VIP15: Specifying source address for outgoing sockets
Make it possible to specify source address for outgoing TCP connections (backends, -M)
Traffic engineering.
This is the hard bit. Ideally the IETF would have paid more attention to how one specifies network addresses, but as the long list of RFCs on how to write IPv6 addresses documents, they are morons.
The best proposal I can come up with is something like:
IP [PORT] '/' IP [PORT]
The trivial way to implement this would be to double the size of struct suckaddr which has merits as it could then be used to have all the info about a TCP connection, but it is a major API breakage fest.
A less intrusive way is to special-case it for -M and backend definitions, which "only" breaks that backend API for VMODS.
Regarding API considerations, I think suckaddr should not be concerned with source addresses, and endpoints that need to track both destinations and sources should have suckaddrs for both. We probably want a separate function for this source address use case:
int
VTCP_connect_from(const struct suckaddr *dest, const struct suckaddr *src, int msec);
For source address usage, we should mimic timeouts and start from runtime parameters:
ipv[46]_source_address
- default value: auto (don't bind, leave it to the operating system)
- syntax: CIDR aka IP[/PREFIX]
- this should probably be limited to IP literals (read AI_NUMERICHOST)
The CIDR notation would simply be a convenience to zero the bits after the subnet. The actual subnet would be configured at the operating system level anyway.
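As an added illustration (hypothetical helper, not Varnish code), this parses the "auto | CIDR" value described above into a sockaddr: "auto" means leave binding to the operating system, only IP literals are accepted (the AI_NUMERICHOST restriction, so no DNS lookup can be triggered from this field), and the bits after PREFIX are zeroed as the convenience described. The function name, the src_mode enum and the return convention are assumptions.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper, not Varnish code: parse the proposed "auto | CIDR"
 * source address syntax into a sockaddr. Returns SRC_AUTO (do not bind,
 * leave it to the OS), SRC_BIND (bind *out before connecting) or SRC_ERROR. */
enum src_mode { SRC_ERROR = -1, SRC_AUTO = 0, SRC_BIND = 1 };

static enum src_mode
parse_source_address(const char *spec, int af, struct sockaddr_storage *out)
{
	char buf[INET6_ADDRSTRLEN + 4], *slash, *end;
	unsigned char *bytes;
	long prefix, maxbits, i;

	if (spec == NULL || strcmp(spec, "auto") == 0)
		return (SRC_AUTO);
	if ((af != AF_INET && af != AF_INET6) || strlen(spec) >= sizeof buf)
		return (SRC_ERROR);
	strcpy(buf, spec);
	maxbits = prefix = (af == AF_INET) ? 32 : 128;
	if ((slash = strchr(buf, '/')) != NULL) {
		*slash = '\0';
		errno = 0;
		prefix = strtol(slash + 1, &end, 10);
		if (errno != 0 || end == slash + 1 || *end != '\0' ||
		    prefix < 0 || prefix > maxbits)
			return (SRC_ERROR);
	}
	/* inet_pton() accepts IP literals only, which is the AI_NUMERICHOST
	 * restriction: a hostname in this field never triggers a DNS lookup. */
	memset(out, 0, sizeof *out);
	out->ss_family = af;
	bytes = (af == AF_INET)
	    ? (unsigned char *)&((struct sockaddr_in *)out)->sin_addr
	    : (unsigned char *)&((struct sockaddr_in6 *)out)->sin6_addr;
	if (inet_pton(af, buf, bytes) != 1)
		return (SRC_ERROR);
	/* The CIDR convenience from the proposal: zero every bit after PREFIX. */
	for (i = prefix; i < maxbits; i++)
		bytes[i / 8] &= (unsigned char)~(1u << (7 - i % 8));
	return (SRC_BIND);
}
```

A caller that gets SRC_BIND would bind() the socket to *out before connect(); with SRC_AUTO it skips the bind entirely.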
We could then override at the backend level:
backend be {
.host = "IP";
.ipv4_source_address = "auto | CIDR";
.ipv6_source_address = "auto | CIDR";
}
And finally, override at the task level:
sub vcl_backend_fetch {
set bereq.ipv4_source_address = "auto | CIDR";
set bereq.ipv6_source_address = "auto | CIDR";
}
This implies that we don't generalize a syntax for -M or other features in this setup.
It has no effect on unix-domain sockets.
We need to define the desired effect on connection pooling. The configured source address should probably be part of the pool key, not the effective address bound by the operating system.