BUG/MINOR: reload: detect the OS's v6only status before choosing an old socket

The v4v6 and v6only options are passed as data during the socket transfer
between processes so that the new process can decide whether it wants to
reuse a socket or not. But this actually misses one point: if no such option
is set and the OS defaults are changed between the reloads, then the socket
will still be inherited and will never be rebound using the new options.

This can be seen by starting the following config:

  global
    stats socket /tmp/haproxy.sock level admin expose-fd listeners

  frontend testme
    bind :::1234
    timeout client          2000ms

Having a look at the OS settins, v6only is disabled:

  $ cat /proc/sys/net/ipv6/bindv6only
  0

A first check shows it's indeed bound to v4 and v6:

  $ ss -an -6|grep 1234
  tcp   LISTEN 0      2035                                   *:1234             *:*

Reloading the process doesn't change anything (which is expected). Now let's set
bindv6only:

  $ echo 1 | sudo tee /proc/sys/net/ipv6/bindv6only
  1
  $ cat /proc/sys/net/ipv6/bindv6only
  1

Reloading gives the same state:

  $ ss -an -6|grep 1234
  tcp   LISTEN 0      2035                                   *:1234             *:*

However a restart properly shows a correct bind:

  $ ss -an -6|grep 1234
  tcp   LISTEN 0      2035                                [::]:1234          [::]:*

This one doesn't change once bindv6only is reset, for the same reason.

This patch attacks this problem differently. Instead of passing the two
options at once for each listening fd, it ignores the options and reads
the socket's current state for the IPV6_V6ONLY flag and sets it only.
Then before looking for a compatible FD, it checks the OS's defaults
before deciding which of the v4v6 and v6only needs to be kept on the
listener. And the selection is only made on this.

First, it addresses this issue. Second, it also ensures that if such
options are changed between reloads to identical states, the socket
can still be inherited. For example adding v4v6 when bindv6only is not
set will allow the socket to still be usable. Third, it avoids an
undesired dependency on the LI_O_* bit values between processes across
a reload (for these ones at least).

It might make sense to backport this to some recent stable versions, but
quite frankly the likelyhood that anyone will ever notice it is extremely
faint.
2 files changed