Google Git
Sign in
apache / trafficserver / e65cf23015fd743cd790d9f7868a3731d62fc2a8^! / .
commite65cf23015fd743cd790d9f7868a3731d62fc2a8[log] [tgz]
authorValentín Gutiérrez <vgutierrez@apache.org>Mon Oct 26 17:33:58 2020 +0000
committerGitHub <noreply@github.com>Mon Oct 26 17:33:58 2020 +0000
tree500b3b8defd93695d8b4f01fe4f87405c96844f7
parentbf45adf8b6089838538bf526347283285c991b18 [diff]
Allow disabling SO_MARK and IP_TOS usage (#7292)

Add two socket option flags to allow disabling SO_MARK and IP_TOS
usage on configuration time. This is pretty handy on environments
where you don't wish to grant CAP_NET_ADMIN to TS.
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index 7e4a97e..42764a0 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst

@@ -4273,6 +4273,8 @@
         SO_KEEPALIVE (2)
         SO_LINGER (4) - with a timeout of 0 seconds
         TCP_FASTOPEN (8)
+        PACKET_MARK (16)
+        PACKET_TOS (32)
 
 .. note::
 
@@ -4305,6 +4307,8 @@
         SO_KEEPALIVE (2)
         SO_LINGER (4) - with a timeout of 0 seconds
         TCP_FASTOPEN (8)
+        PACKET_MARK (16)
+        PACKET_TOS (32)
 
 .. note::
 

diff --git a/iocore/net/I_NetVConnection.h b/iocore/net/I_NetVConnection.h
index fac5762..c2aa346 100644
--- a/iocore/net/I_NetVConnection.h
+++ b/iocore/net/I_NetVConnection.h

@@ -174,6 +174,10 @@
   static uint32_t const SOCK_OPT_LINGER_ON = 4;
   /// Value for TCP Fast open @c sockopt_flags
   static uint32_t const SOCK_OPT_TCP_FAST_OPEN = 8;
+  /// Value for SO_MARK @c sockopt_flags
+  static uint32_t const SOCK_OPT_PACKET_MARK = 16;
+  /// Value for IP_TOS @c sockopt_flags
+  static uint32_t const SOCK_OPT_PACKET_TOS = 32;
 
   uint32_t packet_mark;
   uint32_t packet_tos;

diff --git a/iocore/net/UnixConnection.cc b/iocore/net/UnixConnection.cc
index 6d68ff7..eb13f79 100644
--- a/iocore/net/UnixConnection.cc
+++ b/iocore/net/UnixConnection.cc

@@ -414,16 +414,20 @@
   }
 
 #if TS_HAS_SO_MARK
-  uint32_t mark = opt.packet_mark;
-  safe_setsockopt(fd, SOL_SOCKET, SO_MARK, reinterpret_cast<char *>(&mark), sizeof(uint32_t));
+  if (opt.sockopt_flags & NetVCOptions::SOCK_OPT_PACKET_MARK) {
+    uint32_t mark = opt.packet_mark;
+    safe_setsockopt(fd, SOL_SOCKET, SO_MARK, reinterpret_cast<char *>(&mark), sizeof(uint32_t));
+  }
 #endif
 
 #if TS_HAS_IP_TOS
-  uint32_t tos = opt.packet_tos;
-  if (addr.isIp4()) {
-    safe_setsockopt(fd, IPPROTO_IP, IP_TOS, reinterpret_cast<char *>(&tos), sizeof(uint32_t));
-  } else if (addr.isIp6()) {
-    safe_setsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, reinterpret_cast<char *>(&tos), sizeof(uint32_t));
+  if (opt.sockopt_flags & NetVCOptions::SOCK_OPT_PACKET_TOS) {
+    uint32_t tos = opt.packet_tos;
+    if (addr.isIp4()) {
+      safe_setsockopt(fd, IPPROTO_IP, IP_TOS, reinterpret_cast<char *>(&tos), sizeof(uint32_t));
+    } else if (addr.isIp6()) {
+      safe_setsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, reinterpret_cast<char *>(&tos), sizeof(uint32_t));
+    }
   }
 #endif
 }