net, dm->state);
2376 mutex_unlock(&ipvs->sync_mutex);
2380 if (mutex_lock_interruptible(&__ip_vs_mutex)) {
2385 if (cmd == IP_VS_SO_SET_FLUSH) {
2386 /* Flush the virtual service */
2387 ret = ip_vs_flush(net);
2389 } else if (cmd == IP_VS_SO_SET_TIMEOUT) {
2390 /* Set timeout values for (tcp tcpfin udp) */
2391 ret = ip_vs_set_timeout(net, (struct ip_vs_timeout_user *)arg);
2395 usvc_compat = (struct ip_vs_service_user *)arg;
2396 udest_compat = (struct ip_vs_dest_user *)(usvc_compat + 1);
2398 /* We only use the new structs internally, so copy userspace compat
2399 * structs to extended internal versions */
2400 ip_vs_copy_usvc_compat(&usvc, usvc_compat);
2401 ip_vs_copy_udest_compat(&udest, udest_compat);
2403 if (cmd == IP_VS_SO_SET_ZERO) {
2404 /* if no service address is set, zero counters in all */
2405 if (!usvc.fwmark && !usvc.addr.ip && !usvc.port) {
2406 ret = ip_vs_zero_all(net);
2411 /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
2412 if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
2413 usvc.protocol != IPPROTO_SCTP) {
2414 pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
2415 usvc.protocol, &usvc.addr.ip,
2416 ntohs(usvc.port), usvc.sched_name);
2421 /* Lookup the exact service by <protocol, addr, port> or fwmark */
2422 if (usvc.fwmark == 0)
2423 svc = __ip_vs_service_find(net, usvc.af, usvc.protocol,
2424 &usvc.addr, usvc.port);
2426 svc = __ip_vs_svc_fwm_find(net, usvc.af, usvc.fwmark);
2428 if (cmd != IP_VS_SO_SET_ADD
2429 && (svc == NULL || svc->protocol != usvc.protocol)) {
2435 case IP_VS_SO_SET_ADD:
2439 ret = ip_vs_add_service(net, &usvc, &svc);
2441 case IP_VS_SO_SET_EDIT:
2442 ret = ip_vs_edit_service(svc, &usvc);
2444 case IP_VS_SO_SET_DEL:
2445 ret = ip_vs_del_service(svc);
2449 case IP_VS_SO_SET_ZERO:
2450 ret = ip_vs_zero_service(svc);
2452 case IP_VS_SO_SET_ADDDEST:
2453 ret = ip_vs_add_dest(svc, &udest);
2455 case IP_VS_SO_SET_EDITDEST:
2456 ret = ip_vs_edit_dest(svc, &udest);
2458 case IP_VS_SO_SET_DELDEST:
2459 ret = ip_vs_del_dest(svc, &udest);
2466 mutex_unlock(&__ip_vs_mutex);
2468 /* decrease the module use count */
2469 ip_vs_use_count_dec();
2476 ip_vs_copy_service(struct ip_vs_service_entry *dst, struct ip_vs_service *src)
2478 dst->protocol = src->protocol;
2479 dst->addr = src->addr.ip;
2480 dst->port = src->port;
2481 dst->fwmark = src->fwmark;
2482 strlcpy(dst->sched_name, src->scheduler->name, sizeof(dst->sched_name));
2483 dst->flags = src->flags;
2484 dst->timeout = src->timeout / HZ;
2485 dst->netmask = src->netmask;
2486 dst->num_dests = src->num_dests;
2487 ip_vs_copy_stats(&dst->stats, &src->stats);
2491 __ip_vs_get_service_entries(struct net *net,
2492 const struct ip_vs_get_services *get,
2493 struct ip_vs_get_services __user *uptr)
2496 struct ip_vs_service *svc;
2497 struct ip_vs_service_entry entry;
2500 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2501 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
2502 /* Only expose IPv4 entries to old interface */
2503 if (svc->af != AF_INET || !net_eq(svc->net, net))
2506 if (count >= get->num_services)
2508 memset(&entry, 0, sizeof(entry));
2509 ip_vs_copy_service(&entry, svc);
2510 if (copy_to_user(&uptr->entrytable[count],
2511 &entry, sizeof(entry))) {
2519 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2520 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
2521 /* Only expose IPv4 entries to old interface */
2522 if (svc->af != AF_INET || !net_eq(svc->net, net))
2525 if (count >= get->num_services)
2527 memset(&entry, 0, sizeof(entry));
2528 ip_vs_copy_service(&entry, svc);
2529 if (copy_to_user(&uptr->entrytable[count],
2530 &entry, sizeof(entry))) {
2542 __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
2543 struct ip_vs_get_dests __user *uptr)
2545 struct ip_vs_service *svc;
2546 union nf_inet_addr addr = { .ip = get->addr };
2550 svc = __ip_vs_svc_fwm_find(net, AF_INET, get->fwmark);
2552 svc = __ip_vs_service_find(net, AF_INET, get->protocol, &addr,
2557 struct ip_vs_dest *dest;
2558 struct ip_vs_dest_entry entry;
2560 list_for_each_entry(dest, &svc->destinations, n_list) {
2561 if (count >= get->num_dests)
2564 entry.addr = dest->addr.ip;
2565 entry.port = dest->port;
2566 entry.conn_flags = atomic_read(&dest->conn_flags);
2567 entry.weight = atomic_read(&dest->weight);
2568 entry.u_threshold = dest->u_threshold;
2569 entry.l_threshold = dest->l_threshold;
2570 entry.activeconns = atomic_read(&dest->activeconns);
2571 entry.inactconns = atomic_read(&dest->inactconns);
2572 entry.persistconns = atomic_read(&dest->persistconns);
2573 ip_vs_copy_stats(&entry.stats, &dest->stats);
2574 if (copy_to_user(&uptr->entrytable[count],
2575 &entry, sizeof(entry))) {
2587 __ip_vs_get_timeouts(struct net *net, struct ip_vs_timeout_user *u)
2589 #if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
2590 struct ip_vs_proto_data *pd;
2593 #ifdef CONFIG_IP_VS_PROTO_TCP
2594 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2595 u->tcp_timeout = pd->timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;
2596 u->tcp_fin_timeout = pd->timeout_table[IP_VS_TCP_S_FIN_WAIT] / HZ;
2598 #ifdef CONFIG_IP_VS_PROTO_UDP
2599 pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
2601 pd->timeout_table[IP_VS_UDP_S_NORMAL] / HZ;
2606 #define GET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
2607 #define GET_INFO_ARG_LEN (sizeof(struct ip_vs_getinfo))
2608 #define GET_SERVICES_ARG_LEN (sizeof(struct ip_vs_get_services))
2609 #define GET_SERVICE_ARG_LEN (sizeof(struct ip_vs_service_entry))
2610 #define GET_DESTS_ARG_LEN (sizeof(struct ip_vs_get_dests))
2611 #define GET_TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
2612 #define GET_DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user) * 2)
2614 static const unsigned char get_arglen[GET_CMDID(IP_VS_SO_GET_MAX)+1] = {
2615 [GET_CMDID(IP_VS_SO_GET_VERSION)] = 64,
2616 [GET_CMDID(IP_VS_SO_GET_INFO)] = GET_INFO_ARG_LEN,
2617 [GET_CMDID(IP_VS_SO_GET_SERVICES)] = GET_SERVICES_ARG_LEN,
2618 [GET_CMDID(IP_VS_SO_GET_SERVICE)] = GET_SERVICE_ARG_LEN,
2619 [GET_CMDID(IP_VS_SO_GET_DESTS)] = GET_DESTS_ARG_LEN,
2620 [GET_CMDID(IP_VS_SO_GET_TIMEOUT)] = GET_TIMEOUT_ARG_LEN,
2621 [GET_CMDID(IP_VS_SO_GET_DAEMON)] = GET_DAEMON_ARG_LEN,
2625 do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2627 unsigned char arg[128];
2629 unsigned int copylen;
2630 struct net *net = sock_net(sk);
2631 struct netns_ipvs *ipvs = net_ipvs(net);
2634 if (!capable(CAP_NET_ADMIN))
2637 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)
2640 if (*len < get_arglen[GET_CMDID(cmd)]) {
2641 pr_err("get_ctl: len %u < %u\n",
2642 *len, get_arglen[GET_CMDID(cmd)]);
2646 copylen = get_arglen[GET_CMDID(cmd)];
2650 if (copy_from_user(arg, user, copylen) != 0)
2653 * Handle daemons first since it has its own locking
2655 if (cmd == IP_VS_SO_GET_DAEMON) {
2656 struct ip_vs_daemon_user d[2];
2658 memset(&d, 0, sizeof(d));
2659 if (mutex_lock_interruptible(&ipvs->sync_mutex))
2660 return -ERESTARTSYS;
2662 if (ipvs->sync_state & IP_VS_STATE_MASTER) {
2663 d[0].state = IP_VS_STATE_MASTER;
2664 strlcpy(d[0].mcast_ifn, ipvs->master_mcast_ifn,
2665 sizeof(d[0].mcast_ifn));
2666 d[0].syncid = ipvs->master_syncid;
2668 if (ipvs->sync_state & IP_VS_STATE_BACKUP) {
2669 d[1].state = IP_VS_STATE_BACKUP;
2670 strlcpy(d[1].mcast_ifn, ipvs->backup_mcast_ifn,
2671 sizeof(d[1].mcast_ifn));
2672 d[1].syncid = ipvs->backup_syncid;
2674 if (copy_to_user(user, &d, sizeof(d)) != 0)
2676 mutex_unlock(&ipvs->sync_mutex);
2680 if (mutex_lock_interruptible(&__ip_vs_mutex))
2681 return -ERESTARTSYS;
2684 case IP_VS_SO_GET_VERSION:
2688 sprintf(buf, "IP Virtual Server version %d.%d.%d (size=%d)",
2689 NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size);
2690 if (copy_to_user(user, buf, strlen(buf)+1) != 0) {
2694 *len = strlen(buf)+1;
2698 case IP_VS_SO_GET_INFO:
2700 struct ip_vs_getinfo info;
2701 info.version = IP_VS_VERSION_CODE;
2702 info.size = ip_vs_conn_tab_size;
2703 info.num_services = ipvs->num_services;
2704 if (copy_to_user(user, &info, sizeof(info)) != 0)
2709 case IP_VS_SO_GET_SERVICES:
2711 struct ip_vs_get_services *get;
2714 get = (struct ip_vs_get_services *)arg;
2715 size = sizeof(*get) +
2716 sizeof(struct ip_vs_service_entry) * get->num_services;
2718 pr_err("length: %u != %u\n", *len, size);
2722 ret = __ip_vs_get_service_entries(net, get, user);
2726 case IP_VS_SO_GET_SERVICE:
2728 struct ip_vs_service_entry *entry;
2729 struct ip_vs_service *svc;
2730 union nf_inet_addr addr;
2732 entry = (struct ip_vs_service_entry *)arg;
2733 addr.ip = entry->addr;
2735 svc = __ip_vs_svc_fwm_find(net, AF_INET, entry->fwmark);
2737 svc = __ip_vs_service_find(net, AF_INET,
2738 entry->protocol, &addr,
2741 ip_vs_copy_service(entry, svc);
2742 if (copy_to_user(user, entry, sizeof(*entry)) != 0)
2749 case IP_VS_SO_GET_DESTS:
2751 struct ip_vs_get_dests *get;
2754 get = (struct ip_vs_get_dests *)arg;
2755 size = sizeof(*get) +
2756 sizeof(struct ip_vs_dest_entry) * get->num_dests;
2758 pr_err("length: %u != %u\n", *len, size);
2762 ret = __ip_vs_get_dest_entries(net, get, user);
2766 case IP_VS_SO_GET_TIMEOUT:
2768 struct ip_vs_timeout_user t;
2770 memset(&t, 0, sizeof(t));
2771 __ip_vs_get_timeouts(net, &t);
2772 if (copy_to_user(user, &t, sizeof(t)) != 0)
2782 mutex_unlock(&__ip_vs_mutex);
2787 static struct nf_sockopt_ops ip_vs_sockopts = {
2789 .set_optmin = IP_VS_BASE_CTL,
2790 .set_optmax = IP_VS_SO_SET_MAX+1,
2791 .set = do_ip_vs_set_ctl,
2792 .get_optmin = IP_VS_BASE_CTL,
2793 .get_optmax = IP_VS_SO_GET_MAX+1,
2794 .get = do_ip_vs_get_ctl,
2795 .owner = THIS_MODULE,
2799 * Generic Netlink interface
2802 /* IPVS genetlink family */
2803 static struct genl_family ip_vs_genl_family = {
2804 .id = GENL_ID_GENERATE,
2806 .name = IPVS_GENL_NAME,
2807 .version = IPVS_GENL_VERSION,
2808 .maxattr = IPVS_CMD_MAX,
2809 .netnsok = true, /* Make ipvsadm to work on netns */
2812 /* Policy used for first-level command attributes */
2813 static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
2814 [IPVS_CMD_ATTR_SERVICE] = { .type = NLA_NESTED },
2815 [IPVS_CMD_ATTR_DEST] = { .type = NLA_NESTED },
2816 [IPVS_CMD_ATTR_DAEMON] = { .type = NLA_NESTED },
2817 [IPVS_CMD_ATTR_TIMEOUT_TCP] = { .type = NLA_U32 },
2818 [IPVS_CMD_ATTR_TIMEOUT_TCP_FIN] = { .type = NLA_U32 },
2819 [IPVS_CMD_ATTR_TIMEOUT_UDP] = { .type = NLA_U32 },
2822 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DAEMON */
2823 static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
2824 [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 },
2825 [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING,
2826 .len = IP_VS_IFNAME_MAXLEN },
2827 [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 },
2830 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_SERVICE */
2831 static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
2832 [IPVS_SVC_ATTR_AF] = { .type = NLA_U16 },
2833 [IPVS_SVC_ATTR_PROTOCOL] = { .type = NLA_U16 },
2834 [IPVS_SVC_ATTR_ADDR] = { .type = NLA_BINARY,
2835 .len = sizeof(union nf_inet_addr) },
2836 [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 },
2837 [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 },
2838 [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING,
2839 .len = IP_VS_SCHEDNAME_MAXLEN },
2840 [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING,
2841 .len = IP_VS_PENAME_MAXLEN },
2842 [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY,
2843 .len = sizeof(struct ip_vs_flags) },
2844 [IPVS_SVC_ATTR_TIMEOUT] = { .type = NLA_U32 },
2845 [IPVS_SVC_ATTR_NETMASK] = { .type = NLA_U32 },
2846 [IPVS_SVC_ATTR_STATS] = { .type = NLA_NESTED },
2849 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DEST */
2850 static const struct nla_policy ip_vs_dest_policy[IPVS_DEST_ATTR_MAX + 1] = {
2851 [IPVS_DEST_ATTR_ADDR] = { .type = NLA_BINARY,
2852 .len = sizeof(union nf_inet_addr) },
2853 [IPVS_DEST_ATTR_PORT] = { .type = NLA_U16 },
2854 [IPVS_DEST_ATTR_FWD_METHOD] = { .type = NLA_U32 },
2855 [IPVS_DEST_ATTR_WEIGHT] = { .type = NLA_U32 },
2856 [IPVS_DEST_ATTR_U_THRESH] = { .type = NLA_U32 },
2857 [IPVS_DEST_ATTR_L_THRESH] = { .type = NLA_U32 },
2858 [IPVS_DEST_ATTR_ACTIVE_CONNS] = { .type = NLA_U32 },
2859 [IPVS_DEST_ATTR_INACT_CONNS] = { .type = NLA_U32 },
2860 [IPVS_DEST_ATTR_PERSIST_CONNS] = { .type = NLA_U32 },
2861 [IPVS_DEST_ATTR_STATS] = { .type = NLA_NESTED },
2864 static int ip_vs_genl_fill_stats(struct sk_buff *skb, int container_type,
2865 struct ip_vs_stats *stats)
2867 struct ip_vs_stats_user ustats;
2868 struct nlattr *nl_stats = nla_nest_start(skb, container_type);
2872 ip_vs_copy_stats(&ustats, stats);
2874 if (nla_put_u32(skb, IPVS_STATS_ATTR_CONNS, ustats.conns) ||
2875 nla_put_u32(skb, IPVS_STATS_ATTR_INPKTS, ustats.inpkts) ||
2876 nla_put_u32(skb, IPVS_STATS_ATTR_OUTPKTS, ustats.outpkts) ||
2877 nla_put_u64(skb, IPVS_STATS_ATTR_INBYTES, ustats.inbytes) ||
2878 nla_put_u64(skb, IPVS_STATS_ATTR_OUTBYTES, ustats.outbytes) ||
2879 nla_put_u32(skb, IPVS_STATS_ATTR_CPS, ustats.cps) ||
2880 nla_put_u32(skb, IPVS_STATS_ATTR_INPPS, ustats.inpps) ||
2881 nla_put_u32(skb, IPVS_STATS_ATTR_OUTPPS, ustats.outpps) ||
2882 nla_put_u32(skb, IPVS_STATS_ATTR_INBPS, ustats.inbps) ||
2883 nla_put_u32(skb, IPVS_STATS_ATTR_OUTBPS, ustats.outbps))
2884 goto nla_put_failure;
2885 nla_nest_end(skb, nl_stats);
2890 nla_nest_cancel(skb, nl_stats);
2894 static int ip_vs_genl_fill_service(struct sk_buff *skb,
2895 struct ip_vs_service *svc)
2897 struct nlattr *nl_service;
2898 struct ip_vs_flags flags = { .flags = svc->flags,
2901 nl_service = nla_nest_start(skb, IPVS_CMD_ATTR_SERVICE);
2905 if (nla_put_u16(skb, IPVS_SVC_ATTR_AF, svc->af))
2906 goto nla_put_failure;
2908 if (nla_put_u32(skb, IPVS_SVC_ATTR_FWMARK, svc->fwmark))
2909 goto nla_put_failure;
2911 if (nla_put_u16(skb, IPVS_SVC_ATTR_PROTOCOL, svc->protocol) ||
2912 nla_put(skb, IPVS_SVC_ATTR_ADDR, sizeof(svc->addr), &svc->addr) ||
2913 nla_put_u16(skb, IPVS_SVC_ATTR_PORT, svc->port))
2914 goto nla_put_failure;
2917 if (nla_put_string(skb, IPVS_SVC_ATTR_SCHED_NAME, svc->scheduler->name) ||
2919 nla_put_string(skb, IPVS_SVC_ATTR_PE_NAME, svc->pe->name)) ||
2920 nla_put(skb, IPVS_SVC_ATTR_FLAGS, sizeof(flags), &flags) ||
2921 nla_put_u32(skb, IPVS_SVC_ATTR_TIMEOUT, svc->timeout / HZ) ||
2922 nla_put_u32(skb, IPVS_SVC_ATTR_NETMASK, svc->netmask))
2923 goto nla_put_failure;
2924 if (ip_vs_genl_fill_stats(skb, IPVS_SVC_ATTR_STATS, &svc->stats))
2925 goto nla_put_failure;
2927 nla_nest_end(skb, nl_service);
2932 nla_nest_cancel(skb, nl_service);
2936 static int ip_vs_genl_dump_service(struct sk_buff *skb,
2937 struct ip_vs_service *svc,
2938 struct netlink_callback *cb)
2942 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).pid, cb->nlh->nlmsg_seq,
2943 &ip_vs_genl_family, NLM_F_MULTI,
2944 IPVS_CMD_NEW_SERVICE);
2948 if (ip_vs_genl_fill_service(skb, svc) < 0)
2949 goto nla_put_failure;
2951 return genlmsg_end(skb, hdr);
2954 genlmsg_cancel(skb, hdr);
2958 static int ip_vs_genl_dump_services(struct sk_buff *skb,
2959 struct netlink_callback *cb)
2962 int start = cb->args[0];
2963 struct ip_vs_service *svc;
2964 struct net *net = skb_sknet(skb);
2966 mutex_lock(&__ip_vs_mutex);
2967 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
2968 list_for_each_entry(svc, &ip_vs_svc_table[i], s_list) {
2969 if (++idx <= start || !net_eq(svc->net, net))
2971 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
2973 goto nla_put_failure;
2978 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
2979 list_for_each_entry(svc, &ip_vs_svc_fwm_table[i], f_list) {
2980 if (++idx <= start || !net_eq(svc->net, net))
2982 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
2984 goto nla_put_failure;
2990 mutex_unlock(&__ip_vs_mutex);
2996 static int ip_vs_genl_parse_service(struct net *net,
2997 struct ip_vs_service_user_kern *usvc,
2998 struct nlattr *nla, int full_entry,
2999 struct ip_vs_service **ret_svc)
3001 struct nlattr *attrs[IPVS_SVC_ATTR_MAX + 1];
3002 struct nlattr *nla_af, *nla_port, *nla_fwmark, *nla_protocol, *nla_addr;
3003 struct ip_vs_service *svc;
3005 /* Parse mandatory identifying service fields first */
3007 nla_parse_nested(attrs, IPVS_SVC_ATTR_MAX, nla, ip_vs_svc_policy))
3010 nla_af = attrs[IPVS_SVC_ATTR_AF];
3011 nla_protocol = attrs[IPVS_SVC_ATTR_PROTOCOL];
3012 nla_addr = attrs[IPVS_SVC_ATTR_ADDR];
3013 nla_port = attrs[IPVS_SVC_ATTR_PORT];
3014 nla_fwmark = attrs[IPVS_SVC_ATTR_FWMARK];
3016 if (!(nla_af && (nla_fwmark || (nla_port && nla_protocol && nla_addr))))
3019 memset(usvc, 0, sizeof(*usvc));
3021 usvc->af = nla_get_u16(nla_af);
3022 #ifdef CONFIG_IP_VS_IPV6
3023 if (usvc->af != AF_INET && usvc->af != AF_INET6)
3025 if (usvc->af != AF_INET)
3027 return -EAFNOSUPPORT;
3030 usvc->protocol = IPPROTO_TCP;
3031 usvc->fwmark = nla_get_u32(nla_fwmark);
3033 usvc->protocol = nla_get_u16(nla_protocol);
3034 nla_memcpy(&usvc->addr, nla_addr, sizeof(usvc->addr));
3035 usvc->port = nla_get_u16(nla_port);
3040 svc = __ip_vs_svc_fwm_find(net, usvc->af, usvc->fwmark);
3042 svc = __ip_vs_service_find(net, usvc->af, usvc->protocol,
3043 &usvc->addr, usvc->port);
3046 /* If a full entry was requested, check for the additional fields */
3048 struct nlattr *nla_sched, *nla_flags, *nla_pe, *nla_timeout,
3050 struct ip_vs_flags flags;
3052 nla_sched = attrs[IPVS_SVC_ATTR_SCHED_NAME];
3053 nla_pe = attrs[IPVS_SVC_ATTR_PE_NAME];
3054 nla_flags = attrs[IPVS_SVC_ATTR_FLAGS];
3055 nla_timeout = attrs[IPVS_SVC_ATTR_TIMEOUT];
3056 nla_netmask = attrs[IPVS_SVC_ATTR_NETMASK];
3058 if (!(nla_sched && nla_flags && nla_timeout && nla_netmask))
3061 nla_memcpy(&flags, nla_flags, sizeof(flags));
3063 /* prefill flags from service if it already exists */
3065 usvc->flags = svc->flags;
3067 /* set new flags from userland */
3068 usvc->flags = (usvc->flags & ~flags.mask) |
3069 (flags.flags & flags.mask);
3070 usvc->sched_name = nla_data(nla_sched);
3071 usvc->pe_name = nla_pe ? nla_data(nla_pe) : NULL;
3072 usvc->timeout = nla_get_u32(nla_timeout);
3073 usvc->netmask = nla_get_u32(nla_netmask);
3079 static struct ip_vs_service *ip_vs_genl_find_service(struct net *net,
3082 struct ip_vs_service_user_kern usvc;
3083 struct ip_vs_service *svc;
3086 ret = ip_vs_genl_parse_service(net, &usvc, nla, 0, &svc);
3087 return ret ? ERR_PTR(ret) : svc;
3090 static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
3092 struct nlattr *nl_dest;
3094 nl_dest = nla_nest_start(skb, IPVS_CMD_ATTR_DEST);
3098 if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
3099 nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
3100 nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
3101 (atomic_read(&dest->conn_flags) &
3102 IP_VS_CONN_F_FWD_MASK)) ||
3103 nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
3104 atomic_read(&dest->weight)) ||
3105 nla_put_u32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold) ||
3106 nla_put_u32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold) ||
3107 nla_put_u32(skb, IPVS_DEST_ATTR_ACTIVE_CONNS,
3108 atomic_read(&dest->activeconns)) ||
3109 nla_put_u32(skb, IPVS_DEST_ATTR_INACT_CONNS,
3110 atomic_read(&dest->inactconns)) ||
3111 nla_put_u32(skb, IPVS_DEST_ATTR_PERSIST_CONNS,
3112 atomic_read(&dest->persistconns)))
3113 goto nla_put_failure;
3114 if (ip_vs_genl_fill_stats(skb, IPVS_DEST_ATTR_STATS, &dest->stats))
3115 goto nla_put_failure;
3117 nla_nest_end(skb, nl_dest);
3122 nla_nest_cancel(skb, nl_dest);
3126 static int ip_vs_genl_dump_dest(struct sk_buff *skb, struct ip_vs_dest *dest,
3127 struct netlink_callback *cb)
3131 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).pid, cb->nlh->nlmsg_seq,
3132 &ip_vs_genl_family, NLM_F_MULTI,
3137 if (ip_vs_genl_fill_dest(skb, dest) < 0)
3138 goto nla_put_failure;
3140 return genlmsg_end(skb, hdr);
3143 genlmsg_cancel(skb, hdr);
3147 static int ip_vs_genl_dump_dests(struct sk_buff *skb,
3148 struct netlink_callback *cb)
3151 int start = cb->args[0];
3152 struct ip_vs_service *svc;
3153 struct ip_vs_dest *dest;
3154 struct nlattr *attrs[IPVS_CMD_ATTR_MAX + 1];
3155 struct net *net = skb_sknet(skb);
3157 mutex_lock(&__ip_vs_mutex);
3159 /* Try to find the service for which to dump destinations */
3160 if (nlmsg_parse(cb->nlh, GENL_HDRLEN, attrs,
3161 IPVS_CMD_ATTR_MAX, ip_vs_cmd_policy))
3165 svc = ip_vs_genl_find_service(net, attrs[IPVS_CMD_ATTR_SERVICE]);
3166 if (IS_ERR(svc) || svc == NULL)
3169 /* Dump the destinations */
3170 list_for_each_entry(dest, &svc->destinations, n_list) {
3173 if (ip_vs_genl_dump_dest(skb, dest, cb) < 0) {
3175 goto nla_put_failure;
3183 mutex_unlock(&__ip_vs_mutex);
3188 static int ip_vs_genl_parse_dest(struct ip_vs_dest_user_kern *udest,
3189 struct nlattr *nla, int full_entry)
3191 struct nlattr *attrs[IPVS_DEST_ATTR_MAX + 1];
3192 struct nlattr *nla_addr, *nla_port;
3194 /* Parse mandatory identifying destination fields first */
3196 nla_parse_nested(attrs, IPVS_DEST_ATTR_MAX, nla, ip_vs_dest_policy))
3199 nla_addr = attrs[IPVS_DEST_ATTR_ADDR];
3200 nla_port = attrs[IPVS_DEST_ATTR_PORT];
3202 if (!(nla_addr && nla_port))
3205 memset(udest, 0, sizeof(*udest));
3207 nla_memcpy(&udest->addr, nla_addr, sizeof(udest->addr));
3208 udest->port = nla_get_u16(nla_port);
3210 /* If a full entry was requested, check for the additional fields */
3212 struct nlattr *nla_fwd, *nla_weight, *nla_u_thresh,
3215 nla_fwd = attrs[IPVS_DEST_ATTR_FWD_METHOD];
3216 nla_weight = attrs[IPVS_DEST_ATTR_WEIGHT];
3217 nla_u_thresh = attrs[IPVS_DEST_ATTR_U_THRESH];
3218 nla_l_thresh = attrs[IPVS_DEST_ATTR_L_THRESH];
3220 if (!(nla_fwd && nla_weight && nla_u_thresh && nla_l_thresh))
3223 udest->conn_flags = nla_get_u32(nla_fwd)
3224 & IP_VS_CONN_F_FWD_MASK;
3225 udest->weight = nla_get_u32(nla_weight);
3226 udest->u_threshold = nla_get_u32(nla_u_thresh);
3227 udest->l_threshold = nla_get_u32(nla_l_thresh);
3233 static int ip_vs_genl_fill_daemon(struct sk_buff *skb, __be32 state,
3234 const char *mcast_ifn, __be32 syncid)
3236 struct nlattr *nl_daemon;
3238 nl_daemon = nla_nest_start(skb, IPVS_CMD_ATTR_DAEMON);
3242 if (nla_put_u32(skb, IPVS_DAEMON_ATTR_STATE, state) ||
3243 nla_put_string(skb, IPVS_DAEMON_ATTR_MCAST_IFN, mcast_ifn) ||
3244 nla_put_u32(skb, IPVS_DAEMON_ATTR_SYNC_ID, syncid))
3245 goto nla_put_failure;
3246 nla_nest_end(skb, nl_daemon);
3251 nla_nest_cancel(skb, nl_daemon);
3255 static int ip_vs_genl_dump_daemon(struct sk_buff *skb, __be32 state,
3256 const char *mcast_ifn, __be32 syncid,
3257 struct netlink_callback *cb)
3260 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).pid, cb->nlh->nlmsg_seq,
3261 &ip_vs_genl_family, NLM_F_MULTI,
3262 IPVS_CMD_NEW_DAEMON);
3266 if (ip_vs_genl_fill_daemon(skb, state, mcast_ifn, syncid))
3267 goto nla_put_failure;
3269 return genlmsg_end(skb, hdr);
3272 genlmsg_cancel(skb, hdr);
3276 static int ip_vs_genl_dump_daemons(struct sk_buff *skb,
3277 struct netlink_callback *cb)
3279 struct net *net = skb_sknet(skb);
3280 struct netns_ipvs *ipvs = net_ipvs(net);
3282 mutex_lock(&ipvs->sync_mutex);
3283 if ((ipvs->sync_state & IP_VS_STATE_MASTER) && !cb->args[0]) {
3284 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_MASTER,
3285 ipvs->master_mcast_ifn,
3286 ipvs->master_syncid, cb) < 0)
3287 goto nla_put_failure;
3292 if ((ipvs->sync_state & IP_VS_STATE_BACKUP) && !cb->args[1]) {
3293 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_BACKUP,
3294 ipvs->backup_mcast_ifn,
3295 ipvs->backup_syncid, cb) < 0)
3296 goto nla_put_failure;
3302 mutex_unlock(&ipvs->sync_mutex);
3307 static int ip_vs_genl_new_daemon(struct net *net, struct nlattr **attrs)
3309 if (!(attrs[IPVS_DAEMON_ATTR_STATE] &&
3310 attrs[IPVS_DAEMON_ATTR_MCAST_IFN] &&
3311 attrs[IPVS_DAEMON_ATTR_SYNC_ID]))
3314 return start_sync_thread(net,
3315 nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]),
3316 nla_data(attrs[IPVS_DAEMON_ATTR_MCAST_IFN]),
3317 nla_get_u32(attrs[IPVS_DAEMON_ATTR_SYNC_ID]));
3320 static int ip_vs_genl_del_daemon(struct net *net, struct nlattr **attrs)
3322 if (!attrs[IPVS_DAEMON_ATTR_STATE])
3325 return stop_sync_thread(net,
3326 nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
3329 static int ip_vs_genl_set_config(struct net *net, struct nlattr **attrs)
3331 struct ip_vs_timeout_user t;
3333 __ip_vs_get_timeouts(net, &t);
3335 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP])
3336 t.tcp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP]);
3338 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN])
3340 nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN]);
3342 if (attrs[IPVS_CMD_ATTR_TIMEOUT_UDP])
3343 t.udp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_UDP]);
3345 return ip_vs_set_timeout(net, &t);
3348 static int ip_vs_genl_set_daemon(struct sk_buff *skb, struct genl_info *info)
3352 struct netns_ipvs *ipvs;
3354 net = skb_sknet(skb);
3355 ipvs = net_ipvs(net);
3356 cmd = info->genlhdr->cmd;
3358 if (cmd == IPVS_CMD_NEW_DAEMON || cmd == IPVS_CMD_DEL_DAEMON) {
3359 struct nlattr *daemon_attrs[IPVS_DAEMON_ATTR_MAX + 1];
3361 mutex_lock(&ipvs->sync_mutex);
3362 if (!info->attrs[IPVS_CMD_ATTR_DAEMON] ||
3363 nla_parse_nested(daemon_attrs, IPVS_DAEMON_ATTR_MAX,
3364 info->attrs[IPVS_CMD_ATTR_DAEMON],
3365 ip_vs_daemon_policy)) {
3370 if (cmd == IPVS_CMD_NEW_DAEMON)
3371 ret = ip_vs_genl_new_daemon(net, daemon_attrs);
3373 ret = ip_vs_genl_del_daemon(net, daemon_attrs);
3375 mutex_unlock(&ipvs->sync_mutex);
3380 static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
3382 struct ip_vs_service *svc = NULL;
3383 struct ip_vs_service_user_kern usvc;
3384 struct ip_vs_dest_user_kern udest;
3386 int need_full_svc = 0, need_full_dest = 0;
3389 net = skb_sknet(skb);
3390 cmd = info->genlhdr->cmd;
3392 mutex_lock(&__ip_vs_mutex);
3394 if (cmd == IPVS_CMD_FLUSH) {
3395 ret = ip_vs_flush(net);
3397 } else if (cmd == IPVS_CMD_SET_CONFIG) {
3398 ret = ip_vs_genl_set_config(net, info->attrs);
3400 } else if (cmd == IPVS_CMD_ZERO &&
3401 !info->attrs[IPVS_CMD_ATTR_SERVICE]) {
3402 ret = ip_vs_zero_all(net);
3406 /* All following commands require a service argument, so check if we
3407 * received a valid one. We need a full service specification when
3408 * adding / editing a service. Only identifying members otherwise. */
3409 if (cmd == IPVS_CMD_NEW_SERVICE || cmd == IPVS_CMD_SET_SERVICE)
3412 ret = ip_vs_genl_parse_service(net, &usvc,
3413 info->attrs[IPVS_CMD_ATTR_SERVICE],
3414 need_full_svc, &svc);
3418 /* Unless we're adding a new service, the service must already exist */
3419 if ((cmd != IPVS_CMD_NEW_SERVICE) && (svc == NULL)) {
3424 /* Destination commands require a valid destination argument. For
3425 * adding / editing a destination, we need a full destination
3427 if (cmd == IPVS_CMD_NEW_DEST || cmd == IPVS_CMD_SET_DEST ||
3428 cmd == IPVS_CMD_DEL_DEST) {
3429 if (cmd != IPVS_CMD_DEL_DEST)
3432 ret = ip_vs_genl_parse_dest(&udest,
3433 info->attrs[IPVS_CMD_ATTR_DEST],
3440 case IPVS_CMD_NEW_SERVICE:
3442 ret = ip_vs_add_service(net, &usvc, &svc);
3446 case IPVS_CMD_SET_SERVICE:
3447 ret = ip_vs_edit_service(svc, &usvc);
3449 case IPVS_CMD_DEL_SERVICE:
3450 ret = ip_vs_del_service(svc);
3451 /* do not use svc, it can be freed */
3453 case IPVS_CMD_NEW_DEST:
3454 ret = ip_vs_add_dest(svc, &udest);
3456 case IPVS_CMD_SET_DEST:
3457 ret = ip_vs_edit_dest(svc, &udest);
3459 case IPVS_CMD_DEL_DEST:
3460 ret = ip_vs_del_dest(svc, &udest);
3463 ret = ip_vs_zero_service(svc);
3470 mutex_unlock(&__ip_vs_mutex);
3475 static int ip_vs_genl_get_cmd(struct sk_buff *skb, struct genl_info *info)
3477 struct sk_buff *msg;
3479 int ret, cmd, reply_cmd;
3482 net = skb_sknet(skb);
3483 cmd = info->genlhdr->cmd;
3485 if (cmd == IPVS_CMD_GET_SERVICE)
3486 reply_cmd = IPVS_CMD_NEW_SERVICE;
3487 else if (cmd == IPVS_CMD_GET_INFO)
3488 reply_cmd = IPVS_CMD_SET_INFO;
3489 else if (cmd == IPVS_CMD_GET_CONFIG)
3490 reply_cmd = IPVS_CMD_SET_CONFIG;
3492 pr_err("unknown Generic Netlink command\n");
3496 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3500 mutex_lock(&__ip_vs_mutex);
3502 reply = genlmsg_put_reply(msg, info, &ip_vs_genl_family, 0, reply_cmd);
3504 goto nla_put_failure;
3507 case IPVS_CMD_GET_SERVICE:
3509 struct ip_vs_service *svc;
3511 svc = ip_vs_genl_find_service(net,
3512 info->attrs[IPVS_CMD_ATTR_SERVICE]);
3517 ret = ip_vs_genl_fill_service(msg, svc);
3519 goto nla_put_failure;
3528 case IPVS_CMD_GET_CONFIG:
3530 struct ip_vs_timeout_user t;
3532 __ip_vs_get_timeouts(net, &t);
3533 #ifdef CONFIG_IP_VS_PROTO_TCP
3534 if (nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP,
3536 nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP_FIN,
3538 goto nla_put_failure;
3540 #ifdef CONFIG_IP_VS_PROTO_UDP
3541 if (nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_UDP, t.udp_timeout))
3542 goto nla_put_failure;
3548 case IPVS_CMD_GET_INFO:
3549 if (nla_put_u32(msg, IPVS_INFO_ATTR_VERSION,
3550 IP_VS_VERSION_CODE) ||
3551 nla_put_u32(msg, IPVS_INFO_ATTR_CONN_TAB_SIZE,
3552 ip_vs_conn_tab_size))
3553 goto nla_put_failure;
3557 genlmsg_end(msg, reply);
3558 ret = genlmsg_reply(msg, info);
3562 pr_err("not enough space in Netlink message\n");
3568 mutex_unlock(&__ip_vs_mutex);
3574 static struct genl_ops ip_vs_genl_ops[] __read_mostly = {
3576 .cmd = IPVS_CMD_NEW_SERVICE,
3577 .flags = GENL_ADMIN_PERM,
3578 .policy = ip_vs_cmd_policy,
3579 .doit = ip_vs_genl_set_cmd,
3582 .cmd = IPVS_CMD_SET_SERVICE,
3583 .flags = GENL_ADMIN_PERM,
3584 .policy = ip_vs_cmd_policy,
3585 .doit = ip_vs_genl_set_cmd,
3588 .cmd = IPVS_CMD_DEL_SERVICE,
3589 .flags = GENL_ADMIN_PERM,
3590 .policy = ip_vs_cmd_policy,
3591 .doit = ip_vs_genl_set_cmd,
3594 .cmd = IPVS_CMD_GET_SERVICE,
3595 .flags = GENL_ADMIN_PERM,
3596 .doit = ip_vs_genl_get_cmd,
3597 .dumpit = ip_vs_genl_dump_services,
3598 .policy = ip_vs_cmd_policy,
3601 .cmd = IPVS_CMD_NEW_DEST,
3602 .flags = GENL_ADMIN_PERM,
3603 .policy = ip_vs_cmd_policy,
3604 .doit = ip_vs_genl_set_cmd,
3607 .cmd = IPVS_CMD_SET_DEST,
3608 .flags = GENL_ADMIN_PERM,
3609 .policy = ip_vs_cmd_policy,
3610 .doit = ip_vs_genl_set_cmd,
3613 .cmd = IPVS_CMD_DEL_DEST,
3614 .flags = GENL_ADMIN_PERM,
3615 .policy = ip_vs_cmd_policy,
3616 .doit = ip_vs_genl_set_cmd,
3619 .cmd = IPVS_CMD_GET_DEST,
3620 .flags = GENL_ADMIN_PERM,
3621 .policy = ip_vs_cmd_policy,
3622 .dumpit = ip_vs_genl_dump_dests,
3625 .cmd = IPVS_CMD_NEW_DAEMON,
3626 .flags = GENL_ADMIN_PERM,
3627 .policy = ip_vs_cmd_policy,
3628 .doit = ip_vs_genl_set_daemon,
3631 .cmd = IPVS_CMD_DEL_DAEMON,
3632 .flags = GENL_ADMIN_PERM,
3633 .policy = ip_vs_cmd_policy,
3634 .doit = ip_vs_genl_set_daemon,
3637 .cmd = IPVS_CMD_GET_DAEMON,
3638 .flags = GENL_ADMIN_PERM,
3639 .dumpit = ip_vs_genl_dump_daemons,
3642 .cmd = IPVS_CMD_SET_CONFIG,
3643 .flags = GENL_ADMIN_PERM,
3644 .policy = ip_vs_cmd_policy,
3645 .doit = ip_vs_genl_set_cmd,
3648 .cmd = IPVS_CMD_GET_CONFIG,
3649 .flags = GENL_ADMIN_PERM,
3650 .doit = ip_vs_genl_get_cmd,
3653 .cmd = IPVS_CMD_GET_INFO,
3654 .flags = GENL_ADMIN_PERM,
3655 .doit = ip_vs_genl_get_cmd,
3658 .cmd = IPVS_CMD_ZERO,
3659 .flags = GENL_ADMIN_PERM,
3660 .policy = ip_vs_cmd_policy,
3661 .doit = ip_vs_genl_set_cmd,
3664 .cmd = IPVS_CMD_FLUSH,
3665 .flags = GENL_ADMIN_PERM,
3666 .doit = ip_vs_genl_set_cmd,
3670 static int __init ip_vs_genl_register(void)
3672 return genl_register_family_with_ops(&ip_vs_genl_family,
3673 ip_vs_genl_ops, ARRAY_SIZE(ip_vs_genl_ops));
3676 static void ip_vs_genl_unregister(void)
3678 genl_unregister_family(&ip_vs_genl_family);
3681 /* End of Generic Netlink interface definitions */
3684 * per netns intit/exit func.
3686 #ifdef CONFIG_SYSCTL
3687 static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
3690 struct netns_ipvs *ipvs = net_ipvs(net);
3691 struct ctl_table *tbl;
3693 atomic_set(&ipvs->dropentry, 0);
3694 spin_lock_init(&ipvs->dropentry_lock);
3695 spin_lock_init(&ipvs->droppacket_lock);
3696 spin_lock_init(&ipvs->securetcp_lock);
3698 if (!net_eq(net, &init_net)) {
3699 tbl = kmemdup(vs_vars, sizeof(vs_vars), GFP_KERNEL);
3704 /* Initialize sysctl defaults */
3706 ipvs->sysctl_amemthresh = 1024;
3707 tbl[idx++].data = &ipvs->sysctl_amemthresh;
3708 ipvs->sysctl_am_droprate = 10;
3709 tbl[idx++].data = &ipvs->sysctl_am_droprate;
3710 tbl[idx++].data = &ipvs->sysctl_drop_entry;
3711 tbl[idx++].data = &ipvs->sysctl_drop_packet;
3712 #ifdef CONFIG_IP_VS_NFCT
3713 tbl[idx++].data = &ipvs->sysctl_conntrack;
3715 tbl[idx++].data = &ipvs->sysctl_secure_tcp;
3716 ipvs->sysctl_snat_reroute = 1;
3717 tbl[idx++].data = &ipvs->sysctl_snat_reroute;
3718 ipvs->sysctl_sync_ver = 1;
3719 tbl[idx++].data = &ipvs->sysctl_sync_ver;
3720 ipvs->sysctl_sync_ports = 1;
3721 tbl[idx++].data = &ipvs->sysctl_sync_ports;
3722 ipvs->sysctl_sync_qlen_max = nr_free_buffer_pages() / 32;
3723 tbl[idx++].data = &ipvs->sysctl_sync_qlen_max;
3724 ipvs->sysctl_sync_sock_size = 0;
3725 tbl[idx++].data = &ipvs->sysctl_sync_sock_size;
3726 tbl[idx++].data = &ipvs->sysctl_cache_bypass;
3727 tbl[idx++].data = &ipvs->sysctl_expire_nodest_conn;
3728 tbl[idx++].data = &ipvs->sysctl_expire_quiescent_template;
3729 ipvs->sysctl_sync_threshold[0] = DEFAULT_SYNC_THRESHOLD;
3730 ipvs->sysctl_sync_threshold[1] = DEFAULT_SYNC_PERIOD;
3731 tbl[idx].data = &ipvs->sysctl_sync_threshold;
3732 tbl[idx++].maxlen = sizeof(ipvs->sysctl_sync_threshold);
3733 ipvs->sysctl_sync_refresh_period = DEFAULT_SYNC_REFRESH_PERIOD;
3734 tbl[idx++].data = &ipvs->sysctl_sync_refresh_period;
3735 ipvs->sysctl_sync_retries = clamp_t(int, DEFAULT_SYNC_RETRIES, 0, 3);
3736 tbl[idx++].data = &ipvs->sysctl_sync_retries;
3737 tbl[idx++].data = &ipvs->sysctl_nat_icmp_send;
3738 ipvs->sysctl_pmtu_disc = 1;
3739 tbl[idx++].data = &ipvs->sysctl_pmtu_disc;
3742 ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);
3743 if (ipvs->sysctl_hdr == NULL) {
3744 if (!net_eq(net, &init_net))
3748 ip_vs_start_estimator(net, &ipvs->tot_stats);
3749 ipvs->sysctl_tbl = tbl;
3750 /* Schedule defense work */
3751 INIT_DELAYED_WORK(&ipvs->defense_work, defense_work_handler);
3752 schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
3757 static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
3759 struct netns_ipvs *ipvs = net_ipvs(net);
3761 cancel_delayed_work_sync(&ipvs->defense_work);
3762 cancel_work_sync(&ipvs->defense_work.work);
3763 unregister_net_sysctl_table(ipvs->sysctl_hdr);
3768 static int __net_init ip_vs_control_net_init_sysctl(struct net *net) { return 0; }
3769 static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net) { }
3773 static struct notifier_block ip_vs_dst_notifier = {
3774 .notifier_call = ip_vs_dst_event,
3777 int __net_init ip_vs_control_net_init(struct net *net)
3780 struct netns_ipvs *ipvs = net_ipvs(net);
3782 rwlock_init(&ipvs->rs_lock);
3784 /* Initialize rs_table */
3785 for (idx = 0; idx < IP_VS_RTAB_SIZE; idx++)
3786 INIT_LIST_HEAD(&ipvs->rs_table[idx]);
3788 INIT_LIST_HEAD(&ipvs->dest_trash);
3789 atomic_set(&ipvs->ftpsvc_counter, 0);
3790 atomic_set(&ipvs->nullsvc_counter, 0);
3793 ipvs->tot_stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
3794 if (!ipvs->tot_stats.cpustats)
3797 spin_lock_init(&ipvs->tot_stats.lock);
3799 proc_net_fops_create(net, "ip_vs", 0, &ip_vs_info_fops);
3800 proc_net_fops_create(net, "ip_vs_stats", 0, &ip_vs_stats_fops);
3801 proc_net_fops_create(net, "ip_vs_stats_percpu", 0,
3802 &ip_vs_stats_percpu_fops);
3804 if (ip_vs_control_net_init_sysctl(net))
3810 free_percpu(ipvs->tot_stats.cpustats);
3814 void __net_exit ip_vs_control_net_cleanup(struct net *net)
3816 struct netns_ipvs *ipvs = net_ipvs(net);
3818 ip_vs_trash_cleanup(net);
3819 ip_vs_stop_estimator(net, &ipvs->tot_stats);
3820 ip_vs_control_net_cleanup_sysctl(net);
3821 proc_net_remove(net, "ip_vs_stats_percpu");
3822 proc_net_remove(net, "ip_vs_stats");
3823 proc_net_remove(net, "ip_vs");
3824 free_percpu(ipvs->tot_stats.cpustats);
3827 int __init ip_vs_register_nl_ioctl(void)
3831 ret = nf_register_sockopt(&ip_vs_sockopts);
3833 pr_err("cannot register sockopt.\n");
3837 ret = ip_vs_genl_register();
3839 pr_err("cannot register Generic Netlink interface.\n");
3845 nf_unregister_sockopt(&ip_vs_sockopts);
3850 void ip_vs_unregister_nl_ioctl(void)
3852 ip_vs_genl_unregister();
3853 nf_unregister_sockopt(&ip_vs_sockopts);
3856 int __init ip_vs_control_init(void)
3863 /* Initialize svc_table, ip_vs_svc_fwm_table, rs_table */
3864 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
3865 INIT_LIST_HEAD(&ip_vs_svc_table[idx]);
3866 INIT_LIST_HEAD(&ip_vs_svc_fwm_table[idx]);
3869 smp_wmb(); /* Do we really need it now ? */
3871 ret = register_netdevice_notifier(&ip_vs_dst_notifier);
3880 void ip_vs_control_cleanup(void)
3883 unregister_netdevice_notifier(&ip_vs_dst_notifier);
projects / platform / adaptation / renesas_rcar / renesas_kernel.git / blob