Mercurial > hg > nginx
view auto/os/linux @ 8913:40445fc7c403 quic
QUIC: fixed migration during NAT rebinding.
The RFC 9000 allows a packet from known CID arrive from unknown path:
These requirements regarding connection ID reuse apply only to the
sending of packets, as unintentional changes in path without a change
in connection ID are possible. For example, after a period of
network inactivity, NAT rebinding might cause packets to be sent on a
new path when the client resumes sending.
Before the patch, such packets were rejected with an error in the
ngx_quic_check_migration() function. Removing the check makes the
separate function excessive - remaining checks are early migration
check and "disable_active_migration" check. The latter is a transport
parameter sent to client and it should not be used by server.
The server should send "disable_active_migration" "if the endpoint does
not support active connection migration" (18.2). The support status depends
on nginx configuration: to have migration working with multiple workers,
you need bpf helper, available on recent Linux systems. The patch does
not set "disable_active_migration" automatically and leaves it for the
administrator. By default, active migration is enabled.
RFC 900 says that it is ok to migrate if the peer violates
"disable_active_migration" flag requirements:
If the peer violates this requirement,
the endpoint MUST either drop the incoming packets on that path without
generating a Stateless Reset
OR
proceed with path validation and allow the peer to migrate. Generating a
Stateless Reset or closing the connection would allow third parties in the
network to cause connections to close by spoofing or otherwise manipulating
observed traffic.
So, nginx adheres to the second option and proceeds to path validation.
Note:
The ngtcp2 may be used for testing both active migration and NAT rebinding:
ngtcp2/client --change-local-addr=200ms --delay-stream=500ms <ip> <port> <url>
ngtcp2/client --change-local-addr=200ms --delay-stream=500ms --nat-rebinding \
<ip> <port> <url>
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Mon, 29 Nov 2021 11:51:14 +0300 |
parents | bb5152ed045b |
children | 9ec96ceaf484 |
line wrap: on
line source
# Copyright (C) Igor Sysoev # Copyright (C) Nginx, Inc. have=NGX_LINUX . auto/have_headers CORE_INCS="$UNIX_INCS" CORE_DEPS="$UNIX_DEPS $LINUX_DEPS" CORE_SRCS="$UNIX_SRCS $LINUX_SRCS" ngx_spacer=' ' cc_aux_flags="$CC_AUX_FLAGS" CC_AUX_FLAGS="$cc_aux_flags -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64" # Linux kernel version version=$((`uname -r \ | sed -n -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/ \ \1*256*256+\2*256+\3/p' \ -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1*256*256+\2*256/p'`)) version=${version:-0} # posix_fadvise64() had been implemented in 2.5.60 if [ $version -lt 132412 ]; then have=NGX_HAVE_POSIX_FADVISE . auto/nohave fi # epoll, EPOLLET version ngx_feature="epoll" ngx_feature_name="NGX_HAVE_EPOLL" ngx_feature_run=yes ngx_feature_incs="#include <sys/epoll.h>" ngx_feature_path= ngx_feature_libs= ngx_feature_test="int efd = 0; struct epoll_event ee; ee.events = EPOLLIN|EPOLLOUT|EPOLLET; ee.data.ptr = NULL; (void) ee; efd = epoll_create(100); if (efd == -1) return 1;" . auto/feature if [ $ngx_found = yes ]; then have=NGX_HAVE_CLEAR_EVENT . auto/have CORE_SRCS="$CORE_SRCS $EPOLL_SRCS" EVENT_MODULES="$EVENT_MODULES $EPOLL_MODULE" EVENT_FOUND=YES # EPOLLRDHUP appeared in Linux 2.6.17, glibc 2.8 ngx_feature="EPOLLRDHUP" ngx_feature_name="NGX_HAVE_EPOLLRDHUP" ngx_feature_run=no ngx_feature_incs="#include <sys/epoll.h>" ngx_feature_path= ngx_feature_libs= ngx_feature_test="int efd = 0, fd = 0; struct epoll_event ee; ee.events = EPOLLIN|EPOLLRDHUP|EPOLLET; ee.data.ptr = NULL; epoll_ctl(efd, EPOLL_CTL_ADD, fd, &ee)" . auto/feature # EPOLLEXCLUSIVE appeared in Linux 4.5, glibc 2.24 ngx_feature="EPOLLEXCLUSIVE" ngx_feature_name="NGX_HAVE_EPOLLEXCLUSIVE" ngx_feature_run=no ngx_feature_incs="#include <sys/epoll.h>" ngx_feature_path= ngx_feature_libs= ngx_feature_test="int efd = 0, fd = 0; struct epoll_event ee; ee.events = EPOLLIN|EPOLLEXCLUSIVE; ee.data.ptr = NULL; epoll_ctl(efd, EPOLL_CTL_ADD, fd, &ee)" . auto/feature # eventfd() ngx_feature="eventfd()" ngx_feature_name="NGX_HAVE_EVENTFD" ngx_feature_run=no ngx_feature_incs="#include <sys/eventfd.h>" ngx_feature_path= ngx_feature_libs= ngx_feature_test="(void) eventfd(0, 0)" . auto/feature if [ $ngx_found = yes ]; then have=NGX_HAVE_SYS_EVENTFD_H . auto/have fi if [ $ngx_found = no ]; then ngx_feature="eventfd() (SYS_eventfd)" ngx_feature_incs="#include <sys/syscall.h>" ngx_feature_test="(void) SYS_eventfd" . auto/feature fi fi # O_PATH and AT_EMPTY_PATH were introduced in 2.6.39, glibc 2.14 ngx_feature="O_PATH" ngx_feature_name="NGX_HAVE_O_PATH" ngx_feature_run=no ngx_feature_incs="#include <sys/types.h> #include <sys/stat.h> #include <fcntl.h>" ngx_feature_path= ngx_feature_libs= ngx_feature_test="int fd; struct stat sb; fd = openat(AT_FDCWD, \".\", O_PATH|O_DIRECTORY|O_NOFOLLOW); if (fstatat(fd, \"\", &sb, AT_EMPTY_PATH) != 0) return 1" . auto/feature # sendfile() CC_AUX_FLAGS="$cc_aux_flags -D_GNU_SOURCE" ngx_feature="sendfile()" ngx_feature_name="NGX_HAVE_SENDFILE" ngx_feature_run=yes ngx_feature_incs="#include <sys/sendfile.h> #include <errno.h>" ngx_feature_path= ngx_feature_libs= ngx_feature_test="int s = 0, fd = 1; ssize_t n; off_t off = 0; n = sendfile(s, fd, &off, 1); if (n == -1 && errno == ENOSYS) return 1" . auto/feature if [ $ngx_found = yes ]; then CORE_SRCS="$CORE_SRCS $LINUX_SENDFILE_SRCS" fi # sendfile64() CC_AUX_FLAGS="$cc_aux_flags -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64" ngx_feature="sendfile64()" ngx_feature_name="NGX_HAVE_SENDFILE64" ngx_feature_run=yes ngx_feature_incs="#include <sys/sendfile.h> #include <errno.h>" ngx_feature_path= ngx_feature_libs= ngx_feature_test="int s = 0, fd = 1; ssize_t n; off_t off = 0; n = sendfile(s, fd, &off, 1); if (n == -1 && errno == ENOSYS) return 1" . auto/feature ngx_include="sys/prctl.h"; . auto/include # prctl(PR_SET_DUMPABLE) ngx_feature="prctl(PR_SET_DUMPABLE)" ngx_feature_name="NGX_HAVE_PR_SET_DUMPABLE" ngx_feature_run=yes ngx_feature_incs="#include <sys/prctl.h>" ngx_feature_path= ngx_feature_libs= ngx_feature_test="if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) == -1) return 1" . auto/feature # prctl(PR_SET_KEEPCAPS) ngx_feature="prctl(PR_SET_KEEPCAPS)" ngx_feature_name="NGX_HAVE_PR_SET_KEEPCAPS" ngx_feature_run=yes ngx_feature_incs="#include <sys/prctl.h>" ngx_feature_path= ngx_feature_libs= ngx_feature_test="if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) return 1" . auto/feature # capabilities ngx_feature="capabilities" ngx_feature_name="NGX_HAVE_CAPABILITIES" ngx_feature_run=no ngx_feature_incs="#include <linux/capability.h> #include <sys/syscall.h>" ngx_feature_path= ngx_feature_libs= ngx_feature_test="struct __user_cap_data_struct data; struct __user_cap_header_struct header; header.version = _LINUX_CAPABILITY_VERSION_1; data.effective = CAP_TO_MASK(CAP_NET_RAW); data.permitted = 0; (void) header; (void) data; (void) SYS_capset" . auto/feature # crypt_r() ngx_feature="crypt_r()" ngx_feature_name="NGX_HAVE_GNU_CRYPT_R" ngx_feature_run=no ngx_feature_incs="#include <crypt.h>" ngx_feature_path= ngx_feature_libs=-lcrypt ngx_feature_test="struct crypt_data cd; crypt_r(\"key\", \"salt\", &cd);" . auto/feature ngx_include="sys/vfs.h"; . auto/include CC_AUX_FLAGS="$cc_aux_flags -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64" # (E)BPF ngx_feature="BPF support" ngx_feature_name="NGX_HAVE_BPF" ngx_feature_run=no ngx_feature_incs="#include <linux/bpf.h> #include <sys/syscall.h>" ngx_feature_path= ngx_feature_libs= ngx_feature_test=" union bpf_attr attr = { 0 }; /* only declare BPF support if all required features found */ attr.map_flags = 0; attr.map_type = BPF_MAP_TYPE_SOCKHASH; syscall(__NR_bpf, 0, &attr, 0);" . auto/feature if [ $ngx_found = yes ]; then BPF_FOUND=YES CORE_SRCS="$CORE_SRCS src/core/ngx_bpf.c" CORE_DEPS="$CORE_DEPS src/core/ngx_bpf.h" fi # SO_COOKIE socket option ngx_feature="SO_COOKIE" ngx_feature_name="NGX_HAVE_SO_COOKIE" ngx_feature_run=no ngx_feature_incs="#include <sys/socket.h> #include <stdint.h>" ngx_feature_path= ngx_feature_libs= ngx_feature_test="socklen_t optlen = sizeof(uint64_t); uint64_t cookie; getsockopt(0, SOL_SOCKET, SO_COOKIE, &cookie, &optlen)" . auto/feature if [ $ngx_found = yes ]; then SO_COOKIE_FOUND=YES have=NGX_HAVE_SO_COOKIE . auto/have fi # UDP_SEGMENT socket option is used for segmentation offloading ngx_feature="UDP_SEGMENT" ngx_feature_name="NGX_HAVE_UDP_SEGMENT" ngx_feature_run=no ngx_feature_incs="#include <sys/socket.h> #include <stdint.h> #include <netinet/udp.h>" ngx_feature_path= ngx_feature_libs= ngx_feature_test="socklen_t optlen = sizeof(int); int val; getsockopt(0, SOL_UDP, UDP_SEGMENT, &val, &optlen)" . auto/feature if [ $ngx_found = yes ]; then UDP_SEGMENT_FOUND=YES have=NGX_HAVE_UDP_SEGMENT . auto/have fi # ngx_quic_bpf module uses sockhash to select socket from reuseport group, # support appeared in Linux-5.7: # # commit: 9fed9000c5c6cacfcaaa48aff74818072ae294cc # bpf: Allow selecting reuseport socket from a SOCKMAP/SOCKHASH # if [ $NGX_QUIC_BPF$BPF_FOUND = YESYES ]; then echo $ngx_n "checking for kernel with reuseport/BPF support...$ngx_c" if [ $version -lt 329472 ]; then echo " not found (at least 5.7 is required)" NGX_QUIC_BPF=NO else echo " found" fi fi