LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

package: haproxy bump to latest stable 1.7.4 

[RELEASE] Released version 1.7.4

    Released version 1.7.4 with the following main changes :
        - MINOR: config: warn when some HTTP rules are used in a TCP proxy
        - BUG/MINOR: spoe: Fix soft stop handler using a specific id for spoe filters
        - BUG/MINOR: spoe: Fix parsing of arguments in spoe-message section
        - BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying to parse OCSP file
        - BUG/MEDIUM: cli: Prevent double free in CLI ACL lookup
        - BUG/MINOR: Fix "get map <map> <value>" CLI command
        - BUG/MAJOR: connection: update CO_FL_CONNECTED before calling the data layer
        - BUG/MEDIUM: ssl: switchctx should not return SSL_TLSEXT_ERR_ALERT_WARNING
        - BUG/MINOR: checks: attempt clean shutw for SSL check
        - CONTRIB: tcploop: add limits.h to fix build issue with some compilers
        - CONTRIB: tcploop: make it build on FreeBSD
        - CONTRIB: tcploop: fix time format to silence build warnings
        - CONTRIB: tcploop: report action 'K' (kill) in usage message
        - CONTRIB: tcploop: fix connect's address length
        - CONTRIB: tcploop: use the trash instead of NULL for recv()
        - BUG/MEDIUM: listener: do not try to rebind another process' socket
        - BUG/MEDIUM: filters: Fix channels synchronization in flt_end_analyze
        - BUG/MAJOR: stream-int: do not depend on connection flags to detect connection
        - BUG/MEDIUM: connection: ensure to always report the end of handshakes
        - BUG: payload: fix payload not retrieving arbitrary lengths
        - BUG/MAJOR: http: fix typo in http_apply_redirect_rule
        - MINOR: doc: 2.4. Examples should be 2.5. Examples
        - BUG/MEDIUM: stream: fix client-fin/server-fin handling
        - MINOR: fd: add a new flag HAP_POLL_F_RDHUP to struct poller
        - BUG/MINOR: raw_sock: always perfom the last recv if RDHUP is not available
        - DOC/MINOR: Fix typos in proxy protocol doc
        - DOC: Protocol doc: add checksum, TLV type ranges
        - DOC: Protocol doc: add SSL TLVs, rename CHECKSUM
        - DOC: Protocol doc: add noop TLV
        - MEDIUM: global: add a 'hard-stop-after' option to cap the soft-stop time
        - BUG/MINOR: cfgparse: loop in tracked servers lists not detected by check_config_validity().
        - MINOR: server: irrelevant error message with 'default-server' config file keyword.
        - MINOR: doc: fix use-server example (imap vs mail)
        - BUG/MEDIUM: tcp: don't require privileges to bind to device
        - BUILD: make the release script use shortlog for the final changelog
        - BUILD: scripts: fix typo in announce-release error message

Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
lilik-openwrt-22.03
Thomas Heil 8 years ago
parent
4a4b1ba07c
commit
bb33a56225
8 changed files with 3 additions and 363 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +3
    -3
      net/haproxy/Makefile
  2. +0
    -61
      net/haproxy/patches/0001-MINOR-config-warn-when-some-HTTP-rules-are-used-in-a.patch
  3. +0
    -58
      net/haproxy/patches/0002-BUG-MINOR-spoe-Fix-soft-stop-handler-using-a-specifi.patch
  4. +0
    -33
      net/haproxy/patches/0003-BUG-MINOR-spoe-Fix-parsing-of-arguments-in-spoe-mess.patch
  5. +0
    -44
      net/haproxy/patches/0004-BUG-MEDIUM-ssl-Clear-OpenSSL-error-stack-after-tryin.patch
  6. +0
    -32
      net/haproxy/patches/0005-BUG-MEDIUM-cli-Prevent-double-free-in-CLI-ACL-lookup.patch
  7. +0
    -32
      net/haproxy/patches/0006-BUG-MINOR-Fix-get-map-map-value-CLI-command.patch
  8. +0
    -100
      net/haproxy/patches/0007-BUG-MAJOR-connection-update-CO_FL_CONNECTED-before-c.patch

+ 3
- 3
net/haproxy/Makefile View File

@ -9,12 +9,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy
PKG_VERSION:=1.7.3
PKG_RELEASE:=07
PKG_VERSION:=1.7.4
PKG_RELEASE:=01
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.7/src/
PKG_MD5SUM:=e529c240c08e4004c6e9dcf3fd6b3ab
PKG_MD5SUM:=dfdb293217f5077696d034564043a3ae
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
PKG_LICENSE:=GPL-2.0


+ 0
- 61
net/haproxy/patches/0001-MINOR-config-warn-when-some-HTTP-rules-are-used-in-a.patch View File

@ -1,61 +0,0 @@
From 91715c09a4595af6451ad97c43bf41fec107c69e Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Fri, 10 Mar 2017 11:49:21 +0100
Subject: [PATCH 1/7] MINOR: config: warn when some HTTP rules are used in a
TCP proxy
Surprizingly, http-request, http-response, block, redirect, and capture
rules did not cause a warning to be emitted when used in a TCP proxy, so
let's fix this.
This patch may be backported to older versions as it helps spotting
configuration issues.
(cherry picked from commit de7dc88c517e22d3ae02ce8a8a23046ab2c62238)
---
src/cfgparse.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/src/cfgparse.c b/src/cfgparse.c
index fc6e149..d8d2fda 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -8681,6 +8681,36 @@ out_uri_auth_compat:
curproxy->uri_auth = NULL;
}
+ if (curproxy->capture_name) {
+ Warning("config : 'capture' statement ignored for %s '%s' as it requires HTTP mode.\n",
+ proxy_type_str(curproxy), curproxy->id);
+ err_code |= ERR_WARN;
+ }
+
+ if (!LIST_ISEMPTY(&curproxy->http_req_rules)) {
+ Warning("config : 'http-request' rules ignored for %s '%s' as they require HTTP mode.\n",
+ proxy_type_str(curproxy), curproxy->id);
+ err_code |= ERR_WARN;
+ }
+
+ if (!LIST_ISEMPTY(&curproxy->http_res_rules)) {
+ Warning("config : 'http-response' rules ignored for %s '%s' as they require HTTP mode.\n",
+ proxy_type_str(curproxy), curproxy->id);
+ err_code |= ERR_WARN;
+ }
+
+ if (!LIST_ISEMPTY(&curproxy->block_rules)) {
+ Warning("config : 'block' rules ignored for %s '%s' as they require HTTP mode.\n",
+ proxy_type_str(curproxy), curproxy->id);
+ err_code |= ERR_WARN;
+ }
+
+ if (!LIST_ISEMPTY(&curproxy->redirect_rules)) {
+ Warning("config : 'redirect' rules ignored for %s '%s' as they require HTTP mode.\n",
+ proxy_type_str(curproxy), curproxy->id);
+ err_code |= ERR_WARN;
+ }
+
if (curproxy->options & (PR_O_FWDFOR | PR_O_FF_ALWAYS)) {
Warning("config : 'option %s' ignored for %s '%s' as it requires HTTP mode.\n",
"forwardfor", proxy_type_str(curproxy), curproxy->id);
--
2.10.2

+ 0
- 58
net/haproxy/patches/0002-BUG-MINOR-spoe-Fix-soft-stop-handler-using-a-specifi.patch View File

@ -1,58 +0,0 @@
From 8253b517585a664be53718f1522e24291f553d95 Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfaulet@haproxy.com>
Date: Thu, 23 Feb 2017 10:17:15 +0100
Subject: [PATCH 2/7] BUG/MINOR: spoe: Fix soft stop handler using a specific
id for spoe filters
During a soft stop, we need to wakeup all SPOE applets to stop them. So we loop
on all proxies, and for each proxy, on all filters. But we must be sure to only
handle SPOE filters here. To do so, we use a specific id.
(cherry picked from commit 3b386a318f699def6f37b4d3199cd1d72c481a0f)
---
src/flt_spoe.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index aa6414a..2a96c65 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -235,6 +235,9 @@ struct spoe_context {
unsigned int process_exp; /* expiration date to process an event */
};
+/* SPOE filter id. Used to identify SPOE filters */
+const char *spoe_filter_id = "SPOE filter";
+
/* Set if the handle on SIGUSR1 is registered */
static int sighandler_registered = 0;
@@ -2286,10 +2289,16 @@ sig_stop_spoe(struct sig_handler *sh)
struct flt_conf *fconf;
list_for_each_entry(fconf, &p->filter_configs, list) {
- struct spoe_config *conf = fconf->conf;
- struct spoe_agent *agent = conf->agent;
+ struct spoe_config *conf;
+ struct spoe_agent *agent;
struct appctx *appctx;
+ if (fconf->id != spoe_filter_id)
+ continue;
+
+ conf = fconf->conf;
+ agent = conf->agent;
+
list_for_each_entry(appctx, &agent->cache, ctx.spoe.list) {
si_applet_want_get(appctx->owner);
si_applet_want_put(appctx->owner);
@@ -3178,6 +3187,7 @@ parse_spoe_flt(char **args, int *cur_arg, struct proxy *px,
}
*cur_arg = pos;
+ fconf->id = spoe_filter_id;
fconf->ops = &spoe_ops;
fconf->conf = conf;
return 0;
--
2.10.2

+ 0
- 33
net/haproxy/patches/0003-BUG-MINOR-spoe-Fix-parsing-of-arguments-in-spoe-mess.patch View File

@ -1,33 +0,0 @@
From a208d4dd73794b67a59dae7e3077378473650d6c Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfaulet@haproxy.com>
Date: Thu, 23 Feb 2017 22:41:09 +0100
Subject: [PATCH 3/7] BUG/MINOR: spoe: Fix parsing of arguments in spoe-message
section
The array of pointers passed to sample_parse_expr was not really an array but a
pointer to pointer. So it can easily lead to a segfault during the configuration
parsing.
(cherry picked from commit b0b42388259224be54bf504fa559803b39d6453c)
---
src/flt_spoe.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 2a96c65..57fb1da 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -2966,8 +2966,9 @@ cfg_parse_spoe_message(const char *file, int linenum, char **args, int kwm)
arg->name_len = delim - args[cur_arg];
delim++;
}
-
- arg->expr = sample_parse_expr(&delim, &idx, file, linenum, &errmsg, &curproxy->conf.args);
+ arg->expr = sample_parse_expr((char*[]){delim, NULL},
+ &idx, file, linenum, &errmsg,
+ &curproxy->conf.args);
if (arg->expr == NULL) {
Alert("parsing [%s:%d] : '%s': %s.\n", file, linenum, args[0], errmsg);
err_code |= ERR_ALERT | ERR_FATAL;
--
2.10.2

+ 0
- 44
net/haproxy/patches/0004-BUG-MEDIUM-ssl-Clear-OpenSSL-error-stack-after-tryin.patch View File

@ -1,44 +0,0 @@
From 821d3a9f513a63b06f1696352392996391807c16 Mon Sep 17 00:00:00 2001
From: Janusz Dziemidowicz <rraptorr@nails.eu.org>
Date: Wed, 8 Mar 2017 16:59:41 +0100
Subject: [PATCH 4/7] BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying
to parse OCSP file
Invalid OCSP file (for example empty one that can be used to enable
OCSP response to be set dynamically later) causes errors that are
placed on OpenSSL error stack. Those errors are not cleared so
anything that checks this stack later will fail.
Following configuration:
bind :443 ssl crt crt1.pem crt crt2.pem
With following files:
crt1.pem
crt1.pem.ocsp - empty one
crt2.pem.rsa
crt2.pem.ecdsa
Will fail to load.
This patch should be backported to 1.7.
(cherry picked from commit 8d7104982e1c41f7dc4d75ae7f7d2bbb96052d40)
---
src/ssl_sock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index cc2dc12..daa584c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -433,6 +433,8 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
ret = 0;
out:
+ ERR_clear_error();
+
if (bs)
OCSP_BASICRESP_free(bs);
--
2.10.2

+ 0
- 32
net/haproxy/patches/0005-BUG-MEDIUM-cli-Prevent-double-free-in-CLI-ACL-lookup.patch View File

@ -1,32 +0,0 @@
From e9607769d56373cf29c4df040f605191603beb50 Mon Sep 17 00:00:00 2001
From: Nenad Merdanovic <nmerdan@haproxy.com>
Date: Sun, 12 Mar 2017 22:01:35 +0100
Subject: [PATCH 5/7] BUG/MEDIUM: cli: Prevent double free in CLI ACL lookup
The memory is released by cli_release_mlook, which also properly sets the
pointer to NULL. This was introduced with a big code reorganization
involving moving to the new keyword registration form in commit ad8be61c7.
This fix needs to be backported to 1.7.
Signed-off-by: Nenad Merdanovic <nmerdan@haproxy.com>
(cherry picked from commit 24f45d8e34797ed9c16ac3fa6d89f3eed435e706)
---
src/map.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/map.c b/src/map.c
index b6fce4d..90deb08 100644
--- a/src/map.c
+++ b/src/map.c
@@ -524,7 +524,6 @@ static int cli_io_handler_map_lookup(struct appctx *appctx)
default:
appctx->st2 = STAT_ST_FIN;
- free(appctx->ctx.map.chunk.str);
return 1;
}
}
--
2.10.2

+ 0
- 32
net/haproxy/patches/0006-BUG-MINOR-Fix-get-map-map-value-CLI-command.patch View File

@ -1,32 +0,0 @@
From e1008f22fbb9c08080aad9f998a557170b96f3f9 Mon Sep 17 00:00:00 2001
From: Nenad Merdanovic <nmerdan@haproxy.com>
Date: Sun, 12 Mar 2017 22:01:36 +0100
Subject: [PATCH 6/7] BUG/MINOR: Fix "get map <map> <value>" CLI command
The said form of the CLI command didn't return anything since commit
ad8be61c7.
This fix needs to be backported to 1.7.
Signed-off-by: Nenad Merdanovic <nmerdan@haproxy.com>
(cherry picked from commit 96c15719434a4eb46e191fcf1dafcb051065a76e)
---
src/map.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/map.c b/src/map.c
index 90deb08..e8c6a2a 100644
--- a/src/map.c
+++ b/src/map.c
@@ -906,7 +906,7 @@ static struct cli_kw_list cli_kws = {{ },{
{ { "add", "map", NULL }, "add map : add map entry", cli_parse_add_map, NULL },
{ { "clear", "map", NULL }, "clear map <id> : clear the content of this map", cli_parse_clear_map, NULL },
{ { "del", "map", NULL }, "del map : delete map entry", cli_parse_del_map, NULL },
- { { "get", "map", NULL }, "get map : report the keys and values matching a sample for a map", cli_parse_get_map, NULL },
+ { { "get", "map", NULL }, "get map : report the keys and values matching a sample for a map", cli_parse_get_map, cli_io_handler_map_lookup, cli_release_mlook },
{ { "set", "map", NULL }, "set map : modify map entry", cli_parse_set_map, NULL },
{ { "show", "map", NULL }, "show map [id] : report available maps or dump a map's contents", cli_parse_show_map, NULL },
{ { NULL }, NULL, NULL, NULL }
--
2.10.2

+ 0
- 100
net/haproxy/patches/0007-BUG-MAJOR-connection-update-CO_FL_CONNECTED-before-c.patch View File

@ -1,100 +0,0 @@
From afbf56b951967e8fa4d509e423fdcb11c27d40e2 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 14 Mar 2017 20:19:29 +0100
Subject: [PATCH 7/7] BUG/MAJOR: connection: update CO_FL_CONNECTED before
calling the data layer
Matthias Fechner reported a regression in 1.7.3 brought by the backport
of commit 819efbf ("BUG/MEDIUM: tcp: don't poll for write when connect()
succeeds"), causing some connections to fail to establish once in a while.
While this commit itself was a fix for a bad sequencing of connection
events, it in fact unveiled a much deeper bug going back to the connection
rework era in v1.5-dev12 : 8f8c92f ("MAJOR: connection: add a new
CO_FL_CONNECTED flag").
It's worth noting that in a lab reproducing a similar environment as
Matthias' about only 1 every 19000 connections exhibit this behaviour,
making the issue not so easy to observe. A trick to make the problem
more observable consists in disabling non-blocking mode on the socket
before calling connect() and re-enabling it later, so that connect()
always succeeds. Then it becomes 100% reproducible.
The problem is that this CO_FL_CONNECTED flag is tested after deciding to
call the data layer (typically the stream interface but might be a health
check as well), and that the decision to call the data layer relies on a
change of one of the flags covered by the CO_FL_CONN_STATE set, which is
made of CO_FL_CONNECTED among others.
Before the fix above, this bug couldn't appear with TCP but it could
appear with Unix sockets. Indeed, connect() was always considered
blocking so the CO_FL_WAIT_L4_CONN connection flag was always set, and
polling for write events was always enabled. This used to guarantee that
the conn_fd_handler() could detect a change among the CO_FL_CONN_STATE
flags.
Now with the fix above, if a connect() immediately succeeds for non-ssl
connection with send-proxy enabled, and no data in the buffer (thus TCP
mode only), the CO_FL_WAIT_L4_CONN flag is not set, the lack of data in
the buffer doesn't enable polling flags for the data layer, the
CO_FL_CONNECTED flag is not set due to send-proxy still being pending,
and once send-proxy is done, its completion doesn't cause the data layer
to be woken up due to the fact that CO_FL_CONNECT is still not present
and that the CO_FL_SEND_PROXY flag is not watched in CO_FL_CONN_STATE.
Then no progress is made when data are received from the client (and
attempted to be forwarded), because a CF_WRITE_NULL (or CF_WRITE_PARTIAL)
flag is needed for the stream-interface state to turn from SI_ST_CON to
SI_ST_EST, allowing ->chk_snd() to be called when new data arrive. And
the only way to set this flag is to call the data layer of course.
After the connect timeout, the connection gets killed and if in the mean
time some data have accumulated in the buffer, the retry will succeed.
This patch fixes this situation by simply placing the update of
CO_FL_CONNECTED where it should have been, before the check for a flag
change needed to wake up the data layer and not after.
This fix must be backported to 1.7, 1.6 and 1.5. Versions not having
the patch above are still affected for unix sockets.
Special thanks to Matthias Fechner who provided a very detailed bug
report with a bisection designating the faulty patch, and to Olivier
Houchard for providing full access to a pretty similar environment where
the issue could first be reproduced.
(cherry picked from commit 7bf3fa3c23f6a1b7ed1212783507ac50f7e27544)
---
src/connection.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/connection.c b/src/connection.c
index 26fc5f6..1e4c9aa 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -131,6 +131,13 @@ void conn_fd_handler(int fd)
}
leave:
+ /* Verify if the connection just established. The CO_FL_CONNECTED flag
+ * being included in CO_FL_CONN_STATE, its change will be noticed by
+ * the next block and be used to wake up the data layer.
+ */
+ if (unlikely(!(conn->flags & (CO_FL_WAIT_L4_CONN | CO_FL_WAIT_L6_CONN | CO_FL_CONNECTED))))
+ conn->flags |= CO_FL_CONNECTED;
+
/* The wake callback may be used to process a critical error and abort the
* connection. If so, we don't want to go further as the connection will
* have been released and the FD destroyed.
@@ -140,10 +147,6 @@ void conn_fd_handler(int fd)
conn->data->wake(conn) < 0)
return;
- /* Last check, verify if the connection just established */
- if (unlikely(!(conn->flags & (CO_FL_WAIT_L4_CONN | CO_FL_WAIT_L6_CONN | CO_FL_CONNECTED))))
- conn->flags |= CO_FL_CONNECTED;
-
/* remove the events before leaving */
fdtab[fd].ev &= FD_POLL_STICKY;
--
2.10.2

Write Preview
Loading…
Cancel
Save