haproxy: remove old patches

- remove old patches from 1.6 - fix download url for 1.7 - fixes #3687 Signed-off-by: heil <heil@terminal-consulting.de>
8 years ago · 0f9bf14e66
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@ -13,7 +13,7 @@ PKG_VERSION:=1.7.1
 PKG_RELEASE:=00

 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.6/src/
 PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.7/src/
 PKG_MD5SUM:=d0acaae02e444039e11892ea31dde478

 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
--- a/net/haproxy/patches/0001-BUG-MINOR-Fix-OSX-compilation-errors.patch
+++ b/net/haproxy/patches/0001-BUG-MINOR-Fix-OSX-compilation-errors.patch
@ -1,53 +0,0 @@
 From 42ccea00f69abdd1bb748494f7e17d8369ccae31 Mon Sep 17 00:00:00 2001
 From: Dinko Korunic <dinko.korunic@gmail.com>
 Date: Fri, 9 Sep 2016 09:41:15 +0200
 Subject: [PATCH 01/26] BUG/MINOR: Fix OSX compilation errors

 SOL_IPV6 is not defined on OSX, breaking the compile. Also libcrypt is
 not available for installation neither in Macports nor as a Brew recipe,
 so we're disabling implicit dependancy.

 Signed-off-by: Dinko Korunic <dinko.korunic@gmail.com>
 (cherry picked from commit 7276f3aa3d687fca64bb9becc66c8e0dbb8b378a)
 ---
 Makefile        | 1 -
 src/proto_tcp.c | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

 diff --git a/Makefile b/Makefile
 index 1bf778d..1d0f2bc 100644
 --- a/Makefile
 +++ b/Makefile
@@ -301,7 +301,6 @@ ifeq ($(TARGET),osx)
   USE_POLL       = implicit
   USE_KQUEUE     = implicit
   USE_TPROXY     = implicit
 -  USE_LIBCRYPT   = implicit
 else
 ifeq ($(TARGET),openbsd)
   # This is for OpenBSD >= 3.0
 diff --git a/src/proto_tcp.c b/src/proto_tcp.c
 index 2c81fb4..4f5d88d 100644
 --- a/src/proto_tcp.c
 +++ b/src/proto_tcp.c
@@ -206,7 +206,7 @@ int tcp_bind_socket(int fd, int flags, struct sockaddr_storage *local, struct so
 	case AF_INET6:
 		if (flags && ip6_transp_working) {
 			if (0
 -#if defined(IPV6_TRANSPARENT)
 +#if defined(IPV6_TRANSPARENT) && defined(SOL_IPV6)
 			    || (setsockopt(fd, SOL_IPV6, IPV6_TRANSPARENT, &one, sizeof(one)) == 0)
 #endif
 #if defined(IP_FREEBIND)
@@ -854,7 +854,7 @@ int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen)
 		break;
 		case AF_INET6:
 			if (1
 -#if defined(IPV6_TRANSPARENT)
 +#if defined(IPV6_TRANSPARENT) && defined(SOL_IPV6)
 			    && (setsockopt(fd, SOL_IPV6, IPV6_TRANSPARENT, &one, sizeof(one)) == -1)
 #endif
 #if defined(IP_FREEBIND)
 -- 
 2.7.3

--- a/net/haproxy/patches/0002-BUG-MINOR-displayed-PCRE-version-is-running-release.patch
+++ b/net/haproxy/patches/0002-BUG-MINOR-displayed-PCRE-version-is-running-release.patch
@ -1,31 +0,0 @@
 From 3a011f15a8d61cd0088cc0e46743bdc7699db1af Mon Sep 17 00:00:00 2001
 From: Lukas Tribus <luky-37@hotmail.com>
 Date: Mon, 12 Sep 2016 21:42:00 +0000
 Subject: [PATCH 02/26] BUG/MINOR: displayed PCRE version is running release

 pcre_version() returns the running PCRE release, not the release
 haproxy was built with.

 This simple string fix should be backported to supported releases,
 as the output may be confusing.
 (cherry picked from commit d64788d9c610163756cac6c91220875e51cba3ef)
 ---
 src/haproxy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/src/haproxy.c b/src/haproxy.c
 index d70cf63..44d32b9 100644
 --- a/src/haproxy.c
 +++ b/src/haproxy.c
@@ -347,7 +347,7 @@ void display_build_opts()
 #endif
 
 #ifdef USE_PCRE
 -	printf("Built with PCRE version : %s", pcre_version());
 +	printf("Running on PCRE version : %s", pcre_version());
 	printf("\nPCRE library supports JIT : ");
 #ifdef USE_PCRE_JIT
 	{
 -- 
 2.7.3

--- a/net/haproxy/patches/0003-MINOR-show-Built-with-PCRE-version.patch
+++ b/net/haproxy/patches/0003-MINOR-show-Built-with-PCRE-version.patch
@ -1,49 +0,0 @@
 From dcdd2ae7d6809f45c5f6bbe2ba6fe9c70802bb42 Mon Sep 17 00:00:00 2001
 From: Lukas Tribus <luky-37@hotmail.com>
 Date: Mon, 12 Sep 2016 21:42:07 +0000
 Subject: [PATCH 03/26] MINOR: show Built with PCRE version

 Inspired by PCRE's pcre_version.c and improved with Willy's
 suggestions. Reusable parts have been added to
 include/common/standard.h.
 (cherry picked from commit dcbc5c5ecf6506b5ad55b98bbec910b29f011f14)
 ---
 include/common/standard.h | 9 +++++++++
 src/haproxy.c             | 3 +++
 2 files changed, 12 insertions(+)

 diff --git a/include/common/standard.h b/include/common/standard.h
 index 6098550..26a52ff 100644
 --- a/include/common/standard.h
 +++ b/include/common/standard.h
@@ -1065,4 +1065,13 @@ static inline void *my_realloc2(void *ptr, size_t size)
 	return ret;
 }
 
 +/* HAP_STRING() makes a string from a literal while HAP_XSTRING() first
 + * evaluates the argument and is suited to pass macros.
 + *
 + * They allow macros like PCRE_MAJOR to be defined without quotes, which
 + * is convenient for applications that want to test its value.
 + */
 +#define HAP_STRING(...) #__VA_ARGS__
 +#define HAP_XSTRING(...) HAP_STRING(__VA_ARGS__)
 +
 #endif /* _COMMON_STANDARD_H */
 diff --git a/src/haproxy.c b/src/haproxy.c
 index 44d32b9..37d700b 100644
 --- a/src/haproxy.c
 +++ b/src/haproxy.c
@@ -347,6 +347,9 @@ void display_build_opts()
 #endif
 
 #ifdef USE_PCRE
 +	printf("Built with PCRE version : %s\n", (HAP_XSTRING(Z PCRE_PRERELEASE)[1] == 0)?
 +		HAP_XSTRING(PCRE_MAJOR.PCRE_MINOR PCRE_DATE) :
 +		HAP_XSTRING(PCRE_MAJOR.PCRE_MINOR) HAP_XSTRING(PCRE_PRERELEASE PCRE_DATE));
 	printf("Running on PCRE version : %s", pcre_version());
 	printf("\nPCRE library supports JIT : ");
 #ifdef USE_PCRE_JIT
 -- 
 2.7.3

--- a/net/haproxy/patches/0004-MINOR-show-Running-on-zlib-version.patch
+++ b/net/haproxy/patches/0004-MINOR-show-Running-on-zlib-version.patch
@ -1,25 +0,0 @@
 From 9d59ff222cc81ee356594cfa780349dd91376fd9 Mon Sep 17 00:00:00 2001
 From: Lukas Tribus <luky-37@hotmail.com>
 Date: Mon, 12 Sep 2016 21:42:14 +0000
 Subject: [PATCH 04/26] MINOR: show Running on zlib version

 (cherry picked from commit 255cc5184dc8483e4377d9de25670bd6e226cdba)
 ---
 src/haproxy.c | 1 +
 1 file changed, 1 insertion(+)

 diff --git a/src/haproxy.c b/src/haproxy.c
 index 37d700b..9f5878a 100644
 --- a/src/haproxy.c
 +++ b/src/haproxy.c
@@ -287,6 +287,7 @@ void display_build_opts()
 
 #ifdef USE_ZLIB
 	printf("Built with zlib version : " ZLIB_VERSION "\n");
 +	printf("Running on zlib version : %s\n", zlibVersion());
 #elif defined(USE_SLZ)
 	printf("Built with libslz for stateless compression.\n");
 #else /* USE_ZLIB */
 -- 
 2.7.3

--- a/net/haproxy/patches/0005-MINOR-Add-fe_req_rate-sample-fetch.patch
+++ b/net/haproxy/patches/0005-MINOR-Add-fe_req_rate-sample-fetch.patch
@ -1,66 +0,0 @@
 From 7397526d0c80251b3006b1b45af754f5ad7adb76 Mon Sep 17 00:00:00 2001
 From: Nenad Merdanovic <nmerdan@anine.io>
 Date: Mon, 3 Oct 2016 04:57:37 +0200
 Subject: [PATCH 05/26] MINOR: Add fe_req_rate sample fetch

 The fe_req_rate is similar to fe_sess_rate, but fetches the number
 of HTTP requests per second instead of connections/sessions per second.

 Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
 (cherry picked from commit ad9a7e9770e673a70fb56ab95be18bf88666d92a)
 ---
 doc/configuration.txt |  5 +++++
 src/frontend.c        | 14 ++++++++++++++
 2 files changed, 19 insertions(+)

 diff --git a/doc/configuration.txt b/doc/configuration.txt
 index d4b1744..d18c399 100644
 --- a/doc/configuration.txt
 +++ b/doc/configuration.txt
@@ -12253,6 +12253,11 @@ fe_conn([<frontend>]) : integer
   statistics to servers in HTTP headers. See also the "dst_conn", "be_conn",
   "fe_sess_rate" fetches.
 
 +fe_req_rate([<frontend>]) : integer
 +  Returns an integer value corresponding to the number of HTTP requests per
 +  second sent to a frontend. This number can differ from "fe_sess_rate" in
 +  situations where client-side keep-alive is enabled.
 +
 fe_sess_rate([<frontend>]) : integer
   Returns an integer value corresponding to the sessions creation rate on the
   frontend, in number of new sessions per second. This is used with ACLs to
 diff --git a/src/frontend.c b/src/frontend.c
 index 74ec0ab..5cc6202 100644
 --- a/src/frontend.c
 +++ b/src/frontend.c
@@ -167,6 +167,19 @@ smp_fetch_fe_id(const struct arg *args, struct sample *smp, const char *kw, void
 	return 1;
 }
 
 +/* set temp integer to the number of HTTP requests per second reaching the frontend.
 + * Accepts exactly 1 argument. Argument is a frontend, other types will cause
 + * an undefined behaviour.
 + */
 +static int
 +smp_fetch_fe_req_rate(const struct arg *args, struct sample *smp, const char *kw, void *private)
 +{
 +	smp->flags = SMP_F_VOL_TEST;
 +	smp->data.type = SMP_T_SINT;
 +	smp->data.u.sint = read_freq_ctr(&args->data.prx->fe_req_per_sec);
 +	return 1;
 +}
 +
 /* set temp integer to the number of connections per second reaching the frontend.
  * Accepts exactly 1 argument. Argument is a frontend, other types will cause
  * an undefined behaviour.
@@ -200,6 +213,7 @@ smp_fetch_fe_conn(const struct arg *args, struct sample *smp, const char *kw, vo
 static struct sample_fetch_kw_list smp_kws = {ILH, {
 	{ "fe_conn",      smp_fetch_fe_conn,      ARG1(1,FE), NULL, SMP_T_SINT, SMP_USE_INTRN, },
 	{ "fe_id",        smp_fetch_fe_id,        0,          NULL, SMP_T_SINT, SMP_USE_FTEND, },
 +	{ "fe_req_rate",  smp_fetch_fe_req_rate,  ARG1(1,FE), NULL, SMP_T_SINT, SMP_USE_INTRN, },
 	{ "fe_sess_rate", smp_fetch_fe_sess_rate, ARG1(1,FE), NULL, SMP_T_SINT, SMP_USE_INTRN, },
 	{ /* END */ },
 }};
 -- 
 2.7.3

--- a/net/haproxy/patches/0006-MEDIUM-make-SO_REUSEPORT-configurable.patch
+++ b/net/haproxy/patches/0006-MEDIUM-make-SO_REUSEPORT-configurable.patch
@ -1,134 +0,0 @@
 From 3dd981c016ac7ad636ee546c2b9b685f7e8500d4 Mon Sep 17 00:00:00 2001
 From: Lukas Tribus <luky-37@hotmail.com>
 Date: Mon, 12 Sep 2016 21:42:20 +0000
 Subject: [PATCH 06/26] MEDIUM: make SO_REUSEPORT configurable

 With Linux officially introducing SO_REUSEPORT support in 3.9 and
 its mainstream adoption we have seen more people running into strange
 SO_REUSEPORT related issues (a process management issue turning into
 hard to diagnose problems because the kernel load-balances between the
 new and an obsolete haproxy instance).

 Also some people simply want the guarantee that the bind fails when
 the old process is still bound.

 This change makes SO_REUSEPORT configurable, introducing the command
 line argument "-dR" and the noreuseport configuration directive.

 A backport to 1.6 should be considered.
 (cherry picked from commit a0bcbdcb04d52c3ca71045f90aac33d9dd7965bf)
 ---
 doc/configuration.txt  |  5 +++++
 include/types/global.h |  1 +
 src/cfgparse.c         |  5 +++++
 src/haproxy.c          | 10 ++++++++++
 src/proto_tcp.c        |  6 +++---
 5 files changed, 24 insertions(+), 3 deletions(-)

 diff --git a/doc/configuration.txt b/doc/configuration.txt
 index d18c399..e725ce2 100644
 --- a/doc/configuration.txt
 +++ b/doc/configuration.txt
@@ -570,6 +570,7 @@ The following keywords are supported in the "global" section :
    - nopoll
    - nosplice
    - nogetaddrinfo
 +   - noreuseport
    - spread-checks
    - server-state-base
    - server-state-file
@@ -1090,6 +1091,10 @@ nogetaddrinfo
   Disables the use of getaddrinfo(3) for name resolving. It is equivalent to
   the command line argument "-dG". Deprecated gethostbyname(3) will be used.
 
 +noreuseport
 +  Disables the use of SO_REUSEPORT - see socket(7). It is equivalent to the
 +  command line argument "-dR".
 +
 spread-checks <0..50, in percent>
   Sometimes it is desirable to avoid sending agent and health checks to
   servers at exact intervals, for instance when many logical servers are
 diff --git a/include/types/global.h b/include/types/global.h
 index 61f0391..2e24d3f 100644
 --- a/include/types/global.h
 +++ b/include/types/global.h
@@ -63,6 +63,7 @@
 /* platform-specific options */
 #define GTUNE_USE_SPLICE         (1<<4)
 #define GTUNE_USE_GAI            (1<<5)
 +#define GTUNE_USE_REUSEPORT      (1<<6)
 
 /* Access level for a stats socket */
 #define ACCESS_LVL_NONE     0
 diff --git a/src/cfgparse.c b/src/cfgparse.c
 index 55086fd..f2a104d 100644
 --- a/src/cfgparse.c
 +++ b/src/cfgparse.c
@@ -662,6 +662,11 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
 			goto out;
 		global.tune.options &= ~GTUNE_USE_GAI;
 	}
 +	else if (!strcmp(args[0], "noreuseport")) {
 +		if (alertif_too_many_args(0, file, linenum, args, &err_code))
 +			goto out;
 +		global.tune.options &= ~GTUNE_USE_REUSEPORT;
 +	}
 	else if (!strcmp(args[0], "quiet")) {
 		if (alertif_too_many_args(0, file, linenum, args, &err_code))
 			goto out;
 diff --git a/src/haproxy.c b/src/haproxy.c
 index 9f5878a..a657dc4 100644
 --- a/src/haproxy.c
 +++ b/src/haproxy.c
@@ -452,6 +452,9 @@ void usage(char *name)
 #if defined(USE_GETADDRINFO)
 		"        -dG disables getaddrinfo() usage\n"
 #endif
 +#if defined(SO_REUSEPORT)
 +		"        -dR disables SO_REUSEPORT usage\n"
 +#endif
 		"        -dV disables SSL verify on servers side\n"
 		"        -sf/-st [pid ]* finishes/terminates old pids.\n"
 		"\n",
@@ -623,6 +626,9 @@ void init(int argc, char **argv)
 #if defined(USE_GETADDRINFO)
 	global.tune.options |= GTUNE_USE_GAI;
 #endif
 +#if defined(SO_REUSEPORT)
 +	global.tune.options |= GTUNE_USE_REUSEPORT;
 +#endif
 
 	pid = getpid();
 	progname = *argv;
@@ -666,6 +672,10 @@ void init(int argc, char **argv)
 			else if (*flag == 'd' && flag[1] == 'G')
 				global.tune.options &= ~GTUNE_USE_GAI;
 #endif
 +#if defined(SO_REUSEPORT)
 +			else if (*flag == 'd' && flag[1] == 'R')
 +				global.tune.options &= ~GTUNE_USE_REUSEPORT;
 +#endif
 			else if (*flag == 'd' && flag[1] == 'V')
 				global.ssl_server_verify = SSL_SERVER_VERIFY_NONE;
 			else if (*flag == 'V')
 diff --git a/src/proto_tcp.c b/src/proto_tcp.c
 index 4f5d88d..0f20fde 100644
 --- a/src/proto_tcp.c
 +++ b/src/proto_tcp.c
@@ -824,10 +824,10 @@ int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen)
 		setsockopt(fd, SOL_SOCKET, SO_LINGER, &nolinger, sizeof(struct linger));
 
 #ifdef SO_REUSEPORT
 -	/* OpenBSD supports this. As it's present in old libc versions of Linux,
 -	 * it might return an error that we will silently ignore.
 +	/* OpenBSD and Linux 3.9 support this. As it's present in old libc versions of
 +	 * Linux, it might return an error that we will silently ignore.
 	 */
 -	if (!ext)
 +	if (!ext && (global.tune.options & GTUNE_USE_REUSEPORT))
 		setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one));
 #endif
 
 -- 
 2.7.3

--- a/net/haproxy/patches/0007-BUG-MINOR-vars-use-sess-and-not-s-sess-in-action_sto.patch
+++ b/net/haproxy/patches/0007-BUG-MINOR-vars-use-sess-and-not-s-sess-in-action_sto.patch
@ -1,29 +0,0 @@
 From 21877a43afd6300518140c415ccec2dba0a0591f Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Fri, 21 Oct 2016 17:13:24 +0200
 Subject: [PATCH 07/26] BUG/MINOR: vars: use sess and not s->sess in
 action_store()

 This causes the stream to be dereferenced when not needed. It will
 cause trouble when variables are used outside of a stream.
 (cherry picked from commit 108a8fd8be0c78a4bf147a2028fd9bda3343c93c)
 ---
 src/vars.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/src/vars.c b/src/vars.c
 index 56fade5..b22c3bf 100644
 --- a/src/vars.c
 +++ b/src/vars.c
@@ -507,7 +507,7 @@ static enum act_return action_store(struct act_rule *rule, struct proxy *px,
 
 	/* Process the expression. */
 	memset(&smp, 0, sizeof(smp));
 -	if (!sample_process(px, s->sess, s, dir|SMP_OPT_FINAL,
 +	if (!sample_process(px, sess, s, dir|SMP_OPT_FINAL,
 	                    rule->arg.vars.expr, &smp))
 		return ACT_RET_CONT;
 
 -- 
 2.7.3

--- a/net/haproxy/patches/0008-BUG-MINOR-vars-make-smp_fetch_var-more-robust-agains.patch
+++ b/net/haproxy/patches/0008-BUG-MINOR-vars-make-smp_fetch_var-more-robust-agains.patch
@ -1,47 +0,0 @@
 From ff403602edc917b8bef2062dc0d5dec2017e3232 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Fri, 21 Oct 2016 17:14:35 +0200
 Subject: [PATCH 08/26] BUG/MINOR: vars: make smp_fetch_var() more robust
 against misuses

 smp_fetch_var() may be called from everywhere since it just reads a
 variable. It must ensure that the stream exists before trying to return
 a stream-dependant variable. For now there is no impact but it will
 cause trouble with tcp-request session rules.
 (cherry picked from commit 7513d001c8a6b7d1cf8e7d5469942cd39d6e8160)
 ---
 src/vars.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

 diff --git a/src/vars.c b/src/vars.c
 index b22c3bf..4a0c4ed 100644
 --- a/src/vars.c
 +++ b/src/vars.c
@@ -242,11 +242,21 @@ static int smp_fetch_var(const struct arg *args, struct sample *smp, const char
 
 	/* Check the availibity of the variable. */
 	switch (var_desc->scope) {
 -	case SCOPE_SESS: vars = &smp->sess->vars;  break;
 -	case SCOPE_TXN:  vars = &smp->strm->vars_txn;    break;
 +	case SCOPE_SESS:
 +		vars = &smp->sess->vars;
 +		break;
 +	case SCOPE_TXN:
 +		if (!smp->strm)
 +			return 0;
 +		vars = &smp->strm->vars_txn;
 +		break;
 	case SCOPE_REQ:
 	case SCOPE_RES:
 -	default:         vars = &smp->strm->vars_reqres; break;
 +	default:
 +		if (!smp->strm)
 +			return 0;
 +		vars = &smp->strm->vars_reqres;
 +		break;
 	}
 	if (vars->scope != var_desc->scope)
 		return 0;
 -- 
 2.7.3

--- a/net/haproxy/patches/0009-BUG-MINOR-vars-smp_fetch_var-doesn-t-depend-on-HTTP-.patch
+++ b/net/haproxy/patches/0009-BUG-MINOR-vars-smp_fetch_var-doesn-t-depend-on-HTTP-.patch
@ -1,31 +0,0 @@
 From 3810ab9e71a19e7f04a9e18580abc77c276d0ff1 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Fri, 21 Oct 2016 17:17:18 +0200
 Subject: [PATCH 09/26] BUG/MINOR: vars: smp_fetch_var() doesn't depend on HTTP
 but on the session

 Thus the SMP_USE_HTTP_ANY dependency is incorrect, we have to depend on
 SMP_USE_L5_CLI (the session). It's particularly important for session-wide
 variables which are kept across HTTP requests. For now there is no impact
 but it will make a difference with tcp-request session rules.
 (cherry picked from commit 87846e42a478fe2aa0fbc1e162ba5fb227be49b7)
 ---
 src/vars.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/src/vars.c b/src/vars.c
 index 4a0c4ed..a3dd85c 100644
 --- a/src/vars.c
 +++ b/src/vars.c
@@ -654,7 +654,7 @@ static int vars_max_size_reqres(char **args, int section_type, struct proxy *cur
 
 static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 
 -	{ "var", smp_fetch_var, ARG1(1,STR), smp_check_var, SMP_T_STR, SMP_USE_HTTP_ANY },
 +	{ "var", smp_fetch_var, ARG1(1,STR), smp_check_var, SMP_T_STR, SMP_USE_L5CLI },
 	{ /* END */ },
 }};
 
 -- 
 2.7.3

--- a/net/haproxy/patches/0010-BUG-MINOR-ssl-Check-malloc-return-code.patch
+++ b/net/haproxy/patches/0010-BUG-MINOR-ssl-Check-malloc-return-code.patch
@ -1,29 +0,0 @@
 From 2d7ed4ae91383cd35fe07cd34d01c23b4a5d03f5 Mon Sep 17 00:00:00 2001
 From: "Thierry FOURNIER / OZON.IO" <thierry.fournier@ozon.io>
 Date: Thu, 6 Oct 2016 10:35:29 +0200
 Subject: [PATCH 10/26] BUG/MINOR: ssl: Check malloc return code

 If malloc() can't allocate memory and return NULL, a segfaut will raises.

 This patch should be backported in the 1.6 and 1.5 version.
 (cherry picked from commit 7a3bd3b9dc43509bb1869389dcf91e35c0155f9b)
 ---
 src/ssl_sock.c | 2 ++
 1 file changed, 2 insertions(+)

 diff --git a/src/ssl_sock.c b/src/ssl_sock.c
 index 0535a3b..5f9a203 100644
 --- a/src/ssl_sock.c
 +++ b/src/ssl_sock.c
@@ -1572,6 +1572,8 @@ static int ssl_sock_add_cert_sni(SSL_CTX *ctx, struct bind_conf *s, char *name,
 		int j, len;
 		len = strlen(name);
 		sc = malloc(sizeof(struct sni_ctx) + len + 1);
 +		if (!sc)
 +			return order;
 		for (j = 0; j < len; j++)
 			sc->name.key[j] = tolower(name[j]);
 		sc->name.key[len] = 0;
 -- 
 2.7.3

--- a/net/haproxy/patches/0011-BUG-MINOR-ssl-prevent-multiple-entries-for-the-same-.patch
+++ b/net/haproxy/patches/0011-BUG-MINOR-ssl-prevent-multiple-entries-for-the-same-.patch
@ -1,70 +0,0 @@
 From b2b0eab46a8ae36f2dd49159e65c90c1089a0f96 Mon Sep 17 00:00:00 2001
 From: "Thierry FOURNIER / OZON.IO" <thierry.fournier@ozon.io>
 Date: Thu, 6 Oct 2016 10:56:48 +0200
 Subject: [PATCH 11/26] BUG/MINOR: ssl: prevent multiple entries for the same
 certificate

 Today, the certificate are indexed int he SNI tree using their CN and the
 list of thier AltNames. So, Some certificates have the same names in the
 CN and one of the AltNames entries.

 Typically Let's Encrypt duplicate the the DNS name in the CN and the
 AltName.

 This patch prevents the creation of identical entries in the trees. It
 checks the same DNS name and the same SSL context.

 If the same certificate is registered two time it will be duplicated.

 This patch should be backported in the 1.6 and 1.5 version.
 (cherry picked from commit 07c3d78c2c0693ee37db71c34723597638b6ab3f)
 ---
 src/ssl_sock.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

 diff --git a/src/ssl_sock.c b/src/ssl_sock.c
 index 5f9a203..ad8054d 100644
 --- a/src/ssl_sock.c
 +++ b/src/ssl_sock.c
@@ -1556,6 +1556,7 @@ static int ssl_sock_add_cert_sni(SSL_CTX *ctx, struct bind_conf *s, char *name,
 {
 	struct sni_ctx *sc;
 	int wild = 0, neg = 0;
 +	struct ebmb_node *node;
 
 	if (*name == '!') {
 		neg = 1;
@@ -1571,12 +1572,27 @@ static int ssl_sock_add_cert_sni(SSL_CTX *ctx, struct bind_conf *s, char *name,
 	if (*name) {
 		int j, len;
 		len = strlen(name);
 +		for (j = 0; j < len && j < trash.size; j++)
 +			trash.str[j] = tolower(name[j]);
 +		if (j >= trash.size)
 +			return order;
 +		trash.str[j] = 0;
 +
 +		/* Check for duplicates. */
 +		if (wild)
 +			node = ebst_lookup(&s->sni_w_ctx, trash.str);
 +		else
 +			node = ebst_lookup(&s->sni_ctx, trash.str);
 +		for (; node; node = ebmb_next_dup(node)) {
 +			sc = ebmb_entry(node, struct sni_ctx, name);
 +			if (sc->ctx == ctx && sc->neg == neg)
 +				return order;
 +		}
 +
 		sc = malloc(sizeof(struct sni_ctx) + len + 1);
 		if (!sc)
 			return order;
 -		for (j = 0; j < len; j++)
 -			sc->name.key[j] = tolower(name[j]);
 -		sc->name.key[len] = 0;
 +		memcpy(sc->name.key, trash.str, len + 1);
 		sc->ctx = ctx;
 		sc->order = order++;
 		sc->neg = neg;
 -- 
 2.7.3

--- a/net/haproxy/patches/0012-BUG-MINOR-systemd-make-the-wrapper-return-a-non-null.patch
+++ b/net/haproxy/patches/0012-BUG-MINOR-systemd-make-the-wrapper-return-a-non-null.patch
@ -1,31 +0,0 @@
 From 03c706d71e2d314670d2ebb4dfa48fd3b793b361 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Tue, 25 Oct 2016 15:50:47 +0200
 Subject: [PATCH 12/26] BUG/MINOR: systemd: make the wrapper return a non-null
 status code on error

 When execv() fails to execute the haproxy executable, it's important to
 return an error instead of pretending everything is cool. This fix should
 be backported to 1.6 and 1.5 in order to improve the overall reliability
 under systemd.
 (cherry picked from commit 7643d09dca4d0eed97ba3c29d4f4fd1f037f96ae)
 ---
 src/haproxy-systemd-wrapper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c
 index d118ec6..a78e75b 100644
 --- a/src/haproxy-systemd-wrapper.c
 +++ b/src/haproxy-systemd-wrapper.c
@@ -94,7 +94,7 @@ static void spawn_haproxy(char **pid_strv, int nb_pid)
 		fprintf(stderr, "\n");
 
 		execv(argv[0], argv);
 -		exit(0);
 +		exit(1);
 	}
 }
 
 -- 
 2.7.3

--- a/net/haproxy/patches/0013-BUG-MINOR-systemd-always-restore-signals-before-exec.patch
+++ b/net/haproxy/patches/0013-BUG-MINOR-systemd-always-restore-signals-before-exec.patch
@ -1,117 +0,0 @@
 From 7a7eada6f4ecfc54325a18cf20c3035994a901c4 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Tue, 25 Oct 2016 16:49:31 +0200
 Subject: [PATCH 13/26] BUG/MINOR: systemd: always restore signals before
 execve()

 Since signals are inherited, we must restore them before calling execve()
 and intercept them again after a failed execve(). In order to cleanly deal
 with the SIGUSR2/SIGHUP loops where we re-exec the wrapper, we ignore these
 two signals during a re-exec, and restore them to defaults when spawning
 haproxy.

 This should be backported to 1.6 and 1.5.
 (cherry picked from commit 4351ea61fbddf88c960179d60b0e0f1b090f0b70)
 ---
 src/haproxy-systemd-wrapper.c | 49 ++++++++++++++++++++++++++++++++++++-------
 1 file changed, 41 insertions(+), 8 deletions(-)

 diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c
 index a78e75b..84d2e17 100644
 --- a/src/haproxy-systemd-wrapper.c
 +++ b/src/haproxy-systemd-wrapper.c
@@ -28,6 +28,11 @@ static char *pid_file = "/run/haproxy.pid";
 static int wrapper_argc;
 static char **wrapper_argv;
 
 +static void setup_signal_handler();
 +static void pause_signal_handler();
 +static void reset_signal_handler();
 +
 +
 /* returns the path to the haproxy binary into <buffer>, whose size indicated
  * in <buffer_size> must be at least 1 byte long.
  */
@@ -76,6 +81,8 @@ static void spawn_haproxy(char **pid_strv, int nb_pid)
 		char **argv = calloc(4 + main_argc + nb_pid + 1, sizeof(char *));
 		int i;
 		int argno = 0;
 +
 +		reset_signal_handler();
 		locate_haproxy(haproxy_bin, 512);
 		argv[argno++] = haproxy_bin;
 		for (i = 0; i < main_argc; ++i)
@@ -127,6 +134,34 @@ static void signal_handler(int signum)
 		caught_signal = signum;
 }
 
 +static void setup_signal_handler()
 +{
 +	struct sigaction sa;
 +
 +	memset(&sa, 0, sizeof(struct sigaction));
 +	sa.sa_handler = &signal_handler;
 +	sigaction(SIGUSR2, &sa, NULL);
 +	sigaction(SIGHUP, &sa, NULL);
 +	sigaction(SIGINT, &sa, NULL);
 +	sigaction(SIGTERM, &sa, NULL);
 +}
 +
 +static void pause_signal_handler()
 +{
 +	signal(SIGUSR2, SIG_IGN);
 +	signal(SIGHUP,  SIG_IGN);
 +	signal(SIGINT,  SIG_DFL);
 +	signal(SIGTERM, SIG_DFL);
 +}
 +
 +static void reset_signal_handler()
 +{
 +	signal(SIGUSR2, SIG_DFL);
 +	signal(SIGHUP,  SIG_DFL);
 +	signal(SIGINT,  SIG_DFL);
 +	signal(SIGTERM, SIG_DFL);
 +}
 +
 /* handles SIGUSR2 and SIGHUP only */
 static void do_restart(int sig)
 {
@@ -134,7 +169,11 @@ static void do_restart(int sig)
 	fprintf(stderr, SD_NOTICE "haproxy-systemd-wrapper: re-executing on %s.\n",
 	        sig == SIGUSR2 ? "SIGUSR2" : "SIGHUP");
 
 +	/* don't let the other process take one of those signals by accident */
 +	pause_signal_handler();
 	execv(wrapper_argv[0], wrapper_argv);
 +	/* failed, let's reinstall the signal handler and continue */
 +	setup_signal_handler();
 }
 
 /* handles SIGTERM and SIGINT only */
@@ -168,7 +207,8 @@ static void init(int argc, char **argv)
 int main(int argc, char **argv)
 {
 	int status;
 -	struct sigaction sa;
 +
 +	setup_signal_handler();
 
 	wrapper_argc = argc;
 	wrapper_argv = argv;
@@ -176,13 +216,6 @@ int main(int argc, char **argv)
 	--argc; ++argv;
 	init(argc, argv);
 
 -	memset(&sa, 0, sizeof(struct sigaction));
 -	sa.sa_handler = &signal_handler;
 -	sigaction(SIGUSR2, &sa, NULL);
 -	sigaction(SIGHUP, &sa, NULL);
 -	sigaction(SIGINT, &sa, NULL);
 -	sigaction(SIGTERM, &sa, NULL);
 -
 	if (getenv(REEXEC_FLAG) != NULL) {
 		/* We are being re-executed: restart HAProxy gracefully */
 		int i;
 -- 
 2.7.3

--- a/net/haproxy/patches/0014-BUG-MINOR-systemd-check-return-value-of-calloc.patch
+++ b/net/haproxy/patches/0014-BUG-MINOR-systemd-check-return-value-of-calloc.patch
@ -1,41 +0,0 @@
 From 106cb89907ea6eab0073708bb8d6f56d7fc64509 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Tue, 25 Oct 2016 17:05:56 +0200
 Subject: [PATCH 14/26] BUG/MINOR: systemd: check return value of calloc()

 The wrapper is not the best reliable thing in the universe, so start
 by adding at least the minimum expected controls :-/

 To be backported to 1.5 and 1.6.
 (cherry picked from commit 3747ea07ce6b647b86559383f7d09b42550d42f3)
 ---
 src/haproxy-systemd-wrapper.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

 diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c
 index 84d2e17..15c48ca 100644
 --- a/src/haproxy-systemd-wrapper.c
 +++ b/src/haproxy-systemd-wrapper.c
@@ -77,11 +77,17 @@ static void spawn_haproxy(char **pid_strv, int nb_pid)
 
 	pid = fork();
 	if (!pid) {
 -		/* 3 for "haproxy -Ds -sf" */
 -		char **argv = calloc(4 + main_argc + nb_pid + 1, sizeof(char *));
 +		char **argv;
 		int i;
 		int argno = 0;
 
 +		/* 3 for "haproxy -Ds -sf" */
 +		argv = calloc(4 + main_argc + nb_pid + 1, sizeof(char *));
 +		if (!argv) {
 +			fprintf(stderr, SD_NOTICE "haproxy-systemd-wrapper: failed to calloc(), please try again later.\n");
 +			exit(1);
 +		}
 +
 		reset_signal_handler();
 		locate_haproxy(haproxy_bin, 512);
 		argv[argno++] = haproxy_bin;
 -- 
 2.7.3

--- a/net/haproxy/patches/0015-MINOR-systemd-report-it-when-execve-fails.patch
+++ b/net/haproxy/patches/0015-MINOR-systemd-report-it-when-execve-fails.patch
@ -1,41 +0,0 @@
 From 3bc0a399d2875e9e0627a70906c1403eef60ec60 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Tue, 25 Oct 2016 16:51:40 +0200
 Subject: [PATCH 15/26] MINOR: systemd: report it when execve() fails

 It's important to know that a signal sent to the wrapper had no effect
 because something failed during execve(). Ideally more info (strerror)
 should be reported. It would be nice to backport this to 1.6 and 1.5.
 (cherry picked from commit a785269b4e09114224062081f02b443b6008c524)
 ---
 src/haproxy-systemd-wrapper.c | 5 +++++
 1 file changed, 5 insertions(+)

 diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c
 index 15c48ca..f4fcab1 100644
 --- a/src/haproxy-systemd-wrapper.c
 +++ b/src/haproxy-systemd-wrapper.c
@@ -107,8 +107,12 @@ static void spawn_haproxy(char **pid_strv, int nb_pid)
 		fprintf(stderr, "\n");
 
 		execv(argv[0], argv);
 +		fprintf(stderr, SD_NOTICE "haproxy-systemd-wrapper: execv(%s) failed, please try again later.\n", argv[0]);
 		exit(1);
 	}
 +	else if (pid == -1) {
 +		fprintf(stderr, SD_NOTICE "haproxy-systemd-wrapper: failed to fork(), please try again later.\n");
 +	}
 }
 
 static int read_pids(char ***pid_strv)
@@ -180,6 +184,7 @@ static void do_restart(int sig)
 	execv(wrapper_argv[0], wrapper_argv);
 	/* failed, let's reinstall the signal handler and continue */
 	setup_signal_handler();
 +	fprintf(stderr, SD_NOTICE "haproxy-systemd-wrapper: re-exec(%s) failed.\n", wrapper_argv[0]);
 }
 
 /* handles SIGTERM and SIGINT only */
 -- 
 2.7.3

--- a/net/haproxy/patches/0016-BUG-MEDIUM-systemd-let-the-wrapper-know-that-haproxy.patch
+++ b/net/haproxy/patches/0016-BUG-MEDIUM-systemd-let-the-wrapper-know-that-haproxy.patch
@ -1,144 +0,0 @@
 From ff81ac47267c4e0227d1e3fbc5b1dedfd81a2a2f Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Tue, 25 Oct 2016 17:20:24 +0200
 Subject: [PATCH 16/26] BUG/MEDIUM: systemd: let the wrapper know that haproxy
 has completed or failed

 Pierre Cheynier found that there's a persistent issue with the systemd
 wrapper. Too fast reloads can lead to certain old processes not being
 signaled at all and continuing to run. The problem was tracked down as
 a race between the startup and the signal processing : nothing prevents
 the wrapper from starting new processes while others are still starting,
 and the resulting pid file will only contain the latest pids in this
 case. This can happen with large configs and/or when a lot of SSL
 certificates are involved.

 In order to solve this we want the wrapper to wait for the new processes
 to complete their startup. But we also want to ensure it doesn't wait for
 nothing in case of error.

 The solution found here is to create a pipe between the wrapper and the
 sub-processes. The wrapper waits on the pipe and the sub-processes are
 expected to close this pipe once they completed their startup. That way
 we don't queue up new processes until the previous ones have registered
 their pids to the pid file. And if anything goes wrong, the wrapper is
 immediately released. The only thing is that we need the sub-processes
 to know the pipe's file descriptor. We pass it in an environment variable
 called HAPROXY_WRAPPER_FD.

 It was confirmed both by Pierre and myself that this completely solves
 the "zombie" process issue so that only the new processes continue to
 listen on the sockets.

 It seems that in the future this stuff could be moved to the haproxy
 master process, also getting rid of an environment variable.

 This fix needs to be backported to 1.6 and 1.5.
 (cherry picked from commit b957109727f7fed556c049d40bacf45f0df211db)
 ---
 src/haproxy-systemd-wrapper.c | 36 ++++++++++++++++++++++++++++++++++++
 src/haproxy.c                 | 10 ++++++++++
 2 files changed, 46 insertions(+)

 diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c
 index f4fcab1..b426f96 100644
 --- a/src/haproxy-systemd-wrapper.c
 +++ b/src/haproxy-systemd-wrapper.c
@@ -65,16 +65,30 @@ static void locate_haproxy(char *buffer, size_t buffer_size)
 	return;
 }
 
 +/* Note: this function must not exit in case of error (except in the child), as
 + * it is only dedicated the starting a new haproxy process. By keeping the
 + * process alive it will ensure that future signal delivery may get rid of
 + * the issue. If the first startup fails, the wrapper will notice it and
 + * return an error thanks to wait() returning ECHILD.
 + */
 static void spawn_haproxy(char **pid_strv, int nb_pid)
 {
 	char haproxy_bin[512];
 	pid_t pid;
 	int main_argc;
 	char **main_argv;
 +	int pipefd[2];
 +	char fdstr[20];
 +	int ret;
 
 	main_argc = wrapper_argc - 1;
 	main_argv = wrapper_argv + 1;
 
 +	if (pipe(pipefd) != 0) {
 +		fprintf(stderr, SD_NOTICE "haproxy-systemd-wrapper: failed to create a pipe, please try again later.\n");
 +		return;
 +	}
 +
 	pid = fork();
 	if (!pid) {
 		char **argv;
@@ -89,6 +103,15 @@ static void spawn_haproxy(char **pid_strv, int nb_pid)
 		}
 
 		reset_signal_handler();
 +
 +		close(pipefd[0]); /* close the read side */
 +
 +		snprintf(fdstr, sizeof(fdstr), "%d", pipefd[1]);
 +		if (setenv("HAPROXY_WRAPPER_FD", fdstr, 1) != 0) {
 +			fprintf(stderr, SD_NOTICE "haproxy-systemd-wrapper: failed to setenv(), please try again later.\n");
 +			exit(1);
 +		}
 +
 		locate_haproxy(haproxy_bin, 512);
 		argv[argno++] = haproxy_bin;
 		for (i = 0; i < main_argc; ++i)
@@ -113,6 +136,19 @@ static void spawn_haproxy(char **pid_strv, int nb_pid)
 	else if (pid == -1) {
 		fprintf(stderr, SD_NOTICE "haproxy-systemd-wrapper: failed to fork(), please try again later.\n");
 	}
 +
 +	/* The parent closes the write side and waits for the child to close it
 +	 * as well. Also deal the case where the fd would unexpectedly be 1 or 2
 +	 * by silently draining all data.
 +	 */
 +	close(pipefd[1]);
 +
 +	do {
 +		char c;
 +		ret = read(pipefd[0], &c, sizeof(c));
 +	} while ((ret > 0) || (ret == -1 && errno == EINTR));
 +	/* the child has finished starting up */
 +	close(pipefd[0]);
 }
 
 static int read_pids(char ***pid_strv)
 diff --git a/src/haproxy.c b/src/haproxy.c
 index a657dc4..2d476f2 100644
 --- a/src/haproxy.c
 +++ b/src/haproxy.c
@@ -1843,6 +1843,7 @@ int main(int argc, char **argv)
 		int ret = 0;
 		int *children = calloc(global.nbproc, sizeof(int));
 		int proc;
 +		char *wrapper_fd;
 
 		/* the father launches the required number of processes */
 		for (proc = 0; proc < global.nbproc; proc++) {
@@ -1879,6 +1880,15 @@ int main(int argc, char **argv)
 			close(pidfd);
 		}
 
 +		/* each child must notify the wrapper that it's ready by closing the requested fd */
 +		wrapper_fd = getenv("HAPROXY_WRAPPER_FD");
 +		if (wrapper_fd) {
 +			int pipe_fd = atoi(wrapper_fd);
 +
 +			if (pipe_fd >= 0)
 +				close(pipe_fd);
 +		}
 +
 		/* We won't ever use this anymore */
 		free(oldpids);        oldpids = NULL;
 		free(global.chroot);  global.chroot = NULL;
 -- 
 2.7.3

--- a/net/haproxy/patches/0017-BUILD-protocol-fix-some-build-errors-on-OpenBSD.patch
+++ b/net/haproxy/patches/0017-BUILD-protocol-fix-some-build-errors-on-OpenBSD.patch
@ -1,32 +0,0 @@
 From 4fc2ce4a4bb83862679e40c09c684dbf266099f2 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Wed, 10 Aug 2016 18:24:48 +0200
 Subject: [PATCH 17/26] BUILD: protocol: fix some build errors on OpenBSD

 Building 1.6 and above on OpenBSD 5.2 fails due to protocol.c not
 including sys/types.h before sys/socket.h :

  In file included from src/protocol.c:14:
  /usr/include/sys/socket.h:162: error: expected specifier-qualifier-list before 'u_int8_t'

 This fix needs to be backported to 1.6.
 (cherry picked from commit a6e3be7ae977ba907ec6ed028c5ab50a6a51886a)
 ---
 src/protocol.c | 1 +
 1 file changed, 1 insertion(+)

 diff --git a/src/protocol.c b/src/protocol.c
 index 3caccb6..7884ef7 100644
 --- a/src/protocol.c
 +++ b/src/protocol.c
@@ -10,6 +10,7 @@
  *
  */
 
 +#include <sys/types.h>
 #include <sys/socket.h>
 
 #include <common/config.h>
 -- 
 2.7.3

--- a/net/haproxy/patches/0018-BUILD-log-iovec-requires-to-include-sys-uio.h-on-Ope.patch
+++ b/net/haproxy/patches/0018-BUILD-log-iovec-requires-to-include-sys-uio.h-on-Ope.patch
@ -1,32 +0,0 @@
 From 27f28950d4f9e44e776db5a5d2bc8d07df45eb30 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Wed, 10 Aug 2016 18:30:56 +0200
 Subject: [PATCH 18/26] BUILD: log: iovec requires to include sys/uio.h on
 OpenBSD

 The following commit merged into 1.6-dev6 broke the build on OpenBSD :

  609ac2a ("MEDIUM: log: replace sendto() with sendmsg() in __send_log()")

 Including sys/uio.h is enough to fix this. This fix needs to be backported
 to 1.6.
 (cherry picked from commit 077edcba2e5c25524b720f905417d9f0616cd252)
 ---
 src/log.c | 1 +
 1 file changed, 1 insertion(+)

 diff --git a/src/log.c b/src/log.c
 index 1ddc06d..293a034 100644
 --- a/src/log.c
 +++ b/src/log.c
@@ -22,6 +22,7 @@
 #include <errno.h>
 
 #include <sys/time.h>
 +#include <sys/uio.h>
 
 #include <common/config.h>
 #include <common/compat.h>
 -- 
 2.7.3

--- a/net/haproxy/patches/0019-BUILD-tcp-do-not-include-netinet-ip.h-for-IP_TTL.patch
+++ b/net/haproxy/patches/0019-BUILD-tcp-do-not-include-netinet-ip.h-for-IP_TTL.patch
@ -1,32 +0,0 @@
 From 2a63a2b7e32bba4a33c5f4081647124565929f6a Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Wed, 10 Aug 2016 18:42:17 +0200
 Subject: [PATCH 19/26] BUILD: tcp: do not include netinet/ip.h for IP_TTL

 On OpenBSD, netinet/ip.h fails unless in_systm.h is included. This
 include was added by the silent-drop feature introduced with commit
 2d392c2 ("MEDIUM: tcp: add new tcp action "silent-drop"") in 1.6-dev6,
 but we don't need it, IP_TTL is defined in netinet/in.h, so let's drop
 this useless include.

 This fix needs to be backported to 1.6.
 (cherry picked from commit 7f3e3c0159401cdf47575bc82304696b3a98a2ab)
 ---
 src/proto_tcp.c | 1 -
 1 file changed, 1 deletion(-)

 diff --git a/src/proto_tcp.c b/src/proto_tcp.c
 index 0f20fde..83b862a 100644
 --- a/src/proto_tcp.c
 +++ b/src/proto_tcp.c
@@ -31,7 +31,6 @@
 
 #include <netinet/tcp.h>
 #include <netinet/in.h>
 -#include <netinet/ip.h>
 
 #include <common/cfgparse.h>
 #include <common/compat.h>
 -- 
 2.7.3

--- a/net/haproxy/patches/0020-BUILD-checks-remove-the-last-strcat-and-eliminate-a-.patch
+++ b/net/haproxy/patches/0020-BUILD-checks-remove-the-last-strcat-and-eliminate-a-.patch
@ -1,48 +0,0 @@
 From a581cf03110f13c61faeaf87efa5b4e2777087d0 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Wed, 10 Aug 2016 19:29:09 +0200
 Subject: [PATCH 20/26] BUILD: checks: remove the last strcat and eliminate a
 warning on OpenBSD

 OpenBSD emits warnings on usages of strcpy, strcat and sprintf (and
 probably a few others). Here we have a single such warning in all the code
 reintroduced by commit 0ba0e4a ("MEDIUM: Support sending email alerts") in
 1.6-dev1. Let's get rid of it, the open-coding of strcat is as small as its
 usage and the the result is even more efficient.

 This fix needs to be backported to 1.6.
 (cherry picked from commit 64345aaaf0dc2739983902cce4667089ad926a49)
 ---
 src/checks.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

 diff --git a/src/checks.c b/src/checks.c
 index 80b2fc3..55c13a9 100644
 --- a/src/checks.c
 +++ b/src/checks.c
@@ -3164,6 +3164,8 @@ static int add_tcpcheck_expect_str(struct list *list, const char *str)
 static int add_tcpcheck_send_strs(struct list *list, const char * const *strs)
 {
 	struct tcpcheck_rule *tcpcheck;
 +	const char *in;
 +	char *dst;
 	int i;
 
 	tcpcheck = calloc(1, sizeof *tcpcheck);
@@ -3181,10 +3183,11 @@ static int add_tcpcheck_send_strs(struct list *list, const char * const *strs)
 		free(tcpcheck);
 		return 0;
 	}
 -	tcpcheck->string[0] = '\0';
 
 +	dst = tcpcheck->string;
 	for (i = 0; strs[i]; i++)
 -		strcat(tcpcheck->string, strs[i]);
 +		for (in = strs[i]; (*dst = *in++); dst++);
 +	*dst = 0;
 
 	LIST_ADDQ(list, &tcpcheck->list);
 	return 1;
 -- 
 2.7.3

--- a/net/haproxy/patches/0021-BUILD-poll-remove-unused-hap_fd_isset-which-causes-a.patch
+++ b/net/haproxy/patches/0021-BUILD-poll-remove-unused-hap_fd_isset-which-causes-a.patch
@ -1,39 +0,0 @@
 From a19f5bfb0d1e606dc2eb80af903c229ca41d5057 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Wed, 10 Aug 2016 21:21:57 +0200
 Subject: [PATCH 21/26] BUILD: poll: remove unused hap_fd_isset() which causes
 a warning with clang

 Clang reports that this function is not used :

 src/ev_poll.c:34:28: warning: unused function 'hap_fd_isset' [-Wunused-function]
 static inline unsigned int hap_fd_isset(int fd, unsigned int *evts)

 It's been true since the rework of the pollers in 1.5 and it's unlikely we'll
 ever need it anymore, so better remove it now to provide clean builds.

 This fix can be backported to 1.6 and 1.5 now.
 (cherry picked from commit 091e86e1ee8ec51bd5a3c1935666a822a51b9051)
 ---
 src/ev_poll.c | 5 -----
 1 file changed, 5 deletions(-)

 diff --git a/src/ev_poll.c b/src/ev_poll.c
 index 44a2b9b..80d88eb 100644
 --- a/src/ev_poll.c
 +++ b/src/ev_poll.c
@@ -31,11 +31,6 @@ static unsigned int *fd_evts[2];
 static struct pollfd *poll_events = NULL;
 
 
 -static inline unsigned int hap_fd_isset(int fd, unsigned int *evts)
 -{
 -	return evts[fd / (8*sizeof(*evts))] & (1U << (fd & (8*sizeof(*evts) - 1)));
 -}
 -
 static inline void hap_fd_set(int fd, unsigned int *evts)
 {
 	evts[fd / (8*sizeof(*evts))] |= 1U << (fd & (8*sizeof(*evts) - 1));
 -- 
 2.7.3

--- a/net/haproxy/patches/0022-MINOR-cfgparse-few-memory-leaks-fixes.patch
+++ b/net/haproxy/patches/0022-MINOR-cfgparse-few-memory-leaks-fixes.patch
@ -1,48 +0,0 @@
 From e871cc2f15ad121e1e840191f59c6c86d6d0580d Mon Sep 17 00:00:00 2001
 From: David Carlier <devnexen@gmail.com>
 Date: Mon, 22 Aug 2016 23:27:42 +0100
 Subject: [PATCH 22/26] MINOR: cfgparse: few memory leaks fixes.

 Some minor memory leak during the config parsing.
 (cherry picked from commit 70d604593d507f50fd99cebecee4b2c47c1d9b73)
 ---
 src/cfgparse.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

 diff --git a/src/cfgparse.c b/src/cfgparse.c
 index f2a104d..b8289a2 100644
 --- a/src/cfgparse.c
 +++ b/src/cfgparse.c
@@ -1597,6 +1597,7 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
 			if (logsrv->format < 0) {
 				Alert("parsing [%s:%d] : unknown log format '%s'\n", file, linenum, args[arg+3]);
 				err_code |= ERR_ALERT | ERR_FATAL;
 +				free(logsrv);
 				goto out;
 			}
 
@@ -6777,9 +6778,10 @@ cfg_parse_users(const char *file, int linenum, char **args, int kwm)
 		}
 
 		ag->name = strdup(args[1]);
 -		if (!ag) {
 +		if (!ag->name) {
 			Alert("parsing [%s:%d]: out of memory.\n", file, linenum);
 			err_code |= ERR_ALERT | ERR_ABORT;
 +			free(ag);
 			goto out;
 		}
 
@@ -6794,6 +6796,9 @@ cfg_parse_users(const char *file, int linenum, char **args, int kwm)
 				Alert("parsing [%s:%d]: '%s' only supports 'users' option.\n",
 				      file, linenum, args[0]);
 				err_code |= ERR_ALERT | ERR_FATAL;
 +				free(ag->groupusers);
 +				free(ag->name);
 +				free(ag);
 				goto out;
 			}
 		}
 -- 
 2.7.3

--- a/net/haproxy/patches/0023-MINOR-build-Allow-linking-to-device-atlas-library-fi.patch
+++ b/net/haproxy/patches/0023-MINOR-build-Allow-linking-to-device-atlas-library-fi.patch
@ -1,33 +0,0 @@
 From 5370c6774a333b2b3989639275d4093fdc541db9 Mon Sep 17 00:00:00 2001
 From: Bertrand Jacquin <bertrand@jacquin.bzh>
 Date: Thu, 6 Oct 2016 00:32:39 +0100
 Subject: [PATCH 23/26] MINOR: build: Allow linking to device-atlas library
 file

 DeviceAtlas might be installed in a location where a user might not have
 enough permissions to write json.o and dac.o
 (cherry picked from commit 3a2661d6b4218704c828c8a712c87d651bfe29b5)
 ---
 Makefile | 4 ++++
 1 file changed, 4 insertions(+)

 diff --git a/Makefile b/Makefile
 index 1d0f2bc..0242cae 100644
 --- a/Makefile
 +++ b/Makefile
@@ -615,8 +615,12 @@ endif
 DEVICEATLAS_SRC =
 DEVICEATLAS_INC = $(DEVICEATLAS_SRC)
 DEVICEATLAS_LIB = $(DEVICEATLAS_SRC)
 +ifeq ($(DEVICEATLAS_SRC),)
 +OPTIONS_LDFLAGS += -lda
 +else
 OPTIONS_OBJS	+= $(DEVICEATLAS_LIB)/json.o
 OPTIONS_OBJS	+= $(DEVICEATLAS_LIB)/dac.o
 +endif
 OPTIONS_OBJS	+= src/da.o
 OPTIONS_CFLAGS += -DUSE_DEVICEATLAS $(if $(DEVICEATLAS_INC),-I$(DEVICEATLAS_INC))
 BUILD_OPTIONS  += $(call ignore_implicit,USE_DEVICEATLAS)
 -- 
 2.7.3

--- a/net/haproxy/patches/0024-DOC-Fix-typo-in-description-of-st-parameter-in-man-p.patch
+++ b/net/haproxy/patches/0024-DOC-Fix-typo-in-description-of-st-parameter-in-man-p.patch
@ -1,32 +0,0 @@
 From f95dc972e2e9e3c245862e45336ff4f014ad5666 Mon Sep 17 00:00:00 2001
 From: Jorrit Schippers <jorrit@ncode.nl>
 Date: Sat, 9 Apr 2016 20:30:38 +0200
 Subject: [PATCH 24/26] DOC: Fix typo in description of `-st` parameter in man
 page

 extra "wait".
 (cherry picked from commit 1458fdbe974562158fc40fd72d745d5fd644c939)
 ---
 doc/haproxy.1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

 diff --git a/doc/haproxy.1 b/doc/haproxy.1
 index a836d5d..20c9343 100644
 --- a/doc/haproxy.1
 +++ b/doc/haproxy.1
@@ -149,9 +149,9 @@ PIDs. Technically speaking, \fBSIGTTOU\fP and \fBSIGUSR1\fP are sent.
 .TP
 \fB\-st <pidlist>\fP
 Send TERMINATE signal to the pids in pidlist after startup. The processes
 -which receive this signal will wait immediately terminate, closing all
 -active sessions. This option must be specified last, followed by any number
 -of PIDs. Technically speaking, \fBSIGTTOU\fP and \fBSIGTERM\fP are sent.
 +which receive this signal will terminate immediately, closing all active
 +sessions. This option must be specified last, followed by any number of
 +PIDs. Technically speaking, \fBSIGTTOU\fP and \fBSIGTERM\fP are sent.
 
 .SH LOGGING
 Since HAProxy can run inside a chroot, it cannot reliably access /dev/log.
 -- 
 2.7.3

--- a/net/haproxy/patches/0025-BUG-MEDIUM-peers-on-shutdown-wake-up-the-appctx-not-.patch
+++ b/net/haproxy/patches/0025-BUG-MEDIUM-peers-on-shutdown-wake-up-the-appctx-not-.patch
@ -1,39 +0,0 @@
 From 6026323cd0c235d6ab7ec039e5d735e7ea2e28bf Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Mon, 31 Oct 2016 17:32:20 +0100
 Subject: [PATCH 25/26] BUG/MEDIUM: peers: on shutdown, wake up the appctx, not
 the stream

 This part was missed when peers were ported to the new applet
 infrastructure in 1.6, the main stream is woken up instead of the
 appctx. This creates a race condition by which it is possible to
 wake the stream at the wrong moment and miss an event. This bug
 might be at least partially responsible for some of the CLOSE_WAIT
 that were reported on peers session upon reload in version 1.6.

 This fix must be backported to 1.6.
 (cherry picked from commit 78c0c50705a5e9d48607b9377adf030bb9d97b34)
 ---
 src/peers.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

 diff --git a/src/peers.c b/src/peers.c
 index 7e1523f..db1f608 100644
 --- a/src/peers.c
 +++ b/src/peers.c
@@ -1637,11 +1637,9 @@ static void peer_session_forceshutdown(struct stream * stream)
 	if (ps)
 		ps->reconnect = tick_add(now_ms, MS_TO_TICKS(50 + random() % 2000));
 
 -	/* call release to reinit resync states if needed */
 -	peer_session_release(appctx);
 	appctx->st0 = PEER_SESS_ST_END;
 	appctx->ctx.peers.ptr = NULL;
 -	task_wakeup(stream->task, TASK_WOKEN_MSG);
 +	appctx_wakeup(appctx);
 }
 
 /* Pre-configures a peers frontend to accept incoming connections */
 -- 
 2.7.3

--- a/net/haproxy/patches/0026-BUG-MEDIUM-peers-fix-use-after-free-in-peer_session_.patch
+++ b/net/haproxy/patches/0026-BUG-MEDIUM-peers-fix-use-after-free-in-peer_session_.patch
@ -1,64 +0,0 @@
 From ab45181e36b6c4f7d31c5284035937c2d0be37eb Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Mon, 31 Oct 2016 17:46:57 +0100
 Subject: [PATCH 26/26] BUG/MEDIUM: peers: fix use after free in
 peer_session_create()

 In case of resource allocation error, peer_session_create() frees
 everything allocated and returns a pointer to the stream/session that
 was put back into the free pool. This stream/session is then assigned
 to ps->{stream,session} with no error control. This means that it is
 perfectly possible to have a new stream or session being both used for
 a regular communication and for a peer at the same time.

 In fact it is the only way (for now) to explain a CLOSE_WAIT on peers
 connections that was caught in this dump with the stream interface in
 SI_ST_CON state while the error field proves the state ought to have
 been SI_ST_DIS, very likely indicating two concurrent accesses on the
 same area :

  0x7dbd50: [31/Oct/2016:17:53:41.267510] id=0 proto=tcpv4
    flags=0x23006, conn_retries=0, srv_conn=(nil), pend_pos=(nil)
    frontend=myhost2 (id=4294967295 mode=tcp), listener=? (id=0)
    backend=<NONE> (id=-1 mode=-) addr=127.0.0.1:41432
    server=<NONE> (id=-1) addr=127.0.0.1:8521
    task=0x7dbcd8 (state=0x08 nice=0 calls=2 exp=<NEVER> age=1m5s)
    si[0]=0x7dbf48 (state=CLO flags=0x4040 endp0=APPCTX:0x7d99c8 exp=<NEVER>, et=0x000)
    si[1]=0x7dbf68 (state=CON flags=0x50 endp1=CONN:0x7dc0b8 exp=<NEVER>, et=0x020)
    app0=0x7d99c8 st0=11 st1=0 st2=0 applet=<PEER>
    co1=0x7dc0b8 ctrl=tcpv4 xprt=RAW data=STRM target=PROXY:0x7fe62028a010
        flags=0x0020b310 fd=7 fd.state=22 fd.cache=0 updt=0
    req=0x7dbd60 (f=0x80a020 an=0x0 pipe=0 tofwd=0 total=0)
        an_exp=<NEVER> rex=<NEVER> wex=<NEVER>
        buf=0x78a3c0 data=0x78a3d4 o=0 p=0 req.next=0 i=0 size=0
    res=0x7dbda0 (f=0x80402020 an=0x0 pipe=0 tofwd=0 total=0)
        an_exp=<NEVER> rex=<NEVER> wex=<NEVER>
        buf=0x78a3c0 data=0x78a3d4 o=0 p=0 rsp.next=0 i=0 size=0

 Special thanks to Arnaud Gavara who provided lots of valuable input and
 ran some validation testing on this patch.

 This fix must be backported to 1.6 and 1.5. Note that in 1.5 the
 session is not assigned from within the function so some extra checks
 may be needed in the callers.
 (cherry picked from commit b21d08e2492bfbf9d2341ce9f148cb9845927862)
 ---
 src/peers.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/src/peers.c b/src/peers.c
 index db1f608..c8be59a 100644
 --- a/src/peers.c
 +++ b/src/peers.c
@@ -1747,7 +1747,7 @@ static struct stream *peer_session_create(struct peers *peers, struct peer *peer
  out_free_appctx:
 	appctx_free(appctx);
  out_close:
 -	return s;
 +	return NULL;
 }
 
 /*
 -- 
 2.7.3

--- a/net/haproxy/patches/0027-BUG-MEDIUM-systemd-wrapper-return-correct-exit-codes.patch
+++ b/net/haproxy/patches/0027-BUG-MEDIUM-systemd-wrapper-return-correct-exit-codes.patch
@ -1,70 +0,0 @@
 From 0a2117dc29147ed990732d1b2fc9779835820f3e Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Thu, 3 Nov 2016 20:31:40 +0100
 Subject: [PATCH 27/31] BUG/MEDIUM: systemd-wrapper: return correct exit codes

 Gabriele Cerami reported the the exit codes of the systemd-wrapper are
 wrong. In short, it directly returns the output of the wait syscall's
 status, which is a composite value made of error code an signal numbers.
 In general it contains the signal number on the lower bits and the error
 code on the higher bits, but exit() truncates it to the lowest 8 bits,
 causing config validations to incorrectly report a success. Example :

  $ ./haproxy-systemd-wrapper -c -f /dev/null
  <7>haproxy-systemd-wrapper: executing /tmp/haproxy -c -f /dev/null -Ds
  Configuration file has no error but will not start (no listener) => exit(2).
  <5>haproxy-systemd-wrapper: exit, haproxy RC=512
  $ echo $?
  0

 If the process is killed however, the signal number is directly reported
 in the exit code.

 Let's fix all this to ensure that the exit code matches what the shell does,
 which means that codes 0..127 are for exit codes, codes 128..254 for signals,
 and code 255 for unknown exit code. Now the return code is correct :

  $ ./haproxy-systemd-wrapper -c -f /dev/null
  <7>haproxy-systemd-wrapper: executing /tmp/haproxy -c -f /dev/null -Ds
  Configuration file has no error but will not start (no listener) => exit(2).
  <5>haproxy-systemd-wrapper: exit, haproxy RC=2
  $ echo $?
  2

  $ ./haproxy-systemd-wrapper -f /tmp/cfg.conf
  <7>haproxy-systemd-wrapper: executing /tmp/haproxy -f /dev/null -Ds
  ^C
  <5>haproxy-systemd-wrapper: exit, haproxy RC=130
  $ echo $?
  130

 This fix must be backported to 1.6 and 1.5.
 (cherry picked from commit f7659cb10cb0420c7ca06fad1067207021d2a078)
 ---
 src/haproxy-systemd-wrapper.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

 diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c
 index b426f96..f6a9c85 100644
 --- a/src/haproxy-systemd-wrapper.c
 +++ b/src/haproxy-systemd-wrapper.c
@@ -295,6 +295,16 @@ int main(int argc, char **argv)
 		}
 	}
 
 +	/* return either exit code or signal+128 */
 +	if (WIFEXITED(status))
 +		status = WEXITSTATUS(status);
 +	else if (WIFSIGNALED(status))
 +		status = 128 + WTERMSIG(status);
 +	else if (WIFSTOPPED(status))
 +		status = 128 + WSTOPSIG(status);
 +	else
 +		status = 255;
 +
 	fprintf(stderr, SD_NOTICE "haproxy-systemd-wrapper: exit, haproxy RC=%d\n",
 			status);
 	return status;
 -- 
 2.7.3

--- a/net/haproxy/patches/0028-BUG-MEDIUM-srv-state-properly-restore-the-DRAIN-stat.patch
+++ b/net/haproxy/patches/0028-BUG-MEDIUM-srv-state-properly-restore-the-DRAIN-stat.patch
@ -1,72 +0,0 @@
 From 74ffd0cd0cecaeec3cfa848cbc03beb08999cc72 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Thu, 3 Nov 2016 18:19:49 +0100
 Subject: [PATCH 28/31] BUG/MEDIUM: srv-state: properly restore the DRAIN state

 There were seveal reports about the DRAIN state not being properly
 restored upon reload.

 It happens that the condition in the code does exactly the opposite
 of what the comment says, and the comment is right so the code is
 wrong.

 It's worth noting that the conditions are complex here due to the 2
 available methods to set the drain state (CLI/agent, and config's
 weight). To paraphrase the updated comment in the code, there are
 two possible reasons for FDRAIN to have been present :
  - previous config weight was zero
  - "set server b/s drain" was sent to the CLI

 In the first case, we simply want to drop this drain state if the new
 weight is not zero anymore, meaning the administrator has intentionally
 turned the weight back to a positive value to enable the server again
 after an operation. In the second case, the drain state was forced on
 the CLI regardless of the config's weight so we don't want a change to
 the config weight to lose this status. What this means is :
  - if previous weight was 0 and new one is >0, drop the DRAIN state.
  - if the previous weight was >0, keep it.

 This fix must be backported to 1.6.
 (cherry picked from commit 22cace2f4c3cbeca27c1941c647e7ae38ec8c0c0)
 ---
 src/server.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

 diff --git a/src/server.c b/src/server.c
 index 79b3cb2..b9e72b7 100644
 --- a/src/server.c
 +++ b/src/server.c
@@ -2093,15 +2093,23 @@ static void srv_update_state(struct server *srv, int version, char **params)
 			/* apply drain mode if server is currently enabled */
 			if (!(srv->admin & SRV_ADMF_FMAINT) && (srv_admin_state & SRV_ADMF_FDRAIN)) {
 				/* The SRV_ADMF_FDRAIN flag is inherited when srv->iweight is 0
 -				 * (srv->iweight is the weight set up in configuration)
 -				 * so we don't want to apply it when srv_iweight is 0 and
 -				 * srv->iweight is greater than 0. Purpose is to give the
 -				 * chance to the admin to re-enable this server from configuration
 -				 * file by setting a new weight > 0.
 +				 * (srv->iweight is the weight set up in configuration).
 +				 * There are two possible reasons for FDRAIN to have been present :
 +				 *   - previous config weight was zero
 +				 *   - "set server b/s drain" was sent to the CLI
 +				 *
 +				 * In the first case, we simply want to drop this drain state
 +				 * if the new weight is not zero anymore, meaning the administrator
 +				 * has intentionally turned the weight back to a positive value to
 +				 * enable the server again after an operation. In the second case,
 +				 * the drain state was forced on the CLI regardless of the config's
 +				 * weight so we don't want a change to the config weight to lose this
 +				 * status. What this means is :
 +				 *   - if previous weight was 0 and new one is >0, drop the DRAIN state.
 +				 *   - if the previous weight was >0, keep it.
 				 */
 -				if ((srv_iweight == 0) && (srv->iweight > 0)) {
 +				if (srv_iweight > 0 || srv->iweight == 0)
 					srv_adm_set_drain(srv);
 -				}
 			}
 
 			srv->last_change = date.tv_sec - srv_last_time_change;
 -- 
 2.7.3

--- a/net/haproxy/patches/0029-BUG-MINOR-srv-state-allow-to-have-both-CMAINT-and-FD.patch
+++ b/net/haproxy/patches/0029-BUG-MINOR-srv-state-allow-to-have-both-CMAINT-and-FD.patch
@ -1,33 +0,0 @@
 From d6649c499b8ca4fb0bf93153c2a149c78e8a76f8 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Thu, 3 Nov 2016 18:33:25 +0100
 Subject: [PATCH 29/31] BUG/MINOR: srv-state: allow to have both CMAINT and
 FDRAIN flags

 CMAINT indicates that the server was *initially* disabled in the
 configuration via the "disabled" keyword. FDRAIN indicates that the
 server was switched to the DRAIN state from the CLI or the agent.
 This it's perfectly valid to have both of them in the state file,
 so the parser must not reject this combination.

 This fix must be backported to 1.6.
 (cherry picked from commit e1bde1492a30f5036ca58248e50c27a9e116d9cc)
 ---
 src/server.c | 1 +
 1 file changed, 1 insertion(+)

 diff --git a/src/server.c b/src/server.c
 index b9e72b7..b0c7bbe 100644
 --- a/src/server.c
 +++ b/src/server.c
@@ -1961,6 +1961,7 @@ static void srv_update_state(struct server *srv, int version, char **params)
 			     srv_admin_state != SRV_ADMF_IMAINT &&
 			     srv_admin_state != SRV_ADMF_CMAINT &&
 			     srv_admin_state != (SRV_ADMF_CMAINT | SRV_ADMF_FMAINT) &&
 +			     srv_admin_state != (SRV_ADMF_CMAINT | SRV_ADMF_FDRAIN) &&
 			     srv_admin_state != SRV_ADMF_FDRAIN &&
 			     srv_admin_state != SRV_ADMF_IDRAIN)) {
 				chunk_appendf(msg, ", invalid srv_admin_state value '%s'", params[2]);
 -- 
 2.7.3

--- a/net/haproxy/patches/0030-BUG-MEDIUM-servers-properly-propagate-the-maintenanc.patch
+++ b/net/haproxy/patches/0030-BUG-MEDIUM-servers-properly-propagate-the-maintenanc.patch
@ -1,172 +0,0 @@
 From c449c9835e7d9e02cf0aeafc482364d5090db543 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Thu, 3 Nov 2016 19:22:19 +0100
 Subject: [PATCH 30/31] BUG/MEDIUM: servers: properly propagate the maintenance
 states during startup

 Right now there is an issue with the way the maintenance flags are
 propagated upon startup. They are not propagate, just copied from the
 tracked server. This implies that depending on the server's order, some
 tracking servers may not be marked down. For example this configuration
 does not work as expected :

        server s1 1.1.1.1:8000 track s2
        server s2 1.1.1.1:8000 track s3
        server s3 1.1.1.1:8000 track s4
        server s4 wtap:8000 check inter 1s disabled

 It results in s1/s2 being up, and s3/s4 being down, while all of them
 should be down.

 The only clean way to process this is to run through all "root" servers
 (those not tracking any other server), and to propagate their state down
 to all their trackers. This is the same algorithm used to propagate the
 state changes. It has to be done both to compute the IDRAIN flag and the
 IMAINT flag. However, doing so requires that tracking servers are not
 marked as inherited maintenance anymore while parsing the configuration
 (and given that it is wrong, better drop it).

 This fix also addresses another side effect of the bug above which is
 that the IDRAIN/IMAINT flags are stored in the state files, and if
 restored while the tracked server doesn't have the equivalent flag,
 the servers may end up in a situation where it's impossible to remove
 these flags. For example in the configuration above, after removing
 "disabled" on server s4, the other servers would have remained down,
 and not anymore with this fix. Similarly, the combination of IMAINT
 or IDRAIN with their respective forced modes was not accepted on
 reload, which is wrong as well.

 This bug has been present at least since 1.5, maybe even 1.4 (it came
 with tracking support). The fix needs to be backported there, though
 the srv-state parts are irrelevant.

 This commit relies on previous patch to silence warnings on startup.
 (cherry picked from commit 757478e900ebc1e67c1fe060b9b561d276cab3e1)
 ---
 include/proto/server.h |  1 +
 src/cfgparse.c         |  7 -------
 src/haproxy.c          |  4 ++++
 src/server.c           | 42 +++++++++++++++++++++++++++++++++++++++---
 4 files changed, 44 insertions(+), 10 deletions(-)

 diff --git a/include/proto/server.h b/include/proto/server.h
 index d75cc9f..b6572ba 100644
 --- a/include/proto/server.h
 +++ b/include/proto/server.h
@@ -44,6 +44,7 @@ struct server *server_find_by_id(struct proxy *bk, int id);
 struct server *server_find_by_name(struct proxy *bk, const char *name);
 struct server *server_find_best_match(struct proxy *bk, char *name, int id, int *diff);
 void apply_server_state(void);
 +void srv_compute_all_admin_states(struct proxy *px);
 
 /* functions related to server name resolution */
 int snr_update_srv_status(struct server *s);
 diff --git a/src/cfgparse.c b/src/cfgparse.c
 index b8289a2..365b283 100644
 --- a/src/cfgparse.c
 +++ b/src/cfgparse.c
@@ -8275,13 +8275,6 @@ out_uri_auth_compat:
 					goto next_srv;
 				}
 
 -				/* if the other server is forced disabled, we have to do the same here */
 -				if (srv->admin & SRV_ADMF_MAINT) {
 -					newsrv->admin |= SRV_ADMF_IMAINT;
 -					newsrv->state = SRV_ST_STOPPED;
 -					newsrv->check.health = 0;
 -				}
 -
 				newsrv->track = srv;
 				newsrv->tracknext = srv->trackers;
 				srv->trackers = newsrv;
 diff --git a/src/haproxy.c b/src/haproxy.c
 index 2d476f2..1699132 100644
 --- a/src/haproxy.c
 +++ b/src/haproxy.c
@@ -566,6 +566,7 @@ void init(int argc, char **argv)
 	struct wordlist *wl;
 	char *progname;
 	char *change_dir = NULL;
 +	struct proxy *px;
 
 	chunk_init(&trash, malloc(global.tune.bufsize), global.tune.bufsize);
 	alloc_trash_buffers(global.tune.bufsize);
@@ -852,6 +853,9 @@ void init(int argc, char **argv)
 	/* Apply server states */
 	apply_server_state();
 
 +	for (px = proxy; px; px = px->next)
 +		srv_compute_all_admin_states(px);
 +
 	global_listener_queue_task = task_new();
 	if (!global_listener_queue_task) {
 		Alert("Out of memory when initializing global task\n");
 diff --git a/src/server.c b/src/server.c
 index b0c7bbe..f2923ae 100644
 --- a/src/server.c
 +++ b/src/server.c
@@ -705,6 +705,40 @@ void srv_clr_admin_flag(struct server *s, enum srv_admin mode)
 		srv_clr_admin_flag(srv, mode);
 }
 
 +/* principle: propagate maint and drain to tracking servers. This is useful
 + * upon startup so that inherited states are correct.
 + */
 +static void srv_propagate_admin_state(struct server *srv)
 +{
 +	struct server *srv2;
 +
 +	if (!srv->trackers)
 +		return;
 +
 +	for (srv2 = srv->trackers; srv2; srv2 = srv2->tracknext) {
 +		if (srv->admin & (SRV_ADMF_MAINT | SRV_ADMF_CMAINT))
 +			srv_set_admin_flag(srv2, SRV_ADMF_IMAINT);
 +
 +		if (srv->admin & SRV_ADMF_DRAIN)
 +			srv_set_admin_flag(srv2, SRV_ADMF_IDRAIN);
 +	}
 +}
 +
 +/* Compute and propagate the admin states for all servers in proxy <px>.
 + * Only servers *not* tracking another one are considered, because other
 + * ones will be handled when the server they track is visited.
 + */
 +void srv_compute_all_admin_states(struct proxy *px)
 +{
 +	struct server *srv;
 +
 +	for (srv = px->srv; srv; srv = srv->next) {
 +		if (srv->track)
 +			continue;
 +		srv_propagate_admin_state(srv);
 +	}
 +}
 +
 /* Note: must not be declared <const> as its list will be overwritten.
  * Please take care of keeping this list alphabetically sorted, doing so helps
  * all code contributors.
@@ -1955,15 +1989,17 @@ static void srv_update_state(struct server *srv, int version, char **params)
 			p = NULL;
 			errno = 0;
 			srv_admin_state = strtol(params[2], &p, 10);
 +
 +			/* inherited statuses will be recomputed later */
 +			srv_admin_state &= ~SRV_ADMF_IDRAIN & ~SRV_ADMF_IMAINT;
 +
 			if ((p == params[2]) || errno == EINVAL || errno == ERANGE ||
 			    (srv_admin_state != 0 &&
 			     srv_admin_state != SRV_ADMF_FMAINT &&
 -			     srv_admin_state != SRV_ADMF_IMAINT &&
 			     srv_admin_state != SRV_ADMF_CMAINT &&
 			     srv_admin_state != (SRV_ADMF_CMAINT | SRV_ADMF_FMAINT) &&
 			     srv_admin_state != (SRV_ADMF_CMAINT | SRV_ADMF_FDRAIN) &&
 -			     srv_admin_state != SRV_ADMF_FDRAIN &&
 -			     srv_admin_state != SRV_ADMF_IDRAIN)) {
 +			     srv_admin_state != SRV_ADMF_FDRAIN)) {
 				chunk_appendf(msg, ", invalid srv_admin_state value '%s'", params[2]);
 			}
 
 -- 
 2.7.3

--- a/net/haproxy/patches/0031-BUG-vars-Fix-set-var-converter-because-of-a-typo.patch
+++ b/net/haproxy/patches/0031-BUG-vars-Fix-set-var-converter-because-of-a-typo.patch
@ -1,37 +0,0 @@
 From 9c017e541bb3cee2e2884cdc53a4cb4627be5dad Mon Sep 17 00:00:00 2001
 From: Christopher Faulet <cfaulet@haproxy.com>
 Date: Wed, 9 Nov 2016 16:15:32 +0100
 Subject: [PATCH 31/31] BUG: vars: Fix 'set-var' converter because of a typo

 The 'set-var' converter uses function smp_conv_store (vars.c). In this function,
 we should use the first argument (index 0) to retrieve the variable name and its
 scope. But because of a typo, we get the scope of the second argument (index
 1). In this case, there is no second argument. So the scope used was always 0
 (SCOPE_SESS), always setting the variable in the session scope.

 So, due to this bug, this rules

  tcp-request content accept if { src,set-var(txn.foo) -m found }

 always set the variable 'sess.foo' instead of 'txn.foo'.
 (cherry picked from commit 0099a8ca9d58cb4cff943bf6374b55b42a23fbfb)
 ---
 src/vars.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/src/vars.c b/src/vars.c
 index a3dd85c..8645905 100644
 --- a/src/vars.c
 +++ b/src/vars.c
@@ -379,7 +379,7 @@ static inline int sample_store_stream(const char *name, enum vars_scope scope, s
 /* Returns 0 if fails, else returns 1. */
 static int smp_conv_store(const struct arg *args, struct sample *smp, void *private)
 {
 -	return sample_store_stream(args[0].data.var.name, args[1].data.var.scope, smp);
 +	return sample_store_stream(args[0].data.var.name, args[0].data.var.scope, smp);
 }
 
 /* This fucntions check an argument entry and fill it with a variable
 -- 
 2.7.3