IPVS: netns, use ip_vs_proto_data as param.

	void (*exit_netns)(struct net *net, struct ip_vs_proto_data *pd);

	int (*conn_schedule)(int af, struct sk_buff *skb,

			     struct ip_vs_protocol *pp,

			     struct ip_vs_proto_data *pd,

			     int *verdict, struct ip_vs_conn **cpp);

	struct ip_vs_conn *

	(*conn_in_get)(int af,

		       const struct sk_buff *skb,

		       struct ip_vs_protocol *pp,

		       const struct ip_vs_iphdr *iph,

		       unsigned int proto_off,

		       int inverse);

	struct ip_vs_conn *

	(*conn_out_get)(int af,

			const struct sk_buff *skb,

			struct ip_vs_protocol *pp,

			const struct ip_vs_iphdr *iph,

			unsigned int proto_off,

			int inverse);

	int (*state_transition)(struct ip_vs_conn *cp, int direction,

				const struct sk_buff *skb,

				struct ip_vs_protocol *pp);

				struct ip_vs_proto_data *pd);

	int (*register_app)(struct ip_vs_app *inc);

			     int offset,

			     const char *msg);

	void (*timeout_change)(struct ip_vs_protocol *pp, int flags);

	int (*set_state_timeout)(struct ip_vs_protocol *pp, char *sname, int to);

	void (*timeout_change)(struct ip_vs_proto_data *pd, int flags);

};

/*

struct ip_vs_conn *ip_vs_ct_in_get(const struct ip_vs_conn_param *p);

struct ip_vs_conn * ip_vs_conn_in_get_proto(int af, const struct sk_buff *skb,

					    struct ip_vs_protocol *pp,

					    const struct ip_vs_iphdr *iph,

					    unsigned int proto_off,

					    int inverse);

struct ip_vs_conn *ip_vs_conn_out_get(const struct ip_vs_conn_param *p);

struct ip_vs_conn * ip_vs_conn_out_get_proto(int af, const struct sk_buff *skb,

					     struct ip_vs_protocol *pp,

					     const struct ip_vs_iphdr *iph,

					     unsigned int proto_off,

					     int inverse);

 */

extern int ip_vs_protocol_init(void);

extern void ip_vs_protocol_cleanup(void);

extern void ip_vs_protocol_timeout_change(int flags);

extern void ip_vs_protocol_timeout_change(struct netns_ipvs *ipvs, int flags);

extern int *ip_vs_create_timeout_table(int *table, int size);

extern int

ip_vs_set_state_timeout(int *table, int num, const char *const *names,

extern void ip_vs_scheduler_put(struct ip_vs_scheduler *scheduler);

extern struct ip_vs_conn *

ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,

	       struct ip_vs_protocol *pp, int *ignored);

	       struct ip_vs_proto_data *pd, int *ignored);

extern int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,

			struct ip_vs_protocol *pp);

			struct ip_vs_proto_data *pd);

/*

struct ip_vs_conn *

ip_vs_conn_in_get_proto(int af, const struct sk_buff *skb,

			struct ip_vs_protocol *pp,

			const struct ip_vs_iphdr *iph,

			unsigned int proto_off, int inverse)

{

struct ip_vs_conn *

ip_vs_conn_out_get_proto(int af, const struct sk_buff *skb,

			 struct ip_vs_protocol *pp,

			 const struct ip_vs_iphdr *iph,

			 unsigned int proto_off, int inverse)

{

static inline int

ip_vs_set_state(struct ip_vs_conn *cp, int direction,

		const struct sk_buff *skb,

		struct ip_vs_protocol *pp)

		struct ip_vs_proto_data *pd)

{

	if (unlikely(!pp->state_transition))

	if (unlikely(!pd->pp->state_transition))

		return 0;

	return pp->state_transition(cp, direction, skb, pp);

	return pd->pp->state_transition(cp, direction, skb, pd);

}

static inline int

 */

struct ip_vs_conn *

ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,

	       struct ip_vs_protocol *pp, int *ignored)

	       struct ip_vs_proto_data *pd, int *ignored)

{

	struct ip_vs_protocol *pp = pd->pp;

	struct ip_vs_conn *cp = NULL;

	struct ip_vs_iphdr iph;

	struct ip_vs_dest *dest;

	 *    Do not schedule replies from local real server.

	 */

	if ((!skb->dev || skb->dev->flags & IFF_LOOPBACK) &&

	    (cp = pp->conn_in_get(svc->af, skb, pp, &iph, iph.len, 1))) {

	    (cp = pp->conn_in_get(svc->af, skb, &iph, iph.len, 1))) {

		IP_VS_DBG_PKT(12, svc->af, pp, skb, 0,

			      "Not scheduling reply for existing connection");

		__ip_vs_conn_put(cp);

 *  no destination is available for a new connection.

 */

int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,

		struct ip_vs_protocol *pp)

		struct ip_vs_proto_data *pd)

{

	__be16 _ports[2], *pptr;

	struct ip_vs_iphdr iph;

	int unicast;

	ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);

	pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);

		ip_vs_in_stats(cp, skb);

		/* set state */

		cs = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp);

		cs = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pd);

		/* transmit the first SYN packet */

		ret = cp->packet_xmit(skb, cp, pp);

		ret = cp->packet_xmit(skb, cp, pd->pp);

		/* do not touch skb anymore */

		atomic_inc(&cp->in_pkts);

	ip_vs_fill_iphdr(AF_INET, cih, &ciph);

	/* The embedded headers contain source and dest in reverse order */

	cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1);

	cp = pp->conn_out_get(AF_INET, skb, &ciph, offset, 1);

	if (!cp)

		return NF_ACCEPT;

	ip_vs_fill_iphdr(AF_INET6, cih, &ciph);

	/* The embedded headers contain source and dest in reverse order */

	cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1);

	cp = pp->conn_out_get(AF_INET6, skb, &ciph, offset, 1);

	if (!cp)

		return NF_ACCEPT;

 * Used for NAT and local client.

 */

static unsigned int

handle_response(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,

handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,

		struct ip_vs_conn *cp, int ihl)

{

	struct ip_vs_protocol *pp = pd->pp;

	IP_VS_DBG_PKT(11, af, pp, skb, 0, "Outgoing packet");

	if (!skb_make_writable(skb, ihl))

	IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT");

	ip_vs_out_stats(cp, skb);

	ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pp);

	ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pd);

	skb->ipvs_property = 1;

	if (!(cp->flags & IP_VS_CONN_F_NFCT))

		ip_vs_notrack(skb);

	struct net *net = NULL;

	struct ip_vs_iphdr iph;

	struct ip_vs_protocol *pp;

	struct ip_vs_proto_data *pd;

	struct ip_vs_conn *cp;

	EnterFunction(11);

			ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);

		}

	pp = ip_vs_proto_get(iph.protocol);

	if (unlikely(!pp))

	pd = ip_vs_proto_data_get(net, iph.protocol);

	if (unlikely(!pd))

		return NF_ACCEPT;

	pp = pd->pp;

	/* reassemble IP fragments */

#ifdef CONFIG_IP_VS_IPV6

	/*

	 * Check if the packet belongs to an existing entry

	 */

	cp = pp->conn_out_get(af, skb, pp, &iph, iph.len, 0);

	cp = pp->conn_out_get(af, skb, &iph, iph.len, 0);

	if (likely(cp))

		return handle_response(af, skb, pp, cp, iph.len);

		return handle_response(af, skb, pd, cp, iph.len);

	if (sysctl_ip_vs_nat_icmp_send &&

	    (pp->protocol == IPPROTO_TCP ||

	     pp->protocol == IPPROTO_UDP ||

static int

ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)

{

	struct net *net = NULL;

	struct iphdr *iph;

	struct icmphdr	_icmph, *ic;

	struct iphdr	_ciph, *cih;	/* The ip header contained within the ICMP */

	struct ip_vs_iphdr ciph;

	struct ip_vs_conn *cp;

	struct ip_vs_protocol *pp;

	struct ip_vs_proto_data *pd;

	unsigned int offset, ihl, verdict;

	union nf_inet_addr snet;

	if (cih == NULL)

		return NF_ACCEPT; /* The packet looks wrong, ignore */

	pp = ip_vs_proto_get(cih->protocol);

	if (!pp)

	net = skb_net(skb);

	pd = ip_vs_proto_data_get(net, cih->protocol);

	if (!pd)

		return NF_ACCEPT;

	pp = pd->pp;

	/* Is the embedded protocol header present? */

	if (unlikely(cih->frag_off & htons(IP_OFFSET) &&

	ip_vs_fill_iphdr(AF_INET, cih, &ciph);

	/* The embedded headers contain source and dest in reverse order */

	cp = pp->conn_in_get(AF_INET, skb, pp, &ciph, offset, 1);

	cp = pp->conn_in_get(AF_INET, skb, &ciph, offset, 1);

	if (!cp) {

		/* The packet could also belong to a local client */

		cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1);

		cp = pp->conn_out_get(AF_INET, skb, &ciph, offset, 1);

		if (cp) {

			snet.ip = iph->saddr;

			return handle_response_icmp(AF_INET, skb, &snet,

static int

ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum)

{

	struct net *net = NULL;

	struct ipv6hdr *iph;

	struct icmp6hdr	_icmph, *ic;

	struct ipv6hdr	_ciph, *cih;	/* The ip header contained

	struct ip_vs_iphdr ciph;

	struct ip_vs_conn *cp;

	struct ip_vs_protocol *pp;

	struct ip_vs_proto_data *pd;

	unsigned int offset, verdict;

	union nf_inet_addr snet;

	struct rt6_info *rt;

	if (cih == NULL)

		return NF_ACCEPT; /* The packet looks wrong, ignore */

	pp = ip_vs_proto_get(cih->nexthdr);

	if (!pp)

	net = skb_net(skb);

	pd = ip_vs_proto_data_get(net, cih->nexthdr);

	if (!pd)

		return NF_ACCEPT;

	pp = pd->pp;

	/* Is the embedded protocol header present? */

	/* TODO: we don't support fragmentation at the moment anyways */

	ip_vs_fill_iphdr(AF_INET6, cih, &ciph);

	/* The embedded headers contain source and dest in reverse order */

	cp = pp->conn_in_get(AF_INET6, skb, pp, &ciph, offset, 1);

	cp = pp->conn_in_get(AF_INET6, skb, &ciph, offset, 1);

	if (!cp) {

		/* The packet could also belong to a local client */

		cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1);

		cp = pp->conn_out_get(AF_INET6, skb, &ciph, offset, 1);

		if (cp) {

			ipv6_addr_copy(&snet.in6, &iph->saddr);

			return handle_response_icmp(AF_INET6, skb, &snet,

static unsigned int

ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)

{

	struct net *net = NULL;

	struct ip_vs_iphdr iph;

	struct ip_vs_protocol *pp;

	struct ip_vs_proto_data *pd;

	struct ip_vs_conn *cp;

	int ret, restart, pkts;

			ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);

		}

	net = skb_net(skb);

	/* Protocol supported? */

	pp = ip_vs_proto_get(iph.protocol);

	if (unlikely(!pp))

	pd = ip_vs_proto_data_get(net, iph.protocol);

	if (unlikely(!pd))

		return NF_ACCEPT;

	pp = pd->pp;

	/*

	 * Check if the packet belongs to an existing connection entry

	 */

	cp = pp->conn_in_get(af, skb, pp, &iph, iph.len, 0);

	cp = pp->conn_in_get(af, skb, &iph, iph.len, 0);

	if (unlikely(!cp)) {

		int v;

		if (!pp->conn_schedule(af, skb, pp, &v, &cp))

		if (!pp->conn_schedule(af, skb, pd, &v, &cp))

			return v;

	}

	}

	ip_vs_in_stats(cp, skb);

	restart = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp);

	restart = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pd);

	if (cp->packet_xmit)

		ret = cp->packet_xmit(skb, cp, pp);

		/* do not touch skb anymore */

#include <linux/mutex.h>

#include <net/net_namespace.h>

#include <linux/nsproxy.h>

#include <net/ip.h>

#ifdef CONFIG_IP_VS_IPV6

#include <net/ipv6.h>

 *	update_defense_level is called from keventd and from sysctl,

 *	so it needs to protect itself from softirqs

 */

static void update_defense_level(void)

static void update_defense_level(struct netns_ipvs *ipvs)

{

	struct sysinfo i;

	static int old_secure_tcp = 0;

	}

	old_secure_tcp = sysctl_ip_vs_secure_tcp;

	if (to_change >= 0)

		ip_vs_protocol_timeout_change(sysctl_ip_vs_secure_tcp>1);

		ip_vs_protocol_timeout_change(ipvs,

					     sysctl_ip_vs_secure_tcp > 1);

	spin_unlock(&ip_vs_securetcp_lock);

	local_bh_enable();

static void defense_work_handler(struct work_struct *work)

{

	update_defense_level();

	struct net *net = &init_net;

	struct netns_ipvs *ipvs = net_ipvs(net);

	update_defense_level(ipvs);

	if (atomic_read(&ip_vs_dropentry))

		ip_vs_random_dropentry();

proc_do_defense_mode(ctl_table *table, int write,

		     void __user *buffer, size_t *lenp, loff_t *ppos)

{

	struct net *net = current->nsproxy->net_ns;

	int *valp = table->data;

	int val = *valp;

	int rc;

			/* Restore the correct value */

			*valp = val;

		} else {

			update_defense_level();

			update_defense_level(net_ipvs(net));

		}

	}

	return rc;

/*

 *	Set timeout values for tcp tcpfin udp in the timeout_table.

 */

static int ip_vs_set_timeout(struct ip_vs_timeout_user *u)

static int ip_vs_set_timeout(struct net *net, struct ip_vs_timeout_user *u)

{

	struct ip_vs_proto_data *pd;

	IP_VS_DBG(2, "Setting timeout tcp:%d tcpfin:%d udp:%d\n",

		  u->tcp_timeout,

		  u->tcp_fin_timeout,

#ifdef CONFIG_IP_VS_PROTO_TCP

	if (u->tcp_timeout) {

		ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_ESTABLISHED]

		pd = ip_vs_proto_data_get(net, IPPROTO_TCP);

		pd->timeout_table[IP_VS_TCP_S_ESTABLISHED]

			= u->tcp_timeout * HZ;

	}

	if (u->tcp_fin_timeout) {

		ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_FIN_WAIT]

		pd = ip_vs_proto_data_get(net, IPPROTO_TCP);

		pd->timeout_table[IP_VS_TCP_S_FIN_WAIT]

			= u->tcp_fin_timeout * HZ;

	}

#endif

#ifdef CONFIG_IP_VS_PROTO_UDP

	if (u->udp_timeout) {

		ip_vs_protocol_udp.timeout_table[IP_VS_UDP_S_NORMAL]

		pd = ip_vs_proto_data_get(net, IPPROTO_UDP);

		pd->timeout_table[IP_VS_UDP_S_NORMAL]

			= u->udp_timeout * HZ;

	}

#endif

		goto out_unlock;

	} else if (cmd == IP_VS_SO_SET_TIMEOUT) {

		/* Set timeout values for (tcp tcpfin udp) */

		ret = ip_vs_set_timeout((struct ip_vs_timeout_user *)arg);

		ret = ip_vs_set_timeout(net, (struct ip_vs_timeout_user *)arg);

		goto out_unlock;

	} else if (cmd == IP_VS_SO_SET_STARTDAEMON) {

		struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;

}

static inline void

__ip_vs_get_timeouts(struct ip_vs_timeout_user *u)

__ip_vs_get_timeouts(struct net *net, struct ip_vs_timeout_user *u)

{

	struct ip_vs_proto_data *pd;

#ifdef CONFIG_IP_VS_PROTO_TCP

	u->tcp_timeout =

		ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;

	u->tcp_fin_timeout =

		ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_FIN_WAIT] / HZ;

	pd = ip_vs_proto_data_get(net, IPPROTO_TCP);

	u->tcp_timeout = pd->timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;

	u->tcp_fin_timeout = pd->timeout_table[IP_VS_TCP_S_FIN_WAIT] / HZ;

#endif

#ifdef CONFIG_IP_VS_PROTO_UDP

	pd = ip_vs_proto_data_get(net, IPPROTO_UDP);

	u->udp_timeout =

		ip_vs_protocol_udp.timeout_table[IP_VS_UDP_S_NORMAL] / HZ;

			pd->timeout_table[IP_VS_UDP_S_NORMAL] / HZ;

#endif

}

	{

		struct ip_vs_timeout_user t;

		__ip_vs_get_timeouts(&t);

		__ip_vs_get_timeouts(net, &t);

		if (copy_to_user(user, &t, sizeof(t)) != 0)

			ret = -EFAULT;

	}

	return stop_sync_thread(nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));

}

static int ip_vs_genl_set_config(struct nlattr **attrs)

static int ip_vs_genl_set_config(struct net *net, struct nlattr **attrs)

{

	struct ip_vs_timeout_user t;

	__ip_vs_get_timeouts(&t);

	__ip_vs_get_timeouts(net, &t);

	if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP])

		t.tcp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP]);

	if (attrs[IPVS_CMD_ATTR_TIMEOUT_UDP])

		t.udp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_UDP]);

	return ip_vs_set_timeout(&t);

	return ip_vs_set_timeout(net, &t);

}

static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)

		ret = ip_vs_flush(net);

		goto out;

	} else if (cmd == IPVS_CMD_SET_CONFIG) {

		ret = ip_vs_genl_set_config(info->attrs);

		ret = ip_vs_genl_set_config(net, info->attrs);

		goto out;

	} else if (cmd == IPVS_CMD_NEW_DAEMON ||

		   cmd == IPVS_CMD_DEL_DAEMON) {

	{

		struct ip_vs_timeout_user t;

		__ip_vs_get_timeouts(&t);

		__ip_vs_get_timeouts(net, &t);

#ifdef CONFIG_IP_VS_PROTO_TCP

		NLA_PUT_U32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP, t.tcp_timeout);

		NLA_PUT_U32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP_FIN,

 *	get ip_vs_protocol object data by netns and proto

 */

struct ip_vs_proto_data *

ip_vs_proto_data_get(struct net *net, unsigned short proto)

__ipvs_proto_data_get(struct netns_ipvs *ipvs, unsigned short proto)

{

	struct netns_ipvs *ipvs = net_ipvs(net);

	struct ip_vs_proto_data *pd;