ip_vs实现分析(2)

本文档的Copyleft归yfydz所有，使用GPL发布，可以自由拷贝，转载，转载时请保持文档的完整性，严禁用于任何商业用途。
msn: yfydz_no1@hotmail.com
来源：http://yfydz.cublog.cn

4. 模块初始化

初始化函数先初始化ipvs的各种处理机制，然后将ipvs的处理函数挂接到netfilter架构中。

/* net/ipv4/ipvs/ip_vs_core.c */

static int __init ip_vs_init(void)
{
 int ret;
// ioctl初始化
 ret = ip_vs_control_init();
 if (ret < 0) {
  IP_VS_ERR("can't setup control.\n");
  goto cleanup_nothing;
 }
// 协议初始化
 ip_vs_protocol_init();

// 应用层辅助协议初始化
 ret = ip_vs_app_init();
 if (ret < 0) {
  IP_VS_ERR("can't setup application helper.\n");
  goto cleanup_protocol;
 }

// ipvs连接初始化
 ret = ip_vs_conn_init();
 if (ret < 0) {
  IP_VS_ERR("can't setup connection table.\n");
  goto cleanup_app;
 }

// 下面分别挂接各个处理点到netfilter架构中
 ret = nf_register_hook(&ip_vs_in_ops);
 if (ret < 0) {
  IP_VS_ERR("can't register in hook.\n");
  goto cleanup_conn;
 }

ret = nf_register_hook(&ip_vs_out_ops);
 if (ret < 0) {
  IP_VS_ERR("can't register out hook.\n");
  goto cleanup_inops;
 }
 ret = nf_register_hook(&ip_vs_post_routing_ops);
 if (ret < 0) {
  IP_VS_ERR("can't register post_routing hook.\n");
  goto cleanup_outops;
 }
 ret = nf_register_hook(&ip_vs_forward_icmp_ops);
 if (ret < 0) {
  IP_VS_ERR("can't register forward_icmp hook.\n");
  goto cleanup_postroutingops;
 }

IP_VS_INFO("ipvs loaded.\n");
 return ret;
// 以下是如果初始化出现失败时依次进行释放
  cleanup_postroutingops:
 nf_unregister_hook(&ip_vs_post_routing_ops);
  cleanup_outops:
 nf_unregister_hook(&ip_vs_out_ops);
  cleanup_inops:
 nf_unregister_hook(&ip_vs_in_ops);
  cleanup_conn:
 ip_vs_conn_cleanup();
  cleanup_app:
 ip_vs_app_cleanup();
  cleanup_protocol:
 ip_vs_protocol_cleanup();
 ip_vs_control_cleanup();
  cleanup_nothing:
 return ret;
}

4.1 ip_vs_control_init

/* net/ipv4/ipvs/ip_vs_ctl.c */
int ip_vs_control_init(void)
{
 int ret;
 int idx;

EnterFunction(2);

// 登记ipvs的sockopt控制,这样用户空间可通过setsockopt函数来和ipvs进行通信
 ret = nf_register_sockopt(&ip_vs_sockopts);
 if (ret) {
  IP_VS_ERR("cannot register sockopt.\n");
  return ret;
 }

// 建立/proc/net/ip_vs和/proc/net/ip_vs_stats只读项
 proc_net_fops_create("ip_vs", 0, &ip_vs_info_fops);
 proc_net_fops_create("ip_vs_stats",0, &ip_vs_stats_fops);

// 建立/proc/sys/net/ipv4/vs目录下的各可读写控制参数
 sysctl_header = register_sysctl_table(vs_root_table, 0);

// 初始化各种双向链表
// svc_table是根据协议地址端口等信息进行服务结构struct ip_vs_service查找的HASH表
// svc_fwm_table是根据数据包的nfmark信息进行服务结构struct ip_vs_service查找的HASH表
 /* Initialize ip_vs_svc_table, ip_vs_svc_fwm_table, ip_vs_rtable */
 for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++)  {
  INIT_LIST_HEAD(&ip_vs_svc_table[idx]);
  INIT_LIST_HEAD(&ip_vs_svc_fwm_table[idx]);
 }
// rtable是目的结构struct ip_vs_dest的HASH链表
 for(idx = 0; idx < IP_VS_RTAB_SIZE; idx++)  {
  INIT_LIST_HEAD(&ip_vs_rtable[idx]);
 }

// ipvs统计信息
 memset(&ip_vs_stats, 0, sizeof(ip_vs_stats));
// 统计锁
 spin_lock_init(&ip_vs_stats.lock);
// 对当前统计信息建立一个预估器,可用于计算服务器的性能参数
 ip_vs_new_estimator(&ip_vs_stats);

/* Hook the defense timer */
// 挂一个定时操作，根据系统当前负载情况定时调整系统参数
 schedule_delayed_work(&defense_work, DEFENSE_TIMER_PERIOD);

LeaveFunction(2);
 return 0;
}

4.2 ip_vs_protocol_init

/* net/ipv4/ipvs/ip_vs_proto.c */
int ip_vs_protocol_init(void)
{
// 挂接ipvs能进行均衡处理的各种协议,目前支持TCP/UDP/AH/ESP
// 最好还要增加GRE,在PPTP服务器中使用
 char protocols[64];
#define REGISTER_PROTOCOL(p)   \
 do {     \
  register_ip_vs_protocol(p); \
  strcat(protocols, ", "); \
  strcat(protocols, (p)->name); \
 } while (0)

// 0,1字符是给", "预留的
 protocols[0] = '\0';
 protocols[2] = '\0';

// 登记各种协议
#ifdef CONFIG_IP_VS_PROTO_TCP
 REGISTER_PROTOCOL(&ip_vs_protocol_tcp);
#endif
#ifdef CONFIG_IP_VS_PROTO_UDP
 REGISTER_PROTOCOL(&ip_vs_protocol_udp);
#endif
#ifdef CONFIG_IP_VS_PROTO_AH
 REGISTER_PROTOCOL(&ip_vs_protocol_ah);
#endif
#ifdef CONFIG_IP_VS_PROTO_ESP
 REGISTER_PROTOCOL(&ip_vs_protocol_esp);
#endif
// 第0,1字符分别为逗号','和空格' ',从第2字符起才是真正数据串
 IP_VS_INFO("Registered protocols (%s)\n", &protocols[2]);

return 0;
}

register_ip_vs_protocol()函数就是把ip_vs_protocol结构挂接到协议HASH表中，不过其实没几个协议，没必要用HASH，直接数组就行了，Linux内核中缺省好象也只支持32种IP协议。

/*
 * register an ipvs protocol
 */
static int register_ip_vs_protocol(struct ip_vs_protocol *pp)
{
 unsigned hash = IP_VS_PROTO_HASH(pp->protocol);

// 把新协议节点挂接到HASH链表头
 pp->next = ip_vs_proto_table[hash];
 ip_vs_proto_table[hash] = pp;

// 调用该协议的初始化函数
 if (pp->init != NULL)
  pp->init(pp);

return 0;
}

4.3 ip_vs_app_init

IPVS应用初始化

/* net/ipv4/ipvs/ip_vs_app.c */
int ip_vs_app_init(void)
{
 /* we will replace it with proc_net_ipvs_create() soon */
// 该函数就是建立一个/proc/net/ip_vs_app项
 proc_net_fops_create("ip_vs_app", 0, &ip_vs_app_fops);
 return 0;
}

4.4 ip_vs_conn_init

IPVS连接初始化

/* net/ipv4/ipvs/ip_vs_conn.c */
int ip_vs_conn_init(void)
{
 int idx;

/*
  * Allocate the connection hash table and initialize its list heads
  */
// ipvs连接HASH表
 ip_vs_conn_tab = vmalloc(IP_VS_CONN_TAB_SIZE*sizeof(struct list_head));
 if (!ip_vs_conn_tab)
  return -ENOMEM;

/* Allocate ip_vs_conn slab cache */
// ipvs连接cache,由于使用cache在内存块释放时并不真正释放，而是cache起来，
// 因此重新分配时速度更快
 ip_vs_conn_cachep = kmem_cache_create("ip_vs_conn",
           sizeof(struct ip_vs_conn), 0,
           SLAB_HWCACHE_ALIGN, NULL, NULL);
 if (!ip_vs_conn_cachep) {
  vfree(ip_vs_conn_tab);
  return -ENOMEM;
 }

IP_VS_INFO("Connection hash table configured "
     "(size=%d, memory=%ldKbytes)\n",
     IP_VS_CONN_TAB_SIZE,
     (long)(IP_VS_CONN_TAB_SIZE*sizeof(struct list_head))/1024);
 IP_VS_DBG(0, "Each connection entry needs %Zd bytes at least\n",
    sizeof(struct ip_vs_conn));
// 初始化各HASH链表头
 for (idx = 0; idx < IP_VS_CONN_TAB_SIZE; idx++) {
  INIT_LIST_HEAD(&ip_vs_conn_tab[idx]);
 }
// 初始化各读写锁
 for (idx = 0; idx < CT_LOCKARRAY_SIZE; idx++)  {
  rwlock_init(&__ip_vs_conntbl_lock_array[idx].l);
 }

// 建立/proc/net/ip_vs_conn项
 proc_net_fops_create("ip_vs_conn", 0, &ip_vs_conn_fops);

/* calculate the random value for connection hash */
// 初始随机数
 get_random_bytes(&ip_vs_conn_rnd, sizeof(ip_vs_conn_rnd));

return 0;
}

4.5 netfilter挂接点

nf_hook_ops分别在FORWARD点挂2个, INPUT点和POST_ROUTING点各挂一个

/* net/ipv4/ipvs/ip_vs_core.c */

4.5.1 ip_vs_in_ops

/* After packet filtering, forward packet through VS/DR, VS/TUN,
   or VS/NAT(change destination), so that filtering rules can be
   applied to IPVS. */
static struct nf_hook_ops ip_vs_in_ops = {
 .hook  = ip_vs_in,
 .owner  = THIS_MODULE,
 .pf  = PF_INET,
// INPUT点
 .hooknum        = NF_IP_LOCAL_IN,
// 此优先级低于filter
 .priority       = 100,
};

ip_vs_in()这个函数对进入本机的包进行处理.

/* net/ipv4/ipvs/ip_vs_core.c */

/*
 * Check if it's for virtual services, look it up,
 * and send it on its way...
 */
static unsigned int
ip_vs_in(unsigned int hooknum, struct sk_buff **pskb,
  const struct net_device *in, const struct net_device *out,
  int (*okfn)(struct sk_buff *))
{
 struct sk_buff *skb = *pskb;
 struct iphdr *iph;
 struct ip_vs_protocol *pp;
 struct ip_vs_conn *cp;
 int ret, restart;
 int ihl;

/*
  * Big tappo: only PACKET_HOST (neither loopback nor mcasts)
  * ... don't know why 1st test DOES NOT include 2nd (?)
  */
 if (unlikely(skb->pkt_type != PACKET_HOST
       || skb->dev == &loopback_dev || skb->sk)) {
// input不处理目的非本机的包
  IP_VS_DBG(12, "packet type=%d proto=%d daddr=%d.%d.%d.%d ignored\n",
     skb->pkt_type,
     skb->nh.iph->protocol,
     NIPQUAD(skb->nh.iph->daddr));
  return NF_ACCEPT;
 }

iph = skb->nh.iph;
 if (unlikely(iph->protocol == IPPROTO_ICMP)) {
// 如果是ICMP，可能是指示连接错误的ICMP信息，调用ip_vs_in_icmp进行检查
// 是否是相关的ICMP信息
  int related, verdict = ip_vs_in_icmp(pskb, &related, hooknum);

if (related)
   return verdict;
// 非相关ICMP，恢复处理流程
// 但其实ipvs是不均衡ICMP信息的，后面就返回了
  skb = *pskb;
  iph = skb->nh.iph;
 }

/* Protocol supported? */
// 获取协议支持模块，由于只支持TCP、UDP、AH和ESP，如果是ICMP，返回为NULL
 pp = ip_vs_proto_get(iph->protocol);
 if (unlikely(!pp))
  return NF_ACCEPT;

ihl = iph->ihl << 2;

/*
  * Check if the packet belongs to an existing connection entry
  */
// 找到和该skb相关的ipvs连接，类似netfilter的根据tuple查找连接，
// 不过sk_buff结构中没有增加nfct那样能直接指向连接的成员
// 对TCP协议来说是tcp_conn_in_get()
 cp = pp->conn_in_get(skb, pp, iph, ihl, 0);

if (unlikely(!cp)) {
  int v;
// 如果没有连接, 表明是新连接, 调用IPVS连接的conn_schedule调度连接分配和处理
// 连接调度要根据调度算法选择一个真实目的服务器，然后建立新的IPVS连接
// 对TCP协议来说是tcp_conn_schedule()
  if (!pp->conn_schedule(skb, pp, &v, &cp))
   return v;
 }

if (unlikely(!cp)) {
// 这种情况主要是没内存空间了，IPVS没提供主动删除连接的机制
  /* sorry, all this trouble for a no-hit :) */
  IP_VS_DBG_PKT(12, pp, skb, 0,
         "packet continues traversal as normal");
  return NF_ACCEPT;
 }

IP_VS_DBG_PKT(11, pp, skb, 0, "Incoming packet");

/* Check the server status */
 if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
  /* the destination server is not available */
// 对于目的服务器失效的包丢弃
  if (sysctl_ip_vs_expire_nodest_conn) {
   /* try to expire the connection immediately */
   ip_vs_conn_expire_now(cp);
  }
  /* don't restart its timer, and silently
     drop the packet. */
  __ip_vs_conn_put(cp);
  return NF_DROP;
 }
// 连接信息统计
 ip_vs_in_stats(cp, skb);

// 进行连接状态的迁移, restart这个参数其实没用
// 对TCP协议来说是调用tcp_state_transition
 restart = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp);

if (cp->packet_xmit)
// 将包发送出去, 具体xmit的实现在ip_vs_xmit.c中实现,
// NAT模式下为 ip_vs_nat_xmit;
// 通道模式下为 ip_vs_tunnel_xmit;
// 直接路由模式下为:  ip_vs_dr_xmit;
// 本机数据为: ip_vs_null_xmit;
// 旁路模式下为: ip_vs_bypass_xmit;
// 函数成功时基本都返回NF_STOLEN使netfilter不再处理该包
// 所以对于NAT模式，应该是不需要配置DNAT规则的，请求方向数据也不经过FORWARD链
  ret = cp->packet_xmit(skb, cp, pp);
  /* do not touch skb anymore */
 else {
  IP_VS_DBG_RL("warning: packet_xmit is null");
  ret = NF_ACCEPT;
 }

/* increase its packet counter and check if it is needed
    to be synchronized */
 atomic_inc(&cp->in_pkts);

// 在进行均衡器热备时将连接信息要从MASTER传递到SLAVE，使系统切换时
// 连接不丢弃，但还是要有一定条件才进行同步
 if ((ip_vs_sync_state & IP_VS_STATE_MASTER) &&
// 同步状态类型为主机
     (cp->protocol != IPPROTO_TCP ||
      cp->state == IP_VS_TCP_S_ESTABLISHED) &&
// 非TCP连接或是已经建立的连接
     (atomic_read(&cp->in_pkts) % sysctl_ip_vs_sync_threshold[1]
      == sysctl_ip_vs_sync_threshold[0]))
// 当前连接的包数为N*thres[1]+thres[0]时
// 进行连接的同步
  ip_vs_sync_conn(cp);
// 调整连接超时,释放连接计数
 ip_vs_conn_put(cp);
 return ret;
}

4.5.2 ip_vs_out_ops

/* After packet filtering, change source only for VS/NAT */
static struct nf_hook_ops ip_vs_out_ops = {
 .hook  = ip_vs_out,
 .owner  = THIS_MODULE,
 .pf  = PF_INET,
// FORWARD点
 .hooknum        = NF_IP_FORWARD,
// 此优先级低于filter
 .priority       = 100,
};

ip_vs_out()这个函数对转发包进行处理, 只用在NAT模式的均衡处理，TUNNEL和DR方式下都是直接发送了，实际处理的只是服务器返回的回应包，而客户端请求的包是不经过这里的，但如果设置了DNAT规则，数据包在PREROUTING点进行了目的地址修改，这样就不会再进入INPUT点而是直接转到FORWARD点处理，这时时针对该包的IPVS连接是没有建立的。

/* net/ipv4/ipvs/ip_vs_core.c */

/*
 * It is hooked at the NF_IP_FORWARD chain, used only for VS/NAT.
 * Check if outgoing packet belongs to the established ip_vs_conn,
 *      rewrite addresses of the packet and send it on its way...
 */
static unsigned int
ip_vs_out(unsigned int hooknum, struct sk_buff **pskb,
   const struct net_device *in, const struct net_device *out,
   int (*okfn)(struct sk_buff *))
{
 struct sk_buff  *skb = *pskb;
 struct iphdr *iph;
 struct ip_vs_protocol *pp;
 struct ip_vs_conn *cp;
 int ihl;

EnterFunction(11);
// 这个标志只占一位
// 标志设上就是已经经过IPVS处理了，直接返回
 if (skb->ipvs_property)
  return NF_ACCEPT;

iph = skb->nh.iph;
 if (unlikely(iph->protocol == IPPROTO_ICMP)) {
// 处理可能的连接相关ICMP错误信息,如地址端口不可达等
  int related, verdict = ip_vs_out_icmp(pskb, &related);

if (related)
   return verdict;
  skb = *pskb;
  iph = skb->nh.iph;
 }
// 取得IPVS协议, tcp/udp/ah/esp之一
 pp = ip_vs_proto_get(iph->protocol);
 if (unlikely(!pp))
  return NF_ACCEPT;

/* reassemble IP fragments */
 if (unlikely(iph->frag_off & __constant_htons(IP_MF|IP_OFFSET) &&
       !pp->dont_defrag)) {
// 如果是碎片包进行重组,基本不可能,因为数据包进入netfilter时就要进行碎片重组
  skb = ip_vs_gather_frags(skb, IP_DEFRAG_VS_OUT);
  if (!skb)
   return NF_STOLEN;
  iph = skb->nh.iph;
  *pskb = skb;
 }

ihl = iph->ihl << 2;

/*
  * Check if the packet belongs to an existing entry
  */
// 查找IPVS连接
 cp = pp->conn_out_get(skb, pp, iph, ihl, 0);

if (unlikely(!cp)) {
// 没找到IPVS连接,可能是请求方向的包经过DNAT过来的
  if (sysctl_ip_vs_nat_icmp_send &&
      (pp->protocol == IPPROTO_TCP ||
       pp->protocol == IPPROTO_UDP)) {
   __u16 _ports[2], *pptr;

pptr = skb_header_pointer(skb, ihl,
        sizeof(_ports), _ports);
   if (pptr == NULL)
    return NF_ACCEPT; /* Not for me */
// 用源地址，源端口来查真实服务器结构，如果是请求方向是找不到的
// 这种情况下数据包就不再被IPVS处理
   if (ip_vs_lookup_real_service(iph->protocol,
            iph->saddr, pptr[0])) {
    /*
     * Notify the real server: there is no
     * existing entry if it is not RST
     * packet or not TCP packet.
     */
    if (iph->protocol != IPPROTO_TCP
        || !is_tcp_reset(skb)) {
     icmp_send(skb,ICMP_DEST_UNREACH,
        ICMP_PORT_UNREACH, 0);
     return NF_DROP;
    }
   }
  }
  IP_VS_DBG_PKT(12, pp, skb, 0,
         "packet continues traversal as normal");
  return NF_ACCEPT;
 }
// 找到连接，该包是服务器的回应包
 IP_VS_DBG_PKT(11, pp, skb, 0, "Outgoing packet");
// skb数据包要求是可写的
 if (!ip_vs_make_skb_writable(pskb, ihl))
  goto drop;

/* mangle the packet */
// 修改协议部分信息，如TCP、UDP的端口
 if (pp->snat_handler && !pp->snat_handler(pskb, pp, cp))
  goto drop;
// 修改源地址, 由于是服务器的返回包，只修改源地址
 skb = *pskb;
 skb->nh.iph->saddr = cp->vaddr;
 ip_send_check(skb->nh.iph);

IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT");

// IPVS输出统计
 ip_vs_out_stats(cp, skb);
 ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pp);
 ip_vs_conn_put(cp);

// 对该包设置标志表示IPVS处理过了
 skb->ipvs_property = 1;

LeaveFunction(11);
 return NF_ACCEPT;

drop:
 ip_vs_conn_put(cp);
 kfree_skb(*pskb);
 return NF_STOLEN;
}

4.5.3 ip_vs_post_routing_ops

/* Before the netfilter connection tracking, exit from POST_ROUTING */
static struct nf_hook_ops ip_vs_post_routing_ops = {
 .hook  = ip_vs_post_routing,
 .owner  = THIS_MODULE,
 .pf  = PF_INET,
// POSTROUTING点
 .hooknum        = NF_IP_POST_ROUTING,
// 在源NAT之前进行
 .priority       = NF_IP_PRI_NAT_SRC-1,
};

ip_vs_post_routing()这个函数对最后要发出的包进行检查，这个包是经过FORWARD链的，源地址已经被IPVS修改过了，不用再被netfilter进行修改。如果是IPVS处理过的包,直接跳出POSTROUTING点, 不再继续可能的该点的更低优先级的hook点操作，即不用进行netfilter标准的SNAT操作。

/* net/ipv4/ipvs/ip_vs_core.c */

/*
 *      It is hooked before NF_IP_PRI_NAT_SRC at the NF_IP_POST_ROUTING
 *      chain, and is used for VS/NAT.
 *      It detects packets for VS/NAT connections and sends the packets
 *      immediately. This can avoid that iptable_nat mangles the packets
 *      for VS/NAT.
 */
static unsigned int ip_vs_post_routing(unsigned int hooknum,
           struct sk_buff **pskb,
           const struct net_device *in,
           const struct net_device *out,
           int (*okfn)(struct sk_buff *))
{
// 如果没被IPVS处理过，继续后续hook点操作
 if (!((*pskb)->ipvs_property))
  return NF_ACCEPT;
 /* The packet was sent from IPVS, exit this chain */
// NF_STOP和NF_ACCEPT的区别就是STOP就不继续后面的低优先级的hook_ops的操作了
 return NF_STOP;
}

4.5.4 ip_vs_forward_icmp_ops

/* After packet filtering (but before ip_vs_out_icmp), catch icmp
   destined for 0.0.0.0/0, which is for incoming IPVS connections */
static struct nf_hook_ops ip_vs_forward_icmp_ops = {
 .hook  = ip_vs_forward_icmp,
 .owner  = THIS_MODULE,
 .pf  = PF_INET,
// FORWARD点
 .hooknum        = NF_IP_FORWARD,
// 在ip_vs_out_ops之前进行
 .priority       = 99,
};

ip_vs_forward_icmp()这个函数对转发的ICMP包进行处理, 处理由于服务器失效而引起的网络或端口不可达的ICMP信息,其他和服务器无关的ICMP信息不处理

/* net/ipv4/ipvs/ip_vs_core.c */

/*
 * It is hooked at the NF_IP_FORWARD chain, in order to catch ICMP
 *      related packets destined for 0.0.0.0/0.
 *      When fwmark-based virtual service is used, such as transparent
 *      cache cluster, TCP packets can be marked and routed to ip_vs_in,
 *      but ICMP destined for 0.0.0.0/0 cannot not be easily marked and
 *      sent to ip_vs_in_icmp. So, catch them at the NF_IP_FORWARD chain
 *      and send them to ip_vs_in_icmp.
 */
static unsigned int
ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff **pskb,
     const struct net_device *in, const struct net_device *out,
     int (*okfn)(struct sk_buff *))
{
 int r;

if ((*pskb)->nh.iph->protocol != IPPROTO_ICMP)
  return NF_ACCEPT;
// 实际调用ip_vs_in_icmp()来处理数据包
 return ip_vs_in_icmp(pskb, &r, hooknum);
}

/*
 * Handle ICMP messages in the outside-to-inside direction (incoming).
 * Find any that might be relevant, check against existing connections,
 * forward to the right destination host if relevant.
 * Currently handles error types - unreachable, quench, ttl exceeded.
 */
static int 
ip_vs_in_icmp(struct sk_buff **pskb, int *related, unsigned int hooknum)
{
 struct sk_buff *skb = *pskb;
 struct iphdr *iph;
 struct icmphdr _icmph, *ic;
 struct iphdr _ciph, *cih; /* The ip header contained within the ICMP */
 struct ip_vs_conn *cp;
 struct ip_vs_protocol *pp;
 unsigned int offset, ihl, verdict;

// 这个参数指示该ICMP包是否和IPVS的连接相关
 *related = 1;

/* reassemble IP fragments */
 if (skb->nh.iph->frag_off & __constant_htons(IP_MF|IP_OFFSET)) {
// 进行碎片重组
  skb = ip_vs_gather_frags(skb,
                           hooknum == NF_IP_LOCAL_IN ?
      IP_DEFRAG_VS_IN : IP_DEFRAG_VS_FWD);
  if (!skb)
   return NF_STOLEN;
  *pskb = skb;
 }

iph = skb->nh.iph;
 offset = ihl = iph->ihl * 4;
 ic = skb_header_pointer(skb, offset, sizeof(_icmph), &_icmph);
 if (ic == NULL)
  return NF_DROP;

IP_VS_DBG(12, "Incoming ICMP (%d,%d) %u.%u.%u.%u->%u.%u.%u.%u\n",
    ic->type, ntohs(icmp_id(ic)),
    NIPQUAD(iph->saddr), NIPQUAD(iph->daddr));

/*
  * Work through seeing if this is for us.
  * These checks are supposed to be in an order that means easy
  * things are checked first to speed up processing.... however
  * this means that some packets will manage to get a long way
  * down this stack and then be rejected, but that's life.
  */
 if ((ic->type != ICMP_DEST_UNREACH) &&
     (ic->type != ICMP_SOURCE_QUENCH) &&
     (ic->type != ICMP_TIME_EXCEEDED)) {
// 如果不是这三种ICMP信息,则该skb与IPVS无关
  *related = 0;
  return NF_ACCEPT;
 }

/* Now find the contained IP header */
 offset += sizeof(_icmph);
 cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
 if (cih == NULL)
  return NF_ACCEPT; /* The packet looks wrong, ignore */
// 找的是ICMP信息中包含的原始包中的协议,而不是ICMP
 pp = ip_vs_proto_get(cih->protocol);
 if (!pp)
  return NF_ACCEPT;

/* Is the embedded protocol header present? */
// 如果是碎片不处理直接返回
 if (unlikely(cih->frag_off & __constant_htons(IP_OFFSET) &&
       pp->dont_defrag))
  return NF_ACCEPT;

IP_VS_DBG_PKT(11, pp, skb, offset, "Checking incoming ICMP for");

offset += cih->ihl * 4;

/* The embedded headers contain source and dest in reverse order */
// 查找IPVS连接
 cp = pp->conn_in_get(skb, pp, cih, offset, 1);
 if (!cp)
  return NF_ACCEPT;

// 缺省的裁定结果是丢弃包
 verdict = NF_DROP;

/* Ensure the checksum is correct */
 if (skb->ip_summed != CHECKSUM_UNNECESSARY &&
// 检查一下IP头的校验和
     ip_vs_checksum_complete(skb, ihl)) {
  /* Failed checksum! */
  IP_VS_DBG(1, "Incoming ICMP: failed checksum from %d.%d.%d.%d!\n",
     NIPQUAD(iph->saddr));
  goto out;
 }

/* do the statistics and put it back */
// 进行输入统计
 ip_vs_in_stats(cp, skb);
// 如果内部协议是TCP/UDP,发送偏移量要包括前4个字节: 源端口和目的端口
 if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol)
  offset += 2 * sizeof(__u16);
// 发送ICMP
 verdict = ip_vs_icmp_xmit(skb, cp, pp, offset);
 /* do not touch skb anymore */

out:
 __ip_vs_conn_put(cp);

return verdict;
}

/* net/ipv4/ipvs/ip_vs_xmit.c */

/*
 * ICMP packet transmitter
 * called by the ip_vs_in_icmp
 */
int
ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
  struct ip_vs_protocol *pp, int offset)
{
 struct rtable *rt; /* Route to the other host */
 int mtu;
 int rc;

EnterFunction(10);

/* The ICMP packet for VS/TUN, VS/DR and LOCALNODE will be
    forwarded directly here, because there is no need to
    translate address/port back */
 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) {
// 如果不是NAT情况的IPVS连接, 即是TUNNEL或DR，直接调用连接的发送函数发送
  if (cp->packet_xmit)
   rc = cp->packet_xmit(skb, cp, pp);
  else
   rc = NF_ACCEPT;
  /* do not touch skb anymore */
  atomic_inc(&cp->in_pkts);
  goto out;
 }

/*
  * mangle and send the packet here (only for VS/NAT)
  */
// 查找路由
 if (!(rt = __ip_vs_get_out_rt(cp, RT_TOS(skb->nh.iph->tos))))
  goto tx_error_icmp;

/* MTU checking */
 mtu = dst_mtu(&rt->u.dst);
 if ((skb->len > mtu) && (skb->nh.iph->frag_off&__constant_htons(IP_DF))) {
// 数据包过长超过MTU,但又是不允许分片的,发送ICMP出错包
  ip_rt_put(rt);
  icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
  IP_VS_DBG_RL("ip_vs_in_icmp(): frag needed\n");
  goto tx_error;
 }

/* copy-on-write the packet before mangling it */
// 让skb可写
 if (!ip_vs_make_skb_writable(&skb, offset))
  goto tx_error_put;

// skb留出足够的硬件头空间
 if (skb_cow(skb, rt->u.dst.dev->hard_header_len))
  goto tx_error_put;

/* drop the old route when skb is not shared */
 dst_release(skb->dst);
 skb->dst = &rt->u.dst;
// 修改ICMP包
 ip_vs_nat_icmp(skb, pp, cp, 0);

/* Another hack: avoid icmp_send in ip_fragment */
 skb->local_df = 1;

// 将该包用OUTPUT点的hook_ops进行处理
 IP_VS_XMIT(skb, rt);

// NF_STOLEN表示该skb不用返回到正常的IP栈了
 rc = NF_STOLEN;
 goto out;

tx_error_icmp:
 dst_link_failure(skb);
  tx_error:
 dev_kfree_skb(skb);
 rc = NF_STOLEN;
  out:
 LeaveFunction(10);
 return rc;
  tx_error_put:
 ip_rt_put(rt);
 goto tx_error;
}