HAProxy 2.8.3 was released on 2023/09/07. It added 49 new commits
after version 2.8.2.

Some bugs were fixed on QUIC side. Malformed ACK frames are now properly
ignored. A possible wakeup loop on client connection closure was also
fixed. RTT sampling might be ignored is some rare cases, when now_ms wraps.
It is now fixed. And RTT computation was also fixed to be more accurate.

A basic support for Linux capabilities was added. For a while there has been
the constraint of having to run as root for transparent proxying, and we're
starting to see some cases where QUIC is not running in
socket-per-connection mode due to the missing capability that would be
needed to bind a privileged port. So following Linux capabilities are now
supported: cap_net_raw, cap_net_admin and cap_net_bind_service. The
mechanism was made OS-specific. It can be easily refined later for other
OSes if needed. A new keyword "setcaps" is added to the global section, to
enumerate the capabilities that must be kept when switching from root to
non-root. This is ignored in other situations though. HAProxy has to be
built with USE_LINUX_CAP=1 for this to be supported, which is enabled by
default for linux-glibc, linux-glibc-legacy and linux-musl.

Changes performed in the 2.8 on the stream-connector layer introduced
several bugs that were fixed. Many were related to timeouts detection and
stream's expiration date computation leading to sessions freeze, most of
time with the stats applet or the CLI. To avoid any trouble in future with
applets, if an applet is waiting for more room while an abort was reported,
an error is now triggered. This way, even if an applet does not handle the
error by its own, the session will be shutdown anyway.

Specifically on the CLI applet, it is now possible to inhibit the client
timeout for blocking commands. For instance, it is the case for "show
events" command.

An issue in the H1 chunked payload parsing was fixed by Chris Staite. H1
messages parsing could be blocked on the chunk size parsing because the
output buffer was full. And once the buffer is emptied, the parsing was
never restarted. This was fixed by parsing the chunk size anyway and
blocking on the chunk payload. This is enough to restart the parsing when
emptying the output buffer.

sc-add-gpc and sc-set-gpt(0) actions are now allowed from tcp-request
connection. According to the documentation, this was supposed to be

The SSL certificates replacement was broken in 2.6 when the ".crt" extension
was handled as a default extension for a certificate. Without
"ssl-load-extra-del-ext" option, the lookup for certificates with a ".crt"
failed. This was fixed by removing ".crt" extension from default ones.

It is now possible to configure the connect timeout and the number of
retries for httpclients. To do so, two new global options were added:
"httpclient.timeout.connect" and "httpclient.retries".

Finally, xxhash was update to version 0.8.2 and some updates was also
performed on plock.

Thanks everyone for you help and your contributions !

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.8.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : 
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Complete changelog :
Amaury Denoyelle (1):
      BUG/MEDIUM: quic: fix tasklet_wakeup loop on connection closing

Aurelien DARRAGON (6):
      BUG/MINOR: hlua: fix invalid use of lua_pop on error paths
      BUG/MINOR: stktable: allow sc-set-gpt(0) from tcp-request connection
      BUG/MINOR: stktable: allow sc-add-gpc from tcp-request connection
      BUG/MINOR: hlua_fcn: potentially unsafe stktable_data_ptr usage
      DOC: lua: fix core.register_action typo
      BUG/MINOR: hlua/action: incorrect message on E_YIELD error

Chris Staite (1):
      BUG/MEDIUM: h1-htx: Ensure chunked parsing with full output buffer

Christopher Faulet (12):
      DEBUG: applet: Properly report opposite SC expiration dates in traces
      BUG/MEDIUM: stconn: Update stream expiration date on blocked sends
      BUG/MINOR: stconn: Don't report blocked sends during connection 
      BUG/MEDIUM: stconn: Wake applets on sending path if there is a pending 
      BUG/MEDIUM: stconn: Don't block sends if there is a pending shutdown
      BUG/MEDIUM: applet: Fix API for function to push new data in channels 
      BUG/MEDIUM: stconn: Report read activity when a stream is attached to 
front SC
      BUG/MEDIUM: applet: Report an error if applet request more room on 
aborted SC
      BUG/MEDIUM: stconn/stream: Forward shutdown on write timeout
      NUG/MEDIUM: stconn: Always update stream's expiration date after I/O
      BUG/MINOR: applet: Always expect data when CLI is waiting for a new 
      BUG/MINOR: ring/cli: Don't expect input data when showing events

Frédéric Lécaille (4):
      BUG/MINOR: quic: Possible skipped RTT sampling
      BUG/MAJOR: quic: Really ignore malformed ACK frames.
      BUG/MINOR: quic: Wrong RTT adjusments
      BUG/MINOR: quic: Wrong RTT computation (srtt and rrt_var)

Ilya Shipitsin (3):
      CI: do not use "groupinstall" for Fedora Rawhide builds
      CI: get rid of travis-ci wrapper for Coverity scan
      CI: fedora: fix "dnf" invocation syntax

Johannes Naab (1):
      DOC: typo: fix sc-set-gpt references

Remi Tricot-Le Breton (1):
      DOC: jwt: Add explicit list of supported algorithms

Tim Duesterhus (2):
      REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (3)
      CI: Update to actions/checkout@v4

William Lallemand (5):
      BUILD: Makefile: add the USE_QUIC option to make help
      BUG/MINOR: ssl/cli: can't find ".crt" files when replacing a certificate
      DOC: configuration: update examples for req.ver
      MINOR: httpclient: allow to configure the retries
      MINOR: httpclient: allow to configure the timeout.connect

Willy Tarreau (13):
      DEV: flags/show-sess-to-flags: properly decode fd.state
      SCRIPTS: git-show-backports: automatic ref and base detection with -m
      IMPORT: plock: also support inlining the int code
      MINOR: threads: inline the wait function for pthread_rwlock emulation
      MINOR: atomic: make sure to always relax after a failed CAS
      IMPORT: xxhash: update xxHash to version 0.8.2
      BUG/MINOR: ssl_sock: fix possible memory leak on OOM
      BUILD: import: guard plock.h against multiple inclusion
      BUG/MINOR: stream: protect stream_dump() against incomplete streams
      DOC: config: mention uid dependency on the tune.quic.socket-owner option
      BUG/MINOR: checks: do not queue/wake a bounced check
      BUG/MINOR: stream: further protect stream_dump() against incomplete 
      MEDIUM: capabilities: enable support for Linux capabilities

Christopher Faulet

Reply via email to