From f7f53afcf9d367d194edfb6dfdc378efbc641d69 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sat, 26 Jun 2021 12:04:36 +0100
Subject: [PATCH] BUILD/MEDIUM: tcp: set-mark setting support for FreeBSD.
This platform has a similar socket option from Linux's SO_MARK, marking a socket with an id for packet filter purpose, DTrace monitoring and so on.
---
 doc/configuration.txt | 47 +++++++++++++++++++-----------------
 include/haproxy/connection.h | 5 +++-
 src/tcp_act.c | 4 +--
 3 files changed, 31 insertions(+), 25 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9ffcc7581..060d78426 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -6503,13 +6503,14 @@ http-request set-map() http-request set-mark [ { if | unless } ] - This is used to set the Netfilter MARK on all packets sent to the client to - the value passed in on platforms which support it. This value is an - unsigned 32 bit value which can be matched by netfilter and by the routing - table. It can be expressed both in decimal or hexadecimal format (prefixed by - "0x"). This can be useful to force certain packets to take a different route - (for example a cheaper network path for bulk downloads). This works on Linux - kernels 2.6.32 and above and requires admin privileges. + This is used to set the Netfilter/IPFW MARK on all packets sent to the client + to the value passed in on platforms which support it. This value is an + unsigned 32 bit value which can be matched by netfilter/ipfw and by the + routing table or monitoring the packets through DTrace. It can be expressed + both in decimal or hexadecimal format (prefixed by "0x"). + This can be useful to force certain packets to take a different route (for + example a cheaper network path for bulk downloads). This works on Linux + kernels 2.6.32 and above and requires admin privileges, as well on FreeBSD. http-request set-method [ { if | unless } ]
@@ -7163,13 +7164,14 @@ http-response set-map() http-response set-mark [ { if | unless } ] - This is used to set the Netfilter MARK on all packets sent to the client to - the value passed in on platforms which support it. This value is an - unsigned 32 bit value which can be matched by netfilter and by the routing - table. It can be expressed both in decimal or hexadecimal format (prefixed - by "0x"). This can be useful to force certain packets to take a different - route (for example a cheaper network path for bulk downloads). This works on - Linux kernels 2.6.32 and above and requires admin privileges. + This is used to set the Netfilter/IPFW MARK on all packets sent to the client + to the value passed in on platforms which support it. This value is an + unsigned 32 bit value which can be matched by netfilter/ipfw and by the + routing table or monitoring the packets through DTrace. + It can be expressed both in decimal or hexadecimal format (prefixed by "0x"). + This can be useful to force certain packets to take a different route (for + example a cheaper network path for bulk downloads). This works on Linux + kernels 2.6.32 and above and requires admin privileges, as well on FreeBSD. http-response set-nice [ { if | unless } ] 
@@ -11898,14 +11900,15 @@ tcp-request connection [{if | unless} ] fails and the actions evaluation continues. - set-mark : - Is used to set the Netfilter MARK in all packets sent to the client to - the value passed in on platforms which support it. This value is - an unsigned 32 bit value which can be matched by netfilter and by the - routing table. It can be expressed both in decimal or hexadecimal format - (prefixed by "0x"). This can be useful to force certain packets to take a - different route (for example a cheaper network path for bulk - downloads). This works on Linux kernels 2.6.32 and above and requires - admin privileges. + Is used to set the Netfilter/IPFW MARK in all packets sent to the client + to the value passed in on platforms which support it. This value + is an unsigned 32 bit value which can be matched by netfilter/ipfw and by + the routing table or monitoring the packets through DTrace. + It can be expressed both in decimal or hexadecimal format (prefixed by + "0x"). This can be useful to force certain packets to take a different + route (for example a cheaper network path for bulk downloads). This works + on Linux kernels 2.6.32 and above and requires admin privileges, as well + on FreeBSD. - set-src : Is used to set the source IP address to the value of specified
diff --git a/include/haproxy/connection.h b/include/haproxy/connection.h
index d4843462f..02096b036 100644
--- a/include/haproxy/connection.h
+++ b/include/haproxy/connection.h
@@ -694,8 +694,11 @@ static inline void conn_set_mark(const struct connection *conn, int mark)
 if (!conn || !conn_ctrl_ready(conn))
 return;
-#ifdef SO_MARK
+#if defined(SO_MARK)
 setsockopt(conn->handle.fd, SOL_SOCKET, SO_MARK, &mark, sizeof(mark));
+#elif defined(SO_USER_COOKIE)
+ uint32_t mval = (uint32_t)mark;
+ setsockopt(conn->handle.fd, SOL_SOCKET, SO_USER_COOKIE, &mval, sizeof(mval));
 #endif
 }
diff --git a/src/tcp_act.c b/src/tcp_act.c
index ff521d2c2..a6c58fb88 100644
--- a/src/tcp_act.c
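Review bot: The new `#elif defined(SO_USER_COOKIE)` branch discards the setsockopt() return value just as the SO_MARK branch does, so a mark the kernel refuses (the documentation in this same patch says the feature needs admin privileges) leaves the connection's packets unmarked with nothing logged, even though the set-mark rule was accepted at parse time. Since policy routing or packet filtering keyed on the mark then silently sees unmarked traffic, that best-effort contract should at least be stated above the `#if defined(SO_MARK)` line: `/* Best-effort: setsockopt() failures are not reported, so the packets simply stay unmarked. */`. A short comment on the new branch, `/* FreeBSD: SO_USER_COOKIE is the closest analogue of Linux SO_MARK (packet filter / DTrace); it takes a uint32_t. */`, would also explain why a separate copy of the value is needed. conn_set_mark's signature lies outside the hunk, and I am assuming uint32_t is already in scope in this header via an existing include; worth confirming on FreeBSD.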
+++ b/src/tcp_act.c
@@ -305,7 +305,7 @@ static enum act_parse_ret tcp_parse_set_src_dst(const char **args, int *orig_arg
 static enum act_parse_ret tcp_parse_set_mark(const char **args, int *cur_arg, struct proxy *px, struct act_rule *rule, char **err)
 {
-#ifdef SO_MARK
+#if defined(SO_MARK) || defined(SO_USER_COOKIE)
 char *endp;
 unsigned int mark;
@@ -328,7 +328,7 @@ static enum act_parse_ret tcp_parse_set_mark(const char **args, int *cur_arg, st
 global.last_checks |= LSTCHK_NETADM;
 return ACT_RET_PRS_OK;
 #else
- memprintf(err, "not supported on this platform (SO_MARK undefined)");
+ memprintf(err, "not supported on this platform (SO_MARK|SO_USER_COOKIE undefined)");
 return ACT_RET_PRS_ERR;
 #endif
 }
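Review bot: The platform test is now spelled out twice in two files: `#if defined(SO_MARK) || defined(SO_USER_COOKIE)` at the top of tcp_parse_set_mark here, and the `#if defined(SO_MARK)` / `#elif defined(SO_USER_COOKIE)` pair in conn_set_mark in include/haproxy/connection.h, with the `#else` message in the second hunk naming both macros a third time. If the two conditions ever drift apart (a third platform option, or a version check added on one side only), the parser would accept a set-mark rule that the connection layer compiles to a no-op, and the operator would only notice by inspecting traffic. A single feature macro defined once in connection.h next to conn_set_mark (name to be chosen by the maintainers) and tested here, with the `#else` message built from that same macro, keeps the parse-time check and the run-time implementation in lockstep. tcp_parse_set_mark begins in the first hunk and ends with the `}` of the second; the value parsing between them is outside both hunks.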