2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the NetFilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
21 #define KMSG_COMPONENT "IPVS"
22 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
24 #include <linux/module.h>
25 #include <linux/init.h>
26 #include <linux/types.h>
27 #include <linux/capability.h>
29 #include <linux/sysctl.h>
30 #include <linux/proc_fs.h>
31 #include <linux/workqueue.h>
32 #include <linux/swap.h>
33 #include <linux/seq_file.h>
34 #include <linux/slab.h>
36 #include <linux/netfilter.h>
37 #include <linux/netfilter_ipv4.h>
38 #include <linux/mutex.h>
40 #include <net/net_namespace.h>
41 #include <linux/nsproxy.h>
43 #ifdef CONFIG_IP_VS_IPV6
45 #include <net/ip6_route.h>
47 #include <net/route.h>
49 #include <net/genetlink.h>
51 #include <asm/uaccess.h>
53 #include <net/ip_vs.h>
55 /* semaphore for IPVS sockopts. And, [gs]etsockopt may sleep. */
56 static DEFINE_MUTEX(__ip_vs_mutex);
58 /* lock for service table */
59 static DEFINE_RWLOCK(__ip_vs_svc_lock);
61 /* sysctl variables */
63 #ifdef CONFIG_IP_VS_DEBUG
64 static int sysctl_ip_vs_debug_level = 0;
66 int ip_vs_get_debug_level(void)
68 return sysctl_ip_vs_debug_level;
74 static void __ip_vs_del_service(struct ip_vs_service *svc);
77 #ifdef CONFIG_IP_VS_IPV6
78 /* Taken from rt6_fill_node() in net/ipv6/route.c, is there a better way? */
79 static bool __ip_vs_addr_is_local_v6(struct net *net,
80 const struct in6_addr *addr)
85 struct dst_entry *dst = ip6_route_output(net, NULL, &fl6);
88 is_local = !dst->error && dst->dev && (dst->dev->flags & IFF_LOOPBACK);
97 * update_defense_level is called from keventd and from sysctl,
98 * so it needs to protect itself from softirqs
100 static void update_defense_level(struct netns_ipvs *ipvs)
103 static int old_secure_tcp = 0;
108 /* we only count free and buffered memory (in pages) */
110 availmem = i.freeram + i.bufferram;
111 /* however in linux 2.5 the i.bufferram is total page cache size,
113 /* si_swapinfo(&i); */
114 /* availmem = availmem - (i.totalswap - i.freeswap); */
116 nomem = (availmem < ipvs->sysctl_amemthresh);
121 spin_lock(&ipvs->dropentry_lock);
122 switch (ipvs->sysctl_drop_entry) {
124 atomic_set(&ipvs->dropentry, 0);
128 atomic_set(&ipvs->dropentry, 1);
129 ipvs->sysctl_drop_entry = 2;
131 atomic_set(&ipvs->dropentry, 0);
136 atomic_set(&ipvs->dropentry, 1);
138 atomic_set(&ipvs->dropentry, 0);
139 ipvs->sysctl_drop_entry = 1;
143 atomic_set(&ipvs->dropentry, 1);
146 spin_unlock(&ipvs->dropentry_lock);
149 spin_lock(&ipvs->droppacket_lock);
150 switch (ipvs->sysctl_drop_packet) {
156 ipvs->drop_rate = ipvs->drop_counter
157 = ipvs->sysctl_amemthresh /
158 (ipvs->sysctl_amemthresh-availmem);
159 ipvs->sysctl_drop_packet = 2;
166 ipvs->drop_rate = ipvs->drop_counter
167 = ipvs->sysctl_amemthresh /
168 (ipvs->sysctl_amemthresh-availmem);
171 ipvs->sysctl_drop_packet = 1;
175 ipvs->drop_rate = ipvs->sysctl_am_droprate;
178 spin_unlock(&ipvs->droppacket_lock);
181 spin_lock(&ipvs->securetcp_lock);
182 switch (ipvs->sysctl_secure_tcp) {
184 if (old_secure_tcp >= 2)
189 if (old_secure_tcp < 2)
191 ipvs->sysctl_secure_tcp = 2;
193 if (old_secure_tcp >= 2)
199 if (old_secure_tcp < 2)
202 if (old_secure_tcp >= 2)
204 ipvs->sysctl_secure_tcp = 1;
208 if (old_secure_tcp < 2)
212 old_secure_tcp = ipvs->sysctl_secure_tcp;
214 ip_vs_protocol_timeout_change(ipvs,
215 ipvs->sysctl_secure_tcp > 1);
216 spin_unlock(&ipvs->securetcp_lock);
223 * Timer for checking the defense
225 #define DEFENSE_TIMER_PERIOD 1*HZ
227 static void defense_work_handler(struct work_struct *work)
229 struct netns_ipvs *ipvs =
230 container_of(work, struct netns_ipvs, defense_work.work);
232 update_defense_level(ipvs);
233 if (atomic_read(&ipvs->dropentry))
234 ip_vs_random_dropentry(ipvs->net);
235 schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
240 ip_vs_use_count_inc(void)
242 return try_module_get(THIS_MODULE);
246 ip_vs_use_count_dec(void)
248 module_put(THIS_MODULE);
253 * Hash table: for virtual service lookups
255 #define IP_VS_SVC_TAB_BITS 8
256 #define IP_VS_SVC_TAB_SIZE (1 << IP_VS_SVC_TAB_BITS)
257 #define IP_VS_SVC_TAB_MASK (IP_VS_SVC_TAB_SIZE - 1)
259 /* the service table hashed by <protocol, addr, port> */
260 static struct list_head ip_vs_svc_table[IP_VS_SVC_TAB_SIZE];
261 /* the service table hashed by fwmark */
262 static struct list_head ip_vs_svc_fwm_table[IP_VS_SVC_TAB_SIZE];
266 * Returns hash value for virtual service
268 static inline unsigned int
269 ip_vs_svc_hashkey(struct net *net, int af, unsigned int proto,
270 const union nf_inet_addr *addr, __be16 port)
272 register unsigned int porth = ntohs(port);
273 __be32 addr_fold = addr->ip;
276 #ifdef CONFIG_IP_VS_IPV6
278 addr_fold = addr->ip6[0]^addr->ip6[1]^
279 addr->ip6[2]^addr->ip6[3];
281 ahash = ntohl(addr_fold);
282 ahash ^= ((size_t) net >> 8);
284 return (proto ^ ahash ^ (porth >> IP_VS_SVC_TAB_BITS) ^ porth) &
289 * Returns hash value of fwmark for virtual service lookup
291 static inline unsigned int ip_vs_svc_fwm_hashkey(struct net *net, __u32 fwmark)
293 return (((size_t)net>>8) ^ fwmark) & IP_VS_SVC_TAB_MASK;
297 * Hashes a service in the ip_vs_svc_table by <netns,proto,addr,port>
298 * or in the ip_vs_svc_fwm_table by fwmark.
299 * Should be called with locked tables.
301 static int ip_vs_svc_hash(struct ip_vs_service *svc)
305 if (svc->flags & IP_VS_SVC_F_HASHED) {
306 pr_err("%s(): request for already hashed, called from %pF\n",
307 __func__, __builtin_return_address(0));
311 if (svc->fwmark == 0) {
313 * Hash it by <netns,protocol,addr,port> in ip_vs_svc_table
315 hash = ip_vs_svc_hashkey(svc->net, svc->af, svc->protocol,
316 &svc->addr, svc->port);
317 list_add(&svc->s_list, &ip_vs_svc_table[hash]);
320 * Hash it by fwmark in svc_fwm_table
322 hash = ip_vs_svc_fwm_hashkey(svc->net, svc->fwmark);
323 list_add(&svc->f_list, &ip_vs_svc_fwm_table[hash]);
326 svc->flags |= IP_VS_SVC_F_HASHED;
327 /* increase its refcnt because it is referenced by the svc table */
328 atomic_inc(&svc->refcnt);
334 * Unhashes a service from svc_table / svc_fwm_table.
335 * Should be called with locked tables.
337 static int ip_vs_svc_unhash(struct ip_vs_service *svc)
339 if (!(svc->flags & IP_VS_SVC_F_HASHED)) {
340 pr_err("%s(): request for unhash flagged, called from %pF\n",
341 __func__, __builtin_return_address(0));
345 if (svc->fwmark == 0) {
346 /* Remove it from the svc_table table */
347 list_del(&svc->s_list);
349 /* Remove it from the svc_fwm_table table */
350 list_del(&svc->f_list);
353 svc->flags &= ~IP_VS_SVC_F_HASHED;
354 atomic_dec(&svc->refcnt);
360 * Get service by {netns, proto,addr,port} in the service table.
362 static inline struct ip_vs_service *
363 __ip_vs_service_find(struct net *net, int af, __u16 protocol,
364 const union nf_inet_addr *vaddr, __be16 vport)
367 struct ip_vs_service *svc;
369 /* Check for "full" addressed entries */
370 hash = ip_vs_svc_hashkey(net, af, protocol, vaddr, vport);
372 list_for_each_entry(svc, &ip_vs_svc_table[hash], s_list){
374 && ip_vs_addr_equal(af, &svc->addr, vaddr)
375 && (svc->port == vport)
376 && (svc->protocol == protocol)
377 && net_eq(svc->net, net)) {
388 * Get service by {fwmark} in the service table.
390 static inline struct ip_vs_service *
391 __ip_vs_svc_fwm_find(struct net *net, int af, __u32 fwmark)
394 struct ip_vs_service *svc;
396 /* Check for fwmark addressed entries */
397 hash = ip_vs_svc_fwm_hashkey(net, fwmark);
399 list_for_each_entry(svc, &ip_vs_svc_fwm_table[hash], f_list) {
400 if (svc->fwmark == fwmark && svc->af == af
401 && net_eq(svc->net, net)) {
410 struct ip_vs_service *
411 ip_vs_service_get(struct net *net, int af, __u32 fwmark, __u16 protocol,
412 const union nf_inet_addr *vaddr, __be16 vport)
414 struct ip_vs_service *svc;
415 struct netns_ipvs *ipvs = net_ipvs(net);
417 read_lock(&__ip_vs_svc_lock);
420 * Check the table hashed by fwmark first
423 svc = __ip_vs_svc_fwm_find(net, af, fwmark);
429 * Check the table hashed by <protocol,addr,port>
430 * for "full" addressed entries
432 svc = __ip_vs_service_find(net, af, protocol, vaddr, vport);
435 && protocol == IPPROTO_TCP
436 && atomic_read(&ipvs->ftpsvc_counter)
437 && (vport == FTPDATA || ntohs(vport) >= PROT_SOCK)) {
439 * Check if ftp service entry exists, the packet
440 * might belong to FTP data connections.
442 svc = __ip_vs_service_find(net, af, protocol, vaddr, FTPPORT);
446 && atomic_read(&ipvs->nullsvc_counter)) {
448 * Check if the catch-all port (port zero) exists
450 svc = __ip_vs_service_find(net, af, protocol, vaddr, 0);
455 atomic_inc(&svc->usecnt);
456 read_unlock(&__ip_vs_svc_lock);
458 IP_VS_DBG_BUF(9, "lookup service: fwm %u %s %s:%u %s\n",
459 fwmark, ip_vs_proto_name(protocol),
460 IP_VS_DBG_ADDR(af, vaddr), ntohs(vport),
461 svc ? "hit" : "not hit");
468 __ip_vs_bind_svc(struct ip_vs_dest *dest, struct ip_vs_service *svc)
470 atomic_inc(&svc->refcnt);
475 __ip_vs_unbind_svc(struct ip_vs_dest *dest)
477 struct ip_vs_service *svc = dest->svc;
480 if (atomic_dec_and_test(&svc->refcnt)) {
481 IP_VS_DBG_BUF(3, "Removing service %u/%s:%u usecnt=%d\n",
483 IP_VS_DBG_ADDR(svc->af, &svc->addr),
484 ntohs(svc->port), atomic_read(&svc->usecnt));
485 free_percpu(svc->stats.cpustats);
492 * Returns hash value for real service
494 static inline unsigned int ip_vs_rs_hashkey(int af,
495 const union nf_inet_addr *addr,
498 register unsigned int porth = ntohs(port);
499 __be32 addr_fold = addr->ip;
501 #ifdef CONFIG_IP_VS_IPV6
503 addr_fold = addr->ip6[0]^addr->ip6[1]^
504 addr->ip6[2]^addr->ip6[3];
507 return (ntohl(addr_fold)^(porth>>IP_VS_RTAB_BITS)^porth)
512 * Hashes ip_vs_dest in rs_table by <proto,addr,port>.
513 * should be called with locked tables.
515 static int ip_vs_rs_hash(struct netns_ipvs *ipvs, struct ip_vs_dest *dest)
519 if (!list_empty(&dest->d_list)) {
524 * Hash by proto,addr,port,
525 * which are the parameters of the real service.
527 hash = ip_vs_rs_hashkey(dest->af, &dest->addr, dest->port);
529 list_add(&dest->d_list, &ipvs->rs_table[hash]);
535 * UNhashes ip_vs_dest from rs_table.
536 * should be called with locked tables.
538 static int ip_vs_rs_unhash(struct ip_vs_dest *dest)
541 * Remove it from the rs_table table.
543 if (!list_empty(&dest->d_list)) {
544 list_del_init(&dest->d_list);
551 * Lookup real service by <proto,addr,port> in the real service table.
554 ip_vs_lookup_real_service(struct net *net, int af, __u16 protocol,
555 const union nf_inet_addr *daddr,
558 struct netns_ipvs *ipvs = net_ipvs(net);
560 struct ip_vs_dest *dest;
563 * Check for "full" addressed entries
564 * Return the first found entry
566 hash = ip_vs_rs_hashkey(af, daddr, dport);
568 read_lock(&ipvs->rs_lock);
569 list_for_each_entry(dest, &ipvs->rs_table[hash], d_list) {
571 && ip_vs_addr_equal(af, &dest->addr, daddr)
572 && (dest->port == dport)
573 && ((dest->protocol == protocol) ||
576 read_unlock(&ipvs->rs_lock);
580 read_unlock(&ipvs->rs_lock);
586 * Lookup destination by {addr,port} in the given service
588 static struct ip_vs_dest *
589 ip_vs_lookup_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
592 struct ip_vs_dest *dest;
595 * Find the destination for the given service
597 list_for_each_entry(dest, &svc->destinations, n_list) {
598 if ((dest->af == svc->af)
599 && ip_vs_addr_equal(svc->af, &dest->addr, daddr)
600 && (dest->port == dport)) {
610 * Find destination by {daddr,dport,vaddr,protocol}
611 * Cretaed to be used in ip_vs_process_message() in
612 * the backup synchronization daemon. It finds the
613 * destination to be bound to the received connection
616 * ip_vs_lookup_real_service() looked promissing, but
617 * seems not working as expected.
619 struct ip_vs_dest *ip_vs_find_dest(struct net *net, int af,
620 const union nf_inet_addr *daddr,
622 const union nf_inet_addr *vaddr,
623 __be16 vport, __u16 protocol, __u32 fwmark,
626 struct ip_vs_dest *dest;
627 struct ip_vs_service *svc;
630 svc = ip_vs_service_get(net, af, fwmark, protocol, vaddr, vport);
633 if (fwmark && (flags & IP_VS_CONN_F_FWD_MASK) != IP_VS_CONN_F_MASQ)
635 dest = ip_vs_lookup_dest(svc, daddr, port);
637 dest = ip_vs_lookup_dest(svc, daddr, port ^ dport);
639 atomic_inc(&dest->refcnt);
640 ip_vs_service_put(svc);
644 /* Release dst_cache for dest in user context */
645 static void __ip_vs_dst_cache_reset(struct ip_vs_dest *dest)
647 struct dst_entry *old_dst;
649 old_dst = dest->dst_cache;
650 dest->dst_cache = NULL;
651 dst_release(old_dst);
652 dest->dst_saddr.ip = 0;
656 * Lookup dest by {svc,addr,port} in the destination trash.
657 * The destination trash is used to hold the destinations that are removed
658 * from the service table but are still referenced by some conn entries.
659 * The reason to add the destination trash is when the dest is temporary
660 * down (either by administrator or by monitor program), the dest can be
661 * picked back from the trash, the remaining connections to the dest can
662 * continue, and the counting information of the dest is also useful for
665 static struct ip_vs_dest *
666 ip_vs_trash_get_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
669 struct ip_vs_dest *dest, *nxt;
670 struct netns_ipvs *ipvs = net_ipvs(svc->net);
673 * Find the destination in trash
675 list_for_each_entry_safe(dest, nxt, &ipvs->dest_trash, n_list) {
676 IP_VS_DBG_BUF(3, "Destination %u/%s:%u still in trash, "
679 IP_VS_DBG_ADDR(svc->af, &dest->addr),
681 atomic_read(&dest->refcnt));
682 if (dest->af == svc->af &&
683 ip_vs_addr_equal(svc->af, &dest->addr, daddr) &&
684 dest->port == dport &&
685 dest->vfwmark == svc->fwmark &&
686 dest->protocol == svc->protocol &&
688 (ip_vs_addr_equal(svc->af, &dest->vaddr, &svc->addr) &&
689 dest->vport == svc->port))) {
695 * Try to purge the destination from trash if not referenced
697 if (atomic_read(&dest->refcnt) == 1) {
698 IP_VS_DBG_BUF(3, "Removing destination %u/%s:%u "
701 IP_VS_DBG_ADDR(svc->af, &dest->addr),
703 list_del(&dest->n_list);
704 __ip_vs_dst_cache_reset(dest);
705 __ip_vs_unbind_svc(dest);
706 free_percpu(dest->stats.cpustats);
716 * Clean up all the destinations in the trash
717 * Called by the ip_vs_control_cleanup()
719 * When the ip_vs_control_clearup is activated by ipvs module exit,
720 * the service tables must have been flushed and all the connections
721 * are expired, and the refcnt of each destination in the trash must
722 * be 1, so we simply release them here.
724 static void ip_vs_trash_cleanup(struct net *net)
726 struct ip_vs_dest *dest, *nxt;
727 struct netns_ipvs *ipvs = net_ipvs(net);
729 list_for_each_entry_safe(dest, nxt, &ipvs->dest_trash, n_list) {
730 list_del(&dest->n_list);
731 __ip_vs_dst_cache_reset(dest);
732 __ip_vs_unbind_svc(dest);
733 free_percpu(dest->stats.cpustats);
739 ip_vs_copy_stats(struct ip_vs_stats_user *dst, struct ip_vs_stats *src)
741 #define IP_VS_SHOW_STATS_COUNTER(c) dst->c = src->ustats.c - src->ustats0.c
743 spin_lock_bh(&src->lock);
745 IP_VS_SHOW_STATS_COUNTER(conns);
746 IP_VS_SHOW_STATS_COUNTER(inpkts);
747 IP_VS_SHOW_STATS_COUNTER(outpkts);
748 IP_VS_SHOW_STATS_COUNTER(inbytes);
749 IP_VS_SHOW_STATS_COUNTER(outbytes);
751 ip_vs_read_estimator(dst, src);
753 spin_unlock_bh(&src->lock);
757 ip_vs_zero_stats(struct ip_vs_stats *stats)
759 spin_lock_bh(&stats->lock);
761 /* get current counters as zero point, rates are zeroed */
763 #define IP_VS_ZERO_STATS_COUNTER(c) stats->ustats0.c = stats->ustats.c
765 IP_VS_ZERO_STATS_COUNTER(conns);
766 IP_VS_ZERO_STATS_COUNTER(inpkts);
767 IP_VS_ZERO_STATS_COUNTER(outpkts);
768 IP_VS_ZERO_STATS_COUNTER(inbytes);
769 IP_VS_ZERO_STATS_COUNTER(outbytes);
771 ip_vs_zero_estimator(stats);
773 spin_unlock_bh(&stats->lock);
777 * Update a destination in the given service
780 __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
781 struct ip_vs_dest_user_kern *udest, int add)
783 struct netns_ipvs *ipvs = net_ipvs(svc->net);
786 /* set the weight and the flags */
787 atomic_set(&dest->weight, udest->weight);
788 conn_flags = udest->conn_flags & IP_VS_CONN_F_DEST_MASK;
789 conn_flags |= IP_VS_CONN_F_INACTIVE;
791 /* set the IP_VS_CONN_F_NOOUTPUT flag if not masquerading/NAT */
792 if ((conn_flags & IP_VS_CONN_F_FWD_MASK) != IP_VS_CONN_F_MASQ) {
793 conn_flags |= IP_VS_CONN_F_NOOUTPUT;
796 * Put the real service in rs_table if not present.
797 * For now only for NAT!
799 write_lock_bh(&ipvs->rs_lock);
800 ip_vs_rs_hash(ipvs, dest);
801 write_unlock_bh(&ipvs->rs_lock);
803 atomic_set(&dest->conn_flags, conn_flags);
805 /* bind the service */
807 __ip_vs_bind_svc(dest, svc);
809 if (dest->svc != svc) {
810 __ip_vs_unbind_svc(dest);
811 ip_vs_zero_stats(&dest->stats);
812 __ip_vs_bind_svc(dest, svc);
816 /* set the dest status flags */
817 dest->flags |= IP_VS_DEST_F_AVAILABLE;
819 if (udest->u_threshold == 0 || udest->u_threshold > dest->u_threshold)
820 dest->flags &= ~IP_VS_DEST_F_OVERLOAD;
821 dest->u_threshold = udest->u_threshold;
822 dest->l_threshold = udest->l_threshold;
824 spin_lock_bh(&dest->dst_lock);
825 __ip_vs_dst_cache_reset(dest);
826 spin_unlock_bh(&dest->dst_lock);
829 ip_vs_start_estimator(svc->net, &dest->stats);
831 write_lock_bh(&__ip_vs_svc_lock);
833 /* Wait until all other svc users go away */
834 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
837 list_add(&dest->n_list, &svc->destinations);
841 /* call the update_service, because server weight may be changed */
842 if (svc->scheduler->update_service)
843 svc->scheduler->update_service(svc);
845 write_unlock_bh(&__ip_vs_svc_lock);
850 * Create a destination for the given service
853 ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
854 struct ip_vs_dest **dest_p)
856 struct ip_vs_dest *dest;
861 #ifdef CONFIG_IP_VS_IPV6
862 if (svc->af == AF_INET6) {
863 atype = ipv6_addr_type(&udest->addr.in6);
864 if ((!(atype & IPV6_ADDR_UNICAST) ||
865 atype & IPV6_ADDR_LINKLOCAL) &&
866 !__ip_vs_addr_is_local_v6(svc->net, &udest->addr.in6))
871 atype = inet_addr_type(svc->net, udest->addr.ip);
872 if (atype != RTN_LOCAL && atype != RTN_UNICAST)
876 dest = kzalloc(sizeof(struct ip_vs_dest), GFP_KERNEL);
880 dest->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
881 if (!dest->stats.cpustats)
885 dest->protocol = svc->protocol;
886 dest->vaddr = svc->addr;
887 dest->vport = svc->port;
888 dest->vfwmark = svc->fwmark;
889 ip_vs_addr_copy(svc->af, &dest->addr, &udest->addr);
890 dest->port = udest->port;
892 atomic_set(&dest->activeconns, 0);
893 atomic_set(&dest->inactconns, 0);
894 atomic_set(&dest->persistconns, 0);
895 atomic_set(&dest->refcnt, 1);
897 INIT_LIST_HEAD(&dest->d_list);
898 spin_lock_init(&dest->dst_lock);
899 spin_lock_init(&dest->stats.lock);
900 __ip_vs_update_dest(svc, dest, udest, 1);
914 * Add a destination into an existing service
917 ip_vs_add_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
919 struct ip_vs_dest *dest;
920 union nf_inet_addr daddr;
921 __be16 dport = udest->port;
926 if (udest->weight < 0) {
927 pr_err("%s(): server weight less than zero\n", __func__);
931 if (udest->l_threshold > udest->u_threshold) {
932 pr_err("%s(): lower threshold is higher than upper threshold\n",
937 ip_vs_addr_copy(svc->af, &daddr, &udest->addr);
940 * Check if the dest already exists in the list
942 dest = ip_vs_lookup_dest(svc, &daddr, dport);
945 IP_VS_DBG(1, "%s(): dest already exists\n", __func__);
950 * Check if the dest already exists in the trash and
951 * is from the same service
953 dest = ip_vs_trash_get_dest(svc, &daddr, dport);
956 IP_VS_DBG_BUF(3, "Get destination %s:%u from trash, "
957 "dest->refcnt=%d, service %u/%s:%u\n",
958 IP_VS_DBG_ADDR(svc->af, &daddr), ntohs(dport),
959 atomic_read(&dest->refcnt),
961 IP_VS_DBG_ADDR(svc->af, &dest->vaddr),
965 * Get the destination from the trash
967 list_del(&dest->n_list);
969 __ip_vs_update_dest(svc, dest, udest, 1);
973 * Allocate and initialize the dest structure
975 ret = ip_vs_new_dest(svc, udest, &dest);
984 * Edit a destination in the given service
987 ip_vs_edit_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
989 struct ip_vs_dest *dest;
990 union nf_inet_addr daddr;
991 __be16 dport = udest->port;
995 if (udest->weight < 0) {
996 pr_err("%s(): server weight less than zero\n", __func__);
1000 if (udest->l_threshold > udest->u_threshold) {
1001 pr_err("%s(): lower threshold is higher than upper threshold\n",
1006 ip_vs_addr_copy(svc->af, &daddr, &udest->addr);
1009 * Lookup the destination list
1011 dest = ip_vs_lookup_dest(svc, &daddr, dport);
1014 IP_VS_DBG(1, "%s(): dest doesn't exist\n", __func__);
1018 __ip_vs_update_dest(svc, dest, udest, 0);
1026 * Delete a destination (must be already unlinked from the service)
1028 static void __ip_vs_del_dest(struct net *net, struct ip_vs_dest *dest)
1030 struct netns_ipvs *ipvs = net_ipvs(net);
1032 ip_vs_stop_estimator(net, &dest->stats);
1035 * Remove it from the d-linked list with the real services.
1037 write_lock_bh(&ipvs->rs_lock);
1038 ip_vs_rs_unhash(dest);
1039 write_unlock_bh(&ipvs->rs_lock);
1042 * Decrease the refcnt of the dest, and free the dest
1043 * if nobody refers to it (refcnt=0). Otherwise, throw
1044 * the destination into the trash.
1046 if (atomic_dec_and_test(&dest->refcnt)) {
1047 IP_VS_DBG_BUF(3, "Removing destination %u/%s:%u\n",
1049 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1051 __ip_vs_dst_cache_reset(dest);
1052 /* simply decrease svc->refcnt here, let the caller check
1053 and release the service if nobody refers to it.
1054 Only user context can release destination and service,
1055 and only one user context can update virtual service at a
1056 time, so the operation here is OK */
1057 atomic_dec(&dest->svc->refcnt);
1058 free_percpu(dest->stats.cpustats);
1061 IP_VS_DBG_BUF(3, "Moving dest %s:%u into trash, "
1062 "dest->refcnt=%d\n",
1063 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1065 atomic_read(&dest->refcnt));
1066 list_add(&dest->n_list, &ipvs->dest_trash);
1067 atomic_inc(&dest->refcnt);
1073 * Unlink a destination from the given service
1075 static void __ip_vs_unlink_dest(struct ip_vs_service *svc,
1076 struct ip_vs_dest *dest,
1079 dest->flags &= ~IP_VS_DEST_F_AVAILABLE;
1082 * Remove it from the d-linked destination list.
1084 list_del(&dest->n_list);
1088 * Call the update_service function of its scheduler
1090 if (svcupd && svc->scheduler->update_service)
1091 svc->scheduler->update_service(svc);
1096 * Delete a destination server in the given service
1099 ip_vs_del_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
1101 struct ip_vs_dest *dest;
1102 __be16 dport = udest->port;
1106 dest = ip_vs_lookup_dest(svc, &udest->addr, dport);
1109 IP_VS_DBG(1, "%s(): destination not found!\n", __func__);
1113 write_lock_bh(&__ip_vs_svc_lock);
1116 * Wait until all other svc users go away.
1118 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1121 * Unlink dest from the service
1123 __ip_vs_unlink_dest(svc, dest, 1);
1125 write_unlock_bh(&__ip_vs_svc_lock);
1128 * Delete the destination
1130 __ip_vs_del_dest(svc->net, dest);
1139 * Add a service into the service hash table
1142 ip_vs_add_service(struct net *net, struct ip_vs_service_user_kern *u,
1143 struct ip_vs_service **svc_p)
1146 struct ip_vs_scheduler *sched = NULL;
1147 struct ip_vs_pe *pe = NULL;
1148 struct ip_vs_service *svc = NULL;
1149 struct netns_ipvs *ipvs = net_ipvs(net);
1151 /* increase the module use count */
1152 ip_vs_use_count_inc();
1154 /* Lookup the scheduler by 'u->sched_name' */
1155 sched = ip_vs_scheduler_get(u->sched_name);
1156 if (sched == NULL) {
1157 pr_info("Scheduler module ip_vs_%s not found\n", u->sched_name);
1162 if (u->pe_name && *u->pe_name) {
1163 pe = ip_vs_pe_getbyname(u->pe_name);
1165 pr_info("persistence engine module ip_vs_pe_%s "
1166 "not found\n", u->pe_name);
1172 #ifdef CONFIG_IP_VS_IPV6
1173 if (u->af == AF_INET6 && (u->netmask < 1 || u->netmask > 128)) {
1179 svc = kzalloc(sizeof(struct ip_vs_service), GFP_KERNEL);
1181 IP_VS_DBG(1, "%s(): no memory\n", __func__);
1185 svc->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
1186 if (!svc->stats.cpustats) {
1191 /* I'm the first user of the service */
1192 atomic_set(&svc->usecnt, 0);
1193 atomic_set(&svc->refcnt, 0);
1196 svc->protocol = u->protocol;
1197 ip_vs_addr_copy(svc->af, &svc->addr, &u->addr);
1198 svc->port = u->port;
1199 svc->fwmark = u->fwmark;
1200 svc->flags = u->flags;
1201 svc->timeout = u->timeout * HZ;
1202 svc->netmask = u->netmask;
1205 INIT_LIST_HEAD(&svc->destinations);
1206 rwlock_init(&svc->sched_lock);
1207 spin_lock_init(&svc->stats.lock);
1209 /* Bind the scheduler */
1210 ret = ip_vs_bind_scheduler(svc, sched);
1215 /* Bind the ct retriever */
1216 ip_vs_bind_pe(svc, pe);
1219 /* Update the virtual service counters */
1220 if (svc->port == FTPPORT)
1221 atomic_inc(&ipvs->ftpsvc_counter);
1222 else if (svc->port == 0)
1223 atomic_inc(&ipvs->nullsvc_counter);
1225 ip_vs_start_estimator(net, &svc->stats);
1227 /* Count only IPv4 services for old get/setsockopt interface */
1228 if (svc->af == AF_INET)
1229 ipvs->num_services++;
1231 /* Hash the service into the service table */
1232 write_lock_bh(&__ip_vs_svc_lock);
1233 ip_vs_svc_hash(svc);
1234 write_unlock_bh(&__ip_vs_svc_lock);
1237 /* Now there is a service - full throttle */
1244 ip_vs_unbind_scheduler(svc);
1247 ip_vs_app_inc_put(svc->inc);
1250 if (svc->stats.cpustats)
1251 free_percpu(svc->stats.cpustats);
1254 ip_vs_scheduler_put(sched);
1257 /* decrease the module use count */
1258 ip_vs_use_count_dec();
1265 * Edit a service and bind it with a new scheduler
1268 ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)
1270 struct ip_vs_scheduler *sched, *old_sched;
1271 struct ip_vs_pe *pe = NULL, *old_pe = NULL;
1275 * Lookup the scheduler, by 'u->sched_name'
1277 sched = ip_vs_scheduler_get(u->sched_name);
1278 if (sched == NULL) {
1279 pr_info("Scheduler module ip_vs_%s not found\n", u->sched_name);
1284 if (u->pe_name && *u->pe_name) {
1285 pe = ip_vs_pe_getbyname(u->pe_name);
1287 pr_info("persistence engine module ip_vs_pe_%s "
1288 "not found\n", u->pe_name);
1295 #ifdef CONFIG_IP_VS_IPV6
1296 if (u->af == AF_INET6 && (u->netmask < 1 || u->netmask > 128)) {
1302 write_lock_bh(&__ip_vs_svc_lock);
1305 * Wait until all other svc users go away.
1307 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1310 * Set the flags and timeout value
1312 svc->flags = u->flags | IP_VS_SVC_F_HASHED;
1313 svc->timeout = u->timeout * HZ;
1314 svc->netmask = u->netmask;
1316 old_sched = svc->scheduler;
1317 if (sched != old_sched) {
1319 * Unbind the old scheduler
1321 if ((ret = ip_vs_unbind_scheduler(svc))) {
1327 * Bind the new scheduler
1329 if ((ret = ip_vs_bind_scheduler(svc, sched))) {
1331 * If ip_vs_bind_scheduler fails, restore the old
1333 * The main reason of failure is out of memory.
1335 * The question is if the old scheduler can be
1336 * restored all the time. TODO: if it cannot be
1337 * restored some time, we must delete the service,
1338 * otherwise the system may crash.
1340 ip_vs_bind_scheduler(svc, old_sched);
1348 ip_vs_unbind_pe(svc);
1349 ip_vs_bind_pe(svc, pe);
1353 write_unlock_bh(&__ip_vs_svc_lock);
1355 ip_vs_scheduler_put(old_sched);
1356 ip_vs_pe_put(old_pe);
1362 * Delete a service from the service list
1363 * - The service must be unlinked, unlocked and not referenced!
1364 * - We are called under _bh lock
1366 static void __ip_vs_del_service(struct ip_vs_service *svc)
1368 struct ip_vs_dest *dest, *nxt;
1369 struct ip_vs_scheduler *old_sched;
1370 struct ip_vs_pe *old_pe;
1371 struct netns_ipvs *ipvs = net_ipvs(svc->net);
1373 pr_info("%s: enter\n", __func__);
1375 /* Count only IPv4 services for old get/setsockopt interface */
1376 if (svc->af == AF_INET)
1377 ipvs->num_services--;
1379 ip_vs_stop_estimator(svc->net, &svc->stats);
1381 /* Unbind scheduler */
1382 old_sched = svc->scheduler;
1383 ip_vs_unbind_scheduler(svc);
1384 ip_vs_scheduler_put(old_sched);
1386 /* Unbind persistence engine */
1388 ip_vs_unbind_pe(svc);
1389 ip_vs_pe_put(old_pe);
1391 /* Unbind app inc */
1393 ip_vs_app_inc_put(svc->inc);
1398 * Unlink the whole destination list
1400 list_for_each_entry_safe(dest, nxt, &svc->destinations, n_list) {
1401 __ip_vs_unlink_dest(svc, dest, 0);
1402 __ip_vs_del_dest(svc->net, dest);
1406 * Update the virtual service counters
1408 if (svc->port == FTPPORT)
1409 atomic_dec(&ipvs->ftpsvc_counter);
1410 else if (svc->port == 0)
1411 atomic_dec(&ipvs->nullsvc_counter);
1414 * Free the service if nobody refers to it
1416 if (atomic_read(&svc->refcnt) == 0) {
1417 IP_VS_DBG_BUF(3, "Removing service %u/%s:%u usecnt=%d\n",
1419 IP_VS_DBG_ADDR(svc->af, &svc->addr),
1420 ntohs(svc->port), atomic_read(&svc->usecnt));
1421 free_percpu(svc->stats.cpustats);
1425 /* decrease the module use count */
1426 ip_vs_use_count_dec();
1430 * Unlink a service from list and try to delete it if its refcnt reached 0
1432 static void ip_vs_unlink_service(struct ip_vs_service *svc)
1435 * Unhash it from the service table
1437 write_lock_bh(&__ip_vs_svc_lock);
1439 ip_vs_svc_unhash(svc);
1442 * Wait until all the svc users go away.
1444 IP_VS_WAIT_WHILE(atomic_read(&svc->usecnt) > 0);
1446 __ip_vs_del_service(svc);
1448 write_unlock_bh(&__ip_vs_svc_lock);
1452 * Delete a service from the service list
1454 static int ip_vs_del_service(struct ip_vs_service *svc)
1458 ip_vs_unlink_service(svc);
1465 * Flush all the virtual services
1467 static int ip_vs_flush(struct net *net)
1470 struct ip_vs_service *svc, *nxt;
1473 * Flush the service table hashed by <netns,protocol,addr,port>
1475 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1476 list_for_each_entry_safe(svc, nxt, &ip_vs_svc_table[idx],
1478 if (net_eq(svc->net, net))
1479 ip_vs_unlink_service(svc);
1484 * Flush the service table hashed by fwmark
1486 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1487 list_for_each_entry_safe(svc, nxt,
1488 &ip_vs_svc_fwm_table[idx], f_list) {
1489 if (net_eq(svc->net, net))
1490 ip_vs_unlink_service(svc);
1498 * Delete service by {netns} in the service table.
1499 * Called by __ip_vs_cleanup()
1501 void ip_vs_service_net_cleanup(struct net *net)
1504 /* Check for "full" addressed entries */
1505 mutex_lock(&__ip_vs_mutex);
1507 mutex_unlock(&__ip_vs_mutex);
1511 /* Put all references for device (dst_cache) */
1513 ip_vs_forget_dev(struct ip_vs_dest *dest, struct net_device *dev)
1515 spin_lock_bh(&dest->dst_lock);
1516 if (dest->dst_cache && dest->dst_cache->dev == dev) {
1517 IP_VS_DBG_BUF(3, "Reset dev:%s dest %s:%u ,dest->refcnt=%d\n",
1519 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1521 atomic_read(&dest->refcnt));
1522 __ip_vs_dst_cache_reset(dest);
1524 spin_unlock_bh(&dest->dst_lock);
1527 /* Netdev event receiver
1528 * Currently only NETDEV_DOWN is handled to release refs to cached dsts
1530 static int ip_vs_dst_event(struct notifier_block *this, unsigned long event,
1533 struct net_device *dev = ptr;
1534 struct net *net = dev_net(dev);
1535 struct netns_ipvs *ipvs = net_ipvs(net);
1536 struct ip_vs_service *svc;
1537 struct ip_vs_dest *dest;
1540 if (event != NETDEV_DOWN || !ipvs)
1542 IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name);
1544 mutex_lock(&__ip_vs_mutex);
1545 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1546 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1547 if (net_eq(svc->net, net)) {
1548 list_for_each_entry(dest, &svc->destinations,
1550 ip_vs_forget_dev(dest, dev);
1555 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1556 if (net_eq(svc->net, net)) {
1557 list_for_each_entry(dest, &svc->destinations,
1559 ip_vs_forget_dev(dest, dev);
1566 list_for_each_entry(dest, &ipvs->dest_trash, n_list) {
1567 ip_vs_forget_dev(dest, dev);
1569 mutex_unlock(&__ip_vs_mutex);
1575 * Zero counters in a service or all services
1577 static int ip_vs_zero_service(struct ip_vs_service *svc)
1579 struct ip_vs_dest *dest;
1581 write_lock_bh(&__ip_vs_svc_lock);
1582 list_for_each_entry(dest, &svc->destinations, n_list) {
1583 ip_vs_zero_stats(&dest->stats);
1585 ip_vs_zero_stats(&svc->stats);
1586 write_unlock_bh(&__ip_vs_svc_lock);
1590 static int ip_vs_zero_all(struct net *net)
1593 struct ip_vs_service *svc;
1595 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1596 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1597 if (net_eq(svc->net, net))
1598 ip_vs_zero_service(svc);
1602 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1603 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1604 if (net_eq(svc->net, net))
1605 ip_vs_zero_service(svc);
1609 ip_vs_zero_stats(&net_ipvs(net)->tot_stats);
1613 #ifdef CONFIG_SYSCTL
1616 static int three = 3;
1619 proc_do_defense_mode(ctl_table *table, int write,
1620 void __user *buffer, size_t *lenp, loff_t *ppos)
1622 struct net *net = current->nsproxy->net_ns;
1623 int *valp = table->data;
1627 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1628 if (write && (*valp != val)) {
1629 if ((*valp < 0) || (*valp > 3)) {
1630 /* Restore the correct value */
1633 update_defense_level(net_ipvs(net));
1640 proc_do_sync_threshold(ctl_table *table, int write,
1641 void __user *buffer, size_t *lenp, loff_t *ppos)
1643 int *valp = table->data;
1647 /* backup the value first */
1648 memcpy(val, valp, sizeof(val));
1650 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1651 if (write && (valp[0] < 0 || valp[1] < 0 ||
1652 (valp[0] >= valp[1] && valp[1]))) {
1653 /* Restore the correct value */
1654 memcpy(valp, val, sizeof(val));
1660 proc_do_sync_mode(ctl_table *table, int write,
1661 void __user *buffer, size_t *lenp, loff_t *ppos)
1663 int *valp = table->data;
1667 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1668 if (write && (*valp != val)) {
1669 if ((*valp < 0) || (*valp > 1)) {
1670 /* Restore the correct value */
1678 proc_do_sync_ports(ctl_table *table, int write,
1679 void __user *buffer, size_t *lenp, loff_t *ppos)
1681 int *valp = table->data;
1685 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1686 if (write && (*valp != val)) {
1687 if (*valp < 1 || !is_power_of_2(*valp)) {
1688 /* Restore the correct value */
1696 * IPVS sysctl table (under the /proc/sys/net/ipv4/vs/)
1697 * Do not change order or insert new entries without
1698 * align with netns init in ip_vs_control_net_init()
1701 static struct ctl_table vs_vars[] = {
1703 .procname = "amemthresh",
1704 .maxlen = sizeof(int),
1706 .proc_handler = proc_dointvec,
1709 .procname = "am_droprate",
1710 .maxlen = sizeof(int),
1712 .proc_handler = proc_dointvec,
1715 .procname = "drop_entry",
1716 .maxlen = sizeof(int),
1718 .proc_handler = proc_do_defense_mode,
1721 .procname = "drop_packet",
1722 .maxlen = sizeof(int),
1724 .proc_handler = proc_do_defense_mode,
1726 #ifdef CONFIG_IP_VS_NFCT
1728 .procname = "conntrack",
1729 .maxlen = sizeof(int),
1731 .proc_handler = &proc_dointvec,
1735 .procname = "secure_tcp",
1736 .maxlen = sizeof(int),
1738 .proc_handler = proc_do_defense_mode,
1741 .procname = "snat_reroute",
1742 .maxlen = sizeof(int),
1744 .proc_handler = &proc_dointvec,
1747 .procname = "sync_version",
1748 .maxlen = sizeof(int),
1750 .proc_handler = &proc_do_sync_mode,
1753 .procname = "sync_ports",
1754 .maxlen = sizeof(int),
1756 .proc_handler = &proc_do_sync_ports,
1759 .procname = "sync_qlen_max",
1760 .maxlen = sizeof(int),
1762 .proc_handler = proc_dointvec,
1765 .procname = "sync_sock_size",
1766 .maxlen = sizeof(int),
1768 .proc_handler = proc_dointvec,
1771 .procname = "cache_bypass",
1772 .maxlen = sizeof(int),
1774 .proc_handler = proc_dointvec,
1777 .procname = "expire_nodest_conn",
1778 .maxlen = sizeof(int),
1780 .proc_handler = proc_dointvec,
1783 .procname = "expire_quiescent_template",
1784 .maxlen = sizeof(int),
1786 .proc_handler = proc_dointvec,
1789 .procname = "sync_threshold",
1791 sizeof(((struct netns_ipvs *)0)->sysctl_sync_threshold),
1793 .proc_handler = proc_do_sync_threshold,
1796 .procname = "sync_refresh_period",
1797 .maxlen = sizeof(int),
1799 .proc_handler = proc_dointvec_jiffies,
1802 .procname = "sync_retries",
1803 .maxlen = sizeof(int),
1805 .proc_handler = proc_dointvec_minmax,
1810 .procname = "nat_icmp_send",
1811 .maxlen = sizeof(int),
1813 .proc_handler = proc_dointvec,
1816 .procname = "pmtu_disc",
1817 .maxlen = sizeof(int),
1819 .proc_handler = proc_dointvec,
1822 .procname = "backup_only",
1823 .maxlen = sizeof(int),
1825 .proc_handler = proc_dointvec,
1827 #ifdef CONFIG_IP_VS_DEBUG
1829 .procname = "debug_level",
1830 .data = &sysctl_ip_vs_debug_level,
1831 .maxlen = sizeof(int),
1833 .proc_handler = proc_dointvec,
1838 .procname = "timeout_established",
1839 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ESTABLISHED],
1840 .maxlen = sizeof(int),
1842 .proc_handler = proc_dointvec_jiffies,
1845 .procname = "timeout_synsent",
1846 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_SENT],
1847 .maxlen = sizeof(int),
1849 .proc_handler = proc_dointvec_jiffies,
1852 .procname = "timeout_synrecv",
1853 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_RECV],
1854 .maxlen = sizeof(int),
1856 .proc_handler = proc_dointvec_jiffies,
1859 .procname = "timeout_finwait",
1860 .data = &vs_timeout_table_dos.timeout[IP_VS_S_FIN_WAIT],
1861 .maxlen = sizeof(int),
1863 .proc_handler = proc_dointvec_jiffies,
1866 .procname = "timeout_timewait",
1867 .data = &vs_timeout_table_dos.timeout[IP_VS_S_TIME_WAIT],
1868 .maxlen = sizeof(int),
1870 .proc_handler = proc_dointvec_jiffies,
1873 .procname = "timeout_close",
1874 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE],
1875 .maxlen = sizeof(int),
1877 .proc_handler = proc_dointvec_jiffies,
1880 .procname = "timeout_closewait",
1881 .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE_WAIT],
1882 .maxlen = sizeof(int),
1884 .proc_handler = proc_dointvec_jiffies,
1887 .procname = "timeout_lastack",
1888 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LAST_ACK],
1889 .maxlen = sizeof(int),
1891 .proc_handler = proc_dointvec_jiffies,
1894 .procname = "timeout_listen",
1895 .data = &vs_timeout_table_dos.timeout[IP_VS_S_LISTEN],
1896 .maxlen = sizeof(int),
1898 .proc_handler = proc_dointvec_jiffies,
1901 .procname = "timeout_synack",
1902 .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYNACK],
1903 .maxlen = sizeof(int),
1905 .proc_handler = proc_dointvec_jiffies,
1908 .procname = "timeout_udp",
1909 .data = &vs_timeout_table_dos.timeout[IP_VS_S_UDP],
1910 .maxlen = sizeof(int),
1912 .proc_handler = proc_dointvec_jiffies,
1915 .procname = "timeout_icmp",
1916 .data = &vs_timeout_table_dos.timeout[IP_VS_S_ICMP],
1917 .maxlen = sizeof(int),
1919 .proc_handler = proc_dointvec_jiffies,
1927 #ifdef CONFIG_PROC_FS
1930 struct seq_net_private p; /* Do not move this, netns depends upon it*/
1931 struct list_head *table;
1936 * Write the contents of the VS rule table to a PROCfs file.
1937 * (It is kept just for backward compatibility)
1939 static inline const char *ip_vs_fwd_name(unsigned int flags)
1941 switch (flags & IP_VS_CONN_F_FWD_MASK) {
1942 case IP_VS_CONN_F_LOCALNODE:
1944 case IP_VS_CONN_F_TUNNEL:
1946 case IP_VS_CONN_F_DROUTE:
1954 /* Get the Nth entry in the two lists */
1955 static struct ip_vs_service *ip_vs_info_array(struct seq_file *seq, loff_t pos)
1957 struct net *net = seq_file_net(seq);
1958 struct ip_vs_iter *iter = seq->private;
1960 struct ip_vs_service *svc;
1962 /* look in hash by protocol */
1963 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1964 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1965 if (net_eq(svc->net, net) && pos-- == 0) {
1966 iter->table = ip_vs_svc_table;
1973 /* keep looking in fwmark */
1974 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1975 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1976 if (net_eq(svc->net, net) && pos-- == 0) {
1977 iter->table = ip_vs_svc_fwm_table;
1987 static void *ip_vs_info_seq_start(struct seq_file *seq, loff_t *pos)
1988 __acquires(__ip_vs_svc_lock)
1991 read_lock_bh(&__ip_vs_svc_lock);
1992 return *pos ? ip_vs_info_array(seq, *pos - 1) : SEQ_START_TOKEN;
1996 static void *ip_vs_info_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1998 struct list_head *e;
1999 struct ip_vs_iter *iter;
2000 struct ip_vs_service *svc;
2003 if (v == SEQ_START_TOKEN)
2004 return ip_vs_info_array(seq,0);
2007 iter = seq->private;
2009 if (iter->table == ip_vs_svc_table) {
2010 /* next service in table hashed by protocol */
2011 if ((e = svc->s_list.next) != &ip_vs_svc_table[iter->bucket])
2012 return list_entry(e, struct ip_vs_service, s_list);
2015 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
2016 list_for_each_entry(svc,&ip_vs_svc_table[iter->bucket],
2022 iter->table = ip_vs_svc_fwm_table;
2027 /* next service in hashed by fwmark */
2028 if ((e = svc->f_list.next) != &ip_vs_svc_fwm_table[iter->bucket])
2029 return list_entry(e, struct ip_vs_service, f_list);
2032 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
2033 list_for_each_entry(svc, &ip_vs_svc_fwm_table[iter->bucket],
2041 static void ip_vs_info_seq_stop(struct seq_file *seq, void *v)
2042 __releases(__ip_vs_svc_lock)
2044 read_unlock_bh(&__ip_vs_svc_lock);
2048 static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
2050 if (v == SEQ_START_TOKEN) {
2052 "IP Virtual Server version %d.%d.%d (size=%d)\n",
2053 NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size);
2055 "Prot LocalAddress:Port Scheduler Flags\n");
2057 " -> RemoteAddress:Port Forward Weight ActiveConn InActConn\n");
2059 const struct ip_vs_service *svc = v;
2060 const struct ip_vs_iter *iter = seq->private;
2061 const struct ip_vs_dest *dest;
2063 if (iter->table == ip_vs_svc_table) {
2064 #ifdef CONFIG_IP_VS_IPV6
2065 if (svc->af == AF_INET6)
2066 seq_printf(seq, "%s [%pI6]:%04X %s ",
2067 ip_vs_proto_name(svc->protocol),
2070 svc->scheduler->name);
2073 seq_printf(seq, "%s %08X:%04X %s %s ",
2074 ip_vs_proto_name(svc->protocol),
2075 ntohl(svc->addr.ip),
2077 svc->scheduler->name,
2078 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
2080 seq_printf(seq, "FWM %08X %s %s",
2081 svc->fwmark, svc->scheduler->name,
2082 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
2085 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
2086 seq_printf(seq, "persistent %d %08X\n",
2088 ntohl(svc->netmask));
2090 seq_putc(seq, '\n');
2092 list_for_each_entry(dest, &svc->destinations, n_list) {
2093 #ifdef CONFIG_IP_VS_IPV6
2094 if (dest->af == AF_INET6)
2097 " %-7s %-6d %-10d %-10d\n",
2100 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
2101 atomic_read(&dest->weight),
2102 atomic_read(&dest->activeconns),
2103 atomic_read(&dest->inactconns));
2108 "%-7s %-6d %-10d %-10d\n",
2109 ntohl(dest->addr.ip),
2111 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
2112 atomic_read(&dest->weight),
2113 atomic_read(&dest->activeconns),
2114 atomic_read(&dest->inactconns));
2121 static const struct seq_operations ip_vs_info_seq_ops = {
2122 .start = ip_vs_info_seq_start,
2123 .next = ip_vs_info_seq_next,
2124 .stop = ip_vs_info_seq_stop,
2125 .show = ip_vs_info_seq_show,
2128 static int ip_vs_info_open(struct inode *inode, struct file *file)
2130 return seq_open_net(inode, file, &ip_vs_info_seq_ops,
2131 sizeof(struct ip_vs_iter));
2134 static const struct file_operations ip_vs_info_fops = {
2135 .owner = THIS_MODULE,
2136 .open = ip_vs_info_open,
2138 .llseek = seq_lseek,
2139 .release = seq_release_net,
2142 static int ip_vs_stats_show(struct seq_file *seq, void *v)
2144 struct net *net = seq_file_single_net(seq);
2145 struct ip_vs_stats_user show;
2147 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2149 " Total Incoming Outgoing Incoming Outgoing\n");
2151 " Conns Packets Packets Bytes Bytes\n");
2153 ip_vs_copy_stats(&show, &net_ipvs(net)->tot_stats);
2154 seq_printf(seq, "%8X %8X %8X %16LX %16LX\n\n", show.conns,
2155 show.inpkts, show.outpkts,
2156 (unsigned long long) show.inbytes,
2157 (unsigned long long) show.outbytes);
2159 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2161 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
2162 seq_printf(seq, "%8X %8X %8X %16X %16X\n",
2163 show.cps, show.inpps, show.outpps,
2164 show.inbps, show.outbps);
2169 static int ip_vs_stats_seq_open(struct inode *inode, struct file *file)
2171 return single_open_net(inode, file, ip_vs_stats_show);
2174 static const struct file_operations ip_vs_stats_fops = {
2175 .owner = THIS_MODULE,
2176 .open = ip_vs_stats_seq_open,
2178 .llseek = seq_lseek,
2179 .release = single_release_net,
2182 static int ip_vs_stats_percpu_show(struct seq_file *seq, void *v)
2184 struct net *net = seq_file_single_net(seq);
2185 struct ip_vs_stats *tot_stats = &net_ipvs(net)->tot_stats;
2186 struct ip_vs_cpu_stats *cpustats = tot_stats->cpustats;
2187 struct ip_vs_stats_user rates;
2190 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2192 " Total Incoming Outgoing Incoming Outgoing\n");
2194 "CPU Conns Packets Packets Bytes Bytes\n");
2196 for_each_possible_cpu(i) {
2197 struct ip_vs_cpu_stats *u = per_cpu_ptr(cpustats, i);
2199 __u64 inbytes, outbytes;
2202 start = u64_stats_fetch_begin_bh(&u->syncp);
2203 inbytes = u->ustats.inbytes;
2204 outbytes = u->ustats.outbytes;
2205 } while (u64_stats_fetch_retry_bh(&u->syncp, start));
2207 seq_printf(seq, "%3X %8X %8X %8X %16LX %16LX\n",
2208 i, u->ustats.conns, u->ustats.inpkts,
2209 u->ustats.outpkts, (__u64)inbytes,
2213 spin_lock_bh(&tot_stats->lock);
2215 seq_printf(seq, " ~ %8X %8X %8X %16LX %16LX\n\n",
2216 tot_stats->ustats.conns, tot_stats->ustats.inpkts,
2217 tot_stats->ustats.outpkts,
2218 (unsigned long long) tot_stats->ustats.inbytes,
2219 (unsigned long long) tot_stats->ustats.outbytes);
2221 ip_vs_read_estimator(&rates, tot_stats);
2223 spin_unlock_bh(&tot_stats->lock);
2225 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2227 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
2228 seq_printf(seq, " %8X %8X %8X %16X %16X\n",
2238 static int ip_vs_stats_percpu_seq_open(struct inode *inode, struct file *file)
2240 return single_open_net(inode, file, ip_vs_stats_percpu_show);
2243 static const struct file_operations ip_vs_stats_percpu_fops = {
2244 .owner = THIS_MODULE,
2245 .open = ip_vs_stats_percpu_seq_open,
2247 .llseek = seq_lseek,
2248 .release = single_release_net,
2253 * Set timeout values for tcp tcpfin udp in the timeout_table.
2255 static int ip_vs_set_timeout(struct net *net, struct ip_vs_timeout_user *u)
2257 #if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
2258 struct ip_vs_proto_data *pd;
2261 IP_VS_DBG(2, "Setting timeout tcp:%d tcpfin:%d udp:%d\n",
2266 #ifdef CONFIG_IP_VS_PROTO_TCP
2267 if (u->tcp_timeout) {
2268 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2269 pd->timeout_table[IP_VS_TCP_S_ESTABLISHED]
2270 = u->tcp_timeout * HZ;
2273 if (u->tcp_fin_timeout) {
2274 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2275 pd->timeout_table[IP_VS_TCP_S_FIN_WAIT]
2276 = u->tcp_fin_timeout * HZ;
2280 #ifdef CONFIG_IP_VS_PROTO_UDP
2281 if (u->udp_timeout) {
2282 pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
2283 pd->timeout_table[IP_VS_UDP_S_NORMAL]
2284 = u->udp_timeout * HZ;
2291 #define SET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
2292 #define SERVICE_ARG_LEN (sizeof(struct ip_vs_service_user))
2293 #define SVCDEST_ARG_LEN (sizeof(struct ip_vs_service_user) + \
2294 sizeof(struct ip_vs_dest_user))
2295 #define TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
2296 #define DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user))
2297 #define MAX_ARG_LEN SVCDEST_ARG_LEN
2299 static const unsigned char set_arglen[SET_CMDID(IP_VS_SO_SET_MAX)+1] = {
2300 [SET_CMDID(IP_VS_SO_SET_ADD)] = SERVICE_ARG_LEN,
2301 [SET_CMDID(IP_VS_SO_SET_EDIT)] = SERVICE_ARG_LEN,
2302 [SET_CMDID(IP_VS_SO_SET_DEL)] = SERVICE_ARG_LEN,
2303 [SET_CMDID(IP_VS_SO_SET_FLUSH)] = 0,
2304 [SET_CMDID(IP_VS_SO_SET_ADDDEST)] = SVCDEST_ARG_LEN,
2305 [SET_CMDID(IP_VS_SO_SET_DELDEST)] = SVCDEST_ARG_LEN,
2306 [SET_CMDID(IP_VS_SO_SET_EDITDEST)] = SVCDEST_ARG_LEN,
2307 [SET_CMDID(IP_VS_SO_SET_TIMEOUT)] = TIMEOUT_ARG_LEN,
2308 [SET_CMDID(IP_VS_SO_SET_STARTDAEMON)] = DAEMON_ARG_LEN,
2309 [SET_CMDID(IP_VS_SO_SET_STOPDAEMON)] = DAEMON_ARG_LEN,
2310 [SET_CMDID(IP_VS_SO_SET_ZERO)] = SERVICE_ARG_LEN,
2313 static void ip_vs_copy_usvc_compat(struct ip_vs_service_user_kern *usvc,
2314 struct ip_vs_service_user *usvc_compat)
2316 memset(usvc, 0, sizeof(*usvc));
2319 usvc->protocol = usvc_compat->protocol;
2320 usvc->addr.ip = usvc_compat->addr;
2321 usvc->port = usvc_compat->port;
2322 usvc->fwmark = usvc_compat->fwmark;
2324 /* Deep copy of sched_name is not needed here */
2325 usvc->sched_name = usvc_compat->sched_name;
2327 usvc->flags = usvc_compat->flags;
2328 usvc->timeout = usvc_compat->timeout;
2329 usvc->netmask = usvc_compat->netmask;
2332 static void ip_vs_copy_udest_compat(struct ip_vs_dest_user_kern *udest,
2333 struct ip_vs_dest_user *udest_compat)
2335 memset(udest, 0, sizeof(*udest));
2337 udest->addr.ip = udest_compat->addr;
2338 udest->port = udest_compat->port;
2339 udest->conn_flags = udest_compat->conn_flags;
2340 udest->weight = udest_compat->weight;
2341 udest->u_threshold = udest_compat->u_threshold;
2342 udest->l_threshold = udest_compat->l_threshold;
2346 do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2348 struct net *net = sock_net(sk);
2350 unsigned char arg[MAX_ARG_LEN];
2351 struct ip_vs_service_user *usvc_compat;
2352 struct ip_vs_service_user_kern usvc;
2353 struct ip_vs_service *svc;
2354 struct ip_vs_dest_user *udest_compat;
2355 struct ip_vs_dest_user_kern udest;
2356 struct netns_ipvs *ipvs = net_ipvs(net);
2358 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2361 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
2363 if (len < 0 || len > MAX_ARG_LEN)
2365 if (len != set_arglen[SET_CMDID(cmd)]) {
2366 pr_err("set_ctl: len %u != %u\n",
2367 len, set_arglen[SET_CMDID(cmd)]);
2371 if (copy_from_user(arg, user, len) != 0)
2374 /* increase the module use count */
2375 ip_vs_use_count_inc();
2377 /* Handle daemons since they have another lock */
2378 if (cmd == IP_VS_SO_SET_STARTDAEMON ||
2379 cmd == IP_VS_SO_SET_STOPDAEMON) {
2380 struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
2382 if (mutex_lock_interruptible(&ipvs->sync_mutex)) {
2386 if (cmd == IP_VS_SO_SET_STARTDAEMON)
2387 ret = start_sync_thread(net, dm->state, dm->mcast_ifn,
2390 ret = stop_sync_thread(net, dm->state);
2391 mutex_unlock(&ipvs->sync_mutex);
2395 if (mutex_lock_interruptible(&__ip_vs_mutex)) {
2400 if (cmd == IP_VS_SO_SET_FLUSH) {
2401 /* Flush the virtual service */
2402 ret = ip_vs_flush(net);
2404 } else if (cmd == IP_VS_SO_SET_TIMEOUT) {
2405 /* Set timeout values for (tcp tcpfin udp) */
2406 ret = ip_vs_set_timeout(net, (struct ip_vs_timeout_user *)arg);
2410 usvc_compat = (struct ip_vs_service_user *)arg;
2411 udest_compat = (struct ip_vs_dest_user *)(usvc_compat + 1);
2413 /* We only use the new structs internally, so copy userspace compat
2414 * structs to extended internal versions */
2415 ip_vs_copy_usvc_compat(&usvc, usvc_compat);
2416 ip_vs_copy_udest_compat(&udest, udest_compat);
2418 if (cmd == IP_VS_SO_SET_ZERO) {
2419 /* if no service address is set, zero counters in all */
2420 if (!usvc.fwmark && !usvc.addr.ip && !usvc.port) {
2421 ret = ip_vs_zero_all(net);
2426 /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
2427 if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
2428 usvc.protocol != IPPROTO_SCTP) {
2429 pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
2430 usvc.protocol, &usvc.addr.ip,
2431 ntohs(usvc.port), usvc.sched_name);
2436 /* Lookup the exact service by <protocol, addr, port> or fwmark */
2437 if (usvc.fwmark == 0)
2438 svc = __ip_vs_service_find(net, usvc.af, usvc.protocol,
2439 &usvc.addr, usvc.port);
2441 svc = __ip_vs_svc_fwm_find(net, usvc.af, usvc.fwmark);
2443 if (cmd != IP_VS_SO_SET_ADD
2444 && (svc == NULL || svc->protocol != usvc.protocol)) {
2450 case IP_VS_SO_SET_ADD:
2454 ret = ip_vs_add_service(net, &usvc, &svc);
2456 case IP_VS_SO_SET_EDIT:
2457 ret = ip_vs_edit_service(svc, &usvc);
2459 case IP_VS_SO_SET_DEL:
2460 ret = ip_vs_del_service(svc);
2464 case IP_VS_SO_SET_ZERO:
2465 ret = ip_vs_zero_service(svc);
2467 case IP_VS_SO_SET_ADDDEST:
2468 ret = ip_vs_add_dest(svc, &udest);
2470 case IP_VS_SO_SET_EDITDEST:
2471 ret = ip_vs_edit_dest(svc, &udest);
2473 case IP_VS_SO_SET_DELDEST:
2474 ret = ip_vs_del_dest(svc, &udest);
2481 mutex_unlock(&__ip_vs_mutex);
2483 /* decrease the module use count */
2484 ip_vs_use_count_dec();
2491 ip_vs_copy_service(struct ip_vs_service_entry *dst, struct ip_vs_service *src)
2493 dst->protocol = src->protocol;
2494 dst->addr = src->addr.ip;
2495 dst->port = src->port;
2496 dst->fwmark = src->fwmark;
2497 strlcpy(dst->sched_name, src->scheduler->name, sizeof(dst->sched_name));
2498 dst->flags = src->flags;
2499 dst->timeout = src->timeout / HZ;
2500 dst->netmask = src->netmask;
2501 dst->num_dests = src->num_dests;
2502 ip_vs_copy_stats(&dst->stats, &src->stats);
2506 __ip_vs_get_service_entries(struct net *net,
2507 const struct ip_vs_get_services *get,
2508 struct ip_vs_get_services __user *uptr)
2511 struct ip_vs_service *svc;
2512 struct ip_vs_service_entry entry;
2515 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2516 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
2517 /* Only expose IPv4 entries to old interface */
2518 if (svc->af != AF_INET || !net_eq(svc->net, net))
2521 if (count >= get->num_services)
2523 memset(&entry, 0, sizeof(entry));
2524 ip_vs_copy_service(&entry, svc);
2525 if (copy_to_user(&uptr->entrytable[count],
2526 &entry, sizeof(entry))) {
2534 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2535 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
2536 /* Only expose IPv4 entries to old interface */
2537 if (svc->af != AF_INET || !net_eq(svc->net, net))
2540 if (count >= get->num_services)
2542 memset(&entry, 0, sizeof(entry));
2543 ip_vs_copy_service(&entry, svc);
2544 if (copy_to_user(&uptr->entrytable[count],
2545 &entry, sizeof(entry))) {
2557 __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
2558 struct ip_vs_get_dests __user *uptr)
2560 struct ip_vs_service *svc;
2561 union nf_inet_addr addr = { .ip = get->addr };
2565 svc = __ip_vs_svc_fwm_find(net, AF_INET, get->fwmark);
2567 svc = __ip_vs_service_find(net, AF_INET, get->protocol, &addr,
2572 struct ip_vs_dest *dest;
2573 struct ip_vs_dest_entry entry;
2575 list_for_each_entry(dest, &svc->destinations, n_list) {
2576 if (count >= get->num_dests)
2579 entry.addr = dest->addr.ip;
2580 entry.port = dest->port;
2581 entry.conn_flags = atomic_read(&dest->conn_flags);
2582 entry.weight = atomic_read(&dest->weight);
2583 entry.u_threshold = dest->u_threshold;
2584 entry.l_threshold = dest->l_threshold;
2585 entry.activeconns = atomic_read(&dest->activeconns);
2586 entry.inactconns = atomic_read(&dest->inactconns);
2587 entry.persistconns = atomic_read(&dest->persistconns);
2588 ip_vs_copy_stats(&entry.stats, &dest->stats);
2589 if (copy_to_user(&uptr->entrytable[count],
2590 &entry, sizeof(entry))) {
2602 __ip_vs_get_timeouts(struct net *net, struct ip_vs_timeout_user *u)
2604 #if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
2605 struct ip_vs_proto_data *pd;
2608 memset(u, 0, sizeof (*u));
2610 #ifdef CONFIG_IP_VS_PROTO_TCP
2611 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2612 u->tcp_timeout = pd->timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;
2613 u->tcp_fin_timeout = pd->timeout_table[IP_VS_TCP_S_FIN_WAIT] / HZ;
2615 #ifdef CONFIG_IP_VS_PROTO_UDP
2616 pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
2618 pd->timeout_table[IP_VS_UDP_S_NORMAL] / HZ;
2623 #define GET_CMDID(cmd) (cmd - IP_VS_BASE_CTL)
2624 #define GET_INFO_ARG_LEN (sizeof(struct ip_vs_getinfo))
2625 #define GET_SERVICES_ARG_LEN (sizeof(struct ip_vs_get_services))
2626 #define GET_SERVICE_ARG_LEN (sizeof(struct ip_vs_service_entry))
2627 #define GET_DESTS_ARG_LEN (sizeof(struct ip_vs_get_dests))
2628 #define GET_TIMEOUT_ARG_LEN (sizeof(struct ip_vs_timeout_user))
2629 #define GET_DAEMON_ARG_LEN (sizeof(struct ip_vs_daemon_user) * 2)
2631 static const unsigned char get_arglen[GET_CMDID(IP_VS_SO_GET_MAX)+1] = {
2632 [GET_CMDID(IP_VS_SO_GET_VERSION)] = 64,
2633 [GET_CMDID(IP_VS_SO_GET_INFO)] = GET_INFO_ARG_LEN,
2634 [GET_CMDID(IP_VS_SO_GET_SERVICES)] = GET_SERVICES_ARG_LEN,
2635 [GET_CMDID(IP_VS_SO_GET_SERVICE)] = GET_SERVICE_ARG_LEN,
2636 [GET_CMDID(IP_VS_SO_GET_DESTS)] = GET_DESTS_ARG_LEN,
2637 [GET_CMDID(IP_VS_SO_GET_TIMEOUT)] = GET_TIMEOUT_ARG_LEN,
2638 [GET_CMDID(IP_VS_SO_GET_DAEMON)] = GET_DAEMON_ARG_LEN,
2642 do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2644 unsigned char arg[128];
2646 unsigned int copylen;
2647 struct net *net = sock_net(sk);
2648 struct netns_ipvs *ipvs = net_ipvs(net);
2651 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2654 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)
2657 if (*len < get_arglen[GET_CMDID(cmd)]) {
2658 pr_err("get_ctl: len %u < %u\n",
2659 *len, get_arglen[GET_CMDID(cmd)]);
2663 copylen = get_arglen[GET_CMDID(cmd)];
2667 if (copy_from_user(arg, user, copylen) != 0)
2670 * Handle daemons first since it has its own locking
2672 if (cmd == IP_VS_SO_GET_DAEMON) {
2673 struct ip_vs_daemon_user d[2];
2675 memset(&d, 0, sizeof(d));
2676 if (mutex_lock_interruptible(&ipvs->sync_mutex))
2677 return -ERESTARTSYS;
2679 if (ipvs->sync_state & IP_VS_STATE_MASTER) {
2680 d[0].state = IP_VS_STATE_MASTER;
2681 strlcpy(d[0].mcast_ifn, ipvs->master_mcast_ifn,
2682 sizeof(d[0].mcast_ifn));
2683 d[0].syncid = ipvs->master_syncid;
2685 if (ipvs->sync_state & IP_VS_STATE_BACKUP) {
2686 d[1].state = IP_VS_STATE_BACKUP;
2687 strlcpy(d[1].mcast_ifn, ipvs->backup_mcast_ifn,
2688 sizeof(d[1].mcast_ifn));
2689 d[1].syncid = ipvs->backup_syncid;
2691 if (copy_to_user(user, &d, sizeof(d)) != 0)
2693 mutex_unlock(&ipvs->sync_mutex);
2697 if (mutex_lock_interruptible(&__ip_vs_mutex))
2698 return -ERESTARTSYS;
2701 case IP_VS_SO_GET_VERSION:
2705 sprintf(buf, "IP Virtual Server version %d.%d.%d (size=%d)",
2706 NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size);
2707 if (copy_to_user(user, buf, strlen(buf)+1) != 0) {
2711 *len = strlen(buf)+1;
2715 case IP_VS_SO_GET_INFO:
2717 struct ip_vs_getinfo info;
2718 info.version = IP_VS_VERSION_CODE;
2719 info.size = ip_vs_conn_tab_size;
2720 info.num_services = ipvs->num_services;
2721 if (copy_to_user(user, &info, sizeof(info)) != 0)
2726 case IP_VS_SO_GET_SERVICES:
2728 struct ip_vs_get_services *get;
2731 get = (struct ip_vs_get_services *)arg;
2732 size = sizeof(*get) +
2733 sizeof(struct ip_vs_service_entry) * get->num_services;
2735 pr_err("length: %u != %u\n", *len, size);
2739 ret = __ip_vs_get_service_entries(net, get, user);
2743 case IP_VS_SO_GET_SERVICE:
2745 struct ip_vs_service_entry *entry;
2746 struct ip_vs_service *svc;
2747 union nf_inet_addr addr;
2749 entry = (struct ip_vs_service_entry *)arg;
2750 addr.ip = entry->addr;
2752 svc = __ip_vs_svc_fwm_find(net, AF_INET, entry->fwmark);
2754 svc = __ip_vs_service_find(net, AF_INET,
2755 entry->protocol, &addr,
2758 ip_vs_copy_service(entry, svc);
2759 if (copy_to_user(user, entry, sizeof(*entry)) != 0)
2766 case IP_VS_SO_GET_DESTS:
2768 struct ip_vs_get_dests *get;
2771 get = (struct ip_vs_get_dests *)arg;
2772 size = sizeof(*get) +
2773 sizeof(struct ip_vs_dest_entry) * get->num_dests;
2775 pr_err("length: %u != %u\n", *len, size);
2779 ret = __ip_vs_get_dest_entries(net, get, user);
2783 case IP_VS_SO_GET_TIMEOUT:
2785 struct ip_vs_timeout_user t;
2787 __ip_vs_get_timeouts(net, &t);
2788 if (copy_to_user(user, &t, sizeof(t)) != 0)
2798 mutex_unlock(&__ip_vs_mutex);
2803 static struct nf_sockopt_ops ip_vs_sockopts = {
2805 .set_optmin = IP_VS_BASE_CTL,
2806 .set_optmax = IP_VS_SO_SET_MAX+1,
2807 .set = do_ip_vs_set_ctl,
2808 .get_optmin = IP_VS_BASE_CTL,
2809 .get_optmax = IP_VS_SO_GET_MAX+1,
2810 .get = do_ip_vs_get_ctl,
2811 .owner = THIS_MODULE,
2815 * Generic Netlink interface
2818 /* IPVS genetlink family */
2819 static struct genl_family ip_vs_genl_family = {
2820 .id = GENL_ID_GENERATE,
2822 .name = IPVS_GENL_NAME,
2823 .version = IPVS_GENL_VERSION,
2824 .maxattr = IPVS_CMD_MAX,
2825 .netnsok = true, /* Make ipvsadm to work on netns */
2828 /* Policy used for first-level command attributes */
2829 static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
2830 [IPVS_CMD_ATTR_SERVICE] = { .type = NLA_NESTED },
2831 [IPVS_CMD_ATTR_DEST] = { .type = NLA_NESTED },
2832 [IPVS_CMD_ATTR_DAEMON] = { .type = NLA_NESTED },
2833 [IPVS_CMD_ATTR_TIMEOUT_TCP] = { .type = NLA_U32 },
2834 [IPVS_CMD_ATTR_TIMEOUT_TCP_FIN] = { .type = NLA_U32 },
2835 [IPVS_CMD_ATTR_TIMEOUT_UDP] = { .type = NLA_U32 },
2838 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DAEMON */
2839 static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
2840 [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 },
2841 [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING,
2842 .len = IP_VS_IFNAME_MAXLEN },
2843 [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 },
2846 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_SERVICE */
2847 static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
2848 [IPVS_SVC_ATTR_AF] = { .type = NLA_U16 },
2849 [IPVS_SVC_ATTR_PROTOCOL] = { .type = NLA_U16 },
2850 [IPVS_SVC_ATTR_ADDR] = { .type = NLA_BINARY,
2851 .len = sizeof(union nf_inet_addr) },
2852 [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 },
2853 [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 },
2854 [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING,
2855 .len = IP_VS_SCHEDNAME_MAXLEN },
2856 [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING,
2857 .len = IP_VS_PENAME_MAXLEN },
2858 [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY,
2859 .len = sizeof(struct ip_vs_flags) },
2860 [IPVS_SVC_ATTR_TIMEOUT] = { .type = NLA_U32 },
2861 [IPVS_SVC_ATTR_NETMASK] = { .type = NLA_U32 },
2862 [IPVS_SVC_ATTR_STATS] = { .type = NLA_NESTED },
2865 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DEST */
2866 static const struct nla_policy ip_vs_dest_policy[IPVS_DEST_ATTR_MAX + 1] = {
2867 [IPVS_DEST_ATTR_ADDR] = { .type = NLA_BINARY,
2868 .len = sizeof(union nf_inet_addr) },
2869 [IPVS_DEST_ATTR_PORT] = { .type = NLA_U16 },
2870 [IPVS_DEST_ATTR_FWD_METHOD] = { .type = NLA_U32 },
2871 [IPVS_DEST_ATTR_WEIGHT] = { .type = NLA_U32 },
2872 [IPVS_DEST_ATTR_U_THRESH] = { .type = NLA_U32 },
2873 [IPVS_DEST_ATTR_L_THRESH] = { .type = NLA_U32 },
2874 [IPVS_DEST_ATTR_ACTIVE_CONNS] = { .type = NLA_U32 },
2875 [IPVS_DEST_ATTR_INACT_CONNS] = { .type = NLA_U32 },
2876 [IPVS_DEST_ATTR_PERSIST_CONNS] = { .type = NLA_U32 },
2877 [IPVS_DEST_ATTR_STATS] = { .type = NLA_NESTED },
2880 static int ip_vs_genl_fill_stats(struct sk_buff *skb, int container_type,
2881 struct ip_vs_stats *stats)
2883 struct ip_vs_stats_user ustats;
2884 struct nlattr *nl_stats = nla_nest_start(skb, container_type);
2888 ip_vs_copy_stats(&ustats, stats);
2890 if (nla_put_u32(skb, IPVS_STATS_ATTR_CONNS, ustats.conns) ||
2891 nla_put_u32(skb, IPVS_STATS_ATTR_INPKTS, ustats.inpkts) ||
2892 nla_put_u32(skb, IPVS_STATS_ATTR_OUTPKTS, ustats.outpkts) ||
2893 nla_put_u64(skb, IPVS_STATS_ATTR_INBYTES, ustats.inbytes) ||
2894 nla_put_u64(skb, IPVS_STATS_ATTR_OUTBYTES, ustats.outbytes) ||
2895 nla_put_u32(skb, IPVS_STATS_ATTR_CPS, ustats.cps) ||
2896 nla_put_u32(skb, IPVS_STATS_ATTR_INPPS, ustats.inpps) ||
2897 nla_put_u32(skb, IPVS_STATS_ATTR_OUTPPS, ustats.outpps) ||
2898 nla_put_u32(skb, IPVS_STATS_ATTR_INBPS, ustats.inbps) ||
2899 nla_put_u32(skb, IPVS_STATS_ATTR_OUTBPS, ustats.outbps))
2900 goto nla_put_failure;
2901 nla_nest_end(skb, nl_stats);
2906 nla_nest_cancel(skb, nl_stats);
2910 static int ip_vs_genl_fill_service(struct sk_buff *skb,
2911 struct ip_vs_service *svc)
2913 struct nlattr *nl_service;
2914 struct ip_vs_flags flags = { .flags = svc->flags,
2917 nl_service = nla_nest_start(skb, IPVS_CMD_ATTR_SERVICE);
2921 if (nla_put_u16(skb, IPVS_SVC_ATTR_AF, svc->af))
2922 goto nla_put_failure;
2924 if (nla_put_u32(skb, IPVS_SVC_ATTR_FWMARK, svc->fwmark))
2925 goto nla_put_failure;
2927 if (nla_put_u16(skb, IPVS_SVC_ATTR_PROTOCOL, svc->protocol) ||
2928 nla_put(skb, IPVS_SVC_ATTR_ADDR, sizeof(svc->addr), &svc->addr) ||
2929 nla_put_u16(skb, IPVS_SVC_ATTR_PORT, svc->port))
2930 goto nla_put_failure;
2933 if (nla_put_string(skb, IPVS_SVC_ATTR_SCHED_NAME, svc->scheduler->name) ||
2935 nla_put_string(skb, IPVS_SVC_ATTR_PE_NAME, svc->pe->name)) ||
2936 nla_put(skb, IPVS_SVC_ATTR_FLAGS, sizeof(flags), &flags) ||
2937 nla_put_u32(skb, IPVS_SVC_ATTR_TIMEOUT, svc->timeout / HZ) ||
2938 nla_put_u32(skb, IPVS_SVC_ATTR_NETMASK, svc->netmask))
2939 goto nla_put_failure;
2940 if (ip_vs_genl_fill_stats(skb, IPVS_SVC_ATTR_STATS, &svc->stats))
2941 goto nla_put_failure;
2943 nla_nest_end(skb, nl_service);
2948 nla_nest_cancel(skb, nl_service);
2952 static int ip_vs_genl_dump_service(struct sk_buff *skb,
2953 struct ip_vs_service *svc,
2954 struct netlink_callback *cb)
2958 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
2959 &ip_vs_genl_family, NLM_F_MULTI,
2960 IPVS_CMD_NEW_SERVICE);
2964 if (ip_vs_genl_fill_service(skb, svc) < 0)
2965 goto nla_put_failure;
2967 return genlmsg_end(skb, hdr);
2970 genlmsg_cancel(skb, hdr);
2974 static int ip_vs_genl_dump_services(struct sk_buff *skb,
2975 struct netlink_callback *cb)
2978 int start = cb->args[0];
2979 struct ip_vs_service *svc;
2980 struct net *net = skb_sknet(skb);
2982 mutex_lock(&__ip_vs_mutex);
2983 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
2984 list_for_each_entry(svc, &ip_vs_svc_table[i], s_list) {
2985 if (++idx <= start || !net_eq(svc->net, net))
2987 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
2989 goto nla_put_failure;
2994 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
2995 list_for_each_entry(svc, &ip_vs_svc_fwm_table[i], f_list) {
2996 if (++idx <= start || !net_eq(svc->net, net))
2998 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
3000 goto nla_put_failure;
3006 mutex_unlock(&__ip_vs_mutex);
3012 static int ip_vs_genl_parse_service(struct net *net,
3013 struct ip_vs_service_user_kern *usvc,
3014 struct nlattr *nla, int full_entry,
3015 struct ip_vs_service **ret_svc)
3017 struct nlattr *attrs[IPVS_SVC_ATTR_MAX + 1];
3018 struct nlattr *nla_af, *nla_port, *nla_fwmark, *nla_protocol, *nla_addr;
3019 struct ip_vs_service *svc;
3021 /* Parse mandatory identifying service fields first */
3023 nla_parse_nested(attrs, IPVS_SVC_ATTR_MAX, nla, ip_vs_svc_policy))
3026 nla_af = attrs[IPVS_SVC_ATTR_AF];
3027 nla_protocol = attrs[IPVS_SVC_ATTR_PROTOCOL];
3028 nla_addr = attrs[IPVS_SVC_ATTR_ADDR];
3029 nla_port = attrs[IPVS_SVC_ATTR_PORT];
3030 nla_fwmark = attrs[IPVS_SVC_ATTR_FWMARK];
3032 if (!(nla_af && (nla_fwmark || (nla_port && nla_protocol && nla_addr))))
3035 memset(usvc, 0, sizeof(*usvc));
3037 usvc->af = nla_get_u16(nla_af);
3038 #ifdef CONFIG_IP_VS_IPV6
3039 if (usvc->af != AF_INET && usvc->af != AF_INET6)
3041 if (usvc->af != AF_INET)
3043 return -EAFNOSUPPORT;
3046 usvc->protocol = IPPROTO_TCP;
3047 usvc->fwmark = nla_get_u32(nla_fwmark);
3049 usvc->protocol = nla_get_u16(nla_protocol);
3050 nla_memcpy(&usvc->addr, nla_addr, sizeof(usvc->addr));
3051 usvc->port = nla_get_u16(nla_port);
3056 svc = __ip_vs_svc_fwm_find(net, usvc->af, usvc->fwmark);
3058 svc = __ip_vs_service_find(net, usvc->af, usvc->protocol,
3059 &usvc->addr, usvc->port);
3062 /* If a full entry was requested, check for the additional fields */
3064 struct nlattr *nla_sched, *nla_flags, *nla_pe, *nla_timeout,
3066 struct ip_vs_flags flags;
3068 nla_sched = attrs[IPVS_SVC_ATTR_SCHED_NAME];
3069 nla_pe = attrs[IPVS_SVC_ATTR_PE_NAME];
3070 nla_flags = attrs[IPVS_SVC_ATTR_FLAGS];
3071 nla_timeout = attrs[IPVS_SVC_ATTR_TIMEOUT];
3072 nla_netmask = attrs[IPVS_SVC_ATTR_NETMASK];
3074 if (!(nla_sched && nla_flags && nla_timeout && nla_netmask))
3077 nla_memcpy(&flags, nla_flags, sizeof(flags));
3079 /* prefill flags from service if it already exists */
3081 usvc->flags = svc->flags;
3083 /* set new flags from userland */
3084 usvc->flags = (usvc->flags & ~flags.mask) |
3085 (flags.flags & flags.mask);
3086 usvc->sched_name = nla_data(nla_sched);
3087 usvc->pe_name = nla_pe ? nla_data(nla_pe) : NULL;
3088 usvc->timeout = nla_get_u32(nla_timeout);
3089 usvc->netmask = nla_get_u32(nla_netmask);
3095 static struct ip_vs_service *ip_vs_genl_find_service(struct net *net,
3098 struct ip_vs_service_user_kern usvc;
3099 struct ip_vs_service *svc;
3102 ret = ip_vs_genl_parse_service(net, &usvc, nla, 0, &svc);
3103 return ret ? ERR_PTR(ret) : svc;
3106 static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
3108 struct nlattr *nl_dest;
3110 nl_dest = nla_nest_start(skb, IPVS_CMD_ATTR_DEST);
3114 if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
3115 nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
3116 nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
3117 (atomic_read(&dest->conn_flags) &
3118 IP_VS_CONN_F_FWD_MASK)) ||
3119 nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
3120 atomic_read(&dest->weight)) ||
3121 nla_put_u32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold) ||
3122 nla_put_u32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold) ||
3123 nla_put_u32(skb, IPVS_DEST_ATTR_ACTIVE_CONNS,
3124 atomic_read(&dest->activeconns)) ||
3125 nla_put_u32(skb, IPVS_DEST_ATTR_INACT_CONNS,
3126 atomic_read(&dest->inactconns)) ||
3127 nla_put_u32(skb, IPVS_DEST_ATTR_PERSIST_CONNS,
3128 atomic_read(&dest->persistconns)))
3129 goto nla_put_failure;
3130 if (ip_vs_genl_fill_stats(skb, IPVS_DEST_ATTR_STATS, &dest->stats))
3131 goto nla_put_failure;
3133 nla_nest_end(skb, nl_dest);
3138 nla_nest_cancel(skb, nl_dest);
3142 static int ip_vs_genl_dump_dest(struct sk_buff *skb, struct ip_vs_dest *dest,
3143 struct netlink_callback *cb)
3147 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
3148 &ip_vs_genl_family, NLM_F_MULTI,
3153 if (ip_vs_genl_fill_dest(skb, dest) < 0)
3154 goto nla_put_failure;
3156 return genlmsg_end(skb, hdr);
3159 genlmsg_cancel(skb, hdr);
3163 static int ip_vs_genl_dump_dests(struct sk_buff *skb,
3164 struct netlink_callback *cb)
3167 int start = cb->args[0];
3168 struct ip_vs_service *svc;
3169 struct ip_vs_dest *dest;
3170 struct nlattr *attrs[IPVS_CMD_ATTR_MAX + 1];
3171 struct net *net = skb_sknet(skb);
3173 mutex_lock(&__ip_vs_mutex);
3175 /* Try to find the service for which to dump destinations */
3176 if (nlmsg_parse(cb->nlh, GENL_HDRLEN, attrs,
3177 IPVS_CMD_ATTR_MAX, ip_vs_cmd_policy))
3181 svc = ip_vs_genl_find_service(net, attrs[IPVS_CMD_ATTR_SERVICE]);
3182 if (IS_ERR(svc) || svc == NULL)
3185 /* Dump the destinations */
3186 list_for_each_entry(dest, &svc->destinations, n_list) {
3189 if (ip_vs_genl_dump_dest(skb, dest, cb) < 0) {
3191 goto nla_put_failure;
3199 mutex_unlock(&__ip_vs_mutex);
3204 static int ip_vs_genl_parse_dest(struct ip_vs_dest_user_kern *udest,
3205 struct nlattr *nla, int full_entry)
3207 struct nlattr *attrs[IPVS_DEST_ATTR_MAX + 1];
3208 struct nlattr *nla_addr, *nla_port;
3210 /* Parse mandatory identifying destination fields first */
3212 nla_parse_nested(attrs, IPVS_DEST_ATTR_MAX, nla, ip_vs_dest_policy))
3215 nla_addr = attrs[IPVS_DEST_ATTR_ADDR];
3216 nla_port = attrs[IPVS_DEST_ATTR_PORT];
3218 if (!(nla_addr && nla_port))
3221 memset(udest, 0, sizeof(*udest));
3223 nla_memcpy(&udest->addr, nla_addr, sizeof(udest->addr));
3224 udest->port = nla_get_u16(nla_port);
3226 /* If a full entry was requested, check for the additional fields */
3228 struct nlattr *nla_fwd, *nla_weight, *nla_u_thresh,
3231 nla_fwd = attrs[IPVS_DEST_ATTR_FWD_METHOD];
3232 nla_weight = attrs[IPVS_DEST_ATTR_WEIGHT];
3233 nla_u_thresh = attrs[IPVS_DEST_ATTR_U_THRESH];
3234 nla_l_thresh = attrs[IPVS_DEST_ATTR_L_THRESH];
3236 if (!(nla_fwd && nla_weight && nla_u_thresh && nla_l_thresh))
3239 udest->conn_flags = nla_get_u32(nla_fwd)
3240 & IP_VS_CONN_F_FWD_MASK;
3241 udest->weight = nla_get_u32(nla_weight);
3242 udest->u_threshold = nla_get_u32(nla_u_thresh);
3243 udest->l_threshold = nla_get_u32(nla_l_thresh);
3249 static int ip_vs_genl_fill_daemon(struct sk_buff *skb, __be32 state,
3250 const char *mcast_ifn, __be32 syncid)
3252 struct nlattr *nl_daemon;
3254 nl_daemon = nla_nest_start(skb, IPVS_CMD_ATTR_DAEMON);
3258 if (nla_put_u32(skb, IPVS_DAEMON_ATTR_STATE, state) ||
3259 nla_put_string(skb, IPVS_DAEMON_ATTR_MCAST_IFN, mcast_ifn) ||
3260 nla_put_u32(skb, IPVS_DAEMON_ATTR_SYNC_ID, syncid))
3261 goto nla_put_failure;
3262 nla_nest_end(skb, nl_daemon);
3267 nla_nest_cancel(skb, nl_daemon);
3271 static int ip_vs_genl_dump_daemon(struct sk_buff *skb, __be32 state,
3272 const char *mcast_ifn, __be32 syncid,
3273 struct netlink_callback *cb)
3276 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
3277 &ip_vs_genl_family, NLM_F_MULTI,
3278 IPVS_CMD_NEW_DAEMON);
3282 if (ip_vs_genl_fill_daemon(skb, state, mcast_ifn, syncid))
3283 goto nla_put_failure;
3285 return genlmsg_end(skb, hdr);
3288 genlmsg_cancel(skb, hdr);
3292 static int ip_vs_genl_dump_daemons(struct sk_buff *skb,
3293 struct netlink_callback *cb)
3295 struct net *net = skb_sknet(skb);
3296 struct netns_ipvs *ipvs = net_ipvs(net);
3298 mutex_lock(&ipvs->sync_mutex);
3299 if ((ipvs->sync_state & IP_VS_STATE_MASTER) && !cb->args[0]) {
3300 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_MASTER,
3301 ipvs->master_mcast_ifn,
3302 ipvs->master_syncid, cb) < 0)
3303 goto nla_put_failure;
3308 if ((ipvs->sync_state & IP_VS_STATE_BACKUP) && !cb->args[1]) {
3309 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_BACKUP,
3310 ipvs->backup_mcast_ifn,
3311 ipvs->backup_syncid, cb) < 0)
3312 goto nla_put_failure;
3318 mutex_unlock(&ipvs->sync_mutex);
3323 static int ip_vs_genl_new_daemon(struct net *net, struct nlattr **attrs)
3325 if (!(attrs[IPVS_DAEMON_ATTR_STATE] &&
3326 attrs[IPVS_DAEMON_ATTR_MCAST_IFN] &&
3327 attrs[IPVS_DAEMON_ATTR_SYNC_ID]))
3330 return start_sync_thread(net,
3331 nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]),
3332 nla_data(attrs[IPVS_DAEMON_ATTR_MCAST_IFN]),
3333 nla_get_u32(attrs[IPVS_DAEMON_ATTR_SYNC_ID]));
3336 static int ip_vs_genl_del_daemon(struct net *net, struct nlattr **attrs)
3338 if (!attrs[IPVS_DAEMON_ATTR_STATE])
3341 return stop_sync_thread(net,
3342 nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
3345 static int ip_vs_genl_set_config(struct net *net, struct nlattr **attrs)
3347 struct ip_vs_timeout_user t;
3349 __ip_vs_get_timeouts(net, &t);
3351 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP])
3352 t.tcp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP]);
3354 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN])
3356 nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN]);
3358 if (attrs[IPVS_CMD_ATTR_TIMEOUT_UDP])
3359 t.udp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_UDP]);
3361 return ip_vs_set_timeout(net, &t);
3364 static int ip_vs_genl_set_daemon(struct sk_buff *skb, struct genl_info *info)
3368 struct netns_ipvs *ipvs;
3370 net = skb_sknet(skb);
3371 ipvs = net_ipvs(net);
3372 cmd = info->genlhdr->cmd;
3374 if (cmd == IPVS_CMD_NEW_DAEMON || cmd == IPVS_CMD_DEL_DAEMON) {
3375 struct nlattr *daemon_attrs[IPVS_DAEMON_ATTR_MAX + 1];
3377 mutex_lock(&ipvs->sync_mutex);
3378 if (!info->attrs[IPVS_CMD_ATTR_DAEMON] ||
3379 nla_parse_nested(daemon_attrs, IPVS_DAEMON_ATTR_MAX,
3380 info->attrs[IPVS_CMD_ATTR_DAEMON],
3381 ip_vs_daemon_policy)) {
3386 if (cmd == IPVS_CMD_NEW_DAEMON)
3387 ret = ip_vs_genl_new_daemon(net, daemon_attrs);
3389 ret = ip_vs_genl_del_daemon(net, daemon_attrs);
3391 mutex_unlock(&ipvs->sync_mutex);
3396 static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
3398 struct ip_vs_service *svc = NULL;
3399 struct ip_vs_service_user_kern usvc;
3400 struct ip_vs_dest_user_kern udest;
3402 int need_full_svc = 0, need_full_dest = 0;
3405 net = skb_sknet(skb);
3406 cmd = info->genlhdr->cmd;
3408 mutex_lock(&__ip_vs_mutex);
3410 if (cmd == IPVS_CMD_FLUSH) {
3411 ret = ip_vs_flush(net);
3413 } else if (cmd == IPVS_CMD_SET_CONFIG) {
3414 ret = ip_vs_genl_set_config(net, info->attrs);
3416 } else if (cmd == IPVS_CMD_ZERO &&
3417 !info->attrs[IPVS_CMD_ATTR_SERVICE]) {
3418 ret = ip_vs_zero_all(net);
3422 /* All following commands require a service argument, so check if we
3423 * received a valid one. We need a full service specification when
3424 * adding / editing a service. Only identifying members otherwise. */
3425 if (cmd == IPVS_CMD_NEW_SERVICE || cmd == IPVS_CMD_SET_SERVICE)
3428 ret = ip_vs_genl_parse_service(net, &usvc,
3429 info->attrs[IPVS_CMD_ATTR_SERVICE],
3430 need_full_svc, &svc);
3434 /* Unless we're adding a new service, the service must already exist */
3435 if ((cmd != IPVS_CMD_NEW_SERVICE) && (svc == NULL)) {
3440 /* Destination commands require a valid destination argument. For
3441 * adding / editing a destination, we need a full destination
3443 if (cmd == IPVS_CMD_NEW_DEST || cmd == IPVS_CMD_SET_DEST ||
3444 cmd == IPVS_CMD_DEL_DEST) {
3445 if (cmd != IPVS_CMD_DEL_DEST)
3448 ret = ip_vs_genl_parse_dest(&udest,
3449 info->attrs[IPVS_CMD_ATTR_DEST],
3456 case IPVS_CMD_NEW_SERVICE:
3458 ret = ip_vs_add_service(net, &usvc, &svc);
3462 case IPVS_CMD_SET_SERVICE:
3463 ret = ip_vs_edit_service(svc, &usvc);
3465 case IPVS_CMD_DEL_SERVICE:
3466 ret = ip_vs_del_service(svc);
3467 /* do not use svc, it can be freed */
3469 case IPVS_CMD_NEW_DEST:
3470 ret = ip_vs_add_dest(svc, &udest);
3472 case IPVS_CMD_SET_DEST:
3473 ret = ip_vs_edit_dest(svc, &udest);
3475 case IPVS_CMD_DEL_DEST:
3476 ret = ip_vs_del_dest(svc, &udest);
3479 ret = ip_vs_zero_service(svc);
3486 mutex_unlock(&__ip_vs_mutex);
3491 static int ip_vs_genl_get_cmd(struct sk_buff *skb, struct genl_info *info)
3493 struct sk_buff *msg;
3495 int ret, cmd, reply_cmd;
3498 net = skb_sknet(skb);
3499 cmd = info->genlhdr->cmd;
3501 if (cmd == IPVS_CMD_GET_SERVICE)
3502 reply_cmd = IPVS_CMD_NEW_SERVICE;
3503 else if (cmd == IPVS_CMD_GET_INFO)
3504 reply_cmd = IPVS_CMD_SET_INFO;
3505 else if (cmd == IPVS_CMD_GET_CONFIG)
3506 reply_cmd = IPVS_CMD_SET_CONFIG;
3508 pr_err("unknown Generic Netlink command\n");
3512 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3516 mutex_lock(&__ip_vs_mutex);
3518 reply = genlmsg_put_reply(msg, info, &ip_vs_genl_family, 0, reply_cmd);
3520 goto nla_put_failure;
3523 case IPVS_CMD_GET_SERVICE:
3525 struct ip_vs_service *svc;
3527 svc = ip_vs_genl_find_service(net,
3528 info->attrs[IPVS_CMD_ATTR_SERVICE]);
3533 ret = ip_vs_genl_fill_service(msg, svc);
3535 goto nla_put_failure;
3544 case IPVS_CMD_GET_CONFIG:
3546 struct ip_vs_timeout_user t;
3548 __ip_vs_get_timeouts(net, &t);
3549 #ifdef CONFIG_IP_VS_PROTO_TCP
3550 if (nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP,
3552 nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP_FIN,
3554 goto nla_put_failure;
3556 #ifdef CONFIG_IP_VS_PROTO_UDP
3557 if (nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_UDP, t.udp_timeout))
3558 goto nla_put_failure;
3564 case IPVS_CMD_GET_INFO:
3565 if (nla_put_u32(msg, IPVS_INFO_ATTR_VERSION,
3566 IP_VS_VERSION_CODE) ||
3567 nla_put_u32(msg, IPVS_INFO_ATTR_CONN_TAB_SIZE,
3568 ip_vs_conn_tab_size))
3569 goto nla_put_failure;
3573 genlmsg_end(msg, reply);
3574 ret = genlmsg_reply(msg, info);
3578 pr_err("not enough space in Netlink message\n");
3584 mutex_unlock(&__ip_vs_mutex);
3590 static struct genl_ops ip_vs_genl_ops[] __read_mostly = {
3592 .cmd = IPVS_CMD_NEW_SERVICE,
3593 .flags = GENL_ADMIN_PERM,
3594 .policy = ip_vs_cmd_policy,
3595 .doit = ip_vs_genl_set_cmd,
3598 .cmd = IPVS_CMD_SET_SERVICE,
3599 .flags = GENL_ADMIN_PERM,
3600 .policy = ip_vs_cmd_policy,
3601 .doit = ip_vs_genl_set_cmd,
3604 .cmd = IPVS_CMD_DEL_SERVICE,
3605 .flags = GENL_ADMIN_PERM,
3606 .policy = ip_vs_cmd_policy,
3607 .doit = ip_vs_genl_set_cmd,
3610 .cmd = IPVS_CMD_GET_SERVICE,
3611 .flags = GENL_ADMIN_PERM,
3612 .doit = ip_vs_genl_get_cmd,
3613 .dumpit = ip_vs_genl_dump_services,
3614 .policy = ip_vs_cmd_policy,
3617 .cmd = IPVS_CMD_NEW_DEST,
3618 .flags = GENL_ADMIN_PERM,
3619 .policy = ip_vs_cmd_policy,
3620 .doit = ip_vs_genl_set_cmd,
3623 .cmd = IPVS_CMD_SET_DEST,
3624 .flags = GENL_ADMIN_PERM,
3625 .policy = ip_vs_cmd_policy,
3626 .doit = ip_vs_genl_set_cmd,
3629 .cmd = IPVS_CMD_DEL_DEST,
3630 .flags = GENL_ADMIN_PERM,
3631 .policy = ip_vs_cmd_policy,
3632 .doit = ip_vs_genl_set_cmd,
3635 .cmd = IPVS_CMD_GET_DEST,
3636 .flags = GENL_ADMIN_PERM,
3637 .policy = ip_vs_cmd_policy,
3638 .dumpit = ip_vs_genl_dump_dests,
3641 .cmd = IPVS_CMD_NEW_DAEMON,
3642 .flags = GENL_ADMIN_PERM,
3643 .policy = ip_vs_cmd_policy,
3644 .doit = ip_vs_genl_set_daemon,
3647 .cmd = IPVS_CMD_DEL_DAEMON,
3648 .flags = GENL_ADMIN_PERM,
3649 .policy = ip_vs_cmd_policy,
3650 .doit = ip_vs_genl_set_daemon,
3653 .cmd = IPVS_CMD_GET_DAEMON,
3654 .flags = GENL_ADMIN_PERM,
3655 .dumpit = ip_vs_genl_dump_daemons,
3658 .cmd = IPVS_CMD_SET_CONFIG,
3659 .flags = GENL_ADMIN_PERM,
3660 .policy = ip_vs_cmd_policy,
3661 .doit = ip_vs_genl_set_cmd,
3664 .cmd = IPVS_CMD_GET_CONFIG,
3665 .flags = GENL_ADMIN_PERM,
3666 .doit = ip_vs_genl_get_cmd,
3669 .cmd = IPVS_CMD_GET_INFO,
3670 .flags = GENL_ADMIN_PERM,
3671 .doit = ip_vs_genl_get_cmd,
3674 .cmd = IPVS_CMD_ZERO,
3675 .flags = GENL_ADMIN_PERM,
3676 .policy = ip_vs_cmd_policy,
3677 .doit = ip_vs_genl_set_cmd,
3680 .cmd = IPVS_CMD_FLUSH,
3681 .flags = GENL_ADMIN_PERM,
3682 .doit = ip_vs_genl_set_cmd,
3686 static int __init ip_vs_genl_register(void)
3688 return genl_register_family_with_ops(&ip_vs_genl_family,
3689 ip_vs_genl_ops, ARRAY_SIZE(ip_vs_genl_ops));
3692 static void ip_vs_genl_unregister(void)
3694 genl_unregister_family(&ip_vs_genl_family);
3697 /* End of Generic Netlink interface definitions */
3700 * per netns intit/exit func.
3702 #ifdef CONFIG_SYSCTL
3703 static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
3706 struct netns_ipvs *ipvs = net_ipvs(net);
3707 struct ctl_table *tbl;
3709 atomic_set(&ipvs->dropentry, 0);
3710 spin_lock_init(&ipvs->dropentry_lock);
3711 spin_lock_init(&ipvs->droppacket_lock);
3712 spin_lock_init(&ipvs->securetcp_lock);
3714 if (!net_eq(net, &init_net)) {
3715 tbl = kmemdup(vs_vars, sizeof(vs_vars), GFP_KERNEL);
3719 /* Don't export sysctls to unprivileged users */
3720 if (net->user_ns != &init_user_ns)
3721 tbl[0].procname = NULL;
3724 /* Initialize sysctl defaults */
3726 ipvs->sysctl_amemthresh = 1024;
3727 tbl[idx++].data = &ipvs->sysctl_amemthresh;
3728 ipvs->sysctl_am_droprate = 10;
3729 tbl[idx++].data = &ipvs->sysctl_am_droprate;
3730 tbl[idx++].data = &ipvs->sysctl_drop_entry;
3731 tbl[idx++].data = &ipvs->sysctl_drop_packet;
3732 #ifdef CONFIG_IP_VS_NFCT
3733 tbl[idx++].data = &ipvs->sysctl_conntrack;
3735 tbl[idx++].data = &ipvs->sysctl_secure_tcp;
3736 ipvs->sysctl_snat_reroute = 1;
3737 tbl[idx++].data = &ipvs->sysctl_snat_reroute;
3738 ipvs->sysctl_sync_ver = 1;
3739 tbl[idx++].data = &ipvs->sysctl_sync_ver;
3740 ipvs->sysctl_sync_ports = 1;
3741 tbl[idx++].data = &ipvs->sysctl_sync_ports;
3742 ipvs->sysctl_sync_qlen_max = nr_free_buffer_pages() / 32;
3743 tbl[idx++].data = &ipvs->sysctl_sync_qlen_max;
3744 ipvs->sysctl_sync_sock_size = 0;
3745 tbl[idx++].data = &ipvs->sysctl_sync_sock_size;
3746 tbl[idx++].data = &ipvs->sysctl_cache_bypass;
3747 tbl[idx++].data = &ipvs->sysctl_expire_nodest_conn;
3748 tbl[idx++].data = &ipvs->sysctl_expire_quiescent_template;
3749 ipvs->sysctl_sync_threshold[0] = DEFAULT_SYNC_THRESHOLD;
3750 ipvs->sysctl_sync_threshold[1] = DEFAULT_SYNC_PERIOD;
3751 tbl[idx].data = &ipvs->sysctl_sync_threshold;
3752 tbl[idx++].maxlen = sizeof(ipvs->sysctl_sync_threshold);
3753 ipvs->sysctl_sync_refresh_period = DEFAULT_SYNC_REFRESH_PERIOD;
3754 tbl[idx++].data = &ipvs->sysctl_sync_refresh_period;
3755 ipvs->sysctl_sync_retries = clamp_t(int, DEFAULT_SYNC_RETRIES, 0, 3);
3756 tbl[idx++].data = &ipvs->sysctl_sync_retries;
3757 tbl[idx++].data = &ipvs->sysctl_nat_icmp_send;
3758 ipvs->sysctl_pmtu_disc = 1;
3759 tbl[idx++].data = &ipvs->sysctl_pmtu_disc;
3760 tbl[idx++].data = &ipvs->sysctl_backup_only;
3763 ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);
3764 if (ipvs->sysctl_hdr == NULL) {
3765 if (!net_eq(net, &init_net))
3769 ip_vs_start_estimator(net, &ipvs->tot_stats);
3770 ipvs->sysctl_tbl = tbl;
3771 /* Schedule defense work */
3772 INIT_DELAYED_WORK(&ipvs->defense_work, defense_work_handler);
3773 schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
3778 static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
3780 struct netns_ipvs *ipvs = net_ipvs(net);
3782 cancel_delayed_work_sync(&ipvs->defense_work);
3783 cancel_work_sync(&ipvs->defense_work.work);
3784 unregister_net_sysctl_table(ipvs->sysctl_hdr);
3789 static int __net_init ip_vs_control_net_init_sysctl(struct net *net) { return 0; }
3790 static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net) { }
3794 static struct notifier_block ip_vs_dst_notifier = {
3795 .notifier_call = ip_vs_dst_event,
3798 int __net_init ip_vs_control_net_init(struct net *net)
3801 struct netns_ipvs *ipvs = net_ipvs(net);
3803 rwlock_init(&ipvs->rs_lock);
3805 /* Initialize rs_table */
3806 for (idx = 0; idx < IP_VS_RTAB_SIZE; idx++)
3807 INIT_LIST_HEAD(&ipvs->rs_table[idx]);
3809 INIT_LIST_HEAD(&ipvs->dest_trash);
3810 atomic_set(&ipvs->ftpsvc_counter, 0);
3811 atomic_set(&ipvs->nullsvc_counter, 0);
3814 ipvs->tot_stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
3815 if (!ipvs->tot_stats.cpustats)
3818 spin_lock_init(&ipvs->tot_stats.lock);
3820 proc_create("ip_vs", 0, net->proc_net, &ip_vs_info_fops);
3821 proc_create("ip_vs_stats", 0, net->proc_net, &ip_vs_stats_fops);
3822 proc_create("ip_vs_stats_percpu", 0, net->proc_net,
3823 &ip_vs_stats_percpu_fops);
3825 if (ip_vs_control_net_init_sysctl(net))
3831 free_percpu(ipvs->tot_stats.cpustats);
3835 void __net_exit ip_vs_control_net_cleanup(struct net *net)
3837 struct netns_ipvs *ipvs = net_ipvs(net);
3839 ip_vs_trash_cleanup(net);
3840 ip_vs_stop_estimator(net, &ipvs->tot_stats);
3841 ip_vs_control_net_cleanup_sysctl(net);
3842 remove_proc_entry("ip_vs_stats_percpu", net->proc_net);
3843 remove_proc_entry("ip_vs_stats", net->proc_net);
3844 remove_proc_entry("ip_vs", net->proc_net);
3845 free_percpu(ipvs->tot_stats.cpustats);
3848 int __init ip_vs_register_nl_ioctl(void)
3852 ret = nf_register_sockopt(&ip_vs_sockopts);
3854 pr_err("cannot register sockopt.\n");
3858 ret = ip_vs_genl_register();
3860 pr_err("cannot register Generic Netlink interface.\n");
3866 nf_unregister_sockopt(&ip_vs_sockopts);
3871 void ip_vs_unregister_nl_ioctl(void)
3873 ip_vs_genl_unregister();
3874 nf_unregister_sockopt(&ip_vs_sockopts);
3877 int __init ip_vs_control_init(void)
3884 /* Initialize svc_table, ip_vs_svc_fwm_table, rs_table */
3885 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
3886 INIT_LIST_HEAD(&ip_vs_svc_table[idx]);
3887 INIT_LIST_HEAD(&ip_vs_svc_fwm_table[idx]);
3890 smp_wmb(); /* Do we really need it now ? */
3892 ret = register_netdevice_notifier(&ip_vs_dst_notifier);
3901 void ip_vs_control_cleanup(void)
3904 unregister_netdevice_notifier(&ip_vs_dst_notifier);