From: Willy Tarreau
Date: Tue, 2 Jun 2026 17:19:25 +0000 (+0200)
Subject: MINOR: haterm: enable ktls on the SSL bind line when supported
X-Git-Tag: v3.4.0~12
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=d17fb63ce7f9617c67bbb8e26fbe650cc3a42891;p=thirdparty%2Fhaproxy.git

MINOR: haterm: enable ktls on the SSL bind line when supported

When both USE_LINUX_SPLICE and USE_KTLS are enabled, it's worth enabling kTLS on the bind line as it significantly increases the local bit rate as well as through TLS accelerators (up to x2/x3). The -dT option remains available to disable it. It was verified to gracefully downgrade when not supported (e.g. OpenSSL 3.0.1 does this).
---
diff --git a/src/haterm_init.c b/src/haterm_init.c
index ad28ad81a..1dedb3bda 100644
--- a/src/haterm_init.c
+++ b/src/haterm_init.c
@@ -3,6 +3,7 @@
 #include
 #include
 #include
+#include
 #include
 static int haterm_debug;
@@ -259,6 +260,11 @@ void haproxy_init_args(int argc, char **argv)
 else if (*opt == 'd' && *(opt+1) == 'S') {
 global.tune.options &= ~GTUNE_USE_SPLICE;
 }
+# if defined(HA_USE_KTLS)
+ else if (*opt == 'd' && *(opt+1) == 'T') {
+ global.tune.options |= GTUNE_NO_KTLS;
+ }
+# endif
 #endif
 else if (*opt == 'd' && *(opt+1) == 'Z') {
 global.tune.no_zero_copy_fwd |= NO_ZERO_COPY_FWD;
@@ -411,10 +417,16 @@ void haproxy_init_args(int argc, char **argv)
 hbuf_appendf(&fbuf, "\tbind %s:%s shards by-thread ssl "
 "alpn h3,h2,http1.1,http1.0"
 " crt " HATERM_RSA_CERT_NAME
- " crt " HATERM_ECDSA_CERT_NAME "%s%s\n",
+ " crt " HATERM_ECDSA_CERT_NAME "%s%s%s\n",
 ip, port2,
 tcp_bind_opt ? " " : "",
- tcp_bind_opt ? tcp_bind_opt : "");
+ tcp_bind_opt ? tcp_bind_opt : "",
+# if defined(USE_LINUX_SPLICE) && defined(HA_USE_KTLS)
+ " ktls on"
+# else
+ "" /* no ktls */
+# endif
+ );
 # if defined(USE_QUIC)
 /* QUIC binding */
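Review bot: The `" ktls on"` suffix in the bind-line hunk is selected by the preprocessor alone, so the generated SSL bind line carries it even on a run where `-dT` has set `GTUNE_NO_KTLS`. Whether that global flag overrides an explicit per-bind `ktls on` is not visible in this diff, so an operator who passes `-dT` cannot tell from the generated configuration that kTLS is really off. Inside the `#if` branch the argument could follow the runtime flag instead, e.g. `(global.tune.options & GTUNE_NO_KTLS) ? "" : " ktls on"`, assuming the options have been parsed by the time this line is built; the later `tune.pipesize` hunk has the same compile-time-only gating. Separately, `#if` directives inside the argument list are undefined behaviour should `hbuf_appendf` ever be a function-like macro, so a small `#define` for the suffix placed above the call would be safer. The body of `haproxy_init_args` starts and ends outside the hunk.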
@@ -454,6 +466,10 @@ void haproxy_init_args(int argc, char **argv)
 hbuf_appendf(&gbuf, "\ttune.memory.hot-size 3145728\n");
 if (has_ssl)
 hbuf_appendf(&gbuf, "\texpose-experimental-directives\n");
+#if defined(USE_LINUX_SPLICE) && defined(HA_USE_KTLS)
+ if (has_ssl)
+ hbuf_appendf(&gbuf, "\ttune.pipesize 262144\n");
+#endif
 }
 /* "global" section */
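Review bot: Nothing in the added `tune.pipesize 262144` block says why the pipe size is raised, and the commit message does not mention pipes at all, so the next reader has to guess how the value relates to kTLS. A one-line comment above the added `if (has_ssl)` would settle it, for example `/* kTLS relies on splice(): use 256kB pipes to move more data per call */`, if that is indeed the intent. The enclosing block of `haproxy_init_args` starts outside the hunk.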