Browse Source

package: haproxy

- bump to stable 1.7.3 and pending patches from upstream

Signed-off-by: heil <heil@terminal-consulting.de>
lilik-openwrt-22.03
heil 8 years ago
parent
commit
0f73eff96a
9 changed files with 369 additions and 45 deletions
  1. +9
    -9
      net/haproxy/Makefile
  2. +0
    -36
      net/haproxy/patches/0001-BUG-MINOR-stream-Fix-how-backend-specific-analyzers-.patch
  3. +61
    -0
      net/haproxy/patches/0001-MINOR-config-warn-when-some-HTTP-rules-are-used-in-a.patch
  4. +58
    -0
      net/haproxy/patches/0002-BUG-MINOR-spoe-Fix-soft-stop-handler-using-a-specifi.patch
  5. +33
    -0
      net/haproxy/patches/0003-BUG-MINOR-spoe-Fix-parsing-of-arguments-in-spoe-mess.patch
  6. +44
    -0
      net/haproxy/patches/0004-BUG-MEDIUM-ssl-Clear-OpenSSL-error-stack-after-tryin.patch
  7. +32
    -0
      net/haproxy/patches/0005-BUG-MEDIUM-cli-Prevent-double-free-in-CLI-ACL-lookup.patch
  8. +32
    -0
      net/haproxy/patches/0006-BUG-MINOR-Fix-get-map-map-value-CLI-command.patch
  9. +100
    -0
      net/haproxy/patches/0007-BUG-MAJOR-connection-update-CO_FL_CONNECTED-before-c.patch

+ 9
- 9
net/haproxy/Makefile View File

@ -9,12 +9,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy
PKG_VERSION:=1.7.2
PKG_RELEASE:=01
PKG_VERSION:=1.7.3
PKG_RELEASE:=07
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.7/src/
PKG_MD5SUM:=7330b36f3764ebe409e9305803dc30e2
PKG_MD5SUM:=e529c240c08e4004c6e9dcf3fd6b3ab
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
PKG_LICENSE:=GPL-2.0
@ -120,16 +120,16 @@ define Build/Compile
$(MAKE) TARGET=$(LINUX_TARGET) -C $(PKG_BUILD_DIR) \
DESTDIR="$(PKG_INSTALL_DIR)" \
CC="$(TARGET_CC)" \
$(ADDON)
CFLAGS="$(TARGET_CFLAGS) -fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops -pipe -fomit-frame-pointer -fhonour-copts" \
LD="$(TARGET_LD)" \
LDFLAGS="$(TARGET_LDFLAGS) -lcurses -lreadline" \
PCREDIR="$(STAGING_DIR)/usr/include" \
SMALL_OPTS="-DBUFSIZE=16384 -DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530 " \
USE_LINUX_TPROXY=1 USE_LINUX_SPLICE=1 USE_REGPARM=1 \
USE_ZLIB=yes USE_PCRE=1 \
USE_ZLIB=yes USE_PCRE=1 USE_PCRE_JIT=1\
VERSION="$(PKG_VERSION)-patch$(PKG_RELEASE)" \
IGNOREGIT=1
$(ADDON)
CFLAGS="$(TARGET_CFLAGS) -fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops -pipe -fomit-frame-pointer -fhonour-copts" \
LD="$(TARGET_LD)" \
LDFLAGS="$(TARGET_LDFLAGS) -lcurses -lreadline" \
GNOREGIT=1
$(MAKE_VARS) $(MAKE) -C $(PKG_BUILD_DIR) \
DESTDIR="$(PKG_INSTALL_DIR)" \


+ 0
- 36
net/haproxy/patches/0001-BUG-MINOR-stream-Fix-how-backend-specific-analyzers-.patch View File

@ -1,36 +0,0 @@
From 7a03968243dbad8cab1a3bdd75794c4d7cc18d96 Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfaulet@haproxy.com>
Date: Mon, 9 Jan 2017 16:33:19 +0100
Subject: [PATCH] BUG/MINOR: stream: Fix how backend-specific analyzers are set
on a stream
When the stream's backend was defined, the request's analyzers flag was always
set to 0 if the stream had no listener. This bug was introduced with the filter
API but never triggered (I think so).
Because of the commit 5820a366, it is now possible to encountered it. For
example, this happens when the trace filter is enabled on a SPOE backend. The
fix is pretty trivial.
This fix must be backported to 1.7.
(cherry picked from commit 70e2f272127a931a7b245a95e3a022879145e1dd)
---
src/proxy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/proxy.c b/src/proxy.c
index fec2555..a84a08f 100644
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -1156,7 +1156,7 @@ int stream_set_backend(struct stream *s, struct proxy *be)
* be more reliable to store the list of analysers that have been run,
* but what we do here is OK for now.
*/
- s->req.analysers |= be->be_req_ana & (strm_li(s) ? ~strm_li(s)->analysers : 0);
+ s->req.analysers |= be->be_req_ana & ~(strm_li(s) ? strm_li(s)->analysers : 0);
/* If the target backend requires HTTP processing, we have to allocate
* the HTTP transaction and hdr_idx if we did not have one.
--
2.10.2

+ 61
- 0
net/haproxy/patches/0001-MINOR-config-warn-when-some-HTTP-rules-are-used-in-a.patch View File

@ -0,0 +1,61 @@
From 91715c09a4595af6451ad97c43bf41fec107c69e Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Fri, 10 Mar 2017 11:49:21 +0100
Subject: [PATCH 1/7] MINOR: config: warn when some HTTP rules are used in a
TCP proxy
Surprizingly, http-request, http-response, block, redirect, and capture
rules did not cause a warning to be emitted when used in a TCP proxy, so
let's fix this.
This patch may be backported to older versions as it helps spotting
configuration issues.
(cherry picked from commit de7dc88c517e22d3ae02ce8a8a23046ab2c62238)
---
src/cfgparse.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/src/cfgparse.c b/src/cfgparse.c
index fc6e149..d8d2fda 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -8681,6 +8681,36 @@ out_uri_auth_compat:
curproxy->uri_auth = NULL;
}
+ if (curproxy->capture_name) {
+ Warning("config : 'capture' statement ignored for %s '%s' as it requires HTTP mode.\n",
+ proxy_type_str(curproxy), curproxy->id);
+ err_code |= ERR_WARN;
+ }
+
+ if (!LIST_ISEMPTY(&curproxy->http_req_rules)) {
+ Warning("config : 'http-request' rules ignored for %s '%s' as they require HTTP mode.\n",
+ proxy_type_str(curproxy), curproxy->id);
+ err_code |= ERR_WARN;
+ }
+
+ if (!LIST_ISEMPTY(&curproxy->http_res_rules)) {
+ Warning("config : 'http-response' rules ignored for %s '%s' as they require HTTP mode.\n",
+ proxy_type_str(curproxy), curproxy->id);
+ err_code |= ERR_WARN;
+ }
+
+ if (!LIST_ISEMPTY(&curproxy->block_rules)) {
+ Warning("config : 'block' rules ignored for %s '%s' as they require HTTP mode.\n",
+ proxy_type_str(curproxy), curproxy->id);
+ err_code |= ERR_WARN;
+ }
+
+ if (!LIST_ISEMPTY(&curproxy->redirect_rules)) {
+ Warning("config : 'redirect' rules ignored for %s '%s' as they require HTTP mode.\n",
+ proxy_type_str(curproxy), curproxy->id);
+ err_code |= ERR_WARN;
+ }
+
if (curproxy->options & (PR_O_FWDFOR | PR_O_FF_ALWAYS)) {
Warning("config : 'option %s' ignored for %s '%s' as it requires HTTP mode.\n",
"forwardfor", proxy_type_str(curproxy), curproxy->id);
--
2.10.2

+ 58
- 0
net/haproxy/patches/0002-BUG-MINOR-spoe-Fix-soft-stop-handler-using-a-specifi.patch View File

@ -0,0 +1,58 @@
From 8253b517585a664be53718f1522e24291f553d95 Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfaulet@haproxy.com>
Date: Thu, 23 Feb 2017 10:17:15 +0100
Subject: [PATCH 2/7] BUG/MINOR: spoe: Fix soft stop handler using a specific
id for spoe filters
During a soft stop, we need to wakeup all SPOE applets to stop them. So we loop
on all proxies, and for each proxy, on all filters. But we must be sure to only
handle SPOE filters here. To do so, we use a specific id.
(cherry picked from commit 3b386a318f699def6f37b4d3199cd1d72c481a0f)
---
src/flt_spoe.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index aa6414a..2a96c65 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -235,6 +235,9 @@ struct spoe_context {
unsigned int process_exp; /* expiration date to process an event */
};
+/* SPOE filter id. Used to identify SPOE filters */
+const char *spoe_filter_id = "SPOE filter";
+
/* Set if the handle on SIGUSR1 is registered */
static int sighandler_registered = 0;
@@ -2286,10 +2289,16 @@ sig_stop_spoe(struct sig_handler *sh)
struct flt_conf *fconf;
list_for_each_entry(fconf, &p->filter_configs, list) {
- struct spoe_config *conf = fconf->conf;
- struct spoe_agent *agent = conf->agent;
+ struct spoe_config *conf;
+ struct spoe_agent *agent;
struct appctx *appctx;
+ if (fconf->id != spoe_filter_id)
+ continue;
+
+ conf = fconf->conf;
+ agent = conf->agent;
+
list_for_each_entry(appctx, &agent->cache, ctx.spoe.list) {
si_applet_want_get(appctx->owner);
si_applet_want_put(appctx->owner);
@@ -3178,6 +3187,7 @@ parse_spoe_flt(char **args, int *cur_arg, struct proxy *px,
}
*cur_arg = pos;
+ fconf->id = spoe_filter_id;
fconf->ops = &spoe_ops;
fconf->conf = conf;
return 0;
--
2.10.2

+ 33
- 0
net/haproxy/patches/0003-BUG-MINOR-spoe-Fix-parsing-of-arguments-in-spoe-mess.patch View File

@ -0,0 +1,33 @@
From a208d4dd73794b67a59dae7e3077378473650d6c Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfaulet@haproxy.com>
Date: Thu, 23 Feb 2017 22:41:09 +0100
Subject: [PATCH 3/7] BUG/MINOR: spoe: Fix parsing of arguments in spoe-message
section
The array of pointers passed to sample_parse_expr was not really an array but a
pointer to pointer. So it can easily lead to a segfault during the configuration
parsing.
(cherry picked from commit b0b42388259224be54bf504fa559803b39d6453c)
---
src/flt_spoe.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 2a96c65..57fb1da 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -2966,8 +2966,9 @@ cfg_parse_spoe_message(const char *file, int linenum, char **args, int kwm)
arg->name_len = delim - args[cur_arg];
delim++;
}
-
- arg->expr = sample_parse_expr(&delim, &idx, file, linenum, &errmsg, &curproxy->conf.args);
+ arg->expr = sample_parse_expr((char*[]){delim, NULL},
+ &idx, file, linenum, &errmsg,
+ &curproxy->conf.args);
if (arg->expr == NULL) {
Alert("parsing [%s:%d] : '%s': %s.\n", file, linenum, args[0], errmsg);
err_code |= ERR_ALERT | ERR_FATAL;
--
2.10.2

+ 44
- 0
net/haproxy/patches/0004-BUG-MEDIUM-ssl-Clear-OpenSSL-error-stack-after-tryin.patch View File

@ -0,0 +1,44 @@
From 821d3a9f513a63b06f1696352392996391807c16 Mon Sep 17 00:00:00 2001
From: Janusz Dziemidowicz <rraptorr@nails.eu.org>
Date: Wed, 8 Mar 2017 16:59:41 +0100
Subject: [PATCH 4/7] BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying
to parse OCSP file
Invalid OCSP file (for example empty one that can be used to enable
OCSP response to be set dynamically later) causes errors that are
placed on OpenSSL error stack. Those errors are not cleared so
anything that checks this stack later will fail.
Following configuration:
bind :443 ssl crt crt1.pem crt crt2.pem
With following files:
crt1.pem
crt1.pem.ocsp - empty one
crt2.pem.rsa
crt2.pem.ecdsa
Will fail to load.
This patch should be backported to 1.7.
(cherry picked from commit 8d7104982e1c41f7dc4d75ae7f7d2bbb96052d40)
---
src/ssl_sock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index cc2dc12..daa584c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -433,6 +433,8 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
ret = 0;
out:
+ ERR_clear_error();
+
if (bs)
OCSP_BASICRESP_free(bs);
--
2.10.2

+ 32
- 0
net/haproxy/patches/0005-BUG-MEDIUM-cli-Prevent-double-free-in-CLI-ACL-lookup.patch View File

@ -0,0 +1,32 @@
From e9607769d56373cf29c4df040f605191603beb50 Mon Sep 17 00:00:00 2001
From: Nenad Merdanovic <nmerdan@haproxy.com>
Date: Sun, 12 Mar 2017 22:01:35 +0100
Subject: [PATCH 5/7] BUG/MEDIUM: cli: Prevent double free in CLI ACL lookup
The memory is released by cli_release_mlook, which also properly sets the
pointer to NULL. This was introduced with a big code reorganization
involving moving to the new keyword registration form in commit ad8be61c7.
This fix needs to be backported to 1.7.
Signed-off-by: Nenad Merdanovic <nmerdan@haproxy.com>
(cherry picked from commit 24f45d8e34797ed9c16ac3fa6d89f3eed435e706)
---
src/map.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/map.c b/src/map.c
index b6fce4d..90deb08 100644
--- a/src/map.c
+++ b/src/map.c
@@ -524,7 +524,6 @@ static int cli_io_handler_map_lookup(struct appctx *appctx)
default:
appctx->st2 = STAT_ST_FIN;
- free(appctx->ctx.map.chunk.str);
return 1;
}
}
--
2.10.2

+ 32
- 0
net/haproxy/patches/0006-BUG-MINOR-Fix-get-map-map-value-CLI-command.patch View File

@ -0,0 +1,32 @@
From e1008f22fbb9c08080aad9f998a557170b96f3f9 Mon Sep 17 00:00:00 2001
From: Nenad Merdanovic <nmerdan@haproxy.com>
Date: Sun, 12 Mar 2017 22:01:36 +0100
Subject: [PATCH 6/7] BUG/MINOR: Fix "get map <map> <value>" CLI command
The said form of the CLI command didn't return anything since commit
ad8be61c7.
This fix needs to be backported to 1.7.
Signed-off-by: Nenad Merdanovic <nmerdan@haproxy.com>
(cherry picked from commit 96c15719434a4eb46e191fcf1dafcb051065a76e)
---
src/map.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/map.c b/src/map.c
index 90deb08..e8c6a2a 100644
--- a/src/map.c
+++ b/src/map.c
@@ -906,7 +906,7 @@ static struct cli_kw_list cli_kws = {{ },{
{ { "add", "map", NULL }, "add map : add map entry", cli_parse_add_map, NULL },
{ { "clear", "map", NULL }, "clear map <id> : clear the content of this map", cli_parse_clear_map, NULL },
{ { "del", "map", NULL }, "del map : delete map entry", cli_parse_del_map, NULL },
- { { "get", "map", NULL }, "get map : report the keys and values matching a sample for a map", cli_parse_get_map, NULL },
+ { { "get", "map", NULL }, "get map : report the keys and values matching a sample for a map", cli_parse_get_map, cli_io_handler_map_lookup, cli_release_mlook },
{ { "set", "map", NULL }, "set map : modify map entry", cli_parse_set_map, NULL },
{ { "show", "map", NULL }, "show map [id] : report available maps or dump a map's contents", cli_parse_show_map, NULL },
{ { NULL }, NULL, NULL, NULL }
--
2.10.2

+ 100
- 0
net/haproxy/patches/0007-BUG-MAJOR-connection-update-CO_FL_CONNECTED-before-c.patch View File

@ -0,0 +1,100 @@
From afbf56b951967e8fa4d509e423fdcb11c27d40e2 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 14 Mar 2017 20:19:29 +0100
Subject: [PATCH 7/7] BUG/MAJOR: connection: update CO_FL_CONNECTED before
calling the data layer
Matthias Fechner reported a regression in 1.7.3 brought by the backport
of commit 819efbf ("BUG/MEDIUM: tcp: don't poll for write when connect()
succeeds"), causing some connections to fail to establish once in a while.
While this commit itself was a fix for a bad sequencing of connection
events, it in fact unveiled a much deeper bug going back to the connection
rework era in v1.5-dev12 : 8f8c92f ("MAJOR: connection: add a new
CO_FL_CONNECTED flag").
It's worth noting that in a lab reproducing a similar environment as
Matthias' about only 1 every 19000 connections exhibit this behaviour,
making the issue not so easy to observe. A trick to make the problem
more observable consists in disabling non-blocking mode on the socket
before calling connect() and re-enabling it later, so that connect()
always succeeds. Then it becomes 100% reproducible.
The problem is that this CO_FL_CONNECTED flag is tested after deciding to
call the data layer (typically the stream interface but might be a health
check as well), and that the decision to call the data layer relies on a
change of one of the flags covered by the CO_FL_CONN_STATE set, which is
made of CO_FL_CONNECTED among others.
Before the fix above, this bug couldn't appear with TCP but it could
appear with Unix sockets. Indeed, connect() was always considered
blocking so the CO_FL_WAIT_L4_CONN connection flag was always set, and
polling for write events was always enabled. This used to guarantee that
the conn_fd_handler() could detect a change among the CO_FL_CONN_STATE
flags.
Now with the fix above, if a connect() immediately succeeds for non-ssl
connection with send-proxy enabled, and no data in the buffer (thus TCP
mode only), the CO_FL_WAIT_L4_CONN flag is not set, the lack of data in
the buffer doesn't enable polling flags for the data layer, the
CO_FL_CONNECTED flag is not set due to send-proxy still being pending,
and once send-proxy is done, its completion doesn't cause the data layer
to be woken up due to the fact that CO_FL_CONNECT is still not present
and that the CO_FL_SEND_PROXY flag is not watched in CO_FL_CONN_STATE.
Then no progress is made when data are received from the client (and
attempted to be forwarded), because a CF_WRITE_NULL (or CF_WRITE_PARTIAL)
flag is needed for the stream-interface state to turn from SI_ST_CON to
SI_ST_EST, allowing ->chk_snd() to be called when new data arrive. And
the only way to set this flag is to call the data layer of course.
After the connect timeout, the connection gets killed and if in the mean
time some data have accumulated in the buffer, the retry will succeed.
This patch fixes this situation by simply placing the update of
CO_FL_CONNECTED where it should have been, before the check for a flag
change needed to wake up the data layer and not after.
This fix must be backported to 1.7, 1.6 and 1.5. Versions not having
the patch above are still affected for unix sockets.
Special thanks to Matthias Fechner who provided a very detailed bug
report with a bisection designating the faulty patch, and to Olivier
Houchard for providing full access to a pretty similar environment where
the issue could first be reproduced.
(cherry picked from commit 7bf3fa3c23f6a1b7ed1212783507ac50f7e27544)
---
src/connection.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/connection.c b/src/connection.c
index 26fc5f6..1e4c9aa 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -131,6 +131,13 @@ void conn_fd_handler(int fd)
}
leave:
+ /* Verify if the connection just established. The CO_FL_CONNECTED flag
+ * being included in CO_FL_CONN_STATE, its change will be noticed by
+ * the next block and be used to wake up the data layer.
+ */
+ if (unlikely(!(conn->flags & (CO_FL_WAIT_L4_CONN | CO_FL_WAIT_L6_CONN | CO_FL_CONNECTED))))
+ conn->flags |= CO_FL_CONNECTED;
+
/* The wake callback may be used to process a critical error and abort the
* connection. If so, we don't want to go further as the connection will
* have been released and the FD destroyed.
@@ -140,10 +147,6 @@ void conn_fd_handler(int fd)
conn->data->wake(conn) < 0)
return;
- /* Last check, verify if the connection just established */
- if (unlikely(!(conn->flags & (CO_FL_WAIT_L4_CONN | CO_FL_WAIT_L6_CONN | CO_FL_CONNECTED))))
- conn->flags |= CO_FL_CONNECTED;
-
/* remove the events before leaving */
fdtab[fd].ev &= FD_POLL_STICKY;
--
2.10.2

Loading…
Cancel
Save