ipvs: netfilter connection tracking changes

Add more code to IPVS to work with Netfilter connection tracking and fix some problems. - Allow IPVS to be compiled without connection tracking as in 2.6.35 and before. This can avoid keeping conntracks for all IPVS connections because this costs memory. ip_vs_ftp still depends on connection tracking and NAT as implemented for 2.6.36. - Add sysctl var "conntrack" to enable connection tracking for all IPVS connections. For loaded IPVS directors it needs tuning of nf_conntrack_max limit. - Add IP_VS_CONN_F_NFCT connection flag to request the connection to use connection tracking. This allows user space to provide this flag, for example, in dest->conn_flags. This can be useful to request connection tracking per real server instead of forcing it for all connections with the "conntrack" sysctl. This flag is set currently only by ip_vs_ftp and of course by "conntrack" sysctl. - Add ip_vs_nfct.c file to hold all connection tracking code, by this way main code should not depend of netfilter conntrack support. - Return back the ip_vs_post_routing handler as in 2.6.35 and use skb->ipvs_property=1 to allow IPVS to work without connection tracking Connection tracking: - most of the code is already in 2.6.36-rc - alter conntrack reply tuple for LVS-NAT connections when first packet from client is forwarded and conntrack state is NEW or RELATED. Additionally, alter reply for RELATED connections from real server, again for packet in original direction. - add IP_VS_XMIT_TUNNEL to confirm conntrack (without altering reply) for LVS-TUN early because we want to call nf_reset. It is needed because we add IPIP header and the original conntrack should be preserved, not destroyed. The transmitted IPIP packets can reuse same conntrack, so we do not set skb->ipvs_property. - try to destroy conntrack when the IPVS connection is destroyed. It is not fatal if conntrack disappears before that, it depends on the used timers. Fix problems from long time: - add skb->ip_summed = CHECKSUM_NONE for the LVS-TUN transmitters Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Julian Anastasov <ja@ssi.bg> 2010-09-21 11:35:41 -0400
committer: Patrick McHardy <kaber@trash.net> 2010-09-21 11:35:41 -0400
commit: f4bc17cdd205ebaa3807c2aa973719bb5ce6a5b2 (patch)
tree: c2bbaf2251ba91f4951f6614a9475e04fdec790e /include
parent: 3575792e005dc9994f15ae72c1c6f401d134177d (diff)
2 files changed, 45 insertions, 1 deletions
diff --git a/include/linux/ip_vs.h b/include/linux/ip_vs.h
index 003d75f6ffe1..df7728613720 100644
--- a/include/linux/ip_vs.h
+++ b/include/linux/ip_vs.h
@@ -90,10 +90,12 @@
 #define IP_VS_CONN_F_ONE_PACKET 0x2000          /* forward only one packet */
 /* Flags that are not sent to backup server start from bit 16 */
+#define IP_VS_CONN_F_NFCT       (1 << 16)       /* use netfilter conntrack */
 /* Connection flags from destination that can be changed by user space */
 #define IP_VS_CONN_F_DEST_MASK (IP_VS_CONN_F_FWD_MASK | \
                                IP_VS_CONN_F_ONE_PACKET | \
+                                IP_VS_CONN_F_NFCT | \
                                0)
 #define IP_VS_SCHEDNAME_MAXLEN  16
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index 62698a9c1631..e8ec5231eae9 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -25,7 +25,9 @@
 #include <linux/ip.h>
 #include <linux/ipv6.h>                 /* for struct ipv6hdr */
 #include <net/ipv6.h>                   /* for ipv6_addr_copy */
+#ifdef CONFIG_IP_VS_NFCT
+#include <net/netfilter/nf_conntrack.h>
+#endif
 /* Connections' size value needed by ip_vs_ctl.c */
 extern int ip_vs_conn_tab_size;
@@ -798,6 +800,7 @@ extern int sysctl_ip_vs_expire_nodest_conn;
 extern int sysctl_ip_vs_expire_quiescent_template;
 extern int sysctl_ip_vs_sync_threshold[2];
 extern int sysctl_ip_vs_nat_icmp_send;
+extern int sysctl_ip_vs_conntrack;
 extern struct ip_vs_stats ip_vs_stats;
 extern const struct ctl_path net_vs_ctl_path[];
@@ -955,8 +958,47 @@ static inline __wsum ip_vs_check_diff2(__be16 old, __be16 new, __wsum oldsum)
        return csum_partial(diff, sizeof(diff), oldsum);
 }
+#ifdef CONFIG_IP_VS_NFCT
+/*
+ *      Netfilter connection tracking
+ *      (from ip_vs_nfct.c)
+ */
+static inline int ip_vs_conntrack_enabled(void)
+{
+        return sysctl_ip_vs_conntrack;
+}
 extern void ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp,
                                   int outin);
+extern int ip_vs_confirm_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp);
+extern void ip_vs_nfct_expect_related(struct sk_buff *skb, struct nf_conn *ct,
+                                      struct ip_vs_conn *cp, u_int8_t proto,
+                                      const __be16 port, int from_rs);
+extern void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp);
+#else
+static inline int ip_vs_conntrack_enabled(void)
+{
+        return 0;
+}
+static inline void ip_vs_update_conntrack(struct sk_buff *skb,
+                                          struct ip_vs_conn *cp, int outin)
+{
+}
+static inline int ip_vs_confirm_conntrack(struct sk_buff *skb,
+                                          struct ip_vs_conn *cp)
+{
+        return NF_ACCEPT;
+}
+static inline void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp)
+{
+}
+/* CONFIG_IP_VS_NFCT */
+#endif
 #endif /* __KERNEL__ */
author	Julian Anastasov <ja@ssi.bg>	2010-09-21 11:35:41 -0400
committer	Patrick McHardy <kaber@trash.net>	2010-09-21 11:35:41 -0400
commit	f4bc17cdd205ebaa3807c2aa973719bb5ce6a5b2 (patch)
tree	c2bbaf2251ba91f4951f6614a9475e04fdec790e /include
parent	3575792e005dc9994f15ae72c1c6f401d134177d (diff)

diff --git a/include/linux/ip_vs.h b/include/linux/ip_vs.h index 003d75f6ffe1..df7728613720 100644 --- a/include/linux/ip_vs.h +++ b/include/linux/ip_vs.h
@@ -90,10 +90,12 @@
90	#define IP_VS_CONN_F_ONE_PACKET 0x2000 /* forward only one packet */	90	#define IP_VS_CONN_F_ONE_PACKET 0x2000 /* forward only one packet */
91		91
92	/* Flags that are not sent to backup server start from bit 16 */	92	/* Flags that are not sent to backup server start from bit 16 */
		93	#define IP_VS_CONN_F_NFCT (1 << 16) /* use netfilter conntrack */
93		94
94	/* Connection flags from destination that can be changed by user space */	95	/* Connection flags from destination that can be changed by user space */
95	#define IP_VS_CONN_F_DEST_MASK (IP_VS_CONN_F_FWD_MASK \| \	96	#define IP_VS_CONN_F_DEST_MASK (IP_VS_CONN_F_FWD_MASK \| \
96	IP_VS_CONN_F_ONE_PACKET \| \	97	IP_VS_CONN_F_ONE_PACKET \| \
		98	IP_VS_CONN_F_NFCT \| \
97	0)	99	0)
98		100
99	#define IP_VS_SCHEDNAME_MAXLEN 16	101	#define IP_VS_SCHEDNAME_MAXLEN 16


diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h index 62698a9c1631..e8ec5231eae9 100644 --- a/include/net/ip_vs.h +++ b/include/net/ip_vs.h
@@ -25,7 +25,9 @@
25	#include <linux/ip.h>	25	#include <linux/ip.h>
26	#include <linux/ipv6.h> /* for struct ipv6hdr */	26	#include <linux/ipv6.h> /* for struct ipv6hdr */
27	#include <net/ipv6.h> /* for ipv6_addr_copy */	27	#include <net/ipv6.h> /* for ipv6_addr_copy */
28		28	#ifdef CONFIG_IP_VS_NFCT
		29	#include <net/netfilter/nf_conntrack.h>
		30	#endif
29		31
30	/* Connections' size value needed by ip_vs_ctl.c */	32	/* Connections' size value needed by ip_vs_ctl.c */
31	extern int ip_vs_conn_tab_size;	33	extern int ip_vs_conn_tab_size;
@@ -798,6 +800,7 @@ extern int sysctl_ip_vs_expire_nodest_conn;
798	extern int sysctl_ip_vs_expire_quiescent_template;	800	extern int sysctl_ip_vs_expire_quiescent_template;
799	extern int sysctl_ip_vs_sync_threshold[2];	801	extern int sysctl_ip_vs_sync_threshold[2];
800	extern int sysctl_ip_vs_nat_icmp_send;	802	extern int sysctl_ip_vs_nat_icmp_send;
		803	extern int sysctl_ip_vs_conntrack;
801	extern struct ip_vs_stats ip_vs_stats;	804	extern struct ip_vs_stats ip_vs_stats;
802	extern const struct ctl_path net_vs_ctl_path[];	805	extern const struct ctl_path net_vs_ctl_path[];
803		806
@@ -955,8 +958,47 @@ static inline __wsum ip_vs_check_diff2(__be16 old, __be16 new, __wsum oldsum)
955	return csum_partial(diff, sizeof(diff), oldsum);	958	return csum_partial(diff, sizeof(diff), oldsum);
956	}	959	}
957		960
		961	#ifdef CONFIG_IP_VS_NFCT
		962	/*
		963	* Netfilter connection tracking
		964	* (from ip_vs_nfct.c)
		965	*/
		966	static inline int ip_vs_conntrack_enabled(void)
		967	{
		968	return sysctl_ip_vs_conntrack;
		969	}
		970
958	extern void ip_vs_update_conntrack(struct sk_buff skb, struct ip_vs_conn cp,	971	extern void ip_vs_update_conntrack(struct sk_buff skb, struct ip_vs_conn cp,
959	int outin);	972	int outin);
		973	extern int ip_vs_confirm_conntrack(struct sk_buff skb, struct ip_vs_conn cp);
		974	extern void ip_vs_nfct_expect_related(struct sk_buff skb, struct nf_conn ct,
		975	struct ip_vs_conn *cp, u_int8_t proto,
		976	const __be16 port, int from_rs);
		977	extern void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp);
		978
		979	#else
		980
		981	static inline int ip_vs_conntrack_enabled(void)
		982	{
		983	return 0;
		984	}
		985
		986	static inline void ip_vs_update_conntrack(struct sk_buff *skb,
		987	struct ip_vs_conn *cp, int outin)
		988	{
		989	}
		990
		991	static inline int ip_vs_confirm_conntrack(struct sk_buff *skb,
		992	struct ip_vs_conn *cp)
		993	{
		994	return NF_ACCEPT;
		995	}
		996
		997	static inline void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp)
		998	{
		999	}
		1000	/* CONFIG_IP_VS_NFCT */
		1001	#endif
960		1002
961	#endif /* __KERNEL__ */	1003	#endif /* __KERNEL__ */
962		1004