Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / bca5a4e0a83ce12946952f32baf7a783dcc96281
commitbca5a4e0a83ce12946952f32baf7a783dcc96281[log] [tgz]
authorWilly Tarreau <w@1wt.eu>Wed Aug 26 09:29:21 2020 +0200
committerWilly Tarreau <w@1wt.eu>Wed Aug 26 10:32:51 2020 +0200
tree449ab1d253d7ac74c8ff3e9d8787ff649b6922ce
parentbbb284d6752c94817e37be9a26b5aea92e506612 [diff]
BUG/MINOR: reload: detect the OS's v6only status before choosing an old socket

The v4v6 and v6only options are passed as data during the socket transfer
between processes so that the new process can decide whether it wants to
reuse a socket or not. But this actually misses one point: if no such option
is set and the OS defaults are changed between the reloads, then the socket
will still be inherited and will never be rebound using the new options.

This can be seen by starting the following config:

  global
    stats socket /tmp/haproxy.sock level admin expose-fd listeners

  frontend testme
    bind :::1234
    timeout client          2000ms

Having a look at the OS settins, v6only is disabled:

  $ cat /proc/sys/net/ipv6/bindv6only
  0

A first check shows it's indeed bound to v4 and v6:

  $ ss -an -6|grep 1234
  tcp   LISTEN 0      2035                                   *:1234             *:*

Reloading the process doesn't change anything (which is expected). Now let's set
bindv6only:

  $ echo 1 | sudo tee /proc/sys/net/ipv6/bindv6only
  1
  $ cat /proc/sys/net/ipv6/bindv6only
  1

Reloading gives the same state:

  $ ss -an -6|grep 1234
  tcp   LISTEN 0      2035                                   *:1234             *:*

However a restart properly shows a correct bind:

  $ ss -an -6|grep 1234
  tcp   LISTEN 0      2035                                [::]:1234          [::]:*

This one doesn't change once bindv6only is reset, for the same reason.

This patch attacks this problem differently. Instead of passing the two
options at once for each listening fd, it ignores the options and reads
the socket's current state for the IPV6_V6ONLY flag and sets it only.
Then before looking for a compatible FD, it checks the OS's defaults
before deciding which of the v4v6 and v6only needs to be kept on the
listener. And the selection is only made on this.

First, it addresses this issue. Second, it also ensures that if such
options are changed between reloads to identical states, the socket
can still be inherited. For example adding v4v6 when bindv6only is not
set will allow the socket to still be usable. Third, it avoids an
undesired dependency on the LI_O_* bit values between processes across
a reload (for these ones at least).

It might make sense to backport this to some recent stable versions, but
quite frankly the likelyhood that anyone will ever notice it is extremely
faint.
2 files changed
tree: 449ab1d253d7ac74c8ff3e9d8787ff649b6922ce
  1. .github/
  2. contrib/
  3. doc/
  4. examples/
  5. include/
  6. reg-tests/
  7. scripts/
  8. src/
  9. tests/
  10. .cirrus.yml
  11. .gitignore
  12. .travis.yml
  13. BRANCHES
  14. CHANGELOG
  15. CONTRIBUTING
  16. INSTALL
  17. LICENSE
  18. MAINTAINERS
  19. Makefile
  20. README
  21. ROADMAP
  22. SUBVERS
  23. VERDATE
  24. VERSION