nginx-ipng-stats-plugin/debian/rules
Pim van Pelt 450391af6b Switch per-device attribution from SO_BINDTODEVICE to IP_PKTINFO
SO_BINDTODEVICE pins both ingress *and* egress to the bound
interface — the kernel uses the listening socket's device
binding when choosing the output interface for the SYN-ACK,
which is sent before accept() returns and therefore can't be
fixed up in userspace. That's fatal for maglev / DSR
deployments where the SYN arrives through a GRE tunnel but the
return path has to leave via the default route; the SYN-ACK
goes out the GRE and is dropped by the uplink, so every new
connection times out.

Rework the listen plumbing so the module never touches
SO_BINDTODEVICE. init_module now enables IP_PKTINFO and
IPV6_RECVPKTINFO on every HTTP listening socket and resolves
each configured `device=` name to an ifindex. At request time
resolve_source calls getsockopt(IP_PKTOPTIONS) on the accepted
fd to read the per-connection in(6)_pktinfo cmsg the kernel
stashed during the handshake, then matches (ifindex, family)
against the bindings table. The listening sockets remain plain
wildcards, so the return path follows the normal routing table
and DSR works.

The wrapper also no longer clones or rebinds sockets: it still
dedups per (cscf, sockaddr) so multiple device-tagged listens
in a single server block coexist, and dedups bindings on
(device, family) so the same device can carry different tags
for v4 and v6 (e.g. tag2-v4 / tag2-v6) but not pointlessly
duplicate when a listen include is shared across server blocks.

Drive-by fixes to unblock `make pkg-deb` after a prior
`make build-asan`:
- debian/rules overrides dh_clean to exclude build/, since
  nginx-asan's install creates nobody:0700 temp dirs dh_clean
  can't traverse.
- Makefile's build-asan removes those unused runtime temp dirs
  so the tree is clean afterwards.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 15:00:46 +02:00
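
The lookup the commit message describes, as an added example that is not the module's own code: read the pktinfo cmsg the kernel saved for an accepted TCP fd via getsockopt(IP_PKTOPTIONS), then match (ifindex, family) against a bindings table. It covers IPv4 only; `struct binding`, the function names and ifindex 7 are assumptions, and the control buffer in `demo_tag` is constructed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* glibc: exposes struct in_pktinfo */
#endif
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical bindings-table row: one tag per (ifindex, family). */
struct binding { int ifindex; int family; const char *tag; };

/* Scan a control buffer for an IPv4 pktinfo cmsg; return its ifindex or 0. */
int pktinfo_ifindex(void *buf, size_t len) {
    struct msghdr mh = { .msg_control = buf, .msg_controllen = len };
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&mh); c; c = CMSG_NXTHDR(&mh, c)) {
        if (c->cmsg_level != IPPROTO_IP || c->cmsg_type != IP_PKTINFO ||
            c->cmsg_len < CMSG_LEN(sizeof(struct in_pktinfo)))
            continue;               /* not a complete in_pktinfo, skip it */
        struct in_pktinfo pi;
        memcpy(&pi, CMSG_DATA(c), sizeof pi);
        return pi.ipi_ifindex;
    }
    return 0;
}

/* Ingress ifindex of an accepted TCP fd whose listener had IP_PKTINFO set. */
int accepted_ifindex(int fd) {
    union { struct cmsghdr align; unsigned char b[256]; } u;
    socklen_t len = sizeof u;
    if (getsockopt(fd, IPPROTO_IP, IP_PKTOPTIONS, &u, &len) < 0)
        return 0;                   /* no data: caller treats it as untagged */
    return pktinfo_ifindex(&u, len);
}

/* Match (ifindex, family); NULL means the connection carries no tag. */
const char *match_tag(const struct binding *t, size_t n, int ifindex, int family) {
    for (size_t i = 0; i < n; i++)
        if (t[i].ifindex == ifindex && t[i].family == family)
            return t[i].tag;
    return NULL;
}

/* Constructed input: a control buffer holding one IP_PKTINFO cmsg. */
const char *demo_tag(int ifindex) {
    static const struct binding table[] = { {7, AF_INET, "tag2-v4"}, {7, AF_INET6, "tag2-v6"} };
    struct in_pktinfo pi = { .ipi_ifindex = ifindex };
    union { struct cmsghdr h; unsigned char b[CMSG_SPACE(sizeof pi)]; } u = { .h = {
        .cmsg_len = CMSG_LEN(sizeof pi), .cmsg_level = IPPROTO_IP, .cmsg_type = IP_PKTINFO } };
    memcpy(CMSG_DATA(&u.h), &pi, sizeof pi);
    return match_tag(table, 2, pktinfo_ifindex(&u, sizeof u), AF_INET);
}
```

Because nothing here binds the listening socket to a device, the lookup only attributes traffic and leaves the return path to the routing table.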

47 lines
1.6 KiB
Makefile
Executable File

#!/usr/bin/make -f
# SPDX-License-Identifier: Apache-2.0
# debian/rules for nginx-ipng-stats-plugin
#
# The actual module build is driven by the top-level Makefile, which
# copies /usr/share/nginx/src (from nginx-dev) into a writable
# build/nginx-src/ and runs the out-of-tree --add-dynamic-module dance
# against it. debian/rules just delegates to `make build` and installs
# the resulting .so into the package tree.

export DH_VERBOSE = 1
export DEB_BUILD_MAINT_OPTIONS = hardening=+all

MODULE_NAME := ngx_http_ipng_stats_module
PKG := libnginx-mod-http-ipng-stats

%:
	dh $@

override_dh_auto_configure:
	# No-op: configure happens inside `make build`.

override_dh_auto_build:
	$(MAKE) build

override_dh_auto_install:
	install -D -m 0644 \
		$(CURDIR)/build/$(MODULE_NAME).so \
		$(CURDIR)/debian/$(PKG)/usr/lib/nginx/modules/$(MODULE_NAME).so
	install -D -m 0644 \
		$(CURDIR)/debian/mod-http-ipng-stats.conf \
		$(CURDIR)/debian/$(PKG)/etc/nginx/modules-available/50-mod-http-ipng-stats.conf

override_dh_auto_clean:
	# Intentionally a no-op: dh_auto_clean would call the top-level
	# Makefile's `clean` target, which wipes build/ wholesale — and
	# that includes build/nginx-asan/ from a prior `make build-asan`.
	# Users who want a fresh reset run `make clean` at the top level.

override_dh_clean:
	# `dh_clean` recurses from the package root to remove junk files
	# (editor backups, autom4te caches, etc.). `make build-asan`
	# produces build/nginx-asan/{fastcgi,proxy,scgi,uwsgi}_temp owned
	# by "nobody" with mode 0700, which the current user can't
	# traverse — so we exclude anything under build/ from dh_clean.
	dh_clean -X build/