BUILD/MEDIUM: tcp: set-mark setting support for FreeBSD.

This platform has a similar socket option from Linux's SO_MARK, marking a socket with an id for packet filter purpose, DTrace monitoring and so on.
2025-02-17 02:56:51 +00:00 · 2021-06-26 12:04:36 +01:00 · 2021-06-26 12:04:36 +01:00 · f7f53afcf9
commit f7f53afcf9
parent ee9c98d81b
3 changed files with 31 additions and 25 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -6503,13 +6503,14 @@ http-request set-map(<file-name>) <key fmt> <value fmt>

 http-request set-mark <mark> [ { if | unless } <condition> ]

-  This is used to set the Netfilter MARK on all packets sent to the client to
-  the value passed in <mark> on platforms which support it. This value is an
-  unsigned 32 bit value which can be matched by netfilter and by the routing
-  table. It can be expressed both in decimal or hexadecimal format (prefixed by
-  "0x"). This can be useful to force certain packets to take a different route
-  (for example a cheaper network path for bulk downloads). This works on Linux
-  kernels 2.6.32 and above and requires admin privileges.
+  This is used to set the Netfilter/IPFW MARK on all packets sent to the client
+  to the value passed in <mark> on platforms which support it. This value is an
+  unsigned 32 bit value which can be matched by netfilter/ipfw and by the
+  routing table or monitoring the packets through DTrace. It can be expressed
+  both in decimal or hexadecimal format (prefixed by "0x").
+  This can be useful to force certain packets to take a different route (for
+  example a cheaper network path for bulk downloads). This works on Linux
+  kernels 2.6.32 and above and requires admin privileges, as well on FreeBSD.

 http-request set-method <fmt> [ { if | unless } <condition> ]

@ -7163,13 +7164,14 @@ http-response set-map(<file-name>) <key fmt> <value fmt>

 http-response set-mark <mark> [ { if | unless } <condition> ]

-  This is used to set the Netfilter MARK on all packets sent to the client to
-  the value passed in <mark> on platforms which support it. This value is an
-  unsigned 32 bit value which can be matched by netfilter and by the routing
-  table. It can be expressed both in decimal or hexadecimal format (prefixed
-  by "0x"). This can be useful to force certain packets to take a different
-  route (for example a cheaper network path for bulk downloads). This works on
-  Linux kernels 2.6.32 and above and requires admin privileges.
+  This is used to set the Netfilter/IPFW MARK on all packets sent to the client
+  to the value passed in <mark> on platforms which support it. This value is an
+  unsigned 32 bit value which can be matched by netfilter/ipfw and by the
+  routing table or monitoring the packets through DTrace.
+  It can be expressed both in decimal or hexadecimal format (prefixed by "0x").
+  This can be useful to force certain packets to take a different route (for
+  example a cheaper network path for bulk downloads). This works on Linux
+  kernels 2.6.32 and above and requires admin privileges, as well on FreeBSD.

 http-response set-nice <nice> [ { if | unless } <condition> ]

@ -11898,14 +11900,15 @@ tcp-request connection <action> [{if | unless} <condition>]
        fails and the actions evaluation continues.

    - set-mark <mark>:
-      Is used to set the Netfilter MARK in all packets sent to the client to
-      the value passed in <mark> on platforms which support it. This value is
-      an unsigned 32 bit value which can be matched by netfilter and by the
-      routing table. It can be expressed both in decimal or hexadecimal format
-      (prefixed by "0x"). This can be useful to force certain packets to take a
-      different route (for example a cheaper network path for bulk
-      downloads). This works on Linux kernels 2.6.32 and above and requires
-      admin privileges.
+      Is used to set the Netfilter/IPFW MARK in all packets sent to the client
+      to the value passed in <mark> on platforms which support it. This value
+      is an unsigned 32 bit value which can be matched by netfilter/ipfw and by
+      the routing table or monitoring the packets through DTrace.
+      It can be expressed both in decimal or hexadecimal format (prefixed by
+      "0x"). This can be useful to force certain packets to take a different
+      route (for example a cheaper network path for bulk downloads). This works
+      on Linux kernels 2.6.32 and above and requires admin privileges, as well
+      on FreeBSD.

    - set-src <expr> :
      Is used to set the source IP address to the value of specified
--- a/include/haproxy/connection.h
+++ b/include/haproxy/connection.h
@ -694,8 +694,11 @@ static inline void conn_set_mark(const struct connection *conn, int mark)
 	if (!conn || !conn_ctrl_ready(conn))
 		return;

-#ifdef SO_MARK
+#if defined(SO_MARK)
 	setsockopt(conn->handle.fd, SOL_SOCKET, SO_MARK, &mark, sizeof(mark));
+#elif defined(SO_USER_COOKIE)
+	uint32_t mval = (uint32_t)mark;
+	setsockopt(conn->handle.fd, SOL_SOCKET, SO_USER_COOKIE, &mval, sizeof(mval));
 #endif
 }

--- a/src/tcp_act.c
+++ b/src/tcp_act.c
@ -305,7 +305,7 @@ static enum act_parse_ret tcp_parse_set_src_dst(const char **args, int *orig_arg
 static enum act_parse_ret tcp_parse_set_mark(const char **args, int *cur_arg, struct proxy *px,
 					     struct act_rule *rule, char **err)
 {
-#ifdef SO_MARK
+#if defined(SO_MARK) || defined(SO_USER_COOKIE)
 	char *endp;
 	unsigned int mark;

@ -328,7 +328,7 @@ static enum act_parse_ret tcp_parse_set_mark(const char **args, int *cur_arg, st
 	global.last_checks |= LSTCHK_NETADM;
 	return ACT_RET_PRS_OK;
 #else
-	memprintf(err, "not supported on this platform (SO_MARK undefined)");
+	memprintf(err, "not supported on this platform (SO_MARK|SO_USER_COOKIE undefined)");
 	return ACT_RET_PRS_ERR;
 #endif
 }