10bd39c0ae2d6941925855909ba680a69987039b
[linux-3.10.git] / net / netfilter / ipvs / ip_vs_xmit.c
1 /*
2  * ip_vs_xmit.c: various packet transmitters for IPVS
3  *
4  * Authors:     Wensong Zhang <wensong@linuxvirtualserver.org>
5  *              Julian Anastasov <ja@ssi.bg>
6  *
7  *              This program is free software; you can redistribute it and/or
8  *              modify it under the terms of the GNU General Public License
9  *              as published by the Free Software Foundation; either version
10  *              2 of the License, or (at your option) any later version.
11  *
12  * Changes:
13  *
14  * Description of forwarding methods:
15  * - all transmitters are called from LOCAL_IN (remote clients) and
16  * LOCAL_OUT (local clients) but for ICMP can be called from FORWARD
17  * - not all connections have destination server, for example,
18  * connections in backup server when fwmark is used
19  * - bypass connections use daddr from packet
20  * LOCAL_OUT rules:
21  * - skb->dev is NULL, skb->protocol is not set (both are set in POST_ROUTING)
22  * - skb->pkt_type is not set yet
23  * - the only place where we can see skb->sk != NULL
24  */
25
26 #define KMSG_COMPONENT "IPVS"
27 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
28
29 #include <linux/kernel.h>
30 #include <linux/slab.h>
31 #include <linux/tcp.h>                  /* for tcphdr */
32 #include <net/ip.h>
33 #include <net/tcp.h>                    /* for csum_tcpudp_magic */
34 #include <net/udp.h>
35 #include <net/icmp.h>                   /* for icmp_send */
36 #include <net/route.h>                  /* for ip_route_output */
37 #include <net/ipv6.h>
38 #include <net/ip6_route.h>
39 #include <net/addrconf.h>
40 #include <linux/icmpv6.h>
41 #include <linux/netfilter.h>
42 #include <linux/netfilter_ipv4.h>
43
44 #include <net/ip_vs.h>
45
46
47 /*
48  *      Destination cache to speed up outgoing route lookup
49  */
50 static inline void
51 __ip_vs_dst_set(struct ip_vs_dest *dest, u32 rtos, struct dst_entry *dst,
52                 u32 dst_cookie)
53 {
54         struct dst_entry *old_dst;
55
56         old_dst = dest->dst_cache;
57         dest->dst_cache = dst;
58         dest->dst_rtos = rtos;
59         dest->dst_cookie = dst_cookie;
60         dst_release(old_dst);
61 }
62
63 static inline struct dst_entry *
64 __ip_vs_dst_check(struct ip_vs_dest *dest, u32 rtos)
65 {
66         struct dst_entry *dst = dest->dst_cache;
67
68         if (!dst)
69                 return NULL;
70         if ((dst->obsolete || rtos != dest->dst_rtos) &&
71             dst->ops->check(dst, dest->dst_cookie) == NULL) {
72                 dest->dst_cache = NULL;
73                 dst_release(dst);
74                 return NULL;
75         }
76         dst_hold(dst);
77         return dst;
78 }
79
80 /*
81  * Get route to destination or remote server
82  * rt_mode: flags, &1=Allow local dest, &2=Allow non-local dest,
83  *          &4=Allow redirect from remote daddr to local
84  */
85 static struct rtable *
86 __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
87                    __be32 daddr, u32 rtos, int rt_mode)
88 {
89         struct net *net = dev_net(skb_dst(skb)->dev);
90         struct rtable *rt;                      /* Route to the other host */
91         struct rtable *ort;                     /* Original route */
92         int local;
93
94         if (dest) {
95                 spin_lock(&dest->dst_lock);
96                 if (!(rt = (struct rtable *)
97                       __ip_vs_dst_check(dest, rtos))) {
98                         struct flowi fl = {
99                                 .oif = 0,
100                                 .nl_u = {
101                                         .ip4_u = {
102                                                 .daddr = dest->addr.ip,
103                                                 .saddr = 0,
104                                                 .tos = rtos, } },
105                         };
106
107                         if (ip_route_output_key(net, &rt, &fl)) {
108                                 spin_unlock(&dest->dst_lock);
109                                 IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
110                                              &dest->addr.ip);
111                                 return NULL;
112                         }
113                         __ip_vs_dst_set(dest, rtos, dst_clone(&rt->dst), 0);
114                         IP_VS_DBG(10, "new dst %pI4, refcnt=%d, rtos=%X\n",
115                                   &dest->addr.ip,
116                                   atomic_read(&rt->dst.__refcnt), rtos);
117                 }
118                 spin_unlock(&dest->dst_lock);
119         } else {
120                 struct flowi fl = {
121                         .oif = 0,
122                         .nl_u = {
123                                 .ip4_u = {
124                                         .daddr = daddr,
125                                         .saddr = 0,
126                                         .tos = rtos, } },
127                 };
128
129                 if (ip_route_output_key(net, &rt, &fl)) {
130                         IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
131                                      &daddr);
132                         return NULL;
133                 }
134         }
135
136         local = rt->rt_flags & RTCF_LOCAL;
137         if (!((local ? 1 : 2) & rt_mode)) {
138                 IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI4\n",
139                              (rt->rt_flags & RTCF_LOCAL) ?
140                              "local":"non-local", &rt->rt_dst);
141                 ip_rt_put(rt);
142                 return NULL;
143         }
144         if (local && !(rt_mode & 4) && !((ort = skb_rtable(skb)) &&
145                                          ort->rt_flags & RTCF_LOCAL)) {
146                 IP_VS_DBG_RL("Redirect from non-local address %pI4 to local "
147                              "requires NAT method, dest: %pI4\n",
148                              &ip_hdr(skb)->daddr, &rt->rt_dst);
149                 ip_rt_put(rt);
150                 return NULL;
151         }
152         if (unlikely(!local && ipv4_is_loopback(ip_hdr(skb)->saddr))) {
153                 IP_VS_DBG_RL("Stopping traffic from loopback address %pI4 "
154                              "to non-local address, dest: %pI4\n",
155                              &ip_hdr(skb)->saddr, &rt->rt_dst);
156                 ip_rt_put(rt);
157                 return NULL;
158         }
159
160         return rt;
161 }
162
163 /* Reroute packet to local IPv4 stack after DNAT */
164 static int
165 __ip_vs_reroute_locally(struct sk_buff *skb)
166 {
167         struct rtable *rt = skb_rtable(skb);
168         struct net_device *dev = rt->dst.dev;
169         struct net *net = dev_net(dev);
170         struct iphdr *iph = ip_hdr(skb);
171
172         if (rt_is_input_route(rt)) {
173                 unsigned long orefdst = skb->_skb_refdst;
174
175                 if (ip_route_input(skb, iph->daddr, iph->saddr,
176                                    iph->tos, skb->dev))
177                         return 0;
178                 refdst_drop(orefdst);
179         } else {
180                 struct flowi fl = {
181                         .oif = 0,
182                         .nl_u = {
183                                 .ip4_u = {
184                                         .daddr = iph->daddr,
185                                         .saddr = iph->saddr,
186                                         .tos = RT_TOS(iph->tos),
187                                 }
188                         },
189                         .mark = skb->mark,
190                 };
191                 struct rtable *rt;
192
193                 if (ip_route_output_key(net, &rt, &fl))
194                         return 0;
195                 if (!(rt->rt_flags & RTCF_LOCAL)) {
196                         ip_rt_put(rt);
197                         return 0;
198                 }
199                 /* Drop old route. */
200                 skb_dst_drop(skb);
201                 skb_dst_set(skb, &rt->dst);
202         }
203         return 1;
204 }
205
206 #ifdef CONFIG_IP_VS_IPV6
207
208 static inline int __ip_vs_is_local_route6(struct rt6_info *rt)
209 {
210         return rt->rt6i_dev && rt->rt6i_dev->flags & IFF_LOOPBACK;
211 }
212
213 static struct dst_entry *
214 __ip_vs_route_output_v6(struct net *net, struct in6_addr *daddr,
215                         struct in6_addr *ret_saddr, int do_xfrm)
216 {
217         struct dst_entry *dst;
218         struct flowi fl = {
219                 .oif = 0,
220                 .nl_u = {
221                         .ip6_u = {
222                                 .daddr = *daddr,
223                         },
224                 },
225         };
226
227         dst = ip6_route_output(net, NULL, &fl);
228         if (dst->error)
229                 goto out_err;
230         if (!ret_saddr)
231                 return dst;
232         if (ipv6_addr_any(&fl.fl6_src) &&
233             ipv6_dev_get_saddr(net, ip6_dst_idev(dst)->dev,
234                                &fl.fl6_dst, 0, &fl.fl6_src) < 0)
235                 goto out_err;
236         if (do_xfrm && xfrm_lookup(net, &dst, &fl, NULL, 0) < 0)
237                 goto out_err;
238         ipv6_addr_copy(ret_saddr, &fl.fl6_src);
239         return dst;
240
241 out_err:
242         dst_release(dst);
243         IP_VS_DBG_RL("ip6_route_output error, dest: %pI6\n", daddr);
244         return NULL;
245 }
246
247 /*
248  * Get route to destination or remote server
249  * rt_mode: flags, &1=Allow local dest, &2=Allow non-local dest,
250  *          &4=Allow redirect from remote daddr to local
251  */
252 static struct rt6_info *
253 __ip_vs_get_out_rt_v6(struct sk_buff *skb, struct ip_vs_dest *dest,
254                       struct in6_addr *daddr, struct in6_addr *ret_saddr,
255                       int do_xfrm, int rt_mode)
256 {
257         struct net *net = dev_net(skb_dst(skb)->dev);
258         struct rt6_info *rt;                    /* Route to the other host */
259         struct rt6_info *ort;                   /* Original route */
260         struct dst_entry *dst;
261         int local;
262
263         if (dest) {
264                 spin_lock(&dest->dst_lock);
265                 rt = (struct rt6_info *)__ip_vs_dst_check(dest, 0);
266                 if (!rt) {
267                         u32 cookie;
268
269                         dst = __ip_vs_route_output_v6(net, &dest->addr.in6,
270                                                       &dest->dst_saddr,
271                                                       do_xfrm);
272                         if (!dst) {
273                                 spin_unlock(&dest->dst_lock);
274                                 return NULL;
275                         }
276                         rt = (struct rt6_info *) dst;
277                         cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
278                         __ip_vs_dst_set(dest, 0, dst_clone(&rt->dst), cookie);
279                         IP_VS_DBG(10, "new dst %pI6, src %pI6, refcnt=%d\n",
280                                   &dest->addr.in6, &dest->dst_saddr,
281                                   atomic_read(&rt->dst.__refcnt));
282                 }
283                 if (ret_saddr)
284                         ipv6_addr_copy(ret_saddr, &dest->dst_saddr);
285                 spin_unlock(&dest->dst_lock);
286         } else {
287                 dst = __ip_vs_route_output_v6(net, daddr, ret_saddr, do_xfrm);
288                 if (!dst)
289                         return NULL;
290                 rt = (struct rt6_info *) dst;
291         }
292
293         local = __ip_vs_is_local_route6(rt);
294         if (!((local ? 1 : 2) & rt_mode)) {
295                 IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI6\n",
296                              local ? "local":"non-local", daddr);
297                 dst_release(&rt->dst);
298                 return NULL;
299         }
300         if (local && !(rt_mode & 4) &&
301             !((ort = (struct rt6_info *) skb_dst(skb)) &&
302               __ip_vs_is_local_route6(ort))) {
303                 IP_VS_DBG_RL("Redirect from non-local address %pI6 to local "
304                              "requires NAT method, dest: %pI6\n",
305                              &ipv6_hdr(skb)->daddr, daddr);
306                 dst_release(&rt->dst);
307                 return NULL;
308         }
309         if (unlikely(!local && (!skb->dev || skb->dev->flags & IFF_LOOPBACK) &&
310                      ipv6_addr_type(&ipv6_hdr(skb)->saddr) &
311                                     IPV6_ADDR_LOOPBACK)) {
312                 IP_VS_DBG_RL("Stopping traffic from loopback address %pI6 "
313                              "to non-local address, dest: %pI6\n",
314                              &ipv6_hdr(skb)->saddr, daddr);
315                 dst_release(&rt->dst);
316                 return NULL;
317         }
318
319         return rt;
320 }
321 #endif
322
323
324 /*
325  *      Release dest->dst_cache before a dest is removed
326  */
327 void
328 ip_vs_dst_reset(struct ip_vs_dest *dest)
329 {
330         struct dst_entry *old_dst;
331
332         old_dst = dest->dst_cache;
333         dest->dst_cache = NULL;
334         dst_release(old_dst);
335 }
336
337 #define IP_VS_XMIT_TUNNEL(skb, cp)                              \
338 ({                                                              \
339         int __ret = NF_ACCEPT;                                  \
340                                                                 \
341         (skb)->ipvs_property = 1;                               \
342         if (unlikely((cp)->flags & IP_VS_CONN_F_NFCT))          \
343                 __ret = ip_vs_confirm_conntrack(skb, cp);       \
344         if (__ret == NF_ACCEPT) {                               \
345                 nf_reset(skb);                                  \
346                 skb_forward_csum(skb);                          \
347         }                                                       \
348         __ret;                                                  \
349 })
350
351 #define IP_VS_XMIT_NAT(pf, skb, cp, local)              \
352 do {                                                    \
353         (skb)->ipvs_property = 1;                       \
354         if (likely(!((cp)->flags & IP_VS_CONN_F_NFCT))) \
355                 ip_vs_notrack(skb);                     \
356         else                                            \
357                 ip_vs_update_conntrack(skb, cp, 1);     \
358         if (local)                                      \
359                 return NF_ACCEPT;                       \
360         skb_forward_csum(skb);                          \
361         NF_HOOK(pf, NF_INET_LOCAL_OUT, (skb), NULL,     \
362                 skb_dst(skb)->dev, dst_output);         \
363 } while (0)
364
365 #define IP_VS_XMIT(pf, skb, cp, local)                  \
366 do {                                                    \
367         (skb)->ipvs_property = 1;                       \
368         if (likely(!((cp)->flags & IP_VS_CONN_F_NFCT))) \
369                 ip_vs_notrack(skb);                     \
370         if (local)                                      \
371                 return NF_ACCEPT;                       \
372         skb_forward_csum(skb);                          \
373         NF_HOOK(pf, NF_INET_LOCAL_OUT, (skb), NULL,     \
374                 skb_dst(skb)->dev, dst_output);         \
375 } while (0)
376
377
378 /*
379  *      NULL transmitter (do nothing except return NF_ACCEPT)
380  */
381 int
382 ip_vs_null_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
383                 struct ip_vs_protocol *pp)
384 {
385         /* we do not touch skb and do not need pskb ptr */
386         IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 1);
387 }
388
389
390 /*
391  *      Bypass transmitter
392  *      Let packets bypass the destination when the destination is not
393  *      available, it may be only used in transparent cache cluster.
394  */
395 int
396 ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
397                   struct ip_vs_protocol *pp)
398 {
399         struct rtable *rt;                      /* Route to the other host */
400         struct iphdr  *iph = ip_hdr(skb);
401         int    mtu;
402
403         EnterFunction(10);
404
405         if (!(rt = __ip_vs_get_out_rt(skb, NULL, iph->daddr,
406                                       RT_TOS(iph->tos), 2)))
407                 goto tx_error_icmp;
408
409         /* MTU checking */
410         mtu = dst_mtu(&rt->dst);
411         if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) {
412                 ip_rt_put(rt);
413                 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
414                 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
415                 goto tx_error;
416         }
417
418         /*
419          * Call ip_send_check because we are not sure it is called
420          * after ip_defrag. Is copy-on-write needed?
421          */
422         if (unlikely((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)) {
423                 ip_rt_put(rt);
424                 return NF_STOLEN;
425         }
426         ip_send_check(ip_hdr(skb));
427
428         /* drop old route */
429         skb_dst_drop(skb);
430         skb_dst_set(skb, &rt->dst);
431
432         /* Another hack: avoid icmp_send in ip_fragment */
433         skb->local_df = 1;
434
435         IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 0);
436
437         LeaveFunction(10);
438         return NF_STOLEN;
439
440  tx_error_icmp:
441         dst_link_failure(skb);
442  tx_error:
443         kfree_skb(skb);
444         LeaveFunction(10);
445         return NF_STOLEN;
446 }
447
448 #ifdef CONFIG_IP_VS_IPV6
449 int
450 ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
451                      struct ip_vs_protocol *pp)
452 {
453         struct rt6_info *rt;                    /* Route to the other host */
454         struct ipv6hdr  *iph = ipv6_hdr(skb);
455         int    mtu;
456
457         EnterFunction(10);
458
459         if (!(rt = __ip_vs_get_out_rt_v6(skb, NULL, &iph->daddr, NULL, 0, 2)))
460                 goto tx_error_icmp;
461
462         /* MTU checking */
463         mtu = dst_mtu(&rt->dst);
464         if (skb->len > mtu) {
465                 if (!skb->dev) {
466                         struct net *net = dev_net(skb_dst(skb)->dev);
467
468                         skb->dev = net->loopback_dev;
469                 }
470                 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
471                 dst_release(&rt->dst);
472                 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
473                 goto tx_error;
474         }
475
476         /*
477          * Call ip_send_check because we are not sure it is called
478          * after ip_defrag. Is copy-on-write needed?
479          */
480         skb = skb_share_check(skb, GFP_ATOMIC);
481         if (unlikely(skb == NULL)) {
482                 dst_release(&rt->dst);
483                 return NF_STOLEN;
484         }
485
486         /* drop old route */
487         skb_dst_drop(skb);
488         skb_dst_set(skb, &rt->dst);
489
490         /* Another hack: avoid icmp_send in ip_fragment */
491         skb->local_df = 1;
492
493         IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 0);
494
495         LeaveFunction(10);
496         return NF_STOLEN;
497
498  tx_error_icmp:
499         dst_link_failure(skb);
500  tx_error:
501         kfree_skb(skb);
502         LeaveFunction(10);
503         return NF_STOLEN;
504 }
505 #endif
506
507 /*
508  *      NAT transmitter (only for outside-to-inside nat forwarding)
509  *      Not used for related ICMP
510  */
511 int
512 ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
513                struct ip_vs_protocol *pp)
514 {
515         struct rtable *rt;              /* Route to the other host */
516         int mtu;
517         struct iphdr *iph = ip_hdr(skb);
518         int local;
519
520         EnterFunction(10);
521
522         /* check if it is a connection of no-client-port */
523         if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {
524                 __be16 _pt, *p;
525                 p = skb_header_pointer(skb, iph->ihl*4, sizeof(_pt), &_pt);
526                 if (p == NULL)
527                         goto tx_error;
528                 ip_vs_conn_fill_cport(cp, *p);
529                 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
530         }
531
532         if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
533                                       RT_TOS(iph->tos), 1|2|4)))
534                 goto tx_error_icmp;
535         local = rt->rt_flags & RTCF_LOCAL;
536         /*
537          * Avoid duplicate tuple in reply direction for NAT traffic
538          * to local address when connection is sync-ed
539          */
540 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
541         if (cp->flags & IP_VS_CONN_F_SYNC && local) {
542                 enum ip_conntrack_info ctinfo;
543                 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
544
545                 if (ct && !nf_ct_is_untracked(ct)) {
546                         IP_VS_DBG_RL_PKT(10, AF_INET, pp, skb, 0,
547                                          "ip_vs_nat_xmit(): "
548                                          "stopping DNAT to local address");
549                         goto tx_error_put;
550                 }
551         }
552 #endif
553
554         /* From world but DNAT to loopback address? */
555         if (local && ipv4_is_loopback(rt->rt_dst) &&
556             rt_is_input_route(skb_rtable(skb))) {
557                 IP_VS_DBG_RL_PKT(1, AF_INET, pp, skb, 0, "ip_vs_nat_xmit(): "
558                                  "stopping DNAT to loopback address");
559                 goto tx_error_put;
560         }
561
562         /* MTU checking */
563         mtu = dst_mtu(&rt->dst);
564         if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) {
565                 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
566                 IP_VS_DBG_RL_PKT(0, AF_INET, pp, skb, 0,
567                                  "ip_vs_nat_xmit(): frag needed for");
568                 goto tx_error_put;
569         }
570
571         /* copy-on-write the packet before mangling it */
572         if (!skb_make_writable(skb, sizeof(struct iphdr)))
573                 goto tx_error_put;
574
575         if (skb_cow(skb, rt->dst.dev->hard_header_len))
576                 goto tx_error_put;
577
578         /* mangle the packet */
579         if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp))
580                 goto tx_error_put;
581         ip_hdr(skb)->daddr = cp->daddr.ip;
582         ip_send_check(ip_hdr(skb));
583
584         if (!local) {
585                 /* drop old route */
586                 skb_dst_drop(skb);
587                 skb_dst_set(skb, &rt->dst);
588         } else {
589                 ip_rt_put(rt);
590                 /*
591                  * Some IPv4 replies get local address from routes,
592                  * not from iph, so while we DNAT after routing
593                  * we need this second input/output route.
594                  */
595                 if (!__ip_vs_reroute_locally(skb))
596                         goto tx_error;
597         }
598
599         IP_VS_DBG_PKT(10, AF_INET, pp, skb, 0, "After DNAT");
600
601         /* FIXME: when application helper enlarges the packet and the length
602            is larger than the MTU of outgoing device, there will be still
603            MTU problem. */
604
605         /* Another hack: avoid icmp_send in ip_fragment */
606         skb->local_df = 1;
607
608         IP_VS_XMIT_NAT(NFPROTO_IPV4, skb, cp, local);
609
610         LeaveFunction(10);
611         return NF_STOLEN;
612
613   tx_error_icmp:
614         dst_link_failure(skb);
615   tx_error:
616         kfree_skb(skb);
617         LeaveFunction(10);
618         return NF_STOLEN;
619   tx_error_put:
620         ip_rt_put(rt);
621         goto tx_error;
622 }
623
624 #ifdef CONFIG_IP_VS_IPV6
625 int
626 ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
627                   struct ip_vs_protocol *pp)
628 {
629         struct rt6_info *rt;            /* Route to the other host */
630         int mtu;
631         int local;
632
633         EnterFunction(10);
634
635         /* check if it is a connection of no-client-port */
636         if (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {
637                 __be16 _pt, *p;
638                 p = skb_header_pointer(skb, sizeof(struct ipv6hdr),
639                                        sizeof(_pt), &_pt);
640                 if (p == NULL)
641                         goto tx_error;
642                 ip_vs_conn_fill_cport(cp, *p);
643                 IP_VS_DBG(10, "filled cport=%d\n", ntohs(*p));
644         }
645
646         if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
647                                          0, 1|2|4)))
648                 goto tx_error_icmp;
649         local = __ip_vs_is_local_route6(rt);
650         /*
651          * Avoid duplicate tuple in reply direction for NAT traffic
652          * to local address when connection is sync-ed
653          */
654 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
655         if (cp->flags & IP_VS_CONN_F_SYNC && local) {
656                 enum ip_conntrack_info ctinfo;
657                 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
658
659                 if (ct && !nf_ct_is_untracked(ct)) {
660                         IP_VS_DBG_RL_PKT(10, AF_INET6, pp, skb, 0,
661                                          "ip_vs_nat_xmit_v6(): "
662                                          "stopping DNAT to local address");
663                         goto tx_error_put;
664                 }
665         }
666 #endif
667
668         /* From world but DNAT to loopback address? */
669         if (local && skb->dev && !(skb->dev->flags & IFF_LOOPBACK) &&
670             ipv6_addr_type(&rt->rt6i_dst.addr) & IPV6_ADDR_LOOPBACK) {
671                 IP_VS_DBG_RL_PKT(1, AF_INET6, pp, skb, 0,
672                                  "ip_vs_nat_xmit_v6(): "
673                                  "stopping DNAT to loopback address");
674                 goto tx_error_put;
675         }
676
677         /* MTU checking */
678         mtu = dst_mtu(&rt->dst);
679         if (skb->len > mtu) {
680                 if (!skb->dev) {
681                         struct net *net = dev_net(skb_dst(skb)->dev);
682
683                         skb->dev = net->loopback_dev;
684                 }
685                 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
686                 IP_VS_DBG_RL_PKT(0, AF_INET6, pp, skb, 0,
687                                  "ip_vs_nat_xmit_v6(): frag needed for");
688                 goto tx_error_put;
689         }
690
691         /* copy-on-write the packet before mangling it */
692         if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
693                 goto tx_error_put;
694
695         if (skb_cow(skb, rt->dst.dev->hard_header_len))
696                 goto tx_error_put;
697
698         /* mangle the packet */
699         if (pp->dnat_handler && !pp->dnat_handler(skb, pp, cp))
700                 goto tx_error;
701         ipv6_addr_copy(&ipv6_hdr(skb)->daddr, &cp->daddr.in6);
702
703         if (!local || !skb->dev) {
704                 /* drop the old route when skb is not shared */
705                 skb_dst_drop(skb);
706                 skb_dst_set(skb, &rt->dst);
707         } else {
708                 /* destined to loopback, do we need to change route? */
709                 dst_release(&rt->dst);
710         }
711
712         IP_VS_DBG_PKT(10, AF_INET6, pp, skb, 0, "After DNAT");
713
714         /* FIXME: when application helper enlarges the packet and the length
715            is larger than the MTU of outgoing device, there will be still
716            MTU problem. */
717
718         /* Another hack: avoid icmp_send in ip_fragment */
719         skb->local_df = 1;
720
721         IP_VS_XMIT_NAT(NFPROTO_IPV6, skb, cp, local);
722
723         LeaveFunction(10);
724         return NF_STOLEN;
725
726 tx_error_icmp:
727         dst_link_failure(skb);
728 tx_error:
729         LeaveFunction(10);
730         kfree_skb(skb);
731         return NF_STOLEN;
732 tx_error_put:
733         dst_release(&rt->dst);
734         goto tx_error;
735 }
736 #endif
737
738
739 /*
740  *   IP Tunneling transmitter
741  *
742  *   This function encapsulates the packet in a new IP packet, its
743  *   destination will be set to cp->daddr. Most code of this function
744  *   is taken from ipip.c.
745  *
746  *   It is used in VS/TUN cluster. The load balancer selects a real
747  *   server from a cluster based on a scheduling algorithm,
748  *   encapsulates the request packet and forwards it to the selected
749  *   server. For example, all real servers are configured with
750  *   "ifconfig tunl0 <Virtual IP Address> up". When the server receives
751  *   the encapsulated packet, it will decapsulate the packet, processe
752  *   the request and return the response packets directly to the client
753  *   without passing the load balancer. This can greatly increase the
754  *   scalability of virtual server.
755  *
756  *   Used for ANY protocol
757  */
758 int
759 ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
760                   struct ip_vs_protocol *pp)
761 {
762         struct rtable *rt;                      /* Route to the other host */
763         struct net_device *tdev;                /* Device to other host */
764         struct iphdr  *old_iph = ip_hdr(skb);
765         u8     tos = old_iph->tos;
766         __be16 df = old_iph->frag_off;
767         struct iphdr  *iph;                     /* Our new IP header */
768         unsigned int max_headroom;              /* The extra header space needed */
769         int    mtu;
770         int ret;
771
772         EnterFunction(10);
773
774         if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
775                                       RT_TOS(tos), 1|2)))
776                 goto tx_error_icmp;
777         if (rt->rt_flags & RTCF_LOCAL) {
778                 ip_rt_put(rt);
779                 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 1);
780         }
781
782         tdev = rt->dst.dev;
783
784         mtu = dst_mtu(&rt->dst) - sizeof(struct iphdr);
785         if (mtu < 68) {
786                 IP_VS_DBG_RL("%s(): mtu less than 68\n", __func__);
787                 goto tx_error_put;
788         }
789         if (skb_dst(skb))
790                 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), mtu);
791
792         df |= (old_iph->frag_off & htons(IP_DF));
793
794         if ((old_iph->frag_off & htons(IP_DF))
795             && mtu < ntohs(old_iph->tot_len)) {
796                 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
797                 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
798                 goto tx_error_put;
799         }
800
801         /*
802          * Okay, now see if we can stuff it in the buffer as-is.
803          */
804         max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct iphdr);
805
806         if (skb_headroom(skb) < max_headroom
807             || skb_cloned(skb) || skb_shared(skb)) {
808                 struct sk_buff *new_skb =
809                         skb_realloc_headroom(skb, max_headroom);
810                 if (!new_skb) {
811                         ip_rt_put(rt);
812                         kfree_skb(skb);
813                         IP_VS_ERR_RL("%s(): no memory\n", __func__);
814                         return NF_STOLEN;
815                 }
816                 kfree_skb(skb);
817                 skb = new_skb;
818                 old_iph = ip_hdr(skb);
819         }
820
821         skb->transport_header = skb->network_header;
822
823         /* fix old IP header checksum */
824         ip_send_check(old_iph);
825
826         skb_push(skb, sizeof(struct iphdr));
827         skb_reset_network_header(skb);
828         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
829
830         /* drop old route */
831         skb_dst_drop(skb);
832         skb_dst_set(skb, &rt->dst);
833
834         /*
835          *      Push down and install the IPIP header.
836          */
837         iph                     =       ip_hdr(skb);
838         iph->version            =       4;
839         iph->ihl                =       sizeof(struct iphdr)>>2;
840         iph->frag_off           =       df;
841         iph->protocol           =       IPPROTO_IPIP;
842         iph->tos                =       tos;
843         iph->daddr              =       rt->rt_dst;
844         iph->saddr              =       rt->rt_src;
845         iph->ttl                =       old_iph->ttl;
846         ip_select_ident(iph, &rt->dst, NULL);
847
848         /* Another hack: avoid icmp_send in ip_fragment */
849         skb->local_df = 1;
850
851         ret = IP_VS_XMIT_TUNNEL(skb, cp);
852         if (ret == NF_ACCEPT)
853                 ip_local_out(skb);
854         else if (ret == NF_DROP)
855                 kfree_skb(skb);
856
857         LeaveFunction(10);
858
859         return NF_STOLEN;
860
861   tx_error_icmp:
862         dst_link_failure(skb);
863   tx_error:
864         kfree_skb(skb);
865         LeaveFunction(10);
866         return NF_STOLEN;
867 tx_error_put:
868         ip_rt_put(rt);
869         goto tx_error;
870 }
871
872 #ifdef CONFIG_IP_VS_IPV6
873 int
874 ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
875                      struct ip_vs_protocol *pp)
876 {
877         struct rt6_info *rt;            /* Route to the other host */
878         struct in6_addr saddr;          /* Source for tunnel */
879         struct net_device *tdev;        /* Device to other host */
880         struct ipv6hdr  *old_iph = ipv6_hdr(skb);
881         struct ipv6hdr  *iph;           /* Our new IP header */
882         unsigned int max_headroom;      /* The extra header space needed */
883         int    mtu;
884         int ret;
885
886         EnterFunction(10);
887
888         if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6,
889                                          &saddr, 1, 1|2)))
890                 goto tx_error_icmp;
891         if (__ip_vs_is_local_route6(rt)) {
892                 dst_release(&rt->dst);
893                 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 1);
894         }
895
896         tdev = rt->dst.dev;
897
898         mtu = dst_mtu(&rt->dst) - sizeof(struct ipv6hdr);
899         if (mtu < IPV6_MIN_MTU) {
900                 IP_VS_DBG_RL("%s(): mtu less than %d\n", __func__,
901                              IPV6_MIN_MTU);
902                 goto tx_error_put;
903         }
904         if (skb_dst(skb))
905                 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), mtu);
906
907         if (mtu < ntohs(old_iph->payload_len) + sizeof(struct ipv6hdr)) {
908                 if (!skb->dev) {
909                         struct net *net = dev_net(skb_dst(skb)->dev);
910
911                         skb->dev = net->loopback_dev;
912                 }
913                 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
914                 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
915                 goto tx_error_put;
916         }
917
918         /*
919          * Okay, now see if we can stuff it in the buffer as-is.
920          */
921         max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct ipv6hdr);
922
923         if (skb_headroom(skb) < max_headroom
924             || skb_cloned(skb) || skb_shared(skb)) {
925                 struct sk_buff *new_skb =
926                         skb_realloc_headroom(skb, max_headroom);
927                 if (!new_skb) {
928                         dst_release(&rt->dst);
929                         kfree_skb(skb);
930                         IP_VS_ERR_RL("%s(): no memory\n", __func__);
931                         return NF_STOLEN;
932                 }
933                 kfree_skb(skb);
934                 skb = new_skb;
935                 old_iph = ipv6_hdr(skb);
936         }
937
938         skb->transport_header = skb->network_header;
939
940         skb_push(skb, sizeof(struct ipv6hdr));
941         skb_reset_network_header(skb);
942         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
943
944         /* drop old route */
945         skb_dst_drop(skb);
946         skb_dst_set(skb, &rt->dst);
947
948         /*
949          *      Push down and install the IPIP header.
950          */
951         iph                     =       ipv6_hdr(skb);
952         iph->version            =       6;
953         iph->nexthdr            =       IPPROTO_IPV6;
954         iph->payload_len        =       old_iph->payload_len;
955         be16_add_cpu(&iph->payload_len, sizeof(*old_iph));
956         iph->priority           =       old_iph->priority;
957         memset(&iph->flow_lbl, 0, sizeof(iph->flow_lbl));
958         ipv6_addr_copy(&iph->daddr, &cp->daddr.in6);
959         ipv6_addr_copy(&iph->saddr, &saddr);
960         iph->hop_limit          =       old_iph->hop_limit;
961
962         /* Another hack: avoid icmp_send in ip_fragment */
963         skb->local_df = 1;
964
965         ret = IP_VS_XMIT_TUNNEL(skb, cp);
966         if (ret == NF_ACCEPT)
967                 ip6_local_out(skb);
968         else if (ret == NF_DROP)
969                 kfree_skb(skb);
970
971         LeaveFunction(10);
972
973         return NF_STOLEN;
974
975 tx_error_icmp:
976         dst_link_failure(skb);
977 tx_error:
978         kfree_skb(skb);
979         LeaveFunction(10);
980         return NF_STOLEN;
981 tx_error_put:
982         dst_release(&rt->dst);
983         goto tx_error;
984 }
985 #endif
986
987
988 /*
989  *      Direct Routing transmitter
990  *      Used for ANY protocol
991  */
992 int
993 ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
994               struct ip_vs_protocol *pp)
995 {
996         struct rtable *rt;                      /* Route to the other host */
997         struct iphdr  *iph = ip_hdr(skb);
998         int    mtu;
999
1000         EnterFunction(10);
1001
1002         if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
1003                                       RT_TOS(iph->tos), 1|2)))
1004                 goto tx_error_icmp;
1005         if (rt->rt_flags & RTCF_LOCAL) {
1006                 ip_rt_put(rt);
1007                 IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 1);
1008         }
1009
1010         /* MTU checking */
1011         mtu = dst_mtu(&rt->dst);
1012         if ((iph->frag_off & htons(IP_DF)) && skb->len > mtu) {
1013                 icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
1014                 ip_rt_put(rt);
1015                 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1016                 goto tx_error;
1017         }
1018
1019         /*
1020          * Call ip_send_check because we are not sure it is called
1021          * after ip_defrag. Is copy-on-write needed?
1022          */
1023         if (unlikely((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)) {
1024                 ip_rt_put(rt);
1025                 return NF_STOLEN;
1026         }
1027         ip_send_check(ip_hdr(skb));
1028
1029         /* drop old route */
1030         skb_dst_drop(skb);
1031         skb_dst_set(skb, &rt->dst);
1032
1033         /* Another hack: avoid icmp_send in ip_fragment */
1034         skb->local_df = 1;
1035
1036         IP_VS_XMIT(NFPROTO_IPV4, skb, cp, 0);
1037
1038         LeaveFunction(10);
1039         return NF_STOLEN;
1040
1041   tx_error_icmp:
1042         dst_link_failure(skb);
1043   tx_error:
1044         kfree_skb(skb);
1045         LeaveFunction(10);
1046         return NF_STOLEN;
1047 }
1048
1049 #ifdef CONFIG_IP_VS_IPV6
1050 int
1051 ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
1052                  struct ip_vs_protocol *pp)
1053 {
1054         struct rt6_info *rt;                    /* Route to the other host */
1055         int    mtu;
1056
1057         EnterFunction(10);
1058
1059         if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
1060                                          0, 1|2)))
1061                 goto tx_error_icmp;
1062         if (__ip_vs_is_local_route6(rt)) {
1063                 dst_release(&rt->dst);
1064                 IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 1);
1065         }
1066
1067         /* MTU checking */
1068         mtu = dst_mtu(&rt->dst);
1069         if (skb->len > mtu) {
1070                 if (!skb->dev) {
1071                         struct net *net = dev_net(skb_dst(skb)->dev);
1072
1073                         skb->dev = net->loopback_dev;
1074                 }
1075                 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
1076                 dst_release(&rt->dst);
1077                 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1078                 goto tx_error;
1079         }
1080
1081         /*
1082          * Call ip_send_check because we are not sure it is called
1083          * after ip_defrag. Is copy-on-write needed?
1084          */
1085         skb = skb_share_check(skb, GFP_ATOMIC);
1086         if (unlikely(skb == NULL)) {
1087                 dst_release(&rt->dst);
1088                 return NF_STOLEN;
1089         }
1090
1091         /* drop old route */
1092         skb_dst_drop(skb);
1093         skb_dst_set(skb, &rt->dst);
1094
1095         /* Another hack: avoid icmp_send in ip_fragment */
1096         skb->local_df = 1;
1097
1098         IP_VS_XMIT(NFPROTO_IPV6, skb, cp, 0);
1099
1100         LeaveFunction(10);
1101         return NF_STOLEN;
1102
1103 tx_error_icmp:
1104         dst_link_failure(skb);
1105 tx_error:
1106         kfree_skb(skb);
1107         LeaveFunction(10);
1108         return NF_STOLEN;
1109 }
1110 #endif
1111
1112
1113 /*
1114  *      ICMP packet transmitter
1115  *      called by the ip_vs_in_icmp
1116  */
1117 int
1118 ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
1119                 struct ip_vs_protocol *pp, int offset)
1120 {
1121         struct rtable   *rt;    /* Route to the other host */
1122         int mtu;
1123         int rc;
1124         int local;
1125
1126         EnterFunction(10);
1127
1128         /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
1129            forwarded directly here, because there is no need to
1130            translate address/port back */
1131         if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
1132                 if (cp->packet_xmit)
1133                         rc = cp->packet_xmit(skb, cp, pp);
1134                 else
1135                         rc = NF_ACCEPT;
1136                 /* do not touch skb anymore */
1137                 atomic_inc(&cp->in_pkts);
1138                 goto out;
1139         }
1140
1141         /*
1142          * mangle and send the packet here (only for VS/NAT)
1143          */
1144
1145         if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
1146                                       RT_TOS(ip_hdr(skb)->tos), 1|2|4)))
1147                 goto tx_error_icmp;
1148         local = rt->rt_flags & RTCF_LOCAL;
1149
1150         /*
1151          * Avoid duplicate tuple in reply direction for NAT traffic
1152          * to local address when connection is sync-ed
1153          */
1154 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
1155         if (cp->flags & IP_VS_CONN_F_SYNC && local) {
1156                 enum ip_conntrack_info ctinfo;
1157                 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
1158
1159                 if (ct && !nf_ct_is_untracked(ct)) {
1160                         IP_VS_DBG(10, "%s(): "
1161                                   "stopping DNAT to local address %pI4\n",
1162                                   __func__, &cp->daddr.ip);
1163                         goto tx_error_put;
1164                 }
1165         }
1166 #endif
1167
1168         /* From world but DNAT to loopback address? */
1169         if (local && ipv4_is_loopback(rt->rt_dst) &&
1170             rt_is_input_route(skb_rtable(skb))) {
1171                 IP_VS_DBG(1, "%s(): "
1172                           "stopping DNAT to loopback %pI4\n",
1173                           __func__, &cp->daddr.ip);
1174                 goto tx_error_put;
1175         }
1176
1177         /* MTU checking */
1178         mtu = dst_mtu(&rt->dst);
1179         if ((skb->len > mtu) && (ip_hdr(skb)->frag_off & htons(IP_DF))) {
1180                 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
1181                 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1182                 goto tx_error_put;
1183         }
1184
1185         /* copy-on-write the packet before mangling it */
1186         if (!skb_make_writable(skb, offset))
1187                 goto tx_error_put;
1188
1189         if (skb_cow(skb, rt->dst.dev->hard_header_len))
1190                 goto tx_error_put;
1191
1192         ip_vs_nat_icmp(skb, pp, cp, 0);
1193
1194         if (!local) {
1195                 /* drop the old route when skb is not shared */
1196                 skb_dst_drop(skb);
1197                 skb_dst_set(skb, &rt->dst);
1198         } else {
1199                 ip_rt_put(rt);
1200                 /*
1201                  * Some IPv4 replies get local address from routes,
1202                  * not from iph, so while we DNAT after routing
1203                  * we need this second input/output route.
1204                  */
1205                 if (!__ip_vs_reroute_locally(skb))
1206                         goto tx_error;
1207         }
1208
1209         /* Another hack: avoid icmp_send in ip_fragment */
1210         skb->local_df = 1;
1211
1212         IP_VS_XMIT_NAT(NFPROTO_IPV4, skb, cp, local);
1213
1214         rc = NF_STOLEN;
1215         goto out;
1216
1217   tx_error_icmp:
1218         dst_link_failure(skb);
1219   tx_error:
1220         dev_kfree_skb(skb);
1221         rc = NF_STOLEN;
1222   out:
1223         LeaveFunction(10);
1224         return rc;
1225   tx_error_put:
1226         ip_rt_put(rt);
1227         goto tx_error;
1228 }
1229
1230 #ifdef CONFIG_IP_VS_IPV6
1231 int
1232 ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
1233                 struct ip_vs_protocol *pp, int offset)
1234 {
1235         struct rt6_info *rt;    /* Route to the other host */
1236         int mtu;
1237         int rc;
1238         int local;
1239
1240         EnterFunction(10);
1241
1242         /* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
1243            forwarded directly here, because there is no need to
1244            translate address/port back */
1245         if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
1246                 if (cp->packet_xmit)
1247                         rc = cp->packet_xmit(skb, cp, pp);
1248                 else
1249                         rc = NF_ACCEPT;
1250                 /* do not touch skb anymore */
1251                 atomic_inc(&cp->in_pkts);
1252                 goto out;
1253         }
1254
1255         /*
1256          * mangle and send the packet here (only for VS/NAT)
1257          */
1258
1259         if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
1260                                          0, 1|2|4)))
1261                 goto tx_error_icmp;
1262
1263         local = __ip_vs_is_local_route6(rt);
1264         /*
1265          * Avoid duplicate tuple in reply direction for NAT traffic
1266          * to local address when connection is sync-ed
1267          */
1268 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
1269         if (cp->flags & IP_VS_CONN_F_SYNC && local) {
1270                 enum ip_conntrack_info ctinfo;
1271                 struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
1272
1273                 if (ct && !nf_ct_is_untracked(ct)) {
1274                         IP_VS_DBG(10, "%s(): "
1275                                   "stopping DNAT to local address %pI6\n",
1276                                   __func__, &cp->daddr.in6);
1277                         goto tx_error_put;
1278                 }
1279         }
1280 #endif
1281
1282         /* From world but DNAT to loopback address? */
1283         if (local && skb->dev && !(skb->dev->flags & IFF_LOOPBACK) &&
1284             ipv6_addr_type(&rt->rt6i_dst.addr) & IPV6_ADDR_LOOPBACK) {
1285                 IP_VS_DBG(1, "%s(): "
1286                           "stopping DNAT to loopback %pI6\n",
1287                           __func__, &cp->daddr.in6);
1288                 goto tx_error_put;
1289         }
1290
1291         /* MTU checking */
1292         mtu = dst_mtu(&rt->dst);
1293         if (skb->len > mtu) {
1294                 if (!skb->dev) {
1295                         struct net *net = dev_net(skb_dst(skb)->dev);
1296
1297                         skb->dev = net->loopback_dev;
1298                 }
1299                 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
1300                 IP_VS_DBG_RL("%s(): frag needed\n", __func__);
1301                 goto tx_error_put;
1302         }
1303
1304         /* copy-on-write the packet before mangling it */
1305         if (!skb_make_writable(skb, offset))
1306                 goto tx_error_put;
1307
1308         if (skb_cow(skb, rt->dst.dev->hard_header_len))
1309                 goto tx_error_put;
1310
1311         ip_vs_nat_icmp_v6(skb, pp, cp, 0);
1312
1313         if (!local || !skb->dev) {
1314                 /* drop the old route when skb is not shared */
1315                 skb_dst_drop(skb);
1316                 skb_dst_set(skb, &rt->dst);
1317         } else {
1318                 /* destined to loopback, do we need to change route? */
1319                 dst_release(&rt->dst);
1320         }
1321
1322         /* Another hack: avoid icmp_send in ip_fragment */
1323         skb->local_df = 1;
1324
1325         IP_VS_XMIT_NAT(NFPROTO_IPV6, skb, cp, local);
1326
1327         rc = NF_STOLEN;
1328         goto out;
1329
1330 tx_error_icmp:
1331         dst_link_failure(skb);
1332 tx_error:
1333         dev_kfree_skb(skb);
1334         rc = NF_STOLEN;
1335 out:
1336         LeaveFunction(10);
1337         return rc;
1338 tx_error_put:
1339         dst_release(&rt->dst);
1340         goto tx_error;
1341 }
1342 #endif