address: IPv4/IPv6 dual bind.#2201
Conversation
This adds support for listening for both IPv4 and IPv6 when binding to ::. Signed-off-by: Harvey Tuch <[email protected]>
|
Feel free to review, I will work on an independent PR to convert the admin integration test to v2 so I can get the integration tests happening. |
|
FWIW I have that test 90% ported but the patch depends on 2185 landing |
include/envoy/network/address.h
Outdated
| /** | ||
| * @return IPv4-IPv6 mapping disabled for IPv6 addresses? | ||
| */ | ||
| virtual bool v6only() const PURE; |
There was a problem hiding this comment.
Should this be on class Ipv6 instead of here?
There was a problem hiding this comment.
Maybe? Need to do some dynamic casting to make use of where I needed it, but I agree it's cleaner at the interface level.
There was a problem hiding this comment.
Can't you pivot off of ipv6() being not-null in the cases that you need?
| } | ||
|
|
||
| InstanceConstSharedPtr addressFromFd(int fd) { | ||
| InstanceConstSharedPtr addressFromFd(int fd, bool v6only) { |
There was a problem hiding this comment.
In this case, shouldn't we getsockopt to determine if it is set, instead of having this as a parameter?
Signed-off-by: Harvey Tuch <[email protected]>
Signed-off-by: Harvey Tuch <[email protected]>
Signed-off-by: Harvey Tuch <[email protected]>
| int socket_v6only = 0; | ||
| socklen_t size_int = sizeof(socket_v6only); | ||
| rc = ::getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &socket_v6only, &size_int); | ||
| if (rc != 0 && errno != EOPNOTSUPP) { |
There was a problem hiding this comment.
Is this safe on all platforms, ie do all platforms that don't support this option return EOPNOTSUPP? As much as it is distasteful, it's tempting to ignore all errors from this getsockopt and just assume the default value if it fails.
| int socket_v6only = 0; | ||
| socklen_t size_int = sizeof(socket_v6only); | ||
| rc = ::getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &socket_v6only, &size_int); | ||
| if (rc != 0 && errno != EOPNOTSUPP) { |
There was a problem hiding this comment.
On second thought, there is a RELEASE_ASSERT that setting this sockopt does not fail, so I think you can treat any failure (ie ignore value of errno) as a failure here.
| if (ss.ss_family == AF_INET6) { | ||
| socklen_t size_int = sizeof(socket_v6only); | ||
| rc = ::getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &socket_v6only, &size_int); | ||
| if (rc != 0) { |
There was a problem hiding this comment.
realistically can this ever fail? Should this be RELEASE_ASSERT?
|
AFAIK this represents IPv4 connections received on a [::] listener as having (IPv4 compatible) IPv6 addresses. I have an implementation on my work queue that returns an Address::Ipv4Instance instead in that case. I thought otherwise logging and possibly listener filter chain address matching would be impacted. Also, I would have assumed risk of existing deployments breaking due to v6 sockets accepting v4 connections being low, especially if the address would be internally treated as an IPv4 address like above. If this assumption holds there would be no need to do V6ONLY syscalls at all on platforms that default to accepting v4 connections on v6 sockets. Thoughs? |
|
I think for listener filter chain address matching, you just use the IPv4-in-IPv6 encoding in your configs and you're fine. The idea being you use the correct IP address representation matching what you are binding the listener to. For logging, I can see some advantage in either using an Ipv4Instance or just having an Address::Instance representation function that can do the IPv4 representation. If you have an implementation already in-flight, maybe post a rough PR and we can discuss? Otherwise I would be inclined to consider whether what we have there today is good enough. We agreed in envoyproxy/data-plane-api#332 to follow the haproxy convention of explicitly calling out dual bind in the listener socket options, is there a reason to change this? |
|
You can see my patch here, very simple but needs rebasing after these changes: |
|
As for the explicit dual bind, I had not thought it is necessary, but have no reason to request a change to the agreed solution. Apart from code complexity, but that is in the eye of the beholder anyway :-) |
|
On Jan 3, 2018, at 2:16 PM, jrajahalme ***@***.***> wrote:
You can see my patch here, very simple but needs rebasing after these changes:
***@***.*** <jrajahalme@baa4785>
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub <#2201 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGN127mRk2Bmen1yji1epXMrZ7AWLjTwks5tG_xVgaJpZM4RAHLA>.
I’m rebasing this on top of the current master, will issue a PR after some local testing.
Jarno
|
|
… On Jan 3, 2018, at 3:01 PM, jrajahalme ***@***.***> wrote:
> On Jan 3, 2018, at 2:16 PM, jrajahalme ***@***.***> wrote:
>
> You can see my patch here, very simple but needs rebasing after these changes:
>
> ***@***.*** <jrajahalme@baa4785>
> —
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly, view it on GitHub <#2201 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGN127mRk2Bmen1yji1epXMrZ7AWLjTwks5tG_xVgaJpZM4RAHLA>.
>
I’m rebasing this on top of the current master, will issue a PR after some local testing.
Jarno
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub <#2201 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGN12w9EXpMIhd-1QLQWGrUKW6LNjxsxks5tHAbCgaJpZM4RAHLA>.
|
|
@jrajahalme I think there are some valid reasons for explicit dual bind; you might want to allow multiple processes to listen on the same port and have one process pick up the IPv4 incoming and the other the IPv6. Having the ability to decide whether you are listening only for IPv6 becomes useful to allow that to happen. So, yeah, I think we should keep that. Thanks for #2309, we can continue this thread there. |
Adding changes since 0.4.5 to release notes Signed-off-by: JP Simard <[email protected]>
Adding changes since 0.4.5 to release notes Signed-off-by: JP Simard <[email protected]>
5 participants
This adds support for listening for both IPv4 and IPv6 when binding to ::.
Risk Level: Low
Testing: Added unit tests for resolver and address implementations. No integration tests yet, need to convert the admin integration test to v2 first to allow for ipv4_compat to be set on the admin bind address.
API Changes: envoyproxy/data-plane-api#332
Signed-off-by: Harvey Tuch [email protected]