/net/netfilter/ipvs/ip_vs_proto_udp.c

http://github.com/mirrors/linux · C · 503 lines · 392 code · 64 blank · 47 comment · 85 complexity · 9f33e16eb156383b535d8aead8c99fbc MD5 · raw file

  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /*
  3. * ip_vs_proto_udp.c: UDP load balancing support for IPVS
  4. *
  5. * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
  6. * Julian Anastasov <ja@ssi.bg>
  7. *
  8. * Changes: Hans Schillstrom <hans.schillstrom@ericsson.com>
  9. * Network name space (netns) aware.
  10. */
  11. #define KMSG_COMPONENT "IPVS"
  12. #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
  13. #include <linux/in.h>
  14. #include <linux/ip.h>
  15. #include <linux/kernel.h>
  16. #include <linux/netfilter.h>
  17. #include <linux/netfilter_ipv4.h>
  18. #include <linux/udp.h>
  19. #include <linux/indirect_call_wrapper.h>
  20. #include <net/ip_vs.h>
  21. #include <net/ip.h>
  22. #include <net/ip6_checksum.h>
  23. static int
  24. udp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp);
  25. static int
  26. udp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
  27. struct ip_vs_proto_data *pd,
  28. int *verdict, struct ip_vs_conn **cpp,
  29. struct ip_vs_iphdr *iph)
  30. {
  31. struct ip_vs_service *svc;
  32. struct udphdr _udph, *uh;
  33. __be16 _ports[2], *ports = NULL;
  34. if (likely(!ip_vs_iph_icmp(iph))) {
  35. /* IPv6 fragments, only first fragment will hit this */
  36. uh = skb_header_pointer(skb, iph->len, sizeof(_udph), &_udph);
  37. if (uh)
  38. ports = &uh->source;
  39. } else {
  40. ports = skb_header_pointer(
  41. skb, iph->len, sizeof(_ports), &_ports);
  42. }
  43. if (!ports) {
  44. *verdict = NF_DROP;
  45. return 0;
  46. }
  47. if (likely(!ip_vs_iph_inverse(iph)))
  48. svc = ip_vs_service_find(ipvs, af, skb->mark, iph->protocol,
  49. &iph->daddr, ports[1]);
  50. else
  51. svc = ip_vs_service_find(ipvs, af, skb->mark, iph->protocol,
  52. &iph->saddr, ports[0]);
  53. if (svc) {
  54. int ignored;
  55. if (ip_vs_todrop(ipvs)) {
  56. /*
  57. * It seems that we are very loaded.
  58. * We have to drop this packet :(
  59. */
  60. *verdict = NF_DROP;
  61. return 0;
  62. }
  63. /*
  64. * Let the virtual server select a real server for the
  65. * incoming connection, and create a connection entry.
  66. */
  67. *cpp = ip_vs_schedule(svc, skb, pd, &ignored, iph);
  68. if (!*cpp && ignored <= 0) {
  69. if (!ignored)
  70. *verdict = ip_vs_leave(svc, skb, pd, iph);
  71. else
  72. *verdict = NF_DROP;
  73. return 0;
  74. }
  75. }
  76. /* NF_ACCEPT */
  77. return 1;
  78. }
  79. static inline void
  80. udp_fast_csum_update(int af, struct udphdr *uhdr,
  81. const union nf_inet_addr *oldip,
  82. const union nf_inet_addr *newip,
  83. __be16 oldport, __be16 newport)
  84. {
  85. #ifdef CONFIG_IP_VS_IPV6
  86. if (af == AF_INET6)
  87. uhdr->check =
  88. csum_fold(ip_vs_check_diff16(oldip->ip6, newip->ip6,
  89. ip_vs_check_diff2(oldport, newport,
  90. ~csum_unfold(uhdr->check))));
  91. else
  92. #endif
  93. uhdr->check =
  94. csum_fold(ip_vs_check_diff4(oldip->ip, newip->ip,
  95. ip_vs_check_diff2(oldport, newport,
  96. ~csum_unfold(uhdr->check))));
  97. if (!uhdr->check)
  98. uhdr->check = CSUM_MANGLED_0;
  99. }
  100. static inline void
  101. udp_partial_csum_update(int af, struct udphdr *uhdr,
  102. const union nf_inet_addr *oldip,
  103. const union nf_inet_addr *newip,
  104. __be16 oldlen, __be16 newlen)
  105. {
  106. #ifdef CONFIG_IP_VS_IPV6
  107. if (af == AF_INET6)
  108. uhdr->check =
  109. ~csum_fold(ip_vs_check_diff16(oldip->ip6, newip->ip6,
  110. ip_vs_check_diff2(oldlen, newlen,
  111. csum_unfold(uhdr->check))));
  112. else
  113. #endif
  114. uhdr->check =
  115. ~csum_fold(ip_vs_check_diff4(oldip->ip, newip->ip,
  116. ip_vs_check_diff2(oldlen, newlen,
  117. csum_unfold(uhdr->check))));
  118. }
  119. INDIRECT_CALLABLE_SCOPE int
  120. udp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
  121. struct ip_vs_conn *cp, struct ip_vs_iphdr *iph)
  122. {
  123. struct udphdr *udph;
  124. unsigned int udphoff = iph->len;
  125. bool payload_csum = false;
  126. int oldlen;
  127. #ifdef CONFIG_IP_VS_IPV6
  128. if (cp->af == AF_INET6 && iph->fragoffs)
  129. return 1;
  130. #endif
  131. oldlen = skb->len - udphoff;
  132. /* csum_check requires unshared skb */
  133. if (skb_ensure_writable(skb, udphoff + sizeof(*udph)))
  134. return 0;
  135. if (unlikely(cp->app != NULL)) {
  136. int ret;
  137. /* Some checks before mangling */
  138. if (!udp_csum_check(cp->af, skb, pp))
  139. return 0;
  140. /*
  141. * Call application helper if needed
  142. */
  143. if (!(ret = ip_vs_app_pkt_out(cp, skb, iph)))
  144. return 0;
  145. /* ret=2: csum update is needed after payload mangling */
  146. if (ret == 1)
  147. oldlen = skb->len - udphoff;
  148. else
  149. payload_csum = true;
  150. }
  151. udph = (void *)skb_network_header(skb) + udphoff;
  152. udph->source = cp->vport;
  153. /*
  154. * Adjust UDP checksums
  155. */
  156. if (skb->ip_summed == CHECKSUM_PARTIAL) {
  157. udp_partial_csum_update(cp->af, udph, &cp->daddr, &cp->vaddr,
  158. htons(oldlen),
  159. htons(skb->len - udphoff));
  160. } else if (!payload_csum && (udph->check != 0)) {
  161. /* Only port and addr are changed, do fast csum update */
  162. udp_fast_csum_update(cp->af, udph, &cp->daddr, &cp->vaddr,
  163. cp->dport, cp->vport);
  164. if (skb->ip_summed == CHECKSUM_COMPLETE)
  165. skb->ip_summed = cp->app ?
  166. CHECKSUM_UNNECESSARY : CHECKSUM_NONE;
  167. } else {
  168. /* full checksum calculation */
  169. udph->check = 0;
  170. skb->csum = skb_checksum(skb, udphoff, skb->len - udphoff, 0);
  171. #ifdef CONFIG_IP_VS_IPV6
  172. if (cp->af == AF_INET6)
  173. udph->check = csum_ipv6_magic(&cp->vaddr.in6,
  174. &cp->caddr.in6,
  175. skb->len - udphoff,
  176. cp->protocol, skb->csum);
  177. else
  178. #endif
  179. udph->check = csum_tcpudp_magic(cp->vaddr.ip,
  180. cp->caddr.ip,
  181. skb->len - udphoff,
  182. cp->protocol,
  183. skb->csum);
  184. if (udph->check == 0)
  185. udph->check = CSUM_MANGLED_0;
  186. skb->ip_summed = CHECKSUM_UNNECESSARY;
  187. IP_VS_DBG(11, "O-pkt: %s O-csum=%d (+%zd)\n",
  188. pp->name, udph->check,
  189. (char*)&(udph->check) - (char*)udph);
  190. }
  191. return 1;
  192. }
  193. static int
  194. udp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
  195. struct ip_vs_conn *cp, struct ip_vs_iphdr *iph)
  196. {
  197. struct udphdr *udph;
  198. unsigned int udphoff = iph->len;
  199. bool payload_csum = false;
  200. int oldlen;
  201. #ifdef CONFIG_IP_VS_IPV6
  202. if (cp->af == AF_INET6 && iph->fragoffs)
  203. return 1;
  204. #endif
  205. oldlen = skb->len - udphoff;
  206. /* csum_check requires unshared skb */
  207. if (skb_ensure_writable(skb, udphoff + sizeof(*udph)))
  208. return 0;
  209. if (unlikely(cp->app != NULL)) {
  210. int ret;
  211. /* Some checks before mangling */
  212. if (!udp_csum_check(cp->af, skb, pp))
  213. return 0;
  214. /*
  215. * Attempt ip_vs_app call.
  216. * It will fix ip_vs_conn
  217. */
  218. if (!(ret = ip_vs_app_pkt_in(cp, skb, iph)))
  219. return 0;
  220. /* ret=2: csum update is needed after payload mangling */
  221. if (ret == 1)
  222. oldlen = skb->len - udphoff;
  223. else
  224. payload_csum = true;
  225. }
  226. udph = (void *)skb_network_header(skb) + udphoff;
  227. udph->dest = cp->dport;
  228. /*
  229. * Adjust UDP checksums
  230. */
  231. if (skb->ip_summed == CHECKSUM_PARTIAL) {
  232. udp_partial_csum_update(cp->af, udph, &cp->vaddr, &cp->daddr,
  233. htons(oldlen),
  234. htons(skb->len - udphoff));
  235. } else if (!payload_csum && (udph->check != 0)) {
  236. /* Only port and addr are changed, do fast csum update */
  237. udp_fast_csum_update(cp->af, udph, &cp->vaddr, &cp->daddr,
  238. cp->vport, cp->dport);
  239. if (skb->ip_summed == CHECKSUM_COMPLETE)
  240. skb->ip_summed = cp->app ?
  241. CHECKSUM_UNNECESSARY : CHECKSUM_NONE;
  242. } else {
  243. /* full checksum calculation */
  244. udph->check = 0;
  245. skb->csum = skb_checksum(skb, udphoff, skb->len - udphoff, 0);
  246. #ifdef CONFIG_IP_VS_IPV6
  247. if (cp->af == AF_INET6)
  248. udph->check = csum_ipv6_magic(&cp->caddr.in6,
  249. &cp->daddr.in6,
  250. skb->len - udphoff,
  251. cp->protocol, skb->csum);
  252. else
  253. #endif
  254. udph->check = csum_tcpudp_magic(cp->caddr.ip,
  255. cp->daddr.ip,
  256. skb->len - udphoff,
  257. cp->protocol,
  258. skb->csum);
  259. if (udph->check == 0)
  260. udph->check = CSUM_MANGLED_0;
  261. skb->ip_summed = CHECKSUM_UNNECESSARY;
  262. }
  263. return 1;
  264. }
  265. static int
  266. udp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp)
  267. {
  268. struct udphdr _udph, *uh;
  269. unsigned int udphoff;
  270. #ifdef CONFIG_IP_VS_IPV6
  271. if (af == AF_INET6)
  272. udphoff = sizeof(struct ipv6hdr);
  273. else
  274. #endif
  275. udphoff = ip_hdrlen(skb);
  276. uh = skb_header_pointer(skb, udphoff, sizeof(_udph), &_udph);
  277. if (uh == NULL)
  278. return 0;
  279. if (uh->check != 0) {
  280. switch (skb->ip_summed) {
  281. case CHECKSUM_NONE:
  282. skb->csum = skb_checksum(skb, udphoff,
  283. skb->len - udphoff, 0);
  284. /* fall through */
  285. case CHECKSUM_COMPLETE:
  286. #ifdef CONFIG_IP_VS_IPV6
  287. if (af == AF_INET6) {
  288. if (csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
  289. &ipv6_hdr(skb)->daddr,
  290. skb->len - udphoff,
  291. ipv6_hdr(skb)->nexthdr,
  292. skb->csum)) {
  293. IP_VS_DBG_RL_PKT(0, af, pp, skb, 0,
  294. "Failed checksum for");
  295. return 0;
  296. }
  297. } else
  298. #endif
  299. if (csum_tcpudp_magic(ip_hdr(skb)->saddr,
  300. ip_hdr(skb)->daddr,
  301. skb->len - udphoff,
  302. ip_hdr(skb)->protocol,
  303. skb->csum)) {
  304. IP_VS_DBG_RL_PKT(0, af, pp, skb, 0,
  305. "Failed checksum for");
  306. return 0;
  307. }
  308. break;
  309. default:
  310. /* No need to checksum. */
  311. break;
  312. }
  313. }
  314. return 1;
  315. }
  316. static inline __u16 udp_app_hashkey(__be16 port)
  317. {
  318. return (((__force u16)port >> UDP_APP_TAB_BITS) ^ (__force u16)port)
  319. & UDP_APP_TAB_MASK;
  320. }
  321. static int udp_register_app(struct netns_ipvs *ipvs, struct ip_vs_app *inc)
  322. {
  323. struct ip_vs_app *i;
  324. __u16 hash;
  325. __be16 port = inc->port;
  326. int ret = 0;
  327. struct ip_vs_proto_data *pd = ip_vs_proto_data_get(ipvs, IPPROTO_UDP);
  328. hash = udp_app_hashkey(port);
  329. list_for_each_entry(i, &ipvs->udp_apps[hash], p_list) {
  330. if (i->port == port) {
  331. ret = -EEXIST;
  332. goto out;
  333. }
  334. }
  335. list_add_rcu(&inc->p_list, &ipvs->udp_apps[hash]);
  336. atomic_inc(&pd->appcnt);
  337. out:
  338. return ret;
  339. }
  340. static void
  341. udp_unregister_app(struct netns_ipvs *ipvs, struct ip_vs_app *inc)
  342. {
  343. struct ip_vs_proto_data *pd = ip_vs_proto_data_get(ipvs, IPPROTO_UDP);
  344. atomic_dec(&pd->appcnt);
  345. list_del_rcu(&inc->p_list);
  346. }
  347. static int udp_app_conn_bind(struct ip_vs_conn *cp)
  348. {
  349. struct netns_ipvs *ipvs = cp->ipvs;
  350. int hash;
  351. struct ip_vs_app *inc;
  352. int result = 0;
  353. /* Default binding: bind app only for NAT */
  354. if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
  355. return 0;
  356. /* Lookup application incarnations and bind the right one */
  357. hash = udp_app_hashkey(cp->vport);
  358. list_for_each_entry_rcu(inc, &ipvs->udp_apps[hash], p_list) {
  359. if (inc->port == cp->vport) {
  360. if (unlikely(!ip_vs_app_inc_get(inc)))
  361. break;
  362. IP_VS_DBG_BUF(9, "%s(): Binding conn %s:%u->"
  363. "%s:%u to app %s on port %u\n",
  364. __func__,
  365. IP_VS_DBG_ADDR(cp->af, &cp->caddr),
  366. ntohs(cp->cport),
  367. IP_VS_DBG_ADDR(cp->af, &cp->vaddr),
  368. ntohs(cp->vport),
  369. inc->name, ntohs(inc->port));
  370. cp->app = inc;
  371. if (inc->init_conn)
  372. result = inc->init_conn(inc, cp);
  373. break;
  374. }
  375. }
  376. return result;
  377. }
  378. static const int udp_timeouts[IP_VS_UDP_S_LAST+1] = {
  379. [IP_VS_UDP_S_NORMAL] = 5*60*HZ,
  380. [IP_VS_UDP_S_LAST] = 2*HZ,
  381. };
  382. static const char *const udp_state_name_table[IP_VS_UDP_S_LAST+1] = {
  383. [IP_VS_UDP_S_NORMAL] = "UDP",
  384. [IP_VS_UDP_S_LAST] = "BUG!",
  385. };
  386. static const char * udp_state_name(int state)
  387. {
  388. if (state >= IP_VS_UDP_S_LAST)
  389. return "ERR!";
  390. return udp_state_name_table[state] ? udp_state_name_table[state] : "?";
  391. }
  392. static void
  393. udp_state_transition(struct ip_vs_conn *cp, int direction,
  394. const struct sk_buff *skb,
  395. struct ip_vs_proto_data *pd)
  396. {
  397. if (unlikely(!pd)) {
  398. pr_err("UDP no ns data\n");
  399. return;
  400. }
  401. cp->timeout = pd->timeout_table[IP_VS_UDP_S_NORMAL];
  402. if (direction == IP_VS_DIR_OUTPUT)
  403. ip_vs_control_assure_ct(cp);
  404. }
  405. static int __udp_init(struct netns_ipvs *ipvs, struct ip_vs_proto_data *pd)
  406. {
  407. ip_vs_init_hash_table(ipvs->udp_apps, UDP_APP_TAB_SIZE);
  408. pd->timeout_table = ip_vs_create_timeout_table((int *)udp_timeouts,
  409. sizeof(udp_timeouts));
  410. if (!pd->timeout_table)
  411. return -ENOMEM;
  412. return 0;
  413. }
  414. static void __udp_exit(struct netns_ipvs *ipvs, struct ip_vs_proto_data *pd)
  415. {
  416. kfree(pd->timeout_table);
  417. }
  418. struct ip_vs_protocol ip_vs_protocol_udp = {
  419. .name = "UDP",
  420. .protocol = IPPROTO_UDP,
  421. .num_states = IP_VS_UDP_S_LAST,
  422. .dont_defrag = 0,
  423. .init = NULL,
  424. .exit = NULL,
  425. .init_netns = __udp_init,
  426. .exit_netns = __udp_exit,
  427. .conn_schedule = udp_conn_schedule,
  428. .conn_in_get = ip_vs_conn_in_get_proto,
  429. .conn_out_get = ip_vs_conn_out_get_proto,
  430. .snat_handler = udp_snat_handler,
  431. .dnat_handler = udp_dnat_handler,
  432. .state_transition = udp_state_transition,
  433. .state_name = udp_state_name,
  434. .register_app = udp_register_app,
  435. .unregister_app = udp_unregister_app,
  436. .app_conn_bind = udp_app_conn_bind,
  437. .debug_packet = ip_vs_tcpudp_debug_packet,
  438. .timeout_change = NULL,
  439. };