diff options
Diffstat (limited to 'net')
92 files changed, 519 insertions, 3736 deletions
diff --git a/net/acme/Makefile b/net/acme/Makefile index 4d5275a12..d20bad1f2 100644 --- a/net/acme/Makefile +++ b/net/acme/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=acme -PKG_VERSION:=2.8.3 -PKG_RELEASE:=4 +PKG_VERSION:=2.8.5 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/Neilpang/acme.sh/tar.gz/$(PKG_VERSION)? -PKG_HASH:=bdec71377a764919ac277e26d71ef7e24087f7f05171921888b70de6ab6e2cbc +PKG_HASH:=45d964de8970096dae06aaa45dba2d9d09a41c0a43355191ee627eb00ba5db45 PKG_BUILD_DIR:=$(BUILD_DIR)/acme.sh-$(PKG_VERSION) PKG_MAINTAINER:=Toke Høiland-Jørgensen <toke@toke.dk> diff --git a/net/apache/patches/020-openssl-deprecated.patch b/net/apache/patches/020-openssl-deprecated.patch new file mode 100644 index 000000000..e583cde19 --- /dev/null +++ b/net/apache/patches/020-openssl-deprecated.patch @@ -0,0 +1,177 @@ +--- a/modules/ssl/mod_ssl.c ++++ b/modules/ssl/mod_ssl.c +@@ -328,6 +328,7 @@ static int modssl_is_prelinked(void) + + static apr_status_t ssl_cleanup_pre_config(void *data) + { ++#if MODSSL_USE_OPENSSL_PRE_1_1_API + /* + * Try to kill the internals of the SSL library. + */ +@@ -343,11 +344,9 @@ static apr_status_t ssl_cleanup_pre_config(void *data) + #if OPENSSL_VERSION_NUMBER >= 0x1000200fL + #ifndef OPENSSL_NO_COMP + SSL_COMP_free_compression_methods(); +-#endif + #endif + + /* Usually needed per thread, but this parent process is single-threaded */ +-#if MODSSL_USE_OPENSSL_PRE_1_1_API + #if OPENSSL_VERSION_NUMBER >= 0x1000000fL + ERR_remove_thread_state(NULL); + #else +@@ -376,6 +375,7 @@ static apr_status_t ssl_cleanup_pre_config(void *data) + * (when enabled) at this late stage in the game: + * CRYPTO_mem_leaks_fp(stderr); + */ ++#endif + return APR_SUCCESS; + } + +@@ -400,14 +400,16 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, + #else + OPENSSL_malloc_init(); + #endif ++#if MODSSL_USE_OPENSSL_PRE_1_1_API + ERR_load_crypto_strings(); + SSL_load_error_strings(); + SSL_library_init(); ++ OpenSSL_add_all_algorithms(); ++ OPENSSL_load_builtin_modules(); ++#endif + #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES + ENGINE_load_builtin_engines(); + #endif +- OpenSSL_add_all_algorithms(); +- OPENSSL_load_builtin_modules(); + + if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) { + (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -88,6 +88,8 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) + + return 1; + } ++ ++#define OpenSSL_version_num SSLeay + #endif + + /* +@@ -223,7 +225,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, + apr_status_t rv; + apr_array_header_t *pphrases; + +- if (SSLeay() < MODSSL_LIBRARY_VERSION) { ++ if (OpenSSL_version_num() < MODSSL_LIBRARY_VERSION) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882) + "Init: this version of mod_ssl was compiled against " + "a newer library (%s, version currently loaded is %s)" +--- a/modules/ssl/ssl_engine_io.c ++++ b/modules/ssl/ssl_engine_io.c +@@ -1255,9 +1255,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) + if (dc->proxy->ssl_check_peer_expire != FALSE) { + if (!cert + || (X509_cmp_current_time( +- X509_get_notBefore(cert)) >= 0) ++ X509_get0_notBefore(cert)) >= 0) + || (X509_cmp_current_time( +- X509_get_notAfter(cert)) <= 0)) { ++ X509_get0_notAfter(cert)) <= 0)) { + proxy_ssl_check_peer_ok = FALSE; + ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02004) + "SSL Proxy: Peer certificate is expired"); +--- a/modules/ssl/ssl_engine_log.c ++++ b/modules/ssl/ssl_engine_log.c +@@ -163,10 +163,10 @@ static void ssl_log_cert_error(const char *file, int line, int level, + BIO_puts(bio, "(ERROR)"); + + BIO_puts(bio, " / notbefore: "); +- ASN1_TIME_print(bio, X509_get_notBefore(cert)); ++ ASN1_TIME_print(bio, X509_get0_notBefore(cert)); + + BIO_puts(bio, " / notafter: "); +- ASN1_TIME_print(bio, X509_get_notAfter(cert)); ++ ASN1_TIME_print(bio, X509_get0_notAfter(cert)); + + BIO_puts(bio, "]"); + +--- a/modules/ssl/ssl_engine_vars.c ++++ b/modules/ssl/ssl_engine_vars.c +@@ -495,13 +495,13 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, + result = ssl_var_lookup_ssl_cert_serial(p, xs); + } + else if (strcEQ(var, "V_START")) { +- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs)); ++ result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notBefore(xs)); + } + else if (strcEQ(var, "V_END")) { +- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs)); ++ result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notAfter(xs)); + } + else if (strcEQ(var, "V_REMAIN")) { +- result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs)); ++ result = ssl_var_lookup_ssl_cert_remain(p, X509_getm_notAfter(xs)); + resdup = FALSE; + } + else if (*var && strcEQ(var+1, "_DN")) { +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h +@@ -92,6 +92,8 @@ + #include <openssl/x509.h> + #include <openssl/pem.h> + #include <openssl/crypto.h> ++#include <openssl/bn.h> ++#include <openssl/dh.h> + #include <openssl/evp.h> + #include <openssl/rand.h> + #include <openssl/x509v3.h> +@@ -234,6 +236,10 @@ + #define BIO_get_shutdown(x) (x->shutdown) + #define BIO_set_shutdown(x,v) (x->shutdown=v) + #define DH_bits(x) (BN_num_bits(x->p)) ++#define X509_get0_notBefore X509_get_notBefore ++#define X509_get0_notAfter X509_get_notAfter ++#define X509_getm_notBefore X509_get_notBefore ++#define X509_getm_notAfter X509_get_notAfter + #else + void init_bio_methods(void); + void free_bio_methods(void); +--- a/support/ab.c ++++ b/support/ab.c +@@ -205,6 +205,10 @@ typedef STACK_OF(X509) X509_STACK_TYPE; + #define SSL_CTX_set_max_proto_version(ctx, version) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) + #endif ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define X509_get0_notBefore X509_get_notBefore ++#define X509_get0_notAfter X509_get_notAfter ++#endif + #endif + + #include <math.h> +@@ -652,11 +656,11 @@ static void ssl_print_cert_info(BIO *bio, X509 *cert) + + BIO_printf(bio, "Certificate version: %ld\n", X509_get_version(cert)+1); + BIO_printf(bio,"Valid from: "); +- ASN1_UTCTIME_print(bio, X509_get_notBefore(cert)); ++ ASN1_UTCTIME_print(bio, X509_get0_notBefore(cert)); + BIO_printf(bio,"\n"); + + BIO_printf(bio,"Valid to : "); +- ASN1_UTCTIME_print(bio, X509_get_notAfter(cert)); ++ ASN1_UTCTIME_print(bio, X509_get0_notAfter(cert)); + BIO_printf(bio,"\n"); + + pk = X509_get_pubkey(cert); +@@ -2634,8 +2638,10 @@ int main(int argc, const char * const argv[]) + CRYPTO_malloc_init(); + #endif + #endif ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + SSL_load_error_strings(); + SSL_library_init(); ++#endif + bio_out=BIO_new_fp(stdout,BIO_NOCLOSE); + bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); + diff --git a/net/cgi-io/Makefile b/net/cgi-io/Makefile index 27bdf737f..c8e4164ef 100644 --- a/net/cgi-io/Makefile +++ b/net/cgi-io/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cgi-io -PKG_RELEASE:=16 +PKG_RELEASE:=17 PKG_LICENSE:=GPL-2.0-or-later diff --git a/net/cgi-io/src/main.c b/net/cgi-io/src/main.c index 7cf8d7b23..6e9112c0f 100644 --- a/net/cgi-io/src/main.c +++ b/net/cgi-io/src/main.c @@ -38,6 +38,7 @@ #include "multipart_parser.h" #define READ_BLOCK 4096 +#define POST_LIMIT 131072 enum part { PART_UNKNOWN, @@ -223,55 +224,86 @@ urldecode(char *buf) return true; } -static bool +static char * postdecode(char **fields, int n_fields) { - char *p; const char *var; - static char buf[1024]; - int i, len, field, found = 0; + char *p, *postbuf; + int i, field, found = 0; + ssize_t len = 0, rlen = 0, content_length = 0; var = getenv("CONTENT_TYPE"); if (!var || strncmp(var, "application/x-www-form-urlencoded", 33)) - return false; + return NULL; + + var = getenv("CONTENT_LENGTH"); + + if (!var) + return NULL; + + content_length = strtol(var, &p, 10); + + if (p == var || content_length <= 0 || content_length >= POST_LIMIT) + return NULL; + + postbuf = calloc(1, content_length + 1); + + if (postbuf == NULL) + return NULL; + + for (len = 0; len < content_length; ) + { + rlen = read(0, postbuf + len, content_length - len); + + if (rlen <= 0) + break; - memset(buf, 0, sizeof(buf)); + len += rlen; + } - if ((len = read(0, buf, sizeof(buf) - 1)) > 0) + if (len < content_length) { - for (p = buf, i = 0; i <= len; i++) + free(postbuf); + return NULL; + } + + for (p = postbuf, i = 0; i <= len; i++) + { + if (postbuf[i] == '=') { - if (buf[i] == '=') - { - buf[i] = 0; + postbuf[i] = 0; - for (field = 0; field < (n_fields * 2); field += 2) + for (field = 0; field < (n_fields * 2); field += 2) + { + if (!strcmp(p, fields[field])) { - if (!strcmp(p, fields[field])) - { - fields[field + 1] = buf + i + 1; - found++; - } + fields[field + 1] = postbuf + i + 1; + found++; } } - else if (buf[i] == '&' || buf[i] == '\0') - { - buf[i] = 0; + } + else if (postbuf[i] == '&' || postbuf[i] == '\0') + { + postbuf[i] = 0; - if (found >= n_fields) - break; + if (found >= n_fields) + break; - p = buf + i + 1; - } + p = postbuf + i + 1; } } for (field = 0; field < (n_fields * 2); field += 2) + { if (!urldecode(fields[field + 1])) - return false; + { + free(postbuf); + return NULL; + } + } - return (found >= n_fields); + return postbuf; } static char * @@ -658,6 +690,14 @@ main_upload(int argc, char *argv[]) return 0; } +static void +free_charp(char **ptr) +{ + free(*ptr); +} + +#define autochar __attribute__((__cleanup__(free_charp))) char + static int main_download(int argc, char **argv) { @@ -668,7 +708,7 @@ main_download(int argc, char **argv) struct stat s; int rfd; - postdecode(fields, 4); + autochar *post = postdecode(fields, 4); if (!fields[1] || !session_access(fields[1], "cgi-io", "download", "read")) return failure(403, 0, "Download permission denied"); @@ -706,29 +746,39 @@ main_download(int argc, char **argv) if (fields[5]) printf("Content-Disposition: attachment; filename=\"%s\"\r\n", fields[5]); - printf("Content-Length: %llu\r\n\r\n", size); - fflush(stdout); + if (size > 0) { + printf("Content-Length: %llu\r\n\r\n", size); + fflush(stdout); - while (size > 0) { - len = sendfile(1, rfd, NULL, size); + while (size > 0) { + len = sendfile(1, rfd, NULL, size); - if (len == -1) { - if (errno == ENOSYS || errno == EINVAL) { - while ((len = read(rfd, buf, sizeof(buf))) > 0) - fwrite(buf, len, 1, stdout); + if (len == -1) { + if (errno == ENOSYS || errno == EINVAL) { + while ((len = read(rfd, buf, sizeof(buf))) > 0) + fwrite(buf, len, 1, stdout); - fflush(stdout); - break; + fflush(stdout); + break; + } + + if (errno == EINTR || errno == EAGAIN) + continue; } - if (errno == EINTR || errno == EAGAIN) - continue; + if (len <= 0) + break; + + size -= len; } + } + else { + printf("\r\n"); - if (len <= 0) - break; + while ((len = read(rfd, buf, sizeof(buf))) > 0) + fwrite(buf, len, 1, stdout); - size -= len; + fflush(stdout); } close(rfd); @@ -749,7 +799,9 @@ main_backup(int argc, char **argv) char hostname[64] = { 0 }; char *fields[] = { "sessionid", NULL }; - if (!postdecode(fields, 1) || !session_access(fields[1], "cgi-io", "backup", "read")) + autochar *post = postdecode(fields, 1); + + if (!fields[1] || !session_access(fields[1], "cgi-io", "backup", "read")) return failure(403, 0, "Backup permission denied"); if (pipe(fds)) @@ -929,7 +981,7 @@ main_exec(int argc, char **argv) char *p, **args; pid_t pid; - postdecode(fields, 4); + autochar *post = postdecode(fields, 4); if (!fields[1] || !session_access(fields[1], "cgi-io", "exec", "read")) return failure(403, 0, "Exec permission denied"); diff --git a/net/cifs-utils/Makefile b/net/cifs-utils/Makefile index 0c3d84c30..03f5acac5 100644 --- a/net/cifs-utils/Makefile +++ b/net/cifs-utils/Makefile @@ -8,18 +8,19 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cifs-utils -PKG_VERSION:=6.9 -PKG_RELEASE:=2 +PKG_VERSION:=6.10 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=https://download.samba.org/pub/linux-cifs/cifs-utils/ -PKG_HASH:=18d8f1bf92c13c4d611502dbd6759e3a766ddc8467ec8a2eda3f589e40b9ac9c +PKG_HASH:=92fc29c8e9039637f3344267500f1fa381e2cccd7d10142f0c1676fa575904a7 PKG_MAINTAINER:= -PKG_LICENSE:=GPL-3.0 +PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE_FILES:=COPYING PKG_CPE_ID:=cpe:/a:debian:cifs-utils +PKG_FIXUP:=autoreconf PKG_INSTALL:=1 PKG_BUILD_PARALLEL:=1 @@ -64,6 +65,7 @@ endef define Package/cifsmount/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/sbin/mount.cifs $(1)/usr/sbin/ + $(LN) /usr/sbin/mount.cifs $(1)/usr/sbin/mount.smb3 endef define Package/smbinfo/install diff --git a/net/cifs-utils/patches/010-no-libtalloc.patch b/net/cifs-utils/patches/010-no-libtalloc.patch index 859a5c539..29de8f138 100644 --- a/net/cifs-utils/patches/010-no-libtalloc.patch +++ b/net/cifs-utils/patches/010-no-libtalloc.patch @@ -1,5 +1,3 @@ -diff --git a/data_blob.h b/data_blob.h -index 3d96147..c20749d 100644 --- a/data_blob.h +++ b/data_blob.h @@ -23,7 +23,7 @@ diff --git a/net/cifs-utils/patches/020-no-smb3.patch b/net/cifs-utils/patches/020-no-smb3.patch new file mode 100644 index 000000000..bb20af422 --- /dev/null +++ b/net/cifs-utils/patches/020-no-smb3.patch @@ -0,0 +1,13 @@ +--- a/Makefile.am ++++ b/Makefile.am +@@ -119,10 +119,8 @@ endif + SUBDIRS = contrib + + install-exec-hook: +- (cd $(ROOTSBINDIR) && ln -sf mount.cifs mount.smb3) + + install-data-hook: +- (cd $(man8dir) && ln -sf mount.cifs.8 mount.smb3.8) + + uninstall-hook: + (cd $(ROOTSBINDIR) && rm -f $(ROOTSBINDIR)/mount.smb3) diff --git a/net/dnsdist/Makefile b/net/dnsdist/Makefile index 217c978de..6d4ffb1a5 100644 --- a/net/dnsdist/Makefile +++ b/net/dnsdist/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsdist PKG_VERSION:=1.4.0 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=https://downloads.powerdns.com/releases/ @@ -14,7 +14,9 @@ PKG_LICENSE_FILES:=COPYING PKG_CPE_ID:=cpe:/a:powerdns:dnsdist PKG_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 +PKG_ASLR_PIE:=0 PKG_BUILD_DEPENDS:=protobuf/host PKG_CONFIG_DEPENDS:= \ @@ -103,6 +105,7 @@ CONFIGURE_ARGS+= \ --enable-dnscrypt \ --enable-dnstap \ --with-libsodium \ + --with-pic \ --with-protobuf \ --with-re2 \ --with-lua=lua \ diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index e8e63515c..36001edaa 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -10,12 +10,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=haproxy -PKG_VERSION:=2.1.2 +PKG_VERSION:=2.1.3 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.haproxy.org/download/2.1/src -PKG_HASH:=6079b08a8905ade5a9a2835ead8963ee10a855d8508a85efb7181eea2d310b77 +PKG_HASH:=bb678e550374d0d9d9312885fb9d270b501dae9e3b336f0a4379c667dae00b59 PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>, \ Christian Lachner <gladiac@gmail.com> diff --git a/net/haproxy/get-latest-patches.sh b/net/haproxy/get-latest-patches.sh index dd13348ee..9fb537893 100755 --- a/net/haproxy/get-latest-patches.sh +++ b/net/haproxy/get-latest-patches.sh @@ -1,7 +1,7 @@ #!/bin/sh CLONEURL=https://git.haproxy.org/git/haproxy-2.1.git -BASE_TAG=v2.1.2 +BASE_TAG=v2.1.3 TMP_REPODIR=tmprepo PATCHESDIR=patches diff --git a/net/haproxy/patches/000-BUG-MINOR-checks-refine-which-errno-values-are-really-errors.patch b/net/haproxy/patches/000-BUG-MINOR-checks-refine-which-errno-values-are-really-errors.patch deleted file mode 100644 index 4b6e1ee72..000000000 --- a/net/haproxy/patches/000-BUG-MINOR-checks-refine-which-errno-values-are-really-errors.patch +++ /dev/null @@ -1,101 +0,0 @@ -commit 4b50ea9da7c098b22a4572f7b609bed7bab03cdb -Author: Willy Tarreau <w@1wt.eu> -Date: Fri Dec 27 12:03:27 2019 +0100 - - BUG/MINOR: checks: refine which errno values are really errors. - - Two regtest regularly fail in a random fashion depending on the machine's - load (one could really wonder if it's really worth keeping such - unreproducible tests) : - - tcp-check_multiple_ports.vtc - - 4be_1srv_smtpchk_httpchk_layer47errors.vtc - - It happens that one of the reason is the time it takes to connect to - the local socket (hence the load-dependent aspect): if connect() on the - loopback returns EINPROGRESS then this status is reported instead of a - real error. Normally such a test is expected to see the error cleaned - by tcp_connect_probe() but it really depends on the timing and instead - we may very well send() first and see this error. The problem is that - everything is collected based on errno, hoping it won't get molested - in the way from the last unsuccesful syscall to wake_srv_chk(), which - obviously is hard to guarantee. - - This patch at least makes sure that a few non-errors are reported as - zero just like EAGAIN. It doesn't fix the root cause but makes it less - likely to report incorrect failures. - - This fix could be backported as far as 1.9. - - (cherry picked from commit c8dc20a825644bb4003ecb62e0eb2d20c8eaf6c8) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/checks.c b/src/checks.c -index ac39fec91..083aebbe0 100644 ---- a/src/checks.c -+++ b/src/checks.c -@@ -137,6 +137,17 @@ static const struct analyze_status analyze_statuses[HANA_STATUS_SIZE] = { /* 0: - [HANA_STATUS_HTTP_BROKEN_PIPE] = { "Close from server (http)", { 0, 1 }}, - }; - -+/* checks if <err> is a real error for errno or one that can be ignored, and -+ * return 0 for these ones or <err> for real ones. -+ */ -+static inline int unclean_errno(int err) -+{ -+ if (err == EAGAIN || err == EINPROGRESS || -+ err == EISCONN || err == EALREADY) -+ return 0; -+ return err; -+} -+ - /* - * Convert check_status code to description - */ -@@ -548,7 +559,7 @@ static int retrieve_errno_from_socket(struct connection *conn) - int skerr; - socklen_t lskerr = sizeof(skerr); - -- if (conn->flags & CO_FL_ERROR && ((errno && errno != EAGAIN) || !conn->ctrl)) -+ if (conn->flags & CO_FL_ERROR && (unclean_errno(errno) || !conn->ctrl)) - return 1; - - if (!conn_ctrl_ready(conn)) -@@ -557,8 +568,7 @@ static int retrieve_errno_from_socket(struct connection *conn) - if (getsockopt(conn->handle.fd, SOL_SOCKET, SO_ERROR, &skerr, &lskerr) == 0) - errno = skerr; - -- if (errno == EAGAIN) -- errno = 0; -+ errno = unclean_errno(errno); - - if (!errno) { - /* we could not retrieve an error, that does not mean there is -@@ -599,8 +609,8 @@ static void chk_report_conn_err(struct check *check, int errno_bck, int expired) - if (check->result != CHK_RES_UNKNOWN) - return; - -- errno = errno_bck; -- if (conn && (!errno || errno == EAGAIN)) -+ errno = unclean_errno(errno_bck); -+ if (conn && errno) - retrieve_errno_from_socket(conn); - - if (conn && !(conn->flags & CO_FL_ERROR) && -@@ -644,7 +654,7 @@ static void chk_report_conn_err(struct check *check, int errno_bck, int expired) - } - - if (conn && conn->err_code) { -- if (errno && errno != EAGAIN) -+ if (unclean_errno(errno)) - chunk_printf(&trash, "%s (%s)%s", conn_err_code_str(conn), strerror(errno), - chk->area); - else -@@ -653,7 +663,7 @@ static void chk_report_conn_err(struct check *check, int errno_bck, int expired) - err_msg = trash.area; - } - else { -- if (errno && errno != EAGAIN) { -+ if (unclean_errno(errno)) { - chunk_printf(&trash, "%s%s", strerror(errno), - chk->area); - err_msg = trash.area; diff --git a/net/haproxy/patches/055-OPENWRT-add-uclibc-support.patch b/net/haproxy/patches/000-OPENWRT-add-uclibc-support.patch index 30030cec3..3a22ebb88 100644 --- a/net/haproxy/patches/055-OPENWRT-add-uclibc-support.patch +++ b/net/haproxy/patches/000-OPENWRT-add-uclibc-support.patch @@ -1,6 +1,6 @@ --- a/Makefile +++ b/Makefile -@@ -337,6 +337,15 @@ ifeq ($(TARGET),linux-glibc) +@@ -339,6 +339,15 @@ ifeq ($(TARGET),linux-glibc) USE_ACCEPT4 USE_LINUX_SPLICE USE_PRCTL USE_THREAD_DUMP USE_GETADDRINFO) endif diff --git a/net/haproxy/patches/001-BUG-MEDIUM-checks-Only-attempt-to-do-handshakes-if-the-connection-is-ready.patch b/net/haproxy/patches/001-BUG-MEDIUM-checks-Only-attempt-to-do-handshakes-if-the-connection-is-ready.patch deleted file mode 100644 index 466f2a9c0..000000000 --- a/net/haproxy/patches/001-BUG-MEDIUM-checks-Only-attempt-to-do-handshakes-if-the-connection-is-ready.patch +++ /dev/null @@ -1,46 +0,0 @@ -commit 68265b3993d68cc7af5fc0f70bcfa35d52ffa99d -Author: Olivier Houchard <cognet@ci0.org> -Date: Mon Dec 30 15:13:42 2019 +0100 - - BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is ready. - - When creating a new check connection, only attempt to add an handshake - connection if the connection has fully been initialized. It can not be the - case if a DNS resolution is still pending, and thus we don't yet have the - address for the server, as the handshake code assumes the connection is fully - initialized and would otherwise crash. - This is not ideal, the check shouldn't probably run until we have an address, - as it leads to check failures with "Socket error". - While I'm there, also add an xprt handshake if we're using socks4, otherwise - checks wouldn't be able to use socks4 properly. - This should fix github issue #430 - - This should be backported to 2.0 and 2.1. - - (cherry picked from commit 37d7897aafc412f3c4a4a68a1dccbd6b5d6cb180) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/checks.c b/src/checks.c -index 083aebbe0..2b7fc09c6 100644 ---- a/src/checks.c -+++ b/src/checks.c -@@ -1715,6 +1715,9 @@ static int connect_conn_chk(struct task *t) - if (s->check.send_proxy && !(check->state & CHK_ST_AGENT)) { - conn->send_proxy_ofs = 1; - conn->flags |= CO_FL_SEND_PROXY; -+ } -+ if (conn->flags & (CO_FL_SEND_PROXY | CO_FL_SOCKS4) && -+ conn_ctrl_ready(conn)) { - if (xprt_add_hs(conn) < 0) - ret = SF_ERR_RESOURCE; - } -@@ -2960,7 +2963,8 @@ static int tcpcheck_main(struct check *check) - if (proto && proto->connect) - ret = proto->connect(conn, - CONNECT_HAS_DATA /* I/O polling is always needed */ | (next && next->action == TCPCHK_ACT_EXPECT) ? 0 : CONNECT_DELACK_ALWAYS); -- if (check->current_step->conn_opts & TCPCHK_OPT_SEND_PROXY) { -+ if (conn_ctrl_ready(conn) && -+ check->current_step->conn_opts & TCPCHK_OPT_SEND_PROXY) { - conn->send_proxy_ofs = 1; - conn->flags |= CO_FL_SEND_PROXY; - if (xprt_add_hs(conn) < 0) diff --git a/net/haproxy/patches/002-BUG-MEDIUM-connections-Hold-the-lock-when-wanting-to-kill-a-connection.patch b/net/haproxy/patches/002-BUG-MEDIUM-connections-Hold-the-lock-when-wanting-to-kill-a-connection.patch deleted file mode 100644 index 531cde94a..000000000 --- a/net/haproxy/patches/002-BUG-MEDIUM-connections-Hold-the-lock-when-wanting-to-kill-a-connection.patch +++ /dev/null @@ -1,37 +0,0 @@ -commit 000f227a4cfdb019575e889638f9e0e5a53bbb0b -Author: Olivier Houchard <cognet@ci0.org> -Date: Mon Dec 30 18:15:40 2019 +0100 - - BUG/MEDIUM: connections: Hold the lock when wanting to kill a connection. - - In connect_server(), when we decide we want to kill the connection of - another thread because there are too many idle connections, hold the - toremove_lock of the corresponding thread, othervise, there's a small race - condition where we could try to add the connection to the toremove_connections - list while it has already been free'd. - - This should be backported to 2.0 and 2.1. - - (cherry picked from commit 140237471e408736bb7162e68c572c710a66a526) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/backend.c b/src/backend.c -index ebc5050cb..be081a5e1 100644 ---- a/src/backend.c -+++ b/src/backend.c -@@ -1295,6 +1295,7 @@ int connect_server(struct stream *s) - // see it possibly larger. - ALREADY_CHECKED(i); - -+ HA_SPIN_LOCK(OTHER_LOCK, &toremove_lock[tid]); - tokill_conn = MT_LIST_POP(&srv->idle_orphan_conns[i], - struct connection *, list); - if (tokill_conn) { -@@ -1305,6 +1306,7 @@ int connect_server(struct stream *s) - task_wakeup(idle_conn_cleanup[i], TASK_WOKEN_OTHER); - break; - } -+ HA_SPIN_UNLOCK(OTHER_LOCK, &toremove_lock[tid]); - } - } - diff --git a/net/haproxy/patches/003-MINOR-config-disable-busy-polling-on-old-processes.patch b/net/haproxy/patches/003-MINOR-config-disable-busy-polling-on-old-processes.patch deleted file mode 100644 index bdce8cdaf..000000000 --- a/net/haproxy/patches/003-MINOR-config-disable-busy-polling-on-old-processes.patch +++ /dev/null @@ -1,47 +0,0 @@ -commit 493c8d8d3c2f710d47b2bdd6a8ea582a84c1cf72 -Author: William Dauchy <w.dauchy@criteo.com> -Date: Sat Dec 28 15:36:02 2019 +0100 - - MINOR: config: disable busy polling on old processes - - in the context of seamless reload and busy polling, older processes will - create unecessary cpu conflicts; we can assume there is no need for busy - polling for old processes which are waiting to be terminated. - - This patch is not a bug fix itself but might be a good stability - improvment when you are un the context of frequent seamless reloads with - a high "hard-stop-after" value; for that reasons I think this patch - should be backported in all 2.x versions. - - Signed-off-by: William Dauchy <w.dauchy@criteo.com> - (cherry picked from commit 3894d97fb8b66e247c5a326c6b3aa75816c597dc) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index d34ed808b..3f381e386 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -1436,6 +1436,10 @@ busy-polling - prefixing it with the "no" keyword. It is ignored by the "select" and - "poll" pollers. - -+ This option is automatically disabled on old processes in the context of -+ seamless reload; it avoids too much cpu conflicts when multiple processes -+ stay around for some time waiting for the end of their current connections. -+ - max-spread-checks <delay in milliseconds> - By default, haproxy tries to spread the start of health checks across the - smallest health check interval of all the servers in a farm. The principle is -diff --git a/src/proxy.c b/src/proxy.c -index 7ba6b5839..1abd6654f 100644 ---- a/src/proxy.c -+++ b/src/proxy.c -@@ -1117,6 +1117,8 @@ void soft_stop(void) - struct task *task; - - stopping = 1; -+ /* disable busy polling to avoid cpu eating for the new process */ -+ global.tune.options &= ~GTUNE_BUSY_POLLING; - if (tick_isset(global.hard_stop_after)) { - task = task_new(MAX_THREADS_MASK); - if (task) { diff --git a/net/haproxy/patches/004-MINOR-ssl-Remove-unused-variable-need_out.patch b/net/haproxy/patches/004-MINOR-ssl-Remove-unused-variable-need_out.patch deleted file mode 100644 index 9730278ae..000000000 --- a/net/haproxy/patches/004-MINOR-ssl-Remove-unused-variable-need_out.patch +++ /dev/null @@ -1,39 +0,0 @@ -commit fbe15b7184da09c0d71051bf3978540f63aba5cc -Author: Olivier Houchard <cognet@ci0.org> -Date: Sun Jan 5 16:45:14 2020 +0100 - - MINOR: ssl: Remove unused variable "need_out". - - The "need_out" variable was used to let the ssl code know we're done - reading early data, and we should start the handshake. - Now that the handshake function is responsible for taking care of reading - early data, all that logic has been removed from ssl_sock_to_buf(), but - need_out was forgotten, and left. Remove it know. - This patch was submitted by William Dauchy <w.dauchy@criteo.com>, and should - fix github issue #434. - This should be backported to 2.0 and 2.1. - - (cherry picked from commit 7f4f7f140f6b03b61d1b38260962db235c42c121) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 7c62299a0..1fac2d905 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -6385,7 +6385,6 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu - * EINTR too. - */ - while (count > 0) { -- int need_out = 0; - - try = b_contig_space(buf); - if (!try) -@@ -6443,8 +6442,6 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu - /* otherwise it's a real error */ - goto out_error; - } -- if (need_out) -- break; - } - leave: - return done; diff --git a/net/haproxy/patches/005-BUG-MINOR-h1-Report-the-right-error-position-when-a-header-value-is-invalid.patch b/net/haproxy/patches/005-BUG-MINOR-h1-Report-the-right-error-position-when-a-header-value-is-invalid.patch deleted file mode 100644 index 4a8c2b1b8..000000000 --- a/net/haproxy/patches/005-BUG-MINOR-h1-Report-the-right-error-position-when-a-header-value-is-invalid.patch +++ /dev/null @@ -1,55 +0,0 @@ -commit e313c1bd5901b721bdfd23714c432235625a87a8 -Author: Christopher Faulet <cfaulet@haproxy.com> -Date: Mon Jan 6 13:41:01 2020 +0100 - - BUG/MINOR: h1: Report the right error position when a header value is invalid - - During H1 messages parsing, when the parser has finished to parse a full header - line, some tests are performed on its value, depending on its name, to be sure - it is valid. The content-length is checked and converted in integer and the host - header is also checked. If an error occurred during this step, the error - position must point on the header value. But from the parser point of view, we - are already on the start of the next header. Thus the effective reported - position in the error capture is the beginning of the unparsed header line. It - is a bit confusing when we try to figure out why a message is rejected. - - Now, the parser state is updated to point on the invalid value. This way, the - error position really points on the right position. - - This patch must be backported as far as 1.9. - - (cherry picked from commit 1703478e2dd6bd12bb03b0a0fdcc7cd4a611dafc) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/h1.c b/src/h1.c -index 15827db56..63fbee8c0 100644 ---- a/src/h1.c -+++ b/src/h1.c -@@ -819,6 +819,7 @@ int h1_headers_to_hdr_list(char *start, const char *stop, - - if (ret < 0) { - state = H1_MSG_HDR_L2_LWS; -+ ptr = v.ptr; /* Set ptr on the error */ - goto http_msg_invalid; - } - else if (ret == 0) { -@@ -841,16 +842,18 @@ int h1_headers_to_hdr_list(char *start, const char *stop, - if (authority.len && !isteqi(v, authority)) { - if (h1m->err_pos < -1) { - state = H1_MSG_HDR_L2_LWS; -+ ptr = v.ptr; /* Set ptr on the error */ - goto http_msg_invalid; - } - if (h1m->err_pos == -1) /* capture the error pointer */ -- h1m->err_pos = ptr - start + skip; /* >= 0 now */ -+ h1m->err_pos = v.ptr - start + skip; /* >= 0 now */ - } - host_idx = hdr_count; - } - else { - if (!isteqi(v, hdr[host_idx].v)) { - state = H1_MSG_HDR_L2_LWS; -+ ptr = v.ptr; /* Set ptr on the error */ - goto http_msg_invalid; - } - /* if the same host, skip it */ diff --git a/net/haproxy/patches/006-BUG-MINOR-proxy-Fix-input-data-copy-when-an-error-is-captured.patch b/net/haproxy/patches/006-BUG-MINOR-proxy-Fix-input-data-copy-when-an-error-is-captured.patch deleted file mode 100644 index f32c5ef67..000000000 --- a/net/haproxy/patches/006-BUG-MINOR-proxy-Fix-input-data-copy-when-an-error-is-captured.patch +++ /dev/null @@ -1,32 +0,0 @@ -commit 8015ba0c4a9333967059bdf7c302f7a71e5ec5ea -Author: Christopher Faulet <cfaulet@haproxy.com> -Date: Mon Jan 6 11:37:00 2020 +0100 - - BUG/MINOR: proxy: Fix input data copy when an error is captured - - In proxy_capture_error(), input data are copied in the error snapshot. The copy - must take care of the data wrapping. But the length of the first block is - wrong. It should be the amount of contiguous input data that can be copied - starting from the input's beginning. But the mininum between the input length - and the buffer size minus the input length is used instead. So it is a problem - if input data are wrapping or if more than the half of the buffer is used by - input data. - - This patch must be backported as far as 1.9. - - (cherry picked from commit 47a7210b9d377d91777f39241fab54d5f83b2728) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/proxy.c b/src/proxy.c -index 1abd6654f..2d02b1b5d 100644 ---- a/src/proxy.c -+++ b/src/proxy.c -@@ -1546,7 +1546,7 @@ void proxy_capture_error(struct proxy *proxy, int is_back, - es->buf_len = buf_len; - es->ev_id = ev_id; - -- len1 = b_size(buf) - buf_len; -+ len1 = b_size(buf) - b_peek_ofs(buf, buf_out); - if (len1 > buf_len) - len1 = buf_len; - diff --git a/net/haproxy/patches/007-BUG-MEDIUM-http-ana-Truncate-the-response-when-a-redirect-rule-is-applied.patch b/net/haproxy/patches/007-BUG-MEDIUM-http-ana-Truncate-the-response-when-a-redirect-rule-is-applied.patch deleted file mode 100644 index c3f57af25..000000000 --- a/net/haproxy/patches/007-BUG-MEDIUM-http-ana-Truncate-the-response-when-a-redirect-rule-is-applied.patch +++ /dev/null @@ -1,40 +0,0 @@ -commit 219f7cb9e3eb061103c3c013a6ecf13d38281247 -Author: Kevin Zhu <ip0tcp@gmail.com> -Date: Tue Jan 7 09:42:55 2020 +0100 - - BUG/MEDIUM: http-ana: Truncate the response when a redirect rule is applied - - When a redirect rule is executed on the response path, we must truncate the - received response. Otherwise, the redirect is appended after the response, which - is sent to the client. So it is obviously a bug because the redirect is not - performed. With bodyless responses, it is the "only" bug. But if the response - has a body, the result may be invalid. If the payload is not fully received yet - when the redirect is performed, an internal error is reported. - - It must be backported as far as 1.9. - - (cherry picked from commit 96b363963f4a4a63823718966798f177a72936b6) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/http_ana.c b/src/http_ana.c -index ee00d2c76..268796d2e 100644 ---- a/src/http_ana.c -+++ b/src/http_ana.c -@@ -2526,6 +2526,8 @@ int http_apply_redirect_rule(struct redirect_rule *rule, struct stream *s, struc - close = 1; - - htx = htx_from_buf(&res->buf); -+ /* Trim any possible response */ -+ channel_htx_truncate(&s->res, htx); - flags = (HTX_SL_F_IS_RESP|HTX_SL_F_VER_11|HTX_SL_F_XFER_LEN|HTX_SL_F_BODYLESS); - sl = htx_add_stline(htx, HTX_BLK_RES_SL, flags, ist("HTTP/1.1"), status, reason); - if (!sl) -@@ -2553,6 +2555,8 @@ int http_apply_redirect_rule(struct redirect_rule *rule, struct stream *s, struc - if (!htx_add_endof(htx, HTX_BLK_EOH) || !htx_add_endof(htx, HTX_BLK_EOM)) - goto fail; - -+ htx_to_buf(htx, &res->buf); -+ - /* let's log the request time */ - s->logs.tv_request = now; - diff --git a/net/haproxy/patches/008-BUG-MINOR-channel-inject-output-data-at-the-end-of-output.patch b/net/haproxy/patches/008-BUG-MINOR-channel-inject-output-data-at-the-end-of-output.patch deleted file mode 100644 index 8dec92fa9..000000000 --- a/net/haproxy/patches/008-BUG-MINOR-channel-inject-output-data-at-the-end-of-output.patch +++ /dev/null @@ -1,34 +0,0 @@ -commit a96cbaa1e30e23bf91b7a4fb46857b4b2823deea -Author: Christopher Faulet <cfaulet@haproxy.com> -Date: Tue Jan 7 10:01:57 2020 +0100 - - BUG/MINOR: channel: inject output data at the end of output - - In co_inject(), data must be inserted at the end of output, not the end of - input. For the record, this function does not take care of input data which are - supposed to not exist. But the caller may reset input data after or before the - call. It is its own choice. - - This bug, among other effects, is visible when a redirect is performed on - the response path, on legacy HTTP mode (so for HAProxy < 2.1). The redirect - response is appended after the server response when it should overwrite it. - - Thanks to Kevin Zhu <ip0tcp@gmail.com> to report the bug. It must be backported - as far as 1.9. - - (cherry picked from commit 584348be636fcc9f41b80ef0fde03c7899d75cd7) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/channel.c b/src/channel.c -index d4a46ffed..8b0854ef5 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -96,7 +96,7 @@ int co_inject(struct channel *chn, const char *msg, int len) - if (len > max) - return max; - -- memcpy(ci_tail(chn), msg, len); -+ memcpy(co_tail(chn), msg, len); - b_add(&chn->buf, len); - c_adv(chn, len); - chn->total += len; diff --git a/net/haproxy/patches/009-BUG-MEDIUM-session-do-not-report-a-failure-when-rejecting-a-session.patch b/net/haproxy/patches/009-BUG-MEDIUM-session-do-not-report-a-failure-when-rejecting-a-session.patch deleted file mode 100644 index e4bd2a1b1..000000000 --- a/net/haproxy/patches/009-BUG-MEDIUM-session-do-not-report-a-failure-when-rejecting-a-session.patch +++ /dev/null @@ -1,39 +0,0 @@ -commit 1d12549a19c06f84c934c87487a58b8f63d205ea -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Jan 7 18:03:09 2020 +0100 - - BUG/MEDIUM: session: do not report a failure when rejecting a session - - In session_accept_fd() we can perform a synchronous call to - conn_complete_session() and if it succeeds the connection is accepted - and turned into a session. If it fails we take it as an error while it - is not, in this case, it's just that a tcp-request rule has decided to - reject the incoming connection. The problem with reporting such an event - as an error is that the failed status is passed down to the listener code - which decides to disable accept() for 100ms in order to leave some time - for transient issues to vanish, and that's not what we want to do here. - - This fix must be backported as far as 1.7. In 1.7 the code is a bit - different as tcp_exec_l5_rules() is called directly from within - session_new_fd() and ret=0 must be assigned there. - - (cherry picked from commit e5891ca6c14c46d5f3a2169ede75b7fbb225216f) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/session.c b/src/session.c -index 126ba78a6..111fc61e3 100644 ---- a/src/session.c -+++ b/src/session.c -@@ -288,6 +288,12 @@ int session_accept_fd(struct listener *l, int cfd, struct sockaddr_storage *addr - if (conn_complete_session(cli_conn) >= 0) - return 1; - -+ /* if we reach here we have deliberately decided not to keep this -+ * session (e.g. tcp-request rule), so that's not an error we should -+ * try to protect against. -+ */ -+ ret = 0; -+ - /* error unrolling */ - out_free_sess: - /* prevent call to listener_release during session_free. It will be diff --git a/net/haproxy/patches/010-BUG-MINOR-stream-int-Dont-trigger-L7-retry-if-max-retries-is-already-reached.patch b/net/haproxy/patches/010-BUG-MINOR-stream-int-Dont-trigger-L7-retry-if-max-retries-is-already-reached.patch deleted file mode 100644 index 311937c02..000000000 --- a/net/haproxy/patches/010-BUG-MINOR-stream-int-Dont-trigger-L7-retry-if-max-retries-is-already-reached.patch +++ /dev/null @@ -1,37 +0,0 @@ -commit 48cd95b6a516562af382930adcc0eabfdb652487 -Author: Christopher Faulet <cfaulet@haproxy.com> -Date: Thu Jan 9 14:31:13 2020 +0100 - - BUG/MINOR: stream-int: Don't trigger L7 retry if max retries is already reached - - When an HTTP response is received, at the stream-interface level, if a L7 retry - must be triggered because of the status code, the response is trashed and a read - error is reported on the response channel. Then the stream handles this error - and perform the retry. Except if the maximum connection retries is reached. In - this case, an error is reported. Because the server response was already trashed - by the stream-interface, a generic 502 error is returned to the client instead - of the server's one. - - Now, the stream-interface triggers a L7 retry only if the maximum connection - retries is not already reached. Thus, at the end, the last server's response is - returned. - - This patch must be backported to 2.1 and 2.0. It should fix the issue #439. - - (cherry picked from commit 48726b78e57a69bfcdce624a3a5905c781d5eec0) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/stream_interface.c b/src/stream_interface.c -index 1d84ca9ad..012ac71e0 100644 ---- a/src/stream_interface.c -+++ b/src/stream_interface.c -@@ -1372,7 +1372,8 @@ int si_cs_recv(struct conn_stream *cs) - break; - } - -- if (si->flags & SI_FL_L7_RETRY) { -+ /* L7 retries enabled and maximum connection retries not reached */ -+ if ((si->flags & SI_FL_L7_RETRY) && si->conn_retries) { - struct htx *htx; - struct htx_sl *sl; - diff --git a/net/haproxy/patches/011-BUG-MEDIUM-tasks-Use-the-MT-macros-in-tasklet_free.patch b/net/haproxy/patches/011-BUG-MEDIUM-tasks-Use-the-MT-macros-in-tasklet_free.patch deleted file mode 100644 index 444cabbc6..000000000 --- a/net/haproxy/patches/011-BUG-MEDIUM-tasks-Use-the-MT-macros-in-tasklet_free.patch +++ /dev/null @@ -1,30 +0,0 @@ -commit 5e06a678544b1fde2517a10041e802265f098e0b -Author: Olivier Houchard <ohouchard@haproxy.com> -Date: Fri Jan 10 16:46:48 2020 +0100 - - BUG/MEDIUM: tasks: Use the MT macros in tasklet_free(). - - In tasklet_free(), to attempt to remove ourself, use MT_LIST_DEL, we can't - just use LIST_DEL(), as we theorically could be in the shared tasklet list. - - This should be backported to 2.1. - - (cherry picked from commit 3c4f40acbf6cd33b874b224a89ee2a64eb3035d5) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/include/proto/task.h b/include/proto/task.h -index bba71930c..f237d0dd2 100644 ---- a/include/proto/task.h -+++ b/include/proto/task.h -@@ -397,10 +397,8 @@ static inline void task_destroy(struct task *t) - /* Should only be called by the thread responsible for the tasklet */ - static inline void tasklet_free(struct tasklet *tl) - { -- if (!LIST_ISEMPTY(&tl->list)) { -- LIST_DEL(&tl->list); -+ if (MT_LIST_DEL((struct mt_list *)&tl->list)) - _HA_ATOMIC_SUB(&tasks_run_queue, 1); -- } - - pool_free(pool_head_tasklet, tl); - if (unlikely(stopping)) diff --git a/net/haproxy/patches/012-BUG-MINOR-mux-h2-use-a-safe-list_for_each_entry-in-h2_send.patch b/net/haproxy/patches/012-BUG-MINOR-mux-h2-use-a-safe-list_for_each_entry-in-h2_send.patch deleted file mode 100644 index c96da6b45..000000000 --- a/net/haproxy/patches/012-BUG-MINOR-mux-h2-use-a-safe-list_for_each_entry-in-h2_send.patch +++ /dev/null @@ -1,153 +0,0 @@ -commit 449f28322fb45688dacc80bead89fe75f3dd75db -Author: Willy Tarreau <w@1wt.eu> -Date: Fri Jan 10 17:01:29 2020 +0100 - - BUG/MINOR: mux-h2: use a safe list_for_each_entry in h2_send() - - h2_send() uses list_for_each_entry() to scan paused streams and resume - them, but happily deletes any leftover from a previous failed unsubscribe, - which is obviously not safe and would corrupt the list. In practice this - is a proof that this doesn't happen, but it's not the best way to prove it. - In order to fix this and reduce the maintenance burden caused by code - duplication (this list walk exists at 3 places), let's introduce a new - function h2_resume_each_sending_h2s() doing exactly this and use it at - all 3 places. - - This bug was introduced as a side effect of fix 998410a41b ("BUG/MEDIUM: - h2: Revamp the way send subscriptions works.") so it should be backported - as far as 1.9. - - (cherry picked from commit 989539b048bef502a474553a8e330a3d318edb6c) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/mux_h2.c b/src/mux_h2.c -index be9dae928..92a50da24 100644 ---- a/src/mux_h2.c -+++ b/src/mux_h2.c -@@ -3251,13 +3251,41 @@ static void h2_process_demux(struct h2c *h2c) - TRACE_LEAVE(H2_EV_H2C_WAKE, h2c->conn); - } - -+/* resume each h2s eligible for sending in list head <head> */ -+static void h2_resume_each_sending_h2s(struct h2c *h2c, struct list *head) -+{ -+ struct h2s *h2s, *h2s_back; -+ -+ TRACE_ENTER(H2_EV_H2C_SEND|H2_EV_H2S_WAKE, h2c->conn); -+ -+ list_for_each_entry_safe(h2s, h2s_back, head, list) { -+ if (h2c->mws <= 0 || -+ h2c->flags & H2_CF_MUX_BLOCK_ANY || -+ h2c->st0 >= H2_CS_ERROR) -+ break; -+ -+ h2s->flags &= ~H2_SF_BLK_ANY; -+ /* For some reason, the upper layer failed to subscribe again, -+ * so remove it from the send_list -+ */ -+ if (!h2s->send_wait) { -+ LIST_DEL_INIT(&h2s->list); -+ continue; -+ } -+ -+ h2s->send_wait->events &= ~SUB_RETRY_SEND; -+ LIST_ADDQ(&h2c->sending_list, &h2s->sending_list); -+ tasklet_wakeup(h2s->send_wait->tasklet); -+ } -+ -+ TRACE_LEAVE(H2_EV_H2C_SEND|H2_EV_H2S_WAKE, h2c->conn); -+} -+ - /* process Tx frames from streams to be multiplexed. Returns > 0 if it reached - * the end. - */ - static int h2_process_mux(struct h2c *h2c) - { -- struct h2s *h2s, *h2s_back; -- - TRACE_ENTER(H2_EV_H2C_WAKE, h2c->conn); - - if (unlikely(h2c->st0 < H2_CS_FRAME_H)) { -@@ -3290,47 +3318,8 @@ static int h2_process_mux(struct h2c *h2c) - * waiting there were already elected for immediate emission but were - * blocked just on this. - */ -- -- list_for_each_entry_safe(h2s, h2s_back, &h2c->fctl_list, list) { -- if (h2c->mws <= 0 || h2c->flags & H2_CF_MUX_BLOCK_ANY || -- h2c->st0 >= H2_CS_ERROR) -- break; -- -- if (LIST_ADDED(&h2s->sending_list)) -- continue; -- -- h2s->flags &= ~H2_SF_BLK_ANY; -- /* For some reason, the upper layer failed to subsribe again, -- * so remove it from the send_list -- */ -- if (!h2s->send_wait) { -- LIST_DEL_INIT(&h2s->list); -- continue; -- } -- h2s->send_wait->events &= ~SUB_RETRY_SEND; -- LIST_ADDQ(&h2c->sending_list, &h2s->sending_list); -- tasklet_wakeup(h2s->send_wait->tasklet); -- } -- -- list_for_each_entry_safe(h2s, h2s_back, &h2c->send_list, list) { -- if (h2c->st0 >= H2_CS_ERROR || h2c->flags & H2_CF_MUX_BLOCK_ANY) -- break; -- -- if (LIST_ADDED(&h2s->sending_list)) -- continue; -- -- /* For some reason, the upper layer failed to subsribe again, -- * so remove it from the send_list -- */ -- if (!h2s->send_wait) { -- LIST_DEL_INIT(&h2s->list); -- continue; -- } -- h2s->flags &= ~H2_SF_BLK_ANY; -- h2s->send_wait->events &= ~SUB_RETRY_SEND; -- LIST_ADDQ(&h2c->sending_list, &h2s->sending_list); -- tasklet_wakeup(h2s->send_wait->tasklet); -- } -+ h2_resume_each_sending_h2s(h2c, &h2c->fctl_list); -+ h2_resume_each_sending_h2s(h2c, &h2c->send_list); - - fail: - if (unlikely(h2c->st0 >= H2_CS_ERROR)) { -@@ -3514,30 +3503,9 @@ static int h2_send(struct h2c *h2c) - /* We're not full anymore, so we can wake any task that are waiting - * for us. - */ -- if (!(h2c->flags & (H2_CF_MUX_MFULL | H2_CF_DEM_MROOM)) && h2c->st0 >= H2_CS_FRAME_H) { -- struct h2s *h2s; -- -- list_for_each_entry(h2s, &h2c->send_list, list) { -- if (h2c->st0 >= H2_CS_ERROR || h2c->flags & H2_CF_MUX_BLOCK_ANY) -- break; -- -- if (LIST_ADDED(&h2s->sending_list)) -- continue; -+ if (!(h2c->flags & (H2_CF_MUX_MFULL | H2_CF_DEM_MROOM)) && h2c->st0 >= H2_CS_FRAME_H) -+ h2_resume_each_sending_h2s(h2c, &h2c->send_list); - -- /* For some reason, the upper layer failed to subsribe again, -- * so remove it from the send_list -- */ -- if (!h2s->send_wait) { -- LIST_DEL_INIT(&h2s->list); -- continue; -- } -- h2s->flags &= ~H2_SF_BLK_ANY; -- h2s->send_wait->events &= ~SUB_RETRY_SEND; -- TRACE_DEVEL("waking up pending stream", H2_EV_H2C_SEND|H2_EV_H2S_WAKE, h2c->conn, h2s); -- tasklet_wakeup(h2s->send_wait->tasklet); -- LIST_ADDQ(&h2c->sending_list, &h2s->sending_list); -- } -- } - /* We're done, no more to send */ - if (!br_data(h2c->mbuf)) { - TRACE_DEVEL("leaving with everything sent", H2_EV_H2C_SEND, h2c->conn); diff --git a/net/haproxy/patches/013-BUG-MEDIUM-mux-h2-fix-missing-test-on-sending_list-in-previous-patch.patch b/net/haproxy/patches/013-BUG-MEDIUM-mux-h2-fix-missing-test-on-sending_list-in-previous-patch.patch deleted file mode 100644 index 1457cbd54..000000000 --- a/net/haproxy/patches/013-BUG-MEDIUM-mux-h2-fix-missing-test-on-sending_list-in-previous-patch.patch +++ /dev/null @@ -1,32 +0,0 @@ -commit d6c19ac2c0458445e521fd08eded304c26eecfe7 -Author: Willy Tarreau <w@1wt.eu> -Date: Fri Jan 10 18:20:15 2020 +0100 - - BUG/MEDIUM: mux-h2: fix missing test on sending_list in previous patch - - Previous commit 989539b048 ("BUG/MINOR: mux-h2: use a safe - list_for_each_entry in h2_send()") accidently lost its sending_list test, - resulting in some elements to be woken up again while already in the - sending_list and h2_unsubscribe() crashing on integrity tests (only - when built with DEBUG_DEV). - - If the fix above is backported this one must be as well. - - (cherry picked from commit 70c5b0e5fd5ad243f4645b37a0f89068de97e90e) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/mux_h2.c b/src/mux_h2.c -index 92a50da24..d46a316ac 100644 ---- a/src/mux_h2.c -+++ b/src/mux_h2.c -@@ -3265,6 +3265,10 @@ static void h2_resume_each_sending_h2s(struct h2c *h2c, struct list *head) - break; - - h2s->flags &= ~H2_SF_BLK_ANY; -+ -+ if (LIST_ADDED(&h2s->sending_list)) -+ continue; -+ - /* For some reason, the upper layer failed to subscribe again, - * so remove it from the send_list - */ diff --git a/net/haproxy/patches/014-BUG-MEDIUM-mux-h2-dont-stop-sending-when-crossing-a-buffer-boundary.patch b/net/haproxy/patches/014-BUG-MEDIUM-mux-h2-dont-stop-sending-when-crossing-a-buffer-boundary.patch deleted file mode 100644 index 4457f80a3..000000000 --- a/net/haproxy/patches/014-BUG-MEDIUM-mux-h2-dont-stop-sending-when-crossing-a-buffer-boundary.patch +++ /dev/null @@ -1,79 +0,0 @@ -commit eb134e46e41b06f6022f1c9a481205a8180515bd -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Jan 14 11:42:59 2020 +0100 - - BUG/MEDIUM: mux-h2: don't stop sending when crossing a buffer boundary - - In version 2.0, after commit 9c218e7521 ("MAJOR: mux-h2: switch to next - mux buffer on buffer full condition."), the H2 mux started to use a ring - buffer for the output data in order to reduce competition between streams. - However, one corner case was suboptimally covered: when crossing a buffer - boundary, we have to shrink the outgoing frame size to the one left in - the output buffer, but this shorter size is later used as a signal of - incomplete send due to a buffer full condition (which used to be true when - using a single buffer). As a result, function h2s_frt_make_resp_data() - used to return less than requested, which in turn would cause h2_snd_buf() - to stop sending and leave some unsent data in the buffer, and si_cs_send() - to subscribe for sending more later. - - But it goes a bit further than this, because subscribing to send again - causes the mux's send_list not to be empty anymore, hence extra streams - can be denied the access to the mux till the first stream is woken again. - This causes a nasty wakeup-sleep dance between streams that makes it - totally impractical to try to remove the sending list. A test showed - that it was possible to observe 3 million h2_snd_buf() giveups for only - 100k requests when using 100 concurrent streams on 20kB objects. - - It doesn't seem likely that a stream could get blocked and time out due - to this bug, though it's not possible either to demonstrate the opposite. - One risk is that incompletely sent streams do not have any blocking flags - so they may not be identified as blocked. However on first scan of the - send_list they meet all conditions for a wakeup. - - This patch simply allows to continue on a new frame after a partial - frame. with only this change, the number of failed h2_snd_buf() was - divided by 800 (4% of calls). And by slightly increasing the H2C_MBUF_CNT - size, it can go down to zero. - - This fix must be backported to 2.1 and 2.0. - - (cherry picked from commit c7ce4e3e7fb2d7f9f037b4df318df7d6e23e8f7a) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/mux_h2.c b/src/mux_h2.c -index d46a316ac..8a82f60fd 100644 ---- a/src/mux_h2.c -+++ b/src/mux_h2.c -@@ -5157,6 +5157,7 @@ static size_t h2s_frt_make_resp_data(struct h2s *h2s, struct buffer *buf, size_t - struct htx_blk *blk; - enum htx_blk_type type; - int idx; -+ int trunc_out; /* non-zero if truncated on out buf */ - - TRACE_ENTER(H2_EV_TX_FRAME|H2_EV_TX_DATA, h2c->conn, h2s); - -@@ -5183,6 +5184,7 @@ static size_t h2s_frt_make_resp_data(struct h2s *h2s, struct buffer *buf, size_t - type = htx_get_blk_type(blk); // DATA or EOM - bsize = htx_get_blksz(blk); - fsize = bsize; -+ trunc_out = 0; - - if (type == HTX_BLK_EOM) { - if (h2s->flags & H2_SF_ES_SENT) { -@@ -5345,6 +5347,7 @@ static size_t h2s_frt_make_resp_data(struct h2s *h2s, struct buffer *buf, size_t - b_data(mbuf) <= MAX_DATA_REALIGN) - goto realign_again; - fsize = outbuf.size - 9; -+ trunc_out = 1; - - if (fsize <= 0) { - /* no need to send an empty frame here */ -@@ -5402,6 +5405,8 @@ static size_t h2s_frt_make_resp_data(struct h2s *h2s, struct buffer *buf, size_t - } else { - /* we've truncated this block */ - htx_cut_data_blk(htx, blk, fsize); -+ if (trunc_out) -+ goto new_frame; - } - - if (es_now) { diff --git a/net/haproxy/patches/015-BUG-MINOR-cli-mworker-cant-start-haproxy-with-2-programs.patch b/net/haproxy/patches/015-BUG-MINOR-cli-mworker-cant-start-haproxy-with-2-programs.patch deleted file mode 100644 index 5acb1f3bb..000000000 --- a/net/haproxy/patches/015-BUG-MINOR-cli-mworker-cant-start-haproxy-with-2-programs.patch +++ /dev/null @@ -1,37 +0,0 @@ -commit 796ff4d975bde2bb7fda2876a31bbdc697c2b2ba -Author: William Lallemand <wlallemand@haproxy.com> -Date: Tue Jan 14 15:25:02 2020 +0100 - - BUG/MINOR: cli/mworker: can't start haproxy with 2 programs - - When trying to start HAProxy with the master CLI and more than one - program in the configuration, it refuses to start with: - - [ALERT] 013/132926 (1378) : parsing [cur--1:0] : proxy 'MASTER', another server named 'cur--1' was already defined at line 0, please use distinct names. - [ALERT] 013/132926 (1378) : Fatal errors found in configuration. - - The problem is that haproxy tries to create a server for the MASTER - proxy but only the worker are supposed to be in the server list. - - Fix issue #446. - - Must be backported as far as 2.0. - - (cherry picked from commit a31b09e982a76cdf8761edb25d1569cb76a8ff37) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/cli.c b/src/cli.c -index 77db8be88..d68e2b299 100644 ---- a/src/cli.c -+++ b/src/cli.c -@@ -2455,6 +2455,10 @@ int mworker_cli_proxy_create() - int port1, port2, port; - struct protocol *proto; - -+ /* only the workers support the master CLI */ -+ if (!(child->options & PROC_O_TYPE_WORKER)) -+ continue; -+ - newsrv = new_server(mworker_proxy); - if (!newsrv) - goto error; diff --git a/net/haproxy/patches/016-REGTEST-mcli-mcli_start_progs-start-2-programs.patch b/net/haproxy/patches/016-REGTEST-mcli-mcli_start_progs-start-2-programs.patch deleted file mode 100644 index b53669569..000000000 --- a/net/haproxy/patches/016-REGTEST-mcli-mcli_start_progs-start-2-programs.patch +++ /dev/null @@ -1,60 +0,0 @@ -commit df8af5b0953791cb27c73a7f67b8101fedab4ca0 -Author: William Lallemand <wlallemand@haproxy.com> -Date: Tue Jan 14 15:38:43 2020 +0100 - - REGTEST: mcli/mcli_start_progs: start 2 programs - - This regtest tests the issue #446 by starting 2 programs and checking if - they exist in the "show proc" of the master CLI. - - Should be backported as far as 2.0. - - (cherry picked from commit 25b569302167e71b32e569a2366027e8e320e80a) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/reg-tests/mcli/mcli_start_progs.vtc b/reg-tests/mcli/mcli_start_progs.vtc -new file mode 100644 -index 000000000..bda9b9601 ---- /dev/null -+++ b/reg-tests/mcli/mcli_start_progs.vtc -@@ -0,0 +1,40 @@ -+varnishtest "Try to start a master CLI with 2 programs" -+#REGTEST_TYPE=bug -+#REQUIRE_VERSION=2.0 -+#REQUIRE_BINARIES=sleep -+ -+feature ignore_unknown_macro -+ -+# Do nothing. Is there only to create s1_* macros -+server s1 { -+} -start -+ -+haproxy h1 -W -S -conf { -+ global -+ nbproc 1 -+ defaults -+ mode http -+ ${no-htx} option http-use-htx -+ timeout connect 1s -+ timeout client 1s -+ timeout server 1s -+ -+ frontend myfrontend -+ bind "fd@${my_fe}" -+ default_backend test -+ -+ backend test -+ server www1 ${s1_addr}:${s1_port} -+ -+ program foo -+ command sleep 10 -+ -+ program bar -+ command sleep 10 -+ -+} -start -+ -+haproxy h1 -mcli { -+ send "show proc" -+ expect ~ ".*foo.*\n.*bar.*\n" -+} -wait diff --git a/net/haproxy/patches/017-BUG-MEDIUM-mworker-remain-in-mworker-mode-during-reload.patch b/net/haproxy/patches/017-BUG-MEDIUM-mworker-remain-in-mworker-mode-during-reload.patch deleted file mode 100644 index 67ac115ca..000000000 --- a/net/haproxy/patches/017-BUG-MEDIUM-mworker-remain-in-mworker-mode-during-reload.patch +++ /dev/null @@ -1,37 +0,0 @@ -commit 6869fa88766cdb07564f321905c39f191da9035b -Author: William Lallemand <wlallemand@haproxy.com> -Date: Tue Jan 14 17:58:18 2020 +0100 - - BUG/MEDIUM: mworker: remain in mworker mode during reload - - If you reload an haproxy started in master-worker mode with - "master-worker" in the configuration, and no "-W" argument, - the new process lost the fact that is was in master-worker mode - resulting in weird behaviors. - - The bigest problem is that if it is reloaded with an bad configuration, - the master will exits instead of remaining in waitpid mode. - - This problem was discovered in bug #443. - - Should be backported in every version using the master-worker mode. - (as far as 1.8) - - (cherry picked from commit 24c928c8bd86f6899d39dd5cd04b3e50b4b993a8) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/haproxy.c b/src/haproxy.c -index 10ba128d0..a66a184dc 100644 ---- a/src/haproxy.c -+++ b/src/haproxy.c -@@ -1501,6 +1501,10 @@ static void init(int argc, char **argv) - memcpy(localpeer, hostname, (sizeof(hostname) > sizeof(localpeer) ? sizeof(localpeer) : sizeof(hostname)) - 1); - setenv("HAPROXY_LOCALPEER", localpeer, 1); - -+ /* we were in mworker mode, we should restart in mworker mode */ -+ if (getenv("HAPROXY_MWORKER_REEXEC") != NULL) -+ global.mode |= MODE_MWORKER; -+ - /* - * Initialize the previously static variables. - */ diff --git a/net/haproxy/patches/018-BUG-MEDIUM-mux_h1-Dont-call-h1_send-if-we-subscribed.patch b/net/haproxy/patches/018-BUG-MEDIUM-mux_h1-Dont-call-h1_send-if-we-subscribed.patch deleted file mode 100644 index 2b2bc15e1..000000000 --- a/net/haproxy/patches/018-BUG-MEDIUM-mux_h1-Dont-call-h1_send-if-we-subscribed.patch +++ /dev/null @@ -1,31 +0,0 @@ -commit da6d362ab057217dfdd61a581c6596af4d0ac767 -Author: Olivier Houchard <cognet@ci0.org> -Date: Wed Jan 15 19:13:32 2020 +0100 - - BUG/MEDIUM: mux_h1: Don't call h1_send if we subscribed(). - - In h1_snd_buf(), only attempt to call h1_send() if we haven't - already subscribed. - It makes no sense to do it if we subscribed, as we know we failed - to send before, and will create a useless call to sendto(), and - in 2.2, the call to raw_sock_from_buf() will disable polling if - it is enabled. - - This should be backported to 2.2, 2.1, 2.0 and 1.9. - - (cherry picked from commit 68787ef70a2e0fe19d0ab753dab8ed5c90cb4398) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/mux_h1.c b/src/mux_h1.c -index b44204845..d93a7eab5 100644 ---- a/src/mux_h1.c -+++ b/src/mux_h1.c -@@ -2670,7 +2670,7 @@ static size_t h1_snd_buf(struct conn_stream *cs, struct buffer *buf, size_t coun - break; - total += ret; - count -= ret; -- if (!h1_send(h1c)) -+ if ((h1c->wait_event.events & SUB_RETRY_SEND) || !h1_send(h1c)) - break; - } - diff --git a/net/haproxy/patches/019-BUG-MAJOR-hashes-fix-the-signedness-of-the-hash-inputs.patch b/net/haproxy/patches/019-BUG-MAJOR-hashes-fix-the-signedness-of-the-hash-inputs.patch deleted file mode 100644 index 969a5ad5d..000000000 --- a/net/haproxy/patches/019-BUG-MAJOR-hashes-fix-the-signedness-of-the-hash-inputs.patch +++ /dev/null @@ -1,141 +0,0 @@ -commit e1275ddb8b427c88fb3cb3d8f7cd6ec576ce1e2d -Author: Willy Tarreau <w@1wt.eu> -Date: Wed Jan 15 10:54:42 2020 +0100 - - BUG/MAJOR: hashes: fix the signedness of the hash inputs - - Wietse Venema reported in the thread below that we have a signedness - issue with our hashes implementations: due to the use of const char* - for the input key that's often text, the crc32, sdbm, djb2, and wt6 - algorithms return a platform-dependent value for binary input keys - containing bytes with bit 7 set. This means that an ARM or PPC - platform will hash binary inputs differently from an x86 typically. - Worse, some algorithms are well defined in the industry (like CRC32) - and do not provide the expected result on x86, possibly causing - interoperability issues (e.g. a user-agent would fail to compare the - CRC32 of a message body against the one computed by haproxy). - - Fortunately, and contrary to the first impression, the CRC32c variant - used in the PROXY protocol processing is not affected. Thus the impact - remains very limited (the vast majority of input keys are text-based, - such as user-agent headers for exmaple). - - This patch addresses the issue by fixing all hash functions' prototypes - (even those not affected, for API consistency). A reg test will follow - in another patch. - - The vast majority of users do not use these hashes. And among those - using them, very few will pass them on binary inputs. However, for the - rare ones doing it, this fix MAY have an impact during the upgrade. For - example if the package is upgraded on one LB then on another one, and - the CRC32 of a binary input is used as a stick table key (why?) then - these CRCs will not match between both nodes. Similarly, if - "hash-type ... crc32" is used, LB inconsistency may appear during the - transition. For this reason it is preferable to apply the patch on all - nodes using such hashes at the same time. Systems upgraded via their - distros will likely observe the least impact since they're expected to - be upgraded within a short time frame. - - And it is important for distros NOT to skip this fix, in order to avoid - distributing an incompatible implementation of a hash. This is the - reason why this patch is tagged as MAJOR, eventhough it's extremely - unlikely that anyone will ever notice a change at all. - - This patch must be backported to all supported branches since the - hashes were introduced in 1.5-dev20 (commit 98634f0c). Some parts - may be dropped since implemented later. - - Link to Wietse's report: - https://marc.info/?l=postfix-users&m=157879464518535&w=2 - - (cherry picked from commit 340b07e8686ed0095291e937628d064bdcc7a3dd) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/include/common/hash.h b/include/common/hash.h -index 78fd87b96..c17f8c9ff 100644 ---- a/include/common/hash.h -+++ b/include/common/hash.h -@@ -24,10 +24,10 @@ - - #include <inttypes.h> - --unsigned int hash_djb2(const char *key, int len); --unsigned int hash_wt6(const char *key, int len); --unsigned int hash_sdbm(const char *key, int len); --unsigned int hash_crc32(const char *key, int len); --uint32_t hash_crc32c(const char *key, int len); -+unsigned int hash_djb2(const void *input, int len); -+unsigned int hash_wt6(const void *input, int len); -+unsigned int hash_sdbm(const void *input, int len); -+unsigned int hash_crc32(const void *input, int len); -+uint32_t hash_crc32c(const void *input, int len); - - #endif /* _COMMON_HASH_H_ */ -diff --git a/src/hash.c b/src/hash.c -index 70451579b..8984ef36d 100644 ---- a/src/hash.c -+++ b/src/hash.c -@@ -17,8 +17,9 @@ - #include <common/hash.h> - - --unsigned int hash_wt6(const char *key, int len) -+unsigned int hash_wt6(const void *input, int len) - { -+ const unsigned char *key = input; - unsigned h0 = 0xa53c965aUL; - unsigned h1 = 0x5ca6953aUL; - unsigned step0 = 6; -@@ -27,7 +28,7 @@ unsigned int hash_wt6(const char *key, int len) - for (; len > 0; len--) { - unsigned int t; - -- t = ((unsigned int)*key); -+ t = *key; - key++; - - h0 = ~(h0 ^ t); -@@ -44,8 +45,9 @@ unsigned int hash_wt6(const char *key, int len) - return h0 ^ h1; - } - --unsigned int hash_djb2(const char *key, int len) -+unsigned int hash_djb2(const void *input, int len) - { -+ const unsigned char *key = input; - unsigned int hash = 5381; - - /* the hash unrolled eight times */ -@@ -72,8 +74,9 @@ unsigned int hash_djb2(const char *key, int len) - return hash; - } - --unsigned int hash_sdbm(const char *key, int len) -+unsigned int hash_sdbm(const void *input, int len) - { -+ const unsigned char *key = input; - unsigned int hash = 0; - int c; - -@@ -92,8 +95,9 @@ unsigned int hash_sdbm(const char *key, int len) - * this hash already sustains gigabit speed which is far faster than what - * we'd ever need. Better preserve the CPU's cache instead. - */ --unsigned int hash_crc32(const char *key, int len) -+unsigned int hash_crc32(const void *input, int len) - { -+ const unsigned char *key = input; - unsigned int hash; - int bit; - -@@ -174,8 +178,9 @@ static const uint32_t crctable[256] = { - 0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L, 0xAD7D5351L - }; - --uint32_t hash_crc32c(const char *buf, int len) -+uint32_t hash_crc32c(const void *input, int len) - { -+ const unsigned char *buf = input; - uint32_t crc = 0xffffffff; - while (len-- > 0) { - crc = (crc >> 8) ^ crctable[(crc ^ (*buf++)) & 0xff]; diff --git a/net/haproxy/patches/020-REGTEST-add-sample_fetches-hashes-vtc-to-validate-hashes.patch b/net/haproxy/patches/020-REGTEST-add-sample_fetches-hashes-vtc-to-validate-hashes.patch deleted file mode 100644 index a72ec440e..000000000 --- a/net/haproxy/patches/020-REGTEST-add-sample_fetches-hashes-vtc-to-validate-hashes.patch +++ /dev/null @@ -1,127 +0,0 @@ -commit 2a8ac8c1000ffe0e2e874146aed012409a0ce251 -Author: Willy Tarreau <w@1wt.eu> -Date: Wed Jan 15 11:31:01 2020 +0100 - - REGTEST: add sample_fetches/hashes.vtc to validate hashes - - This regtest validates all hashes that we support, on all input bytes from - 0x00 to 0xFF. Those supporting avalanche are tested as well. It also tests - len(), hex() and base64(). It purposely does not enable sha2() because this - one relies on OpenSSL and there's no point in validating that OpenSSL knows - how to hash, what matters is that we can test our hashing functions in all - cases. However since the tests were written, they're still present and - commented out in case that helps. - - It may be backported to supported versions, possibly dropping a few algos - that were not supported (e.g. crc32c requires 1.9 minimum). - - Note that this test will fail on crc32/djb2/sdbm/wt6 unless patches - "BUG/MINOR: stream: init variables when the list is empty" and - "BUG/MAJOR: hashes: fix the signedness of the hash inputs" are included. - - (cherry picked from commit ec9ac54982841d49859747f6a535bf7444284bc3) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/reg-tests/sample_fetches/hashes.vtc b/reg-tests/sample_fetches/hashes.vtc -new file mode 100644 -index 000000000..874f81e41 ---- /dev/null -+++ b/reg-tests/sample_fetches/hashes.vtc -@@ -0,0 +1,97 @@ -+varnishtest "Hash validity test" -+ -+#REQUIRE_VERSION=1.9 -+ -+feature ignore_unknown_macro -+ -+server s1 { -+ rxreq -+ txresp -+} -start -+ -+haproxy h1 -conf { -+ defaults -+ mode http -+ timeout connect 1s -+ timeout client 1s -+ timeout server 1s -+ -+ frontend fe -+ bind "fd@${fe}" -+ -+ # base64 encoding of \x00\x01\x02...\xFF -+ http-response set-var(res.key) "str(AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/w==),b64dec" -+ -+ # length (start:0, next:255) -+ http-response set-header x-len0 "%[var(res.key),length]" -+ http-response set-header x-len1 "%[var(res.key),bytes(1),length]" -+ -+ # text-based encoding -+ http-response set-header x-hex "%[var(res.key),hex]" -+ http-response set-header x-b64 "%[var(res.key),base64]" -+ -+ # SHA family -+ http-response set-header x-sha1 "%[var(res.key),sha1,hex]" -+ #http-response set-header x-sha2 "%[var(res.key),sha2,hex]" -+ #http-response set-header x-sha2-224 "%[var(res.key),sha2(224),hex]" -+ #http-response set-header x-sha2-256 "%[var(res.key),sha2(256),hex]" -+ #http-response set-header x-sha2-384 "%[var(res.key),sha2(384),hex]" -+ #http-response set-header x-sha2-512 "%[var(res.key),sha2(512),hex]" -+ -+ # 32-bit hashes, and their avalanche variants -+ http-response set-header x-crc32 "%[var(res.key),crc32]" -+ http-response set-header x-crc32-1 "%[var(res.key),crc32(1)]" -+ -+ http-response set-header x-crc32c "%[var(res.key),crc32c]" -+ http-response set-header x-crc32c-1 "%[var(res.key),crc32c(1)]" -+ -+ http-response set-header x-djb2 "%[var(res.key),djb2]" -+ http-response set-header x-djb2-1 "%[var(res.key),djb2(1)]" -+ -+ http-response set-header x-sdbm "%[var(res.key),sdbm]" -+ http-response set-header x-sdbm-1 "%[var(res.key),sdbm(1)]" -+ -+ http-response set-header x-wt6 "%[var(res.key),wt6]" -+ http-response set-header x-wt6-1 "%[var(res.key),wt6(1)]" -+ -+ # 32/64-bit hashes, with seed variant -+ http-response set-header x-xxh32 "%[var(res.key),xxh32]" -+ http-response set-header x-xxh32-1 "%[var(res.key),xxh32(1)]" -+ http-response set-header x-xxh64 "%[var(res.key),xxh64]" -+ http-response set-header x-xxh64-1 "%[var(res.key),xxh64(1)]" -+ default_backend be -+ -+ backend be -+ server srv1 ${s1_addr}:${s1_port} -+} -start -+ -+client c1 -connect ${h1_fe_sock} { -+ txreq -url "/" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.x-len0 == "0" -+ expect resp.http.x-len1 == "255" -+ expect resp.http.x-hex == "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF" -+ expect resp.http.x-b64 == "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/w==" -+ -+ expect resp.http.x-sha1 == "4916D6BDB7F78E6803698CAB32D1586EA457DFC8" -+ #expect resp.http.x-sha2 == "40AFF2E9D2D8922E47AFD4648E6967497158785FBD1DA870E7110266BF944880" -+ #expect resp.http.x-sha2-224 == "88702E63237824C4EB0D0FCFE41469A462493E8BEB2A75BBE5981734" -+ #expect resp.http.x-sha2-256 == "40AFF2E9D2D8922E47AFD4648E6967497158785FBD1DA870E7110266BF944880" -+ #expect resp.http.x-sha2-384 == "FFDAEBFF65ED05CF400F0221C4CCFB4B2104FB6A51F87E40BE6C4309386BFDEC2892E9179B34632331A59592737DB5C5" -+ #expect resp.http.x-sha2-512 == "1E7B80BC8EDC552C8FEEB2780E111477E5BC70465FAC1A77B29B35980C3F0CE4A036A6C9462036824BD56801E62AF7E9FEBA5C22ED8A5AF877BF7DE117DCAC6D" -+ expect resp.http.x-crc32 == "688229491" -+ expect resp.http.x-crc32-1 == "4230317029" -+ expect resp.http.x-crc32c == "2621708363" -+ expect resp.http.x-crc32c-1 == "2242979626" -+ expect resp.http.x-djb2 == "2589693061" -+ expect resp.http.x-djb2-1 == "600622701" -+ expect resp.http.x-sdbm == "905707648" -+ expect resp.http.x-sdbm-1 == "3103804144" -+ expect resp.http.x-wt6 == "4090277559" -+ expect resp.http.x-wt6-1 == "1192658767" -+ expect resp.http.x-xxh32 == "1497633363" -+ expect resp.http.x-xxh32-1 == "1070421674" -+ expect resp.http.x-xxh64 == "2282408585429094475" -+ expect resp.http.x-xxh64-1 == "-4689339368900765961" -+} -run diff --git a/net/haproxy/patches/021-BUG-MEDIUM-cli-_getsocks-must-send-the-peers-sockets.patch b/net/haproxy/patches/021-BUG-MEDIUM-cli-_getsocks-must-send-the-peers-sockets.patch deleted file mode 100644 index 0c4e385d5..000000000 --- a/net/haproxy/patches/021-BUG-MEDIUM-cli-_getsocks-must-send-the-peers-sockets.patch +++ /dev/null @@ -1,156 +0,0 @@ -commit 53f802b06a8c165c39cb1b9a3455366e1293d1ed -Author: William Lallemand <wlallemand@haproxy.org> -Date: Thu Jan 16 15:32:08 2020 +0100 - - BUG/MEDIUM: cli: _getsocks must send the peers sockets - - This bug prevents to reload HAProxy when you have both the seamless - reload (-x / expose-fd listeners) and the peers. - - Indeed the _getsocks command does not send the FDs of the peers - listeners, so if no reuseport is possible during the bind, the new - process will fail to bind and exits. - - With this feature, it is not possible to fallback on the SIGTTOU method - if we didn't receive all the sockets, because you can't close() the - sockets of the new process without closing those of the previous - process, they are the same. - - Should fix bug #443. - - Must be backported as far as 1.8. - - (cherry picked from commit 5fd3b28c9c071376a9bffb427b25872ffc068601) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/cli.c b/src/cli.c -index d68e2b299..2dca17552 100644 ---- a/src/cli.c -+++ b/src/cli.c -@@ -1612,6 +1612,7 @@ static int _getsocks(char **args, char *payload, struct appctx *appctx, void *pr - int *tmpfd; - int tot_fd_nb = 0; - struct proxy *px; -+ struct peers *prs; - int i = 0; - int fd = -1; - int curoff = 0; -@@ -1664,6 +1665,22 @@ static int _getsocks(char **args, char *payload, struct appctx *appctx, void *pr - } - px = px->next; - } -+ prs = cfg_peers; -+ while (prs) { -+ if (prs->peers_fe) { -+ struct listener *l; -+ -+ list_for_each_entry(l, &prs->peers_fe->conf.listeners, by_fe) { -+ /* Only transfer IPv4/IPv6/UNIX sockets */ -+ if (l->state >= LI_ZOMBIE && -+ (l->proto->sock_family == AF_INET || -+ l->proto->sock_family == AF_INET6 || -+ l->proto->sock_family == AF_UNIX)) -+ tot_fd_nb++; -+ } -+ } -+ prs = prs->next; -+ } - if (tot_fd_nb == 0) - goto out; - -@@ -1687,7 +1704,6 @@ static int _getsocks(char **args, char *payload, struct appctx *appctx, void *pr - cmsg->cmsg_type = SCM_RIGHTS; - tmpfd = (int *)CMSG_DATA(cmsg); - -- px = proxies_list; - /* For each socket, e message is sent, containing the following : - * Size of the namespace name (or 0 if none), as an unsigned char. - * The namespace name, if any -@@ -1704,6 +1720,7 @@ static int _getsocks(char **args, char *payload, struct appctx *appctx, void *pr - goto out; - } - iov.iov_base = tmpbuf; -+ px = proxies_list; - while (px) { - struct listener *l; - -@@ -1737,7 +1754,6 @@ static int _getsocks(char **args, char *payload, struct appctx *appctx, void *pr - sizeof(l->options)); - curoff += sizeof(l->options); - -- - i++; - } else - continue; -@@ -1758,10 +1774,70 @@ static int _getsocks(char **args, char *payload, struct appctx *appctx, void *pr - } - curoff = 0; - } -- - } - px = px->next; - } -+ /* should be done for peers too */ -+ prs = cfg_peers; -+ while (prs) { -+ if (prs->peers_fe) { -+ struct listener *l; -+ -+ list_for_each_entry(l, &prs->peers_fe->conf.listeners, by_fe) { -+ int ret; -+ /* Only transfer IPv4/IPv6 sockets */ -+ if (l->state >= LI_ZOMBIE && -+ (l->proto->sock_family == AF_INET || -+ l->proto->sock_family == AF_INET6 || -+ l->proto->sock_family == AF_UNIX)) { -+ memcpy(&tmpfd[i % MAX_SEND_FD], &l->fd, sizeof(l->fd)); -+ if (!l->netns) -+ tmpbuf[curoff++] = 0; -+#ifdef USE_NS -+ else { -+ char *name = l->netns->node.key; -+ unsigned char len = l->netns->name_len; -+ tmpbuf[curoff++] = len; -+ memcpy(tmpbuf + curoff, name, len); -+ curoff += len; -+ } -+#endif -+ if (l->interface) { -+ unsigned char len = strlen(l->interface); -+ tmpbuf[curoff++] = len; -+ memcpy(tmpbuf + curoff, l->interface, len); -+ curoff += len; -+ } else -+ tmpbuf[curoff++] = 0; -+ memcpy(tmpbuf + curoff, &l->options, -+ sizeof(l->options)); -+ curoff += sizeof(l->options); -+ -+ i++; -+ } else -+ continue; -+ if ((!(i % MAX_SEND_FD))) { -+ iov.iov_len = curoff; -+ if (sendmsg(fd, &msghdr, 0) != curoff) { -+ ha_warning("Failed to transfer sockets\n"); -+ goto out; -+ } -+ /* Wait for an ack */ -+ do { -+ ret = recv(fd, &tot_fd_nb, -+ sizeof(tot_fd_nb), 0); -+ } while (ret == -1 && errno == EINTR); -+ if (ret <= 0) { -+ ha_warning("Unexpected error while transferring sockets\n"); -+ goto out; -+ } -+ curoff = 0; -+ } -+ } -+ } -+ prs = prs->next; -+ } -+ - if (i % MAX_SEND_FD) { - iov.iov_len = curoff; - cmsg->cmsg_len = CMSG_LEN((i % MAX_SEND_FD) * sizeof(int)); diff --git a/net/haproxy/patches/022-BUG-MINOR-stream-dont-mistake-match-rules-for-store-request-rules.patch b/net/haproxy/patches/022-BUG-MINOR-stream-dont-mistake-match-rules-for-store-request-rules.patch deleted file mode 100644 index 1926abc7b..000000000 --- a/net/haproxy/patches/022-BUG-MINOR-stream-dont-mistake-match-rules-for-store-request-rules.patch +++ /dev/null @@ -1,70 +0,0 @@ -commit 791df6f59a268e432ef7bc675084acaa6f1a2ed8 -Author: Jerome Magnin <jmagnin@haproxy.com> -Date: Thu Jan 16 17:37:21 2020 +0100 - - BUG/MINOR: stream: don't mistake match rules for store-request rules - - In process_sticking_rules() we only want to apply the first store-request - rule for a given table, but when doing so we need to make sure we only - count actual store-request rules when we list the sticking rules. - - Failure to do so leads to not being able to write store-request and match - sticking rules in any order as a match rule after a store-request rule - will be ignored. - - The following configuration reproduces the issue: - - global - stats socket /tmp/foobar - - defaults - mode http - - frontend in - bind *:8080 - default_backend bar - - backend bar - server s1 127.0.0.1:21212 - server s2 127.0.0.1:21211 - stick store-request req.hdr(foo) - stick match req.hdr(foo) - stick-table type string size 10 - - listen foo - bind *:21212 - bind *:21211 - http-request deny deny_status 200 if { dst_port 21212 } - http-request deny - - This patch fixes issue #448 and should be backported as far as 1.6. - - (cherry picked from commit bee00ad080ff9359df8a670e891a6c2bce4acc39) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/stream.c b/src/stream.c -index 4efc16bd7..2dd7141aa 100644 ---- a/src/stream.c -+++ b/src/stream.c -@@ -1786,13 +1786,15 @@ static int process_sticking_rules(struct stream *s, struct channel *req, int an_ - * An example could be a store of the IP address from an HTTP - * header first, then from the source if not found. - */ -- for (i = 0; i < s->store_count; i++) { -- if (rule->table.t == s->store[i].table) -- break; -- } -+ if (rule->flags & STK_IS_STORE) { -+ for (i = 0; i < s->store_count; i++) { -+ if (rule->table.t == s->store[i].table) -+ break; -+ } - -- if (i != s->store_count) -- continue; -+ if (i != s->store_count) -+ continue; -+ } - - if (rule->cond) { - ret = acl_exec_cond(rule->cond, px, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL); diff --git a/net/haproxy/patches/023-BUG-MEDIUM-connection-add-a-mux-flag-to-indicate-splice-usability.patch b/net/haproxy/patches/023-BUG-MEDIUM-connection-add-a-mux-flag-to-indicate-splice-usability.patch deleted file mode 100644 index da4548eba..000000000 --- a/net/haproxy/patches/023-BUG-MEDIUM-connection-add-a-mux-flag-to-indicate-splice-usability.patch +++ /dev/null @@ -1,145 +0,0 @@ -commit 7195d4b9396687e67da196cb92ef25b4bd6938d8 -Author: Willy Tarreau <w@1wt.eu> -Date: Fri Jan 17 16:19:34 2020 +0100 - - BUG/MEDIUM: connection: add a mux flag to indicate splice usability - - Commit c640ef1a7d ("BUG/MINOR: stream-int: avoid calling rcv_buf() when - splicing is still possible") fixed splicing in TCP and legacy mode but - broke it badly in HTX mode. - - What happens in HTX mode is that the channel's to_forward value remains - set to CHN_INFINITE_FORWARD during the whole transfer, and as such it is - not a reliable signal anymore to indicate whether more data are expected - or not. Thus, when data are spliced out of the mux using rcv_pipe(), even - when the end is reached (that only the mux knows about), the call to - rcv_buf() to get the final HTX blocks completing the message were skipped - and there was often no new event to wake this up, resulting in transfer - timeouts at the end of large objects. - - All this goes down to the fact that the channel has no more information - about whether it can splice or not despite being the one having to take - the decision to call rcv_pipe() or not. And we cannot afford to call - rcv_buf() inconditionally because, as the commit above showed, this - reduces the forwarding performance by 2 to 3 in TCP and legacy modes - due to data lying in the buffer preventing splicing from being used - later. - - The approach taken by this patch consists in offering the muxes the ability - to report a bit more information to the upper layers via the conn_stream. - This information could simply be to indicate that more data are awaited - but the real need being to distinguish splicing and receiving, here - instead we clearly report the mux's willingness to be called for splicing - or not. Hence the flag's name, CS_FL_MAY_SPLICE. - - The mux sets this flag when it knows that its buffer is empty and that - data waiting past what is currently known may be spliced, and clears it - when it knows there's no more data or that the caller must fall back to - rcv_buf() instead. - - The stream-int code now uses this to determine if splicing may be used - or not instead of looking at the rcv_pipe() callbacks through the whole - chain. And after the rcv_pipe() call, it checks the flag again to decide - whether it may safely skip rcv_buf() or not. - - All this bitfield dance remains a bit complex and it starts to appear - obvious that splicing vs reading should be a decision of the mux based - on permission granted by the data layer. This would however increase - the API's complexity but definitely need to be thought about, and should - even significantly simplify the data processing layer. - - The way it was integrated in mux-h1 will also result in no more calls - to rcv_pipe() on chunked encoded data, since these ones are currently - disabled at the mux level. However once the issue with chunks+splice - is fixed, it will be important to explicitly check for curr_len|CHNK - to set MAY_SPLICE, so that we don't call rcv_buf() after each chunk. - - This fix must be backported to 2.1 and 2.0. - - (cherry picked from commit 17ccd1a3560a634a17d276833ff41b8063b72206) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/include/types/connection.h b/include/types/connection.h -index 165a683ae..f2aa63c33 100644 ---- a/include/types/connection.h -+++ b/include/types/connection.h -@@ -95,7 +95,7 @@ enum { - CS_FL_EOS = 0x00001000, /* End of stream delivered to data layer */ - /* unused: 0x00002000 */ - CS_FL_EOI = 0x00004000, /* end-of-input reached */ -- /* unused: 0x00008000 */ -+ CS_FL_MAY_SPLICE = 0x00008000, /* caller may use rcv_pipe() only if this flag is set */ - CS_FL_WAIT_FOR_HS = 0x00010000, /* This stream is waiting for handhskae */ - CS_FL_KILL_CONN = 0x00020000, /* must kill the connection when the CS closes */ - -diff --git a/src/mux_h1.c b/src/mux_h1.c -index d93a7eab5..b76a58fe4 100644 ---- a/src/mux_h1.c -+++ b/src/mux_h1.c -@@ -489,6 +489,9 @@ static struct conn_stream *h1s_new_cs(struct h1s *h1s) - if (h1s->flags & H1S_F_NOT_FIRST) - cs->flags |= CS_FL_NOT_FIRST; - -+ if (global.tune.options & GTUNE_USE_SPLICE) -+ cs->flags |= CS_FL_MAY_SPLICE; -+ - if (stream_create_from_cs(cs) < 0) { - TRACE_DEVEL("leaving on stream creation failure", H1_EV_STRM_NEW|H1_EV_STRM_END|H1_EV_STRM_ERR, h1s->h1c->conn, h1s); - goto err; -@@ -1275,6 +1278,11 @@ static size_t h1_process_data(struct h1s *h1s, struct h1m *h1m, struct htx **htx - goto end; - } - -+ if (h1m->state == H1_MSG_DATA && h1m->curr_len && h1s->cs) -+ h1s->cs->flags |= CS_FL_MAY_SPLICE; -+ else if (h1s->cs) -+ h1s->cs->flags &= ~CS_FL_MAY_SPLICE; -+ - *ofs += ret; - - end: -@@ -2725,6 +2733,9 @@ static int h1_rcv_pipe(struct conn_stream *cs, struct pipe *pipe, unsigned int c - TRACE_STATE("read0 on connection", H1_EV_STRM_RECV, cs->conn, h1s); - } - -+ if (h1m->state != H1_MSG_DATA || !h1m->curr_len) -+ cs->flags &= ~CS_FL_MAY_SPLICE; -+ - TRACE_LEAVE(H1_EV_STRM_RECV, cs->conn, h1s); - return ret; - } -diff --git a/src/mux_pt.c b/src/mux_pt.c -index 6cbc689ce..2ac7d4715 100644 ---- a/src/mux_pt.c -+++ b/src/mux_pt.c -@@ -111,6 +111,8 @@ static int mux_pt_init(struct connection *conn, struct proxy *prx, struct sessio - conn->ctx = ctx; - ctx->cs = cs; - cs->flags |= CS_FL_RCV_MORE; -+ if (global.tune.options & GTUNE_USE_SPLICE) -+ cs->flags |= CS_FL_MAY_SPLICE; - return 0; - - fail_free: -diff --git a/src/stream_interface.c b/src/stream_interface.c -index 012ac71e0..a2ea7d779 100644 ---- a/src/stream_interface.c -+++ b/src/stream_interface.c -@@ -1268,7 +1268,7 @@ int si_cs_recv(struct conn_stream *cs) - /* First, let's see if we may splice data across the channel without - * using a buffer. - */ -- if (conn->xprt->rcv_pipe && conn->mux->rcv_pipe && -+ if (cs->flags & CS_FL_MAY_SPLICE && - (ic->pipe || ic->to_forward >= MIN_SPLICE_FORWARD) && - ic->flags & CF_KERN_SPLICING) { - if (c_data(ic)) { -@@ -1327,7 +1327,7 @@ int si_cs_recv(struct conn_stream *cs) - ic->pipe = NULL; - } - -- if (ic->pipe && ic->to_forward && !(flags & CO_RFL_BUF_FLUSH)) { -+ if (ic->pipe && ic->to_forward && !(flags & CO_RFL_BUF_FLUSH) && cs->flags & CS_FL_MAY_SPLICE) { - /* don't break splicing by reading, but still call rcv_buf() - * to pass the flag. - */ diff --git a/net/haproxy/patches/024-BUG-MINOR-pattern-handle-errors-from-fgets-when-trying-to-load-patterns.patch b/net/haproxy/patches/024-BUG-MINOR-pattern-handle-errors-from-fgets-when-trying-to-load-patterns.patch deleted file mode 100644 index fa022985e..000000000 --- a/net/haproxy/patches/024-BUG-MINOR-pattern-handle-errors-from-fgets-when-trying-to-load-patterns.patch +++ /dev/null @@ -1,44 +0,0 @@ -commit bfa549da979e13f6c6a2e2defb7bbda5efa908f5 -Author: Jerome Magnin <jmagnin@haproxy.com> -Date: Fri Jan 17 16:09:33 2020 +0100 - - BUG/MINOR: pattern: handle errors from fgets when trying to load patterns - - We need to do some error handling after we call fgets to make sure everything - went fine. If we don't users can be fooled into thinking they can load pattens - from directory because cfgparse doesn't flinch. This applies to acl patterns - map files. - - This should be backported to all supported versions. - - (cherry picked from commit 3c79d4bdc47e151a97d7acdd99382bd9ca3927a5) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/pattern.c b/src/pattern.c -index ec7e9556a..33e0e17f2 100644 ---- a/src/pattern.c -+++ b/src/pattern.c -@@ -2328,6 +2328,11 @@ int pat_ref_read_from_file_smp(struct pat_ref *ref, const char *filename, char * - } - } - -+ if (ferror(file)) { -+ memprintf(err, "error encountered while reading <%s> : %s", -+ filename, strerror(errno)); -+ goto out_close; -+ } - /* succes */ - ret = 1; - -@@ -2385,6 +2390,11 @@ int pat_ref_read_from_file(struct pat_ref *ref, const char *filename, char **err - } - } - -+ if (ferror(file)) { -+ memprintf(err, "error encountered while reading <%s> : %s", -+ filename, strerror(errno)); -+ goto out_close; -+ } - ret = 1; /* success */ - - out_close: diff --git a/net/haproxy/patches/025-BUG-MINOR-cache-Fix-leak-of-cache-name-in-error-path.patch b/net/haproxy/patches/025-BUG-MINOR-cache-Fix-leak-of-cache-name-in-error-path.patch deleted file mode 100644 index 9c187aaaa..000000000 --- a/net/haproxy/patches/025-BUG-MINOR-cache-Fix-leak-of-cache-name-in-error-path.patch +++ /dev/null @@ -1,26 +0,0 @@ -commit 09582bac29264997d71fcfb897d045c2dcac72f6 -Author: Tim Duesterhus <tim@bastelstu.be> -Date: Sat Jan 18 01:46:18 2020 +0100 - - BUG/MINOR: cache: Fix leak of cache name in error path - - This issue was introduced in commit 99a17a2d91f9044ea20bba6617048488aed80555 - which first appeared in tag v1.9-dev11. This bugfix should be backported - to HAProxy 1.9+. - - (cherry picked from commit d34b1ce5a20ce8f62b234f9696a621aaebe694c1) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/cache.c b/src/cache.c -index 8e2acd1cb..dc11cf532 100644 ---- a/src/cache.c -+++ b/src/cache.c -@@ -1452,7 +1452,7 @@ parse_cache_flt(char **args, int *cur_arg, struct proxy *px, - cconf = NULL; - memprintf(err, "%s: multiple explicit declarations of the cache filter '%s'", - px->id, name); -- return -1; -+ goto error; - } - - /* Remove the implicit filter. <cconf> is kept for the explicit one */ diff --git a/net/haproxy/patches/026-BUG-MINOR-dns-Make-dns_query_id_seed-unsigned.patch b/net/haproxy/patches/026-BUG-MINOR-dns-Make-dns_query_id_seed-unsigned.patch deleted file mode 100644 index 8ae21552f..000000000 --- a/net/haproxy/patches/026-BUG-MINOR-dns-Make-dns_query_id_seed-unsigned.patch +++ /dev/null @@ -1,32 +0,0 @@ -commit bf61c6cd41f59e68221eda04e0e4a10d9fafab48 -Author: Tim Duesterhus <tim@bastelstu.be> -Date: Sat Jan 18 02:04:12 2020 +0100 - - BUG/MINOR: dns: Make dns_query_id_seed unsigned - - Left shifting of large signed values and negative values is undefined. - - In a test script clang's ubsan rightfully complains: - - > runtime error: left shift of 1934242336581872173 by 13 places cannot be represented in type 'int64_t' (aka 'long') - - This bug was introduced in the initial version of the DNS resolver - in 325137d603aa81bd24cbd8c99d816dd42291daa7. The fix must be backported - to HAProxy 1.6+. - - (cherry picked from commit fcac33d0c1138ef22914c3b36518c1df105c9b72) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/dns.c b/src/dns.c -index 8ea6fb271..a7e43dfe3 100644 ---- a/src/dns.c -+++ b/src/dns.c -@@ -54,7 +54,7 @@ - struct list dns_resolvers = LIST_HEAD_INIT(dns_resolvers); - struct list dns_srvrq_list = LIST_HEAD_INIT(dns_srvrq_list); - --static THREAD_LOCAL int64_t dns_query_id_seed = 0; /* random seed */ -+static THREAD_LOCAL uint64_t dns_query_id_seed = 0; /* random seed */ - - DECLARE_STATIC_POOL(dns_answer_item_pool, "dns_answer_item", sizeof(struct dns_answer_item)); - DECLARE_STATIC_POOL(dns_resolution_pool, "dns_resolution", sizeof(struct dns_resolution)); diff --git a/net/haproxy/patches/027-BUG-MINOR-51d-Fix-bug-when-HTX-is-enabled.patch b/net/haproxy/patches/027-BUG-MINOR-51d-Fix-bug-when-HTX-is-enabled.patch deleted file mode 100644 index 551983dd9..000000000 --- a/net/haproxy/patches/027-BUG-MINOR-51d-Fix-bug-when-HTX-is-enabled.patch +++ /dev/null @@ -1,92 +0,0 @@ -commit 84a6e9e474e3435849b4341a066079b7b93cd8e9 -Author: Ben51Degrees <Ben@51Degrees.com> -Date: Mon Jan 20 11:25:11 2020 +0000 - - BUG/MINOR: 51d: Fix bug when HTX is enabled - - When HTX is enabled, the sample flags were set too early. When matching for - multiple HTTP headers, the sample is fetched more than once, meaning that the - flags would need to be set again. Instead, the flags are now set last (just - before the outermost function returns). This could be further improved by - passing around the message without calling prefetch again. - - This patch must be backported as far as 1.9. it should fix bug #450. - - (cherry picked from commit 6bf06727116eb48825cf4c4b65970b8305591925) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/51d.c b/src/51d.c -index 96bbb6639..b00f01844 100644 ---- a/src/51d.c -+++ b/src/51d.c -@@ -395,6 +395,21 @@ static void _51d_process_match(const struct arg *args, struct sample *smp, fifty - smp->data.u.str.data = temp->data; - } - -+/* Sets the sample data as a constant string. This ensures that the -+ * string will be processed correctly. -+ */ -+static void _51d_set_smp(struct sample *smp) -+{ -+ /* -+ * Data type has to be set to ensure the string output is processed -+ * correctly. -+ */ -+ smp->data.type = SMP_T_STR; -+ -+ /* Flags the sample to show it uses constant memory. */ -+ smp->flags |= SMP_F_CONST; -+} -+ - static int _51d_fetch(const struct arg *args, struct sample *smp, const char *kw, void *private) - { - #ifdef FIFTYONEDEGREES_H_PATTERN_INCLUDED -@@ -413,14 +428,6 @@ static int _51d_fetch(const struct arg *args, struct sample *smp, const char *kw - if (!htx) - return 0; - -- /* -- * Data type has to be reset to ensure the string output is processed -- * correctly. -- */ -- smp->data.type = SMP_T_STR; -- -- /* Flags the sample to show it uses constant memory*/ -- smp->flags |= SMP_F_CONST; - - #ifdef FIFTYONEDEGREES_H_PATTERN_INCLUDED - -@@ -448,6 +455,8 @@ static int _51d_fetch(const struct arg *args, struct sample *smp, const char *kw - fiftyoneDegreesWorksetPoolRelease(global_51degrees.pool, ws); - _51d_retrieve_cache_entry(smp, lru); - HA_SPIN_UNLOCK(OTHER_LOCK, &_51d_lru_lock); -+ -+ _51d_set_smp(smp); - return 1; - } - HA_SPIN_UNLOCK(OTHER_LOCK, &_51d_lru_lock); -@@ -485,6 +494,7 @@ static int _51d_fetch(const struct arg *args, struct sample *smp, const char *kw - _51d_insert_cache_entry(smp, lru, (void*)args); - #endif - -+ _51d_set_smp(smp); - return 1; - } - -@@ -497,8 +507,6 @@ static int _51d_conv(const struct arg *args, struct sample *smp, void *private) - #ifdef FIFTYONEDEGREES_H_TRIE_INCLUDED - fiftyoneDegreesDeviceOffsets *offsets; /* Offsets for detection */ - #endif -- /* Flags the sample to show it uses constant memory*/ -- smp->flags |= SMP_F_CONST; - - #ifdef FIFTYONEDEGREES_H_PATTERN_INCLUDED - -@@ -560,6 +568,7 @@ static int _51d_conv(const struct arg *args, struct sample *smp, void *private) - #endif - #endif - -+ _51d_set_smp(smp); - return 1; - } - diff --git a/net/haproxy/patches/028-BUILD-pattern-include-errno-h.patch b/net/haproxy/patches/028-BUILD-pattern-include-errno-h.patch deleted file mode 100644 index 9a95f173d..000000000 --- a/net/haproxy/patches/028-BUILD-pattern-include-errno-h.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit fb815462c6720c63d45e8fc09c35c49de6160888 -Author: Jerome Magnin <jmagnin@haproxy.com> -Date: Fri Jan 17 18:01:20 2020 +0100 - - BUILD: pattern: include errno.h - - Commit 3c79d4bdc introduced the use of errno in pattern.c without - including errno.h. - If we build haproxy without any option errno is not defined and the - build fails. - - (cherry picked from commit b8bd6d7efd6db5d964eae902e8f3c09a757b12a9) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - - [Cf: I miissed this one during my last backports] - -diff --git a/src/pattern.c b/src/pattern.c -index 33e0e17f2..90067cd23 100644 ---- a/src/pattern.c -+++ b/src/pattern.c -@@ -12,6 +12,7 @@ - - #include <ctype.h> - #include <stdio.h> -+#include <errno.h> - - #include <common/config.h> - #include <common/standard.h> diff --git a/net/haproxy/patches/029-BUG-MINOR-http-ana-filters-Wait-end-of-the-http_end-callback-for-all-filters.patch b/net/haproxy/patches/029-BUG-MINOR-http-ana-filters-Wait-end-of-the-http_end-callback-for-all-filters.patch deleted file mode 100644 index 55f9c1726..000000000 --- a/net/haproxy/patches/029-BUG-MINOR-http-ana-filters-Wait-end-of-the-http_end-callback-for-all-filters.patch +++ /dev/null @@ -1,202 +0,0 @@ -commit 8ece0801d813d6f821dabde13f7a74759dd95ee4 -Author: Christopher Faulet <cfaulet@haproxy.com> -Date: Fri Nov 15 16:31:46 2019 +0100 - - BUG/MINOR: http-ana/filters: Wait end of the http_end callback for all filters - - Filters may define the "http_end" callback, called at the end of the analysis of - any HTTP messages. It is called at the end of the payload forwarding and it can - interrupt the stream processing. So we must be sure to not remove the XFER_BODY - analyzers while there is still at least filter in progress on this callback. - - Unfortunatly, once the request and the response are borh in the DONE or the - TUNNEL mode, we consider the XFER_BODY analyzer has finished its processing on - both sides. So it is possible to prematurely interrupt the execution of the - filters "http_end" callback. - - To fix this bug, we switch a message in the ENDING state. It is then switched in - DONE/TUNNEL mode only after the execution of the filters "http_end" callback. - - This patch must be backported (and adapted) to 2.1, 2.0 and 1.9. The legacy HTTP - mode shoud probaly be fixed too. - - (cherry picked from commit 1a3e0279c6079174288e2e3fbbf09e530ff221c5) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/http_ana.c b/src/http_ana.c -index 268796d2e..047ed813a 100644 ---- a/src/http_ana.c -+++ b/src/http_ana.c -@@ -1166,11 +1166,8 @@ int http_request_forward_body(struct stream *s, struct channel *req, int an_bit) - - if (req->to_forward) { - if (req->to_forward == CHN_INFINITE_FORWARD) { -- if (req->flags & CF_EOI) { -- msg->msg_state = HTTP_MSG_DONE; -- req->to_forward = 0; -- goto done; -- } -+ if (req->flags & CF_EOI) -+ msg->msg_state = HTTP_MSG_ENDING; - } - else { - /* We can't process the buffer's contents yet */ -@@ -1179,8 +1176,14 @@ int http_request_forward_body(struct stream *s, struct channel *req, int an_bit) - } - } - -- if (msg->msg_state >= HTTP_MSG_DONE) -- goto done; -+ if (msg->msg_state >= HTTP_MSG_ENDING) -+ goto ending; -+ -+ if (txn->meth == HTTP_METH_CONNECT) { -+ msg->msg_state = HTTP_MSG_ENDING; -+ goto ending; -+ } -+ - /* Forward input data. We get it by removing all outgoing data not - * forwarded yet from HTX data size. If there are some data filters, we - * let them decide the amount of data to forward. -@@ -1197,11 +1200,8 @@ int http_request_forward_body(struct stream *s, struct channel *req, int an_bit) - channel_htx_forward_forever(req, htx); - } - -- if (txn->meth == HTTP_METH_CONNECT) { -- msg->msg_state = HTTP_MSG_TUNNEL; -- goto done; -- } -- -+ if (htx->data != co_data(req)) -+ goto missing_data_or_waiting; - - /* Check if the end-of-message is reached and if so, switch the message - * in HTTP_MSG_ENDING state. Then if all data was marked to be -@@ -1211,16 +1211,11 @@ int http_request_forward_body(struct stream *s, struct channel *req, int an_bit) - goto missing_data_or_waiting; - - msg->msg_state = HTTP_MSG_ENDING; -- if (htx->data != co_data(req)) -- goto missing_data_or_waiting; -- msg->msg_state = HTTP_MSG_DONE; -- req->to_forward = 0; - -- done: -- /* other states, DONE...TUNNEL */ -- /* we don't want to forward closes on DONE except in tunnel mode. */ -- if (!(txn->flags & TX_CON_WANT_TUN)) -- channel_dont_close(req); -+ ending: -+ /* other states, ENDING...TUNNEL */ -+ if (msg->msg_state >= HTTP_MSG_DONE) -+ goto done; - - if (HAS_REQ_DATA_FILTERS(s)) { - ret = flt_http_end(s, msg); -@@ -1231,6 +1226,18 @@ int http_request_forward_body(struct stream *s, struct channel *req, int an_bit) - } - } - -+ if (txn->meth == HTTP_METH_CONNECT) -+ msg->msg_state = HTTP_MSG_TUNNEL; -+ else { -+ msg->msg_state = HTTP_MSG_DONE; -+ req->to_forward = 0; -+ } -+ -+ done: -+ /* we don't want to forward closes on DONE except in tunnel mode. */ -+ if (!(txn->flags & TX_CON_WANT_TUN)) -+ channel_dont_close(req); -+ - http_end_request(s); - if (!(req->analysers & an_bit)) { - http_end_response(s); -@@ -2179,11 +2186,8 @@ int http_response_forward_body(struct stream *s, struct channel *res, int an_bit - - if (res->to_forward) { - if (res->to_forward == CHN_INFINITE_FORWARD) { -- if (res->flags & CF_EOI) { -- msg->msg_state = HTTP_MSG_DONE; -- res->to_forward = 0; -- goto done; -- } -+ if (res->flags & CF_EOI) -+ msg->msg_state = HTTP_MSG_ENDING; - } - else { - /* We can't process the buffer's contents yet */ -@@ -2192,8 +2196,14 @@ int http_response_forward_body(struct stream *s, struct channel *res, int an_bit - } - } - -- if (msg->msg_state >= HTTP_MSG_DONE) -- goto done; -+ if (msg->msg_state >= HTTP_MSG_ENDING) -+ goto ending; -+ -+ if ((txn->meth == HTTP_METH_CONNECT && txn->status == 200) || txn->status == 101 || -+ (!(msg->flags & HTTP_MSGF_XFER_LEN) && !HAS_RSP_DATA_FILTERS(s))) { -+ msg->msg_state = HTTP_MSG_ENDING; -+ goto ending; -+ } - - /* Forward input data. We get it by removing all outgoing data not - * forwarded yet from HTX data size. If there are some data filters, we -@@ -2211,10 +2221,12 @@ int http_response_forward_body(struct stream *s, struct channel *res, int an_bit - channel_htx_forward_forever(res, htx); - } - -- if ((txn->meth == HTTP_METH_CONNECT && txn->status == 200) || txn->status == 101 || -- (!(msg->flags & HTTP_MSGF_XFER_LEN) && (res->flags & CF_SHUTR || !HAS_RSP_DATA_FILTERS(s)))) { -- msg->msg_state = HTTP_MSG_TUNNEL; -- goto done; -+ if (htx->data != co_data(res)) -+ goto missing_data_or_waiting; -+ -+ if (!(msg->flags & HTTP_MSGF_XFER_LEN) && res->flags & CF_SHUTR) { -+ msg->msg_state = HTTP_MSG_ENDING; -+ goto ending; - } - - /* Check if the end-of-message is reached and if so, switch the message -@@ -2225,14 +2237,11 @@ int http_response_forward_body(struct stream *s, struct channel *res, int an_bit - goto missing_data_or_waiting; - - msg->msg_state = HTTP_MSG_ENDING; -- if (htx->data != co_data(res)) -- goto missing_data_or_waiting; -- msg->msg_state = HTTP_MSG_DONE; -- res->to_forward = 0; - -- done: -- /* other states, DONE...TUNNEL */ -- channel_dont_close(res); -+ ending: -+ /* other states, ENDING...TUNNEL */ -+ if (msg->msg_state >= HTTP_MSG_DONE) -+ goto done; - - if (HAS_RSP_DATA_FILTERS(s)) { - ret = flt_http_end(s, msg); -@@ -2243,6 +2252,20 @@ int http_response_forward_body(struct stream *s, struct channel *res, int an_bit - } - } - -+ if ((txn->meth == HTTP_METH_CONNECT && txn->status == 200) || txn->status == 101 || -+ !(msg->flags & HTTP_MSGF_XFER_LEN)) { -+ msg->msg_state = HTTP_MSG_TUNNEL; -+ goto ending; -+ } -+ else { -+ msg->msg_state = HTTP_MSG_DONE; -+ res->to_forward = 0; -+ } -+ -+ done: -+ -+ channel_dont_close(res); -+ - http_end_response(s); - if (!(res->analysers & an_bit)) { - http_end_request(s); diff --git a/net/haproxy/patches/030-BUG-MINOR-http-rules-Remove-buggy-deinit-functions-for-HTTP-rules.patch b/net/haproxy/patches/030-BUG-MINOR-http-rules-Remove-buggy-deinit-functions-for-HTTP-rules.patch deleted file mode 100644 index 51a55c718..000000000 --- a/net/haproxy/patches/030-BUG-MINOR-http-rules-Remove-buggy-deinit-functions-for-HTTP-rules.patch +++ /dev/null @@ -1,133 +0,0 @@ -commit ff9be052e36d427df467b4a9b2f0a9b79af481a4 -Author: Christopher Faulet <cfaulet@haproxy.com> -Date: Tue Dec 17 11:25:46 2019 +0100 - - BUG/MINOR: http-rules: Remove buggy deinit functions for HTTP rules - - Functions to deinitialize the HTTP rules are buggy. These functions does not - check the action name to release the right part in the arg union. Only few info - are released. For auth rules, the realm is released and there is no problem - here. But the regex <arg.hdr_add.re> is always unconditionally released. So it - is easy to make these functions crash. For instance, with the following rule - HAProxy crashes during the deinit : - - http-request set-map(/path/to/map) %[src] %[req.hdr(X-Value)] - - For now, These functions are simply removed and we rely on the deinit function - used for TCP rules (renamed as deinit_act_rules()). This patch fixes the - bug. But arguments used by actions are not released at all, this part will be - addressed later. - - This patch must be backported to all stable versions. - - (cherry picked from commit cb5501327c7ece8a9b5b07c9a839419e45d9ee4a) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/include/proto/http_rules.h b/include/proto/http_rules.h -index 5e03dd813..608ca5760 100644 ---- a/include/proto/http_rules.h -+++ b/include/proto/http_rules.h -@@ -32,8 +32,6 @@ extern struct action_kw_list http_res_keywords; - - struct act_rule *parse_http_req_cond(const char **args, const char *file, int linenum, struct proxy *proxy); - struct act_rule *parse_http_res_cond(const char **args, const char *file, int linenum, struct proxy *proxy); --void free_http_req_rules(struct list *r); --void free_http_res_rules(struct list *r); - struct redirect_rule *http_parse_redirect_rule(const char *file, int linenum, struct proxy *curproxy, - const char **args, char **errmsg, int use_fmt, int dir); - -diff --git a/src/haproxy.c b/src/haproxy.c -index a66a184dc..f225a13f8 100644 ---- a/src/haproxy.c -+++ b/src/haproxy.c -@@ -2300,14 +2300,14 @@ static void deinit_acl_cond(struct acl_cond *cond) - free(cond); - } - --static void deinit_tcp_rules(struct list *rules) -+static void deinit_act_rules(struct list *rules) - { -- struct act_rule *trule, *truleb; -+ struct act_rule *rule, *ruleb; - -- list_for_each_entry_safe(trule, truleb, rules, list) { -- LIST_DEL(&trule->list); -- deinit_acl_cond(trule->cond); -- free(trule); -+ list_for_each_entry_safe(rule, ruleb, rules, list) { -+ LIST_DEL(&rule->list); -+ deinit_acl_cond(rule->cond); -+ free(rule); - } - } - -@@ -2452,9 +2452,12 @@ void deinit(void) - free(lf); - } - -- deinit_tcp_rules(&p->tcp_req.inspect_rules); -- deinit_tcp_rules(&p->tcp_rep.inspect_rules); -- deinit_tcp_rules(&p->tcp_req.l4_rules); -+ deinit_act_rules(&p->tcp_req.inspect_rules); -+ deinit_act_rules(&p->tcp_rep.inspect_rules); -+ deinit_act_rules(&p->tcp_req.l4_rules); -+ deinit_act_rules(&p->tcp_req.l5_rules); -+ deinit_act_rules(&p->http_req_rules); -+ deinit_act_rules(&p->http_res_rules); - - deinit_stick_rules(&p->storersp_rules); - deinit_stick_rules(&p->sticking_rules); -@@ -2556,8 +2559,6 @@ void deinit(void) - free(p->desc); - free(p->fwdfor_hdr_name); - -- free_http_req_rules(&p->http_req_rules); -- free_http_res_rules(&p->http_res_rules); - task_destroy(p->task); - - pool_destroy(p->req_cap_pool); -@@ -2582,7 +2583,7 @@ void deinit(void) - free(uap->desc); - - userlist_free(uap->userlist); -- free_http_req_rules(&uap->http_req_rules); -+ deinit_act_rules(&uap->http_req_rules); - - free(uap); - } -diff --git a/src/http_rules.c b/src/http_rules.c -index b790c5ffe..aad771466 100644 ---- a/src/http_rules.c -+++ b/src/http_rules.c -@@ -1186,31 +1186,6 @@ struct redirect_rule *http_parse_redirect_rule(const char *file, int linenum, st - return NULL; - } - --void free_http_res_rules(struct list *r) --{ -- struct act_rule *tr, *pr; -- -- list_for_each_entry_safe(pr, tr, r, list) { -- LIST_DEL(&pr->list); -- regex_free(pr->arg.hdr_add.re); -- free(pr); -- } --} -- --void free_http_req_rules(struct list *r) --{ -- struct act_rule *tr, *pr; -- -- list_for_each_entry_safe(pr, tr, r, list) { -- LIST_DEL(&pr->list); -- if (pr->action == ACT_HTTP_REQ_AUTH) -- free(pr->arg.auth.realm); -- -- regex_free(pr->arg.hdr_add.re); -- free(pr); -- } --} -- - __attribute__((constructor)) - static void __http_rules_init(void) - { diff --git a/net/haproxy/patches/031-BUG-MINOR-stick-table-Use-MAX_SESS_STKCTR-as-the-max-track-ID-during-parsing.patch b/net/haproxy/patches/031-BUG-MINOR-stick-table-Use-MAX_SESS_STKCTR-as-the-max-track-ID-during-parsing.patch deleted file mode 100644 index ddf9d1697..000000000 --- a/net/haproxy/patches/031-BUG-MINOR-stick-table-Use-MAX_SESS_STKCTR-as-the-max-track-ID-during-parsing.patch +++ /dev/null @@ -1,56 +0,0 @@ -commit 1781e3834bb4a0b74d88d467bddc11e8fb811f17 -Author: Christopher Faulet <cfaulet@haproxy.com> -Date: Wed Dec 18 10:25:46 2019 +0100 - - BUG/MINOR: stick-table: Use MAX_SESS_STKCTR as the max track ID during parsing - - During the parsing of the sc-inc-gpc0, sc-inc-gpc1 and sc-inc-gpt1 actions, the - maximum stick table track ID allowed is tested against ACT_ACTION_TRK_SCMAX. It - is the action number and not the maximum number of stick counters. Instead, - MAX_SESS_STKCTR must be used. - - This patch must be backported to all stable versions. - - (cherry picked from commit 28436e23d313d5986ddb97c9b4a5a0e5e78b2a42) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/stick_table.c b/src/stick_table.c -index 1b70b468e..7b648475b 100644 ---- a/src/stick_table.c -+++ b/src/stick_table.c -@@ -1916,9 +1916,9 @@ static enum act_parse_ret parse_inc_gpc0(const char **args, int *arg, struct pro - return ACT_RET_PRS_ERR; - } - -- if (rule->arg.gpc.sc >= ACT_ACTION_TRK_SCMAX) { -+ if (rule->arg.gpc.sc >= MAX_SESS_STKCTR) { - memprintf(err, "invalid stick table track ID. The max allowed ID is %d", -- ACT_ACTION_TRK_SCMAX-1); -+ MAX_SESS_STKCTR-1); - return ACT_RET_PRS_ERR; - } - } -@@ -1998,9 +1998,9 @@ static enum act_parse_ret parse_inc_gpc1(const char **args, int *arg, struct pro - return ACT_RET_PRS_ERR; - } - -- if (rule->arg.gpc.sc >= ACT_ACTION_TRK_SCMAX) { -+ if (rule->arg.gpc.sc >= MAX_SESS_STKCTR) { - memprintf(err, "invalid stick table track ID. The max allowed ID is %d", -- ACT_ACTION_TRK_SCMAX-1); -+ MAX_SESS_STKCTR-1); - return ACT_RET_PRS_ERR; - } - } -@@ -2107,9 +2107,9 @@ static enum act_parse_ret parse_set_gpt0(const char **args, int *arg, struct pro - return ACT_RET_PRS_ERR; - } - -- if (rule->arg.gpt.sc >= ACT_ACTION_TRK_SCMAX) { -+ if (rule->arg.gpt.sc >= MAX_SESS_STKCTR) { - memprintf(err, "invalid stick table track ID '%s'. The max allowed ID is %d", -- args[*arg-1], ACT_ACTION_TRK_SCMAX-1); -+ args[*arg-1], MAX_SESS_STKCTR-1); - return ACT_RET_PRS_ERR; - } - } diff --git a/net/haproxy/patches/032-BUG-MINOR-tcp-rules-Fix-memory-releases-on-error-path-during-action-parsing.patch b/net/haproxy/patches/032-BUG-MINOR-tcp-rules-Fix-memory-releases-on-error-path-during-action-parsing.patch deleted file mode 100644 index 87bcafa1b..000000000 --- a/net/haproxy/patches/032-BUG-MINOR-tcp-rules-Fix-memory-releases-on-error-path-during-action-parsing.patch +++ /dev/null @@ -1,65 +0,0 @@ -commit 630583cc735de8036ca9963a6e093d5fef90157e -Author: Christopher Faulet <cfaulet@haproxy.com> -Date: Tue Jan 14 15:05:56 2020 +0100 - - BUG/MINOR: tcp-rules: Fix memory releases on error path during action parsing - - When an error occurred during the parsing of a TCP action, if some memory was - allocated, it should be released before exiting. Here, the fix consists for - replace a call to free() on a sample expression by a call to - release_sample_expr(). - - This patch may be backported to all supported versions. - - (cherry picked from commit fdb6fbfa9a7b730939865b79bfbca3af278113b8) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/tcp_rules.c b/src/tcp_rules.c -index 86b4df538..27cc0c20b 100644 ---- a/src/tcp_rules.c -+++ b/src/tcp_rules.c -@@ -694,7 +694,7 @@ static int tcp_parse_request_rule(char **args, int arg, int section_type, - memprintf(err, - "'%s %s %s' : fetch method '%s' extracts information from '%s', none of which is available here", - args[0], args[1], args[kw], args[arg-1], sample_src_names(expr->fetch->use)); -- free(expr); -+ release_sample_expr(expr); - return -1; - } - -@@ -704,7 +704,7 @@ static int tcp_parse_request_rule(char **args, int arg, int section_type, - memprintf(err, - "'%s %s %s' : missing length value", - args[0], args[1], args[kw]); -- free(expr); -+ release_sample_expr(expr); - return -1; - } - /* we copy the table name for now, it will be resolved later */ -@@ -713,7 +713,7 @@ static int tcp_parse_request_rule(char **args, int arg, int section_type, - memprintf(err, - "'%s %s %s' : length must be > 0", - args[0], args[1], args[kw]); -- free(expr); -+ release_sample_expr(expr); - return -1; - } - arg++; -@@ -772,7 +772,7 @@ static int tcp_parse_request_rule(char **args, int arg, int section_type, - memprintf(err, - "'%s %s %s' : fetch method '%s' extracts information from '%s', none of which is available here", - args[0], args[1], args[kw], args[arg-1], sample_src_names(expr->fetch->use)); -- free(expr); -+ release_sample_expr(expr); - return -1; - } - -@@ -785,7 +785,7 @@ static int tcp_parse_request_rule(char **args, int arg, int section_type, - memprintf(err, - "'%s %s %s' : missing table name", - args[0], args[1], args[kw]); -- free(expr); -+ release_sample_expr(expr); - return -1; - } - /* we copy the table name for now, it will be resolved later */ diff --git a/net/haproxy/patches/033-BUG-MINOR-ssl-ssl_sock_load_ocsp_response_from_file-memory-leak.patch b/net/haproxy/patches/033-BUG-MINOR-ssl-ssl_sock_load_ocsp_response_from_file-memory-leak.patch deleted file mode 100644 index 4d4214dd0..000000000 --- a/net/haproxy/patches/033-BUG-MINOR-ssl-ssl_sock_load_ocsp_response_from_file-memory-leak.patch +++ /dev/null @@ -1,32 +0,0 @@ -commit 058a746aed714504781c3955b8c5147433bf4020 -Author: Emmanuel Hocdet <manu@gandi.net> -Date: Thu Jan 16 14:41:36 2020 +0100 - - BUG/MINOR: ssl: ssl_sock_load_ocsp_response_from_file memory leak - - "set ssl cert <filename.ocsp> <payload>" CLI command must free - previous context. - - This patch should be backport to 2.1 - - (cherry picked from commit 0667faebcf55562d86c30af63f36fe86ba58fff9) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 1fac2d905..2c19fa5b3 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -945,7 +945,12 @@ static int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *bu - ocsp_response = NULL; - goto end; - } -- -+ /* no error, fill ckch with new context, old context must be free */ -+ if (ckch->ocsp_response) { -+ free(ckch->ocsp_response->area); -+ ckch->ocsp_response->area = NULL; -+ free(ckch->ocsp_response); -+ } - ckch->ocsp_response = ocsp_response; - ret = 0; - end: diff --git a/net/haproxy/patches/034-BUG-MINOR-ssl-ssl_sock_load_issuer_file_into_ckch-memory-leak.patch b/net/haproxy/patches/034-BUG-MINOR-ssl-ssl_sock_load_issuer_file_into_ckch-memory-leak.patch deleted file mode 100644 index 9def302de..000000000 --- a/net/haproxy/patches/034-BUG-MINOR-ssl-ssl_sock_load_issuer_file_into_ckch-memory-leak.patch +++ /dev/null @@ -1,31 +0,0 @@ -commit 414139aa263974b1a8513c50a822e44c4767c66f -Author: Emmanuel Hocdet <manu@gandi.net> -Date: Thu Jan 16 14:45:00 2020 +0100 - - BUG/MINOR: ssl: ssl_sock_load_issuer_file_into_ckch memory leak - - "set ssl cert <filename.issuer> <payload>" CLI command must free - previous context. - - This patch should be backport to 2.1 - - (cherry picked from commit eb73dc34bbfbb5ffe8d9f3eb9d07fe981c938d8f) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 2c19fa5b3..1ec3a84bb 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -3076,8 +3076,11 @@ static int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, stru - *err ? *err : "", path); - goto end; - } -- ret = 0; -+ /* no error, fill ckch with new context, old context must be free */ -+ if (ckch->ocsp_issuer) -+ X509_free(ckch->ocsp_issuer); - ckch->ocsp_issuer = issuer; -+ ret = 0; - - end: - diff --git a/net/haproxy/patches/035-BUG-MINOR-ssl-ssl_sock_load_sctl_from_file-memory-leak.patch b/net/haproxy/patches/035-BUG-MINOR-ssl-ssl_sock_load_sctl_from_file-memory-leak.patch deleted file mode 100644 index ced80c7a2..000000000 --- a/net/haproxy/patches/035-BUG-MINOR-ssl-ssl_sock_load_sctl_from_file-memory-leak.patch +++ /dev/null @@ -1,36 +0,0 @@ -commit 16a997d2b725eabc6ceec94f57cc25e005845e4d -Author: Emmanuel Hocdet <manu@gandi.net> -Date: Thu Jan 16 15:15:49 2020 +0100 - - BUG/MINOR: ssl: ssl_sock_load_sctl_from_file memory leak - - "set ssl cert <filename.sctl> <payload>" CLI command must free - previous context. - - This patch should be backport to 2.1 - - (cherry picked from commit 224a087a271b513b3f0a0f08ed23cde42919e0f6) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 1ec3a84bb..4f1e7e78e 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -1445,10 +1445,14 @@ static int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct - sctl = NULL; - goto end; - } -- ret = 0; -- /* TODO: free the previous SCTL in the ckch */ -+ /* no error, fill ckch with new context, old context must be free */ -+ if (ckch->sctl) { -+ free(ckch->sctl->area); -+ ckch->sctl->area = NULL; -+ free(ckch->sctl); -+ } - ckch->sctl = sctl; -- -+ ret = 0; - end: - if (fd != -1) - close(fd); diff --git a/net/haproxy/patches/036-MINOR-proxy-http-ana-Add-support-of-extra-attributes-for-the-cookie-directive.patch b/net/haproxy/patches/036-MINOR-proxy-http-ana-Add-support-of-extra-attributes-for-the-cookie-directive.patch deleted file mode 100644 index 7e49db86e..000000000 --- a/net/haproxy/patches/036-MINOR-proxy-http-ana-Add-support-of-extra-attributes-for-the-cookie-directive.patch +++ /dev/null @@ -1,140 +0,0 @@ -commit fac50825151ac2abc6b71343e3ffa6e0dc06c53d -Author: Christopher Faulet <cfaulet@haproxy.com> -Date: Tue Jan 21 11:06:48 2020 +0100 - - MINOR: proxy/http-ana: Add support of extra attributes for the cookie directive - - It is now possible to insert any attribute when a cookie is inserted by - HAProxy. Any value may be set, no check is performed except the syntax validity - (CTRL chars and ';' are forbidden). For instance, it may be used to add the - SameSite attribute: - - cookie SRV insert attr "SameSite=Strict" - - The attr option may be repeated to add several attributes. - - This patch should fix the issue #361. - - (cherry picked from commit 2f5339079b884ac8bdde166add1879ebfd9e433b) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index 3f381e386..e0dc49880 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -3255,7 +3255,7 @@ compression offload - cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ] - [ postonly ] [ preserve ] [ httponly ] [ secure ] - [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ] -- [ dynamic ] -+ [ dynamic ] [ attr <value> ]* - Enable cookie-based persistence in a backend. - May be used in sections : defaults | frontend | listen | backend - yes | no | yes | yes -@@ -3414,6 +3414,11 @@ cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ] - The cookie will be regenerated each time the IP address change, - and is only generated for IPv4/IPv6. - -+ attr This option tells haproxy to add an extra attribute when a -+ cookie is inserted. The attribute value can contain any -+ characters except control ones or ";". This option may be -+ repeated. -+ - There can be only one persistence cookie per HTTP backend, and it can be - declared in a defaults section. The value of the cookie will be the value - indicated after the "cookie" keyword in a "server" statement. If no cookie -diff --git a/include/types/proxy.h b/include/types/proxy.h -index 6ea96b3ad..3661c9a0c 100644 ---- a/include/types/proxy.h -+++ b/include/types/proxy.h -@@ -338,6 +338,7 @@ struct proxy { - int cookie_len; /* strlen(cookie_name), computed only once */ - char *cookie_domain; /* domain used to insert the cookie */ - char *cookie_name; /* name of the cookie to look for */ -+ char *cookie_attrs; /* list of attributes to add to the cookie */ - char *dyncookie_key; /* Secret key used to generate dynamic persistent cookies */ - unsigned int cookie_maxidle; /* max idle time for this cookie */ - unsigned int cookie_maxlife; /* max life time for this cookie */ -diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c -index 9975e4687..b1f5c0790 100644 ---- a/src/cfgparse-listen.c -+++ b/src/cfgparse-listen.c -@@ -323,6 +323,8 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) - curproxy->rdp_cookie_name = strdup(defproxy.rdp_cookie_name); - curproxy->rdp_cookie_len = defproxy.rdp_cookie_len; - -+ if (defproxy.cookie_attrs) -+ curproxy->cookie_attrs = strdup(defproxy.cookie_attrs); - - if (defproxy.lbprm.arg_str) - curproxy->lbprm.arg_str = strdup(defproxy.lbprm.arg_str); -@@ -473,6 +475,7 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) - free(defproxy.rdp_cookie_name); - free(defproxy.dyncookie_key); - free(defproxy.cookie_domain); -+ free(defproxy.cookie_attrs); - free(defproxy.lbprm.arg_str); - free(defproxy.capture_name); - free(defproxy.monitor_uri); -@@ -986,9 +989,34 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) - err_code |= ERR_WARN; - curproxy->ck_opts |= PR_CK_DYNAMIC; - } -+ else if (!strcmp(args[cur_arg], "attr")) { -+ char *val; -+ if (!*args[cur_arg + 1]) { -+ ha_alert("parsing [%s:%d]: '%s' expects <value> as argument.\n", -+ file, linenum, args[cur_arg]); -+ err_code |= ERR_ALERT | ERR_FATAL; -+ goto out; -+ } -+ val = args[cur_arg + 1]; -+ while (*val) { -+ if (iscntrl(*val) || *val == ';') { -+ ha_alert("parsing [%s:%d]: character '%%x%02X' is not permitted in attribute value.\n", -+ file, linenum, *val); -+ err_code |= ERR_ALERT | ERR_FATAL; -+ goto out; -+ } -+ val++; -+ } -+ /* don't add ';' for the first attribute */ -+ if (!curproxy->cookie_attrs) -+ curproxy->cookie_attrs = strdup(args[cur_arg + 1]); -+ else -+ memprintf(&curproxy->cookie_attrs, "%s; %s", curproxy->cookie_attrs, args[cur_arg + 1]); -+ cur_arg++; -+ } - - else { -- ha_alert("parsing [%s:%d] : '%s' supports 'rewrite', 'insert', 'prefix', 'indirect', 'nocache', 'postonly', 'domain', 'maxidle', 'dynamic' and 'maxlife' options.\n", -+ ha_alert("parsing [%s:%d] : '%s' supports 'rewrite', 'insert', 'prefix', 'indirect', 'nocache', 'postonly', 'domain', 'maxidle', 'dynamic', 'maxlife' and 'attr' options.\n", - file, linenum, args[0]); - err_code |= ERR_ALERT | ERR_FATAL; - goto out; -diff --git a/src/haproxy.c b/src/haproxy.c -index f225a13f8..98d6a9a39 100644 ---- a/src/haproxy.c -+++ b/src/haproxy.c -@@ -2352,6 +2352,7 @@ void deinit(void) - free(p->check_req); - free(p->cookie_name); - free(p->cookie_domain); -+ free(p->cookie_attrs); - free(p->lbprm.arg_str); - free(p->capture_name); - free(p->monitor_uri); -diff --git a/src/http_ana.c b/src/http_ana.c -index 047ed813a..cb5a60ca9 100644 ---- a/src/http_ana.c -+++ b/src/http_ana.c -@@ -2027,6 +2027,9 @@ int http_process_res_common(struct stream *s, struct channel *rep, int an_bit, s - if (s->be->ck_opts & PR_CK_SECURE) - chunk_appendf(&trash, "; Secure"); - -+ if (s->be->cookie_attrs) -+ chunk_appendf(&trash, "; %s", s->be->cookie_attrs); -+ - if (unlikely(!http_add_header(htx, ist("Set-Cookie"), ist2(trash.area, trash.data)))) - goto return_bad_resp; - diff --git a/net/haproxy/patches/037-BUG-MINOR-http_act-dont-check-capture-id-in-backend.patch b/net/haproxy/patches/037-BUG-MINOR-http_act-dont-check-capture-id-in-backend.patch deleted file mode 100644 index 63b487c27..000000000 --- a/net/haproxy/patches/037-BUG-MINOR-http_act-dont-check-capture-id-in-backend.patch +++ /dev/null @@ -1,89 +0,0 @@ -commit 3480d55e0406e47214291eb8292a037fdca2859f -Author: Baptiste Assmann <bedis9@gmail.com> -Date: Thu Jan 16 14:34:22 2020 +0100 - - BUG/MINOR: http_act: don't check capture id in backend - - A wrong behavior was introduced by - e9544935e86278dfa3d49fb4b97b860774730625, leading to preventing loading - any configuration where a capture slot id is used in a backend. - IE, the configuration below does not parse: - - frontend f - bind *:80 - declare capture request len 32 - default_backend webserver - - backend webserver - http-request capture req.hdr(Host) id 1 - - The point is that such type of configuration is valid and should run. - - This patch enforces the check of capture slot id only if the action rule - is configured in a frontend. - The point is that at configuration parsing time, it is impossible to - check which frontend could point to this backend (furthermore if we use - dynamic backend name resolution at runtime). - - The documentation has been updated to warn the user to ensure that - relevant frontends have required declaration when such rule has to be - used in a backend. - If no capture slot can be found, then the action will just not be - executed and HAProxy will process the next one in the list, as expected. - - This should be backported to all supported branches (bug created as part - of a bug fix introduced into 1.7 and backported to 1.6). - - (cherry picked from commit 19a69b3740702ce5503a063e9dfbcea5b9187d27) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index e0dc49880..36291a339 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -4278,9 +4278,12 @@ http-request capture <sample> [ len <length> | id <id> ] - If the keyword "id" is used instead of "len", the action tries to store the - captured string in a previously declared capture slot. This is useful to run - captures in backends. The slot id can be declared by a previous directive -- "http-request capture" or with the "declare capture" keyword. If the slot -- <id> doesn't exist, then HAProxy fails parsing the configuration to prevent -- unexpected behavior at run time. -+ "http-request capture" or with the "declare capture" keyword. -+ -+ When using this action in a backend, double check that the relevant -+ frontend(s) have the required capture slots otherwise, this rule will be -+ ignored at run time. This can't be detected at configuration parsing time -+ due to HAProxy's ability to dynamically resolve backend name at runtime. - - http-request del-acl(<file-name>) <key fmt> [ { if | unless } <condition> ] - -@@ -4959,8 +4962,11 @@ http-response capture <sample> id <id> [ { if | unless } <condition> ] - This is useful to run captures in backends. The slot id can be declared by a - previous directive "http-response capture" or with the "declare capture" - keyword. -- If the slot <id> doesn't exist, then HAProxy fails parsing the configuration -- to prevent unexpected behavior at run time. -+ -+ When using this action in a backend, double check that the relevant -+ frontend(s) have the required capture slots otherwise, this rule will be -+ ignored at run time. This can't be detected at configuration parsing time -+ due to HAProxy's ability to dynamically resolve backend name at runtime. - - http-response del-acl(<file-name>) <key fmt> [ { if | unless } <condition> ] - -diff --git a/src/http_act.c b/src/http_act.c -index c8d9220fe..8ff8e886d 100644 ---- a/src/http_act.c -+++ b/src/http_act.c -@@ -424,7 +424,10 @@ static int check_http_req_capture(struct act_rule *rule, struct proxy *px, char - if (rule->action_ptr != http_action_req_capture_by_id) - return 1; - -- if (rule->arg.capid.idx >= px->nb_req_cap) { -+ /* capture slots can only be declared in frontends, so we can't check their -+ * existence in backends at configuration parsing step -+ */ -+ if (px->cap & PR_CAP_FE && rule->arg.capid.idx >= px->nb_req_cap) { - memprintf(err, "unable to find capture id '%d' referenced by http-request capture rule", - rule->arg.capid.idx); - return 0; diff --git a/net/haproxy/patches/038-BUG-MEDIUM-netscaler-Dont-forget-to-allocate-storage-for-conn--src-dst.patch b/net/haproxy/patches/038-BUG-MEDIUM-netscaler-Dont-forget-to-allocate-storage-for-conn--src-dst.patch deleted file mode 100644 index 4f4e57ce7..000000000 --- a/net/haproxy/patches/038-BUG-MEDIUM-netscaler-Dont-forget-to-allocate-storage-for-conn--src-dst.patch +++ /dev/null @@ -1,30 +0,0 @@ -commit ad9954f2e723d37fed3a3a777fa6eecfa930fd11 -Author: Olivier Houchard <ohouchard@haproxy.com> -Date: Wed Jan 22 15:31:09 2020 +0100 - - BUG/MEDIUM: netscaler: Don't forget to allocate storage for conn->src/dst. - - In conn_recv_netscaler_cip(), don't forget to allocate conn->src and - conn->dst, as those are now dynamically allocated. Not doing so results in - getting a crash when using netscaler. - This should fix github issue #460. - - This should be backported to 2.1. - - (cherry picked from commit 1a9dbe58a66516e6acc504ed2f185fd9d86a5e6d) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/connection.c b/src/connection.c -index 7a2ab2499..b48049e5a 100644 ---- a/src/connection.c -+++ b/src/connection.c -@@ -740,6 +740,9 @@ int conn_recv_netscaler_cip(struct connection *conn, int flag) - if (!conn_ctrl_ready(conn)) - goto fail; - -+ if (!sockaddr_alloc(&conn->src) || !sockaddr_alloc(&conn->dst)) -+ goto fail; -+ - if (!fd_recv_ready(conn->handle.fd)) - goto not_ready; - diff --git a/net/haproxy/patches/039-BUG-MINOR-ssl-ssl_sock_load_pem_into_ckch-is-not-consistent.patch b/net/haproxy/patches/039-BUG-MINOR-ssl-ssl_sock_load_pem_into_ckch-is-not-consistent.patch deleted file mode 100644 index 8a98d92e1..000000000 --- a/net/haproxy/patches/039-BUG-MINOR-ssl-ssl_sock_load_pem_into_ckch-is-not-consistent.patch +++ /dev/null @@ -1,129 +0,0 @@ -commit 04184b70503780533533f9ff15cf43af2c0eb820 -Author: Emmanuel Hocdet <manu@gandi.net> -Date: Fri Dec 20 17:47:12 2019 +0100 - - BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch is not consistent - - "set ssl cert <filename> <payload>" CLI command should have the same - result as reload HAproxy with the updated pem file (<filename>). - Is not the case, DHparams/cert-chain is kept from the previous - context if no DHparams/cert-chain is set in the context (<payload>). - - This patch should be backport to 2.1 - - (cherry picked from commit 6b5b44e10fa1c5da18a120fd78082317036900e2) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/include/common/tools.h b/include/common/tools.h -index 398383ad3..961060109 100644 ---- a/include/common/tools.h -+++ b/include/common/tools.h -@@ -33,6 +33,8 @@ - #define MAX(a, b) (((a) > (b)) ? (a) : (b)) - #endif - -+#define SWAP(a, b) do { typeof(a) t; t = a; a = b; b = t; } while(0) -+ - /* return an integer of type <ret> with only the highest bit set. <ret> may be - * both a variable or a type. - */ -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 4f1e7e78e..b65da399f 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -3112,7 +3112,8 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_ - X509 *ca; - X509 *cert = NULL; - EVP_PKEY *key = NULL; -- DH *dh; -+ DH *dh = NULL; -+ STACK_OF(X509) *chain = NULL; - - if (buf) { - /* reading from a buffer */ -@@ -3150,13 +3151,6 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_ - - dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); - /* no need to return an error there, dh is not mandatory */ -- -- if (dh) { -- if (ckch->dh) -- DH_free(ckch->dh); -- ckch->dh = dh; -- } -- - #endif - - /* Seek back to beginning of file */ -@@ -3180,39 +3174,19 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_ - goto end; - } - -- /* Key and Cert are good, we can use them in the ckch */ -- if (ckch->key) /* free the previous key */ -- EVP_PKEY_free(ckch->key); -- ckch->key = key; -- key = NULL; -- -- if (ckch->cert) /* free the previous cert */ -- X509_free(ckch->cert); -- ckch->cert = cert; -- cert = NULL; -- - /* Look for a Certificate Chain */ -- ca = PEM_read_bio_X509(in, NULL, NULL, NULL); -- if (ca) { -- /* there is a chain a in the PEM, clean the previous one in the CKCH */ -- if (ckch->chain) /* free the previous chain */ -- sk_X509_pop_free(ckch->chain, X509_free); -- ckch->chain = sk_X509_new_null(); -- if (!sk_X509_push(ckch->chain, ca)) { -+ while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) { -+ if (chain == NULL) -+ chain = sk_X509_new_null(); -+ if (!sk_X509_push(chain, ca)) { - X509_free(ca); - goto end; - } - } -- /* look for other crt in the chain */ -- while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) -- if (!sk_X509_push(ckch->chain, ca)) { -- X509_free(ca); -- goto end; -- } - - /* no chain */ -- if (ckch->chain == NULL) { -- ckch->chain = sk_X509_new_null(); -+ if (chain == NULL) { -+ chain = sk_X509_new_null(); - } - - ret = ERR_get_error(); -@@ -3222,6 +3196,12 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_ - goto end; - } - -+ /* no error, fill ckch with new context, old context will be free at end: */ -+ SWAP(ckch->key, key); -+ SWAP(ckch->dh, dh); -+ SWAP(ckch->cert, cert); -+ SWAP(ckch->chain, chain); -+ - ret = 0; - - end: -@@ -3231,8 +3211,12 @@ end: - BIO_free(in); - if (key) - EVP_PKEY_free(key); -+ if (dh) -+ DH_free(dh); - if (cert) - X509_free(cert); -+ if (chain) -+ sk_X509_pop_free(chain, X509_free); - - return ret; - } diff --git a/net/haproxy/patches/040-BUG-MINOR-ssl-cli-free-the-previous-ckch-content-once-a-PEM-is-loaded.patch b/net/haproxy/patches/040-BUG-MINOR-ssl-cli-free-the-previous-ckch-content-once-a-PEM-is-loaded.patch deleted file mode 100644 index 8c93e9a45..000000000 --- a/net/haproxy/patches/040-BUG-MINOR-ssl-cli-free-the-previous-ckch-content-once-a-PEM-is-loaded.patch +++ /dev/null @@ -1,48 +0,0 @@ -commit 9f77fd742697cc2774c6a50204cb9f5b6909e930 -Author: William Lallemand <wlallemand@haproxy.com> -Date: Thu Jan 23 10:56:05 2020 +0100 - - BUG/MINOR: ssl/cli: free the previous ckch content once a PEM is loaded - - When using "set ssl cert" on the CLI, if we load a new PEM, the previous - sctl, issuer and OCSP response are still loaded. This doesn't make any - sense since they won't be usable with a new private key. - - This patch free the previous data. - - Should be backported in 2.1. - - (cherry picked from commit 75b15f790f2be0600483476c1505fec0ce898e35) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index b65da399f..e320d908f 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -3196,6 +3196,26 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_ - goto end; - } - -+ /* once it loaded the PEM, it should remove everything else in the ckch */ -+ if (ckch->ocsp_response) { -+ free(ckch->ocsp_response->area); -+ ckch->ocsp_response->area = NULL; -+ free(ckch->ocsp_response); -+ ckch->ocsp_response = NULL; -+ } -+ -+ if (ckch->sctl) { -+ free(ckch->sctl->area); -+ ckch->sctl->area = NULL; -+ free(ckch->sctl); -+ ckch->sctl = NULL; -+ } -+ -+ if (ckch->ocsp_issuer) { -+ X509_free(ckch->ocsp_issuer); -+ ckch->ocsp_issuer = NULL; -+ } -+ - /* no error, fill ckch with new context, old context will be free at end: */ - SWAP(ckch->key, key); - SWAP(ckch->dh, dh); diff --git a/net/haproxy/patches/041-CLEANUP-stats-shut-up-a-wrong-null-deref-warning-from-gcc-9-2.patch b/net/haproxy/patches/041-CLEANUP-stats-shut-up-a-wrong-null-deref-warning-from-gcc-9-2.patch deleted file mode 100644 index c675ac6c3..000000000 --- a/net/haproxy/patches/041-CLEANUP-stats-shut-up-a-wrong-null-deref-warning-from-gcc-9-2.patch +++ /dev/null @@ -1,30 +0,0 @@ -commit 03abacf806d155ca50fae612c0f999071625dd1d -Author: Willy Tarreau <w@1wt.eu> -Date: Thu Jan 23 11:47:13 2020 +0100 - - CLEANUP: stats: shut up a wrong null-deref warning from gcc 9.2 - - As reported in bug #447, gcc 9.2 invents impossible code paths and then - complains that we don't check for our pointers to be NULL... This code - path is not critical, better add the test to shut it up than try to - help it being less creative. - - This code hasn't changed for a while, so it could help distros to - backport this to older releases. - - (cherry picked from commit 027d206b57bec59397eb6fb23f8ff4e3a2edb2e1) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/stats.c b/src/stats.c -index 32236f457..befa75b30 100644 ---- a/src/stats.c -+++ b/src/stats.c -@@ -2400,7 +2400,7 @@ static void stats_dump_html_head(struct appctx *appctx, struct uri_auth *uri) - "-->\n" - "</style></head>\n", - (appctx->ctx.stats.flags & STAT_SHNODE) ? " on " : "", -- (appctx->ctx.stats.flags & STAT_SHNODE) ? (uri->node ? uri->node : global.node) : "" -+ (appctx->ctx.stats.flags & STAT_SHNODE) ? (uri && uri->node ? uri->node : global.node) : "" - ); - } - diff --git a/net/haproxy/patches/042-BUG-MINOR-ssl-increment-issuer-refcount-if-in-chain.patch b/net/haproxy/patches/042-BUG-MINOR-ssl-increment-issuer-refcount-if-in-chain.patch deleted file mode 100644 index d01dc57c6..000000000 --- a/net/haproxy/patches/042-BUG-MINOR-ssl-increment-issuer-refcount-if-in-chain.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit 0ebb1d424da107ad4010b261f63e16e857465fc0 -Author: William Lallemand <wlallemand@haproxy.org> -Date: Thu Jan 23 11:42:52 2020 +0100 - - BUG/MINOR: ssl: increment issuer refcount if in chain - - When using the OCSP response, if the issuer of the response is in - the certificate chain, its address will be stored in ckch->ocsp_issuer. - However, since the ocsp_issuer could be filled by a separate file, this - pointer is free'd. The refcount of the X509 need to be incremented to - avoid a double free if we free the ocsp_issuer AND the chain. - - (cherry picked from commit b829dda57b4c8a44eff53682ed56492ad46ce3ad) - [wt: checked with William, needed for 2.1] - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index e320d908f..180637e6b 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -3307,6 +3307,7 @@ static int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_c - issuer = sk_X509_value(ckch->chain, i); - if (X509_check_issued(issuer, ckch->cert) == X509_V_OK) { - ckch->ocsp_issuer = issuer; -+ X509_up_ref(ckch->ocsp_issuer); - break; - } else - issuer = NULL; diff --git a/net/haproxy/patches/043-BUG-MINOR-ssl-memory-leak-w-the-ocsp_issuer.patch b/net/haproxy/patches/043-BUG-MINOR-ssl-memory-leak-w-the-ocsp_issuer.patch deleted file mode 100644 index 5aca074f5..000000000 --- a/net/haproxy/patches/043-BUG-MINOR-ssl-memory-leak-w-the-ocsp_issuer.patch +++ /dev/null @@ -1,29 +0,0 @@ -commit c91a4d8dda53f3fb0ab98335f201a30f926349bc -Author: William Lallemand <wlallemand@haproxy.org> -Date: Thu Jan 23 11:53:13 2020 +0100 - - BUG/MINOR: ssl: memory leak w/ the ocsp_issuer - - This patch frees the ocsp_issuer in - ssl_sock_free_cert_key_and_chain_contents(). - - Shoudl be backported in 2.1. - - (cherry picked from commit 5c3c96fd361f7ab6ae237af802d04fe31720da1b) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 180637e6b..af285938e 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -2965,6 +2965,10 @@ static void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain - free(ckch->ocsp_response); - ckch->ocsp_response = NULL; - } -+ -+ if (ckch->ocsp_issuer) -+ X509_free(ocsp_issuer); -+ ckch->ocsp_issuer = NULL; - } - - /* diff --git a/net/haproxy/patches/044-BUG-MINOR-ssl-typo-in-previous-patch.patch b/net/haproxy/patches/044-BUG-MINOR-ssl-typo-in-previous-patch.patch deleted file mode 100644 index d72b6b1d3..000000000 --- a/net/haproxy/patches/044-BUG-MINOR-ssl-typo-in-previous-patch.patch +++ /dev/null @@ -1,27 +0,0 @@ -commit 5d5c377717cfd5230150985c55322f1c5bb61a4e -Author: William Lallemand <wlallemand@haproxy.org> -Date: Thu Jan 23 11:59:02 2020 +0100 - - BUG/MINOR: ssl: typo in previous patch - - The previous patch 5c3c96f ("BUG/MINOR: ssl: memory leak w/ the - ocsp_issuer") contains a typo that prevent it to build. - - Should be backported in 2.1. - - (cherry picked from commit dad239d08be1f2abe7e54d9332f1eb87acebf987) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index af285938e..713c8aedd 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -2967,7 +2967,7 @@ static void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain - } - - if (ckch->ocsp_issuer) -- X509_free(ocsp_issuer); -+ X509_free(ckch->ocsp_issuer); - ckch->ocsp_issuer = NULL; - } - diff --git a/net/haproxy/patches/045-BUG-MINOR-ssl-cli-ocsp_issuer-must-be-set-w-set-ssl-cert.patch b/net/haproxy/patches/045-BUG-MINOR-ssl-cli-ocsp_issuer-must-be-set-w-set-ssl-cert.patch deleted file mode 100644 index 99f6927bf..000000000 --- a/net/haproxy/patches/045-BUG-MINOR-ssl-cli-ocsp_issuer-must-be-set-w-set-ssl-cert.patch +++ /dev/null @@ -1,67 +0,0 @@ -commit f298352f4042ac2b0db5c12484c9d84f234fe3cd -Author: Emmanuel Hocdet <manu@gandi.net> -Date: Wed Jan 22 17:02:53 2020 +0100 - - BUG/MINOR: ssl/cli: ocsp_issuer must be set w/ "set ssl cert" - - ocsp_issuer is primary set from ckch->chain when PEM is loaded from file, - but not set when PEM is loaded via CLI payload. Set ckch->ocsp_issuer in - ssl_sock_load_pem_into_ckch to fix that. - - Should be backported in 2.1. - - (cherry picked from commit 078156d06399282ae467a9d1a450a42238870028) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 713c8aedd..2cc5ae80e 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -3113,6 +3113,7 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_ - { - BIO *in = NULL; - int ret = 1; -+ int i; - X509 *ca; - X509 *cert = NULL; - EVP_PKEY *key = NULL; -@@ -3226,6 +3227,15 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_ - SWAP(ckch->cert, cert); - SWAP(ckch->chain, chain); - -+ /* check if one of the certificate of the chain is the issuer */ -+ for (i = 0; i < sk_X509_num(ckch->chain); i++) { -+ X509 *issuer = sk_X509_value(ckch->chain, i); -+ if (X509_check_issued(issuer, ckch->cert) == X509_V_OK) { -+ ckch->ocsp_issuer = issuer; -+ X509_up_ref(issuer); -+ break; -+ } -+ } - ret = 0; - - end: -@@ -3303,22 +3313,8 @@ static int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_c - - #ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */ - if (ckch->ocsp_response) { -- X509 *issuer; -- int i; -- -- /* check if one of the certificate of the chain is the issuer */ -- for (i = 0; i < sk_X509_num(ckch->chain); i++) { -- issuer = sk_X509_value(ckch->chain, i); -- if (X509_check_issued(issuer, ckch->cert) == X509_V_OK) { -- ckch->ocsp_issuer = issuer; -- X509_up_ref(ckch->ocsp_issuer); -- break; -- } else -- issuer = NULL; -- } -- - /* if no issuer was found, try to load an issuer from the .issuer */ -- if (!issuer) { -+ if (!ckch->ocsp_issuer) { - struct stat st; - char fp[MAXPATHLEN+1]; - diff --git a/net/haproxy/patches/046-BUG-MEDIUM-0rtt-Only-consider-the-SSL-handshake.patch b/net/haproxy/patches/046-BUG-MEDIUM-0rtt-Only-consider-the-SSL-handshake.patch deleted file mode 100644 index 6a8ddbacb..000000000 --- a/net/haproxy/patches/046-BUG-MEDIUM-0rtt-Only-consider-the-SSL-handshake.patch +++ /dev/null @@ -1,46 +0,0 @@ -commit 00ae17b75d20b30ab445970afb6a15f5d11cf257 -Author: Olivier Houchard <ohouchard@haproxy.com> -Date: Thu Jan 23 14:57:36 2020 +0100 - - BUG/MEDIUM: 0rtt: Only consider the SSL handshake. - - We only add the Early-data header, or get ssl_fc_has_early to return 1, if - we didn't already did the SSL handshake, as otherwise, we know the early - data were fine, and there's no risk of replay attack. But to do so, we - wrongly checked CO_FL_HANDSHAKE, we have to check CO_FL_SSL_WAIT_HS instead, - as we don't care about the status of any other handshake. - - This should be backported to 2.1, 2.0, and 1.9. - - When deciding if we should add the Early-Data header, or if the sample fetch - should return - - (cherry picked from commit 220a26c31647b8cfd76f3922d08cb2e847e3009e) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/http_ana.c b/src/http_ana.c -index cb5a60ca9..fc4ca4f49 100644 ---- a/src/http_ana.c -+++ b/src/http_ana.c -@@ -519,7 +519,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s - } - - if (conn && (conn->flags & CO_FL_EARLY_DATA) && -- (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_HANDSHAKE))) { -+ (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_SSL_WAIT_HS))) { - struct http_hdr_ctx ctx; - - ctx.blk = NULL; -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 2cc5ae80e..c6888c128 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -7200,7 +7200,7 @@ smp_fetch_ssl_fc_has_early(const struct arg *args, struct sample *smp, const cha - } - #else - smp->data.u.sint = ((conn->flags & CO_FL_EARLY_DATA) && -- (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_HANDSHAKE))) ? 1 : 0; -+ (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_SSL_WAIT_HS))) ? 1 : 0; - #endif - return 1; - } diff --git a/net/haproxy/patches/047-BUG-MINOR-stktable-report-the-current-proxy-name-in-error-messages.patch b/net/haproxy/patches/047-BUG-MINOR-stktable-report-the-current-proxy-name-in-error-messages.patch deleted file mode 100644 index d0efb4380..000000000 --- a/net/haproxy/patches/047-BUG-MINOR-stktable-report-the-current-proxy-name-in-error-messages.patch +++ /dev/null @@ -1,45 +0,0 @@ -commit e66ed8abc963ec689e2ba672e1be90249ab2612c -Author: Willy Tarreau <w@1wt.eu> -Date: Fri Jan 24 07:19:34 2020 +0100 - - BUG/MINOR: stktable: report the current proxy name in error messages - - Since commit 1b8e68e89a ("MEDIUM: stick-table: Stop handling stick-tables - as proxies."), a rule referencing the current proxy with no table leads - to the following error : - - [ALERT] 023/071924 (16479) : Proxy 'px': unable to find stick-table '(null)'. - [ALERT] 023/071914 (16479) : Fatal errors found in configuration. - - for a config like this one: - - backend px - stick on src - - This patch fixes it and should be backported as far as 2.0. - - (cherry picked from commit 508d232a06cf082ff2cc694d3f1c03b10a07e719) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/cfgparse.c b/src/cfgparse.c -index 2e200e885..7f884df7c 100644 ---- a/src/cfgparse.c -+++ b/src/cfgparse.c -@@ -2722,7 +2722,7 @@ int check_config_validity() - - if (!target) { - ha_alert("Proxy '%s': unable to find stick-table '%s'.\n", -- curproxy->id, mrule->table.name); -+ curproxy->id, mrule->table.name ? mrule->table.name : curproxy->id); - cfgerr++; - } - else if (!stktable_compatible_sample(mrule->expr, target->type)) { -@@ -2760,7 +2760,7 @@ int check_config_validity() - - if (!target) { - ha_alert("Proxy '%s': unable to find store table '%s'.\n", -- curproxy->id, mrule->table.name); -+ curproxy->id, mrule->table.name ? mrule->table.name : curproxy->id); - cfgerr++; - } - else if (!stktable_compatible_sample(mrule->expr, target->type)) { diff --git a/net/haproxy/patches/048-BUG-MEDIUM-mux-h2-make-sure-we-dont-emit-TE-headers-with-anything-but-trailers.patch b/net/haproxy/patches/048-BUG-MEDIUM-mux-h2-make-sure-we-dont-emit-TE-headers-with-anything-but-trailers.patch deleted file mode 100644 index b0b2f9f64..000000000 --- a/net/haproxy/patches/048-BUG-MEDIUM-mux-h2-make-sure-we-dont-emit-TE-headers-with-anything-but-trailers.patch +++ /dev/null @@ -1,69 +0,0 @@ -commit e22b3fb31968569194b1f848fadb4ca01f4dfc73 -Author: Willy Tarreau <w@1wt.eu> -Date: Fri Jan 24 09:07:53 2020 +0100 - - BUG/MEDIUM: mux-h2: make sure we don't emit TE headers with anything but "trailers" - - While the H2 parser properly checks for the absence of anything but - "trailers" in the TE header field, we forget to check this when sending - the request to an H2 server. The problem is that an H2->H2 conversion - may keep "gzip" and fail on the next stage. - - This patch makes sure that we only send "TE: trailers" if the TE header - contains the "trailers" token, otherwise it's dropped. - - This fixes issue #464 and should be backported till 1.9. - - (cherry picked from commit bb2c4ae06566b8a8789caca4c48524aeb88cbc1b) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/mux_h2.c b/src/mux_h2.c -index 8a82f60fd..15a5cd757 100644 ---- a/src/mux_h2.c -+++ b/src/mux_h2.c -@@ -5034,23 +5034,36 @@ static size_t h2s_bck_make_req_headers(struct h2s *h2s, struct htx *htx) - * do not provide an authority. - */ - for (hdr = 0; hdr < sizeof(list)/sizeof(list[0]); hdr++) { -+ struct ist n = list[hdr].n; -+ struct ist v = list[hdr].v; -+ - /* these ones do not exist in H2 and must be dropped. */ -- if (isteq(list[hdr].n, ist("connection")) || -- (auth.len && isteq(list[hdr].n, ist("host"))) || -- isteq(list[hdr].n, ist("proxy-connection")) || -- isteq(list[hdr].n, ist("keep-alive")) || -- isteq(list[hdr].n, ist("upgrade")) || -- isteq(list[hdr].n, ist("transfer-encoding"))) -+ if (isteq(n, ist("connection")) || -+ (auth.len && isteq(n, ist("host"))) || -+ isteq(n, ist("proxy-connection")) || -+ isteq(n, ist("keep-alive")) || -+ isteq(n, ist("upgrade")) || -+ isteq(n, ist("transfer-encoding"))) - continue; - -+ if (isteq(n, ist("te"))) { -+ /* "te" may only be sent with "trailers" if this value -+ * is present, otherwise it must be deleted. -+ */ -+ v = istist(v, ist("trailers")); -+ if (!v.ptr || (v.len > 8 && v.ptr[8] != ',')) -+ continue; -+ v = ist("trailers"); -+ } -+ - /* Skip all pseudo-headers */ -- if (*(list[hdr].n.ptr) == ':') -+ if (*(n.ptr) == ':') - continue; - -- if (isteq(list[hdr].n, ist(""))) -+ if (isteq(n, ist(""))) - break; // end - -- if (!hpack_encode_header(&outbuf, list[hdr].n, list[hdr].v)) { -+ if (!hpack_encode_header(&outbuf, n, v)) { - /* output full */ - if (b_space_wraps(mbuf)) - goto realign_again; diff --git a/net/haproxy/patches/049-BUILD-cfgparse-silence-a-bogus-gcc-warning-on-32-bit-machines.patch b/net/haproxy/patches/049-BUILD-cfgparse-silence-a-bogus-gcc-warning-on-32-bit-machines.patch deleted file mode 100644 index 98a2c3468..000000000 --- a/net/haproxy/patches/049-BUILD-cfgparse-silence-a-bogus-gcc-warning-on-32-bit-machines.patch +++ /dev/null @@ -1,50 +0,0 @@ -commit eb94d47fbc0abc3c0b29a2f0a2bc666db38e2e87 -Author: Willy Tarreau <w@1wt.eu> -Date: Fri Jan 24 11:19:13 2020 +0100 - - BUILD: cfgparse: silence a bogus gcc warning on 32-bit machines - - A first patch was made during 2.0-dev to silence a bogus warning emitted - by gcc : dd1c8f1f72 ("MINOR: cfgparse: Add a cast to make gcc happier."), - but it happens it was not sufficient as the warning re-appeared on 32-bit - machines under gcc-8 and gcc-9 : - - src/cfgparse.c: In function 'check_config_validity': - src/cfgparse.c:3642:33: warning: argument 1 range [2147483648, 4294967295] exceeds maximum object size 2147483647 [-Walloc-size-larger-than=] - newsrv->idle_orphan_conns = calloc((unsigned int)global.nbthread, sizeof(*newsrv->idle_orphan_conns)); - ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - This warning doesn't trigger in other locations, and it immediately - vanishes if the previous or subsequent loops do not depend on - global.nbthread anymore, or if the field ordering of the struct server - changes! As discussed in the thread at: - - https://www.mail-archive.com/haproxy@formilux.org/msg36107.html - - playing with -Walloc-size-larger-than has no effect. And a minimal - reproducer could be isolated, indicating it's pointless to circle around - this one. Let's just cast nbthread to ushort so that gcc cannot make - this wrong detection. It's unlikely we'll use more than 65535 threads in - the near future anyway. - - This may be backported to older releases if they are also affected, at - least to ease the job of distro maintainers. - - Thanks to Ilya for testing. - - (cherry picked from commit 645c588e7138526ccb71f3c47f00045cdf1d8510) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/cfgparse.c b/src/cfgparse.c -index 7f884df7c..2a22405a3 100644 ---- a/src/cfgparse.c -+++ b/src/cfgparse.c -@@ -3656,7 +3656,7 @@ out_uri_auth_compat: - MT_LIST_INIT(&toremove_connections[i]); - } - } -- newsrv->idle_orphan_conns = calloc((unsigned int)global.nbthread, sizeof(*newsrv->idle_orphan_conns)); -+ newsrv->idle_orphan_conns = calloc((unsigned short)global.nbthread, sizeof(*newsrv->idle_orphan_conns)); - if (!newsrv->idle_orphan_conns) - goto err; - for (i = 0; i < global.nbthread; i++) diff --git a/net/haproxy/patches/050-MINOR-lua-Add-hlua_prepend_path-function.patch b/net/haproxy/patches/050-MINOR-lua-Add-hlua_prepend_path-function.patch deleted file mode 100644 index 66720c5c3..000000000 --- a/net/haproxy/patches/050-MINOR-lua-Add-hlua_prepend_path-function.patch +++ /dev/null @@ -1,38 +0,0 @@ -commit ed5d6a9f3c2a1cf9e0408c438c76c0643df9d6a5 -Author: Tim Duesterhus <tim@bastelstu.be> -Date: Sun Jan 12 13:55:39 2020 +0100 - - MINOR: lua: Add hlua_prepend_path function - - This function is added in preparation for following patches. - - (cherry picked from commit c9fc9f2836f1e56eef3eaf690421eeff34dd8a2b) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/hlua.c b/src/hlua.c -index 37f786687..10d615211 100644 ---- a/src/hlua.c -+++ b/src/hlua.c -@@ -7458,6 +7458,22 @@ static int hlua_load(char **args, int section_type, struct proxy *curpx, - return 0; - } - -+/* Prepend the given <path> followed by a semicolon to the `package.<type>` variable -+ * in the given <ctx>. -+ */ -+static int hlua_prepend_path(struct hlua ctx, char *type, char *path) -+{ -+ lua_getglobal(ctx.T, "package"); /* push package variable */ -+ lua_pushstring(ctx.T, path); /* push given path */ -+ lua_pushstring(ctx.T, ";"); /* push semicolon */ -+ lua_getfield(ctx.T, -3, type); /* push old path */ -+ lua_concat(ctx.T, 3); /* concatenate to new path */ -+ lua_setfield(ctx.T, -2, type); /* store new path */ -+ lua_pop(ctx.T, 1); /* pop package variable */ -+ -+ return 0; -+} -+ - /* configuration keywords declaration */ - static struct cfg_kw_list cfg_kws = {{ },{ - { CFG_GLOBAL, "lua-load", hlua_load }, diff --git a/net/haproxy/patches/051-MINOR-lua-Add-lua-prepend-path-configuration-option.patch b/net/haproxy/patches/051-MINOR-lua-Add-lua-prepend-path-configuration-option.patch deleted file mode 100644 index 5b7abeb86..000000000 --- a/net/haproxy/patches/051-MINOR-lua-Add-lua-prepend-path-configuration-option.patch +++ /dev/null @@ -1,98 +0,0 @@ -commit c5438ed610bde49957d8d406f6e98a481e68bef3 -Author: Tim Duesterhus <tim@bastelstu.be> -Date: Sun Jan 12 13:55:40 2020 +0100 - - MINOR: lua: Add lua-prepend-path configuration option - - lua-prepend-path allows the administrator to specify a custom Lua library - path to load custom Lua modules that are useful within the context of HAProxy - without polluting the global Lua library folder. - - (cherry picked from commit dd74b5f2372f610cfa60e8cb2e151e2de377357e) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index 36291a339..54d155b36 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -598,6 +598,7 @@ The following keywords are supported in the "global" section : - - log-tag - - log-send-hostname - - lua-load -+ - lua-prepend-path - - mworker-max-reloads - - nbproc - - nbthread -@@ -1037,6 +1038,31 @@ lua-load <file> - This global directive loads and executes a Lua file. This directive can be - used multiple times. - -+lua-prepend-path <string> [<type>] -+ Prepends the given string followed by a semicolon to Lua's package.<type> -+ variable. -+ <type> must either be "path" or "cpath". If <type> is not given it defaults -+ to "path". -+ -+ Lua's paths are semicolon delimited lists of patterns that specify how the -+ `require` function attempts to find the source file of a library. Question -+ marks (?) within a pattern will be replaced by module name. The path is -+ evaluated left to right. This implies that paths that are prepended later -+ will be checked earlier. -+ -+ As an example by specifying the following path: -+ -+ lua-prepend-path /usr/share/haproxy-lua/?/init.lua -+ lua-prepend-path /usr/share/haproxy-lua/?.lua -+ -+ When `require "example"` is being called Lua will first attempt to load the -+ /usr/share/haproxy-lua/example.lua script, if that does not exist the -+ /usr/share/haproxy-lua/example/init.lua will be attempted and the default -+ paths if that does not exist either. -+ -+ See https://www.lua.org/pil/8.1.html for the details within the Lua -+ documentation. -+ - master-worker [no-exit-on-failure] - Master-worker mode. It is equivalent to the command line "-W" argument. - This mode will launch a "master" which will monitor the "workers". Using -diff --git a/src/hlua.c b/src/hlua.c -index 10d615211..a245f9b7d 100644 ---- a/src/hlua.c -+++ b/src/hlua.c -@@ -7474,8 +7474,36 @@ static int hlua_prepend_path(struct hlua ctx, char *type, char *path) - return 0; - } - -+static int hlua_config_prepend_path(char **args, int section_type, struct proxy *curpx, -+ struct proxy *defpx, const char *file, int line, -+ char **err) -+{ -+ char *path; -+ char *type = "path"; -+ if (too_many_args(2, args, err, NULL)) { -+ return -1; -+ } -+ -+ if (!(*args[1])) { -+ memprintf(err, "'%s' expects to receive a <path> as argument", args[0]); -+ return -1; -+ } -+ path = args[1]; -+ -+ if (*args[2]) { -+ if (strcmp(args[2], "path") != 0 && strcmp(args[2], "cpath") != 0) { -+ memprintf(err, "'%s' expects <type> to either be 'path' or 'cpath'", args[0]); -+ return -1; -+ } -+ type = args[2]; -+ } -+ -+ return hlua_prepend_path(gL, type, path); -+} -+ - /* configuration keywords declaration */ - static struct cfg_kw_list cfg_kws = {{ },{ -+ { CFG_GLOBAL, "lua-prepend-path", hlua_config_prepend_path }, - { CFG_GLOBAL, "lua-load", hlua_load }, - { CFG_GLOBAL, "tune.lua.session-timeout", hlua_session_timeout }, - { CFG_GLOBAL, "tune.lua.task-timeout", hlua_task_timeout }, diff --git a/net/haproxy/patches/052-MINOR-lua-Add-HLUA_PREPEND_C-PATH-build-option.patch b/net/haproxy/patches/052-MINOR-lua-Add-HLUA_PREPEND_C-PATH-build-option.patch deleted file mode 100644 index 80148f7cf..000000000 --- a/net/haproxy/patches/052-MINOR-lua-Add-HLUA_PREPEND_C-PATH-build-option.patch +++ /dev/null @@ -1,62 +0,0 @@ -commit 4fa1de1be89e1d64771a8e8cc725f991ece21819 -Author: Tim Duesterhus <tim@bastelstu.be> -Date: Sun Jan 12 13:55:41 2020 +0100 - - MINOR: lua: Add HLUA_PREPEND_C?PATH build option - - This complements the lua-prepend-path configuration option to allow - distro maintainers to add a default path for HAProxy specific Lua - libraries. - - (cherry picked from commit 541fe1ec52a0f9e1912dea5b3a784406dbdfad22) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/Makefile b/Makefile -index 8399f6ca3..bb494fac3 100644 ---- a/Makefile -+++ b/Makefile -@@ -88,6 +88,8 @@ - # installation only. - # DOCDIR is set to "$(PREFIX)/doc/haproxy" by default and is used for - # installation only. -+# HLUA_PREPEND_PATH may be used to prepend a folder to Lua's default package.path. -+# HLUA_PREPEND_CPATH may be used to prepend a folder to Lua's default package.cpath. - # - # Other variables : - # PCRE_CONFIG : force the binary path to get pcre config (by default -@@ -546,6 +548,14 @@ LUA_INC := $(firstword $(foreach lib,lua5.3 lua53 lua,$(call check_lua_inc,$(lib - ifneq ($(LUA_INC),) - OPTIONS_CFLAGS += -I$(LUA_INC) - endif -+ifneq ($(HLUA_PREPEND_PATH),) -+OPTIONS_CFLAGS += -DHLUA_PREPEND_PATH=$(HLUA_PREPEND_PATH) -+BUILD_OPTIONS += HLUA_PREPEND_PATH=$(HLUA_PREPEND_PATH) -+endif -+ifneq ($(HLUA_PREPEND_CPATH),) -+OPTIONS_CFLAGS += -DHLUA_PREPEND_CPATH=$(HLUA_PREPEND_CPATH) -+BUILD_OPTIONS += HLUA_PREPEND_CPATH=$(HLUA_PREPEND_CPATH) -+endif - endif - - OPTIONS_LDFLAGS += $(LUA_LD_FLAGS) -l$(LUA_LIB_NAME) -lm -diff --git a/src/hlua.c b/src/hlua.c -index a245f9b7d..8ace405d4 100644 ---- a/src/hlua.c -+++ b/src/hlua.c -@@ -7651,6 +7651,16 @@ void hlua_init(void) - - /* Initialise lua. */ - luaL_openlibs(gL.T); -+#define HLUA_PREPEND_PATH_TOSTRING1(x) #x -+#define HLUA_PREPEND_PATH_TOSTRING(x) HLUA_PREPEND_PATH_TOSTRING1(x) -+#ifdef HLUA_PREPEND_PATH -+ hlua_prepend_path(gL, "path", HLUA_PREPEND_PATH_TOSTRING(HLUA_PREPEND_PATH)); -+#endif -+#ifdef HLUA_PREPEND_CPATH -+ hlua_prepend_path(gL, "cpath", HLUA_PREPEND_PATH_TOSTRING(HLUA_PREPEND_CPATH)); -+#endif -+#undef HLUA_PREPEND_PATH_TOSTRING -+#undef HLUA_PREPEND_PATH_TOSTRING1 - - /* Set safe environment for the initialisation. */ - if (!SET_SAFE_LJMP(gL.T)) { diff --git a/net/haproxy/patches/053-BUG-MEDIUM-ssl-Dont-forget-to-free-ctx--ssl-on-failure.patch b/net/haproxy/patches/053-BUG-MEDIUM-ssl-Dont-forget-to-free-ctx--ssl-on-failure.patch deleted file mode 100644 index bf87d6e89..000000000 --- a/net/haproxy/patches/053-BUG-MEDIUM-ssl-Dont-forget-to-free-ctx--ssl-on-failure.patch +++ /dev/null @@ -1,36 +0,0 @@ -commit a95b302da71065e443477c2cbcd852ebb52d6db3 -Author: Olivier Houchard <cognet@ci0.org> -Date: Fri Jan 24 15:17:38 2020 +0100 - - BUG/MEDIUM: ssl: Don't forget to free ctx->ssl on failure. - - In ssl_sock_init(), if we fail to allocate the BIO, don't forget to free - the SSL *, or we'd end up with a memory leak. - - This should be backported to 2.1 and 2.0. - - (cherry picked from commit efe5e8e99890b24dcfb8c925d98bf82e2fdf0b9f) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index c6888c128..6841813b5 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -5790,6 +5790,8 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx) - } - ctx->bio = BIO_new(ha_meth); - if (!ctx->bio) { -+ SSL_free(ctx->ssl); -+ ctx->ssl = NULL; - if (may_retry--) { - pool_gc(NULL); - goto retry_connect; -@@ -5866,6 +5868,8 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx) - - ctx->bio = BIO_new(ha_meth); - if (!ctx->bio) { -+ SSL_free(ctx->ssl); -+ ctx->ssl = NULL; - if (may_retry--) { - pool_gc(NULL); - goto retry_accept; diff --git a/net/haproxy/patches/054-BUG-MINOR-tcpchecks-fix-the-connect-flags-regarding-delayed-ack.patch b/net/haproxy/patches/054-BUG-MINOR-tcpchecks-fix-the-connect-flags-regarding-delayed-ack.patch deleted file mode 100644 index b73b0ab4b..000000000 --- a/net/haproxy/patches/054-BUG-MINOR-tcpchecks-fix-the-connect-flags-regarding-delayed-ack.patch +++ /dev/null @@ -1,33 +0,0 @@ -commit 77ec6260f99e7f41f22235bcc1905eb8b15c7eb8 -Author: Willy Tarreau <w@1wt.eu> -Date: Fri Jan 24 17:52:37 2020 +0100 - - BUG/MINOR: tcpchecks: fix the connect() flags regarding delayed ack - - In issue #465, we see that Coverity detected dead code in checks.c - which is in fact a missing parenthesis to build the connect() flags - consecutive to the API change in commit fdcb007ad8 ("MEDIUM: proto: - Change the prototype of the connect() method."). - - The impact should be imperceptible as in the best case it may have - resulted in a missed optimization trying to save a syscall or to merge - outgoing packets. - - It may be backported as far as 2.0 though it's not critical. - - (cherry picked from commit 74ab7d2b80cf3930e2b3957c9234953a632c5226) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/checks.c b/src/checks.c -index 2b7fc09c6..952114e95 100644 ---- a/src/checks.c -+++ b/src/checks.c -@@ -2962,7 +2962,7 @@ static int tcpcheck_main(struct check *check) - ret = SF_ERR_INTERNAL; - if (proto && proto->connect) - ret = proto->connect(conn, -- CONNECT_HAS_DATA /* I/O polling is always needed */ | (next && next->action == TCPCHK_ACT_EXPECT) ? 0 : CONNECT_DELACK_ALWAYS); -+ CONNECT_HAS_DATA /* I/O polling is always needed */ | ((next && next->action == TCPCHK_ACT_EXPECT) ? 0 : CONNECT_DELACK_ALWAYS)); - if (conn_ctrl_ready(conn) && - check->current_step->conn_opts & TCPCHK_OPT_SEND_PROXY) { - conn->send_proxy_ofs = 1; diff --git a/net/jool/Makefile b/net/jool/Makefile index 6cc4dd1ca..40f453fe7 100644 --- a/net/jool/Makefile +++ b/net/jool/Makefile @@ -9,7 +9,7 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=jool PKG_VERSION:=4.0.6 -PKG_RELEASE:=2 +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/NICMx/Jool/releases/download/v$(PKG_VERSION) @@ -30,21 +30,21 @@ define Build/Compile KERNEL_DIR="$(LINUX_DIR)" \ ARCH="$(LINUX_KARCH)" \ CROSS_COMPILE="$(TARGET_CROSS)" \ - SUBDIRS="$(PKG_BUILD_DIR)/src/mod/nat64" \ + SUBDIRS="$(PKG_BUILD_DIR)/src/mod/common" \ V="$(V)" \ modules $(MAKE) -C "$(LINUX_DIR)" \ KERNEL_DIR="$(LINUX_DIR)" \ ARCH="$(LINUX_KARCH)" \ CROSS_COMPILE="$(TARGET_CROSS)" \ - SUBDIRS="$(PKG_BUILD_DIR)/src/mod/siit" \ + SUBDIRS="$(PKG_BUILD_DIR)/src/mod/nat64" \ V="$(V)" \ modules $(MAKE) -C "$(LINUX_DIR)" \ KERNEL_DIR="$(LINUX_DIR)" \ ARCH="$(LINUX_KARCH)" \ CROSS_COMPILE="$(TARGET_CROSS)" \ - SUBDIRS="$(PKG_BUILD_DIR)/src/mod/common" \ + SUBDIRS="$(PKG_BUILD_DIR)/src/mod/siit" \ V="$(V)" \ modules $(call Build/Compile/Default) diff --git a/net/lcdringer/Makefile b/net/lcdringer/Makefile index 98d4eca48..8cf3a2230 100644 --- a/net/lcdringer/Makefile +++ b/net/lcdringer/Makefile @@ -31,7 +31,7 @@ include $(INCLUDE_DIR)/nls.mk define Package/lcdringer SECTION:=network CATEGORY:=Network - DEPENDS:=+libgee +libgstreamer1 +loudmouth @TARGET_brcm2708 + DEPENDS:=+libgee +libgstreamer1 +loudmouth @TARGET_bcm27xx TITLE:=lcdringer URL:=https://www.flyn.org/projects/lcdringer/ endef diff --git a/net/lftp/Makefile b/net/lftp/Makefile index 020f933d4..4393500ed 100644 --- a/net/lftp/Makefile +++ b/net/lftp/Makefile @@ -8,18 +8,21 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lftp -PKG_VERSION:=4.8.4 -PKG_RELEASE:=3 +PKG_VERSION:=4.9.1 +PKG_RELEASE:=1 + PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_SOURCE_URL:=http://lftp.tech/ftp/ \ +PKG_SOURCE_URL:=https://lftp.tech/ftp/ \ https://mirror.csclub.uwaterloo.ca/gentoo-distfiles/distfiles/ - -PKG_HASH:=4ebc271e9e5cea84a683375a0f7e91086e5dac90c5d51bb3f169f75386107a62 - +PKG_HASH:=5969fcaefd102955dd882f3bcd8962198bc537224749ed92f206f415207a024b +PKG_MAINTAINER:=Federico Di Marco <fededim@gmail.com> PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE_FILES:=COPYING -PKG_CPE_ID:=cpe:/a:alexander_v._lukyanov:lftp +PKG_CPE_ID:=cpe:/a:lftp_project:lftp + +PKG_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 include $(INCLUDE_DIR)/uclibc++.mk include $(INCLUDE_DIR)/package.mk @@ -30,8 +33,7 @@ define Package/lftp CATEGORY:=Network DEPENDS:=+libncurses +libopenssl +libreadline $(CXX_DEPENDS) +libexpat +zlib TITLE:=a sophisticated file transfer program with command line interface. - MAINTAINER:=Federico Di Marco <fededim@gmail.com> - URL:=http://lftp.yar.ru/ + URL:=https://lftp.yar.ru/ endef define Package/lftp/description @@ -54,11 +56,9 @@ CONFIGURE_ARGS += \ --with-zlib="$(STAGING_DIR)/usr" \ --disable-static -TARGET_CXXFLAGS+= -std=c++11 - define Package/lftp/install $(INSTALL_DIR) $(1)/usr/bin - $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/lftp $(1)/usr/bin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/lftp $(1)/usr/bin/ endef $(eval $(call BuildPackage,lftp)) diff --git a/net/miniupnpc/Makefile b/net/miniupnpc/Makefile index 467b5b574..3d9626206 100644 --- a/net/miniupnpc/Makefile +++ b/net/miniupnpc/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=miniupnpc -PKG_VERSION:=2.1.20190824 +PKG_VERSION:=2.1.20191224 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://miniupnp.tuxfamily.org/files -PKG_HASH:=1fadefea0ecdceb3e35bb5d901f0db880c826740e93148ddfb087b4b4389e165 +PKG_HASH:=447b427854b6c027ea28bc838b18582c5a7e71db84f6ff36df93bd91e46d66cf -PKG_MAINTAINER:=Steven Barth <cyrus@openwrt.org> +PKG_MAINTAINER:= PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE PKG_CPE_ID:=cpe:/a:miniupnp_project:miniupnp diff --git a/net/miniupnpd/Makefile b/net/miniupnpd/Makefile index c35c4318a..d3cbf2981 100644 --- a/net/miniupnpd/Makefile +++ b/net/miniupnpd/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=miniupnpd PKG_VERSION:=2.1.20191006 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_URL:=https://miniupnp.tuxfamily.org/files PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz diff --git a/net/miniupnpd/files/miniupnpd.hotplug b/net/miniupnpd/files/miniupnpd.hotplug index 9820d4254..9e525f9b5 100644 --- a/net/miniupnpd/files/miniupnpd.hotplug +++ b/net/miniupnpd/files/miniupnpd.hotplug @@ -1,8 +1,6 @@ -#!/bin/sh +#!/bin/sh /etc/rc.common -/etc/init.d/miniupnpd enabled || exit 0 - -. /lib/functions/service.sh +enabled miniupnpd || exit 0 # If miniupnpd is not running: # - check on _any_ event (even updates may contribute to network_find_wan*) @@ -11,7 +9,7 @@ # - check only on ifup (otherwise lease updates etc would cause # miniupnpd state loss) -[ "$ACTION" != "ifup" ] && service_check /usr/sbin/miniupnpd && exit 0 +[ "$ACTION" != "ifup" ] && service_running miniupnpd && exit 0 tmpconf="/var/etc/miniupnpd.conf" extiface=$(uci get upnpd.config.external_iface) @@ -19,15 +17,13 @@ extzone=$(uci get upnpd.config.external_zone) . /lib/functions/network.sh -if [ -z "$extiface" ] ; then +[ -z "$extiface" ] && { # manual external zone (if dynamically find interfaces # belonging to it) overrides network_find_wan* - if [ -n "$extzone" ] ; then - ifname=$(fw3 -q zone $extzone | head -1) - fi - [ -n "$extiface" ] || network_find_wan extiface - [ -n "$extiface" ] || network_find_wan6 extiface -fi - -[ -n "$ifname" ] || network_get_device ifname "$extiface" + [ -n "$extzone" ] && ifname=$(fw3 -q zone "$extzone" | head -1) + [ -z "$extiface" ] && network_find_wan extiface + [ -z "$extiface" ] && network_find_wan6 extiface +} + +[ -z "$ifname" ] && network_get_device ifname "$extiface" grep -q "ext_ifname=$ifname" "$tmpconf" || /etc/init.d/miniupnpd restart diff --git a/net/miniupnpd/files/miniupnpd.init b/net/miniupnpd/files/miniupnpd.init index 9a85d0078..01434e915 100644 --- a/net/miniupnpd/files/miniupnpd.init +++ b/net/miniupnpd/files/miniupnpd.init @@ -3,8 +3,8 @@ START=94 STOP=15 - -SERVICE_USE_PID=1 +USE_PROCD=1 +PROG=/usr/sbin/miniupnpd upnpd_get_port_range() { local var="$1"; shift @@ -26,9 +26,8 @@ upnpd_get_port_range() { conf_rule_add() { local cfg="$1" - local tmpconf="$2" - local action external_port_start external_port_end int_addr - local internal_port_start internal_port_end comment + local action int_addr + local ext_start ext_end int_start int_end comment config_get action "$cfg" action "deny" # allow or deny upnpd_get_port_range "ext" "$cfg" ext_ports "0-65535" # external ports: x, x-y, x:y @@ -39,7 +38,7 @@ conf_rule_add() { # Make a single IP IP/32 so that miniupnpd.conf can use it. [ "${int_addr%/*}" = "$int_addr" ] && int_addr="$int_addr/32" - echo "$action $ext_start${ext_end:+-}$ext_end $int_addr $int_start${int_end:+-}$int_end #$comment" >>$tmpconf + echo "$action $ext_start${ext_end:+-}$ext_end $int_addr $int_start${int_end:+-}$int_end #$comment" } upnpd_write_bool() { @@ -50,161 +49,145 @@ upnpd_write_bool() { config_get_bool val config "$opt" "$def" if [ "$val" -eq 0 ]; then - echo "$alt=no" >> $tmpconf + echo "$alt=no" else - echo "$alt=yes" >> $tmpconf + echo "$alt=yes" fi } -boot() { - return -} - -start() { +upnpd() { config_load "upnpd" - local extiface intiface upload download logging secure enabled natpmp - local extip port usesysuptime conffile serial_number model_number - local uuid notify_interval presentation_url enable_upnp + local external_iface external_iface6 external_zone external_ip internal_iface + local upload download log_output port config_file serial_number model_number + local use_stun stun_host stun_port uuid notify_interval presentation_url local upnp_lease_file clean_ruleset_threshold clean_ruleset_interval - local ipv6_listening_ip enabled + local enabled config_get_bool enabled config enabled 1 - [ "$enabled" -eq 0 ] && return 1 - config_get extiface config external_iface - config_get extzone config external_zone - config_get intiface config internal_iface - config_get extip config external_ip + config_get external_iface config external_iface + config_get external_zone config external_zone + config_get external_ip config external_ip + config_get internal_iface config internal_iface config_get port config port 5000 config_get upload config upload config_get download config download - config_get_bool logging config log_output 0 - config_get conffile config config_file + config_get_bool log_output config log_output 0 + config_get config_file config config_file config_get serial_number config serial_number config_get model_number config model_number config_get uuid config uuid + config_get stun_host config stun_host + config_get stun_port config stun_port config_get notify_interval config notify_interval config_get presentation_url config presentation_url config_get upnp_lease_file config upnp_lease_file config_get clean_ruleset_threshold config clean_ruleset_threshold config_get clean_ruleset_interval config clean_ruleset_interval - config_get ipv6_listening_ip config ipv6_listening_ip - local args ifname + local conf ifname ifname6 . /lib/functions/network.sh - # manual external interface overrides everything - if [ -z "$extiface" ] ; then - # manual external zone (if dynamically find interfaces - # belonging to it) overrides network_find_wan* - if [ -n "$extzone" ] ; then - ifname=$(fw3 -q zone $extzone | head -1) - fi - [ -n "$extiface" ] || network_find_wan extiface - [ -n "$extiface" ] || network_find_wan6 extiface - fi - - [ -n "$ifname" ] || network_get_device ifname $extiface - - if [ -n "$conffile" ]; then - args="-f $conffile" + # manual external interface overrides everything + [ -z "$external_iface" ] && { + # manual external zone (if dynamically find interfaces + # belonging to it) overrides network_find_wan* + [ -n "$external_zone" ] && ifname=$(fw3 -q zone "$external_zone" | head -1) + [ -z "$external_iface" ] && network_find_wan external_iface + [ -z "$external_iface6" ] && network_find_wan6 external_iface6 + } + + [ -z "$ifname" ] && network_get_device ifname "$external_iface" + [ -z "$ifname6" ] && network_get_device ifname6 "$external_iface6" + + if [ -n "$config_file" ]; then + conf="$config_file" else local tmpconf="/var/etc/miniupnpd.conf" - args="-f $tmpconf" + conf="$tmpconf" mkdir -p /var/etc - echo "ext_ifname=$ifname" >$tmpconf - - [ -n "$extip" ] && \ - echo "ext_ip=$extip" >>$tmpconf + { + echo "ext_ifname=$ifname" + echo "ext_ifname6=$ifname6" + [ -n "$external_ip" ] && echo "ext_ip=$external_ip" local iface - for iface in ${intiface:-lan}; do + for iface in ${internal_iface:-lan}; do local device - network_get_device device "$iface" && { - echo "listening_ip=$device" >>$tmpconf - } + network_get_device device "$iface" && echo "listening_ip=$device" + network_get_device device "$iface" && echo "ipv6_listening_ip=$device" done - [ "$port" != "auto" ] && \ - echo "port=$port" >>$tmpconf - config_load "upnpd" upnpd_write_bool enable_natpmp 1 upnpd_write_bool enable_upnp 1 upnpd_write_bool secure_mode 1 - upnpd_write_bool pcp_allow_thirdparty 0 upnpd_write_bool system_uptime 1 upnpd_write_bool igdv1 0 force_igd_desc_v1 + upnpd_write_bool use_stun 0 ext_perform_stun - [ -n "$upnp_lease_file" ] && \ - echo "lease_file=$upnp_lease_file" >>$tmpconf - - [ -n "$upload" -a -n "$download" ] && { - echo "bitrate_down=$(($download * 1024 * 8))" >>$tmpconf - echo "bitrate_up=$(($upload * 1024 * 8))" >>$tmpconf + [ "$use_stun" -eq 0 ] || { + [ -n "$stun_host" ] && echo "ext_stun_host=$stun_host" + [ -n "$stun_port" ] && echo "ext_stun_port=$stun_port" } - [ -n "${presentation_url}" ] && \ - echo "presentation_url=${presentation_url}" >>$tmpconf - - [ -n "${notify_interval}" ] && \ - echo "notify_interval=${notify_interval}" >>$tmpconf - - [ -n "${clean_ruleset_threshold}" ] && \ - echo "clean_ruleset_threshold=${clean_ruleset_threshold}" >>$tmpconf - - [ -n "${clean_ruleset_interval}" ] && \ - echo "clean_ruleset_interval=${clean_ruleset_interval}" >>$tmpconf + [ -n "$upload" ] && [ -n "$download" ] && { + echo "bitrate_down=$((download * 1024 * 8))" + echo "bitrate_up=$((upload * 1024 * 8))" + } - [ -n "${ipv6_listening_ip}" ] && \ - echo "ipv6_listening_ip=${ipv6_listening_ip}" >>$tmpconf + [ -n "$upnp_lease_file" ] && touch "$upnp_lease_file" && echo "lease_file=$upnp_lease_file" + [ -n "$presentation_url" ] && echo "presentation_url=$presentation_url" + [ -n "$notify_interval" ] && echo "notify_interval=$notify_interval" + [ -n "$clean_ruleset_threshold" ] && echo "clean_ruleset_threshold=$clean_ruleset_threshold" + [ -n "$clean_ruleset_interval" ] && echo "clean_ruleset_interval=$clean_ruleset_interval" + [ -n "$serial_number" ] && echo "serial=$serial_number" + [ -n "$model_number" ] && echo "model_number=$model_number" + [ -n "$port" ] && echo "port=$port" [ -z "$uuid" ] && { uuid="$(cat /proc/sys/kernel/random/uuid)" - uci set upnpd.config.uuid=$uuid + uci set upnpd.config.uuid="$uuid" uci commit upnpd } - [ "$uuid" = "nocli" ] || \ - echo "uuid=$uuid" >>$tmpconf - - [ -n "${serial_number}" ] && \ - echo "serial=${serial_number}" >>$tmpconf + [ "$uuid" = "nocli" ] || echo "uuid=$uuid" - [ -n "${model_number}" ] && \ - echo "model_number=${model_number}" >>$tmpconf + config_foreach conf_rule_add perm_rule - config_foreach conf_rule_add perm_rule "$tmpconf" + } > "$tmpconf" fi - if [ -n "$ifname" ]; then # start firewall iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload - - if [ "$logging" = "1" ]; then - SERVICE_DAEMONIZE=1 \ - service_start /usr/sbin/miniupnpd $args -d - else - SERVICE_DAEMONIZE= \ - service_start /usr/sbin/miniupnpd $args - fi else logger -t "upnp daemon" "external interface not found, not starting" fi -} -stop() { - service_stop /usr/sbin/miniupnpd + procd_open_instance + procd_set_param command "$PROG" + procd_append_param command -f "$conf" + [ "$log_output" = "1" ] && procd_append_param command -d + procd_close_instance +} +stop_service() { iptables -t nat -F MINIUPNPD 2>/dev/null iptables -t nat -F MINIUPNPD-POSTROUTING 2>/dev/null iptables -t filter -F MINIUPNPD 2>/dev/null - [ -x /usr/sbin/ip6tables ] && { - ip6tables -t filter -F MINIUPNPD 2>/dev/null - } + [ -x /usr/sbin/ip6tables ] && ip6tables -t filter -F MINIUPNPD 2>/dev/null +} + +start_service() { + config_load "upnpd" + config_foreach upnpd "upnpd" +} + +service_triggers() { + procd_add_reload_trigger "upnpd" } diff --git a/net/miniupnpd/files/upnpd.config b/net/miniupnpd/files/upnpd.config index 299664362..4e7466495 100644 --- a/net/miniupnpd/files/upnpd.config +++ b/net/miniupnpd/files/upnpd.config @@ -4,8 +4,8 @@ config upnpd config option enable_upnp 1 option secure_mode 1 option log_output 0 - option download 1024 - option upload 512 + option download 1024 + option upload 512 #by default, looked up dynamically from ubus # option external_iface wan option internal_iface lan diff --git a/net/miniupnpd/patches/100-no-daemon.patch b/net/miniupnpd/patches/100-no-daemon.patch new file mode 100644 index 000000000..3d51fcaa7 --- /dev/null +++ b/net/miniupnpd/patches/100-no-daemon.patch @@ -0,0 +1,25 @@ +--- a/miniupnpd.c ++++ b/miniupnpd.c +@@ -1727,21 +1727,7 @@ init(int argc, char * * argv, struct runtime_vars * v) + } + } + +- if(debug_flag) +- { +- pid = getpid(); +- } +- else +- { +-#ifdef USE_DAEMON +- if(daemon(0, 0)<0) { +- perror("daemon()"); +- } +- pid = getpid(); +-#else +- pid = daemonize(); +-#endif +- } ++ pid = getpid(); + + openlog_option = LOG_PID|LOG_CONS; + if(debug_flag) diff --git a/net/nfdump/Makefile b/net/nfdump/Makefile index 171983d25..a1b2f6d97 100644 --- a/net/nfdump/Makefile +++ b/net/nfdump/Makefile @@ -7,40 +7,41 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nfdump PKG_VERSION:=1.6.18 -PKG_RELEASE:=1 - -PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org> - -PKG_LICENSE:=BSD-3-Clause -PKG_LICENSE_FILES:=COPYING +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/phaag/nfdump/tar.gz/v$(PKG_VERSION)? PKG_HASH:=5d6046bf7faa34713b004c6cf8b3d30027c761c5ac22a3195d49388342e8147e +PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org> +PKG_LICENSE:=BSD-3-Clause +PKG_LICENSE_FILES:=COPYING + +PKG_FIXUP:=autoreconf PKG_INSTALL:=1 PKG_BUILD_PARALLEL:=1 -PKG_FIXUP:=autoreconf include $(INCLUDE_DIR)/package.mk -include $(INCLUDE_DIR)/nls.mk define Package/nfdump SECTION:=net CATEGORY:=Network - DEPENDS:= +libbz2 + DEPENDS:= +libbz2 +USE_MUSL:musl-fts TITLE:= nfdump URL:=https://github.com/phaag/nfdump/ endef define Package/nfdump/description - NetFlow collecting and processing tools + NetFlow collecting and processing tools endef define Package/nfdump/conffiles /etc/config/nfcapd endef +TARGET_CFLAGS += -flto +TARGET_LDFLAGS += -Wl,--as-needed $(if $(CONFIG_USE_MUSL),-lfts) + define Package/nfdump/install $(INSTALL_DIR) $(1)/usr/lib $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libnfdump-$(PKG_VERSION).so $(1)/usr/lib/ diff --git a/net/nginx-util/Makefile b/net/nginx-util/Makefile index 46c98a1d6..5fd89878b 100644 --- a/net/nginx-util/Makefile +++ b/net/nginx-util/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx-util PKG_VERSION:=1.3 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_MAINTAINER:=Peter Stadler <peter.stadler@student.uibk.ac.at> include $(INCLUDE_DIR)/package.mk @@ -15,27 +15,27 @@ define Package/nginx-util/default SECTION:=net CATEGORY:=Network SUBMENU:=Web Servers/Proxies - TITLE:=Builder of LAN listen directives for Nginx + TITLE:=Nginx configurator DEPENDS:=+libstdcpp +libubus +libubox +libpthread endef define Package/nginx-util $(Package/nginx-util/default) - CONFLICTS:=nginx-ssl-util + CONFLICTS:=nginx-ssl-util-nopcre nginx-ssl-util endef define Package/nginx-ssl-util/default $(Package/nginx-util/default) - TITLE+= and manager of its SSL certificates + TITLE+= including SSL DEPENDS+= +libopenssl - CONFLICTS:=nginx-util + CONFLICTS:=,nginx-util endef define Package/nginx-ssl-util $(Package/nginx-ssl-util/default) TITLE+= (using PCRE) DEPENDS+= +libpcre - CONFLICTS+= nginx-ssl-util-nopcre + CONFLICTS+= ,nginx-ssl-util-nopcre endef define Package/nginx-ssl-util-nopcre diff --git a/net/nlbwmon/Makefile b/net/nlbwmon/Makefile index 0778d7bb4..be4fb0c78 100644 --- a/net/nlbwmon/Makefile +++ b/net/nlbwmon/Makefile @@ -1,13 +1,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nlbwmon -PKG_RELEASE:=2 +PKG_RELEASE:=1 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/jow-/nlbwmon.git -PKG_SOURCE_DATE:=2019-06-06 -PKG_SOURCE_VERSION:=4574e6e80e3a5ab8de65886baa0d563dfee589ff -PKG_MIRROR_HASH:=559a8b04e8942c83e31a6a5e2576a5308fdc16349ed29e0b2d9fc182d715976d +PKG_SOURCE_DATE:=2019-06-13 +PKG_SOURCE_VERSION:=e921ca0af9957d3cb05797acfb8bde4d7d2278e5 +PKG_MIRROR_HASH:=1f6ed5086e978beeba4c22c255b4ed893d598119c3f2c03061501464910ea421 CMAKE_INSTALL:=1 diff --git a/net/pingcheck/Makefile b/net/pingcheck/Makefile index bbc535173..8df3fa857 100644 --- a/net/pingcheck/Makefile +++ b/net/pingcheck/Makefile @@ -8,15 +8,15 @@ include $(TOPDIR)/rules.mk PKG_NAME:=pingcheck -PKG_VERSION:=2019-10-08 -PKG_RELEASE:=2 +PKG_VERSION:=2020-02-12 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_MIRROR_HASH:=0bf82809ce36106825d1a757c4624efcbab1829c1a9bf9e1e055e75ebf83403d +PKG_MIRROR_HASH:=3890cd39add7e523ab7418faf6a7ae1a1f71d2739982e6e09aa33cc6defac8be PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE_URL:=https://github.com/br101/pingcheck PKG_SOURCE_PROTO:=git -PKG_SOURCE_VERSION:=7223f1b10697735d34f297ca2520495337666df6 +PKG_SOURCE_VERSION:=520718f9377eab49888a3e38ece59f9ad94d978e PKG_MAINTAINER:=Bruno Randolf <br1@einfach.org> PKG_LICENSE:=GPL-2.0-or-later @@ -53,6 +53,11 @@ define Package/pingcheck/install $(INSTALL_BIN) ./pingcheck.init $(1)/etc/init.d/pingcheck $(INSTALL_DIR) $(1)/etc/config $(INSTALL_DATA) $(PKG_BUILD_DIR)/pingcheck.config $(1)/etc/config/pingcheck + $(INSTALL_DIR) $(1)/etc/pingcheck/online.d/ + $(INSTALL_DIR) $(1)/etc/pingcheck/offline.d/ + $(INSTALL_DIR) $(1)/etc/pingcheck/panic.d/ + $(INSTALL_DATA) $(PKG_BUILD_DIR)/example-script.sh $(1)/etc/pingcheck/online.d/ + $(INSTALL_DATA) $(PKG_BUILD_DIR)/example-script.sh $(1)/etc/pingcheck/offline.d/ endef $(eval $(call BuildPackage,pingcheck)) diff --git a/net/shorewall-core/Makefile b/net/shorewall-core/Makefile index b2eb268c7..689d0496a 100644 --- a/net/shorewall-core/Makefile +++ b/net/shorewall-core/Makefile @@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=shorewall-core PKG_MAJOR_MINOR_VERSION:=5.2 PKG_BUGFIX_MAJOR_VERSION:=3 -PKG_BUGFIX_MINOR_VERSION:=.5 +PKG_BUGFIX_MINOR_VERSION:=.6 PKG_VERSION:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION)$(PKG_BUGFIX_MINOR_VERSION) PKG_DIRECTORY:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION) PKG_RELEASE:=2 @@ -22,7 +22,7 @@ PKG_SOURCE_URL:=http://www.shorewall.net/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION http://shorewall.de/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ \ http://www.shorewall.com.au/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_HASH:=c9dbbe51e2550651335ec82d59a237a66ee4fe7e87719ee52285d253921ec07b +PKG_HASH:=e177d43d06be8db53008d736e0153d5c50a8ce6bd2171836f2f669c6a3233918 PKG_MAINTAINER:=Willem van den Akker <wvdakker@wilsoft.nl> PKG_LICENSE:=GPL-2.0-or-later diff --git a/net/shorewall-lite/Makefile b/net/shorewall-lite/Makefile index 42afe12aa..a09ae075e 100644 --- a/net/shorewall-lite/Makefile +++ b/net/shorewall-lite/Makefile @@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=shorewall-lite PKG_MAJOR_MINOR_VERSION:=5.2 PKG_BUGFIX_MAJOR_VERSION:=3 -PKG_BUGFIX_MINOR_VERSION:=.5 +PKG_BUGFIX_MINOR_VERSION:=.6 PKG_VERSION:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION)$(PKG_BUGFIX_MINOR_VERSION) PKG_DIRECTORY:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION) PKG_RELEASE:=2 @@ -22,7 +22,7 @@ PKG_SOURCE_URL:=http://www.shorewall.net/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION http://shorewall.de/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ \ http://www.shorewall.com.au/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_HASH:=233ea801ce100e905e0231dd5585e3ee47fabf637ddb7d6dbe1913d63cd13e54 +PKG_HASH:=29e00965f4f3d5b27a917c6dc94b487a72fbd69ee1430b24d8eeedce8f79ebc6 PKG_MAINTAINER:=Willem van den Akker <wvdakker@wilsoft.nl> PKG_LICENSE:=GPL-2.0-or-later diff --git a/net/shorewall/Makefile b/net/shorewall/Makefile index 540bc7597..865db1c90 100644 --- a/net/shorewall/Makefile +++ b/net/shorewall/Makefile @@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=shorewall PKG_MAJOR_MINOR_VERSION:=5.2 PKG_BUGFIX_MAJOR_VERSION:=3 -PKG_BUGFIX_MINOR_VERSION:=.5 +PKG_BUGFIX_MINOR_VERSION:=.6 PKG_VERSION:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION)$(PKG_BUGFIX_MINOR_VERSION) PKG_DIRECTORY:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION) PKG_RELEASE:=2 @@ -22,7 +22,7 @@ PKG_SOURCE_URL:=http://www.shorewall.net/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION http://shorewall.de/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ \ http://www.shorewall.com.au/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_HASH:=466afa987eb24e64c81565a994951c59f540fdd5c008ef9ec397bdd7566fc50f +PKG_HASH:=897110c803ededb873aa59af98f97a42a07968c29fd636e1a01f84e33b32e9d3 PKG_MAINTAINER:=Willem van den Akker <wvdakker@wilsoft.nl> PKG_LICENSE:=GPL-2.0-or-later diff --git a/net/shorewall6-lite/Makefile b/net/shorewall6-lite/Makefile index 073508ae1..7043f185f 100644 --- a/net/shorewall6-lite/Makefile +++ b/net/shorewall6-lite/Makefile @@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=shorewall6-lite PKG_MAJOR_MINOR_VERSION:=5.2 PKG_BUGFIX_MAJOR_VERSION:=3 -PKG_BUGFIX_MINOR_VERSION:=.5 +PKG_BUGFIX_MINOR_VERSION:=.6 PKG_VERSION:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION)$(PKG_BUGFIX_MINOR_VERSION) PKG_DIRECTORY:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION) PKG_RELEASE:=2 @@ -22,7 +22,7 @@ PKG_SOURCE_URL:=http://www.shorewall.net/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION http://shorewall.de/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ \ http://www.shorewall.com.au/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_HASH:=aeac91d2cef004892c31256b1d7107d5ae4c392772a7530c0b4834893180eae3 +PKG_HASH:=6c3e0f76814be703bec1c78052abc191b1f47161a683fbdeaab0b12c37e11cc2 PKG_MAINTAINER:=Willem van den Akker <wvdakker@wilsoft.nl> PKG_LICENSE:=GPL-2.0-or-later diff --git a/net/shorewall6/Makefile b/net/shorewall6/Makefile index 351b35929..2faa1e8a8 100644 --- a/net/shorewall6/Makefile +++ b/net/shorewall6/Makefile @@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=shorewall6 PKG_MAJOR_MINOR_VERSION:=5.2 PKG_BUGFIX_MAJOR_VERSION:=3 -PKG_BUGFIX_MINOR_VERSION:=.5 +PKG_BUGFIX_MINOR_VERSION:=.6 PKG_VERSION:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION)$(PKG_BUGFIX_MINOR_VERSION) PKG_DIRECTORY:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION) PKG_RELEASE:=2 @@ -22,7 +22,7 @@ PKG_SOURCE_URL:=http://www.shorewall.net/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION http://shorewall.de/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ \ http://www.shorewall.com.au/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_HASH:=eff1dae5669648e96b5db78a7718cbb39a5f0b16a33c7223aa5a55fce56751b5 +PKG_HASH:=83dcad18aef2872904dd95d3cd882a926d2162ad870eb582fa7158c0d12f369d PKG_MAINTAINER:=Willem van den Akker <wvdakker@wilsoft.nl> PKG_LICENSE:=GPL-2.0-or-later diff --git a/net/socat/Makefile b/net/socat/Makefile index 33a4bf1cd..faf8d302e 100644 --- a/net/socat/Makefile +++ b/net/socat/Makefile @@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=socat -PKG_VERSION:=1.7.3.3 -PKG_RELEASE:=3 +PKG_VERSION:=1.7.3.4 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://www.dest-unreach.org/socat/download -PKG_HASH:=0dd63ffe498168a4aac41d307594c5076ff307aa0ac04b141f8f1cec6594d04a +PKG_HASH:=972374ca86f65498e23e3259c2ee1b8f9dbeb04d12c2a78c0c9b5d1cb97dfdfc PKG_MAINTAINER:=Ted Hess <thess@kitschensync.net> PKG_LICENSE:=GPL-2.0-or-later OpenSSL diff --git a/net/spoofer/Makefile b/net/spoofer/Makefile index 29811a7f2..201089ed4 100644 --- a/net/spoofer/Makefile +++ b/net/spoofer/Makefile @@ -19,13 +19,12 @@ PKG_MAINTAINER:=Ken Keys <spoofer-info@caida.org> PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE_FILES:=LICENSE -PKG_USE_MIPS16:=0 +PKG_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 +PKG_BUILD_DEPENDS:=protobuf/host -include $(INCLUDE_DIR)/host-build.mk include $(INCLUDE_DIR)/package.mk -$(eval $(call HostBuild)) - define Package/spoofer SECTION:=net CATEGORY:=Network @@ -54,19 +53,15 @@ CONFIGURE_ARGS += \ CONFIGURE_VARS += \ PROTOC=$(STAGING_DIR_HOSTPKG)/bin/protoc -EXTRA_CXXFLAGS += -std=gnu++14 - -SPOOFER_SRC=$(PKG_BUILD_DIR) - define Package/spoofer/install $(INSTALL_DIR) $(1)/usr/bin - $(INSTALL_BIN) $(PKG_BUILD_DIR)/prober/spoofer-prober $(1)/usr/bin - $(INSTALL_BIN) $(SPOOFER_SRC)/openwrt-files/spoofer $(1)/usr/bin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin//spoofer-prober $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/openwrt-files/spoofer $(1)/usr/bin $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) $(SPOOFER_SRC)/openwrt-files/initscript $(1)/etc/init.d/spoofer + $(INSTALL_BIN) $(PKG_BUILD_DIR)/openwrt-files/initscript $(1)/etc/init.d/spoofer $(INSTALL_DIR) $(1)/usr/share/spoofer - $(INSTALL_DATA) $(SPOOFER_SRC)/gd_bundle.crt $(1)/usr/share/spoofer - $(INSTALL_DATA) $(SPOOFER_SRC)/openwrt-files/spoofer-lib.sh $(1)/usr/share/spoofer + $(INSTALL_DATA) $(PKG_BUILD_DIR)/gd_bundle.crt $(1)/usr/share/spoofer + $(INSTALL_DATA) $(PKG_BUILD_DIR)/openwrt-files/spoofer-lib.sh $(1)/usr/share/spoofer endef $(eval $(call BuildPackage,spoofer)) diff --git a/net/sslh/Makefile b/net/sslh/Makefile index 0a516fa6f..fbf097be7 100644 --- a/net/sslh/Makefile +++ b/net/sslh/Makefile @@ -8,12 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=sslh -PKG_VERSION:=v1.19c -PKG_RELEASE:=2 +PKG_VERSION:=v1.20 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://rutschle.net/tech/sslh/ -PKG_HASH:=bb11dfa88b27ae1ec825a1b8156000c3f17f7e8f042311f19b7a249193c47bf3 +PKG_HASH:=a7f49b0a1cfcb7bb9d97f5ffa932bff11c5f65d9a9bd8fe1812481dee5855116 + +PKG_MAINTAINER:=Jonathan McCrohan <jmccrohan@gmail.com> PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE_FILES:=COPYING @@ -26,7 +28,6 @@ define Package/sslh TITLE:=SSL/SSH multiplexer DEPENDS:=+libconfig +USE_UCLIBC:libpcre +USE_MUSL:libpcre URL:=https://rutschle.net/tech/sslh/README.html - PKG_MAINTAINER:=Jonathan McCrohan <jmccrohan@gmail.com> endef define Package/sslh/conffiles diff --git a/net/sslh/patches/010-format.patch b/net/sslh/patches/010-format.patch new file mode 100644 index 000000000..a25290544 --- /dev/null +++ b/net/sslh/patches/010-format.patch @@ -0,0 +1,11 @@ +--- a/sslh-main.c ++++ b/sslh-main.c +@@ -167,7 +167,7 @@ void cmd_ssl_to_tls(int argc, char* argv[]) + strcpy(argv[i], "--tls"); + /* foreground option not parsed yet, syslog not open, just print on + * stderr and hope for the best */ +- fprintf(stderr, ssl_err_msg); ++ fprintf(stderr, "%s", ssl_err_msg); + } + } + } diff --git a/net/tor/Makefile b/net/tor/Makefile index d62b12901..f9f980af9 100644 --- a/net/tor/Makefile +++ b/net/tor/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tor PKG_VERSION:=0.4.2.6 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://dist.torproject.org/ \ diff --git a/net/tor/files/tor.init b/net/tor/files/tor.init index 8512b9843..142e2512d 100644 --- a/net/tor/files/tor.init +++ b/net/tor/files/tor.init @@ -48,6 +48,5 @@ start_service() { procd_set_param command /usr/sbin/tor --runasdaemon 0 procd_append_param command -f "$TORRC_GEN" procd_set_param respawn - procd_set_param pidfile /var/run/tor.pid procd_close_instance } diff --git a/net/uacme/Makefile b/net/uacme/Makefile index 60fbd561b..d57016a16 100644 --- a/net/uacme/Makefile +++ b/net/uacme/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=uacme -PKG_VERSION:=1.0.20 +PKG_VERSION:=1.0.22 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/ndilieto/uacme/tar.gz/upstream/$(PKG_VERSION)? -PKG_HASH:=c9106e166156685fcf9f164f0b2935cf680251a653f460b04da26a290e946bf9 +PKG_HASH:=08070779232c9711a227189ee2d3cb55042f6be2ea0aa59525cb7b554c4688b0 PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com> PKG_LICENSE:=GPL-3.0-or-later diff --git a/net/udpxy/Makefile b/net/udpxy/Makefile index a9fc6311d..f70533a0d 100644 --- a/net/udpxy/Makefile +++ b/net/udpxy/Makefile @@ -8,21 +8,19 @@ include $(TOPDIR)/rules.mk PKG_NAME:=udpxy -PKG_SOURCE_VERSION:=53e4672a7522311c40e9f6110ff256041c52c8b4 -PKG_VERSION:=2016-09-18-$(PKG_SOURCE_VERSION) +PKG_VERSION:=1.0-24.1 PKG_RELEASE:=1 -PKG_SOURCE_PROTO:=git -PKG_SOURCE_URL:=https://github.com/pcherenkov/udpxy.git -PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_MIRROR_HASH:=bb6ca16706b011cc473d296ebc6d6e57fe5cfc2a0fc46e81399fba01d6484b3e -PKG_MAINTAINER:=Álvaro Fernández Rojas <noltari@gmail.com> +PKG_SOURCE_URL:=https://codeload.github.com/pcherenkov/udpxy/tar.gz/$(PKG_VERSION)? +PKG_HASH:=27e5d3d2bae29522354d1505a3cc931c96953846d68eeb25bb99fe9b0cb6cbe0 -PKG_LICENSE:=GPL-3.0 -PKG_LICENSE_FILES:=gpl.txt +PKG_MAINTAINER:=Álvaro Fernández Rojas <noltari@gmail.com> +PKG_LICENSE:=GPL-3.0-or-later +PKG_LICENSE_FILES:=chipmunk/gpl.txt PKG_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 include $(INCLUDE_DIR)/package.mk |