ipvs: add function to find tunnels
authorJulian Anastasov <ja@ssi.bg>
Sun, 5 May 2019 12:14:39 +0000 (15:14 +0300)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 31 May 2019 15:48:09 +0000 (17:48 +0200)
Add ip_vs_find_tunnel() to match tunnel headers
by family, address and optional port. Use it to
properly find the tunnel real server used in
received ICMP errors.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/ip_vs.h
net/netfilter/ipvs/ip_vs_core.c
net/netfilter/ipvs/ip_vs_ctl.c

index 9a8ac8997e34e142521ac4a9294712dc4d6a4df7..b01a94ebfc0e8f197581d960151df7fbd7c2a1a8 100644 (file)
@@ -1404,6 +1404,9 @@ bool ip_vs_has_real_service(struct netns_ipvs *ipvs, int af, __u16 protocol,
 struct ip_vs_dest *
 ip_vs_find_real_service(struct netns_ipvs *ipvs, int af, __u16 protocol,
                        const union nf_inet_addr *daddr, __be16 dport);
+struct ip_vs_dest *ip_vs_find_tunnel(struct netns_ipvs *ipvs, int af,
+                                    const union nf_inet_addr *daddr,
+                                    __be16 tun_port);
 
 int ip_vs_use_count_inc(void);
 void ip_vs_use_count_dec(void);
index 14457551bcb4edca3047320028be0a331d185e14..4447ee512b88866d1d8d4b06f30efe9259ee5272 100644 (file)
@@ -1598,6 +1598,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
        struct ip_vs_proto_data *pd;
        unsigned int offset, offset2, ihl, verdict;
        bool ipip, new_cp = false;
+       union nf_inet_addr *raddr;
 
        *related = 1;
 
@@ -1636,15 +1637,22 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
        cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
        if (cih == NULL)
                return NF_ACCEPT; /* The packet looks wrong, ignore */
+       raddr = (union nf_inet_addr *)&cih->daddr;
 
        /* Special case for errors for IPIP packets */
        ipip = false;
        if (cih->protocol == IPPROTO_IPIP) {
+               struct ip_vs_dest *dest;
+
                if (unlikely(cih->frag_off & htons(IP_OFFSET)))
                        return NF_ACCEPT;
                /* Error for our IPIP must arrive at LOCAL_IN */
                if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL))
                        return NF_ACCEPT;
+               dest = ip_vs_find_tunnel(ipvs, AF_INET, raddr, 0);
+               /* Only for known tunnel */
+               if (!dest || dest->tun_type != IP_VS_CONN_F_TUNNEL_TYPE_IPIP)
+                       return NF_ACCEPT;
                offset += cih->ihl * 4;
                cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
                if (cih == NULL)
index 30b1a9f9c2e32b5b2909974c47ee6f899f450cba..d5847e06350f65a2a454561c21cef0cba973d6ef 100644 (file)
@@ -617,6 +617,35 @@ struct ip_vs_dest *ip_vs_find_real_service(struct netns_ipvs *ipvs, int af,
        return NULL;
 }
 
+/* Find real service record by <af,addr,tun_port>.
+ * In case of multiple records with the same <af,addr,tun_port>, only
+ * the first found record is returned.
+ *
+ * To be called under RCU lock.
+ */
+struct ip_vs_dest *ip_vs_find_tunnel(struct netns_ipvs *ipvs, int af,
+                                    const union nf_inet_addr *daddr,
+                                    __be16 tun_port)
+{
+       struct ip_vs_dest *dest;
+       unsigned int hash;
+
+       /* Check for "full" addressed entries */
+       hash = ip_vs_rs_hashkey(af, daddr, tun_port);
+
+       hlist_for_each_entry_rcu(dest, &ipvs->rs_table[hash], d_list) {
+               if (dest->tun_port == tun_port &&
+                   dest->af == af &&
+                   ip_vs_addr_equal(af, &dest->addr, daddr) &&
+                   IP_VS_DFWD_METHOD(dest) == IP_VS_CONN_F_TUNNEL) {
+                       /* HIT */
+                       return dest;
+               }
+       }
+
+       return NULL;
+}
+
 /* Lookup destination by {addr,port} in the given service
  * Called under RCU lock.
  */