trafficserver-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From a..@apache.org
Subject [trafficserver] branch master updated: Added VConn args support Changed TS_VCONN_PRE_ACCEPT to TS_VCONN_START Added TS_VCONN_CLOSE hooks Fixed docs for TS_VCONN_PRE_ACCEPT renaming to TS_VCONN_START and added docs for TSVconnArgs Added an example plugin vconn_args to test
Date Thu, 29 Mar 2018 22:42:55 GMT
This is an automated email from the ASF dual-hosted git repository.

amc pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 8d01164  Added VConn args support Changed TS_VCONN_PRE_ACCEPT to TS_VCONN_START Added
TS_VCONN_CLOSE hooks Fixed docs for TS_VCONN_PRE_ACCEPT renaming to TS_VCONN_START and added
docs for TSVconnArgs Added an example plugin vconn_args to test
8d01164 is described below

commit 8d01164257417434b667021365b5f07d0ec596e0
Author: dyrock <zeyuany@gmail.com>
AuthorDate: Tue Mar 13 16:12:17 2018 -0500

    Added VConn args support
    Changed TS_VCONN_PRE_ACCEPT to TS_VCONN_START
    Added TS_VCONN_CLOSE hooks
    Fixed docs for TS_VCONN_PRE_ACCEPT renaming to TS_VCONN_START and added docs for TSVconnArgs
    Added an example plugin vconn_args to test
    
    Added vconn args man page
    
    Make VCONN_PRE_ACCEPT deprecated but still compatible
---
 .../api/functions/TSVConnArgs.en.rst               |  82 ++++++++++++++++
 .../api/functions/TSVConnTunnel.en.rst             |   2 +-
 doc/developer-guide/api/types/TSEvent.en.rst       |   4 +-
 doc/developer-guide/api/types/TSHttpHookID.en.rst  |   6 +-
 .../hooks-and-transactions/ssl-hooks.en.rst        |  24 +++--
 example/Makefile.am                                |   4 +-
 example/ssl_preaccept/ssl_preaccept.cc             |   6 +-
 example/vconn_args/vconn_args.cc                   | 104 +++++++++++++++++++++
 iocore/eventsystem/I_VConnection.h                 |  39 +++++++-
 iocore/net/I_NetVConnection.h                      |   4 +-
 iocore/net/P_SSLNetVConnection.h                   |   8 +-
 iocore/net/SSLNetVConnection.cc                    |  25 +++--
 lib/ts/apidefs.h.in                                |  16 ++--
 .../ssl_cert_loader/ssl-cert-loader.cc             |   4 +-
 proxy/InkAPI.cc                                    |  49 +++++++++-
 proxy/InkAPIInternal.h                             |   3 +-
 proxy/InkAPITest.cc                                |   5 +-
 proxy/api/ts/ts.h                                  |   5 +
 proxy/http/HttpDebugNames.cc                       |   6 +-
 tests/tools/plugins/ssl_hook_test.cc               |  12 +--
 20 files changed, 352 insertions(+), 56 deletions(-)

diff --git a/doc/developer-guide/api/functions/TSVConnArgs.en.rst b/doc/developer-guide/api/functions/TSVConnArgs.en.rst
new file mode 100644
index 0000000..6f912b3
--- /dev/null
+++ b/doc/developer-guide/api/functions/TSVConnArgs.en.rst
@@ -0,0 +1,82 @@
+.. Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed
+   with this work for additional information regarding copyright
+   ownership.  The ASF licenses this file to you under the Apache
+   License, Version 2.0 (the "License"); you may not use this file
+   except in compliance with the License.  You may obtain a copy of
+   the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied.  See the License for the specific language governing
+   permissions and limitations under the License.
+
+.. include:: ../common.defs
+.. default-domain:: c
+
+.. _TSVConnArgs:
+
+TSVConnArgs
+************
+
+Synopsis
+========
+
+`#include <ts/ts.h>`
+
+.. function:: TSReturnCode TSVConnArgIndexReserve(const char * name, const char * description,
int * arg_idx)
+.. function:: TSReturnCode TSVConnArgIndexNameLookup(const char * name, int * arg_idx, const
char ** description)
+.. function:: TSReturnCode TSVConnArgIndexLookup(int arg_idx, const char ** name, const char
** description)
+.. function:: void TSVConnArgSet(TSVConn vc, int arg_idx, void * arg)
+.. function:: void * TSVConnArgGet(TSVConn vc, int arg_idx)
+
+Description
+===========
+
+Virtual connection objects (API type :c:type:`TSVConn`) support an array of :code:`void *`
values that
+are controlled entirely by plugins. These are not used in any way by the core. This allows
plugins
+to store data associated with a specific virtual connection for later retrieval by the same
plugin
+in a different hook or by another plugin. Because the core does not interact with these values
any
+cleanup is the responsibility of the plugin.
+
+To avoid collisions between plugins a plugin should first *reserve* an index in the array
by calling
+:func:`TSVConnArgIndexReserve` passing it an identifying name, a description, and a pointer
to an
+integer which will get the reserved index. The function returns :code:`TS_SUCCESS` if an
index was
+reserved, :code:`TS_ERROR` if not (most likely because all of the indices have already been
+reserved). Generally this will be a file or library scope global which is set at plugin
+initialization. Note the reservation is by convention - nothing stops a plugin from interacting
with
+a :code:`TSVConn` arg it has not reserved.
+
+To look up the owner of a reserved index use :func:`TSVConnArgIndexNameLookup`. If the :arg:`name`
is
+found as an owner, the function returns :code:`TS_SUCCESS` and :arg:`arg_index` is updated
with the
+index reserved under that name. If :arg:`description` is not :code:`nullptr` then it will
be updated
+with the description for that reserved index. This enables communication between plugins
where
+plugin "A" reserves an index under a well known name and plugin "B" locates the index by
looking it
+up under that name.
+
+The owner of a reserved index can be found with :func:`TSVConnArgIndexLookup`. If :arg:`arg_index`
is
+reserved then the function returns :code:`TS_SUCCESS` and :arg:`name` and :arg:`description`
are
+updated. :arg:`name` must point at a valid character pointer but :arg:`description` can be
+:code:`nullptr`.
+
+Manipulating the array is simple. :func:`TSVConnArgSet` sets the array slot at :arg:`arg_idx`
for
+the :arg:`vc` to the value :arg:`arg`. Note this sets the value only for the specific
+:c:type:`TSVConn`. The values can be retrieved with :func:`TSVConnArgGet` which returns the
+specified value. Values that have not been set are :code:`nullptr`.
+
+Hooks
+=====
+
+Although these can be used from any hook that has access to a :c:type:`TSVConn` it will generally
be
+the case that :func:`TSVConnArgSet` will be used in early intervention hooks and
+:func:`TSVConnArgGet` in session / transaction hooks. Cleanup should be done on the
+:code:`TS_VCONN_CLOSE_HOOK`.
+
+.. rubric:: Appendix
+
+.. note::
+   This is originally from `Issue 2388 <https://github.com/apache/trafficserver/issues/2388>`__.
It
+   has been extended based on discussions with Kees and Leif Hedstrom at the ATS summit.
diff --git a/doc/developer-guide/api/functions/TSVConnTunnel.en.rst b/doc/developer-guide/api/functions/TSVConnTunnel.en.rst
index 85fa184..e27b811 100644
--- a/doc/developer-guide/api/functions/TSVConnTunnel.en.rst
+++ b/doc/developer-guide/api/functions/TSVConnTunnel.en.rst
@@ -32,5 +32,5 @@ Description
 ===========
 
 Set the SSL connection :arg:`svc` to convert to a blind tunnel. Can be called
-from :member:`TS_VCONN_PRE_ACCEPT_HOOK`, :member:`TS_SSL_SERVERNAME_HOOK`, or :member:`TS_SSL_SNI_HOOK`
/ :member:`TS_SSL_CERT_HOOK`.
+from :member:`TS_VCONN_START_HOOK`, :member:`TS_SSL_SERVERNAME_HOOK`, or :member:`TS_SSL_SNI_HOOK`
/ :member:`TS_SSL_CERT_HOOK`.
 
diff --git a/doc/developer-guide/api/types/TSEvent.en.rst b/doc/developer-guide/api/types/TSEvent.en.rst
index e4abf84..96e8b73 100644
--- a/doc/developer-guide/api/types/TSEvent.en.rst
+++ b/doc/developer-guide/api/types/TSEvent.en.rst
@@ -177,7 +177,9 @@ Enumeration Members
 
 .. c:macro:: TS_EVENT_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED
 
-.. c:macro:: TS_EVENT_VCONN_PRE_ACCEPT
+.. c:macro:: TS_EVENT_VCONN_START
+
+.. c:macro:: TS_EVENT_VCONN_CLOSE
 
 .. c:macro:: TS_EVENT_MGMT_UPDATE
 
diff --git a/doc/developer-guide/api/types/TSHttpHookID.en.rst b/doc/developer-guide/api/types/TSHttpHookID.en.rst
index 85c6f02..f03444a 100644
--- a/doc/developer-guide/api/types/TSHttpHookID.en.rst
+++ b/doc/developer-guide/api/types/TSHttpHookID.en.rst
@@ -70,7 +70,9 @@ Enumeration Members
 
 .. c:macro:: TSHttpHookID TS_SSL_FIRST_HOOK
 
-.. c:macro:: TSHttpHookID TS_VCONN_PRE_ACCEPT_HOOK
+.. c:macro:: TSHttpHookID TS_VCONN_START_HOOK
+
+.. c:macro:: TSHttpHookID TS_VCONN_CLOSE_HOOK
 
 .. c:macro:: TSHttpHookID TS_SSL_SNI_HOOK
 
@@ -97,7 +99,7 @@ to be deprecated and removed, plugins using this should change to :macro:`TS_SSL
    :macro:`TS_SSL_SERVERNAME_HOOK` is invoked for the openssl servername callback.
    :macro:`TS_SSL_SNI_HOOK` and :macro:`TS_SSL_CERT_HOOK` are invoked for the openssl certificate
    callback which is not guaranteed to be invoked for a TLS transaction.
-   
+
    This is a behavior change dependent on the version of openssl. To avoid problems use
    :macro:`TS_SSL_SERVERNAME_HOOK` to get called back for all TLS transaction and
    :macro:`TS_SSL_CERT_HOOK` to get called back only to select a certificate.
diff --git a/doc/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.rst b/doc/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.rst
index cb026c8..518d0e8 100644
--- a/doc/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.rst
+++ b/doc/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.rst
@@ -22,10 +22,10 @@
 TLS User Agent Hooks
 ********************
 
-In addition to the HTTP oriented hooks, a plugin can add hooks to trigger code 
+In addition to the HTTP oriented hooks, a plugin can add hooks to trigger code
 during the TLS handshake with the user agent.  This TLS handshake occurs well before
 the HTTP transaction is available, so a separate state machine is required to track the
-TLS hooks.  
+TLS hooks.
 
 TLS Hooks
 ---------
@@ -45,7 +45,7 @@ The following actions are valid from these callbacks.
   * Find SSL context by address - :c:func:`TSSslContextFindByAddr`
   * Determine whether the TSVConn is really representing a SSL connection - :c:func:`TSVConnIsSsl`
 
-TS_VCONN_PRE_ACCEPT_HOOK
+TS_VCONN_START_HOOK
 ------------------------
 
 This hook is invoked after the client has connected to ATS and before the SSL handshake is
started, i.e., before any bytes have been read from the client. The data for the callback
is a TSVConn instance which represents the client connection. There is no HTTP transaction
as no headers have been read.
@@ -55,10 +55,15 @@ In theory this hook could apply and be useful for non-SSL connections
as well, b
 The TLS handshake processing will not proceed until :c:func:`TSSslVConnReenable()` is called
either from within the hook
 callback or from another piece of code.
 
+TS_VCONN_CLOSE_HOOK
+------------------------
+
+This hook is invoked after the SSL handshake is done and when the IO is closing. The TSVConnArgs
should be cleaned up here.
+
 TS_SSL_SERVERNAME_HOOK
 ----------------------
 
-This hook is called if the client provides SNI information in the SSL handshake. If called
it will always be called after TS_VCONN_PRE_ACCEPT_HOOK.
+This hook is called if the client provides SNI information in the SSL handshake. If called
it will always be called after TS_VCONN_START_HOOK.
 
 The Traffic Server core first evaluates the settings in the ssl_multicert.config file based
on the server name. Then the core SNI callback executes the plugin registered SNI callback
code. The plugin callback can access the servername by calling the openssl function SSL_get_servername().
 
@@ -72,12 +77,12 @@ This hook is called as the server certificate is selected for the TLS
handshake.
 code to create or select the certificate that should be used for the TLS handshake.  This
will override the default
 Traffic Server certificate selection.
 
-If you are running with openssl 1.0.2 or later, you can control whether the TLS handshake
processing will 
-continue after the certificate hook callback execute by calling :c:func:`TSSslVConnReenable()`
or not.  The TLS 
+If you are running with openssl 1.0.2 or later, you can control whether the TLS handshake
processing will
+continue after the certificate hook callback execute by calling :c:func:`TSSslVConnReenable()`
or not.  The TLS
 handshake processing will not proceed until :c:func:`TSSslVConnReenable()` is called.
 
 It may be useful to delay the TLS handshake processing if other resources must be consulted
to select or create
-a certificate. 
+a certificate.
 
 TLS Hook State Diagram
 ----------------------
@@ -86,11 +91,11 @@ TLS Hook State Diagram
    :alt: TLS Hook State Diagram
 
    digraph tls_hook_state_diagram{
-     HANDSHAKE_HOOKS_PRE -> TS_VCONN_PRE_ACCEPT_HOOK;
+     HANDSHAKE_HOOKS_PRE -> TS_VCONN_START_HOOK;
      HANDSHAKE_HOOKS_PRE -> TS_SSL_CERT_HOOK;
      HANDSHAKE_HOOKS_PRE -> TS_SSL_SERVERNAME_HOOK;
      HANDSHAKE_HOOKS_PRE -> HANDSHAKE_HOOKS_DONE;
-     TS_VCONN_PRE_ACCEPT_HOOK -> HANDSHAKE_HOOKS_PRE_INVOKE;
+     TS_VCONN_START_HOOK -> HANDSHAKE_HOOKS_PRE_INVOKE;
      HANDSHAKE_HOOKS_PRE_INVOKE -> TSSslVConnReenable;
      TSSslVConnReenable -> HANDSHAKE_HOOKS_PRE;
      TS_SSL_SERVERNAME_HOOK -> HANDSHAKE_HOOKS_SNI;
@@ -102,6 +107,7 @@ TLS Hook State Diagram
      HANDSHAKE_HOOKS_CERT_INVOKE -> TSSslVConnReenable2;
      TSSslVConnReenable2 -> HANDSHAKE_HOOKS_CERT;
      HANDSHAKE_HOOKS_CERT -> HANDSHAKE_HOOKS_DONE;
+     HANDSHAKE_HOOKS_DONE -> TS_VCONN_CLOSE_HOOK;
 
      HANDSHAKE_HOOKS_PRE [shape=box];
      HANDSHAKE_HOOKS_PRE_INVOKE [shape=box];
diff --git a/example/Makefile.am b/example/Makefile.am
index 6c816ee..5134873 100644
--- a/example/Makefile.am
+++ b/example/Makefile.am
@@ -62,7 +62,8 @@ example_Plugins = \
 	txn_data_sink.la \
 	version.la \
 	disable_http2.la \
-	verify_cert.la
+	verify_cert.la \
+	vconn_args.la
 
 example_Plugins += \
 	cppapi/AsyncHttpFetch.la \
@@ -133,6 +134,7 @@ txn_data_sink_la_SOURCES = txn_data_sink/txn_data_sink.c
 version_la_SOURCES = version/version.c
 redirect_1_la_SOURCES = redirect_1/redirect_1.c
 session_hooks_la_SOURCES = session_hooks/session_hooks.c
+vconn_args_la_SOURCES = vconn_args/vconn_args.cc
 
 cppapi_AsyncHttpFetchStreaming_la_SOURCES = cppapi/async_http_fetch_streaming/AsyncHttpFetchStreaming.cc
 cppapi_AsyncHttpFetch_la_SOURCES = cppapi/async_http_fetch/AsyncHttpFetch.cc
diff --git a/example/ssl_preaccept/ssl_preaccept.cc b/example/ssl_preaccept/ssl_preaccept.cc
index 4bc822c..55c9595 100644
--- a/example/ssl_preaccept/ssl_preaccept.cc
+++ b/example/ssl_preaccept/ssl_preaccept.cc
@@ -143,8 +143,8 @@ CB_Pre_Accept(TSCont, TSEvent event, void *edata)
   }
 
   TSDebug(PLUGIN_NAME, "Pre accept callback %p - event is %s, target address %s, client address
%s%s", ssl_vc,
-          event == TS_EVENT_VCONN_PRE_ACCEPT ? "good" : "bad", ip.toString(buff, sizeof(buff)),
-          ip_client.toString(buff2, sizeof(buff2)), proxy_tunnel ? "" : " blind tunneled");
+          event == TS_EVENT_VCONN_START ? "good" : "bad", ip.toString(buff, sizeof(buff)),
ip_client.toString(buff2, sizeof(buff2)),
+          proxy_tunnel ? "" : " blind tunneled");
 
   // All done, reactivate things
   TSVConnReenable(ssl_vc);
@@ -193,7 +193,7 @@ TSPluginInit(int argc, const char *argv[])
   } else if (nullptr == (cb_pa = TSContCreate(&CB_Pre_Accept, TSMutexCreate()))) {
     TSError(PCP "Failed to pre-accept callback");
   } else {
-    TSHttpHookAdd(TS_VCONN_PRE_ACCEPT_HOOK, cb_pa);
+    TSHttpHookAdd(TS_VCONN_START_HOOK, cb_pa);
     success = true;
   }
 
diff --git a/example/vconn_args/vconn_args.cc b/example/vconn_args/vconn_args.cc
new file mode 100644
index 0000000..a997a98
--- /dev/null
+++ b/example/vconn_args/vconn_args.cc
@@ -0,0 +1,104 @@
+/** @file
+
+  VConn Args test plugin.
+
+  Tests VConn arg reserve/lookup/set/get.
+
+  @section license License
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+*/
+#include <cstdio>
+
+#include "ts/ts.h"
+
+const char *PLUGIN_NAME = "vconn_arg_test";
+static int last_arg     = 0;
+
+static int
+vconn_arg_handler(TSCont contp, TSEvent event, void *edata)
+{
+  TSVConn ssl_vc = reinterpret_cast<TSVConn>(edata);
+  switch (event) {
+  case TS_EVENT_VCONN_START: {
+    // Testing set argument
+    int idx = 0;
+    while (TSVConnArgIndexReserve(PLUGIN_NAME, "test", &idx) == TS_SUCCESS) {
+      char *buf = (char *)TSmalloc(64);
+      snprintf(buf, 64, "Test Arg Idx %d", idx);
+      TSVConnArgSet(ssl_vc, idx, (void *)buf);
+      TSDebug(PLUGIN_NAME, "Successfully reserve and set arg #%d", idx);
+    }
+    last_arg = idx;
+    break;
+  }
+  case TS_EVENT_SSL_SERVERNAME: {
+    // Testing lookup argument
+    int idx = 0;
+    while (idx <= last_arg) {
+      const char *name = nullptr;
+      const char *desc = nullptr;
+      if (TSVConnArgIndexLookup(idx, &name, &desc) == TS_SUCCESS) {
+        TSDebug(PLUGIN_NAME, "Successful lookup for arg #%d: [%s] [%s]", idx, name, desc);
+      } else {
+        TSDebug(PLUGIN_NAME, "Failed lookup for arg #%d", idx);
+      }
+      idx++;
+    }
+    break;
+  }
+  case TS_EVENT_VCONN_CLOSE: {
+    // Testing argget and delete
+    int idx = 0;
+    while (idx <= last_arg) {
+      char *buf = (char *)TSVConnArgGet(ssl_vc, idx);
+      if (buf) {
+        TSDebug(PLUGIN_NAME, "Successfully retrieve vconn arg #%d: %s", idx, buf);
+        TSfree(buf);
+      } else {
+        TSDebug(PLUGIN_NAME, "Failed to retrieve vconn arg #%d", idx);
+      }
+      idx++;
+    }
+  } break;
+  default: {
+    TSDebug(PLUGIN_NAME, "Unexpected event %d", event);
+    break;
+  }
+  }
+  TSVConnReenable(ssl_vc);
+  return 0;
+}
+
+void
+TSPluginInit(int argc, const char *argv[])
+{
+  TSDebug(PLUGIN_NAME, "Initializing plugin.");
+  TSPluginRegistrationInfo info;
+  info.plugin_name   = PLUGIN_NAME;
+  info.vendor_name   = "Oath";
+  info.support_email = "zeyuany@oath.com";
+
+  if (TSPluginRegister(&info) != TS_SUCCESS) {
+    TSError("[%s] Unable to initialize plugin. Failed to register.", PLUGIN_NAME);
+  } else {
+    TSCont cb = TSContCreate(vconn_arg_handler, nullptr);
+    TSHttpHookAdd(TS_VCONN_START_HOOK, cb);
+    TSHttpHookAdd(TS_SSL_SERVERNAME_HOOK, cb);
+    TSHttpHookAdd(TS_VCONN_CLOSE_HOOK, cb);
+  }
+}
diff --git a/iocore/eventsystem/I_VConnection.h b/iocore/eventsystem/I_VConnection.h
index 374302e..006867f 100644
--- a/iocore/eventsystem/I_VConnection.h
+++ b/iocore/eventsystem/I_VConnection.h
@@ -32,6 +32,10 @@
 #error "include I_VIO.h"
 #endif
 
+#include <array>
+
+static constexpr int TS_VCONN_MAX_USER_ARG = 4;
+
 //
 // Data Types
 //
@@ -374,7 +378,38 @@ public:
   int lerrno;
 };
 
-struct DummyVConnection : public VConnection {
+/**
+  Subclass of VConnection to provide support for user arguments
+
+  Inherited by DummyVConnection (down to INKContInternal) and NetVConnection
+*/
+class AnnotatedVConnection : public VConnection
+{
+  using self_type  = AnnotatedVConnection;
+  using super_type = VConnection;
+
+public:
+  AnnotatedVConnection(ProxyMutex *aMutex) : super_type(aMutex){};
+  AnnotatedVConnection(Ptr<ProxyMutex> &aMutex) : super_type(aMutex){};
+
+  void *
+  get_user_arg(unsigned ix) const
+  {
+    ink_assert(ix < user_args.size());
+    return this->user_args[ix];
+  };
+  void
+  set_user_arg(unsigned ix, void *arg)
+  {
+    ink_assert(ix < user_args.size());
+    user_args[ix] = arg;
+  };
+
+protected:
+  std::array<void *, TS_VCONN_MAX_USER_ARG> user_args;
+};
+
+struct DummyVConnection : public AnnotatedVConnection {
   virtual VIO *
   do_io_write(Continuation * /* c ATS_UNUSED */, int64_t /* nbytes ATS_UNUSED */, IOBufferReader
* /* buf ATS_UNUSED */,
               bool /* owner ATS_UNUSED */)
@@ -405,7 +440,7 @@ struct DummyVConnection : public VConnection {
                 "cannot use default implementation");
   }
 
-  DummyVConnection(ProxyMutex *m) : VConnection(m) {}
+  DummyVConnection(ProxyMutex *m) : AnnotatedVConnection(m) {}
 };
 
 #endif /*_I_VConnection_h_*/
diff --git a/iocore/net/I_NetVConnection.h b/iocore/net/I_NetVConnection.h
index 12b1448..62e6754 100644
--- a/iocore/net/I_NetVConnection.h
+++ b/iocore/net/I_NetVConnection.h
@@ -258,7 +258,7 @@ struct NetVCOptions {
   stream IO to be done based on a single read or write call.
 
 */
-class NetVConnection : public VConnection
+class NetVConnection : public AnnotatedVConnection
 {
 public:
   // How many bytes have been queued to the OS for sending by haven't been sent yet
@@ -661,7 +661,7 @@ protected:
 };
 
 inline NetVConnection::NetVConnection()
-  : VConnection(nullptr),
+  : AnnotatedVConnection(nullptr),
     attributes(0),
     thread(nullptr),
     got_local_addr(0),
diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index ac1cd51..797a689 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -230,14 +230,14 @@ public:
     switch (this->sslHandshakeHookState) {
     case HANDSHAKE_HOOKS_PRE:
     case HANDSHAKE_HOOKS_PRE_INVOKE:
-      if (eventId == TS_EVENT_VCONN_PRE_ACCEPT) {
+      if (eventId == TS_EVENT_VCONN_START) {
         if (curHook) {
           retval = true;
         }
       }
       break;
     case HANDSHAKE_HOOKS_SNI:
-      if (eventId == TS_EVENT_VCONN_PRE_ACCEPT) {
+      if (eventId == TS_EVENT_VCONN_START) {
         retval = true;
       } else if (eventId == TS_EVENT_SSL_SERVERNAME) {
         if (curHook) {
@@ -247,7 +247,7 @@ public:
       break;
     case HANDSHAKE_HOOKS_CERT:
     case HANDSHAKE_HOOKS_CERT_INVOKE:
-      if (eventId == TS_EVENT_VCONN_PRE_ACCEPT || eventId == TS_EVENT_SSL_SERVERNAME) {
+      if (eventId == TS_EVENT_VCONN_START || eventId == TS_EVENT_SSL_SERVERNAME) {
         retval = true;
       } else if (eventId == TS_EVENT_SSL_CERT) {
         if (curHook) {
@@ -257,7 +257,7 @@ public:
       break;
     case HANDSHAKE_HOOKS_CLIENT_CERT:
     case HANDSHAKE_HOOKS_CLIENT_CERT_INVOKE:
-      if (eventId == TS_EVENT_SSL_VERIFY_CLIENT || eventId == TS_EVENT_VCONN_PRE_ACCEPT)
{
+      if (eventId == TS_EVENT_SSL_VERIFY_CLIENT || eventId == TS_EVENT_VCONN_START) {
         retval = true;
       }
       break;
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 0bd0bc3..7e1b169 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -122,11 +122,16 @@ public:
        )
   {
     EThread *eth = this_ethread();
-    MUTEX_TRY_LOCK(lock, target->mutex, eth);
-    if (lock.is_locked()) {
+    if (!target->mutex) {
+      // If there's no mutex, plugin doesn't care about locking so why should we?
       target->handleEvent(eventId, edata);
     } else {
-      eventProcessor.schedule_imm(new ContWrapper(mutex, target, eventId, edata), ET_NET);
+      MUTEX_TRY_LOCK(lock, target->mutex, eth);
+      if (lock.is_locked()) {
+        target->handleEvent(eventId, edata);
+      } else {
+        eventProcessor.schedule_imm(new ContWrapper(mutex, target, eventId, edata), ET_NET);
+      }
     }
   }
 
@@ -820,6 +825,7 @@ void
 SSLNetVConnection::do_io_close(int lerrno)
 {
   if (this->ssl != nullptr && sslHandShakeComplete) {
+    callHooks(TS_EVENT_VCONN_CLOSE);
     int shutdown_mode = SSL_get_shutdown(ssl);
     Debug("ssl-shutdown", "previous shutdown state 0x%x", shutdown_mode);
     int new_shutdown_mode = shutdown_mode | SSL_RECEIVED_SHUTDOWN;
@@ -1042,7 +1048,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
   if (sslHandshakeHookState == HANDSHAKE_HOOKS_PRE) {
     if (!curHook) {
       Debug("ssl", "Initialize preaccept curHook from NULL");
-      curHook = ssl_hooks->get(TS_VCONN_PRE_ACCEPT_INTERNAL_HOOK);
+      curHook = ssl_hooks->get(TS_VCONN_START_INTERNAL_HOOK);
     } else {
       curHook = curHook->next();
     }
@@ -1051,7 +1057,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
       sslHandshakeHookState = HANDSHAKE_HOOKS_SNI;
     } else {
       sslHandshakeHookState = HANDSHAKE_HOOKS_PRE_INVOKE;
-      ContWrapper::wrap(nh->mutex.get(), curHook->m_cont, TS_EVENT_VCONN_PRE_ACCEPT,
this);
+      ContWrapper::wrap(nh->mutex.get(), curHook->m_cont, TS_EVENT_VCONN_START, this);
       return SSL_WAIT_FOR_HOOK;
     }
   }
@@ -1470,7 +1476,7 @@ SSLNetVConnection::reenable(NetHandler *nh)
     } else if (sslHandshakeHookState == HANDSHAKE_HOOKS_PRE) {
       Debug("ssl", "Reenable preaccept");
       sslHandshakeHookState = HANDSHAKE_HOOKS_PRE_INVOKE;
-      ContWrapper::wrap(nh->mutex.get(), curHook->m_cont, TS_EVENT_VCONN_PRE_ACCEPT,
this);
+      ContWrapper::wrap(nh->mutex.get(), curHook->m_cont, TS_EVENT_VCONN_START, this);
     }
     return;
   } else {
@@ -1518,7 +1524,7 @@ SSLNetVConnection::callHooks(TSEvent eventId)
 {
   // Only dealing with the SNI/CERT hook so far.
   ink_assert(eventId == TS_EVENT_SSL_CERT || eventId == TS_EVENT_SSL_SERVERNAME || eventId
== TS_EVENT_SSL_SERVER_VERIFY_HOOK ||
-             eventId == TS_EVENT_SSL_VERIFY_CLIENT);
+             eventId == TS_EVENT_SSL_VERIFY_CLIENT || eventId == TS_EVENT_VCONN_CLOSE);
   Debug("ssl", "callHooks sslHandshakeHookState=%d", this->sslHandshakeHookState);
 
   // Move state if it is appropriate
@@ -1579,6 +1585,11 @@ SSLNetVConnection::callHooks(TSEvent eventId)
     } else {
       curHook = curHook->next();
     }
+  // fallthrough
+  case HANDSHAKE_HOOKS_DONE:
+    if (eventId == TS_EVENT_VCONN_CLOSE) {
+      curHook = ssl_hooks->get(TS_VCONN_CLOSE_INTERNAL_HOOK);
+    }
     break;
   default:
     curHook                     = nullptr;
diff --git a/lib/ts/apidefs.h.in b/lib/ts/apidefs.h.in
index a035812..164dc95 100644
--- a/lib/ts/apidefs.h.in
+++ b/lib/ts/apidefs.h.in
@@ -257,9 +257,9 @@ typedef enum {
 
     The two transform hooks can ONLY be added as transaction hooks.
 
-    TS_VCONN_PRE_ACCEPT_HOOK - Called before the SSL hand
-    shake starts.  No handshake data has been read or sent (from the
-    proxy) at this point
+    TS_VCONN_START_HOOK - called just after the connection is created,
+    before other activity such as I/O or TLS handshakes  No handshake
+    data has been read or sent (from the proxy) at this point
 
     TS_HTTP_LAST_HOOK _must_ be the last element. Only right place
     to insert a new element is just before TS_HTTP_LAST_HOOK.
@@ -286,7 +286,9 @@ typedef enum {
   // Putting the SSL hooks in the same enum space
   // So both sets of hooks can be set by the same Hook function
   TS_SSL_FIRST_HOOK,
-  TS_VCONN_PRE_ACCEPT_HOOK = TS_SSL_FIRST_HOOK,
+  TS_VCONN_START_HOOK = TS_SSL_FIRST_HOOK,
+  TS_VCONN_PRE_ACCEPT_HOOK = TS_VCONN_START_HOOK, // Deprecated but compatible for now.
+  TS_VCONN_CLOSE_HOOK,
   TS_SSL_SNI_HOOK,
   TS_SSL_CERT_HOOK = TS_SSL_SNI_HOOK,
   TS_SSL_SERVERNAME_HOOK,
@@ -294,7 +296,7 @@ typedef enum {
   TS_SSL_VERIFY_CLIENT_HOOK,
   TS_SSL_SESSION_HOOK,
   TS_SSL_LAST_HOOK = TS_SSL_SESSION_HOOK,
-  TS_HTTP_REQUEST_BUFFER_READ_COMPLETE_HOOK = 23,
+  TS_HTTP_REQUEST_BUFFER_READ_COMPLETE_HOOK = 24,
   TS_HTTP_LAST_HOOK
 } TSHttpHookID;
 
@@ -451,7 +453,9 @@ typedef enum {
   TS_EVENT_LIFECYCLE_CACHE_READY                = 60020,
   TS_EVENT_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED = 60021,
   TS_EVENT_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED = 60022,
-  TS_EVENT_VCONN_PRE_ACCEPT                     = 60023,
+  TS_EVENT_VCONN_START                          = 60023,
+  TS_EVENT_VCONN_PRE_ACCEPT                     = TS_EVENT_VCONN_START, // Deprecated but
still compatible
+  TS_EVENT_VCONN_CLOSE                          = 60026,
   TS_EVENT_LIFECYCLE_MSG                        = 60024,
   TS_EVENT_HTTP_REQUEST_BUFFER_COMPLETE         = 60025,
   TS_EVENT_MGMT_UPDATE                          = 60100,
diff --git a/plugins/experimental/ssl_cert_loader/ssl-cert-loader.cc b/plugins/experimental/ssl_cert_loader/ssl-cert-loader.cc
index c3aacff..9108485 100644
--- a/plugins/experimental/ssl_cert_loader/ssl-cert-loader.cc
+++ b/plugins/experimental/ssl_cert_loader/ssl-cert-loader.cc
@@ -391,7 +391,7 @@ CB_Pre_Accept(TSCont /*contp*/, TSEvent event, void *edata)
   char buff2[INET6_ADDRSTRLEN];
 
   TSDebug(PN, "Pre accept callback %p - event is %s, target address %s, client address %s",
ssl_vc,
-          event == TS_EVENT_VCONN_PRE_ACCEPT ? "good" : "bad", ip.toString(buff, sizeof(buff)),
+          event == TS_EVENT_VCONN_START ? "good" : "bad", ip.toString(buff, sizeof(buff)),
           ip_client.toString(buff2, sizeof(buff2)));
 
   // Is there a cert already defined for this IP?
@@ -534,7 +534,7 @@ TSPluginInit(int argc, const char *argv[])
     TSError(PCP "Failed to create SNI callback");
   } else {
     TSLifecycleHookAdd(TS_LIFECYCLE_PORTS_INITIALIZED_HOOK, cb_lc);
-    TSHttpHookAdd(TS_VCONN_PRE_ACCEPT_HOOK, cb_pa);
+    TSHttpHookAdd(TS_VCONN_START_HOOK, cb_pa);
     TSHttpHookAdd(TS_SSL_SNI_HOOK, cb_sni);
     success = true;
   }
diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc
index 77c7b03..7b79473 100644
--- a/proxy/InkAPI.cc
+++ b/proxy/InkAPI.cc
@@ -97,9 +97,10 @@ static std::type_info const &TYPE_INFO_MGMT_FLOAT = typeid(MgmtFloat);
 struct UserArg {
   /// Types of user args.
   enum Type {
-    TXN,  ///< Transaction based.
-    SSN,  ///< Session based
-    COUNT ///< Fake enum, # of valid entries.
+    TXN,   ///< Transaction based.
+    SSN,   ///< Session based
+    VCONN, ///< VConnection based
+    COUNT  ///< Fake enum, # of valid entries.
   };
 
   std::string name;        ///< Name of reserving plugin.
@@ -5929,9 +5930,10 @@ TSHttpArgIndexReserve(UserArg::Type type, const char *name, const char
*descript
   sdk_assert(sdk_sanity_check_null_ptr(name) == TS_SUCCESS);
   sdk_assert(0 <= type && type < UserArg::Type::COUNT);
 
-  int idx = UserArgIdx[type]++;
+  int idx   = UserArgIdx[type]++;
+  int limit = (type == UserArg::Type::VCONN) ? TS_VCONN_MAX_USER_ARG : TS_HTTP_MAX_USER_ARG;
 
-  if (idx < TS_HTTP_MAX_USER_ARG) {
+  if (idx < limit) {
     UserArg &arg(UserArgTable[type][idx]);
     arg.name = name;
     if (description)
@@ -6018,6 +6020,24 @@ TSHttpSsnArgIndexNameLookup(const char *name, int *arg_idx, const char
**descrip
   return TSHttpArgIndexNameLookup(UserArg::SSN, name, arg_idx, description);
 }
 
+TSReturnCode
+TSVConnArgIndexReserve(const char *name, const char *description, int *arg_idx)
+{
+  return TSHttpArgIndexReserve(UserArg::VCONN, name, description, arg_idx);
+}
+
+TSReturnCode
+TSVConnArgIndexLookup(int arg_idx, const char **name, const char **description)
+{
+  return TSHttpArgIndexLookup(UserArg::VCONN, arg_idx, name, description);
+}
+
+TSReturnCode
+TSVConnArgIndexNameLookup(const char *name, int *arg_idx, const char **description)
+{
+  return TSHttpArgIndexNameLookup(UserArg::VCONN, name, arg_idx, description);
+}
+
 void
 TSHttpTxnArgSet(TSHttpTxn txnp, int arg_idx, void *arg)
 {
@@ -6060,6 +6080,25 @@ TSHttpSsnArgGet(TSHttpSsn ssnp, int arg_idx)
 }
 
 void
+TSVConnArgSet(TSVConn connp, int arg_idx, void *arg)
+{
+  sdk_assert(sdk_sanity_check_iocore_structure(connp) == TS_SUCCESS);
+  sdk_assert(arg_idx >= 0 && arg_idx < TS_VCONN_MAX_USER_ARG);
+  AnnotatedVConnection *avc = reinterpret_cast<AnnotatedVConnection *>(connp);
+  avc->set_user_arg(arg_idx, arg);
+}
+
+void *
+TSVConnArgGet(TSVConn connp, int arg_idx)
+{
+  sdk_assert(sdk_sanity_check_iocore_structure(connp) == TS_SUCCESS);
+  sdk_assert(arg_idx >= 0 && arg_idx < TS_VCONN_MAX_USER_ARG);
+
+  AnnotatedVConnection *avc = reinterpret_cast<AnnotatedVConnection *>(connp);
+  return avc->get_user_arg(arg_idx);
+}
+
+void
 TSHttpTxnSetHttpRetStatus(TSHttpTxn txnp, TSHttpStatus http_retstatus)
 {
   sdk_assert(sdk_sanity_check_txn(txnp) == TS_SUCCESS);
diff --git a/proxy/InkAPIInternal.h b/proxy/InkAPIInternal.h
index 34c23be..4b2e58d 100644
--- a/proxy/InkAPIInternal.h
+++ b/proxy/InkAPIInternal.h
@@ -278,7 +278,8 @@ class HttpAPIHooks : public FeatureAPIHooks<TSHttpHookID, TS_HTTP_LAST_HOOK>
 
 typedef enum {
   TS_SSL_INTERNAL_FIRST_HOOK,
-  TS_VCONN_PRE_ACCEPT_INTERNAL_HOOK = TS_SSL_INTERNAL_FIRST_HOOK,
+  TS_VCONN_START_INTERNAL_HOOK = TS_SSL_INTERNAL_FIRST_HOOK,
+  TS_VCONN_CLOSE_INTERNAL_HOOK,
   TS_SSL_CERT_INTERNAL_HOOK,
   TS_SSL_SERVERNAME_INTERNAL_HOOK,
   TS_SSL_SERVER_VERIFY_INTERNAL_HOOK,
diff --git a/proxy/InkAPITest.cc b/proxy/InkAPITest.cc
index 8bcdae8..00b79b9 100644
--- a/proxy/InkAPITest.cc
+++ b/proxy/InkAPITest.cc
@@ -5540,14 +5540,15 @@ typedef enum {
   ORIG_TS_HTTP_POST_REMAP_HOOK,
   ORIG_TS_HTTP_RESPONSE_CLIENT_HOOK,
   ORIG_TS_SSL_FIRST_HOOK,
-  ORIG_TS_VCONN_PRE_ACCEPT_HOOK = ORIG_TS_SSL_FIRST_HOOK,
+  ORIG_TS_VCONN_START_HOOK = ORIG_TS_SSL_FIRST_HOOK,
+  ORIG_TS_VCONN_CLOSE_HOOK,
   ORIG_TS_SSL_SNI_HOOK,
   ORIG_TS_SSL_SERVERNAME_HOOK,
   ORIG_TS_SSL_SERVER_VERIFY_HOOK,
   ORIG_TS_SSL_VERIFY_CLIENT_HOOK,
   ORIG_TS_SSL_SESSION_HOOK,
   ORIG_TS_SSL_LAST_HOOK                          = ORIG_TS_SSL_SESSION_HOOK,
-  ORIG_TS_HTTP_REQUEST_BUFFER_READ_COMPLETE_HOOK = 23,
+  ORIG_TS_HTTP_REQUEST_BUFFER_READ_COMPLETE_HOOK = 24,
   ORIG_TS_HTTP_LAST_HOOK
 } ORIG_TSHttpHookID;
 
diff --git a/proxy/api/ts/ts.h b/proxy/api/ts/ts.h
index 2f07c64..1d6314f 100644
--- a/proxy/api/ts/ts.h
+++ b/proxy/api/ts/ts.h
@@ -1529,6 +1529,8 @@ tsapi void TSHttpTxnArgSet(TSHttpTxn txnp, int arg_idx, void *arg);
 tsapi void *TSHttpTxnArgGet(TSHttpTxn txnp, int arg_idx);
 tsapi void TSHttpSsnArgSet(TSHttpSsn ssnp, int arg_idx, void *arg);
 tsapi void *TSHttpSsnArgGet(TSHttpSsn ssnp, int arg_idx);
+tsapi void TSVConnArgSet(TSVConn connp, int arg_idx, void *arg);
+tsapi void *TSVConnArgGet(TSVConn connp, int arg_idx);
 
 /* The reserve API should only be use in TSAPI plugins, during plugin initialization! */
 /* The lookup methods can be used anytime, but are best used during initialization as well,
@@ -1539,6 +1541,9 @@ tsapi TSReturnCode TSHttpTxnArgIndexLookup(int arg_idx, const char **name,
const
 tsapi TSReturnCode TSHttpSsnArgIndexReserve(const char *name, const char *description, int
*arg_idx);
 tsapi TSReturnCode TSHttpSsnArgIndexNameLookup(const char *name, int *arg_idx, const char
**description);
 tsapi TSReturnCode TSHttpSsnArgIndexLookup(int arg_idx, const char **name, const char **description);
+tsapi TSReturnCode TSVConnArgIndexReserve(const char *name, const char *description, int
*arg_idx);
+tsapi TSReturnCode TSVConnArgIndexNameLookup(const char *name, int *arg_idx, const char **description);
+tsapi TSReturnCode TSVConnArgIndexLookup(int arg_idx, const char **name, const char **description);
 
 /* ToDo: This is a leftover from olden days, can we eliminate? */
 tsapi void TSHttpTxnSetHttpRetStatus(TSHttpTxn txnp, TSHttpStatus http_retstatus);
diff --git a/proxy/http/HttpDebugNames.cc b/proxy/http/HttpDebugNames.cc
index cfb5012..8937eb6 100644
--- a/proxy/http/HttpDebugNames.cc
+++ b/proxy/http/HttpDebugNames.cc
@@ -460,8 +460,10 @@ HttpDebugNames::get_api_hook_name(TSHttpHookID t)
     return "TS_HTTP_RESPONSE_CLIENT_HOOK";
   case TS_HTTP_LAST_HOOK:
     return "TS_HTTP_LAST_HOOK";
-  case TS_VCONN_PRE_ACCEPT_HOOK:
-    return "TS_VCONN_PRE_ACCEPT_HOOK";
+  case TS_VCONN_START_HOOK:
+    return "TS_VCONN_START_HOOK";
+  case TS_VCONN_CLOSE_HOOK:
+    return "TS_VCONN_CLOSE_HOOK";
   case TS_SSL_CERT_HOOK:
     return "TS_SSL_CERT_HOOK";
   case TS_SSL_SERVERNAME_HOOK:
diff --git a/tests/tools/plugins/ssl_hook_test.cc b/tests/tools/plugins/ssl_hook_test.cc
index e8ae055..7321b9c 100644
--- a/tests/tools/plugins/ssl_hook_test.cc
+++ b/tests/tools/plugins/ssl_hook_test.cc
@@ -51,7 +51,7 @@ CB_Pre_Accept(TSCont cont, TSEvent event, void *edata)
 
   int count = reinterpret_cast<intptr_t>(TSContDataGet(cont));
 
-  TSDebug(PN, "Pre accept callback %d %p - event is %s", count, ssl_vc, event == TS_EVENT_VCONN_PRE_ACCEPT
? "good" : "bad");
+  TSDebug(PN, "Pre accept callback %d %p - event is %s", count, ssl_vc, event == TS_EVENT_VCONN_START
? "good" : "bad");
 
   // All done, reactivate things
   TSVConnReenable(ssl_vc);
@@ -65,7 +65,7 @@ CB_Pre_Accept_Delay(TSCont cont, TSEvent event, void *edata)
 
   int count = reinterpret_cast<intptr_t>(TSContDataGet(cont));
 
-  TSDebug(PN, "Pre accept delay callback %d %p - event is %s", count, ssl_vc, event == TS_EVENT_VCONN_PRE_ACCEPT
? "good" : "bad");
+  TSDebug(PN, "Pre accept delay callback %d %p - event is %s", count, ssl_vc, event == TS_EVENT_VCONN_START
? "good" : "bad");
 
   TSCont cb = TSContCreate(&ReenableSSL, TSMutexCreate());
 
@@ -180,18 +180,18 @@ setup_callbacks(TSHttpTxn txn, int preaccept_count, int sni_count, int
cert_coun
     cb = TSContCreate(&CB_Pre_Accept, TSMutexCreate());
     TSContDataSet(cb, (void *)(intptr_t)i);
     if (txn) {
-      TSHttpTxnHookAdd(txn, TS_VCONN_PRE_ACCEPT_HOOK, cb);
+      TSHttpTxnHookAdd(txn, TS_VCONN_START_HOOK, cb);
     } else {
-      TSHttpHookAdd(TS_VCONN_PRE_ACCEPT_HOOK, cb);
+      TSHttpHookAdd(TS_VCONN_START_HOOK, cb);
     }
   }
   for (i = 0; i < preaccept_count_delay; i++) {
     cb = TSContCreate(&CB_Pre_Accept_Delay, TSMutexCreate());
     TSContDataSet(cb, (void *)(intptr_t)i);
     if (txn) {
-      TSHttpTxnHookAdd(txn, TS_VCONN_PRE_ACCEPT_HOOK, cb);
+      TSHttpTxnHookAdd(txn, TS_VCONN_START_HOOK, cb);
     } else {
-      TSHttpHookAdd(TS_VCONN_PRE_ACCEPT_HOOK, cb);
+      TSHttpHookAdd(TS_VCONN_START_HOOK, cb);
     }
   }
   for (i = 0; i < sni_count; i++) {

-- 
To stop receiving notification emails like this one, please contact
amc@apache.org.

Mime
View raw message