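/*
 * include/types/listener.h
 * This file defines the structures needed to manage listeners.
 *
 * Copyright (C) 2000-2012 Willy Tarreau - w@1wt.eu
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation, version 2.1
 * exclusively.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

#ifndef _TYPES_LISTENER_H
#define _TYPES_LISTENER_H

#include <stdint.h>          /* uint32_t, used by bind_conf.ns_cip_magic below */
#include <sys/types.h>
#include <sys/socket.h>

#ifdef USE_OPENSSL
#include <openssl/ssl.h>
#include <types/ssl_sock.h>
#endif

#include <common/config.h>
#include <common/mini-clist.h>
#include <common/hathreads.h>
#include <common/standard.h>

#include <types/obj_type.h>
#include <eb32tree.h>

/* Opaque types only referenced through pointers below; their definitions
 * live in their own headers and are not needed here.
 */
struct task;
struct protocol;
struct xprt_ops;
struct proxy;
struct fe_counters;

/* Listener state. The enum is packed so that it occupies a single byte
 * inside struct listener (GCC attribute; see the transition diagram below
 * for which states own a valid file descriptor).
 */
enum li_state {
	LI_NEW = 0,   /* not initialized yet */
	LI_INIT,      /* all parameters filled in, but not assigned yet */
	LI_ASSIGNED,  /* assigned to the protocol, but not listening yet */
	LI_PAUSED,    /* listener was paused, it's bound but not listening */
	LI_ZOMBIE,    /* the listener doesn't belong to the process, but is kept opened */
	LI_LISTEN,    /* started, listening but not enabled */
	LI_READY,     /* started, listening and enabled */
	LI_FULL,      /* reached its connection limit */
	LI_LIMITED,   /* transient state: limits have been reached, listener is queued */
} __attribute__((packed));

/* Listener transitions
 *    calloc()     set()      add_listener()       bind()
 *    -------> NEW ----> INIT ----------> ASSIGNED -----> LISTEN
 *    <-------     <----      <----------         <-----
 *     free()    bzero()    del_listener()        unbind()
 *
 * The file descriptor is valid only during these three states :
 *
 *               disable()
 *     LISTEN <------------ READY
 *       A|   ------------>  |A
 *       ||  !max & enable() ||
 *       ||                  ||
 *       ||              max ||
 *       || max & enable()   V| !max
 *       |+---------------> FULL
 *       +-----------------
 *            disable()
 *
 * The LIMITED state may be used when a limit has been detected just before
 * using a listener. In this case, the listener MUST be queued into the
 * appropriate wait queue (either the proxy's or the global one). It may be
 * set back to the READY state at any instant and for any reason, so one must
 * not rely on this state.
 */

/* listener socket options (bitmask stored in struct listener.options) */
#define LI_O_NONE           0x0000
#define LI_O_NOLINGER       0x0001 /* disable linger on this socket */
#define LI_O_FOREIGN        0x0002 /* permit listening on foreign addresses ("transparent") */
#define LI_O_NOQUICKACK     0x0004 /* disable quick ack of immediate data (linux) */
#define LI_O_DEF_ACCEPT     0x0008 /* wait up to 1 second for data before accepting */
#define LI_O_TCP_L4_RULES   0x0010 /* run TCP L4 rules checks on the incoming connection */
#define LI_O_TCP_L5_RULES   0x0020 /* run TCP L5 rules checks on the incoming session */
#define LI_O_CHK_MONNET     0x0040 /* check the source against a monitor-net rule */
#define LI_O_ACC_PROXY      0x0080 /* find the proxied address in the first request line.
                                    * That address is supplied by the connecting peer, so
                                    * this must only be enabled on listeners reachable by
                                    * trusted proxies, otherwise the peer chooses the
                                    * source address seen by ACLs and logs. */
#define LI_O_UNLIMITED      0x0100 /* listener not subject to global limits (peers & stats socket) */
#define LI_O_TCP_FO         0x0200 /* enable TCP Fast Open (linux >= 3.7).
                                    * NOTE(review): data carried in a TFO SYN may be
                                    * delivered more than once (RFC 7413); the upper
                                    * layer is presumably expected to tolerate that. */
#define LI_O_V6ONLY         0x0400 /* bind to IPv6 only on Linux >= 2.4.21 */
#define LI_O_V4V6           0x0800 /* bind to IPv4/IPv6 on Linux >= 2.4.21 */
#define LI_O_ACC_CIP        0x1000 /* find the proxied address in the NetScaler Client IP
                                    * header; same trust caveat as LI_O_ACC_PROXY. */
#define LI_O_INHERITED      0x2000 /* inherited FD from the parent process (fd@) */

/* Note: if a listener uses LI_O_UNLIMITED, it is highly recommended that it adds its own
 * maxconn setting to the global.maxsock value so that its resources are reserved.
 */

#ifdef USE_OPENSSL
/* bind_conf.ssl_options bits */
#define BC_SSL_O_NONE           0x0000
#define BC_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
#define BC_SSL_O_PREF_CLIE_CIPH 0x0200 /* prefer client ciphers */
#endif

/* ssl "bind" settings: the per-certificate / per-"bind" TLS parameters.
 * Without USE_OPENSSL the struct is empty.
 */
struct ssl_bind_conf {
#ifdef USE_OPENSSL
#ifdef OPENSSL_NPN_NEGOTIATED
	char *npn_str;            /* NPN protocol string */
	int npn_len;              /* NPN protocol string length */
#endif
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
	char *alpn_str;           /* ALPN protocol string */
	int alpn_len;             /* ALPN protocol string length */
#endif
	/* The three flags below were plain "int" bit-fields. Whether a plain
	 * int bit-field is signed is implementation-defined (C11 6.7.2p5) and
	 * GCC makes it signed, so a 1-bit field stores 1 as -1 and a 3-bit field
	 * cannot hold any value above 3. The fields only ever carry non-negative
	 * flag values, so they are declared unsigned; boolean tests and
	 * comparisons against small positive constants keep working.
	 */
	unsigned int verify:3;      /* verify method (set of SSL_VERIFY_* flags); 3 bits hold 0..7 only */
	unsigned int no_ca_names:1; /* do not send ca names to clients (ca_file related) */
	unsigned int early_data:1;  /* early data allowed. NOTE(review): TLS 1.3 0-RTT data is
	                             * replayable by design; whatever honours this flag must
	                             * treat such requests as possibly replayed. */
	char *ca_file;            /* CAfile to use on verify */
	char *crl_file;           /* CRLfile to use on verify */
	char *ciphers;            /* cipher suite to use if non-null */
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
	char *ciphersuites;       /* TLS 1.3 cipher suite to use if non-null */
#endif
	char *curves;             /* curves suite to use for ECDHE */
	char *ecdhe;              /* named curve to use for ECDHE */
	struct tls_version_filter ssl_methods; /* ssl methods */
#endif
};

/* "bind" line settings: everything shared by all listeners created from one
 * "bind" line of a frontend (TLS material, process/thread binding, UNIX
 * socket permissions, CLI access level, and the config location for errors).
 */
struct bind_conf {
#ifdef USE_OPENSSL
	struct ssl_bind_conf ssl_conf;   /* ssl conf for ctx setting */
	/* Bit masks of X509 verification errors that are deliberately ignored
	 * during the handshake. Every bit set here disables one client
	 * certificate check, so they should stay as narrow as possible.
	 */
	unsigned long long ca_ignerr;    /* ignored verify errors in handshake if depth > 0 */
	unsigned long long crt_ignerr;   /* ignored verify errors in handshake if depth == 0 */
	SSL_CTX *initial_ctx;            /* SSL context for initial negotiation */
	SSL_CTX *default_ctx;            /* SSL context of first/default certificate */
	struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
	int strict_sni;                  /* refuse negotiation if sni doesn't match a certificate */
	int ssl_options;                 /* ssl options (BC_SSL_O_*) */
	struct eb_root sni_ctx;          /* sni_ctx tree of all known certs full-names sorted by name */
	struct eb_root sni_w_ctx;        /* sni_ctx tree of all known certs wildcards sorted by name */
	struct tls_keys_ref *keys_ref;   /* TLS ticket keys reference */

	/* Material for the generate-certificates feature (see generate_certs).
	 * ca_sign_pass, ca_sign_pkey and anything loaded from ca_sign_file are
	 * secrets: whoever holds this key can issue certificates the clients
	 * trust. NOTE(review): the owner releasing them should wipe the
	 * passphrase rather than just free() it -- confirm in the freeing code.
	 */
	char *ca_sign_file;              /* CAFile used to generate and sign server certificates */
	char *ca_sign_pass;              /* CAKey passphrase */

	X509 *ca_sign_cert;              /* CA certificate referenced by ca_file */
	EVP_PKEY *ca_sign_pkey;          /* CA private key referenced by ca_key */
#endif
	struct proxy *frontend;          /* the frontend all these listeners belong to, or NULL */
	struct xprt_ops *xprt;           /* transport-layer operations for all listeners */
	int is_ssl;                      /* SSL is required for these listeners */
	int generate_certs;              /* 1 if generate-certificates option is set, else 0 */
	unsigned long bind_proc;         /* bitmask of processes allowed to use these listeners */
	unsigned long bind_thread[LONGBITS]; /* bitmask of threads (per processes) allowed to use these listeners */
	struct {                         /* UNIX socket permissions; these decide which local
	                                  * users may connect (e.g. to the stats socket) */
		uid_t uid;               /* -1 to leave unchanged */
		gid_t gid;               /* -1 to leave unchanged */
		mode_t mode;             /* 0 to leave unchanged */
	} ux;
	int level;                       /* stats access level (ACCESS_LVL_*) */
	int severity_output;             /* default severity output format in cli feedback messages */
	struct list by_fe;               /* next binding for the same frontend, or NULL */
	struct list listeners;           /* list of listeners using this bind config */
	uint32_t ns_cip_magic;           /* expected NetScaler Client IP magic number */
	char *arg;                       /* argument passed to "bind" for better error reporting */
	char *file;                      /* file where the section appears */
	int line;                        /* line where the section appears */
};

/* The listener will be directly referenced by the fdtab[] which holds its
 * socket. The listener provides the protocol-specific accept() function to
 * the fdtab.
 */
struct listener {
	enum obj_type obj_type;          /* object type = OBJ_TYPE_LISTENER */
	enum li_state state;             /* state: one of the LI_* values above */
	short int nice;                  /* nice value to assign to the instantiated tasks */
	int fd;                          /* the listen socket */
	char *name;                      /* listener's name */
	int luid;                        /* listener universally unique ID, used for SNMP */
	int options;                     /* socket options : LI_O_* */
	struct fe_counters *counters;    /* statistics counters */
	struct protocol *proto;          /* protocol this listener belongs to */
	int nbconn;                      /* current number of connections on this listener */
	int maxconn;                     /* maximum connections allowed on this listener */
	unsigned int backlog;            /* if set, listen backlog */
	int maxaccept;                   /* if set, max number of connections accepted at once (-1 when disabled) */
	struct list proto_list;          /* list in the protocol header */
	/* Upper layer's accept(): receives the freshly accepted socket and its
	 * source address. NOTE(review): addr is presumably what accept(2)
	 * returned; with LI_O_ACC_PROXY / LI_O_ACC_CIP the peer-supplied
	 * address is substituted later, not here -- confirm in the callers.
	 */
	int (*accept)(struct listener *l, int fd, struct sockaddr_storage *addr);
	enum obj_type *default_target;   /* default target to use for accepted sessions or NULL */
	struct list wait_queue;          /* link element to make the listener wait for something (LI_LIMITED) */
	unsigned int analysers;          /* bitmap of required protocol analysers */
	int maxseg;                      /* for TCP, advertised MSS */
	int tcp_ut;                      /* for TCP, user timeout */
	char *interface;                 /* interface name or NULL */

	/* per-listener lock; __decl_hathreads() is presumably empty without
	 * thread support (see common/hathreads.h) */
	__decl_hathreads(HA_SPINLOCK_T lock);

	const struct netns_entry *netns; /* network namespace of the listener */

	struct list by_fe;               /* chaining in frontend's list of listeners */
	struct list by_bind;             /* chaining in bind_conf's list of listeners */
	struct bind_conf *bind_conf;     /* "bind" line settings, include SSL settings among other things */

	/* warning: this struct is huge, keep it at the bottom */
	struct sockaddr_storage addr;    /* the address we listen to */
	struct {
		struct eb32_node id;     /* place in the tree of used IDs */
	} conf;                          /* config information */
};

/* Descriptor for a "bind" keyword. The ->parse() function returns 0 in case of
 * success, or a combination of ERR_* flags if an error is encountered. The
 * function pointer can be NULL if not implemented. The function also has an
 * access to the current "bind" config line. The ->skip value tells the parser
 * how many words have to be skipped after the keyword. The args come straight
 * from the configuration file, so ->parse() is responsible for validating them.
 */
struct bind_kw {
	const char *kw;
	int (*parse)(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err);
	int skip; /* nb of args to skip */
};

/* Same contract as struct bind_kw, for keywords that only touch the TLS
 * parameters (struct ssl_bind_conf) rather than the whole bind_conf.
 */
struct ssl_bind_kw {
	const char *kw;
	int (*parse)(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err);
	int skip; /* nb of args to skip */
};

/*
 * A keyword list. It is a NULL-terminated array of keywords. It embeds a
 * struct list in order to be linked to other lists, allowing it to easily
 * be declared where it is needed, and linked without duplicating data nor
 * allocating memory. It is also possible to indicate a scope for the keywords.
 */
struct bind_kw_list {
	const char *scope;
	struct list list;
	struct bind_kw kw[VAR_ARRAY];
};

/* One entry of a doubly-linked list of already-open listening sockets together
 * with the bind parameters needed to recognise them (address, interface,
 * namespace, LI_O_* options). NOTE(review): presumably used to hand sockets
 * over between processes (cf. LI_O_INHERITED) -- confirm against its users.
 */
struct xfer_sock_list {
	int fd;
	char *iface;
	char *namespace;
	int options;     /* socket options LI_O_* */
	struct xfer_sock_list *prev;
	struct xfer_sock_list *next;
	struct sockaddr_storage addr;
};

#endif /* _TYPES_LISTENER_H */

/*
 * Local variables:
 *  c-indent-level: 8
 *  c-basic-offset: 8
 * End:
 */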