SHA256
1
0
forked from pool/haproxy

Accepting request 241695 from network:ha-clustering:Factory

1

OBS-URL: https://build.opensuse.org/request/show/241695
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=8
This commit is contained in:
Stephan Kulow 2014-07-21 19:40:10 +00:00 committed by Git OBS Bridge
parent 23e7c6db83
commit 1767f8e3d7
15 changed files with 316 additions and 433 deletions

View File

@ -1,44 +0,0 @@
From f86d9bb6dd56d56e7425246f91a6c105a5f38659 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 24 Jun 2014 17:27:02 +0200
Subject: [PATCH 1/6] BUG/MEDIUM: http: fetch "base" is not compatible with
set-header
The sample fetch function "base" makes use of the trash which is also
used by set-header/add-header etc... everything which builds a formated
line. So we end up with some junk in the header if base is in use. Let's
fix this as all other fetches by using a trash chunk instead.
This bug was reported by Baptiste Assmann, and also affects 1.5.
---
src/proto_http.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 231d49a12875..5321f7d53e6a 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -10247,6 +10247,7 @@ smp_fetch_base(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
struct http_txn *txn = l7;
char *ptr, *end, *beg;
struct hdr_ctx ctx;
+ struct chunk *temp;
CHECK_HTTP_MESSAGE_FIRST();
@@ -10255,9 +10256,10 @@ smp_fetch_base(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
return smp_fetch_path(px, l4, l7, opt, args, smp, kw);
/* OK we have the header value in ctx.line+ctx.val for ctx.vlen bytes */
- memcpy(trash.str, ctx.line + ctx.val, ctx.vlen);
+ temp = get_trash_chunk();
+ memcpy(temp->str, ctx.line + ctx.val, ctx.vlen);
smp->type = SMP_T_STR;
- smp->data.str.str = trash.str;
+ smp->data.str.str = temp->str;
smp->data.str.len = ctx.vlen;
/* now retrieve the path */
--
1.8.4.5

View File

@ -0,0 +1,29 @@
From a124eb6d7838eff2c52cc9bf027594c11e87fae9 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Sat, 12 Jul 2014 17:31:07 +0200
Subject: [PATCH 1/5] DOC: mention that Squid correctly responds 400 to PPv2
header
Amos reported that Squid builds 3.5.0.0_20140624 and 3.5.0.0_20140630
were confirmed to respond correctly here and that any version will do
the same.
(cherry picked from commit 9e1382002aa1ba12dcc637870befd077ff887aad)
---
doc/proxy-protocol.txt | 1 +
1 file changed, 1 insertion(+)
diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt
index a2dbcea..a3925a4 100644
--- a/doc/proxy-protocol.txt
+++ b/doc/proxy-protocol.txt
@@ -692,6 +692,7 @@ presented, even with minimal implementations :
- thttpd 2.20c : 400 Bad Request + abort => pass/optimal
- mini-httpd-1.19 : 400 Bad Request + abort => pass/optimal
- haproxy 1.4.21 : 400 Bad Request + abort => pass/optimal
+ - Squid 3 : 400 Bad Request + abort => pass/optimal
- SSL :
- stud 0.3.47 : connection abort => pass/optimal
- stunnel 4.45 : connection abort => pass/optimal
--
1.8.4.5

View File

@ -1,100 +0,0 @@
From 87e56ce15591dbb98046fe9fb923f28769eb6056 Mon Sep 17 00:00:00 2001
From: Emeric Brun <ebrun@haproxy.com>
Date: Tue, 24 Jun 2014 18:26:41 +0200
Subject: [PATCH 2/6] BUG/MINOR: ssl: Fix external function in order not to
return a pointer on an internal trash buffer.
'ssl_sock_get_common_name' applied to a connection was also renamed
'ssl_sock_get_remote_common_name'. Currently, this function is only used
with protocol PROXYv2 to retrieve the client certificate's common name.
A further usage could be to retrieve the server certificate's common name
on an outgoing connection.
---
include/proto/ssl_sock.h | 2 +-
src/connection.c | 5 ++---
src/ssl_sock.c | 23 +++++++++++------------
3 files changed, 14 insertions(+), 16 deletions(-)
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index 0902fde989bb..3e111cd68490 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -52,7 +52,7 @@ const char *ssl_sock_get_cipher_name(struct connection *conn);
const char *ssl_sock_get_proto_version(struct connection *conn);
char *ssl_sock_get_version(struct connection *conn);
int ssl_sock_get_cert_used(struct connection *conn);
-char *ssl_sock_get_common_name(struct connection *conn);
+int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
unsigned int ssl_sock_get_verify_result(struct connection *conn);
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
diff --git a/src/connection.c b/src/connection.c
index 0b154d802a80..20a911bcd41f 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -682,9 +682,8 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
tlv->verify = htonl(ssl_sock_get_verify_result(remote));
}
if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
- value = ssl_sock_get_common_name(remote);
- if (value) {
- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, strlen(value), value);
+ if (ssl_sock_get_remote_common_name(remote, &trash) > 0) {
+ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str);
ssl_tlv_len += tlv_len;
}
}
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 328b97880b8d..375225d19f72 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2654,21 +2654,25 @@ char *ssl_sock_get_version(struct connection *conn)
return (char *)SSL_get_version(conn->xprt_ctx);
}
-/* returns common name, NULL terminated, from client certificate, or NULL if none */
-char *ssl_sock_get_common_name(struct connection *conn)
+/* Extract peer certificate's common name into the chunk dest
+ * Returns
+ * the len of the extracted common name
+ * or 0 if no CN found in DN
+ * or -1 on error case (i.e. no peer certificate)
+ */
+int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *dest)
{
X509 *crt = NULL;
X509_NAME *name;
- struct chunk *cn_trash;
const char find_cn[] = "CN";
const struct chunk find_cn_chunk = {
.str = (char *)&find_cn,
.len = sizeof(find_cn)-1
};
- char *result = NULL;
+ int result = -1;
if (!ssl_sock_is_ssl(conn))
- return NULL;
+ goto out;
/* SSL_get_peer_certificate, it increase X509 * ref count */
crt = SSL_get_peer_certificate(conn->xprt_ctx);
@@ -2679,13 +2683,8 @@ char *ssl_sock_get_common_name(struct connection *conn)
if (!name)
goto out;
- cn_trash = get_trash_chunk();
- if (ssl_sock_get_dn_entry(name, &find_cn_chunk, 1, cn_trash) <= 0)
- goto out;
- cn_trash->str[cn_trash->len] = '\0';
- result = cn_trash->str;
-
- out:
+ result = ssl_sock_get_dn_entry(name, &find_cn_chunk, 1, dest);
+out:
if (crt)
X509_free(crt);
--
1.8.4.5

View File

@ -0,0 +1,29 @@
From de9789b37466c37547d8c5d52d96a9d4466eb431 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyril=20Bont=C3=A9?= <cyril.bonte@free.fr>
Date: Sat, 12 Jul 2014 18:22:42 +0200
Subject: [PATCH 2/5] DOC: fix typo in Unix Socket commands
Konstantin Romanenko reported a typo in the HTML documentation. The typo is
already present in the raw text version : the "shutdown sessions" command
should be "shutdown sessions server".
(cherry picked from commit e63a1eb290a1c407453dbcaa16535c85a1904f9e)
---
doc/configuration.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index ca21f7d..2d71555 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -13869,7 +13869,7 @@ shutdown session <id>
endless transfer is ongoing. Such terminated sessions are reported with a 'K'
flag in the logs.
-shutdown sessions <backend>/<server>
+shutdown sessions server <backend>/<server>
Immediately terminate all the sessions attached to the specified server. This
can be used to terminate long-running sessions after a server is put into
maintenance mode, for instance. Such terminated sessions are reported with a
--
1.8.4.5

View File

@ -0,0 +1,101 @@
From 60d7aeb6e1450995e721d01f48f60b7db4c44e2b Mon Sep 17 00:00:00 2001
From: Remi Gacogne <rgacogne[at]aquaray[dot]fr>
Date: Tue, 15 Jul 2014 11:36:40 +0200
Subject: [PATCH 3/5] BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange
OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(),
leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange.
This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time.
Note: this fix must be backported to 1.5.
(cherry picked from commit 8de5415b85512da871d58d1e9a0a33bd67f3b570)
---
src/ssl_sock.c | 43 ++++++++++++++++++++++++++++++++++++-------
1 file changed, 36 insertions(+), 7 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 375225d..cf8adc7 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -105,6 +105,13 @@ enum {
int sslconns = 0;
int totalsslconns = 0;
+#ifndef OPENSSL_NO_DH
+static DH *local_dh_1024 = NULL;
+static DH *local_dh_2048 = NULL;
+static DH *local_dh_4096 = NULL;
+static DH *local_dh_8192 = NULL;
+#endif /* OPENSSL_NO_DH */
+
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
struct certificate_ocsp {
struct ebmb_node key;
@@ -1034,16 +1041,16 @@ static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen)
}
if (keylen >= 8192) {
- dh = ssl_get_dh_8192();
+ dh = local_dh_8192;
}
else if (keylen >= 4096) {
- dh = ssl_get_dh_4096();
+ dh = local_dh_4096;
}
else if (keylen >= 2048) {
- dh = ssl_get_dh_2048();
+ dh = local_dh_2048;
}
else {
- dh = ssl_get_dh_1024();
+ dh = local_dh_1024;
}
return dh;
@@ -1079,11 +1086,11 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
if (global.tune.ssl_default_dh_param <= 1024) {
/* we are limited to DH parameter of 1024 bits anyway */
- dh = ssl_get_dh_1024();
- if (dh == NULL)
+ local_dh_1024 = ssl_get_dh_1024();
+ if (local_dh_1024 == NULL)
goto end;
- SSL_CTX_set_tmp_dh(ctx, dh);
+ SSL_CTX_set_tmp_dh(ctx, local_dh_1024);
}
else {
SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh);
@@ -1594,6 +1601,28 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
global.tune.ssl_default_dh_param = 1024;
}
+#ifndef OPENSSL_NO_DH
+ if (global.tune.ssl_default_dh_param >= 1024) {
+ if (local_dh_1024 == NULL) {
+ local_dh_1024 = ssl_get_dh_1024();
+ }
+ if (global.tune.ssl_default_dh_param >= 2048) {
+ if (local_dh_2048 == NULL) {
+ local_dh_2048 = ssl_get_dh_2048();
+ }
+ if (global.tune.ssl_default_dh_param >= 4096) {
+ if (local_dh_4096 == NULL) {
+ local_dh_4096 = ssl_get_dh_4096();
+ }
+ if (global.tune.ssl_default_dh_param >= 8192 &&
+ local_dh_8192 == NULL) {
+ local_dh_8192 = ssl_get_dh_8192();
+ }
+ }
+ }
+ }
+#endif /* OPENSSL_NO_DH */
+
SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
--
1.8.4.5

View File

@ -1,41 +0,0 @@
From ecde57996941ab79f8e3ee5d6114ede49adaaf17 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 25 Jun 2014 15:36:04 +0200
Subject: [PATCH 3/6] BUG/MINOR: counters: do not untrack counters before
logging
Baptiste Assmann reported a corner case in the releasing of stick-counters:
we release content-aware counters before logging. In the past it was not a
problem, but since now we can log them it, it prevents one from logging
their value. Simply switching the log production and the release of the
counter fixes the issue.
This should be backported into 1.5.
---
src/proto_http.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 5321f7d53e6a..d566bcc819ec 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -4808,7 +4808,6 @@ void http_end_txn_clean_session(struct session *s)
s->logs.t_close = tv_ms_elapsed(&s->logs.tv_accept, &now);
session_process_counters(s);
- session_stop_content_counters(s);
if (s->txn.status) {
int n;
@@ -4842,6 +4841,8 @@ void http_end_txn_clean_session(struct session *s)
s->do_log(s);
}
+ /* stop tracking content-based counters */
+ session_stop_content_counters(s);
session_update_time_stats(s);
s->logs.accept_date = date; /* user-visible date for logging */
--
1.8.4.5

View File

@ -1,64 +0,0 @@
From 6747e44f116b7f20c96514454174cf0c0a2e1a4b Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 25 Jun 2014 16:56:41 +0200
Subject: [PATCH 4/6] BUG/MAJOR: sample: correctly reinitialize sample fetch
context before calling sample_process()
We used to only clear flags when reusing the static sample before calling
sample_process(), but that's not enough because there's a context in samples
that can be used by some fetch functions such as auth, headers and cookies,
and not reinitializing it risks that a pointer of a different type is used
in the wrong context.
An example configuration which triggers the case consists in mixing hdr()
and http_auth_group() which both make use of contexts :
http-request add-header foo2 %[hdr(host)],%[http_auth_group(foo)]
The solution is simple, initialize all the sample and not just the flags.
This fix must be backported into 1.5 since it was introduced in 1.5-dev19.
---
src/proto_http.c | 3 +++
src/sample.c | 5 +++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index d566bcc819ec..01fe62d09246 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -9748,6 +9748,9 @@ smp_prefetch_http(struct proxy *px, struct session *s, void *l7, unsigned int op
return 1;
}
+/* Note: these functinos *do* modify the sample. Even in case of success, at
+ * least the type and uint value are modified.
+ */
#define CHECK_HTTP_MESSAGE_FIRST() \
do { int r = smp_prefetch_http(px, l4, l7, opt, args, smp, 1); if (r <= 0) return r; } while (0)
diff --git a/src/sample.c b/src/sample.c
index 9f22ef97156f..3a0f3fbbcff2 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -905,7 +905,7 @@ struct sample *sample_process(struct proxy *px, struct session *l4, void *l7,
if (p == NULL) {
p = &temp_smp;
- p->flags = 0;
+ memset(p, 0, sizeof(*p));
}
if (!expr->fetch->process(px, l4, l7, opt, expr->arg_p, p, expr->fetch->kw))
@@ -1160,7 +1160,8 @@ struct sample *sample_fetch_string(struct proxy *px, struct session *l4, void *l
{
struct sample *smp = &temp_smp;
- smp->flags = 0;
+ memset(smp, 0, sizeof(*smp));
+
if (!sample_process(px, l4, l7, opt, expr, smp)) {
if ((smp->flags & SMP_F_MAY_CHANGE) && !(opt & SMP_OPT_FINAL))
return smp;
--
1.8.4.5

View File

@ -0,0 +1,35 @@
From 0dff81c6a5876172bc1d4725a7a07fddd9d1f369 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 15 Jul 2014 21:34:06 +0200
Subject: [PATCH 4/5] BUG/MINOR: http: base32+src should use the big endian
version of base32
We're using the internal memory representation of base32 here, which is
wrong since these data might be exported to headers for logs or be used
to stick to a server and replicated to other peers. Let's convert base32
to big endian (network representation) when building the binary block.
This mistake is also present in 1.5, it would be better to backport it.
(cherry picked from commit 5ad6e1dc09f0a85aabf86f154b1817b9ebffb568)
---
src/proto_http.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 94afed7..b7ed85d 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -10358,8 +10358,8 @@ smp_fetch_base32_src(struct proxy *px, struct session *l4, void *l7, unsigned in
return 0;
temp = get_trash_chunk();
- memcpy(temp->str + temp->len, &smp->data.uint, sizeof(smp->data.uint));
- temp->len += sizeof(smp->data.uint);
+ *(unsigned int *)temp->str = htonl(smp->data.uint);
+ temp->len += sizeof(unsigned int);
switch (cli_conn->addr.from.ss_family) {
case AF_INET:
--
1.8.4.5

View File

@ -0,0 +1,42 @@
From 66dbae025876a65c81ae3c4011e3aa3b630b42f7 Mon Sep 17 00:00:00 2001
From: Dave McCowan <11235david@gmail.com>
Date: Thu, 17 Jul 2014 14:34:01 -0400
Subject: [PATCH 5/5] BUG/MEDIUM: connection: fix memory corruption when
building a proxy v2 header
Use temporary trash chunk, instead of global trash chunk in
make_proxy_line_v2() to avoid memory overwrite.
This fix must also be backported to 1.5.
(cherry picked from commit 77d1f0143e210c13ee8ec6aaf6b3150fa4ce6c5b)
---
src/connection.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/connection.c b/src/connection.c
index 20a911b..3435b1a 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -622,6 +622,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
char *value = NULL;
struct tlv_ssl *tlv;
int ssl_tlv_len = 0;
+ struct chunk *cn_trash;
#endif
if (buf_len < PP2_HEADER_LEN)
@@ -682,8 +683,9 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
tlv->verify = htonl(ssl_sock_get_verify_result(remote));
}
if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
- if (ssl_sock_get_remote_common_name(remote, &trash) > 0) {
- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str);
+ cn_trash = get_trash_chunk();
+ if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) {
+ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
ssl_tlv_len += tlv_len;
}
}
--
1.8.4.5

View File

@ -1,108 +0,0 @@
From f0b3bcc98e0d3fc372f0ec658e6c402af8b98412 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 25 Jun 2014 16:20:53 +0200
Subject: [PATCH 5/6] MINOR: stick-table: make stktable_fetch_key() indicate
why it failed
stktable_fetch_key() does not indicate whether it returns NULL because
the input sample was not found or because it's unstable. It causes trouble
with track-sc* rules. Just like with sample_fetch_string(), we want it to
be able to give more information to the caller about what it found. Thus,
now we use the pointer to a sample passed by the caller, and fill it with
the information we have about the sample. That way, even if we return NULL,
the caller has the ability to check whether a sample was found and if it is
still changing or not.
---
include/proto/stick_table.h | 2 +-
src/proto_tcp.c | 4 ++--
src/session.c | 4 ++--
src/stick_table.c | 12 +++++++-----
4 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/include/proto/stick_table.h b/include/proto/stick_table.h
index 0c26fbea3052..57ca2234317c 100644
--- a/include/proto/stick_table.h
+++ b/include/proto/stick_table.h
@@ -48,7 +48,7 @@ struct stksess *stktable_lookup_key(struct stktable *t, struct stktable_key *key
struct stksess *stktable_update_key(struct stktable *table, struct stktable_key *key);
struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px,
struct session *l4, void *l7, unsigned int opt,
- struct sample_expr *expr);
+ struct sample_expr *expr, struct sample *smp);
int stktable_compatible_sample(struct sample_expr *expr, unsigned long table_type);
int stktable_get_data_type(char *name);
struct proxy *find_stktable(const char *name);
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 65c4fdad379e..1aac0d9225d9 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -1027,7 +1027,7 @@ int tcp_inspect_request(struct session *s, struct channel *req, int an_bit)
continue;
t = rule->act_prm.trk_ctr.table.t;
- key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr);
+ key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL);
if (key && (ts = stktable_get_entry(t, key))) {
session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts);
@@ -1228,7 +1228,7 @@ int tcp_exec_req_rules(struct session *s)
continue;
t = rule->act_prm.trk_ctr.table.t;
- key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr);
+ key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL);
if (key && (ts = stktable_get_entry(t, key)))
session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts);
diff --git a/src/session.c b/src/session.c
index e26f5ad17a6b..df85170cd13a 100644
--- a/src/session.c
+++ b/src/session.c
@@ -1458,7 +1458,7 @@ static int process_sticking_rules(struct session *s, struct channel *req, int an
if (ret) {
struct stktable_key *key;
- key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->expr);
+ key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->expr, NULL);
if (!key)
continue;
@@ -1561,7 +1561,7 @@ static int process_store_rules(struct session *s, struct channel *rep, int an_bi
if (ret) {
struct stktable_key *key;
- key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_RES|SMP_OPT_FINAL, rule->expr);
+ key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_RES|SMP_OPT_FINAL, rule->expr, NULL);
if (!key)
continue;
diff --git a/src/stick_table.c b/src/stick_table.c
index c6463ec7b95a..a708d3c53386 100644
--- a/src/stick_table.c
+++ b/src/stick_table.c
@@ -601,15 +601,17 @@ static sample_to_key_fct sample_to_key[SMP_TYPES][STKTABLE_TYPES] = {
* Process a fetch + format conversion as defined by the sample expression <expr>
* on request or response considering the <opt> parameter. Returns either NULL if
* no key could be extracted, or a pointer to the converted result stored in
- * static_table_key in format <table_type>.
+ * static_table_key in format <table_type>. If <smp> is not NULL, it will be reset
+ * and its flags will be initialized so that the caller gets a copy of the input
+ * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present).
*/
struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px, struct session *l4, void *l7,
- unsigned int opt,
- struct sample_expr *expr)
+ unsigned int opt, struct sample_expr *expr, struct sample *smp)
{
- struct sample *smp;
+ if (smp)
+ memset(smp, 0, sizeof(*smp));
- smp = sample_process(px, l4, l7, opt, expr, NULL);
+ smp = sample_process(px, l4, l7, opt, expr, smp);
if (!smp)
return NULL;
--
1.8.4.5

View File

@ -1,56 +0,0 @@
From 08901b038aa0837786fbb1049508fb28c92a15d7 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 25 Jun 2014 17:01:56 +0200
Subject: [PATCH 6/6] BUG/MEDIUM: counters: fix track-sc* to wait on unstable
contents
I've been facing multiple configurations which involved track-sc* rules
in tcp-request content without the "if ..." to force it to wait for the
contents, resulting in random behaviour with contents sometimes retrieved
and sometimes not.
Reading the doc doesn't make it clear either that the tracking will be
performed only if data are already there and that waiting on an ACL is
the only way to avoid this.
Since this behaviour is not natural and we now have the ability to fix
it, this patch ensures that if input data are still moving, instead of
silently dropping them, we naturally wait for them to stabilize up to
the inspect-delay. This way it's not needed anymore to implement an
ACL-based condition to force to wait for data, eventhough the behaviour
is not changed for when an ACL is present.
The most obvious usage will be when track-sc is followed by any HTTP
sample expression, there's no need anymore for adding "if HTTP".
It's probably worth backporting this to 1.5 to avoid further configuration
issues. Note that it requires previous patch.
---
src/proto_tcp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 1aac0d9225d9..e9dbc9c0b6de 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -1022,12 +1022,16 @@ int tcp_inspect_request(struct session *s, struct channel *req, int an_bit)
* applies.
*/
struct stktable_key *key;
+ struct sample smp;
if (stkctr_entry(&s->stkctr[tcp_trk_idx(rule->action)]))
continue;
t = rule->act_prm.trk_ctr.table.t;
- key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL);
+ key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ | partial, rule->act_prm.trk_ctr.expr, &smp);
+
+ if (smp.flags & SMP_F_MAY_CHANGE)
+ goto missing_data;
if (key && (ts = stktable_get_entry(t, key))) {
session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts);
--
1.8.4.5

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:69b54be39247b4a7556b4a7d3bd90ffd4acf35799ffa7125bbadebab8e5df5b4
size 1329710

3
haproxy-1.5.2.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f9cc9fcb30e5d998d4690331a0183a6970ca768833cc0ac68ad2a89600403d53
size 1334897

View File

@ -1,3 +1,71 @@
-------------------------------------------------------------------
Fri Jul 18 15:01:53 UTC 2014 - mrueckert@suse.de
- added
0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch:
BUG/MEDIUM: connection: fix memory corruption when building a
proxy v2 header
-------------------------------------------------------------------
Thu Jul 17 10:45:28 UTC 2014 - mrueckert@suse.de
- pulled a few fixes from the 1.5 branch: most notable the DHE
memleak fix. Adds the following patches:
0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch
0002-DOC-fix-typo-in-Unix-Socket-commands.patch
0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch
0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
-------------------------------------------------------------------
Sat Jul 12 16:56:27 UTC 2014 - mrueckert@suse.de
- update to 1.5.2
- BUG/MEDIUM: backend: Update hash to use unsigned int throughout
- BUG/MINOR: ssl: Fix external function in order not to return a
pointer on an internal trash buffer.
- DOC: expand the docs for the provided stats.
- BUG/MEDIUM: unix: do not unlink() abstract namespace sockets
upon failure.
- MINOR: stats: fix minor typo in HTML page
- BUG/MEDIUM: http: fetch "base" is not compatible with
set-header
- BUG/MINOR: counters: do not untrack counters before logging
- BUG/MAJOR: sample: correctly reinitialize sample fetch context
before calling sample_process()
- MINOR: stick-table: make stktable_fetch_key() indicate why it
failed
- BUG/MEDIUM: counters: fix track-sc* to wait on unstable
contents
- BUILD: remove TODO from the spec file and add README
- MINOR: log: make MAX_SYSLOG_LEN overridable at build time
- MEDIUM: log: support a user-configurable max log line length
- DOC: provide an example of how to use ssl_c_sha1
- BUILD: http: fix isdigit & isspace warnings on Solaris
- BUG/MINOR: listener: set the listener's fd to -1 after deletion
- BUG/MEDIUM: unix: failed abstract socket binding is retryable
- MEDIUM: listener: implement a per-protocol pause() function
- MEDIUM: listener: support rebinding during resume()
- BUG/MEDIUM: unix: completely unbind abstract sockets during a
pause()
- DOC: explicitly mention the limits of abstract namespace
sockets
- DOC: minor fix on {sc,src}_kbytes_{in,out}
- DOC: fix alphabetical sort of converters
- BUG/MAJOR: http: correctly rewind the request body after start
of forwarding
- DOC: remove references to CPU=native in the README
- DOC: mention that "compression offload" is ignored in defaults
section
- drop patches including in version upgrade.
- 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch
- 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch
- 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch
- 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch
- 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch
- 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch
- use www.haproxy.org now instead of the old domain which is just
redirecting to haproxy.org now.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jul 1 12:13:33 UTC 2014 - kgronlund@suse.com Tue Jul 1 12:13:33 UTC 2014 - kgronlund@suse.com

View File

@ -33,7 +33,7 @@
%bcond_without apparmor %bcond_without apparmor
Name: haproxy Name: haproxy
Version: 1.5.1 Version: 1.5.2
Release: 0 Release: 0
# #
# #
@ -51,28 +51,21 @@ BuildRequires: vim
%define pkg_name haproxy %define pkg_name haproxy
%define pkg_home /var/lib/%{pkg_name} %define pkg_home /var/lib/%{pkg_name}
# #
Url: http://haproxy.1wt.eu/ Url: http://www.haproxy.org/
Source: http://haproxy.1wt.eu/download/1.5/src/haproxy-%{version}.tar.gz Source: http://www.haproxy.org/download/1.5/src/haproxy-%{version}.tar.gz
Source1: %{pkg_name}.init Source1: %{pkg_name}.init
Source2: http://haproxy.1wt.eu/download/contrib/haproxy.vim Source2: http://www.haproxy.org/download/contrib/haproxy.vim
Source3: usr.sbin.haproxy.apparmor Source3: usr.sbin.haproxy.apparmor
Source4: local.usr.sbin.haproxy.apparmor Source4: local.usr.sbin.haproxy.apparmor
Patch1: haproxy-1.2.16_config_haproxy_user.patch Patch1: haproxy-1.2.16_config_haproxy_user.patch
Patch2: haproxy-makefile_lib.patch Patch2: haproxy-makefile_lib.patch
Patch3: sec-options.patch Patch3: sec-options.patch
Patch4: haproxy-1.5_check_config_before_start.patch Patch4: haproxy-1.5_check_config_before_start.patch
# PATCH-FIX-UPSTREAM: http: fetch "base" is not compatible with set-header Patch5: 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch
Patch5: 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch Patch6: 0002-DOC-fix-typo-in-Unix-Socket-commands.patch
# PATCH-FIX-UPSTREAM: ssl: Fix external function in order not to return a pointer on an internal trash buffer. Patch7: 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch
Patch6: 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch Patch8: 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
# PATCH-FIX-UPSTREAM: counters: do not untrack counters before logging Patch9: 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch
Patch7: 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch
# PATCH-FIX-UPSTREAM: sample: correctly reinitialize sample fetch context before calling sample_process()
Patch8: 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch
# PATCH-FIX-UPSTREAM: stick-table: make stktable_fetch_key() indicate why it failed
Patch9: 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch
# PATCH-FIX-UPSTREAM: counters: fix track-sc* to wait on unstable contents
Patch10: 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch
Source99: haproxy-rpmlintrc Source99: haproxy-rpmlintrc
# #
Summary: The Reliable, High Performance TCP/HTTP Load Balancer Summary: The Reliable, High Performance TCP/HTTP Load Balancer
@ -111,7 +104,6 @@ the most work done from every CPU cycle.
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1
%build %build
%{__make} \ %{__make} \