Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proxy protocol #281

Merged
merged 39 commits into from
Oct 3, 2023
Merged

Proxy protocol #281

merged 39 commits into from
Oct 3, 2023

Conversation

wcawijngaards
Copy link
Member

@wcawijngaards wcawijngaards commented May 23, 2023
edited
Loading

This is an implementation of PROXYv2 for NSD.

It can be configured with proxy-protocol-port: <portnum> with the port number of the interface on which proxy traffic is handled. The interface can support proxy traffic for UDP, TCP and TLS.

It uses code from Unbound, that implements the proxy protocol specs, in NLnetLabs/unbound#881 .

@wcawijngaards
- proxy-protocol, add the proxy protocol generic code proxy_protocol.…
4abbe52 
…c and

  proxy_protocol.h.
@wcawijngaards
- proxy-protocol, adjust Makefile.in for util/proxy_protocol.c.
1115cc6
@wcawijngaards
- proxy-protocol, init proxy protocol write function callbacks.
5a4128e
@wcawijngaards
- proxy-protocol, change to store proxy address in struct query.
bedea96
@wcawijngaards
- proxy-protocol, adjust generic header for IPv6 support with ifdef.
abbd396
@wcawijngaards
- proxy-protocol, handle udp proxy header.
3ca39bd
@wcawijngaards
- proxy-protocol, check size for safety.
5ae3828
@wcawijngaards
- proxy-protocol, take care with unaligned reads for safety.
80caade
@wcawijngaards
- proxy-protocol, verbose error output for header read failure.
8726df8
@wcawijngaards
- proxy-protocol, add unit test for proxy protocol.
c38971b
@wcawijngaards
- proxy-protocol, remove whitespace from test text file.
a011f8e
@wcawijngaards
- proxy-protocol, use proxy address for access list block checks.
69abf73
@wcawijngaards
- proxy-protocol, remove unused whitespace.
ff8cd98
@wcawijngaards
- proxy-protocol, error output easier to read.
4009e11
@wcawijngaards
- proxy-protocol, unit test for allow query interaction with proxy ad…
ace0429 
…dress.
@wcawijngaards
- proxy-protocol, unit test for provide-xfr interaction with proxy ad…
bd3108b 
…dress.
@wcawijngaards
- proxy-protocol, unit test for allow-notify interfaction with proxy …
42d490b 
…address.

  Fix for printout of refusal in log.
@wcawijngaards
Merge branch 'master' into proxy-protocol
f7299a8
@wcawijngaards
- proxy-protocol, make depend.
4f34f3f
@wcawijngaards
- proxy-protocol, fix compile.
82f9433
@wcawijngaards
- proxy-protocol, handle tcp proxy header.
b8df903
@wcawijngaards
- proxy-protocol, add zone file to test case.
4548045
@wcawijngaards
- proxy-protocol, unit test for tcp.
fda5e2f
@wcawijngaards
- proxy-protocol, remove debug output of log err.
b0d7732
@wcawijngaards
Merge branch 'master' into proxy-protocol
badcb2e
@wcawijngaards
- proxy-protocol, test setup for TLS.
2505471
@wcawijngaards
- proxy-protocol, handle tls proxy header.
82e5d8c
@wcawijngaards
- proxy-protocol, do not log proxy addr if the query is not proxied.
3cff8db
@wcawijngaards
- proxy-protocol, unit test for tls.
d6814a0
@wcawijngaards
- proxy-protocol, proxy-protocol-port: portno option.
30417e3
@wcawijngaards wcawijngaards self-assigned this May 23, 2023
k0ekk0ek
k0ekk0ek approved these changes May 31, 2023
View reviewed changes
Copy link
Contributor

@k0ekk0ek k0ekk0ek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some small remarks about things that stood out. Nothing blocking.

server.c Outdated Show resolved Hide resolved
server.c Show resolved Hide resolved
server.c Outdated Show resolved Hide resolved
options.c Show resolved Hide resolved
util/proxy_protocol.c Outdated Show resolved Hide resolved
util/proxy_protocol.c Outdated Show resolved Hide resolved
util/proxy_protocol.h Show resolved Hide resolved
server.c Outdated Show resolved Hide resolved
@pettai
Copy link

pettai commented Sep 19, 2023

Hi,
Any update on when this is going to be merged into the main branch?

@k0ekk0ek
Copy link
Contributor

Hi @pettai, it's waiting for one more review to complete. Expect this to be merged soon.

@pettai pettai mentioned this pull request Sep 22, 2023
Closed
@pettai
Copy link

pettai commented Sep 22, 2023

I noted an issue #297 then merging this branch to the latest git version of NSD, so apart from the review, this also needs to be fixed before merging. Thx

@wcawijngaards
- proxy-protocol, Fix #297, NSD: handle_tcp_reading: Assertion `buffe…
dfcdadb 
…r_remaining(data->query->packet) > 0' failed.
@wcawijngaards
Copy link
Member Author

The commit dfcdadb fixes the issue. The buffer was not reset properly between queries, the commit fixes that.

gthess
gthess approved these changes Sep 29, 2023
View reviewed changes
Copy link
Member

@gthess gthess left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR looks nice!
Just replied on @k0ekk0ek 's suggestions.

util/proxy_protocol.c Outdated Show resolved Hide resolved
util/proxy_protocol.h Show resolved Hide resolved
util/proxy_protocol.c Outdated Show resolved Hide resolved
gthess and others added 2 commits September 29, 2023 15:03
@gthess
proxy-protocol, review comments:
d8a47b1 
- more generic switch statement for address families;
- comment the protocol values as such in their definitions;
- less hardcoded values for address family and protocol combinations.
@wcawijngaards
proxy-protocol, guard AF_INET6 use with ifdef.
ebb0192
@wcawijngaards wcawijngaards merged commit 7a3a604 into master Oct 3, 2023
4 checks passed
wcawijngaards added a commit that referenced this pull request Oct 3, 2023
@wcawijngaards
Changelog note for #281
42208cc 
- Merge #281: Proxy protocol. An implementation of PROXYv2 for NSD.
  It can be configured with proxy-protocol-port: portnum with the
  port number of the interface on which proxy traffic is handled.
  The interface can support proxy traffic for UDP, TCP and TLS.
@pettai
Copy link

pettai commented Oct 3, 2023

So it has been done 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gthess gthess gthess approved these changes

@k0ekk0ek k0ekk0ek k0ekk0ek approved these changes

Assignees

@wcawijngaards wcawijngaards

Labels
None yet
Projects
No open projects
NSD proxy-protocol
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@wcawijngaards @pettai @k0ekk0ek @gthess @and0x000