Hi Sander,
Patch applied, thank you Lukas!
I will test the patch. Stupid question, but is it really supported
from 3.3 and higher? A quick test with dev22 yesterday seemed to be
working but I didn't put any traffic through it. It was late so I
didn't give it enough attention ;-)
Just tested it with plain dev22 and 3.2 and IPv6 seems to work nicely.
What does the patch do? Because I don't quite understand.
Sorry for the confusion. In your case, as long as you start haproxy
initially as root, you don't need this patch and you don't need linux 3.3.
All you need is start haproxy as root, it will set IPV6_TRANSPARENT on the
socket and it will work in all kernels starting with 2.6.37.
The problem with the behavior before this patch was that IPV6_TRANSPARENT
requires superuser privileges (or more specifically the CAP_NET_ADMIN
capability).
There are 2 use cases where we may not have this capability:
- when HAProxy is not started as root initially (and listens only to ports
1024) - I suspect this is not very common
- when HAProxy drops root privileges after the initial setup, and the
socket option is needed on backend connections (which are not setup at
HAproxy start of course, but when the connection is actually needed, but
at that point we don't have the capabilities anymore)
IP_FREEBIND doesn't need special privileges, so this fixes those 2 cases.
In your case however you don't need IP_FREEBIND, because:
- you only need the socket options on frontend connections (specified on the
bind line) - which are setup before dropping to a normal user
- you start haproxy with root privileges (most likely you bind to port 80
or 443, so you need to start privileged anyway)
So the patch is not necessary for you. IP_FREEBIND on IPv6 sockets requires
Linux 3.3, but IPV6_TRANSPARENT only requires 2.6.37.
Regards,
Lukas
