Hi,

HAProxy 3.4-dev2 was released on 2026/01/07. It added 69 new commits
after version 3.4-dev1.

Yeah I know it's been almost a month, but the vacation period seems to
have affected activity more than usual, probably due to how it broke
the weeks. But that's not bad because it also seems to have offered some
users some calm periods to plan upgrades that could possibly not have
been easy otherwise, resulting in some bugs being reported. Thus it's
not surprising that this version contains a bunch of fixes, several of
which also concern 3.3. I think we'll emit another 3.3 soon to flush
what's pending.

The bug fixes are not very interesting to discuss and touch various
areas (HTTP forwarding, idle connections, connection retries).

For the rest, not that many areas were touched. I can cite these
points of interest:

- improvements on the CPU topology simplified management. A new
  "cpu-affinity" keyword permits to decide how threads will be pinned
  to CPUs within a group: will they all share the same cores permitted
  in the group, all the cores of the CCX when the group covers a whole
  CCX, or just the CPU core they're attached to or the CPU thread they're
  attached to. "cpu-policy" now has a new sub-option "threads-per-core 1"
  allowing to start a single thread per CPU core, which can be quite
  convenient to leave more room to the network driver on each core,
  or for a new process during reloads, and in this case it makes sense
  to permit that single thread to bind to both CPU siblings of the same
  core. In certain test scenarios we're seeing from no gain with half
  the threads (which is already interesting) to 10-15% gain by playing
  with these. There's also a new directive "max-threads-per-group" which
  allows to create more, smaller thread groups on CPUs with large unified
  L3 caches. For example on an Ampere Altra with 80 cores, setting the
  limit to 8-16 also increases the performance by 10-15% by creating 5
  or 10 groups which all deal with less contention. So I think that we
  now have a reasonable toolset to ease portable configurations that are
  expected to match a workload and easily adapt to the underlying
  hardware.

- patterns (maps/acl): an issue remained with the commit phase after
  a long upload of large maps or ACLs: the generation ID of the element
  is stored with the element, and in order to avoid long delays, we purge
  the old ones in small batches. But this used to force a scan of many
  new elements to find the next old one to remove, and continued to use
  a lot of CPU during that purge. The patterns have now been reorganized
  with one tree/list head per generation, and the purge of older
  generations on commit is as simple as doing small batches of removal
  of the first element in the list (i.e. they're basically dequeued).
  This results in a much faster and more deterministic purge time which
  should no longer trigger watchdog warnings as some users have already
  encountered.

- the HTTP/1 mux now supports counting glitches. This is still very
  basic but it can be sufficient to cleanly close highly misbehaving
  connections. Also, regarding glitches, both h1 and h2 will now try a
  graceful close when reaching 75% of the configured glitches limit so
  as to be nice with "just bogus" agents.

- the "show proc" master CLI keyword used to be limited by the buffer
  size to around 202 processes. While this situation is not supposed to
  happen on regular usages, if it ever happens while debugging an incident,
  it didn't help that the output was truncated. Now it properly iterates
  after pausing on a full buffer and is no longer affected by such a limit.

- other interesting point: we discovered that due to a historical bug
  that probably has always been there, automatic proxy ID numbering
  starts at 2, so ID 1 is never automatically assigned. Instead of fixing
  it and breaking numerous setups for no reason, this was simply
  documented in the doc and code, and a regtest now verifies that we
  don't later fix it by accident.

- some cleanups of proxy structs and management tasks that are needed
  to prepare a long journey through dynamic backends.

- basic support for Lua 5.5 was added. At least it builds, I think there
  have been some tests but I don't know to what extent at this point. I
  noticed that we didn't add the automatic version search in the lib name
  in the makefile, I don't know if distros still use this format. We'll
  see.

- a new TCP sample fetch function "fc_saved_syn" permits to retrieve a
  binary dump of the TCP SYN packet as recorded by the TCP stack on
  modern Linux systems, provided that the bind option "tcp-ss" was set
  to "1" (ip+tcp) or "2" (eth+ip+tcp). This gives us a nice set of info
  that is useful to perform some MAC-based access control, or to try
  to differentiate a good from a bad actor behind a NAT box. A small
  number of converters (~20) were added to manipulate such packets and
  extract various pieces (e.g. source IP, TCP window, MSS etc), and one
  ("ip.fp") even builds a "fingerprint" composed of mostly invariant
  parts of the packet. I'm still experimenting with this at home, but I
  think it can be valuable during DDoS attacks, in order to try to
  preserve access to innocent users (think about CGNAT where multiple
  users share the same IP address for example). At least now we have the
  tools and we can experiment.

The rest is more cleanups, more regtests, and some CI updates.

On a completely different topic, we're now running off the secondary
server for web and git, so it seems to indicate that the replication
was overall OK for all these years, though we had to tweak it a little
bit to make it bidirectional so that pushing to either node works (this
will reduce the effort of getting back to nominal later). I'll start to
experiment with the mailing list migration today. I'll do my best to
avoid spamming everyone but you can expect a few "test please ignore"
messages depending on how my tests go. If some find that they don't
receive anything anymore in the next few days, please check your spambox
first, then ping me privately so that we can investigate further.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.4/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Alexander Stephan (4):
      MINOR: mworker/cli: only keep positive PIDs in proc_list
      CLEANUP: mworker: remove duplicate list.h include
      BUG/MINOR: mworker/cli: fix show proc pagination using reload counter
      MINOR: mworker/cli: extract worker "show proc" row printer

Amaury Denoyelle (4):
      MEDIUM: cfgparse: acknowledge that proxy ID auto numbering starts at 2
      MINOR: cfgparse: remove useless checks on no server in backend
      OPTIM/MINOR: proxy: do not init proxy management task if unused
      BUG/MINOR: quic: fix deprecated warning for window size keyword

Christopher Faulet (8):
      BUG/MEDIUM: http-ana: Properly detect client abort when forwarding response (v2)
      BUG/MEDIUM: stconn: Don't report abort from SC if read0 was already received
      CLEANUP: backend: Remove useless test on server's xprt
      CLEANUP: tcpcheck: Remove useless test on the xprt used for healthchecks
      CLEANUP: ssl-sock: Remove useless tests on connection when resuming TLS session
      BUG/MEDIUM: peers: Properly handle shutdown when trying to get a line
      BUG/MEDIUM: mux-h1: Take care to update <kop> value during zero-copy forwarding
      BUG/MEDIUM: stconn: Move data from <kip> to <kop> during zero-copy forwarding

Frederic Lecaille (1):
      REGTESTS: quic: fix a TLS stack usage

Ilia Shipitsin (1):
      CLEANUP: assorted typo fixes in the code, commits and doc

Maxime Henrion (6):
      MINOR: tools: add a secure implementation of memset
      MINOR: patterns: preliminary changes for reorganization
      MEDIUM: patterns: reorganize pattern reference elements
      CLEANUP: patterns: remove dead code
      OPTIM: patterns: cache the current generation
      BUG/MAJOR: set the correct generation ID in pat_ref_append().

Mike Lothian (1):
      MINOR: hlua: Add support for lua 5.5

Olivier Houchard (14):
      BUG/MEDIUM: quic: Don't try to use hystart if not implemented
      BUG/MEDIUM: backend: Do not remove CO_FL_SESS_IDLE in assign_server()
      MINOR: cpu-topo: Turn the cpu policy configuration into a struct
      MEDIUM: cpu-topo: Add a "threads-per-core" keyword to cpu-policy
      MEDIUM: cpu-topo: Add a "cpu-affinity" option
      MEDIUM: cpu-topo: Add a new "max-threads-per-group" global keyword
      MEDIUM: cpu-topo: Add the "per-thread" cpu_affinity
      MEDIUM: cpu-topo: Add the "per-ccx" cpu_affinity
      BUG/MEDIUM: cpu-topo: Don't forget to reset visited_ccx.
      MINOR: cpu-topo: Factorize code
      MINOR: cpu-topo: Rename variables to better fit their usage
      MINOR: threads: Avoid using a thread group mask when stopping.
      MEDIUM: cpu-topo: Add an optional directive for per-group affinity
      MINOR: receiver: Remove tgroup_mask from struct shard_info

William Lallemand (9):
      BUG/MEDIUM: mworker/listener: ambiguous use of RX_F_INHERITED with shards
      REGTESTS: list all skipped tests including 'feature cmd' ones
      CI: github: remove openssl no-deprecated job
      CI: github: add a job to test the master branch of OpenSSL
      CI: github: openssl-master.yml misses actions/checkout
      CI: github: use git prefix for openssl-master.yml
      REGTESTS: fix error when no test are skipped
      BUG/MINOR: cpu-topo: fix -Wlogical-not-parentheses build with clang
      BUG/MEDIUM: mworker: can't use signals after a failed reload

Willy Tarreau (21):
      BUG/MEDIUM: mux-h2: synchronize all conditions to create a new backend stream
      DOC: config: fix number of values for "cpu-affinity"
      MINOR: mux-h2: add missing glitch count for non-decodable H2 headers
      MINOR: mux-h2: perform a graceful close at 75% glitches threshold
      MEDIUM: mux-h1: implement basic glitches support
      MINOR: mux-h1: perform a graceful close at 75% glitches threshold
      MINOR: tcp: add new bind option "tcp-ss" to instruct the kernel to save the SYN
      MINOR: protocol: support a generic way to call getsockopt() on a connection
      MINOR: tcp: implement the get_opt() function
      MINOR: tcp_sample: implement the fc_saved_syn sample fetch function
      BUG/MINOR: backend: fix the conn_retries check for TFO
      BUG/MINOR: backend: inspect request not response buffer to check for TFO
      MINOR: net_helper: add sample converters to decode ethernet frames
      MINOR: net_helper: add sample converters to decode IP packet headers
      MINOR: net_helper: add sample converters to decode TCP headers
      MINOR: net_helper: add ip.fp() to build a simplified fingerprint of a SYN
      MINOR: net_helper: prepare the ip.fp() converter to support more options
      MINOR: net_helper: add an option to ip.fp() to append the TTL to the fingerprint
      MINOR: net_helper: add an option to ip.fp() to append the source address
      DOC: config: fix the length attribute name for stick tables of type binary / string
      DOC: config: fix a few typos and refine cpu-affinity

---