Proxy protocol #923

Merged 21 commits on Dec 8, 2023

@ywc689 ywc689 commented Nov 15, 2023

No description provided.

@ywc689 ywc689 changed the base branch from master to devel November 15, 2023 08:54

ywc689 commented Nov 21, 2023

toa uoa (ipo) uoa (opp) proxy protocol (v1) proxy protocol (v2)
FNAT44
FNAT66 ×
FNAT64 ×
TCP × ×
UDP × ×

| | toa | uoa (ipo mode) | uoa (opp mode) | proxy protocol (v1 & v2) |
|---|---|---|---|---|
| configuration switch | always on | global, default off | global, default on | per-service, toa/uoa mutually exclusive |
| where client address resides | tcp option | ipv4 option | private ip protocol | tcp/udp beginning payload |
| standardization | private standard | private implementation | private implementation | de facto standard |
| application intrusiveness | transparent | transparent (only fnat44 supported) | transparent when uoa.ko installed | intrusive |
| client address resolution intrusiveness | transparent for fnat44/fnat66; intrusive for fnat64 | intrusive | intrusive | intrusive |
| client source address resolution | support | support | support | support |
| client destination address resolution | not support | not support | not support | support |
| kernel module requirement on realserver | toa.ko, not compulsory when client addresses aren't concerned | uoa.ko | uoa.ko | no kernel module required |
| load balancer cascading | not support | not support | not support | support |
| retransmission | support | fixed times, default 3 | fixed times, default 3 | support for tcp, not support for udp |
| underlay network supports | good | bad | medium | good |
| client address loss cases | when not enough tcp option room in first ack seg | general udp packet loss | general udp packet loss | no loss for tcp, general udp packet loss for udp |
| well-known application supports | - | - | - | haproxy, nginx, envoy, ... |
| intrusive application server examples | fnat64 | udp_serv | udp_serv | tcp_server, udp_server, official sample code |

@ywc689 ywc689 added the pr/to-review-codes review codes line by line and check if problem exists. label Nov 21, 2023
return EDPVS_OK;
}

if (unlikely(EDPVS_OK != proxy_proto_parse(mbuf, offset, &ppinfo)))
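Review bot: the `proxy_proto_parse(mbuf, offset, &ppinfo)` check has no comment saying what a parse failure means for the packet. One line above the `if` stating whether a header that fails to parse is dropped, forwarded as payload, or replaced by a fresh one would help, since these bytes come from the peer and the choice decides which client address the backend ends up trusting.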
Collaborator

If DPVS receives invalid proxy_protocol data, should DPVS terminate the connection or reconstruct the proxy_protocol data?

Collaborator Author

Yes, we did. If the proxy protocol data is invalid in the original packets, ppinfo.datalen is set to zero in proxy_proto_parse, and then the following proxy_proto_insert will add a new one later.

But fragile proxy protocol data may not be removed if not recognized. But I think it's reasonable to pass the unknown data to backends in this case.

@ywc689 ywc689 added pr/codes-reviewed-ok code review passed and no problem found pr/codes-tested-ok compile ok and specified tests passed pr/accepted the pr passed all review stages and await to be merged and removed pr/to-review-codes review codes line by line and check if problem exists. labels Dec 7, 2023
Two versions -- v1-insecure and v2-insecure -- are added for the proxy cascading
case where the proxy protocol addresses should remain unchanged in the backend
proxy server. Meanwhile, the v1 and v2 versions are always using the addresses
from client's ip header of inbound packets.

Signed-off-by: ywc689 <[email protected]>
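
A small model of the behaviour discussed in this thread, added here as an example and not taken from the DPVS code: strict validation of a v1 TCP4 header, then the choice between regenerating the header from the inbound IP header (v1) and keeping the inbound one (v1-insecure). The names `pp1_parse` and `pp1_rewrite` and all addresses are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#define PP1_MAX 107 /* longest v1 line including CRLF, per the PROXY spec */
/* Length of a well-formed v1 TCP4 header at the start of buf, else 0. Fields are
 * parsed, range-checked, re-serialised and compared with the input line. */
size_t pp1_parse(const char *buf, size_t len)
{
    char line[PP1_MAX + 1], canon[PP1_MAX + 1], s[16], d[16];
    unsigned sp, dp;
    struct in_addr a;
    size_t n = len < PP1_MAX ? len : PP1_MAX;
    char *crlf;
    memcpy(line, buf, n);
    line[n] = '\0';
    if ((crlf = strstr(line, "\r\n")) == NULL)
        return 0;
    *crlf = '\0';
    if (sscanf(line, "PROXY TCP4 %15s %15s %5u %5u", s, d, &sp, &dp) != 4)
        return 0;
    if (inet_pton(AF_INET, s, &a) != 1 || inet_pton(AF_INET, d, &a) != 1)
        return 0;
    if (sp > 65535 || dp > 65535)
        return 0;
    snprintf(canon, sizeof canon, "PROXY TCP4 %s %s %u %u", s, d, sp, dp);
    return strcmp(canon, line) == 0 ? (size_t)(crlf - line) + 2 : 0;
}

/* Writes the header the backend will see into out; returns how many inbound
 * bytes were recognised as an old header (0 = nothing stripped). */
size_t pp1_rewrite(const char *in, size_t len, int insecure, const char *peer,
                   unsigned pport, const char *vip, unsigned vport, char *out, size_t outsz)
{
    size_t old = pp1_parse(in, len);
    if (old && insecure) /* cascading: keep the upstream proxy's addresses */
        snprintf(out, outsz, "%.*s", (int)old, in);
    else                 /* default: addresses from the inbound IP header */
        snprintf(out, outsz, "PROXY TCP4 %s %s %u %u\r\n", peer, vip, pport, vport);
    return old;
}

int main(void)
{
    /* constructed input: a peer at 203.0.113.7 claiming to be 10.9.9.9 */
    const char in[] = "PROXY TCP4 10.9.9.9 192.0.2.1 4000 80\r\nGET /";
    char out[PP1_MAX + 1];
    pp1_rewrite(in, strlen(in), 0, "203.0.113.7", 51000, "192.0.2.1", 80, out, sizeof out);
    return fputs(out, stdout) == EOF;
}
```

With `insecure` set, whatever addresses the peer wrote reach the backend, so that mode fits only services whose peers are known upstream proxies.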