[management,proxy,client] Add L4 capabilities (TLS/TCP/UDP) (#5530)

2026-04-19 16:56:39 +00:00 · 2026-03-14 01:36:44 +08:00
parent fe9b844511
commit 3e6baea405
90 changed files with 9611 additions and 1397 deletions
--- a/proxy/internal/tcp/bench_test.go
+++ b/proxy/internal/tcp/bench_test.go
@@ -0,0 +1,133 @@
+package tcp
+
+import (
+	"bytes"
+	"crypto/tls"
+	"io"
+	"net"
+	"testing"
+)
+
+// BenchmarkPeekClientHello_TLS measures the overhead of peeking at a real
+// TLS ClientHello and extracting the SNI. This is the per-connection cost
+// added to every TLS connection on the main listener.
+func BenchmarkPeekClientHello_TLS(b *testing.B) {
+	// Pre-generate a ClientHello by capturing what crypto/tls sends.
+	clientConn, serverConn := net.Pipe()
+	go func() {
+		tlsConn := tls.Client(clientConn, &tls.Config{
+			ServerName:         "app.example.com",
+			InsecureSkipVerify: true, //nolint:gosec
+		})
+		_ = tlsConn.Handshake()
+	}()
+
+	var hello []byte
+	buf := make([]byte, 16384)
+	n, _ := serverConn.Read(buf)
+	hello = make([]byte, n)
+	copy(hello, buf[:n])
+	clientConn.Close()
+	serverConn.Close()
+
+	b.ResetTimer()
+	b.ReportAllocs()
+
+	for b.Loop() {
+		r := bytes.NewReader(hello)
+		conn := &readerConn{Reader: r}
+		sni, wrapped, err := PeekClientHello(conn)
+		if err != nil {
+			b.Fatal(err)
+		}
+		if sni != "app.example.com" {
+			b.Fatalf("unexpected SNI: %q", sni)
+		}
+		// Simulate draining the peeked bytes (what the HTTP server would do).
+		_, _ = io.Copy(io.Discard, wrapped)
+	}
+}
+
+// BenchmarkPeekClientHello_NonTLS measures peek overhead for non-TLS
+// connections that hit the fast non-handshake exit path.
+func BenchmarkPeekClientHello_NonTLS(b *testing.B) {
+	httpReq := []byte("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
+
+	b.ResetTimer()
+	b.ReportAllocs()
+
+	for b.Loop() {
+		r := bytes.NewReader(httpReq)
+		conn := &readerConn{Reader: r}
+		_, wrapped, err := PeekClientHello(conn)
+		if err != nil {
+			b.Fatal(err)
+		}
+		_, _ = io.Copy(io.Discard, wrapped)
+	}
+}
+
+// BenchmarkPeekedConn_Read measures the read overhead of the peekedConn
+// wrapper compared to a plain connection read. The peeked bytes use
+// io.MultiReader which adds one indirection per Read call.
+func BenchmarkPeekedConn_Read(b *testing.B) {
+	data := make([]byte, 4096)
+	peeked := make([]byte, 512)
+	buf := make([]byte, 1024)
+
+	b.ResetTimer()
+	b.ReportAllocs()
+
+	for b.Loop() {
+		r := bytes.NewReader(data)
+		conn := &readerConn{Reader: r}
+		pc := newPeekedConn(conn, peeked)
+		for {
+			_, err := pc.Read(buf)
+			if err != nil {
+				break
+			}
+		}
+	}
+}
+
+// BenchmarkExtractSNI measures just the in-memory SNI parsing cost,
+// excluding I/O.
+func BenchmarkExtractSNI(b *testing.B) {
+	clientConn, serverConn := net.Pipe()
+	go func() {
+		tlsConn := tls.Client(clientConn, &tls.Config{
+			ServerName:         "app.example.com",
+			InsecureSkipVerify: true, //nolint:gosec
+		})
+		_ = tlsConn.Handshake()
+	}()
+
+	buf := make([]byte, 16384)
+	n, _ := serverConn.Read(buf)
+	payload := make([]byte, n-tlsRecordHeaderLen)
+	copy(payload, buf[tlsRecordHeaderLen:n])
+	clientConn.Close()
+	serverConn.Close()
+
+	b.ResetTimer()
+	b.ReportAllocs()
+
+	for b.Loop() {
+		sni := extractSNI(payload)
+		if sni != "app.example.com" {
+			b.Fatalf("unexpected SNI: %q", sni)
+		}
+	}
+}
+
+// readerConn wraps an io.Reader as a net.Conn for benchmarking.
+// Only Read is functional; all other methods are no-ops.
+type readerConn struct {
+	io.Reader
+	net.Conn
+}
+
+func (c *readerConn) Read(b []byte) (int, error) {
+	return c.Reader.Read(b)
+}