static int sctp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, int *verdict, struct ip_vs_conn **cpp) { struct net *net; struct ip_vs_service *svc; sctp_chunkhdr_t _schunkh, *sch; sctp_sctphdr_t *sh, _sctph; struct ip_vs_iphdr iph; ip_vs_fill_iphdr(af, skb_network_header(skb), &iph); sh = skb_header_pointer(skb, iph.len, sizeof(_sctph), &_sctph); if (sh == NULL) return 0; sch = skb_header_pointer(skb, iph.len + sizeof(sctp_sctphdr_t), sizeof(_schunkh), &_schunkh); if (sch == NULL) return 0; net = skb_net(skb); if ((sch->type == SCTP_CID_INIT) && (svc = ip_vs_service_get(net, af, skb->mark, iph.protocol, &iph.daddr, sh->dest))) { int ignored; if (ip_vs_todrop(net_ipvs(net))) { /* * It seems that we are very loaded. * We have to drop this packet :( */ ip_vs_service_put(svc); *verdict = NF_DROP; return 0; } /* * Let the virtual server select a real server for the * incoming connection, and create a connection entry. */ *cpp = ip_vs_schedule(svc, skb, pd, &ignored); if (!*cpp && ignored <= 0) { if (!ignored) *verdict = ip_vs_leave(svc, skb, pd); else { ip_vs_service_put(svc); *verdict = NF_DROP; } return 0; } ip_vs_service_put(svc); } /* NF_ACCEPT */ return 1; }
/* * Syn-proxy step 2 logic * Receive client's 3-handshakes Ack packet, do cookie check * and then send syn to rs after creating a session. * */ int ip_vs_synproxy_ack_rcv(int af, struct sk_buff *skb, struct tcphdr *th, struct ip_vs_protocol *pp, struct ip_vs_conn **cpp, struct ip_vs_iphdr *iph, int *verdict) { struct ip_vs_synproxy_opt opt; struct ip_vs_service *svc; int res_cookie_check; /* * Don't check svc syn-proxy flag, as it may * be changed after syn-proxy step 1. */ if (!th->syn && th->ack && !th->rst && !th->fin && (svc = ip_vs_service_get(af, skb->mark, iph->protocol, &iph->daddr, th->dest))) { if (ip_vs_todrop()) { /* * It seems that we are very loaded. * We have to drop this packet :( */ ip_vs_service_put(svc); *verdict = NF_DROP; return 0; } if (sysctl_ip_vs_synproxy_defer && !syn_proxy_ack_has_data(skb, iph, th)) { /* update statistics */ IP_VS_INC_ESTATS(ip_vs_esmib, SYNPROXY_NULL_ACK); /* * When expecting ack packet with payload, * we get a pure ack, so have to drop it. */ ip_vs_service_put(svc); *verdict = NF_DROP; return 0; } /* * Import: set tcp hdr before cookie check, as it * will be used in cookie_check funcs. */ skb_set_transport_header(skb, iph->len); #ifdef CONFIG_IP_VS_IPV6 if (af == AF_INET6) { res_cookie_check = ip_vs_synproxy_v6_cookie_check(skb, ntohl (th-> ack_seq) - 1, &opt); } else #endif { res_cookie_check = ip_vs_synproxy_v4_cookie_check(skb, ntohl (th-> ack_seq) - 1, &opt); } if (!res_cookie_check) { /* update statistics */ IP_VS_INC_ESTATS(ip_vs_esmib, SYNPROXY_BAD_ACK); /* * Cookie check fail, drop it. */ IP_VS_DBG(6, "syn_cookie check failed seq=%u\n", ntohl(th->ack_seq) - 1); ip_vs_service_put(svc); *verdict = NF_DROP; return 0; } /* update statistics */ IP_VS_INC_ESTATS(ip_vs_esmib, SYNPROXY_OK_ACK); /* * Let the virtual server select a real server for the * incoming connection, and create a connection entry. */ *cpp = ip_vs_schedule(svc, skb, 1); if (!*cpp) { IP_VS_DBG(6, "ip_vs_schedule failed\n"); *verdict = ip_vs_leave(svc, skb, pp); return 0; } /* * Release service, we don't need it any more. */ ip_vs_service_put(svc); /* * Do anything but print a error msg when fail. * Because session will be correctly freed in ip_vs_conn_expire. */ if (!syn_proxy_send_rs_syn(af, th, *cpp, skb, pp, &opt)) { IP_VS_ERR_RL("syn_proxy_send_rs_syn failed!\n"); } /* count in the ack packet (STOLEN by synproxy) */ ip_vs_in_stats(*cpp, skb); /* * Active sesion timer, and dec refcnt. * Also stole the skb, and let caller return immediately. */ ip_vs_conn_put(*cpp); *verdict = NF_STOLEN; return 0; } return 1; }
/* * syn-proxy step 1 logic: * Check if synproxy is enabled for this skb, and * send Syn/Ack back. * * Synproxy is enabled when: * 1) skb is a Syn packet. * 2) And the service is synproxy-enable. * 3) And ip_vs_todrop return false. * * @return 0 means the caller should return at once and use * verdict as return value, return 1 for nothing. */ int ip_vs_synproxy_syn_rcv(int af, struct sk_buff *skb, struct ip_vs_iphdr *iph, int *verdict) { struct ip_vs_service *svc = NULL; struct tcphdr _tcph, *th; struct ip_vs_synproxy_opt tcp_opt; th = skb_header_pointer(skb, iph->len, sizeof(_tcph), &_tcph); if (unlikely(th == NULL)) { goto syn_rcv_out; } if (th->syn && !th->ack && !th->rst && !th->fin && (svc = ip_vs_service_get(af, skb->mark, iph->protocol, &iph->daddr, th->dest)) && (svc->flags & IP_VS_CONN_F_SYNPROXY)) { // release service here, because don't use it any all. ip_vs_service_put(svc); if (ip_vs_todrop()) { /* * It seems that we are very loaded. * We have to drop this packet :( */ goto syn_rcv_out; } } else { /* * release service. */ if (svc != NULL) { ip_vs_service_put(svc); } return 1; } /* update statistics */ IP_VS_INC_ESTATS(ip_vs_esmib, SYNPROXY_SYN_CNT); /* Try to reuse skb if possible */ if (unlikely(skb_shared(skb) || skb_cloned(skb))) { struct sk_buff *new_skb = skb_copy(skb, GFP_ATOMIC); if (unlikely(new_skb == NULL)) { goto syn_rcv_out; } /* Drop old skb */ kfree_skb(skb); skb = new_skb; } /* reuse skb here: deal with tcp options, exchage ip, port. */ syn_proxy_reuse_skb(af, skb, &tcp_opt); if (unlikely(skb->dev == NULL)) { IP_VS_ERR_RL("%s: skb->dev is null !!!\n", __func__); goto syn_rcv_out; } /* Send the packet out */ if (likely(skb->dev->type == ARPHRD_ETHER)) { unsigned char t_hwaddr[ETH_ALEN]; /* Move the data pointer to point to the link layer header */ struct ethhdr *eth = (struct ethhdr *)skb_mac_header(skb); skb->data = (unsigned char *)skb_mac_header(skb); skb->len += ETH_HLEN; //sizeof(skb->mac.ethernet); memcpy(t_hwaddr, (eth->h_dest), ETH_ALEN); memcpy((eth->h_dest), (eth->h_source), ETH_ALEN); memcpy((eth->h_source), t_hwaddr, ETH_ALEN); skb->pkt_type = PACKET_OUTGOING; } else if (skb->dev->type == ARPHRD_LOOPBACK) { /* set link layer */ if (likely(skb_mac_header_was_set(skb))) { skb->data = skb_mac_header(skb); skb->len += sizeof(struct ethhdr); } else { skb_push(skb, sizeof(struct ethhdr)); skb_reset_mac_header(skb); } } dev_queue_xmit(skb); *verdict = NF_STOLEN; return 0; syn_rcv_out: /* Drop the packet when all things are right also, * then we needn't to kfree_skb() */ *verdict = NF_DROP; return 0; }
/* * Check if it's for virtual services, look it up, * and send it on its way... */ static unsigned int ip_vs_in(unsigned int hooknum, struct sk_buff **skb_p, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { struct sk_buff *skb = *skb_p; struct iphdr *iph = skb->nh.iph; union ip_vs_tphdr h; struct ip_vs_conn *cp; struct ip_vs_service *svc; int ihl; int ret; /* * Big tappo: only PACKET_HOST (nor loopback neither mcasts) * ... don't know why 1st test DOES NOT include 2nd (?) */ if (skb->pkt_type != PACKET_HOST || skb->dev == &loopback_dev) { IP_VS_DBG(12, "packet type=%d proto=%d daddr=%d.%d.%d.%d ignored\n", skb->pkt_type, iph->protocol, NIPQUAD(iph->daddr)); return NF_ACCEPT; } if (iph->protocol == IPPROTO_ICMP) return ip_vs_in_icmp(skb_p); /* let it go if other IP protocols */ if (iph->protocol != IPPROTO_TCP && iph->protocol != IPPROTO_UDP) return NF_ACCEPT; /* make sure that protocol header available in skb data area, note that skb data area may be reallocated. */ ihl = iph->ihl << 2; if (ip_vs_header_check(skb, iph->protocol, ihl) == -1) return NF_DROP; iph = skb->nh.iph; h.raw = (char*) iph + ihl; /* * Check if the packet belongs to an existing connection entry */ cp = ip_vs_conn_in_get(iph->protocol, iph->saddr, h.portp[0], iph->daddr, h.portp[1]); if (!cp && (h.th->syn || (iph->protocol!=IPPROTO_TCP)) && (svc = ip_vs_service_get(skb->nfmark, iph->protocol, iph->daddr, h.portp[1]))) { if (ip_vs_todrop()) { /* * It seems that we are very loaded. * We have to drop this packet :( */ ip_vs_service_put(svc); return NF_DROP; } /* * Let the virtual server select a real server for the * incoming connection, and create a connection entry. */ cp = ip_vs_schedule(svc, iph); if (!cp) return ip_vs_leave(svc, skb); ip_vs_conn_stats(cp, svc); ip_vs_service_put(svc); } if (!cp) { /* sorry, all this trouble for a no-hit :) */ IP_VS_DBG(12, "packet for %s %d.%d.%d.%d:%d continue " "traversal as normal.\n", ip_vs_proto_name(iph->protocol), NIPQUAD(iph->daddr), ntohs(h.portp[1])); return NF_ACCEPT; } IP_VS_DBG(11, "Incoming %s %u.%u.%u.%u:%d->%u.%u.%u.%u:%d\n", ip_vs_proto_name(iph->protocol), NIPQUAD(iph->saddr), ntohs(h.portp[0]), NIPQUAD(iph->daddr), ntohs(h.portp[1])); /* Check the server status */ if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) { /* the destination server is not available */ if (sysctl_ip_vs_expire_nodest_conn) { /* try to expire the connection immediately */ ip_vs_conn_expire_now(cp); } else { /* don't restart its timer, and silently drop the packet. */ __ip_vs_conn_put(cp); } return NF_DROP; } ip_vs_in_stats(cp, skb); ip_vs_set_state(cp, VS_STATE_INPUT, iph, h.portp); if (cp->packet_xmit) ret = cp->packet_xmit(skb, cp); else { IP_VS_DBG_RL("warning: packet_xmit is null"); ret = NF_ACCEPT; } /* increase its packet counter and check if it is needed to be synchronized */ atomic_inc(&cp->in_pkts); if (ip_vs_sync_state & IP_VS_STATE_MASTER && (cp->protocol != IPPROTO_TCP || cp->state == IP_VS_S_ESTABLISHED) && (atomic_read(&cp->in_pkts) % 50 == sysctl_ip_vs_sync_threshold)) ip_vs_sync_conn(cp); ip_vs_conn_put(cp); return ret; }
static int tcp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, int *verdict, struct ip_vs_conn **cpp, struct ip_vs_iphdr *iph) { struct ip_vs_service *svc; struct tcphdr _tcph, *th; __be16 _ports[2], *ports = NULL; /* In the event of icmp, we're only guaranteed to have the first 8 * bytes of the transport header, so we only check the rest of the * TCP packet for non-ICMP packets */ if (likely(!ip_vs_iph_icmp(iph))) { th = skb_header_pointer(skb, iph->len, sizeof(_tcph), &_tcph); if (th) { if (th->rst || !(sysctl_sloppy_tcp(ipvs) || th->syn)) return 1; ports = &th->source; } } else { ports = skb_header_pointer( skb, iph->len, sizeof(_ports), &_ports); } if (!ports) { *verdict = NF_DROP; return 0; } /* No !th->ack check to allow scheduling on SYN+ACK for Active FTP */ rcu_read_lock(); if (likely(!ip_vs_iph_inverse(iph))) svc = ip_vs_service_find(ipvs, af, skb->mark, iph->protocol, &iph->daddr, ports[1]); else svc = ip_vs_service_find(ipvs, af, skb->mark, iph->protocol, &iph->saddr, ports[0]); if (svc) { int ignored; if (ip_vs_todrop(ipvs)) { /* * It seems that we are very loaded. * We have to drop this packet :( */ rcu_read_unlock(); *verdict = NF_DROP; return 0; } /* * Let the virtual server select a real server for the * incoming connection, and create a connection entry. */ *cpp = ip_vs_schedule(svc, skb, pd, &ignored, iph); if (!*cpp && ignored <= 0) { if (!ignored) *verdict = ip_vs_leave(svc, skb, pd, iph); else *verdict = NF_DROP; rcu_read_unlock(); return 0; } } rcu_read_unlock(); /* NF_ACCEPT */ return 1; }
static int tcp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp, int *verdict, struct ip_vs_conn **cpp) { struct ip_vs_service *svc; struct tcphdr _tcph, *th; struct ip_vs_iphdr iph; ip_vs_fill_iphdr(af, skb_network_header(skb), &iph); th = skb_header_pointer(skb, iph.len, sizeof(_tcph), &_tcph); if (th == NULL) { *verdict = NF_DROP; return 0; } /* * Syn-proxy step 2 logic: receive client's * 3-handshake Ack packet */ if (ip_vs_synproxy_ack_rcv(af, skb, th, pp, cpp, &iph, verdict) == 0) { return 0; } if (th->syn && !th->ack && !th->fin && !th->rst && (svc = ip_vs_service_get(af, skb->mark, iph.protocol, &iph.daddr, th->dest))) { if (ip_vs_todrop()) { /* * It seems that we are very loaded. * We have to drop this packet :( */ ip_vs_service_put(svc); *verdict = NF_DROP; return 0; } /* * Let the virtual server select a real server for the * incoming connection, and create a connection entry. */ *cpp = ip_vs_schedule(svc, skb, 0); if (!*cpp) { *verdict = ip_vs_leave(svc, skb, pp); return 0; } /* * Set private establish state timeout into cp from svc, * due cp may use its user establish state timeout * different from sysctl_ip_vs_tcp_timeouts */ (*cpp)->est_timeout = svc->est_timeout; ip_vs_service_put(svc); return 1; } /* drop tcp packet which send to vip and !vport */ if (sysctl_ip_vs_tcp_drop_entry && (svc = ip_vs_lookup_vip(af, iph.protocol, &iph.daddr))) { IP_VS_INC_ESTATS(ip_vs_esmib, DEFENCE_TCP_DROP); *verdict = NF_DROP; return 0; } return 1; }