- noevports
- nogetaddrinfo
- nokqueue
+ - noktls
- nopoll
- noreuseport
- nosplice
equivalent to the command-line argument "-dk". The next polling system
used will generally be "poll". See also "nopoll".
+noktls
+ Disables the use of ktls. It is equivalent to the command line argument
+ "-dT".
+
nopoll
Disables the use of the "poll" event polling system. It is equivalent to the
command-line argument "-dp". The next polling system used will be "select".
using strace to see the forwarded data (which do not appear when using
splice()).
+ -dT : disable the use of ktls. It is equivalent to the "global" section's
+ keyword "noktls". It is mostly useful when suspecting a bug related to
+ ktls.
+
-dV : disable SSL verify on the server side. It is equivalent to having
"ssl-server-verify none" in the "global" section. This is useful when
trying to reproduce production issues out of the production
#define GTUNE_LISTENER_MQ_FAIR (1<<27)
#define GTUNE_LISTENER_MQ_OPT (1<<28)
#define GTUNE_LISTENER_MQ_ANY (GTUNE_LISTENER_MQ_FAIR | GTUNE_LISTENER_MQ_OPT)
+#define GTUNE_NO_KTLS (1<<29)
/* subsystem-specific debugging options for tune.debug */
#define GDBG_CPU_AFFINITY (1U<< 0)
return 0;
}
+static int cfg_parse_global_disable_ktls(char **args, int section_type,
+ struct proxy *curpx, const struct proxy *defpx,
+ const char *file, int line, char **err)
+{
+ if (!(global.mode & MODE_DISCOVERY))
+ return 0;
+
+ if (too_many_args(0, args, err, NULL))
+ return -1;
+
+ global.tune.options |= GTUNE_NO_KTLS;
+
+ return 0;
+}
+
/* Disable certain poller if set */
static int cfg_parse_global_disable_poller(char **args, int section_type,
struct proxy *curpx, const struct proxy *defpx,
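Review bot: cfg_parse_global_disable_ktls is compiled and registered unconditionally (see the `"noktls"` entry added to the keyword table further down), whereas the command-line counterpart `-dT` in haproxy.c is wrapped in `#ifdef HA_USE_KTLS`; on a build without kTLS the keyword is silently accepted and does nothing. Either guard the parser and its table entry the same way, or keep it unconditional and report through `err` when HA_USE_KTLS is not defined so the operator learns the knob has no effect. The neighbouring parser carries a one-line header comment and the new one should too, e.g. `/* Disable kTLS globally ("noktls", same effect as -dT) */`. The early `return 0` when not in MODE_DISCOVERY also deserves a short comment saying the keyword is only meaningful during the discovery pass, since it skips the argument check entirely.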
{ CFG_GLOBAL, "noepoll", cfg_parse_global_disable_poller, KWF_DISCOVERY },
{ CFG_GLOBAL, "noevports", cfg_parse_global_disable_poller, KWF_DISCOVERY },
{ CFG_GLOBAL, "nokqueue", cfg_parse_global_disable_poller, KWF_DISCOVERY },
+ { CFG_GLOBAL, "noktls", cfg_parse_global_disable_ktls, KWF_DISCOVERY },
{ CFG_GLOBAL, "nopoll", cfg_parse_global_disable_poller, KWF_DISCOVERY },
{ CFG_GLOBAL, "pidfile", cfg_parse_global_pidfile, KWF_DISCOVERY },
{ CFG_GLOBAL, "prealloc-fd", cfg_parse_prealloc_fd },
" -dF disable fast-forward\n"
" -dI enable insecure fork\n"
" -dZ disable zero-copy forwarding\n"
+#if defined(HA_USE_KTLS)
+ " -dT disable kTLS\n"
+#endif
" -sf/-st [pid ]* finishes/terminates old pids.\n"
" -x <unix_socket> get listening sockets from a unix socket\n"
" -S <bind>[,<bind options>...] new master CLI\n"
trace_parse_cmd(NULL, NULL);
}
}
+#ifdef HA_USE_KTLS
+ else if (*flag == 'd' && flag[1] == 'T') {
+ global.tune.options |= GTUNE_NO_KTLS;
+ }
+#endif
else if (*flag == 'd')
arg_mode |= MODE_DEBUG;
else if (*flag == 'c' && flag[1] == 'c') {
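Review bot: When HA_USE_KTLS is not defined the new branch disappears and `-dT` falls through to the generic `else if (*flag == 'd')` just below it, which silently turns the option into plain `-d` (MODE_DEBUG) instead of rejecting it, assuming no earlier branch in this chain catches unknown `-d` letters. An `#else` branch matching `'d'`/`'T'` that emits a warning such as `"-dT ignored: kTLS support not compiled in"` (or exits via usage) would make the mismatch visible, since the usage text also hides `-dT` in that build. The guard here uses `#ifdef HA_USE_KTLS` while the usage hunk uses `#if defined(HA_USE_KTLS)`; one form should be used in both places. The enclosing option-parsing loop starts and ends outside the hunk.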
HA_RWLOCK_RDUNLOCK(SSL_SERVER_LOCK, &srv->ssl_ctx.lock);
#ifdef HA_USE_KTLS
- if (srv->ssl_ctx.options & SRV_SSL_O_KTLS) {
+ if ((srv->ssl_ctx.options & SRV_SSL_O_KTLS) && !(global.tune.options & GTUNE_NO_KTLS)) {
#ifdef HAVE_VANILLA_OPENSSL
SSL_set_options(ctx->ssl, SSL_OP_ENABLE_KTLS);
#endif
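Review bot: The `!(global.tune.options & GTUNE_NO_KTLS)` test is duplicated verbatim here and in the bind-side condition (`bc->ssl_conf.ktls && ...`) in the next hunk, and it is re-evaluated on every SSL context setup although the option is fixed at startup. A one-line helper, `static inline int ktls_globally_disabled(void) { return !!(global.tune.options & GTUNE_NO_KTLS); }`, would keep both conditions short and give the rule a single definition; alternatively the flag could be folded into SRV_SSL_O_KTLS / ssl_conf.ktls once during config post-processing, leaving these call sites untouched. A brief comment above the condition noting that the global `noktls`/`-dT` switch overrides the per-server setting would help the next reader. The enclosing function starts outside the hunk.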
#endif
#ifdef HA_USE_KTLS
- if (bc->ssl_conf.ktls) {
+ if (bc->ssl_conf.ktls && !(global.tune.options & GTUNE_NO_KTLS)) {
#ifdef HAVE_VANILLA_OPENSSL
SSL_set_options(ctx->ssl, SSL_OP_ENABLE_KTLS);
#endif