static int
sctp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
int *verdict, struct ip_vs_conn **cpp)
{
struct net *net;
struct ip_vs_service *svc;
sctp_chunkhdr_t _schunkh, *sch;
sctp_sctphdr_t *sh, _sctph;
struct ip_vs_iphdr iph;
ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
sh = skb_header_pointer(skb, iph.len, sizeof(_sctph), &_sctph);
if (sh == NULL)
return 0;
sch = skb_header_pointer(skb, iph.len + sizeof(sctp_sctphdr_t),
sizeof(_schunkh), &_schunkh);
if (sch == NULL)
return 0;
net = skb_net(skb);
if ((sch->type == SCTP_CID_INIT) &&
(svc = ip_vs_service_get(net, af, skb->mark, iph.protocol,
&iph.daddr, sh->dest))) {
int ignored;
if (ip_vs_todrop(net_ipvs(net))) {
/*
* It seems that we are very loaded.
* We have to drop this packet :(
*/
ip_vs_service_put(svc);
*verdict = NF_DROP;
return 0;
}
/*
* Let the virtual server select a real server for the
* incoming connection, and create a connection entry.
*/
*cpp = ip_vs_schedule(svc, skb, pd, &ignored);
if (!*cpp && ignored <= 0) {
if (!ignored)
*verdict = ip_vs_leave(svc, skb, pd);
else {
ip_vs_service_put(svc);
*verdict = NF_DROP;
}
return 0;
}
ip_vs_service_put(svc);
}
/* NF_ACCEPT */
return 1;
}
/*
* Syn-proxy step 2 logic
* Receive client's 3-handshakes Ack packet, do cookie check
* and then send syn to rs after creating a session.
*
*/
int
ip_vs_synproxy_ack_rcv(int af, struct sk_buff *skb, struct tcphdr *th,
struct ip_vs_protocol *pp, struct ip_vs_conn **cpp,
struct ip_vs_iphdr *iph, int *verdict)
{
struct ip_vs_synproxy_opt opt;
struct ip_vs_service *svc;
int res_cookie_check;
/*
* Don't check svc syn-proxy flag, as it may
* be changed after syn-proxy step 1.
*/
if (!th->syn && th->ack && !th->rst && !th->fin &&
(svc =
ip_vs_service_get(af, skb->mark, iph->protocol, &iph->daddr,
th->dest))) {
if (ip_vs_todrop()) {
/*
* It seems that we are very loaded.
* We have to drop this packet :(
*/
ip_vs_service_put(svc);
*verdict = NF_DROP;
return 0;
}
if (sysctl_ip_vs_synproxy_defer &&
!syn_proxy_ack_has_data(skb, iph, th)) {
/* update statistics */
IP_VS_INC_ESTATS(ip_vs_esmib, SYNPROXY_NULL_ACK);
/*
* When expecting ack packet with payload,
* we get a pure ack, so have to drop it.
*/
ip_vs_service_put(svc);
*verdict = NF_DROP;
return 0;
}
/*
* Import: set tcp hdr before cookie check, as it
* will be used in cookie_check funcs.
*/
skb_set_transport_header(skb, iph->len);
#ifdef CONFIG_IP_VS_IPV6
if (af == AF_INET6) {
res_cookie_check = ip_vs_synproxy_v6_cookie_check(skb,
ntohl
(th->
ack_seq)
- 1,
&opt);
} else
#endif
{
res_cookie_check = ip_vs_synproxy_v4_cookie_check(skb,
ntohl
(th->
ack_seq)
- 1,
&opt);
}
if (!res_cookie_check) {
/* update statistics */
IP_VS_INC_ESTATS(ip_vs_esmib, SYNPROXY_BAD_ACK);
/*
* Cookie check fail, drop it.
*/
IP_VS_DBG(6, "syn_cookie check failed seq=%u\n",
ntohl(th->ack_seq) - 1);
ip_vs_service_put(svc);
*verdict = NF_DROP;
return 0;
}
/* update statistics */
IP_VS_INC_ESTATS(ip_vs_esmib, SYNPROXY_OK_ACK);
/*
* Let the virtual server select a real server for the
* incoming connection, and create a connection entry.
*/
*cpp = ip_vs_schedule(svc, skb, 1);
if (!*cpp) {
IP_VS_DBG(6, "ip_vs_schedule failed\n");
*verdict = ip_vs_leave(svc, skb, pp);
return 0;
}
/*
* Release service, we don't need it any more.
*/
ip_vs_service_put(svc);
/*
* Do anything but print a error msg when fail.
* Because session will be correctly freed in ip_vs_conn_expire.
*/
if (!syn_proxy_send_rs_syn(af, th, *cpp, skb, pp, &opt)) {
IP_VS_ERR_RL("syn_proxy_send_rs_syn failed!\n");
}
/* count in the ack packet (STOLEN by synproxy) */
ip_vs_in_stats(*cpp, skb);
/*
* Active sesion timer, and dec refcnt.
* Also stole the skb, and let caller return immediately.
*/
ip_vs_conn_put(*cpp);
*verdict = NF_STOLEN;
return 0;
}
return 1;
}
/*
* syn-proxy step 1 logic:
* Check if synproxy is enabled for this skb, and
* send Syn/Ack back.
*
* Synproxy is enabled when:
* 1) skb is a Syn packet.
* 2) And the service is synproxy-enable.
* 3) And ip_vs_todrop return false.
*
* @return 0 means the caller should return at once and use
* verdict as return value, return 1 for nothing.
*/
int
ip_vs_synproxy_syn_rcv(int af, struct sk_buff *skb,
struct ip_vs_iphdr *iph, int *verdict)
{
struct ip_vs_service *svc = NULL;
struct tcphdr _tcph, *th;
struct ip_vs_synproxy_opt tcp_opt;
th = skb_header_pointer(skb, iph->len, sizeof(_tcph), &_tcph);
if (unlikely(th == NULL)) {
goto syn_rcv_out;
}
if (th->syn && !th->ack && !th->rst && !th->fin &&
(svc =
ip_vs_service_get(af, skb->mark, iph->protocol, &iph->daddr,
th->dest))
&& (svc->flags & IP_VS_CONN_F_SYNPROXY)) {
// release service here, because don't use it any all.
ip_vs_service_put(svc);
if (ip_vs_todrop()) {
/*
* It seems that we are very loaded.
* We have to drop this packet :(
*/
goto syn_rcv_out;
}
} else {
/*
* release service.
*/
if (svc != NULL) {
ip_vs_service_put(svc);
}
return 1;
}
/* update statistics */
IP_VS_INC_ESTATS(ip_vs_esmib, SYNPROXY_SYN_CNT);
/* Try to reuse skb if possible */
if (unlikely(skb_shared(skb) || skb_cloned(skb))) {
struct sk_buff *new_skb = skb_copy(skb, GFP_ATOMIC);
if (unlikely(new_skb == NULL)) {
goto syn_rcv_out;
}
/* Drop old skb */
kfree_skb(skb);
skb = new_skb;
}
/* reuse skb here: deal with tcp options, exchage ip, port. */
syn_proxy_reuse_skb(af, skb, &tcp_opt);
if (unlikely(skb->dev == NULL)) {
IP_VS_ERR_RL("%s: skb->dev is null !!!\n", __func__);
goto syn_rcv_out;
}
/* Send the packet out */
if (likely(skb->dev->type == ARPHRD_ETHER)) {
unsigned char t_hwaddr[ETH_ALEN];
/* Move the data pointer to point to the link layer header */
struct ethhdr *eth = (struct ethhdr *)skb_mac_header(skb);
skb->data = (unsigned char *)skb_mac_header(skb);
skb->len += ETH_HLEN; //sizeof(skb->mac.ethernet);
memcpy(t_hwaddr, (eth->h_dest), ETH_ALEN);
memcpy((eth->h_dest), (eth->h_source), ETH_ALEN);
memcpy((eth->h_source), t_hwaddr, ETH_ALEN);
skb->pkt_type = PACKET_OUTGOING;
} else if (skb->dev->type == ARPHRD_LOOPBACK) {
/* set link layer */
if (likely(skb_mac_header_was_set(skb))) {
skb->data = skb_mac_header(skb);
skb->len += sizeof(struct ethhdr);
} else {
skb_push(skb, sizeof(struct ethhdr));
skb_reset_mac_header(skb);
}
}
dev_queue_xmit(skb);
*verdict = NF_STOLEN;
return 0;
syn_rcv_out:
/* Drop the packet when all things are right also,
* then we needn't to kfree_skb() */
*verdict = NF_DROP;
return 0;
}
/*
* Check if it's for virtual services, look it up,
* and send it on its way...
*/
static unsigned int ip_vs_in(unsigned int hooknum,
struct sk_buff **skb_p,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
struct sk_buff *skb = *skb_p;
struct iphdr *iph = skb->nh.iph;
union ip_vs_tphdr h;
struct ip_vs_conn *cp;
struct ip_vs_service *svc;
int ihl;
int ret;
/*
* Big tappo: only PACKET_HOST (nor loopback neither mcasts)
* ... don't know why 1st test DOES NOT include 2nd (?)
*/
if (skb->pkt_type != PACKET_HOST || skb->dev == &loopback_dev) {
IP_VS_DBG(12, "packet type=%d proto=%d daddr=%d.%d.%d.%d ignored\n",
skb->pkt_type,
iph->protocol,
NIPQUAD(iph->daddr));
return NF_ACCEPT;
}
if (iph->protocol == IPPROTO_ICMP)
return ip_vs_in_icmp(skb_p);
/* let it go if other IP protocols */
if (iph->protocol != IPPROTO_TCP && iph->protocol != IPPROTO_UDP)
return NF_ACCEPT;
/* make sure that protocol header available in skb data area,
note that skb data area may be reallocated. */
ihl = iph->ihl << 2;
if (ip_vs_header_check(skb, iph->protocol, ihl) == -1)
return NF_DROP;
iph = skb->nh.iph;
h.raw = (char*) iph + ihl;
/*
* Check if the packet belongs to an existing connection entry
*/
cp = ip_vs_conn_in_get(iph->protocol, iph->saddr, h.portp[0],
iph->daddr, h.portp[1]);
if (!cp &&
(h.th->syn || (iph->protocol!=IPPROTO_TCP)) &&
(svc = ip_vs_service_get(skb->nfmark, iph->protocol,
iph->daddr, h.portp[1]))) {
if (ip_vs_todrop()) {
/*
* It seems that we are very loaded.
* We have to drop this packet :(
*/
ip_vs_service_put(svc);
return NF_DROP;
}
/*
* Let the virtual server select a real server for the
* incoming connection, and create a connection entry.
*/
cp = ip_vs_schedule(svc, iph);
if (!cp)
return ip_vs_leave(svc, skb);
ip_vs_conn_stats(cp, svc);
ip_vs_service_put(svc);
}
if (!cp) {
/* sorry, all this trouble for a no-hit :) */
IP_VS_DBG(12, "packet for %s %d.%d.%d.%d:%d continue "
"traversal as normal.\n",
ip_vs_proto_name(iph->protocol),
NIPQUAD(iph->daddr),
ntohs(h.portp[1]));
return NF_ACCEPT;
}
IP_VS_DBG(11, "Incoming %s %u.%u.%u.%u:%d->%u.%u.%u.%u:%d\n",
ip_vs_proto_name(iph->protocol),
NIPQUAD(iph->saddr), ntohs(h.portp[0]),
NIPQUAD(iph->daddr), ntohs(h.portp[1]));
/* Check the server status */
if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
/* the destination server is not available */
if (sysctl_ip_vs_expire_nodest_conn) {
/* try to expire the connection immediately */
ip_vs_conn_expire_now(cp);
} else {
/* don't restart its timer, and silently
drop the packet. */
__ip_vs_conn_put(cp);
}
return NF_DROP;
}
ip_vs_in_stats(cp, skb);
ip_vs_set_state(cp, VS_STATE_INPUT, iph, h.portp);
if (cp->packet_xmit)
ret = cp->packet_xmit(skb, cp);
else {
IP_VS_DBG_RL("warning: packet_xmit is null");
ret = NF_ACCEPT;
}
/* increase its packet counter and check if it is needed
to be synchronized */
atomic_inc(&cp->in_pkts);
if (ip_vs_sync_state & IP_VS_STATE_MASTER &&
(cp->protocol != IPPROTO_TCP ||
cp->state == IP_VS_S_ESTABLISHED) &&
(atomic_read(&cp->in_pkts) % 50 == sysctl_ip_vs_sync_threshold))
ip_vs_sync_conn(cp);
ip_vs_conn_put(cp);
return ret;
}
static int
tcp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
struct ip_vs_proto_data *pd,
int *verdict, struct ip_vs_conn **cpp,
struct ip_vs_iphdr *iph)
{
struct ip_vs_service *svc;
struct tcphdr _tcph, *th;
__be16 _ports[2], *ports = NULL;
/* In the event of icmp, we're only guaranteed to have the first 8
* bytes of the transport header, so we only check the rest of the
* TCP packet for non-ICMP packets
*/
if (likely(!ip_vs_iph_icmp(iph))) {
th = skb_header_pointer(skb, iph->len, sizeof(_tcph), &_tcph);
if (th) {
if (th->rst || !(sysctl_sloppy_tcp(ipvs) || th->syn))
return 1;
ports = &th->source;
}
} else {
ports = skb_header_pointer(
skb, iph->len, sizeof(_ports), &_ports);
}
if (!ports) {
*verdict = NF_DROP;
return 0;
}
/* No !th->ack check to allow scheduling on SYN+ACK for Active FTP */
rcu_read_lock();
if (likely(!ip_vs_iph_inverse(iph)))
svc = ip_vs_service_find(ipvs, af, skb->mark, iph->protocol,
&iph->daddr, ports[1]);
else
svc = ip_vs_service_find(ipvs, af, skb->mark, iph->protocol,
&iph->saddr, ports[0]);
if (svc) {
int ignored;
if (ip_vs_todrop(ipvs)) {
/*
* It seems that we are very loaded.
* We have to drop this packet :(
*/
rcu_read_unlock();
*verdict = NF_DROP;
return 0;
}
/*
* Let the virtual server select a real server for the
* incoming connection, and create a connection entry.
*/
*cpp = ip_vs_schedule(svc, skb, pd, &ignored, iph);
if (!*cpp && ignored <= 0) {
if (!ignored)
*verdict = ip_vs_leave(svc, skb, pd, iph);
else
*verdict = NF_DROP;
rcu_read_unlock();
return 0;
}
}
rcu_read_unlock();
/* NF_ACCEPT */
return 1;
}
static int
tcp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
int *verdict, struct ip_vs_conn **cpp)
{
struct ip_vs_service *svc;
struct tcphdr _tcph, *th;
struct ip_vs_iphdr iph;
ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
th = skb_header_pointer(skb, iph.len, sizeof(_tcph), &_tcph);
if (th == NULL) {
*verdict = NF_DROP;
return 0;
}
/*
* Syn-proxy step 2 logic: receive client's
* 3-handshake Ack packet
*/
if (ip_vs_synproxy_ack_rcv(af, skb, th, pp, cpp, &iph, verdict) == 0) {
return 0;
}
if (th->syn && !th->ack && !th->fin && !th->rst &&
(svc = ip_vs_service_get(af, skb->mark, iph.protocol, &iph.daddr,
th->dest))) {
if (ip_vs_todrop()) {
/*
* It seems that we are very loaded.
* We have to drop this packet :(
*/
ip_vs_service_put(svc);
*verdict = NF_DROP;
return 0;
}
/*
* Let the virtual server select a real server for the
* incoming connection, and create a connection entry.
*/
*cpp = ip_vs_schedule(svc, skb, 0);
if (!*cpp) {
*verdict = ip_vs_leave(svc, skb, pp);
return 0;
}
/*
* Set private establish state timeout into cp from svc,
* due cp may use its user establish state timeout
* different from sysctl_ip_vs_tcp_timeouts
*/
(*cpp)->est_timeout = svc->est_timeout;
ip_vs_service_put(svc);
return 1;
}
/* drop tcp packet which send to vip and !vport */
if (sysctl_ip_vs_tcp_drop_entry &&
(svc = ip_vs_lookup_vip(af, iph.protocol, &iph.daddr))) {
IP_VS_INC_ESTATS(ip_vs_esmib, DEFENCE_TCP_DROP);
*verdict = NF_DROP;
return 0;
}
return 1;
}
