Re: svn commit: r334719 - in head: cddl/lib/libdtrace lib/libc/sys sys/kern sys/netinet sys/netinet6 sys/sys
On Wed, Jun 06, 2018 at 03:45:57PM +, Sean Bruno wrote: > Author: sbruno > Date: Wed Jun 6 15:45:57 2018 > New Revision: 334719 > URL: https://svnweb.freebsd.org/changeset/base/334719 > > Log: > Load balance sockets with new SO_REUSEPORT_LB option. > > This patch adds a new socket option, SO_REUSEPORT_LB, which allow multiple > programs or threads to bind to the same port and incoming connections will > be > load balanced using a hash function. > > Most of the code was copied from a similar patch for DragonflyBSD. > > However, in DragonflyBSD, load balancing is a global on/off setting and can > not > be set per socket. This patch allows for simultaneous use of both the > current > SO_REUSEPORT and the new SO_REUSEPORT_LB options on the same system. > > Required changes to structures: > Globally change so_options from 16 to 32 bit value to allow for more > options. > Add hashtable in pcbinfo to hold all SO_REUSEPORT_LB sockets. > > Limitations: > As DragonflyBSD, a load balance group is limited to 256 pcbs (256 programs > or > threads sharing the same socket). > > This is a substantially different contribution as compared to its original > incarnation at svn r332894 and reverted at svn r332967. Thanks to rwatson@ > for the substantive feedback that is included in this commit. > > Submitted by: Johannes Lundberg > Obtained from: DragonflyBSD > Relnotes: Yes > Sponsored by: Limelight Networks > Differential Revision: https://reviews.freebsd.org/D11003 Hey Sean, This is a rather interesting and useful feature. Thank you for committing it. It seems there are some security trade-offs being made for applications that opt-in to this feature: third-party applications, potentially malicious, could bind to the port. I wonder if we could prevent malicious abuse of this feature by introducing a random cookie. When a developer sets this option, the developer must specify a random value as a cookie. Applications who want to share the port, then, must also specify the cookie (perhaps via another socket option?). What are your thoughts? I'm CC'ing Johannes to get his thoughts as well. Thanks, -- Shawn Webb Cofounder and Security Engineer HardenedBSD Tor-ified Signal:+1 443-546-8752 Tor+XMPP+OTR:latt...@is.a.hacker.sx GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE signature.asc Description: PGP signature
svn commit: r334719 - in head: cddl/lib/libdtrace lib/libc/sys sys/kern sys/netinet sys/netinet6 sys/sys
Author: sbruno Date: Wed Jun 6 15:45:57 2018 New Revision: 334719 URL: https://svnweb.freebsd.org/changeset/base/334719 Log: Load balance sockets with new SO_REUSEPORT_LB option. This patch adds a new socket option, SO_REUSEPORT_LB, which allow multiple programs or threads to bind to the same port and incoming connections will be load balanced using a hash function. Most of the code was copied from a similar patch for DragonflyBSD. However, in DragonflyBSD, load balancing is a global on/off setting and can not be set per socket. This patch allows for simultaneous use of both the current SO_REUSEPORT and the new SO_REUSEPORT_LB options on the same system. Required changes to structures: Globally change so_options from 16 to 32 bit value to allow for more options. Add hashtable in pcbinfo to hold all SO_REUSEPORT_LB sockets. Limitations: As DragonflyBSD, a load balance group is limited to 256 pcbs (256 programs or threads sharing the same socket). This is a substantially different contribution as compared to its original incarnation at svn r332894 and reverted at svn r332967. Thanks to rwatson@ for the substantive feedback that is included in this commit. Submitted by: Johannes Lundberg Obtained from:DragonflyBSD Relnotes: Yes Sponsored by: Limelight Networks Differential Revision:https://reviews.freebsd.org/D11003 Modified: head/cddl/lib/libdtrace/tcp.d head/lib/libc/sys/getsockopt.2 head/sys/kern/uipc_debug.c head/sys/kern/uipc_socket.c head/sys/netinet/in_pcb.c head/sys/netinet/in_pcb.h head/sys/netinet/ip_output.c head/sys/netinet/udp_usrreq.c head/sys/netinet6/in6_pcb.c head/sys/netinet6/in6_src.c head/sys/netinet6/ip6_output.c head/sys/netinet6/udp6_usrreq.c head/sys/sys/socket.h head/sys/sys/socketvar.h Modified: head/cddl/lib/libdtrace/tcp.d == --- head/cddl/lib/libdtrace/tcp.d Wed Jun 6 15:31:47 2018 (r334718) +++ head/cddl/lib/libdtrace/tcp.d Wed Jun 6 15:45:57 2018 (r334719) @@ -192,12 +192,12 @@ translator tcpsinfo_t < struct tcpcb *p > { tcps_rport =p == NULL ? 0 : ntohs(p->t_inpcb->inp_inc.inc_ie.ie_fport); tcps_laddr =p == NULL ? 0 : p->t_inpcb->inp_vflag == INP_IPV4 ? - inet_ntoa(>t_inpcb->inp_inc.inc_ie.ie_dependladdr.ie46_local.ia46_addr4.s_addr) : - inet_ntoa6(>t_inpcb->inp_inc.inc_ie.ie_dependladdr.ie6_local); + inet_ntoa(>t_inpcb->inp_inc.inc_ie.ie_dependladdr.id46_addr.ia46_addr4.s_addr) : + inet_ntoa6(>t_inpcb->inp_inc.inc_ie.ie_dependladdr.id6_addr); tcps_raddr =p == NULL ? 0 : p->t_inpcb->inp_vflag == INP_IPV4 ? - inet_ntoa(>t_inpcb->inp_inc.inc_ie.ie_dependfaddr.ie46_foreign.ia46_addr4.s_addr) : - inet_ntoa6(>t_inpcb->inp_inc.inc_ie.ie_dependfaddr.ie6_foreign); + inet_ntoa(>t_inpcb->inp_inc.inc_ie.ie_dependfaddr.id46_addr.ia46_addr4.s_addr) : + inet_ntoa6(>t_inpcb->inp_inc.inc_ie.ie_dependfaddr.id6_addr); tcps_state =p == NULL ? -1 : p->t_state; tcps_iss = p == NULL ? 0 : p->iss; tcps_irs = p == NULL ? 0 : p->irs; Modified: head/lib/libc/sys/getsockopt.2 == --- head/lib/libc/sys/getsockopt.2 Wed Jun 6 15:31:47 2018 (r334718) +++ head/lib/libc/sys/getsockopt.2 Wed Jun 6 15:45:57 2018 (r334719) @@ -152,6 +152,7 @@ and set with .It Dv SO_DEBUG Ta "enables recording of debugging information" .It Dv SO_REUSEADDR Ta "enables local address reuse" .It Dv SO_REUSEPORT Ta "enables duplicate address and port bindings" +.It Dv SO_REUSEPORT_LB Ta "enables duplicate address and port bindings with load balancing" .It Dv SO_KEEPALIVE Ta "enables keep connections alive" .It Dv SO_DONTROUTE Ta "enables routing bypass for outgoing messages" .It Dv SO_LINGER Ta "linger on close if data present" @@ -207,6 +208,15 @@ if they all set before binding the port. This option permits multiple instances of a program to each receive UDP/IP multicast or broadcast datagrams destined for the bound port. +.Pp +.Dv SO_REUSEPORT_LB +allows completely duplicate bindings by multiple processes +if they all set +.Dv SO_REUSEPORT_LB +before binding the port. +Incoming TCP and UDP connections are distributed among the sharing +processes based on a hash function of local port number, foreign IP +address and port number. A maximum of 256 processes can share one socket. .Pp .Dv SO_KEEPALIVE enables the Modified: head/sys/kern/uipc_debug.c == --- head/sys/kern/uipc_debug.c Wed Jun 6 15:31:47 2018(r334718) +++ head/sys/kern/uipc_debug.c Wed Jun 6 15:45:57 2018