Add 14 metrics for TCP connections created for tunnels.

Add current and total metrics for TCP connetions towards clients for blind TCP tunnels, and TLS tunnel, forward,
and partial blind tunnel SNI-based tunnels.

Add current and total metrics for TCP connetions towards servers, for blind TCP tunnels and TLS tunnels.  Only
partial blind tunnel SNI-based tunnels are counted as TLS tunnels on the outgoing side, because they are only
SNI-based tunnels where ATS termitates the TLS connection form the client and originates a new one towards the
server.

Author: ywkaras

doc/admin-guide/monitoring/statistics/core/http-connection.en.rst

@@ -164,10 +164,33 @@ HTTP Connection
 
    Counts the number of times current parent or next parent was detected
 
+.. ts:stat:: global proxy.process.tunnel.total_client_connections_blind_tcp integer
+   :type: counter
+
+   Total number of non-TLS TCP connections for tunnels where the far end is the client
+   initiated with an HTTP request (such as a CONNECT or WebSocket request).
+
+.. ts:stat:: global proxy.process.tunnel.current_client_connections_blind_tcp integer
+   :type: counter
+
+   Current number of non-TLS TCP connections for tunnels where the far end is the client
+   initiated with an HTTP request (such as a CONNECT or WebSocket request).
+
+.. ts:stat:: global proxy.process.tunnel.total_server_connections_blind_tcp integer
+   :type: counter
+
+   Total number of TCP connections for tunnels where the far end is the server,
+   except for those counted by ``proxy.process.tunnel.total_server_connections_tls``
+
+.. ts:stat:: global proxy.process.tunnel.current_server_connections_blind_tcp integer
+   :type: counter
+
+   Current number of TCP connections for tunnels where the far end is the server,
+   except for those counted by ``proxy.process.tunnel.current_server_connections_tls``
+
 HTTP/2
 ------
 
-
 .. ts:stat:: global proxy.process.http2.total_client_connections integer
    :type: counter
 

doc/admin-guide/monitoring/statistics/core/ssl.en.rst

@@ -238,6 +238,66 @@ SSL/TLS
 
    A gauge of current active SNI Routing Tunnels.
 
+.. ts:stat:: global proxy.process.tunnel.total_client_connections_tls_tunnel integer
+   :type: counter
+
+   Total number of TCP connections for TLS tunnels where the far end is the client
+   created based on a ``tunnel_route`` key in a table in the :file:`sni.yaml` file.
+
+.. ts:stat:: global proxy.process.tunnel.current_client_connections_tls_tunnel integer
+   :type: counter
+
+   Current number of TCP connections for TLS tunnels where the far end is the client
+   created based on a ``tunnel_route`` key in a table in the :file:`sni.yaml` file.
+
+.. ts:stat:: global proxy.process.tunnel.total_client_connections_tls_forward integer
+   :type: counter
+
+   Total number of TCP connections for TLS tunnels where the far end is the client
+   created based on a ``forward_route`` key in a table in the :file:`sni.yaml` file.
+
+.. ts:stat:: global proxy.process.tunnel.current_client_connections_tls_forward integer
+   :type: counter
+
+   Current number of TCP connections for TLS tunnels where the far end is the client
+   created based on a ``forward_route`` key in a table in the :file:`sni.yaml` file.
+
+.. ts:stat:: global proxy.process.tunnel.total_client_connections_tls_partial_blind integer
+   :type: counter
+
+   Total number of TCP connections for TLS tunnels where the far end is the client
+   created based on a ``partial_blind_route`` key in a table in the :file:`sni.yaml` file.
+
+.. ts:stat:: global proxy.process.tunnel.current_client_connections_tls_partial_blind integer
+   :type: counter
+
+   Current number of TCP connections for TLS tunnels where the far end is the client
+   created based on a ``partial_blind_route`` key in a table in the :file:`sni.yaml` file.
+
+.. ts:stat:: global proxy.process.tunnel.total_client_connections_tls_http integer
+   :type: counter
+
+   Total number of TLS connections for tunnels where the far end is the client
+   initiated with an HTTP request.
+
+.. ts:stat:: global proxy.process.tunnel.current_client_connections_tls_http integer
+   :type: counter
+
+   Current number of TLS connections for tunnels where the far end is the client
+   initiated with an HTTP request.
+
+.. ts:stat:: global proxy.process.tunnel.total_server_connections_tls integer
+   :type: counter
+
+   Total number of TCP connections for TLS tunnels where the far end is the server
+   created based on a ``partial_blind_route`` key in a table in the :file:`sni.yaml` file.
+
+.. ts:stat:: global proxy.process.tunnel.current_server_connections_tls integer
+   :type: counter
+
+   Current number of TCP connections for TLS tunnels where the far end is the server
+   created based on a ``partial_blind_route`` key in a table in the :file:`sni.yaml` file.
+
 .. _pre-warming-tls-tunnel-stats:
 
 Pre-warming TLS Tunnel

iocore/eventsystem/I_VConnection.h

@@ -362,7 +362,13 @@ class VConnection : public Continuation
     return false;
   }
 
-public:
+  // This function should be called when the VConnection is a tunnel endpoint.  By default, a VConnection does not care if it
+  // is a tunnel endpoint.
+  virtual void
+  make_tunnel_endpoint()
+  {
+  }
+
   /**
     The error code from the last error.
 

iocore/net/Net.cc

@@ -98,13 +98,27 @@ register_net_stats()
   };
 
   const std::pair<const char *, Net_Stats> non_persistent[] = {
-    {"proxy.process.net.accepts_currently_open",              net_accepts_currently_open_stat        },
-    {"proxy.process.net.connections_currently_open",          net_connections_currently_open_stat    },
-    {"proxy.process.net.default_inactivity_timeout_applied",  default_inactivity_timeout_applied_stat},
-    {"proxy.process.net.default_inactivity_timeout_count",    default_inactivity_timeout_count_stat  },
-    {"proxy.process.net.dynamic_keep_alive_timeout_in_count", keep_alive_queue_timeout_count_stat    },
-    {"proxy.process.net.dynamic_keep_alive_timeout_in_total", keep_alive_queue_timeout_total_stat    },
-    {"proxy.process.socks.connections_currently_open",        socks_connections_currently_open_stat  },
+    {"proxy.process.net.accepts_currently_open",                          net_accepts_currently_open_stat                         },
+    {"proxy.process.net.connections_currently_open",                      net_connections_currently_open_stat                     },
+    {"proxy.process.net.default_inactivity_timeout_applied",              default_inactivity_timeout_applied_stat                 },
+    {"proxy.process.net.default_inactivity_timeout_count",                default_inactivity_timeout_count_stat                   },
+    {"proxy.process.net.dynamic_keep_alive_timeout_in_count",             keep_alive_queue_timeout_count_stat                     },
+    {"proxy.process.net.dynamic_keep_alive_timeout_in_total",             keep_alive_queue_timeout_total_stat                     },
+    {"proxy.process.socks.connections_currently_open",                    socks_connections_currently_open_stat                   },
+    {"proxy.process.tunnel.total_client_connections_blind_tcp",           tunnel_total_client_connections_blind_tcp_stat          },
+    {"proxy.process.tunnel.current_client_connections_blind_tcp",         tunnel_current_client_connections_blind_tcp_stat        },
+    {"proxy.process.tunnel.total_server_connections_blind_tcp",           tunnel_total_server_connections_blind_tcp_stat          },
+    {"proxy.process.tunnel.current_server_connections_blind_tcp",         tunnel_current_server_connections_blind_tcp_stat        },
+    {"proxy.process.tunnel.total_client_connections_tls_tunnel",          tunnel_total_client_connections_tls_tunnel_stat         },
+    {"proxy.process.tunnel.current_client_connections_tls_tunnel",        tunnel_current_client_connections_tls_tunnel_stat       },
+    {"proxy.process.tunnel.total_client_connections_tls_forward",         tunnel_total_client_connections_tls_forward_stat        },
+    {"proxy.process.tunnel.current_client_connections_tls_forward",       tunnel_current_client_connections_tls_forward_stat      },
+    {"proxy.process.tunnel.total_client_connections_tls_partial_blind",   tunnel_total_client_connections_tls_partial_blind_stat  },
+    {"proxy.process.tunnel.current_client_connections_tls_partial_blind", tunnel_current_client_connections_tls_partial_blind_stat},
+    {"proxy.process.tunnel.total_client_connections_tls_http",            tunnel_total_client_connections_tls_http_stat           },
+    {"proxy.process.tunnel.current_client_connections_tls_http",          tunnel_current_client_connections_tls_http_stat         },
+    {"proxy.process.tunnel.total_server_connections_tls",                 tunnel_total_server_connections_tls_stat                },
+    {"proxy.process.tunnel.current_server_connections_tls",               tunnel_current_server_connections_tls_stat              },
   };
 
   for (auto &p : persistent) {
@@ -129,6 +143,20 @@ register_net_stats()
   NET_CLEAR_DYN_STAT(keep_alive_queue_timeout_count_stat);
   NET_CLEAR_DYN_STAT(default_inactivity_timeout_count_stat);
   NET_CLEAR_DYN_STAT(default_inactivity_timeout_applied_stat);
+  NET_CLEAR_DYN_STAT(tunnel_total_client_connections_blind_tcp_stat);
+  NET_CLEAR_DYN_STAT(tunnel_current_client_connections_blind_tcp_stat);
+  NET_CLEAR_DYN_STAT(tunnel_total_server_connections_blind_tcp_stat);
+  NET_CLEAR_DYN_STAT(tunnel_current_server_connections_blind_tcp_stat);
+  NET_CLEAR_DYN_STAT(tunnel_total_client_connections_tls_tunnel_stat);
+  NET_CLEAR_DYN_STAT(tunnel_current_client_connections_tls_tunnel_stat);
+  NET_CLEAR_DYN_STAT(tunnel_total_client_connections_tls_forward_stat);
+  NET_CLEAR_DYN_STAT(tunnel_current_client_connections_tls_forward_stat);
+  NET_CLEAR_DYN_STAT(tunnel_total_client_connections_tls_partial_blind_stat);
+  NET_CLEAR_DYN_STAT(tunnel_current_client_connections_tls_partial_blind_stat);
+  NET_CLEAR_DYN_STAT(tunnel_total_client_connections_tls_http_stat);
+  NET_CLEAR_DYN_STAT(tunnel_current_client_connections_tls_http_stat);
+  NET_CLEAR_DYN_STAT(tunnel_total_server_connections_tls_stat);
+  NET_CLEAR_DYN_STAT(tunnel_current_server_connections_tls_stat);
 
   RecRegisterRawStat(net_rsb, RECT_PROCESS, "proxy.process.tcp.total_accepts", RECD_INT, RECP_NON_PERSISTENT,
                      static_cast<int>(net_tcp_accept_stat), RecRawStatSyncSum);

iocore/net/P_Net.h

@@ -57,6 +57,20 @@ enum Net_Stats {
   net_connections_throttled_in_stat,
   net_connections_throttled_out_stat,
   net_requests_max_throttled_in_stat,
+  tunnel_total_client_connections_blind_tcp_stat,
+  tunnel_current_client_connections_blind_tcp_stat,
+  tunnel_total_server_connections_blind_tcp_stat,
+  tunnel_current_server_connections_blind_tcp_stat,
+  tunnel_total_client_connections_tls_tunnel_stat,
+  tunnel_current_client_connections_tls_tunnel_stat,
+  tunnel_total_server_connections_tls_stat,
+  tunnel_current_server_connections_tls_stat,
+  tunnel_total_client_connections_tls_forward_stat,
+  tunnel_current_client_connections_tls_forward_stat,
+  tunnel_total_client_connections_tls_partial_blind_stat,
+  tunnel_current_client_connections_tls_partial_blind_stat,
+  tunnel_total_client_connections_tls_http_stat,
+  tunnel_current_client_connections_tls_http_stat,
   Net_Stat_Count
 };
 

iocore/net/P_SSLNetVConnection.h

@@ -482,6 +482,9 @@ class SSLNetVConnection : public UnixNetVConnection,
   ssl_error_t _ssl_write_buffer(const void *buf, int64_t nbytes, int64_t &nwritten);
   ssl_error_t _ssl_connect();
   ssl_error_t _ssl_accept();
+
+  void _in_context_tunnel() override;
+  void _out_context_tunnel() override;
 };
 
 typedef int (SSLNetVConnection::*SSLNetVConnHandler)(int, void *);

iocore/net/P_UnixNetVConnection.h

@@ -44,6 +44,8 @@ struct PollDescriptor;
 
 enum tcp_congestion_control_t { CLIENT_SIDE, SERVER_SIDE };
 
+// WARNING:  many or most of the member functions of UnixNetVConnection should only be used when it is instantiated
+// directly.  They should not be used when UnixNetVConnection is a base class.
 class UnixNetVConnection : public NetVConnection, public NetEvent
 {
 public:
@@ -225,9 +227,25 @@ class UnixNetVConnection : public NetVConnection, public NetEvent
 
   friend void write_to_net_io(NetHandler *, UnixNetVConnection *, EThread *);
 
+  // set_context() should be called before calling this member function.
+  void make_tunnel_endpoint() override;
+
+  bool
+  is_tunnel_endpoint() const
+  {
+    return _is_tunnel_endpoint;
+  }
+
 private:
   virtual void *_prepareForMigration();
   virtual NetProcessor *_getNetProcessor();
+  bool _is_tunnel_endpoint{false};
+
+  // Called by make_tunnel_endpiont() when the far end of the TCP connection is the active/client end.
+  virtual void _in_context_tunnel();
+
+  // Called by make_tunnel_endpiont() when the far end of the TCP connection is the passive/server end.
+  virtual void _out_context_tunnel();
 };
 
 extern ClassAllocator<UnixNetVConnection> netVCAllocator;

iocore/net/SSLNetVConnection.cc

@@ -996,6 +996,35 @@ SSLNetVConnection::free(EThread *t)
   }
   con.close();
 
+  if (is_tunnel_endpoint()) {
+    ink_assert(get_context() != NET_VCONNECTION_UNSET);
+
+    int c;
+
+    if (get_context() == NET_VCONNECTION_IN) {
+      switch (get_tunnel_type()) {
+      case SNIRoutingType::BLIND:
+        c = tunnel_current_client_connections_tls_tunnel_stat;
+        break;
+      case SNIRoutingType::FORWARD:
+        c = tunnel_current_client_connections_tls_forward_stat;
+        break;
+      case SNIRoutingType::PARTIAL_BLIND:
+        c = tunnel_current_client_connections_tls_partial_blind_stat;
+        break;
+      default:
+        c = tunnel_current_client_connections_tls_http_stat;
+        break;
+      }
+    } else { // NET_VCONNECTION_OUT
+      // Never a tunnel type for out (to server) context.
+      ink_assert(get_tunnel_type() == SNIRoutingType::NONE);
+
+      c = tunnel_current_server_connections_tls_stat;
+    }
+    NET_DECREMENT_DYN_STAT(c);
+  }
+
 #if TS_HAS_TLS_EARLY_DATA
   if (_early_data_reader != nullptr) {
     _early_data_reader->dealloc();
@@ -1908,6 +1937,47 @@ SSLNetVConnection::populate(Connection &con, Continuation *c, void *arg)
   return EVENT_DONE;
 }
 
+void
+SSLNetVConnection::_in_context_tunnel()
+{
+  ink_assert(get_context() == NET_VCONNECTION_IN);
+
+  int t, c;
+
+  switch (get_tunnel_type()) {
+  case SNIRoutingType::BLIND:
+    t = tunnel_total_client_connections_tls_tunnel_stat;
+    c = tunnel_current_client_connections_tls_tunnel_stat;
+    break;
+  case SNIRoutingType::FORWARD:
+    t = tunnel_total_client_connections_tls_forward_stat;
+    c = tunnel_current_client_connections_tls_forward_stat;
+    break;
+  case SNIRoutingType::PARTIAL_BLIND:
+    t = tunnel_total_client_connections_tls_partial_blind_stat;
+    c = tunnel_current_client_connections_tls_partial_blind_stat;
+    break;
+  default:
+    t = tunnel_total_client_connections_tls_http_stat;
+    c = tunnel_current_client_connections_tls_http_stat;
+    break;
+  }
+  NET_INCREMENT_DYN_STAT(t);
+  NET_INCREMENT_DYN_STAT(c);
+}
+
+void
+SSLNetVConnection::_out_context_tunnel()
+{
+  ink_assert(get_context() == NET_VCONNECTION_OUT);
+
+  // Never a tunnel type for out (to server) context.
+  ink_assert(get_tunnel_type() == SNIRoutingType::NONE);
+
+  NET_INCREMENT_DYN_STAT(tunnel_total_server_connections_tls_stat);
+  NET_INCREMENT_DYN_STAT(tunnel_current_server_connections_tls_stat);
+}
+
 void
 SSLNetVConnection::increment_ssl_version_metric(int version) const
 {

iocore/net/UnixNetVConnection.cc

@@ -1288,6 +1288,8 @@ UnixNetVConnection::clear()
 void
 UnixNetVConnection::free(EThread *t)
 {
+  Debug("iocore_net", "Entering UnixNetVConnection::free()");
+
   ink_release_assert(t == this_ethread());
 
   // close socket fd
@@ -1296,6 +1298,23 @@ UnixNetVConnection::free(EThread *t)
   }
   con.close();
 
+  if (is_tunnel_endpoint()) {
+    Debug("iocore_net", "Freeing UnixNetVConnection that is tunnel endpoint");
+
+    int c;
+    switch (get_context()) {
+    case NET_VCONNECTION_IN:
+      c = tunnel_current_client_connections_blind_tcp_stat;
+      break;
+    case NET_VCONNECTION_OUT:
+      c = tunnel_current_server_connections_blind_tcp_stat;
+      break;
+    default:
+      ink_release_assert(false);
+    }
+    NET_DECREMENT_DYN_STAT(c);
+  }
+
   clear();
   SET_CONTINUATION_HANDLER(this, &UnixNetVConnection::startEvent);
   ink_assert(con.fd == NO_FD);
@@ -1495,3 +1514,38 @@ UnixNetVConnection::set_tcp_congestion_control(int side)
   return -1;
 #endif
 }
+
+void
+UnixNetVConnection::make_tunnel_endpoint()
+{
+  Debug("iocore_net", "Entering UnixNetVConnection::make_tunnel_endpoint()");
+
+  ink_assert(!_is_tunnel_endpoint);
+
+  _is_tunnel_endpoint = true;
+
+  switch (get_context()) {
+  case NET_VCONNECTION_IN:
+    _in_context_tunnel();
+    break;
+  case NET_VCONNECTION_OUT:
+    _out_context_tunnel();
+    break;
+  default:
+    ink_release_assert(false);
+  }
+}
+
+void
+UnixNetVConnection::_in_context_tunnel()
+{
+  NET_INCREMENT_DYN_STAT(tunnel_total_client_connections_blind_tcp_stat);
+  NET_INCREMENT_DYN_STAT(tunnel_current_client_connections_blind_tcp_stat);
+}
+
+void
+UnixNetVConnection::_out_context_tunnel()
+{
+  NET_INCREMENT_DYN_STAT(tunnel_total_server_connections_blind_tcp_stat);
+  NET_INCREMENT_DYN_STAT(tunnel_current_server_connections_blind_tcp_stat);
+}