Bug 238739 - www/nginx www/nginx-devel: add support for FreeBSD accept filters
Summary: www/nginx www/nginx-devel: add support for FreeBSD accept filters
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Jochen Neumeister
Reported: 2019-06-21 08:53 UTC by Jeremy Chadwick
Modified: 2019-06-21 10:28 UTC
bugzilla: maintainer-feedback? (joneum)


Attachments
nginx.in diff (for both www/nginx and www/nginx-devel) (2.49 KB, patch)
2019-06-21 08:53 UTC, Jeremy Chadwick
nginx.in diff (for both www/nginx and www/nginx-devel) (2.59 KB, patch)
2019-06-21 09:24 UTC, Jeremy Chadwick

Description Jeremy Chadwick 2019-06-21 08:53:51 UTC
Created attachment 205253
nginx.in diff (for both www/nginx and www/nginx-devel)

I noticed that nginx's rc.d script had no support for loading accf_http.ko and accf_data.ko kernel modules (see accf_http(9) and accf_data(9)) dynamically at start.

nginx can use these via the "accept_filter=xxx" argument in the "listen" directive.  Reference: http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

Attached is an svn diff/patch for www/{nginx,nginx-devel}/files/nginx.in that adds loading of this module when nginx_http_accept_enable="yes" in rc.conf.  It is based on www/apache24/files/apache24.in which has worked for literally decades.

I did not add the "eval" line supporting this shim via nginx profiles because I don't use/understand them.  But it should be a single line if needed.

Note: testing this was annoying because for whatever reason on stable/11, once accf_http.ko and accf_data.ko are loaded, they cannot be unloaded (Operation not permitted, even when kern.securelevel == -1, no processes using the filters are even running nor any lingering TCP sessions in TIME_WAIT or other states).  Just something to be aware of.

Thanks.
Comment 1 Jeremy Chadwick 2019-06-21 08:55:15 UTC
Adding osa@ (www/nginx-devel maintainer).
Comment 2 Jeremy Chadwick 2019-06-21 09:24:12 UTC
Created attachment 205256
nginx.in diff (for both www/nginx and www/nginx-devel)

Updated patch to make use of rc.subr's required_modules and thus load_kld; cleaner and more standardised.  This method was partially based on /etc/rc.d/ipfw.  Testing showed this does work properly.

Also moved the checkyesno conditional *before* nginx_checkconfig, since I'm not sure if nginx -t would test to see if a valid accept_filter was available or not; maybe that's only done at runtime/without -t?
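
Added example (not part of the bug report or the attached patch): a pre-flight check that reads an nginx configuration and lists which accept-filter kernel modules its "listen" directives require, so a missing module can be caught before the daemon starts. The function names and the sample configuration are hypothetical; the mapping assumed is httpready -> accf_http and dataready -> accf_data.

```shell
#!/bin/sh
# Constructed sample config (not taken from the bug report).
SAMPLE_CONF='
http {
    server { listen 80 accept_filter=httpready; }
    # server { listen 8080 accept_filter=dataready; }   commented out
    server { listen 443 ssl accept_filter=dataready; listen [::]:443 ssl
             accept_filter=dataready; }
    server { listen 8443 accept_filter=bogus; }
}'

# Print each distinct accept_filter value used by a listen directive (stdin).
# Comment stripping is naive: a "#" inside a quoted string is not handled.
accf_filters_in_conf() {
    sed 's/#.*$//' |        # drop comments
    tr '\n' ' ' |           # join directives that span several lines
    tr '{};' '\n\n\n' |     # then one directive per line
    awk '$1 == "listen" {
        for (i = 2; i <= NF; i++)
            if (sub(/^accept_filter=/, "", $i)) print $i
    }' |
    sort -u
}

# Map a filter name to the kernel module providing it: accf_http(9), accf_data(9).
accf_module_for() {
    case "$1" in
        httpready) echo accf_http ;;
        dataready) echo accf_data ;;
        *) return 1 ;;
    esac
}

# Print the modules the config on stdin needs; return 1 on an unknown filter.
accf_required_modules() {
    mods="" rc=0
    for f in $(accf_filters_in_conf); do
        if m=$(accf_module_for "$f"); then
            mods="$mods $m"
        else
            echo "unknown accept_filter: $f" >&2; rc=1
        fi
    done
    [ -n "$mods" ] && printf '%s\n' $mods | sort -u   # unquoted: split on spaces
    return $rc
}

printf '%s\n' "$SAMPLE_CONF" | accf_required_modules ||
    echo "config names a filter with no known module" >&2
```

The printed module names can be compared against what is loaded on the host; a non-zero exit status means the configuration names a filter this mapping does not know.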