IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.

 * Get net ptr from skb in traffic cases

 * use skb_sknet when call is from userland (ioctl or netlink)

 */

static inline struct net *skb_net(struct sk_buff *skb)

static inline struct net *skb_net(const struct sk_buff *skb)

{

#ifdef CONFIG_NET_NS

#ifdef CONFIG_IP_VS_DEBUG

#endif

}

static inline struct net *skb_sknet(struct sk_buff *skb)

static inline struct net *skb_sknet(const struct sk_buff *skb)

{

#ifdef CONFIG_NET_NS

#ifdef CONFIG_IP_VS_DEBUG

/*

 *      IPVS control data and functions (from ip_vs_ctl.c)

 */

extern int sysctl_ip_vs_cache_bypass;

extern int sysctl_ip_vs_expire_nodest_conn;

extern int sysctl_ip_vs_expire_quiescent_template;

extern int sysctl_ip_vs_sync_threshold[2];

extern int sysctl_ip_vs_nat_icmp_send;

extern int sysctl_ip_vs_conntrack;

extern int sysctl_ip_vs_snat_reroute;

extern struct ip_vs_stats ip_vs_stats;

extern const struct ctl_path net_vs_ctl_path[];

extern int sysctl_ip_vs_sync_ver;

extern int ip_vs_drop_rate;

extern int ip_vs_drop_counter;

static __inline__ int ip_vs_todrop(void)

static inline int ip_vs_todrop(struct netns_ipvs *ipvs)

{

	if (!ip_vs_drop_rate) return 0;

	if (--ip_vs_drop_counter > 0) return 0;

	ip_vs_drop_counter = ip_vs_drop_rate;

	if (!ipvs->drop_rate)

		return 0;

	if (--ipvs->drop_counter > 0)

		return 0;

	ipvs->drop_counter = ipvs->drop_rate;

	return 1;

}

 *      Netfilter connection tracking

 *      (from ip_vs_nfct.c)

 */

static inline int ip_vs_conntrack_enabled(void)

static inline int ip_vs_conntrack_enabled(struct netns_ipvs *ipvs)

{

	return sysctl_ip_vs_conntrack;

	return ipvs->sysctl_conntrack;

}

extern void ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp,

#else

static inline int ip_vs_conntrack_enabled(void)

static inline int ip_vs_conntrack_enabled(struct netns_ipvs *ipvs)

{

	return 0;

}

	struct list_head	sctp_apps[SCTP_APP_TAB_SIZE];

	spinlock_t		sctp_app_lock;

#endif

	/* ip_vs_conn */

	atomic_t		conn_count;      /*  connection counter */

	/* ip_vs_ctl */

	struct ip_vs_stats		*tot_stats;  /* Statistics & est. */

	struct ip_vs_cpu_stats __percpu *cpustats;   /* Stats per cpu */

	seqcount_t			*ustats_seq; /* u64 read retry */

	/* ip_vs_conn */

	atomic_t		conn_count;         /*  connection counter */

	int			num_services;    /* no of virtual services */

	/* 1/rate drop and drop-entry variables */

	int			drop_rate;

	int			drop_counter;

	atomic_t		dropentry;

	/* locks in ctl.c */

	spinlock_t		dropentry_lock;  /* drop entry handling */

	spinlock_t		droppacket_lock; /* drop packet handling */

	spinlock_t		securetcp_lock;  /* state and timeout tables */

	rwlock_t		rs_lock;         /* real services table */

	/* semaphore for IPVS sockopts. And, [gs]etsockopt may sleep. */

	struct lock_class_key	ctl_key;	/* ctl_mutex debuging */

	/* sys-ctl struct */

	struct ctl_table_header	*sysctl_hdr;

	struct ctl_table	*sysctl_tbl;

	/* sysctl variables */

	int			sysctl_amemthresh;

	int			sysctl_am_droprate;

	int			sysctl_drop_entry;

	int			sysctl_drop_packet;

	int			sysctl_secure_tcp;

#ifdef CONFIG_IP_VS_NFCT

	int			sysctl_conntrack;

#endif

	int			sysctl_snat_reroute;

	int			sysctl_sync_ver;

	int			sysctl_cache_bypass;

	int			sysctl_expire_nodest_conn;

	int			sysctl_expire_quiescent_template;

	int			sysctl_sync_threshold[2];

	int			sysctl_nat_icmp_send;

	/* ip_vs_lblc */

	int			sysctl_lblc_expiration;

	struct ctl_table_header	*lblc_ctl_header;

int ip_vs_check_template(struct ip_vs_conn *ct)

{

	struct ip_vs_dest *dest = ct->dest;

	struct netns_ipvs *ipvs = net_ipvs(ip_vs_conn_net(ct));

	/*

	 * Checking the dest server status.

	 */

	if ((dest == NULL) ||

	    !(dest->flags & IP_VS_DEST_F_AVAILABLE) ||

	    (sysctl_ip_vs_expire_quiescent_template &&

	    (ipvs->sysctl_expire_quiescent_template &&

	     (atomic_read(&dest->weight) == 0))) {

		IP_VS_DBG_BUF(9, "check_template: dest not available for "

			      "protocol %s s:%s:%d v:%s:%d "

	 * IP_VS_CONN_F_ONE_PACKET too.

	 */

	if (ip_vs_conntrack_enabled())

	if (ip_vs_conntrack_enabled(ipvs))

		cp->flags |= IP_VS_CONN_F_NFCT;

	/* Hash it in the ip_vs_conn_tab finally */

int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,

		struct ip_vs_proto_data *pd)

{

	struct netns_ipvs *ipvs;

	__be16 _ports[2], *pptr;

	struct ip_vs_iphdr iph;

	int unicast;

	/* if it is fwmark-based service, the cache_bypass sysctl is up

	   and the destination is a non-local unicast, then create

	   a cache_bypass connection entry */

	if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) {

	ipvs = net_ipvs(skb_net(skb));

	if (ipvs->sysctl_cache_bypass && svc->fwmark && unicast) {

		int ret, cs;

		struct ip_vs_conn *cp;

		unsigned int flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&

				struct ip_vs_protocol *pp,

				unsigned int offset, unsigned int ihl)

{

	struct netns_ipvs *ipvs;

	unsigned int verdict = NF_DROP;

	if (IP_VS_FWD_METHOD(cp) != 0) {

	if (!skb_make_writable(skb, offset))

		goto out;

	ipvs = net_ipvs(skb_net(skb));

#ifdef CONFIG_IP_VS_IPV6

	if (af == AF_INET6)

		ip_vs_nat_icmp_v6(skb, pp, cp, 1);

#ifdef CONFIG_IP_VS_IPV6

	if (af == AF_INET6) {

		if (sysctl_ip_vs_snat_reroute && ip6_route_me_harder(skb) != 0)

		if (ipvs->sysctl_snat_reroute && ip6_route_me_harder(skb) != 0)

			goto out;

	} else

#endif

		if ((sysctl_ip_vs_snat_reroute ||

		if ((ipvs->sysctl_snat_reroute ||

		     skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&

		    ip_route_me_harder(skb, RTN_LOCAL) != 0)

			goto out;

		struct ip_vs_conn *cp, int ihl)

{

	struct ip_vs_protocol *pp = pd->pp;

	struct netns_ipvs *ipvs;

	IP_VS_DBG_PKT(11, af, pp, skb, 0, "Outgoing packet");

	 * if it came from this machine itself.  So re-compute

	 * the routing information.

	 */

	ipvs = net_ipvs(skb_net(skb));

#ifdef CONFIG_IP_VS_IPV6

	if (af == AF_INET6) {

		if (sysctl_ip_vs_snat_reroute && ip6_route_me_harder(skb) != 0)

		if (ipvs->sysctl_snat_reroute && ip6_route_me_harder(skb) != 0)

			goto drop;

	} else

#endif

		if ((sysctl_ip_vs_snat_reroute ||

		if ((ipvs->sysctl_snat_reroute ||

		     skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&

		    ip_route_me_harder(skb, RTN_LOCAL) != 0)

			goto drop;

	struct ip_vs_protocol *pp;

	struct ip_vs_proto_data *pd;

	struct ip_vs_conn *cp;

	struct netns_ipvs *ipvs;

	EnterFunction(11);

	 * Check if the packet belongs to an existing entry

	 */

	cp = pp->conn_out_get(af, skb, &iph, iph.len, 0);

	ipvs = net_ipvs(net);

	if (likely(cp))

		return handle_response(af, skb, pd, cp, iph.len);

	if (sysctl_ip_vs_nat_icmp_send &&

	if (ipvs->sysctl_nat_icmp_send &&

	    (pp->protocol == IPPROTO_TCP ||

	     pp->protocol == IPPROTO_UDP ||

	     pp->protocol == IPPROTO_SCTP)) {

	if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {

		/* the destination server is not available */

		if (sysctl_ip_vs_expire_nodest_conn) {

		if (ipvs->sysctl_expire_nodest_conn) {

			/* try to expire the connection immediately */

			ip_vs_conn_expire_now(cp);

		}

	 */

	if (cp->flags & IP_VS_CONN_F_ONE_PACKET)

		pkts = sysctl_ip_vs_sync_threshold[0];

		pkts = ipvs->sysctl_sync_threshold[0];

	else

		pkts = atomic_add_return(1, &cp->in_pkts);

	if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&

	    cp->protocol == IPPROTO_SCTP) {

		if ((cp->state == IP_VS_SCTP_S_ESTABLISHED &&

			(pkts % sysctl_ip_vs_sync_threshold[1]

			 == sysctl_ip_vs_sync_threshold[0])) ||

			(pkts % ipvs->sysctl_sync_threshold[1]

			 == ipvs->sysctl_sync_threshold[0])) ||

				(cp->old_state != cp->state &&

				 ((cp->state == IP_VS_SCTP_S_CLOSED) ||

				  (cp->state == IP_VS_SCTP_S_SHUT_ACK_CLI) ||

	else if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&

	    (((cp->protocol != IPPROTO_TCP ||

	       cp->state == IP_VS_TCP_S_ESTABLISHED) &&

	      (pkts % sysctl_ip_vs_sync_threshold[1]

	       == sysctl_ip_vs_sync_threshold[0])) ||

	      (pkts % ipvs->sysctl_sync_threshold[1]

	       == ipvs->sysctl_sync_threshold[0])) ||

	     ((cp->protocol == IPPROTO_TCP) && (cp->old_state != cp->state) &&

	      ((cp->state == IP_VS_TCP_S_FIN_WAIT) ||

	       (cp->state == IP_VS_TCP_S_CLOSE) ||

/* lock for service table */

static DEFINE_RWLOCK(__ip_vs_svc_lock);

/* lock for table with the real services */

static DEFINE_RWLOCK(__ip_vs_rs_lock);

/* lock for state and timeout tables */

static DEFINE_SPINLOCK(ip_vs_securetcp_lock);

/* lock for drop entry handling */

static DEFINE_SPINLOCK(__ip_vs_dropentry_lock);

/* lock for drop packet handling */

static DEFINE_SPINLOCK(__ip_vs_droppacket_lock);

/* 1/rate drop and drop-entry variables */

int ip_vs_drop_rate = 0;

int ip_vs_drop_counter = 0;

static atomic_t ip_vs_dropentry = ATOMIC_INIT(0);

/* number of virtual services */

static int ip_vs_num_services = 0;

/* sysctl variables */

static int sysctl_ip_vs_drop_entry = 0;

static int sysctl_ip_vs_drop_packet = 0;

static int sysctl_ip_vs_secure_tcp = 0;

static int sysctl_ip_vs_amemthresh = 1024;

static int sysctl_ip_vs_am_droprate = 10;

int sysctl_ip_vs_cache_bypass = 0;

int sysctl_ip_vs_expire_nodest_conn = 0;

int sysctl_ip_vs_expire_quiescent_template = 0;

int sysctl_ip_vs_sync_threshold[2] = { 3, 50 };

int sysctl_ip_vs_nat_icmp_send = 0;

#ifdef CONFIG_IP_VS_NFCT

int sysctl_ip_vs_conntrack;

#endif

int sysctl_ip_vs_snat_reroute = 1;

int sysctl_ip_vs_sync_ver = 1;		/* Default version of sync proto */

#ifdef CONFIG_IP_VS_DEBUG

static int sysctl_ip_vs_debug_level = 0;

	/* si_swapinfo(&i); */

	/* availmem = availmem - (i.totalswap - i.freeswap); */

	nomem = (availmem < sysctl_ip_vs_amemthresh);

	nomem = (availmem < ipvs->sysctl_amemthresh);

	local_bh_disable();

	/* drop_entry */

	spin_lock(&__ip_vs_dropentry_lock);

	switch (sysctl_ip_vs_drop_entry) {

	spin_lock(&ipvs->dropentry_lock);

	switch (ipvs->sysctl_drop_entry) {

	case 0:

		atomic_set(&ip_vs_dropentry, 0);

		atomic_set(&ipvs->dropentry, 0);

		break;

	case 1:

		if (nomem) {

			atomic_set(&ip_vs_dropentry, 1);

			sysctl_ip_vs_drop_entry = 2;

			atomic_set(&ipvs->dropentry, 1);

			ipvs->sysctl_drop_entry = 2;

		} else {

			atomic_set(&ip_vs_dropentry, 0);

			atomic_set(&ipvs->dropentry, 0);

		}

		break;

	case 2:

		if (nomem) {

			atomic_set(&ip_vs_dropentry, 1);

			atomic_set(&ipvs->dropentry, 1);

		} else {

			atomic_set(&ip_vs_dropentry, 0);

			sysctl_ip_vs_drop_entry = 1;

			atomic_set(&ipvs->dropentry, 0);

			ipvs->sysctl_drop_entry = 1;

		};

		break;

	case 3:

		atomic_set(&ip_vs_dropentry, 1);

		atomic_set(&ipvs->dropentry, 1);

		break;

	}

	spin_unlock(&__ip_vs_dropentry_lock);

	spin_unlock(&ipvs->dropentry_lock);

	/* drop_packet */

	spin_lock(&__ip_vs_droppacket_lock);

	switch (sysctl_ip_vs_drop_packet) {

	spin_lock(&ipvs->droppacket_lock);

	switch (ipvs->sysctl_drop_packet) {

	case 0:

		ip_vs_drop_rate = 0;

		ipvs->drop_rate = 0;

		break;

	case 1:

		if (nomem) {

			ip_vs_drop_rate = ip_vs_drop_counter

				= sysctl_ip_vs_amemthresh /

				(sysctl_ip_vs_amemthresh-availmem);

			sysctl_ip_vs_drop_packet = 2;

			ipvs->drop_rate = ipvs->drop_counter

				= ipvs->sysctl_amemthresh /

				(ipvs->sysctl_amemthresh-availmem);

			ipvs->sysctl_drop_packet = 2;

		} else {

			ip_vs_drop_rate = 0;

			ipvs->drop_rate = 0;

		}

		break;

	case 2:

		if (nomem) {

			ip_vs_drop_rate = ip_vs_drop_counter

				= sysctl_ip_vs_amemthresh /

				(sysctl_ip_vs_amemthresh-availmem);

			ipvs->drop_rate = ipvs->drop_counter

				= ipvs->sysctl_amemthresh /

				(ipvs->sysctl_amemthresh-availmem);

		} else {

			ip_vs_drop_rate = 0;

			sysctl_ip_vs_drop_packet = 1;

			ipvs->drop_rate = 0;

			ipvs->sysctl_drop_packet = 1;

		}

		break;

	case 3:

		ip_vs_drop_rate = sysctl_ip_vs_am_droprate;

		ipvs->drop_rate = ipvs->sysctl_am_droprate;

		break;

	}

	spin_unlock(&__ip_vs_droppacket_lock);

	spin_unlock(&ipvs->droppacket_lock);

	/* secure_tcp */

	spin_lock(&ip_vs_securetcp_lock);

	switch (sysctl_ip_vs_secure_tcp) {

	spin_lock(&ipvs->securetcp_lock);

	switch (ipvs->sysctl_secure_tcp) {

	case 0:

		if (old_secure_tcp >= 2)

			to_change = 0;

		if (nomem) {

			if (old_secure_tcp < 2)

				to_change = 1;

			sysctl_ip_vs_secure_tcp = 2;

			ipvs->sysctl_secure_tcp = 2;

		} else {

			if (old_secure_tcp >= 2)

				to_change = 0;

		} else {

			if (old_secure_tcp >= 2)

				to_change = 0;

			sysctl_ip_vs_secure_tcp = 1;

			ipvs->sysctl_secure_tcp = 1;

		}

		break;

	case 3:

			to_change = 1;

		break;

	}

	old_secure_tcp = sysctl_ip_vs_secure_tcp;

	old_secure_tcp = ipvs->sysctl_secure_tcp;

	if (to_change >= 0)

		ip_vs_protocol_timeout_change(ipvs,

					     sysctl_ip_vs_secure_tcp > 1);

	spin_unlock(&ip_vs_securetcp_lock);

					      ipvs->sysctl_secure_tcp > 1);

	spin_unlock(&ipvs->securetcp_lock);

	local_bh_enable();

}

	struct netns_ipvs *ipvs = net_ipvs(&init_net);

	update_defense_level(ipvs);

	if (atomic_read(&ip_vs_dropentry))

	if (atomic_read(&ipvs->dropentry))

		ip_vs_random_dropentry();

	schedule_delayed_work(&defense_work, DEFENSE_TIMER_PERIOD);

	 */

	hash = ip_vs_rs_hashkey(af, daddr, dport);

	read_lock(&__ip_vs_rs_lock);

	read_lock(&ipvs->rs_lock);

	list_for_each_entry(dest, &ipvs->rs_table[hash], d_list) {

		if ((dest->af == af)

		    && ip_vs_addr_equal(af, &dest->addr, daddr)

		    && ((dest->protocol == protocol) ||

			dest->vfwmark)) {

			/* HIT */

			read_unlock(&__ip_vs_rs_lock);

			read_unlock(&ipvs->rs_lock);

			return dest;

		}

	}

	read_unlock(&__ip_vs_rs_lock);

	read_unlock(&ipvs->rs_lock);

	return NULL;

}

		 *    Put the real service in rs_table if not present.

		 *    For now only for NAT!

		 */

		write_lock_bh(&__ip_vs_rs_lock);

		write_lock_bh(&ipvs->rs_lock);

		ip_vs_rs_hash(ipvs, dest);

		write_unlock_bh(&__ip_vs_rs_lock);

		write_unlock_bh(&ipvs->rs_lock);

	}

	atomic_set(&dest->conn_flags, conn_flags);

 */

static void __ip_vs_del_dest(struct net *net, struct ip_vs_dest *dest)

{

	struct netns_ipvs *ipvs = net_ipvs(net);

	ip_vs_kill_estimator(net, &dest->stats);

	/*

	 *  Remove it from the d-linked list with the real services.

	 */

	write_lock_bh(&__ip_vs_rs_lock);

	write_lock_bh(&ipvs->rs_lock);

	ip_vs_rs_unhash(dest);

	write_unlock_bh(&__ip_vs_rs_lock);

	write_unlock_bh(&ipvs->rs_lock);

	/*

	 *  Decrease the refcnt of the dest, and free the dest

ip_vs_del_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)

{

	struct ip_vs_dest *dest;

	struct net *net = svc->net;

	__be16 dport = udest->port;

	EnterFunction(2);

	/*

	 *	Delete the destination

	 */

	__ip_vs_del_dest(net, dest);

	__ip_vs_del_dest(svc->net, dest);

	LeaveFunction(2);

	struct ip_vs_scheduler *sched = NULL;

	struct ip_vs_pe *pe = NULL;

	struct ip_vs_service *svc = NULL;

	struct netns_ipvs *ipvs = net_ipvs(net);

	/* increase the module use count */

	ip_vs_use_count_inc();

	/* Count only IPv4 services for old get/setsockopt interface */

	if (svc->af == AF_INET)

		ip_vs_num_services++;

		ipvs->num_services++;

	/* Hash the service into the service table */

	write_lock_bh(&__ip_vs_svc_lock);

	struct ip_vs_dest *dest, *nxt;

	struct ip_vs_scheduler *old_sched;

	struct ip_vs_pe *old_pe;

	struct netns_ipvs *ipvs = net_ipvs(svc->net);

	pr_info("%s: enter\n", __func__);

	/* Count only IPv4 services for old get/setsockopt interface */

	if (svc->af == AF_INET)

		ip_vs_num_services--;

		ipvs->num_services--;

	ip_vs_kill_estimator(svc->net, &svc->stats);

/*

 *	IPVS sysctl table (under the /proc/sys/net/ipv4/vs/)

 *	Do not change order or insert new entries without

 *	align with netns init in __ip_vs_control_init()

 */

static struct ctl_table vs_vars[] = {

	{

		.procname	= "amemthresh",

		.data		= &sysctl_ip_vs_amemthresh,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= proc_dointvec,

	},

#ifdef CONFIG_IP_VS_DEBUG

	{

		.procname	= "debug_level",

		.data		= &sysctl_ip_vs_debug_level,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= proc_dointvec,

	},

#endif

	{

		.procname	= "am_droprate",

		.data		= &sysctl_ip_vs_am_droprate,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= proc_dointvec,

	},

	{

		.procname	= "drop_entry",

		.data		= &sysctl_ip_vs_drop_entry,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= proc_do_defense_mode,

	},

	{

		.procname	= "drop_packet",

		.data		= &sysctl_ip_vs_drop_packet,

		.maxlen		= sizeof(int),

		.mode		= 0644,