diff options
| author | Vladimir Homutov <vl@nginx.com> | 2022-01-19 22:39:24 +0300 |
|---|---|---|
| committer | Vladimir Homutov <vl@nginx.com> | 2022-01-19 22:39:24 +0300 |
| commit | 8a4a267d74fa31e4693691a1a8788b0773329481 (patch) | |
| tree | 9977ce66a227ef0369b9e5e6541b175b70c892e4 /src/event/quic/ngx_event_quic_output.c | |
| parent | 1f97aa71ecaa75dfd646495a13534b10405b500c (diff) | |
| download | nginx-8a4a267d74fa31e4693691a1a8788b0773329481.tar.gz nginx-8a4a267d74fa31e4693691a1a8788b0773329481.tar.bz2 | |
QUIC: reworked migration handling.
The quic connection now holds active, backup and probe paths instead
of sockets. The number of migration paths is now limited and cannot
be inflated by a bad client or an attacker.
The client id is now associated with path rather than socket. This allows
to simplify processing of output and connection ids handling.
New migration abandons any previously started migrations. This allows to
free consumed client ids and request new for use in future migrations and
make progress in case when connection id limit is hit during migration.
A path now can be revalidated without losing its state.
The patch also fixes various issues with NAT rebinding case handling:
- paths are now validated (previously, there was no validation
and paths were left in limited state)
- attempt to reuse id on different path is now again verified
(this was broken in 40445fc7c403)
- former path is now validated in case of apparent migration
Diffstat (limited to 'src/event/quic/ngx_event_quic_output.c')
| -rw-r--r-- | src/event/quic/ngx_event_quic_output.c | 45 |
1 files changed, 24 insertions, 21 deletions
diff --git a/src/event/quic/ngx_event_quic_output.c b/src/event/quic/ngx_event_quic_output.c index 5599cdeb1..d4b079125 100644 --- a/src/event/quic/ngx_event_quic_output.c +++ b/src/event/quic/ngx_event_quic_output.c @@ -51,7 +51,7 @@ static ssize_t ngx_quic_send_segments(ngx_connection_t *c, u_char *buf, static ssize_t ngx_quic_output_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx, u_char *data, size_t max, size_t min); static void ngx_quic_init_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx, - ngx_quic_header_t *pkt); + ngx_quic_header_t *pkt, ngx_quic_path_t *path); static ngx_uint_t ngx_quic_get_padding_level(ngx_connection_t *c); static ssize_t ngx_quic_send(ngx_connection_t *c, u_char *buf, size_t len, struct sockaddr *sockaddr, socklen_t socklen); @@ -131,7 +131,7 @@ ngx_quic_create_datagrams(ngx_connection_t *c) qc = ngx_quic_get_connection(c); cg = &qc->congestion; - path = qc->socket->path; + path = qc->path; while (cg->in_flight < cg->window) { @@ -269,7 +269,7 @@ ngx_quic_allow_segmentation(ngx_connection_t *c) return 0; } - if (qc->socket->path->limited) { + if (qc->path->limited) { /* don't even try to be faster on non-validated paths */ return 0; } @@ -325,7 +325,7 @@ ngx_quic_create_segments(ngx_connection_t *c) qc = ngx_quic_get_connection(c); cg = &qc->congestion; - path = qc->socket->path; + path = qc->path; ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application); @@ -505,17 +505,18 @@ static ssize_t ngx_quic_output_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx, u_char *data, size_t max, size_t min) { - size_t len, pad, min_payload, max_payload; - u_char *p; - ssize_t flen; - ngx_str_t res; - ngx_int_t rc; - ngx_uint_t nframes, expand; - ngx_msec_t now; - ngx_queue_t *q; - ngx_quic_frame_t *f; - ngx_quic_header_t pkt; - static u_char src[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; + size_t len, pad, min_payload, max_payload; + u_char *p; + ssize_t flen; + ngx_str_t res; + ngx_int_t rc; + ngx_uint_t nframes, expand; + ngx_msec_t now; + ngx_queue_t *q; + ngx_quic_frame_t *f; + ngx_quic_header_t pkt; + ngx_quic_connection_t *qc; + static u_char src[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; if (ngx_queue_empty(&ctx->frames)) { return 0; @@ -525,7 +526,9 @@ ngx_quic_output_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx, "quic output %s packet max:%uz min:%uz", ngx_quic_level_name(ctx->level), max, min); - ngx_quic_init_packet(c, ctx, &pkt); + qc = ngx_quic_get_connection(c); + + ngx_quic_init_packet(c, ctx, &pkt, qc->path); min_payload = ngx_quic_payload_size(&pkt, min); max_payload = ngx_quic_payload_size(&pkt, max); @@ -668,14 +671,14 @@ ngx_quic_output_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx, static void ngx_quic_init_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx, - ngx_quic_header_t *pkt) + ngx_quic_header_t *pkt, ngx_quic_path_t *path) { ngx_quic_socket_t *qsock; ngx_quic_connection_t *qc; qc = ngx_quic_get_connection(c); - qsock = qc->socket; + qsock = ngx_quic_get_socket(c); ngx_memzero(pkt, sizeof(ngx_quic_header_t)); @@ -693,8 +696,8 @@ ngx_quic_init_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx, } } - pkt->dcid.data = qsock->cid->id; - pkt->dcid.len = qsock->cid->len; + pkt->dcid.data = path->cid->id; + pkt->dcid.len = path->cid->len; pkt->scid.data = qsock->sid.id; pkt->scid.len = qsock->sid.len; @@ -1202,7 +1205,7 @@ ngx_quic_frame_sendto(ngx_connection_t *c, ngx_quic_frame_t *frame, qc = ngx_quic_get_connection(c); ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application); - ngx_quic_init_packet(c, ctx, &pkt); + ngx_quic_init_packet(c, ctx, &pkt, path); min = ngx_quic_path_limit(c, path, min); |