/*
 * include/types/listener.h
 * This file defines the structures needed to manage listeners.
 *
 * Copyright (C) 2000-2012 Willy Tarreau - w@1wt.eu
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation, version 2.1
 * exclusively.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

#ifndef _TYPES_LISTENER_H
#define _TYPES_LISTENER_H

#include <sys/types.h>
#include <sys/socket.h>

#ifdef USE_OPENSSL
#include <openssl/ssl.h>
#include <types/ssl_sock.h>
#endif

#include <common/config.h>
#include <common/mini-clist.h>
#include <common/hathreads.h>
#include <common/standard.h>

#include <types/obj_type.h>
#include <eb32tree.h>

/* Some pointer types referenced below; they are only ever used through
 * pointers in this header, so the full definitions are not needed here.
 */
struct task;
struct protocol;
struct xprt_ops;
struct proxy;
struct fe_counters;

/* listener state. The enum is packed so that it occupies a single byte
 * inside struct listener; keep the number of states below 256.
 */
enum li_state {
	LI_NEW	= 0,    /* not initialized yet */
	LI_INIT,        /* all parameters filled in, but not assigned yet */
	LI_ASSIGNED,    /* assigned to the protocol, but not listening yet */
	LI_PAUSED,      /* listener was paused, it's bound but not listening */
	LI_ZOMBIE,      /* The listener doesn't belong to the process, but is kept opened */
	LI_LISTEN,      /* started, listening but not enabled */
	LI_READY,       /* started, listening and enabled */
	LI_FULL,        /* reached its connection limit */
	LI_LIMITED,     /* transient state: limits have been reached, listener is queued */
} __attribute__((packed));

/* Listener transitions
 *  calloc()     set()      add_listener()       bind()
 * -------> NEW ----> INIT ----------> ASSIGNED -----> LISTEN
 * <------- <---- <---------- <-----
 *  free()   bzero()  del_listener()   unbind()
 *
 * The file descriptor is valid only during these three states :
 *
 *             disable()
 * LISTEN <------------ READY
 *   A|   ------------>  |A
 *   ||  !max & enable() ||
 *   ||                  ||
 *   ||        max       ||
 *   || max & enable()   V| !max
 *   |+---------------> FULL
 *   +-----------------
 *            disable()
 *
 * The LIMITED state may be used when a limit has been detected just before
 * using a listener. In this case, the listener MUST be queued into the
 * appropriate wait queue (either the proxy's or the global one). It may be
 * set back to the READY state at any instant and for any reason, so one must
 * not rely on this state.
 */

/* listener socket options (bitmask stored in listener->options) */
#define LI_O_NONE	0x0000
#define LI_O_NOLINGER	0x0001	/* disable linger on this socket */
#define LI_O_FOREIGN	0x0002	/* permit listening on foreign addresses ("transparent") */
#define LI_O_NOQUICKACK	0x0004	/* disable quick ack of immediate data (linux) */
#define LI_O_DEF_ACCEPT	0x0008	/* wait up to 1 second for data before accepting */
#define LI_O_TCP_L4_RULES 0x0010	/* run TCP L4 rules checks on the incoming connection */
#define LI_O_TCP_L5_RULES 0x0020	/* run TCP L5 rules checks on the incoming session */
#define LI_O_CHK_MONNET	0x0040	/* check the source against a monitor-net rule */
/* NOTE(review): LI_O_ACC_PROXY and LI_O_ACC_CIP take the client address from
 * data sent by the connecting peer rather than from the socket, so the
 * resulting address is only as trustworthy as that peer. Whether callers
 * restrict these to trusted sources is decided outside this header — confirm.
 */
#define LI_O_ACC_PROXY	0x0080	/* find the proxied address in the first request line */
#define LI_O_UNLIMITED	0x0100	/* listener not subject to global limits (peers & stats socket) */
#define LI_O_TCP_FO	0x0200	/* enable TCP Fast Open (linux >= 3.7) */
#define LI_O_V6ONLY	0x0400	/* bind to IPv6 only on Linux >= 2.4.21 */
#define LI_O_V4V6	0x0800	/* bind to IPv4/IPv6 on Linux >= 2.4.21 */
#define LI_O_ACC_CIP	0x1000	/* find the proxied address in the NetScaler Client IP header */
#define LI_O_INHERITED	0x2000	/* inherited FD from the parent process (fd@) */
#define LI_O_MWORKER	0x4000	/* keep the FD open in the master but close it in the children */
#define LI_O_NOSTOP	0x8000	/* keep the listener active even after a soft stop */

/* Note: if a listener uses LI_O_UNLIMITED, it is highly recommended that it adds its own
 * maxconn setting to the global.maxsock value so that its resources are reserved.
 */

#ifdef USE_OPENSSL
/* ssl options (bitmask stored in bind_conf->ssl_options) */
#define BC_SSL_O_NONE           0x0000
#define BC_SSL_O_NO_TLS_TICKETS 0x0100	/* disable session resumption tickets */
#define BC_SSL_O_PREF_CLIE_CIPH 0x0200	/* prefer client ciphers */
#endif

/* ssl "bind" settings. The whole struct is empty when built without
 * USE_OPENSSL, but the type still exists so that callers can name it.
 */
struct ssl_bind_conf {
#ifdef USE_OPENSSL
#ifdef OPENSSL_NPN_NEGOTIATED
	char *npn_str;             /* NPN protocol string */
	int npn_len;               /* NPN protocol string length */
#endif
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
	char *alpn_str;            /* ALPN protocol string */
	int alpn_len;              /* ALPN protocol string length */
#endif
	int verify:3;              /* verify method (set of SSL_VERIFY_* flags); only 3 bits are stored */
	int no_ca_names:1;         /* do not send ca names to clients (ca_file related) */
	int early_data:1;          /* early data allowed */
	                           /* NOTE(review): 0-RTT early data is replayable at the TLS layer;
	                            * how the upper layers limit what is processed from it is not
	                            * visible here — confirm before enabling.
	                            */
	char *ca_file;             /* CAfile to use on verify */
	char *crl_file;            /* CRLfile to use on verify */
	char *ciphers;             /* cipher suite to use if non-null */
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
	char *ciphersuites;        /* TLS 1.3 cipher suite to use if non-null */
#endif
	char *curves;              /* curves suite to use for ECDHE */
	char *ecdhe;               /* named curve to use for ECDHE */
	struct tls_version_filter ssl_methods; /* ssl methods */
#endif
};

/* "bind" line settings: everything shared by all listeners created from one
 * "bind" line (SSL material, frontend, process/thread binding, permissions).
 */
struct bind_conf {
#ifdef USE_OPENSSL
	struct ssl_bind_conf ssl_conf; /* ssl conf for ctx setting */
	/* A set bit in the two masks below means the corresponding verification
	 * error is tolerated during the handshake, i.e. each bit weakens
	 * client-certificate checking. Review where they are populated.
	 */
	unsigned long long ca_ignerr;  /* ignored verify errors in handshake if depth > 0 */
	unsigned long long crt_ignerr; /* ignored verify errors in handshake if depth == 0 */
	SSL_CTX *initial_ctx;      /* SSL context for initial negotiation */
	SSL_CTX *default_ctx;      /* SSL context of first/default certificate */
	struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
	int strict_sni;            /* refuse negotiation if sni doesn't match a certificate */
	int ssl_options;           /* ssl options (BC_SSL_O_*) */
	struct eb_root sni_ctx;    /* sni_ctx tree of all known certs full-names sorted by name */
	struct eb_root sni_w_ctx;  /* sni_ctx tree of all known certs wildcards sorted by name */
	struct tls_keys_ref *keys_ref; /* TLS ticket keys reference */

	char *ca_sign_file;        /* CAFile used to generate and sign server certificates */
	char *ca_sign_pass;        /* CAKey passphrase */

	X509 *ca_sign_cert;        /* CA certificate referenced by ca_file */
	EVP_PKEY *ca_sign_pkey;    /* CA private key referenced by ca_key */
	                           /* NOTE(review): ca_sign_pass and ca_sign_pkey hold secret
	                            * material; their lifetime and cleanup are handled
	                            * elsewhere — confirm.
	                            */
#endif
	struct proxy *frontend;    /* the frontend all these listeners belong to, or NULL */
	const struct mux_proto_list *mux_proto; /* the mux to use for all incoming connections (specified by the "proto" keyword) */
	struct xprt_ops *xprt;     /* transport-layer operations for all listeners */
	int is_ssl;                /* SSL is required for these listeners */
	int generate_certs;        /* 1 if generate-certificates option is set, else 0 */
	unsigned long bind_proc;   /* bitmask of processes allowed to use these listeners */
	unsigned long bind_thread[LONGBITS]; /* bitmask of threads (per processes) allowed to use these listeners */
	struct {                   /* UNIX socket permissions */
		uid_t uid;         /* -1 to leave unchanged (uid_t is typically unsigned, so this is the all-ones value) */
		gid_t gid;         /* -1 to leave unchanged */
		mode_t mode;       /* 0 to leave unchanged */
	} ux;
	int level;                 /* stats access level (ACCESS_LVL_*) */
	int severity_output;       /* default severity output format in cli feedback messages */
	struct list by_fe;         /* next binding for the same frontend, or NULL */
	struct list listeners;     /* list of listeners using this bind config */
	uint32_t ns_cip_magic;     /* Expected NetScaler Client IP magic number */
	char *arg;                 /* argument passed to "bind" for better error reporting */
	char *file;                /* file where the section appears */
	int line;                  /* line where the section appears */
};

/* The listener will be directly referenced by the fdtab[] which holds its
 * socket. The listener provides the protocol-specific accept() function to
 * the fdtab.
 */
struct listener {
	enum obj_type obj_type;         /* object type = OBJ_TYPE_LISTENER */
	enum li_state state;            /* state (enum li_state): NEW, INIT, ASSIGNED, LISTEN, READY, FULL, ... */
	short int nice;                 /* nice value to assign to the instantiated tasks */
	int fd;                         /* the listen socket */
	char *name;                     /* listener's name */
	int luid;                       /* listener universally unique ID, used for SNMP */
	int options;                    /* socket options : LI_O_* */
	struct fe_counters *counters;   /* statistics counters */
	struct protocol *proto;         /* protocol this listener belongs to */
	int nbconn;                     /* current number of connections on this listener */
	int maxconn;                    /* maximum connections allowed on this listener */
	unsigned int backlog;           /* if set, listen backlog */
	int maxaccept;                  /* if set, max number of connections accepted at once (-1 when disabled) */
	struct list proto_list;         /* list in the protocol header */
	int (*accept)(struct listener *l, int fd, struct sockaddr_storage *addr); /* upper layer's accept(): receives the accepted fd and its peer address */
	enum obj_type *default_target;  /* default target to use for accepted sessions or NULL */
	struct list wait_queue;         /* link element to make the listener wait for something (LI_LIMITED) */
	unsigned int analysers;         /* bitmap of required protocol analysers */
	int maxseg;                     /* for TCP, advertised MSS */
	int tcp_ut;                     /* for TCP, user timeout */
	char *interface;                /* interface name or NULL */

	/* per-listener lock; the declaration is provided by common/hathreads.h
	 * and presumably expands to nothing without thread support — see there.
	 */
	__decl_hathreads(HA_SPINLOCK_T lock);

	const struct netns_entry *netns; /* network namespace of the listener */

	struct list by_fe;              /* chaining in frontend's list of listeners */
	struct list by_bind;            /* chaining in bind_conf's list of listeners */
	struct bind_conf *bind_conf;    /* "bind" line settings, including SSL settings among other things */

	/* warning: this struct is huge, keep it at the bottom */
	struct sockaddr_storage addr;   /* the address we listen to */
	struct {
		struct eb32_node id;    /* place in the tree of used IDs */
	} conf;                         /* config information */
};

/* Descriptor for a "bind" keyword. The ->parse() function returns 0 in case of
 * success, or a combination of ERR_* flags if an error is encountered. The
 * function pointer can be NULL if not implemented. The function also has an
 * access to the current "bind" config line. The ->skip value tells the parser
 * how many words have to be skipped after the keyword.
 */
struct bind_kw {
	const char *kw;
	int (*parse)(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err);
	int skip; /* nb of args to skip */
};

/* Same contract as struct bind_kw, but ->parse() receives the SSL-specific
 * settings (struct ssl_bind_conf) instead of the whole "bind" config.
 */
struct ssl_bind_kw {
	const char *kw;
	int (*parse)(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err);
	int skip; /* nb of args to skip */
};

/*
 * A keyword list. It is a NULL-terminated array of keywords. It embeds a
 * struct list in order to be linked to other lists, allowing it to easily
 * be declared where it is needed, and linked without duplicating data nor
 * allocating memory. It is also possible to indicate a scope for the keywords.
 */
struct bind_kw_list {
	const char *scope;
	struct list list;
	struct bind_kw kw[VAR_ARRAY]; /* NULL-terminated (kw == NULL) trailing array */
};

/* NOTE(review): looks like a node of a doubly-linked list (prev/next) describing
 * a listening socket kept alive across a process handover, together with the
 * interface, namespace, options and address needed to match it again. The
 * producer and consumer of this list are outside this header — confirm.
 */
struct xfer_sock_list {
	int fd;
	char *iface;
	char *namespace;
	int options; /* socket options LI_O_* */
	struct xfer_sock_list *prev;
	struct xfer_sock_list *next;
	struct sockaddr_storage addr;
};

#endif /* _TYPES_LISTENER_H */

/*
 * Local variables:
 *  c-indent-level: 8
 *  c-basic-offset: 8
 * End:
 */