Hi Sander,

>>> Patch applied, thank you Lukas!
>>
>> I will test the patch. Stupid question, but is it really supported
>> from 3.3 and higher? A quick test with dev22 yesterday seemed to be
>> working but I didn't put any traffic through it. It was late so I
>> didn't give it enough attention ;-)
>
>
> Just tested it with plain dev22 and 3.2 and IPv6 seems to work nicely.
> What does the patch do? Because I don't quite understand.

Sorry for the confusion. In your case, as long as you start haproxy
initially as root, you don't need this patch and you don't need Linux 3.3.

All you need is to start haproxy as root; it will set IPV6_TRANSPARENT on the
socket and it will work in all kernels starting with 2.6.37.

The problem with the behavior before this patch was that IPV6_TRANSPARENT
requires superuser privileges (or more specifically the CAP_NET_ADMIN
capability).

There are 2 use cases where we may not have this capability:
- when HAProxy is not started as root initially (and listens only to
  ports >1024) - I suspect this is not very common
- when HAProxy drops root privileges after the initial setup, and the
  socket option is needed on backend connections (which are not set up at
  HAProxy start of course, but when the connection is actually needed, but
  at that point we don't have the capabilities anymore)


IP_FREEBIND doesn't need special privileges, so this fixes those 2 cases.


In your case however you don't need IP_FREEBIND, because:
- you only need the socket options on frontend connections (specified on the
  bind line) - which are set up before dropping to a normal user
- you start haproxy with root privileges (most likely you bind to port 80
  or 443, so you need to start privileged anyway)


So the patch is not necessary for you. IP_FREEBIND on IPv6 sockets requires
Linux 3.3, but IPV6_TRANSPARENT only requires 2.6.37.



Regards,

Lukas                                     
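
The privilege difference described in the message above, as an added example that is not part of the original message and is not HAProxy's code: the privileged option is tried first and the unprivileged one is used only when the kernel reports a missing capability. The helper names `enable_nonlocal_bind6` and `is_privilege_error` and the `nonlocal_mode` enum are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Linux option numbers, defined here in case the libc headers lack them. */
#ifndef IPV6_TRANSPARENT
#define IPV6_TRANSPARENT 75
#endif
#ifndef IP_FREEBIND
#define IP_FREEBIND 15
#endif

enum nonlocal_mode { NL_NONE = 0, NL_TRANSPARENT = 1, NL_FREEBIND = 2 };

/* Only a privilege failure justifies the fallback; other errors are real. */
int is_privilege_error(int err) { return err == EPERM; }

/* Hypothetical helper: enable non-local bind on an AF_INET6 socket. */
enum nonlocal_mode enable_nonlocal_bind6(int fd)
{
    int one = 1;

    /* Needs CAP_NET_ADMIN, so it fails with EPERM after privileges are dropped. */
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_TRANSPARENT, &one, sizeof(one)) == 0)
        return NL_TRANSPARENT;
    if (!is_privilege_error(errno))
        return NL_NONE;

    /* No special privileges needed; per the message, Linux 3.3+ for IPv6. */
    if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) == 0)
        return NL_FREEBIND;
    return NL_NONE;
}

int main(void)
{
    static const char *names[] = { "none", "IPV6_TRANSPARENT", "IP_FREEBIND" };
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    enum nonlocal_mode m = enable_nonlocal_bind6(fd);
    printf("euid=%d mode=%s\n", (int)geteuid(), names[m]);
    close(fd);
    return m == NL_NONE;
}
```

Run once as root and once as a normal user to see which option ends up on the socket in each case.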
