[sr-dev] git:5.7:bf40176e: core/rthreads.h: use global ksr_tls_threads_mode to constrain thread

2024-02-11 Thread Victor Seva via sr-dev
Module: kamailio
Branch: 5.7
Commit: bf40176e34e869b567a0f36eab28739508797080
URL: 
https://github.com/kamailio/kamailio/commit/bf40176e34e869b567a0f36eab28739508797080

Author: S-P Chan 
Committer: Victor Seva 
Date: 2024-02-12T07:52:26+01:00

core/rthreads.h: use global ksr_tls_threads_mode to constrain thread
wrapping

- 0: run wrapped function directly
- 1: run wrapped function in thread for process#0 else run directly
- 2: always run wrapped function in thread

---

Modified: src/core/rthreads.h

---

Diff:  
https://github.com/kamailio/kamailio/commit/bf40176e34e869b567a0f36eab28739508797080.diff
Patch: 
https://github.com/kamailio/kamailio/commit/bf40176e34e869b567a0f36eab28739508797080.patch

---

diff --git a/src/core/rthreads.h b/src/core/rthreads.h
index fa60ccef071..e96f45c9395 100644
--- a/src/core/rthreads.h
+++ b/src/core/rthreads.h
@@ -27,6 +27,7 @@
  */
 #include 
 
+#include "./globals.h"
 /*
  * prototype: void *fn(void *arg) { ... }
  */
@@ -39,9 +40,11 @@ static void *run_threadP(_thread_proto fn, void *arg)
pthread_t tid;
void *ret;
 
-   if(likely(process_no)) {
+   if(likely(ksr_tls_threads_mode == 0
+  || (ksr_tls_threads_mode == 1 && process_no > 0))) {
return fn(arg);
}
+
pthread_create(&tid, NULL, fn, arg);
pthread_join(tid, &ret);
 
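Review bot: The `pthread_create(&tid, NULL, fn, arg)` call kept at the end of this hunk ignores its return value, so on failure `pthread_join` is handed an indeterminate `tid` and `ret` is never written. That path used to be reached only in process 0, but with `tls_threads_mode = 2` every process takes it on every wrapped call, which makes a failed thread creation under resource pressure more plausible. Check the result and fail closed instead of silently running `fn` outside the guard, e.g. `if(pthread_create(&tid, NULL, fn, arg) != 0) return NULL;`, provided callers treat NULL as an error. The same unchecked `pthread_create` is visible in the run_threadV, run_thread4PP, run_thread0P and run_thread4P5I2P2 hunks; run_threadP's return statement lies outside this hunk.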
@@ -73,7 +76,9 @@ static void *run_threadPI(_thread_protoPI fn, void *arg1, int 
arg2)
 #ifdef USE_TLS
pthread_t tid;
void *ret;
-   if(likely(process_no)) {
+
+   if(likely(ksr_tls_threads_mode == 0
+  || (ksr_tls_threads_mode == 1 && process_no > 0))) {
return fn(arg1, arg2);
}
 
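Review bot: The mode test `ksr_tls_threads_mode == 0 || (ksr_tls_threads_mode == 1 && process_no > 0)` is pasted verbatim into this wrapper and five others in the file (run_threadP, run_threadV, run_thread4PP, run_thread0P, run_thread4P5I2P2), so any later change to the mode semantics has to be made six times. A single `static inline` predicate placed after the new `#include "./globals.h"` would keep them in step and give one place for a comment listing the modes, including that any value other than 0 or 1 currently means "always run in a thread". Note also that the old test `process_no` was true for any non-zero value while the new one requires `process_no > 0`; if process_no can be negative at this point (not visible here), mode 1 differs from the previous behaviour for that case. run_threadPI's body continues outside the hunk.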
@@ -84,7 +89,7 @@ static void *run_threadPI(_thread_protoPI fn, void *arg1, int 
arg2)
return ret;
 #else
return fn(arg1, arg2);
-#endif /* USE_TLS */
+#endif
 }
 #endif
 
@@ -107,18 +112,19 @@ static void run_threadV(_thread_protoV fn)
 {
 #ifdef USE_TLS
pthread_t tid;
-   if(likely(process_no)) {
+
+   if(likely(ksr_tls_threads_mode == 0
+  || (ksr_tls_threads_mode == 1 && process_no > 0))) {
fn();
return;
}
 
-
pthread_create(&tid, NULL, (_thread_proto)run_thread_wrapV,
&(struct _thread_argsV){fn});
pthread_join(tid, NULL);
 #else
fn();
-#endif /* USE_TLS */
+#endif
 }
 #endif
 
@@ -146,10 +152,10 @@ static int run_thread4PP(_thread_proto4PP fn, void *arg1, 
void *arg2)
pthread_t tid;
int ret;
 
-   if(likely(process_no)) {
+   if(likely(ksr_tls_threads_mode == 0
+  || (ksr_tls_threads_mode == 1 && process_no > 0))) {
return fn(arg1, arg2);
}
-
pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4PP,
&(struct _thread_args4PP){fn, arg1, arg2, &ret});
pthread_join(tid, NULL);
@@ -182,17 +188,17 @@ static void run_thread0P(_thread_proto0P fn, void *arg1)
 #ifdef USE_TLS
pthread_t tid;
 
-   if(likely(process_no)) {
+   if(likely(ksr_tls_threads_mode == 0
+  || (ksr_tls_threads_mode == 1 && process_no > 0))) {
fn(arg1);
return;
}
-
pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap0P,
&(struct _thread_args0P){fn, arg1});
pthread_join(tid, NULL);
 #else
-   fn(arg1);
-#endif /* USE_TLS */
+   fn(arg1)
+#endif
 }
 #endif
 
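Review bot: The `#else` branch of run_thread0P now reads `fn(arg1)` with the trailing semicolon dropped, so a build without USE_TLS fails to compile at the closing brace. Restore the statement as `fn(arg1);`. TLS-enabled builds never compile that branch, which is presumably why the slip went unnoticed; a non-TLS build in CI would catch it. The opening of the function body lies above the hunk.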
@@ -234,7 +240,8 @@ static int run_thread4P5I2P2(_thread_proto4P5I2P2 fn, void 
*arg1, void *arg2,
pthread_t tid;
int ret;
 
-   if(likely(process_no)) {
+   if(likely(ksr_tls_threads_mode == 0
+  || (ksr_tls_threads_mode == 1 && process_no > 0))) {
return fn(arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9);
}
pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4P5I2P2,



[sr-dev] git:5.7:253f13f1: tls: restore default to bypass thread guards

2024-02-11 Thread Victor Seva via sr-dev
Module: kamailio
Branch: 5.7
Commit: 253f13f18ec6853764d950d58f467c331d03425a
URL: 
https://github.com/kamailio/kamailio/commit/253f13f18ec6853764d950d58f467c331d03425a

Author: S-P Chan 
Committer: Victor Seva 
Date: 2024-02-12T07:52:26+01:00

tls: restore default to bypass thread guards

- restore <= 5.7.3 behaviour
- require user to opt-in to libssl thread-guards
  with tls_threads_mode = 1|2

---

Modified: src/modules/tls/tls_mod.c

---

Diff:  
https://github.com/kamailio/kamailio/commit/253f13f18ec6853764d950d58f467c331d03425a.diff
Patch: 
https://github.com/kamailio/kamailio/commit/253f13f18ec6853764d950d58f467c331d03425a.patch

---

diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index beaf1b7b70b..3359aaffdcc 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -451,9 +451,9 @@ static int mod_child(int rank)
 #if OPENSSL_VERSION_NUMBER >= 0x010101000L
 /*
  * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of
- * libssl in rank 0(thread#1)
+ * libssl in rank 0(thread#1). Requires tls_threads_mode = 1 config.
  */
-if(rank == PROC_SIPINIT) {
+if((rank == PROC_SIPINIT && ksr_tls_threads_mode) || (rank == 
PROC_INIT && !ksr_tls_threads_mode)) {
 #else
 if(rank == PROC_INIT) {
 #endif
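Review bot: The updated comment says worker-side SSL_CTX creation `Requires tls_threads_mode = 1 config`, but the condition below it tests `ksr_tls_threads_mode` for any non-zero value, and the commit message names `1|2`. Word the comment to match the code, e.g. `* libssl in rank 0(thread#1). Requires tls_threads_mode = 1 or 2 (non-zero).` It would also help to say in the same comment that with mode 0 the context is created in PROC_INIT, since that is the branch taken by default. mod_child's body continues outside the hunk.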



[sr-dev] git:5.7:2f0cca81: Sample etc/kamailio.cfg: global var tls_threads_mode

2024-02-11 Thread Victor Seva via sr-dev
Module: kamailio
Branch: 5.7
Commit: 2f0cca81bfc47783098e4c869b038229cd3e4ed0
URL: 
https://github.com/kamailio/kamailio/commit/2f0cca81bfc47783098e4c869b038229cd3e4ed0

Author: S-P Chan 
Committer: Victor Seva 
Date: 2024-02-12T07:52:26+01:00

Sample etc/kamailio.cfg: global var tls_threads_mode
- load tls first if used
- global var tls_threads_mode

---

Modified: etc/kamailio.cfg

---

Diff:  
https://github.com/kamailio/kamailio/commit/2f0cca81bfc47783098e4c869b038229cd3e4ed0.diff
Patch: 
https://github.com/kamailio/kamailio/commit/2f0cca81bfc47783098e4c869b038229cd3e4ed0.patch

---

diff --git a/etc/kamailio.cfg b/etc/kamailio.cfg
old mode 100644
new mode 100755
index fe7b111a012..a95a652b935
--- a/etc/kamailio.cfg
+++ b/etc/kamailio.cfg
@@ -220,6 +220,13 @@ enable_tls=yes
 
 /* upper limit for TLS connections */
 tls_max_connections=2048
+
+/* For OpenSSL 3 integration
+ * functions calling libssl3 can be invoked in a transient thread
+ * 0: disable threaded calls
+ * 1: use threads for process#0 only
+ * 2: use threads for all processes */
+tls_threads_mode=1
 #!endif
 
 /* set it to yes to enable sctp and load sctp.so module */
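Review bot: The file header for this change flips etc/kamailio.cfg from mode 100644 to 100755, which makes the sample configuration executable; nothing in the hunks needs that, so it looks accidental and should go back to 100644. In the added comment block, the sample ships `tls_threads_mode=1` while the core default set in main.c is 0, and the comment does not say so. Add a line such as ` * default when unset: 0` so an operator who removes the setting knows which behaviour they get.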
@@ -257,6 +264,12 @@ voicemail.srv_port = "5060" desc "VoiceMail Port"
 /* set paths to location of modules */
 # mpath="/usr/local/lib/kamailio/modules/"
 
+# when using TLS with OpenSSL it is recommended to load this module
+# first so that OpenSSL is initialized correctly
+#!ifdef WITH_TLS
+loadmodule "tls.so"
+#!endif
+
 #!ifdef WITH_MYSQL
 loadmodule "db_mysql.so"
 #!endif
@@ -319,10 +332,6 @@ loadmodule "rtpproxy.so"
 #!endif
 #!endif
 
-#!ifdef WITH_TLS
-loadmodule "tls.so"
-#!endif
-
 #!ifdef WITH_HTABLE
 loadmodule "htable.so"
 #!endif



[sr-dev] Re: [kamailio/kamailio] [5.7] Restore libssl default behaviour on stable; opt-in to libssl thread-guards required (PR #3754)

2024-02-11 Thread Victor Seva via sr-dev
Merged #3754 into 5.7.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/3754#event-11770580624


[sr-dev] git:5.7:3697d763: core: added tls_threads_mode global parameter

2024-02-11 Thread Victor Seva via sr-dev
Module: kamailio
Branch: 5.7
Commit: 3697d763e340b7e88532a8b1920b0088c08fbc72
URL: 
https://github.com/kamailio/kamailio/commit/3697d763e340b7e88532a8b1920b0088c08fbc72

Author: Daniel-Constantin Mierla 
Committer: Victor Seva 
Date: 2024-02-12T07:52:26+01:00

core: added tls_threads_mode global parameter

- control how to execute functions that may be using libssl3 behind

---

Modified: src/core/cfg.lex
Modified: src/core/cfg.y
Modified: src/core/globals.h
Modified: src/main.c

---

Diff:  
https://github.com/kamailio/kamailio/commit/3697d763e340b7e88532a8b1920b0088c08fbc72.diff
Patch: 
https://github.com/kamailio/kamailio/commit/3697d763e340b7e88532a8b1920b0088c08fbc72.patch

---

diff --git a/src/core/cfg.lex b/src/core/cfg.lex
index 82278d5447a..d342aa5143d 100644
--- a/src/core/cfg.lex
+++ b/src/core/cfg.lex
@@ -439,6 +439,7 @@ TCP_WAIT_DATA   "tcp_wait_data"
 TCP_SCRIPT_MODE"tcp_script_mode"
 DISABLE_TLS"disable_tls"|"tls_disable"
 ENABLE_TLS "enable_tls"|"tls_enable"
+TLS_THREADS_MODE   "tls_threads_mode"
 TLSLOG "tlslog"|"tls_log"
 TLS_PORT_NO"tls_port_no"
 TLS_METHOD "tls_method"
@@ -953,6 +954,7 @@ IMPORTFILE  "import_file"
 {TCP_SCRIPT_MODE} { count(); yylval.strval=yytext; return 
TCP_SCRIPT_MODE; }
 {DISABLE_TLS} { count(); yylval.strval=yytext; return DISABLE_TLS; }
 {ENABLE_TLS}  { count(); yylval.strval=yytext; return ENABLE_TLS; }
+{TLS_THREADS_MODE}{ count(); yylval.strval=yytext; return 
TLS_THREADS_MODE; }
 {TLSLOG}  { count(); yylval.strval=yytext; return 
TLS_PORT_NO; }
 {TLS_PORT_NO} { count(); yylval.strval=yytext; return TLS_PORT_NO; }
 {TLS_METHOD}  { count(); yylval.strval=yytext; return TLS_METHOD; }
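Review bot: The `{TLSLOG}` rule kept as context directly under the new `{TLS_THREADS_MODE}` rule returns `TLS_PORT_NO` rather than `TLSLOG`, which reads like an old copy-paste slip. It predates this commit, but as written a `tls_log = N` line would be tokenised as TLS_PORT_NO and never reach the `TLSLOG EQUAL NUMBER` rule in cfg.y. Unless that is intentional, the rule should read `{TLSLOG} { count(); yylval.strval=yytext; return TLSLOG; }`. Since this commit adds a rule to the same block, it is a convenient place to confirm or fix it.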
diff --git a/src/core/cfg.y b/src/core/cfg.y
index 1f2ad7fb3fa..412fe5dece4 100644
--- a/src/core/cfg.y
+++ b/src/core/cfg.y
@@ -469,6 +469,7 @@ extern char *default_routename;
 %token TCP_SCRIPT_MODE
 %token DISABLE_TLS
 %token ENABLE_TLS
+%token TLS_THREADS_MODE
 %token TLSLOG
 %token TLS_PORT_NO
 %token TLS_METHOD
@@ -1440,6 +1441,14 @@ assign_stm:
#endif
}
| ENABLE_TLS EQUAL error { yyerror("boolean value expected"); }
+   | TLS_THREADS_MODE EQUAL NUMBER {
+   #ifdef USE_TLS
+   ksr_tls_threads_mode = $3;
+   #else
+   warn("tls support not compiled in");
+   #endif
+   }
+   | TLS_THREADS_MODE EQUAL error { yyerror("int value expected"); }
| TLSLOG EQUAL NUMBER {
#ifdef CORE_TLS
tls_log=$3;
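Review bot: The new `TLS_THREADS_MODE EQUAL NUMBER` action stores `$3` into `ksr_tls_threads_mode` without a range check, although only 0, 1 and 2 are defined. As the consumers on this page are written, rthreads.h treats every value other than 0 or 1 as always-threaded and tls_mod.c treats every non-zero value as enabled, so a typo such as 3 or 11 is silently accepted as mode 2. Reject out-of-range values at parse time, e.g. `if($3 < 0 || $3 > 2) yyerror("tls_threads_mode must be 0, 1 or 2"); else ksr_tls_threads_mode = $3;`. The assign_stm rule continues outside the hunk.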
diff --git a/src/core/globals.h b/src/core/globals.h
index 207205c9957..0487a3114eb 100644
--- a/src/core/globals.h
+++ b/src/core/globals.h
@@ -108,6 +108,7 @@ extern int ksr_tcp_script_mode;
 #ifdef USE_TLS
 extern int tls_disable;
 extern unsigned short tls_port_no;
+extern int ksr_tls_threads_mode;
 #endif
 #ifdef USE_SCTP
 extern int sctp_disable;
diff --git a/src/main.c b/src/main.c
index 8e34285fde2..f7cb643ea34 100644
--- a/src/main.c
+++ b/src/main.c
@@ -326,8 +326,9 @@ int tcp_disable = 0; /* 1 if tcp is disabled */
 int tls_disable = 0; /* tls enabled by default */
 #else
 int tls_disable = 1; /* tls disabled by default */
-#endif /* CORE_TLS */
-#endif /* USE_TLS */
+#endif   /* CORE_TLS */
+int ksr_tls_threads_mode = 0; /* threads execution mode for tls with libssl */
+#endif   /* USE_TLS */
 #ifdef USE_SCTP
 int sctp_children_no = 0;
 int sctp_disable = 2; /* 1 if sctp is disabled, 2 if auto mode, 0 enabled */



[sr-dev] Jenkins build is back to normal : kamailiodev-nightly-binaries » amd64,jammy #2598

2024-02-11 Thread kamailio--- via sr-dev
See 




[sr-dev] Re: [kamailio/kamailio] [5.7] Restore libssl default behaviour on stable; opt-in to libssl thread-guards required (PR #3754)

2024-02-11 Thread space88man via sr-dev
@space88man pushed 1 commit.

ca11f917a7803a20a19c1818134a660aae5b42ac  tls: restore default to bypass thread 
guards

-- 
View it on GitHub:
https://github.com/kamailio/kamailio/pull/3754/files/ee337115b47935bd81e0a4ab7e40ee338ca4c312..ca11f917a7803a20a19c1818134a660aae5b42ac


[sr-dev] [kamailio/kamailio] Restore libssl default behaviour on stable; opt-in to libssl thread-guards required (PR #3754)

2024-02-11 Thread space88man via sr-dev




 Pre-Submission Checklist



- [X] Commit message has the format required by CONTRIBUTING guide
- [X] Commits are split per component (core, individual modules, libs, utils, 
...)
- [X] Each component has a single commit (if not, squash them into one commit)
- [X] No commits to README files for modules (changes must be done to docbook 
files
in `doc/` subfolder, the README file is autogenerated)

 Type Of Change
- [ ] Small bug fix (non-breaking change which fixes an issue)
- [X] New feature (non-breaking change which adds new functionality)
- [ ] Breaking change (fix or feature that would change existing functionality)

 Checklist:

- [ ] PR should be backported to stable branches
- [X] Tested changes locally
- [ ] Related to issue # (replace  with an open issue number)

 Description
This PR restores the default behaviour of stable branch and makes libssl 
thread-guard work opt-in.
- user's config from 5.7.3 will run unchanged
- backport tls_threads_mode = 0|1|2 from dev; user must explicitly opt-in to 
libssl changes

Scenario 1: user does not change 5.7.3 configuration; then libssl thread-guards 
will be disabled and Kamailio will run as before

Scenario 2: user must opt-in to libssl thread-guards; `tls_threads_mode` has 
been backported from dev and user must use `tls_threads_mode = 1` in the 
configuration. The default value is `tls_threads_mode = 0`




You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/3754

-- Commit Summary --

  * core: added tls_threads_mode global parameter
  * core/rthreads.h: use global ksr_tls_threads_mode to constrain thread
  * Sample etc/kamailio.cfg: global var tls_threads_mode
  * tls: restore default to bypass thread guards

-- File Changes --

M etc/kamailio.cfg (17)
M src/core/cfg.lex (2)
M src/core/cfg.y (9)
M src/core/globals.h (1)
M src/core/rthreads.h (33)
M src/main.c (5)
M src/modules/tls/tls_mod.c (4)

-- Patch Links --

https://github.com/kamailio/kamailio/pull/3754.patch
https://github.com/kamailio/kamailio/pull/3754.diff

-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/3754


[sr-dev] Fwd: Reject TCP SYN

2024-02-11 Thread David Villasmil via sr-dev
Hello all,

Following up on this, I made a patch (attached), could you please review
and apply if it looks ok?
The patch creates a new core cfg variable which, if set, will reject any
incoming NEW tcp connection attempt, so we can use this to gracefully drain
kamailio.

Thanks & Regards,

David Villasmil
email: david.villasmil.w...@gmail.com
phone: +34669448337

Forwarded Conversation
Subject: Reject TCP SYN


From: David Villasmil 
Date: Thu, Feb 8, 2024 at 2:27 PM
To: Kamailio (SER) - Users Mailing List 


Hello all,

Is there any way of actually rejecting (RST) NEW tcp connection attempts,
while allowing the ongoing ones to finish naturally?

I’m thinking maybe we can add this feature?

Regards,

David Villasmil
email: david.villasmil.w...@gmail.com
phone: +34669448337


--
From: Henning Westerholt 
Date: Fri, Feb 9, 2024 at 2:08 PM
To: Kamailio (SER) - Users Mailing List 
Cc: David Villasmil 


Hello,



what about e.g. just using something like iptables, nftables etc..?



iptables -A INPUT -p tcp --syn --destination-port <port> -j REJECT
--reject-with icmp-host-prohibited



Cheers,



Henning


--
From: David Villasmil 
Date: Fri, Feb 9, 2024 at 2:42 PM
To: Henning Westerholt 
Cc: Kamailio (SER) - Users Mailing List 



Hey, Henning, yeah I thought about that, but thought that maybe there was a
better way to do it via Kamailio

Thanks!

Regards,

David Villasmil
email: david.villasmil.w...@gmail.com
phone: +34669448337


0001-core-tcp-reject-new-tcp-connections-if-reject_new_tc.patch
Description: Binary data