/*
 * Field-by-field comparison of a connection template @ct against the
 * lookup parameter @p.  All of the following must hold: same address
 * family, same client address, same virtual address (compared with
 * AF_UNSPEC when p->protocol is IPPROTO_IP, presumably the fwmark case --
 * confirm against the caller), same virtual port and protocol, @ct is
 * flagged as a template, and @ct carries persistence data of the same
 * length and content as @p.
 */
static bool sip_ct_fields_match(const struct ip_vs_conn_param *p,
				const struct ip_vs_conn *ct)
{
	int vaddr_af;

	if (ct->af != p->af)
		return false;
	if (!ip_vs_addr_equal(p->af, p->caddr, &ct->caddr))
		return false;

	vaddr_af = (p->protocol == IPPROTO_IP) ? AF_UNSPEC : p->af;
	if (!ip_vs_addr_equal(vaddr_af, p->vaddr, &ct->vaddr))
		return false;

	if (ct->vport != p->vport || ct->protocol != p->protocol)
		return false;
	if (!(ct->flags & IP_VS_CONN_F_TEMPLATE))
		return false;

	/* persistence data (the SIP Call-ID) must be present and identical */
	if (!ct->pe_data || ct->pe_data_len != p->pe_data_len)
		return false;
	return memcmp(ct->pe_data, p->pe_data, p->pe_data_len) == 0;
}

/*
 * Match a SIP persistence template against a connection lookup parameter.
 *
 * @p:  the parameter describing the connection being looked up
 * @ct: the candidate template entry
 *
 * Returns true on a full match (see sip_ct_fields_match()); the outcome is
 * traced at debug level 9 either way.
 */
static bool ip_vs_sip_ct_match(const struct ip_vs_conn_param *p,
			       struct ip_vs_conn *ct)
{
	bool hit = sip_ct_fields_match(p, ct);

	IP_VS_DBG_BUF(9, "SIP template match %s %s->%s:%d %s\n",
		      ip_vs_proto_name(p->protocol),
		      IP_VS_DEBUG_CALLID(p->pe_data, p->pe_data_len),
		      IP_VS_DBG_ADDR(p->af, p->vaddr), ntohs(p->vport),
		      hit ? "hit" : "not hit");

	return hit;
}
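/*
 *	Check if it's for virtual services, look it up,
 *	and send it on its way...
 *
 *	Netfilter hook for incoming packets.  ICMP is handed to
 *	ip_vs_in_icmp(); only TCP and UDP are handled here.  The packet is
 *	matched against the connection table; a TCP SYN (or any UDP
 *	datagram) for a configured service with no existing entry is
 *	scheduled to a real server and a new entry is created.  The entry's
 *	stats and state are updated and the packet is handed to the
 *	connection's packet_xmit method.
 *
 *	Returns a netfilter verdict: NF_ACCEPT when the packet is not for
 *	IPVS, NF_DROP when the header is malformed, the box is overloaded
 *	or the destination is unavailable, otherwise whatever packet_xmit
 *	(or ip_vs_leave) returns.
 */
static unsigned int ip_vs_in(unsigned int hooknum, struct sk_buff **skb_p,
			     const struct net_device *in,
			     const struct net_device *out,
			     int (*okfn)(struct sk_buff *))
{
	struct sk_buff	*skb = *skb_p;
	struct iphdr	*iph = skb->nh.iph;
	union ip_vs_tphdr h;
	struct ip_vs_conn *cp;
	struct ip_vs_service *svc;
	int ihl;
	int ret;

	/*
	 *	Big tappo: only PACKET_HOST (nor loopback neither mcasts)
	 *	... don't know why 1st test DOES NOT include 2nd (?)
	 */
	if (skb->pkt_type != PACKET_HOST || skb->dev == &loopback_dev) {
		IP_VS_DBG(12, "packet type=%d proto=%d daddr=%d.%d.%d.%d ignored\n",
			  skb->pkt_type, iph->protocol, NIPQUAD(iph->daddr));
		return NF_ACCEPT;
	}

	if (iph->protocol == IPPROTO_ICMP)
		return ip_vs_in_icmp(skb_p);

	/* let it go if other IP protocols */
	if (iph->protocol != IPPROTO_TCP && iph->protocol != IPPROTO_UDP)
		return NF_ACCEPT;

	/* make sure that protocol header available in skb data area,
	   note that skb data area may be reallocated. */
	ihl = iph->ihl << 2;
	if (ip_vs_header_check(skb, iph->protocol, ihl) == -1)
		return NF_DROP;

	/* re-read: ip_vs_header_check() may have moved the data area */
	iph = skb->nh.iph;
	h.raw = (char*) iph + ihl;

	/*
	 *	Check if the packet belongs to an existing connection entry
	 */
	cp = ip_vs_conn_in_get(iph->protocol, iph->saddr, h.portp[0],
			       iph->daddr, h.portp[1]);

	/*
	 *	Only a TCP SYN, or any UDP datagram, may create a new entry.
	 *	Test the protocol before touching h.th->syn: for UDP the
	 *	header check above only guarantees the 8-byte UDP header is
	 *	present, and the TCP flag byte lies beyond it.
	 */
	if (!cp &&
	    (iph->protocol != IPPROTO_TCP || h.th->syn) &&
	    (svc = ip_vs_service_get(skb->nfmark, iph->protocol,
				     iph->daddr, h.portp[1]))) {
		if (ip_vs_todrop()) {
			/*
			 * It seems that we are very loaded.
			 * We have to drop this packet :(
			 */
			ip_vs_service_put(svc);
			return NF_DROP;
		}

		/*
		 * Let the virtual server select a real server for the
		 * incoming connection, and create a connection entry.
		 */
		cp = ip_vs_schedule(svc, iph);
		if (!cp)
			return ip_vs_leave(svc, skb);	/* svc is released by ip_vs_leave -- confirm */
		ip_vs_conn_stats(cp, svc);
		ip_vs_service_put(svc);
	}

	if (!cp) {
		/* sorry, all this trouble for a no-hit :) */
		IP_VS_DBG(12, "packet for %s %d.%d.%d.%d:%d continue "
			  "traversal as normal.\n",
			  ip_vs_proto_name(iph->protocol),
			  NIPQUAD(iph->daddr),
			  ntohs(h.portp[1]));
		return NF_ACCEPT;
	}

	IP_VS_DBG(11, "Incoming %s %u.%u.%u.%u:%d->%u.%u.%u.%u:%d\n",
		  ip_vs_proto_name(iph->protocol),
		  NIPQUAD(iph->saddr), ntohs(h.portp[0]),
		  NIPQUAD(iph->daddr), ntohs(h.portp[1]));

	/* Check the server status */
	if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
		/* the destination server is not available */

		if (sysctl_ip_vs_expire_nodest_conn) {
			/* try to expire the connection immediately
			   (presumably releases our reference -- confirm) */
			ip_vs_conn_expire_now(cp);
		} else {
			/* don't restart its timer, and silently
			   drop the packet. */
			__ip_vs_conn_put(cp);
		}
		return NF_DROP;
	}

	ip_vs_in_stats(cp, skb);
	ip_vs_set_state(cp, VS_STATE_INPUT, iph, h.portp);
	if (cp->packet_xmit)
		ret = cp->packet_xmit(skb, cp);
	else {
		IP_VS_DBG_RL("warning: packet_xmit is null");
		ret = NF_ACCEPT;
	}

	/* increase its packet counter and check if it is needed
	   to be synchronized */
	atomic_inc(&cp->in_pkts);
	if ((ip_vs_sync_state & IP_VS_STATE_MASTER) &&
	    (cp->protocol != IPPROTO_TCP ||
	     cp->state == IP_VS_S_ESTABLISHED) &&
	    (atomic_read(&cp->in_pkts) % 50 == sysctl_ip_vs_sync_threshold))
		ip_vs_sync_conn(cp);

	ip_vs_conn_put(cp);
	return ret;
}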
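/*
 *	It is hooked at the NF_IP_FORWARD chain, used only for VS/NAT.
 *	Check if outgoing packet belongs to the established ip_vs_conn,
 *	rewrite addresses of the packet and send it on its way...
 *
 *	Only TCP and UDP are handled here (ICMP goes to ip_vs_out_icmp()).
 *	Fragments are reassembled first.  For a matching connection the
 *	source address/port are rewritten to the virtual ones, the
 *	application helper (if any) is given a chance to edit the payload,
 *	and the transport checksum is fixed up: incrementally when no helper
 *	is attached, by full recomputation otherwise.
 *
 *	Returns NF_ACCEPT (packet not ours, or mangled and ready to go),
 *	NF_DROP (bad header, linearize failure, bad incoming checksum) or
 *	NF_STOLEN (fragment queued, or ICMP port-unreachable sent on behalf
 *	of a real server with no matching entry).
 */
static unsigned int ip_vs_out(unsigned int hooknum, struct sk_buff **skb_p,
			      const struct net_device *in,
			      const struct net_device *out,
			      int (*okfn)(struct sk_buff *))
{
	struct sk_buff	*skb = *skb_p;
	struct iphdr	*iph;
	union ip_vs_tphdr h;
	struct ip_vs_conn *cp;
	int size;
	int ihl;

	EnterFunction(11);

	/* already processed by IPVS on an earlier hook */
	if (skb->nfcache & NFC_IPVS_PROPERTY)
		return NF_ACCEPT;

	iph = skb->nh.iph;
	if (iph->protocol == IPPROTO_ICMP)
		return ip_vs_out_icmp(skb_p);

	/* let it go if other IP protocols */
	if (iph->protocol != IPPROTO_TCP && iph->protocol != IPPROTO_UDP)
		return NF_ACCEPT;

	/* reassemble IP fragments */
	if (iph->frag_off & __constant_htons(IP_MF|IP_OFFSET)) {
		skb = ip_defrag(skb, IP_DEFRAG_VS_OUT);
		if (!skb)
			return NF_STOLEN;
		iph = skb->nh.iph;
		*skb_p = skb;
	}

	/* make sure that protocol header available in skb data area,
	   note that skb data area may be reallocated. */
	ihl = iph->ihl << 2;
	if (ip_vs_header_check(skb, iph->protocol, ihl) == -1)
		return NF_DROP;

	iph = skb->nh.iph;
	h.raw = (char*) iph + ihl;

	/*
	 *	Check if the packet belongs to an old entry
	 */
	cp = ip_vs_conn_out_get(iph->protocol, iph->saddr, h.portp[0],
				iph->daddr, h.portp[1]);
	if (!cp) {
		if (sysctl_ip_vs_nat_icmp_send &&
		    ip_vs_lookup_real_service(iph->protocol,
					      iph->saddr, h.portp[0])) {
			/*
			 * Notify the real server: there is no existing
			 * entry if it is not RST packet or not TCP packet.
			 *
			 * Test the protocol first: for UDP only the 8-byte
			 * UDP header is guaranteed present, so h.th->rst
			 * must not be read.
			 */
			if (iph->protocol != IPPROTO_TCP || !h.th->rst) {
				icmp_send(skb, ICMP_DEST_UNREACH,
					  ICMP_PORT_UNREACH, 0);
				kfree_skb(skb);
				return NF_STOLEN;
			}
		}
		IP_VS_DBG(12, "packet for %s %d.%d.%d.%d:%d "
			  "continue traversal as normal.\n",
			  ip_vs_proto_name(iph->protocol),
			  NIPQUAD(iph->daddr),
			  ntohs(h.portp[1]));
		if (skb_is_nonlinear(skb))
			ip_send_check(iph);
		return NF_ACCEPT;
	}

	/*
	 * If it has ip_vs_app helper, the helper may change the payload,
	 * so it needs full checksum checking and checksum calculation.
	 * If not, only the header (addr/port) is changed, so it is fast
	 * to do incremental checksum update, and let the destination host
	 * do final checksum checking.
	 */
	if (cp->app && skb_is_nonlinear(skb)) {
		if (skb_linearize(skb, GFP_ATOMIC) != 0) {
			ip_vs_conn_put(cp);
			return NF_DROP;
		}
		/* linearizing may move the data area */
		iph = skb->nh.iph;
		h.raw = (char*) iph + ihl;
	}

	size = skb->len - ihl;
	IP_VS_DBG(11, "O-pkt: %s size=%d\n",
		  ip_vs_proto_name(iph->protocol), size);

	/* do TCP/UDP checksum checking if it has application helper */
	if (cp->app && (iph->protocol != IPPROTO_UDP || h.uh->check != 0)) {
		switch (skb->ip_summed) {
		case CHECKSUM_NONE:
			skb->csum = csum_partial(h.raw, size, 0);
			/* fall through: verify the sum just computed */

		case CHECKSUM_HW:
			if (csum_tcpudp_magic(iph->saddr, iph->daddr, size,
					      iph->protocol, skb->csum)) {
				ip_vs_conn_put(cp);
				IP_VS_DBG_RL("Outgoing failed %s checksum "
					     "from %d.%d.%d.%d (size=%d)!\n",
					     ip_vs_proto_name(iph->protocol),
					     NIPQUAD(iph->saddr),
					     size);
				return NF_DROP;
			}
			break;
		default:
			/* CHECKSUM_UNNECESSARY */
			break;
		}
	}

	IP_VS_DBG(11, "Outgoing %s %u.%u.%u.%u:%d->%u.%u.%u.%u:%d\n",
		  ip_vs_proto_name(iph->protocol),
		  NIPQUAD(iph->saddr), ntohs(h.portp[0]),
		  NIPQUAD(iph->daddr), ntohs(h.portp[1]));

	/* mangle the packet */
	iph->saddr = cp->vaddr;
	h.portp[0] = cp->vport;

	/*
	 *	Call application helper if needed
	 */
	if (ip_vs_app_pkt_out(cp, skb) != 0) {
		/* skb data has probably changed, update pointers */
		iph = skb->nh.iph;
		h.raw = (char*)iph + ihl;
		size = skb->len - ihl;
	}

	/*
	 *	Adjust TCP/UDP checksums
	 */
	if (!cp->app && (iph->protocol != IPPROTO_UDP || h.uh->check != 0)) {
		/* Only port and addr are changed, do fast csum update */
		ip_vs_fast_check_update(&h, cp->daddr, cp->vaddr,
					cp->dport, cp->vport, iph->protocol);
		if (skb->ip_summed == CHECKSUM_HW)
			skb->ip_summed = CHECKSUM_NONE;
	} else {
		/* full checksum calculation */
		switch (iph->protocol) {
		case IPPROTO_TCP:
			h.th->check = 0;
			skb->csum = csum_partial(h.raw, size, 0);
			h.th->check = csum_tcpudp_magic(iph->saddr, iph->daddr,
							size, iph->protocol,
							skb->csum);
			IP_VS_DBG(11, "O-pkt: %s O-csum=%d (+%d)\n",
				  ip_vs_proto_name(iph->protocol), h.th->check,
				  (char*)&(h.th->check) - (char*)h.raw);
			break;
		case IPPROTO_UDP:
			h.uh->check = 0;
			skb->csum = csum_partial(h.raw, size, 0);
			h.uh->check = csum_tcpudp_magic(iph->saddr, iph->daddr,
							size, iph->protocol,
							skb->csum);
			/* a computed zero means "no checksum" on the wire */
			if (h.uh->check == 0)
				h.uh->check = 0xFFFF;
			IP_VS_DBG(11, "O-pkt: %s O-csum=%d (+%d)\n",
				  ip_vs_proto_name(iph->protocol), h.uh->check,
				  (char*)&(h.uh->check) - (char*)h.raw);
			break;
		default:
			/* unreachable: only TCP/UDP get this far */
			break;
		}
	}
	ip_send_check(iph);

	ip_vs_out_stats(cp, skb);
	ip_vs_set_state(cp, VS_STATE_OUTPUT, iph, h.portp);
	ip_vs_conn_put(cp);

	skb->nfcache |= NFC_IPVS_PROPERTY;

	LeaveFunction(11);
	return NF_ACCEPT;
}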
#ifdef CONFIG_IP_VS_IPV6 if (cp->af == AF_INET6) seq_printf(seq, "%-3s %pI6 %04X %pI6 %04X %pI6 %04X %-11s %-6s %7lu\n", ip_vs_proto_name(cp->protocol), &cp->caddr.in6, ntohs(cp->cport), &cp->vaddr.in6, ntohs(cp->vport), &cp->daddr.in6, ntohs(cp->dport), ip_vs_state_name(cp->protocol, cp->state), ip_vs_origin_name(cp->flags), (cp->timer.expires-jiffies)/HZ); else #endif seq_printf(seq, "%-3s %08X %04X %08X %04X " "%08X %04X %-11s %-6s %7lu\n", ip_vs_proto_name(cp->protocol), ntohl(cp->caddr.ip), ntohs(cp->cport), ntohl(cp->vaddr.ip), ntohs(cp->vport), ntohl(cp->daddr.ip), ntohs(cp->dport), ip_vs_state_name(cp->protocol, cp->state), ip_vs_origin_name(cp->flags), (cp->timer.expires-jiffies)/HZ);