#include <ngx_event_quic_connection.h>
+#define NGX_QUIC_PATH_MTU_DELAY 100
+#define NGX_QUIC_PATH_MTU_PRECISION 16
+
+
static void ngx_quic_set_connection_path(ngx_connection_t *c,
ngx_quic_path_t *path);
static ngx_int_t ngx_quic_validate_path(ngx_connection_t *c,
static ngx_int_t ngx_quic_send_path_challenge(ngx_connection_t *c,
ngx_quic_path_t *path);
static void ngx_quic_set_path_timer(ngx_connection_t *c);
+static ngx_int_t ngx_quic_expire_path_validation(ngx_connection_t *c,
+ ngx_quic_path_t *path);
+static ngx_int_t ngx_quic_expire_path_mtu_delay(ngx_connection_t *c,
+ ngx_quic_path_t *path);
+static ngx_int_t ngx_quic_expire_path_mtu_discovery(ngx_connection_t *c,
+ ngx_quic_path_t *path);
static ngx_quic_path_t *ngx_quic_get_path(ngx_connection_t *c, ngx_uint_t tag);
+static ngx_int_t ngx_quic_send_path_mtu_probe(ngx_connection_t *c,
+ ngx_quic_path_t *path);
ngx_int_t
{
path = ngx_queue_data(q, ngx_quic_path_t, queue);
- if (!path->validating) {
+ if (path->state != NGX_QUIC_PATH_VALIDATING) {
continue;
}
{
/* address did not change */
rst = 0;
+
+ path->mtu = prev->mtu;
+ path->max_mtu = prev->max_mtu;
}
}
ngx_quic_path_dbg(c, "is validated", path);
path->validated = 1;
- path->validating = 0;
- ngx_quic_set_path_timer(c);
+ ngx_quic_discover_path_mtu(c, path);
return NGX_OK;
}
path->addr_text.len = ngx_sock_ntop(sockaddr, socklen, path->text,
NGX_SOCKADDR_STRLEN, 1);
+ path->mtu = NGX_QUIC_MIN_INITIAL_SIZE;
+
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic path seq:%uL created addr:%V",
path->seqnum, &path->addr_text);
ngx_quic_set_connection_path(c, next);
- if (!next->validated && !next->validating) {
+ if (!next->validated && next->state != NGX_QUIC_PATH_VALIDATING) {
if (ngx_quic_validate_path(c, next) != NGX_OK) {
return NGX_ERROR;
}
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic initiated validation of path seq:%uL", path->seqnum);
- path->validating = 1;
path->tries = 0;
if (RAND_bytes(path->challenge1, 8) != 1) {
pto = ngx_max(ngx_quic_pto(c, ctx), 1000);
path->expires = ngx_current_msec + pto;
+ path->state = NGX_QUIC_PATH_VALIDATING;
ngx_quic_set_path_timer(c);
}
+void
+ngx_quic_discover_path_mtu(ngx_connection_t *c, ngx_quic_path_t *path)
+{
+ ngx_quic_connection_t *qc;
+
+ qc = ngx_quic_get_connection(c);
+
+ if (path->max_mtu) {
+ if (path->max_mtu - path->mtu <= NGX_QUIC_PATH_MTU_PRECISION) {
+ path->state = NGX_QUIC_PATH_IDLE;
+ ngx_quic_set_path_timer(c);
+ return;
+ }
+
+ path->mtud = (path->mtu + path->max_mtu) / 2;
+
+ } else {
+ path->mtud = path->mtu * 2;
+
+ if (path->mtud >= qc->ctp.max_udp_payload_size) {
+ path->mtud = qc->ctp.max_udp_payload_size;
+ path->max_mtu = qc->ctp.max_udp_payload_size;
+ }
+ }
+
+ path->state = NGX_QUIC_PATH_WAITING;
+ path->expires = ngx_current_msec + NGX_QUIC_PATH_MTU_DELAY;
+
+ ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "quic path seq:%uL schedule mtu:%uz",
+ path->seqnum, path->mtud);
+
+ ngx_quic_set_path_timer(c);
+}
+
+
static void
ngx_quic_set_path_timer(ngx_connection_t *c)
{
{
path = ngx_queue_data(q, ngx_quic_path_t, queue);
- if (!path->validating) {
+ if (path->state == NGX_QUIC_PATH_IDLE) {
continue;
}
void
-ngx_quic_path_validation_handler(ngx_event_t *ev)
+ngx_quic_path_handler(ngx_event_t *ev)
{
ngx_msec_t now;
ngx_queue_t *q;
- ngx_msec_int_t left, next, pto;
- ngx_quic_path_t *path, *bkp;
+ ngx_msec_int_t left;
+ ngx_quic_path_t *path;
ngx_connection_t *c;
- ngx_quic_send_ctx_t *ctx;
ngx_quic_connection_t *qc;
c = ev->data;
qc = ngx_quic_get_connection(c);
- ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
-
- next = -1;
now = ngx_current_msec;
q = ngx_queue_head(&qc->paths);
path = ngx_queue_data(q, ngx_quic_path_t, queue);
q = ngx_queue_next(q);
- if (!path->validating) {
+ if (path->state == NGX_QUIC_PATH_IDLE) {
continue;
}
left = path->expires - now;
if (left > 0) {
+ continue;
+ }
- if (next == -1 || left < next) {
- next = left;
+ switch (path->state) {
+ case NGX_QUIC_PATH_VALIDATING:
+ if (ngx_quic_expire_path_validation(c, path) != NGX_OK) {
+ goto failed;
}
- continue;
- }
+ break;
- if (++path->tries < NGX_QUIC_PATH_RETRIES) {
- pto = ngx_max(ngx_quic_pto(c, ctx), 1000) << path->tries;
+ case NGX_QUIC_PATH_WAITING:
+ if (ngx_quic_expire_path_mtu_delay(c, path) != NGX_OK) {
+ goto failed;
+ }
- path->expires = ngx_current_msec + pto;
+ break;
- if (next == -1 || pto < next) {
- next = pto;
+ case NGX_QUIC_PATH_MTUD:
+ if (ngx_quic_expire_path_mtu_discovery(c, path) != NGX_OK) {
+ goto failed;
}
- /* retransmit */
- (void) ngx_quic_send_path_challenge(c, path);
+ break;
- continue;
+ default:
+ break;
}
+ }
- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ev->log, 0,
- "quic path seq:%uL validation failed", path->seqnum);
+ ngx_quic_set_path_timer(c);
- /* found expired path */
+ return;
- path->validated = 0;
- path->validating = 0;
+failed:
+ ngx_quic_close_connection(c, NGX_ERROR);
+}
- /* RFC 9000, 9.3.2. On-Path Address Spoofing
- *
- * To protect the connection from failing due to such a spurious
- * migration, an endpoint MUST revert to using the last validated
- * peer address when validation of a new peer address fails.
- */
- if (qc->path == path) {
- /* active path validation failed */
+static ngx_int_t
+ngx_quic_expire_path_validation(ngx_connection_t *c, ngx_quic_path_t *path)
+{
+ ngx_msec_int_t pto;
+ ngx_quic_path_t *bkp;
+ ngx_quic_send_ctx_t *ctx;
+ ngx_quic_connection_t *qc;
- bkp = ngx_quic_get_path(c, NGX_QUIC_PATH_BACKUP);
+ qc = ngx_quic_get_connection(c);
+ ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
- if (bkp == NULL) {
- qc->error = NGX_QUIC_ERR_NO_VIABLE_PATH;
- qc->error_reason = "no viable path";
- ngx_quic_close_connection(c, NGX_ERROR);
- return;
- }
+ if (++path->tries < NGX_QUIC_PATH_RETRIES) {
+ pto = ngx_max(ngx_quic_pto(c, ctx), 1000) << path->tries;
+ path->expires = ngx_current_msec + pto;
+
+ (void) ngx_quic_send_path_challenge(c, path);
+
+ return NGX_OK;
+ }
- qc->path = bkp;
- qc->path->tag = NGX_QUIC_PATH_ACTIVE;
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "quic path seq:%uL validation failed", path->seqnum);
- ngx_quic_set_connection_path(c, qc->path);
+ /* found expired path */
+
+ path->validated = 0;
+
+
+ /* RFC 9000, 9.3.2. On-Path Address Spoofing
+ *
+ * To protect the connection from failing due to such a spurious
+ * migration, an endpoint MUST revert to using the last validated
+ * peer address when validation of a new peer address fails.
+ */
- ngx_log_error(NGX_LOG_INFO, c->log, 0,
- "quic path seq:%uL addr:%V is restored from backup",
- qc->path->seqnum, &qc->path->addr_text);
+ if (qc->path == path) {
+ /* active path validation failed */
- ngx_quic_path_dbg(c, "is active", qc->path);
+ bkp = ngx_quic_get_path(c, NGX_QUIC_PATH_BACKUP);
+
+ if (bkp == NULL) {
+ qc->error = NGX_QUIC_ERR_NO_VIABLE_PATH;
+ qc->error_reason = "no viable path";
+ return NGX_ERROR;
}
- if (ngx_quic_free_path(c, path) != NGX_OK) {
- ngx_quic_close_connection(c, NGX_ERROR);
- return;
+ qc->path = bkp;
+ qc->path->tag = NGX_QUIC_PATH_ACTIVE;
+
+ ngx_quic_set_connection_path(c, qc->path);
+
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "quic path seq:%uL addr:%V is restored from backup",
+ qc->path->seqnum, &qc->path->addr_text);
+
+ ngx_quic_path_dbg(c, "is active", qc->path);
+ }
+
+ return ngx_quic_free_path(c, path);
+}
+
+
+static ngx_int_t
+ngx_quic_expire_path_mtu_delay(ngx_connection_t *c, ngx_quic_path_t *path)
+{
+ ngx_int_t rc;
+ ngx_uint_t i;
+ ngx_msec_t pto;
+ ngx_quic_send_ctx_t *ctx;
+ ngx_quic_connection_t *qc;
+
+ qc = ngx_quic_get_connection(c);
+ ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
+
+ path->tries = 0;
+
+ for ( ;; ) {
+
+ for (i = 0; i < NGX_QUIC_PATH_RETRIES; i++) {
+ path->mtu_pnum[i] = NGX_QUIC_UNSET_PN;
+ }
+
+ rc = ngx_quic_send_path_mtu_probe(c, path);
+
+ if (rc == NGX_ERROR) {
+ return NGX_ERROR;
+ }
+
+ if (rc == NGX_OK) {
+ pto = ngx_quic_pto(c, ctx);
+ path->expires = ngx_current_msec + pto;
+ path->state = NGX_QUIC_PATH_MTUD;
+ return NGX_OK;
+ }
+
+ /* rc == NGX_DECLINED */
+
+ path->max_mtu = path->mtud;
+
+ if (path->max_mtu - path->mtu <= NGX_QUIC_PATH_MTU_PRECISION) {
+ path->state = NGX_QUIC_PATH_IDLE;
+ return NGX_OK;
}
+
+ path->mtud = (path->mtu + path->max_mtu) / 2;
}
+}
- if (next != -1) {
- ngx_add_timer(&qc->path_validation, next);
+
+static ngx_int_t
+ngx_quic_expire_path_mtu_discovery(ngx_connection_t *c, ngx_quic_path_t *path)
+{
+ ngx_int_t rc;
+ ngx_msec_int_t pto;
+ ngx_quic_send_ctx_t *ctx;
+ ngx_quic_connection_t *qc;
+
+ qc = ngx_quic_get_connection(c);
+ ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
+
+ if (++path->tries < NGX_QUIC_PATH_RETRIES) {
+ rc = ngx_quic_send_path_mtu_probe(c, path);
+
+ if (rc == NGX_ERROR) {
+ return NGX_ERROR;
+ }
+
+ if (rc == NGX_OK) {
+ pto = ngx_quic_pto(c, ctx) << path->tries;
+ path->expires = ngx_current_msec + pto;
+ return NGX_OK;
+ }
+
+ /* rc == NGX_DECLINED */
}
+
+ ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "quic path seq:%uL expired mtu:%uz",
+ path->seqnum, path->mtud);
+
+ path->max_mtu = path->mtud;
+
+ ngx_quic_discover_path_mtu(c, path);
+
+ return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_send_path_mtu_probe(ngx_connection_t *c, ngx_quic_path_t *path)
+{
+ ngx_int_t rc;
+ ngx_uint_t log_error;
+ ngx_quic_frame_t frame;
+ ngx_quic_send_ctx_t *ctx;
+ ngx_quic_connection_t *qc;
+
+ ngx_memzero(&frame, sizeof(ngx_quic_frame_t));
+
+ frame.level = ssl_encryption_application;
+ frame.type = NGX_QUIC_FT_PING;
+
+ qc = ngx_quic_get_connection(c);
+ ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
+ path->mtu_pnum[path->tries] = ctx->pnum;
+
+ ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "quic path seq:%uL send probe "
+ "mtu:%uz pnum:%uL tries:%ui",
+ path->seqnum, path->mtud, ctx->pnum, path->tries);
+
+ log_error = c->log_error;
+ c->log_error = NGX_ERROR_IGNORE_EMSGSIZE;
+
+ rc = ngx_quic_frame_sendto(c, &frame, path->mtud, path);
+ c->log_error = log_error;
+
+ if (rc == NGX_ERROR) {
+ if (c->write->error) {
+ c->write->error = 0;
+
+ ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "quic path seq:%uL rejected mtu:%uz",
+ path->seqnum, path->mtud);
+
+ return NGX_DECLINED;
+ }
+
+ return NGX_ERROR;
+ }
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_handle_path_mtu(ngx_connection_t *c, ngx_quic_path_t *path,
+ uint64_t min, uint64_t max)
+{
+ uint64_t pnum;
+ ngx_uint_t i;
+
+ if (path->state != NGX_QUIC_PATH_MTUD) {
+ return NGX_OK;
+ }
+
+ for (i = 0; i < NGX_QUIC_PATH_RETRIES; i++) {
+ pnum = path->mtu_pnum[i];
+
+ if (pnum == NGX_QUIC_UNSET_PN) {
+ break;
+ }
+
+ if (pnum < min || pnum > max) {
+ continue;
+ }
+
+ path->mtu = path->mtud;
+
+ ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "quic path seq:%uL ack mtu:%uz",
+ path->seqnum, path->mtu);
+
+ ngx_quic_discover_path_mtu(c, path);
+
+ break;
+ }
+
+ return NGX_OK;
}
projects / nginx.git / commitdiff