2 * IPVS An implementation of the IP virtual server support for the
3 * LINUX operating system. IPVS is now implemented as a module
4 * over the NetFilter framework. IPVS can be used to build a
5 * high-performance and highly available server based on a
8 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * Peter Kese <peter.kese@ijs.si>
10 * Julian Anastasov <ja@ssi.bg>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
21 #define KMSG_COMPONENT "IPVS"
22 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
24 #include <linux/module.h>
25 #include <linux/init.h>
26 #include <linux/types.h>
27 #include <linux/capability.h>
29 #include <linux/sysctl.h>
30 #include <linux/proc_fs.h>
31 #include <linux/workqueue.h>
32 #include <linux/swap.h>
33 #include <linux/seq_file.h>
34 #include <linux/slab.h>
36 #include <linux/netfilter.h>
37 #include <linux/netfilter_ipv4.h>
38 #include <linux/mutex.h>
40 #include <net/net_namespace.h>
41 #include <linux/nsproxy.h>
43 #ifdef CONFIG_IP_VS_IPV6
45 #include <net/ip6_route.h>
47 #include <net/route.h>
49 #include <net/genetlink.h>
51 #include <asm/uaccess.h>
53 #include <net/ip_vs.h>
55 /* semaphore for IPVS sockopts. And, [gs]etsockopt may sleep. */
56 static DEFINE_MUTEX(__ip_vs_mutex);
58 /* sysctl variables */
60 #ifdef CONFIG_IP_VS_DEBUG
61 static int sysctl_ip_vs_debug_level = 0;
63 int ip_vs_get_debug_level(void)
65 return sysctl_ip_vs_debug_level;
71 static void __ip_vs_del_service(struct ip_vs_service *svc, bool cleanup);
74 #ifdef CONFIG_IP_VS_IPV6
75 /* Taken from rt6_fill_node() in net/ipv6/route.c, is there a better way? */
76 static bool __ip_vs_addr_is_local_v6(struct net *net,
77 const struct in6_addr *addr)
82 struct dst_entry *dst = ip6_route_output(net, NULL, &fl6);
85 is_local = !dst->error && dst->dev && (dst->dev->flags & IFF_LOOPBACK);
94 * update_defense_level is called from keventd and from sysctl,
95 * so it needs to protect itself from softirqs
97 static void update_defense_level(struct netns_ipvs *ipvs)
100 static int old_secure_tcp = 0;
105 /* we only count free and buffered memory (in pages) */
107 availmem = i.freeram + i.bufferram;
108 /* however in linux 2.5 the i.bufferram is total page cache size,
110 /* si_swapinfo(&i); */
111 /* availmem = availmem - (i.totalswap - i.freeswap); */
113 nomem = (availmem < ipvs->sysctl_amemthresh);
118 spin_lock(&ipvs->dropentry_lock);
119 switch (ipvs->sysctl_drop_entry) {
121 atomic_set(&ipvs->dropentry, 0);
125 atomic_set(&ipvs->dropentry, 1);
126 ipvs->sysctl_drop_entry = 2;
128 atomic_set(&ipvs->dropentry, 0);
133 atomic_set(&ipvs->dropentry, 1);
135 atomic_set(&ipvs->dropentry, 0);
136 ipvs->sysctl_drop_entry = 1;
140 atomic_set(&ipvs->dropentry, 1);
143 spin_unlock(&ipvs->dropentry_lock);
146 spin_lock(&ipvs->droppacket_lock);
147 switch (ipvs->sysctl_drop_packet) {
153 ipvs->drop_rate = ipvs->drop_counter
154 = ipvs->sysctl_amemthresh /
155 (ipvs->sysctl_amemthresh-availmem);
156 ipvs->sysctl_drop_packet = 2;
163 ipvs->drop_rate = ipvs->drop_counter
164 = ipvs->sysctl_amemthresh /
165 (ipvs->sysctl_amemthresh-availmem);
168 ipvs->sysctl_drop_packet = 1;
172 ipvs->drop_rate = ipvs->sysctl_am_droprate;
175 spin_unlock(&ipvs->droppacket_lock);
178 spin_lock(&ipvs->securetcp_lock);
179 switch (ipvs->sysctl_secure_tcp) {
181 if (old_secure_tcp >= 2)
186 if (old_secure_tcp < 2)
188 ipvs->sysctl_secure_tcp = 2;
190 if (old_secure_tcp >= 2)
196 if (old_secure_tcp < 2)
199 if (old_secure_tcp >= 2)
201 ipvs->sysctl_secure_tcp = 1;
205 if (old_secure_tcp < 2)
209 old_secure_tcp = ipvs->sysctl_secure_tcp;
211 ip_vs_protocol_timeout_change(ipvs,
212 ipvs->sysctl_secure_tcp > 1);
213 spin_unlock(&ipvs->securetcp_lock);
220 * Timer for checking the defense
222 #define DEFENSE_TIMER_PERIOD 1*HZ
224 static void defense_work_handler(struct work_struct *work)
226 struct netns_ipvs *ipvs =
227 container_of(work, struct netns_ipvs, defense_work.work);
229 update_defense_level(ipvs);
230 if (atomic_read(&ipvs->dropentry))
231 ip_vs_random_dropentry(ipvs);
232 schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
237 ip_vs_use_count_inc(void)
239 return try_module_get(THIS_MODULE);
243 ip_vs_use_count_dec(void)
245 module_put(THIS_MODULE);
250 * Hash table: for virtual service lookups
252 #define IP_VS_SVC_TAB_BITS 8
253 #define IP_VS_SVC_TAB_SIZE (1 << IP_VS_SVC_TAB_BITS)
254 #define IP_VS_SVC_TAB_MASK (IP_VS_SVC_TAB_SIZE - 1)
256 /* the service table hashed by <protocol, addr, port> */
257 static struct hlist_head ip_vs_svc_table[IP_VS_SVC_TAB_SIZE];
258 /* the service table hashed by fwmark */
259 static struct hlist_head ip_vs_svc_fwm_table[IP_VS_SVC_TAB_SIZE];
263 * Returns hash value for virtual service
265 static inline unsigned int
266 ip_vs_svc_hashkey(struct netns_ipvs *ipvs, int af, unsigned int proto,
267 const union nf_inet_addr *addr, __be16 port)
269 register unsigned int porth = ntohs(port);
270 __be32 addr_fold = addr->ip;
273 #ifdef CONFIG_IP_VS_IPV6
275 addr_fold = addr->ip6[0]^addr->ip6[1]^
276 addr->ip6[2]^addr->ip6[3];
278 ahash = ntohl(addr_fold);
279 ahash ^= ((size_t) ipvs >> 8);
281 return (proto ^ ahash ^ (porth >> IP_VS_SVC_TAB_BITS) ^ porth) &
286 * Returns hash value of fwmark for virtual service lookup
288 static inline unsigned int ip_vs_svc_fwm_hashkey(struct netns_ipvs *ipvs, __u32 fwmark)
290 return (((size_t)ipvs>>8) ^ fwmark) & IP_VS_SVC_TAB_MASK;
294 * Hashes a service in the ip_vs_svc_table by <netns,proto,addr,port>
295 * or in the ip_vs_svc_fwm_table by fwmark.
296 * Should be called with locked tables.
298 static int ip_vs_svc_hash(struct ip_vs_service *svc)
302 if (svc->flags & IP_VS_SVC_F_HASHED) {
303 pr_err("%s(): request for already hashed, called from %pF\n",
304 __func__, __builtin_return_address(0));
308 if (svc->fwmark == 0) {
310 * Hash it by <netns,protocol,addr,port> in ip_vs_svc_table
312 hash = ip_vs_svc_hashkey(svc->ipvs, svc->af, svc->protocol,
313 &svc->addr, svc->port);
314 hlist_add_head_rcu(&svc->s_list, &ip_vs_svc_table[hash]);
317 * Hash it by fwmark in svc_fwm_table
319 hash = ip_vs_svc_fwm_hashkey(svc->ipvs, svc->fwmark);
320 hlist_add_head_rcu(&svc->f_list, &ip_vs_svc_fwm_table[hash]);
323 svc->flags |= IP_VS_SVC_F_HASHED;
324 /* increase its refcnt because it is referenced by the svc table */
325 atomic_inc(&svc->refcnt);
331 * Unhashes a service from svc_table / svc_fwm_table.
332 * Should be called with locked tables.
334 static int ip_vs_svc_unhash(struct ip_vs_service *svc)
336 if (!(svc->flags & IP_VS_SVC_F_HASHED)) {
337 pr_err("%s(): request for unhash flagged, called from %pF\n",
338 __func__, __builtin_return_address(0));
342 if (svc->fwmark == 0) {
343 /* Remove it from the svc_table table */
344 hlist_del_rcu(&svc->s_list);
346 /* Remove it from the svc_fwm_table table */
347 hlist_del_rcu(&svc->f_list);
350 svc->flags &= ~IP_VS_SVC_F_HASHED;
351 atomic_dec(&svc->refcnt);
357 * Get service by {netns, proto,addr,port} in the service table.
359 static inline struct ip_vs_service *
360 __ip_vs_service_find(struct netns_ipvs *ipvs, int af, __u16 protocol,
361 const union nf_inet_addr *vaddr, __be16 vport)
364 struct ip_vs_service *svc;
366 /* Check for "full" addressed entries */
367 hash = ip_vs_svc_hashkey(ipvs, af, protocol, vaddr, vport);
369 hlist_for_each_entry_rcu(svc, &ip_vs_svc_table[hash], s_list) {
371 && ip_vs_addr_equal(af, &svc->addr, vaddr)
372 && (svc->port == vport)
373 && (svc->protocol == protocol)
374 && (svc->ipvs == ipvs)) {
385 * Get service by {fwmark} in the service table.
387 static inline struct ip_vs_service *
388 __ip_vs_svc_fwm_find(struct netns_ipvs *ipvs, int af, __u32 fwmark)
391 struct ip_vs_service *svc;
393 /* Check for fwmark addressed entries */
394 hash = ip_vs_svc_fwm_hashkey(ipvs, fwmark);
396 hlist_for_each_entry_rcu(svc, &ip_vs_svc_fwm_table[hash], f_list) {
397 if (svc->fwmark == fwmark && svc->af == af
398 && (svc->ipvs == ipvs)) {
407 /* Find service, called under RCU lock */
408 struct ip_vs_service *
409 ip_vs_service_find(struct netns_ipvs *ipvs, int af, __u32 fwmark, __u16 protocol,
410 const union nf_inet_addr *vaddr, __be16 vport)
412 struct ip_vs_service *svc;
415 * Check the table hashed by fwmark first
418 svc = __ip_vs_svc_fwm_find(ipvs, af, fwmark);
424 * Check the table hashed by <protocol,addr,port>
425 * for "full" addressed entries
427 svc = __ip_vs_service_find(ipvs, af, protocol, vaddr, vport);
430 && protocol == IPPROTO_TCP
431 && atomic_read(&ipvs->ftpsvc_counter)
432 && (vport == FTPDATA || ntohs(vport) >= PROT_SOCK)) {
434 * Check if ftp service entry exists, the packet
435 * might belong to FTP data connections.
437 svc = __ip_vs_service_find(ipvs, af, protocol, vaddr, FTPPORT);
441 && atomic_read(&ipvs->nullsvc_counter)) {
443 * Check if the catch-all port (port zero) exists
445 svc = __ip_vs_service_find(ipvs, af, protocol, vaddr, 0);
449 IP_VS_DBG_BUF(9, "lookup service: fwm %u %s %s:%u %s\n",
450 fwmark, ip_vs_proto_name(protocol),
451 IP_VS_DBG_ADDR(af, vaddr), ntohs(vport),
452 svc ? "hit" : "not hit");
459 __ip_vs_bind_svc(struct ip_vs_dest *dest, struct ip_vs_service *svc)
461 atomic_inc(&svc->refcnt);
462 rcu_assign_pointer(dest->svc, svc);
465 static void ip_vs_service_free(struct ip_vs_service *svc)
467 free_percpu(svc->stats.cpustats);
471 static void ip_vs_service_rcu_free(struct rcu_head *head)
473 struct ip_vs_service *svc;
475 svc = container_of(head, struct ip_vs_service, rcu_head);
476 ip_vs_service_free(svc);
479 static void __ip_vs_svc_put(struct ip_vs_service *svc, bool do_delay)
481 if (atomic_dec_and_test(&svc->refcnt)) {
482 IP_VS_DBG_BUF(3, "Removing service %u/%s:%u\n",
484 IP_VS_DBG_ADDR(svc->af, &svc->addr),
487 call_rcu(&svc->rcu_head, ip_vs_service_rcu_free);
489 ip_vs_service_free(svc);
495 * Returns hash value for real service
497 static inline unsigned int ip_vs_rs_hashkey(int af,
498 const union nf_inet_addr *addr,
501 register unsigned int porth = ntohs(port);
502 __be32 addr_fold = addr->ip;
504 #ifdef CONFIG_IP_VS_IPV6
506 addr_fold = addr->ip6[0]^addr->ip6[1]^
507 addr->ip6[2]^addr->ip6[3];
510 return (ntohl(addr_fold)^(porth>>IP_VS_RTAB_BITS)^porth)
514 /* Hash ip_vs_dest in rs_table by <proto,addr,port>. */
515 static void ip_vs_rs_hash(struct netns_ipvs *ipvs, struct ip_vs_dest *dest)
519 if (dest->in_rs_table)
523 * Hash by proto,addr,port,
524 * which are the parameters of the real service.
526 hash = ip_vs_rs_hashkey(dest->af, &dest->addr, dest->port);
528 hlist_add_head_rcu(&dest->d_list, &ipvs->rs_table[hash]);
529 dest->in_rs_table = 1;
532 /* Unhash ip_vs_dest from rs_table. */
533 static void ip_vs_rs_unhash(struct ip_vs_dest *dest)
536 * Remove it from the rs_table table.
538 if (dest->in_rs_table) {
539 hlist_del_rcu(&dest->d_list);
540 dest->in_rs_table = 0;
544 /* Check if real service by <proto,addr,port> is present */
545 bool ip_vs_has_real_service(struct netns_ipvs *ipvs, int af, __u16 protocol,
546 const union nf_inet_addr *daddr, __be16 dport)
549 struct ip_vs_dest *dest;
551 /* Check for "full" addressed entries */
552 hash = ip_vs_rs_hashkey(af, daddr, dport);
555 hlist_for_each_entry_rcu(dest, &ipvs->rs_table[hash], d_list) {
556 if (dest->port == dport &&
558 ip_vs_addr_equal(af, &dest->addr, daddr) &&
559 (dest->protocol == protocol || dest->vfwmark)) {
570 /* Find real service record by <proto,addr,port>.
571 * In case of multiple records with the same <proto,addr,port>, only
572 * the first found record is returned.
574 * To be called under RCU lock.
576 struct ip_vs_dest *ip_vs_find_real_service(struct netns_ipvs *ipvs, int af,
578 const union nf_inet_addr *daddr,
582 struct ip_vs_dest *dest;
584 /* Check for "full" addressed entries */
585 hash = ip_vs_rs_hashkey(af, daddr, dport);
587 hlist_for_each_entry_rcu(dest, &ipvs->rs_table[hash], d_list) {
588 if (dest->port == dport &&
590 ip_vs_addr_equal(af, &dest->addr, daddr) &&
591 (dest->protocol == protocol || dest->vfwmark)) {
600 /* Lookup destination by {addr,port} in the given service
601 * Called under RCU lock.
603 static struct ip_vs_dest *
604 ip_vs_lookup_dest(struct ip_vs_service *svc, int dest_af,
605 const union nf_inet_addr *daddr, __be16 dport)
607 struct ip_vs_dest *dest;
610 * Find the destination for the given service
612 list_for_each_entry_rcu(dest, &svc->destinations, n_list) {
613 if ((dest->af == dest_af) &&
614 ip_vs_addr_equal(dest_af, &dest->addr, daddr) &&
615 (dest->port == dport)) {
625 * Find destination by {daddr,dport,vaddr,protocol}
626 * Created to be used in ip_vs_process_message() in
627 * the backup synchronization daemon. It finds the
628 * destination to be bound to the received connection
630 * Called under RCU lock, no refcnt is returned.
632 struct ip_vs_dest *ip_vs_find_dest(struct netns_ipvs *ipvs, int svc_af, int dest_af,
633 const union nf_inet_addr *daddr,
635 const union nf_inet_addr *vaddr,
636 __be16 vport, __u16 protocol, __u32 fwmark,
639 struct ip_vs_dest *dest;
640 struct ip_vs_service *svc;
643 svc = ip_vs_service_find(ipvs, svc_af, fwmark, protocol, vaddr, vport);
646 if (fwmark && (flags & IP_VS_CONN_F_FWD_MASK) != IP_VS_CONN_F_MASQ)
648 dest = ip_vs_lookup_dest(svc, dest_af, daddr, port);
650 dest = ip_vs_lookup_dest(svc, dest_af, daddr, port ^ dport);
654 void ip_vs_dest_dst_rcu_free(struct rcu_head *head)
656 struct ip_vs_dest_dst *dest_dst = container_of(head,
657 struct ip_vs_dest_dst,
660 dst_release(dest_dst->dst_cache);
664 /* Release dest_dst and dst_cache for dest in user context */
665 static void __ip_vs_dst_cache_reset(struct ip_vs_dest *dest)
667 struct ip_vs_dest_dst *old;
669 old = rcu_dereference_protected(dest->dest_dst, 1);
671 RCU_INIT_POINTER(dest->dest_dst, NULL);
672 call_rcu(&old->rcu_head, ip_vs_dest_dst_rcu_free);
677 * Lookup dest by {svc,addr,port} in the destination trash.
678 * The destination trash is used to hold the destinations that are removed
679 * from the service table but are still referenced by some conn entries.
680 * The reason to add the destination trash is when the dest is temporary
681 * down (either by administrator or by monitor program), the dest can be
682 * picked back from the trash, the remaining connections to the dest can
683 * continue, and the counting information of the dest is also useful for
686 static struct ip_vs_dest *
687 ip_vs_trash_get_dest(struct ip_vs_service *svc, int dest_af,
688 const union nf_inet_addr *daddr, __be16 dport)
690 struct ip_vs_dest *dest;
691 struct netns_ipvs *ipvs = svc->ipvs;
694 * Find the destination in trash
696 spin_lock_bh(&ipvs->dest_trash_lock);
697 list_for_each_entry(dest, &ipvs->dest_trash, t_list) {
698 IP_VS_DBG_BUF(3, "Destination %u/%s:%u still in trash, "
701 IP_VS_DBG_ADDR(dest->af, &dest->addr),
703 atomic_read(&dest->refcnt));
704 if (dest->af == dest_af &&
705 ip_vs_addr_equal(dest_af, &dest->addr, daddr) &&
706 dest->port == dport &&
707 dest->vfwmark == svc->fwmark &&
708 dest->protocol == svc->protocol &&
710 (ip_vs_addr_equal(svc->af, &dest->vaddr, &svc->addr) &&
711 dest->vport == svc->port))) {
713 list_del(&dest->t_list);
714 ip_vs_dest_hold(dest);
722 spin_unlock_bh(&ipvs->dest_trash_lock);
727 static void ip_vs_dest_free(struct ip_vs_dest *dest)
729 struct ip_vs_service *svc = rcu_dereference_protected(dest->svc, 1);
731 __ip_vs_dst_cache_reset(dest);
732 __ip_vs_svc_put(svc, false);
733 free_percpu(dest->stats.cpustats);
734 ip_vs_dest_put_and_free(dest);
738 * Clean up all the destinations in the trash
739 * Called by the ip_vs_control_cleanup()
741 * When the ip_vs_control_clearup is activated by ipvs module exit,
742 * the service tables must have been flushed and all the connections
743 * are expired, and the refcnt of each destination in the trash must
744 * be 0, so we simply release them here.
746 static void ip_vs_trash_cleanup(struct netns_ipvs *ipvs)
748 struct ip_vs_dest *dest, *nxt;
750 del_timer_sync(&ipvs->dest_trash_timer);
751 /* No need to use dest_trash_lock */
752 list_for_each_entry_safe(dest, nxt, &ipvs->dest_trash, t_list) {
753 list_del(&dest->t_list);
754 ip_vs_dest_free(dest);
759 ip_vs_copy_stats(struct ip_vs_kstats *dst, struct ip_vs_stats *src)
761 #define IP_VS_SHOW_STATS_COUNTER(c) dst->c = src->kstats.c - src->kstats0.c
763 spin_lock_bh(&src->lock);
765 IP_VS_SHOW_STATS_COUNTER(conns);
766 IP_VS_SHOW_STATS_COUNTER(inpkts);
767 IP_VS_SHOW_STATS_COUNTER(outpkts);
768 IP_VS_SHOW_STATS_COUNTER(inbytes);
769 IP_VS_SHOW_STATS_COUNTER(outbytes);
771 ip_vs_read_estimator(dst, src);
773 spin_unlock_bh(&src->lock);
777 ip_vs_export_stats_user(struct ip_vs_stats_user *dst, struct ip_vs_kstats *src)
779 dst->conns = (u32)src->conns;
780 dst->inpkts = (u32)src->inpkts;
781 dst->outpkts = (u32)src->outpkts;
782 dst->inbytes = src->inbytes;
783 dst->outbytes = src->outbytes;
784 dst->cps = (u32)src->cps;
785 dst->inpps = (u32)src->inpps;
786 dst->outpps = (u32)src->outpps;
787 dst->inbps = (u32)src->inbps;
788 dst->outbps = (u32)src->outbps;
792 ip_vs_zero_stats(struct ip_vs_stats *stats)
794 spin_lock_bh(&stats->lock);
796 /* get current counters as zero point, rates are zeroed */
798 #define IP_VS_ZERO_STATS_COUNTER(c) stats->kstats0.c = stats->kstats.c
800 IP_VS_ZERO_STATS_COUNTER(conns);
801 IP_VS_ZERO_STATS_COUNTER(inpkts);
802 IP_VS_ZERO_STATS_COUNTER(outpkts);
803 IP_VS_ZERO_STATS_COUNTER(inbytes);
804 IP_VS_ZERO_STATS_COUNTER(outbytes);
806 ip_vs_zero_estimator(stats);
808 spin_unlock_bh(&stats->lock);
812 * Update a destination in the given service
815 __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
816 struct ip_vs_dest_user_kern *udest, int add)
818 struct netns_ipvs *ipvs = svc->ipvs;
819 struct ip_vs_service *old_svc;
820 struct ip_vs_scheduler *sched;
823 /* We cannot modify an address and change the address family */
824 BUG_ON(!add && udest->af != dest->af);
826 if (add && udest->af != svc->af)
827 ipvs->mixed_address_family_dests++;
829 /* set the weight and the flags */
830 atomic_set(&dest->weight, udest->weight);
831 conn_flags = udest->conn_flags & IP_VS_CONN_F_DEST_MASK;
832 conn_flags |= IP_VS_CONN_F_INACTIVE;
834 /* set the IP_VS_CONN_F_NOOUTPUT flag if not masquerading/NAT */
835 if ((conn_flags & IP_VS_CONN_F_FWD_MASK) != IP_VS_CONN_F_MASQ) {
836 conn_flags |= IP_VS_CONN_F_NOOUTPUT;
839 * Put the real service in rs_table if not present.
840 * For now only for NAT!
842 ip_vs_rs_hash(ipvs, dest);
844 atomic_set(&dest->conn_flags, conn_flags);
846 /* bind the service */
847 old_svc = rcu_dereference_protected(dest->svc, 1);
849 __ip_vs_bind_svc(dest, svc);
851 if (old_svc != svc) {
852 ip_vs_zero_stats(&dest->stats);
853 __ip_vs_bind_svc(dest, svc);
854 __ip_vs_svc_put(old_svc, true);
858 /* set the dest status flags */
859 dest->flags |= IP_VS_DEST_F_AVAILABLE;
861 if (udest->u_threshold == 0 || udest->u_threshold > dest->u_threshold)
862 dest->flags &= ~IP_VS_DEST_F_OVERLOAD;
863 dest->u_threshold = udest->u_threshold;
864 dest->l_threshold = udest->l_threshold;
866 dest->af = udest->af;
868 spin_lock_bh(&dest->dst_lock);
869 __ip_vs_dst_cache_reset(dest);
870 spin_unlock_bh(&dest->dst_lock);
873 ip_vs_start_estimator(svc->ipvs, &dest->stats);
874 list_add_rcu(&dest->n_list, &svc->destinations);
876 sched = rcu_dereference_protected(svc->scheduler, 1);
877 if (sched && sched->add_dest)
878 sched->add_dest(svc, dest);
880 sched = rcu_dereference_protected(svc->scheduler, 1);
881 if (sched && sched->upd_dest)
882 sched->upd_dest(svc, dest);
888 * Create a destination for the given service
891 ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
892 struct ip_vs_dest **dest_p)
894 struct ip_vs_dest *dest;
895 unsigned int atype, i;
899 #ifdef CONFIG_IP_VS_IPV6
900 if (udest->af == AF_INET6) {
901 atype = ipv6_addr_type(&udest->addr.in6);
902 if ((!(atype & IPV6_ADDR_UNICAST) ||
903 atype & IPV6_ADDR_LINKLOCAL) &&
904 !__ip_vs_addr_is_local_v6(svc->ipvs->net, &udest->addr.in6))
909 atype = inet_addr_type(svc->ipvs->net, udest->addr.ip);
910 if (atype != RTN_LOCAL && atype != RTN_UNICAST)
914 dest = kzalloc(sizeof(struct ip_vs_dest), GFP_KERNEL);
918 dest->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
919 if (!dest->stats.cpustats)
922 for_each_possible_cpu(i) {
923 struct ip_vs_cpu_stats *ip_vs_dest_stats;
924 ip_vs_dest_stats = per_cpu_ptr(dest->stats.cpustats, i);
925 u64_stats_init(&ip_vs_dest_stats->syncp);
928 dest->af = udest->af;
929 dest->protocol = svc->protocol;
930 dest->vaddr = svc->addr;
931 dest->vport = svc->port;
932 dest->vfwmark = svc->fwmark;
933 ip_vs_addr_copy(udest->af, &dest->addr, &udest->addr);
934 dest->port = udest->port;
936 atomic_set(&dest->activeconns, 0);
937 atomic_set(&dest->inactconns, 0);
938 atomic_set(&dest->persistconns, 0);
939 atomic_set(&dest->refcnt, 1);
941 INIT_HLIST_NODE(&dest->d_list);
942 spin_lock_init(&dest->dst_lock);
943 spin_lock_init(&dest->stats.lock);
944 __ip_vs_update_dest(svc, dest, udest, 1);
958 * Add a destination into an existing service
961 ip_vs_add_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
963 struct ip_vs_dest *dest;
964 union nf_inet_addr daddr;
965 __be16 dport = udest->port;
970 if (udest->weight < 0) {
971 pr_err("%s(): server weight less than zero\n", __func__);
975 if (udest->l_threshold > udest->u_threshold) {
976 pr_err("%s(): lower threshold is higher than upper threshold\n",
981 ip_vs_addr_copy(udest->af, &daddr, &udest->addr);
983 /* We use function that requires RCU lock */
985 dest = ip_vs_lookup_dest(svc, udest->af, &daddr, dport);
989 IP_VS_DBG(1, "%s(): dest already exists\n", __func__);
994 * Check if the dest already exists in the trash and
995 * is from the same service
997 dest = ip_vs_trash_get_dest(svc, udest->af, &daddr, dport);
1000 IP_VS_DBG_BUF(3, "Get destination %s:%u from trash, "
1001 "dest->refcnt=%d, service %u/%s:%u\n",
1002 IP_VS_DBG_ADDR(udest->af, &daddr), ntohs(dport),
1003 atomic_read(&dest->refcnt),
1005 IP_VS_DBG_ADDR(svc->af, &dest->vaddr),
1006 ntohs(dest->vport));
1008 __ip_vs_update_dest(svc, dest, udest, 1);
1012 * Allocate and initialize the dest structure
1014 ret = ip_vs_new_dest(svc, udest, &dest);
1023 * Edit a destination in the given service
1026 ip_vs_edit_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
1028 struct ip_vs_dest *dest;
1029 union nf_inet_addr daddr;
1030 __be16 dport = udest->port;
1034 if (udest->weight < 0) {
1035 pr_err("%s(): server weight less than zero\n", __func__);
1039 if (udest->l_threshold > udest->u_threshold) {
1040 pr_err("%s(): lower threshold is higher than upper threshold\n",
1045 ip_vs_addr_copy(udest->af, &daddr, &udest->addr);
1047 /* We use function that requires RCU lock */
1049 dest = ip_vs_lookup_dest(svc, udest->af, &daddr, dport);
1053 IP_VS_DBG(1, "%s(): dest doesn't exist\n", __func__);
1057 __ip_vs_update_dest(svc, dest, udest, 0);
1064 * Delete a destination (must be already unlinked from the service)
1066 static void __ip_vs_del_dest(struct netns_ipvs *ipvs, struct ip_vs_dest *dest,
1069 ip_vs_stop_estimator(ipvs, &dest->stats);
1072 * Remove it from the d-linked list with the real services.
1074 ip_vs_rs_unhash(dest);
1076 spin_lock_bh(&ipvs->dest_trash_lock);
1077 IP_VS_DBG_BUF(3, "Moving dest %s:%u into trash, dest->refcnt=%d\n",
1078 IP_VS_DBG_ADDR(dest->af, &dest->addr), ntohs(dest->port),
1079 atomic_read(&dest->refcnt));
1080 if (list_empty(&ipvs->dest_trash) && !cleanup)
1081 mod_timer(&ipvs->dest_trash_timer,
1082 jiffies + (IP_VS_DEST_TRASH_PERIOD >> 1));
1083 /* dest lives in trash without reference */
1084 list_add(&dest->t_list, &ipvs->dest_trash);
1085 dest->idle_start = 0;
1086 spin_unlock_bh(&ipvs->dest_trash_lock);
1087 ip_vs_dest_put(dest);
1092 * Unlink a destination from the given service
1094 static void __ip_vs_unlink_dest(struct ip_vs_service *svc,
1095 struct ip_vs_dest *dest,
1098 dest->flags &= ~IP_VS_DEST_F_AVAILABLE;
1101 * Remove it from the d-linked destination list.
1103 list_del_rcu(&dest->n_list);
1106 if (dest->af != svc->af)
1107 svc->ipvs->mixed_address_family_dests--;
1110 struct ip_vs_scheduler *sched;
1112 sched = rcu_dereference_protected(svc->scheduler, 1);
1113 if (sched && sched->del_dest)
1114 sched->del_dest(svc, dest);
1120 * Delete a destination server in the given service
1123 ip_vs_del_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
1125 struct ip_vs_dest *dest;
1126 __be16 dport = udest->port;
1130 /* We use function that requires RCU lock */
1132 dest = ip_vs_lookup_dest(svc, udest->af, &udest->addr, dport);
1136 IP_VS_DBG(1, "%s(): destination not found!\n", __func__);
1141 * Unlink dest from the service
1143 __ip_vs_unlink_dest(svc, dest, 1);
1146 * Delete the destination
1148 __ip_vs_del_dest(svc->ipvs, dest, false);
1155 static void ip_vs_dest_trash_expire(unsigned long data)
1157 struct netns_ipvs *ipvs = (struct netns_ipvs *)data;
1158 struct ip_vs_dest *dest, *next;
1159 unsigned long now = jiffies;
1161 spin_lock(&ipvs->dest_trash_lock);
1162 list_for_each_entry_safe(dest, next, &ipvs->dest_trash, t_list) {
1163 if (atomic_read(&dest->refcnt) > 0)
1165 if (dest->idle_start) {
1166 if (time_before(now, dest->idle_start +
1167 IP_VS_DEST_TRASH_PERIOD))
1170 dest->idle_start = max(1UL, now);
1173 IP_VS_DBG_BUF(3, "Removing destination %u/%s:%u from trash\n",
1175 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1177 list_del(&dest->t_list);
1178 ip_vs_dest_free(dest);
1180 if (!list_empty(&ipvs->dest_trash))
1181 mod_timer(&ipvs->dest_trash_timer,
1182 jiffies + (IP_VS_DEST_TRASH_PERIOD >> 1));
1183 spin_unlock(&ipvs->dest_trash_lock);
1187 * Add a service into the service hash table
1190 ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
1191 struct ip_vs_service **svc_p)
1194 struct ip_vs_scheduler *sched = NULL;
1195 struct ip_vs_pe *pe = NULL;
1196 struct ip_vs_service *svc = NULL;
1198 /* increase the module use count */
1199 ip_vs_use_count_inc();
1201 /* Lookup the scheduler by 'u->sched_name' */
1202 if (strcmp(u->sched_name, "none")) {
1203 sched = ip_vs_scheduler_get(u->sched_name);
1205 pr_info("Scheduler module ip_vs_%s not found\n",
1212 if (u->pe_name && *u->pe_name) {
1213 pe = ip_vs_pe_getbyname(u->pe_name);
1215 pr_info("persistence engine module ip_vs_pe_%s "
1216 "not found\n", u->pe_name);
1222 #ifdef CONFIG_IP_VS_IPV6
1223 if (u->af == AF_INET6) {
1224 __u32 plen = (__force __u32) u->netmask;
1226 if (plen < 1 || plen > 128) {
1233 svc = kzalloc(sizeof(struct ip_vs_service), GFP_KERNEL);
1235 IP_VS_DBG(1, "%s(): no memory\n", __func__);
1239 svc->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
1240 if (!svc->stats.cpustats) {
1245 for_each_possible_cpu(i) {
1246 struct ip_vs_cpu_stats *ip_vs_stats;
1247 ip_vs_stats = per_cpu_ptr(svc->stats.cpustats, i);
1248 u64_stats_init(&ip_vs_stats->syncp);
1252 /* I'm the first user of the service */
1253 atomic_set(&svc->refcnt, 0);
1256 svc->protocol = u->protocol;
1257 ip_vs_addr_copy(svc->af, &svc->addr, &u->addr);
1258 svc->port = u->port;
1259 svc->fwmark = u->fwmark;
1260 svc->flags = u->flags;
1261 svc->timeout = u->timeout * HZ;
1262 svc->netmask = u->netmask;
1265 INIT_LIST_HEAD(&svc->destinations);
1266 spin_lock_init(&svc->sched_lock);
1267 spin_lock_init(&svc->stats.lock);
1269 /* Bind the scheduler */
1271 ret = ip_vs_bind_scheduler(svc, sched);
1277 /* Bind the ct retriever */
1278 RCU_INIT_POINTER(svc->pe, pe);
1281 /* Update the virtual service counters */
1282 if (svc->port == FTPPORT)
1283 atomic_inc(&ipvs->ftpsvc_counter);
1284 else if (svc->port == 0)
1285 atomic_inc(&ipvs->nullsvc_counter);
1286 if (svc->pe && svc->pe->conn_out)
1287 atomic_inc(&ipvs->conn_out_counter);
1289 ip_vs_start_estimator(ipvs, &svc->stats);
1291 /* Count only IPv4 services for old get/setsockopt interface */
1292 if (svc->af == AF_INET)
1293 ipvs->num_services++;
1295 /* Hash the service into the service table */
1296 ip_vs_svc_hash(svc);
1299 /* Now there is a service - full throttle */
1306 ip_vs_unbind_scheduler(svc, sched);
1307 ip_vs_service_free(svc);
1309 ip_vs_scheduler_put(sched);
1312 /* decrease the module use count */
1313 ip_vs_use_count_dec();
1320 * Edit a service and bind it with a new scheduler
1323 ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)
1325 struct ip_vs_scheduler *sched = NULL, *old_sched;
1326 struct ip_vs_pe *pe = NULL, *old_pe = NULL;
1328 bool new_pe_conn_out, old_pe_conn_out;
1331 * Lookup the scheduler, by 'u->sched_name'
1333 if (strcmp(u->sched_name, "none")) {
1334 sched = ip_vs_scheduler_get(u->sched_name);
1336 pr_info("Scheduler module ip_vs_%s not found\n",
1343 if (u->pe_name && *u->pe_name) {
1344 pe = ip_vs_pe_getbyname(u->pe_name);
1346 pr_info("persistence engine module ip_vs_pe_%s "
1347 "not found\n", u->pe_name);
1354 #ifdef CONFIG_IP_VS_IPV6
1355 if (u->af == AF_INET6) {
1356 __u32 plen = (__force __u32) u->netmask;
1358 if (plen < 1 || plen > 128) {
1365 old_sched = rcu_dereference_protected(svc->scheduler, 1);
1366 if (sched != old_sched) {
1368 ip_vs_unbind_scheduler(svc, old_sched);
1369 RCU_INIT_POINTER(svc->scheduler, NULL);
1370 /* Wait all svc->sched_data users */
1373 /* Bind the new scheduler */
1375 ret = ip_vs_bind_scheduler(svc, sched);
1377 ip_vs_scheduler_put(sched);
1384 * Set the flags and timeout value
1386 svc->flags = u->flags | IP_VS_SVC_F_HASHED;
1387 svc->timeout = u->timeout * HZ;
1388 svc->netmask = u->netmask;
1390 old_pe = rcu_dereference_protected(svc->pe, 1);
1392 rcu_assign_pointer(svc->pe, pe);
1393 /* check for optional methods in new pe */
1394 new_pe_conn_out = (pe && pe->conn_out) ? true : false;
1395 old_pe_conn_out = (old_pe && old_pe->conn_out) ? true : false;
1396 if (new_pe_conn_out && !old_pe_conn_out)
1397 atomic_inc(&svc->ipvs->conn_out_counter);
1398 if (old_pe_conn_out && !new_pe_conn_out)
1399 atomic_dec(&svc->ipvs->conn_out_counter);
1403 ip_vs_scheduler_put(old_sched);
1404 ip_vs_pe_put(old_pe);
1409 * Delete a service from the service list
1410 * - The service must be unlinked, unlocked and not referenced!
1411 * - We are called under _bh lock
1413 static void __ip_vs_del_service(struct ip_vs_service *svc, bool cleanup)
1415 struct ip_vs_dest *dest, *nxt;
1416 struct ip_vs_scheduler *old_sched;
1417 struct ip_vs_pe *old_pe;
1418 struct netns_ipvs *ipvs = svc->ipvs;
1420 /* Count only IPv4 services for old get/setsockopt interface */
1421 if (svc->af == AF_INET)
1422 ipvs->num_services--;
1424 ip_vs_stop_estimator(svc->ipvs, &svc->stats);
1426 /* Unbind scheduler */
1427 old_sched = rcu_dereference_protected(svc->scheduler, 1);
1428 ip_vs_unbind_scheduler(svc, old_sched);
1429 ip_vs_scheduler_put(old_sched);
1431 /* Unbind persistence engine, keep svc->pe */
1432 old_pe = rcu_dereference_protected(svc->pe, 1);
1433 if (old_pe && old_pe->conn_out)
1434 atomic_dec(&ipvs->conn_out_counter);
1435 ip_vs_pe_put(old_pe);
1438 * Unlink the whole destination list
1440 list_for_each_entry_safe(dest, nxt, &svc->destinations, n_list) {
1441 __ip_vs_unlink_dest(svc, dest, 0);
1442 __ip_vs_del_dest(svc->ipvs, dest, cleanup);
1446 * Update the virtual service counters
1448 if (svc->port == FTPPORT)
1449 atomic_dec(&ipvs->ftpsvc_counter);
1450 else if (svc->port == 0)
1451 atomic_dec(&ipvs->nullsvc_counter);
1454 * Free the service if nobody refers to it
1456 __ip_vs_svc_put(svc, true);
1458 /* decrease the module use count */
1459 ip_vs_use_count_dec();
1463 * Unlink a service from list and try to delete it if its refcnt reached 0
1465 static void ip_vs_unlink_service(struct ip_vs_service *svc, bool cleanup)
1467 /* Hold svc to avoid double release from dest_trash */
1468 atomic_inc(&svc->refcnt);
1470 * Unhash it from the service table
1472 ip_vs_svc_unhash(svc);
1474 __ip_vs_del_service(svc, cleanup);
1478 * Delete a service from the service list
1480 static int ip_vs_del_service(struct ip_vs_service *svc)
1484 ip_vs_unlink_service(svc, false);
1491 * Flush all the virtual services
1493 static int ip_vs_flush(struct netns_ipvs *ipvs, bool cleanup)
1496 struct ip_vs_service *svc;
1497 struct hlist_node *n;
1500 * Flush the service table hashed by <netns,protocol,addr,port>
1502 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1503 hlist_for_each_entry_safe(svc, n, &ip_vs_svc_table[idx],
1505 if (svc->ipvs == ipvs)
1506 ip_vs_unlink_service(svc, cleanup);
1511 * Flush the service table hashed by fwmark
1513 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1514 hlist_for_each_entry_safe(svc, n, &ip_vs_svc_fwm_table[idx],
1516 if (svc->ipvs == ipvs)
1517 ip_vs_unlink_service(svc, cleanup);
1525 * Delete service by {netns} in the service table.
1526 * Called by __ip_vs_cleanup()
1528 void ip_vs_service_net_cleanup(struct netns_ipvs *ipvs)
1531 /* Check for "full" addressed entries */
1532 mutex_lock(&__ip_vs_mutex);
1533 ip_vs_flush(ipvs, true);
1534 mutex_unlock(&__ip_vs_mutex);
1538 /* Put all references for device (dst_cache) */
1540 ip_vs_forget_dev(struct ip_vs_dest *dest, struct net_device *dev)
1542 struct ip_vs_dest_dst *dest_dst;
1544 spin_lock_bh(&dest->dst_lock);
1545 dest_dst = rcu_dereference_protected(dest->dest_dst, 1);
1546 if (dest_dst && dest_dst->dst_cache->dev == dev) {
1547 IP_VS_DBG_BUF(3, "Reset dev:%s dest %s:%u ,dest->refcnt=%d\n",
1549 IP_VS_DBG_ADDR(dest->af, &dest->addr),
1551 atomic_read(&dest->refcnt));
1552 __ip_vs_dst_cache_reset(dest);
1554 spin_unlock_bh(&dest->dst_lock);
1557 /* Netdev event receiver
1558 * Currently only NETDEV_DOWN is handled to release refs to cached dsts
1560 static int ip_vs_dst_event(struct notifier_block *this, unsigned long event,
1563 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
1564 struct net *net = dev_net(dev);
1565 struct netns_ipvs *ipvs = net_ipvs(net);
1566 struct ip_vs_service *svc;
1567 struct ip_vs_dest *dest;
1570 if (event != NETDEV_DOWN || !ipvs)
1572 IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name);
1574 mutex_lock(&__ip_vs_mutex);
1575 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1576 hlist_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1577 if (svc->ipvs == ipvs) {
1578 list_for_each_entry(dest, &svc->destinations,
1580 ip_vs_forget_dev(dest, dev);
1585 hlist_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1586 if (svc->ipvs == ipvs) {
1587 list_for_each_entry(dest, &svc->destinations,
1589 ip_vs_forget_dev(dest, dev);
1596 spin_lock_bh(&ipvs->dest_trash_lock);
1597 list_for_each_entry(dest, &ipvs->dest_trash, t_list) {
1598 ip_vs_forget_dev(dest, dev);
1600 spin_unlock_bh(&ipvs->dest_trash_lock);
1601 mutex_unlock(&__ip_vs_mutex);
1607 * Zero counters in a service or all services
1609 static int ip_vs_zero_service(struct ip_vs_service *svc)
1611 struct ip_vs_dest *dest;
1613 list_for_each_entry(dest, &svc->destinations, n_list) {
1614 ip_vs_zero_stats(&dest->stats);
1616 ip_vs_zero_stats(&svc->stats);
1620 static int ip_vs_zero_all(struct netns_ipvs *ipvs)
1623 struct ip_vs_service *svc;
1625 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1626 hlist_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
1627 if (svc->ipvs == ipvs)
1628 ip_vs_zero_service(svc);
1632 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1633 hlist_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
1634 if (svc->ipvs == ipvs)
1635 ip_vs_zero_service(svc);
1639 ip_vs_zero_stats(&ipvs->tot_stats);
1643 #ifdef CONFIG_SYSCTL
1646 static int three = 3;
1649 proc_do_defense_mode(struct ctl_table *table, int write,
1650 void __user *buffer, size_t *lenp, loff_t *ppos)
1652 struct netns_ipvs *ipvs = table->extra2;
1653 int *valp = table->data;
1657 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1658 if (write && (*valp != val)) {
1659 if ((*valp < 0) || (*valp > 3)) {
1660 /* Restore the correct value */
1663 update_defense_level(ipvs);
1670 proc_do_sync_threshold(struct ctl_table *table, int write,
1671 void __user *buffer, size_t *lenp, loff_t *ppos)
1673 int *valp = table->data;
1677 /* backup the value first */
1678 memcpy(val, valp, sizeof(val));
1680 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1681 if (write && (valp[0] < 0 || valp[1] < 0 ||
1682 (valp[0] >= valp[1] && valp[1]))) {
1683 /* Restore the correct value */
1684 memcpy(valp, val, sizeof(val));
1690 proc_do_sync_mode(struct ctl_table *table, int write,
1691 void __user *buffer, size_t *lenp, loff_t *ppos)
1693 int *valp = table->data;
1697 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1698 if (write && (*valp != val)) {
1699 if ((*valp < 0) || (*valp > 1)) {
1700 /* Restore the correct value */
1708 proc_do_sync_ports(struct ctl_table *table, int write,
1709 void __user *buffer, size_t *lenp, loff_t *ppos)
1711 int *valp = table->data;
1715 rc = proc_dointvec(table, write, buffer, lenp, ppos);
1716 if (write && (*valp != val)) {
1717 if (*valp < 1 || !is_power_of_2(*valp)) {
1718 /* Restore the correct value */
1726 * IPVS sysctl table (under the /proc/sys/net/ipv4/vs/)
1727 * Do not change order or insert new entries without
1728 * align with netns init in ip_vs_control_net_init()
1731 static struct ctl_table vs_vars[] = {
1733 .procname = "amemthresh",
1734 .maxlen = sizeof(int),
1736 .proc_handler = proc_dointvec,
1739 .procname = "am_droprate",
1740 .maxlen = sizeof(int),
1742 .proc_handler = proc_dointvec,
1745 .procname = "drop_entry",
1746 .maxlen = sizeof(int),
1748 .proc_handler = proc_do_defense_mode,
1751 .procname = "drop_packet",
1752 .maxlen = sizeof(int),
1754 .proc_handler = proc_do_defense_mode,
1756 #ifdef CONFIG_IP_VS_NFCT
1758 .procname = "conntrack",
1759 .maxlen = sizeof(int),
1761 .proc_handler = &proc_dointvec,
1765 .procname = "secure_tcp",
1766 .maxlen = sizeof(int),
1768 .proc_handler = proc_do_defense_mode,
1771 .procname = "snat_reroute",
1772 .maxlen = sizeof(int),
1774 .proc_handler = &proc_dointvec,
1777 .procname = "sync_version",
1778 .maxlen = sizeof(int),
1780 .proc_handler = &proc_do_sync_mode,
1783 .procname = "sync_ports",
1784 .maxlen = sizeof(int),
1786 .proc_handler = &proc_do_sync_ports,
1789 .procname = "sync_persist_mode",
1790 .maxlen = sizeof(int),
1792 .proc_handler = proc_dointvec,
1795 .procname = "sync_qlen_max",
1796 .maxlen = sizeof(unsigned long),
1798 .proc_handler = proc_doulongvec_minmax,
1801 .procname = "sync_sock_size",
1802 .maxlen = sizeof(int),
1804 .proc_handler = proc_dointvec,
1807 .procname = "cache_bypass",
1808 .maxlen = sizeof(int),
1810 .proc_handler = proc_dointvec,
1813 .procname = "expire_nodest_conn",
1814 .maxlen = sizeof(int),
1816 .proc_handler = proc_dointvec,
1819 .procname = "sloppy_tcp",
1820 .maxlen = sizeof(int),
1822 .proc_handler = proc_dointvec,
1825 .procname = "sloppy_sctp",
1826 .maxlen = sizeof(int),
1828 .proc_handler = proc_dointvec,
1831 .procname = "expire_quiescent_template",
1832 .maxlen = sizeof(int),
1834 .proc_handler = proc_dointvec,
1837 .procname = "sync_threshold",
1839 sizeof(((struct netns_ipvs *)0)->sysctl_sync_threshold),
1841 .proc_handler = proc_do_sync_threshold,
1844 .procname = "sync_refresh_period",
1845 .maxlen = sizeof(int),
1847 .proc_handler = proc_dointvec_jiffies,
1850 .procname = "sync_retries",
1851 .maxlen = sizeof(int),
1853 .proc_handler = proc_dointvec_minmax,
1858 .procname = "nat_icmp_send",
1859 .maxlen = sizeof(int),
1861 .proc_handler = proc_dointvec,
1864 .procname = "pmtu_disc",
1865 .maxlen = sizeof(int),
1867 .proc_handler = proc_dointvec,
1870 .procname = "backup_only",
1871 .maxlen = sizeof(int),
1873 .proc_handler = proc_dointvec,
1876 .procname = "conn_reuse_mode",
1877 .maxlen = sizeof(int),
1879 .proc_handler = proc_dointvec,
1882 .procname = "schedule_icmp",
1883 .maxlen = sizeof(int),
1885 .proc_handler = proc_dointvec,
1888 .procname = "ignore_tunneled",
1889 .maxlen = sizeof(int),
1891 .proc_handler = proc_dointvec,
1893 #ifdef CONFIG_IP_VS_DEBUG
1895 .procname = "debug_level",
1896 .data = &sysctl_ip_vs_debug_level,
1897 .maxlen = sizeof(int),
1899 .proc_handler = proc_dointvec,
1907 #ifdef CONFIG_PROC_FS
1910 struct seq_net_private p; /* Do not move this, netns depends upon it*/
1911 struct hlist_head *table;
1916 * Write the contents of the VS rule table to a PROCfs file.
1917 * (It is kept just for backward compatibility)
1919 static inline const char *ip_vs_fwd_name(unsigned int flags)
1921 switch (flags & IP_VS_CONN_F_FWD_MASK) {
1922 case IP_VS_CONN_F_LOCALNODE:
1924 case IP_VS_CONN_F_TUNNEL:
1926 case IP_VS_CONN_F_DROUTE:
1934 /* Get the Nth entry in the two lists */
1935 static struct ip_vs_service *ip_vs_info_array(struct seq_file *seq, loff_t pos)
1937 struct net *net = seq_file_net(seq);
1938 struct netns_ipvs *ipvs = net_ipvs(net);
1939 struct ip_vs_iter *iter = seq->private;
1941 struct ip_vs_service *svc;
1943 /* look in hash by protocol */
1944 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1945 hlist_for_each_entry_rcu(svc, &ip_vs_svc_table[idx], s_list) {
1946 if ((svc->ipvs == ipvs) && pos-- == 0) {
1947 iter->table = ip_vs_svc_table;
1954 /* keep looking in fwmark */
1955 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
1956 hlist_for_each_entry_rcu(svc, &ip_vs_svc_fwm_table[idx],
1958 if ((svc->ipvs == ipvs) && pos-- == 0) {
1959 iter->table = ip_vs_svc_fwm_table;
1969 static void *ip_vs_info_seq_start(struct seq_file *seq, loff_t *pos)
1973 return *pos ? ip_vs_info_array(seq, *pos - 1) : SEQ_START_TOKEN;
1977 static void *ip_vs_info_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1979 struct hlist_node *e;
1980 struct ip_vs_iter *iter;
1981 struct ip_vs_service *svc;
1984 if (v == SEQ_START_TOKEN)
1985 return ip_vs_info_array(seq,0);
1988 iter = seq->private;
1990 if (iter->table == ip_vs_svc_table) {
1991 /* next service in table hashed by protocol */
1992 e = rcu_dereference(hlist_next_rcu(&svc->s_list));
1994 return hlist_entry(e, struct ip_vs_service, s_list);
1996 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
1997 hlist_for_each_entry_rcu(svc,
1998 &ip_vs_svc_table[iter->bucket],
2004 iter->table = ip_vs_svc_fwm_table;
2009 /* next service in hashed by fwmark */
2010 e = rcu_dereference(hlist_next_rcu(&svc->f_list));
2012 return hlist_entry(e, struct ip_vs_service, f_list);
2015 while (++iter->bucket < IP_VS_SVC_TAB_SIZE) {
2016 hlist_for_each_entry_rcu(svc,
2017 &ip_vs_svc_fwm_table[iter->bucket],
2025 static void ip_vs_info_seq_stop(struct seq_file *seq, void *v)
2032 static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
2034 if (v == SEQ_START_TOKEN) {
2036 "IP Virtual Server version %d.%d.%d (size=%d)\n",
2037 NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size);
2039 "Prot LocalAddress:Port Scheduler Flags\n");
2041 " -> RemoteAddress:Port Forward Weight ActiveConn InActConn\n");
2043 const struct ip_vs_service *svc = v;
2044 const struct ip_vs_iter *iter = seq->private;
2045 const struct ip_vs_dest *dest;
2046 struct ip_vs_scheduler *sched = rcu_dereference(svc->scheduler);
2047 char *sched_name = sched ? sched->name : "none";
2049 if (iter->table == ip_vs_svc_table) {
2050 #ifdef CONFIG_IP_VS_IPV6
2051 if (svc->af == AF_INET6)
2052 seq_printf(seq, "%s [%pI6]:%04X %s ",
2053 ip_vs_proto_name(svc->protocol),
2059 seq_printf(seq, "%s %08X:%04X %s %s ",
2060 ip_vs_proto_name(svc->protocol),
2061 ntohl(svc->addr.ip),
2064 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
2066 seq_printf(seq, "FWM %08X %s %s",
2067 svc->fwmark, sched_name,
2068 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
2071 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
2072 seq_printf(seq, "persistent %d %08X\n",
2074 ntohl(svc->netmask));
2076 seq_putc(seq, '\n');
2078 list_for_each_entry_rcu(dest, &svc->destinations, n_list) {
2079 #ifdef CONFIG_IP_VS_IPV6
2080 if (dest->af == AF_INET6)
2083 " %-7s %-6d %-10d %-10d\n",
2086 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
2087 atomic_read(&dest->weight),
2088 atomic_read(&dest->activeconns),
2089 atomic_read(&dest->inactconns));
2094 "%-7s %-6d %-10d %-10d\n",
2095 ntohl(dest->addr.ip),
2097 ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
2098 atomic_read(&dest->weight),
2099 atomic_read(&dest->activeconns),
2100 atomic_read(&dest->inactconns));
2107 static const struct seq_operations ip_vs_info_seq_ops = {
2108 .start = ip_vs_info_seq_start,
2109 .next = ip_vs_info_seq_next,
2110 .stop = ip_vs_info_seq_stop,
2111 .show = ip_vs_info_seq_show,
2114 static int ip_vs_info_open(struct inode *inode, struct file *file)
2116 return seq_open_net(inode, file, &ip_vs_info_seq_ops,
2117 sizeof(struct ip_vs_iter));
2120 static const struct file_operations ip_vs_info_fops = {
2121 .owner = THIS_MODULE,
2122 .open = ip_vs_info_open,
2124 .llseek = seq_lseek,
2125 .release = seq_release_net,
2128 static int ip_vs_stats_show(struct seq_file *seq, void *v)
2130 struct net *net = seq_file_single_net(seq);
2131 struct ip_vs_kstats show;
2133 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2135 " Total Incoming Outgoing Incoming Outgoing\n");
2137 " Conns Packets Packets Bytes Bytes\n");
2139 ip_vs_copy_stats(&show, &net_ipvs(net)->tot_stats);
2140 seq_printf(seq, "%8LX %8LX %8LX %16LX %16LX\n\n",
2141 (unsigned long long)show.conns,
2142 (unsigned long long)show.inpkts,
2143 (unsigned long long)show.outpkts,
2144 (unsigned long long)show.inbytes,
2145 (unsigned long long)show.outbytes);
2147 /* 01234567 01234567 01234567 0123456701234567 0123456701234567*/
2149 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
2150 seq_printf(seq, "%8LX %8LX %8LX %16LX %16LX\n",
2151 (unsigned long long)show.cps,
2152 (unsigned long long)show.inpps,
2153 (unsigned long long)show.outpps,
2154 (unsigned long long)show.inbps,
2155 (unsigned long long)show.outbps);
2160 static int ip_vs_stats_seq_open(struct inode *inode, struct file *file)
2162 return single_open_net(inode, file, ip_vs_stats_show);
2165 static const struct file_operations ip_vs_stats_fops = {
2166 .owner = THIS_MODULE,
2167 .open = ip_vs_stats_seq_open,
2169 .llseek = seq_lseek,
2170 .release = single_release_net,
2173 static int ip_vs_stats_percpu_show(struct seq_file *seq, void *v)
2175 struct net *net = seq_file_single_net(seq);
2176 struct ip_vs_stats *tot_stats = &net_ipvs(net)->tot_stats;
2177 struct ip_vs_cpu_stats __percpu *cpustats = tot_stats->cpustats;
2178 struct ip_vs_kstats kstats;
2181 /* 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2183 " Total Incoming Outgoing Incoming Outgoing\n");
2185 "CPU Conns Packets Packets Bytes Bytes\n");
2187 for_each_possible_cpu(i) {
2188 struct ip_vs_cpu_stats *u = per_cpu_ptr(cpustats, i);
2190 u64 conns, inpkts, outpkts, inbytes, outbytes;
2193 start = u64_stats_fetch_begin_irq(&u->syncp);
2194 conns = u->cnt.conns;
2195 inpkts = u->cnt.inpkts;
2196 outpkts = u->cnt.outpkts;
2197 inbytes = u->cnt.inbytes;
2198 outbytes = u->cnt.outbytes;
2199 } while (u64_stats_fetch_retry_irq(&u->syncp, start));
2201 seq_printf(seq, "%3X %8LX %8LX %8LX %16LX %16LX\n",
2202 i, (u64)conns, (u64)inpkts,
2203 (u64)outpkts, (u64)inbytes,
2207 ip_vs_copy_stats(&kstats, tot_stats);
2209 seq_printf(seq, " ~ %8LX %8LX %8LX %16LX %16LX\n\n",
2210 (unsigned long long)kstats.conns,
2211 (unsigned long long)kstats.inpkts,
2212 (unsigned long long)kstats.outpkts,
2213 (unsigned long long)kstats.inbytes,
2214 (unsigned long long)kstats.outbytes);
2216 /* ... 01234567 01234567 01234567 0123456701234567 0123456701234567 */
2218 " Conns/s Pkts/s Pkts/s Bytes/s Bytes/s\n");
2219 seq_printf(seq, " %8LX %8LX %8LX %16LX %16LX\n",
2229 static int ip_vs_stats_percpu_seq_open(struct inode *inode, struct file *file)
2231 return single_open_net(inode, file, ip_vs_stats_percpu_show);
2234 static const struct file_operations ip_vs_stats_percpu_fops = {
2235 .owner = THIS_MODULE,
2236 .open = ip_vs_stats_percpu_seq_open,
2238 .llseek = seq_lseek,
2239 .release = single_release_net,
2244 * Set timeout values for tcp tcpfin udp in the timeout_table.
2246 static int ip_vs_set_timeout(struct netns_ipvs *ipvs, struct ip_vs_timeout_user *u)
2248 #if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
2249 struct ip_vs_proto_data *pd;
2252 IP_VS_DBG(2, "Setting timeout tcp:%d tcpfin:%d udp:%d\n",
2257 #ifdef CONFIG_IP_VS_PROTO_TCP
2258 if (u->tcp_timeout) {
2259 pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP);
2260 pd->timeout_table[IP_VS_TCP_S_ESTABLISHED]
2261 = u->tcp_timeout * HZ;
2264 if (u->tcp_fin_timeout) {
2265 pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP);
2266 pd->timeout_table[IP_VS_TCP_S_FIN_WAIT]
2267 = u->tcp_fin_timeout * HZ;
2271 #ifdef CONFIG_IP_VS_PROTO_UDP
2272 if (u->udp_timeout) {
2273 pd = ip_vs_proto_data_get(ipvs, IPPROTO_UDP);
2274 pd->timeout_table[IP_VS_UDP_S_NORMAL]
2275 = u->udp_timeout * HZ;
2281 #define CMDID(cmd) (cmd - IP_VS_BASE_CTL)
2283 struct ip_vs_svcdest_user {
2284 struct ip_vs_service_user s;
2285 struct ip_vs_dest_user d;
2288 static const unsigned char set_arglen[CMDID(IP_VS_SO_SET_MAX) + 1] = {
2289 [CMDID(IP_VS_SO_SET_ADD)] = sizeof(struct ip_vs_service_user),
2290 [CMDID(IP_VS_SO_SET_EDIT)] = sizeof(struct ip_vs_service_user),
2291 [CMDID(IP_VS_SO_SET_DEL)] = sizeof(struct ip_vs_service_user),
2292 [CMDID(IP_VS_SO_SET_ADDDEST)] = sizeof(struct ip_vs_svcdest_user),
2293 [CMDID(IP_VS_SO_SET_DELDEST)] = sizeof(struct ip_vs_svcdest_user),
2294 [CMDID(IP_VS_SO_SET_EDITDEST)] = sizeof(struct ip_vs_svcdest_user),
2295 [CMDID(IP_VS_SO_SET_TIMEOUT)] = sizeof(struct ip_vs_timeout_user),
2296 [CMDID(IP_VS_SO_SET_STARTDAEMON)] = sizeof(struct ip_vs_daemon_user),
2297 [CMDID(IP_VS_SO_SET_STOPDAEMON)] = sizeof(struct ip_vs_daemon_user),
2298 [CMDID(IP_VS_SO_SET_ZERO)] = sizeof(struct ip_vs_service_user),
2301 union ip_vs_set_arglen {
2302 struct ip_vs_service_user field_IP_VS_SO_SET_ADD;
2303 struct ip_vs_service_user field_IP_VS_SO_SET_EDIT;
2304 struct ip_vs_service_user field_IP_VS_SO_SET_DEL;
2305 struct ip_vs_svcdest_user field_IP_VS_SO_SET_ADDDEST;
2306 struct ip_vs_svcdest_user field_IP_VS_SO_SET_DELDEST;
2307 struct ip_vs_svcdest_user field_IP_VS_SO_SET_EDITDEST;
2308 struct ip_vs_timeout_user field_IP_VS_SO_SET_TIMEOUT;
2309 struct ip_vs_daemon_user field_IP_VS_SO_SET_STARTDAEMON;
2310 struct ip_vs_daemon_user field_IP_VS_SO_SET_STOPDAEMON;
2311 struct ip_vs_service_user field_IP_VS_SO_SET_ZERO;
2314 #define MAX_SET_ARGLEN sizeof(union ip_vs_set_arglen)
2316 static void ip_vs_copy_usvc_compat(struct ip_vs_service_user_kern *usvc,
2317 struct ip_vs_service_user *usvc_compat)
2319 memset(usvc, 0, sizeof(*usvc));
2322 usvc->protocol = usvc_compat->protocol;
2323 usvc->addr.ip = usvc_compat->addr;
2324 usvc->port = usvc_compat->port;
2325 usvc->fwmark = usvc_compat->fwmark;
2327 /* Deep copy of sched_name is not needed here */
2328 usvc->sched_name = usvc_compat->sched_name;
2330 usvc->flags = usvc_compat->flags;
2331 usvc->timeout = usvc_compat->timeout;
2332 usvc->netmask = usvc_compat->netmask;
2335 static void ip_vs_copy_udest_compat(struct ip_vs_dest_user_kern *udest,
2336 struct ip_vs_dest_user *udest_compat)
2338 memset(udest, 0, sizeof(*udest));
2340 udest->addr.ip = udest_compat->addr;
2341 udest->port = udest_compat->port;
2342 udest->conn_flags = udest_compat->conn_flags;
2343 udest->weight = udest_compat->weight;
2344 udest->u_threshold = udest_compat->u_threshold;
2345 udest->l_threshold = udest_compat->l_threshold;
2346 udest->af = AF_INET;
2350 do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2352 struct net *net = sock_net(sk);
2354 unsigned char arg[MAX_SET_ARGLEN];
2355 struct ip_vs_service_user *usvc_compat;
2356 struct ip_vs_service_user_kern usvc;
2357 struct ip_vs_service *svc;
2358 struct ip_vs_dest_user *udest_compat;
2359 struct ip_vs_dest_user_kern udest;
2360 struct netns_ipvs *ipvs = net_ipvs(net);
2362 BUILD_BUG_ON(sizeof(arg) > 255);
2363 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2366 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
2368 if (len != set_arglen[CMDID(cmd)]) {
2369 IP_VS_DBG(1, "set_ctl: len %u != %u\n",
2370 len, set_arglen[CMDID(cmd)]);
2374 if (copy_from_user(arg, user, len) != 0)
2377 /* increase the module use count */
2378 ip_vs_use_count_inc();
2380 /* Handle daemons since they have another lock */
2381 if (cmd == IP_VS_SO_SET_STARTDAEMON ||
2382 cmd == IP_VS_SO_SET_STOPDAEMON) {
2383 struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
2385 if (cmd == IP_VS_SO_SET_STARTDAEMON) {
2386 struct ipvs_sync_daemon_cfg cfg;
2388 memset(&cfg, 0, sizeof(cfg));
2389 strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
2390 sizeof(cfg.mcast_ifn));
2391 cfg.syncid = dm->syncid;
2393 mutex_lock(&ipvs->sync_mutex);
2394 ret = start_sync_thread(ipvs, &cfg, dm->state);
2395 mutex_unlock(&ipvs->sync_mutex);
2398 mutex_lock(&ipvs->sync_mutex);
2399 ret = stop_sync_thread(ipvs, dm->state);
2400 mutex_unlock(&ipvs->sync_mutex);
2405 mutex_lock(&__ip_vs_mutex);
2406 if (cmd == IP_VS_SO_SET_FLUSH) {
2407 /* Flush the virtual service */
2408 ret = ip_vs_flush(ipvs, false);
2410 } else if (cmd == IP_VS_SO_SET_TIMEOUT) {
2411 /* Set timeout values for (tcp tcpfin udp) */
2412 ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg);
2416 usvc_compat = (struct ip_vs_service_user *)arg;
2417 udest_compat = (struct ip_vs_dest_user *)(usvc_compat + 1);
2419 /* We only use the new structs internally, so copy userspace compat
2420 * structs to extended internal versions */
2421 ip_vs_copy_usvc_compat(&usvc, usvc_compat);
2422 ip_vs_copy_udest_compat(&udest, udest_compat);
2424 if (cmd == IP_VS_SO_SET_ZERO) {
2425 /* if no service address is set, zero counters in all */
2426 if (!usvc.fwmark && !usvc.addr.ip && !usvc.port) {
2427 ret = ip_vs_zero_all(ipvs);
2432 /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
2433 if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
2434 usvc.protocol != IPPROTO_SCTP) {
2435 pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
2436 usvc.protocol, &usvc.addr.ip,
2437 ntohs(usvc.port), usvc.sched_name);
2442 /* Lookup the exact service by <protocol, addr, port> or fwmark */
2444 if (usvc.fwmark == 0)
2445 svc = __ip_vs_service_find(ipvs, usvc.af, usvc.protocol,
2446 &usvc.addr, usvc.port);
2448 svc = __ip_vs_svc_fwm_find(ipvs, usvc.af, usvc.fwmark);
2451 if (cmd != IP_VS_SO_SET_ADD
2452 && (svc == NULL || svc->protocol != usvc.protocol)) {
2458 case IP_VS_SO_SET_ADD:
2462 ret = ip_vs_add_service(ipvs, &usvc, &svc);
2464 case IP_VS_SO_SET_EDIT:
2465 ret = ip_vs_edit_service(svc, &usvc);
2467 case IP_VS_SO_SET_DEL:
2468 ret = ip_vs_del_service(svc);
2472 case IP_VS_SO_SET_ZERO:
2473 ret = ip_vs_zero_service(svc);
2475 case IP_VS_SO_SET_ADDDEST:
2476 ret = ip_vs_add_dest(svc, &udest);
2478 case IP_VS_SO_SET_EDITDEST:
2479 ret = ip_vs_edit_dest(svc, &udest);
2481 case IP_VS_SO_SET_DELDEST:
2482 ret = ip_vs_del_dest(svc, &udest);
2489 mutex_unlock(&__ip_vs_mutex);
2491 /* decrease the module use count */
2492 ip_vs_use_count_dec();
2499 ip_vs_copy_service(struct ip_vs_service_entry *dst, struct ip_vs_service *src)
2501 struct ip_vs_scheduler *sched;
2502 struct ip_vs_kstats kstats;
2505 sched = rcu_dereference_protected(src->scheduler, 1);
2506 sched_name = sched ? sched->name : "none";
2507 dst->protocol = src->protocol;
2508 dst->addr = src->addr.ip;
2509 dst->port = src->port;
2510 dst->fwmark = src->fwmark;
2511 strlcpy(dst->sched_name, sched_name, sizeof(dst->sched_name));
2512 dst->flags = src->flags;
2513 dst->timeout = src->timeout / HZ;
2514 dst->netmask = src->netmask;
2515 dst->num_dests = src->num_dests;
2516 ip_vs_copy_stats(&kstats, &src->stats);
2517 ip_vs_export_stats_user(&dst->stats, &kstats);
2521 __ip_vs_get_service_entries(struct netns_ipvs *ipvs,
2522 const struct ip_vs_get_services *get,
2523 struct ip_vs_get_services __user *uptr)
2526 struct ip_vs_service *svc;
2527 struct ip_vs_service_entry entry;
2530 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2531 hlist_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
2532 /* Only expose IPv4 entries to old interface */
2533 if (svc->af != AF_INET || (svc->ipvs != ipvs))
2536 if (count >= get->num_services)
2538 memset(&entry, 0, sizeof(entry));
2539 ip_vs_copy_service(&entry, svc);
2540 if (copy_to_user(&uptr->entrytable[count],
2541 &entry, sizeof(entry))) {
2549 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
2550 hlist_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
2551 /* Only expose IPv4 entries to old interface */
2552 if (svc->af != AF_INET || (svc->ipvs != ipvs))
2555 if (count >= get->num_services)
2557 memset(&entry, 0, sizeof(entry));
2558 ip_vs_copy_service(&entry, svc);
2559 if (copy_to_user(&uptr->entrytable[count],
2560 &entry, sizeof(entry))) {
2572 __ip_vs_get_dest_entries(struct netns_ipvs *ipvs, const struct ip_vs_get_dests *get,
2573 struct ip_vs_get_dests __user *uptr)
2575 struct ip_vs_service *svc;
2576 union nf_inet_addr addr = { .ip = get->addr };
2581 svc = __ip_vs_svc_fwm_find(ipvs, AF_INET, get->fwmark);
2583 svc = __ip_vs_service_find(ipvs, AF_INET, get->protocol, &addr,
2589 struct ip_vs_dest *dest;
2590 struct ip_vs_dest_entry entry;
2591 struct ip_vs_kstats kstats;
2593 memset(&entry, 0, sizeof(entry));
2594 list_for_each_entry(dest, &svc->destinations, n_list) {
2595 if (count >= get->num_dests)
2598 /* Cannot expose heterogeneous members via sockopt
2601 if (dest->af != svc->af)
2604 entry.addr = dest->addr.ip;
2605 entry.port = dest->port;
2606 entry.conn_flags = atomic_read(&dest->conn_flags);
2607 entry.weight = atomic_read(&dest->weight);
2608 entry.u_threshold = dest->u_threshold;
2609 entry.l_threshold = dest->l_threshold;
2610 entry.activeconns = atomic_read(&dest->activeconns);
2611 entry.inactconns = atomic_read(&dest->inactconns);
2612 entry.persistconns = atomic_read(&dest->persistconns);
2613 ip_vs_copy_stats(&kstats, &dest->stats);
2614 ip_vs_export_stats_user(&entry.stats, &kstats);
2615 if (copy_to_user(&uptr->entrytable[count],
2616 &entry, sizeof(entry))) {
2628 __ip_vs_get_timeouts(struct netns_ipvs *ipvs, struct ip_vs_timeout_user *u)
2630 #if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
2631 struct ip_vs_proto_data *pd;
2634 memset(u, 0, sizeof (*u));
2636 #ifdef CONFIG_IP_VS_PROTO_TCP
2637 pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP);
2638 u->tcp_timeout = pd->timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;
2639 u->tcp_fin_timeout = pd->timeout_table[IP_VS_TCP_S_FIN_WAIT] / HZ;
2641 #ifdef CONFIG_IP_VS_PROTO_UDP
2642 pd = ip_vs_proto_data_get(ipvs, IPPROTO_UDP);
2644 pd->timeout_table[IP_VS_UDP_S_NORMAL] / HZ;
2648 static const unsigned char get_arglen[CMDID(IP_VS_SO_GET_MAX) + 1] = {
2649 [CMDID(IP_VS_SO_GET_VERSION)] = 64,
2650 [CMDID(IP_VS_SO_GET_INFO)] = sizeof(struct ip_vs_getinfo),
2651 [CMDID(IP_VS_SO_GET_SERVICES)] = sizeof(struct ip_vs_get_services),
2652 [CMDID(IP_VS_SO_GET_SERVICE)] = sizeof(struct ip_vs_service_entry),
2653 [CMDID(IP_VS_SO_GET_DESTS)] = sizeof(struct ip_vs_get_dests),
2654 [CMDID(IP_VS_SO_GET_TIMEOUT)] = sizeof(struct ip_vs_timeout_user),
2655 [CMDID(IP_VS_SO_GET_DAEMON)] = 2 * sizeof(struct ip_vs_daemon_user),
2658 union ip_vs_get_arglen {
2659 char field_IP_VS_SO_GET_VERSION[64];
2660 struct ip_vs_getinfo field_IP_VS_SO_GET_INFO;
2661 struct ip_vs_get_services field_IP_VS_SO_GET_SERVICES;
2662 struct ip_vs_service_entry field_IP_VS_SO_GET_SERVICE;
2663 struct ip_vs_get_dests field_IP_VS_SO_GET_DESTS;
2664 struct ip_vs_timeout_user field_IP_VS_SO_GET_TIMEOUT;
2665 struct ip_vs_daemon_user field_IP_VS_SO_GET_DAEMON[2];
2668 #define MAX_GET_ARGLEN sizeof(union ip_vs_get_arglen)
2671 do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2673 unsigned char arg[MAX_GET_ARGLEN];
2675 unsigned int copylen;
2676 struct net *net = sock_net(sk);
2677 struct netns_ipvs *ipvs = net_ipvs(net);
2680 BUILD_BUG_ON(sizeof(arg) > 255);
2681 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2684 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)
2687 copylen = get_arglen[CMDID(cmd)];
2688 if (*len < (int) copylen) {
2689 IP_VS_DBG(1, "get_ctl: len %d < %u\n", *len, copylen);
2693 if (copy_from_user(arg, user, copylen) != 0)
2696 * Handle daemons first since it has its own locking
2698 if (cmd == IP_VS_SO_GET_DAEMON) {
2699 struct ip_vs_daemon_user d[2];
2701 memset(&d, 0, sizeof(d));
2702 mutex_lock(&ipvs->sync_mutex);
2703 if (ipvs->sync_state & IP_VS_STATE_MASTER) {
2704 d[0].state = IP_VS_STATE_MASTER;
2705 strlcpy(d[0].mcast_ifn, ipvs->mcfg.mcast_ifn,
2706 sizeof(d[0].mcast_ifn));
2707 d[0].syncid = ipvs->mcfg.syncid;
2709 if (ipvs->sync_state & IP_VS_STATE_BACKUP) {
2710 d[1].state = IP_VS_STATE_BACKUP;
2711 strlcpy(d[1].mcast_ifn, ipvs->bcfg.mcast_ifn,
2712 sizeof(d[1].mcast_ifn));
2713 d[1].syncid = ipvs->bcfg.syncid;
2715 if (copy_to_user(user, &d, sizeof(d)) != 0)
2717 mutex_unlock(&ipvs->sync_mutex);
2721 mutex_lock(&__ip_vs_mutex);
2723 case IP_VS_SO_GET_VERSION:
2727 sprintf(buf, "IP Virtual Server version %d.%d.%d (size=%d)",
2728 NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size);
2729 if (copy_to_user(user, buf, strlen(buf)+1) != 0) {
2733 *len = strlen(buf)+1;
2737 case IP_VS_SO_GET_INFO:
2739 struct ip_vs_getinfo info;
2740 info.version = IP_VS_VERSION_CODE;
2741 info.size = ip_vs_conn_tab_size;
2742 info.num_services = ipvs->num_services;
2743 if (copy_to_user(user, &info, sizeof(info)) != 0)
2748 case IP_VS_SO_GET_SERVICES:
2750 struct ip_vs_get_services *get;
2753 get = (struct ip_vs_get_services *)arg;
2754 size = sizeof(*get) +
2755 sizeof(struct ip_vs_service_entry) * get->num_services;
2757 pr_err("length: %u != %u\n", *len, size);
2761 ret = __ip_vs_get_service_entries(ipvs, get, user);
2765 case IP_VS_SO_GET_SERVICE:
2767 struct ip_vs_service_entry *entry;
2768 struct ip_vs_service *svc;
2769 union nf_inet_addr addr;
2771 entry = (struct ip_vs_service_entry *)arg;
2772 addr.ip = entry->addr;
2775 svc = __ip_vs_svc_fwm_find(ipvs, AF_INET, entry->fwmark);
2777 svc = __ip_vs_service_find(ipvs, AF_INET,
2778 entry->protocol, &addr,
2782 ip_vs_copy_service(entry, svc);
2783 if (copy_to_user(user, entry, sizeof(*entry)) != 0)
2790 case IP_VS_SO_GET_DESTS:
2792 struct ip_vs_get_dests *get;
2795 get = (struct ip_vs_get_dests *)arg;
2796 size = sizeof(*get) +
2797 sizeof(struct ip_vs_dest_entry) * get->num_dests;
2799 pr_err("length: %u != %u\n", *len, size);
2803 ret = __ip_vs_get_dest_entries(ipvs, get, user);
2807 case IP_VS_SO_GET_TIMEOUT:
2809 struct ip_vs_timeout_user t;
2811 __ip_vs_get_timeouts(ipvs, &t);
2812 if (copy_to_user(user, &t, sizeof(t)) != 0)
2822 mutex_unlock(&__ip_vs_mutex);
2827 static struct nf_sockopt_ops ip_vs_sockopts = {
2829 .set_optmin = IP_VS_BASE_CTL,
2830 .set_optmax = IP_VS_SO_SET_MAX+1,
2831 .set = do_ip_vs_set_ctl,
2832 .get_optmin = IP_VS_BASE_CTL,
2833 .get_optmax = IP_VS_SO_GET_MAX+1,
2834 .get = do_ip_vs_get_ctl,
2835 .owner = THIS_MODULE,
2839 * Generic Netlink interface
2842 /* IPVS genetlink family */
2843 static struct genl_family ip_vs_genl_family = {
2844 .id = GENL_ID_GENERATE,
2846 .name = IPVS_GENL_NAME,
2847 .version = IPVS_GENL_VERSION,
2848 .maxattr = IPVS_CMD_MAX,
2849 .netnsok = true, /* Make ipvsadm to work on netns */
2852 /* Policy used for first-level command attributes */
2853 static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
2854 [IPVS_CMD_ATTR_SERVICE] = { .type = NLA_NESTED },
2855 [IPVS_CMD_ATTR_DEST] = { .type = NLA_NESTED },
2856 [IPVS_CMD_ATTR_DAEMON] = { .type = NLA_NESTED },
2857 [IPVS_CMD_ATTR_TIMEOUT_TCP] = { .type = NLA_U32 },
2858 [IPVS_CMD_ATTR_TIMEOUT_TCP_FIN] = { .type = NLA_U32 },
2859 [IPVS_CMD_ATTR_TIMEOUT_UDP] = { .type = NLA_U32 },
2862 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DAEMON */
2863 static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
2864 [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 },
2865 [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING,
2866 .len = IP_VS_IFNAME_MAXLEN },
2867 [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 },
2868 [IPVS_DAEMON_ATTR_SYNC_MAXLEN] = { .type = NLA_U16 },
2869 [IPVS_DAEMON_ATTR_MCAST_GROUP] = { .type = NLA_U32 },
2870 [IPVS_DAEMON_ATTR_MCAST_GROUP6] = { .len = sizeof(struct in6_addr) },
2871 [IPVS_DAEMON_ATTR_MCAST_PORT] = { .type = NLA_U16 },
2872 [IPVS_DAEMON_ATTR_MCAST_TTL] = { .type = NLA_U8 },
2875 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_SERVICE */
2876 static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
2877 [IPVS_SVC_ATTR_AF] = { .type = NLA_U16 },
2878 [IPVS_SVC_ATTR_PROTOCOL] = { .type = NLA_U16 },
2879 [IPVS_SVC_ATTR_ADDR] = { .type = NLA_BINARY,
2880 .len = sizeof(union nf_inet_addr) },
2881 [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 },
2882 [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 },
2883 [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING,
2884 .len = IP_VS_SCHEDNAME_MAXLEN },
2885 [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING,
2886 .len = IP_VS_PENAME_MAXLEN },
2887 [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY,
2888 .len = sizeof(struct ip_vs_flags) },
2889 [IPVS_SVC_ATTR_TIMEOUT] = { .type = NLA_U32 },
2890 [IPVS_SVC_ATTR_NETMASK] = { .type = NLA_U32 },
2891 [IPVS_SVC_ATTR_STATS] = { .type = NLA_NESTED },
2894 /* Policy used for attributes in nested attribute IPVS_CMD_ATTR_DEST */
2895 static const struct nla_policy ip_vs_dest_policy[IPVS_DEST_ATTR_MAX + 1] = {
2896 [IPVS_DEST_ATTR_ADDR] = { .type = NLA_BINARY,
2897 .len = sizeof(union nf_inet_addr) },
2898 [IPVS_DEST_ATTR_PORT] = { .type = NLA_U16 },
2899 [IPVS_DEST_ATTR_FWD_METHOD] = { .type = NLA_U32 },
2900 [IPVS_DEST_ATTR_WEIGHT] = { .type = NLA_U32 },
2901 [IPVS_DEST_ATTR_U_THRESH] = { .type = NLA_U32 },
2902 [IPVS_DEST_ATTR_L_THRESH] = { .type = NLA_U32 },
2903 [IPVS_DEST_ATTR_ACTIVE_CONNS] = { .type = NLA_U32 },
2904 [IPVS_DEST_ATTR_INACT_CONNS] = { .type = NLA_U32 },
2905 [IPVS_DEST_ATTR_PERSIST_CONNS] = { .type = NLA_U32 },
2906 [IPVS_DEST_ATTR_STATS] = { .type = NLA_NESTED },
2907 [IPVS_DEST_ATTR_ADDR_FAMILY] = { .type = NLA_U16 },
2910 static int ip_vs_genl_fill_stats(struct sk_buff *skb, int container_type,
2911 struct ip_vs_kstats *kstats)
2913 struct nlattr *nl_stats = nla_nest_start(skb, container_type);
2918 if (nla_put_u32(skb, IPVS_STATS_ATTR_CONNS, (u32)kstats->conns) ||
2919 nla_put_u32(skb, IPVS_STATS_ATTR_INPKTS, (u32)kstats->inpkts) ||
2920 nla_put_u32(skb, IPVS_STATS_ATTR_OUTPKTS, (u32)kstats->outpkts) ||
2921 nla_put_u64_64bit(skb, IPVS_STATS_ATTR_INBYTES, kstats->inbytes,
2922 IPVS_STATS_ATTR_PAD) ||
2923 nla_put_u64_64bit(skb, IPVS_STATS_ATTR_OUTBYTES, kstats->outbytes,
2924 IPVS_STATS_ATTR_PAD) ||
2925 nla_put_u32(skb, IPVS_STATS_ATTR_CPS, (u32)kstats->cps) ||
2926 nla_put_u32(skb, IPVS_STATS_ATTR_INPPS, (u32)kstats->inpps) ||
2927 nla_put_u32(skb, IPVS_STATS_ATTR_OUTPPS, (u32)kstats->outpps) ||
2928 nla_put_u32(skb, IPVS_STATS_ATTR_INBPS, (u32)kstats->inbps) ||
2929 nla_put_u32(skb, IPVS_STATS_ATTR_OUTBPS, (u32)kstats->outbps))
2930 goto nla_put_failure;
2931 nla_nest_end(skb, nl_stats);
2936 nla_nest_cancel(skb, nl_stats);
2940 static int ip_vs_genl_fill_stats64(struct sk_buff *skb, int container_type,
2941 struct ip_vs_kstats *kstats)
2943 struct nlattr *nl_stats = nla_nest_start(skb, container_type);
2948 if (nla_put_u64_64bit(skb, IPVS_STATS_ATTR_CONNS, kstats->conns,
2949 IPVS_STATS_ATTR_PAD) ||
2950 nla_put_u64_64bit(skb, IPVS_STATS_ATTR_INPKTS, kstats->inpkts,
2951 IPVS_STATS_ATTR_PAD) ||
2952 nla_put_u64_64bit(skb, IPVS_STATS_ATTR_OUTPKTS, kstats->outpkts,
2953 IPVS_STATS_ATTR_PAD) ||
2954 nla_put_u64_64bit(skb, IPVS_STATS_ATTR_INBYTES, kstats->inbytes,
2955 IPVS_STATS_ATTR_PAD) ||
2956 nla_put_u64_64bit(skb, IPVS_STATS_ATTR_OUTBYTES, kstats->outbytes,
2957 IPVS_STATS_ATTR_PAD) ||
2958 nla_put_u64_64bit(skb, IPVS_STATS_ATTR_CPS, kstats->cps,
2959 IPVS_STATS_ATTR_PAD) ||
2960 nla_put_u64_64bit(skb, IPVS_STATS_ATTR_INPPS, kstats->inpps,
2961 IPVS_STATS_ATTR_PAD) ||
2962 nla_put_u64_64bit(skb, IPVS_STATS_ATTR_OUTPPS, kstats->outpps,
2963 IPVS_STATS_ATTR_PAD) ||
2964 nla_put_u64_64bit(skb, IPVS_STATS_ATTR_INBPS, kstats->inbps,
2965 IPVS_STATS_ATTR_PAD) ||
2966 nla_put_u64_64bit(skb, IPVS_STATS_ATTR_OUTBPS, kstats->outbps,
2967 IPVS_STATS_ATTR_PAD))
2968 goto nla_put_failure;
2969 nla_nest_end(skb, nl_stats);
2974 nla_nest_cancel(skb, nl_stats);
2978 static int ip_vs_genl_fill_service(struct sk_buff *skb,
2979 struct ip_vs_service *svc)
2981 struct ip_vs_scheduler *sched;
2982 struct ip_vs_pe *pe;
2983 struct nlattr *nl_service;
2984 struct ip_vs_flags flags = { .flags = svc->flags,
2986 struct ip_vs_kstats kstats;
2989 nl_service = nla_nest_start(skb, IPVS_CMD_ATTR_SERVICE);
2993 if (nla_put_u16(skb, IPVS_SVC_ATTR_AF, svc->af))
2994 goto nla_put_failure;
2996 if (nla_put_u32(skb, IPVS_SVC_ATTR_FWMARK, svc->fwmark))
2997 goto nla_put_failure;
2999 if (nla_put_u16(skb, IPVS_SVC_ATTR_PROTOCOL, svc->protocol) ||
3000 nla_put(skb, IPVS_SVC_ATTR_ADDR, sizeof(svc->addr), &svc->addr) ||
3001 nla_put_be16(skb, IPVS_SVC_ATTR_PORT, svc->port))
3002 goto nla_put_failure;
3005 sched = rcu_dereference_protected(svc->scheduler, 1);
3006 sched_name = sched ? sched->name : "none";
3007 pe = rcu_dereference_protected(svc->pe, 1);
3008 if (nla_put_string(skb, IPVS_SVC_ATTR_SCHED_NAME, sched_name) ||
3009 (pe && nla_put_string(skb, IPVS_SVC_ATTR_PE_NAME, pe->name)) ||
3010 nla_put(skb, IPVS_SVC_ATTR_FLAGS, sizeof(flags), &flags) ||
3011 nla_put_u32(skb, IPVS_SVC_ATTR_TIMEOUT, svc->timeout / HZ) ||
3012 nla_put_be32(skb, IPVS_SVC_ATTR_NETMASK, svc->netmask))
3013 goto nla_put_failure;
3014 ip_vs_copy_stats(&kstats, &svc->stats);
3015 if (ip_vs_genl_fill_stats(skb, IPVS_SVC_ATTR_STATS, &kstats))
3016 goto nla_put_failure;
3017 if (ip_vs_genl_fill_stats64(skb, IPVS_SVC_ATTR_STATS64, &kstats))
3018 goto nla_put_failure;
3020 nla_nest_end(skb, nl_service);
3025 nla_nest_cancel(skb, nl_service);
3029 static int ip_vs_genl_dump_service(struct sk_buff *skb,
3030 struct ip_vs_service *svc,
3031 struct netlink_callback *cb)
3035 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
3036 &ip_vs_genl_family, NLM_F_MULTI,
3037 IPVS_CMD_NEW_SERVICE);
3041 if (ip_vs_genl_fill_service(skb, svc) < 0)
3042 goto nla_put_failure;
3044 genlmsg_end(skb, hdr);
3048 genlmsg_cancel(skb, hdr);
3052 static int ip_vs_genl_dump_services(struct sk_buff *skb,
3053 struct netlink_callback *cb)
3056 int start = cb->args[0];
3057 struct ip_vs_service *svc;
3058 struct net *net = sock_net(skb->sk);
3059 struct netns_ipvs *ipvs = net_ipvs(net);
3061 mutex_lock(&__ip_vs_mutex);
3062 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
3063 hlist_for_each_entry(svc, &ip_vs_svc_table[i], s_list) {
3064 if (++idx <= start || (svc->ipvs != ipvs))
3066 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
3068 goto nla_put_failure;
3073 for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
3074 hlist_for_each_entry(svc, &ip_vs_svc_fwm_table[i], f_list) {
3075 if (++idx <= start || (svc->ipvs != ipvs))
3077 if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
3079 goto nla_put_failure;
3085 mutex_unlock(&__ip_vs_mutex);
3091 static int ip_vs_genl_parse_service(struct netns_ipvs *ipvs,
3092 struct ip_vs_service_user_kern *usvc,
3093 struct nlattr *nla, int full_entry,
3094 struct ip_vs_service **ret_svc)
3096 struct nlattr *attrs[IPVS_SVC_ATTR_MAX + 1];
3097 struct nlattr *nla_af, *nla_port, *nla_fwmark, *nla_protocol, *nla_addr;
3098 struct ip_vs_service *svc;
3100 /* Parse mandatory identifying service fields first */
3102 nla_parse_nested(attrs, IPVS_SVC_ATTR_MAX, nla, ip_vs_svc_policy))
3105 nla_af = attrs[IPVS_SVC_ATTR_AF];
3106 nla_protocol = attrs[IPVS_SVC_ATTR_PROTOCOL];
3107 nla_addr = attrs[IPVS_SVC_ATTR_ADDR];
3108 nla_port = attrs[IPVS_SVC_ATTR_PORT];
3109 nla_fwmark = attrs[IPVS_SVC_ATTR_FWMARK];
3111 if (!(nla_af && (nla_fwmark || (nla_port && nla_protocol && nla_addr))))
3114 memset(usvc, 0, sizeof(*usvc));
3116 usvc->af = nla_get_u16(nla_af);
3117 #ifdef CONFIG_IP_VS_IPV6
3118 if (usvc->af != AF_INET && usvc->af != AF_INET6)
3120 if (usvc->af != AF_INET)
3122 return -EAFNOSUPPORT;
3125 usvc->protocol = IPPROTO_TCP;
3126 usvc->fwmark = nla_get_u32(nla_fwmark);
3128 usvc->protocol = nla_get_u16(nla_protocol);
3129 nla_memcpy(&usvc->addr, nla_addr, sizeof(usvc->addr));
3130 usvc->port = nla_get_be16(nla_port);
3136 svc = __ip_vs_svc_fwm_find(ipvs, usvc->af, usvc->fwmark);
3138 svc = __ip_vs_service_find(ipvs, usvc->af, usvc->protocol,
3139 &usvc->addr, usvc->port);
3143 /* If a full entry was requested, check for the additional fields */
3145 struct nlattr *nla_sched, *nla_flags, *nla_pe, *nla_timeout,
3147 struct ip_vs_flags flags;
3149 nla_sched = attrs[IPVS_SVC_ATTR_SCHED_NAME];
3150 nla_pe = attrs[IPVS_SVC_ATTR_PE_NAME];
3151 nla_flags = attrs[IPVS_SVC_ATTR_FLAGS];
3152 nla_timeout = attrs[IPVS_SVC_ATTR_TIMEOUT];
3153 nla_netmask = attrs[IPVS_SVC_ATTR_NETMASK];
3155 if (!(nla_sched && nla_flags && nla_timeout && nla_netmask))
3158 nla_memcpy(&flags, nla_flags, sizeof(flags));
3160 /* prefill flags from service if it already exists */
3162 usvc->flags = svc->flags;
3164 /* set new flags from userland */
3165 usvc->flags = (usvc->flags & ~flags.mask) |
3166 (flags.flags & flags.mask);
3167 usvc->sched_name = nla_data(nla_sched);
3168 usvc->pe_name = nla_pe ? nla_data(nla_pe) : NULL;
3169 usvc->timeout = nla_get_u32(nla_timeout);
3170 usvc->netmask = nla_get_be32(nla_netmask);
3176 static struct ip_vs_service *ip_vs_genl_find_service(struct netns_ipvs *ipvs,
3179 struct ip_vs_service_user_kern usvc;
3180 struct ip_vs_service *svc;
3183 ret = ip_vs_genl_parse_service(ipvs, &usvc, nla, 0, &svc);
3184 return ret ? ERR_PTR(ret) : svc;
3187 static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
3189 struct nlattr *nl_dest;
3190 struct ip_vs_kstats kstats;
3192 nl_dest = nla_nest_start(skb, IPVS_CMD_ATTR_DEST);
3196 if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
3197 nla_put_be16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
3198 nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
3199 (atomic_read(&dest->conn_flags) &
3200 IP_VS_CONN_F_FWD_MASK)) ||
3201 nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
3202 atomic_read(&dest->weight)) ||
3203 nla_put_u32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold) ||
3204 nla_put_u32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold) ||
3205 nla_put_u32(skb, IPVS_DEST_ATTR_ACTIVE_CONNS,
3206 atomic_read(&dest->activeconns)) ||
3207 nla_put_u32(skb, IPVS_DEST_ATTR_INACT_CONNS,
3208 atomic_read(&dest->inactconns)) ||
3209 nla_put_u32(skb, IPVS_DEST_ATTR_PERSIST_CONNS,
3210 atomic_read(&dest->persistconns)) ||
3211 nla_put_u16(skb, IPVS_DEST_ATTR_ADDR_FAMILY, dest->af))
3212 goto nla_put_failure;
3213 ip_vs_copy_stats(&kstats, &dest->stats);
3214 if (ip_vs_genl_fill_stats(skb, IPVS_DEST_ATTR_STATS, &kstats))
3215 goto nla_put_failure;
3216 if (ip_vs_genl_fill_stats64(skb, IPVS_DEST_ATTR_STATS64, &kstats))
3217 goto nla_put_failure;
3219 nla_nest_end(skb, nl_dest);
3224 nla_nest_cancel(skb, nl_dest);
3228 static int ip_vs_genl_dump_dest(struct sk_buff *skb, struct ip_vs_dest *dest,
3229 struct netlink_callback *cb)
3233 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
3234 &ip_vs_genl_family, NLM_F_MULTI,
3239 if (ip_vs_genl_fill_dest(skb, dest) < 0)
3240 goto nla_put_failure;
3242 genlmsg_end(skb, hdr);
3246 genlmsg_cancel(skb, hdr);
3250 static int ip_vs_genl_dump_dests(struct sk_buff *skb,
3251 struct netlink_callback *cb)
3254 int start = cb->args[0];
3255 struct ip_vs_service *svc;
3256 struct ip_vs_dest *dest;
3257 struct nlattr *attrs[IPVS_CMD_ATTR_MAX + 1];
3258 struct net *net = sock_net(skb->sk);
3259 struct netns_ipvs *ipvs = net_ipvs(net);
3261 mutex_lock(&__ip_vs_mutex);
3263 /* Try to find the service for which to dump destinations */
3264 if (nlmsg_parse(cb->nlh, GENL_HDRLEN, attrs,
3265 IPVS_CMD_ATTR_MAX, ip_vs_cmd_policy))
3269 svc = ip_vs_genl_find_service(ipvs, attrs[IPVS_CMD_ATTR_SERVICE]);
3270 if (IS_ERR(svc) || svc == NULL)
3273 /* Dump the destinations */
3274 list_for_each_entry(dest, &svc->destinations, n_list) {
3277 if (ip_vs_genl_dump_dest(skb, dest, cb) < 0) {
3279 goto nla_put_failure;
3287 mutex_unlock(&__ip_vs_mutex);
3292 static int ip_vs_genl_parse_dest(struct ip_vs_dest_user_kern *udest,
3293 struct nlattr *nla, int full_entry)
3295 struct nlattr *attrs[IPVS_DEST_ATTR_MAX + 1];
3296 struct nlattr *nla_addr, *nla_port;
3297 struct nlattr *nla_addr_family;
3299 /* Parse mandatory identifying destination fields first */
3301 nla_parse_nested(attrs, IPVS_DEST_ATTR_MAX, nla, ip_vs_dest_policy))
3304 nla_addr = attrs[IPVS_DEST_ATTR_ADDR];
3305 nla_port = attrs[IPVS_DEST_ATTR_PORT];
3306 nla_addr_family = attrs[IPVS_DEST_ATTR_ADDR_FAMILY];
3308 if (!(nla_addr && nla_port))
3311 memset(udest, 0, sizeof(*udest));
3313 nla_memcpy(&udest->addr, nla_addr, sizeof(udest->addr));
3314 udest->port = nla_get_be16(nla_port);
3316 if (nla_addr_family)
3317 udest->af = nla_get_u16(nla_addr_family);
3321 /* If a full entry was requested, check for the additional fields */
3323 struct nlattr *nla_fwd, *nla_weight, *nla_u_thresh,
3326 nla_fwd = attrs[IPVS_DEST_ATTR_FWD_METHOD];
3327 nla_weight = attrs[IPVS_DEST_ATTR_WEIGHT];
3328 nla_u_thresh = attrs[IPVS_DEST_ATTR_U_THRESH];
3329 nla_l_thresh = attrs[IPVS_DEST_ATTR_L_THRESH];
3331 if (!(nla_fwd && nla_weight && nla_u_thresh && nla_l_thresh))
3334 udest->conn_flags = nla_get_u32(nla_fwd)
3335 & IP_VS_CONN_F_FWD_MASK;
3336 udest->weight = nla_get_u32(nla_weight);
3337 udest->u_threshold = nla_get_u32(nla_u_thresh);
3338 udest->l_threshold = nla_get_u32(nla_l_thresh);
3344 static int ip_vs_genl_fill_daemon(struct sk_buff *skb, __u32 state,
3345 struct ipvs_sync_daemon_cfg *c)
3347 struct nlattr *nl_daemon;
3349 nl_daemon = nla_nest_start(skb, IPVS_CMD_ATTR_DAEMON);
3353 if (nla_put_u32(skb, IPVS_DAEMON_ATTR_STATE, state) ||
3354 nla_put_string(skb, IPVS_DAEMON_ATTR_MCAST_IFN, c->mcast_ifn) ||
3355 nla_put_u32(skb, IPVS_DAEMON_ATTR_SYNC_ID, c->syncid) ||
3356 nla_put_u16(skb, IPVS_DAEMON_ATTR_SYNC_MAXLEN, c->sync_maxlen) ||
3357 nla_put_u16(skb, IPVS_DAEMON_ATTR_MCAST_PORT, c->mcast_port) ||
3358 nla_put_u8(skb, IPVS_DAEMON_ATTR_MCAST_TTL, c->mcast_ttl))
3359 goto nla_put_failure;
3360 #ifdef CONFIG_IP_VS_IPV6
3361 if (c->mcast_af == AF_INET6) {
3362 if (nla_put_in6_addr(skb, IPVS_DAEMON_ATTR_MCAST_GROUP6,
3363 &c->mcast_group.in6))
3364 goto nla_put_failure;
3367 if (c->mcast_af == AF_INET &&
3368 nla_put_in_addr(skb, IPVS_DAEMON_ATTR_MCAST_GROUP,
3370 goto nla_put_failure;
3371 nla_nest_end(skb, nl_daemon);
3376 nla_nest_cancel(skb, nl_daemon);
3380 static int ip_vs_genl_dump_daemon(struct sk_buff *skb, __u32 state,
3381 struct ipvs_sync_daemon_cfg *c,
3382 struct netlink_callback *cb)
3385 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
3386 &ip_vs_genl_family, NLM_F_MULTI,
3387 IPVS_CMD_NEW_DAEMON);
3391 if (ip_vs_genl_fill_daemon(skb, state, c))
3392 goto nla_put_failure;
3394 genlmsg_end(skb, hdr);
3398 genlmsg_cancel(skb, hdr);
3402 static int ip_vs_genl_dump_daemons(struct sk_buff *skb,
3403 struct netlink_callback *cb)
3405 struct net *net = sock_net(skb->sk);
3406 struct netns_ipvs *ipvs = net_ipvs(net);
3408 mutex_lock(&ipvs->sync_mutex);
3409 if ((ipvs->sync_state & IP_VS_STATE_MASTER) && !cb->args[0]) {
3410 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_MASTER,
3411 &ipvs->mcfg, cb) < 0)
3412 goto nla_put_failure;
3417 if ((ipvs->sync_state & IP_VS_STATE_BACKUP) && !cb->args[1]) {
3418 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_BACKUP,
3419 &ipvs->bcfg, cb) < 0)
3420 goto nla_put_failure;
3426 mutex_unlock(&ipvs->sync_mutex);
3431 static int ip_vs_genl_new_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs)
3433 struct ipvs_sync_daemon_cfg c;
3437 memset(&c, 0, sizeof(c));
3438 if (!(attrs[IPVS_DAEMON_ATTR_STATE] &&
3439 attrs[IPVS_DAEMON_ATTR_MCAST_IFN] &&
3440 attrs[IPVS_DAEMON_ATTR_SYNC_ID]))
3442 strlcpy(c.mcast_ifn, nla_data(attrs[IPVS_DAEMON_ATTR_MCAST_IFN]),
3443 sizeof(c.mcast_ifn));
3444 c.syncid = nla_get_u32(attrs[IPVS_DAEMON_ATTR_SYNC_ID]);
3446 a = attrs[IPVS_DAEMON_ATTR_SYNC_MAXLEN];
3448 c.sync_maxlen = nla_get_u16(a);
3450 a = attrs[IPVS_DAEMON_ATTR_MCAST_GROUP];
3452 c.mcast_af = AF_INET;
3453 c.mcast_group.ip = nla_get_in_addr(a);
3454 if (!ipv4_is_multicast(c.mcast_group.ip))
3457 a = attrs[IPVS_DAEMON_ATTR_MCAST_GROUP6];
3459 #ifdef CONFIG_IP_VS_IPV6
3462 c.mcast_af = AF_INET6;
3463 c.mcast_group.in6 = nla_get_in6_addr(a);
3464 addr_type = ipv6_addr_type(&c.mcast_group.in6);
3465 if (!(addr_type & IPV6_ADDR_MULTICAST))
3468 return -EAFNOSUPPORT;
3473 a = attrs[IPVS_DAEMON_ATTR_MCAST_PORT];
3475 c.mcast_port = nla_get_u16(a);
3477 a = attrs[IPVS_DAEMON_ATTR_MCAST_TTL];
3479 c.mcast_ttl = nla_get_u8(a);
3481 /* The synchronization protocol is incompatible with mixed family
3484 if (ipvs->mixed_address_family_dests > 0)
3488 mutex_lock(&ipvs->sync_mutex);
3489 ret = start_sync_thread(ipvs, &c,
3490 nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
3491 mutex_unlock(&ipvs->sync_mutex);
3496 static int ip_vs_genl_del_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs)
3500 if (!attrs[IPVS_DAEMON_ATTR_STATE])
3503 mutex_lock(&ipvs->sync_mutex);
3504 ret = stop_sync_thread(ipvs,
3505 nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
3506 mutex_unlock(&ipvs->sync_mutex);
3510 static int ip_vs_genl_set_config(struct netns_ipvs *ipvs, struct nlattr **attrs)
3512 struct ip_vs_timeout_user t;
3514 __ip_vs_get_timeouts(ipvs, &t);
3516 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP])
3517 t.tcp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP]);
3519 if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN])
3521 nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP_FIN]);
3523 if (attrs[IPVS_CMD_ATTR_TIMEOUT_UDP])
3524 t.udp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_UDP]);
3526 return ip_vs_set_timeout(ipvs, &t);
3529 static int ip_vs_genl_set_daemon(struct sk_buff *skb, struct genl_info *info)
3531 int ret = -EINVAL, cmd;
3532 struct net *net = sock_net(skb->sk);
3533 struct netns_ipvs *ipvs = net_ipvs(net);
3535 cmd = info->genlhdr->cmd;
3537 if (cmd == IPVS_CMD_NEW_DAEMON || cmd == IPVS_CMD_DEL_DAEMON) {
3538 struct nlattr *daemon_attrs[IPVS_DAEMON_ATTR_MAX + 1];
3540 if (!info->attrs[IPVS_CMD_ATTR_DAEMON] ||
3541 nla_parse_nested(daemon_attrs, IPVS_DAEMON_ATTR_MAX,
3542 info->attrs[IPVS_CMD_ATTR_DAEMON],
3543 ip_vs_daemon_policy))
3546 if (cmd == IPVS_CMD_NEW_DAEMON)
3547 ret = ip_vs_genl_new_daemon(ipvs, daemon_attrs);
3549 ret = ip_vs_genl_del_daemon(ipvs, daemon_attrs);
3556 static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
3558 struct ip_vs_service *svc = NULL;
3559 struct ip_vs_service_user_kern usvc;
3560 struct ip_vs_dest_user_kern udest;
3562 int need_full_svc = 0, need_full_dest = 0;
3563 struct net *net = sock_net(skb->sk);
3564 struct netns_ipvs *ipvs = net_ipvs(net);
3566 cmd = info->genlhdr->cmd;
3568 mutex_lock(&__ip_vs_mutex);
3570 if (cmd == IPVS_CMD_FLUSH) {
3571 ret = ip_vs_flush(ipvs, false);
3573 } else if (cmd == IPVS_CMD_SET_CONFIG) {
3574 ret = ip_vs_genl_set_config(ipvs, info->attrs);
3576 } else if (cmd == IPVS_CMD_ZERO &&
3577 !info->attrs[IPVS_CMD_ATTR_SERVICE]) {
3578 ret = ip_vs_zero_all(ipvs);
3582 /* All following commands require a service argument, so check if we
3583 * received a valid one. We need a full service specification when
3584 * adding / editing a service. Only identifying members otherwise. */
3585 if (cmd == IPVS_CMD_NEW_SERVICE || cmd == IPVS_CMD_SET_SERVICE)
3588 ret = ip_vs_genl_parse_service(ipvs, &usvc,
3589 info->attrs[IPVS_CMD_ATTR_SERVICE],
3590 need_full_svc, &svc);
3594 /* Unless we're adding a new service, the service must already exist */
3595 if ((cmd != IPVS_CMD_NEW_SERVICE) && (svc == NULL)) {
3600 /* Destination commands require a valid destination argument. For
3601 * adding / editing a destination, we need a full destination
3603 if (cmd == IPVS_CMD_NEW_DEST || cmd == IPVS_CMD_SET_DEST ||
3604 cmd == IPVS_CMD_DEL_DEST) {
3605 if (cmd != IPVS_CMD_DEL_DEST)
3608 ret = ip_vs_genl_parse_dest(&udest,
3609 info->attrs[IPVS_CMD_ATTR_DEST],
3614 /* Old protocols did not allow the user to specify address
3615 * family, so we set it to zero instead. We also didn't
3616 * allow heterogeneous pools in the old code, so it's safe
3617 * to assume that this will have the same address family as
3623 if (udest.af != svc->af && cmd != IPVS_CMD_DEL_DEST) {
3624 /* The synchronization protocol is incompatible
3625 * with mixed family services
3627 if (ipvs->sync_state) {
3632 /* Which connection types do we support? */
3633 switch (udest.conn_flags) {
3634 case IP_VS_CONN_F_TUNNEL:
3635 /* We are able to forward this */
3645 case IPVS_CMD_NEW_SERVICE:
3647 ret = ip_vs_add_service(ipvs, &usvc, &svc);
3651 case IPVS_CMD_SET_SERVICE:
3652 ret = ip_vs_edit_service(svc, &usvc);
3654 case IPVS_CMD_DEL_SERVICE:
3655 ret = ip_vs_del_service(svc);
3656 /* do not use svc, it can be freed */
3658 case IPVS_CMD_NEW_DEST:
3659 ret = ip_vs_add_dest(svc, &udest);
3661 case IPVS_CMD_SET_DEST:
3662 ret = ip_vs_edit_dest(svc, &udest);
3664 case IPVS_CMD_DEL_DEST:
3665 ret = ip_vs_del_dest(svc, &udest);
3668 ret = ip_vs_zero_service(svc);
3675 mutex_unlock(&__ip_vs_mutex);
3680 static int ip_vs_genl_get_cmd(struct sk_buff *skb, struct genl_info *info)
3682 struct sk_buff *msg;
3684 int ret, cmd, reply_cmd;
3685 struct net *net = sock_net(skb->sk);
3686 struct netns_ipvs *ipvs = net_ipvs(net);
3688 cmd = info->genlhdr->cmd;
3690 if (cmd == IPVS_CMD_GET_SERVICE)
3691 reply_cmd = IPVS_CMD_NEW_SERVICE;
3692 else if (cmd == IPVS_CMD_GET_INFO)
3693 reply_cmd = IPVS_CMD_SET_INFO;
3694 else if (cmd == IPVS_CMD_GET_CONFIG)
3695 reply_cmd = IPVS_CMD_SET_CONFIG;
3697 pr_err("unknown Generic Netlink command\n");
3701 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3705 mutex_lock(&__ip_vs_mutex);
3707 reply = genlmsg_put_reply(msg, info, &ip_vs_genl_family, 0, reply_cmd);
3709 goto nla_put_failure;
3712 case IPVS_CMD_GET_SERVICE:
3714 struct ip_vs_service *svc;
3716 svc = ip_vs_genl_find_service(ipvs,
3717 info->attrs[IPVS_CMD_ATTR_SERVICE]);
3722 ret = ip_vs_genl_fill_service(msg, svc);
3724 goto nla_put_failure;
3733 case IPVS_CMD_GET_CONFIG:
3735 struct ip_vs_timeout_user t;
3737 __ip_vs_get_timeouts(ipvs, &t);
3738 #ifdef CONFIG_IP_VS_PROTO_TCP
3739 if (nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP,
3741 nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP_FIN,
3743 goto nla_put_failure;
3745 #ifdef CONFIG_IP_VS_PROTO_UDP
3746 if (nla_put_u32(msg, IPVS_CMD_ATTR_TIMEOUT_UDP, t.udp_timeout))
3747 goto nla_put_failure;
3753 case IPVS_CMD_GET_INFO:
3754 if (nla_put_u32(msg, IPVS_INFO_ATTR_VERSION,
3755 IP_VS_VERSION_CODE) ||
3756 nla_put_u32(msg, IPVS_INFO_ATTR_CONN_TAB_SIZE,
3757 ip_vs_conn_tab_size))
3758 goto nla_put_failure;
3762 genlmsg_end(msg, reply);
3763 ret = genlmsg_reply(msg, info);
3767 pr_err("not enough space in Netlink message\n");
3773 mutex_unlock(&__ip_vs_mutex);
3779 static const struct genl_ops ip_vs_genl_ops[] = {
3781 .cmd = IPVS_CMD_NEW_SERVICE,
3782 .flags = GENL_ADMIN_PERM,
3783 .policy = ip_vs_cmd_policy,
3784 .doit = ip_vs_genl_set_cmd,
3787 .cmd = IPVS_CMD_SET_SERVICE,
3788 .flags = GENL_ADMIN_PERM,
3789 .policy = ip_vs_cmd_policy,
3790 .doit = ip_vs_genl_set_cmd,
3793 .cmd = IPVS_CMD_DEL_SERVICE,
3794 .flags = GENL_ADMIN_PERM,
3795 .policy = ip_vs_cmd_policy,
3796 .doit = ip_vs_genl_set_cmd,
3799 .cmd = IPVS_CMD_GET_SERVICE,
3800 .flags = GENL_ADMIN_PERM,
3801 .doit = ip_vs_genl_get_cmd,
3802 .dumpit = ip_vs_genl_dump_services,
3803 .policy = ip_vs_cmd_policy,
3806 .cmd = IPVS_CMD_NEW_DEST,
3807 .flags = GENL_ADMIN_PERM,
3808 .policy = ip_vs_cmd_policy,
3809 .doit = ip_vs_genl_set_cmd,
3812 .cmd = IPVS_CMD_SET_DEST,
3813 .flags = GENL_ADMIN_PERM,
3814 .policy = ip_vs_cmd_policy,
3815 .doit = ip_vs_genl_set_cmd,
3818 .cmd = IPVS_CMD_DEL_DEST,
3819 .flags = GENL_ADMIN_PERM,
3820 .policy = ip_vs_cmd_policy,
3821 .doit = ip_vs_genl_set_cmd,
3824 .cmd = IPVS_CMD_GET_DEST,
3825 .flags = GENL_ADMIN_PERM,
3826 .policy = ip_vs_cmd_policy,
3827 .dumpit = ip_vs_genl_dump_dests,
3830 .cmd = IPVS_CMD_NEW_DAEMON,
3831 .flags = GENL_ADMIN_PERM,
3832 .policy = ip_vs_cmd_policy,
3833 .doit = ip_vs_genl_set_daemon,
3836 .cmd = IPVS_CMD_DEL_DAEMON,
3837 .flags = GENL_ADMIN_PERM,
3838 .policy = ip_vs_cmd_policy,
3839 .doit = ip_vs_genl_set_daemon,
3842 .cmd = IPVS_CMD_GET_DAEMON,
3843 .flags = GENL_ADMIN_PERM,
3844 .dumpit = ip_vs_genl_dump_daemons,
3847 .cmd = IPVS_CMD_SET_CONFIG,
3848 .flags = GENL_ADMIN_PERM,
3849 .policy = ip_vs_cmd_policy,
3850 .doit = ip_vs_genl_set_cmd,
3853 .cmd = IPVS_CMD_GET_CONFIG,
3854 .flags = GENL_ADMIN_PERM,
3855 .doit = ip_vs_genl_get_cmd,
3858 .cmd = IPVS_CMD_GET_INFO,
3859 .flags = GENL_ADMIN_PERM,
3860 .doit = ip_vs_genl_get_cmd,
3863 .cmd = IPVS_CMD_ZERO,
3864 .flags = GENL_ADMIN_PERM,
3865 .policy = ip_vs_cmd_policy,
3866 .doit = ip_vs_genl_set_cmd,
3869 .cmd = IPVS_CMD_FLUSH,
3870 .flags = GENL_ADMIN_PERM,
3871 .doit = ip_vs_genl_set_cmd,
3875 static int __init ip_vs_genl_register(void)
3877 return genl_register_family_with_ops(&ip_vs_genl_family,
3881 static void ip_vs_genl_unregister(void)
3883 genl_unregister_family(&ip_vs_genl_family);
3886 /* End of Generic Netlink interface definitions */
3889 * per netns intit/exit func.
3891 #ifdef CONFIG_SYSCTL
3892 static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
3894 struct net *net = ipvs->net;
3896 struct ctl_table *tbl;
3898 atomic_set(&ipvs->dropentry, 0);
3899 spin_lock_init(&ipvs->dropentry_lock);
3900 spin_lock_init(&ipvs->droppacket_lock);
3901 spin_lock_init(&ipvs->securetcp_lock);
3903 if (!net_eq(net, &init_net)) {
3904 tbl = kmemdup(vs_vars, sizeof(vs_vars), GFP_KERNEL);
3908 /* Don't export sysctls to unprivileged users */
3909 if (net->user_ns != &init_user_ns)
3910 tbl[0].procname = NULL;
3913 /* Initialize sysctl defaults */
3914 for (idx = 0; idx < ARRAY_SIZE(vs_vars); idx++) {
3915 if (tbl[idx].proc_handler == proc_do_defense_mode)
3916 tbl[idx].extra2 = ipvs;
3919 ipvs->sysctl_amemthresh = 1024;
3920 tbl[idx++].data = &ipvs->sysctl_amemthresh;
3921 ipvs->sysctl_am_droprate = 10;
3922 tbl[idx++].data = &ipvs->sysctl_am_droprate;
3923 tbl[idx++].data = &ipvs->sysctl_drop_entry;
3924 tbl[idx++].data = &ipvs->sysctl_drop_packet;
3925 #ifdef CONFIG_IP_VS_NFCT
3926 tbl[idx++].data = &ipvs->sysctl_conntrack;
3928 tbl[idx++].data = &ipvs->sysctl_secure_tcp;
3929 ipvs->sysctl_snat_reroute = 1;
3930 tbl[idx++].data = &ipvs->sysctl_snat_reroute;
3931 ipvs->sysctl_sync_ver = 1;
3932 tbl[idx++].data = &ipvs->sysctl_sync_ver;
3933 ipvs->sysctl_sync_ports = 1;
3934 tbl[idx++].data = &ipvs->sysctl_sync_ports;
3935 tbl[idx++].data = &ipvs->sysctl_sync_persist_mode;
3936 ipvs->sysctl_sync_qlen_max = nr_free_buffer_pages() / 32;
3937 tbl[idx++].data = &ipvs->sysctl_sync_qlen_max;
3938 ipvs->sysctl_sync_sock_size = 0;
3939 tbl[idx++].data = &ipvs->sysctl_sync_sock_size;
3940 tbl[idx++].data = &ipvs->sysctl_cache_bypass;
3941 tbl[idx++].data = &ipvs->sysctl_expire_nodest_conn;
3942 tbl[idx++].data = &ipvs->sysctl_sloppy_tcp;
3943 tbl[idx++].data = &ipvs->sysctl_sloppy_sctp;
3944 tbl[idx++].data = &ipvs->sysctl_expire_quiescent_template;
3945 ipvs->sysctl_sync_threshold[0] = DEFAULT_SYNC_THRESHOLD;
3946 ipvs->sysctl_sync_threshold[1] = DEFAULT_SYNC_PERIOD;
3947 tbl[idx].data = &ipvs->sysctl_sync_threshold;
3948 tbl[idx++].maxlen = sizeof(ipvs->sysctl_sync_threshold);
3949 ipvs->sysctl_sync_refresh_period = DEFAULT_SYNC_REFRESH_PERIOD;
3950 tbl[idx++].data = &ipvs->sysctl_sync_refresh_period;
3951 ipvs->sysctl_sync_retries = clamp_t(int, DEFAULT_SYNC_RETRIES, 0, 3);
3952 tbl[idx++].data = &ipvs->sysctl_sync_retries;
3953 tbl[idx++].data = &ipvs->sysctl_nat_icmp_send;
3954 ipvs->sysctl_pmtu_disc = 1;
3955 tbl[idx++].data = &ipvs->sysctl_pmtu_disc;
3956 tbl[idx++].data = &ipvs->sysctl_backup_only;
3957 ipvs->sysctl_conn_reuse_mode = 1;
3958 tbl[idx++].data = &ipvs->sysctl_conn_reuse_mode;
3959 tbl[idx++].data = &ipvs->sysctl_schedule_icmp;
3960 tbl[idx++].data = &ipvs->sysctl_ignore_tunneled;
3962 ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);
3963 if (ipvs->sysctl_hdr == NULL) {
3964 if (!net_eq(net, &init_net))
3968 ip_vs_start_estimator(ipvs, &ipvs->tot_stats);
3969 ipvs->sysctl_tbl = tbl;
3970 /* Schedule defense work */
3971 INIT_DELAYED_WORK(&ipvs->defense_work, defense_work_handler);
3972 schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
3977 static void __net_exit ip_vs_control_net_cleanup_sysctl(struct netns_ipvs *ipvs)
3979 struct net *net = ipvs->net;
3981 cancel_delayed_work_sync(&ipvs->defense_work);
3982 cancel_work_sync(&ipvs->defense_work.work);
3983 unregister_net_sysctl_table(ipvs->sysctl_hdr);
3984 ip_vs_stop_estimator(ipvs, &ipvs->tot_stats);
3986 if (!net_eq(net, &init_net))
3987 kfree(ipvs->sysctl_tbl);
3992 static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs) { return 0; }
3993 static void __net_exit ip_vs_control_net_cleanup_sysctl(struct netns_ipvs *ipvs) { }
3997 static struct notifier_block ip_vs_dst_notifier = {
3998 .notifier_call = ip_vs_dst_event,
4001 int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
4005 /* Initialize rs_table */
4006 for (idx = 0; idx < IP_VS_RTAB_SIZE; idx++)
4007 INIT_HLIST_HEAD(&ipvs->rs_table[idx]);
4009 INIT_LIST_HEAD(&ipvs->dest_trash);
4010 spin_lock_init(&ipvs->dest_trash_lock);
4011 setup_timer(&ipvs->dest_trash_timer, ip_vs_dest_trash_expire,
4012 (unsigned long) ipvs);
4013 atomic_set(&ipvs->ftpsvc_counter, 0);
4014 atomic_set(&ipvs->nullsvc_counter, 0);
4015 atomic_set(&ipvs->conn_out_counter, 0);
4018 ipvs->tot_stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
4019 if (!ipvs->tot_stats.cpustats)
4022 for_each_possible_cpu(i) {
4023 struct ip_vs_cpu_stats *ipvs_tot_stats;
4024 ipvs_tot_stats = per_cpu_ptr(ipvs->tot_stats.cpustats, i);
4025 u64_stats_init(&ipvs_tot_stats->syncp);
4028 spin_lock_init(&ipvs->tot_stats.lock);
4030 proc_create("ip_vs", 0, ipvs->net->proc_net, &ip_vs_info_fops);
4031 proc_create("ip_vs_stats", 0, ipvs->net->proc_net, &ip_vs_stats_fops);
4032 proc_create("ip_vs_stats_percpu", 0, ipvs->net->proc_net,
4033 &ip_vs_stats_percpu_fops);
4035 if (ip_vs_control_net_init_sysctl(ipvs))
4041 free_percpu(ipvs->tot_stats.cpustats);
4045 void __net_exit ip_vs_control_net_cleanup(struct netns_ipvs *ipvs)
4047 ip_vs_trash_cleanup(ipvs);
4048 ip_vs_control_net_cleanup_sysctl(ipvs);
4049 remove_proc_entry("ip_vs_stats_percpu", ipvs->net->proc_net);
4050 remove_proc_entry("ip_vs_stats", ipvs->net->proc_net);
4051 remove_proc_entry("ip_vs", ipvs->net->proc_net);
4052 free_percpu(ipvs->tot_stats.cpustats);
4055 int __init ip_vs_register_nl_ioctl(void)
4059 ret = nf_register_sockopt(&ip_vs_sockopts);
4061 pr_err("cannot register sockopt.\n");
4065 ret = ip_vs_genl_register();
4067 pr_err("cannot register Generic Netlink interface.\n");
4073 nf_unregister_sockopt(&ip_vs_sockopts);
4078 void ip_vs_unregister_nl_ioctl(void)
4080 ip_vs_genl_unregister();
4081 nf_unregister_sockopt(&ip_vs_sockopts);
4084 int __init ip_vs_control_init(void)
4091 /* Initialize svc_table, ip_vs_svc_fwm_table */
4092 for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
4093 INIT_HLIST_HEAD(&ip_vs_svc_table[idx]);
4094 INIT_HLIST_HEAD(&ip_vs_svc_fwm_table[idx]);
4097 smp_wmb(); /* Do we really need it now ? */
4099 ret = register_netdevice_notifier(&ip_vs_dst_notifier);
4108 void ip_vs_control_cleanup(void)
4111 unregister_netdevice_notifier(&ip_vs_dst_notifier);
projects / cascardo / linux.git / blob