.\"
.\" Copyright (c) 2024 Gleb Smirnoff <glebius@FreeBSD.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd April 24, 2024
.Dt ACCF_TLS 9
.Os
.Sh NAME
.Nm accf_tls
.Nd "buffer incoming connections until a TLS handshake-like request arrives"
.Sh SYNOPSIS
.Cd options INET
.Cd options ACCEPT_FILTER_TLS
.Pp
In
.Xr rc.conf 5 :
.Cd kld_list="accf_tls"
.Sh DESCRIPTION
This is a filter to be placed on a socket that will be using
.Xr accept 2
to receive incoming HTTPS connections.
It prevents the application from receiving the connected descriptor via
.Xr accept 2
until a full TLS handshake has been buffered by the kernel.
The
.Nm
filter will first check that the byte at offset 0 is
.Va 0x16 ,
which is the TLS record content type for a handshake.
Then it will read the 2-byte record length value at offset 3 and will
continue reading until the entire handshake record has been buffered.
If something other than
.Va 0x16
is at offset 0, the kernel will allow the application to receive the
connection descriptor via
.Xr accept 2 .
.Pp
The utility of
.Nm
is such that a server will not have to context switch several times
before performing the initial parsing of the request.
This effectively reduces the amount of CPU required
to handle incoming requests by keeping the number of active
processes in preforking servers such as Apache low
and reducing the size of the file descriptor set that needs
to be managed by
.Fn select ,
.Fn poll
or
.Fn kevent
based servers.
.Sh EXAMPLES
Assuming ACCEPT_FILTER_TLS has been included in the kernel config
file or the
.Nm
module has been loaded, this will enable the TLS accept filter
on the socket
.Fa sok .
.Bd -literal -offset 0i
	struct accept_filter_arg afa;

	bzero(&afa, sizeof(afa));
	strcpy(afa.af_name, "tlsready");
	setsockopt(sok, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa));
.Ed
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr accept_filter 9
.Sh HISTORY
The
.Nm
accept filter was introduced in
.Fx 15.0 .
.Sh AUTHORS
The
.Nm
filter was written by
.An Maksim Yevmenkin .
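Added example, not part of this manual page or of the accf_tls module source: a userland model in C of the decision the DESCRIPTION describes (content type 0x16 at offset 0, 2-byte big-endian length at offset 3, release once the whole record is buffered). The function name accf_tls_check, the verdict enum and the sample byte strings are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_CT_HANDSHAKE 0x16  /* content type the filter expects at offset 0 */
#define TLS_HDR_LEN      5     /* type(1) + version(2) + length(2) */

enum accf_verdict {
	ACCF_PASS,   /* not a TLS handshake: let accept(2) return now */
	ACCF_WAIT,   /* handshake record header seen, body incomplete */
	ACCF_READY   /* whole record buffered: release to accept(2) */
};

/*
 * Model (assumption of this example, not the kernel module's code) of the
 * filter's decision over the bytes buffered so far.  The record length is
 * the big-endian 16-bit value at offset 3, as the DESCRIPTION states.
 */
enum accf_verdict
accf_tls_check(const uint8_t *buf, size_t len)
{
	size_t reclen;

	if (len == 0)
		return (ACCF_WAIT);
	if (buf[0] != TLS_CT_HANDSHAKE)
		return (ACCF_PASS);   /* e.g. plaintext HTTP sent to the TLS port */
	if (len < TLS_HDR_LEN)
		return (ACCF_WAIT);
	reclen = ((size_t)buf[3] << 8) | buf[4];
	return (len >= TLS_HDR_LEN + reclen ? ACCF_READY : ACCF_WAIT);
}

/* Constructed samples: a tiny complete handshake record (3-byte body) and
 * a plaintext request that the filter should pass through untouched. */
static const uint8_t tls_rec[] = { 0x16, 0x03, 0x01, 0x00, 0x03, 0x01, 0x02, 0x03 };
static const uint8_t http_req[] = "GET / HTTP/1.0\r\n";

int
main(void)
{
	printf("full record: %d\n", accf_tls_check(tls_rec, sizeof(tls_rec)));
	printf("header only: %d\n", accf_tls_check(tls_rec, TLS_HDR_LEN));
	printf("plain HTTP:  %d\n", accf_tls_check(http_req, sizeof(http_req) - 1));
	return (0);
}
```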