Hi Willy, I tried to enable tfo on the bind line today, however, it failed even on recent kernels for me.
At first it was failing with: [ALERT] 042/223418 (1141) : parsing [haproxy.cfg:14] : 'bind *:1234' unknown keyword 'tfo'. Registered keywords : Since this pointed to a trivial parser issue, I checked the code and believe to have fixed that particular issue by adding a missing tfo related line in src/proto_tcp.c (NULL parse function): (yes, this patch is mangled too, but it didn't fix all the issues anyway) diff --git a/src/proto_tcp.c b/src/proto_tcp.c index 60b111c..3d3c678 100644 --- a/src/proto_tcp.c +++ b/src/proto_tcp.c @@ -1910,6 +1910,7 @@ static struct bind_kw_list bind_kws = { "TCP", { }, { { "defer-accept", NULL, 0 }, { "interface", NULL, 1 }, { "mss", NULL, 1 }, + { "tfo", NULL, 0 }, { "transparent", NULL, 0 }, { "v4v6", NULL, 0 }, { "v6only", NULL, 0 }, The patch did fix the error message above, but after that, tfo still doesn't work and haproxy fails with "'tfo' option is not implemented in this version (check build options)". I don't see any obvious errors with my config (kernel is 3.8-rc7 and /proc/sys/net/ipv4/tcp_fastopen is set to 2, haproxy is latest snapshot). Exact error message, build options, and strace (after applying the patch above): lukas@ubuntuvm:~/haproxy-ss-20130125$ sudo ./haproxy -f haproxy.cfg -c [ALERT] 043/000311 (2004) : parsing [haproxy.cfg:14] : 'bind :1234' : 'tfo' option is not implemented in this version (check build options). [ALERT] 043/000311 (2004) : Error(s) found in configuration file : haproxy.cfg [ALERT] 043/000311 (2004) : Fatal errors found in configuration. lukas@ubuntuvm:~/haproxy-ss-20130125$ sudo ./haproxy -vv HA-Proxy version 1.5-ss-20130125 2013/01/25 Copyright 2000-2012 Willy Tarreau <w...@1wt.eu> Build options : TARGET = linux2628 CPU = native CC = gcc CFLAGS = -O2 -march=native -g -fno-strict-aliasing OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200 Encrypted password support via crypt(3): yes Built with zlib version : 1.2.3.4 Compression algorithms supported : identity, deflate, gzip Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports prefer-server-ciphers : yes Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. lukas@ubuntuvm:~/haproxy-ss-20130125$ cat /proc/sys/net/ipv4/tcp_fastopen 2 lukas@ubuntuvm:~/haproxy-ss-20130125$ cat /proc/version Linux version 3.8.0-030800rc7-generic (root@gomeisa) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #201302081635 SMP Fri Feb 8 21:36:17 UTC 2013 lukas@ubuntuvm:~/haproxy-ss-20130125$ root@ubuntuvm:/home/lukas/haproxy-ss-20130125# strace ./haproxy -f haproxy.cfg -c execve("./haproxy", ["./haproxy", "-f", "haproxy.cfg", "-c"], [/* 16 vars */]) = 0 brk(0) = 0x20ad000 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6edcde9000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=22502, ...}) = 0 mmap(NULL, 22502, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6edcde3000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\n\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=43288, ...}) = 0 mmap(NULL, 2327040, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6edc990000 mprotect(0x7f6edc999000, 2097152, PROT_NONE) = 0 mmap(0x7f6edcb99000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7f6edcb99000 mmap(0x7f6edcb9b000, 184832, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6edcb9b000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P \0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=92720, ...}) = 0 mmap(NULL, 2187824, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6edc779000 mprotect(0x7f6edc78f000, 2093056, PROT_NONE) = 0 mmap(0x7f6edc98e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7f6edc98e000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libssl.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220)\1\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=374608, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6edcde2000 mmap(NULL, 2469936, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6edc51d000 mprotect(0x7f6edc56f000, 2097152, PROT_NONE) = 0 mmap(0x7f6edc76f000, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x52000) = 0x7f6edc76f000 mmap(0x7f6edc778000, 48, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6edc778000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\367\5\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=1852792, ...}) = 0 mmap(NULL, 3963320, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6edc155000 mprotect(0x7f6edc2f4000, 2093056, PROT_NONE) = 0 mmap(0x7f6edc4f3000, 155648, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19e000) = 0x7f6edc4f3000 mmap(0x7f6edc519000, 14776, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6edc519000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/x86_64-linux-gnu/libpcreposix.so.3", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\t\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=10264, ...}) = 0 mmap(NULL, 2105440, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6edbf52000 mprotect(0x7f6edbf54000, 2093056, PROT_NONE) = 0 mmap(0x7f6edc153000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f6edc153000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\30\2\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1811128, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6edcde1000 mmap(NULL, 3925208, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6edbb93000 mprotect(0x7f6edbd48000, 2093056, PROT_NONE) = 0 mmap(0x7f6edbf47000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b4000) = 0x7f6edbf47000 mmap(0x7f6edbf4d000, 17624, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6edbf4d000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=14768, ...}) = 0 mmap(NULL, 2109704, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6edb98f000 mprotect(0x7f6edb991000, 2097152, PROT_NONE) = 0 mmap(0x7f6edbb91000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f6edbb91000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libpcre.so.3", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\25\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=247896, ...}) = 0 mmap(NULL, 2343080, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6edb752000 mprotect(0x7f6edb78e000, 2093056, PROT_NONE) = 0 mmap(0x7f6edb98d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3b000) = 0x7f6edb98d000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6edcde0000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6edcddf000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6edcdde000 arch_prctl(ARCH_SET_FS, 0x7f6edcddf700) = 0 mprotect(0x7f6edbf47000, 16384, PROT_READ) = 0 mprotect(0x7f6edb98d000, 4096, PROT_READ) = 0 mprotect(0x7f6edbb91000, 4096, PROT_READ) = 0 mprotect(0x7f6edc153000, 4096, PROT_READ) = 0 mprotect(0x7f6edc98e000, 4096, PROT_READ) = 0 mprotect(0x7f6edc4f3000, 110592, PROT_READ) = 0 mprotect(0x7f6edc76f000, 12288, PROT_READ) = 0 mprotect(0x7f6edcb99000, 4096, PROT_READ) = 0 mprotect(0x689000, 4096, PROT_READ) = 0 mprotect(0x7f6edcdeb000, 4096, PROT_READ) = 0 munmap(0x7f6edcde3000, 22502) = 0 brk(0) = 0x20ad000 brk(0x20ce000) = 0x20ce000 uname({sys="Linux", node="ubuntuvm", ...}) = 0 open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=2652, ...}) = 0 fstat(3, {st_mode=S_IFREG|0644, st_size=2652, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6edcde8000 read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"..., 4096) = 2652 lseek(3, -1701, SEEK_CUR) = 951 read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\10\0\0\0\0"..., 4096) = 1701 close(3) = 0 munmap(0x7f6edcde8000, 4096) = 0 getpid() = 2125 open("haproxy.cfg", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0664, st_size=621, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6edcde8000 read(3, "global\n maxconn 70000\n "..., 4096) = 621 write(2, "[ALERT] 043/001428 (2125) : ", 28[ALERT] 043/001428 (2125) : ) = 28 write(2, "parsing [haproxy.cfg:14] : 'bind"..., 113parsing [haproxy.cfg:14] : 'bind :1234' : 'tfo' option is not implemented in this version (check build options). ) = 113 brk(0x20ef000) = 0x20ef000 read(3, "", 4096) = 0 close(3) = 0 munmap(0x7f6edcde8000, 4096) = 0 write(2, "[ALERT] 043/001428 (2125) : ", 28[ALERT] 043/001428 (2125) : ) = 28 write(2, "Error(s) found in configuration "..., 51Error(s) found in configuration file : haproxy.cfg ) = 51 write(2, "[ALERT] 043/001428 (2125) : ", 28[ALERT] 043/001428 (2125) : ) = 28 write(2, "Fatal errors found in configurat"..., 37Fatal errors found in configuration. ) = 37 exit_group(1) = ? root@ubuntuvm:/home/lukas/haproxy-ss-20130125# I'm not sure whats missing here ... any help would be appreciated. btw: 2 minor cosmetic issues about the tfo commit : - support for server side TFO was actually introduced in linux-3.7, linux-3.6 just has TFO client support: doc/configuration.txt and a code comment in include/types/listener.h will need to be updated - a small copy&paste issue in src/proto_tcp.c: the code comment above "static int bind_parse_tfo" actually indicates the defer-accept keyword, not the tfo keyword. If you want I can send patches, but I will have to fix the mailer first. Lukas