MEDIUM: quic: count quic_conn for global sslconns

Similar to the previous commit which checks for maxconn before allocating
a QUIC connection, this patch checks for maxsslconn at the same step.
This is necessary as a QUIC connection cannot run without an SSL context.

This should be backported up to 2.6. It relies on the following patch :
  "BUG/MINOR: ssl: use a thread-safe sslconns increment"
Amaury Denoyelle 2023-10-25 15:38:50 +02:00
parent 7735cf3854
commit 4a89dba6d5
3 changed files with 19 additions and 4 deletions


@ -43,6 +43,8 @@ static inline void qc_free_ssl_sock_ctx(struct ssl_sock_ctx **ctx)
SSL_free((*ctx)->ssl);
pool_free(pool_head_quic_ssl_sock_ctx, *ctx);
*ctx = NULL;
_HA_ATOMIC_DEC(&global.sslconns);
}
#endif /* _HAPROXY_QUIC_SSL_H */
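Review bot: The new `_HA_ATOMIC_DEC(&global.sslconns)` in qc_free_ssl_sock_ctx() is unconditional, so it is only balanced if every ssl_sock_ctx freed here corresponds to exactly one increment_sslconn() taken at INITIAL packet parsing; nothing in the header states that pairing, and a later caller that allocates a ctx on another path would silently underflow the counter. A one-line comment above the decrement would make the contract explicit: `/* Paired with the increment_sslconn() done at INITIAL packet parsing. */`. The body of qc_free_ssl_sock_ctx() starts outside this hunk, so I cannot confirm there is no early return before this line.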


@ -26,6 +26,7 @@
#include <haproxy/quic_tls.h>
#include <haproxy/quic_trace.h>
#include <haproxy/quic_tx.h>
#include <haproxy/ssl_sock.h>
#include <haproxy/trace.h>
DECLARE_POOL(pool_head_quic_conn_rxbuf, "quic_conn_rxbuf", QUIC_CONN_RX_BUFSZ);
@ -1902,7 +1903,7 @@ static struct quic_conn *quic_rx_pkt_retrieve_conn(struct quic_rx_packet *pkt,
struct quic_conn *qc = NULL;
struct proxy *prx;
struct quic_counters *prx_counters;
unsigned int next_actconn = 0;
unsigned int next_actconn = 0, next_sslconn = 0;
TRACE_ENTER(QUIC_EV_CONN_LPKT);
@ -1968,6 +1969,13 @@ static struct quic_conn *quic_rx_pkt_retrieve_conn(struct quic_rx_packet *pkt,
goto err;
}
next_sslconn = increment_sslconn();
if (!next_sslconn) {
TRACE_STATE("drop packet on sslconn reached",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
goto err;
}
/* Generate the first connection CID. This is derived from the client
* ODCID and address. This allows to retrieve the connection from the
* ODCID without storing it in the CID tree. This is an interesting
@ -1988,10 +1996,10 @@ static struct quic_conn *quic_rx_pkt_retrieve_conn(struct quic_rx_packet *pkt,
/* Now quic_conn is allocated. If a future error
* occurred it will be freed with quic_conn_release()
* which also ensure actconn is decremented.
* Reset guard value to prevent a double decrement.
* which also ensure actconn/sslconns is decremented.
* Reset guard values to prevent a double decrement.
*/
next_actconn = 0;
next_sslconn = next_actconn = 0;
/* Compute and store into the quic_conn the hash used to compute extra CIDs */
if (quic_hash64_from_cid)
@ -2046,6 +2054,8 @@ static struct quic_conn *quic_rx_pkt_retrieve_conn(struct quic_rx_packet *pkt,
/* Reset active conn counter if needed. */
if (next_actconn)
_HA_ATOMIC_DEC(&actconn);
if (next_sslconn)
_HA_ATOMIC_DEC(&global.sslconns);
TRACE_LEAVE(QUIC_EV_CONN_LPKT);
return NULL;
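Review bot: The decrement on the error path (`if (next_sslconn) _HA_ATOMIC_DEC(&global.sslconns);`) open-codes the counter update while the increment goes through the thread-safe increment_sslconn() helper the commit message says it depends on; the same open-coded decrement appears in qc_free_ssl_sock_ctx() in quic_ssl.h. If the helper module also provides a matching decrement, using it in both places keeps the accounting in one file and avoids the two sites drifting when the counter's type or locking changes. Separately, the `if (!next_sslconn)` guard relies on increment_sslconn() returning 0 only when maxsslconn is reached, which is not visible here; a short comment such as `/* 0 means maxsslconn reached, nothing was incremented */` beside the check would document why zero doubles as the "no decrement owed" guard value used at the `err` label. quic_rx_pkt_retrieve_conn() extends beyond the hunks shown.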


@ -726,6 +726,9 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc)
/* Store the allocated context in <qc>. */
qc->xprt_ctx = ctx;
/* global.sslconns is already incremented on INITIAL packet parsing. */
_HA_ATOMIC_INC(&global.totalsslconns);
ret = 1;
leave:
TRACE_LEAVE(QUIC_EV_CONN_NEW, qc);
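Review bot: The new comment records that global.sslconns was already incremented at INITIAL parsing, but by that point quic_rx_pkt_retrieve_conn() has reset `next_sslconn` to 0 and relies on quic_conn_release() to undo the increment, whereas the only decrement added by this commit lives in qc_free_ssl_sock_ctx(), which presumably runs only when `qc->xprt_ctx` is non-NULL. If qc_alloc_ssl_sock_ctx() fails before `qc->xprt_ctx = ctx` (its failure paths are outside this hunk), the connection is released with no ctx and the sslconns slot appears to leak unless quic_conn_release() handles that case separately; worth confirming. If it does not, the failure branch of this function needs its own `_HA_ATOMIC_DEC(&global.sslconns);` with a comment noting it mirrors the increment taken at INITIAL parsing.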