BUILD/MEDIUM: tcp: set-mark setting support for FreeBSD.

This platform has a similar socket option from Linux's SO_MARK, marking a socket with an id for packet filter purpose, DTrace monitoring and so on.
2025-04-20 14:05:31 +00:00 · 2021-06-26 12:04:36 +01:00 · 2021-06-26 12:04:36 +01:00 · f7f53afcf9
commit f7f53afcf9
parent ee9c98d81b
3 changed files with 31 additions and 25 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -6503,13 +6503,14 @@ http-request set-map(<file-name>) <key fmt> <value fmt>
 http-request set-mark <mark> [ { if | unless } <condition> ]
-  This is used to set the Netfilter MARK on all packets sent to the client to
+  This is used to set the Netfilter/IPFW MARK on all packets sent to the client
-  the value passed in <mark> on platforms which support it. This value is an
+  to the value passed in <mark> on platforms which support it. This value is an
-  unsigned 32 bit value which can be matched by netfilter and by the routing
+  unsigned 32 bit value which can be matched by netfilter/ipfw and by the
-  table. It can be expressed both in decimal or hexadecimal format (prefixed by
+  routing table or monitoring the packets through DTrace. It can be expressed
-  "0x"). This can be useful to force certain packets to take a different route
+  both in decimal or hexadecimal format (prefixed by "0x").
-  (for example a cheaper network path for bulk downloads). This works on Linux
+  This can be useful to force certain packets to take a different route (for
-  kernels 2.6.32 and above and requires admin privileges.
+  example a cheaper network path for bulk downloads). This works on Linux
  kernels 2.6.32 and above and requires admin privileges, as well on FreeBSD.
 http-request set-method <fmt> [ { if | unless } <condition> ]
@ -7163,13 +7164,14 @@ http-response set-map(<file-name>) <key fmt> <value fmt>
 http-response set-mark <mark> [ { if | unless } <condition> ]
-  This is used to set the Netfilter MARK on all packets sent to the client to
+  This is used to set the Netfilter/IPFW MARK on all packets sent to the client
-  the value passed in <mark> on platforms which support it. This value is an
+  to the value passed in <mark> on platforms which support it. This value is an
-  unsigned 32 bit value which can be matched by netfilter and by the routing
+  unsigned 32 bit value which can be matched by netfilter/ipfw and by the
-  table. It can be expressed both in decimal or hexadecimal format (prefixed
+  routing table or monitoring the packets through DTrace.
-  by "0x"). This can be useful to force certain packets to take a different
+  It can be expressed both in decimal or hexadecimal format (prefixed by "0x").
-  route (for example a cheaper network path for bulk downloads). This works on
+  This can be useful to force certain packets to take a different route (for
-  Linux kernels 2.6.32 and above and requires admin privileges.
+  example a cheaper network path for bulk downloads). This works on Linux
  kernels 2.6.32 and above and requires admin privileges, as well on FreeBSD.
 http-response set-nice <nice> [ { if | unless } <condition> ]
@ -11898,14 +11900,15 @@ tcp-request connection <action> [{if | unless} <condition>]
        fails and the actions evaluation continues.
    - set-mark <mark>:
-      Is used to set the Netfilter MARK in all packets sent to the client to
+      Is used to set the Netfilter/IPFW MARK in all packets sent to the client
-      the value passed in <mark> on platforms which support it. This value is
+      to the value passed in <mark> on platforms which support it. This value
-      an unsigned 32 bit value which can be matched by netfilter and by the
+      is an unsigned 32 bit value which can be matched by netfilter/ipfw and by
-      routing table. It can be expressed both in decimal or hexadecimal format
+      the routing table or monitoring the packets through DTrace.
-      (prefixed by "0x"). This can be useful to force certain packets to take a
+      It can be expressed both in decimal or hexadecimal format (prefixed by
-      different route (for example a cheaper network path for bulk
+      "0x"). This can be useful to force certain packets to take a different
-      downloads). This works on Linux kernels 2.6.32 and above and requires
+      route (for example a cheaper network path for bulk downloads). This works
-      admin privileges.
+      on Linux kernels 2.6.32 and above and requires admin privileges, as well
      on FreeBSD.
    - set-src <expr> :
      Is used to set the source IP address to the value of specified
--- a/include/haproxy/connection.h
+++ b/include/haproxy/connection.h
@ -694,8 +694,11 @@ static inline void conn_set_mark(const struct connection *conn, int mark)
 	if (!conn || !conn_ctrl_ready(conn))
 		return;
-#ifdef SO_MARK
+#if defined(SO_MARK)
 	setsockopt(conn->handle.fd, SOL_SOCKET, SO_MARK, &mark, sizeof(mark));
 #elif defined(SO_USER_COOKIE)
 	uint32_t mval = (uint32_t)mark;
 	setsockopt(conn->handle.fd, SOL_SOCKET, SO_USER_COOKIE, &mval, sizeof(mval));
 #endif
 }
--- a/src/tcp_act.c
+++ b/src/tcp_act.c
@ -305,7 +305,7 @@ static enum act_parse_ret tcp_parse_set_src_dst(const char **args, int *orig_arg
 static enum act_parse_ret tcp_parse_set_mark(const char **args, int *cur_arg, struct proxy *px,
 					     struct act_rule *rule, char **err)
 {
-#ifdef SO_MARK
+#if defined(SO_MARK) || defined(SO_USER_COOKIE)
 	char *endp;
 	unsigned int mark;
@ -328,7 +328,7 @@ static enum act_parse_ret tcp_parse_set_mark(const char **args, int *cur_arg, st
 	global.last_checks |= LSTCHK_NETADM;
 	return ACT_RET_PRS_OK;
 #else
-	memprintf(err, "not supported on this platform (SO_MARK undefined)");
+	memprintf(err, "not supported on this platform (SO_MARK|SO_USER_COOKIE undefined)");
 	return ACT_RET_PRS_ERR;
 #endif
 }