mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-06 15:17:01 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: quic: implement send-retry quic-initial rules

Browse Source 
Define a new quic-initial "send-retry" rule. This allows to force the
emission of a Retry packet on an initial without token instead of
instantiating a new QUIC connection.
This commit is contained in:
Amaury Denoyelle 2024-07-22 13:29:04 +02:00
parent 69d7e9f3b7
commit 08515af9df
4 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
doc/configuration.txt
View File

@ -11010,6 +11010,7 @@ quic-initial <action> [ { if | unless } <condition> ]
- accept
- dgram-drop
- reject
- send-retry
rate-limit sessions <rate>
@ -14389,6 +14390,7 @@ sc-inc-gpc0 - X X X X X X
sc-inc-gpc1 - X X X X X X X
sc-set-gpt - X X X X X X X
sc-set-gpt0 - X X X X X X X
send-retry X - - - - - - -
send-spoe-group - - - X X X X -
set-bandwidth-limit - - - X X X X -
set-bc-mark - - - X - X - -
@ -15263,6 +15265,16 @@ sc-set-gpt0(<sc-id>) { <int> | <expr> }
See also the "sc-set-gpt" action.
send-retry
Usable in: QUIC Ini| TCP RqCon| RqSes| RqCnt| RsCnt| HTTP Req| Res| Aft
X | - | - | - | - | - | - | -
This action forces the emission of a Retry packet in response to a client
Initial packet without token. This is useful to ensure client address is
validated prior to instantiating any connection elements and starting the
handshake.
send-spoe-group <engine-name> <group-name>
Usable in: QUIC Ini| TCP RqCon| RqSes| RqCnt| RsCnt| HTTP Req| Res| Aft
- | - | - | X | X | X | X | -

1
include/haproxy/quic_sock-t.h
View File

@ -27,6 +27,7 @@ struct quic_receiver_buf {
};
#define QUIC_DGRAM_FL_REJECT 0x00000001
#define QUIC_DGRAM_FL_SEND_RETRY 0x00000002
/* QUIC datagram */
struct quic_dgram {

18
src/quic_rules.c
View File

@ -100,6 +100,14 @@ static enum act_return quic_init_action_reject(struct act_rule *rule, struct pro
return ACT_RET_DONE;
}
static enum act_return quic_init_action_send_retry(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
struct quic_dgram *dgram = __objt_dgram(sess->origin);
dgram->flags |= QUIC_DGRAM_FL_SEND_RETRY;
return ACT_RET_DONE;
}
static enum act_parse_ret parse_reject(const char **args, int *orig_arg,
struct proxy *px,
struct act_rule *rule, char **err)
@ -109,6 +117,15 @@ static enum act_parse_ret parse_reject(const char **args, int *orig_arg,
return ACT_RET_PRS_OK;
}
static enum act_parse_ret parse_send_retry(const char **args, int *orig_arg,
struct proxy *px,
struct act_rule *rule, char **err)
{
rule->action = ACT_CUSTOM;
rule->action_ptr = quic_init_action_send_retry;
return ACT_RET_PRS_OK;
}
/* List head of all known action keywords for "quic-initial" */
struct action_kw_list quic_init_actions_list = {
.list = LIST_HEAD_INIT(quic_init_actions_list.list)
@ -129,6 +146,7 @@ static struct action_kw_list quic_init_actions = { ILH, {
{ "accept", parse_accept, 0 },
{ "dgram-drop", parse_dgram_drop, 0 },
{ "reject", parse_reject, 0 },
{ "send-retry", parse_send_retry, 0 },
{ /* END */ },
}
};

3
src/quic_rx.c
View File

@ -1615,7 +1615,8 @@ static struct quic_conn *quic_rx_pkt_retrieve_conn(struct quic_rx_packet *pkt,
/* No need to emit Retry if connection is refused. */
if (!pkt->token_len && !(dgram->flags & QUIC_DGRAM_FL_REJECT)) {
if ((l->bind_conf->options & BC_O_QUIC_FORCE_RETRY) ||
HA_ATOMIC_LOAD(&prx_counters->half_open_conn) >= global.tune.quic_retry_threshold) {
HA_ATOMIC_LOAD(&prx_counters->half_open_conn) >= global.tune.quic_retry_threshold ||
(dgram->flags & QUIC_DGRAM_FL_SEND_RETRY)) {
TRACE_PROTO("Initial without token, sending retry",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);