1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
.\"
.\" Copyright (c) 2024 Gleb Smirnoff <glebius@FreeBSD.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" "
.Dd April 24, 2024
.Dt ACCF_TLS 9
.Os
.Sh NAME
.Nm accf_tls
.Nd "buffer incoming connections until a TLS handshake like requests arrive"
.Sh SYNOPSIS
.Nm options INET
.Nm options ACCEPT_FILTER_TLS
.Nm kldload accf_tls
.Sh DESCRIPTION
This is a filter to be placed on a socket that will be using
.Fn accept 2
to receive incoming HTTPS connections.
It prevents the application from receiving the connected descriptor via
.Fn accept 2
until a full TLS handshake has been buffered by the kernel.
The
.Nm
will first check that byte at offset 0 is
.Va 0x16 ,
which matches handshake type.
Then it will read 2-byte request length value at offset 3 and will
continue reading until reading the entire length of the handshake is buffered.
If something other than
.Va 0x16
is at offset 0, the kernel will allow the application to receive the
connection descriptor via
.Fn accept 2 .
.Pp
The utility of
.Nm
is such that a server will not have to context switch several times
before performing the initial parsing of the request.
This effectively reduces the amount of required CPU utilization
to handle incoming requests by keeping active
processes in preforking servers such as Apache low
and reducing the size of the file descriptor set that needs
to be managed by interfaces such as
.Fn select ,
.Fn poll
or
.Fn kevent
based servers.
.Sh EXAMPLES
Assuming ACCEPT_FILTER_TLS has been included in the kernel config
file or the
.Nm
module
has been loaded, this will enable the TLS accept filter
on the socket
.Fa sok .
.Bd -literal -offset 0i
struct accept_filter_arg afa;
bzero(&afa, sizeof(afa));
strcpy(afa.af_name, "tlsready");
setsockopt(sok, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa));
.Ed
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr accept_filter 9
.Sh HISTORY
The
.Nm
accept filter was introduced in
.Fx 15.0 .
.Sh AUTHORS
The
.Nm
filter was written by
.An Maksim Yevmenkin .
|
