Re: haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)

2015-09-07 Thread Baptiste
On Mon, Sep 7, 2015 at 10:07 AM, Dmitry Sivachenko  wrote:
>
>> On 7 Sep 2015, at 9:36, Lukas Tribus  wrote:
>>
>>
>>
>> Best would be to strace this, but this is Freebsd amd64,
>> so that doesn't work. Can you trace the syscalls with
>> the strace equivalent at least?
>
>
> It fails that way:
>
> socket(PF_INET,SOCK_DGRAM,17)= 4 (0x4)
> connect(4,{ AF_INET 8.8.8.8:53 },128)ERR#22 'Invalid argument'
>
> 3rd argument for connect() looks wrong for ipv4:
>
> ERRORS
>  The connect() system call fails if:
>
>  [EINVAL]   The namelen argument is not a valid length for the
> address family.
>
>

Ok, excellent.
I wonder how this could happen :)

Let me check tonight and come back to you.

Baptiste



Re: haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)

2015-09-07 Thread Dmitry Sivachenko

> On 7 Sep 2015, at 9:36, Lukas Tribus  wrote:
> 
> 
> 
> Best would be to strace this, but this is Freebsd amd64,
> so that doesn't work. Can you trace the syscalls with
> the strace equivalent at least?


It fails that way:

socket(PF_INET,SOCK_DGRAM,17)= 4 (0x4)
connect(4,{ AF_INET 8.8.8.8:53 },128)ERR#22 'Invalid argument'

3rd argument for connect() looks wrong for ipv4:

ERRORS
 The connect() system call fails if:

 [EINVAL]   The namelen argument is not a valid length for the
address family.




Re: haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)

2015-09-07 Thread Dmitry Sivachenko

> On 7 Sep 2015, at 1:46, PiBa-NL  wrote:
> 
> Hi guys,
> 
> Hoping someone can shed some light on what i might be doing wrong?
> Or is there something in FreeBSD that might be causing the trouble with the 
> new resolvers options?
> 
> Thanks in advance.
> PiBa-NL
> 
> haproxy -f /var/haproxy.cfg -d
> [ALERT] 248/222758 (22942) : SSLv3 support requested but unavailable.
> Note: setting global.maxconn to 2000.
> Available polling systems :
> kqueue : pref=300,  test result OK
>   poll : pref=200,  test result OK
> select : pref=150,  test result FAILED


Also interesting is why you have test for select=FAILED, though in your haproxy 
-vv output below this test result is OK.


> Total: 3 (2 usable), will use kqueue.
> Using kqueue() as the polling mechanism.
> [ALERT] 248/222808 (22942) : Starting [globalresolvers/googleA] nameserver: 
> can't connect socket.
> 
> 
> defaults
>     mode http
>     timeout connect 3
>     timeout server 3
>     timeout client 3
> 
> resolvers globalresolvers
>     nameserver googleA 8.8.8.8:53
>     resolve_retries   3
>     timeout retry 1s
>     hold valid   10s
> 
> listen www
>     bind 0.0.0.0:80
>     log global
>     server googlesite www.google.com:80 check inter 1000 resolvers globalresolvers
> 
> 
> # uname -a
> FreeBSD OPNsense.localdomain 10.1-RELEASE-p18 FreeBSD 10.1-RELEASE-p18 #0 
> 71275cd(stable/15.7): Sun Aug 23 20:32:26 CEST 2015 
> root@sensey64:/usr/obj/usr/src/sys/SMP  amd64
> 
> # haproxy -vv
> [ALERT] 248/221747 (72984) : SSLv3 support requested but unavailable.
> HA-Proxy version 1.6-dev4-b7ce424 2015/09/03
> Copyright 2000-2015 Willy Tarreau 
> 
> Build options :
>  TARGET  = freebsd
>  CPU = generic
>  CC  = cc
>  CFLAGS  = -O2 -pipe -fstack-protector -fno-strict-aliasing -DFREEBSD_PORTS
>  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 
> USE_STATIC_PCRE=1 USE_PCRE_JIT=1
> 
> Default settings :
>  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
> 
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.8
> Compression algorithms supported : identity("identity"), deflate("deflate"), 
> raw-deflate("deflate"), gzip("gzip")
> Built with OpenSSL version : OpenSSL 1.0.2d 9 Jul 2015
> Running on OpenSSL version : OpenSSL 1.0.2d 9 Jul 2015
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.37 2015-04-28
> PCRE library supports JIT : yes
> Built with Lua version : Lua 5.3.0
> Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
> 
> Available polling systems :
> kqueue : pref=300,  test result OK
>   poll : pref=200,  test result OK
> select : pref=150,  test result OK
> Total: 3 (3 usable), will use kqueue.
> 
> 




Re: Re: haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)

2015-09-07 Thread Remi Gacogne
Hi,

On 09/07/2015 10:47 AM, Baptiste wrote:
>> It fails that way:
>>
>> socket(PF_INET,SOCK_DGRAM,17)= (0x4)
>> connect(4,{ AF_INET 8.8.8.8:53 },128)ERR#22 'Invalid argument'
>>
>> 3rd argument for connect() looks wrong for ipv4:
>>
>> ERRORS
>>  The connect() system call fails if:
>>
>>  [EINVAL]   The namelen argument is not a valid length for the
>> address family.
>>
>>
> 
> Ok, excellent.
> I wonder how this could happen :)

It looks like this code is passing the size of a struct
sockaddr_storage to connect(), instead of the size corresponding to the
underlying socket family. Some OSes are forgiving, others not so much :)

diff --git a/src/dns.c b/src/dns.c
index 4bc5448..f725ff4 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -819,7 +819,7 @@ int dns_init_resolvers(void)
}

/* "connect" the UDP socket to the name server IP */
-   if (connect(fd, (struct
sockaddr*)>addr, sizeof(curnameserver->addr)) == -1) {
+   if (connect(fd, (struct
sockaddr*)>addr, get_addr_len(>addr)) == -1) {
Alert("Starting [%s/%s] nameserver:
can't connect socket.\n", curr_resolvers->id,
curnameserver->id);
close(fd);
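
Review bot: on the added connect() line the length now comes entirely from get_addr_len(), and the hunk does not show what that helper yields for an address family it does not recognize. If it can return zero, connect() will fail again with the same generic alert. Suggest checking the returned length before the call and reporting an unsupported family as its own error.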





signature.asc
Description: OpenPGP digital signature
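
The length mismatch explained in this message, as an added example (not code from haproxy or from anyone in this thread): the address is stored in a struct sockaddr_storage, but connect() is given the length that matches the family actually stored in it. The helper names addr_len_for, udp_connect and make_ipv4 are hypothetical, and 127.0.0.1:53 is a constructed sample address so the program runs offline.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example: helper names are hypothetical, not haproxy's own. */
/* Length connect() expects for the family stored in ss; 0 = not handled. */
static socklen_t addr_len_for(const struct sockaddr_storage *ss)
{
    if (ss->ss_family == AF_INET)  return sizeof(struct sockaddr_in);
    if (ss->ss_family == AF_INET6) return sizeof(struct sockaddr_in6);
    return 0;
}

/* Open a UDP socket of ns's family and connect it; -1 and errno on error. */
static int udp_connect(const struct sockaddr_storage *ns)
{
    socklen_t len = addr_len_for(ns);
    if (len == 0) { errno = EAFNOSUPPORT; return -1; }
    int fd = socket(ns->ss_family, SOCK_DGRAM, IPPROTO_UDP);
    if (fd == -1) return -1;
    if (connect(fd, (const struct sockaddr *)ns, len) == -1) {
        int saved = errno;      /* keep the real cause across close() */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Constructed sample input: an IPv4 address held in a sockaddr_storage. */
static int make_ipv4(struct sockaddr_storage *ss, const char *ip, int port)
{
    struct sockaddr_in *in = (struct sockaddr_in *)ss;
    *ss = (struct sockaddr_storage){0};
    in->sin_family = AF_INET;
    in->sin_port = htons((unsigned short)port);
    return inet_pton(AF_INET, ip, &in->sin_addr) == 1 ? 0 : -1;
}

int main(void)
{
    struct sockaddr_storage ns;
    int fd = make_ipv4(&ns, "127.0.0.1", 53) ? -1 : udp_connect(&ns);
    printf("%zu vs %u, fd=%d\n", sizeof ns, (unsigned)addr_len_for(&ns), fd);
    return fd >= 0 ? close(fd) : 1;
}
```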


Re: Re: haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)

2015-09-07 Thread Baptiste
On Mon, Sep 7, 2015 at 12:32 PM, Remi Gacogne  wrote:
> Hi,
>
> On 09/07/2015 10:47 AM, Baptiste wrote:
>>> It fails that way:
>>>
>>> socket(PF_INET,SOCK_DGRAM,17)= (0x4)
>>> connect(4,{ AF_INET 8.8.8.8:53 },128)ERR#22 'Invalid argument'
>>>
>>> 3rd argument for connect() looks wrong for ipv4:
>>>
>>> ERRORS
>>>  The connect() system call fails if:
>>>
>>>  [EINVAL]   The namelen argument is not a valid length for the
>>> address family.
>>>
>>>
>>
>> Ok, excellent.
>> I wonder how this could happen :)
>
> It looks like this code is passing the size of a struct
> sockaddr_storage to connect(), instead of the size corresponding to the
> underlying socket family. Some OSes are forgiving, others not so much :)
>
> diff --git a/src/dns.c b/src/dns.c
> index 4bc5448..f725ff4 100644
> --- a/src/dns.c
> +++ b/src/dns.c
> @@ -819,7 +819,7 @@ int dns_init_resolvers(void)
> }
>
> /* "connect" the UDP socket to the name server IP */
> -   if (connect(fd, (struct
> sockaddr*)>addr, sizeof(curnameserver->addr)) == -1) {
> +   if (connect(fd, (struct
> sockaddr*)>addr, get_addr_len(>addr)) == -1) {
> Alert("Starting [%s/%s] nameserver:
> can't connect socket.\n", curr_resolvers->id,
> curnameserver->id);
> close(fd);
>
>
>
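
Review bot: the Alert() in the failure branch still prints only "can't connect socket" and drops errno, which is why the EINVAL in this thread had to be found with a syscall trace. While this call is being touched, suggest adding strerror(errno) to the message, with errno read before close(fd) runs.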

Thanks a lot Remi!

Piba, could you please check it works with Remi's feedback?
If yes, I'll send a patch to Willy with the fix.

Baptiste



Re: haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)

2015-09-07 Thread PiBa-NL

Hi Remi & Baptiste,

On 7-9-2015 at 12:36, Baptiste wrote:

On Mon, Sep 7, 2015 at 12:32 PM, Remi Gacogne  wrote:

Hi,

On 09/07/2015 10:47 AM, Baptiste wrote:

It fails that way:

socket(PF_INET,SOCK_DGRAM,17)= (0x4)
connect(4,{ AF_INET 8.8.8.8:53 },128)ERR#22 'Invalid argument'

3rd argument for connect() looks wrong for ipv4:

ERRORS
  The connect() system call fails if:

  [EINVAL]   The namelen argument is not a valid length for the
 address family.



Ok, excellent.
I wonder how this could happen :)

It looks like this code is passing the size of a struct
sockaddr_storage to connect(), instead of the size corresponding to the
underlying socket family. Some OSes are forgiving, others not so much :)

diff --git a/src/dns.c b/src/dns.c
index 4bc5448..f725ff4 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -819,7 +819,7 @@ int dns_init_resolvers(void)
 }

 /* "connect" the UDP socket to the name server IP */
-   if (connect(fd, (struct
sockaddr*)>addr, sizeof(curnameserver->addr)) == -1) {
+   if (connect(fd, (struct
sockaddr*)>addr, get_addr_len(>addr)) == -1) {
 Alert("Starting [%s/%s] nameserver:
can't connect socket.\n", curr_resolvers->id,
 curnameserver->id);
 close(fd);
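
Review bot: the removed and added lines are wrapped in the middle of the connect() call, and the second argument reads "sockaddr*)>addr", so the hunk will not apply as posted. Suggest resending it as a git format-patch attachment so the long lines arrive intact.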




Thanks a lot Remi!

Piba, could you please check it works with Remi's feedback?
If yes, I'll send a patch to Willy with the fix.

Baptiste


The fix works.

At least now dns requests are sent and 'some' reply comes back. A new 
mail following about that..


PiBa-NL



haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)

2015-09-06 Thread PiBa-NL

Hi guys,

Hoping someone can shed some light on what i might be doing wrong?
Or is there something in FreeBSD that might be causing the trouble with 
the new resolvers options?


Thanks in advance.
PiBa-NL

haproxy -f /var/haproxy.cfg -d
[ALERT] 248/222758 (22942) : SSLv3 support requested but unavailable.
Note: setting global.maxconn to 2000.
Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result FAILED
Total: 3 (2 usable), will use kqueue.
Using kqueue() as the polling mechanism.
[ALERT] 248/222808 (22942) : Starting [globalresolvers/googleA] 
nameserver: can't connect socket.



defaults
    mode http
    timeout connect 3
    timeout server 3
    timeout client 3

resolvers globalresolvers
    nameserver googleA 8.8.8.8:53
    resolve_retries   3
    timeout retry 1s
    hold valid   10s

listen www
    bind 0.0.0.0:80
    log global
    server googlesite www.google.com:80 check inter 1000 resolvers globalresolvers



# uname -a
FreeBSD OPNsense.localdomain 10.1-RELEASE-p18 FreeBSD 10.1-RELEASE-p18 
#0 71275cd(stable/15.7): Sun Aug 23 20:32:26 CEST 2015 
root@sensey64:/usr/obj/usr/src/sys/SMP  amd64


# haproxy -vv
[ALERT] 248/221747 (72984) : SSLv3 support requested but unavailable.
HA-Proxy version 1.6-dev4-b7ce424 2015/09/03
Copyright 2000-2015 Willy Tarreau 

Build options :
  TARGET  = freebsd
  CPU = generic
  CC  = cc
  CFLAGS  = -O2 -pipe -fstack-protector -fno-strict-aliasing 
-DFREEBSD_PORTS
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 
USE_STATIC_PCRE=1 USE_PCRE_JIT=1


Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity("identity"), 
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")

Built with OpenSSL version : OpenSSL 1.0.2d 9 Jul 2015
Running on OpenSSL version : OpenSSL 1.0.2d 9 Jul 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.37 2015-04-28
PCRE library supports JIT : yes
Built with Lua version : Lua 5.3.0
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY

Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.