Re: haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)
On Mon, Sep 7, 2015 at 10:07 AM, Dmitry Sivachenkowrote: > >> On 7 сент. 2015 г., at 9:36, Lukas Tribus wrote: >> >> >> >> Best would be to strace this, but this is Freebsd amd64, >> so that doesn't work. Can you trace the syscalls with >> the strace equivalent at least? > > > It fails that way: > > socket(PF_INET,SOCK_DGRAM,17)= 4 (0x4) > connect(4,{ AF_INET 8.8.8.8:53 },128)ERR#22 'Invalid argument' > > 3rd argument for connect() looks wrong for ipv4: > > ERRORS > The connect() system call fails if: > > [EINVAL] The namelen argument is not a valid length for the > address family. > > Ok, excellent. I wonder how this could happen :) Let me check tonight and com back to you. Baptiste
Re: haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)
> On 7 сент. 2015 г., at 9:36, Lukas Tribuswrote: > > > > Best would be to strace this, but this is Freebsd amd64, > so that doesn't work. Can you trace the syscalls with > the strace equivalent at least? It fails that way: socket(PF_INET,SOCK_DGRAM,17)= 4 (0x4) connect(4,{ AF_INET 8.8.8.8:53 },128)ERR#22 'Invalid argument' 3rd argument for connect() looks wrong for ipv4: ERRORS The connect() system call fails if: [EINVAL] The namelen argument is not a valid length for the address family.
Re: haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)
> On 7 сент. 2015 г., at 1:46, PiBa-NLwrote: > > Hi guys, > > Hoping someone can shed some light on what i might be doing wrong? > Or is there something in FreeBSD that might be causing the trouble with the > new resolvers options? > > Thanks in advance. > PiBa-NL > > haproxy -f /var/haproxy.cfg -d > [ALERT] 248/222758 (22942) : SSLv3 support requested but unavailable. > Note: setting global.maxconn to 2000. > Available polling systems : > kqueue : pref=300, test result OK > poll : pref=200, test result OK > select : pref=150, test result FAILED Also interesting is why you have test for select=FAILED, though in your haproxy -vv output below this rest result is OK. > Total: 3 (2 usable), will use kqueue. > Using kqueue() as the polling mechanism. > [ALERT] 248/222808 (22942) : Starting [globalresolvers/googleA] nameserver: > can't connect socket. > > > defaults >modehttp >timeout connect3 >timeout server3 >timeout client3 > > resolvers globalresolvers >nameserver googleA 8.8.8.8:53 >resolve_retries 3 >timeout retry 1s >hold valid 10s > > listen www >bind 0.0.0.0:80 >logglobal >servergooglesite www.google.com:80 check inter 1000 resolvers > globalresolvers > > > # uname -a > FreeBSD OPNsense.localdomain 10.1-RELEASE-p18 FreeBSD 10.1-RELEASE-p18 #0 > 71275cd(stable/15.7): Sun Aug 23 20:32:26 CEST 2015 > root@sensey64:/usr/obj/usr/src/sys/SMP amd64 > > # haproxy -vv > [ALERT] 248/221747 (72984) : SSLv3 support requested but unavailable. > HA-Proxy version 1.6-dev4-b7ce424 2015/09/03 > Copyright 2000-2015 Willy Tarreau > > Build options : > TARGET = freebsd > CPU = generic > CC = cc > CFLAGS = -O2 -pipe -fstack-protector -fno-strict-aliasing -DFREEBSD_PORTS > OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 > USE_STATIC_PCRE=1 USE_PCRE_JIT=1 > > Default settings : > maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200 > > Encrypted password support via crypt(3): yes > Built with zlib version : 1.2.8 > Compression algorithms supported : identity("identity"), deflate("deflate"), > raw-deflate("deflate"), gzip("gzip") > Built with OpenSSL version : OpenSSL 1.0.2d 9 Jul 2015 > Running on OpenSSL version : OpenSSL 1.0.2d 9 Jul 2015 > OpenSSL library supports TLS extensions : yes > OpenSSL library supports SNI : yes > OpenSSL library supports prefer-server-ciphers : yes > Built with PCRE version : 8.37 2015-04-28 > PCRE library supports JIT : yes > Built with Lua version : Lua 5.3.0 > Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY > > Available polling systems : > kqueue : pref=300, test result OK > poll : pref=200, test result OK > select : pref=150, test result OK > Total: 3 (3 usable), will use kqueue. > >
Re: Re: haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)
Hi, On 09/07/2015 10:47 AM, Baptiste wrote: >> It fails that way: >> >> socket(PF_INET,SOCK_DGRAM,17)= (0x4) >> connect(4,{ AF_INET 8.8.8.8:53 },128)ERR#22 'Invalid argument' >> >> 3rd argument for connect() looks wrong for ipv4: >> >> ERRORS >> The connect() system call fails if: >> >> [EINVAL] The namelen argument is not a valid length for the >> address family. >> >> > > Ok, excellent. > I wonder how this could happen :) It looks like this code is passing the size of a struct sockaddr_storage to connect(), instead of the size corresponding to the underlying socket family. Some OS are forgiving, other not so much :) diff --git a/src/dns.c b/src/dns.c index 4bc5448..f725ff4 100644 --- a/src/dns.c +++ b/src/dns.c @@ -819,7 +819,7 @@ int dns_init_resolvers(void) } /* "connect" the UDP socket to the name server IP */ - if (connect(fd, (struct sockaddr*)>addr, sizeof(curnameserver->addr)) == -1) { + if (connect(fd, (struct sockaddr*)>addr, get_addr_len(>addr)) == -1) { Alert("Starting [%s/%s] nameserver: can't connect socket.\n", curr_resolvers->id, curnameserver->id); close(fd); signature.asc Description: OpenPGP digital signature
Re: Re: haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)
On Mon, Sep 7, 2015 at 12:32 PM, Remi Gacognewrote: > Hi, > > On 09/07/2015 10:47 AM, Baptiste wrote: >>> It fails that way: >>> >>> socket(PF_INET,SOCK_DGRAM,17)= (0x4) >>> connect(4,{ AF_INET 8.8.8.8:53 },128)ERR#22 'Invalid argument' >>> >>> 3rd argument for connect() looks wrong for ipv4: >>> >>> ERRORS >>> The connect() system call fails if: >>> >>> [EINVAL] The namelen argument is not a valid length for the >>> address family. >>> >>> >> >> Ok, excellent. >> I wonder how this could happen :) > > It looks like this code is passing the size of a struct > sockaddr_storage to connect(), instead of the size corresponding to the > underlying socket family. Some OS are forgiving, other not so much :) > > diff --git a/src/dns.c b/src/dns.c > index 4bc5448..f725ff4 100644 > --- a/src/dns.c > +++ b/src/dns.c > @@ -819,7 +819,7 @@ int dns_init_resolvers(void) > } > > /* "connect" the UDP socket to the name server IP */ > - if (connect(fd, (struct > sockaddr*)>addr, sizeof(curnameserver->addr)) == -1) { > + if (connect(fd, (struct > sockaddr*)>addr, get_addr_len(>addr)) == -1) { > Alert("Starting [%s/%s] nameserver: > can't connect socket.\n", curr_resolvers->id, > curnameserver->id); > close(fd); > > > Thanks a lot Remi! Piba, could you please check it works with Remi's feedback? If yes, I'll send a patch to Willy with the fix. Baptiste
Re: haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)
Hi Remi & Baptiste, Op 7-9-2015 om 12:36 schreef Baptiste: On Mon, Sep 7, 2015 at 12:32 PM, Remi Gacognewrote: Hi, On 09/07/2015 10:47 AM, Baptiste wrote: It fails that way: socket(PF_INET,SOCK_DGRAM,17)= (0x4) connect(4,{ AF_INET 8.8.8.8:53 },128)ERR#22 'Invalid argument' 3rd argument for connect() looks wrong for ipv4: ERRORS The connect() system call fails if: [EINVAL] The namelen argument is not a valid length for the address family. Ok, excellent. I wonder how this could happen :) It looks like this code is passing the size of a struct sockaddr_storage to connect(), instead of the size corresponding to the underlying socket family. Some OS are forgiving, other not so much :) diff --git a/src/dns.c b/src/dns.c index 4bc5448..f725ff4 100644 --- a/src/dns.c +++ b/src/dns.c @@ -819,7 +819,7 @@ int dns_init_resolvers(void) } /* "connect" the UDP socket to the name server IP */ - if (connect(fd, (struct sockaddr*)>addr, sizeof(curnameserver->addr)) == -1) { + if (connect(fd, (struct sockaddr*)>addr, get_addr_len(>addr)) == -1) { Alert("Starting [%s/%s] nameserver: can't connect socket.\n", curr_resolvers->id, curnameserver->id); close(fd); Thanks a lot Remi! Piba, could you please check it works with Remi's feedback? If yes, I'll send a patch to Willy with the fix. Baptiste The fix works. At least now dns requests are send and 'some' reply comes back. A new mail following about that.. PiBa-NL
haproxy resolvers "nameserver: can't connect socket" (on FreeBSD)
Hi guys, Hoping someone can shed some light on what i might be doing wrong? Or is there something in FreeBSD that might be causing the trouble with the new resolvers options? Thanks in advance. PiBa-NL haproxy -f /var/haproxy.cfg -d [ALERT] 248/222758 (22942) : SSLv3 support requested but unavailable. Note: setting global.maxconn to 2000. Available polling systems : kqueue : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result FAILED Total: 3 (2 usable), will use kqueue. Using kqueue() as the polling mechanism. [ALERT] 248/222808 (22942) : Starting [globalresolvers/googleA] nameserver: can't connect socket. defaults modehttp timeout connect3 timeout server3 timeout client3 resolvers globalresolvers nameserver googleA 8.8.8.8:53 resolve_retries 3 timeout retry 1s hold valid 10s listen www bind 0.0.0.0:80 logglobal servergooglesite www.google.com:80 check inter 1000 resolvers globalresolvers # uname -a FreeBSD OPNsense.localdomain 10.1-RELEASE-p18 FreeBSD 10.1-RELEASE-p18 #0 71275cd(stable/15.7): Sun Aug 23 20:32:26 CEST 2015 root@sensey64:/usr/obj/usr/src/sys/SMP amd64 # haproxy -vv [ALERT] 248/221747 (72984) : SSLv3 support requested but unavailable. HA-Proxy version 1.6-dev4-b7ce424 2015/09/03 Copyright 2000-2015 Willy TarreauBuild options : TARGET = freebsd CPU = generic CC = cc CFLAGS = -O2 -pipe -fstack-protector -fno-strict-aliasing -DFREEBSD_PORTS OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200 Encrypted password support via crypt(3): yes Built with zlib version : 1.2.8 Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Built with OpenSSL version : OpenSSL 1.0.2d 9 Jul 2015 Running on OpenSSL version : OpenSSL 1.0.2d 9 Jul 2015 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports prefer-server-ciphers : yes Built with PCRE version : 8.37 2015-04-28 PCRE library supports JIT : yes Built with Lua version : Lua 5.3.0 Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY Available polling systems : kqueue : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use kqueue.