kozorizki/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
864ac31174
haproxy/src/proto_tcp.c

835 lines
26 KiB
C
Raw Normal View History

[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
/*
* AF_INET/AF_INET6 SOCK_STREAM protocol layer (tcp)
*
MEDIUM: samples: move payload-based fetches and ACLs to their own file The file acl.c is a real mess, it both contains functions to parse and process ACLs, and some sample extraction functions which act on buffers. Some other payload analysers were arbitrarily dispatched to proto_tcp.c. So now we're moving all payload-based fetches and ACLs to payload.c which is capable of extracting data from buffers and rely on everything that is protocol-independant. That way we can safely inflate this file and only use the other ones when some fetches are really specific (eg: HTTP, SSL, ...). As a result of this cleanup, the following new sample fetches became available even if they're not really useful : always_false, always_true, rep_ssl_hello_type, rdp_cookie_cnt, req_len, req_ssl_hello_type, req_ssl_sni, req_ssl_ver, wait_end The function 'acl_fetch_nothing' was wrong and never used anywhere so it was removed. The "rdp_cookie" sample fetch used to have a mandatory argument while it was optional in ACLs, which are supposed to iterate over RDP cookies. So we're making it optional as a fetch too, and it will return the first one.
2013-01-08 00:59:07 +04:00
* Copyright 2000-2013 Willy Tarreau <w@1wt.eu>
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*/
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/types.h>
[BUILD] compilation of haproxy-1.4-dev2 on FreeBSD Please consider the following patches. They are required to compile haproxy-1.4-dev2 on FreeBSD. Summary: 1) include <sys/types.h> before <netinet/tcp.h> 2) Use IPPROTO_TCP instead of SOL_TCP (they are both defined as 6, TCP protocol number)
2009-08-24 15:11:06 +04:00
#include <netinet/tcp.h>
MEDIUM: tcp: add new tcp action "silent-drop" This stops the evaluation of the rules and makes the client-facing connection suddenly disappear using a system-dependant way that tries to prevent the client from being notified. The effect it then that the client still sees an established connection while there's none on HAProxy. The purpose is to achieve a comparable effect to "tarpit" except that it doesn't use any local resource at all on the machine running HAProxy. It can resist much higher loads than "tarpit", and slow down stronger attackers. It is important to undestand the impact of using this mechanism. All stateful equipments placed between the client and HAProxy (firewalls, proxies, load balancers) will also keep the established connection for a long time and may suffer from this action. On modern Linux systems running with enough privileges, the TCP_REPAIR socket option is used to block the emission of a TCP reset. On other systems, the socket's TTL is reduced to 1 so that the TCP reset doesn't pass the first router, though it's still delivered to local networks.
2015-08-24 02:43:45 +03:00
#include <netinet/in.h>
[BUILD] compilation of haproxy-1.4-dev2 on FreeBSD Please consider the following patches. They are required to compile haproxy-1.4-dev2 on FreeBSD. Summary: 1) include <sys/types.h> before <netinet/tcp.h> 2) Use IPPROTO_TCP instead of SOL_TCP (they are both defined as 6, TCP protocol number)
2009-08-24 15:11:06 +04:00
REORG: include: update all files to use haproxy/api.h or api-t.h if needed All files that were including one of the following include files have been updated to only include haproxy/api.h or haproxy/api-t.h once instead: - common/config.h - common/compat.h - common/compiler.h - common/defaults.h - common/initcall.h - common/tools.h The choice is simple: if the file only requires type definitions, it includes api-t.h, otherwise it includes the full api.h. In addition, in these files, explicit includes for inttypes.h and limits.h were dropped since these are now covered by api.h and api-t.h. No other change was performed, given that this patch is large and affects 201 files. At least one (tools.h) was already freestanding and didn't get the new one added.
2020-05-27 13:58:42 +03:00
#include <haproxy/api.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 10:07:15 +03:00
#include <haproxy/arg.h>
REORG: include: move connection.h to haproxy/connection{,-t}.h The type file is becoming a mess, half of it is for the proxy protocol, another good part describes conn_streams and mux ops, it would deserve being split again. At least it was reordered so that elements are easier to find, with the PP-stuff left at the end. The MAX_SEND_FD macro was moved to compat.h as it's said to be the value for Linux.
2020-06-04 19:02:10 +03:00
#include <haproxy/connection.h>
REORG: include: move base64.h, errors.h and hash.h from common to to haproxy/ These ones do not depend on any other file. One used to include haproxy/api.h but that was solely for stddef.h.
2020-05-27 17:10:29 +03:00
#include <haproxy/errors.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 10:07:15 +03:00
#include <haproxy/fd.h>
REORG: include: split global.h into haproxy/global{,-t}.h global.h was one of the messiest files, it has accumulated tons of implicit dependencies and declares many globals that make almost all other file include it. It managed to silence a dependency loop between server.h and proxy.h by being well placed to pre-define the required structs, forcing struct proxy and struct server to be forward-declared in a significant number of files. It was split in to, one which is the global struct definition and the few macros and flags, and the rest containing the functions prototypes. The UNIX_MAX_PATH definition was moved to compat.h.
2020-06-04 18:05:57 +03:00
#include <haproxy/global.h>
REORG: include: split mini-clist into haproxy/list and list-t.h Half of the users of this include only need the type definitions and not the manipulation macros nor the inline functions. Moves the various types into mini-clist-t.h makes the files cleaner. The other one had all its includes grouped at the top. A few files continued to reference it without using it and were cleaned. In addition it was about time that we'd rename that file, it's not "mini" anymore and contains a bit more than just circular lists.
2020-05-27 19:01:47 +03:00
#include <haproxy/list.h>
REORG: include: move listener.h to haproxy/listener{,-t}.h stdlib and list were missing from listener.h, otherwise it was OK.
2020-06-04 15:58:24 +03:00
#include <haproxy/listener.h>
REORG: include: move log.h to haproxy/log{,-t}.h The current state of the logging is a real mess. The main problem is that almost all files include log.h just in order to have access to the alert/warning functions like ha_alert() etc, and don't care about logs. But log.h also deals with real logging as well as log-format and depends on stream.h and various other things. As such it forces a few heavy files like stream.h to be loaded early and to hide missing dependencies depending where it's loaded. Among the missing ones is syslog.h which was often automatically included resulting in no less than 3 users missing it. Among 76 users, only 5 could be removed, and probably 70 don't need the full set of dependencies. A good approach would consist in splitting that file in 3 parts: - one for error output ("errors" ?). - one for log_format processing - and one for actual logging.
2020-06-04 23:01:04 +03:00
#include <haproxy/log.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 10:07:15 +03:00
#include <haproxy/namespace.h>
#include <haproxy/port_range.h>
#include <haproxy/proto_tcp.h>
#include <haproxy/protocol.h>
REORG: include: move proxy.h to haproxy/proxy{,-t}.h This one is particularly difficult to split because it provides all the functions used to manipulate a proxy state and to retrieve names or IDs for error reporting, and as such, it was included in 73 files (down to 68 after cleanup). It would deserve a small cleanup though the cut points are not obvious at the moment given the number of structs involved in the struct proxy itself.
2020-06-04 23:29:18 +03:00
#include <haproxy/proxy-t.h>
REORG: sock: start to move some generic socket code to sock.c The new file sock.c will contain generic code for standard sockets relying on file descriptors. We currently have way too much duplication between proto_uxst, proto_tcp, proto_sockpair and proto_udp. For now only get_src, get_dst and sock_create_server_socket were moved, and are used where appropriate.
2020-08-28 13:07:22 +03:00
#include <haproxy/sock.h>
MINOR: tcp/udp/unix: make use of proto->addrcmp() to compare addresses The new addrcmp() protocol member points to the function to be used to compare two addresses of the same family. When picking an FD from a previous process, we can now use the address specific address comparison functions instead of having to rely on a local implementation. This will help move that code to a more central place.
2020-08-28 16:30:11 +03:00
#include <haproxy/sock_inet.h>
REORG: tools: split common/standard.h into haproxy/tools{,-t}.h And also rename standard.c to tools.c. The original split between tools.h and standard.h dates from version 1.3-dev and was mostly an accident. This patch moves the files back to what they were expected to be, and takes care of not changing anything else. However this time tools.h was split between functions and types, because it contains a small number of commonly used macros and structures (e.g. name_desc) which in turn cause the massive list of includes of tools.h to conflict with the callers. They remain the ugliest files of the whole project and definitely need to be cleaned and split apart. A few types are defined there only for functions provided there, and some parts are even OS-specific and should move somewhere else, such as the symbol resolution code.
2020-06-03 19:09:46 +03:00
#include <haproxy/tools.h>
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
[MEDIUM] Enhance message errors management on binds
2010-10-22 18:06:11 +04:00
static int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen);
MINOR: protocol: replace ->pause(listener) with ->rx_suspend(receiver) The ->pause method is inappropriate since it doesn't exactly "pause" a listener but rather temporarily disables it so that it's not visible at all to let another process take its place. The term "suspend" is more suitable, since the "pause" is actually what we'll need to apply to the FULL and LIMITED states which really need to make a pause in the accept process. And it goes well with the use of the "resume" function that will also need to be made per-protocol. Let's rename the function and make it act on the receiver since it's already what it essentially does, hence the prefix "_rx" to make it more explicit. The protocol struct was a bit reordered because it was becoming a real mess between the parts related to the listeners and those for the receivers.
2020-09-25 18:12:32 +03:00
static int tcp_suspend_receiver(struct receiver *rx);
MINOR: protocol: implement an ->rx_resume() method This one undoes ->rx_suspend(), it tries to restore an operational socket. It was only implemented for TCP since it's the only one we support right now.
2020-09-25 20:40:31 +03:00
static int tcp_resume_receiver(struct receiver *rx);
MINOR: protocol: add a new pair of enable/disable methods for listeners These methods will be used to enable/disable accepting new connections so that listeners do not play with FD directly anymore. Since all the currently supported protocols work on socket for now, these are identical to the rx_enable/rx_disable functions. However they were not defined in sock.c since it's likely that some will quickly start to differ. At the moment they're not used. We have to take care of fd_updt before calling fd_{want,stop}_recv() because it's allocated fairly late in the boot process and some such functions may be called very early (e.g. to stop a disabled frontend's listeners).
2020-09-25 20:27:39 +03:00
static void tcp_enable_listener(struct listener *listener);
static void tcp_disable_listener(struct listener *listener);
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
/* Note: must not be declared <const> as its list will be overwritten */
MINOR: protocol: export protocol definitions The various protocols were made static since there was no point in exporting them in the past. Nowadays with QUIC relying on UDP we'll significantly benefit from UDP being exported and more generally from being able to declare some functions as being the same as other protocols'. In an ideal world it should not be these protocols which should be exported, but the intermediary levels: - socket layer (sock.c only right now), already exported as functions but nothing structured at the moment ; - family layer (sock_inet, sock_unix, sockpair etc): already structured and exported - binding layer (the part that relies on the receiver): currently fused within the protocol - connectiong layer (the part that manipulates connections): currently fused within the protocol - protocol (connection's control): shouldn't need to be exposed ultimately once the elements above are in an easily sharable way.
2020-12-08 16:13:11 +03:00
struct protocol proto_tcpv4 = {
CLEANUP: protocol: group protocol struct members by usage For the sake of an improved readability, let's group the protocol field members according to where they're supposed to be defined: - connection layer (note: for now even UDP needs one) - binding layer - address family - socket layer Nothing else was changed.
2020-12-08 16:54:20 +03:00
.name = "tcpv4",
/* connection layer */
MINOR: protocol: replace ctrl_type with xprt_type and clarify it There's been some great confusion between proto_type, ctrl_type and sock_type. It turns out that ctrl_type was improperly chosen because it's not the control layer that is of this or that type, but the transport layer, and it turns out that the transport layer doesn't (normally) denaturate the underlying control layer, except for QUIC which turns dgrams to streams. The fact that the SOCK_{DGRAM|STREAM} set of values was used added to the confusion. Let's replace it with xprt_type which reuses the later introduced PROTO_TYPE_* values, and update the comments to explain which one works at what level.
2022-05-20 17:36:46 +03:00
.xprt_type = PROTO_TYPE_STREAM,
CLEANUP: protocol: group protocol struct members by usage For the sake of an improved readability, let's group the protocol field members according to where they're supposed to be defined: - connection layer (note: for now even UDP needs one) - binding layer - address family - socket layer Nothing else was changed.
2020-12-08 16:54:20 +03:00
.listen = tcp_bind_listener,
.enable = tcp_enable_listener,
.disable = tcp_disable_listener,
.add = default_add_listener,
.unbind = default_unbind_listener,
.suspend = default_suspend_listener,
.resume = default_resume_listener,
.accept_conn = sock_accept_conn,
MINOR: protocol: add a set of ctrl_init/ctrl_close methods for setup/teardown Currnetly conn_ctrl_init() does an fd_insert() and conn_ctrl_close() does an fd_delete(). These are the two only short-term obstacles against using a non-fd handle to set up a connection. Let's have pur these into the protocol layer, along with the other connection-level stuff so that the generic connection code uses them instead. This will allow to define new ones for other protocols (e.g. QUIC). Since we only support regular sockets at the moment, the code was placed into sock.c and shared with proto_tcp, proto_uxst and proto_sockpair.
2020-12-08 17:50:56 +03:00
.ctrl_init = sock_conn_ctrl_init,
.ctrl_close = sock_conn_ctrl_close,
CLEANUP: protocol: group protocol struct members by usage For the sake of an improved readability, let's group the protocol field members according to where they're supposed to be defined: - connection layer (note: for now even UDP needs one) - binding layer - address family - socket layer Nothing else was changed.
2020-12-08 16:54:20 +03:00
.connect = tcp_connect_server,
MINOR: protocol: add a ->drain() function at the connection control layer This is what we need to drain pending incoming data from an connection. The code was taken from conn_sock_drain() without the connection-specific stuff. It still takes a connection for now for API simplicity.
2020-12-11 18:19:12 +03:00
.drain = sock_drain,
MINOR: protocol: add a pair of check_events/ignore_events functions at the ctrl layer Right now the connection subscribe/unsubscribe code needs to manipulate FDs, which is not compatible with QUIC. In practice what we need there is to be able to either subscribe or wake up depending on readiness at the moment of subscription. This commit introduces two new functions at the control layer, which are provided by the socket code, to check for FD readiness or subscribe to it at the control layer. For now it's not used.
2020-12-11 19:02:50 +03:00
.check_events = sock_check_events,
.ignore_events = sock_ignore_events,
CLEANUP: protocol: group protocol struct members by usage For the sake of an improved readability, let's group the protocol field members according to where they're supposed to be defined: - connection layer (note: for now even UDP needs one) - binding layer - address family - socket layer Nothing else was changed.
2020-12-08 16:54:20 +03:00
/* binding layer */
.rx_suspend = tcp_suspend_receiver,
.rx_resume = tcp_resume_receiver,
/* address family */
.fam = &proto_fam_inet4,
/* socket layer */
MINOR: protocols: add a new protocol type selector The protocol selection is currently performed based on the family, control type and socket type. But this is often not enough, as both only provide DGRAM or STREAM, leaving few variants. Protocols like SCTP for example might be indistinguishable from TCP here. Same goes for TCP extensions like MPTCP. This commit introduces a new enum proto_type that is placed in each and every protocol definition, that will usually more or less match the sock_type, but being an enum, will support additional values.
2021-10-27 18:05:36 +03:00
.proto_type = PROTO_TYPE_STREAM,
CLEANUP: protocol: group protocol struct members by usage For the sake of an improved readability, let's group the protocol field members according to where they're supposed to be defined: - connection layer (note: for now even UDP needs one) - binding layer - address family - socket layer Nothing else was changed.
2020-12-08 16:54:20 +03:00
.sock_type = SOCK_STREAM,
.sock_prot = IPPROTO_TCP,
.rx_enable = sock_enable,
.rx_disable = sock_disable,
.rx_unbind = sock_unbind,
.rx_listening = sock_accepting_conn,
.default_iocb = sock_accept_iocb,
.receivers = LIST_HEAD_INIT(proto_tcpv4.receivers),
.nb_receivers = 0,
MINOR: protocol: move the global reuseport flag to the protocols Some protocol support SO_REUSEPORT and others not. Some have such a limitation in the kernel, and others in haproxy itself (e.g. sock_unix cannot support multiple bindings since each one will unbind the previous one). Also it's really protocol-dependent and not just family-dependent because on Linux for some time it was supported for TCP and not UDP. Let's move the definition to the protocols instead. Now it's preset in tcp/udp/quic when SO_REUSEPORT is defined, and is otherwise left unset. The enabled() config condition test validates IPv4 (generally sufficient), and -dR / noreuseport all protocols at once.
2023-04-22 16:09:07 +03:00
#ifdef SO_REUSEPORT
.flags = PROTO_F_REUSEPORT_SUPPORTED,
#endif
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
};
MEDIUM: init: convert all trivial registration calls to initcalls This switches explicit calls to various trivial registration methods for keywords, muxes or protocols from constructors to INITCALL1 at stage STG_REGISTER. All these calls have in common to consume a single pointer and return void. Doing this removes 26 constructors. The following calls were addressed : - acl_register_keywords - bind_register_keywords - cfg_register_keywords - cli_register_kw - flt_register_keywords - http_req_keywords_register - http_res_keywords_register - protocol_register - register_mux_proto - sample_register_convs - sample_register_fetches - srv_register_keywords - tcp_req_conn_keywords_register - tcp_req_cont_keywords_register - tcp_req_sess_keywords_register - tcp_res_cont_keywords_register - flt_register_keywords
2018-11-25 21:14:37 +03:00
INITCALL1(STG_REGISTER, protocol_register, &proto_tcpv4);
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
/* Note: must not be declared <const> as its list will be overwritten */
MINOR: protocol: export protocol definitions The various protocols were made static since there was no point in exporting them in the past. Nowadays with QUIC relying on UDP we'll significantly benefit from UDP being exported and more generally from being able to declare some functions as being the same as other protocols'. In an ideal world it should not be these protocols which should be exported, but the intermediary levels: - socket layer (sock.c only right now), already exported as functions but nothing structured at the moment ; - family layer (sock_inet, sock_unix, sockpair etc): already structured and exported - binding layer (the part that relies on the receiver): currently fused within the protocol - connectiong layer (the part that manipulates connections): currently fused within the protocol - protocol (connection's control): shouldn't need to be exposed ultimately once the elements above are in an easily sharable way.
2020-12-08 16:13:11 +03:00
struct protocol proto_tcpv6 = {
CLEANUP: protocol: group protocol struct members by usage For the sake of an improved readability, let's group the protocol field members according to where they're supposed to be defined: - connection layer (note: for now even UDP needs one) - binding layer - address family - socket layer Nothing else was changed.
2020-12-08 16:54:20 +03:00
.name = "tcpv6",
/* connection layer */
MINOR: protocol: replace ctrl_type with xprt_type and clarify it There's been some great confusion between proto_type, ctrl_type and sock_type. It turns out that ctrl_type was improperly chosen because it's not the control layer that is of this or that type, but the transport layer, and it turns out that the transport layer doesn't (normally) denaturate the underlying control layer, except for QUIC which turns dgrams to streams. The fact that the SOCK_{DGRAM|STREAM} set of values was used added to the confusion. Let's replace it with xprt_type which reuses the later introduced PROTO_TYPE_* values, and update the comments to explain which one works at what level.
2022-05-20 17:36:46 +03:00
.xprt_type = PROTO_TYPE_STREAM,
CLEANUP: protocol: group protocol struct members by usage For the sake of an improved readability, let's group the protocol field members according to where they're supposed to be defined: - connection layer (note: for now even UDP needs one) - binding layer - address family - socket layer Nothing else was changed.
2020-12-08 16:54:20 +03:00
.listen = tcp_bind_listener,
.enable = tcp_enable_listener,
.disable = tcp_disable_listener,
.add = default_add_listener,
.unbind = default_unbind_listener,
.suspend = default_suspend_listener,
.resume = default_resume_listener,
.accept_conn = sock_accept_conn,
MINOR: protocol: add a set of ctrl_init/ctrl_close methods for setup/teardown Currnetly conn_ctrl_init() does an fd_insert() and conn_ctrl_close() does an fd_delete(). These are the two only short-term obstacles against using a non-fd handle to set up a connection. Let's have pur these into the protocol layer, along with the other connection-level stuff so that the generic connection code uses them instead. This will allow to define new ones for other protocols (e.g. QUIC). Since we only support regular sockets at the moment, the code was placed into sock.c and shared with proto_tcp, proto_uxst and proto_sockpair.
2020-12-08 17:50:56 +03:00
.ctrl_init = sock_conn_ctrl_init,
.ctrl_close = sock_conn_ctrl_close,
CLEANUP: protocol: group protocol struct members by usage For the sake of an improved readability, let's group the protocol field members according to where they're supposed to be defined: - connection layer (note: for now even UDP needs one) - binding layer - address family - socket layer Nothing else was changed.
2020-12-08 16:54:20 +03:00
.connect = tcp_connect_server,
MINOR: protocol: add a ->drain() function at the connection control layer This is what we need to drain pending incoming data from an connection. The code was taken from conn_sock_drain() without the connection-specific stuff. It still takes a connection for now for API simplicity.
2020-12-11 18:19:12 +03:00
.drain = sock_drain,
MINOR: protocol: add a pair of check_events/ignore_events functions at the ctrl layer Right now the connection subscribe/unsubscribe code needs to manipulate FDs, which is not compatible with QUIC. In practice what we need there is to be able to either subscribe or wake up depending on readiness at the moment of subscription. This commit introduces two new functions at the control layer, which are provided by the socket code, to check for FD readiness or subscribe to it at the control layer. For now it's not used.
2020-12-11 19:02:50 +03:00
.check_events = sock_check_events,
.ignore_events = sock_ignore_events,
CLEANUP: protocol: group protocol struct members by usage For the sake of an improved readability, let's group the protocol field members according to where they're supposed to be defined: - connection layer (note: for now even UDP needs one) - binding layer - address family - socket layer Nothing else was changed.
2020-12-08 16:54:20 +03:00
/* binding layer */
.rx_suspend = tcp_suspend_receiver,
.rx_resume = tcp_resume_receiver,
/* address family */
.fam = &proto_fam_inet6,
/* socket layer */
MINOR: protocols: add a new protocol type selector The protocol selection is currently performed based on the family, control type and socket type. But this is often not enough, as both only provide DGRAM or STREAM, leaving few variants. Protocols like SCTP for example might be indistinguishable from TCP here. Same goes for TCP extensions like MPTCP. This commit introduces a new enum proto_type that is placed in each and every protocol definition, that will usually more or less match the sock_type, but being an enum, will support additional values.
2021-10-27 18:05:36 +03:00
.proto_type = PROTO_TYPE_STREAM,
CLEANUP: protocol: group protocol struct members by usage For the sake of an improved readability, let's group the protocol field members according to where they're supposed to be defined: - connection layer (note: for now even UDP needs one) - binding layer - address family - socket layer Nothing else was changed.
2020-12-08 16:54:20 +03:00
.sock_type = SOCK_STREAM,
.sock_prot = IPPROTO_TCP,
.rx_enable = sock_enable,
.rx_disable = sock_disable,
.rx_unbind = sock_unbind,
.rx_listening = sock_accepting_conn,
.default_iocb = sock_accept_iocb,
.receivers = LIST_HEAD_INIT(proto_tcpv6.receivers),
.nb_receivers = 0,
MINOR: protocol: move the global reuseport flag to the protocols Some protocol support SO_REUSEPORT and others not. Some have such a limitation in the kernel, and others in haproxy itself (e.g. sock_unix cannot support multiple bindings since each one will unbind the previous one). Also it's really protocol-dependent and not just family-dependent because on Linux for some time it was supported for TCP and not UDP. Let's move the definition to the protocols instead. Now it's preset in tcp/udp/quic when SO_REUSEPORT is defined, and is otherwise left unset. The enabled() config condition test validates IPv4 (generally sufficient), and -dR / noreuseport all protocols at once.
2023-04-22 16:09:07 +03:00
#ifdef SO_REUSEPORT
.flags = PROTO_F_REUSEPORT_SUPPORTED,
#endif
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
};
MEDIUM: init: convert all trivial registration calls to initcalls This switches explicit calls to various trivial registration methods for keywords, muxes or protocols from constructors to INITCALL1 at stage STG_REGISTER. All these calls have in common to consume a single pointer and return void. Doing this removes 26 constructors. The following calls were addressed : - acl_register_keywords - bind_register_keywords - cfg_register_keywords - cli_register_kw - flt_register_keywords - http_req_keywords_register - http_res_keywords_register - protocol_register - register_mux_proto - sample_register_convs - sample_register_fetches - srv_register_keywords - tcp_req_conn_keywords_register - tcp_req_cont_keywords_register - tcp_req_sess_keywords_register - tcp_res_cont_keywords_register - flt_register_keywords
2018-11-25 21:14:37 +03:00
INITCALL1(STG_REGISTER, protocol_register, &proto_tcpv6);
[MEDIUM] add internal support for IPv6 server addresses This patch turns internal server addresses to sockaddr_storage to store IPv6 addresses, and makes the connect() function use it. This code already works but some caveats with getaddrinfo/gethostbyname still need to be sorted out while the changes had to be merged at this stage of internal architecture changes. So for now the config parser will not emit an IPv6 address yet so that user experience remains unchanged. This change should have absolutely zero user-visible effect, otherwise it's a bug introduced during the merge, that should be reported ASAP.
2011-03-11 00:26:24 +03:00
/* Binds ipv4/ipv6 address <local> to socket <fd>, unless <flags> is set, in which
[MEDIUM] fix server health checks source address selection The source address selection for health checks did not consider the new transparent proxy method. Rely on the same unified function as the other connect() calls. This patch also fixes a bug by which the proxy's source address was ignored if cttproxy was used.
2008-01-13 20:40:14 +03:00
* case we try to bind <remote>. <flags> is a 2-bit field consisting of :
* - 0 : ignore remote address (may even be a NULL pointer)
* - 1 : use provided address
* - 2 : use provided port
* - 3 : use both
*
* The function supports multiple foreign binding methods :
* - linux_tproxy: we directly bind to the foreign address
* The second one can be used as a fallback for the first one.
* This function returns 0 when everything's OK, 1 if it could not bind, to the
* local address, 2 if it could not bind to the foreign address.
*/
[MEDIUM] add internal support for IPv6 server addresses This patch turns internal server addresses to sockaddr_storage to store IPv6 addresses, and makes the connect() function use it. This code already works but some caveats with getaddrinfo/gethostbyname still need to be sorted out while the changes had to be merged at this stage of internal architecture changes. So for now the config parser will not emit an IPv6 address yet so that user experience remains unchanged. This change should have absolutely zero user-visible effect, otherwise it's a bug introduced during the merge, that should be reported ASAP.
2011-03-11 00:26:24 +03:00
int tcp_bind_socket(int fd, int flags, struct sockaddr_storage *local, struct sockaddr_storage *remote)
[MEDIUM] fix server health checks source address selection The source address selection for health checks did not consider the new transparent proxy method. Rely on the same unified function as the other connect() calls. This patch also fixes a bug by which the proxy's source address was ignored if cttproxy was used.
2008-01-13 20:40:14 +03:00
{
[MEDIUM] add internal support for IPv6 server addresses This patch turns internal server addresses to sockaddr_storage to store IPv6 addresses, and makes the connect() function use it. This code already works but some caveats with getaddrinfo/gethostbyname still need to be sorted out while the changes had to be merged at this stage of internal architecture changes. So for now the config parser will not emit an IPv6 address yet so that user experience remains unchanged. This change should have absolutely zero user-visible effect, otherwise it's a bug introduced during the merge, that should be reported ASAP.
2011-03-11 00:26:24 +03:00
struct sockaddr_storage bind_addr;
[MEDIUM] fix server health checks source address selection The source address selection for health checks did not consider the new transparent proxy method. Rely on the same unified function as the other connect() calls. This patch also fixes a bug by which the proxy's source address was ignored if cttproxy was used.
2008-01-13 20:40:14 +03:00
int foreign_ok = 0;
int ret;
BUG/MINOR: threads: Add missing THREAD_LOCAL on static here and there
2017-10-29 22:14:08 +03:00
static THREAD_LOCAL int ip_transp_working = 1;
static THREAD_LOCAL int ip6_transp_working = 1;
REORG: tproxy: prepare the transparent proxy defines for accepting other OSes This patch does not change the logic of the code, it only changes the way OS-specific defines are tested. At the moment the transparent proxy code heavily depends on Linux-specific defines. This first patch introduces a new define "CONFIG_HAP_TRANSPARENT" which is set every time the defines used by transparent proxy are present. This also means that with an up-to-date libc, it should not be necessary anymore to force CONFIG_HAP_LINUX_TPROXY during the build, as the flags will automatically be detected. The CTTPROXY flags still remain separate because this older API doesn't work the same way. A new line has been added in the version output for haproxy -vv to indicate what transparent proxy support is available.
2013-05-09 00:49:23 +04:00
MINOR: IPv6 support for transparent proxy Set socket option IPV6_TRANSPARENT on binding to enable transparent proxy on IPv6. This option is available from Linux 2.6.37.
2012-07-13 16:34:59 +04:00
switch (local->ss_family) {
case AF_INET:
if (flags && ip_transp_working) {
REORG: tproxy: prepare the transparent proxy defines for accepting other OSes This patch does not change the logic of the code, it only changes the way OS-specific defines are tested. At the moment the transparent proxy code heavily depends on Linux-specific defines. This first patch introduces a new define "CONFIG_HAP_TRANSPARENT" which is set every time the defines used by transparent proxy are present. This also means that with an up-to-date libc, it should not be necessary anymore to force CONFIG_HAP_LINUX_TPROXY during the build, as the flags will automatically be detected. The CTTPROXY flags still remain separate because this older API doesn't work the same way. A new line has been added in the version output for haproxy -vv to indicate what transparent proxy support is available.
2013-05-09 00:49:23 +04:00
/* This deserves some explanation. Some platforms will support
* multiple combinations of certain methods, so we try the
* supported ones until one succeeds.
*/
MINOR: sock_inet: move the IPv4/v6 transparent mode code to sock_inet This code was highly redundant, existing for TCP clients, TCP servers and UDP servers. Let's move it to sock_inet where it belongs. The new functions are sock_inet4_make_foreign() and sock_inet6_make_foreign().
2020-08-28 18:23:40 +03:00
if (sock_inet4_make_foreign(fd))
MINOR: IPv6 support for transparent proxy Set socket option IPV6_TRANSPARENT on binding to enable transparent proxy on IPv6. This option is available from Linux 2.6.37.
2012-07-13 16:34:59 +04:00
foreign_ok = 1;
else
ip_transp_working = 0;
}
break;
case AF_INET6:
if (flags && ip6_transp_working) {
MINOR: sock_inet: move the IPv4/v6 transparent mode code to sock_inet This code was highly redundant, existing for TCP clients, TCP servers and UDP servers. Let's move it to sock_inet where it belongs. The new functions are sock_inet4_make_foreign() and sock_inet6_make_foreign().
2020-08-28 18:23:40 +03:00
if (sock_inet6_make_foreign(fd))
MINOR: IPv6 support for transparent proxy Set socket option IPV6_TRANSPARENT on binding to enable transparent proxy on IPv6. This option is available from Linux 2.6.37.
2012-07-13 16:34:59 +04:00
foreign_ok = 1;
else
ip6_transp_working = 0;
}
break;
[MEDIUM] fix server health checks source address selection The source address selection for health checks did not consider the new transparent proxy method. Rely on the same unified function as the other connect() calls. This patch also fixes a bug by which the proxy's source address was ignored if cttproxy was used.
2008-01-13 20:40:14 +03:00
}
REORG: tproxy: prepare the transparent proxy defines for accepting other OSes This patch does not change the logic of the code, it only changes the way OS-specific defines are tested. At the moment the transparent proxy code heavily depends on Linux-specific defines. This first patch introduces a new define "CONFIG_HAP_TRANSPARENT" which is set every time the defines used by transparent proxy are present. This also means that with an up-to-date libc, it should not be necessary anymore to force CONFIG_HAP_LINUX_TPROXY during the build, as the flags will automatically be detected. The CTTPROXY flags still remain separate because this older API doesn't work the same way. A new line has been added in the version output for haproxy -vv to indicate what transparent proxy support is available.
2013-05-09 00:49:23 +04:00
[MEDIUM] fix server health checks source address selection The source address selection for health checks did not consider the new transparent proxy method. Rely on the same unified function as the other connect() calls. This patch also fixes a bug by which the proxy's source address was ignored if cttproxy was used.
2008-01-13 20:40:14 +03:00
if (flags) {
memset(&bind_addr, 0, sizeof(bind_addr));
[BUG] proto_tcp: fix address binding on remote source Mark Brooks reported that commit 1b4b7c broke tproxy in 1.5-dev6. Nick Chalk tracked the issue down to a missing address family setting in tcp_bind_socket() which resulted in a failure to use get_addr_len(). This issue is 1.5-specific.
2011-04-19 09:20:57 +04:00
bind_addr.ss_family = remote->ss_family;
[MEDIUM] add internal support for IPv6 server addresses This patch turns internal server addresses to sockaddr_storage to store IPv6 addresses, and makes the connect() function use it. This code already works but some caveats with getaddrinfo/gethostbyname still need to be sorted out while the changes had to be merged at this stage of internal architecture changes. So for now the config parser will not emit an IPv6 address yet so that user experience remains unchanged. This change should have absolutely zero user-visible effect, otherwise it's a bug introduced during the merge, that should be reported ASAP.
2011-03-11 00:26:24 +03:00
switch (remote->ss_family) {
case AF_INET:
if (flags & 1)
((struct sockaddr_in *)&bind_addr)->sin_addr = ((struct sockaddr_in *)remote)->sin_addr;
if (flags & 2)
((struct sockaddr_in *)&bind_addr)->sin_port = ((struct sockaddr_in *)remote)->sin_port;
break;
case AF_INET6:
if (flags & 1)
((struct sockaddr_in6 *)&bind_addr)->sin6_addr = ((struct sockaddr_in6 *)remote)->sin6_addr;
if (flags & 2)
((struct sockaddr_in6 *)&bind_addr)->sin6_port = ((struct sockaddr_in6 *)remote)->sin6_port;
break;
BUG: proto_tcp: don't try to bind to a foreign address if sin_family is unknown This is 1.5-specific. It causes issues with transparent source binding involving hdr_ip. We must not try to bind() to a foreign address when the family is not set, and we must set the family when an address is set.
2011-12-17 00:25:11 +04:00
default:
/* we don't want to try to bind to an unknown address family */
foreign_ok = 0;
[MEDIUM] add internal support for IPv6 server addresses This patch turns internal server addresses to sockaddr_storage to store IPv6 addresses, and makes the connect() function use it. This code already works but some caveats with getaddrinfo/gethostbyname still need to be sorted out while the changes had to be merged at this stage of internal architecture changes. So for now the config parser will not emit an IPv6 address yet so that user experience remains unchanged. This change should have absolutely zero user-visible effect, otherwise it's a bug introduced during the merge, that should be reported ASAP.
2011-03-11 00:26:24 +03:00
}
[MEDIUM] fix server health checks source address selection The source address selection for health checks did not consider the new transparent proxy method. Rely on the same unified function as the other connect() calls. This patch also fixes a bug by which the proxy's source address was ignored if cttproxy was used.
2008-01-13 20:40:14 +03:00
}
[CLEANUP] Remove unnecessary casts There is no need to cast when going to or from void *
2011-06-24 10:11:37 +04:00
setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
[MEDIUM] fix server health checks source address selection The source address selection for health checks did not consider the new transparent proxy method. Rely on the same unified function as the other connect() calls. This patch also fixes a bug by which the proxy's source address was ignored if cttproxy was used.
2008-01-13 20:40:14 +03:00
if (foreign_ok) {
MINOR: protocols: use is_inet_addr() when only INET addresses are desired We used to have is_addr() in place to validate sometimes the existence of an address, sometimes a valid IPv4 or IPv6 address. Replace them carefully so that is_inet_addr() is used wherever we can only use an IPv4/IPv6 address.
2014-05-10 00:56:10 +04:00
if (is_inet_addr(&bind_addr)) {
BUG/MEDIUM: tcp: transparent bind to the source only when address is set Thomas Heil reported that health checks did not work anymore when a backend or server has "usesrc clientip". This is because the source address is not set and tcp_bind_socket() tries to bind to that address anyway. The solution consists in explicitly clearing the source address in the checks and to make tcp_bind_socket() avoid binding when the address is not set. This also has an indirect benefit that a useless bind() syscall will be avoided when using "source 0.0.0.0 usesrc clientip" in health checks.
2012-10-26 21:57:58 +04:00
ret = bind(fd, (struct sockaddr *)&bind_addr, get_addr_len(&bind_addr));
if (ret < 0)
return 2;
}
[MEDIUM] fix server health checks source address selection The source address selection for health checks did not consider the new transparent proxy method. Rely on the same unified function as the other connect() calls. This patch also fixes a bug by which the proxy's source address was ignored if cttproxy was used.
2008-01-13 20:40:14 +03:00
}
else {
MINOR: protocols: use is_inet_addr() when only INET addresses are desired We used to have is_addr() in place to validate sometimes the existence of an address, sometimes a valid IPv4 or IPv6 address. Replace them carefully so that is_inet_addr() is used wherever we can only use an IPv4/IPv6 address.
2014-05-10 00:56:10 +04:00
if (is_inet_addr(local)) {
BUG/MEDIUM: tcp: transparent bind to the source only when address is set Thomas Heil reported that health checks did not work anymore when a backend or server has "usesrc clientip". This is because the source address is not set and tcp_bind_socket() tries to bind to that address anyway. The solution consists in explicitly clearing the source address in the checks and to make tcp_bind_socket() avoid binding when the address is not set. This also has an indirect benefit that a useless bind() syscall will be avoided when using "source 0.0.0.0 usesrc clientip" in health checks.
2012-10-26 21:57:58 +04:00
ret = bind(fd, (struct sockaddr *)local, get_addr_len(local));
if (ret < 0)
return 1;
}
[MEDIUM] fix server health checks source address selection The source address selection for health checks did not consider the new transparent proxy method. Rely on the same unified function as the other connect() calls. This patch also fixes a bug by which the proxy's source address was ignored if cttproxy was used.
2008-01-13 20:40:14 +03:00
}
if (!flags)
return 0;
if (!foreign_ok)
/* we could not bind to a foreign address */
return 2;
return 0;
}
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
/*
MEDIUM: proto_tcp: remove any dependence on stream_interface The last uses of the stream interfaces were in tcp_connect_server() and could easily and more appropriately be moved to its callers, si_connect() and connect_server(), making a lot more sense. Now the function should theorically be usable for health checks. It also appears more obvious that the file is split into two distinct parts : - the protocol layer used at the connection level - the tcp analysers executing tcp-* rules and their samples/acls.
2012-08-31 00:23:13 +04:00
* This function initiates a TCP connection establishment to the target assigned
MINOR: tcp: replace conn->addr.{from,to} with conn->{src,dst} Most of the locations were already safe, only two places needed to have one extra check to avoid assuming that cli_conn->src is necessarily set (it is in practice but let's stay safe).
2019-07-17 16:41:35 +03:00
* to connection <conn> using (si->{target,dst}). A source address may be
* pointed to by conn->src in case of transparent proxying. Normal source
MEDIUM: proto_tcp: remove any dependence on stream_interface The last uses of the stream interfaces were in tcp_connect_server() and could easily and more appropriately be moved to its callers, si_connect() and connect_server(), making a lot more sense. Now the function should theorically be usable for health checks. It also appears more obvious that the file is split into two distinct parts : - the protocol layer used at the connection level - the tcp analysers executing tcp-* rules and their samples/acls.
2012-08-31 00:23:13 +04:00
* bind addresses are still determined locally (due to the possible need of a
* source port). conn->target may point either to a valid server or to a backend,
MAJOR: connection: replace struct target with a pointer to an enum Instead of storing a couple of (int, ptr) in the struct connection and the struct session, we use a different method : we only store a pointer to an integer which is stored inside the target object and which contains a unique type identifier. That way, the pointer allows us to retrieve the object type (by dereferencing it) and the object's address (by computing the displacement in the target structure). The NULL pointer always corresponds to OBJ_TYPE_NONE. This reduces the size of the connection and session structs. It also simplifies target assignment and compare. In order to improve the generated code, we try to put the obj_type element at the beginning of all the structs (listener, server, proxy, si_applet), so that the original and target pointers are always equal. A lot of code was touched by massive replaces, but the changes are not that important.
2012-11-12 03:42:33 +04:00
* depending on conn->target. Only OBJ_TYPE_PROXY and OBJ_TYPE_SERVER are
MEDIUM: tcp: add explicit support for delayed ACK in connect() Commit 24db47e0 tried to improve support for delayed ACK upon connect but it was incomplete, because checks with the proxy protocol would always enable polling for data receive and there was no way of distinguishing data polling and delayed ack. So we add a distinct delack flag to the connect() function so that the caller decides whether or not to use a delayed ack regardless of pending data (eg: when send-proxy is in use). Doing so covers all combinations of { (check with data), (sendproxy), (smart-connect) }.
2012-11-24 13:24:27 +04:00
* supported. The <data> parameter is a boolean indicating whether there are data
* waiting for being sent or not, in order to adjust data write polling and on
MEDIUM: proto: Change the prototype of the connect() method. The connect() method had 2 arguments, "data", that tells if there's pending data to be sent, and "delack" that tells if we have to use a delayed ack inconditionally, or if the backend is configured with tcp-smart-connect. Turn that into one argument, "flags". That way it'll be easier to provide more informations to connect() without adding extra arguments.
2019-05-06 19:32:29 +03:00
* some platforms, the ability to avoid an empty initial ACK. The <flags> argument
* allows the caller to force using a delayed ACK when establishing the connection
MEDIUM: tcp: add explicit support for delayed ACK in connect() Commit 24db47e0 tried to improve support for delayed ACK upon connect but it was incomplete, because checks with the proxy protocol would always enable polling for data receive and there was no way of distinguishing data polling and delayed ack. So we add a distinct delack flag to the connect() function so that the caller decides whether or not to use a delayed ack regardless of pending data (eg: when send-proxy is in use). Doing so covers all combinations of { (check with data), (sendproxy), (smart-connect) }.
2012-11-24 13:24:27 +04:00
* - 0 = no delayed ACK unless data are advertised and backend has tcp-smart-connect
MEDIUM: proto: Change the prototype of the connect() method. The connect() method had 2 arguments, "data", that tells if there's pending data to be sent, and "delack" that tells if we have to use a delayed ack inconditionally, or if the backend is configured with tcp-smart-connect. Turn that into one argument, "flags". That way it'll be easier to provide more informations to connect() without adding extra arguments.
2019-05-06 19:32:29 +03:00
* - CONNECT_DELACK_SMART_CONNECT = delayed ACK if backend has tcp-smart-connect, regardless of data
* - CONNECT_DELACK_ALWAYS = delayed ACK regardless of backend options
[MEDIUM] backend: move the transparent proxy address selection to backend The transparent proxy address selection was set in the TCP connect function which is not the most appropriate place since this function has limited access to the amount of parameters which could produce a source address. Instead, now we determine the source address in backend.c:connect_server(), right after calling assign_server_address() and we assign this address in the session and pass it to the TCP connect function. This cannot be performed in assign_server_address() itself because in some cases (transparent mode, dispatch mode or http_proxy mode), we assign the address somewhere else. This change will open the ability to bind to addresses extracted from many other criteria (eg: from a header).
2010-03-29 21:36:59 +04:00
*
MINOR: connection: check for send_proxy during the connect(), not the SI It's cleaner to check for a pending send_proxy_ofs while establishing the connection (which already checks it anyway) and not in the stream interface.
2013-10-24 23:45:00 +04:00
* Note that a pending send_proxy message accounts for data.
*
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
* It can return one of :
REORG/MEDIUM: stream: rename stream flags from SN_* to SF_* This is in order to keep things consistent.
2015-04-03 02:14:29 +03:00
* - SF_ERR_NONE if everything's OK
* - SF_ERR_SRVTO if there are no more servers
* - SF_ERR_SRVCL if the connection was refused by the server
* - SF_ERR_PRXCOND if the connection has been limited by the proxy (maxconn)
* - SF_ERR_RESOURCE if a system resource is lacking (eg: fd limits, ports, ...)
* - SF_ERR_INTERNAL for any other purely internal errors
DOC: Spelling fixes [wt: this contains spelling fixes for both doc and code comments, should be backported, ignoring the parts which don't apply]
2016-11-29 04:15:19 +03:00
* Additionally, in the case of SF_ERR_RESOURCE, an emergency log will be emitted.
BUG/MEDIUM: checks: mark the check as stopped after a connect error Health checks currently still use the connection's fd to know whether a check is running (this needs to change). When a health check immediately fails during connect() because of a lack of local resource (eg: port), we failed to unset the fd, so each time the process_chk woken up after such an error, it believed a check was still running and used to close the fd again instead of starting a new check. This could result in other connections being closed because they were assigned the same fd value. The bug is only marked medium because when this happens, the system is already in a bad state. A comment was added above tcp_connect_server() to clarify that the fd is *not* valid on error.
2012-11-23 11:51:32 +04:00
*
REORG/MEDIUM: stream: rename stream flags from SN_* to SF_* This is in order to keep things consistent.
2015-04-03 02:14:29 +03:00
* The connection's fd is inserted only when SF_ERR_NONE is returned, otherwise
BUG/MEDIUM: checks: mark the check as stopped after a connect error Health checks currently still use the connection's fd to know whether a check is running (this needs to change). When a health check immediately fails during connect() because of a lack of local resource (eg: port), we failed to unset the fd, so each time the process_chk woken up after such an error, it believed a check was still running and used to close the fd again instead of starting a new check. This could result in other connections being closed because they were assigned the same fd value. The bug is only marked medium because when this happens, the system is already in a bad state. A comment was added above tcp_connect_server() to clarify that the fd is *not* valid on error.
2012-11-23 11:51:32 +04:00
* it's invalid and the caller has nothing to do.
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
*/
[REORG] tcp: make tcpv4_connect_server() take the target address from the SI The address is now available in the stream interface, no need to pass it by argument.
2011-03-03 20:27:32 +03:00
MEDIUM: proto: Change the prototype of the connect() method. The connect() method had 2 arguments, "data", that tells if there's pending data to be sent, and "delack" that tells if we have to use a delayed ack inconditionally, or if the backend is configured with tcp-smart-connect. Turn that into one argument, "flags". That way it'll be easier to provide more informations to connect() without adding extra arguments.
2019-05-06 19:32:29 +03:00
int tcp_connect_server(struct connection *conn, int flags)
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
{
int fd;
[MEDIUM] stream_interface: store the target pointer and type When doing a connect() on a stream interface, some information is needed from the server and from the backend. In some situations, we don't have a server and only a backend (eg: peers). In other cases, we know we have an applet and we don't want to connect to anything, but we'd still like to have the info about the applet being used. For this, we now store a pointer to the "target" into the stream interface. The target describes what's on the other side before trying to connect. It can be a server, a proxy or an applet for now. Later we'll probably have descriptors for multiple-stage chains so that the final information may still be found. This will help removing many specific cases in the code. It already made it possible to remove the "srv" and "be" parameters to tcpv4_connect_server().
2011-03-05 00:04:29 +03:00
struct server *srv;
struct proxy *be;
CLEANUP: proto_tcp: use the same code to bind servers and backends The tproxy and source binding code has now be factored out for servers and backends. A nice effect is that the code now supports having backends use source port ranges, though the config does not support it yet. This change has reduced the executable by around 700 bytes.
2012-12-09 01:49:11 +04:00
struct conn_src *src;
MEDIUM: tcp: add the "tfo" option to support TCP fastopen on the server This implements support for the new API which relies on a call to setsockopt(). On systems that support it (currently, only Linux >= 4.11), this enables using TCP fast open when connecting to server. Please note that you should use the retry-on "conn-failure", "empty-response" and "response-timeout" keywords, or the request won't be able to be retried on failure. Co-authored-by: Olivier Houchard <ohouchard@haproxy.com>
2017-01-24 01:36:45 +03:00
int use_fastopen = 0;
MEDIUM: connection: Upstream SOCKS4 proxy support Have "socks4" and "check-via-socks4" server keyword added. Implement handshake with SOCKS4 proxy server for tcp stream connection. See issue #82. I have the "SOCKS: A protocol for TCP proxy across firewalls" doc found at "https://www.openssh.com/txt/socks4.protocol". Please reference to it. [wt: for now connecting to the SOCKS4 proxy over unix sockets is not supported, and mixing IPv4/IPv6 is discouraged; indeed, the control layer is unique for a connection and will be used both for connecting and for target address manipulation. As such it may for example report incorrect destination addresses in logs if the proxy is reached over IPv6]
2019-05-22 14:44:48 +03:00
struct sockaddr_storage *addr;
[MEDIUM] stream_interface: store the target pointer and type When doing a connect() on a stream interface, some information is needed from the server and from the backend. In some situations, we don't have a server and only a backend (eg: peers). In other cases, we know we have an applet and we don't want to connect to anything, but we'd still like to have the info about the applet being used. For this, we now store a pointer to the "target" into the stream interface. The target describes what's on the other side before trying to connect. It can be a server, a proxy or an applet for now. Later we'll probably have descriptors for multiple-stage chains so that the final information may still be found. This will help removing many specific cases in the code. It already made it possible to remove the "srv" and "be" parameters to tcpv4_connect_server().
2011-03-05 00:04:29 +03:00
CLEANUP: protocol: make sure the connect_* functions always receive a dst Some of the protocol-level ->connect() functions currently dereference the connection's destination address while others test it and return an error. There's normally no more non-bogus code path that calls such functions without a valid destination address on the connection, so let's unify these functions and just place a BUG_ON() there, and drop the useless test that's supposed to return an internal error.
2022-05-02 18:45:12 +03:00
BUG_ON(!conn->dst);
BUG/MEDIUM: connections: Don't reset the conn flags in *connect_server(). In the various connect_server() functions, don't reset the connection flags, as some may have been set before. The flags are initialized in conn_init(), anyway.
2018-11-23 16:23:07 +03:00
conn->flags |= CO_FL_WAIT_L4_CONN; /* connection in progress */
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
MAJOR: connection: replace struct target with a pointer to an enum Instead of storing a couple of (int, ptr) in the struct connection and the struct session, we use a different method : we only store a pointer to an integer which is stored inside the target object and which contains a unique type identifier. That way, the pointer allows us to retrieve the object type (by dereferencing it) and the object's address (by computing the displacement in the target structure). The NULL pointer always corresponds to OBJ_TYPE_NONE. This reduces the size of the connection and session structs. It also simplifies target assignment and compare. In order to improve the generated code, we try to put the obj_type element at the beginning of all the structs (listener, server, proxy, si_applet), so that the original and target pointers are always equal. A lot of code was touched by massive replaces, but the changes are not that important.
2012-11-12 03:42:33 +04:00
switch (obj_type(conn->target)) {
case OBJ_TYPE_PROXY:
BUILD: tree-wide: avoid warnings caused by redundant checks of obj_types At many places we use construct such as: if (objt_server(blah)) do_something(objt_server(blah)); At -O2 the compiler manages to simplify the operation and see that the second one returns the same result as the first one. But at -O1 that's not always the case, and the compiler is able to emit a second expression and sees the potential null that results from it, and may warn about a potential null deref (e.g. with gcc-6.5). There are two solutions to this: - either the result of the first test has to be passed to a local variable - or the second reference ought to be unchecked using the __objt_* variant. This patch fixes all occurrences at once by taking the second approach (the least intrusive). For constructs like: objt_server(blah) ? objt_server(blah)->name : "no name" a macro could be useful. It would for example take the object type (server), the field name (name) and the default value. But there are probably not enough occurrences across the whole code for this to really matter. This should be backported wherever it applies.
2021-12-06 10:01:02 +03:00
be = __objt_proxy(conn->target);
[MEDIUM] stream_interface: store the target pointer and type When doing a connect() on a stream interface, some information is needed from the server and from the backend. In some situations, we don't have a server and only a backend (eg: peers). In other cases, we know we have an applet and we don't want to connect to anything, but we'd still like to have the info about the applet being used. For this, we now store a pointer to the "target" into the stream interface. The target describes what's on the other side before trying to connect. It can be a server, a proxy or an applet for now. Later we'll probably have descriptors for multiple-stage chains so that the final information may still be found. This will help removing many specific cases in the code. It already made it possible to remove the "srv" and "be" parameters to tcpv4_connect_server().
2011-03-05 00:04:29 +03:00
srv = NULL;
break;
MAJOR: connection: replace struct target with a pointer to an enum Instead of storing a couple of (int, ptr) in the struct connection and the struct session, we use a different method : we only store a pointer to an integer which is stored inside the target object and which contains a unique type identifier. That way, the pointer allows us to retrieve the object type (by dereferencing it) and the object's address (by computing the displacement in the target structure). The NULL pointer always corresponds to OBJ_TYPE_NONE. This reduces the size of the connection and session structs. It also simplifies target assignment and compare. In order to improve the generated code, we try to put the obj_type element at the beginning of all the structs (listener, server, proxy, si_applet), so that the original and target pointers are always equal. A lot of code was touched by massive replaces, but the changes are not that important.
2012-11-12 03:42:33 +04:00
case OBJ_TYPE_SERVER:
BUILD: tree-wide: avoid warnings caused by redundant checks of obj_types At many places we use construct such as: if (objt_server(blah)) do_something(objt_server(blah)); At -O2 the compiler manages to simplify the operation and see that the second one returns the same result as the first one. But at -O1 that's not always the case, and the compiler is able to emit a second expression and sees the potential null that results from it, and may warn about a potential null deref (e.g. with gcc-6.5). There are two solutions to this: - either the result of the first test has to be passed to a local variable - or the second reference ought to be unchecked using the __objt_* variant. This patch fixes all occurrences at once by taking the second approach (the least intrusive). For constructs like: objt_server(blah) ? objt_server(blah)->name : "no name" a macro could be useful. It would for example take the object type (server), the field name (name) and the default value. But there are probably not enough occurrences across the whole code for this to really matter. This should be backported wherever it applies.
2021-12-06 10:01:02 +03:00
srv = __objt_server(conn->target);
[MEDIUM] stream_interface: store the target pointer and type When doing a connect() on a stream interface, some information is needed from the server and from the backend. In some situations, we don't have a server and only a backend (eg: peers). In other cases, we know we have an applet and we don't want to connect to anything, but we'd still like to have the info about the applet being used. For this, we now store a pointer to the "target" into the stream interface. The target describes what's on the other side before trying to connect. It can be a server, a proxy or an applet for now. Later we'll probably have descriptors for multiple-stage chains so that the final information may still be found. This will help removing many specific cases in the code. It already made it possible to remove the "srv" and "be" parameters to tcpv4_connect_server().
2011-03-05 00:04:29 +03:00
be = srv->proxy;
MEDIUM: tcp: add the "tfo" option to support TCP fastopen on the server This implements support for the new API which relies on a call to setsockopt(). On systems that support it (currently, only Linux >= 4.11), this enables using TCP fast open when connecting to server. Please note that you should use the retry-on "conn-failure", "empty-response" and "response-timeout" keywords, or the request won't be able to be retried on failure. Co-authored-by: Olivier Houchard <ohouchard@haproxy.com>
2017-01-24 01:36:45 +03:00
/* Make sure we check that we have data before activating
* TFO, or we could trigger a kernel issue whereby after
* a successful connect() == 0, any subsequent connect()
* will return EINPROGRESS instead of EISCONN.
*/
use_fastopen = (srv->flags & SRV_F_FASTOPEN) &&
((flags & (CONNECT_CAN_USE_TFO | CONNECT_HAS_DATA)) ==
(CONNECT_CAN_USE_TFO | CONNECT_HAS_DATA));
[MEDIUM] stream_interface: store the target pointer and type When doing a connect() on a stream interface, some information is needed from the server and from the backend. In some situations, we don't have a server and only a backend (eg: peers). In other cases, we know we have an applet and we don't want to connect to anything, but we'd still like to have the info about the applet being used. For this, we now store a pointer to the "target" into the stream interface. The target describes what's on the other side before trying to connect. It can be a server, a proxy or an applet for now. Later we'll probably have descriptors for multiple-stage chains so that the final information may still be found. This will help removing many specific cases in the code. It already made it possible to remove the "srv" and "be" parameters to tcpv4_connect_server().
2011-03-05 00:04:29 +03:00
break;
default:
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
conn->flags |= CO_FL_ERROR;
REORG/MEDIUM: stream: rename stream flags from SN_* to SF_* This is in order to keep things consistent.
2015-04-03 02:14:29 +03:00
return SF_ERR_INTERNAL;
[MEDIUM] stream_interface: store the target pointer and type When doing a connect() on a stream interface, some information is needed from the server and from the backend. In some situations, we don't have a server and only a backend (eg: peers). In other cases, we know we have an applet and we don't want to connect to anything, but we'd still like to have the info about the applet being used. For this, we now store a pointer to the "target" into the stream interface. The target describes what's on the other side before trying to connect. It can be a server, a proxy or an applet for now. Later we'll probably have descriptors for multiple-stage chains so that the final information may still be found. This will help removing many specific cases in the code. It already made it possible to remove the "srv" and "be" parameters to tcpv4_connect_server().
2011-03-05 00:04:29 +03:00
}
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
REORG: sock: start to move some generic socket code to sock.c The new file sock.c will contain generic code for standard sockets relying on file descriptors. We currently have way too much duplication between proto_uxst, proto_tcp, proto_sockpair and proto_udp. For now only get_src, get_dst and sock_create_server_socket were moved, and are used where appropriate.
2020-08-28 13:07:22 +03:00
fd = conn->handle.fd = sock_create_server_socket(conn);
MAJOR: namespace: add Linux network namespace support This patch makes it possible to create binds and servers in separate namespaces. This can be used to proxy between multiple completely independent virtual networks (with possibly overlapping IP addresses) and a non-namespace-aware proxy implementation that supports the proxy protocol (v2). The setup is something like this: net1 on VLAN 1 (namespace 1) -\ net2 on VLAN 2 (namespace 2) -- haproxy ==== proxy (namespace 0) net3 on VLAN 3 (namespace 3) -/ The proxy is configured to make server connections through haproxy and sending the expected source/target addresses to haproxy using the proxy protocol. The network namespace setup on the haproxy node is something like this: = 8< = $ cat setup.sh ip netns add 1 ip link add link eth1 type vlan id 1 ip link set eth1.1 netns 1 ip netns exec 1 ip addr add 192.168.91.2/24 dev eth1.1 ip netns exec 1 ip link set eth1.$id up ... = 8< = = 8< = $ cat haproxy.cfg frontend clients bind 127.0.0.1:50022 namespace 1 transparent default_backend scb backend server mode tcp server server1 192.168.122.4:2222 namespace 2 send-proxy-v2 = 8< = A bind line creates the listener in the specified namespace, and connections originating from that listener also have their network namespace set to that of the listener. A server line either forces the connection to be made in a specified namespace or may use the namespace from the client-side connection if that was set. For more documentation please read the documentation included in the patch itself. Signed-off-by: KOVACS Tamas <ktamas@balabit.com> Signed-off-by: Sarkozi Laszlo <laszlo.sarkozi@balabit.com> Signed-off-by: KOVACS Krisztian <hidden@balabit.com>
2014-11-17 17:11:45 +03:00
if (fd == -1) {
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
qfprintf(stderr, "Cannot get a server socket.\n");
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
if (errno == ENFILE) {
conn->err_code = CO_ER_SYS_FDLIM;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
send_log(be, LOG_EMERG,
MINOR: fd: don't report maxfd in alert messages The listeners and connectors may complain that process-wide or system-wide FD limits have been reached and will in this case report maxfd as the limit. This is wrong in fact since there's no reason for the whole FD space to be contiguous when the total # of FD is reached. A better approach would consist in reporting the accurate number of opened FDs, but this is pointless as what matters here is to give a hint about what might be wrong. So let's simply report the configured maxsock, which will generally explain why the process' limits were reached, which is the most common reason. This removes another dependency on maxfd.
2018-01-29 17:06:04 +03:00
"Proxy %s reached system FD limit (maxsock=%d). Please check system tunables.\n",
be->id, global.maxsock);
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
}
else if (errno == EMFILE) {
conn->err_code = CO_ER_PROC_FDLIM;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
send_log(be, LOG_EMERG,
MINOR: fd: don't report maxfd in alert messages The listeners and connectors may complain that process-wide or system-wide FD limits have been reached and will in this case report maxfd as the limit. This is wrong in fact since there's no reason for the whole FD space to be contiguous when the total # of FD is reached. A better approach would consist in reporting the accurate number of opened FDs, but this is pointless as what matters here is to give a hint about what might be wrong. So let's simply report the configured maxsock, which will generally explain why the process' limits were reached, which is the most common reason. This removes another dependency on maxfd.
2018-01-29 17:06:04 +03:00
"Proxy %s reached process FD limit (maxsock=%d). Please check 'ulimit-n' and restart.\n",
be->id, global.maxsock);
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
}
else if (errno == ENOBUFS || errno == ENOMEM) {
conn->err_code = CO_ER_SYS_MEMLIM;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
send_log(be, LOG_EMERG,
MINOR: fd: don't report maxfd in alert messages The listeners and connectors may complain that process-wide or system-wide FD limits have been reached and will in this case report maxfd as the limit. This is wrong in fact since there's no reason for the whole FD space to be contiguous when the total # of FD is reached. A better approach would consist in reporting the accurate number of opened FDs, but this is pointless as what matters here is to give a hint about what might be wrong. So let's simply report the configured maxsock, which will generally explain why the process' limits were reached, which is the most common reason. This removes another dependency on maxfd.
2018-01-29 17:06:04 +03:00
"Proxy %s reached system memory limit (maxsock=%d). Please check system tunables.\n",
be->id, global.maxsock);
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
}
else if (errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT) {
conn->err_code = CO_ER_NOPROTO;
}
else
conn->err_code = CO_ER_SOCK_ERR;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
/* this is a resource error */
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
conn->flags |= CO_FL_ERROR;
REORG/MEDIUM: stream: rename stream flags from SN_* to SF_* This is in order to keep things consistent.
2015-04-03 02:14:29 +03:00
return SF_ERR_RESOURCE;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
}
if (fd >= global.maxsock) {
/* do not log anything there, it's a normal condition when this option
* is used to serialize connections to a server !
*/
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 18:50:31 +03:00
ha_alert("socket(): not enough free sockets. Raise -n argument. Giving up.\n");
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
close(fd);
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
conn->err_code = CO_ER_CONF_FDLIM;
conn->flags |= CO_FL_ERROR;
REORG/MEDIUM: stream: rename stream flags from SN_* to SF_* This is in order to keep things consistent.
2015-04-03 02:14:29 +03:00
return SF_ERR_PRXCOND; /* it is a configuration limit */
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
}
CLEANUP: tree-wide: use fd_set_nonblock() and fd_set_cloexec() This gets rid of most open-coded fcntl() calls, some of which were passed through DISGUISE() to avoid a useless test. The FD_CLOEXEC was most often set without preserving previous flags, which could become a problem once new flags are created. Now this will not happen anymore.
2022-04-26 11:24:14 +03:00
if (fd_set_nonblock(fd) == -1 ||
[CLEANUP] Remove unnecessary casts There is no need to cast when going to or from void *
2011-06-24 10:11:37 +04:00
(setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one)) == -1)) {
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
qfprintf(stderr,"Cannot set client socket to non blocking mode.\n");
close(fd);
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
conn->err_code = CO_ER_SOCK_ERR;
conn->flags |= CO_FL_ERROR;
REORG/MEDIUM: stream: rename stream flags from SN_* to SF_* This is in order to keep things consistent.
2015-04-03 02:14:29 +03:00
return SF_ERR_INTERNAL;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
}
CLEANUP: tree-wide: use fd_set_nonblock() and fd_set_cloexec() This gets rid of most open-coded fcntl() calls, some of which were passed through DISGUISE() to avoid a useless test. The FD_CLOEXEC was most often set without preserving previous flags, which could become a problem once new flags are created. Now this will not happen anymore.
2022-04-26 11:24:14 +03:00
if (master == 1 && fd_set_cloexec(fd) == -1) {
BUG/MEDIUM: mworker: avoid leak of client socket If the master was reloaded and there was a established connection to a server, the FD resulting from the accept was leaking. There was no CLOEXEC flag set on the FD of the socketpair created during a connect call. This is specific to the socketpair in the master process but it should be applied to every protocol in case we use them in the master at some point. No backport needed.
2018-11-27 14:02:37 +03:00
ha_alert("Cannot set CLOEXEC on client socket.\n");
close(fd);
conn->err_code = CO_ER_SOCK_ERR;
conn->flags |= CO_FL_ERROR;
return SF_ERR_INTERNAL;
}
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-09 05:13:20 +03:00
if (be->options & PR_O_TCP_SRV_KA) {
[CLEANUP] Remove unnecessary casts There is no need to cast when going to or from void *
2011-06-24 10:11:37 +04:00
setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &one, sizeof(one));
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
BUILD: tcp: condition TCP keepalive settings to platforms providing them Previous commit b24bc0d ("MINOR: tcp: Support TCP keepalive parameters customization") broke non-Linux builds as TCP_KEEP{CNT,IDLE,INTVL} are not necessarily defined elsewhere. This patch adds the required #ifdefs to condition the visibility of the keywords, and adds a mention in the doc about their dependency on Linux.
2020-07-09 06:58:51 +03:00
#ifdef TCP_KEEPCNT
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-09 05:13:20 +03:00
if (be->srvtcpka_cnt)
setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &be->srvtcpka_cnt, sizeof(be->srvtcpka_cnt));
BUILD: tcp: condition TCP keepalive settings to platforms providing them Previous commit b24bc0d ("MINOR: tcp: Support TCP keepalive parameters customization") broke non-Linux builds as TCP_KEEP{CNT,IDLE,INTVL} are not necessarily defined elsewhere. This patch adds the required #ifdefs to condition the visibility of the keywords, and adds a mention in the doc about their dependency on Linux.
2020-07-09 06:58:51 +03:00
#endif
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-09 05:13:20 +03:00
BUILD: tcp: condition TCP keepalive settings to platforms providing them Previous commit b24bc0d ("MINOR: tcp: Support TCP keepalive parameters customization") broke non-Linux builds as TCP_KEEP{CNT,IDLE,INTVL} are not necessarily defined elsewhere. This patch adds the required #ifdefs to condition the visibility of the keywords, and adds a mention in the doc about their dependency on Linux.
2020-07-09 06:58:51 +03:00
#ifdef TCP_KEEPIDLE
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-09 05:13:20 +03:00
if (be->srvtcpka_idle)
setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &be->srvtcpka_idle, sizeof(be->srvtcpka_idle));
BUILD: tcp: condition TCP keepalive settings to platforms providing them Previous commit b24bc0d ("MINOR: tcp: Support TCP keepalive parameters customization") broke non-Linux builds as TCP_KEEP{CNT,IDLE,INTVL} are not necessarily defined elsewhere. This patch adds the required #ifdefs to condition the visibility of the keywords, and adds a mention in the doc about their dependency on Linux.
2020-07-09 06:58:51 +03:00
#endif
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-09 05:13:20 +03:00
BUILD: tcp: condition TCP keepalive settings to platforms providing them Previous commit b24bc0d ("MINOR: tcp: Support TCP keepalive parameters customization") broke non-Linux builds as TCP_KEEP{CNT,IDLE,INTVL} are not necessarily defined elsewhere. This patch adds the required #ifdefs to condition the visibility of the keywords, and adds a mention in the doc about their dependency on Linux.
2020-07-09 06:58:51 +03:00
#ifdef TCP_KEEPINTVL
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-09 05:13:20 +03:00
if (be->srvtcpka_intvl)
setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &be->srvtcpka_intvl, sizeof(be->srvtcpka_intvl));
BUILD: tcp: condition TCP keepalive settings to platforms providing them Previous commit b24bc0d ("MINOR: tcp: Support TCP keepalive parameters customization") broke non-Linux builds as TCP_KEEP{CNT,IDLE,INTVL} are not necessarily defined elsewhere. This patch adds the required #ifdefs to condition the visibility of the keywords, and adds a mention in the doc about their dependency on Linux.
2020-07-09 06:58:51 +03:00
#endif
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-09 05:13:20 +03:00
}
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
/* allow specific binding :
* - server-specific at first
* - proxy-specific next
*/
CLEANUP: proto_tcp: use the same code to bind servers and backends The tproxy and source binding code has now be factored out for servers and backends. A nice effect is that the code now supports having backends use source port ranges, though the config does not support it yet. This change has reduced the executable by around 700 bytes.
2012-12-09 01:49:11 +04:00
if (srv && srv->conn_src.opts & CO_SRC_BIND)
src = &srv->conn_src;
else if (be->conn_src.opts & CO_SRC_BIND)
src = &be->conn_src;
else
src = NULL;
if (src) {
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
int ret, flags = 0;
MINOR: tcp: replace conn->addr.{from,to} with conn->{src,dst} Most of the locations were already safe, only two places needed to have one extra check to avoid assuming that cli_conn->src is necessarily set (it is in practice but let's stay safe).
2019-07-17 16:41:35 +03:00
if (conn->src && is_inet_addr(conn->src)) {
CLEANUP: proto_tcp: use the same code to bind servers and backends The tproxy and source binding code has now be factored out for servers and backends. A nice effect is that the code now supports having backends use source port ranges, though the config does not support it yet. This change has reduced the executable by around 700 bytes.
2012-12-09 01:49:11 +04:00
switch (src->opts & CO_SRC_TPROXY_MASK) {
MEDIUM: connection: introduce "struct conn_src" for servers and proxies Both servers and proxies share a common set of parameters for outgoing connections, and since they're not stored in a similar structure, a lot of code is duplicated in the connection setup, which is one sensible area. Let's first define a common struct for these settings and make use of it. Next patches will de-duplicate code. This change also fixes a build breakage that happens when USE_LINUX_TPROXY is not set but USE_CTTPROXY is set, which seem to be very unlikely considering that the issue was introduced almost 2 years ago an never reported.
2012-12-09 01:29:20 +04:00
case CO_SRC_TPROXY_CLI:
MINOR: connection: add a new flag CO_FL_PRIVATE This flag is set on an outgoing connection when this connection gets some properties that must not be shared with other connections, such as dynamic transparent source binding, SNI or a proxy protocol header, or an authentication challenge from the server. This will be needed later to implement connection reuse.
2015-08-04 20:24:13 +03:00
case CO_SRC_TPROXY_ADDR:
BUG/MEDIUM: tcp: transparent bind to the source only when address is set Thomas Heil reported that health checks did not work anymore when a backend or server has "usesrc clientip". This is because the source address is not set and tcp_bind_socket() tries to bind to that address anyway. The solution consists in explicitly clearing the source address in the checks and to make tcp_bind_socket() avoid binding when the address is not set. This also has an indirect benefit that a useless bind() syscall will be avoided when using "source 0.0.0.0 usesrc clientip" in health checks.
2012-10-26 21:57:58 +04:00
flags = 3;
break;
MEDIUM: connection: introduce "struct conn_src" for servers and proxies Both servers and proxies share a common set of parameters for outgoing connections, and since they're not stored in a similar structure, a lot of code is duplicated in the connection setup, which is one sensible area. Let's first define a common struct for these settings and make use of it. Next patches will de-duplicate code. This change also fixes a build breakage that happens when USE_LINUX_TPROXY is not set but USE_CTTPROXY is set, which seem to be very unlikely considering that the issue was introduced almost 2 years ago an never reported.
2012-12-09 01:29:20 +04:00
case CO_SRC_TPROXY_CIP:
case CO_SRC_TPROXY_DYN:
BUG/MEDIUM: tcp: transparent bind to the source only when address is set Thomas Heil reported that health checks did not work anymore when a backend or server has "usesrc clientip". This is because the source address is not set and tcp_bind_socket() tries to bind to that address anyway. The solution consists in explicitly clearing the source address in the checks and to make tcp_bind_socket() avoid binding when the address is not set. This also has an indirect benefit that a useless bind() syscall will be avoided when using "source 0.0.0.0 usesrc clientip" in health checks.
2012-10-26 21:57:58 +04:00
flags = 1;
break;
}
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
}
[MEDIUM] backend: move the transparent proxy address selection to backend The transparent proxy address selection was set in the TCP connect function which is not the most appropriate place since this function has limited access to the amount of parameters which could produce a source address. Instead, now we determine the source address in backend.c:connect_server(), right after calling assign_server_address() and we assign this address in the session and pass it to the TCP connect function. This cannot be performed in assign_server_address() itself because in some cases (transparent mode, dispatch mode or http_proxy mode), we assign the address somewhere else. This change will open the ability to bind to addresses extracted from many other criteria (eg: from a header).
2010-03-29 21:36:59 +04:00
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
#ifdef SO_BINDTODEVICE
/* Note: this might fail if not CAP_NET_RAW */
CLEANUP: proto_tcp: use the same code to bind servers and backends The tproxy and source binding code has now be factored out for servers and backends. A nice effect is that the code now supports having backends use source port ranges, though the config does not support it yet. This change has reduced the executable by around 700 bytes.
2012-12-09 01:49:11 +04:00
if (src->iface_name)
setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, src->iface_name, src->iface_len + 1);
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
#endif
CLEANUP: proto_tcp: use the same code to bind servers and backends The tproxy and source binding code has now be factored out for servers and backends. A nice effect is that the code now supports having backends use source port ranges, though the config does not support it yet. This change has reduced the executable by around 700 bytes.
2012-12-09 01:49:11 +04:00
if (src->sport_range) {
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
int attempts = 10; /* should be more than enough to find a spare port */
CLEANUP: proto_tcp: use the same code to bind servers and backends The tproxy and source binding code has now be factored out for servers and backends. A nice effect is that the code now supports having backends use source port ranges, though the config does not support it yet. This change has reduced the executable by around 700 bytes.
2012-12-09 01:49:11 +04:00
struct sockaddr_storage sa;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
ret = 1;
BUG/MAJOR: fix listening IP address storage for frontends When compiled with GCC 6, the IP address specified for a frontend was ignored and HAProxy was listening on all addresses instead. This is caused by an incomplete copy of a "struct sockaddr_storage". With the GNU Libc, "struct sockaddr_storage" is defined as this: struct sockaddr_storage { sa_family_t ss_family; unsigned long int __ss_align; char __ss_padding[(128 - (2 * sizeof (unsigned long int)))]; }; Doing an aggregate copy (ss1 = ss2) is different than using memcpy(): only members of the aggregate have to be copied. Notably, padding can be or not be copied. In GCC 6, some optimizations use this fact and if a "struct sockaddr_storage" contains a "struct sockaddr_in", the port and the address are part of the padding (between sa_family and __ss_align) and can be not copied over. Therefore, we replace any aggregate copy by a memcpy(). There is another place using the same pattern. We also fix a function receiving a "struct sockaddr_storage" by copy instead of by reference. Since it only needs a read-only copy, the function is converted to request a reference.
2016-05-18 17:17:44 +03:00
memcpy(&sa, &src->source_addr, sizeof(sa));
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
do {
/* note: in case of retry, we may have to release a previously
* allocated port, hence this loop's construct.
*/
[OPTIM] move some rarely used fields out of fdtab Some rarely information are stored in fdtab, making it larger for no reason (source port ranges, remote address, ...). Such information lie there because the checks can't find them anywhere else. The goal will be to move these information to the stream interface once the checks make use of it. For now, we move them to an fdinfo array. This simple change might have improved the cache hit ratio a little bit because a 0.5% of performance increase has measured.
2009-10-18 09:25:52 +04:00
port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
fdinfo[fd].port_range = NULL;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
if (!attempts)
break;
attempts--;
CLEANUP: proto_tcp: use the same code to bind servers and backends The tproxy and source binding code has now be factored out for servers and backends. A nice effect is that the code now supports having backends use source port ranges, though the config does not support it yet. This change has reduced the executable by around 700 bytes.
2012-12-09 01:49:11 +04:00
fdinfo[fd].local_port = port_range_alloc_port(src->sport_range);
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
if (!fdinfo[fd].local_port) {
conn->err_code = CO_ER_PORT_RANGE;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
break;
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
}
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
CLEANUP: proto_tcp: use the same code to bind servers and backends The tproxy and source binding code has now be factored out for servers and backends. A nice effect is that the code now supports having backends use source port ranges, though the config does not support it yet. This change has reduced the executable by around 700 bytes.
2012-12-09 01:49:11 +04:00
fdinfo[fd].port_range = src->sport_range;
set_host_port(&sa, fdinfo[fd].local_port);
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
MINOR: tcp: replace conn->addr.{from,to} with conn->{src,dst} Most of the locations were already safe, only two places needed to have one extra check to avoid assuming that cli_conn->src is necessarily set (it is in practice but let's stay safe).
2019-07-17 16:41:35 +03:00
ret = tcp_bind_socket(fd, flags, &sa, conn->src);
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
if (ret != 0)
conn->err_code = CO_ER_CANT_BIND;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
} while (ret != 0); /* binding NOK */
}
else {
MINOR: enable IP_BIND_ADDRESS_NO_PORT on backend connections Enable IP_BIND_ADDRESS_NO_PORT on backend connections when the source address is specified without port or port ranges. This is supported since Linux 4.2/libc 2.23. If the kernel supports it but the libc doesn't, we can define it at build time: make [...] DEFINE=-DIP_BIND_ADDRESS_NO_PORT=24 For more informations about this feature, see Linux commit 90c337da
2016-09-13 12:51:15 +03:00
#ifdef IP_BIND_ADDRESS_NO_PORT
BUG/MINOR: threads: Add missing THREAD_LOCAL on static here and there
2017-10-29 22:14:08 +03:00
static THREAD_LOCAL int bind_address_no_port = 1;
CLEANUP: socket: replace SOL_IP/IPV6/TCP with IPPROTO_IP/IPV6/TCP Historically we've used SOL_IP/SOL_IPV6/SOL_TCP everywhere as the socket level value in getsockopt() and setsockopt() but as we've seen over time it regularly broke the build and required to have them defined to their IPPROTO_* equivalent. The Linux ip(7) man page says: Using the SOL_IP socket options level isn't portable; BSD-based stacks use the IPPROTO_IP level. And it indeed looks like a pure linuxism inherited from old examples and documentation. strace also reports SOL_* instead of IPPROTO_*, which does not help... A check to linux/in.h shows they have the same values. Only SOL_SOCKET and other non-IP values make sense since there is no IPPROTO equivalent. Let's get rid of this annoying confusion by removing all redefinitions of SOL_IP/IPV6/TCP and using IPPROTO_* instead, just like any other operating system. This also removes duplicated tests for the same value. Note that this should not result in exposing syscalls to other OSes as the only ones that were still conditionned to SOL_IPV6 were for IPV6_UNICAST_HOPS which already had an IPPROTO_IPV6 equivalent, and IPV6_TRANSPARENT which is Linux-specific.
2021-03-31 09:45:47 +03:00
setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, (const void *) &bind_address_no_port, sizeof(int));
MINOR: enable IP_BIND_ADDRESS_NO_PORT on backend connections Enable IP_BIND_ADDRESS_NO_PORT on backend connections when the source address is specified without port or port ranges. This is supported since Linux 4.2/libc 2.23. If the kernel supports it but the libc doesn't, we can define it at build time: make [...] DEFINE=-DIP_BIND_ADDRESS_NO_PORT=24 For more informations about this feature, see Linux commit 90c337da
2016-09-13 12:51:15 +03:00
#endif
MINOR: tcp: replace conn->addr.{from,to} with conn->{src,dst} Most of the locations were already safe, only two places needed to have one extra check to avoid assuming that cli_conn->src is necessarily set (it is in practice but let's stay safe).
2019-07-17 16:41:35 +03:00
ret = tcp_bind_socket(fd, flags, &src->source_addr, conn->src);
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
if (ret != 0)
conn->err_code = CO_ER_CANT_BIND;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
}
CLEANUP: proto_tcp: use the same code to bind servers and backends The tproxy and source binding code has now be factored out for servers and backends. A nice effect is that the code now supports having backends use source port ranges, though the config does not support it yet. This change has reduced the executable by around 700 bytes.
2012-12-09 01:49:11 +04:00
if (unlikely(ret != 0)) {
[OPTIM] move some rarely used fields out of fdtab Some rarely information are stored in fdtab, making it larger for no reason (source port ranges, remote address, ...). Such information lie there because the checks can't find them anywhere else. The goal will be to move these information to the stream interface once the checks make use of it. For now, we move them to an fdinfo array. This simple change might have improved the cache hit ratio a little bit because a 0.5% of performance increase has measured.
2009-10-18 09:25:52 +04:00
port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
fdinfo[fd].port_range = NULL;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
close(fd);
if (ret == 1) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 18:50:31 +03:00
ha_alert("Cannot bind to source address before connect() for backend %s. Aborting.\n",
be->id);
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
send_log(be, LOG_EMERG,
CLEANUP: proto_tcp: use the same code to bind servers and backends The tproxy and source binding code has now be factored out for servers and backends. A nice effect is that the code now supports having backends use source port ranges, though the config does not support it yet. This change has reduced the executable by around 700 bytes.
2012-12-09 01:49:11 +04:00
"Cannot bind to source address before connect() for backend %s.\n",
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
be->id);
} else {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 18:50:31 +03:00
ha_alert("Cannot bind to tproxy source address before connect() for backend %s. Aborting.\n",
be->id);
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
send_log(be, LOG_EMERG,
CLEANUP: proto_tcp: use the same code to bind servers and backends The tproxy and source binding code has now be factored out for servers and backends. A nice effect is that the code now supports having backends use source port ranges, though the config does not support it yet. This change has reduced the executable by around 700 bytes.
2012-12-09 01:49:11 +04:00
"Cannot bind to tproxy source address before connect() for backend %s.\n",
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
be->id);
}
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
conn->flags |= CO_FL_ERROR;
REORG/MEDIUM: stream: rename stream flags from SN_* to SF_* This is in order to keep things consistent.
2015-04-03 02:14:29 +03:00
return SF_ERR_RESOURCE;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
}
}
[BUILD] compilation of haproxy-1.4-dev2 on FreeBSD Please consider the following patches. They are required to compile haproxy-1.4-dev2 on FreeBSD. Summary: 1) include <sys/types.h> before <netinet/tcp.h> 2) Use IPPROTO_TCP instead of SOL_TCP (they are both defined as 6, TCP protocol number)
2009-08-24 15:11:06 +04:00
#if defined(TCP_QUICKACK)
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
/* disabling tcp quick ack now allows the first request to leave the
* machine with the first ACK. We only do this if there are pending
MEDIUM: tcp: add explicit support for delayed ACK in connect() Commit 24db47e0 tried to improve support for delayed ACK upon connect but it was incomplete, because checks with the proxy protocol would always enable polling for data receive and there was no way of distinguishing data polling and delayed ack. So we add a distinct delack flag to the connect() function so that the caller decides whether or not to use a delayed ack regardless of pending data (eg: when send-proxy is in use). Doing so covers all combinations of { (check with data), (sendproxy), (smart-connect) }.
2012-11-24 13:24:27 +04:00
* data in the buffer.
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
*/
MEDIUM: proto: Change the prototype of the connect() method. The connect() method had 2 arguments, "data", that tells if there's pending data to be sent, and "delack" that tells if we have to use a delayed ack inconditionally, or if the backend is configured with tcp-smart-connect. Turn that into one argument, "flags". That way it'll be easier to provide more informations to connect() without adding extra arguments.
2019-05-06 19:32:29 +03:00
if (flags & (CONNECT_DELACK_ALWAYS) ||
((flags & CONNECT_DELACK_SMART_CONNECT ||
(flags & CONNECT_HAS_DATA) || conn->send_proxy_ofs) &&
(be->options2 & PR_O2_SMARTCON)))
[CLEANUP] Remove unnecessary casts There is no need to cast when going to or from void *
2011-06-24 10:11:37 +04:00
setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, &zero, sizeof(zero));
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
#endif
MEDIUM: server: implement TCP_USER_TIMEOUT on the server This is equivalent to commit 2af207a ("MEDIUM: tcp: implement tcp-ut bind option to set TCP_USER_TIMEOUT") except that this time it works on the server side. The purpose is to detect dead server connections even when checks are rare, disabled, or after a soft reload (since checks are disabled there as well), and to ensure client connections will get killed faster.
2015-10-13 17:16:41 +03:00
#ifdef TCP_USER_TIMEOUT
/* there is not much more we can do here when it fails, it's still minor */
if (srv && srv->tcp_ut)
setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, &srv->tcp_ut, sizeof(srv->tcp_ut));
#endif
MEDIUM: tcp: add the "tfo" option to support TCP fastopen on the server This implements support for the new API which relies on a call to setsockopt(). On systems that support it (currently, only Linux >= 4.11), this enables using TCP fast open when connecting to server. Please note that you should use the retry-on "conn-failure", "empty-response" and "response-timeout" keywords, or the request won't be able to be retried on failure. Co-authored-by: Olivier Houchard <ohouchard@haproxy.com>
2017-01-24 01:36:45 +03:00
if (use_fastopen) {
#if defined(TCP_FASTOPEN_CONNECT)
setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT, &one, sizeof(one));
#endif
}
[MINOR] add the ability to force kernel socket buffer size. Sometimes we need to be able to change the default kernel socket buffer size (recv and send). Four new global settings have been added for this : - tune.rcvbuf.client - tune.rcvbuf.server - tune.sndbuf.client - tune.sndbuf.server Those can be used to reduce kernel memory footprint with large numbers of concurrent connections, and to reduce risks of write timeouts with very slow clients due to excessive kernel buffering.
2010-01-21 19:43:04 +03:00
if (global.tune.server_sndbuf)
setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &global.tune.server_sndbuf, sizeof(global.tune.server_sndbuf));
if (global.tune.server_rcvbuf)
setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &global.tune.server_rcvbuf, sizeof(global.tune.server_rcvbuf));
MINOR: tcp: replace conn->addr.{from,to} with conn->{src,dst} Most of the locations were already safe, only two places needed to have one extra check to avoid assuming that cli_conn->src is necessarily set (it is in practice but let's stay safe).
2019-07-17 16:41:35 +03:00
addr = (conn->flags & CO_FL_SOCKS4) ? &srv->socks4_addr : conn->dst;
MEDIUM: connection: Upstream SOCKS4 proxy support Have "socks4" and "check-via-socks4" server keyword added. Implement handshake with SOCKS4 proxy server for tcp stream connection. See issue #82. I have the "SOCKS: A protocol for TCP proxy across firewalls" doc found at "https://www.openssh.com/txt/socks4.protocol". Please reference to it. [wt: for now connecting to the SOCKS4 proxy over unix sockets is not supported, and mixing IPv4/IPv6 is discouraged; indeed, the control layer is unique for a connection and will be used both for connecting and for target address manipulation. As such it may for example report incorrect destination addresses in logs if the proxy is reached over IPv6]
2019-05-22 14:44:48 +03:00
if (connect(fd, (const struct sockaddr *)addr, get_addr_len(addr)) == -1) {
BUG/MEDIUM: tcp: don't poll for write when connect() succeeds While testing a tcp_fastopen related change, it appeared that in the rare case where connect() can immediately succeed, we still subscribe to write notifications on the socket, causing the conn_fd_handler() to immediately be called and a second call to connect() to be attempted to double-check the connection. In fact this issue had already been met with unix sockets (which often respond immediately) and partially addressed but incorrect so another patch will follow. But for TCP nothing was done. The fix consists in removing the WAIT_L4_CONN flag if connect() succeeds and to subscribe for writes only if some handshakes or L4_CONN are still needed. In addition in order not to fail raw TCP health checks, we have to continue to enable polling for data when nothing is scheduled for leaving and the connection is already established, otherwise the caller will never be notified. This fix should be backported to 1.7 and 1.6.
2017-01-25 16:12:22 +03:00
if (errno == EINPROGRESS || errno == EALREADY) {
/* common case, let's wait for connect status */
conn->flags |= CO_FL_WAIT_L4_CONN;
}
else if (errno == EISCONN) {
/* should normally not happen but if so, indicates that it's OK */
conn->flags &= ~CO_FL_WAIT_L4_CONN;
}
MINOR: tree-wide: always consider EWOULDBLOCK in addition to EAGAIN Some older systems may routinely return EWOULDBLOCK for some syscalls while we tend to check only for EAGAIN nowadays. Modern systems define EWOULDBLOCK as EAGAIN so that solves it, but on a few older ones (AIX, VMS etc) both are different, and for portability we'd need to test for both or we never know if we risk to confuse some status codes with plain errors. There were few entries, the most annoying ones are the switch/case because they require to only add the entry when it differs, but the other ones are really trivial.
2022-04-25 21:32:15 +03:00
else if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EADDRINUSE || errno == EADDRNOTAVAIL) {
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
char *msg;
MINOR: tree-wide: always consider EWOULDBLOCK in addition to EAGAIN Some older systems may routinely return EWOULDBLOCK for some syscalls while we tend to check only for EAGAIN nowadays. Modern systems define EWOULDBLOCK as EAGAIN so that solves it, but on a few older ones (AIX, VMS etc) both are different, and for portability we'd need to test for both or we never know if we risk to confuse some status codes with plain errors. There were few entries, the most annoying ones are the switch/case because they require to only add the entry when it differs, but the other ones are really trivial.
2022-04-25 21:32:15 +03:00
if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EADDRNOTAVAIL) {
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
msg = "no free ports";
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
conn->err_code = CO_ER_FREE_PORTS;
}
else {
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
msg = "local address already in use";
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
conn->err_code = CO_ER_ADDR_INUSE;
}
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
BUG/MEDIUM: tcp: process could theorically crash on lack of source ports When connect() fails with EAGAIN or EADDRINUSE, an error message is sent to logs and uses srv->id to indicate the server name (this is very old code). Since version 1.4, it is possible to have srv == NULL, so the message could cause a crash when connect() returns EAGAIN or EADDRINUSE. However in practice this does not happen because on lack of source ports, EADDRNOTAVAIL is returned instead, so this code is never called. This fix consists in not displaying the server name anymore, and in adding the test for EADDRNOTAVAIL. Also, the log level was lowered from LOG_EMERG to LOG_ERR in order not to spam all consoles when source ports are missing for a given target. This fix should be backported to 1.4.
2012-12-09 02:03:28 +04:00
qfprintf(stderr,"Connect() failed for backend %s: %s.\n", be->id, msg);
[OPTIM] move some rarely used fields out of fdtab Some rarely information are stored in fdtab, making it larger for no reason (source port ranges, remote address, ...). Such information lie there because the checks can't find them anywhere else. The goal will be to move these information to the stream interface once the checks make use of it. For now, we move them to an fdinfo array. This simple change might have improved the cache hit ratio a little bit because a 0.5% of performance increase has measured.
2009-10-18 09:25:52 +04:00
port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
fdinfo[fd].port_range = NULL;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
close(fd);
BUG/MEDIUM: tcp: process could theorically crash on lack of source ports When connect() fails with EAGAIN or EADDRINUSE, an error message is sent to logs and uses srv->id to indicate the server name (this is very old code). Since version 1.4, it is possible to have srv == NULL, so the message could cause a crash when connect() returns EAGAIN or EADDRINUSE. However in practice this does not happen because on lack of source ports, EADDRNOTAVAIL is returned instead, so this code is never called. This fix consists in not displaying the server name anymore, and in adding the test for EADDRNOTAVAIL. Also, the log level was lowered from LOG_EMERG to LOG_ERR in order not to spam all consoles when source ports are missing for a given target. This fix should be backported to 1.4.
2012-12-09 02:03:28 +04:00
send_log(be, LOG_ERR, "Connect() failed for backend %s: %s.\n", be->id, msg);
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
conn->flags |= CO_FL_ERROR;
REORG/MEDIUM: stream: rename stream flags from SN_* to SF_* This is in order to keep things consistent.
2015-04-03 02:14:29 +03:00
return SF_ERR_RESOURCE;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
} else if (errno == ETIMEDOUT) {
//qfprintf(stderr,"Connect(): ETIMEDOUT");
[OPTIM] move some rarely used fields out of fdtab Some rarely information are stored in fdtab, making it larger for no reason (source port ranges, remote address, ...). Such information lie there because the checks can't find them anywhere else. The goal will be to move these information to the stream interface once the checks make use of it. For now, we move them to an fdinfo array. This simple change might have improved the cache hit ratio a little bit because a 0.5% of performance increase has measured.
2009-10-18 09:25:52 +04:00
port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
fdinfo[fd].port_range = NULL;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
close(fd);
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
conn->err_code = CO_ER_SOCK_ERR;
conn->flags |= CO_FL_ERROR;
REORG/MEDIUM: stream: rename stream flags from SN_* to SF_* This is in order to keep things consistent.
2015-04-03 02:14:29 +03:00
return SF_ERR_SRVTO;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
} else {
// (errno == ECONNREFUSED || errno == ENETUNREACH || errno == EACCES || errno == EPERM)
//qfprintf(stderr,"Connect(): %d", errno);
[OPTIM] move some rarely used fields out of fdtab Some rarely information are stored in fdtab, making it larger for no reason (source port ranges, remote address, ...). Such information lie there because the checks can't find them anywhere else. The goal will be to move these information to the stream interface once the checks make use of it. For now, we move them to an fdinfo array. This simple change might have improved the cache hit ratio a little bit because a 0.5% of performance increase has measured.
2009-10-18 09:25:52 +04:00
port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
fdinfo[fd].port_range = NULL;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
close(fd);
MEDIUM: tcp: report connection error at the connection level Now when a connection error happens, it is reported in the connection so that upper layers know exactly what happened. This is particularly useful with health checks and resources exhaustion.
2014-01-24 19:08:19 +04:00
conn->err_code = CO_ER_SOCK_ERR;
conn->flags |= CO_FL_ERROR;
REORG/MEDIUM: stream: rename stream flags from SN_* to SF_* This is in order to keep things consistent.
2015-04-03 02:14:29 +03:00
return SF_ERR_SRVCL;
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
}
}
BUG/MEDIUM: tcp: don't poll for write when connect() succeeds While testing a tcp_fastopen related change, it appeared that in the rare case where connect() can immediately succeed, we still subscribe to write notifications on the socket, causing the conn_fd_handler() to immediately be called and a second call to connect() to be attempted to double-check the connection. In fact this issue had already been met with unix sockets (which often respond immediately) and partially addressed but incorrect so another patch will follow. But for TCP nothing was done. The fix consists in removing the WAIT_L4_CONN flag if connect() succeeds and to subscribe for writes only if some handshakes or L4_CONN are still needed. In addition in order not to fail raw TCP health checks, we have to continue to enable polling for data when nothing is scheduled for leaving and the connection is already established, otherwise the caller will never be notified. This fix should be backported to 1.7 and 1.6.
2017-01-25 16:12:22 +03:00
else {
/* connect() == 0, this is great! */
conn->flags &= ~CO_FL_WAIT_L4_CONN;
}
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
MAJOR: connection: add two new flags to indicate readiness of control/transport Currently the control and transport layers of a connection are supposed to be initialized when their respective pointers are not NULL. This will not work anymore when we plan to reuse connections, because there is an asymmetry between the accept() side and the connect() side : - on accept() side, the fd is set first, then the ctrl layer then the transport layer ; upon error, they must be undone in the reverse order, then the FD must be closed. The FD must not be deleted if the control layer was not yet initialized ; - on the connect() side, the fd is set last and there is no reliable way to know if it has been initialized or not. In practice it's initialized to -1 first but this is hackish and supposes that local FDs only will be used forever. Also, there are even less solutions for keeping trace of the transport layer's state. Also it is possible to support delayed close() when something (eg: logs) tracks some information requiring the transport and/or control layers, making it even more difficult to clean them. So the proposed solution is to add two flags to the connection : - CO_FL_CTRL_READY is set when the control layer is initialized (fd_insert) and cleared after it's released (fd_delete). - CO_FL_XPRT_READY is set when the control layer is initialized (xprt->init) and cleared after it's released (xprt->close). The functions have been adapted to rely on this and not on the pointers anymore. conn_xprt_close() was unused and dangerous : it did not close the control layer (eg: the socket itself) but still marks the transport layer as closed, preventing any future call to conn_full_close() from finishing the job. The problem comes from conn_full_close() in fact. It needs to close the xprt and ctrl layers independantly. After that we're still having an issue : we don't know based on ->ctrl alone whether the fd was registered or not. For this we use the two new flags CO_FL_XPRT_READY and CO_FL_CTRL_READY. We now rely on this and not on conn->xprt nor conn->ctrl anymore to decide what remains to be done on the connection. In order not to miss some flag assignments, we introduce conn_ctrl_init() to initialize the control layer, register the fd using fd_insert() and set the flag, and conn_ctrl_close() which unregisters the fd and removes the flag, but only if the transport layer was closed. Similarly, at the transport layer, conn_xprt_init() calls ->init and sets the flag, while conn_xprt_close() checks the flag, calls ->close and clears the flag, regardless xprt_ctx or xprt_st. This also ensures that the ->init and the ->close functions are called only once each and in the correct order. Note that conn_xprt_close() does nothing if the transport layer is still tracked. conn_full_close() now simply calls conn_xprt_close() then conn_full_close() in turn, which do nothing if CO_FL_XPRT_TRACKED is set. In order to handle the error path, we also provide conn_force_close() which ignores CO_FL_XPRT_TRACKED and closes the transport and the control layers in turns. All relevant instances of fd_delete() have been replaced with conn_force_close(). Now we always know what state the connection is in and we can expect to split its initialization.
2013-10-21 18:30:56 +04:00
conn_ctrl_init(conn); /* registers the FD */
MINOR: fd: move .linger_risk into fdtab[].state No need to keep this flag apart any more, let's merge it into the global state. The CLI's output state was extended to 6 digits and the linger/cloned flags moved inside the parenthesis.
2021-04-06 18:49:19 +03:00
HA_ATOMIC_OR(&fdtab[fd].state, FD_LINGER_RISK); /* close hard if needed */
MEDIUM: connection: add an ->init function to data layer SSL need to initialize the data layer before proceeding with data. At the moment, this data layer is automatically initialized from itself, which will not be possible once we extract connection from sessions since we'll only create the data layer once the handshake is finished. So let's have the application layer initialize the data layer before using it.
2012-08-31 15:54:11 +04:00
MINOR: tcp/uxst/sockpair: only ask for I/O when really waiting for a connect() Now that the stream-interface properly handles synchonous connects, there is no more reason for subscribing and doing nothing.
2020-03-04 18:38:00 +03:00
if (conn->flags & CO_FL_WAIT_L4_CONN) {
fd_want_send(fd);
fd_cant_send(fd);
MINOR: connection: avoid a useless recvfrom() on outgoing connections When a connect() doesn't immediately succeed (i.e. most of the times), fd_cant_send() is called to enable polling. But given that we don't mark that we cannot receive either, we end up performing a failed recvfrom() immediately when the connect() is finally confirmed, as indicated in issue #253. This patch simply adds fd_cant_recv() as well so that we're only notified once the recv path is ready. The reason it was not there is purely historic, as in the past when there was the fd cache, doing it would have caused a pending recv request to be placed into the fd cache, hence a useless recvfrom() upon success (i.e. what happens now). Without this patch, forwarding 100k connections does this: % time seconds usecs/call calls errors syscall ------ ----------- ----------- --------- --------- ---------------- 17.51 0.704229 7 100000 100000 connect 16.75 0.673875 3 200000 sendto 16.24 0.653222 3 200036 close 10.82 0.435082 1 300000 100000 recvfrom 10.37 0.417266 1 300012 setsockopt 7.12 0.286511 1 199954 epoll_ctl 6.80 0.273447 2 100000 shutdown 5.34 0.214942 2 100005 socket 4.65 0.187137 1 105002 5002 accept4 3.35 0.134757 1 100004 fcntl 0.61 0.024585 4 5858 epoll_wait With the patch: % time seconds usecs/call calls errors syscall ------ ----------- ----------- --------- --------- ---------------- 18.04 0.697365 6 100000 100000 connect 17.40 0.672471 3 200000 sendto 17.03 0.658134 3 200036 close 10.57 0.408459 1 300012 setsockopt 7.69 0.297270 1 200000 recvfrom 7.32 0.282934 1 199922 epoll_ctl 7.09 0.274027 2 100000 shutdown 5.59 0.216041 2 100005 socket 4.87 0.188352 1 104697 4697 accept4 3.35 0.129641 1 100004 fcntl 0.65 0.024959 4 5337 1 epoll_wait Note the total disappearance of 1/3 of failed recvfrom() *without* adding any extra syscall anywhere else. The trace of an HTTP health check is now totally clean, with no useless syscall at all anymore: 09:14:21.959255 connect(9, {sa_family=AF_INET, sin_port=htons(8000), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress) 09:14:21.959292 epoll_ctl(4, EPOLL_CTL_ADD, 9, {EPOLLIN|EPOLLOUT|EPOLLRDHUP, {u32=9, u64=9}}) = 0 09:14:21.959315 epoll_wait(4, [{EPOLLOUT, {u32=9, u64=9}}], 200, 1000) = 1 09:14:21.959376 sendto(9, "OPTIONS / HTTP/1.0\r\ncontent-leng"..., 41, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 41 09:14:21.959436 epoll_wait(4, [{EPOLLOUT, {u32=9, u64=9}}], 200, 1000) = 1 09:14:21.959456 epoll_ctl(4, EPOLL_CTL_MOD, 9, {EPOLLIN|EPOLLRDHUP, {u32=9, u64=9}}) = 0 09:14:21.959512 epoll_wait(4, [{EPOLLIN|EPOLLRDHUP, {u32=9, u64=9}}], 200, 1000) = 1 09:14:21.959548 recvfrom(9, "HTTP/1.0 200\r\nContent-length: 0\r"..., 16320, 0, NULL, NULL) = 126 09:14:21.959570 close(9) = 0 With the edge-triggered poller, it gets even better: 09:29:15.776201 connect(9, {sa_family=AF_INET, sin_port=htons(8000), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress) 09:29:15.776256 epoll_ctl(4, EPOLL_CTL_ADD, 9, {EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, {u32=9, u64=9}}) = 0 09:29:15.776287 epoll_wait(4, [{EPOLLOUT, {u32=9, u64=9}}], 200, 1000) = 1 09:29:15.776320 sendto(9, "OPTIONS / HTTP/1.0\r\ncontent-leng"..., 41, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 41 09:29:15.776374 epoll_wait(4, [{EPOLLIN|EPOLLOUT|EPOLLRDHUP, {u32=9, u64=9}}], 200, 1000) = 1 09:29:15.776406 recvfrom(9, "HTTP/1.0 200\r\nContent-length: 0\r"..., 16320, 0, NULL, NULL) = 126 09:29:15.776434 close(9) = 0 It could make sense to backport this patch to 2.2 and maybe 2.1 after it has been sufficiently checked for absence of side effects in 2.3-dev, as some people had reported an extra overhead like in issue #168.
2020-07-31 09:59:09 +03:00
fd_cant_recv(fd);
MINOR: tcp/uxst/sockpair: only ask for I/O when really waiting for a connect() Now that the stream-interface properly handles synchonous connects, there is no more reason for subscribing and doing nothing.
2020-03-04 18:38:00 +03:00
}
MEDIUM: connection: enable reading only once the connection is confirmed In order to address the absurd polling sequence described in issue #253, let's make sure we disable receiving on a connection until it's established. Previously with bottom-top I/Os, we were almost certain that a connection was ready when the first I/O was confirmed. Now we can enter various functions, including process_stream(), which will attempt to read something, will fail, and will then subscribe. But we don't want them to try to receive if we know the connection didn't complete. The first prerequisite for this is to mark the connection as not ready for receiving until it's validated. But we don't want to mark it as not ready for sending because we know that attempting I/Os later is extremely likely to work without polling. Once the connection is confirmed we re-enable recv readiness. In order for this event to be taken into account, the call to tcp_connect_probe() was moved earlier, between the attempt to send() and the attempt to recv(). This way if tcp_connect_probe() enables reading, we have a chance to immediately fall back to this and read the possibly pending data. Now the trace looks like the following. It's far from being perfect but we've already saved one recvfrom() and one epollctl(): epoll_wait(3, [], 200, 0) = 0 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 7 fcntl(7, F_SETFL, O_RDONLY|O_NONBLOCK) = 0 setsockopt(7, SOL_TCP, TCP_NODELAY, [1], 4) = 0 connect(7, {sa_family=AF_INET, sin_port=htons(8000), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress) epoll_ctl(3, EPOLL_CTL_ADD, 7, {EPOLLIN|EPOLLOUT|EPOLLRDHUP, {u32=7, u64=7}}) = 0 epoll_wait(3, [{EPOLLOUT, {u32=7, u64=7}}], 200, 1000) = 1 connect(7, {sa_family=AF_INET, sin_port=htons(8000), sin_addr=inet_addr("127.0.0.1")}, 16) = 0 getsockopt(7, SOL_SOCKET, SO_ERROR, [0], [4]) = 0 sendto(7, "OPTIONS / HTTP/1.0\r\n\r\n", 22, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 22 epoll_ctl(3, EPOLL_CTL_MOD, 7, {EPOLLIN|EPOLLRDHUP, {u32=7, u64=7}}) = 0 epoll_wait(3, [{EPOLLIN|EPOLLRDHUP, {u32=7, u64=7}}], 200, 1000) = 1 getsockopt(7, SOL_SOCKET, SO_ERROR, [0], [4]) = 0 getsockopt(7, SOL_SOCKET, SO_ERROR, [0], [4]) = 0 recvfrom(7, "HTTP/1.0 200\r\nContent-length: 0\r\nX-req: size=22, time=0 ms\r\nX-rsp: id=dummy, code=200, cache=1, size=0, time=0 ms (0 real)\r\n\r\n", 16384, 0, NULL, NULL) = 126 close(7) = 0
2019-09-05 18:05:05 +03:00
REORG/MEDIUM: stream: rename stream flags from SN_* to SF_* This is in order to keep things consistent.
2015-04-03 02:14:29 +03:00
return SF_ERR_NONE; /* connection is OK */
[MEDIUM] move connection establishment from backend to the SI. The connection establishment was completely handled by backend.c which normally just handles LB algos. Since it's purely TCP, it must move to proto_tcp.c. Also, instead of calling it directly, we now call it via the stream interface, which will later help us unify session handling.
2009-08-16 16:02:45 +04:00
}
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
/* This function tries to bind a TCPv4/v6 listener. It may return a warning or
CLEANUP: tcp/unix: remove useless NULL check in {tcp,unix}_bind_listener() errmsg may only be NULL if errlen is zero. Clarify this in the comment too. Reported-by: Dinko Korunic <dkorunic@reflected.net>
2013-01-24 04:41:38 +04:00
* an error message in <errmsg> if the message is at most <errlen> bytes long
* (including '\0'). Note that <errmsg> may be NULL if <errlen> is also zero.
* The return value is composed from ERR_ABORT, ERR_WARN,
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
* ERR_ALERT, ERR_RETRYABLE and ERR_FATAL. ERR_NONE indicates that everything
* was alright and that no message was returned. ERR_RETRYABLE means that an
* error occurred but that it may vanish after a retry (eg: port in use), and
CLEANUP: Fix some minor whitespace issues
2012-04-07 04:39:26 +04:00
* ERR_FATAL indicates a non-fixable error. ERR_WARN and ERR_ALERT do not alter
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
* the meaning of the error, but just indicate that a message is present which
* should be displayed with the respective level. Last, ERR_ABORT indicates
* that it's pointless to try to start other listeners. No error message is
* returned if errlen is NULL.
*/
int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen)
{
int fd, err;
MEDIUM: tcp: make use of sock_inet_bind_receiver() This removes all the AF_INET-specific code from tcp_bind_listener() and now simply relies on sock_inet_bind_listener() to do the same job. The function was now roughly cut in half and its error path significantly simplified.
2020-09-01 17:12:50 +03:00
int ready;
MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors Right now only the last warning or error is reported from tcp_bind_listener(), but it is useful to report all warnings and no only the last one, so we now emit them delimited by commas. Previously we used a fixed buffer of 100 bytes, which was too small to store more than one message, so let's extend it. Signed-off-by: Bjoern Jacke <bjacke@samba.org>
2021-01-12 21:24:43 +03:00
struct buffer *msg = alloc_trash_chunk();
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
MEDIUM: protocol: do not call proto->bind() anymore from bind_listener() All protocol's listeners now only take care of themselves and not of the receiver anymore since that's already being done in proto_bind_all(). Now it finally becomes obvious that UDP doesn't need a listener, as the only thing it does is to set the listener's state to LI_LISTEN!
2020-09-02 19:40:02 +03:00
err = ERR_NONE;
BUG/MINOR: listener: add an error check for unallocatable trash Coverity noticed in issue #1416 that a missing allocation error was introduced in tcp_bind_listener() with the rework of error messages by commit ed1748553 ("MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors"). In practice nobody will ever face it but better address it anyway. No backport is needed.
2021-10-16 15:54:19 +03:00
if (!msg) {
if (errlen)
snprintf(errmsg, errlen, "out of memory");
return ERR_ALERT | ERR_FATAL;
}
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
/* ensure we never return garbage */
CLEANUP: tcp/unix: remove useless NULL check in {tcp,unix}_bind_listener() errmsg may only be NULL if errlen is zero. Clarify this in the comment too. Reported-by: Dinko Korunic <dkorunic@reflected.net>
2013-01-24 04:41:38 +04:00
if (errlen)
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
*errmsg = 0;
if (listener->state != LI_ASSIGNED)
return ERR_NONE; /* already bound */
MEDIUM: protocol: do not call proto->bind() anymore from bind_listener() All protocol's listeners now only take care of themselves and not of the receiver anymore since that's already being done in proto_bind_all(). Now it finally becomes obvious that UDP doesn't need a listener, as the only thing it does is to set the listener's state to LI_LISTEN!
2020-09-02 19:40:02 +03:00
if (!(listener->rx.flags & RX_F_BOUND)) {
MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors Right now only the last warning or error is reported from tcp_bind_listener(), but it is useful to report all warnings and no only the last one, so we now emit them delimited by commas. Previously we used a fixed buffer of 100 bytes, which was too small to store more than one message, so let's extend it. Signed-off-by: Bjoern Jacke <bjacke@samba.org>
2021-01-12 21:24:43 +03:00
chunk_appendf(msg, "%sreceiving socket not bound", msg->data ? ", " : "");
MEDIUM: protocol: do not call proto->bind() anymore from bind_listener() All protocol's listeners now only take care of themselves and not of the receiver anymore since that's already being done in proto_bind_all(). Now it finally becomes obvious that UDP doesn't need a listener, as the only thing it does is to set the listener's state to LI_LISTEN!
2020-09-02 19:40:02 +03:00
goto tcp_return;
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
}
MINOR: proto: skip socket setup for duped FDs It's not strictly necessary, but it's still better to avoid setting up the same socket multiple times when it's being duplicated to a few FDs. We don't change that for inherited ones however since they may really need to be set up, so we only skip duplicated ones.
2023-02-27 18:40:54 +03:00
if (listener->rx.flags & RX_F_MUST_DUP)
goto done;
MEDIUM: tcp: make use of sock_inet_bind_receiver() This removes all the AF_INET-specific code from tcp_bind_listener() and now simply relies on sock_inet_bind_listener() to do the same job. The function was now roughly cut in half and its error path significantly simplified.
2020-09-01 17:12:50 +03:00
fd = listener->rx.fd;
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
MINOR: listener: move the NOLINGER option to the bind_conf It's currently declared per-frontend, though it would make sense to support it per-line but in no case per-listener. Let's move the option to a bind_conf option BC_O_NOLINGER.
2023-01-12 21:37:07 +03:00
if (listener->bind_conf->options & BC_O_NOLINGER)
[CLEANUP] Remove unnecessary casts There is no need to cast when going to or from void *
2011-06-24 10:11:37 +04:00
setsockopt(fd, SOL_SOCKET, SO_LINGER, &nolinger, sizeof(struct linger));
MINOR: tcp: When binding socket, attempt to reuse one from the old proc. Try to reuse any socket from the old process, provided by the "-x" flag, before binding a new one, assuming it is compatible. "Compatible" here means same address and port, same namspace if any, same interface if any, and that the following flags are the same : LI_O_FOREIGN, LI_O_V6ONLY and LI_O_V4V6. Also change tcp_bind_listener() to always enable/disable socket options, instead of just doing so if it is in the configuration file, as the option may have been removed, ie TCP_FASTOPEN may have been set in the old process, and removed from the new configuration, so we have to disable it.
2017-04-05 23:39:56 +03:00
else {
struct linger tmplinger;
socklen_t len = sizeof(tmplinger);
if (getsockopt(fd, SOL_SOCKET, SO_LINGER, &tmplinger, &len) == 0 &&
(tmplinger.l_onoff == 1 || tmplinger.l_linger == 0)) {
tmplinger.l_onoff = 0;
tmplinger.l_linger = 0;
setsockopt(fd, SOL_SOCKET, SO_LINGER, &tmplinger,
sizeof(tmplinger));
}
}
[MEDIUM] extract TCP request processing from HTTP The TCP analyser has moved to proto_tcp.c. Breaking the function has required finer use of the return value and adding some tests to process_session().
2008-12-01 01:15:34 +03:00
[BUILD] compilation of haproxy-1.4-dev2 on FreeBSD Please consider the following patches. They are required to compile haproxy-1.4-dev2 on FreeBSD. Summary: 1) include <sys/types.h> before <netinet/tcp.h> 2) Use IPPROTO_TCP instead of SOL_TCP (they are both defined as 6, TCP protocol number)
2009-08-24 15:11:06 +04:00
#if defined(TCP_MAXSEG)
MINOR: listener: move maxseg and tcp_ut to bind_conf These two arguments were only set and only used with tcpv4/tcpv6. Let's just store them into the bind_conf instead of duplicating them for all listeners since they're fixed per "bind" line.
2023-01-12 20:42:49 +03:00
if (listener->bind_conf->maxseg > 0) {
[BUILD] compilation of haproxy-1.4-dev2 on FreeBSD Please consider the following patches. They are required to compile haproxy-1.4-dev2 on FreeBSD. Summary: 1) include <sys/types.h> before <netinet/tcp.h> 2) Use IPPROTO_TCP instead of SOL_TCP (they are both defined as 6, TCP protocol number)
2009-08-24 15:11:06 +04:00
if (setsockopt(fd, IPPROTO_TCP, TCP_MAXSEG,
MINOR: listener: move maxseg and tcp_ut to bind_conf These two arguments were only set and only used with tcpv4/tcpv6. Let's just store them into the bind_conf instead of duplicating them for all listeners since they're fixed per "bind" line.
2023-01-12 20:42:49 +03:00
&listener->bind_conf->maxseg, sizeof(listener->bind_conf->maxseg)) == -1) {
chunk_appendf(msg, "%scannot set MSS to %d", msg->data ? ", " : "", listener->bind_conf->maxseg);
[MEDIUM] add support for TCP MSS adjustment for listeners Sometimes it can be useful to limit the advertised TCP MSS on incoming connections, for instance when requests come through a VPN or when the system is running with jumbo frames enabled. Passing the "mss <value>" arguments to a "bind" line will set the value. This works under Linux >= 2.6.28, and maybe a few earlier ones, though due to an old kernel bug most of earlier versions will probably ignore it. It is also possible that some other OSes will support this.
2009-06-14 20:48:19 +04:00
err |= ERR_WARN;
}
MEDIUM: tcp: make use of sock_inet_bind_receiver() This removes all the AF_INET-specific code from tcp_bind_listener() and now simply relies on sock_inet_bind_listener() to do the same job. The function was now roughly cut in half and its error path significantly simplified.
2020-09-01 17:12:50 +03:00
} else {
/* we may want to try to restore the default MSS if the socket was inherited */
MINOR: tcp: When binding socket, attempt to reuse one from the old proc. Try to reuse any socket from the old process, provided by the "-x" flag, before binding a new one, assuming it is compatible. "Compatible" here means same address and port, same namspace if any, same interface if any, and that the following flags are the same : LI_O_FOREIGN, LI_O_V6ONLY and LI_O_V4V6. Also change tcp_bind_listener() to always enable/disable socket options, instead of just doing so if it is in the configuration file, as the option may have been removed, ie TCP_FASTOPEN may have been set in the old process, and removed from the new configuration, so we have to disable it.
2017-04-05 23:39:56 +03:00
int tmpmaxseg = -1;
int defaultmss;
socklen_t len = sizeof(tmpmaxseg);
REORG: listener: move the listening address to a struct receiver The address will be specific to the receiver so let's move it there.
2020-08-27 08:48:42 +03:00
if (listener->rx.addr.ss_family == AF_INET)
REORG: sock_inet: move default_tcp_maxseg from proto_tcp.c Let's determine it at boot time instead of doing it on first use. It also saves us from having to keep it thread local. It's been moved to the new sock_inet_prepare() function, and the variables were renamed to sock_inet_tcp_maxseg_default and sock_inet6_tcp_maxseg_default.
2020-08-28 19:03:10 +03:00
defaultmss = sock_inet_tcp_maxseg_default;
MINOR: tcp: When binding socket, attempt to reuse one from the old proc. Try to reuse any socket from the old process, provided by the "-x" flag, before binding a new one, assuming it is compatible. "Compatible" here means same address and port, same namspace if any, same interface if any, and that the following flags are the same : LI_O_FOREIGN, LI_O_V6ONLY and LI_O_V4V6. Also change tcp_bind_listener() to always enable/disable socket options, instead of just doing so if it is in the configuration file, as the option may have been removed, ie TCP_FASTOPEN may have been set in the old process, and removed from the new configuration, so we have to disable it.
2017-04-05 23:39:56 +03:00
else
REORG: sock_inet: move default_tcp_maxseg from proto_tcp.c Let's determine it at boot time instead of doing it on first use. It also saves us from having to keep it thread local. It's been moved to the new sock_inet_prepare() function, and the variables were renamed to sock_inet_tcp_maxseg_default and sock_inet6_tcp_maxseg_default.
2020-08-28 19:03:10 +03:00
defaultmss = sock_inet6_tcp_maxseg_default;
MINOR: tcp: When binding socket, attempt to reuse one from the old proc. Try to reuse any socket from the old process, provided by the "-x" flag, before binding a new one, assuming it is compatible. "Compatible" here means same address and port, same namspace if any, same interface if any, and that the following flags are the same : LI_O_FOREIGN, LI_O_V6ONLY and LI_O_V4V6. Also change tcp_bind_listener() to always enable/disable socket options, instead of just doing so if it is in the configuration file, as the option may have been removed, ie TCP_FASTOPEN may have been set in the old process, and removed from the new configuration, so we have to disable it.
2017-04-05 23:39:56 +03:00
getsockopt(fd, IPPROTO_TCP, TCP_MAXSEG, &tmpmaxseg, &len);
BUG/MINOR: tcp: don't try to set defaultmss when value is negative when `getsockopt` previously failed, we were trying to set defaultmss with -2 value. this is a followup of github issue #499 this should be backported to all versions >= v1.8 Fixes: 153659f1ae69a1 ("MINOR: tcp: When binding socket, attempt to reuse one from the old proc.") Signed-off-by: William Dauchy <w.dauchy@criteo.com>
2020-02-12 17:53:04 +03:00
if (defaultmss > 0 &&
tmpmaxseg != defaultmss &&
setsockopt(fd, IPPROTO_TCP, TCP_MAXSEG, &defaultmss, sizeof(defaultmss)) == -1) {
MINOR: proto_tcp: also report the attempted MSS values in error message The MSS errors are the only ones not indicating what was attempted, let's report the value that was tried, as it can help users spot them in the config (particularly if a default value was used).
2021-10-14 12:39:18 +03:00
chunk_appendf(msg, "%scannot set MSS to %d", msg->data ? ", " : "", defaultmss);
MINOR: tcp: When binding socket, attempt to reuse one from the old proc. Try to reuse any socket from the old process, provided by the "-x" flag, before binding a new one, assuming it is compatible. "Compatible" here means same address and port, same namspace if any, same interface if any, and that the following flags are the same : LI_O_FOREIGN, LI_O_V6ONLY and LI_O_V4V6. Also change tcp_bind_listener() to always enable/disable socket options, instead of just doing so if it is in the configuration file, as the option may have been removed, ie TCP_FASTOPEN may have been set in the old process, and removed from the new configuration, so we have to disable it.
2017-04-05 23:39:56 +03:00
err |= ERR_WARN;
}
[MEDIUM] add support for TCP MSS adjustment for listeners Sometimes it can be useful to limit the advertised TCP MSS on incoming connections, for instance when requests come through a VPN or when the system is running with jumbo frames enabled. Passing the "mss <value>" arguments to a "bind" line will set the value. This works under Linux >= 2.6.28, and maybe a few earlier ones, though due to an old kernel bug most of earlier versions will probably ignore it. It is also possible that some other OSes will support this.
2009-06-14 20:48:19 +04:00
}
[MINOR] tcp: add support for the defer_accept bind option This can ensure that data is readily available on a socket when we accept it, but a bug in the kernel ignores the timeout so the socket can remain pending as long as the client does not talk. Use with care.
2009-10-13 09:34:14 +04:00
#endif
MEDIUM: tcp: implement tcp-ut bind option to set TCP_USER_TIMEOUT On Linux since 2.6.37, it's possible to set the socket timeout for pending outgoing data, with an accuracy of 1 millisecond. This is pretty handy to deal with dead connections to clients and or servers. For now we only implement it on the frontend side (bind line) so that when a client disappears from the net, we're able to quickly get rid of its connection and possibly release a server connection. This can be useful with long-lived connections where an application level timeout is not suited because long pauses are expected (remote terminals, connection pools, etc). Thanks to Thijs Houtenbos and John Eckersberg for the suggestion.
2015-02-04 02:45:58 +03:00
#if defined(TCP_USER_TIMEOUT)
MINOR: listener: move maxseg and tcp_ut to bind_conf These two arguments were only set and only used with tcpv4/tcpv6. Let's just store them into the bind_conf instead of duplicating them for all listeners since they're fixed per "bind" line.
2023-01-12 20:42:49 +03:00
if (listener->bind_conf->tcp_ut) {
MEDIUM: tcp: implement tcp-ut bind option to set TCP_USER_TIMEOUT On Linux since 2.6.37, it's possible to set the socket timeout for pending outgoing data, with an accuracy of 1 millisecond. This is pretty handy to deal with dead connections to clients and or servers. For now we only implement it on the frontend side (bind line) so that when a client disappears from the net, we're able to quickly get rid of its connection and possibly release a server connection. This can be useful with long-lived connections where an application level timeout is not suited because long pauses are expected (remote terminals, connection pools, etc). Thanks to Thijs Houtenbos and John Eckersberg for the suggestion.
2015-02-04 02:45:58 +03:00
if (setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT,
MINOR: listener: move maxseg and tcp_ut to bind_conf These two arguments were only set and only used with tcpv4/tcpv6. Let's just store them into the bind_conf instead of duplicating them for all listeners since they're fixed per "bind" line.
2023-01-12 20:42:49 +03:00
&listener->bind_conf->tcp_ut, sizeof(listener->bind_conf->tcp_ut)) == -1) {
MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors Right now only the last warning or error is reported from tcp_bind_listener(), but it is useful to report all warnings and no only the last one, so we now emit them delimited by commas. Previously we used a fixed buffer of 100 bytes, which was too small to store more than one message, so let's extend it. Signed-off-by: Bjoern Jacke <bjacke@samba.org>
2021-01-12 21:24:43 +03:00
chunk_appendf(msg, "%scannot set TCP User Timeout", msg->data ? ", " : "");
MEDIUM: tcp: implement tcp-ut bind option to set TCP_USER_TIMEOUT On Linux since 2.6.37, it's possible to set the socket timeout for pending outgoing data, with an accuracy of 1 millisecond. This is pretty handy to deal with dead connections to clients and or servers. For now we only implement it on the frontend side (bind line) so that when a client disappears from the net, we're able to quickly get rid of its connection and possibly release a server connection. This can be useful with long-lived connections where an application level timeout is not suited because long pauses are expected (remote terminals, connection pools, etc). Thanks to Thijs Houtenbos and John Eckersberg for the suggestion.
2015-02-04 02:45:58 +03:00
err |= ERR_WARN;
}
MINOR: tcp: When binding socket, attempt to reuse one from the old proc. Try to reuse any socket from the old process, provided by the "-x" flag, before binding a new one, assuming it is compatible. "Compatible" here means same address and port, same namspace if any, same interface if any, and that the following flags are the same : LI_O_FOREIGN, LI_O_V6ONLY and LI_O_V4V6. Also change tcp_bind_listener() to always enable/disable socket options, instead of just doing so if it is in the configuration file, as the option may have been removed, ie TCP_FASTOPEN may have been set in the old process, and removed from the new configuration, so we have to disable it.
2017-04-05 23:39:56 +03:00
} else
setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, &zero,
sizeof(zero));
MEDIUM: tcp: implement tcp-ut bind option to set TCP_USER_TIMEOUT On Linux since 2.6.37, it's possible to set the socket timeout for pending outgoing data, with an accuracy of 1 millisecond. This is pretty handy to deal with dead connections to clients and or servers. For now we only implement it on the frontend side (bind line) so that when a client disappears from the net, we're able to quickly get rid of its connection and possibly release a server connection. This can be useful with long-lived connections where an application level timeout is not suited because long pauses are expected (remote terminals, connection pools, etc). Thanks to Thijs Houtenbos and John Eckersberg for the suggestion.
2015-02-04 02:45:58 +03:00
#endif
[MINOR] tcp: add support for the defer_accept bind option This can ensure that data is readily available on a socket when we accept it, but a bug in the kernel ignores the timeout so the socket can remain pending as long as the client does not talk. Use with care.
2009-10-13 09:34:14 +04:00
#if defined(TCP_DEFER_ACCEPT)
MINOR: listener: move the DEF_ACCEPT option to the bind_conf This option is set per bind line, and was only set stored when the address family is AF_INET4 or AF_INET6. That's pointless since it's used only in tcp_bind_listener() which is only used for such families as well, so it can now be moved to the bind_conf under the name BC_O_DEF_ACCEPT.
2023-01-12 21:42:48 +03:00
if (listener->bind_conf->options & BC_O_DEF_ACCEPT) {
[MINOR] tcp: add support for the defer_accept bind option This can ensure that data is readily available on a socket when we accept it, but a bug in the kernel ignores the timeout so the socket can remain pending as long as the client does not talk. Use with care.
2009-10-13 09:34:14 +04:00
/* defer accept by up to one second */
int accept_delay = 1;
if (setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &accept_delay, sizeof(accept_delay)) == -1) {
MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors Right now only the last warning or error is reported from tcp_bind_listener(), but it is useful to report all warnings and no only the last one, so we now emit them delimited by commas. Previously we used a fixed buffer of 100 bytes, which was too small to store more than one message, so let's extend it. Signed-off-by: Bjoern Jacke <bjacke@samba.org>
2021-01-12 21:24:43 +03:00
chunk_appendf(msg, "%scannot enable DEFER_ACCEPT", msg->data ? ", " : "");
[MINOR] tcp: add support for the defer_accept bind option This can ensure that data is readily available on a socket when we accept it, but a bug in the kernel ignores the timeout so the socket can remain pending as long as the client does not talk. Use with care.
2009-10-13 09:34:14 +04:00
err |= ERR_WARN;
}
MINOR: tcp: When binding socket, attempt to reuse one from the old proc. Try to reuse any socket from the old process, provided by the "-x" flag, before binding a new one, assuming it is compatible. "Compatible" here means same address and port, same namspace if any, same interface if any, and that the following flags are the same : LI_O_FOREIGN, LI_O_V6ONLY and LI_O_V4V6. Also change tcp_bind_listener() to always enable/disable socket options, instead of just doing so if it is in the configuration file, as the option may have been removed, ie TCP_FASTOPEN may have been set in the old process, and removed from the new configuration, so we have to disable it.
2017-04-05 23:39:56 +03:00
} else
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &zero,
sizeof(zero));
MEDIUM: tcp: enable TCP Fast Open on systems which support it If TCP_FASTOPEN is defined, then the "tfo" option is supported on "bind" lines to enable TCP Fast Open (linux >= 3.6).
2012-10-05 18:21:00 +04:00
#endif
#if defined(TCP_FASTOPEN)
MINOR: listener: move TCP_FO to bind_conf It's set per bind line ("tfo") and only used in tcp_bind_listener() so there's no point keeping the address family tests, let's just store the flag in the bind_conf under the name BC_O_TCP_FO.
2023-01-12 21:45:58 +03:00
if (listener->bind_conf->options & BC_O_TCP_FO) {
MEDIUM: tcp: enable TCP Fast Open on systems which support it If TCP_FASTOPEN is defined, then the "tfo" option is supported on "bind" lines to enable TCP Fast Open (linux >= 3.6).
2012-10-05 18:21:00 +04:00
/* TFO needs a queue length, let's use the configured backlog */
MINOR: listener: introduce listener_backlog() to report the backlog value In an attempt to try to provide automatic maxconn settings, we need to decorrelate a listner's backlog and maxconn so that these values can be independent. This introduces a listener_backlog() function which retrieves the backlog value from the listener's backlog, the frontend's, the listener's maxconn, the frontend's or falls back to 1024. This corresponds to what was done in cfgparse.c to force a value there except the last fallback which was not set since the frontend's maxconn is always known.
2019-02-27 17:39:41 +03:00
int qlen = listener_backlog(listener);
MEDIUM: tcp: enable TCP Fast Open on systems which support it If TCP_FASTOPEN is defined, then the "tfo" option is supported on "bind" lines to enable TCP Fast Open (linux >= 3.6).
2012-10-05 18:21:00 +04:00
if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen)) == -1) {
MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors Right now only the last warning or error is reported from tcp_bind_listener(), but it is useful to report all warnings and no only the last one, so we now emit them delimited by commas. Previously we used a fixed buffer of 100 bytes, which was too small to store more than one message, so let's extend it. Signed-off-by: Bjoern Jacke <bjacke@samba.org>
2021-01-12 21:24:43 +03:00
chunk_appendf(msg, "%scannot enable TCP_FASTOPEN", msg->data ? ", " : "");
MEDIUM: tcp: enable TCP Fast Open on systems which support it If TCP_FASTOPEN is defined, then the "tfo" option is supported on "bind" lines to enable TCP Fast Open (linux >= 3.6).
2012-10-05 18:21:00 +04:00
err |= ERR_WARN;
}
MINOR: tcp: When binding socket, attempt to reuse one from the old proc. Try to reuse any socket from the old process, provided by the "-x" flag, before binding a new one, assuming it is compatible. "Compatible" here means same address and port, same namspace if any, same interface if any, and that the following flags are the same : LI_O_FOREIGN, LI_O_V6ONLY and LI_O_V4V6. Also change tcp_bind_listener() to always enable/disable socket options, instead of just doing so if it is in the configuration file, as the option may have been removed, ie TCP_FASTOPEN may have been set in the old process, and removed from the new configuration, so we have to disable it.
2017-04-05 23:39:56 +03:00
} else {
socklen_t len;
int qlen;
len = sizeof(qlen);
/* Only disable fast open if it was enabled, we don't want
* the kernel to create a fast open queue if there's none.
*/
if (getsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &qlen, &len) == 0 &&
qlen != 0) {
if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &zero,
sizeof(zero)) == -1) {
MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors Right now only the last warning or error is reported from tcp_bind_listener(), but it is useful to report all warnings and no only the last one, so we now emit them delimited by commas. Previously we used a fixed buffer of 100 bytes, which was too small to store more than one message, so let's extend it. Signed-off-by: Bjoern Jacke <bjacke@samba.org>
2021-01-12 21:24:43 +03:00
chunk_appendf(msg, "%scannot disable TCP_FASTOPEN", msg->data ? ", " : "");
MINOR: tcp: When binding socket, attempt to reuse one from the old proc. Try to reuse any socket from the old process, provided by the "-x" flag, before binding a new one, assuming it is compatible. "Compatible" here means same address and port, same namspace if any, same interface if any, and that the following flags are the same : LI_O_FOREIGN, LI_O_V6ONLY and LI_O_V4V6. Also change tcp_bind_listener() to always enable/disable socket options, instead of just doing so if it is in the configuration file, as the option may have been removed, ie TCP_FASTOPEN may have been set in the old process, and removed from the new configuration, so we have to disable it.
2017-04-05 23:39:56 +03:00
err |= ERR_WARN;
}
}
MEDIUM: tcp: enable TCP Fast Open on systems which support it If TCP_FASTOPEN is defined, then the "tfo" option is supported on "bind" lines to enable TCP Fast Open (linux >= 3.6).
2012-10-05 18:21:00 +04:00
}
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
#endif
CLEANUP: tcp: make use of sock_accept_conn() where relevant This allows to get rid of two getsockopt(SO_ACCEPTCONN).
2020-10-13 18:42:21 +03:00
MINOR: sock: rename sock_accept_conn() to sock_accepting_conn() This call was introduced by commit 5ced3e887 ("MINOR: sock: add sock_accept_conn() to test a listening socket") but is actually quite confusing because it makes one think the socket will accept a connection (which is what we want to have in a new function) while it only tells whether it's configured to accept connections. Let's call it sock_accepting_conn() instead. The same change was applied to sockpair which had the same issue.
2020-10-15 10:19:43 +03:00
ready = sock_accepting_conn(&listener->rx) > 0;
MAJOR: listener: support inheriting a listening fd from the parent Using the address syntax "fd@<num>", a listener may inherit a file descriptor that the caller process has already bound and passed as this number. The fd's socket family is detected using getsockname(), and the usual initialization is performed through the existing code for that family, but the socket creation is skipped. Whether the parent has performed the listen() call or not is not important as this is detected. For UNIX sockets, we immediately clear the path after preparing a socket so that we never remove it in case an abort would happen due to a late error during startup.
2013-03-11 02:51:38 +04:00
MEDIUM: tcp: make use of sock_inet_bind_receiver() This removes all the AF_INET-specific code from tcp_bind_listener() and now simply relies on sock_inet_bind_listener() to do the same job. The function was now roughly cut in half and its error path significantly simplified.
2020-09-01 17:12:50 +03:00
if (!ready && /* only listen if not already done by external process */
MINOR: listener: introduce listener_backlog() to report the backlog value In an attempt to try to provide automatic maxconn settings, we need to decorrelate a listner's backlog and maxconn so that these values can be independent. This introduces a listener_backlog() function which retrieves the backlog value from the listener's backlog, the frontend's, the listener's maxconn, the frontend's or falls back to 1024. This corresponds to what was done in cfgparse.c to force a value there except the last fallback which was not set since the frontend's maxconn is always known.
2019-02-27 17:39:41 +03:00
listen(fd, listener_backlog(listener)) == -1) {
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
err |= ERR_RETRYABLE | ERR_ALERT;
MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors Right now only the last warning or error is reported from tcp_bind_listener(), but it is useful to report all warnings and no only the last one, so we now emit them delimited by commas. Previously we used a fixed buffer of 100 bytes, which was too small to store more than one message, so let's extend it. Signed-off-by: Bjoern Jacke <bjacke@samba.org>
2021-01-12 21:24:43 +03:00
chunk_appendf(msg, "%scannot listen to socket", msg->data ? ", " : "");
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
goto tcp_close_return;
}
[MEDIUM] extract TCP request processing from HTTP The TCP analyser has moved to proto_tcp.c. Breaking the function has required finer use of the return value and adding some tests to process_session().
2008-12-01 01:15:34 +03:00
MINOR: tcp: add support for defer-accept on FreeBSD. FreeBSD has a kernel feature (accf) and a sockopt flag similar to the Linux's TCP_DEFER_ACCEPT to filter incoming data upon ACK. The main difference is the filter needs to be placed when the socket actually listens.
2021-02-06 15:11:11 +03:00
#if !defined(TCP_DEFER_ACCEPT) && defined(SO_ACCEPTFILTER)
/* the socket needs to listen first */
MINOR: listener: move the DEF_ACCEPT option to the bind_conf This option is set per bind line, and was only set stored when the address family is AF_INET4 or AF_INET6. That's pointless since it's used only in tcp_bind_listener() which is only used for such families as well, so it can now be moved to the bind_conf under the name BC_O_DEF_ACCEPT.
2023-01-12 21:42:48 +03:00
if (listener->bind_conf->options & BC_O_DEF_ACCEPT) {
MINOR: tcp: add support for defer-accept on FreeBSD. FreeBSD has a kernel feature (accf) and a sockopt flag similar to the Linux's TCP_DEFER_ACCEPT to filter incoming data upon ACK. The main difference is the filter needs to be placed when the socket actually listens.
2021-02-06 15:11:11 +03:00
struct accept_filter_arg accept;
memset(&accept, 0, sizeof(accept));
BUG/MEDIUM: listeners: Use the right parameters for strlcpy2(). When calls to strcpy() were replaced with calls to strlcpy2(), one of them was replaced wrong, and the source and size were inverted. Correct that. This should fix issue #2110.
2023-04-08 15:58:53 +03:00
strlcpy2(accept.af_name, "dataready", sizeof(accept.af_name));
MINOR: tcp: add support for defer-accept on FreeBSD. FreeBSD has a kernel feature (accf) and a sockopt flag similar to the Linux's TCP_DEFER_ACCEPT to filter incoming data upon ACK. The main difference is the filter needs to be placed when the socket actually listens.
2021-02-06 15:11:11 +03:00
if (setsockopt(fd, SOL_SOCKET, SO_ACCEPTFILTER, &accept, sizeof(accept)) == -1) {
MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors Right now only the last warning or error is reported from tcp_bind_listener(), but it is useful to report all warnings and no only the last one, so we now emit them delimited by commas. Previously we used a fixed buffer of 100 bytes, which was too small to store more than one message, so let's extend it. Signed-off-by: Bjoern Jacke <bjacke@samba.org>
2021-01-12 21:24:43 +03:00
chunk_appendf(msg, "%scannot enable ACCEPT_FILTER", msg->data ? ", " : "");
MINOR: tcp: add support for defer-accept on FreeBSD. FreeBSD has a kernel feature (accf) and a sockopt flag similar to the Linux's TCP_DEFER_ACCEPT to filter incoming data upon ACK. The main difference is the filter needs to be placed when the socket actually listens.
2021-02-06 15:11:11 +03:00
err |= ERR_WARN;
}
}
#endif
[BUILD] compilation of haproxy-1.4-dev2 on FreeBSD Please consider the following patches. They are required to compile haproxy-1.4-dev2 on FreeBSD. Summary: 1) include <sys/types.h> before <netinet/tcp.h> 2) Use IPPROTO_TCP instead of SOL_TCP (they are both defined as 6, TCP protocol number)
2009-08-24 15:11:06 +04:00
#if defined(TCP_QUICKACK)
MINOR: listener: move the NOQUICKACK option to the bind_conf It solely depends on the bind line so let's move it there under the name BC_O_NOQUICKACK.
2023-01-12 21:40:42 +03:00
if (listener->bind_conf->options & BC_O_NOQUICKACK)
[CLEANUP] Remove unnecessary casts There is no need to cast when going to or from void *
2011-06-24 10:11:37 +04:00
setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, &zero, sizeof(zero));
MINOR: tcp: When binding socket, attempt to reuse one from the old proc. Try to reuse any socket from the old process, provided by the "-x" flag, before binding a new one, assuming it is compatible. "Compatible" here means same address and port, same namspace if any, same interface if any, and that the following flags are the same : LI_O_FOREIGN, LI_O_V6ONLY and LI_O_V4V6. Also change tcp_bind_listener() to always enable/disable socket options, instead of just doing so if it is in the configuration file, as the option may have been removed, ie TCP_FASTOPEN may have been set in the old process, and removed from the new configuration, so we have to disable it.
2017-04-05 23:39:56 +03:00
else
setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, &one, sizeof(one));
[MEDIUM] implement option tcp-smart-accept at the frontend This option disables TCP quick ack upon accept. It is also automatically enabled in HTTP mode, unless the option is explicitly disabled with "no option tcp-smart-accept". This saves one packet per connection which can bring reasonable amounts of bandwidth for servers processing small requests.
2009-06-14 14:07:01 +04:00
#endif
MINOR: proto: skip socket setup for duped FDs It's not strictly necessary, but it's still better to avoid setting up the same socket multiple times when it's being duplicated to a few FDs. We don't change that for inherited ones however since they may really need to be set up, so we only skip duplicated ones.
2023-02-27 18:40:54 +03:00
done:
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
/* the socket is ready */
MINOR: listeners: introduce listener_set_state() This function is used as a wrapper to set a listener's state everywhere. We'll use it later to maintain some counters in a consistent state when switching state so it's capital that all state changes go through it. No functional change was made beyond calling the wrapper.
2020-09-24 08:23:45 +03:00
listener_set_state(listener, LI_LISTEN);
BUG/MINOR: proto_tcp: Report warning messages when listeners are bound When a TCP listener is bound, in the tcp_bind_listener() function, a warning message may be reported and should be displayed on verbose mode. But the warning message is actually lost if the socket is successfully bound because we don't fill the <errmsg> variable in this case. This patch should fix the issue #863. No backport is needed.
2020-10-07 12:14:47 +03:00
goto tcp_return;
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
MEDIUM: tcp: make use of sock_inet_bind_receiver() This removes all the AF_INET-specific code from tcp_bind_listener() and now simply relies on sock_inet_bind_listener() to do the same job. The function was now roughly cut in half and its error path significantly simplified.
2020-09-01 17:12:50 +03:00
tcp_close_return:
MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors Right now only the last warning or error is reported from tcp_bind_listener(), but it is useful to report all warnings and no only the last one, so we now emit them delimited by commas. Previously we used a fixed buffer of 100 bytes, which was too small to store more than one message, so let's extend it. Signed-off-by: Bjoern Jacke <bjacke@samba.org>
2021-01-12 21:24:43 +03:00
free_trash_chunk(msg);
msg = NULL;
MEDIUM: tcp: make use of sock_inet_bind_receiver() This removes all the AF_INET-specific code from tcp_bind_listener() and now simply relies on sock_inet_bind_listener() to do the same job. The function was now roughly cut in half and its error path significantly simplified.
2020-09-01 17:12:50 +03:00
close(fd);
MEDIUM: protocol: do not call proto->bind() anymore from bind_listener() All protocol's listeners now only take care of themselves and not of the receiver anymore since that's already being done in proto_bind_all(). Now it finally becomes obvious that UDP doesn't need a listener, as the only thing it does is to set the listener's state to LI_LISTEN!
2020-09-02 19:40:02 +03:00
tcp_return:
MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors Right now only the last warning or error is reported from tcp_bind_listener(), but it is useful to report all warnings and no only the last one, so we now emit them delimited by commas. Previously we used a fixed buffer of 100 bytes, which was too small to store more than one message, so let's extend it. Signed-off-by: Bjoern Jacke <bjacke@samba.org>
2021-01-12 21:24:43 +03:00
if (msg && errlen && msg->data) {
[MINOR] startup: print the proxy socket which caused an error Add the address and port to the error message of the proxy socket that caused the error. This can be helpful when several listening addresses are used in a proxy. Edit: since we now also support unix sockets (which already report their path), better move the address reporting to proto_tcp.c by analogy. -Willy
2010-11-01 21:26:01 +03:00
char pn[INET6_ADDRSTRLEN];
REORG: listener: move the listening address to a struct receiver The address will be specific to the receiver so let's move it there.
2020-08-27 08:48:42 +03:00
addr_to_str(&listener->rx.addr, pn, sizeof(pn));
MINOR: protocol: uniformize protocol errors Some protocols fail with "error blah [ip:port]" and other fail with "[ip:port] error blah". All this already appears in a "starting" or "binding" context after a proxy name. Let's choose a more universal approach like below where the ip:port remains at the end of the line prefixed with "for". [WARNING] (18632) : Binding [binderr.cfg:10] for proxy http: cannot bind receiver to device 'eth2' (No such device) for [0.0.0.0:1080] [WARNING] (18632) : Starting [binderr.cfg:10] for proxy http: cannot set MSS to 12 for [0.0.0.0:1080]
2021-10-14 12:59:15 +03:00
snprintf(errmsg, errlen, "%s for [%s:%d]", msg->area, pn, get_host_port(&listener->rx.addr));
[MINOR] startup: print the proxy socket which caused an error Add the address and port to the error message of the proxy socket that caused the error. This can be helpful when several listening addresses are used in a proxy. Edit: since we now also support unix sockets (which already report their path), better move the address reporting to proto_tcp.c by analogy. -Willy
2010-11-01 21:26:01 +03:00
}
MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors Right now only the last warning or error is reported from tcp_bind_listener(), but it is useful to report all warnings and no only the last one, so we now emit them delimited by commas. Previously we used a fixed buffer of 100 bytes, which was too small to store more than one message, so let's extend it. Signed-off-by: Bjoern Jacke <bjacke@samba.org>
2021-01-12 21:24:43 +03:00
free_trash_chunk(msg);
msg = NULL;
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
return err;
}
MINOR: protocol: add a new pair of enable/disable methods for listeners These methods will be used to enable/disable accepting new connections so that listeners do not play with FD directly anymore. Since all the currently supported protocols work on socket for now, these are identical to the rx_enable/rx_disable functions. However they were not defined in sock.c since it's likely that some will quickly start to differ. At the moment they're not used. We have to take care of fd_updt before calling fd_{want,stop}_recv() because it's allocated fairly late in the boot process and some such functions may be called very early (e.g. to stop a disabled frontend's listeners).
2020-09-25 20:27:39 +03:00
/* Enable receipt of incoming connections for listener <l>. The receiver must
MEDIUM: listeners: make use of fd_want_recv_safe() to enable early receivers We used to refrain from calling fd_want_recv() if fd_updt was not allocated but it's not the right solution as this does not allow the FD to be set. Instead, let's use the new fd_want_recv_safe() which will update the FD and create an update entry only if possible. In addition, the equivalent test before calling fd_stop_recv() was removed as totally useless since there's not fd_updt creation in this case.
2020-11-04 15:59:04 +03:00
* still be valid.
MINOR: protocol: add a new pair of enable/disable methods for listeners These methods will be used to enable/disable accepting new connections so that listeners do not play with FD directly anymore. Since all the currently supported protocols work on socket for now, these are identical to the rx_enable/rx_disable functions. However they were not defined in sock.c since it's likely that some will quickly start to differ. At the moment they're not used. We have to take care of fd_updt before calling fd_{want,stop}_recv() because it's allocated fairly late in the boot process and some such functions may be called very early (e.g. to stop a disabled frontend's listeners).
2020-09-25 20:27:39 +03:00
*/
static void tcp_enable_listener(struct listener *l)
{
MEDIUM: listeners: make use of fd_want_recv_safe() to enable early receivers We used to refrain from calling fd_want_recv() if fd_updt was not allocated but it's not the right solution as this does not allow the FD to be set. Instead, let's use the new fd_want_recv_safe() which will update the FD and create an update entry only if possible. In addition, the equivalent test before calling fd_stop_recv() was removed as totally useless since there's not fd_updt creation in this case.
2020-11-04 15:59:04 +03:00
fd_want_recv_safe(l->rx.fd);
MINOR: protocol: add a new pair of enable/disable methods for listeners These methods will be used to enable/disable accepting new connections so that listeners do not play with FD directly anymore. Since all the currently supported protocols work on socket for now, these are identical to the rx_enable/rx_disable functions. However they were not defined in sock.c since it's likely that some will quickly start to differ. At the moment they're not used. We have to take care of fd_updt before calling fd_{want,stop}_recv() because it's allocated fairly late in the boot process and some such functions may be called very early (e.g. to stop a disabled frontend's listeners).
2020-09-25 20:27:39 +03:00
}
/* Disable receipt of incoming connections for listener <l>. The receiver must
MEDIUM: listeners: make use of fd_want_recv_safe() to enable early receivers We used to refrain from calling fd_want_recv() if fd_updt was not allocated but it's not the right solution as this does not allow the FD to be set. Instead, let's use the new fd_want_recv_safe() which will update the FD and create an update entry only if possible. In addition, the equivalent test before calling fd_stop_recv() was removed as totally useless since there's not fd_updt creation in this case.
2020-11-04 15:59:04 +03:00
* still be valid.
MINOR: protocol: add a new pair of enable/disable methods for listeners These methods will be used to enable/disable accepting new connections so that listeners do not play with FD directly anymore. Since all the currently supported protocols work on socket for now, these are identical to the rx_enable/rx_disable functions. However they were not defined in sock.c since it's likely that some will quickly start to differ. At the moment they're not used. We have to take care of fd_updt before calling fd_{want,stop}_recv() because it's allocated fairly late in the boot process and some such functions may be called very early (e.g. to stop a disabled frontend's listeners).
2020-09-25 20:27:39 +03:00
*/
static void tcp_disable_listener(struct listener *l)
{
MEDIUM: listeners: make use of fd_want_recv_safe() to enable early receivers We used to refrain from calling fd_want_recv() if fd_updt was not allocated but it's not the right solution as this does not allow the FD to be set. Instead, let's use the new fd_want_recv_safe() which will update the FD and create an update entry only if possible. In addition, the equivalent test before calling fd_stop_recv() was removed as totally useless since there's not fd_updt creation in this case.
2020-11-04 15:59:04 +03:00
fd_stop_recv(l->rx.fd);
MINOR: protocol: add a new pair of enable/disable methods for listeners These methods will be used to enable/disable accepting new connections so that listeners do not play with FD directly anymore. Since all the currently supported protocols work on socket for now, these are identical to the rx_enable/rx_disable functions. However they were not defined in sock.c since it's likely that some will quickly start to differ. At the moment they're not used. We have to take care of fd_updt before calling fd_{want,stop}_recv() because it's allocated fairly late in the boot process and some such functions may be called very early (e.g. to stop a disabled frontend's listeners).
2020-09-25 20:27:39 +03:00
}
MINOR: protocol: replace ->pause(listener) with ->rx_suspend(receiver) The ->pause method is inappropriate since it doesn't exactly "pause" a listener but rather temporarily disables it so that it's not visible at all to let another process take its place. The term "suspend" is more suitable, since the "pause" is actually what we'll need to apply to the FULL and LIMITED states which really need to make a pause in the accept process. And it goes well with the use of the "resume" function that will also need to be made per-protocol. Let's rename the function and make it act on the receiver since it's already what it essentially does, hence the prefix "_rx" to make it more explicit. The protocol struct was a bit reordered because it was becoming a real mess between the parts related to the listeners and those for the receivers.
2020-09-25 18:12:32 +03:00
/* Suspend a receiver. Returns < 0 in case of failure, 0 if the receiver
BUG/MINOR: listeners: fix suspend/resume of inherited FDs FDs inherited from a parent process do not deal well with suspend/resume since commit 59b5da487 ("BUG/MEDIUM: listener: never suspend inherited sockets") introduced in 2.3. The problem is that we now report that they cannot be suspended at all, and they return a failure. As such, if a new process fails to bind and sends SIGTTOU to the previous process, that one will notice the failure and instantly switch to soft-stop, leaving no chance to the new process to give up later and signal its failure. What we need to do, however, is to stop receiving new connections from such inherited FDs, which just means that the FD must be unsubscribed from the poller (and resubscribed later if finally it has to stay). With this a new process can start on the already bound FD without problem thanks to the absence of polling, and when the old process stops the new process will be alone on it. This may be backported as far as 2.4.
2023-01-16 13:47:01 +03:00
* was totally stopped, or > 0 if correctly suspended. Note that inherited FDs
* are neither suspended nor resumed, we only enable/disable polling on them.
MEDIUM: listener: implement a per-protocol pause() function In order to fix the abstact socket pause mechanism during soft restarts, we'll need to proceed differently depending on the socket protocol. The pause_listener() function already supports some protocol-specific handling for the TCP case. This commit makes this cleaner by adding a new ->pause() function to the protocol struct, which, if defined, may be used to pause a listener of a given protocol. For now, only TCP has been adapted, with the specific code moved from pause_listener() to tcp_pause_listener().
2014-07-07 22:22:12 +04:00
*/
MINOR: protocol: replace ->pause(listener) with ->rx_suspend(receiver) The ->pause method is inappropriate since it doesn't exactly "pause" a listener but rather temporarily disables it so that it's not visible at all to let another process take its place. The term "suspend" is more suitable, since the "pause" is actually what we'll need to apply to the FULL and LIMITED states which really need to make a pause in the accept process. And it goes well with the use of the "resume" function that will also need to be made per-protocol. Let's rename the function and make it act on the receiver since it's already what it essentially does, hence the prefix "_rx" to make it more explicit. The protocol struct was a bit reordered because it was becoming a real mess between the parts related to the listeners and those for the receivers.
2020-09-25 18:12:32 +03:00
static int tcp_suspend_receiver(struct receiver *rx)
MEDIUM: listener: implement a per-protocol pause() function In order to fix the abstact socket pause mechanism during soft restarts, we'll need to proceed differently depending on the socket protocol. The pause_listener() function already supports some protocol-specific handling for the TCP case. This commit makes this cleaner by adding a new ->pause() function to the protocol struct, which, if defined, may be used to pause a listener of a given protocol. For now, only TCP has been adapted, with the specific code moved from pause_listener() to tcp_pause_listener().
2014-07-07 22:22:12 +04:00
{
CLEANUP: protocol: intitialize all of the sockaddr when disconnecting In issue #894, Coverity suspects uninitialized values for a socket's address whose family is AF_UNSPEC but it doesn't know that the address is not used in this case. It's not on a critical path and working around it is trivial, let's fully declare the address. We're doing it for both TCP and UDP, because the same principle appears at two places.
2020-10-14 11:50:41 +03:00
const struct sockaddr sa = { .sa_family = AF_UNSPEC };
CLEANUP: tcp: make use of sock_accept_conn() where relevant This allows to get rid of two getsockopt(SO_ACCEPTCONN).
2020-10-13 18:42:21 +03:00
int ret;
MEDIUM: proto_tcp: make the pause() more robust in multi-process In multi-process, the TCP pause is very brittle and we never noticed it because the error was lost in the upper layers. The problem is that shutdown() may fail if another process already did it, and will cause a process to fail to pause. What we do here in case of error is that we double-check the socket's state to verify if it's still accepting connections, and if not, we can conclude that another process already did the job in parallel. The difficulty here is that we're trying to eliminate false positives where some OSes will silently report a success on shutdown() while they don't shut the socket down, hence this dance of shutw/listen/shutr that only keeps the compatible ones. Probably that a new approach relying on connect(AF_UNSPEC) would provide better results.
2020-10-08 17:51:09 +03:00
BUG/MINOR: listeners: fix suspend/resume of inherited FDs FDs inherited from a parent process do not deal well with suspend/resume since commit 59b5da487 ("BUG/MEDIUM: listener: never suspend inherited sockets") introduced in 2.3. The problem is that we now report that they cannot be suspended at all, and they return a failure. As such, if a new process fails to bind and sends SIGTTOU to the previous process, that one will notice the failure and instantly switch to soft-stop, leaving no chance to the new process to give up later and signal its failure. What we need to do, however, is to stop receiving new connections from such inherited FDs, which just means that the FD must be unsubscribed from the poller (and resubscribed later if finally it has to stay). With this a new process can start on the already bound FD without problem thanks to the absence of polling, and when the old process stops the new process will be alone on it. This may be backported as far as 2.4.
2023-01-16 13:47:01 +03:00
/* We never disconnect a shared FD otherwise we'd break it in the
BUG/MEDIUM: listener: never suspend inherited sockets It is not acceptable to suspend an inherited socket because we'd kill its listening state, making it possibly unrecoverable for future processes. The situation which can trigger this is when there is an abns socket in a config and an inherited FD on another listener. Upon soft reload, the abns fails to bind, a SIGTTOU is sent to the old process which suspends everything, including the inherited FD, then the new process can bind and tell the old one to quit. Except that the new FD was not set back to the listen state, which is detected by listener_accept() which can pause it. It's only upon second reload that the FD works again. The solution is to refrain from suspending such FDs since we don't own them. And the next process will get them right anyway from its config. For now only TCP and UDP face this issue so it's better to address this on a protocol basis No backport is needed, this is related to the new listeners in 2.3.
2020-11-04 16:14:55 +03:00
* parent process and any possible subsequent worker inheriting it.
BUG/MINOR: listeners: fix suspend/resume of inherited FDs FDs inherited from a parent process do not deal well with suspend/resume since commit 59b5da487 ("BUG/MEDIUM: listener: never suspend inherited sockets") introduced in 2.3. The problem is that we now report that they cannot be suspended at all, and they return a failure. As such, if a new process fails to bind and sends SIGTTOU to the previous process, that one will notice the failure and instantly switch to soft-stop, leaving no chance to the new process to give up later and signal its failure. What we need to do, however, is to stop receiving new connections from such inherited FDs, which just means that the FD must be unsubscribed from the poller (and resubscribed later if finally it has to stay). With this a new process can start on the already bound FD without problem thanks to the absence of polling, and when the old process stops the new process will be alone on it. This may be backported as far as 2.4.
2023-01-16 13:47:01 +03:00
* Thus we just stop receiving from it.
BUG/MEDIUM: listener: never suspend inherited sockets It is not acceptable to suspend an inherited socket because we'd kill its listening state, making it possibly unrecoverable for future processes. The situation which can trigger this is when there is an abns socket in a config and an inherited FD on another listener. Upon soft reload, the abns fails to bind, a SIGTTOU is sent to the old process which suspends everything, including the inherited FD, then the new process can bind and tell the old one to quit. Except that the new FD was not set back to the listen state, which is detected by listener_accept() which can pause it. It's only upon second reload that the FD works again. The solution is to refrain from suspending such FDs since we don't own them. And the next process will get them right anyway from its config. For now only TCP and UDP face this issue so it's better to address this on a protocol basis No backport is needed, this is related to the new listeners in 2.3.
2020-11-04 16:14:55 +03:00
*/
if (rx->flags & RX_F_INHERITED)
BUG/MINOR: listeners: fix suspend/resume of inherited FDs FDs inherited from a parent process do not deal well with suspend/resume since commit 59b5da487 ("BUG/MEDIUM: listener: never suspend inherited sockets") introduced in 2.3. The problem is that we now report that they cannot be suspended at all, and they return a failure. As such, if a new process fails to bind and sends SIGTTOU to the previous process, that one will notice the failure and instantly switch to soft-stop, leaving no chance to the new process to give up later and signal its failure. What we need to do, however, is to stop receiving new connections from such inherited FDs, which just means that the FD must be unsubscribed from the poller (and resubscribed later if finally it has to stay). With this a new process can start on the already bound FD without problem thanks to the absence of polling, and when the old process stops the new process will be alone on it. This may be backported as far as 2.4.
2023-01-16 13:47:01 +03:00
goto done;
BUG/MEDIUM: listener: never suspend inherited sockets It is not acceptable to suspend an inherited socket because we'd kill its listening state, making it possibly unrecoverable for future processes. The situation which can trigger this is when there is an abns socket in a config and an inherited FD on another listener. Upon soft reload, the abns fails to bind, a SIGTTOU is sent to the old process which suspends everything, including the inherited FD, then the new process can bind and tell the old one to quit. Except that the new FD was not set back to the listen state, which is detected by listener_accept() which can pause it. It's only upon second reload that the FD works again. The solution is to refrain from suspending such FDs since we don't own them. And the next process will get them right anyway from its config. For now only TCP and UDP face this issue so it's better to address this on a protocol basis No backport is needed, this is related to the new listeners in 2.3.
2020-11-04 16:14:55 +03:00
MINOR: proto-tcp: make use of connect(AF_UNSPEC) for the pause Currently the suspend/resume mechanism for listeners only works on Linux and we resort to a number of tricks involving shutdown+listen+shutdown to try to detect failures on other operating systems that do not support it. But on Linux connect(AF_UNSPEC) also works pretty well and is much cleaner. It still doesn't work on other operating systems but the error is easier to detect and appears safer. So let's switch to this.
2020-10-13 17:34:19 +03:00
if (connect(rx->fd, &sa, sizeof(sa)) < 0)
goto check_already_done;
BUG/MINOR: listeners: fix suspend/resume of inherited FDs FDs inherited from a parent process do not deal well with suspend/resume since commit 59b5da487 ("BUG/MEDIUM: listener: never suspend inherited sockets") introduced in 2.3. The problem is that we now report that they cannot be suspended at all, and they return a failure. As such, if a new process fails to bind and sends SIGTTOU to the previous process, that one will notice the failure and instantly switch to soft-stop, leaving no chance to the new process to give up later and signal its failure. What we need to do, however, is to stop receiving new connections from such inherited FDs, which just means that the FD must be unsubscribed from the poller (and resubscribed later if finally it has to stay). With this a new process can start on the already bound FD without problem thanks to the absence of polling, and when the old process stops the new process will be alone on it. This may be backported as far as 2.4.
2023-01-16 13:47:01 +03:00
done:
MINOR: protocol: replace ->pause(listener) with ->rx_suspend(receiver) The ->pause method is inappropriate since it doesn't exactly "pause" a listener but rather temporarily disables it so that it's not visible at all to let another process take its place. The term "suspend" is more suitable, since the "pause" is actually what we'll need to apply to the FULL and LIMITED states which really need to make a pause in the accept process. And it goes well with the use of the "resume" function that will also need to be made per-protocol. Let's rename the function and make it act on the receiver since it's already what it essentially does, hence the prefix "_rx" to make it more explicit. The protocol struct was a bit reordered because it was becoming a real mess between the parts related to the listeners and those for the receivers.
2020-09-25 18:12:32 +03:00
fd_stop_recv(rx->fd);
MEDIUM: listener: implement a per-protocol pause() function In order to fix the abstact socket pause mechanism during soft restarts, we'll need to proceed differently depending on the socket protocol. The pause_listener() function already supports some protocol-specific handling for the TCP case. This commit makes this cleaner by adding a new ->pause() function to the protocol struct, which, if defined, may be used to pause a listener of a given protocol. For now, only TCP has been adapted, with the specific code moved from pause_listener() to tcp_pause_listener().
2014-07-07 22:22:12 +04:00
return 1;
MEDIUM: proto_tcp: make the pause() more robust in multi-process In multi-process, the TCP pause is very brittle and we never noticed it because the error was lost in the upper layers. The problem is that shutdown() may fail if another process already did it, and will cause a process to fail to pause. What we do here in case of error is that we double-check the socket's state to verify if it's still accepting connections, and if not, we can conclude that another process already did the job in parallel. The difficulty here is that we're trying to eliminate false positives where some OSes will silently report a success on shutdown() while they don't shut the socket down, hence this dance of shutw/listen/shutr that only keeps the compatible ones. Probably that a new approach relying on connect(AF_UNSPEC) would provide better results.
2020-10-08 17:51:09 +03:00
check_already_done:
/* in case one of the shutdown() above fails, it might be because we're
* dealing with a socket that is shared with other processes doing the
* same. Let's check if it's still accepting connections.
*/
MINOR: sock: rename sock_accept_conn() to sock_accepting_conn() This call was introduced by commit 5ced3e887 ("MINOR: sock: add sock_accept_conn() to test a listening socket") but is actually quite confusing because it makes one think the socket will accept a connection (which is what we want to have in a new function) while it only tells whether it's configured to accept connections. Let's call it sock_accepting_conn() instead. The same change was applied to sockpair which had the same issue.
2020-10-15 10:19:43 +03:00
ret = sock_accepting_conn(rx);
CLEANUP: tcp: make use of sock_accept_conn() where relevant This allows to get rid of two getsockopt(SO_ACCEPTCONN).
2020-10-13 18:42:21 +03:00
if (ret <= 0) {
/* unrecoverable or paused by another process */
MINOR: protocol: replace ->pause(listener) with ->rx_suspend(receiver) The ->pause method is inappropriate since it doesn't exactly "pause" a listener but rather temporarily disables it so that it's not visible at all to let another process take its place. The term "suspend" is more suitable, since the "pause" is actually what we'll need to apply to the FULL and LIMITED states which really need to make a pause in the accept process. And it goes well with the use of the "resume" function that will also need to be made per-protocol. Let's rename the function and make it act on the receiver since it's already what it essentially does, hence the prefix "_rx" to make it more explicit. The protocol struct was a bit reordered because it was becoming a real mess between the parts related to the listeners and those for the receivers.
2020-09-25 18:12:32 +03:00
fd_stop_recv(rx->fd);
CLEANUP: tcp: make use of sock_accept_conn() where relevant This allows to get rid of two getsockopt(SO_ACCEPTCONN).
2020-10-13 18:42:21 +03:00
return ret == 0;
MINOR: listeners: move fd_stop_recv() to the receiver's socket code fd_stop_recv() has nothing to do in the generic listener code, it's per protocol as some don't need it. For instance with abns@ it could even lead to fd_stop_recv(-1). And later with QUIC we don't want to touch the fd at all! It used to be that since commit f2cb169487 delegating fd manipulation to their respective threads it wasn't possible to call it down there but it's not the case anymore, so let's perform the action in the protocol-specific code.
2020-09-24 19:20:37 +03:00
}
MEDIUM: proto_tcp: make the pause() more robust in multi-process In multi-process, the TCP pause is very brittle and we never noticed it because the error was lost in the upper layers. The problem is that shutdown() may fail if another process already did it, and will cause a process to fail to pause. What we do here in case of error is that we double-check the socket's state to verify if it's still accepting connections, and if not, we can conclude that another process already did the job in parallel. The difficulty here is that we're trying to eliminate false positives where some OSes will silently report a success on shutdown() while they don't shut the socket down, hence this dance of shutw/listen/shutr that only keeps the compatible ones. Probably that a new approach relying on connect(AF_UNSPEC) would provide better results.
2020-10-08 17:51:09 +03:00
CLEANUP: tcp: make use of sock_accept_conn() where relevant This allows to get rid of two getsockopt(SO_ACCEPTCONN).
2020-10-13 18:42:21 +03:00
/* still listening, that's not good */
MEDIUM: proto_tcp: make the pause() more robust in multi-process In multi-process, the TCP pause is very brittle and we never noticed it because the error was lost in the upper layers. The problem is that shutdown() may fail if another process already did it, and will cause a process to fail to pause. What we do here in case of error is that we double-check the socket's state to verify if it's still accepting connections, and if not, we can conclude that another process already did the job in parallel. The difficulty here is that we're trying to eliminate false positives where some OSes will silently report a success on shutdown() while they don't shut the socket down, hence this dance of shutw/listen/shutr that only keeps the compatible ones. Probably that a new approach relying on connect(AF_UNSPEC) would provide better results.
2020-10-08 17:51:09 +03:00
return -1;
MEDIUM: listener: implement a per-protocol pause() function In order to fix the abstact socket pause mechanism during soft restarts, we'll need to proceed differently depending on the socket protocol. The pause_listener() function already supports some protocol-specific handling for the TCP case. This commit makes this cleaner by adding a new ->pause() function to the protocol struct, which, if defined, may be used to pause a listener of a given protocol. For now, only TCP has been adapted, with the specific code moved from pause_listener() to tcp_pause_listener().
2014-07-07 22:22:12 +04:00
}
MINOR: protocol: implement an ->rx_resume() method This one undoes ->rx_suspend(), it tries to restore an operational socket. It was only implemented for TCP since it's the only one we support right now.
2020-09-25 20:40:31 +03:00
/* Resume a receiver. Returns < 0 in case of failure, 0 if the receiver
BUG/MINOR: listeners: fix suspend/resume of inherited FDs FDs inherited from a parent process do not deal well with suspend/resume since commit 59b5da487 ("BUG/MEDIUM: listener: never suspend inherited sockets") introduced in 2.3. The problem is that we now report that they cannot be suspended at all, and they return a failure. As such, if a new process fails to bind and sends SIGTTOU to the previous process, that one will notice the failure and instantly switch to soft-stop, leaving no chance to the new process to give up later and signal its failure. What we need to do, however, is to stop receiving new connections from such inherited FDs, which just means that the FD must be unsubscribed from the poller (and resubscribed later if finally it has to stay). With this a new process can start on the already bound FD without problem thanks to the absence of polling, and when the old process stops the new process will be alone on it. This may be backported as far as 2.4.
2023-01-16 13:47:01 +03:00
* was totally stopped, or > 0 if correctly resumed. Note that inherited FDs
* are neither suspended nor resumed, we only enable/disable polling on them.
MINOR: protocol: implement an ->rx_resume() method This one undoes ->rx_suspend(), it tries to restore an operational socket. It was only implemented for TCP since it's the only one we support right now.
2020-09-25 20:40:31 +03:00
*/
static int tcp_resume_receiver(struct receiver *rx)
{
struct listener *l = LIST_ELEM(rx, struct listener *, rx);
if (rx->fd < 0)
return 0;
BUG/MINOR: listeners: fix suspend/resume of inherited FDs FDs inherited from a parent process do not deal well with suspend/resume since commit 59b5da487 ("BUG/MEDIUM: listener: never suspend inherited sockets") introduced in 2.3. The problem is that we now report that they cannot be suspended at all, and they return a failure. As such, if a new process fails to bind and sends SIGTTOU to the previous process, that one will notice the failure and instantly switch to soft-stop, leaving no chance to the new process to give up later and signal its failure. What we need to do, however, is to stop receiving new connections from such inherited FDs, which just means that the FD must be unsubscribed from the poller (and resubscribed later if finally it has to stay). With this a new process can start on the already bound FD without problem thanks to the absence of polling, and when the old process stops the new process will be alone on it. This may be backported as far as 2.4.
2023-01-16 13:47:01 +03:00
if ((rx->flags & RX_F_INHERITED) || listen(rx->fd, listener_backlog(l)) == 0) {
MINOR: protocol: implement an ->rx_resume() method This one undoes ->rx_suspend(), it tries to restore an operational socket. It was only implemented for TCP since it's the only one we support right now.
2020-09-25 20:40:31 +03:00
fd_want_recv(l->rx.fd);
return 1;
}
return -1;
}
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-29 03:09:36 +03:00
/*
* Local variables:
* c-indent-level: 8
* c-basic-offset: 8
* End:
*/
Reference in New Issue Copy Permalink