ipt_CLUSTERIP.c 18.3 KB
Newer Older
1
/* Cluster IP hashmark target
Linus Torvalds's avatar
Linus Torvalds committed
2 3 4 5 6 7 8 9 10 11
 * (C) 2003-2004 by Harald Welte <laforge@netfilter.org>
 * based on ideas of Fabio Olive Leite <olive@unixforge.org>
 *
 * Development of this code funded by SuSE Linux AG, http://www.suse.com/
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 */
12
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
Linus Torvalds's avatar
Linus Torvalds committed
13 14 15
#include <linux/module.h>
#include <linux/proc_fs.h>
#include <linux/jhash.h>
16
#include <linux/bitops.h>
Linus Torvalds's avatar
Linus Torvalds committed
17
#include <linux/skbuff.h>
18
#include <linux/slab.h>
Linus Torvalds's avatar
Linus Torvalds committed
19 20 21 22 23 24 25
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/icmp.h>
#include <linux/if_arp.h>
#include <linux/seq_file.h>
#include <linux/netfilter_arp.h>
26
#include <linux/netfilter/x_tables.h>
Linus Torvalds's avatar
Linus Torvalds committed
27 28
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
29
#include <net/netfilter/nf_conntrack.h>
30
#include <net/net_namespace.h>
31
#include <net/checksum.h>
Linus Torvalds's avatar
Linus Torvalds committed
32

33
#define CLUSTERIP_VERSION "0.8"
Linus Torvalds's avatar
Linus Torvalds committed
34 35 36

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
37
MODULE_DESCRIPTION("Xtables: CLUSTERIP target");
Linus Torvalds's avatar
Linus Torvalds committed
38 39 40 41

struct clusterip_config {
	struct list_head list;			/* list of all configs */
	atomic_t refcount;			/* reference count */
42 43
	atomic_t entries;			/* number of entries/rules
						 * referencing us */
Linus Torvalds's avatar
Linus Torvalds committed
44

Al Viro's avatar
Al Viro committed
45
	__be32 clusterip;			/* the IP address */
Linus Torvalds's avatar
Linus Torvalds committed
46 47 48
	u_int8_t clustermac[ETH_ALEN];		/* the MAC address */
	struct net_device *dev;			/* device */
	u_int16_t num_total_nodes;		/* total number of nodes */
49
	unsigned long local_nodes;		/* node number array */
Linus Torvalds's avatar
Linus Torvalds committed
50 51 52 53 54 55

#ifdef CONFIG_PROC_FS
	struct proc_dir_entry *pde;		/* proc dir entry */
#endif
	enum clusterip_hashmode hash_mode;	/* which hashing mode */
	u_int32_t hash_initval;			/* hash initialization */
56
	struct rcu_head rcu;
Linus Torvalds's avatar
Linus Torvalds committed
57 58 59 60
};

static LIST_HEAD(clusterip_configs);

61
/* clusterip_lock protects the clusterip_configs list */
62
static DEFINE_SPINLOCK(clusterip_lock);
Linus Torvalds's avatar
Linus Torvalds committed
63 64

#ifdef CONFIG_PROC_FS
65
static const struct file_operations clusterip_proc_fops;
Linus Torvalds's avatar
Linus Torvalds committed
66 67 68 69
static struct proc_dir_entry *clusterip_procdir;
#endif

static inline void
70 71
clusterip_config_get(struct clusterip_config *c)
{
Linus Torvalds's avatar
Linus Torvalds committed
72 73 74
	atomic_inc(&c->refcount);
}

75 76 77 78 79 80

static void clusterip_config_rcu_free(struct rcu_head *head)
{
	kfree(container_of(head, struct clusterip_config, rcu));
}

Linus Torvalds's avatar
Linus Torvalds committed
81
static inline void
82 83 84
clusterip_config_put(struct clusterip_config *c)
{
	if (atomic_dec_and_test(&c->refcount))
85
		call_rcu_bh(&c->rcu, clusterip_config_rcu_free);
86 87 88 89 90 91 92 93
}

/* decrease the count of entries using/referencing this config.  If last
 * entry(rule) is removed, remove the config from lists, but don't free it
 * yet, since proc-files could still be holding references */
static inline void
clusterip_config_entry_put(struct clusterip_config *c)
{
94 95 96 97 98
	local_bh_disable();
	if (atomic_dec_and_lock(&c->entries, &clusterip_lock)) {
		list_del_rcu(&c->list);
		spin_unlock(&clusterip_lock);
		local_bh_enable();
99

100
		dev_mc_del(c->dev, c->clustermac);
Linus Torvalds's avatar
Linus Torvalds committed
101
		dev_put(c->dev);
102 103 104 105 106 107 108

		/* In case anyone still accesses the file, the open/close
		 * functions are also incrementing the refcount on their own,
		 * so it's safe to remove the entry even if it's in use. */
#ifdef CONFIG_PROC_FS
		remove_proc_entry(c->pde->name, c->pde->parent);
#endif
109
		return;
Linus Torvalds's avatar
Linus Torvalds committed
110
	}
111
	local_bh_enable();
Linus Torvalds's avatar
Linus Torvalds committed
112 113 114
}

static struct clusterip_config *
Al Viro's avatar
Al Viro committed
115
__clusterip_config_find(__be32 clusterip)
Linus Torvalds's avatar
Linus Torvalds committed
116
{
117
	struct clusterip_config *c;
Linus Torvalds's avatar
Linus Torvalds committed
118

119
	list_for_each_entry_rcu(c, &clusterip_configs, list) {
120
		if (c->clusterip == clusterip)
Linus Torvalds's avatar
Linus Torvalds committed
121 122 123 124 125 126 127
			return c;
	}

	return NULL;
}

static inline struct clusterip_config *
Al Viro's avatar
Al Viro committed
128
clusterip_config_find_get(__be32 clusterip, int entry)
Linus Torvalds's avatar
Linus Torvalds committed
129 130 131
{
	struct clusterip_config *c;

132
	rcu_read_lock_bh();
Linus Torvalds's avatar
Linus Torvalds committed
133
	c = __clusterip_config_find(clusterip);
134 135 136 137 138
	if (c) {
		if (unlikely(!atomic_inc_not_zero(&c->refcount)))
			c = NULL;
		else if (entry)
			atomic_inc(&c->entries);
Linus Torvalds's avatar
Linus Torvalds committed
139
	}
140
	rcu_read_unlock_bh();
Linus Torvalds's avatar
Linus Torvalds committed
141 142 143 144

	return c;
}

145 146 147 148 149 150
static void
clusterip_config_init_nodelist(struct clusterip_config *c,
			       const struct ipt_clusterip_tgt_info *i)
{
	int n;

151
	for (n = 0; n < i->num_local_nodes; n++)
152 153 154
		set_bit(i->local_nodes[n] - 1, &c->local_nodes);
}

Linus Torvalds's avatar
Linus Torvalds committed
155
static struct clusterip_config *
156
clusterip_config_init(const struct ipt_clusterip_tgt_info *i, __be32 ip,
Linus Torvalds's avatar
Linus Torvalds committed
157 158 159 160
			struct net_device *dev)
{
	struct clusterip_config *c;

161
	c = kzalloc(sizeof(*c), GFP_ATOMIC);
Linus Torvalds's avatar
Linus Torvalds committed
162 163 164 165 166 167 168
	if (!c)
		return NULL;

	c->dev = dev;
	c->clusterip = ip;
	memcpy(&c->clustermac, &i->clustermac, ETH_ALEN);
	c->num_total_nodes = i->num_total_nodes;
169
	clusterip_config_init_nodelist(c, i);
Linus Torvalds's avatar
Linus Torvalds committed
170 171 172
	c->hash_mode = i->hash_mode;
	c->hash_initval = i->hash_initval;
	atomic_set(&c->refcount, 1);
173
	atomic_set(&c->entries, 1);
Linus Torvalds's avatar
Linus Torvalds committed
174 175

#ifdef CONFIG_PROC_FS
176 177 178 179
	{
		char buffer[16];

		/* create proc dir entry */
180
		sprintf(buffer, "%pI4", &ip);
181 182 183
		c->pde = proc_create_data(buffer, S_IWUSR|S_IRUSR,
					  clusterip_procdir,
					  &clusterip_proc_fops, c);
184 185 186 187
		if (!c->pde) {
			kfree(c);
			return NULL;
		}
Linus Torvalds's avatar
Linus Torvalds committed
188 189 190
	}
#endif

191 192 193
	spin_lock_bh(&clusterip_lock);
	list_add_rcu(&c->list, &clusterip_configs);
	spin_unlock_bh(&clusterip_lock);
Linus Torvalds's avatar
Linus Torvalds committed
194 195 196 197

	return c;
}

198
#ifdef CONFIG_PROC_FS
Linus Torvalds's avatar
Linus Torvalds committed
199 200 201 202
static int
clusterip_add_node(struct clusterip_config *c, u_int16_t nodenum)
{

203 204
	if (nodenum == 0 ||
	    nodenum > c->num_total_nodes)
Linus Torvalds's avatar
Linus Torvalds committed
205 206
		return 1;

207 208 209
	/* check if we already have this number in our bitfield */
	if (test_and_set_bit(nodenum - 1, &c->local_nodes))
		return 1;
Linus Torvalds's avatar
Linus Torvalds committed
210 211 212 213

	return 0;
}

214
static bool
Linus Torvalds's avatar
Linus Torvalds committed
215 216
clusterip_del_node(struct clusterip_config *c, u_int16_t nodenum)
{
217 218
	if (nodenum == 0 ||
	    nodenum > c->num_total_nodes)
219
		return true;
220

221
	if (test_and_clear_bit(nodenum - 1, &c->local_nodes))
222
		return false;
Linus Torvalds's avatar
Linus Torvalds committed
223

224
	return true;
Linus Torvalds's avatar
Linus Torvalds committed
225
}
226
#endif
Linus Torvalds's avatar
Linus Torvalds committed
227 228

static inline u_int32_t
229 230
clusterip_hashfn(const struct sk_buff *skb,
		 const struct clusterip_config *config)
Linus Torvalds's avatar
Linus Torvalds committed
231
{
232
	const struct iphdr *iph = ip_hdr(skb);
Linus Torvalds's avatar
Linus Torvalds committed
233 234
	unsigned long hashval;
	u_int16_t sport, dport;
235
	const u_int16_t *ports;
Linus Torvalds's avatar
Linus Torvalds committed
236 237 238 239

	switch (iph->protocol) {
	case IPPROTO_TCP:
	case IPPROTO_UDP:
240
	case IPPROTO_UDPLITE:
241 242
	case IPPROTO_SCTP:
	case IPPROTO_DCCP:
Linus Torvalds's avatar
Linus Torvalds committed
243
	case IPPROTO_ICMP:
244
		ports = (const void *)iph+iph->ihl*4;
245 246
		sport = ports[0];
		dport = ports[1];
Linus Torvalds's avatar
Linus Torvalds committed
247 248
		break;
	default:
249
		if (net_ratelimit())
250
			pr_info("unknown protocol %u\n", iph->protocol);
Linus Torvalds's avatar
Linus Torvalds committed
251 252 253 254 255 256 257 258 259
		sport = dport = 0;
	}

	switch (config->hash_mode) {
	case CLUSTERIP_HASHMODE_SIP:
		hashval = jhash_1word(ntohl(iph->saddr),
				      config->hash_initval);
		break;
	case CLUSTERIP_HASHMODE_SIP_SPT:
260
		hashval = jhash_2words(ntohl(iph->saddr), sport,
Linus Torvalds's avatar
Linus Torvalds committed
261 262 263 264 265 266 267 268 269 270 271
				       config->hash_initval);
		break;
	case CLUSTERIP_HASHMODE_SIP_SPT_DPT:
		hashval = jhash_3words(ntohl(iph->saddr), sport, dport,
				       config->hash_initval);
		break;
	default:
		/* to make gcc happy */
		hashval = 0;
		/* This cannot happen, unless the check function wasn't called
		 * at rule load time */
272
		pr_info("unknown mode %u\n", config->hash_mode);
Linus Torvalds's avatar
Linus Torvalds committed
273 274 275 276 277
		BUG();
		break;
	}

	/* node numbers are 1..n, not 0..n */
278
	return (((u64)hashval * config->num_total_nodes) >> 32) + 1;
Linus Torvalds's avatar
Linus Torvalds committed
279 280 281
}

static inline int
282
clusterip_responsible(const struct clusterip_config *config, u_int32_t hash)
Linus Torvalds's avatar
Linus Torvalds committed
283
{
284
	return test_bit(hash - 1, &config->local_nodes);
Linus Torvalds's avatar
Linus Torvalds committed
285 286
}

287 288
/***********************************************************************
 * IPTABLES TARGET
Linus Torvalds's avatar
Linus Torvalds committed
289 290 291
 ***********************************************************************/

static unsigned int
292
clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
Linus Torvalds's avatar
Linus Torvalds committed
293
{
294
	const struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
295
	struct nf_conn *ct;
Linus Torvalds's avatar
Linus Torvalds committed
296
	enum ip_conntrack_info ctinfo;
297
	u_int32_t hash;
Linus Torvalds's avatar
Linus Torvalds committed
298 299 300 301 302

	/* don't need to clusterip_config_get() here, since refcount
	 * is only decremented by destroy() - and ip_tables guarantees
	 * that the ->target() function isn't called after ->destroy() */

303
	ct = nf_ct_get(skb, &ctinfo);
304
	if (ct == NULL) {
305
		pr_info("no conntrack!\n");
Linus Torvalds's avatar
Linus Torvalds committed
306
			/* FIXME: need to drop invalid ones, since replies
307
			 * to outgoing connections of other nodes will be
Linus Torvalds's avatar
Linus Torvalds committed
308 309 310 311 312 313
			 * marked as INVALID */
		return NF_DROP;
	}

	/* special case: ICMP error handling. conntrack distinguishes between
	 * error messages (RELATED) and information requests (see below) */
314 315 316
	if (ip_hdr(skb)->protocol == IPPROTO_ICMP &&
	    (ctinfo == IP_CT_RELATED ||
	     ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY))
317
		return XT_CONTINUE;
Linus Torvalds's avatar
Linus Torvalds committed
318

319
	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
Linus Torvalds's avatar
Linus Torvalds committed
320 321 322
	 * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
	 * on, which all have an ID field [relevant for hashing]. */

323
	hash = clusterip_hashfn(skb, cipinfo->config);
Linus Torvalds's avatar
Linus Torvalds committed
324 325 326

	switch (ctinfo) {
		case IP_CT_NEW:
327
			ct->mark = hash;
Linus Torvalds's avatar
Linus Torvalds committed
328 329 330 331 332 333 334 335 336 337 338 339 340
			break;
		case IP_CT_RELATED:
		case IP_CT_RELATED+IP_CT_IS_REPLY:
			/* FIXME: we don't handle expectations at the
			 * moment.  they can arrive on a different node than
			 * the master connection (e.g. FTP passive mode) */
		case IP_CT_ESTABLISHED:
		case IP_CT_ESTABLISHED+IP_CT_IS_REPLY:
			break;
		default:
			break;
	}

341
#ifdef DEBUG
342
	nf_ct_dump_tuple_ip(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
Linus Torvalds's avatar
Linus Torvalds committed
343
#endif
344
	pr_debug("hash=%u ct_hash=%u ", hash, ct->mark);
Linus Torvalds's avatar
Linus Torvalds committed
345
	if (!clusterip_responsible(cipinfo->config, hash)) {
346
		pr_debug("not responsible\n");
Linus Torvalds's avatar
Linus Torvalds committed
347 348
		return NF_DROP;
	}
349
	pr_debug("responsible\n");
Linus Torvalds's avatar
Linus Torvalds committed
350 351 352

	/* despite being received via linklayer multicast, this is
	 * actually a unicast IP packet. TCP doesn't like PACKET_MULTICAST */
353
	skb->pkt_type = PACKET_HOST;
Linus Torvalds's avatar
Linus Torvalds committed
354

355
	return XT_CONTINUE;
Linus Torvalds's avatar
Linus Torvalds committed
356 357
}

358
static int clusterip_tg_check(const struct xt_tgchk_param *par)
Linus Torvalds's avatar
Linus Torvalds committed
359
{
360 361
	struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
	const struct ipt_entry *e = par->entryinfo;
Linus Torvalds's avatar
Linus Torvalds committed
362
	struct clusterip_config *config;
363
	int ret;
Linus Torvalds's avatar
Linus Torvalds committed
364 365 366 367

	if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP &&
	    cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
	    cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) {
368
		pr_info("unknown mode %u\n", cipinfo->hash_mode);
369
		return -EINVAL;
Linus Torvalds's avatar
Linus Torvalds committed
370 371

	}
372 373
	if (e->ip.dmsk.s_addr != htonl(0xffffffff) ||
	    e->ip.dst.s_addr == 0) {
374
		pr_info("Please specify destination IP\n");
375
		return -EINVAL;
Linus Torvalds's avatar
Linus Torvalds committed
376 377 378 379
	}

	/* FIXME: further sanity checks */

380
	config = clusterip_config_find_get(e->ip.dst.s_addr, 1);
381
	if (!config) {
Linus Torvalds's avatar
Linus Torvalds committed
382
		if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) {
383 384
			pr_info("no config found for %pI4, need 'new'\n",
				&e->ip.dst.s_addr);
385
			return -EINVAL;
Linus Torvalds's avatar
Linus Torvalds committed
386 387 388 389
		} else {
			struct net_device *dev;

			if (e->ip.iniface[0] == '\0') {
390
				pr_info("Please specify an interface name\n");
391
				return -EINVAL;
Linus Torvalds's avatar
Linus Torvalds committed
392 393
			}

394
			dev = dev_get_by_name(&init_net, e->ip.iniface);
Linus Torvalds's avatar
Linus Torvalds committed
395
			if (!dev) {
396 397
				pr_info("no such interface %s\n",
					e->ip.iniface);
398
				return -ENOENT;
Linus Torvalds's avatar
Linus Torvalds committed
399 400
			}

401
			config = clusterip_config_init(cipinfo,
Linus Torvalds's avatar
Linus Torvalds committed
402 403
							e->ip.dst.s_addr, dev);
			if (!config) {
404
				pr_info("cannot allocate config\n");
Linus Torvalds's avatar
Linus Torvalds committed
405
				dev_put(dev);
406
				return -ENOMEM;
Linus Torvalds's avatar
Linus Torvalds committed
407
			}
408
			dev_mc_add(config->dev, config->clustermac);
Linus Torvalds's avatar
Linus Torvalds committed
409 410
		}
	}
411
	cipinfo->config = config;
Linus Torvalds's avatar
Linus Torvalds committed
412

413
	ret = nf_ct_l3proto_try_module_get(par->family);
414
	if (ret < 0)
415 416
		pr_info("cannot load conntrack support for proto=%u\n",
			par->family);
417
	return ret;
Linus Torvalds's avatar
Linus Torvalds committed
418 419 420
}

/* drop reference count of cluster config when rule is deleted */
421
static void clusterip_tg_destroy(const struct xt_tgdtor_param *par)
Linus Torvalds's avatar
Linus Torvalds committed
422
{
423
	const struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
Linus Torvalds's avatar
Linus Torvalds committed
424

425 426 427 428
	/* if no more entries are referencing the config, remove it
	 * from the list and destroy the proc entry */
	clusterip_config_entry_put(cipinfo->config);

Linus Torvalds's avatar
Linus Torvalds committed
429
	clusterip_config_put(cipinfo->config);
430

431
	nf_ct_l3proto_module_put(par->family);
Linus Torvalds's avatar
Linus Torvalds committed
432 433
}

434 435 436 437 438 439 440 441 442 443 444 445 446 447
#ifdef CONFIG_COMPAT
struct compat_ipt_clusterip_tgt_info
{
	u_int32_t	flags;
	u_int8_t	clustermac[6];
	u_int16_t	num_total_nodes;
	u_int16_t	num_local_nodes;
	u_int16_t	local_nodes[CLUSTERIP_MAX_NODES];
	u_int32_t	hash_mode;
	u_int32_t	hash_initval;
	compat_uptr_t	config;
};
#endif /* CONFIG_COMPAT */

448
static struct xt_target clusterip_tg_reg __read_mostly = {
449
	.name		= "CLUSTERIP",
450
	.family		= NFPROTO_IPV4,
451 452 453
	.target		= clusterip_tg,
	.checkentry	= clusterip_tg_check,
	.destroy	= clusterip_tg_destroy,
454 455 456 457
	.targetsize	= sizeof(struct ipt_clusterip_tgt_info),
#ifdef CONFIG_COMPAT
	.compatsize	= sizeof(struct compat_ipt_clusterip_tgt_info),
#endif /* CONFIG_COMPAT */
458
	.me		= THIS_MODULE
Linus Torvalds's avatar
Linus Torvalds committed
459 460 461
};


462 463
/***********************************************************************
 * ARP MANGLING CODE
Linus Torvalds's avatar
Linus Torvalds committed
464 465 466 467 468
 ***********************************************************************/

/* hardcoded for 48bit ethernet and 32bit ipv4 addresses */
struct arp_payload {
	u_int8_t src_hw[ETH_ALEN];
Al Viro's avatar
Al Viro committed
469
	__be32 src_ip;
Linus Torvalds's avatar
Linus Torvalds committed
470
	u_int8_t dst_hw[ETH_ALEN];
Al Viro's avatar
Al Viro committed
471
	__be32 dst_ip;
472
} __packed;
Linus Torvalds's avatar
Linus Torvalds committed
473

474
#ifdef DEBUG
475
static void arp_print(struct arp_payload *payload)
Linus Torvalds's avatar
Linus Torvalds committed
476 477 478 479 480 481
{
#define HBUFFERLEN 30
	char hbuffer[HBUFFERLEN];
	int j,k;

	for (k=0, j=0; k < HBUFFERLEN-3 && j < ETH_ALEN; j++) {
482 483
		hbuffer[k++] = hex_asc_hi(payload->src_hw[j]);
		hbuffer[k++] = hex_asc_lo(payload->src_hw[j]);
Linus Torvalds's avatar
Linus Torvalds committed
484 485 486 487
		hbuffer[k++]=':';
	}
	hbuffer[--k]='\0';

488 489
	pr_debug("src %pI4@%s, dst %pI4\n",
		 &payload->src_ip, hbuffer, &payload->dst_ip);
Linus Torvalds's avatar
Linus Torvalds committed
490 491 492 493 494
}
#endif

static unsigned int
arp_mangle(unsigned int hook,
495
	   struct sk_buff *skb,
Linus Torvalds's avatar
Linus Torvalds committed
496 497 498 499
	   const struct net_device *in,
	   const struct net_device *out,
	   int (*okfn)(struct sk_buff *))
{
500
	struct arphdr *arp = arp_hdr(skb);
Linus Torvalds's avatar
Linus Torvalds committed
501 502 503 504
	struct arp_payload *payload;
	struct clusterip_config *c;

	/* we don't care about non-ethernet and non-ipv4 ARP */
505 506 507
	if (arp->ar_hrd != htons(ARPHRD_ETHER) ||
	    arp->ar_pro != htons(ETH_P_IP) ||
	    arp->ar_pln != 4 || arp->ar_hln != ETH_ALEN)
Linus Torvalds's avatar
Linus Torvalds committed
508 509
		return NF_ACCEPT;

510
	/* we only want to mangle arp requests and replies */
511 512
	if (arp->ar_op != htons(ARPOP_REPLY) &&
	    arp->ar_op != htons(ARPOP_REQUEST))
Linus Torvalds's avatar
Linus Torvalds committed
513 514 515 516
		return NF_ACCEPT;

	payload = (void *)(arp+1);

517
	/* if there is no clusterip configuration for the arp reply's
Linus Torvalds's avatar
Linus Torvalds committed
518
	 * source ip, we don't want to mangle it */
519
	c = clusterip_config_find_get(payload->src_ip, 0);
Linus Torvalds's avatar
Linus Torvalds committed
520 521 522
	if (!c)
		return NF_ACCEPT;

523
	/* normally the linux kernel always replies to arp queries of
Linus Torvalds's avatar
Linus Torvalds committed
524 525 526 527
	 * addresses on different interfacs.  However, in the CLUSTERIP case
	 * this wouldn't work, since we didn't subscribe the mcast group on
	 * other interfaces */
	if (c->dev != out) {
528
		pr_debug("not mangling arp reply on different "
529 530
			 "interface: cip'%s'-skb'%s'\n",
			 c->dev->name, out->name);
Linus Torvalds's avatar
Linus Torvalds committed
531 532 533 534 535 536 537
		clusterip_config_put(c);
		return NF_ACCEPT;
	}

	/* mangle reply hardware address */
	memcpy(payload->src_hw, c->clustermac, arp->ar_hln);

538
#ifdef DEBUG
539
	pr_debug("mangled arp reply: ");
Linus Torvalds's avatar
Linus Torvalds committed
540 541 542 543 544 545 546 547
	arp_print(payload);
#endif

	clusterip_config_put(c);

	return NF_ACCEPT;
}

548
static struct nf_hook_ops cip_arp_ops __read_mostly = {
Linus Torvalds's avatar
Linus Torvalds committed
549
	.hook = arp_mangle,
550
	.pf = NFPROTO_ARP,
Linus Torvalds's avatar
Linus Torvalds committed
551 552 553 554
	.hooknum = NF_ARP_OUT,
	.priority = -1
};

555 556
/***********************************************************************
 * PROC DIR HANDLING
Linus Torvalds's avatar
Linus Torvalds committed
557 558 559 560
 ***********************************************************************/

#ifdef CONFIG_PROC_FS

561 562 563 564 565 566 567
struct clusterip_seq_position {
	unsigned int pos;	/* position */
	unsigned int weight;	/* number of bits set == size */
	unsigned int bit;	/* current bit */
	unsigned long val;	/* current value */
};

Linus Torvalds's avatar
Linus Torvalds committed
568 569
static void *clusterip_seq_start(struct seq_file *s, loff_t *pos)
{
570
	struct clusterip_config *c = s->private;
571 572 573 574 575 576 577 578
	unsigned int weight;
	u_int32_t local_nodes;
	struct clusterip_seq_position *idx;

	/* FIXME: possible race */
	local_nodes = c->local_nodes;
	weight = hweight32(local_nodes);
	if (*pos >= weight)
Linus Torvalds's avatar
Linus Torvalds committed
579 580
		return NULL;

581 582
	idx = kmalloc(sizeof(struct clusterip_seq_position), GFP_KERNEL);
	if (!idx)
Linus Torvalds's avatar
Linus Torvalds committed
583 584
		return ERR_PTR(-ENOMEM);

585 586 587 588 589 590 591
	idx->pos = *pos;
	idx->weight = weight;
	idx->bit = ffs(local_nodes);
	idx->val = local_nodes;
	clear_bit(idx->bit - 1, &idx->val);

	return idx;
Linus Torvalds's avatar
Linus Torvalds committed
592 593 594 595
}

static void *clusterip_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
596
	struct clusterip_seq_position *idx = v;
Linus Torvalds's avatar
Linus Torvalds committed
597

598 599
	*pos = ++idx->pos;
	if (*pos >= idx->weight) {
Linus Torvalds's avatar
Linus Torvalds committed
600 601 602
		kfree(v);
		return NULL;
	}
603 604 605
	idx->bit = ffs(idx->val);
	clear_bit(idx->bit - 1, &idx->val);
	return idx;
Linus Torvalds's avatar
Linus Torvalds committed
606 607 608 609
}

static void clusterip_seq_stop(struct seq_file *s, void *v)
{
610 611
	if (!IS_ERR(v))
		kfree(v);
Linus Torvalds's avatar
Linus Torvalds committed
612 613 614 615
}

static int clusterip_seq_show(struct seq_file *s, void *v)
{
616
	struct clusterip_seq_position *idx = v;
Linus Torvalds's avatar
Linus Torvalds committed
617

618
	if (idx->pos != 0)
Linus Torvalds's avatar
Linus Torvalds committed
619 620
		seq_putc(s, ',');

621 622 623
	seq_printf(s, "%u", idx->bit);

	if (idx->pos == idx->weight - 1)
Linus Torvalds's avatar
Linus Torvalds committed
624 625 626 627 628
		seq_putc(s, '\n');

	return 0;
}

629
static const struct seq_operations clusterip_seq_ops = {
Linus Torvalds's avatar
Linus Torvalds committed
630 631 632 633 634 635 636 637 638 639 640 641
	.start	= clusterip_seq_start,
	.next	= clusterip_seq_next,
	.stop	= clusterip_seq_stop,
	.show	= clusterip_seq_show,
};

static int clusterip_proc_open(struct inode *inode, struct file *file)
{
	int ret = seq_open(file, &clusterip_seq_ops);

	if (!ret) {
		struct seq_file *sf = file->private_data;
642
		struct clusterip_config *c = PDE(inode)->data;
Linus Torvalds's avatar
Linus Torvalds committed
643

644
		sf->private = c;
Linus Torvalds's avatar
Linus Torvalds committed
645 646 647 648 649 650 651 652 653

		clusterip_config_get(c);
	}

	return ret;
}

static int clusterip_proc_release(struct inode *inode, struct file *file)
{
654
	struct clusterip_config *c = PDE(inode)->data;
Linus Torvalds's avatar
Linus Torvalds committed
655 656 657 658 659 660 661 662 663 664 665 666 667
	int ret;

	ret = seq_release(inode, file);

	if (!ret)
		clusterip_config_put(c);

	return ret;
}

static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
				size_t size, loff_t *ofs)
{
668
	struct clusterip_config *c = PDE(file->f_path.dentry->d_inode)->data;
Linus Torvalds's avatar
Linus Torvalds committed
669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689
#define PROC_WRITELEN	10
	char buffer[PROC_WRITELEN+1];
	unsigned long nodenum;

	if (copy_from_user(buffer, input, PROC_WRITELEN))
		return -EFAULT;

	if (*buffer == '+') {
		nodenum = simple_strtoul(buffer+1, NULL, 10);
		if (clusterip_add_node(c, nodenum))
			return -ENOMEM;
	} else if (*buffer == '-') {
		nodenum = simple_strtoul(buffer+1, NULL,10);
		if (clusterip_del_node(c, nodenum))
			return -ENOENT;
	} else
		return -EIO;

	return size;
}

690
static const struct file_operations clusterip_proc_fops = {
Linus Torvalds's avatar
Linus Torvalds committed
691 692 693 694 695 696 697 698 699 700
	.owner	 = THIS_MODULE,
	.open	 = clusterip_proc_open,
	.read	 = seq_read,
	.write	 = clusterip_proc_write,
	.llseek	 = seq_lseek,
	.release = clusterip_proc_release,
};

#endif /* CONFIG_PROC_FS */

701
static int __init clusterip_tg_init(void)
Linus Torvalds's avatar
Linus Torvalds committed
702 703 704
{
	int ret;

705
	ret = xt_register_target(&clusterip_tg_reg);
706 707
	if (ret < 0)
		return ret;
Linus Torvalds's avatar
Linus Torvalds committed
708

709 710
	ret = nf_register_hook(&cip_arp_ops);
	if (ret < 0)
Linus Torvalds's avatar
Linus Torvalds committed
711 712 713
		goto cleanup_target;

#ifdef CONFIG_PROC_FS
714
	clusterip_procdir = proc_mkdir("ipt_CLUSTERIP", init_net.proc_net);
Linus Torvalds's avatar
Linus Torvalds committed
715
	if (!clusterip_procdir) {
716
		pr_err("Unable to proc dir entry\n");
Linus Torvalds's avatar
Linus Torvalds committed
717 718 719 720 721
		ret = -ENOMEM;
		goto cleanup_hook;
	}
#endif /* CONFIG_PROC_FS */

722
	pr_info("ClusterIP Version %s loaded successfully\n",
Linus Torvalds's avatar
Linus Torvalds committed
723 724 725
		CLUSTERIP_VERSION);
	return 0;

726
#ifdef CONFIG_PROC_FS
Linus Torvalds's avatar
Linus Torvalds committed
727 728
cleanup_hook:
	nf_unregister_hook(&cip_arp_ops);
729
#endif /* CONFIG_PROC_FS */
Linus Torvalds's avatar
Linus Torvalds committed
730
cleanup_target:
731
	xt_unregister_target(&clusterip_tg_reg);
732
	return ret;
Linus Torvalds's avatar
Linus Torvalds committed
733 734
}

735
static void __exit clusterip_tg_exit(void)
Linus Torvalds's avatar
Linus Torvalds committed
736
{
737
	pr_info("ClusterIP Version %s unloading\n", CLUSTERIP_VERSION);
738 739 740 741
#ifdef CONFIG_PROC_FS
	remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
#endif
	nf_unregister_hook(&cip_arp_ops);
742
	xt_unregister_target(&clusterip_tg_reg);
743 744 745

	/* Wait for completion of call_rcu_bh()'s (clusterip_config_rcu_free) */
	rcu_barrier_bh();
Linus Torvalds's avatar
Linus Torvalds committed
746 747
}

748 749
module_init(clusterip_tg_init);
module_exit(clusterip_tg_exit);