Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * ip_vs_proto_tcp.c: TCP load balancing support for IPVS | |
3 | * | |
1da177e4 LT |
4 | * Authors: Wensong Zhang <wensong@linuxvirtualserver.org> |
5 | * Julian Anastasov <ja@ssi.bg> | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or | |
8 | * modify it under the terms of the GNU General Public License | |
9 | * as published by the Free Software Foundation; either version | |
10 | * 2 of the License, or (at your option) any later version. | |
11 | * | |
4a85b96c | 12 | * Changes: Hans Schillstrom <hans.schillstrom@ericsson.com> |
1da177e4 | 13 | * |
4a85b96c HS |
14 | * Network name space (netns) aware. |
15 | * Global data moved to netns i.e struct netns_ipvs | |
16 | * tcp_timeouts table has copy per netns in a hash table per | |
17 | * protocol ip_vs_proto_data and is handled by netns | |
1da177e4 LT |
18 | */ |
19 | ||
9aada7ac HE |
20 | #define KMSG_COMPONENT "IPVS" |
21 | #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt | |
22 | ||
1da177e4 LT |
23 | #include <linux/kernel.h> |
24 | #include <linux/ip.h> | |
25 | #include <linux/tcp.h> /* for tcphdr */ | |
26 | #include <net/ip.h> | |
27 | #include <net/tcp.h> /* for csum_tcpudp_magic */ | |
63f2c046 | 28 | #include <net/ip6_checksum.h> |
af1e1cf0 | 29 | #include <linux/netfilter.h> |
1da177e4 LT |
30 | #include <linux/netfilter_ipv4.h> |
31 | ||
32 | #include <net/ip_vs.h> | |
33 | ||
fe19a8fe MC |
34 | static int |
35 | tcp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp); | |
36 | ||
1da177e4 | 37 | static int |
d8f44c33 EB |
38 | tcp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb, |
39 | struct ip_vs_proto_data *pd, | |
d4383f04 JDB |
40 | int *verdict, struct ip_vs_conn **cpp, |
41 | struct ip_vs_iphdr *iph) | |
1da177e4 LT |
42 | { |
43 | struct ip_vs_service *svc; | |
44 | struct tcphdr _tcph, *th; | |
8f88ea68 | 45 | __be16 _ports[2], *ports = NULL; |
1da177e4 | 46 | |
8f88ea68 AG |
47 | /* In the event of icmp, we're only guaranteed to have the first 8 |
48 | * bytes of the transport header, so we only check the rest of the | |
49 | * TCP packet for non-ICMP packets | |
50 | */ | |
51 | if (likely(!ip_vs_iph_icmp(iph))) { | |
52 | th = skb_header_pointer(skb, iph->len, sizeof(_tcph), &_tcph); | |
53 | if (th) { | |
54 | if (th->rst || !(sysctl_sloppy_tcp(ipvs) || th->syn)) | |
55 | return 1; | |
56 | ports = &th->source; | |
57 | } | |
58 | } else { | |
59 | ports = skb_header_pointer( | |
60 | skb, iph->len, sizeof(_ports), &_ports); | |
6044eeff AG |
61 | } |
62 | ||
8f88ea68 | 63 | if (!ports) { |
1da177e4 LT |
64 | *verdict = NF_DROP; |
65 | return 0; | |
66 | } | |
6044eeff | 67 | |
190ecd27 | 68 | /* No !th->ack check to allow scheduling on SYN+ACK for Active FTP */ |
8f88ea68 AG |
69 | |
70 | if (likely(!ip_vs_iph_inverse(iph))) | |
0a4fd6ce | 71 | svc = ip_vs_service_find(ipvs, af, skb->mark, iph->protocol, |
8f88ea68 AG |
72 | &iph->daddr, ports[1]); |
73 | else | |
0a4fd6ce | 74 | svc = ip_vs_service_find(ipvs, af, skb->mark, iph->protocol, |
8f88ea68 AG |
75 | &iph->saddr, ports[0]); |
76 | ||
77 | if (svc) { | |
190ecd27 JA |
78 | int ignored; |
79 | ||
c6c96c18 | 80 | if (ip_vs_todrop(ipvs)) { |
1da177e4 LT |
81 | /* |
82 | * It seems that we are very loaded. | |
83 | * We have to drop this packet :( | |
84 | */ | |
1da177e4 LT |
85 | *verdict = NF_DROP; |
86 | return 0; | |
87 | } | |
88 | ||
89 | /* | |
90 | * Let the virtual server select a real server for the | |
91 | * incoming connection, and create a connection entry. | |
92 | */ | |
d4383f04 | 93 | *cpp = ip_vs_schedule(svc, skb, pd, &ignored, iph); |
a5959d53 HS |
94 | if (!*cpp && ignored <= 0) { |
95 | if (!ignored) | |
d4383f04 | 96 | *verdict = ip_vs_leave(svc, skb, pd, iph); |
ceec4c38 | 97 | else |
a5959d53 | 98 | *verdict = NF_DROP; |
1da177e4 LT |
99 | return 0; |
100 | } | |
1da177e4 | 101 | } |
a5959d53 | 102 | /* NF_ACCEPT */ |
1da177e4 LT |
103 | return 1; |
104 | } | |
105 | ||
106 | ||
107 | static inline void | |
0bbdd42b JV |
108 | tcp_fast_csum_update(int af, struct tcphdr *tcph, |
109 | const union nf_inet_addr *oldip, | |
110 | const union nf_inet_addr *newip, | |
014d730d | 111 | __be16 oldport, __be16 newport) |
1da177e4 | 112 | { |
0bbdd42b JV |
113 | #ifdef CONFIG_IP_VS_IPV6 |
114 | if (af == AF_INET6) | |
115 | tcph->check = | |
116 | csum_fold(ip_vs_check_diff16(oldip->ip6, newip->ip6, | |
117 | ip_vs_check_diff2(oldport, newport, | |
118 | ~csum_unfold(tcph->check)))); | |
119 | else | |
120 | #endif | |
1da177e4 | 121 | tcph->check = |
0bbdd42b | 122 | csum_fold(ip_vs_check_diff4(oldip->ip, newip->ip, |
f9214b26 AV |
123 | ip_vs_check_diff2(oldport, newport, |
124 | ~csum_unfold(tcph->check)))); | |
1da177e4 LT |
125 | } |
126 | ||
127 | ||
503e81f6 SH |
128 | static inline void |
129 | tcp_partial_csum_update(int af, struct tcphdr *tcph, | |
130 | const union nf_inet_addr *oldip, | |
131 | const union nf_inet_addr *newip, | |
132 | __be16 oldlen, __be16 newlen) | |
133 | { | |
134 | #ifdef CONFIG_IP_VS_IPV6 | |
135 | if (af == AF_INET6) | |
136 | tcph->check = | |
5bc9068e | 137 | ~csum_fold(ip_vs_check_diff16(oldip->ip6, newip->ip6, |
503e81f6 | 138 | ip_vs_check_diff2(oldlen, newlen, |
5bc9068e | 139 | csum_unfold(tcph->check)))); |
503e81f6 SH |
140 | else |
141 | #endif | |
142 | tcph->check = | |
5bc9068e | 143 | ~csum_fold(ip_vs_check_diff4(oldip->ip, newip->ip, |
503e81f6 | 144 | ip_vs_check_diff2(oldlen, newlen, |
5bc9068e | 145 | csum_unfold(tcph->check)))); |
503e81f6 SH |
146 | } |
147 | ||
148 | ||
1da177e4 | 149 | static int |
d4383f04 JDB |
150 | tcp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, |
151 | struct ip_vs_conn *cp, struct ip_vs_iphdr *iph) | |
1da177e4 LT |
152 | { |
153 | struct tcphdr *tcph; | |
d4383f04 | 154 | unsigned int tcphoff = iph->len; |
503e81f6 | 155 | int oldlen; |
8b27b10f | 156 | int payload_csum = 0; |
0bbdd42b JV |
157 | |
158 | #ifdef CONFIG_IP_VS_IPV6 | |
d4383f04 | 159 | if (cp->af == AF_INET6 && iph->fragoffs) |
63dca2c0 | 160 | return 1; |
0bbdd42b | 161 | #endif |
503e81f6 | 162 | oldlen = skb->len - tcphoff; |
1da177e4 LT |
163 | |
164 | /* csum_check requires unshared skb */ | |
3db05fea | 165 | if (!skb_make_writable(skb, tcphoff+sizeof(*tcph))) |
1da177e4 LT |
166 | return 0; |
167 | ||
168 | if (unlikely(cp->app != NULL)) { | |
8b27b10f JA |
169 | int ret; |
170 | ||
1da177e4 | 171 | /* Some checks before mangling */ |
fe19a8fe | 172 | if (!tcp_csum_check(cp->af, skb, pp)) |
1da177e4 LT |
173 | return 0; |
174 | ||
175 | /* Call application helper if needed */ | |
d12e1229 | 176 | if (!(ret = ip_vs_app_pkt_out(cp, skb, iph))) |
1da177e4 | 177 | return 0; |
8b27b10f JA |
178 | /* ret=2: csum update is needed after payload mangling */ |
179 | if (ret == 1) | |
180 | oldlen = skb->len - tcphoff; | |
181 | else | |
182 | payload_csum = 1; | |
1da177e4 LT |
183 | } |
184 | ||
0bbdd42b | 185 | tcph = (void *)skb_network_header(skb) + tcphoff; |
1da177e4 LT |
186 | tcph->source = cp->vport; |
187 | ||
188 | /* Adjust TCP checksums */ | |
503e81f6 SH |
189 | if (skb->ip_summed == CHECKSUM_PARTIAL) { |
190 | tcp_partial_csum_update(cp->af, tcph, &cp->daddr, &cp->vaddr, | |
ca62059b HH |
191 | htons(oldlen), |
192 | htons(skb->len - tcphoff)); | |
8b27b10f | 193 | } else if (!payload_csum) { |
1da177e4 | 194 | /* Only port and addr are changed, do fast csum update */ |
0bbdd42b | 195 | tcp_fast_csum_update(cp->af, tcph, &cp->daddr, &cp->vaddr, |
1da177e4 | 196 | cp->dport, cp->vport); |
3db05fea | 197 | if (skb->ip_summed == CHECKSUM_COMPLETE) |
fe19a8fe | 198 | skb->ip_summed = cp->app ? |
8b27b10f | 199 | CHECKSUM_UNNECESSARY : CHECKSUM_NONE; |
1da177e4 LT |
200 | } else { |
201 | /* full checksum calculation */ | |
202 | tcph->check = 0; | |
3db05fea | 203 | skb->csum = skb_checksum(skb, tcphoff, skb->len - tcphoff, 0); |
0bbdd42b JV |
204 | #ifdef CONFIG_IP_VS_IPV6 |
205 | if (cp->af == AF_INET6) | |
206 | tcph->check = csum_ipv6_magic(&cp->vaddr.in6, | |
207 | &cp->caddr.in6, | |
208 | skb->len - tcphoff, | |
209 | cp->protocol, skb->csum); | |
210 | else | |
211 | #endif | |
212 | tcph->check = csum_tcpudp_magic(cp->vaddr.ip, | |
213 | cp->caddr.ip, | |
214 | skb->len - tcphoff, | |
215 | cp->protocol, | |
216 | skb->csum); | |
8b27b10f | 217 | skb->ip_summed = CHECKSUM_UNNECESSARY; |
0bbdd42b | 218 | |
1da177e4 LT |
219 | IP_VS_DBG(11, "O-pkt: %s O-csum=%d (+%zd)\n", |
220 | pp->name, tcph->check, | |
221 | (char*)&(tcph->check) - (char*)tcph); | |
222 | } | |
223 | return 1; | |
224 | } | |
225 | ||
226 | ||
227 | static int | |
d4383f04 JDB |
228 | tcp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, |
229 | struct ip_vs_conn *cp, struct ip_vs_iphdr *iph) | |
1da177e4 LT |
230 | { |
231 | struct tcphdr *tcph; | |
d4383f04 | 232 | unsigned int tcphoff = iph->len; |
503e81f6 | 233 | int oldlen; |
8b27b10f | 234 | int payload_csum = 0; |
0bbdd42b JV |
235 | |
236 | #ifdef CONFIG_IP_VS_IPV6 | |
d4383f04 | 237 | if (cp->af == AF_INET6 && iph->fragoffs) |
63dca2c0 | 238 | return 1; |
0bbdd42b | 239 | #endif |
503e81f6 | 240 | oldlen = skb->len - tcphoff; |
1da177e4 LT |
241 | |
242 | /* csum_check requires unshared skb */ | |
3db05fea | 243 | if (!skb_make_writable(skb, tcphoff+sizeof(*tcph))) |
1da177e4 LT |
244 | return 0; |
245 | ||
246 | if (unlikely(cp->app != NULL)) { | |
8b27b10f JA |
247 | int ret; |
248 | ||
1da177e4 | 249 | /* Some checks before mangling */ |
fe19a8fe | 250 | if (!tcp_csum_check(cp->af, skb, pp)) |
1da177e4 LT |
251 | return 0; |
252 | ||
253 | /* | |
254 | * Attempt ip_vs_app call. | |
255 | * It will fix ip_vs_conn and iph ack_seq stuff | |
256 | */ | |
d12e1229 | 257 | if (!(ret = ip_vs_app_pkt_in(cp, skb, iph))) |
1da177e4 | 258 | return 0; |
8b27b10f JA |
259 | /* ret=2: csum update is needed after payload mangling */ |
260 | if (ret == 1) | |
261 | oldlen = skb->len - tcphoff; | |
262 | else | |
263 | payload_csum = 1; | |
1da177e4 LT |
264 | } |
265 | ||
0bbdd42b | 266 | tcph = (void *)skb_network_header(skb) + tcphoff; |
1da177e4 LT |
267 | tcph->dest = cp->dport; |
268 | ||
269 | /* | |
270 | * Adjust TCP checksums | |
271 | */ | |
503e81f6 | 272 | if (skb->ip_summed == CHECKSUM_PARTIAL) { |
5bc9068e | 273 | tcp_partial_csum_update(cp->af, tcph, &cp->vaddr, &cp->daddr, |
ca62059b HH |
274 | htons(oldlen), |
275 | htons(skb->len - tcphoff)); | |
8b27b10f | 276 | } else if (!payload_csum) { |
1da177e4 | 277 | /* Only port and addr are changed, do fast csum update */ |
0bbdd42b | 278 | tcp_fast_csum_update(cp->af, tcph, &cp->vaddr, &cp->daddr, |
1da177e4 | 279 | cp->vport, cp->dport); |
3db05fea | 280 | if (skb->ip_summed == CHECKSUM_COMPLETE) |
fe19a8fe | 281 | skb->ip_summed = cp->app ? |
8b27b10f | 282 | CHECKSUM_UNNECESSARY : CHECKSUM_NONE; |
1da177e4 LT |
283 | } else { |
284 | /* full checksum calculation */ | |
285 | tcph->check = 0; | |
3db05fea | 286 | skb->csum = skb_checksum(skb, tcphoff, skb->len - tcphoff, 0); |
0bbdd42b JV |
287 | #ifdef CONFIG_IP_VS_IPV6 |
288 | if (cp->af == AF_INET6) | |
289 | tcph->check = csum_ipv6_magic(&cp->caddr.in6, | |
290 | &cp->daddr.in6, | |
291 | skb->len - tcphoff, | |
292 | cp->protocol, skb->csum); | |
293 | else | |
294 | #endif | |
295 | tcph->check = csum_tcpudp_magic(cp->caddr.ip, | |
296 | cp->daddr.ip, | |
297 | skb->len - tcphoff, | |
298 | cp->protocol, | |
299 | skb->csum); | |
3db05fea | 300 | skb->ip_summed = CHECKSUM_UNNECESSARY; |
1da177e4 LT |
301 | } |
302 | return 1; | |
303 | } | |
304 | ||
305 | ||
306 | static int | |
51ef348b | 307 | tcp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp) |
1da177e4 | 308 | { |
51ef348b JV |
309 | unsigned int tcphoff; |
310 | ||
311 | #ifdef CONFIG_IP_VS_IPV6 | |
312 | if (af == AF_INET6) | |
313 | tcphoff = sizeof(struct ipv6hdr); | |
314 | else | |
315 | #endif | |
316 | tcphoff = ip_hdrlen(skb); | |
1da177e4 LT |
317 | |
318 | switch (skb->ip_summed) { | |
319 | case CHECKSUM_NONE: | |
320 | skb->csum = skb_checksum(skb, tcphoff, skb->len - tcphoff, 0); | |
e8542dce | 321 | /* fall through */ |
84fa7933 | 322 | case CHECKSUM_COMPLETE: |
51ef348b JV |
323 | #ifdef CONFIG_IP_VS_IPV6 |
324 | if (af == AF_INET6) { | |
325 | if (csum_ipv6_magic(&ipv6_hdr(skb)->saddr, | |
326 | &ipv6_hdr(skb)->daddr, | |
327 | skb->len - tcphoff, | |
328 | ipv6_hdr(skb)->nexthdr, | |
329 | skb->csum)) { | |
0d79641a | 330 | IP_VS_DBG_RL_PKT(0, af, pp, skb, 0, |
51ef348b JV |
331 | "Failed checksum for"); |
332 | return 0; | |
333 | } | |
334 | } else | |
335 | #endif | |
336 | if (csum_tcpudp_magic(ip_hdr(skb)->saddr, | |
337 | ip_hdr(skb)->daddr, | |
338 | skb->len - tcphoff, | |
339 | ip_hdr(skb)->protocol, | |
340 | skb->csum)) { | |
0d79641a | 341 | IP_VS_DBG_RL_PKT(0, af, pp, skb, 0, |
51ef348b JV |
342 | "Failed checksum for"); |
343 | return 0; | |
344 | } | |
1da177e4 LT |
345 | break; |
346 | default: | |
84fa7933 | 347 | /* No need to checksum. */ |
1da177e4 LT |
348 | break; |
349 | } | |
350 | ||
351 | return 1; | |
352 | } | |
353 | ||
354 | ||
355 | #define TCP_DIR_INPUT 0 | |
356 | #define TCP_DIR_OUTPUT 4 | |
357 | #define TCP_DIR_INPUT_ONLY 8 | |
358 | ||
9b5b5cff | 359 | static const int tcp_state_off[IP_VS_DIR_LAST] = { |
1da177e4 LT |
360 | [IP_VS_DIR_INPUT] = TCP_DIR_INPUT, |
361 | [IP_VS_DIR_OUTPUT] = TCP_DIR_OUTPUT, | |
362 | [IP_VS_DIR_INPUT_ONLY] = TCP_DIR_INPUT_ONLY, | |
363 | }; | |
364 | ||
365 | /* | |
366 | * Timeout table[state] | |
367 | */ | |
4a85b96c | 368 | static const int tcp_timeouts[IP_VS_TCP_S_LAST+1] = { |
1da177e4 LT |
369 | [IP_VS_TCP_S_NONE] = 2*HZ, |
370 | [IP_VS_TCP_S_ESTABLISHED] = 15*60*HZ, | |
371 | [IP_VS_TCP_S_SYN_SENT] = 2*60*HZ, | |
372 | [IP_VS_TCP_S_SYN_RECV] = 1*60*HZ, | |
373 | [IP_VS_TCP_S_FIN_WAIT] = 2*60*HZ, | |
374 | [IP_VS_TCP_S_TIME_WAIT] = 2*60*HZ, | |
375 | [IP_VS_TCP_S_CLOSE] = 10*HZ, | |
376 | [IP_VS_TCP_S_CLOSE_WAIT] = 60*HZ, | |
377 | [IP_VS_TCP_S_LAST_ACK] = 30*HZ, | |
378 | [IP_VS_TCP_S_LISTEN] = 2*60*HZ, | |
379 | [IP_VS_TCP_S_SYNACK] = 120*HZ, | |
380 | [IP_VS_TCP_S_LAST] = 2*HZ, | |
381 | }; | |
382 | ||
36cbd3dc | 383 | static const char *const tcp_state_name_table[IP_VS_TCP_S_LAST+1] = { |
1da177e4 LT |
384 | [IP_VS_TCP_S_NONE] = "NONE", |
385 | [IP_VS_TCP_S_ESTABLISHED] = "ESTABLISHED", | |
386 | [IP_VS_TCP_S_SYN_SENT] = "SYN_SENT", | |
387 | [IP_VS_TCP_S_SYN_RECV] = "SYN_RECV", | |
388 | [IP_VS_TCP_S_FIN_WAIT] = "FIN_WAIT", | |
389 | [IP_VS_TCP_S_TIME_WAIT] = "TIME_WAIT", | |
390 | [IP_VS_TCP_S_CLOSE] = "CLOSE", | |
391 | [IP_VS_TCP_S_CLOSE_WAIT] = "CLOSE_WAIT", | |
392 | [IP_VS_TCP_S_LAST_ACK] = "LAST_ACK", | |
393 | [IP_VS_TCP_S_LISTEN] = "LISTEN", | |
394 | [IP_VS_TCP_S_SYNACK] = "SYNACK", | |
395 | [IP_VS_TCP_S_LAST] = "BUG!", | |
396 | }; | |
397 | ||
be2cef49 MK |
398 | static const bool tcp_state_active_table[IP_VS_TCP_S_LAST] = { |
399 | [IP_VS_TCP_S_NONE] = false, | |
400 | [IP_VS_TCP_S_ESTABLISHED] = true, | |
401 | [IP_VS_TCP_S_SYN_SENT] = true, | |
402 | [IP_VS_TCP_S_SYN_RECV] = true, | |
403 | [IP_VS_TCP_S_FIN_WAIT] = false, | |
404 | [IP_VS_TCP_S_TIME_WAIT] = false, | |
405 | [IP_VS_TCP_S_CLOSE] = false, | |
406 | [IP_VS_TCP_S_CLOSE_WAIT] = false, | |
407 | [IP_VS_TCP_S_LAST_ACK] = false, | |
408 | [IP_VS_TCP_S_LISTEN] = false, | |
409 | [IP_VS_TCP_S_SYNACK] = true, | |
410 | }; | |
411 | ||
1da177e4 LT |
412 | #define sNO IP_VS_TCP_S_NONE |
413 | #define sES IP_VS_TCP_S_ESTABLISHED | |
414 | #define sSS IP_VS_TCP_S_SYN_SENT | |
415 | #define sSR IP_VS_TCP_S_SYN_RECV | |
416 | #define sFW IP_VS_TCP_S_FIN_WAIT | |
417 | #define sTW IP_VS_TCP_S_TIME_WAIT | |
418 | #define sCL IP_VS_TCP_S_CLOSE | |
419 | #define sCW IP_VS_TCP_S_CLOSE_WAIT | |
420 | #define sLA IP_VS_TCP_S_LAST_ACK | |
421 | #define sLI IP_VS_TCP_S_LISTEN | |
422 | #define sSA IP_VS_TCP_S_SYNACK | |
423 | ||
424 | struct tcp_states_t { | |
425 | int next_state[IP_VS_TCP_S_LAST]; | |
426 | }; | |
427 | ||
428 | static const char * tcp_state_name(int state) | |
429 | { | |
430 | if (state >= IP_VS_TCP_S_LAST) | |
431 | return "ERR!"; | |
432 | return tcp_state_name_table[state] ? tcp_state_name_table[state] : "?"; | |
433 | } | |
434 | ||
be2cef49 MK |
435 | static bool tcp_state_active(int state) |
436 | { | |
437 | if (state >= IP_VS_TCP_S_LAST) | |
438 | return false; | |
439 | return tcp_state_active_table[state]; | |
440 | } | |
441 | ||
535101ec | 442 | static struct tcp_states_t tcp_states[] = { |
1da177e4 LT |
443 | /* INPUT */ |
444 | /* sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI, sSA */ | |
445 | /*syn*/ {{sSR, sES, sES, sSR, sSR, sSR, sSR, sSR, sSR, sSR, sSR }}, | |
446 | /*fin*/ {{sCL, sCW, sSS, sTW, sTW, sTW, sCL, sCW, sLA, sLI, sTW }}, | |
c6c96c18 | 447 | /*ack*/ {{sES, sES, sSS, sES, sFW, sTW, sCL, sCW, sCL, sLI, sES }}, |
1da177e4 LT |
448 | /*rst*/ {{sCL, sCL, sCL, sSR, sCL, sCL, sCL, sCL, sLA, sLI, sSR }}, |
449 | ||
450 | /* OUTPUT */ | |
451 | /* sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI, sSA */ | |
452 | /*syn*/ {{sSS, sES, sSS, sSR, sSS, sSS, sSS, sSS, sSS, sLI, sSR }}, | |
453 | /*fin*/ {{sTW, sFW, sSS, sTW, sFW, sTW, sCL, sTW, sLA, sLI, sTW }}, | |
454 | /*ack*/ {{sES, sES, sSS, sES, sFW, sTW, sCL, sCW, sLA, sES, sES }}, | |
455 | /*rst*/ {{sCL, sCL, sSS, sCL, sCL, sTW, sCL, sCL, sCL, sCL, sCL }}, | |
456 | ||
457 | /* INPUT-ONLY */ | |
458 | /* sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI, sSA */ | |
459 | /*syn*/ {{sSR, sES, sES, sSR, sSR, sSR, sSR, sSR, sSR, sSR, sSR }}, | |
460 | /*fin*/ {{sCL, sFW, sSS, sTW, sFW, sTW, sCL, sCW, sLA, sLI, sTW }}, | |
c6c96c18 | 461 | /*ack*/ {{sES, sES, sSS, sES, sFW, sTW, sCL, sCW, sCL, sLI, sES }}, |
1da177e4 LT |
462 | /*rst*/ {{sCL, sCL, sCL, sSR, sCL, sCL, sCL, sCL, sLA, sLI, sCL }}, |
463 | }; | |
464 | ||
535101ec | 465 | static struct tcp_states_t tcp_states_dos[] = { |
1da177e4 LT |
466 | /* INPUT */ |
467 | /* sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI, sSA */ | |
468 | /*syn*/ {{sSR, sES, sES, sSR, sSR, sSR, sSR, sSR, sSR, sSR, sSA }}, | |
469 | /*fin*/ {{sCL, sCW, sSS, sTW, sTW, sTW, sCL, sCW, sLA, sLI, sSA }}, | |
c6c96c18 | 470 | /*ack*/ {{sES, sES, sSS, sSR, sFW, sTW, sCL, sCW, sCL, sLI, sSA }}, |
1da177e4 LT |
471 | /*rst*/ {{sCL, sCL, sCL, sSR, sCL, sCL, sCL, sCL, sLA, sLI, sCL }}, |
472 | ||
473 | /* OUTPUT */ | |
474 | /* sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI, sSA */ | |
475 | /*syn*/ {{sSS, sES, sSS, sSA, sSS, sSS, sSS, sSS, sSS, sLI, sSA }}, | |
476 | /*fin*/ {{sTW, sFW, sSS, sTW, sFW, sTW, sCL, sTW, sLA, sLI, sTW }}, | |
477 | /*ack*/ {{sES, sES, sSS, sES, sFW, sTW, sCL, sCW, sLA, sES, sES }}, | |
478 | /*rst*/ {{sCL, sCL, sSS, sCL, sCL, sTW, sCL, sCL, sCL, sCL, sCL }}, | |
479 | ||
480 | /* INPUT-ONLY */ | |
481 | /* sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI, sSA */ | |
482 | /*syn*/ {{sSA, sES, sES, sSR, sSA, sSA, sSA, sSA, sSA, sSA, sSA }}, | |
483 | /*fin*/ {{sCL, sFW, sSS, sTW, sFW, sTW, sCL, sCW, sLA, sLI, sTW }}, | |
c6c96c18 | 484 | /*ack*/ {{sES, sES, sSS, sES, sFW, sTW, sCL, sCW, sCL, sLI, sES }}, |
1da177e4 LT |
485 | /*rst*/ {{sCL, sCL, sCL, sSR, sCL, sCL, sCL, sCL, sLA, sLI, sCL }}, |
486 | }; | |
487 | ||
9330419d | 488 | static void tcp_timeout_change(struct ip_vs_proto_data *pd, int flags) |
1da177e4 LT |
489 | { |
490 | int on = (flags & 1); /* secure_tcp */ | |
491 | ||
492 | /* | |
493 | ** FIXME: change secure_tcp to independent sysctl var | |
494 | ** or make it per-service or per-app because it is valid | |
495 | ** for most if not for all of the applications. Something | |
496 | ** like "capabilities" (flags) for each object. | |
497 | */ | |
9330419d | 498 | pd->tcp_state_table = (on ? tcp_states_dos : tcp_states); |
1da177e4 LT |
499 | } |
500 | ||
1da177e4 LT |
501 | static inline int tcp_state_idx(struct tcphdr *th) |
502 | { | |
503 | if (th->rst) | |
504 | return 3; | |
505 | if (th->syn) | |
506 | return 0; | |
507 | if (th->fin) | |
508 | return 1; | |
509 | if (th->ack) | |
510 | return 2; | |
511 | return -1; | |
512 | } | |
513 | ||
514 | static inline void | |
9330419d | 515 | set_tcp_state(struct ip_vs_proto_data *pd, struct ip_vs_conn *cp, |
1da177e4 LT |
516 | int direction, struct tcphdr *th) |
517 | { | |
518 | int state_idx; | |
519 | int new_state = IP_VS_TCP_S_CLOSE; | |
520 | int state_off = tcp_state_off[direction]; | |
521 | ||
522 | /* | |
523 | * Update state offset to INPUT_ONLY if necessary | |
524 | * or delete NO_OUTPUT flag if output packet detected | |
525 | */ | |
526 | if (cp->flags & IP_VS_CONN_F_NOOUTPUT) { | |
527 | if (state_off == TCP_DIR_OUTPUT) | |
528 | cp->flags &= ~IP_VS_CONN_F_NOOUTPUT; | |
529 | else | |
530 | state_off = TCP_DIR_INPUT_ONLY; | |
531 | } | |
532 | ||
533 | if ((state_idx = tcp_state_idx(th)) < 0) { | |
534 | IP_VS_DBG(8, "tcp_state_idx=%d!!!\n", state_idx); | |
535 | goto tcp_state_out; | |
536 | } | |
537 | ||
9330419d HS |
538 | new_state = |
539 | pd->tcp_state_table[state_off+state_idx].next_state[cp->state]; | |
1da177e4 LT |
540 | |
541 | tcp_state_out: | |
542 | if (new_state != cp->state) { | |
543 | struct ip_vs_dest *dest = cp->dest; | |
544 | ||
cfc78c5a JV |
545 | IP_VS_DBG_BUF(8, "%s %s [%c%c%c%c] %s:%d->" |
546 | "%s:%d state: %s->%s conn->refcnt:%d\n", | |
9330419d | 547 | pd->pp->name, |
cfc78c5a JV |
548 | ((state_off == TCP_DIR_OUTPUT) ? |
549 | "output " : "input "), | |
550 | th->syn ? 'S' : '.', | |
551 | th->fin ? 'F' : '.', | |
552 | th->ack ? 'A' : '.', | |
553 | th->rst ? 'R' : '.', | |
f18ae720 | 554 | IP_VS_DBG_ADDR(cp->daf, &cp->daddr), |
cfc78c5a JV |
555 | ntohs(cp->dport), |
556 | IP_VS_DBG_ADDR(cp->af, &cp->caddr), | |
557 | ntohs(cp->cport), | |
558 | tcp_state_name(cp->state), | |
559 | tcp_state_name(new_state), | |
b54ab92b | 560 | refcount_read(&cp->refcnt)); |
cfc78c5a | 561 | |
1da177e4 LT |
562 | if (dest) { |
563 | if (!(cp->flags & IP_VS_CONN_F_INACTIVE) && | |
be2cef49 | 564 | !tcp_state_active(new_state)) { |
1da177e4 LT |
565 | atomic_dec(&dest->activeconns); |
566 | atomic_inc(&dest->inactconns); | |
567 | cp->flags |= IP_VS_CONN_F_INACTIVE; | |
568 | } else if ((cp->flags & IP_VS_CONN_F_INACTIVE) && | |
be2cef49 | 569 | tcp_state_active(new_state)) { |
1da177e4 LT |
570 | atomic_inc(&dest->activeconns); |
571 | atomic_dec(&dest->inactconns); | |
572 | cp->flags &= ~IP_VS_CONN_F_INACTIVE; | |
573 | } | |
574 | } | |
27541143 JA |
575 | if (new_state == IP_VS_TCP_S_ESTABLISHED) |
576 | ip_vs_control_assure_ct(cp); | |
1da177e4 LT |
577 | } |
578 | ||
4a85b96c HS |
579 | if (likely(pd)) |
580 | cp->timeout = pd->timeout_table[cp->state = new_state]; | |
581 | else /* What to do ? */ | |
582 | cp->timeout = tcp_timeouts[cp->state = new_state]; | |
1da177e4 LT |
583 | } |
584 | ||
1da177e4 LT |
585 | /* |
586 | * Handle state transitions | |
587 | */ | |
4a516f11 | 588 | static void |
1da177e4 LT |
589 | tcp_state_transition(struct ip_vs_conn *cp, int direction, |
590 | const struct sk_buff *skb, | |
9330419d | 591 | struct ip_vs_proto_data *pd) |
1da177e4 LT |
592 | { |
593 | struct tcphdr _tcph, *th; | |
594 | ||
0bbdd42b JV |
595 | #ifdef CONFIG_IP_VS_IPV6 |
596 | int ihl = cp->af == AF_INET ? ip_hdrlen(skb) : sizeof(struct ipv6hdr); | |
597 | #else | |
598 | int ihl = ip_hdrlen(skb); | |
599 | #endif | |
600 | ||
601 | th = skb_header_pointer(skb, ihl, sizeof(_tcph), &_tcph); | |
1da177e4 | 602 | if (th == NULL) |
4a516f11 | 603 | return; |
1da177e4 | 604 | |
ac69269a | 605 | spin_lock_bh(&cp->lock); |
9330419d | 606 | set_tcp_state(pd, cp, direction, th); |
ac69269a | 607 | spin_unlock_bh(&cp->lock); |
1da177e4 LT |
608 | } |
609 | ||
75e7ce66 | 610 | static inline __u16 tcp_app_hashkey(__be16 port) |
1da177e4 | 611 | { |
75e7ce66 AV |
612 | return (((__force u16)port >> TCP_APP_TAB_BITS) ^ (__force u16)port) |
613 | & TCP_APP_TAB_MASK; | |
1da177e4 LT |
614 | } |
615 | ||
616 | ||
19648918 | 617 | static int tcp_register_app(struct netns_ipvs *ipvs, struct ip_vs_app *inc) |
1da177e4 LT |
618 | { |
619 | struct ip_vs_app *i; | |
75e7ce66 AV |
620 | __u16 hash; |
621 | __be16 port = inc->port; | |
1da177e4 | 622 | int ret = 0; |
18d6ade6 | 623 | struct ip_vs_proto_data *pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP); |
1da177e4 LT |
624 | |
625 | hash = tcp_app_hashkey(port); | |
626 | ||
4a85b96c | 627 | list_for_each_entry(i, &ipvs->tcp_apps[hash], p_list) { |
1da177e4 LT |
628 | if (i->port == port) { |
629 | ret = -EEXIST; | |
630 | goto out; | |
631 | } | |
632 | } | |
363c97d7 | 633 | list_add_rcu(&inc->p_list, &ipvs->tcp_apps[hash]); |
9bbac6a9 | 634 | atomic_inc(&pd->appcnt); |
1da177e4 LT |
635 | |
636 | out: | |
1da177e4 LT |
637 | return ret; |
638 | } | |
639 | ||
640 | ||
641 | static void | |
19648918 | 642 | tcp_unregister_app(struct netns_ipvs *ipvs, struct ip_vs_app *inc) |
1da177e4 | 643 | { |
19648918 | 644 | struct ip_vs_proto_data *pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP); |
4a85b96c | 645 | |
9bbac6a9 | 646 | atomic_dec(&pd->appcnt); |
363c97d7 | 647 | list_del_rcu(&inc->p_list); |
1da177e4 LT |
648 | } |
649 | ||
650 | ||
651 | static int | |
652 | tcp_app_conn_bind(struct ip_vs_conn *cp) | |
653 | { | |
58dbc6f2 | 654 | struct netns_ipvs *ipvs = cp->ipvs; |
1da177e4 LT |
655 | int hash; |
656 | struct ip_vs_app *inc; | |
657 | int result = 0; | |
658 | ||
659 | /* Default binding: bind app only for NAT */ | |
660 | if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) | |
661 | return 0; | |
662 | ||
663 | /* Lookup application incarnations and bind the right one */ | |
664 | hash = tcp_app_hashkey(cp->vport); | |
665 | ||
363c97d7 | 666 | list_for_each_entry_rcu(inc, &ipvs->tcp_apps[hash], p_list) { |
1da177e4 LT |
667 | if (inc->port == cp->vport) { |
668 | if (unlikely(!ip_vs_app_inc_get(inc))) | |
669 | break; | |
1da177e4 | 670 | |
1e3e238e | 671 | IP_VS_DBG_BUF(9, "%s(): Binding conn %s:%u->" |
cfc78c5a JV |
672 | "%s:%u to app %s on port %u\n", |
673 | __func__, | |
674 | IP_VS_DBG_ADDR(cp->af, &cp->caddr), | |
675 | ntohs(cp->cport), | |
676 | IP_VS_DBG_ADDR(cp->af, &cp->vaddr), | |
677 | ntohs(cp->vport), | |
678 | inc->name, ntohs(inc->port)); | |
679 | ||
1da177e4 LT |
680 | cp->app = inc; |
681 | if (inc->init_conn) | |
682 | result = inc->init_conn(inc, cp); | |
0b35f603 | 683 | break; |
1da177e4 LT |
684 | } |
685 | } | |
1da177e4 | 686 | |
1da177e4 LT |
687 | return result; |
688 | } | |
689 | ||
690 | ||
691 | /* | |
692 | * Set LISTEN timeout. (ip_vs_conn_put will setup timer) | |
693 | */ | |
69f39093 | 694 | void ip_vs_tcp_conn_listen(struct ip_vs_conn *cp) |
1da177e4 | 695 | { |
69f39093 | 696 | struct ip_vs_proto_data *pd = ip_vs_proto_data_get(cp->ipvs, IPPROTO_TCP); |
4a85b96c | 697 | |
ac69269a | 698 | spin_lock_bh(&cp->lock); |
1da177e4 | 699 | cp->state = IP_VS_TCP_S_LISTEN; |
4a85b96c HS |
700 | cp->timeout = (pd ? pd->timeout_table[IP_VS_TCP_S_LISTEN] |
701 | : tcp_timeouts[IP_VS_TCP_S_LISTEN]); | |
ac69269a | 702 | spin_unlock_bh(&cp->lock); |
1da177e4 LT |
703 | } |
704 | ||
4a85b96c HS |
705 | /* --------------------------------------------- |
706 | * timeouts is netns related now. | |
707 | * --------------------------------------------- | |
708 | */ | |
1281a9c2 | 709 | static int __ip_vs_tcp_init(struct netns_ipvs *ipvs, struct ip_vs_proto_data *pd) |
1da177e4 | 710 | { |
4a85b96c | 711 | ip_vs_init_hash_table(ipvs->tcp_apps, TCP_APP_TAB_SIZE); |
4a85b96c HS |
712 | pd->timeout_table = ip_vs_create_timeout_table((int *)tcp_timeouts, |
713 | sizeof(tcp_timeouts)); | |
582b8e3e HS |
714 | if (!pd->timeout_table) |
715 | return -ENOMEM; | |
9330419d | 716 | pd->tcp_state_table = tcp_states; |
582b8e3e | 717 | return 0; |
4a85b96c | 718 | } |
1da177e4 | 719 | |
1281a9c2 | 720 | static void __ip_vs_tcp_exit(struct netns_ipvs *ipvs, struct ip_vs_proto_data *pd) |
1da177e4 | 721 | { |
4a85b96c | 722 | kfree(pd->timeout_table); |
1da177e4 LT |
723 | } |
724 | ||
725 | ||
726 | struct ip_vs_protocol ip_vs_protocol_tcp = { | |
727 | .name = "TCP", | |
728 | .protocol = IPPROTO_TCP, | |
2ad17def | 729 | .num_states = IP_VS_TCP_S_LAST, |
1da177e4 | 730 | .dont_defrag = 0, |
4a85b96c HS |
731 | .init = NULL, |
732 | .exit = NULL, | |
733 | .init_netns = __ip_vs_tcp_init, | |
734 | .exit_netns = __ip_vs_tcp_exit, | |
1da177e4 LT |
735 | .register_app = tcp_register_app, |
736 | .unregister_app = tcp_unregister_app, | |
737 | .conn_schedule = tcp_conn_schedule, | |
5c0d2374 SH |
738 | .conn_in_get = ip_vs_conn_in_get_proto, |
739 | .conn_out_get = ip_vs_conn_out_get_proto, | |
1da177e4 LT |
740 | .snat_handler = tcp_snat_handler, |
741 | .dnat_handler = tcp_dnat_handler, | |
1da177e4 LT |
742 | .state_name = tcp_state_name, |
743 | .state_transition = tcp_state_transition, | |
744 | .app_conn_bind = tcp_app_conn_bind, | |
745 | .debug_packet = ip_vs_tcpudp_debug_packet, | |
746 | .timeout_change = tcp_timeout_change, | |
1da177e4 | 747 | }; |