mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-22 02:37:15 +00:00
96 lines
3.1 KiB
Groff
96 lines
3.1 KiB
Groff
.\"
|
|
.\" Copyright (c) 2024 Gleb Smirnoff <glebius@FreeBSD.org>
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
|
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\" "
|
|
.Dd April 24, 2024
|
|
.Dt ACCF_TLS 9
|
|
.Os
|
|
.Sh NAME
|
|
.Nm accf_tls
|
|
.Nd "buffer incoming connections until a TLS handshake like request arrives"
|
|
.Sh SYNOPSIS
|
|
.Nm options INET
|
|
.Nm options ACCEPT_FILTER_TLS
|
|
.Nm kldload accf_tls
|
|
.Sh DESCRIPTION
|
|
This is a filter to be placed on a socket that will be using
|
|
.Fn accept 2
|
|
to receive incoming HTTPS connections.
|
|
It prevents the application from receiving the connected descriptor via
|
|
.Fn accept 2
|
|
until a full TLS handshake has been buffered by the kernel.
|
|
The
|
|
.Nm
|
|
will first check that byte at offset 0 is
|
|
.Va 0x16 ,
|
|
which matches handshake type.
|
|
Then it will read 2-byte request length value at offset 3 and will
|
|
continue reading until reading the entire length of the handshake is buffered.
|
|
If something other than
|
|
.Va 0x16
|
|
is at offset 0, the kernel will allow the application to receive the
|
|
connection descriptor via
|
|
.Fn accept 2 .
|
|
.Pp
|
|
The utility of
|
|
.Nm
|
|
is such that a server will not have to context switch several times
|
|
before performing the initial parsing of the request.
|
|
This effectively reduces the amount of required CPU utilization
|
|
to handle incoming requests by keeping active
|
|
processes in preforking servers such as Apache low
|
|
and reducing the size of the file descriptor set that needs
|
|
to be managed by interfaces such as
|
|
.Fn select ,
|
|
.Fn poll
|
|
or
|
|
.Fn kevent
|
|
based servers.
|
|
.Sh EXAMPLES
|
|
Assuming ACCEPT_FILTER_TLS has been included in the kernel config
|
|
file or the
|
|
.Nm
|
|
module
|
|
has been loaded, this will enable the TLS accept filter
|
|
on the socket
|
|
.Fa sok .
|
|
.Bd -literal -offset 0i
|
|
struct accept_filter_arg afa;
|
|
|
|
bzero(&afa, sizeof(afa));
|
|
strcpy(afa.af_name, "tlsready");
|
|
setsockopt(sok, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa));
|
|
.Ed
|
|
.Sh SEE ALSO
|
|
.Xr setsockopt 2 ,
|
|
.Xr accept_filter 9
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
accept filter was introduced in
|
|
.Fx 15.0 .
|
|
.Sh AUTHORS
|
|
The
|
|
.Nm
|
|
filter was written by
|
|
.An Maksim Yevmenkin .
|