2 * ip_vs_xmit.c: various packet transmitters for IPVS
4 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
5 * Julian Anastasov <ja@ssi.bg>
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version
10 * 2 of the License, or (at your option) any later version.
14 * Description of forwarding methods:
15 * - all transmitters are called from LOCAL_IN (remote clients) and
16 * LOCAL_OUT (local clients) but for ICMP can be called from FORWARD
17 * - not all connections have destination server, for example,
18 * connections in backup server when fwmark is used
19 * - bypass connections use daddr from packet
21 * - skb->dev is NULL, skb->protocol is not set (both are set in POST_ROUTING)
22 * - skb->pkt_type is not set yet
23 * - the only place where we can see skb->sk != NULL
26 #define KMSG_COMPONENT "IPVS"
27 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
29 #include <linux/kernel.h>
30 #include <linux/slab.h>
31 #include <linux/tcp.h> /* for tcphdr */
33 #include <net/tcp.h> /* for csum_tcpudp_magic */
35 #include <net/icmp.h> /* for icmp_send */
36 #include <net/route.h> /* for ip_route_output */
38 #include <net/ip6_route.h>
39 #include <net/addrconf.h>
40 #include <linux/icmpv6.h>
41 #include <linux/netfilter.h>
42 #include <linux/netfilter_ipv4.h>
44 #include <net/ip_vs.h>
48 * Destination cache to speed up outgoing route lookup
51 __ip_vs_dst_set(struct ip_vs_dest *dest, u32 rtos, struct dst_entry *dst,
54 struct dst_entry *old_dst;
56 old_dst = dest->dst_cache;
57 dest->dst_cache = dst;
58 dest->dst_rtos = rtos;
59 dest->dst_cookie = dst_cookie;
63 static inline struct dst_entry *
64 __ip_vs_dst_check(struct ip_vs_dest *dest, u32 rtos)
66 struct dst_entry *dst = dest->dst_cache;
70 if ((dst->obsolete || rtos != dest->dst_rtos) &&
71 dst->ops->check(dst, dest->dst_cookie) == NULL) {
72 dest->dst_cache = NULL;
81 * Get route to destination or remote server
82 * rt_mode: flags, &1=Allow local dest, &2=Allow non-local dest,
83 * &4=Allow redirect from remote daddr to local
85 static struct rtable *
86 __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
87 __be32 daddr, u32 rtos, int rt_mode)
89 struct net *net = dev_net(skb_dst(skb)->dev);
90 struct rtable *rt; /* Route to the other host */
91 struct rtable *ort; /* Original route */
95 spin_lock(&dest->dst_lock);
96 if (!(rt = (struct rtable *)
97 __ip_vs_dst_check(dest, rtos))) {
102 .daddr = dest->addr.ip,
107 if (ip_route_output_key(net, &rt, &fl)) {
108 spin_unlock(&dest->dst_lock);
109 IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
113 __ip_vs_dst_set(dest, rtos, dst_clone(&rt->dst), 0);
114 IP_VS_DBG(10, "new dst %pI4, refcnt=%d, rtos=%X\n",
116 atomic_read(&rt->dst.__refcnt), rtos);
118 spin_unlock(&dest->dst_lock);
129 if (ip_route_output_key(net, &rt, &fl)) {
130 IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
136 local = rt->rt_flags & RTCF_LOCAL;
137 if (!((local ? 1 : 2) & rt_mode)) {
138 IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI4\n",
139 (rt->rt_flags & RTCF_LOCAL) ?
140 "local":"non-local", &rt->rt_dst);
144 if (local && !(rt_mode & 4) && !((ort = skb_rtable(skb)) &&
145 ort->rt_flags & RTCF_LOCAL)) {
146 IP_VS_DBG_RL("Redirect from non-local address %pI4 to local "
147 "requires NAT method, dest: %pI4\n",
148 &ip_hdr(skb)->daddr, &rt->rt_dst);
152 if (unlikely(!local && ipv4_is_loopback(ip_hdr(skb)->saddr))) {
153 IP_VS_DBG_RL("Stopping traffic from loopback address %pI4 "
154 "to non-local address, dest: %pI4\n",
155 &ip_hdr(skb)->saddr, &rt->rt_dst);
163 /* Reroute packet to local IPv4 stack after DNAT */
165 __ip_vs_reroute_locally(struct sk_buff *skb)
167 struct rtable *rt = skb_rtable(skb);
168 struct net_device *dev = rt->dst.dev;
169 struct net *net = dev_net(dev);
170 struct iphdr *iph = ip_hdr(skb);
172 if (rt_is_input_route(rt)) {
173 unsigned long orefdst = skb->_skb_refdst;
175 if (ip_route_input(skb, iph->daddr, iph->saddr,
178 refdst_drop(orefdst);
186 .tos = RT_TOS(iph->tos),
192 if (ip_route_output_key(net, &rt, &fl))
194 if (!(rt->rt_flags & RTCF_LOCAL)) {
198 /* Drop old route. */
200 skb_dst_set(skb, &rt->dst);
205 #ifdef CONFIG_IP_VS_IPV6
207 static inline int __ip_vs_is_local_route6(struct rt6_info *rt)
209 return rt->rt6i_dev && rt->rt6i_dev->flags & IFF_LOOPBACK;
212 static struct dst_entry *
213 __ip_vs_route_output_v6(struct net *net, struct in6_addr *daddr,
214 struct in6_addr *ret_saddr, int do_xfrm)
216 struct dst_entry *dst;
226 dst = ip6_route_output(net, NULL, &fl);
231 if (ipv6_addr_any(&fl.fl6_src) &&
232 ipv6_dev_get_saddr(net, ip6_dst_idev(dst)->dev,
233 &fl.fl6_dst, 0, &fl.fl6_src) < 0)
235 if (do_xfrm && xfrm_lookup(net, &dst, &fl, NULL, 0) < 0)
237 ipv6_addr_copy(ret_saddr, &fl.fl6_src);
242 IP_VS_DBG_RL("ip6_route_output error, dest: %pI6\n", daddr);
247 * Get route to destination or remote server
248 * rt_mode: flags, &1=Allow local dest, &2=Allow non-local dest,
249 * &4=Allow redirect from remote daddr to local
251 static struct rt6_info *
252 __ip_vs_get_out_rt_v6(struct sk_buff *skb, struct ip_vs_dest *dest,
253 struct in6_addr *daddr, struct in6_addr *ret_saddr,
254 int do_xfrm, int rt_mode)
256 struct net *net = dev_net(skb_dst(skb)->dev);
257 struct rt6_info *rt; /* Route to the other host */
258 struct rt6_info *ort; /* Original route */
259 struct dst_entry *dst;
263 spin_lock(&dest->dst_lock);
264 rt = (struct rt6_info *)__ip_vs_dst_check(dest, 0);
268 dst = __ip_vs_route_output_v6(net, &dest->addr.in6,
272 spin_unlock(&dest->dst_lock);
275 rt = (struct rt6_info *) dst;
276 cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
277 __ip_vs_dst_set(dest, 0, dst_clone(&rt->dst), cookie);
278 IP_VS_DBG(10, "new dst %pI6, src %pI6, refcnt=%d\n",
279 &dest->addr.in6, &dest->dst_saddr,
280 atomic_read(&rt->dst.__refcnt));
283 ipv6_addr_copy(ret_saddr, &dest->dst_saddr);
284 spin_unlock(&dest->dst_lock);
286 dst = __ip_vs_route_output_v6(net, daddr, ret_saddr, do_xfrm);
289 rt = (struct rt6_info *) dst;
292 local = __ip_vs_is_local_route6(rt);
293 if (!((local ? 1 : 2) & rt_mode)) {
294 IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI6\n",
295 local ? "local":"non-local", daddr);
296 dst_release(&rt->dst);
299 if (local && !(rt_mode & 4) &&
300 !((ort = (struct rt6_info *) skb_dst(skb)) &&
301 __ip_vs_is_local_route6(ort))) {
302 IP_VS_DBG_RL("Redirect from non-local address %pI6 to local "
303 "requires NAT method, dest: %pI6\n",
304 &ipv6_hdr(skb)->daddr, daddr);
305 dst_release(&rt->dst);
308 if (unlikely(!local && (!skb->dev || skb->dev->flags & IFF_LOOPBACK) &&
309 ipv6_addr_type(&ipv6_hdr(skb)->saddr) &
310 IPV6_ADDR_LOOPBACK)) {
311 IP_VS_DBG_RL("Stopping traffic from loopback address %pI6 "
312 "to non-local address, dest: %pI6\n",
313 &ipv6_hdr(skb)->saddr, daddr);
314 dst_release(&rt->dst);
324 * Release dest->dst_cache before a dest is removed
327 ip_vs_dst_reset(struct ip_vs_dest *dest)
329 struct dst_entry *old_dst;
331 old_dst = dest->dst_cache;
332 dest->dst_cache = NULL;
333 dst_release(old_dst);
336 #define IP_VS_XMIT_TUNNEL(skb, cp) \
338 int __ret = NF_ACCEPT; \
340 (skb)->ipvs_property = 1; \
341 if (unlikely((cp)->flags & IP_VS_CONN_F_NFCT)) \
342 __ret = ip_vs_confirm_conntrack(skb, cp); \
343 if (__ret == NF_ACCEPT) { \
345 skb_forward_csum(skb); \
350 #define IP_VS_XMIT_NAT(pf, skb, cp, local) \
352 (skb)->ipvs_property = 1; \
353 if (likely(!((cp)->flags & IP_VS_CONN_F_NFCT))) \
354 ip_vs_notrack(skb); \
356 ip_vs_update_conntrack(skb, cp, 1); \
359 skb_forward_csum(skb); \
360 NF_HOOK(pf, NF_INET_LOCAL_OUT, (skb), NULL, \
361 skb_dst(skb)->dev, dst_output); \
364 #define IP_VS_XMIT(pf, skb, cp, local) \
366 (skb)->ipvs_property = 1; \
367 if (likely(!((cp)->flags & IP_VS_CONN_F_NFCT))) \
368 ip_vs_notrack(skb); \
371 skb_forward_csum(skb); \
372 NF_HOOK(pf, NF_INET_LOCAL_OUT, (skb), NULL, \
373 skb_dst(skb)->dev, dst_output); \
378 * NULL transmitter (do nothing except return NF_ACCEPT)
381 ip_vs_null_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
382 struct ip_vs_protocol *pp)
384 /* we do not touch skb and do not need pskb ptr */
385 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 1);
391 * Let packets bypass the destination when the destination is not
392 * available, it may be only used in transparent cache cluster.
395 ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
396 struct ip_vs_protocol *pp)
398 struct rtable *rt; /* Route to the other host */
399 struct iphdr *iph = ip_hdr(skb);
404 if (!(rt = __ip_vs_get_out_rt(skb, NULL, iph->daddr,
405 RT_TOS(iph->tos), 2)))
409 mtu = dst_mtu(&rt->dst);
410 if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF)) &&
413 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
414 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
419 * Call ip_send_check because we are not sure it is called
420 * after ip_defrag. Is copy-on-write needed?
422 if (unlikely((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)) {
426 ip_send_check(ip_hdr(skb));
430 skb_dst_set(skb, &rt->dst);
432 /* Another hack: avoid icmp_send in ip_fragment */
435 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 0);
441 dst_link_failure(skb);
448 #ifdef CONFIG_IP_VS_IPV6
450 ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
451 struct ip_vs_protocol *pp)
453 struct rt6_info *rt; /* Route to the other host */
454 struct ipv6hdr *iph = ipv6_hdr(skb);
459 if (!(rt = __ip_vs_get_out_rt_v6(skb, NULL, &iph->daddr, NULL, 0, 2)))
463 mtu = dst_mtu(&rt->dst);
464 if (skb->len > mtu && !skb_is_gso(skb)) {
466 struct net *net = dev_net(skb_dst(skb)->dev);
468 skb->dev = net->loopback_dev;
470 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
471 dst_release(&rt->dst);
472 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
477 * Call ip_send_check because we are not sure it is called
478 * after ip_defrag. Is copy-on-write needed?
480 skb = skb_share_check(skb, GFP_ATOMIC);
481 if (unlikely(skb == NULL)) {
482 dst_release(&rt->dst);
488 skb_dst_set(skb, &rt->dst);
490 /* Another hack: avoid icmp_send in ip_fragment */
493 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 0);
499 dst_link_failure(skb);
508 * NAT transmitter (only for outside-to-inside nat forwarding)
509 * Not used for related ICMP
512 ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
513 struct ip_vs_protocol *pp)
515 struct rtable *rt; /* Route to the other host */
517 struct iphdr *iph = ip_hdr(skb);
522 /* check if it is a connection of no-client-port */
523 if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {
525 p = skb_header_pointer(skb, iph->ihl*4, sizeof(_pt), &_pt);
528 ip_vs_conn_fill_cport(cp, *p);
529 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
532 if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
533 RT_TOS(iph->tos), 1|2|4)))
535 local = rt->rt_flags & RTCF_LOCAL;
537 * Avoid duplicate tuple in reply direction for NAT traffic
538 * to local address when connection is sync-ed
540 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
541 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
542 enum ip_conntrack_info ctinfo;
543 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
545 if (ct && !nf_ct_is_untracked(ct)) {
546 IP_VS_DBG_RL_PKT(10, AF_INET, pp, skb, 0,
548 "stopping DNAT to local address");
554 /* From world but DNAT to loopback address? */
555 if (local && ipv4_is_loopback(rt->rt_dst) &&
556 rt_is_input_route(skb_rtable(skb))) {
557 IP_VS_DBG_RL_PKT(1, AF_INET, pp, skb, 0, "ip_vs_nat_xmit(): "
558 "stopping DNAT to loopback address");
563 mtu = dst_mtu(&rt->dst);
564 if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF)) &&
566 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
567 IP_VS_DBG_RL_PKT(0, AF_INET, pp, skb, 0,
568 "ip_vs_nat_xmit(): frag needed for");
572 /* copy-on-write the packet before mangling it */
573 if (!skb_make_writable(skb, sizeof(struct iphdr)))
576 if (skb_cow(skb, rt->dst.dev->hard_header_len))
579 /* mangle the packet */
580 if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp))
582 ip_hdr(skb)->daddr = cp->daddr.ip;
583 ip_send_check(ip_hdr(skb));
588 skb_dst_set(skb, &rt->dst);
592 * Some IPv4 replies get local address from routes,
593 * not from iph, so while we DNAT after routing
594 * we need this second input/output route.
596 if (!__ip_vs_reroute_locally(skb))
600 IP_VS_DBG_PKT(10, AF_INET, pp, skb, 0, "After DNAT");
602 /* FIXME: when application helper enlarges the packet and the length
603 is larger than the MTU of outgoing device, there will be still
606 /* Another hack: avoid icmp_send in ip_fragment */
609 IP_VS_XMIT_NAT(NFPROTO_IPV4, skb, cp, local);
615 dst_link_failure(skb);
625 #ifdef CONFIG_IP_VS_IPV6
627 ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
628 struct ip_vs_protocol *pp)
630 struct rt6_info *rt; /* Route to the other host */
636 /* check if it is a connection of no-client-port */
637 if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {
639 p = skb_header_pointer(skb, sizeof(struct ipv6hdr),
643 ip_vs_conn_fill_cport(cp, *p);
644 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
647 if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
650 local = __ip_vs_is_local_route6(rt);
652 * Avoid duplicate tuple in reply direction for NAT traffic
653 * to local address when connection is sync-ed
655 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
656 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
657 enum ip_conntrack_info ctinfo;
658 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
660 if (ct && !nf_ct_is_untracked(ct)) {
661 IP_VS_DBG_RL_PKT(10, AF_INET6, pp, skb, 0,
662 "ip_vs_nat_xmit_v6(): "
663 "stopping DNAT to local address");
669 /* From world but DNAT to loopback address? */
670 if (local && skb->dev && !(skb->dev->flags & IFF_LOOPBACK) &&
671 ipv6_addr_type(&rt->rt6i_dst.addr) & IPV6_ADDR_LOOPBACK) {
672 IP_VS_DBG_RL_PKT(1, AF_INET6, pp, skb, 0,
673 "ip_vs_nat_xmit_v6(): "
674 "stopping DNAT to loopback address");
679 mtu = dst_mtu(&rt->dst);
680 if (skb->len > mtu && !skb_is_gso(skb)) {
682 struct net *net = dev_net(skb_dst(skb)->dev);
684 skb->dev = net->loopback_dev;
686 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
687 IP_VS_DBG_RL_PKT(0, AF_INET6, pp, skb, 0,
688 "ip_vs_nat_xmit_v6(): frag needed for");
692 /* copy-on-write the packet before mangling it */
693 if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
696 if (skb_cow(skb, rt->dst.dev->hard_header_len))
699 /* mangle the packet */
700 if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp))
702 ipv6_addr_copy(&ipv6_hdr(skb)->daddr, &cp->daddr.in6);
704 if (!local || !skb->dev) {
705 /* drop the old route when skb is not shared */
707 skb_dst_set(skb, &rt->dst);
709 /* destined to loopback, do we need to change route? */
710 dst_release(&rt->dst);
713 IP_VS_DBG_PKT(10, AF_INET6, pp, skb, 0, "After DNAT");
715 /* FIXME: when application helper enlarges the packet and the length
716 is larger than the MTU of outgoing device, there will be still
719 /* Another hack: avoid icmp_send in ip_fragment */
722 IP_VS_XMIT_NAT(NFPROTO_IPV6, skb, cp, local);
728 dst_link_failure(skb);
734 dst_release(&rt->dst);
741 * IP Tunneling transmitter
743 * This function encapsulates the packet in a new IP packet, its
744 * destination will be set to cp->daddr. Most code of this function
745 * is taken from ipip.c.
747 * It is used in VS/TUN cluster. The load balancer selects a real
748 * server from a cluster based on a scheduling algorithm,
749 * encapsulates the request packet and forwards it to the selected
750 * server. For example, all real servers are configured with
751 * "ifconfig tunl0 <Virtual IP Address> up". When the server receives
752 * the encapsulated packet, it will decapsulate the packet, processe
753 * the request and return the response packets directly to the client
754 * without passing the load balancer. This can greatly increase the
755 * scalability of virtual server.
757 * Used for ANY protocol
760 ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
761 struct ip_vs_protocol *pp)
763 struct rtable *rt; /* Route to the other host */
764 struct net_device *tdev; /* Device to other host */
765 struct iphdr *old_iph = ip_hdr(skb);
766 u8 tos = old_iph->tos;
767 __be16 df = old_iph->frag_off;
768 struct iphdr *iph; /* Our new IP header */
769 unsigned int max_headroom; /* The extra header space needed */
775 if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
778 if (rt->rt_flags & RTCF_LOCAL) {
780 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 1);
785 mtu = dst_mtu(&rt->dst) - sizeof(struct iphdr);
787 IP_VS_DBG_RL("%s(): mtu less than 68\n", __func__);
791 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), mtu);
793 df |= (old_iph->frag_off & htons(IP_DF));
795 if ((old_iph->frag_off & htons(IP_DF) &&
796 mtu < ntohs(old_iph->tot_len) && !skb_is_gso(skb))) {
797 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
798 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
803 * Okay, now see if we can stuff it in the buffer as-is.
805 max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct iphdr);
807 if (skb_headroom(skb) < max_headroom
808 || skb_cloned(skb) || skb_shared(skb)) {
809 struct sk_buff *new_skb =
810 skb_realloc_headroom(skb, max_headroom);
814 IP_VS_ERR_RL("%s(): no memory\n", __func__);
819 old_iph = ip_hdr(skb);
822 skb->transport_header = skb->network_header;
824 /* fix old IP header checksum */
825 ip_send_check(old_iph);
827 skb_push(skb, sizeof(struct iphdr));
828 skb_reset_network_header(skb);
829 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
833 skb_dst_set(skb, &rt->dst);
836 * Push down and install the IPIP header.
840 iph->ihl = sizeof(struct iphdr)>>2;
842 iph->protocol = IPPROTO_IPIP;
844 iph->daddr = rt->rt_dst;
845 iph->saddr = rt->rt_src;
846 iph->ttl = old_iph->ttl;
847 ip_select_ident(iph, &rt->dst, NULL);
849 /* Another hack: avoid icmp_send in ip_fragment */
852 ret = IP_VS_XMIT_TUNNEL(skb, cp);
853 if (ret == NF_ACCEPT)
855 else if (ret == NF_DROP)
863 dst_link_failure(skb);
873 #ifdef CONFIG_IP_VS_IPV6
875 ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
876 struct ip_vs_protocol *pp)
878 struct rt6_info *rt; /* Route to the other host */
879 struct in6_addr saddr; /* Source for tunnel */
880 struct net_device *tdev; /* Device to other host */
881 struct ipv6hdr *old_iph = ipv6_hdr(skb);
882 struct ipv6hdr *iph; /* Our new IP header */
883 unsigned int max_headroom; /* The extra header space needed */
889 if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6,
892 if (__ip_vs_is_local_route6(rt)) {
893 dst_release(&rt->dst);
894 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 1);
899 mtu = dst_mtu(&rt->dst) - sizeof(struct ipv6hdr);
900 if (mtu < IPV6_MIN_MTU) {
901 IP_VS_DBG_RL("%s(): mtu less than %d\n", __func__,
906 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), mtu);
908 if (mtu < ntohs(old_iph->payload_len) + sizeof(struct ipv6hdr) &&
911 struct net *net = dev_net(skb_dst(skb)->dev);
913 skb->dev = net->loopback_dev;
915 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
916 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
921 * Okay, now see if we can stuff it in the buffer as-is.
923 max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct ipv6hdr);
925 if (skb_headroom(skb) < max_headroom
926 || skb_cloned(skb) || skb_shared(skb)) {
927 struct sk_buff *new_skb =
928 skb_realloc_headroom(skb, max_headroom);
930 dst_release(&rt->dst);
932 IP_VS_ERR_RL("%s(): no memory\n", __func__);
937 old_iph = ipv6_hdr(skb);
940 skb->transport_header = skb->network_header;
942 skb_push(skb, sizeof(struct ipv6hdr));
943 skb_reset_network_header(skb);
944 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
948 skb_dst_set(skb, &rt->dst);
951 * Push down and install the IPIP header.
955 iph->nexthdr = IPPROTO_IPV6;
956 iph->payload_len = old_iph->payload_len;
957 be16_add_cpu(&iph->payload_len, sizeof(*old_iph));
958 iph->priority = old_iph->priority;
959 memset(&iph->flow_lbl, 0, sizeof(iph->flow_lbl));
960 ipv6_addr_copy(&iph->daddr, &cp->daddr.in6);
961 ipv6_addr_copy(&iph->saddr, &saddr);
962 iph->hop_limit = old_iph->hop_limit;
964 /* Another hack: avoid icmp_send in ip_fragment */
967 ret = IP_VS_XMIT_TUNNEL(skb, cp);
968 if (ret == NF_ACCEPT)
970 else if (ret == NF_DROP)
978 dst_link_failure(skb);
984 dst_release(&rt->dst);
991 * Direct Routing transmitter
992 * Used for ANY protocol
995 ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
996 struct ip_vs_protocol *pp)
998 struct rtable *rt; /* Route to the other host */
999 struct iphdr *iph = ip_hdr(skb);
1004 if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
1005 RT_TOS(iph->tos), 1|2)))
1007 if (rt->rt_flags & RTCF_LOCAL) {
1009 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 1);
1013 mtu = dst_mtu(&rt->dst);
1014 if ((iph->frag_off & htons(IP_DF)) && skb->len > mtu &&
1016 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
1018 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1023 * Call ip_send_check because we are not sure it is called
1024 * after ip_defrag. Is copy-on-write needed?
1026 if (unlikely((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)) {
1030 ip_send_check(ip_hdr(skb));
1032 /* drop old route */
1034 skb_dst_set(skb, &rt->dst);
1036 /* Another hack: avoid icmp_send in ip_fragment */
1039 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 0);
1045 dst_link_failure(skb);
1052 #ifdef CONFIG_IP_VS_IPV6
1054 ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
1055 struct ip_vs_protocol *pp)
1057 struct rt6_info *rt; /* Route to the other host */
1062 if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
1065 if (__ip_vs_is_local_route6(rt)) {
1066 dst_release(&rt->dst);
1067 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 1);
1071 mtu = dst_mtu(&rt->dst);
1072 if (skb->len > mtu) {
1074 struct net *net = dev_net(skb_dst(skb)->dev);
1076 skb->dev = net->loopback_dev;
1078 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
1079 dst_release(&rt->dst);
1080 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1085 * Call ip_send_check because we are not sure it is called
1086 * after ip_defrag. Is copy-on-write needed?
1088 skb = skb_share_check(skb, GFP_ATOMIC);
1089 if (unlikely(skb == NULL)) {
1090 dst_release(&rt->dst);
1094 /* drop old route */
1096 skb_dst_set(skb, &rt->dst);
1098 /* Another hack: avoid icmp_send in ip_fragment */
1101 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 0);
1107 dst_link_failure(skb);
1117 * ICMP packet transmitter
1118 * called by the ip_vs_in_icmp
1121 ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
1122 struct ip_vs_protocol *pp, int offset)
1124 struct rtable *rt; /* Route to the other host */
1131 /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
1132 forwarded directly here, because there is no need to
1133 translate address/port back */
1134 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
1135 if (cp->packet_xmit)
1136 rc = cp->packet_xmit(skb, cp, pp);
1139 /* do not touch skb anymore */
1140 atomic_inc(&cp->in_pkts);
1145 * mangle and send the packet here (only for VS/NAT)
1148 if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
1149 RT_TOS(ip_hdr(skb)->tos), 1|2|4)))
1151 local = rt->rt_flags & RTCF_LOCAL;
1154 * Avoid duplicate tuple in reply direction for NAT traffic
1155 * to local address when connection is sync-ed
1157 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
1158 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
1159 enum ip_conntrack_info ctinfo;
1160 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
1162 if (ct && !nf_ct_is_untracked(ct)) {
1163 IP_VS_DBG(10, "%s(): "
1164 "stopping DNAT to local address %pI4\n",
1165 __func__, &cp->daddr.ip);
1171 /* From world but DNAT to loopback address? */
1172 if (local && ipv4_is_loopback(rt->rt_dst) &&
1173 rt_is_input_route(skb_rtable(skb))) {
1174 IP_VS_DBG(1, "%s(): "
1175 "stopping DNAT to loopback %pI4\n",
1176 __func__, &cp->daddr.ip);
1181 mtu = dst_mtu(&rt->dst);
1182 if ((skb->len > mtu) && (ip_hdr(skb)->frag_off & htons(IP_DF)) &&
1184 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
1185 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1189 /* copy-on-write the packet before mangling it */
1190 if (!skb_make_writable(skb, offset))
1193 if (skb_cow(skb, rt->dst.dev->hard_header_len))
1196 ip_vs_nat_icmp(skb, pp, cp, 0);
1199 /* drop the old route when skb is not shared */
1201 skb_dst_set(skb, &rt->dst);
1205 * Some IPv4 replies get local address from routes,
1206 * not from iph, so while we DNAT after routing
1207 * we need this second input/output route.
1209 if (!__ip_vs_reroute_locally(skb))
1213 /* Another hack: avoid icmp_send in ip_fragment */
1216 IP_VS_XMIT_NAT(NFPROTO_IPV4, skb, cp, local);
1222 dst_link_failure(skb);
1234 #ifdef CONFIG_IP_VS_IPV6
1236 ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
1237 struct ip_vs_protocol *pp, int offset)
1239 struct rt6_info *rt; /* Route to the other host */
1246 /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
1247 forwarded directly here, because there is no need to
1248 translate address/port back */
1249 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
1250 if (cp->packet_xmit)
1251 rc = cp->packet_xmit(skb, cp, pp);
1254 /* do not touch skb anymore */
1255 atomic_inc(&cp->in_pkts);
1260 * mangle and send the packet here (only for VS/NAT)
1263 if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
1267 local = __ip_vs_is_local_route6(rt);
1269 * Avoid duplicate tuple in reply direction for NAT traffic
1270 * to local address when connection is sync-ed
1272 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
1273 if (cp->flags & IP_VS_CONN_F_SYNC && local) {
1274 enum ip_conntrack_info ctinfo;
1275 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
1277 if (ct && !nf_ct_is_untracked(ct)) {
1278 IP_VS_DBG(10, "%s(): "
1279 "stopping DNAT to local address %pI6\n",
1280 __func__, &cp->daddr.in6);
1286 /* From world but DNAT to loopback address? */
1287 if (local && skb->dev && !(skb->dev->flags & IFF_LOOPBACK) &&
1288 ipv6_addr_type(&rt->rt6i_dst.addr) & IPV6_ADDR_LOOPBACK) {
1289 IP_VS_DBG(1, "%s(): "
1290 "stopping DNAT to loopback %pI6\n",
1291 __func__, &cp->daddr.in6);
1296 mtu = dst_mtu(&rt->dst);
1297 if (skb->len > mtu && !skb_is_gso(skb)) {
1299 struct net *net = dev_net(skb_dst(skb)->dev);
1301 skb->dev = net->loopback_dev;
1303 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
1304 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1308 /* copy-on-write the packet before mangling it */
1309 if (!skb_make_writable(skb, offset))
1312 if (skb_cow(skb, rt->dst.dev->hard_header_len))
1315 ip_vs_nat_icmp_v6(skb, pp, cp, 0);
1317 if (!local || !skb->dev) {
1318 /* drop the old route when skb is not shared */
1320 skb_dst_set(skb, &rt->dst);
1322 /* destined to loopback, do we need to change route? */
1323 dst_release(&rt->dst);
1326 /* Another hack: avoid icmp_send in ip_fragment */
1329 IP_VS_XMIT_NAT(NFPROTO_IPV6, skb, cp, local);
1335 dst_link_failure(skb);
1343 dst_release(&rt->dst);
projects / karo-tx-linux.git / blob