2 * ip_vs_xmit.c: various packet transmitters for IPVS
4 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
5 * Julian Anastasov <ja@ssi.bg>
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version
10 * 2 of the License, or (at your option) any later version.
14 * Description of forwarding methods:
15 * - all transmitters are called from LOCAL_IN (remote clients) and
16 * LOCAL_OUT (local clients) but for ICMP can be called from FORWARD
17 * - not all connections have destination server, for example,
18 * connections in backup server when fwmark is used
19 * - bypass connections use daddr from packet
21 * - skb->dev is NULL, skb->protocol is not set (both are set in POST_ROUTING)
22 * - skb->pkt_type is not set yet
23 * - the only place where we can see skb->sk != NULL
26 #define KMSG_COMPONENT "IPVS"
27 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
29 #include <linux/kernel.h>
30 #include <linux/slab.h>
31 #include <linux/tcp.h> /* for tcphdr */
33 #include <net/tcp.h> /* for csum_tcpudp_magic */
35 #include <net/icmp.h> /* for icmp_send */
36 #include <net/route.h> /* for ip_route_output */
38 #include <net/ip6_route.h>
39 #include <net/addrconf.h>
40 #include <linux/icmpv6.h>
41 #include <linux/netfilter.h>
42 #include <linux/netfilter_ipv4.h>
44 #include <net/ip_vs.h>
47 IP_VS_RT_MODE_LOCAL = 1, /* Allow local dest */
48 IP_VS_RT_MODE_NON_LOCAL = 2, /* Allow non-local dest */
49 IP_VS_RT_MODE_RDR = 4, /* Allow redirect from remote daddr to
52 IP_VS_RT_MODE_CONNECT = 8, /* Always bind route to saddr */
53 IP_VS_RT_MODE_KNOWN_NH = 16,/* Route via remote addr */
54 IP_VS_RT_MODE_TUNNEL = 32,/* Tunnel mode */
58 * Destination cache to speed up outgoing route lookup
61 __ip_vs_dst_set(struct ip_vs_dest *dest, struct dst_entry *dst, u32 dst_cookie)
63 struct dst_entry *old_dst;
65 old_dst = dest->dst_cache;
66 dest->dst_cache = dst;
67 dest->dst_cookie = dst_cookie;
71 static inline struct dst_entry *
72 __ip_vs_dst_check(struct ip_vs_dest *dest)
74 struct dst_entry *dst = dest->dst_cache;
78 if (dst->obsolete && dst->ops->check(dst, dest->dst_cookie) == NULL) {
79 dest->dst_cache = NULL;
88 __mtu_check_toobig_v6(const struct sk_buff *skb, u32 mtu)
90 if (IP6CB(skb)->frag_max_size) {
91 /* frag_max_size tell us that, this packet have been
92 * defragmented by netfilter IPv6 conntrack module.
94 if (IP6CB(skb)->frag_max_size > mtu)
95 return true; /* largest fragment violate MTU */
97 else if (skb->len > mtu && !skb_is_gso(skb)) {
98 return true; /* Packet size violate MTU size */
103 /* Get route to daddr, update *saddr, optionally bind route to saddr */
104 static struct rtable *do_output_route4(struct net *net, __be32 daddr,
105 int rt_mode, __be32 *saddr)
111 memset(&fl4, 0, sizeof(fl4));
113 fl4.saddr = (rt_mode & IP_VS_RT_MODE_CONNECT) ? *saddr : 0;
114 fl4.flowi4_flags = (rt_mode & IP_VS_RT_MODE_KNOWN_NH) ?
115 FLOWI_FLAG_KNOWN_NH : 0;
118 rt = ip_route_output_key(net, &fl4);
120 /* Invalid saddr ? */
121 if (PTR_ERR(rt) == -EINVAL && *saddr &&
122 rt_mode & IP_VS_RT_MODE_CONNECT && !loop) {
124 flowi4_update_output(&fl4, 0, 0, daddr, 0);
127 IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n", &daddr);
129 } else if (!*saddr && rt_mode & IP_VS_RT_MODE_CONNECT && fl4.saddr) {
132 flowi4_update_output(&fl4, 0, 0, daddr, fl4.saddr);
140 /* Get route to destination or remote server */
142 __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
143 __be32 daddr, int rt_mode, __be32 *ret_saddr)
145 struct net *net = dev_net(skb_dst(skb)->dev);
146 struct netns_ipvs *ipvs = net_ipvs(net);
147 struct rtable *rt; /* Route to the other host */
148 struct rtable *ort; /* Original route */
155 spin_lock(&dest->dst_lock);
156 rt = (struct rtable *) __ip_vs_dst_check(dest);
158 rt = do_output_route4(net, dest->addr.ip, rt_mode,
159 &dest->dst_saddr.ip);
161 spin_unlock(&dest->dst_lock);
164 __ip_vs_dst_set(dest, dst_clone(&rt->dst), 0);
165 IP_VS_DBG(10, "new dst %pI4, src %pI4, refcnt=%d\n",
166 &dest->addr.ip, &dest->dst_saddr.ip,
167 atomic_read(&rt->dst.__refcnt));
169 daddr = dest->addr.ip;
171 *ret_saddr = dest->dst_saddr.ip;
172 spin_unlock(&dest->dst_lock);
174 __be32 saddr = htonl(INADDR_ANY);
176 /* For such unconfigured boxes avoid many route lookups
177 * for performance reasons because we do not remember saddr
179 rt_mode &= ~IP_VS_RT_MODE_CONNECT;
180 rt = do_output_route4(net, daddr, rt_mode, &saddr);
187 local = (rt->rt_flags & RTCF_LOCAL) ? 1 : 0;
188 if (!((local ? IP_VS_RT_MODE_LOCAL : IP_VS_RT_MODE_NON_LOCAL) &
190 IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI4\n",
191 (rt->rt_flags & RTCF_LOCAL) ?
192 "local":"non-local", &daddr);
196 if (likely(!local)) {
197 if (unlikely(ipv4_is_loopback(iph->saddr))) {
198 IP_VS_DBG_RL("Stopping traffic from loopback address "
199 "%pI4 to non-local address, dest: %pI4\n",
200 &iph->saddr, &daddr);
204 ort = skb_rtable(skb);
205 if (!(rt_mode & IP_VS_RT_MODE_RDR) &&
206 !(ort->rt_flags & RTCF_LOCAL)) {
207 IP_VS_DBG_RL("Redirect from non-local address %pI4 to "
208 "local requires NAT method, dest: %pI4\n",
209 &iph->daddr, &daddr);
212 /* skb to local stack, preserve old route */
217 if (likely(!(rt_mode & IP_VS_RT_MODE_TUNNEL))) {
218 mtu = dst_mtu(&rt->dst);
219 df = iph->frag_off & htons(IP_DF);
221 struct sock *sk = skb->sk;
223 mtu = dst_mtu(&rt->dst) - sizeof(struct iphdr);
225 IP_VS_DBG_RL("%s(): mtu less than 68\n", __func__);
228 ort = skb_rtable(skb);
229 if (!skb->dev && sk && sk->sk_state != TCP_TIME_WAIT)
230 ort->dst.ops->update_pmtu(&ort->dst, sk, NULL, mtu);
231 /* MTU check allowed? */
232 df = sysctl_pmtu_disc(ipvs) ? iph->frag_off & htons(IP_DF) : 0;
236 if (unlikely(df && skb->len > mtu && !skb_is_gso(skb))) {
237 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
238 IP_VS_DBG(1, "frag needed for %pI4\n", &iph->saddr);
243 skb_dst_set(skb, &rt->dst);
252 dst_link_failure(skb);
256 #ifdef CONFIG_IP_VS_IPV6
258 static inline int __ip_vs_is_local_route6(struct rt6_info *rt)
260 return rt->dst.dev && rt->dst.dev->flags & IFF_LOOPBACK;
263 static struct dst_entry *
264 __ip_vs_route_output_v6(struct net *net, struct in6_addr *daddr,
265 struct in6_addr *ret_saddr, int do_xfrm)
267 struct dst_entry *dst;
268 struct flowi6 fl6 = {
272 dst = ip6_route_output(net, NULL, &fl6);
277 if (ipv6_addr_any(&fl6.saddr) &&
278 ipv6_dev_get_saddr(net, ip6_dst_idev(dst)->dev,
279 &fl6.daddr, 0, &fl6.saddr) < 0)
282 dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
288 *ret_saddr = fl6.saddr;
293 IP_VS_DBG_RL("ip6_route_output error, dest: %pI6\n", daddr);
298 * Get route to destination or remote server
301 __ip_vs_get_out_rt_v6(struct sk_buff *skb, struct ip_vs_dest *dest,
302 struct in6_addr *daddr, struct in6_addr *ret_saddr,
303 struct ip_vs_iphdr *ipvsh, int do_xfrm, int rt_mode)
305 struct net *net = dev_net(skb_dst(skb)->dev);
306 struct rt6_info *rt; /* Route to the other host */
307 struct rt6_info *ort; /* Original route */
308 struct dst_entry *dst;
313 spin_lock(&dest->dst_lock);
314 rt = (struct rt6_info *)__ip_vs_dst_check(dest);
318 dst = __ip_vs_route_output_v6(net, &dest->addr.in6,
319 &dest->dst_saddr.in6,
322 spin_unlock(&dest->dst_lock);
325 rt = (struct rt6_info *) dst;
326 cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
327 __ip_vs_dst_set(dest, dst_clone(&rt->dst), cookie);
328 IP_VS_DBG(10, "new dst %pI6, src %pI6, refcnt=%d\n",
329 &dest->addr.in6, &dest->dst_saddr.in6,
330 atomic_read(&rt->dst.__refcnt));
333 *ret_saddr = dest->dst_saddr.in6;
334 spin_unlock(&dest->dst_lock);
336 dst = __ip_vs_route_output_v6(net, daddr, ret_saddr, do_xfrm);
339 rt = (struct rt6_info *) dst;
342 local = __ip_vs_is_local_route6(rt);
343 if (!((local ? IP_VS_RT_MODE_LOCAL : IP_VS_RT_MODE_NON_LOCAL) &
345 IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI6c\n",
346 local ? "local":"non-local", daddr);
349 if (likely(!local)) {
350 if (unlikely((!skb->dev || skb->dev->flags & IFF_LOOPBACK) &&
351 ipv6_addr_type(&ipv6_hdr(skb)->saddr) &
352 IPV6_ADDR_LOOPBACK)) {
353 IP_VS_DBG_RL("Stopping traffic from loopback address "
354 "%pI6c to non-local address, "
356 &ipv6_hdr(skb)->saddr, daddr);
360 ort = (struct rt6_info *) skb_dst(skb);
361 if (!(rt_mode & IP_VS_RT_MODE_RDR) &&
362 !__ip_vs_is_local_route6(ort)) {
363 IP_VS_DBG_RL("Redirect from non-local address %pI6c "
364 "to local requires NAT method, "
366 &ipv6_hdr(skb)->daddr, daddr);
369 /* skb to local stack, preserve old route */
370 dst_release(&rt->dst);
375 if (likely(!(rt_mode & IP_VS_RT_MODE_TUNNEL)))
376 mtu = dst_mtu(&rt->dst);
378 struct sock *sk = skb->sk;
380 mtu = dst_mtu(&rt->dst) - sizeof(struct ipv6hdr);
381 if (mtu < IPV6_MIN_MTU) {
382 IP_VS_DBG_RL("%s(): mtu less than %d\n", __func__,
386 ort = (struct rt6_info *) skb_dst(skb);
387 if (!skb->dev && sk && sk->sk_state != TCP_TIME_WAIT)
388 ort->dst.ops->update_pmtu(&ort->dst, sk, NULL, mtu);
391 if (unlikely(__mtu_check_toobig_v6(skb, mtu))) {
393 skb->dev = net->loopback_dev;
394 /* only send ICMP too big on first fragment */
395 if (!ipvsh->fragoffs)
396 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
397 IP_VS_DBG(1, "frag needed for %pI6c\n", &ipv6_hdr(skb)->saddr);
402 skb_dst_set(skb, &rt->dst);
407 dst_release(&rt->dst);
411 dst_link_failure(skb);
417 /* return NF_ACCEPT to allow forwarding or other NF_xxx on error */
418 static inline int ip_vs_tunnel_xmit_prepare(struct sk_buff *skb,
419 struct ip_vs_conn *cp)
423 skb->ipvs_property = 1;
424 if (unlikely(cp->flags & IP_VS_CONN_F_NFCT))
425 ret = ip_vs_confirm_conntrack(skb);
426 if (ret == NF_ACCEPT) {
428 skb_forward_csum(skb);
433 /* return NF_STOLEN (sent) or NF_ACCEPT if local=1 (not sent) */
434 static inline int ip_vs_nat_send_or_cont(int pf, struct sk_buff *skb,
435 struct ip_vs_conn *cp, int local)
439 skb->ipvs_property = 1;
440 if (likely(!(cp->flags & IP_VS_CONN_F_NFCT)))
443 ip_vs_update_conntrack(skb, cp, 1);
445 skb_forward_csum(skb);
446 NF_HOOK(pf, NF_INET_LOCAL_OUT, skb, NULL, skb_dst(skb)->dev,
453 /* return NF_STOLEN (sent) or NF_ACCEPT if local=1 (not sent) */
454 static inline int ip_vs_send_or_cont(int pf, struct sk_buff *skb,
455 struct ip_vs_conn *cp, int local)
459 skb->ipvs_property = 1;
460 if (likely(!(cp->flags & IP_VS_CONN_F_NFCT)))
463 skb_forward_csum(skb);
464 NF_HOOK(pf, NF_INET_LOCAL_OUT, skb, NULL, skb_dst(skb)->dev,
473 * NULL transmitter (do nothing except return NF_ACCEPT)
476 ip_vs_null_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
477 struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh)
479 /* we do not touch skb and do not need pskb ptr */
480 return ip_vs_send_or_cont(NFPROTO_IPV4, skb, cp, 1);
486 * Let packets bypass the destination when the destination is not
487 * available, it may be only used in transparent cache cluster.
490 ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
491 struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh)
493 struct iphdr *iph = ip_hdr(skb);
497 if (__ip_vs_get_out_rt(skb, NULL, iph->daddr, IP_VS_RT_MODE_NON_LOCAL,
503 /* Another hack: avoid icmp_send in ip_fragment */
506 ip_vs_send_or_cont(NFPROTO_IPV4, skb, cp, 0);
517 #ifdef CONFIG_IP_VS_IPV6
519 ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
520 struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh)
524 if (__ip_vs_get_out_rt_v6(skb, NULL, &ipvsh->daddr.in6, NULL,
525 ipvsh, 0, IP_VS_RT_MODE_NON_LOCAL) < 0)
528 /* Another hack: avoid icmp_send in ip_fragment */
531 ip_vs_send_or_cont(NFPROTO_IPV6, skb, cp, 0);
544 * NAT transmitter (only for outside-to-inside nat forwarding)
545 * Not used for related ICMP
548 ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
549 struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh)
551 struct rtable *rt; /* Route to the other host */
552 int local, rc, was_input;
556 /* check if it is a connection of no-client-port */
557 if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {
560 p = skb_header_pointer(skb, ipvsh->len, sizeof(_pt), &_pt);
563 ip_vs_conn_fill_cport(cp, *p);
564 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
567 was_input = rt_is_input_route(skb_rtable(skb));
568 local = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
569 IP_VS_RT_MODE_LOCAL |
570 IP_VS_RT_MODE_NON_LOCAL |
571 IP_VS_RT_MODE_RDR, NULL);
574 rt = skb_rtable(skb);
576 * Avoid duplicate tuple in reply direction for NAT traffic
577 * to local address when connection is sync-ed
579 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
580 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
581 enum ip_conntrack_info ctinfo;
582 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
584 if (ct && !nf_ct_is_untracked(ct)) {
585 IP_VS_DBG_RL_PKT(10, AF_INET, pp, skb, 0,
587 "stopping DNAT to local address");
593 /* From world but DNAT to loopback address? */
594 if (local && ipv4_is_loopback(cp->daddr.ip) && was_input) {
595 IP_VS_DBG_RL_PKT(1, AF_INET, pp, skb, 0, "ip_vs_nat_xmit(): "
596 "stopping DNAT to loopback address");
600 /* copy-on-write the packet before mangling it */
601 if (!skb_make_writable(skb, sizeof(struct iphdr)))
604 if (skb_cow(skb, rt->dst.dev->hard_header_len))
607 /* mangle the packet */
608 if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp, ipvsh))
610 ip_hdr(skb)->daddr = cp->daddr.ip;
611 ip_send_check(ip_hdr(skb));
613 IP_VS_DBG_PKT(10, AF_INET, pp, skb, 0, "After DNAT");
615 /* FIXME: when application helper enlarges the packet and the length
616 is larger than the MTU of outgoing device, there will be still
619 /* Another hack: avoid icmp_send in ip_fragment */
622 rc = ip_vs_nat_send_or_cont(NFPROTO_IPV4, skb, cp, local);
633 #ifdef CONFIG_IP_VS_IPV6
635 ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
636 struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh)
638 struct rt6_info *rt; /* Route to the other host */
643 /* check if it is a connection of no-client-port */
644 if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT && !ipvsh->fragoffs)) {
646 p = skb_header_pointer(skb, ipvsh->len, sizeof(_pt), &_pt);
649 ip_vs_conn_fill_cport(cp, *p);
650 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
653 local = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
655 IP_VS_RT_MODE_LOCAL |
656 IP_VS_RT_MODE_NON_LOCAL |
660 rt = (struct rt6_info *) skb_dst(skb);
662 * Avoid duplicate tuple in reply direction for NAT traffic
663 * to local address when connection is sync-ed
665 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
666 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
667 enum ip_conntrack_info ctinfo;
668 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
670 if (ct && !nf_ct_is_untracked(ct)) {
671 IP_VS_DBG_RL_PKT(10, AF_INET6, pp, skb, 0,
672 "ip_vs_nat_xmit_v6(): "
673 "stopping DNAT to local address");
679 /* From world but DNAT to loopback address? */
680 if (local && skb->dev && !(skb->dev->flags & IFF_LOOPBACK) &&
681 ipv6_addr_type(&rt->rt6i_dst.addr) & IPV6_ADDR_LOOPBACK) {
682 IP_VS_DBG_RL_PKT(1, AF_INET6, pp, skb, 0,
683 "ip_vs_nat_xmit_v6(): "
684 "stopping DNAT to loopback address");
688 /* copy-on-write the packet before mangling it */
689 if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
692 if (skb_cow(skb, rt->dst.dev->hard_header_len))
695 /* mangle the packet */
696 if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp, ipvsh))
698 ipv6_hdr(skb)->daddr = cp->daddr.in6;
700 IP_VS_DBG_PKT(10, AF_INET6, pp, skb, 0, "After DNAT");
702 /* FIXME: when application helper enlarges the packet and the length
703 is larger than the MTU of outgoing device, there will be still
706 /* Another hack: avoid icmp_send in ip_fragment */
709 rc = ip_vs_nat_send_or_cont(NFPROTO_IPV6, skb, cp, local);
723 * IP Tunneling transmitter
725 * This function encapsulates the packet in a new IP packet, its
726 * destination will be set to cp->daddr. Most code of this function
727 * is taken from ipip.c.
729 * It is used in VS/TUN cluster. The load balancer selects a real
730 * server from a cluster based on a scheduling algorithm,
731 * encapsulates the request packet and forwards it to the selected
732 * server. For example, all real servers are configured with
733 * "ifconfig tunl0 <Virtual IP Address> up". When the server receives
734 * the encapsulated packet, it will decapsulate the packet, processe
735 * the request and return the response packets directly to the client
736 * without passing the load balancer. This can greatly increase the
737 * scalability of virtual server.
739 * Used for ANY protocol
742 ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
743 struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh)
745 struct netns_ipvs *ipvs = net_ipvs(skb_net(skb));
746 struct rtable *rt; /* Route to the other host */
747 __be32 saddr; /* Source for tunnel */
748 struct net_device *tdev; /* Device to other host */
749 struct iphdr *old_iph = ip_hdr(skb);
750 u8 tos = old_iph->tos;
752 struct iphdr *iph; /* Our new IP header */
753 unsigned int max_headroom; /* The extra header space needed */
758 local = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
759 IP_VS_RT_MODE_LOCAL |
760 IP_VS_RT_MODE_NON_LOCAL |
761 IP_VS_RT_MODE_CONNECT |
762 IP_VS_RT_MODE_TUNNEL, &saddr);
766 return ip_vs_send_or_cont(NFPROTO_IPV4, skb, cp, 1);
768 rt = skb_rtable(skb);
771 /* Copy DF, reset fragment offset and MF */
772 df = sysctl_pmtu_disc(ipvs) ? old_iph->frag_off & htons(IP_DF) : 0;
775 * Okay, now see if we can stuff it in the buffer as-is.
777 max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct iphdr);
779 if (skb_headroom(skb) < max_headroom || skb_cloned(skb)) {
780 struct sk_buff *new_skb =
781 skb_realloc_headroom(skb, max_headroom);
787 old_iph = ip_hdr(skb);
790 skb->transport_header = skb->network_header;
792 /* fix old IP header checksum */
793 ip_send_check(old_iph);
795 skb_push(skb, sizeof(struct iphdr));
796 skb_reset_network_header(skb);
797 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
800 * Push down and install the IPIP header.
804 iph->ihl = sizeof(struct iphdr)>>2;
806 iph->protocol = IPPROTO_IPIP;
808 iph->daddr = cp->daddr.ip;
810 iph->ttl = old_iph->ttl;
811 ip_select_ident(iph, &rt->dst, NULL);
813 /* Another hack: avoid icmp_send in ip_fragment */
816 ret = ip_vs_tunnel_xmit_prepare(skb, cp);
817 if (ret == NF_ACCEPT)
819 else if (ret == NF_DROP)
832 #ifdef CONFIG_IP_VS_IPV6
834 ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
835 struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh)
837 struct rt6_info *rt; /* Route to the other host */
838 struct in6_addr saddr; /* Source for tunnel */
839 struct net_device *tdev; /* Device to other host */
840 struct ipv6hdr *old_iph = ipv6_hdr(skb);
841 struct ipv6hdr *iph; /* Our new IP header */
842 unsigned int max_headroom; /* The extra header space needed */
847 local = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6,
849 IP_VS_RT_MODE_LOCAL |
850 IP_VS_RT_MODE_NON_LOCAL |
851 IP_VS_RT_MODE_TUNNEL);
855 return ip_vs_send_or_cont(NFPROTO_IPV6, skb, cp, 1);
857 rt = (struct rt6_info *) skb_dst(skb);
861 * Okay, now see if we can stuff it in the buffer as-is.
863 max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct ipv6hdr);
865 if (skb_headroom(skb) < max_headroom || skb_cloned(skb)) {
866 struct sk_buff *new_skb =
867 skb_realloc_headroom(skb, max_headroom);
873 old_iph = ipv6_hdr(skb);
876 skb->transport_header = skb->network_header;
878 skb_push(skb, sizeof(struct ipv6hdr));
879 skb_reset_network_header(skb);
880 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
883 * Push down and install the IPIP header.
887 iph->nexthdr = IPPROTO_IPV6;
888 iph->payload_len = old_iph->payload_len;
889 be16_add_cpu(&iph->payload_len, sizeof(*old_iph));
890 iph->priority = old_iph->priority;
891 memset(&iph->flow_lbl, 0, sizeof(iph->flow_lbl));
892 iph->daddr = cp->daddr.in6;
894 iph->hop_limit = old_iph->hop_limit;
896 /* Another hack: avoid icmp_send in ip_fragment */
899 ret = ip_vs_tunnel_xmit_prepare(skb, cp);
900 if (ret == NF_ACCEPT)
902 else if (ret == NF_DROP)
918 * Direct Routing transmitter
919 * Used for ANY protocol
922 ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
923 struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh)
929 local = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
930 IP_VS_RT_MODE_LOCAL |
931 IP_VS_RT_MODE_NON_LOCAL |
932 IP_VS_RT_MODE_KNOWN_NH, NULL);
936 return ip_vs_send_or_cont(NFPROTO_IPV4, skb, cp, 1);
938 ip_send_check(ip_hdr(skb));
940 /* Another hack: avoid icmp_send in ip_fragment */
943 ip_vs_send_or_cont(NFPROTO_IPV4, skb, cp, 0);
954 #ifdef CONFIG_IP_VS_IPV6
956 ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
957 struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh)
963 local = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
965 IP_VS_RT_MODE_LOCAL |
966 IP_VS_RT_MODE_NON_LOCAL);
970 return ip_vs_send_or_cont(NFPROTO_IPV6, skb, cp, 1);
972 /* Another hack: avoid icmp_send in ip_fragment */
975 ip_vs_send_or_cont(NFPROTO_IPV6, skb, cp, 0);
989 * ICMP packet transmitter
990 * called by the ip_vs_in_icmp
993 ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
994 struct ip_vs_protocol *pp, int offset, unsigned int hooknum,
995 struct ip_vs_iphdr *iph)
997 struct rtable *rt; /* Route to the other host */
1000 int rt_mode, was_input;
1004 /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
1005 forwarded directly here, because there is no need to
1006 translate address/port back */
1007 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
1008 if (cp->packet_xmit)
1009 rc = cp->packet_xmit(skb, cp, pp, iph);
1012 /* do not touch skb anymore */
1013 atomic_inc(&cp->in_pkts);
1018 * mangle and send the packet here (only for VS/NAT)
1020 was_input = rt_is_input_route(skb_rtable(skb));
1022 /* LOCALNODE from FORWARD hook is not supported */
1023 rt_mode = (hooknum != NF_INET_FORWARD) ?
1024 IP_VS_RT_MODE_LOCAL | IP_VS_RT_MODE_NON_LOCAL |
1025 IP_VS_RT_MODE_RDR : IP_VS_RT_MODE_NON_LOCAL;
1026 local = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip, rt_mode, NULL);
1029 rt = skb_rtable(skb);
1032 * Avoid duplicate tuple in reply direction for NAT traffic
1033 * to local address when connection is sync-ed
1035 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
1036 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
1037 enum ip_conntrack_info ctinfo;
1038 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1040 if (ct && !nf_ct_is_untracked(ct)) {
1041 IP_VS_DBG(10, "%s(): "
1042 "stopping DNAT to local address %pI4\n",
1043 __func__, &cp->daddr.ip);
1049 /* From world but DNAT to loopback address? */
1050 if (local && ipv4_is_loopback(cp->daddr.ip) && was_input) {
1051 IP_VS_DBG(1, "%s(): "
1052 "stopping DNAT to loopback %pI4\n",
1053 __func__, &cp->daddr.ip);
1057 /* copy-on-write the packet before mangling it */
1058 if (!skb_make_writable(skb, offset))
1061 if (skb_cow(skb, rt->dst.dev->hard_header_len))
1064 ip_vs_nat_icmp(skb, pp, cp, 0);
1066 /* Another hack: avoid icmp_send in ip_fragment */
1069 rc = ip_vs_nat_send_or_cont(NFPROTO_IPV4, skb, cp, local);
1080 #ifdef CONFIG_IP_VS_IPV6
1082 ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
1083 struct ip_vs_protocol *pp, int offset, unsigned int hooknum,
1084 struct ip_vs_iphdr *ipvsh)
1086 struct rt6_info *rt; /* Route to the other host */
1093 /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
1094 forwarded directly here, because there is no need to
1095 translate address/port back */
1096 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
1097 if (cp->packet_xmit)
1098 rc = cp->packet_xmit(skb, cp, pp, ipvsh);
1101 /* do not touch skb anymore */
1102 atomic_inc(&cp->in_pkts);
1107 * mangle and send the packet here (only for VS/NAT)
1110 /* LOCALNODE from FORWARD hook is not supported */
1111 rt_mode = (hooknum != NF_INET_FORWARD) ?
1112 IP_VS_RT_MODE_LOCAL | IP_VS_RT_MODE_NON_LOCAL |
1113 IP_VS_RT_MODE_RDR : IP_VS_RT_MODE_NON_LOCAL;
1114 local = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
1118 rt = (struct rt6_info *) skb_dst(skb);
1120 * Avoid duplicate tuple in reply direction for NAT traffic
1121 * to local address when connection is sync-ed
1123 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
1124 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
1125 enum ip_conntrack_info ctinfo;
1126 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1128 if (ct && !nf_ct_is_untracked(ct)) {
1129 IP_VS_DBG(10, "%s(): "
1130 "stopping DNAT to local address %pI6\n",
1131 __func__, &cp->daddr.in6);
1137 /* From world but DNAT to loopback address? */
1138 if (local && skb->dev && !(skb->dev->flags & IFF_LOOPBACK) &&
1139 ipv6_addr_type(&rt->rt6i_dst.addr) & IPV6_ADDR_LOOPBACK) {
1140 IP_VS_DBG(1, "%s(): "
1141 "stopping DNAT to loopback %pI6\n",
1142 __func__, &cp->daddr.in6);
1146 /* copy-on-write the packet before mangling it */
1147 if (!skb_make_writable(skb, offset))
1150 if (skb_cow(skb, rt->dst.dev->hard_header_len))
1153 ip_vs_nat_icmp_v6(skb, pp, cp, 0);
1155 /* Another hack: avoid icmp_send in ip_fragment */
1158 rc = ip_vs_nat_send_or_cont(NFPROTO_IPV6, skb, cp, local);