upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-03-15 15:12:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
haproxy/src/session.c

812 lines
25 KiB
C
Raw Normal View History

MINOR: session: start to reintroduce struct session There is now a pointer to the session in the stream, which is NULL for now. The session pool is created as well. Some parts will move from the stream to the session now.
2015-04-03 07:53:24 -04:00
/*
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
* Session management functions.
MINOR: session: start to reintroduce struct session There is now a pointer to the session in the stream, which is NULL for now. The session pool is created as well. Some parts will move from the stream to the session now.
2015-04-03 07:53:24 -04:00
*
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
* Copyright 2000-2015 Willy Tarreau <w@1wt.eu>
MINOR: session: start to reintroduce struct session There is now a pointer to the session in the stream, which is NULL for now. The session pool is created as well. Some parts will move from the stream to the session now.
2015-04-03 07:53:24 -04:00
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*/
MEDIUM: session/ssl: return the SSL error string during a SSL handshake error SSL hanshake error were unable to dump the OpenSSL error string by default, to do so it was mandatory to configure a error-log-format with the ssl_fc_err fetch. This patch implements the session_build_err_string() function which creates the error log to send during session_kill_embryonic(), a special case is made with CO_ER_SSL_HANDSHAKE which is able to dump the error string with ERR_error_string(). Before: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure After: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure (error:0A000418:SSL routines::tlsv1 alert unknown ca)
2023-05-12 11:13:46 -04:00
#include <haproxy/ssl_sock-t.h>
REORG: include: update all files to use haproxy/api.h or api-t.h if needed All files that were including one of the following include files have been updated to only include haproxy/api.h or haproxy/api-t.h once instead: - common/config.h - common/compat.h - common/compiler.h - common/defaults.h - common/initcall.h - common/tools.h The choice is simple: if the file only requires type definitions, it includes api-t.h, otherwise it includes the full api.h. In addition, in these files, explicit includes for inttypes.h and limits.h were dropped since these are now covered by api.h and api-t.h. No other change was performed, given that this patch is large and affects 201 files. At least one (tools.h) was already freestanding and didn't get the new one added.
2020-05-27 06:58:42 -04:00
#include <haproxy/api.h>
REORG: include: move connection.h to haproxy/connection{,-t}.h The type file is becoming a mess, half of it is for the proxy protocol, another good part describes conn_streams and mux ops, it would deserve being split again. At least it was reordered so that elements are easier to find, with the PP-stuff left at the end. The MAX_SEND_FD macro was moved to compat.h as it's said to be the value for Linux.
2020-06-04 12:02:10 -04:00
#include <haproxy/connection.h>
REORG: include: split global.h into haproxy/global{,-t}.h global.h was one of the messiest files, it has accumulated tons of implicit dependencies and declares many globals that make almost all other file include it. It managed to silence a dependency loop between server.h and proxy.h by being well placed to pre-define the required structs, forcing struct proxy and struct server to be forward-declared in a significant number of files. It was split in to, one which is the global struct definition and the few macros and flags, and the rest containing the functions prototypes. The UNIX_MAX_PATH definition was moved to compat.h.
2020-06-04 11:05:57 -04:00
#include <haproxy/global.h>
REORG: include: split common/http.h into haproxy/http{,-t}.h So the enums and structs were placed into http-t.h and the functions into http.h. This revealed that several files were dependeng on http.h but not including it, as it was silently inherited via other files.
2020-06-02 13:11:26 -04:00
#include <haproxy/http.h>
REORG: include: move listener.h to haproxy/listener{,-t}.h stdlib and list were missing from listener.h, otherwise it was OK.
2020-06-04 08:58:24 -04:00
#include <haproxy/listener.h>
REORG: include: move log.h to haproxy/log{,-t}.h The current state of the logging is a real mess. The main problem is that almost all files include log.h just in order to have access to the alert/warning functions like ha_alert() etc, and don't care about logs. But log.h also deals with real logging as well as log-format and depends on stream.h and various other things. As such it forces a few heavy files like stream.h to be loaded early and to hide missing dependencies depending where it's loaded. Among the missing ones is syslog.h which was often automatically included resulting in no less than 3 users missing it. Among 76 users, only 5 could be removed, and probably 70 don't need the full set of dependencies. A good approach would consist in splitting that file in 3 parts: - one for error output ("errors" ?). - one for log_format processing - and one for actual logging.
2020-06-04 16:01:04 -04:00
#include <haproxy/log.h>
REORG: include: move common/memory.h to haproxy/pool.h Now the file is ready to be stored into its final destination. A few minor reorderings were performed to keep the file properly organized, making the various sections more visible (cache & lockless). In addition and to stay consistent, memory.c was renamed to pool.c.
2020-06-02 03:38:52 -04:00
#include <haproxy/pool.h>
MEDIUM: protocol: rely on AF_CUST_ABNS family to recognize ABNS sockets Now that we can easily distinguish regular UNIX socket from ABNS sockets by simply looking at the address family, stop looking at the first byte from addr->sun_path to guess if the socket is an ABNS one or not. Looking at the family is straightforward and will allow to differentiate between upcoming ABNSZ and ABNS (where looking at the first byte from path won't help anymore).
2024-10-24 08:20:01 -04:00
#include <haproxy/protocol.h>
REORG: include: move proxy.h to haproxy/proxy{,-t}.h This one is particularly difficult to split because it provides all the functions used to manipulate a proxy state and to retrieve names or IDs for error reporting, and as such, it was included in 73 files (down to 68 after cleanup). It would deserve a small cleanup though the cut points are not obvious at the moment given the number of structs involved in the struct proxy itself.
2020-06-04 16:29:18 -04:00
#include <haproxy/proxy.h>
REORG: include: move session.h to haproxy/session{,-t}.h Almost no change was needed beyond a little bit of reordering of the types file and adjustments to use session-t instead of session at a few places.
2020-06-04 12:58:52 -04:00
#include <haproxy/session.h>
REORG: include: move tcp_rules.h to haproxy/tcp_rules.h There's no type file on this one which is pretty simple.
2020-06-04 11:42:48 -04:00
#include <haproxy/tcp_rules.h>
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
#include <haproxy/thread.h>
BUILD: session: include tools.h in session.c The file session.c calls plenty of functions from tools.h but did not include it.
2021-05-08 07:03:04 -04:00
#include <haproxy/tools.h>
MINOR: session/trace: enable very minimal session tracing By having traces at the session level, it becomes possible to start traces on session creation and pause them on session end. Doing so will soon open new possibilties to synchronize multiple traces.
2024-08-06 10:12:11 -04:00
#include <haproxy/trace.h>
REORG: include: move vars.h to haproxy/vars{,-t}.h A few includes (sessions.h, stream.h, api-t.h) were added for arguments that were first declared in function prototypes.
2020-06-04 10:25:31 -04:00
#include <haproxy/vars.h>
MINOR: session: start to reintroduce struct session There is now a pointer to the session in the stream, which is NULL for now. The session pool is created as well. Some parts will move from the stream to the session now.
2015-04-03 07:53:24 -04:00
MEDIUM: session: update the session's stick counters upon session_free() Whenever session_free() is called, any possible stick counter stored in the session will be synchronized.
2015-04-04 10:31:16 -04:00
MEDIUM: tree-wide: replace most DECLARE_POOL with DECLARE_TYPED_POOL This will make the pools size and alignment automatically inherit the type declaration. It was done like this: sed -i -e 's:DECLARE_POOL(\([^,]*,[^,]*,\s*\)sizeof(\([^)]*\))):DECLARE_TYPED_POOL(\1\2):g' $(git grep -lw DECLARE_POOL src addons) sed -i -e 's:DECLARE_STATIC_POOL(\([^,]*,[^,]*,\s*\)sizeof(\([^)]*\))):DECLARE_STATIC_TYPED_POOL(\1\2):g' $(git grep -lw DECLARE_STATIC_POOL src addons) 81 replacements were made. The only remaining ones are those which set their own size without depending on a structure. The few ones with an extra size were manually handled. It also means that the requested alignments are now checked against the type's. Given that none is specified for now, no issue is reported. It was verified with "show pools detailed" that the definitions are exactly the same, and that the binaries are similar.
2025-08-06 10:43:27 -04:00
DECLARE_TYPED_POOL(pool_head_session, "session", struct session);
DECLARE_TYPED_POOL(pool_head_sess_priv_conns, "session priv conns list", struct sess_priv_conns);
MINOR: session: start to reintroduce struct session There is now a pointer to the session in the stream, which is NULL for now. The session pool is created as well. Some parts will move from the stream to the session now.
2015-04-03 07:53:24 -04:00
MEDIUM: connections: Get ride of the xprt_done callback. The xprt_done_cb callback was used to defer some connection initialization until we're connected and the handshake are done. As it mostly consists of creating the mux, instead of using the callback, introduce a conn_create_mux() function, that will just call conn_complete_session() for frontend, and create the mux for backend. In h2_wake(), make sure we call the wake method of the stream_interface, as we no longer wakeup the stream task.
2020-01-22 12:08:48 -05:00
int conn_complete_session(struct connection *conn);
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
MINOR: session/trace: enable very minimal session tracing By having traces at the session level, it becomes possible to start traces on session creation and pause them on session end. Doing so will soon open new possibilties to synchronize multiple traces.
2024-08-06 10:12:11 -04:00
static const struct trace_event sess_trace_events[] = {
#define SESS_EV_NEW (1ULL << 0)
{ .mask = SESS_EV_NEW, .name = "sess_new", .desc = "new session creation" },
#define SESS_EV_END (1ULL << 1)
{ .mask = SESS_EV_END, .name = "sess_end", .desc = "session termination" },
#define SESS_EV_ERR (1ULL << 1)
{ .mask = SESS_EV_ERR, .name = "sess_err", .desc = "session error" },
{ }
};
static const struct name_desc sess_trace_lockon_args[4] = {
/* arg1 */ { /* already used by the session */ },
/* arg2 */ { },
/* arg3 */ { },
/* arg4 */ { }
};
static struct trace_source trace_sess __read_mostly = {
.name = IST("session"),
.desc = "client session management",
.arg_def = TRC_ARG1_SESS, // TRACE()'s first argument is always a session
.known_events = sess_trace_events,
.lockon_args = sess_trace_lockon_args,
.report_events = ~0, // report everything by default
};
#define TRACE_SOURCE &trace_sess
INITCALL1(STG_REGISTER, trace_register_source, TRACE_SOURCE);
MINOR: session: introduce session_new() This one creates a new session and does the minimum initialization.
2015-04-04 18:38:48 -04:00
/* Create a a new session and assign it to frontend <fe>, listener <li>,
* origin <origin>, set the current date and clear the stick counters pointers.
* Returns the session upon success or NULL. The session may be released using
MEDIUM: session: count the frontend's connections at a single place There are several places where we see feconn++, feconn--, totalconn++ and an increment on the frontend's number of connections and connection rate. This is done exactly once per session in each direction, so better take care of this counter in the session and simplify the callers. At least it ensures a better symmetry. It also ensures consistency as till now the lua/spoe/peers frontend didn't have these counters properly set, which can be useful at least for troubleshooting.
2017-09-15 04:25:14 -04:00
* session_free(). Note: <li> may be NULL.
MINOR: session: introduce session_new() This one creates a new session and does the minimum initialization.
2015-04-04 18:38:48 -04:00
*/
struct session *session_new(struct proxy *fe, struct listener *li, enum obj_type *origin)
{
struct session *sess;
MINOR: session/trace: enable very minimal session tracing By having traces at the session level, it becomes possible to start traces on session creation and pause them on session end. Doing so will soon open new possibilties to synchronize multiple traces.
2024-08-06 10:12:11 -04:00
TRACE_ENTER(SESS_EV_NEW);
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
sess = pool_alloc(pool_head_session);
MINOR: session: introduce session_new() This one creates a new session and does the minimum initialization.
2015-04-04 18:38:48 -04:00
if (sess) {
sess->listener = li;
sess->fe = fe;
sess->origin = origin;
sess->accept_date = date; /* user-visible date for logging */
MEDIUM: clock: replace timeval "now" with integer "now_ns" This puts an end to the occasional confusion between the "now" date that is internal, monotonic and not synchronized with the system's date, and "date" which is the system's date and not necessarily monotonic. Variable "now" was removed and replaced with a 64-bit integer "now_ns" which is a counter of nanoseconds. It wraps every 585 years, so if all goes well (i.e. if humanity does not need haproxy anymore in 500 years), it will just never wrap. This implies that now_ns is never nul and that the zero value can reliably be used as "not set yet" for a timestamp if needed. This will also simplify date checks where it becomes possible again to do "date1<date2". All occurrences of "tv_to_ns(&now)" were simply replaced by "now_ns". Due to the intricacies between now, global_now and now_offset, all 3 had to be turned to nanoseconds at once. It's not a problem since all of them were solely used in 3 functions in clock.c, but they make the patch look bigger than it really is. The clock_update_local_date() and clock_update_global_date() functions are now much simpler as there's no need anymore to perform conversions nor to round the timeval up or down. The wrapping continues to happen by presetting the internal offset in the short future so that the 32-bit now_ms continues to wrap 20 seconds after boot. The start_time used to calculate uptime can still be turned to nanoseconds now. One interrogation concerns global_now_ms which is used only for the freq counters. It's unclear whether there's more value in using two variables that need to be synchronized sequentially like today or to just use global_now_ns divided by 1 million. Both approaches will work equally well on modern systems, the difference might come from smaller ones. Better not change anyhting for now. One benefit of the new approach is that we now have an internal date with a resolution of the nanosecond and the precision of the microsecond, which can be useful to extend some measurements given that timestamps also have this resolution.
2023-04-28 03:16:15 -04:00
sess->accept_ts = now_ns; /* corrected date for internal use */
MEDIUM: stick-table: set the track-sc limit at boottime via tune.stick-counters The number of stick-counter entries usable by track-sc rules is currently set at build time. There is no good value for this since the vast majority of users don't need any, most need only a few and rare users need more. Adding more counters for everyone increases memory and CPU usages for no reason. This patch moves the per-session and per-stream arrays to a pool of a size defined at boot time. This way it becomes possible to set the number of entries at boot time via a new global setting "tune.stick-counters" that sets the limit for the whole process. When not set, the MAX_SESS_STR_CTR value still applies, or 3 if not set, as before. It is also possible to lower the value to 0 to save a bit of memory if not used at all. Note that a few low-level sample-fetch functions had to be protected due to the ability to use sample-fetches in the global section to set some variables.
2023-01-06 10:09:58 -05:00
sess->stkctr = NULL;
if (pool_head_stk_ctr) {
sess->stkctr = pool_alloc(pool_head_stk_ctr);
if (!sess->stkctr)
goto out_fail_alloc;
memset(sess->stkctr, 0, sizeof(sess->stkctr[0]) * global.tune.nb_stk_ctr);
}
MINOR: vars: rename vars_init() to vars_init_head() The vars_init() name is particularly confusing as it does not initialize the variables code but the head of a list of variables passed in arguments. And we'll soon need to have proper initialization code, so let's rename it now.
2021-08-31 02:13:25 -04:00
vars_init_head(&sess->vars, SCOPE_SESS);
MEDIUM: session: add a pointer to a struct task in the session The session may need to enforce a timeout when waiting for a handshake. Till now we used a trick to avoid allocating a pointer, we used to set the connection's owner to the task and set the task's context to the session, so that it was possible to circle between all of them. The problem is that we'll really need to pass the pointer to the session to the upper layers during initialization and that the only place to store it is conn->owner, which is squatted for this trick. So this patch moves the struct task* into the session where it should always have been and ensures conn->owner points to the session until the data layer is properly initialized.
2017-08-28 13:02:51 -04:00
sess->task = NULL;
BUG/MEDIUM: session: fix reporting of handshake processing time in the logs The handshake processing time used to be stored per stream, which was valid when there was exactly one stream per session. With H2 and multiplexing it's not the case anymore and the reported handshake times are wrong in the logs as it's computed between the TCP accept() and the stream creation. Let's first move the handshake where it belongs, which is the session. However, this is not enough because we don't want to report an excessive idle time either for H2 (since many requests use the connection). So the solution used here is to have the stream retrieve sess->tv_accept and the handshake duration when the stream is created, and let the mux immediately reset them. This way, the handshake time becomes zero for the second and subsequent requests in H2 (which was already the case in H1), and the idle time exactly counts how long the connection remained unused while it could be used, so in H1 it runs from the end of the previous response and in H2 it runs from the end of the previous request since the channel is already available. This patch will need to be backported to 1.8.
2018-09-05 05:56:48 -04:00
sess->t_handshake = -1; /* handshake not done yet */
MINOR: session: Add the idle duration field into the session The idle duration between two streams is added to the session structure. It is not necessarily pertinent on all protocols. In fact, it is only defined for H1 connections. It is the duration between two H1 transactions. But the .get_cs_info() callback function on the multiplexers only exists because this duration is missing at the session level. So it is a simplification opportunity for a really low cost. To reduce the cost, a hole in the session structure is filled by moving .srv_list field at the end of the structure.
2020-09-30 04:28:02 -04:00
sess->t_idle = -1;
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&totalconn);
_HA_ATOMIC_INC(&jobs);
MINOR: session: rename private conns elements By default, backend connections are attached to a server instance. This allows to implement connection reuse. However, in some particular cases, connection cannot be shared accross several clients. These connections are considered and private and are attached to the session instance instead. These private connections are also indexed by the target server to not mix them. All of this is implemented via a dedicated structure previously named struct sess_srv_list. Rename it to better reflect its usage to struct sess_priv_conns. Also rename its internal members and all of the associated functions. This commit is only a renaming, thus no functional impact is expected.
2024-03-14 06:24:10 -04:00
LIST_INIT(&sess->priv_conns);
MEDIUM: sessions: Keep track of which connections are idle. Instead of keeping track of the number of connections we're responsible for, keep track of the number of connections we're responsible for that we are currently considering idling (ie that we are not using, they may be in use by other sessions), that way we can actually reuse connections when we have more connections than the max configured.
2018-12-28 12:50:57 -05:00
sess->idle_conns = 0;
MEDIUM: sessions: Introduce session flags. Add session flags, and add a new flag, SESS_FL_PREFER_LAST, to be set when we use NTLM authentication, and we should reuse the last connection. This should fix using NTLM with HTX. This totally replaces TX_PREFER_LAST. This should be backported to 1.9.
2019-05-29 09:01:50 -04:00
sess->flags = SESS_FL_NONE;
MINOR: session: Add src and dst addresses to the session For now, these addresses are never set. But the idea is to be able to set client source and destination addresses at the session level without updating the connection ones. Functions to fill these addresses have been added: sess_get_src() and sess_get_dst(). If not already set, these functions relies on conn_get_src() and conn_get_dst() to fill session addresses. And just like for conncetions, sess_src() and sess_dst() may be used to get source and destination addresses. However, if not set, the corresponding address from the underlying client connection is returned. When this happens, the addresses is filled in the connection object.
2021-10-22 09:41:57 -04:00
sess->src = NULL;
sess->dst = NULL;
OPTIM: stats: store fast sharded counters pointers at session and stream level Following commit 75e480d10 ("MEDIUM: stats: avoid 1 indirection by storing the shared stats directly in counters struct"), in order to minimize the impact of the recent sharded counters work, we try to push things a bit further in this patch by storing and using "fast" pointers at the session and stream levels when available to avoid costly indirections and systematic "tgid" resolution (which can not be cached by the CPU due to its THREAD-local nature). Indeed, we know that a session/stream is tied to a given CPU, thanks to this we know that the tgid for a given session/stream will never change. Given that, we are able to store sharded frontend and listener counters pointer at the session level (namely sess->fe_tgcounters and sess->li_tgcounters), and once the backend and the server are selected, we are also able to store backend and server sharded counters pointer at the stream level (namely s->be_tgcounters and s->sv_tgcounters) Everywhere we rely on these counters and the stream or session context is available, we use the fast pointers it instead of the indirect pointers path to make the pointer resolution a bit faster. This optimization proved to bring a few percents back, and together with the previous 75e480d10 commit we now fixed the performance regression (we are back to back with 3.2 stats performance)
2025-07-24 13:46:36 -04:00
sess->fe_tgcounters = sess->fe->fe_counters.shared.tg[tgid - 1];
if (sess->listener && sess->listener->counters)
sess->li_tgcounters = sess->listener->counters->shared.tg[tgid - 1];
MINOR: session/trace: enable very minimal session tracing By having traces at the session level, it becomes possible to start traces on session creation and pause them on session end. Doing so will soon open new possibilties to synchronize multiple traces.
2024-08-06 10:12:11 -04:00
TRACE_STATE("new session", SESS_EV_NEW, sess);
MINOR: session: introduce session_new() This one creates a new session and does the minimum initialization.
2015-04-04 18:38:48 -04:00
}
MINOR: session/trace: enable very minimal session tracing By having traces at the session level, it becomes possible to start traces on session creation and pause them on session end. Doing so will soon open new possibilties to synchronize multiple traces.
2024-08-06 10:12:11 -04:00
TRACE_LEAVE(SESS_EV_NEW);
MINOR: session: introduce session_new() This one creates a new session and does the minimum initialization.
2015-04-04 18:38:48 -04:00
return sess;
MEDIUM: stick-table: set the track-sc limit at boottime via tune.stick-counters The number of stick-counter entries usable by track-sc rules is currently set at build time. There is no good value for this since the vast majority of users don't need any, most need only a few and rare users need more. Adding more counters for everyone increases memory and CPU usages for no reason. This patch moves the per-session and per-stream arrays to a pool of a size defined at boot time. This way it becomes possible to set the number of entries at boot time via a new global setting "tune.stick-counters" that sets the limit for the whole process. When not set, the MAX_SESS_STR_CTR value still applies, or 3 if not set, as before. It is also possible to lower the value to 0 to save a bit of memory if not used at all. Note that a few low-level sample-fetch functions had to be protected due to the ability to use sample-fetches in the global section to set some variables.
2023-01-06 10:09:58 -05:00
out_fail_alloc:
pool_free(pool_head_session, sess);
MINOR: session/trace: enable very minimal session tracing By having traces at the session level, it becomes possible to start traces on session creation and pause them on session end. Doing so will soon open new possibilties to synchronize multiple traces.
2024-08-06 10:12:11 -04:00
TRACE_DEVEL("leaving in error", SESS_EV_NEW|SESS_EV_END|SESS_EV_ERR);
MEDIUM: stick-table: set the track-sc limit at boottime via tune.stick-counters The number of stick-counter entries usable by track-sc rules is currently set at build time. There is no good value for this since the vast majority of users don't need any, most need only a few and rare users need more. Adding more counters for everyone increases memory and CPU usages for no reason. This patch moves the per-session and per-stream arrays to a pool of a size defined at boot time. This way it becomes possible to set the number of entries at boot time via a new global setting "tune.stick-counters" that sets the limit for the whole process. When not set, the MAX_SESS_STR_CTR value still applies, or 3 if not set, as before. It is also possible to lower the value to 0 to save a bit of memory if not used at all. Note that a few low-level sample-fetch functions had to be protected due to the ability to use sample-fetches in the global section to set some variables.
2023-01-06 10:09:58 -05:00
return NULL;
MINOR: session: introduce session_new() This one creates a new session and does the minimum initialization.
2015-04-04 18:38:48 -04:00
}
MINOR: session: implement session_free() and use it everywhere We want to call this one everywhere we have to kill a session so that future parts we move to the session can be released from there.
2015-04-04 09:54:03 -04:00
void session_free(struct session *sess)
{
MAJOR: sessions: Store multiple outgoing connections in the session. Instead of just storing the last connection in the session, store all of the connections, for at most MAX_SRV_LIST (currently 5) targets. That way we can do keepalive on more than 1 outgoing connection when the client uses HTTP/2.
2018-11-30 11:24:55 -05:00
struct connection *conn, *conn_back;
MINOR: session: rename private conns elements By default, backend connections are attached to a server instance. This allows to implement connection reuse. However, in some particular cases, connection cannot be shared accross several clients. These connections are considered and private and are attached to the session instance instead. These private connections are also indexed by the target server to not mix them. All of this is implemented via a dedicated structure previously named struct sess_srv_list. Rename it to better reflect its usage to struct sess_priv_conns. Also rename its internal members and all of the associated functions. This commit is only a renaming, thus no functional impact is expected.
2024-03-14 06:24:10 -04:00
struct sess_priv_conns *pconns, *pconns_back;
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
struct list conn_tmp_list = LIST_HEAD_INIT(conn_tmp_list);
MAJOR: connections: Detach connections from streams. Do not destroy the connection when we're about to destroy a stream. This prevents us from doing keepalive on server connections when the client is using HTTP/2, as a new stream is created for each request. Instead, the session is now responsible for destroying connections. When reusing connections, the attach() mux method is now used to create a new conn_stream.
2018-11-13 10:48:36 -05:00
MINOR: session/trace: enable very minimal session tracing By having traces at the session level, it becomes possible to start traces on session creation and pause them on session end. Doing so will soon open new possibilties to synchronize multiple traces.
2024-08-06 10:12:11 -04:00
TRACE_ENTER(SESS_EV_END);
TRACE_STATE("releasing session", SESS_EV_END, sess);
MINOR: session: define flag to explicitely release listener on free When a session is allocated for a FE connection, session_free() is responsible to call listener_release() to decrement listener connection counters and resume listening. Until now, <listener> member of session was tested inside session_free() before invocating listener_release(). To highlight more explicitely the relation between sessions and listeners, introduce a new flag SESS_FL_RELEASE_LI. Only session with such flag set will invoke listener_release() on their cleanup. Flag is set inside session_accept_fd() on success. This patch has no functional change. However, it will be useful to implement session creation for rHTTP preconnect.
2024-05-21 10:44:26 -04:00
if (sess->flags & SESS_FL_RELEASE_LI) {
/* listener must be set for session used to account FE conns. */
BUG_ON(!sess->listener);
MINOR: session: release the listener with the session, not the stream Since multiple streams can share one session attached to one listener, the listener_release() call must be done in session_free() and not in stream_free(), otherwise we end up with a negative count in H2.
2017-10-18 09:01:14 -04:00
listener_release(sess->listener);
MINOR: session: define flag to explicitely release listener on free When a session is allocated for a FE connection, session_free() is responsible to call listener_release() to decrement listener connection counters and resume listening. Until now, <listener> member of session was tested inside session_free() before invocating listener_release(). To highlight more explicitely the relation between sessions and listeners, introduce a new flag SESS_FL_RELEASE_LI. Only session with such flag set will invoke listener_release() on their cleanup. Flag is set inside session_accept_fd() on success. This patch has no functional change. However, it will be useful to implement session creation for rHTTP preconnect.
2024-05-21 10:44:26 -04:00
}
MEDIUM: session: update the session's stick counters upon session_free() Whenever session_free() is called, any possible stick counter stored in the session will be synchronized.
2015-04-04 10:31:16 -04:00
session_store_counters(sess);
MEDIUM: stick-table: set the track-sc limit at boottime via tune.stick-counters The number of stick-counter entries usable by track-sc rules is currently set at build time. There is no good value for this since the vast majority of users don't need any, most need only a few and rare users need more. Adding more counters for everyone increases memory and CPU usages for no reason. This patch moves the per-session and per-stream arrays to a pool of a size defined at boot time. This way it becomes possible to set the number of entries at boot time via a new global setting "tune.stick-counters" that sets the limit for the whole process. When not set, the MAX_SESS_STR_CTR value still applies, or 3 if not set, as before. It is also possible to lower the value to 0 to save a bit of memory if not used at all. Note that a few low-level sample-fetch functions had to be protected due to the ability to use sample-fetches in the global section to set some variables.
2023-01-06 10:09:58 -05:00
pool_free(pool_head_stk_ctr, sess->stkctr);
MEDIUM: vars: move the session variables to the session, not the stream It's important that the session-wide variables are in the session and not in the stream.
2015-06-19 05:59:02 -04:00
vars_prune_per_sess(&sess->vars);
MAJOR: connections: Detach connections from streams. Do not destroy the connection when we're about to destroy a stream. This prevents us from doing keepalive on server connections when the client is using HTTP/2, as a new stream is created for each request. Instead, the session is now responsible for destroying connections. When reusing connections, the attach() mux method is now used to create a new conn_stream.
2018-11-13 10:48:36 -05:00
conn = objt_conn(sess->origin);
if (conn != NULL && conn->mux)
MINOR: muxes: Pass the context of the mux to destroy() instead of the connection It is mandatory to handle mux upgrades, because during a mux upgrade, the connection will be reassigned to another multiplexer. So when the old one is destroyed, it does not own the connection anymore. Or in other words, conn->ctx does not point to the old mux's context when its destroy() callback is called. So we now rely on the multiplexer context do destroy it instead of the connection. In addition, h1_release() and h2_release() have also been updated in the same way.
2019-04-08 05:23:22 -04:00
conn->mux->destroy(conn->ctx);
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
HA_SPIN_LOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
MINOR: session: rename private conns elements By default, backend connections are attached to a server instance. This allows to implement connection reuse. However, in some particular cases, connection cannot be shared accross several clients. These connections are considered and private and are attached to the session instance instead. These private connections are also indexed by the target server to not mix them. All of this is implemented via a dedicated structure previously named struct sess_srv_list. Rename it to better reflect its usage to struct sess_priv_conns. Also rename its internal members and all of the associated functions. This commit is only a renaming, thus no functional impact is expected.
2024-03-14 06:24:10 -04:00
list_for_each_entry_safe(pconns, pconns_back, &sess->priv_conns, sess_el) {
list_for_each_entry_safe(conn, conn_back, &pconns->conn_list, sess_el) {
LIST_DEL_INIT(&conn->sess_el);
MINOR: connection: implement conn_release() Several places reuse the same code to ensure a connection is properly freed, either via its MUX or by calling the proper set of functions. Factorize all of this in a new function conn_release(). This new function is now called via session_free() and session_accept_fd(). It will also be reused on delete server to proactively close idle connections.
2024-03-20 10:37:09 -04:00
conn->owner = NULL;
conn->flags &= ~CO_FL_SESS_IDLE;
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
LIST_APPEND(&conn_tmp_list, &conn->sess_el);
MAJOR: sessions: Store multiple outgoing connections in the session. Instead of just storing the last connection in the session, store all of the connections, for at most MAX_SRV_LIST (currently 5) targets. That way we can do keepalive on more than 1 outgoing connection when the client uses HTTP/2.
2018-11-30 11:24:55 -05:00
}
BUG/MAJOR: server: do not delete srv referenced by session A server can only be deleted if there is no elements which reference it. This is taken care via srv_check_for_deletion(), most notably for active and idle connections. A special case occurs for connections directly managed by a session. This is for so-called private connections, when using http-reuse never or H2 + http-reuse safe for example. In this case. server does not account these connections into its idle lists. This caused a bug as the server is deleted despite the session still being able to access it. To properly fix this, add a new referencing element into the server for these session connections. A mt_list has been chosen for this. On default http-reuse, private connections are typically not used so it won't make any difference. If using H2 servers, or more generally when dealing with private connections, insert/delete should typically occur only once per session lifetime so impact on performance should be minimal. This should be backported up to 2.4. Note that srv_check_for_deletion() was introduced in 3.0 dev tree. On backport, the extra condition in it should be placed in cli_parse_delete_server() instead.
2024-03-12 09:09:55 -04:00
MT_LIST_DELETE(&pconns->srv_el);
MINOR: session: rename private conns elements By default, backend connections are attached to a server instance. This allows to implement connection reuse. However, in some particular cases, connection cannot be shared accross several clients. These connections are considered and private and are attached to the session instance instead. These private connections are also indexed by the target server to not mix them. All of this is implemented via a dedicated structure previously named struct sess_srv_list. Rename it to better reflect its usage to struct sess_priv_conns. Also rename its internal members and all of the associated functions. This commit is only a renaming, thus no functional impact is expected.
2024-03-14 06:24:10 -04:00
pool_free(pool_head_sess_priv_conns, pconns);
MAJOR: connections: Defer mux creation for outgoing connection if alpn is set. If an ALPN (or a NPN) was chosen for a server, defer choosing the mux until after the SSL handshake is done, and the ALPN/NPN has been negociated, so that we know which mux to pick.
2018-11-20 18:16:29 -05:00
}
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
HA_SPIN_UNLOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
/* Release connections outside of idle lock. */
while (!LIST_ISEMPTY(&conn_tmp_list)) {
conn = LIST_ELEM(conn_tmp_list.n, struct connection *, sess_el);
/* Del-init sess_el to prevent session_unown_conn() via conn_backend_deinit(). */
LIST_DEL_INIT(&conn->sess_el);
conn_release(conn);
}
MINOR: session: Add src and dst addresses to the session For now, these addresses are never set. But the idea is to be able to set client source and destination addresses at the session level without updating the connection ones. Functions to fill these addresses have been added: sess_get_src() and sess_get_dst(). If not already set, these functions relies on conn_get_src() and conn_get_dst() to fill session addresses. And just like for conncetions, sess_src() and sess_dst() may be used to get source and destination addresses. However, if not set, the corresponding address from the underlying client connection is returned. When this happens, the addresses is filled in the connection object.
2021-10-22 09:41:57 -04:00
sockaddr_free(&sess->src);
sockaddr_free(&sess->dst);
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
pool_free(pool_head_session, sess);
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_DEC(&jobs);
MINOR: session/trace: enable very minimal session tracing By having traces at the session level, it becomes possible to start traces on session creation and pause them on session end. Doing so will soon open new possibilties to synchronize multiple traces.
2024-08-06 10:12:11 -04:00
TRACE_LEAVE(SESS_EV_END);
MINOR: session: implement session_free() and use it everywhere We want to call this one everywhere we have to kill a session so that future parts we move to the session can be released from there.
2015-04-04 09:54:03 -04:00
}
MEDIUM: session: make use of the connection's destroy callback Now we don't remove the session when a stream dies, instead we detach the stream and let the mux decide to release the connection and call session_free() instead.
2017-10-08 05:26:30 -04:00
/* callback used from the connection/mux layer to notify that a connection is
CLEANUP: Fix a typo in the session subsystem Fixes a typo in the code comments of the session subsystem.
2018-11-25 14:22:10 -05:00
* going to be released.
MEDIUM: session: make use of the connection's destroy callback Now we don't remove the session when a stream dies, instead we detach the stream and let the mux decide to release the connection and call session_free() instead.
2017-10-08 05:26:30 -04:00
*/
void conn_session_free(struct connection *conn)
{
session_free(conn->owner);
BUG/MAJOR: connection: reset conn->owner when detaching from session list Baptiste reported a new crash affecting 2.3 which can be triggered when using H2 on the backend, with http-reuse always and with a tens of clients doing close only. There are a few combined cases which cause this to happen, but each time the issue is the same, an already freed session is dereferenced in session_unown_conn(). Two cases were identified to cause this: - a connection referencing a session as its owner, which is detached from the session's list and is destroyed after this session ends. The test on conn->owner before calling session_unown_conn() is not sufficent as the pointer is not null but is not valid anymore. - a connection that never goes idle and that gets killed form the mux, where session_free() is called first, then conn_free() calls session_unown_conn() which scans the just freed session for older connections. This one is only triggered with DEBUG_UAF The reason for this session to be present here is that it's needed during the connection setup, to be passed to conn_install_mux_be() to mux->init() as the owning session, but it's never deleted aftrewards. Furthermore, even conn_session_free() doesn't delete this pointer after freeing the session that lies there. Both do definitely result in a use-after-free that's more easily triggered under DEBUG_UAF. This patch makes sure that the owner is always deleted after detaching or killing the session. However it is currently not possible to clear the owner right after a synchronous init because the proxy protocol apparently needs it (a reg test checks this), and if we leave it past the connection setup with the session not attached anywhere, it's hard to catch the right moment to detach it. This means that the session may remain in conn->owner as long as the connection has never been added to nor removed from the session's idle list. Given that this patch needs to remain simple enough to be backported, instead it adds a workaround in session_unown_conn() to detect that the element is already not attached anywhere. This fix absolutely requires previous patch "CLEANUP: connection: do not use conn->owner when the session is known" otherwise the situation will be even worse, as some places used to rely on conn->owner instead of the session. The fix could theorically be backported as far as 1.8. However, the code in this area has significantly changed along versions and there are more risks of breaking working stuff than fixing real issues there. The issue was really woken up in two steps during 2.3-dev when slightly reworking the idle conns with commit 08016ab82 ("MEDIUM: connection: Add private connections synchronously in session server list") and when adding support for storing used H2 connections in the session and adding the necessary call to session_unown_conn() in the muxes. But the same test managed to crash 2.2 when built in DEBUG_UAF and patched like this, proving that we used to already leave dangling pointers behind us: | diff --git a/include/haproxy/connection.h b/include/haproxy/connection.h | index f8f235c1a..dd30b5f80 100644 | --- a/include/haproxy/connection.h | +++ b/include/haproxy/connection.h | @@ -458,6 +458,10 @@ static inline void conn_free(struct connection *conn) | sess->idle_conns--; | session_unown_conn(sess, conn); | } | + else { | + struct session *sess = conn->owner; | + BUG_ON(sess && sess->origin != &conn->obj_type); | + } | | sockaddr_free(&conn->src); | sockaddr_free(&conn->dst); It's uncertain whether an existing code path there can lead to dereferencing conn->owner when it's bad, though certain suspicious memory corruption bugs make one think it's a likely candidate. The patch should not be hard to adapt there. Backports to 2.1 and older are left to the appreciation of the person doing the backport. A reproducer consists in this: global nbthread 1 listen l bind :9000 mode http http-reuse always server s 127.0.0.1:8999 proto h2 frontend f bind :8999 proto h2 mode http http-request return status 200 Then this will make it crash within 2-3 seconds: $ h1load -e -r 1 -c 10 http://0:9000/ If it does not, it might be that DEBUG_UAF was not used (it's harder then) and it might be useful to restart.
2020-11-20 11:22:44 -05:00
conn->owner = NULL;
MEDIUM: session: make use of the connection's destroy callback Now we don't remove the session when a stream dies, instead we detach the stream and let the mux decide to release the connection and call session_free() instead.
2017-10-08 05:26:30 -04:00
}
MINOR: session: maintain the session count stats in the session, not the stream This has nothing to do in the stream, as we'll face absurdities when chaining multiple streams. The session is where it must be accounted for.
2015-04-08 12:10:49 -04:00
/* count a new session to keep frontend, listener and track stats up to date */
static void session_count_new(struct session *sess)
{
struct stkctr *stkctr;
void *ptr;
int i;
proxy_inc_fe_sess_ctr(sess->listener, sess->fe);
MEDIUM: stick-table: set the track-sc limit at boottime via tune.stick-counters The number of stick-counter entries usable by track-sc rules is currently set at build time. There is no good value for this since the vast majority of users don't need any, most need only a few and rare users need more. Adding more counters for everyone increases memory and CPU usages for no reason. This patch moves the per-session and per-stream arrays to a pool of a size defined at boot time. This way it becomes possible to set the number of entries at boot time via a new global setting "tune.stick-counters" that sets the limit for the whole process. When not set, the MAX_SESS_STR_CTR value still applies, or 3 if not set, as before. It is also possible to lower the value to 0 to save a bit of memory if not used at all. Note that a few low-level sample-fetch functions had to be protected due to the ability to use sample-fetches in the global section to set some variables.
2023-01-06 10:09:58 -05:00
for (i = 0; i < global.tune.nb_stk_ctr; i++) {
MINOR: session: maintain the session count stats in the session, not the stream This has nothing to do in the stream, as we'll face absurdities when chaining multiple streams. The session is where it must be accounted for.
2015-04-08 12:10:49 -04:00
stkctr = &sess->stkctr[i];
if (!stkctr_entry(stkctr))
continue;
ptr = stktable_data_ptr(stkctr->table, stkctr_entry(stkctr), STKTABLE_DT_SESS_CNT);
if (ptr)
MINOR: stick-table: make skttable_data_cast to use only std types This patch replaces all advanced data type aliases on stktable_data_cast calls by standard types. This way we could call the same stktable_data_cast regardless of the used advanced data type as long they are using the same std type. It also removes all the advanced data type aliases.
2021-06-30 11:18:28 -04:00
HA_ATOMIC_INC(&stktable_data_cast(ptr, std_t_uint));
MINOR: session: maintain the session count stats in the session, not the stream This has nothing to do in the stream, as we'll face absurdities when chaining multiple streams. The session is where it must be accounted for.
2015-04-08 12:10:49 -04:00
ptr = stktable_data_ptr(stkctr->table, stkctr_entry(stkctr), STKTABLE_DT_SESS_RATE);
if (ptr)
MINOR: stick-table: make skttable_data_cast to use only std types This patch replaces all advanced data type aliases on stktable_data_cast calls by standard types. This way we could call the same stktable_data_cast regardless of the used advanced data type as long they are using the same std type. It also removes all the advanced data type aliases.
2021-06-30 11:18:28 -04:00
update_freq_ctr_period(&stktable_data_cast(ptr, std_t_frqp),
MINOR: session: maintain the session count stats in the session, not the stream This has nothing to do in the stream, as we'll face absurdities when chaining multiple streams. The session is where it must be accounted for.
2015-04-08 12:10:49 -04:00
stkctr->table->data_arg[STKTABLE_DT_SESS_RATE].u, 1);
}
}
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
/* This function is called from the protocol layer accept() in order to
MINOR: Some spelling cleanup in the comments. Signed-off-by: Dave Chiluk <chiluk+haproxy@indeed.com>
2018-06-21 12:03:20 -04:00
* instantiate a new session on behalf of a given listener and frontend. It
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
* returns a positive value upon success, 0 if the connection can be ignored,
MEDIUM: listener: allocate the connection before queuing a new connection Till now we would keep a per-thread queue of pending incoming connections for which we would store: - the listener - the accepted FD - the source address - the source address' length And these elements were first used in session_accept_fd() running on the target thread to allocate a connection and duplicate them again. Doing this induces various problems. The first one is that session_accept_fd() may only run on file descriptors and cannot be reused for QUIC. The second issue is that it induces lots of memory copies and that the listerner queue thrashes a lot of cache, consuming 64 bytes per entry. This patch changes this by allocating the connection before queueing it, and by only placing the connection's pointer into the queue. Indeed, the first two calls used to initialize the connection already store all the information above, which can be retrieved from the connection pointer alone. So we just have to pop one pointer from the target thread, and pass it to session_accept_fd() which only needs the FD for the final settings. This starts to make the accept path a bit more transport-agnostic, and saves memory and CPU cycles at the same time (1% connection rate increase was noticed with 4 threads). Thanks to dividing the accept-queue entry size from 64 to 8 bytes, its size could be increased from 256 to 1024 connections while still dividing the overall size by two. No single queue full condition was met. One minor drawback is that connection may be allocated from one thread's pool to be used into another one. But this already happens a lot with connection reuse so there is really nothing new here.
2020-10-14 11:37:17 -04:00
* or a negative value upon critical failure. The accepted connection is
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
* closed if we return <= 0. If no handshake is needed, it immediately tries
MEDIUM: listener: allocate the connection before queuing a new connection Till now we would keep a per-thread queue of pending incoming connections for which we would store: - the listener - the accepted FD - the source address - the source address' length And these elements were first used in session_accept_fd() running on the target thread to allocate a connection and duplicate them again. Doing this induces various problems. The first one is that session_accept_fd() may only run on file descriptors and cannot be reused for QUIC. The second issue is that it induces lots of memory copies and that the listerner queue thrashes a lot of cache, consuming 64 bytes per entry. This patch changes this by allocating the connection before queueing it, and by only placing the connection's pointer into the queue. Indeed, the first two calls used to initialize the connection already store all the information above, which can be retrieved from the connection pointer alone. So we just have to pop one pointer from the target thread, and pass it to session_accept_fd() which only needs the FD for the final settings. This starts to make the accept path a bit more transport-agnostic, and saves memory and CPU cycles at the same time (1% connection rate increase was noticed with 4 threads). Thanks to dividing the accept-queue entry size from 64 to 8 bytes, its size could be increased from 256 to 1024 connections while still dividing the overall size by two. No single queue full condition was met. One minor drawback is that connection may be allocated from one thread's pool to be used into another one. But this already happens a lot with connection reuse so there is really nothing new here.
2020-10-14 11:37:17 -04:00
* to instantiate a new stream. The connection must already have been filled
* with the incoming connection handle (a fd), a target (the listener) and a
* source address.
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
*/
MEDIUM: listener: allocate the connection before queuing a new connection Till now we would keep a per-thread queue of pending incoming connections for which we would store: - the listener - the accepted FD - the source address - the source address' length And these elements were first used in session_accept_fd() running on the target thread to allocate a connection and duplicate them again. Doing this induces various problems. The first one is that session_accept_fd() may only run on file descriptors and cannot be reused for QUIC. The second issue is that it induces lots of memory copies and that the listerner queue thrashes a lot of cache, consuming 64 bytes per entry. This patch changes this by allocating the connection before queueing it, and by only placing the connection's pointer into the queue. Indeed, the first two calls used to initialize the connection already store all the information above, which can be retrieved from the connection pointer alone. So we just have to pop one pointer from the target thread, and pass it to session_accept_fd() which only needs the FD for the final settings. This starts to make the accept path a bit more transport-agnostic, and saves memory and CPU cycles at the same time (1% connection rate increase was noticed with 4 threads). Thanks to dividing the accept-queue entry size from 64 to 8 bytes, its size could be increased from 256 to 1024 connections while still dividing the overall size by two. No single queue full condition was met. One minor drawback is that connection may be allocated from one thread's pool to be used into another one. But this already happens a lot with connection reuse so there is really nothing new here.
2020-10-14 11:37:17 -04:00
int session_accept_fd(struct connection *cli_conn)
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
{
MEDIUM: listener: allocate the connection before queuing a new connection Till now we would keep a per-thread queue of pending incoming connections for which we would store: - the listener - the accepted FD - the source address - the source address' length And these elements were first used in session_accept_fd() running on the target thread to allocate a connection and duplicate them again. Doing this induces various problems. The first one is that session_accept_fd() may only run on file descriptors and cannot be reused for QUIC. The second issue is that it induces lots of memory copies and that the listerner queue thrashes a lot of cache, consuming 64 bytes per entry. This patch changes this by allocating the connection before queueing it, and by only placing the connection's pointer into the queue. Indeed, the first two calls used to initialize the connection already store all the information above, which can be retrieved from the connection pointer alone. So we just have to pop one pointer from the target thread, and pass it to session_accept_fd() which only needs the FD for the final settings. This starts to make the accept path a bit more transport-agnostic, and saves memory and CPU cycles at the same time (1% connection rate increase was noticed with 4 threads). Thanks to dividing the accept-queue entry size from 64 to 8 bytes, its size could be increased from 256 to 1024 connections while still dividing the overall size by two. No single queue full condition was met. One minor drawback is that connection may be allocated from one thread's pool to be used into another one. But this already happens a lot with connection reuse so there is really nothing new here.
2020-10-14 11:37:17 -04:00
struct listener *l = __objt_listener(cli_conn->target);
MEDIUM: move listener->frontend to bind_conf->frontend Historically, all listeners have a pointer to the frontend. But since the introduction of SSL, we now have an intermediary layer called bind_conf corresponding to a "bind" line. It makes no sense to have the frontend on each listener given that it's the same for all listeners belonging to a same bind_conf. Also certain parts like SSL can only operate on bind_conf and need the frontend. This patch fixes this by moving the frontend pointer from the listener to the bind_conf. The extra indirection is quite cheap given and the places were this is used are very scarce.
2016-12-21 18:13:31 -05:00
struct proxy *p = l->bind_conf->frontend;
MEDIUM: listener: allocate the connection before queuing a new connection Till now we would keep a per-thread queue of pending incoming connections for which we would store: - the listener - the accepted FD - the source address - the source address' length And these elements were first used in session_accept_fd() running on the target thread to allocate a connection and duplicate them again. Doing this induces various problems. The first one is that session_accept_fd() may only run on file descriptors and cannot be reused for QUIC. The second issue is that it induces lots of memory copies and that the listerner queue thrashes a lot of cache, consuming 64 bytes per entry. This patch changes this by allocating the connection before queueing it, and by only placing the connection's pointer into the queue. Indeed, the first two calls used to initialize the connection already store all the information above, which can be retrieved from the connection pointer alone. So we just have to pop one pointer from the target thread, and pass it to session_accept_fd() which only needs the FD for the final settings. This starts to make the accept path a bit more transport-agnostic, and saves memory and CPU cycles at the same time (1% connection rate increase was noticed with 4 threads). Thanks to dividing the accept-queue entry size from 64 to 8 bytes, its size could be increased from 256 to 1024 connections while still dividing the overall size by two. No single queue full condition was met. One minor drawback is that connection may be allocated from one thread's pool to be used into another one. But this already happens a lot with connection reuse so there is really nothing new here.
2020-10-14 11:37:17 -04:00
int cfd = cli_conn->handle.fd;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
struct session *sess;
int ret;
ret = -1; /* assume unrecoverable error by default */
MINOR: listener: prefer to retrieve the socket's settings via the receiver Some socket settings used to be retrieved via the listener and the bind_conf. Now instead we use the receiver and its settings whenever appropriate. This will simplify the removal of the dependency on the listener.
2020-09-03 01:50:19 -04:00
cli_conn->proxy_netns = l->rx.settings->netns;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
MINOR: connection: prepare init code paths for active reverse When an active reverse connection is initialized, it has no stream-conn attached to it contrary to other backend connections. This forces to add extra check on stream existence in conn_create_mux() and h2_init(). There is also extra checks required for session_accept_fd() after reverse and accept is done. This is because contrary to other frontend connections, reversed connections have already initialized their mux and transport layers. This forces us to skip the majority of session_accept_fd() initialization part. Finally, if session_accept_fd() is interrupted due to an early error, a reverse connection cannot be freed directly or else mux will remain alone. Instead, the mux destroy callback is used to free all connection elements properly.
2023-08-23 12:02:51 -04:00
/* Active reversed connection has already been initialized before being
CLEANUP: assorted typo fixes in the code and comments This is 37th iteration of typo fixes
2023-11-21 13:54:16 -05:00
* accepted. It must not be reset.
MINOR: connection: prepare init code paths for active reverse When an active reverse connection is initialized, it has no stream-conn attached to it contrary to other backend connections. This forces to add extra check on stream existence in conn_create_mux() and h2_init(). There is also extra checks required for session_accept_fd() after reverse and accept is done. This is because contrary to other frontend connections, reversed connections have already initialized their mux and transport layers. This forces us to skip the majority of session_accept_fd() initialization part. Finally, if session_accept_fd() is interrupted due to an early error, a reverse connection cannot be freed directly or else mux will remain alone. Instead, the mux destroy callback is used to free all connection elements properly.
2023-08-23 12:02:51 -04:00
* TODO use a dedicated accept_fd callback for reverse protocol
*/
if (!cli_conn->xprt) {
if (conn_prepare(cli_conn, l->rx.proto, l->bind_conf->xprt) < 0)
goto out_free_conn;
MEDIUM: connections: Introduce a new XPRT method, start(). Introduce a new XPRT method, start(). The init() method will now only initialize whatever is needed for the XPRT to run, but any action the XPRT has to do before being ready, such as handshakes, will be done in the new start() method. That way, we will be sure the full stack of xprt will be initialized before attempting to do anything. The init() call is also moved to conn_prepare(). There's no longer any reason to wait for the ctrl to be ready, any action will be deferred until start(), anyway. This means conn_xprt_init() is no longer needed.
2021-03-05 17:37:48 -05:00
MINOR: connection: prepare init code paths for active reverse When an active reverse connection is initialized, it has no stream-conn attached to it contrary to other backend connections. This forces to add extra check on stream existence in conn_create_mux() and h2_init(). There is also extra checks required for session_accept_fd() after reverse and accept is done. This is because contrary to other frontend connections, reversed connections have already initialized their mux and transport layers. This forces us to skip the majority of session_accept_fd() initialization part. Finally, if session_accept_fd() is interrupted due to an early error, a reverse connection cannot be freed directly or else mux will remain alone. Instead, the mux destroy callback is used to free all connection elements properly.
2023-08-23 12:02:51 -04:00
conn_ctrl_init(cli_conn);
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
MINOR: connection: prepare init code paths for active reverse When an active reverse connection is initialized, it has no stream-conn attached to it contrary to other backend connections. This forces to add extra check on stream existence in conn_create_mux() and h2_init(). There is also extra checks required for session_accept_fd() after reverse and accept is done. This is because contrary to other frontend connections, reversed connections have already initialized their mux and transport layers. This forces us to skip the majority of session_accept_fd() initialization part. Finally, if session_accept_fd() is interrupted due to an early error, a reverse connection cannot be freed directly or else mux will remain alone. Instead, the mux destroy callback is used to free all connection elements properly.
2023-08-23 12:02:51 -04:00
/* wait for a PROXY protocol header */
if (l->bind_conf->options & BC_O_ACC_PROXY)
cli_conn->flags |= CO_FL_ACCEPT_PROXY;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
MINOR: connection: prepare init code paths for active reverse When an active reverse connection is initialized, it has no stream-conn attached to it contrary to other backend connections. This forces to add extra check on stream existence in conn_create_mux() and h2_init(). There is also extra checks required for session_accept_fd() after reverse and accept is done. This is because contrary to other frontend connections, reversed connections have already initialized their mux and transport layers. This forces us to skip the majority of session_accept_fd() initialization part. Finally, if session_accept_fd() is interrupted due to an early error, a reverse connection cannot be freed directly or else mux will remain alone. Instead, the mux destroy callback is used to free all connection elements properly.
2023-08-23 12:02:51 -04:00
/* wait for a NetScaler client IP insertion protocol header */
if (l->bind_conf->options & BC_O_ACC_CIP)
cli_conn->flags |= CO_FL_ACCEPT_CIP;
MINOR: listener: add the "accept-netscaler-cip" option to the "bind" keyword When NetScaler application switch is used as L3+ switch, informations regarding the original IP and TCP headers are lost as a new TCP connection is created between the NetScaler and the backend server. NetScaler provides a feature to insert in the TCP data the original data that can then be consumed by the backend server. Specifications and documentations from NetScaler: https://support.citrix.com/article/CTX205670 https://www.citrix.com/blogs/2016/04/25/how-to-enable-client-ip-in-tcpip-option-of-netscaler/ When CIP is enabled on the NetScaler, then a TCP packet is inserted just after the TCP handshake. This is composed as: - CIP magic number : 4 bytes Both sender and receiver have to agree on a magic number so that they both handle the incoming data as a NetScaler Client IP insertion packet. - Header length : 4 bytes Defines the length on the remaining data. - IP header : >= 20 bytes if IPv4, 40 bytes if IPv6 Contains the header of the last IP packet sent by the client during TCP handshake. - TCP header : >= 20 bytes Contains the header of the last TCP packet sent by the client during TCP handshake.
2016-06-04 10:11:10 -04:00
MINOR: connection: prepare init code paths for active reverse When an active reverse connection is initialized, it has no stream-conn attached to it contrary to other backend connections. This forces to add extra check on stream existence in conn_create_mux() and h2_init(). There is also extra checks required for session_accept_fd() after reverse and accept is done. This is because contrary to other frontend connections, reversed connections have already initialized their mux and transport layers. This forces us to skip the majority of session_accept_fd() initialization part. Finally, if session_accept_fd() is interrupted due to an early error, a reverse connection cannot be freed directly or else mux will remain alone. Instead, the mux destroy callback is used to free all connection elements properly.
2023-08-23 12:02:51 -04:00
/* Add the handshake pseudo-XPRT */
if (cli_conn->flags & (CO_FL_ACCEPT_PROXY | CO_FL_ACCEPT_CIP)) {
if (xprt_add_hs(cli_conn) != 0)
goto out_free_conn;
}
MEDIUM: connections: Introduce a handshake pseudo-XPRT. Add a new XPRT that is used when using non-SSL handshakes, such as proxy protocol or Netscaler, instead of taking care of it in conn_fd_handler(). This XPRT is installed when any of those is used, and it removes itself once the handshake is done. This should allow us to remove the distinction between CO_FL_SOCK* and CO_FL_XPRT*.
2019-05-27 06:09:19 -04:00
}
MINOR: connection: prepare init code paths for active reverse When an active reverse connection is initialized, it has no stream-conn attached to it contrary to other backend connections. This forces to add extra check on stream existence in conn_create_mux() and h2_init(). There is also extra checks required for session_accept_fd() after reverse and accept is done. This is because contrary to other frontend connections, reversed connections have already initialized their mux and transport layers. This forces us to skip the majority of session_accept_fd() initialization part. Finally, if session_accept_fd() is interrupted due to an early error, a reverse connection cannot be freed directly or else mux will remain alone. Instead, the mux destroy callback is used to free all connection elements properly.
2023-08-23 12:02:51 -04:00
MEDIUM: rhttp: create session for active preconnect Modify rhttp preconnect by instantiating a new session for each connection attempt. Connection is thus linked to a session directly on its instantiation contrary to previously where no session existed until listener_accept(). This patch will allow to extend rhttp usage. Most notably, it will be useful to use various sample fetches on the server line and extend logging capabilities. Changes are minimal, yet consequences are considered not trivial as for the first time a FE connection session is instantiated before listener_accept(). This requires an extra explicit check in session_accept_fd() to not overwrite an existing session. Also, flag SESS_FL_RELEASE_LI is not set immediately as listener counters must note be decremented if connection and its session are freed before reversal is completed, or else listener counters will be invalid. conn_session_free() is used as connection destroy callback to ensure the session will be freed automatically on connection release.
2023-11-03 11:21:12 -04:00
/* Reversed conns already have an assigned session, do not recreate it. */
if (!(cli_conn->flags & CO_FL_REVERSED)) {
sess = session_new(p, l, &cli_conn->obj_type);
if (!sess)
goto out_free_conn;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
MEDIUM: rhttp: create session for active preconnect Modify rhttp preconnect by instantiating a new session for each connection attempt. Connection is thus linked to a session directly on its instantiation contrary to previously where no session existed until listener_accept(). This patch will allow to extend rhttp usage. Most notably, it will be useful to use various sample fetches on the server line and extend logging capabilities. Changes are minimal, yet consequences are considered not trivial as for the first time a FE connection session is instantiated before listener_accept(). This requires an extra explicit check in session_accept_fd() to not overwrite an existing session. Also, flag SESS_FL_RELEASE_LI is not set immediately as listener counters must note be decremented if connection and its session are freed before reversal is completed, or else listener counters will be invalid. conn_session_free() is used as connection destroy callback to ensure the session will be freed automatically on connection release.
2023-11-03 11:21:12 -04:00
conn_set_owner(cli_conn, sess, NULL);
}
else {
sess = cli_conn->owner;
}
MEDIUM: session: add a pointer to a struct task in the session The session may need to enforce a timeout when waiting for a handshake. Till now we used a trick to avoid allocating a pointer, we used to set the connection's owner to the task and set the task's context to the session, so that it was possible to circle between all of them. The problem is that we'll really need to pass the pointer to the session to the upper layers during initialization and that the only place to store it is conn->owner, which is squatted for this trick. So this patch moves the struct task* into the session where it should always have been and ensures conn->owner points to the session until the data layer is properly initialized.
2017-08-28 13:02:51 -04:00
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
/* now evaluate the tcp-request layer4 rules. We only need a session
* and no stream for these rules.
*/
BUG/MINOR: session: Eval L4/L5 rules defined in the default section It is possible to define TCP/HTTP rules in a named default section to inherit from it in a proxy. However, there is an issue with L4/L5 rules. Only the lists of the current frontend are checked to know if an eval must be performed. Nothing is done for an empty list. Of course, the lists of the default proxy must also be checked to be sure to not ignored default L4/L5 rules. It is now fixed. This patch should fix the issue #2637. It must be backported as far as 2.6.
2024-07-12 09:21:21 -04:00
if (((sess->fe->defpx && !LIST_ISEMPTY(&sess->fe->defpx->tcp_req.l4_rules)) ||
!LIST_ISEMPTY(&p->tcp_req.l4_rules)) && !tcp_exec_l4_rules(sess)) {
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
/* let's do a no-linger now to close with a single RST. */
BUG/MEDIUM: quic: fix crash when "option nolinger" is set in the frontend Commit 0aba11e9e ("MINOR: quic: remove unnecessary quic_session_accept()") overlooked one problem, in session_accept_fd() at the end, there's a bunch of FD-specific stuff that either sets up or resets the socket at the TCP level. The tests are mostly performed for AF_INET/AF_INET6 families but they're only for one part (i.e. to avoid setting up TCP options on UNIX sockets). Other pieces continue to configure the socket regardless of its family. All of this directly acts on the FD, which is not correct since the FD is not valid here, it corresponds to the QUIC handle. The issue is much more visible when "option nolinger" is enabled in the frontend, because the access to fdatb[cfd].state immediately crashes on the first connection, as can be seen in github issue #2030. This patch bypasses this setup for FD-less connections, such as QUIC. However some of them could definitely be relevant to the QUIC stack, or even to UNIX sockets sometimes. A better long-term solution would consist in implementing a setsockopt() equivalent at the protocol layer that would be used to configure the socket, either the FD or the QUIC conn depending on the case. Some of them would not always be implemented but that would allow to unify all this code. This fix must be backported everywhere the commit above is backported, namely 2.6 and 2.7. Thanks to github user @twomoses for the nicely detailed report.
2023-02-09 11:53:41 -05:00
if (!(cli_conn->flags & CO_FL_FDLESS))
setsockopt(cfd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger));
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
ret = 0; /* successful termination */
goto out_free_sess;
}
MEDIUM: connections: Introduce a new XPRT method, start(). Introduce a new XPRT method, start(). The init() method will now only initialize whatever is needed for the XPRT to run, but any action the XPRT has to do before being ready, such as handshakes, will be done in the new start() method. That way, we will be sure the full stack of xprt will be initialized before attempting to do anything. The init() call is also moved to conn_prepare(). There's no longer any reason to wait for the ctrl to be ready, any action will be deferred until start(), anyway. This means conn_xprt_init() is no longer needed.
2021-03-05 17:37:48 -05:00
/* TCP rules may flag the connection as needing proxy protocol, now that it's done we can start ourxprt */
if (conn_xprt_start(cli_conn) < 0)
BUG/MINOR: session: fix theoretical risk of memleak in session_accept_fd() Andrew Suffield reported in issue #1596 that we've had a bug in session_accept_fd() since 2.4 with commit 1b3c931bf ("MEDIUM: connections: Introduce a new XPRT method, start().") where an error label is wrong and may cause the leak of the freshly allocated session in case conn_xprt_start() returns < 0. The code was checked there and the only two transport layers available at this point are raw_sock and ssl_sock. The former doesn't provide a ->start() method hence conn_xprt_start() will always return zero. The second does provide such a function, but it may only return <0 if the underlying transport (raw_sock) has such a method and fails, which is thus not the case. So fortunately it is not possible to trigger this leak. The patch above also touched the accept code in quic_sock() which was mostly a plain copy of the session code, but there the move didn't have this impact, and since then it was simplified and the next change moved it to its final destination with the proper error label. This should be backported as far as 2.4 as a long-term safety measure (e.g. if in the future we have a reason for making conn_xprt_start() to start failing), but will not have any positive nor negative effect in the short term.
2022-03-11 01:25:11 -05:00
goto out_free_sess;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
BUG/MEDIUM: quic: fix crash when "option nolinger" is set in the frontend Commit 0aba11e9e ("MINOR: quic: remove unnecessary quic_session_accept()") overlooked one problem, in session_accept_fd() at the end, there's a bunch of FD-specific stuff that either sets up or resets the socket at the TCP level. The tests are mostly performed for AF_INET/AF_INET6 families but they're only for one part (i.e. to avoid setting up TCP options on UNIX sockets). Other pieces continue to configure the socket regardless of its family. All of this directly acts on the FD, which is not correct since the FD is not valid here, it corresponds to the QUIC handle. The issue is much more visible when "option nolinger" is enabled in the frontend, because the access to fdatb[cfd].state immediately crashes on the first connection, as can be seen in github issue #2030. This patch bypasses this setup for FD-less connections, such as QUIC. However some of them could definitely be relevant to the QUIC stack, or even to UNIX sockets sometimes. A better long-term solution would consist in implementing a setsockopt() equivalent at the protocol layer that would be used to configure the socket, either the FD or the QUIC conn depending on the case. Some of them would not always be implemented but that would allow to unify all this code. This fix must be backported everywhere the commit above is backported, namely 2.6 and 2.7. Thanks to github user @twomoses for the nicely detailed report.
2023-02-09 11:53:41 -05:00
/* FIXME/WTA: we should implement the setsockopt() calls at the proto
* level instead and let non-inet protocols implement their own equivalent.
*/
if (cli_conn->flags & CO_FL_FDLESS)
goto skip_fd_setup;
MEDIUM: frontend: move the fd-specific settings to session_accept_fd() The frontend is generic and does not depend on a file descriptor, so applying some socket options to the incoming fd is not its role. Let's move the setsockopt() calls earlier in session_accept_fd() where others are done as well.
2015-04-05 11:56:47 -04:00
/* Adjust some socket options */
REORG: listener: move the listening address to a struct receiver The address will be specific to the receiver so let's move it there.
2020-08-27 01:48:42 -04:00
if (l->rx.addr.ss_family == AF_INET || l->rx.addr.ss_family == AF_INET6) {
MEDIUM: frontend: move the fd-specific settings to session_accept_fd() The frontend is generic and does not depend on a file descriptor, so applying some socket options to the incoming fd is not its role. Let's move the setsockopt() calls earlier in session_accept_fd() where others are done as well.
2015-04-05 11:56:47 -04:00
setsockopt(cfd, IPPROTO_TCP, TCP_NODELAY, (char *) &one, sizeof(one));
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-08 22:13:20 -04:00
if (p->options & PR_O_TCP_CLI_KA) {
MEDIUM: frontend: move the fd-specific settings to session_accept_fd() The frontend is generic and does not depend on a file descriptor, so applying some socket options to the incoming fd is not its role. Let's move the setsockopt() calls earlier in session_accept_fd() where others are done as well.
2015-04-05 11:56:47 -04:00
setsockopt(cfd, SOL_SOCKET, SO_KEEPALIVE, (char *) &one, sizeof(one));
BUILD: tcp: condition TCP keepalive settings to platforms providing them Previous commit b24bc0d ("MINOR: tcp: Support TCP keepalive parameters customization") broke non-Linux builds as TCP_KEEP{CNT,IDLE,INTVL} are not necessarily defined elsewhere. This patch adds the required #ifdefs to condition the visibility of the keywords, and adds a mention in the doc about their dependency on Linux.
2020-07-08 23:58:51 -04:00
#ifdef TCP_KEEPCNT
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-08 22:13:20 -04:00
if (p->clitcpka_cnt)
setsockopt(cfd, IPPROTO_TCP, TCP_KEEPCNT, &p->clitcpka_cnt, sizeof(p->clitcpka_cnt));
BUILD: tcp: condition TCP keepalive settings to platforms providing them Previous commit b24bc0d ("MINOR: tcp: Support TCP keepalive parameters customization") broke non-Linux builds as TCP_KEEP{CNT,IDLE,INTVL} are not necessarily defined elsewhere. This patch adds the required #ifdefs to condition the visibility of the keywords, and adds a mention in the doc about their dependency on Linux.
2020-07-08 23:58:51 -04:00
#endif
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-08 22:13:20 -04:00
BUILD: tcp: condition TCP keepalive settings to platforms providing them Previous commit b24bc0d ("MINOR: tcp: Support TCP keepalive parameters customization") broke non-Linux builds as TCP_KEEP{CNT,IDLE,INTVL} are not necessarily defined elsewhere. This patch adds the required #ifdefs to condition the visibility of the keywords, and adds a mention in the doc about their dependency on Linux.
2020-07-08 23:58:51 -04:00
#ifdef TCP_KEEPIDLE
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-08 22:13:20 -04:00
if (p->clitcpka_idle)
setsockopt(cfd, IPPROTO_TCP, TCP_KEEPIDLE, &p->clitcpka_idle, sizeof(p->clitcpka_idle));
BUILD: tcp: condition TCP keepalive settings to platforms providing them Previous commit b24bc0d ("MINOR: tcp: Support TCP keepalive parameters customization") broke non-Linux builds as TCP_KEEP{CNT,IDLE,INTVL} are not necessarily defined elsewhere. This patch adds the required #ifdefs to condition the visibility of the keywords, and adds a mention in the doc about their dependency on Linux.
2020-07-08 23:58:51 -04:00
#endif
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-08 22:13:20 -04:00
BUILD: tcp: condition TCP keepalive settings to platforms providing them Previous commit b24bc0d ("MINOR: tcp: Support TCP keepalive parameters customization") broke non-Linux builds as TCP_KEEP{CNT,IDLE,INTVL} are not necessarily defined elsewhere. This patch adds the required #ifdefs to condition the visibility of the keywords, and adds a mention in the doc about their dependency on Linux.
2020-07-08 23:58:51 -04:00
#ifdef TCP_KEEPINTVL
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-08 22:13:20 -04:00
if (p->clitcpka_intvl)
setsockopt(cfd, IPPROTO_TCP, TCP_KEEPINTVL, &p->clitcpka_intvl, sizeof(p->clitcpka_intvl));
BUILD: tcp: condition TCP keepalive settings to platforms providing them Previous commit b24bc0d ("MINOR: tcp: Support TCP keepalive parameters customization") broke non-Linux builds as TCP_KEEP{CNT,IDLE,INTVL} are not necessarily defined elsewhere. This patch adds the required #ifdefs to condition the visibility of the keywords, and adds a mention in the doc about their dependency on Linux.
2020-07-08 23:58:51 -04:00
#endif
MINOR: tcp: Support TCP keepalive parameters customization It is now possible to customize TCP keepalive parameters. These correspond to the socket options TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and are valid for the defaults, listen, frontend and backend sections. This patch fixes GitHub issue #670.
2020-07-08 22:13:20 -04:00
}
MEDIUM: frontend: move the fd-specific settings to session_accept_fd() The frontend is generic and does not depend on a file descriptor, so applying some socket options to the incoming fd is not its role. Let's move the setsockopt() calls earlier in session_accept_fd() where others are done as well.
2015-04-05 11:56:47 -04:00
if (p->options & PR_O_TCP_NOLING)
MINOR: fd: move .linger_risk into fdtab[].state No need to keep this flag apart any more, let's merge it into the global state. The CLI's output state was extended to 6 digits and the linger/cloned flags moved inside the parenthesis.
2021-04-06 11:49:19 -04:00
HA_ATOMIC_OR(&fdtab[cfd].state, FD_LINGER_RISK);
MEDIUM: frontend: move the fd-specific settings to session_accept_fd() The frontend is generic and does not depend on a file descriptor, so applying some socket options to the incoming fd is not its role. Let's move the setsockopt() calls earlier in session_accept_fd() where others are done as well.
2015-04-05 11:56:47 -04:00
#if defined(TCP_MAXSEG)
MINOR: listener: move maxseg and tcp_ut to bind_conf These two arguments were only set and only used with tcpv4/tcpv6. Let's just store them into the bind_conf instead of duplicating them for all listeners since they're fixed per "bind" line.
2023-01-12 12:42:49 -05:00
if (l->bind_conf->maxseg < 0) {
MEDIUM: frontend: move the fd-specific settings to session_accept_fd() The frontend is generic and does not depend on a file descriptor, so applying some socket options to the incoming fd is not its role. Let's move the setsockopt() calls earlier in session_accept_fd() where others are done as well.
2015-04-05 11:56:47 -04:00
/* we just want to reduce the current MSS by that value */
int mss;
socklen_t mss_len = sizeof(mss);
if (getsockopt(cfd, IPPROTO_TCP, TCP_MAXSEG, &mss, &mss_len) == 0) {
MINOR: listener: move maxseg and tcp_ut to bind_conf These two arguments were only set and only used with tcpv4/tcpv6. Let's just store them into the bind_conf instead of duplicating them for all listeners since they're fixed per "bind" line.
2023-01-12 12:42:49 -05:00
mss += l->bind_conf->maxseg; /* remember, it's < 0 */
MEDIUM: frontend: move the fd-specific settings to session_accept_fd() The frontend is generic and does not depend on a file descriptor, so applying some socket options to the incoming fd is not its role. Let's move the setsockopt() calls earlier in session_accept_fd() where others are done as well.
2015-04-05 11:56:47 -04:00
setsockopt(cfd, IPPROTO_TCP, TCP_MAXSEG, &mss, sizeof(mss));
}
}
#endif
}
if (global.tune.client_sndbuf)
setsockopt(cfd, SOL_SOCKET, SO_SNDBUF, &global.tune.client_sndbuf, sizeof(global.tune.client_sndbuf));
MINOR: tcp: add support for setting TCP_NOTSENT_LOWAT on both sides TCP_NOTSENT_LOWAT is very convenient as it indicates when to report EAGAIN on the sending side. It takes a margin on top of the estimated window, meaning that it's no longer needed to store too many data in socket buffers. Instead there's just enough to fill the send window and a little bit of margin to cover the scheduling time to restart sending. Experiments on a 100ms network have shown a 10-fold reduction in the memory used by socket buffers by just setting this value to tune.bufsize, without noticing any performance degradation. Theoretically the responsiveness on multiplexed protocols such as H2 should also be improved.
2025-04-29 05:43:46 -04:00
#if defined(TCP_NOTSENT_LOWAT)
if (global.tune.client_notsent_lowat && (l->rx.addr.ss_family == AF_INET || l->rx.addr.ss_family == AF_INET6))
setsockopt(cfd, IPPROTO_TCP, TCP_NOTSENT_LOWAT, &global.tune.client_notsent_lowat, sizeof(global.tune.client_notsent_lowat));
#endif
MEDIUM: frontend: move the fd-specific settings to session_accept_fd() The frontend is generic and does not depend on a file descriptor, so applying some socket options to the incoming fd is not its role. Let's move the setsockopt() calls earlier in session_accept_fd() where others are done as well.
2015-04-05 11:56:47 -04:00
if (global.tune.client_rcvbuf)
setsockopt(cfd, SOL_SOCKET, SO_RCVBUF, &global.tune.client_rcvbuf, sizeof(global.tune.client_rcvbuf));
BUG/MEDIUM: quic: fix crash when "option nolinger" is set in the frontend Commit 0aba11e9e ("MINOR: quic: remove unnecessary quic_session_accept()") overlooked one problem, in session_accept_fd() at the end, there's a bunch of FD-specific stuff that either sets up or resets the socket at the TCP level. The tests are mostly performed for AF_INET/AF_INET6 families but they're only for one part (i.e. to avoid setting up TCP options on UNIX sockets). Other pieces continue to configure the socket regardless of its family. All of this directly acts on the FD, which is not correct since the FD is not valid here, it corresponds to the QUIC handle. The issue is much more visible when "option nolinger" is enabled in the frontend, because the access to fdatb[cfd].state immediately crashes on the first connection, as can be seen in github issue #2030. This patch bypasses this setup for FD-less connections, such as QUIC. However some of them could definitely be relevant to the QUIC stack, or even to UNIX sockets sometimes. A better long-term solution would consist in implementing a setsockopt() equivalent at the protocol layer that would be used to configure the socket, either the FD or the QUIC conn depending on the case. Some of them would not always be implemented but that would allow to unify all this code. This fix must be backported everywhere the commit above is backported, namely 2.6 and 2.7. Thanks to github user @twomoses for the nicely detailed report.
2023-02-09 11:53:41 -05:00
skip_fd_setup:
MEDIUM: session: add a pointer to a struct task in the session The session may need to enforce a timeout when waiting for a handshake. Till now we used a trick to avoid allocating a pointer, we used to set the connection's owner to the task and set the task's context to the session, so that it was possible to circle between all of them. The problem is that we'll really need to pass the pointer to the session to the upper layers during initialization and that the only place to store it is conn->owner, which is squatted for this trick. So this patch moves the struct task* into the session where it should always have been and ensures conn->owner points to the session until the data layer is properly initialized.
2017-08-28 13:02:51 -04:00
/* OK, now either we have a pending handshake to execute with and then
* we must return to the I/O layer, or we can proceed with the end of
* the stream initialization. In case of handshake, we also set the I/O
* timeout to the frontend's client timeout and register a task in the
* session for this purpose. The connection's owner is left to the
* session during this period.
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
*
* At this point we set the relation between sess/task/conn this way :
*
MEDIUM: session: add a pointer to a struct task in the session The session may need to enforce a timeout when waiting for a handshake. Till now we used a trick to avoid allocating a pointer, we used to set the connection's owner to the task and set the task's context to the session, so that it was possible to circle between all of them. The problem is that we'll really need to pass the pointer to the session to the upper layers during initialization and that the only place to store it is conn->owner, which is squatted for this trick. So this patch moves the struct task* into the session where it should always have been and ensures conn->owner points to the session until the data layer is properly initialized.
2017-08-28 13:02:51 -04:00
* +----------------- task
* | |
* orig -- sess <-- context |
* | ^ | |
* v | | |
* conn -- owner ---> task <-----+
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
*/
MEDIUM: connection: use CO_FL_WAIT_XPRT more consistently than L4/L6/HANDSHAKE As mentioned in commit c192b0ab95 ("MEDIUM: connection: remove CO_FL_CONNECTED and only rely on CO_FL_WAIT_*"), there is a lack of consistency on which flags are checked among L4/L6/HANDSHAKE depending on the code areas. A number of sample fetch functions only check for L4L6 to report MAY_CHANGE, some places only check for HANDSHAKE and many check both L4L6 and HANDSHAKE. This patch starts to make all of this more consistent by introducing a new mask CO_FL_WAIT_XPRT which is the union of L4/L6/HANDSHAKE and reports whether the transport layer is ready or not. All inconsistent call places were updated to rely on this one each time the goal was to check for the readiness of the transport layer.
2020-01-23 10:27:54 -05:00
if (cli_conn->flags & (CO_FL_WAIT_XPRT | CO_FL_EARLY_SSL_HS)) {
MEDIUM: session: handshake timeout (TCP) Adapt session_accept_fd() called on accept() to set the handshake timeout from "hanshake-timeout" setting if set by configuration. If not set, continue to use the "client" timeout setting.
2023-11-15 08:24:10 -05:00
int timeout;
int clt_tmt = p->timeout.client;
MINOR: quic: Rename "handshake" timeout to "client-hs" Use a more specific name for this timeout to distinguish it from a possible future one on the server side. Also update the documentation.
2023-11-17 12:03:20 -05:00
int hs_tmt = p->timeout.client_hs;
MEDIUM: session: handshake timeout (TCP) Adapt session_accept_fd() called on accept() to set the handshake timeout from "hanshake-timeout" setting if set by configuration. If not set, continue to use the "client" timeout setting.
2023-11-15 08:24:10 -05:00
MINOR: task: provide 3 task_new_* wrappers to simplify the API We'll need to improve the API to pass other arguments in the future, so let's start to adapt better to the current use cases. task_new() is used: - 18 times as task_new(tid_bit) - 18 times as task_new(MAX_THREADS_MASK) - 2 times with a single bit (in a loop) - 1 in the debug code that uses a mask This patch provides 3 new functions to achieve this: - task_new_here() to create a task on the calling thread - task_new_anywhere() to create a task to be run anywhere - task_new_on() to create a task to run on a specific thread The change is trivial and will allow us to later concentrate the required adaptations to these 3 functions only. It's still possible to call task_new() if needed but a comment was added to encourage the use of the new ones instead. The debug code was not changed and still uses it.
2021-10-01 12:23:30 -04:00
if (unlikely((sess->task = task_new_here()) == NULL))
MEDIUM: stream: make stream_new() allocate its own task Currently a task is allocated in session_new() and serves two purposes : - either the handshake is complete and it is offered to the stream via the second arg of stream_new() - or the handshake is not complete and it's diverted to be used as a timeout handler for the embryonic session and repurposed once we land into conn_complete_session() Furthermore, the task's process() function was taken from the listener's handler in conn_complete_session() prior to being replaced by a call to stream_new(). This will become a serious mess with the mux. Since it's impossible to have a stream without a task, this patch removes the second arg from stream_new() and make this function allocate its own task. In session_accept_fd(), we now only allocate the task if needed for the embryonic session and delete it later.
2017-08-28 10:22:54 -04:00
goto out_free_sess;
MEDIUM: session: handshake timeout (TCP) Adapt session_accept_fd() called on accept() to set the handshake timeout from "hanshake-timeout" setting if set by configuration. If not set, continue to use the "client" timeout setting.
2023-11-15 08:24:10 -05:00
/* Handshake timeout as default timeout */
timeout = hs_tmt ? hs_tmt : clt_tmt;
MEDIUM: session: add a pointer to a struct task in the session The session may need to enforce a timeout when waiting for a handshake. Till now we used a trick to avoid allocating a pointer, we used to set the connection's owner to the task and set the task's context to the session, so that it was possible to circle between all of them. The problem is that we'll really need to pass the pointer to the session to the upper layers during initialization and that the only place to store it is conn->owner, which is squatted for this trick. So this patch moves the struct task* into the session where it should always have been and ensures conn->owner points to the session until the data layer is properly initialized.
2017-08-28 13:02:51 -04:00
sess->task->context = sess;
MINOR: listener: move the nice field to the bind_conf This is another bind line setting which can move to the bind_conf. Note that it leaves a 2-byte hole in the listener struct.
2023-01-12 13:32:45 -05:00
sess->task->nice = l->bind_conf->nice;
MEDIUM: session: add a pointer to a struct task in the session The session may need to enforce a timeout when waiting for a handshake. Till now we used a trick to avoid allocating a pointer, we used to set the connection's owner to the task and set the task's context to the session, so that it was possible to circle between all of them. The problem is that we'll really need to pass the pointer to the session to the upper layers during initialization and that the only place to store it is conn->owner, which is squatted for this trick. So this patch moves the struct task* into the session where it should always have been and ensures conn->owner points to the session until the data layer is properly initialized.
2017-08-28 13:02:51 -04:00
sess->task->process = session_expire_embryonic;
MEDIUM: session: handshake timeout (TCP) Adapt session_accept_fd() called on accept() to set the handshake timeout from "hanshake-timeout" setting if set by configuration. If not set, continue to use the "client" timeout setting.
2023-11-15 08:24:10 -05:00
sess->task->expire = tick_add_ifset(now_ms, timeout);
MEDIUM: session: add a pointer to a struct task in the session The session may need to enforce a timeout when waiting for a handshake. Till now we used a trick to avoid allocating a pointer, we used to set the connection's owner to the task and set the task's context to the session, so that it was possible to circle between all of them. The problem is that we'll really need to pass the pointer to the session to the upper layers during initialization and that the only place to store it is conn->owner, which is squatted for this trick. So this patch moves the struct task* into the session where it should always have been and ensures conn->owner points to the session until the data layer is properly initialized.
2017-08-28 13:02:51 -04:00
task_queue(sess->task);
MINOR: session: define flag to explicitely release listener on free When a session is allocated for a FE connection, session_free() is responsible to call listener_release() to decrement listener connection counters and resume listening. Until now, <listener> member of session was tested inside session_free() before invocating listener_release(). To highlight more explicitely the relation between sessions and listeners, introduce a new flag SESS_FL_RELEASE_LI. Only session with such flag set will invoke listener_release() on their cleanup. Flag is set inside session_accept_fd() on success. This patch has no functional change. However, it will be useful to implement session creation for rHTTP preconnect.
2024-05-21 10:44:26 -04:00
/* Session is responsible to decrement listener conns counters. */
sess->flags |= SESS_FL_RELEASE_LI;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
return 1;
}
MINOR: session: set the CO_FL_CONNECTED flag on the connection once ready If we know there's no handshake, we must set the flag on the connection, it's not the job of the stream initializer to do it.
2015-04-04 19:04:01 -04:00
/* OK let's complete stream initialization since there is no handshake */
MINOR: session: define flag to explicitely release listener on free When a session is allocated for a FE connection, session_free() is responsible to call listener_release() to decrement listener connection counters and resume listening. Until now, <listener> member of session was tested inside session_free() before invocating listener_release(). To highlight more explicitely the relation between sessions and listeners, introduce a new flag SESS_FL_RELEASE_LI. Only session with such flag set will invoke listener_release() on their cleanup. Flag is set inside session_accept_fd() on success. This patch has no functional change. However, it will be useful to implement session creation for rHTTP preconnect.
2024-05-21 10:44:26 -04:00
if (conn_complete_session(cli_conn) >= 0) {
/* Session is responsible to decrement listener conns counters. */
sess->flags |= SESS_FL_RELEASE_LI;
MEDIUM: session: factor out duplicated code for conn_complete_session session_accept_fd() may either successfully complete a session creation, or defer it to conn_complete_session() depending of whether a handshake remains to be performed or not. The problem is that all the code after the handshake was duplicated between the two functions. This patch make session_accept_fd() synchronously call conn_complete_session() to finish the session creation. It is only needed to check if the session's task has to be released or not at the end, which is fairly minimal. This way there is now a single place where the sessions are created.
2017-09-15 04:06:28 -04:00
return 1;
MINOR: session: define flag to explicitely release listener on free When a session is allocated for a FE connection, session_free() is responsible to call listener_release() to decrement listener connection counters and resume listening. Until now, <listener> member of session was tested inside session_free() before invocating listener_release(). To highlight more explicitely the relation between sessions and listeners, introduce a new flag SESS_FL_RELEASE_LI. Only session with such flag set will invoke listener_release() on their cleanup. Flag is set inside session_accept_fd() on success. This patch has no functional change. However, it will be useful to implement session creation for rHTTP preconnect.
2024-05-21 10:44:26 -04:00
}
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
BUG/MEDIUM: session: do not report a failure when rejecting a session In session_accept_fd() we can perform a synchronous call to conn_complete_session() and if it succeeds the connection is accepted and turned into a session. If it fails we take it as an error while it is not, in this case, it's just that a tcp-request rule has decided to reject the incoming connection. The problem with reporting such an event as an error is that the failed status is passed down to the listener code which decides to disable accept() for 100ms in order to leave some time for transient issues to vanish, and that's not what we want to do here. This fix must be backported as far as 1.7. In 1.7 the code is a bit different as tcp_exec_l5_rules() is called directly from within session_new_fd() and ret=0 must be assigned there.
2020-01-07 12:03:09 -05:00
/* if we reach here we have deliberately decided not to keep this
* session (e.g. tcp-request rule), so that's not an error we should
* try to protect against.
*/
ret = 0;
MEDIUM: session: factor out duplicated code for conn_complete_session session_accept_fd() may either successfully complete a session creation, or defer it to conn_complete_session() depending of whether a handshake remains to be performed or not. The problem is that all the code after the handshake was duplicated between the two functions. This patch make session_accept_fd() synchronously call conn_complete_session() to finish the session creation. It is only needed to check if the session's task has to be released or not at the end, which is fairly minimal. This way there is now a single place where the sessions are created.
2017-09-15 04:06:28 -04:00
/* error unrolling */
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
out_free_sess:
MINOR: session: define flag to explicitely release listener on free When a session is allocated for a FE connection, session_free() is responsible to call listener_release() to decrement listener connection counters and resume listening. Until now, <listener> member of session was tested inside session_free() before invocating listener_release(). To highlight more explicitely the relation between sessions and listeners, introduce a new flag SESS_FL_RELEASE_LI. Only session with such flag set will invoke listener_release() on their cleanup. Flag is set inside session_accept_fd() on success. This patch has no functional change. However, it will be useful to implement session creation for rHTTP preconnect.
2024-05-21 10:44:26 -04:00
/* SESS_FL_RELEASE_LI must not be set here as listener_release() is
* called manually for all errors.
*/
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
session_free(sess);
MINOR: session: simplify error path in session_accept_fd() Now that this function is always called with an initialized connection and that the control layer is always initialized, we don't need to play games with fdtab[] to decide how to close, we can simply rely on the regular close path using conn_ctrl_close(), which can be fused with conn_xprt_close() into conn_full_close(). The code is cleaner because the FD is now used only for some protocol-specific setup (that will eventually have to move) and to try to send a hard-coded HTTP 500 error message on raw sockets.
2020-10-15 01:11:14 -04:00
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
out_free_conn:
BUG/MINOR: session: Emit an HTTP error if accept fails only for H1 connection If session_accept_fd() fails for a raw HTTP socket, we try to send an HTTP error 500. But, we must also take care it is an HTTP/1 connection. We cannot rely on the mux at this stage, because the error, if any, happens before or during its creation. So, instead, we check if the mux_proto is specified or not. Indeed, the mux h1 cannot be forced on the bind line and there is no ALPN to choose another mux on a raw socket. So if there is no mux_proto defined for a raw HTTP socket, we are sure to have an HTTP/1 connection. This patch must be backported to 2.0 and 1.9.
2019-07-17 10:53:19 -04:00
if (ret < 0 && l->bind_conf->xprt == xprt_get(XPRT_RAW) &&
BUG/MEDIUM: quic: fix crash when "option nolinger" is set in the frontend Commit 0aba11e9e ("MINOR: quic: remove unnecessary quic_session_accept()") overlooked one problem, in session_accept_fd() at the end, there's a bunch of FD-specific stuff that either sets up or resets the socket at the TCP level. The tests are mostly performed for AF_INET/AF_INET6 families but they're only for one part (i.e. to avoid setting up TCP options on UNIX sockets). Other pieces continue to configure the socket regardless of its family. All of this directly acts on the FD, which is not correct since the FD is not valid here, it corresponds to the QUIC handle. The issue is much more visible when "option nolinger" is enabled in the frontend, because the access to fdatb[cfd].state immediately crashes on the first connection, as can be seen in github issue #2030. This patch bypasses this setup for FD-less connections, such as QUIC. However some of them could definitely be relevant to the QUIC stack, or even to UNIX sockets sometimes. A better long-term solution would consist in implementing a setsockopt() equivalent at the protocol layer that would be used to configure the socket, either the FD or the QUIC conn depending on the case. Some of them would not always be implemented but that would allow to unify all this code. This fix must be backported everywhere the commit above is backported, namely 2.6 and 2.7. Thanks to github user @twomoses for the nicely detailed report.
2023-02-09 11:53:41 -05:00
p->mode == PR_MODE_HTTP && l->bind_conf->mux_proto == NULL &&
!(cli_conn->flags & CO_FL_FDLESS)) {
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
/* critical error, no more memory, try to emit a 500 response */
BUG/MINOR: session: Send a default HTTP error if accept fails for a H1 socket If session_accept_fd() fails for a raw HTTP socket, we try to send an HTTP error 500. But we must not rely on error messages of the proxy or on the array http_err_chunks because these are HTX messages. And it should be too expensive to convert an HTX message to a raw message at this place. So instead, we send a default HTTP error message from the array http_err_msgs. This patch must be backported to 2.0 and 1.9.
2019-07-17 15:36:33 -04:00
send(cfd, http_err_msgs[HTTP_ERR_500], strlen(http_err_msgs[HTTP_ERR_500]),
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
MSG_DONTWAIT|MSG_NOSIGNAL);
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
}
MINOR: connection: implement conn_release() Several places reuse the same code to ensure a connection is properly freed, either via its MUX or by calling the proper set of functions. Factorize all of this in a new function conn_release(). This new function is now called via session_free() and session_accept_fd(). It will also be reused on delete server to proactively close idle connections.
2024-03-20 10:37:09 -04:00
/* Mux is already initialized for active reversed connection. */
conn_release(cli_conn);
MINOR: session: simplify error path in session_accept_fd() Now that this function is always called with an initialized connection and that the control layer is always initialized, we don't need to play games with fdtab[] to decide how to close, we can simply rely on the regular close path using conn_ctrl_close(), which can be fused with conn_xprt_close() into conn_full_close(). The code is cleaner because the FD is now used only for some protocol-specific setup (that will eventually have to move) and to try to send a hard-coded HTTP 500 error message on raw sockets.
2020-10-15 01:11:14 -04:00
listener_release(l);
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
return ret;
}
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
/* prepare <out> buffer with a log prefix for session <sess>. It only works with
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
* embryonic sessions based on a real connection. This function requires that
* at sess->origin points to the incoming connection.
*/
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
static void session_prepare_log_prefix(struct session *sess, struct buffer *out)
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
{
MINOR: session: Rely on client source address at session level to log error When an embryonic session is killed, if no log format is defined for this error, a generic error is emitted. When this happens, we now rely on the session to get the client source address. For now, session addresses are never set. So, thanks to the fallback mechanism, no changes are expected with this patch. But its purpose is to rely on addresses at the session level when set instead of those at the connection level.
2021-10-22 11:47:14 -04:00
const struct sockaddr_storage *src;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
struct tm tm;
char pn[INET6_ADDRSTRLEN];
int ret;
char *end;
MINOR: session: Rely on client source address at session level to log error When an embryonic session is killed, if no log format is defined for this error, a generic error is emitted. When this happens, we now rely on the session to get the client source address. For now, session addresses are never set. So, thanks to the fallback mechanism, no changes are expected with this patch. But its purpose is to rely on addresses at the session level when set instead of those at the connection level.
2021-10-22 11:47:14 -04:00
src = sess_src(sess);
ret = (src ? addr_to_str(src, pn, sizeof(pn)) : 0);
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
if (ret <= 0)
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
chunk_printf(out, "unknown [");
MEDIUM: protocol: make abns a custom unix socket address family This is a pre-requisite to adding the abnsz socket address family: in this patch we make use of protocol API rework started by 732913f ("MINOR: protocol: properly assign the sock_domain and sock_family") in order to implement a dedicated address family for ABNS sockets (based on UNIX parent family). Thanks to this, it will become trivial to implement a new ABNSZ (for abns zero) family which is essentially the same as ABNS but with a slight difference when it comes to path handling (ABNS uses the whole sun_path length, while ABNSZ's path is zero terminated and evaluation stops at 0) It was verified that this patch doesn't break reg-tests and behaves properly (tests performed on the CLI with show sess and show fd). Anywhere relevant, AF_CUST_ABNS is handled alongside AF_UNIX. If no distinction needs to be made, real_family() is used to fetch the proper real family type to handle it properly. Both stream and dgram were converted, so no functional change should be expected for this "internal" rework, except that proto will be displayed as "abns_{stream,dgram}" instead of "unix_{stream,dgram}". Before ("show sess" output): 0x64c35528aab0: proto=unix_stream src=unix:1 fe=GLOBAL be=<NONE> srv=<none> ts=00 epoch=0 age=0s calls=1 rate=0 cpu=0 lat=0 rq[f=848000h,i=0,an=00h,ax=] rp[f=80008000h,i=0,an=00h,ax=] scf=[8,0h,fd=21,rex=10s,wex=] scb=[8,1h,fd=-1,rex=,wex=] exp=10s rc=0 c_exp= After: 0x619da7ad74c0: proto=abns_stream src=unix:1 fe=GLOBAL be=<NONE> srv=<none> ts=00 epoch=0 age=0s calls=1 rate=0 cpu=0 lat=0 rq[f=848000h,i=0,an=00h,ax=] rp[f=80008000h,i=0,an=00h,ax=] scf=[8,0h,fd=22,rex=10s,wex=] scb=[8,1h,fd=-1,rex=,wex=] exp=10s rc=0 c_exp= Co-authored-by: Aurelien DARRAGON <adarragon@haproxy.com>
2024-08-09 12:48:14 -04:00
else if (real_family(ret) == AF_UNIX)
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
chunk_printf(out, "%s:%d [", pn, sess->listener->luid);
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
else
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
chunk_printf(out, "%s:%d [", pn, get_host_port(src));
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
get_localtime(sess->accept_date.tv_sec, &tm);
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
end = date2str_log(out->area + out->data, &tm, &(sess->accept_date),
out->size - out->data);
out->data = end - out->area;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
if (sess->listener->name)
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
chunk_appendf(out, "] %s/%s", sess->fe->id, sess->listener->name);
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
else
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
chunk_appendf(out, "] %s/%d", sess->fe->id, sess->listener->luid);
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
}
MEDIUM: session/ssl: return the SSL error string during a SSL handshake error SSL hanshake error were unable to dump the OpenSSL error string by default, to do so it was mandatory to configure a error-log-format with the ssl_fc_err fetch. This patch implements the session_build_err_string() function which creates the error log to send during session_kill_embryonic(), a special case is made with CO_ER_SSL_HANDSHAKE which is able to dump the error string with ERR_error_string(). Before: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure After: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure (error:0A000418:SSL routines::tlsv1 alert unknown ca)
2023-05-12 11:13:46 -04:00
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
/* fill <out> buffer with the string to use for send_log during
MEDIUM: session/ssl: return the SSL error string during a SSL handshake error SSL hanshake error were unable to dump the OpenSSL error string by default, to do so it was mandatory to configure a error-log-format with the ssl_fc_err fetch. This patch implements the session_build_err_string() function which creates the error log to send during session_kill_embryonic(), a special case is made with CO_ER_SSL_HANDSHAKE which is able to dump the error string with ERR_error_string(). Before: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure After: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure (error:0A000418:SSL routines::tlsv1 alert unknown ca)
2023-05-12 11:13:46 -04:00
* session_kill_embryonic(). Add log prefix and error string.
*
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
* It expects that the session originates from a connection.
*
MEDIUM: session/ssl: return the SSL error string during a SSL handshake error SSL hanshake error were unable to dump the OpenSSL error string by default, to do so it was mandatory to configure a error-log-format with the ssl_fc_err fetch. This patch implements the session_build_err_string() function which creates the error log to send during session_kill_embryonic(), a special case is made with CO_ER_SSL_HANDSHAKE which is able to dump the error string with ERR_error_string(). Before: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure After: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure (error:0A000418:SSL routines::tlsv1 alert unknown ca)
2023-05-12 11:13:46 -04:00
* The function is able to dump an SSL error string when CO_ER_SSL_HANDSHAKE
* is met.
*/
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
void session_embryonic_build_legacy_err(struct session *sess, struct buffer *out)
MEDIUM: session/ssl: return the SSL error string during a SSL handshake error SSL hanshake error were unable to dump the OpenSSL error string by default, to do so it was mandatory to configure a error-log-format with the ssl_fc_err fetch. This patch implements the session_build_err_string() function which creates the error log to send during session_kill_embryonic(), a special case is made with CO_ER_SSL_HANDSHAKE which is able to dump the error string with ERR_error_string(). Before: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure After: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure (error:0A000418:SSL routines::tlsv1 alert unknown ca)
2023-05-12 11:13:46 -04:00
{
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
struct connection *conn = objt_conn(sess->origin);
MEDIUM: session/ssl: return the SSL error string during a SSL handshake error SSL hanshake error were unable to dump the OpenSSL error string by default, to do so it was mandatory to configure a error-log-format with the ssl_fc_err fetch. This patch implements the session_build_err_string() function which creates the error log to send during session_kill_embryonic(), a special case is made with CO_ER_SSL_HANDSHAKE which is able to dump the error string with ERR_error_string(). Before: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure After: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure (error:0A000418:SSL routines::tlsv1 alert unknown ca)
2023-05-12 11:13:46 -04:00
const char *err_msg;
struct ssl_sock_ctx __maybe_unused *ssl_ctx;
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
BUG_ON(!conn);
MEDIUM: session/ssl: return the SSL error string during a SSL handshake error SSL hanshake error were unable to dump the OpenSSL error string by default, to do so it was mandatory to configure a error-log-format with the ssl_fc_err fetch. This patch implements the session_build_err_string() function which creates the error log to send during session_kill_embryonic(), a special case is made with CO_ER_SSL_HANDSHAKE which is able to dump the error string with ERR_error_string(). Before: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure After: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure (error:0A000418:SSL routines::tlsv1 alert unknown ca)
2023-05-12 11:13:46 -04:00
err_msg = conn_err_code_str(conn);
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
session_prepare_log_prefix(sess, out);
MEDIUM: session/ssl: return the SSL error string during a SSL handshake error SSL hanshake error were unable to dump the OpenSSL error string by default, to do so it was mandatory to configure a error-log-format with the ssl_fc_err fetch. This patch implements the session_build_err_string() function which creates the error log to send during session_kill_embryonic(), a special case is made with CO_ER_SSL_HANDSHAKE which is able to dump the error string with ERR_error_string(). Before: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure After: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure (error:0A000418:SSL routines::tlsv1 alert unknown ca)
2023-05-12 11:13:46 -04:00
#ifdef USE_OPENSSL
ssl_ctx = conn_get_ssl_sock_ctx(conn);
BUG/MINOR: ssl: log message non thread safe in SSL Hanshake failure It was reported in issue #2181, strange behavior during the new SSL hanshake failure logs. Errors were logged with the code 0, which is unknown to OpenSSL. This patch mades 2 changes: - It stops using ERR_error_string() when the SSL error code is 0 - It uses ERR_error_string_n() to be thread-safe Must be backported to 2.8.
2023-06-12 10:23:29 -04:00
/* when the SSL error code is present and during a SSL Handshake failure,
* try to dump the error string from OpenSSL */
if (conn->err_code == CO_ER_SSL_HANDSHAKE && ssl_ctx && ssl_ctx->error_code != 0) {
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
chunk_appendf(out, ": SSL handshake failure (");
ERR_error_string_n(ssl_ctx->error_code, b_orig(out)+b_data(out), b_room(out));
out->data = strlen(b_orig(out));
chunk_appendf(out, ")\n");
MEDIUM: session/ssl: return the SSL error string during a SSL handshake error SSL hanshake error were unable to dump the OpenSSL error string by default, to do so it was mandatory to configure a error-log-format with the ssl_fc_err fetch. This patch implements the session_build_err_string() function which creates the error log to send during session_kill_embryonic(), a special case is made with CO_ER_SSL_HANDSHAKE which is able to dump the error string with ERR_error_string(). Before: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure After: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure (error:0A000418:SSL routines::tlsv1 alert unknown ca)
2023-05-12 11:13:46 -04:00
}
else
#endif /* ! USE_OPENSSL */
if (err_msg)
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
chunk_appendf(out, ": %s\n", err_msg);
MEDIUM: session/ssl: return the SSL error string during a SSL handshake error SSL hanshake error were unable to dump the OpenSSL error string by default, to do so it was mandatory to configure a error-log-format with the ssl_fc_err fetch. This patch implements the session_build_err_string() function which creates the error log to send during session_kill_embryonic(), a special case is made with CO_ER_SSL_HANDSHAKE which is able to dump the error string with ERR_error_string(). Before: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure After: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure (error:0A000418:SSL routines::tlsv1 alert unknown ca)
2023-05-12 11:13:46 -04:00
else
MINOR: session: expose session_embryonic_build_legacy_err() function rename session_build_err_string() to session_embryonic_build_legacy_err() and add new <out> buffer argument to the prototype. <out> will be used as destination for the generated string instead of implicitly relying on the trash buffer. Finally, expose the new function through the header file so that it becomes usable from any source file. The function is expected to be called with a session originating from a connection and should not be used for applets.
2024-02-21 10:38:46 -05:00
chunk_appendf(out, ": unknown connection error (code=%d flags=%08x)\n",
MEDIUM: session/ssl: return the SSL error string during a SSL handshake error SSL hanshake error were unable to dump the OpenSSL error string by default, to do so it was mandatory to configure a error-log-format with the ssl_fc_err fetch. This patch implements the session_build_err_string() function which creates the error log to send during session_kill_embryonic(), a special case is made with CO_ER_SSL_HANDSHAKE which is able to dump the error string with ERR_error_string(). Before: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure After: <134>May 12 17:14:04 haproxy[183151]: 127.0.0.1:49346 [12/May/2023:17:14:04.571] frt2/1: SSL handshake failure (error:0A000418:SSL routines::tlsv1 alert unknown ca)
2023-05-12 11:13:46 -04:00
conn->err_code, conn->flags);
return;
}
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
/* This function kills an existing embryonic session. It stops the connection's
* transport layer, releases assigned resources, resumes the listener if it was
* disabled and finally kills the file descriptor. This function requires that
* sess->origin points to the incoming connection.
*/
MEDIUM: task: extend the state field to 32 bits It's been too short for quite a while now and is now full. It's still time to extend it to 32-bits since we have room for this without wasting any space, so we now gained 16 new bits for future flags. The values were not reassigned just in case there would be a few hidden u16 or short somewhere in which these flags are placed (as it used to be the case with stream->pending_events). The patch is tagged MEDIUM because this required to update the task's process() prototype to use an int instead of a short, that's quite a bunch of places.
2021-03-02 10:09:26 -05:00
static void session_kill_embryonic(struct session *sess, unsigned int state)
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
{
struct connection *conn = __objt_conn(sess->origin);
MEDIUM: session: add a pointer to a struct task in the session The session may need to enforce a timeout when waiting for a handshake. Till now we used a trick to avoid allocating a pointer, we used to set the connection's owner to the task and set the task's context to the session, so that it was possible to circle between all of them. The problem is that we'll really need to pass the pointer to the session to the upper layers during initialization and that the only place to store it is conn->owner, which is squatted for this trick. So this patch moves the struct task* into the session where it should always have been and ensures conn->owner points to the session until the data layer is properly initialized.
2017-08-28 13:02:51 -04:00
struct task *task = sess->task;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
unsigned int log = sess->fe->to_log;
if (log && (sess->fe->options & PR_O_NULLNOLOG)) {
/* with "option dontlognull", we don't log connections with no transfer */
if (!conn->err_code ||
conn->err_code == CO_ER_PRX_EMPTY || conn->err_code == CO_ER_PRX_ABORT ||
MINOR: listener: add the "accept-netscaler-cip" option to the "bind" keyword When NetScaler application switch is used as L3+ switch, informations regarding the original IP and TCP headers are lost as a new TCP connection is created between the NetScaler and the backend server. NetScaler provides a feature to insert in the TCP data the original data that can then be consumed by the backend server. Specifications and documentations from NetScaler: https://support.citrix.com/article/CTX205670 https://www.citrix.com/blogs/2016/04/25/how-to-enable-client-ip-in-tcpip-option-of-netscaler/ When CIP is enabled on the NetScaler, then a TCP packet is inserted just after the TCP handshake. This is composed as: - CIP magic number : 4 bytes Both sender and receiver have to agree on a magic number so that they both handle the incoming data as a NetScaler Client IP insertion packet. - Header length : 4 bytes Defines the length on the remaining data. - IP header : >= 20 bytes if IPv4, 40 bytes if IPv6 Contains the header of the last IP packet sent by the client during TCP handshake. - TCP header : >= 20 bytes Contains the header of the last TCP packet sent by the client during TCP handshake.
2016-06-04 10:11:10 -04:00
conn->err_code == CO_ER_CIP_EMPTY || conn->err_code == CO_ER_CIP_ABORT ||
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
conn->err_code == CO_ER_SSL_EMPTY || conn->err_code == CO_ER_SSL_ABORT)
log = 0;
}
if (log) {
BUG/MINOR: tasks: make sure wakeup events are properly reported to subscribers The tasks API was changed in 1.9-dev1 with commit 9f6af3322 ("MINOR: tasks: Change the task API so that the callback takes 3 arguments."), causing the task's state not to be usable anymore and to have been replaced with an explicit argument in the callee. The task's state doesn't contain any trace of the wakeup cause anymore. But there were two places where the old task's state remained in use : - sessions, used to more accurately report timeouts in logs when seeing TASK_WOKEN_TIMEOUT ; - peers, used to finish resynchronization when seeing TASK_WOKEN_SIGNAL This commit fixes both occurrences by making sure we don't access task->state directly (should we rename it by the way ?). No backport is needed.
2018-11-05 09:09:47 -05:00
if (!conn->err_code && (state & TASK_WOKEN_TIMER)) {
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
if (conn->flags & CO_FL_ACCEPT_PROXY)
conn->err_code = CO_ER_PRX_TIMEOUT;
MINOR: listener: add the "accept-netscaler-cip" option to the "bind" keyword When NetScaler application switch is used as L3+ switch, informations regarding the original IP and TCP headers are lost as a new TCP connection is created between the NetScaler and the backend server. NetScaler provides a feature to insert in the TCP data the original data that can then be consumed by the backend server. Specifications and documentations from NetScaler: https://support.citrix.com/article/CTX205670 https://www.citrix.com/blogs/2016/04/25/how-to-enable-client-ip-in-tcpip-option-of-netscaler/ When CIP is enabled on the NetScaler, then a TCP packet is inserted just after the TCP handshake. This is composed as: - CIP magic number : 4 bytes Both sender and receiver have to agree on a magic number so that they both handle the incoming data as a NetScaler Client IP insertion packet. - Header length : 4 bytes Defines the length on the remaining data. - IP header : >= 20 bytes if IPv4, 40 bytes if IPv6 Contains the header of the last IP packet sent by the client during TCP handshake. - TCP header : >= 20 bytes Contains the header of the last TCP packet sent by the client during TCP handshake.
2016-06-04 10:11:10 -04:00
else if (conn->flags & CO_FL_ACCEPT_CIP)
conn->err_code = CO_ER_CIP_TIMEOUT;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
else if (conn->flags & CO_FL_SSL_WAIT_HS)
conn->err_code = CO_ER_SSL_TIMEOUT;
}
MEDIUM: log/session: handle embryonic session log within sess_log() Move the embryonic session logging logic down to sess_log() in preparation for log-profiles because then log preferences will be set per logger and not per proxy. Indeed, as each logger may come with its own log-profile that possibly overrides proxy logformat preferences, the check will need to be performed at a central place by lower sending functions. To ensure the change doesn't break existing behavior, a dedicated sess_log_embryonic() wrapper was added and is exclusively used by session_kill_embryonic() to indicate that a special logging logic must be performed under sess_log(). Also, thanks to this change, log-format-sd will now be taken into account for legacy embryonic session logging.
2024-02-21 11:26:52 -05:00
sess_log_embryonic(sess);
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
}
/* kill the connection now */
MINOR: session: use conn_full_close() instead of conn_force_close() We simply disable tracking before calling it.
2017-10-05 12:12:51 -04:00
conn_stop_tracking(conn);
conn_full_close(conn);
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
conn_free(conn);
MAJOR: connections: Detach connections from streams. Do not destroy the connection when we're about to destroy a stream. This prevents us from doing keepalive on server connections when the client is using HTTP/2, as a new stream is created for each request. Instead, the session is now responsible for destroying connections. When reusing connections, the attach() mux method is now used to create a new conn_stream.
2018-11-13 10:48:36 -05:00
sess->origin = NULL;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
MEDIUM: tasks: Merge task_delete() and task_free() into task_destroy(). task_delete() was never used without calling task_free() just after, and task_free() was only used on error pathes to destroy a just-created task, so merge them into task_destroy(), that will remove the task from the wait queue, and make sure the task is either destroyed immediately if it's not in the run queue, or destroyed when it's supposed to run.
2019-04-17 16:51:06 -04:00
task_destroy(task);
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
session_free(sess);
}
/* Manages the embryonic session timeout. It is only called when the timeout
MINOR: session: export session_expire_embryonic() This is only to make it resolve nicely in "show tasks".
2021-01-29 06:27:57 -05:00
* strikes and performs the required cleanup. It's only exported to make it
* resolve in "show tasks".
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
*/
MEDIUM: task: extend the state field to 32 bits It's been too short for quite a while now and is now full. It's still time to extend it to 32-bits since we have room for this without wasting any space, so we now gained 16 new bits for future flags. The values were not reassigned just in case there would be a few hidden u16 or short somewhere in which these flags are placed (as it used to be the case with stream->pending_events). The patch is tagged MEDIUM because this required to update the task's process() prototype to use an int instead of a short, that's quite a bunch of places.
2021-03-02 10:09:26 -05:00
struct task *session_expire_embryonic(struct task *t, void *context, unsigned int state)
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
{
MINOR: tasks: Change the task API so that the callback takes 3 arguments. In preparation for thread-specific runqueues, change the task API so that the callback takes 3 arguments, the task itself, the context, and the state, those were retrieved from the task before. This will allow these elements to change atomically in the scheduler while the application uses the copied value, and even to have NULL tasks later.
2018-05-25 08:04:04 -04:00
struct session *sess = context;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
BUG/MEDIUM: sessions: Don't use t->state. In session_expire_embryonic(), don't use t->state, use the "state" argument instead, as t->state has been cleaned before we're being called.
2018-08-16 13:03:50 -04:00
if (!(state & TASK_WOKEN_TIMER))
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
return t;
BUG/MINOR: tasks: make sure wakeup events are properly reported to subscribers The tasks API was changed in 1.9-dev1 with commit 9f6af3322 ("MINOR: tasks: Change the task API so that the callback takes 3 arguments."), causing the task's state not to be usable anymore and to have been replaced with an explicit argument in the callee. The task's state doesn't contain any trace of the wakeup cause anymore. But there were two places where the old task's state remained in use : - sessions, used to more accurately report timeouts in logs when seeing TASK_WOKEN_TIMEOUT ; - peers, used to finish resynchronization when seeing TASK_WOKEN_SIGNAL This commit fixes both occurrences by making sure we don't access task->state directly (should we rename it by the way ?). No backport is needed.
2018-11-05 09:09:47 -05:00
session_kill_embryonic(sess, state);
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
return NULL;
}
/* Finish initializing a session from a connection, or kills it if the
MEDIUM: session: factor out duplicated code for conn_complete_session session_accept_fd() may either successfully complete a session creation, or defer it to conn_complete_session() depending of whether a handshake remains to be performed or not. The problem is that all the code after the handshake was duplicated between the two functions. This patch make session_accept_fd() synchronously call conn_complete_session() to finish the session creation. It is only needed to check if the session's task has to be released or not at the end, which is fairly minimal. This way there is now a single place where the sessions are created.
2017-09-15 04:06:28 -04:00
* connection shows and error. Returns <0 if the connection was killed. It may
MEDIUM: connections: Get ride of the xprt_done callback. The xprt_done_cb callback was used to defer some connection initialization until we're connected and the handshake are done. As it mostly consists of creating the mux, instead of using the callback, introduce a conn_create_mux() function, that will just call conn_complete_session() for frontend, and create the mux for backend. In h2_wake(), make sure we call the wake method of the stream_interface, as we no longer wakeup the stream task.
2020-01-22 12:08:48 -05:00
* be called either asynchronously when ssl handshake is done with an embryonic
MEDIUM: session: factor out duplicated code for conn_complete_session session_accept_fd() may either successfully complete a session creation, or defer it to conn_complete_session() depending of whether a handshake remains to be performed or not. The problem is that all the code after the handshake was duplicated between the two functions. This patch make session_accept_fd() synchronously call conn_complete_session() to finish the session creation. It is only needed to check if the session's task has to be released or not at the end, which is fairly minimal. This way there is now a single place where the sessions are created.
2017-09-15 04:06:28 -04:00
* session, or synchronously to finalize the session. The distinction is made
* on sess->task which is only set in the embryonic session case.
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
*/
MEDIUM: connections: Get ride of the xprt_done callback. The xprt_done_cb callback was used to defer some connection initialization until we're connected and the handshake are done. As it mostly consists of creating the mux, instead of using the callback, introduce a conn_create_mux() function, that will just call conn_complete_session() for frontend, and create the mux for backend. In h2_wake(), make sure we call the wake method of the stream_interface, as we no longer wakeup the stream task.
2020-01-22 12:08:48 -05:00
int conn_complete_session(struct connection *conn)
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
{
MEDIUM: session: add a pointer to a struct task in the session The session may need to enforce a timeout when waiting for a handshake. Till now we used a trick to avoid allocating a pointer, we used to set the connection's owner to the task and set the task's context to the session, so that it was possible to circle between all of them. The problem is that we'll really need to pass the pointer to the session to the upper layers during initialization and that the only place to store it is conn->owner, which is squatted for this trick. So this patch moves the struct task* into the session where it should always have been and ensures conn->owner points to the session until the data layer is properly initialized.
2017-08-28 13:02:51 -04:00
struct session *sess = conn->owner;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
MEDIUM: clock: replace timeval "now" with integer "now_ns" This puts an end to the occasional confusion between the "now" date that is internal, monotonic and not synchronized with the system's date, and "date" which is the system's date and not necessarily monotonic. Variable "now" was removed and replaced with a 64-bit integer "now_ns" which is a counter of nanoseconds. It wraps every 585 years, so if all goes well (i.e. if humanity does not need haproxy anymore in 500 years), it will just never wrap. This implies that now_ns is never nul and that the zero value can reliably be used as "not set yet" for a timestamp if needed. This will also simplify date checks where it becomes possible again to do "date1<date2". All occurrences of "tv_to_ns(&now)" were simply replaced by "now_ns". Due to the intricacies between now, global_now and now_offset, all 3 had to be turned to nanoseconds at once. It's not a problem since all of them were solely used in 3 functions in clock.c, but they make the patch look bigger than it really is. The clock_update_local_date() and clock_update_global_date() functions are now much simpler as there's no need anymore to perform conversions nor to round the timeval up or down. The wrapping continues to happen by presetting the internal offset in the short future so that the 32-bit now_ms continues to wrap 20 seconds after boot. The start_time used to calculate uptime can still be turned to nanoseconds now. One interrogation concerns global_now_ms which is used only for the freq counters. It's unclear whether there's more value in using two variables that need to be synchronized sequentially like today or to just use global_now_ns divided by 1 million. Both approaches will work equally well on modern systems, the difference might come from smaller ones. Better not change anyhting for now. One benefit of the new approach is that we now have an internal date with a resolution of the nanosecond and the precision of the microsecond, which can be useful to extend some measurements given that timestamps also have this resolution.
2023-04-28 03:16:15 -04:00
sess->t_handshake = ns_to_ms(now_ns - sess->accept_ts);
BUG/MEDIUM: session: fix reporting of handshake processing time in the logs The handshake processing time used to be stored per stream, which was valid when there was exactly one stream per session. With H2 and multiplexing it's not the case anymore and the reported handshake times are wrong in the logs as it's computed between the TCP accept() and the stream creation. Let's first move the handshake where it belongs, which is the session. However, this is not enough because we don't want to report an excessive idle time either for H2 (since many requests use the connection). So the solution used here is to have the stream retrieve sess->tv_accept and the handshake duration when the stream is created, and let the mux immediately reset them. This way, the handshake time becomes zero for the second and subsequent requests in H2 (which was already the case in H1), and the idle time exactly counts how long the connection remained unused while it could be used, so in H1 it runs from the end of the previous response and in H2 it runs from the end of the previous request since the channel is already available. This patch will need to be backported to 1.8.
2018-09-05 05:56:48 -04:00
MEDIUM: stream: don't rely on the session's listener anymore in stream_new() When the stream is instanciated from an applet, it doesn't necessarily have a listener. The listener was sparsely used there, just to retrieve the task function, update the listeners' stats, and set the analysers and default target, both of which are often zero from applets. Thus these elements are now initialized with default values that the caller is free to change if desired.
2015-04-05 18:25:48 -04:00
if (conn->flags & CO_FL_ERROR)
goto fail;
MEDIUM: session: adjust the connection flags before stream_new() It's not the stream's job to manipulate the connection's flags, it's more related to the session that accepted the new connection. And the only case where we have to do it conditionally is based on the frontend which is known from the session, thus it makes sense to do it there.
2015-04-08 12:18:15 -04:00
/* if logs require transport layer information, note it on the connection */
if (sess->fe->to_log & LW_XPRT)
conn->flags |= CO_FL_XPRT_TRACKED;
MEDIUM: tcp: add registration and processing of TCP L5 rules This commit introduces "tcp-request session" rules. These are very much like "tcp-request connection" rules except that they're processed after the handshake, so it is possible to consider SSL information and addresses rewritten by the proxy protocol header in actions. This is particularly useful to track proxied sources as this was not possible before, given that tcp-request content rules are processed after each HTTP request. Similarly it is possible to assign the proxied source address or the client's cert to a variable.
2016-10-21 10:37:51 -04:00
/* we may have some tcp-request-session rules */
BUG/MINOR: session: Eval L4/L5 rules defined in the default section It is possible to define TCP/HTTP rules in a named default section to inherit from it in a proxy. However, there is an issue with L4/L5 rules. Only the lists of the current frontend are checked to know if an eval must be performed. Nothing is done for an empty list. Of course, the lists of the default proxy must also be checked to be sure to not ignored default L4/L5 rules. It is now fixed. This patch should fix the issue #2637. It must be backported as far as 2.6.
2024-07-12 09:21:21 -04:00
if (((sess->fe->defpx && !LIST_ISEMPTY(&sess->fe->defpx->tcp_req.l5_rules)) ||
!LIST_ISEMPTY(&sess->fe->tcp_req.l5_rules)) && !tcp_exec_l5_rules(sess))
MEDIUM: tcp: add registration and processing of TCP L5 rules This commit introduces "tcp-request session" rules. These are very much like "tcp-request connection" rules except that they're processed after the handshake, so it is possible to consider SSL information and addresses rewritten by the proxy protocol header in actions. This is particularly useful to track proxied sources as this was not possible before, given that tcp-request content rules are processed after each HTTP request. Similarly it is possible to assign the proxied source address or the client's cert to a variable.
2016-10-21 10:37:51 -04:00
goto fail;
MINOR: session: maintain the session count stats in the session, not the stream This has nothing to do in the stream, as we'll face absurdities when chaining multiple streams. The session is where it must be accounted for.
2015-04-08 12:10:49 -04:00
session_count_new(sess);
MINOR: connection: prepare init code paths for active reverse When an active reverse connection is initialized, it has no stream-conn attached to it contrary to other backend connections. This forces to add extra check on stream existence in conn_create_mux() and h2_init(). There is also extra checks required for session_accept_fd() after reverse and accept is done. This is because contrary to other frontend connections, reversed connections have already initialized their mux and transport layers. This forces us to skip the majority of session_accept_fd() initialization part. Finally, if session_accept_fd() is interrupted due to an early error, a reverse connection cannot be freed directly or else mux will remain alone. Instead, the mux destroy callback is used to free all connection elements properly.
2023-08-23 12:02:51 -04:00
if (!conn->mux) {
if (conn_install_mux_fe(conn, NULL) < 0)
goto fail;
}
MEDIUM: stream: don't rely on the session's listener anymore in stream_new() When the stream is instanciated from an applet, it doesn't necessarily have a listener. The listener was sparsely used there, just to retrieve the task function, update the listeners' stats, and set the analysers and default target, both of which are often zero from applets. Thus these elements are now initialized with default values that the caller is free to change if desired.
2015-04-05 18:25:48 -04:00
MEDIUM: stream: make stream_new() allocate its own task Currently a task is allocated in session_new() and serves two purposes : - either the handshake is complete and it is offered to the stream via the second arg of stream_new() - or the handshake is not complete and it's diverted to be used as a timeout handler for the embryonic session and repurposed once we land into conn_complete_session() Furthermore, the task's process() function was taken from the listener's handler in conn_complete_session() prior to being replaced by a call to stream_new(). This will become a serious mess with the mux. Since it's impossible to have a stream without a task, this patch removes the second arg from stream_new() and make this function allocate its own task. In session_accept_fd(), we now only allocate the task if needed for the embryonic session and delete it later.
2017-08-28 10:22:54 -04:00
/* the embryonic session's task is not needed anymore */
CLEANUP: task: remove unneeded tests before task_destroy() Since previous commit it's not needed anymore to test a task pointer before calling task_destory() so let's just remove these tests from the various callers before they become confusing. The function's arguments were also documented. The same should probably be done with tasklet_free() which involves a test in roughly half of the call places.
2019-05-07 13:05:35 -04:00
task_destroy(sess->task);
sess->task = NULL;
MEDIUM: session: make use of the connection's destroy callback Now we don't remove the session when a stream dies, instead we detach the stream and let the mux decide to release the connection and call session_free() instead.
2017-10-08 05:26:30 -04:00
conn_set_owner(conn, sess, conn_session_free);
MEDIUM: stream: don't rely on the session's listener anymore in stream_new() When the stream is instanciated from an applet, it doesn't necessarily have a listener. The listener was sparsely used there, just to retrieve the task function, update the listeners' stats, and set the analysers and default target, both of which are often zero from applets. Thus these elements are now initialized with default values that the caller is free to change if desired.
2015-04-05 18:25:48 -04:00
return 0;
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
MEDIUM: stream: don't rely on the session's listener anymore in stream_new() When the stream is instanciated from an applet, it doesn't necessarily have a listener. The listener was sparsely used there, just to retrieve the task function, update the listeners' stats, and set the analysers and default target, both of which are often zero from applets. Thus these elements are now initialized with default values that the caller is free to change if desired.
2015-04-05 18:25:48 -04:00
fail:
MEDIUM: session: factor out duplicated code for conn_complete_session session_accept_fd() may either successfully complete a session creation, or defer it to conn_complete_session() depending of whether a handshake remains to be performed or not. The problem is that all the code after the handshake was duplicated between the two functions. This patch make session_accept_fd() synchronously call conn_complete_session() to finish the session creation. It is only needed to check if the session's task has to be released or not at the end, which is fairly minimal. This way there is now a single place where the sessions are created.
2017-09-15 04:06:28 -04:00
if (sess->task)
BUG/MINOR: tasks: make sure wakeup events are properly reported to subscribers The tasks API was changed in 1.9-dev1 with commit 9f6af3322 ("MINOR: tasks: Change the task API so that the callback takes 3 arguments."), causing the task's state not to be usable anymore and to have been replaced with an explicit argument in the callee. The task's state doesn't contain any trace of the wakeup cause anymore. But there were two places where the old task's state remained in use : - sessions, used to more accurately report timeouts in logs when seeing TASK_WOKEN_TIMEOUT ; - peers, used to finish resynchronization when seeing TASK_WOKEN_SIGNAL This commit fixes both occurrences by making sure we don't access task->state directly (should we rename it by the way ?). No backport is needed.
2018-11-05 09:09:47 -05:00
session_kill_embryonic(sess, 0);
REORG: session: move the session parts out of stream.c This concerns everythins related to accepting a new session and expiring the embryonic session. There's still a hard-coded call to stream_accept_session() which could be set somewhere in the frontend, but for now it's not a problem.
2015-04-04 12:50:31 -04:00
return -1;
}
MINOR: session: add the necessary functions to update the per-session glitches This provides a new function session_add_glitch_ctr() that will update the glitch counter and rate for the session, if tracked at all.
2024-01-19 11:25:18 -05:00
/* Add <inc> to the number of cumulated glitches in the tracked counters for
* session <sess> which is known for being tracked, and implicitly update the
* rate if also tracked.
*/
void __session_add_glitch_ctr(struct session *sess, uint inc)
{
int i;
for (i = 0; i < global.tune.nb_stk_ctr; i++)
stkctr_add_glitch_ctr(&sess->stkctr[i], inc);
}
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
/* Session management of backend connections. */
MINOR: session: refactor alloc/lookup of sess_conns elements By default backend connections are stored into idle/avail server trees. However, if such connections cannot be shared between multiple clients, session serves as the alternative storage. To be able to quickly reuse a backend conn from a session, they are indexed by their target, which is either a server or a backend proxy. This is the purpose of 'struct sess_priv_conns' intermediary stockage element. Lookup and allocation of these elements are performed in several session function, for example to add, get or remove a backend connection from a session. The purpose of this patch is to simplify this by providing two internal functions sess_alloc_sess_conns() and sess_get_sess_conns(). Along with this, a new BUG_ON() is added into session_unown_conn(), which ensure that sess_priv_conns element is found when the connection is removed from the session.
2025-08-21 09:59:33 -04:00
/* Allocate a storage element into <sess> session which refers to <target>
* endpoint. This storage can be used to attach new connections
* to the session.
*
* Returns the allocated element or NULL on failure.
*/
static struct sess_priv_conns *sess_alloc_sess_conns(struct session *sess,
enum obj_type *target)
{
struct sess_priv_conns *pconns;
struct server *srv;
pconns = pool_alloc(pool_head_sess_priv_conns);
if (!pconns)
return NULL;
pconns->target = target;
LIST_INIT(&pconns->conn_list);
LIST_APPEND(&sess->priv_conns, &pconns->sess_el);
MT_LIST_INIT(&pconns->srv_el);
/* If <target> endpoint is a server, also attach storage element into it. */
if ((srv = objt_server(target)))
MT_LIST_APPEND(&srv->sess_conns, &pconns->srv_el);
pconns->tid = tid;
return pconns;
}
/* Retrieve the backend connections storage element from <sess> session which
* refers to <target> endpoint.
*
* This function usage must be protected with idle_conns lock.
*
* Returns the storage element or NULL if not found;
*/
static struct sess_priv_conns *sess_get_sess_conns(struct session *sess,
enum obj_type *target)
{
struct sess_priv_conns *pconns;
list_for_each_entry(pconns, &sess->priv_conns, sess_el) {
if (pconns->target == target)
return pconns;
}
return NULL;
}
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
/* Add the connection <conn> to the private conns list of session <sess>. Each
* connection is indexed by their respective target in the session. Nothing is
* performed if the connection is already in the session list.
*
* Returns true if conn is inserted or already present else false if a failure
* occurs during insertion.
*/
int session_add_conn(struct session *sess, struct connection *conn)
{
MINOR: session: refactor alloc/lookup of sess_conns elements By default backend connections are stored into idle/avail server trees. However, if such connections cannot be shared between multiple clients, session serves as the alternative storage. To be able to quickly reuse a backend conn from a session, they are indexed by their target, which is either a server or a backend proxy. This is the purpose of 'struct sess_priv_conns' intermediary stockage element. Lookup and allocation of these elements are performed in several session function, for example to add, get or remove a backend connection from a session. The purpose of this patch is to simplify this by providing two internal functions sess_alloc_sess_conns() and sess_get_sess_conns(). Along with this, a new BUG_ON() is added into session_unown_conn(), which ensure that sess_priv_conns element is found when the connection is removed from the session.
2025-08-21 09:59:33 -04:00
struct sess_priv_conns *pconns;
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
int ret = 0;
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
/* Connection target is used to index it in the session. Only BE conns are expected in session list. */
BUG_ON(!conn->target || objt_listener(conn->target));
/* A connection cannot be attached already to another session.
*
* This is safe as BE connections are flagged as private immediately
* after being created during connect_server(). The only potential
* issue would be if a connection is turned private later on during its
* lifetime. Currently, this happens only on NTLM headers detection,
* however this case is only implemented with HTTP/1.1 which cannot
* multiplex several streams on the same connection.
*/
BUG_ON(conn->owner && conn->owner != sess);
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
HA_SPIN_LOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
/* Already attach to the session */
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
if (!LIST_ISEMPTY(&conn->sess_el)) {
ret = 1;
goto out;
}
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
MINOR: session: refactor alloc/lookup of sess_conns elements By default backend connections are stored into idle/avail server trees. However, if such connections cannot be shared between multiple clients, session serves as the alternative storage. To be able to quickly reuse a backend conn from a session, they are indexed by their target, which is either a server or a backend proxy. This is the purpose of 'struct sess_priv_conns' intermediary stockage element. Lookup and allocation of these elements are performed in several session function, for example to add, get or remove a backend connection from a session. The purpose of this patch is to simplify this by providing two internal functions sess_alloc_sess_conns() and sess_get_sess_conns(). Along with this, a new BUG_ON() is added into session_unown_conn(), which ensure that sess_priv_conns element is found when the connection is removed from the session.
2025-08-21 09:59:33 -04:00
pconns = sess_get_sess_conns(sess, conn->target);
if (!pconns) {
pconns = sess_alloc_sess_conns(sess, conn->target);
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
if (!pconns)
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
goto out;
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
}
MINOR: session: refactor alloc/lookup of sess_conns elements By default backend connections are stored into idle/avail server trees. However, if such connections cannot be shared between multiple clients, session serves as the alternative storage. To be able to quickly reuse a backend conn from a session, they are indexed by their target, which is either a server or a backend proxy. This is the purpose of 'struct sess_priv_conns' intermediary stockage element. Lookup and allocation of these elements are performed in several session function, for example to add, get or remove a backend connection from a session. The purpose of this patch is to simplify this by providing two internal functions sess_alloc_sess_conns() and sess_get_sess_conns(). Along with this, a new BUG_ON() is added into session_unown_conn(), which ensure that sess_priv_conns element is found when the connection is removed from the session.
2025-08-21 09:59:33 -04:00
LIST_APPEND(&pconns->conn_list, &conn->sess_el);
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
/* Ensure owner is set for connection. It could have been reset
* prior on after a session_add_conn() failure.
*/
conn->owner = sess;
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
ret = 1;
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
out:
HA_SPIN_UNLOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
return ret;
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
}
/* Check that session <sess> is able to keep idle connection <conn>. This must
* be called each time a connection stored in a session becomes idle.
*
* Returns 0 if the connection is kept, else non-zero if the connection was
* explicitely removed from session.
*/
int session_check_idle_conn(struct session *sess, struct connection *conn)
{
/* Connection must be attached to session prior to this function call. */
BUG_ON(!conn->owner || conn->owner != sess);
/* Connection is not attached to a session. */
if (!conn->owner)
return 0;
/* Ensure conn is not already accounted as idle to prevent sess idle count excess increment. */
BUG_ON(conn->flags & CO_FL_SESS_IDLE);
if (sess->idle_conns >= sess->fe->max_out_conns) {
session_unown_conn(sess, conn);
conn->owner = NULL;
return -1;
}
else {
conn->flags |= CO_FL_SESS_IDLE;
sess->idle_conns++;
}
return 0;
}
/* Look for an available connection matching the target <target> in the server
* list of the session <sess>. It returns a connection if found. Otherwise it
* returns NULL.
*/
struct connection *session_get_conn(struct session *sess, void *target, int64_t hash)
{
MINOR: session: refactor alloc/lookup of sess_conns elements By default backend connections are stored into idle/avail server trees. However, if such connections cannot be shared between multiple clients, session serves as the alternative storage. To be able to quickly reuse a backend conn from a session, they are indexed by their target, which is either a server or a backend proxy. This is the purpose of 'struct sess_priv_conns' intermediary stockage element. Lookup and allocation of these elements are performed in several session function, for example to add, get or remove a backend connection from a session. The purpose of this patch is to simplify this by providing two internal functions sess_alloc_sess_conns() and sess_get_sess_conns(). Along with this, a new BUG_ON() is added into session_unown_conn(), which ensure that sess_priv_conns element is found when the connection is removed from the session.
2025-08-21 09:59:33 -04:00
struct connection *srv_conn, *res = NULL;
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
struct sess_priv_conns *pconns;
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
HA_SPIN_LOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
MINOR: session: refactor alloc/lookup of sess_conns elements By default backend connections are stored into idle/avail server trees. However, if such connections cannot be shared between multiple clients, session serves as the alternative storage. To be able to quickly reuse a backend conn from a session, they are indexed by their target, which is either a server or a backend proxy. This is the purpose of 'struct sess_priv_conns' intermediary stockage element. Lookup and allocation of these elements are performed in several session function, for example to add, get or remove a backend connection from a session. The purpose of this patch is to simplify this by providing two internal functions sess_alloc_sess_conns() and sess_get_sess_conns(). Along with this, a new BUG_ON() is added into session_unown_conn(), which ensure that sess_priv_conns element is found when the connection is removed from the session.
2025-08-21 09:59:33 -04:00
pconns = sess_get_sess_conns(sess, target);
if (!pconns)
goto end;
/* Search into pconns for a connection with matching params and available streams. */
list_for_each_entry(srv_conn, &pconns->conn_list, sess_el) {
if ((srv_conn->hash_node && srv_conn->hash_node->node.key == hash) &&
srv_conn->mux &&
(srv_conn->mux->avail_streams(srv_conn) > 0) &&
!(srv_conn->flags & CO_FL_WAIT_XPRT)) {
if (srv_conn->flags & CO_FL_SESS_IDLE) {
srv_conn->flags &= ~CO_FL_SESS_IDLE;
sess->idle_conns--;
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
}
MINOR: session: refactor alloc/lookup of sess_conns elements By default backend connections are stored into idle/avail server trees. However, if such connections cannot be shared between multiple clients, session serves as the alternative storage. To be able to quickly reuse a backend conn from a session, they are indexed by their target, which is either a server or a backend proxy. This is the purpose of 'struct sess_priv_conns' intermediary stockage element. Lookup and allocation of these elements are performed in several session function, for example to add, get or remove a backend connection from a session. The purpose of this patch is to simplify this by providing two internal functions sess_alloc_sess_conns() and sess_get_sess_conns(). Along with this, a new BUG_ON() is added into session_unown_conn(), which ensure that sess_priv_conns element is found when the connection is removed from the session.
2025-08-21 09:59:33 -04:00
res = srv_conn;
break;
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
}
}
end:
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
HA_SPIN_UNLOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
MINOR: session: refactor alloc/lookup of sess_conns elements By default backend connections are stored into idle/avail server trees. However, if such connections cannot be shared between multiple clients, session serves as the alternative storage. To be able to quickly reuse a backend conn from a session, they are indexed by their target, which is either a server or a backend proxy. This is the purpose of 'struct sess_priv_conns' intermediary stockage element. Lookup and allocation of these elements are performed in several session function, for example to add, get or remove a backend connection from a session. The purpose of this patch is to simplify this by providing two internal functions sess_alloc_sess_conns() and sess_get_sess_conns(). Along with this, a new BUG_ON() is added into session_unown_conn(), which ensure that sess_priv_conns element is found when the connection is removed from the session.
2025-08-21 09:59:33 -04:00
return res;
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
}
/* Remove the connection from the session list, and destroy sess_priv_conns
* element if it's now empty.
*/
void session_unown_conn(struct session *sess, struct connection *conn)
{
struct sess_priv_conns *pconns = NULL;
BUG_ON(objt_listener(conn->target));
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
HA_SPIN_LOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
/* WT: this currently is a workaround for an inconsistency between
* the link status of the connection in the session list and the
* connection's owner. This should be removed as soon as all this
* is addressed. Right now it's possible to enter here with a non-null
* conn->owner that points to a dead session, but in this case the
* element is not linked.
*/
if (!LIST_INLIST(&conn->sess_el))
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
goto out;
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
if (conn->flags & CO_FL_SESS_IDLE)
sess->idle_conns--;
LIST_DEL_INIT(&conn->sess_el);
conn->owner = NULL;
MINOR: session: refactor alloc/lookup of sess_conns elements By default backend connections are stored into idle/avail server trees. However, if such connections cannot be shared between multiple clients, session serves as the alternative storage. To be able to quickly reuse a backend conn from a session, they are indexed by their target, which is either a server or a backend proxy. This is the purpose of 'struct sess_priv_conns' intermediary stockage element. Lookup and allocation of these elements are performed in several session function, for example to add, get or remove a backend connection from a session. The purpose of this patch is to simplify this by providing two internal functions sess_alloc_sess_conns() and sess_get_sess_conns(). Along with this, a new BUG_ON() is added into session_unown_conn(), which ensure that sess_priv_conns element is found when the connection is removed from the session.
2025-08-21 09:59:33 -04:00
pconns = sess_get_sess_conns(sess, conn->target);
BUG_ON(!pconns); /* if conn is attached to session, its sess_conn must exists. */
if (LIST_ISEMPTY(&pconns->conn_list)) {
LIST_DELETE(&pconns->sess_el);
MT_LIST_DELETE(&pconns->srv_el);
pool_free(pool_head_sess_priv_conns, pconns);
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
}
MEDIUM: session: protect sess conns list by idle_conns_lock Introduce idle_conns_lock usage to protect manipulation to <priv_conns> session member. This represents a list of intermediary elements used to store backend connections attached to a session to prevent their sharing across multiple clients. Currently, this patch is unneeded as sessions are only manipulated on a single-thread. Indeed, contrary to idle connections stored in servers, takeover is not implemented for connections attached to a session. However, a future patch will introduce purging of these connections, which is already performed for connections attached to servers. As this can be executed by any thread, it is necessary to introduce idle_conns_lock usage to protect their manipulation.
2025-08-08 09:54:21 -04:00
out:
HA_SPIN_UNLOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
MINOR: session: uninline functions related to BE conns management Move from header to source file functions related to session management of backend connections. These functions are big enough to remove inline attribute.
2025-08-20 04:01:46 -04:00
}
MINOR: session: start to reintroduce struct session There is now a pointer to the session in the stream, which is NULL for now. The session pool is created as well. Some parts will move from the stream to the session now.
2015-04-03 07:53:24 -04:00
/*
* Local variables:
* c-indent-level: 8
* c-basic-offset: 8
* End:
*/
Reference in a new issue Copy permalink