Hello community,

here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2017-12-05 01:30:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haproxy (Old)
 and      /work/SRC/openSUSE:Factory/.haproxy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy" Tue Dec 5 01:30:30 2017 rev:53 rq:548086 version:1.8.1 Changes: -------- --- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2017-11-29 10:54:39.184311592 +0100 +++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2017-12-05 01:30:32.324643232 +0100 
@@ -1,0 +2,37 @@ +Mon Dec 04 10:33:40 UTC 2017 - [email protected] + +- Update to version 1.8.1 (bsc#1069954): + * BUG/MAJOR: h2: correctly check the request length when building an H1 request + * BUG/MAJOR: thread: Be sure to request a sync between threads only once at a time + * BUG/MAJOR: thread/peers: fix deadlock on peers sync. + * BUG/MEDIUM: h2: do not accept upper case letters in request header names + * BUG/MEDIUM: h2: remove connection-specific headers from request + * BUG/MEDIUM: h2: enforce the per-connection stream limit + * BUG/MEDIUM: checks: Be sure we have a mux if we created a cs. + * BUG/MEDIUM: peers: fix some track counter rules dont register entries for sync. + * BUG/MEDIUM: h2: don't report an error after parsing a 100-continue response + * BUG/MEDIUM: threads/peers: decrement, not increment jobs on quitting + * BUG/MEDIUM: stream: fix session leak on applet-initiated connections + * BUG/MEDIUM: cache: bad computation of the remaining size + * BUG/MEDIUM: ssl: don't allocate shctx several time + * BUG/MEDIUM: tcp-check: Don't lock the server in tcpcheck_main + * BUG/MEDIUM: kqueue: Don't bother closing the kqueue after fork. 
+ * BUG/MINOR: h2: use the H2_F_DATA_* macros for DATA frames + * BUG/MINOR: h2: reject response pseudo-headers from requests + * BUG/MINOR: h2: properly check PRIORITY frames + * BUG/MINOR: h2: reject incorrect stream dependencies on HEADERS frame + * BUG/MINOR: h2: do not accept SETTINGS_ENABLE_PUSH other than 0 or 1 + * BUG/MINOR: h2: the TE header if present may only contain trailers + * BUG/MINOR: h2: fix a typo causing PING/ACK to be responded to + * BUG/MINOR: h2: ":path" must not be empty + * BUG/MINOR: h2: try to abort closed streams as soon as possible + * BUG/MINOR: h2: immediately close if receiving GOAWAY after the last stream + * BUG/MINOR: hpack: dynamic table size updates are only allowed before headers + * BUG/MINOR: hpack: reject invalid header index + * BUG/MINOR: hpack: must reject huffman literals padded with more than 7 bits + * BUG/MINOR: hpack: fix debugging output of pseudo header names + * BUG/MINOR: mworker: detach from tty when in daemon mode + * BUG/MINOR: mworker: fix validity check for the pipe FDs + * BUG/MINOR: ssl: CO_FL_EARLY_DATA removal is managed by stream + +------------------------------------------------------------------- Old: ---- haproxy-1.8.0.tar.gz New: ---- haproxy-1.8.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haproxy.spec ++++++ --- /var/tmp/diff_new_pack.HWnwbk/_old 2017-12-05 01:30:33.336606468 +0100 +++ /var/tmp/diff_new_pack.HWnwbk/_new 2017-12-05 01:30:33.336606468 +0100 @@ -40,7 +40,7 @@ %bcond_without apparmor Name: haproxy -Version: 1.8.0 +Version: 1.8.1 Release: 0 # # ++++++ _service ++++++ --- /var/tmp/diff_new_pack.HWnwbk/_old 2017-12-05 01:30:33.392604434 +0100 +++ /var/tmp/diff_new_pack.HWnwbk/_new 2017-12-05 01:30:33.392604434 +0100 
@@ -3,8 +3,8 @@ <param name="url">http://git.haproxy.org/git/haproxy-1.8.git</param> <param name="scm">git</param> <param name="filename">haproxy</param> - <param name="versionformat">1.8.0</param> - <param name="revision">v1.8.0</param> + <param name="versionformat">1.8.1</param> + <param name="revision">v1.8.1</param> <param name="changesgenerate">enable</param> </service> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.HWnwbk/_old 2017-12-05 01:30:33.436602835 +0100 +++ /var/tmp/diff_new_pack.HWnwbk/_new 2017-12-05 01:30:33.436602835 +0100 @@ -5,4 +5,4 @@ <param name="url">http://git.haproxy.org/git/haproxy-1.7.git</param> <param name="changesrevision">640d526f8cdad00f7f5043b51f6a34f3f6ebb49f</param></service><service name="tar_scm"> <param name="url">http://git.haproxy.org/git/haproxy-1.8.git</param> - <param name="changesrevision">0b78792bbe61fec420e4e7298d145ec7d498f8f2</param></service></servicedata> \ No newline at end of file + <param name="changesrevision">bc1f797c2dcfe8a6b82697725e161f87b2d6c386</param></service></servicedata> \ No newline at end of file ++++++ haproxy-1.8.0.tar.gz -> haproxy-1.8.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/CHANGELOG new/haproxy-1.8.1/CHANGELOG --- old/haproxy-1.8.0/CHANGELOG 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/CHANGELOG 2017-12-03 22:19:05.000000000 +0100 
@@ -1,6 +1,47 @@ ChangeLog : =========== +2017/12/03 : 1.8.1 + - BUG/MEDIUM: kqueue: Don't bother closing the kqueue after fork. + - DOC: cache: update sections and fix some typos + - BUILD/MINOR: deviceatlas: enable thread support + - BUG/MEDIUM: tcp-check: Don't lock the server in tcpcheck_main + - BUG/MEDIUM: ssl: don't allocate shctx several time + - BUG/MEDIUM: cache: bad computation of the remaining size + - BUILD: checks: don't include server.h + - BUG/MEDIUM: stream: fix session leak on applet-initiated connections + - BUILD/MINOR: haproxy : FreeBSD/cpu affinity needs pthread_np header + - BUG/MINOR: ssl: CO_FL_EARLY_DATA removal is managed by stream + - BUG/MEDIUM: threads/peers: decrement, not increment jobs on quitting + - BUG/MEDIUM: h2: don't report an error after parsing a 100-continue response + - BUG/MEDIUM: peers: fix some track counter rules dont register entries for sync. + - BUG/MAJOR: thread/peers: fix deadlock on peers sync. + - BUILD/MINOR: haproxy: compiling config cpu parsing handling when needed + - BUG/MINOR: mworker: fix validity check for the pipe FDs + - BUG/MINOR: mworker: detach from tty when in daemon mode + - MINOR: threads: Fix pthread_setaffinity_np on FreeBSD. + - BUG/MAJOR: thread: Be sure to request a sync between threads only once at a time + - BUILD: Fix LDFLAGS vs. LIBS re linking order in various makefiles + - BUG/MEDIUM: checks: Be sure we have a mux if we created a cs. 
+ - BUG/MINOR: hpack: fix debugging output of pseudo header names + - BUG/MINOR: hpack: must reject huffman literals padded with more than 7 bits + - BUG/MINOR: hpack: reject invalid header index + - BUG/MINOR: hpack: dynamic table size updates are only allowed before headers + - BUG/MAJOR: h2: correctly check the request length when building an H1 request + - BUG/MINOR: h2: immediately close if receiving GOAWAY after the last stream + - BUG/MINOR: h2: try to abort closed streams as soon as possible + - BUG/MINOR: h2: ":path" must not be empty + - BUG/MINOR: h2: fix a typo causing PING/ACK to be responded to + - BUG/MINOR: h2: the TE header if present may only contain trailers + - BUG/MEDIUM: h2: enforce the per-connection stream limit + - BUG/MINOR: h2: do not accept SETTINGS_ENABLE_PUSH other than 0 or 1 + - BUG/MINOR: h2: reject incorrect stream dependencies on HEADERS frame + - BUG/MINOR: h2: properly check PRIORITY frames + - BUG/MINOR: h2: reject response pseudo-headers from requests + - BUG/MEDIUM: h2: remove connection-specific headers from request + - BUG/MEDIUM: h2: do not accept upper case letters in request header names + - BUG/MINOR: h2: use the H2_F_DATA_* macros for DATA frames + 2017/11/26 : 1.8.0 - BUG/MEDIUM: stream: don't automatically forward connect nor close - BUG/MAJOR: stream: ensure analysers are always called upon close diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/README new/haproxy-1.8.1/README --- old/haproxy-1.8.0/README 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/README 2017-12-03 22:19:05.000000000 +0100 
@@ -3,7 +3,7 @@ ---------------------- version 1.8 willy tarreau - 2017/11/26 + 2017/12/03 1) How to build it diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/VERDATE new/haproxy-1.8.1/VERDATE --- old/haproxy-1.8.0/VERDATE 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/VERDATE 2017-12-03 22:19:05.000000000 +0100 @@ -1,2 +1,2 @@ $Format:%ci$ -2017/11/26 +2017/12/03 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/VERSION new/haproxy-1.8.1/VERSION --- old/haproxy-1.8.0/VERSION 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/VERSION 2017-12-03 22:19:05.000000000 +0100 @@ -1 +1 @@ -1.8.0 +1.8.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/contrib/mod_defender/Makefile new/haproxy-1.8.1/contrib/mod_defender/Makefile --- old/haproxy-1.8.0/contrib/mod_defender/Makefile 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/contrib/mod_defender/Makefile 2017-12-03 22:19:05.000000000 +0100 @@ -28,9 +28,8 @@ endif CFLAGS += -g -Wall -pthread -LDFLAGS += -lpthread $(EVENT_LIB) -levent_pthreads -lapr-1 -laprutil-1 -lstdc++ -lm INCS += -I../../include -I../../ebtree -I$(MOD_DEFENDER_SRC) -I$(APACHE2_INC) -I$(APR_INC) -I$(EVENT_INC) -LIBS = +LIBS += -lpthread $(EVENT_LIB) -levent_pthreads -lapr-1 -laprutil-1 -lstdc++ -lm CXXFLAGS = -g -std=gnu++11 CXXINCS += -I$(MOD_DEFENDER_SRC) -I$(MOD_DEFENDER_SRC)/deps -I$(APACHE2_INC) -I$(APR_INC) 
@@ -43,7 +42,7 @@ CXXOBJS = $(patsubst %.cpp, %.o, $(CXXSRCS)) defender: $(OBJS) $(CXXOBJS) - $(LD) -o $@ $^ $(LDFLAGS) $(LIBS) + $(LD) $(LDFLAGS) -o $@ $^ $(LIBS) install: defender install defender $(DESTDIR)$(BINDIR) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/contrib/modsecurity/Makefile new/haproxy-1.8.1/contrib/modsecurity/Makefile --- old/haproxy-1.8.0/contrib/modsecurity/Makefile 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/contrib/modsecurity/Makefile 2017-12-03 22:19:05.000000000 +0100 @@ -34,14 +34,13 @@ endif CFLAGS += -g -Wall -pthread -LDFLAGS += -lpthread $(EVENT_LIB) -levent_pthreads -lcurl -lapr-1 -laprutil-1 -lxml2 -lpcre -lyajl INCS += -I../../include -I../../ebtree -I$(MODSEC_INC) -I$(APACHE2_INC) -I$(APR_INC) -I$(LIBXML_INC) -I$(EVENT_INC) -LIBS = +LIBS += -lpthread $(EVENT_LIB) -levent_pthreads -lcurl -lapr-1 -laprutil-1 -lxml2 -lpcre -lyajl OBJS = spoa.o modsec_wrapper.o modsecurity: $(OBJS) - $(LD) $(LDFLAGS) $(LIBS) -o $@ $^ $(MODSEC_LIB)/standalone.a + $(LD) $(LDFLAGS) -o $@ $^ $(MODSEC_LIB)/standalone.a $(LIBS) install: modsecurity install modsecurity $(DESTDIR)$(BINDIR) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/contrib/spoa_example/Makefile new/haproxy-1.8.1/contrib/spoa_example/Makefile --- old/haproxy-1.8.0/contrib/spoa_example/Makefile 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/contrib/spoa_example/Makefile 2017-12-03 22:19:05.000000000 +0100 
@@ -6,15 +6,14 @@ LD = $(CC) CFLAGS = -g -O2 -Wall -Werror -pthread -LDFLAGS = -lpthread -levent -levent_pthreads INCS += -I../../ebtree -I./include -LIBS = +LIBS = -lpthread -levent -levent_pthreads OBJS = spoa.o spoa: $(OBJS) - $(LD) $(LDFLAGS) $(LIBS) -o $@ $^ + $(LD) $(LDFLAGS) -o $@ $^ $(LIBS) install: spoa install spoa $(DESTDIR)$(BINDIR) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/doc/configuration.txt new/haproxy-1.8.1/doc/configuration.txt --- old/haproxy-1.8.0/doc/configuration.txt 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/doc/configuration.txt 2017-12-03 22:19:05.000000000 +0100 @@ -4,7 +4,7 @@ ---------------------- version 1.8 willy tarreau - 2017/11/26 + 2017/12/03 This document covers the configuration language as implemented in the version @@ -109,6 +109,10 @@ 9.3. Stream Processing Offload Engine (SPOE) 10. Cache +10.1. Limitation +10.2. Setup +10.2.1. Cache section +10.2.2. Proxy section 1. Quick reminder about HTTP ---------------------------- @@ -16990,13 +16994,13 @@ RAM. The cache is based on a memory which is shared between processes and threads, -this memory is splitted in blocks of 1k. +this memory is split in blocks of 1k. If an object is not used anymore, it can be deleted to store a new object independently of its expiration date. The oldest objects are deleted first when we try to allocate a new one. -The cache use a hash of the host header and the URI as the key. +The cache uses a hash of the host header and the URI as the key. It's possible to view the status of a cache using the Unix socket command "show cache" consult section 9.3 "Unix Socket commands" of Management Guide @@ -17005,8 +17009,8 @@ When an object is delivered from the cache, the server name in the log is replaced by "<CACHE>". -10.1 Limitation ---------------- +10.1. Limitation +---------------- The cache won't store and won't deliver objects in these cases: 
@@ -17022,16 +17026,16 @@ Caution!: Due to the current limitation of the filters, it is not recommended to use the cache with other filters. Using them can cause undefined behavior -if they modify the response (compression for exemple). +if they modify the response (compression for example). -10.2 Setup ----------- +10.2. Setup +----------- To setup a cache, you must define a cache section and use it in a proxy with the corresponding http-request and response actions. -10.2.1 Cache section --------------------- +10.2.1. Cache section +--------------------- cache <name> Declare a cache section, allocate a shared cache memory named <name>, the @@ -17048,8 +17052,8 @@ seconds, which means that you can't cache an object more than 60 seconds by default. -10.2.2 Proxy section --------------------- +10.2.2. Proxy section +--------------------- http-request cache-use <name> Try to deliver a cached object from the cache <name>. This directive is also diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/doc/management.txt new/haproxy-1.8.1/doc/management.txt --- old/haproxy-1.8.0/doc/management.txt 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/doc/management.txt 2017-12-03 22:19:05.000000000 +0100 @@ -1755,7 +1755,7 @@ [::1]:9999 operator 2 show cache - List the configurated caches and the objects stored in each cache tree. + List the configured caches and the objects stored in each cache tree. $ echo 'show cache' | socat stdio /tmp/sock1 0x7f6ac6c5b03a: foobar (shctx:0x7f6ac6c5b000, available blocks:3918) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/examples/haproxy.spec new/haproxy-1.8.1/examples/haproxy.spec --- old/haproxy-1.8.0/examples/haproxy.spec 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/examples/haproxy.spec 2017-12-03 22:19:05.000000000 +0100 
@@ -1,6 +1,6 @@ Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments Name: haproxy -Version: 1.8.0 +Version: 1.8.1 Release: 1 License: GPL Group: System Environment/Daemons @@ -74,6 +74,9 @@ %attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name} %changelog +* Sun Dec 3 2017 Willy Tarreau <[email protected]> +- updated to 1.8.1 + * Sun Nov 26 2017 Willy Tarreau <[email protected]> - updated to 1.8.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/include/common/hpack-tbl.h new/haproxy-1.8.1/include/common/hpack-tbl.h --- old/haproxy-1.8.0/include/common/hpack-tbl.h 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/include/common/hpack-tbl.h 2017-12-03 22:19:05.000000000 +0100 @@ -154,6 +154,12 @@ return &dht->dte[idx]; } +/* returns non-zero if <idx> is valid for table <dht> */ +static inline int hpack_valid_idx(const struct hpack_dht *dht, uint16_t idx) +{ + return idx < dht->used + HPACK_SHT_SIZE; +} + /* return a pointer to the header name for entry <dte>. */ static inline struct ist hpack_get_name(const struct hpack_dht *dht, const struct hpack_dte *dte) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/include/proto/session.h new/haproxy-1.8.1/include/proto/session.h --- old/haproxy-1.8.0/include/proto/session.h 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/include/proto/session.h 2017-12-03 22:19:05.000000000 +0100 
@@ -62,6 +62,9 @@ stktable_data_cast(ptr, conn_cur)--; HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock); + + /* If data was modified, we need to touch to re-schedule sync */ + stktable_touch_local(stkctr->table, ts, 0); } stkctr_set_entry(stkctr, NULL); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/include/proto/stream.h new/haproxy-1.8.1/include/proto/stream.h --- old/haproxy-1.8.0/include/proto/stream.h 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/include/proto/stream.h 2017-12-03 22:19:05.000000000 +0100 @@ -107,6 +107,9 @@ stktable_data_cast(ptr, conn_cur)--; HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock); + + /* If data was modified, we need to touch to re-schedule sync */ + stktable_touch_local(s->stkctr[i].table, ts, 0); } stkctr_set_entry(&s->stkctr[i], NULL); stksess_kill_if_expired(s->stkctr[i].table, ts, 1); @@ -142,6 +145,9 @@ stktable_data_cast(ptr, conn_cur)--; HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock); + + /* If data was modified, we need to touch to re-schedule sync */ + stktable_touch_local(s->stkctr[i].table, ts, 0); } stkctr_set_entry(&s->stkctr[i], NULL); stksess_kill_if_expired(s->stkctr[i].table, ts, 1); @@ -174,6 +180,9 @@ ts->expire = tick_add(now_ms, MS_TO_TICKS(t->expire)); HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock); + + /* If data was modified, we need to touch to re-schedule sync */ + stktable_touch_local(t, ts, 0); } /* Enable tracking of stream counters as <stkctr> on stksess <ts>. The caller is @@ -221,6 +230,9 @@ stkctr->table->data_arg[STKTABLE_DT_HTTP_REQ_RATE].u, 1); HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock); + + /* If data was modified, we need to touch to re-schedule sync */ + stktable_touch_local(stkctr->table, ts, 0); } } 
@@ -255,6 +267,9 @@ stkctr->table->data_arg[STKTABLE_DT_HTTP_REQ_RATE].u, 1); HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock); + + /* If data was modified, we need to touch to re-schedule sync */ + stktable_touch_local(stkctr->table, ts, 0); } } @@ -293,6 +308,9 @@ stkctr->table->data_arg[STKTABLE_DT_HTTP_ERR_RATE].u, 1); HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock); + + /* If data was modified, we need to touch to re-schedule sync */ + stktable_touch_local(stkctr->table, ts, 0); } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/include/types/checks.h new/haproxy-1.8.1/include/types/checks.h --- old/haproxy-1.8.0/include/types/checks.h 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/include/types/checks.h 2017-12-03 22:19:05.000000000 +0100 @@ -22,7 +22,6 @@ #include <types/connection.h> #include <types/obj_type.h> #include <types/task.h> -#include <types/server.h> /* enum used by check->result. Must remain in this order, as some code uses * result >= CHK_RES_PASSED to declare success. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/cache.c new/haproxy-1.8.1/src/cache.c --- old/haproxy-1.8.0/src/cache.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/cache.c 2017-12-03 22:19:05.000000000 +0100 @@ -228,6 +228,7 @@ MIN(bi_contig_data(msg->chn->buf), len - st->hdrs_len)); /* Rewind the buffer to forward all data */ b_rew(msg->chn->buf, st->hdrs_len); + st->hdrs_len = 0; if (ret) goto disable_cache; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/cfgparse.c new/haproxy-1.8.1/src/cfgparse.c --- old/haproxy-1.8.0/src/cfgparse.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/cfgparse.c 2017-12-03 22:19:05.000000000 +0100 
@@ -646,6 +646,7 @@ return 0; } +#ifdef USE_CPU_AFFINITY /* Parse cpu sets. Each CPU set is either a unique number between 0 and * <LONGBITS> or a range with two such numbers delimited by a dash * ('-'). Multiple CPU numbers or ranges may be specified. On success, it @@ -687,6 +688,8 @@ } return 0; } +#endif + /* * parse a line in a <global> section. Returns the error code, 0 if OK, or * any combination of : diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/checks.c new/haproxy-1.8.1/src/checks.c --- old/haproxy-1.8.0/src/checks.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/checks.c 2017-12-03 22:19:05.000000000 +0100 @@ -1564,25 +1564,23 @@ conn->addr.to = s->addr; } + proto = protocol_by_family(conn->addr.to.ss_family); + + conn_prepare(conn, proto, check->xprt); + conn_install_mux(conn, &mux_pt_ops, cs); + cs_attach(cs, check, &check_conn_cb); + conn->target = &s->obj_type; + if ((conn->addr.to.ss_family == AF_INET) || (conn->addr.to.ss_family == AF_INET6)) { int i = 0; i = srv_check_healthcheck_port(check); - if (i == 0) { - cs->data = check; + if (i == 0) return SF_ERR_CHK_PORT; - } set_host_port(&conn->addr.to, i); } - proto = protocol_by_family(conn->addr.to.ss_family); - - conn_prepare(conn, proto, check->xprt); - conn_install_mux(conn, &mux_pt_ops, cs); - cs_attach(cs, check, &check_conn_cb); - conn->target = &s->obj_type; - /* no client address */ clear_addr(&conn->addr.from); @@ -2595,8 +2593,6 @@ struct list *head = check->tcpcheck_rules; int retcode = 0; - HA_SPIN_LOCK(SERVER_LOCK, &check->server->lock); - /* here, we know that the check is complete or that it failed */ if (check->result != CHK_RES_UNKNOWN) goto out_end_tcpcheck; @@ -2637,7 +2633,7 @@ if (s->proxy->timeout.check) t->expire = tick_first(t->expire, t_con); } - goto out_unlock; + goto out; } /* special case: option tcp-check with no rule, a connect is enough */ 
@@ -2732,7 +2728,7 @@ chunk_appendf(&trash, " comment: '%s'", comment); set_server_check_status(check, HCHK_STATUS_SOCKERR, trash.str); check->current_step = NULL; - goto out_unlock; + goto out; } if (check->cs) @@ -2854,7 +2850,7 @@ if (s->proxy->timeout.check) t->expire = tick_first(t->expire, t_con); } - goto out_unlock; + goto out; } } /* end 'connect' */ @@ -3059,7 +3055,7 @@ if (&check->current_step->list != head && check->current_step->action == TCPCHK_ACT_EXPECT) __cs_want_recv(cs); - goto out_unlock; + goto out; out_end_tcpcheck: /* collect possible new errors */ @@ -3074,8 +3070,7 @@ __cs_stop_both(cs); - out_unlock: - HA_SPIN_UNLOCK(SERVER_LOCK, &check->server->lock); + out: return retcode; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/da.c new/haproxy-1.8.1/src/da.c --- old/haproxy-1.8.0/src/da.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/da.c 2017-12-03 22:19:05.000000000 +0100 @@ -121,12 +121,6 @@ size_t atlasimglen; da_status_t status; - if (global.nbthread > 1) { - ha_alert("deviceatlas: multithreading is not supported for now.\n"); - err_code |= ERR_ALERT | ERR_FATAL; - goto out; - } - jsonp = fopen(global_deviceatlas.jsonpath, "r"); if (jsonp == 0) { ha_alert("deviceatlas : '%s' json file has invalid path or is not readable.\n", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/ev_kqueue.c new/haproxy-1.8.1/src/ev_kqueue.c --- old/haproxy-1.8.0/src/ev_kqueue.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/ev_kqueue.c 2017-12-03 22:19:05.000000000 +0100 
@@ -216,8 +216,6 @@ */ REGPRM1 static int _do_fork(struct poller *p) { - if (kqueue_fd >= 0) - close(kqueue_fd); kqueue_fd = kqueue(); if (kqueue_fd < 0) return 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/h2.c new/haproxy-1.8.1/src/h2.c --- old/haproxy-1.8.0/src/h2.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/h2.c 2017-12-03 22:19:05.000000000 +0100 @@ -83,7 +83,11 @@ } } - if (out + phdr[uri_idx].len + 1 + phdr[uri_idx].len + 11 > end) { + /* 7540#8.1.2.3: :path must not be empty */ + if (!phdr[uri_idx].len) + goto fail; + + if (out + phdr[H2_PHDR_IDX_METH].len + 1 + phdr[uri_idx].len + 11 > end) { /* too large */ goto fail; } @@ -129,6 +133,7 @@ int ck, lck; /* cookie index and last cookie index */ int phdr; int ret; + int i; lck = ck = -1; // no cookie for now fields = 0; @@ -139,6 +144,11 @@ } else { /* this can be any type of header */ + /* RFC7540#8.1.2: upper case not allowed in header field names */ + for (i = 0; i < list[idx].n.len; i++) + if ((uint8_t)(list[idx].n.ptr[i] - 'A') < 'Z' - 'A') + goto fail; + phdr = h2_str_to_phdr(list[idx].n); } @@ -175,6 +185,17 @@ if (isteq(list[idx].n, ist("host"))) fields |= H2_PHDR_FND_HOST; + /* these ones are forbidden in requests (RFC7540#8.1.2.2) */ + if (isteq(list[idx].n, ist("connection")) || + isteq(list[idx].n, ist("proxy-connection")) || + isteq(list[idx].n, ist("keep-alive")) || + isteq(list[idx].n, ist("upgrade")) || + isteq(list[idx].n, ist("transfer-encoding"))) + goto fail; + + if (isteq(list[idx].n, ist("te")) && !isteq(list[idx].v, ist("trailers"))) + goto fail; + /* cookie requires special processing at the end */ if (isteq(list[idx].n, ist("cookie"))) { list[idx].n.len = -1; 
@@ -205,6 +226,10 @@ *(out++) = '\n'; } + /* RFC7540#8.1.2.1 mandates to reject response pseudo-headers (:status) */ + if (fields & H2_PHDR_FND_STAT) + goto fail; + /* Let's dump the request now if not yet emitted. */ if (!(fields & H2_PHDR_FND_NONE)) { ret = h2_prepare_h1_reqline(fields, phdr_val, &out, out_end); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/haproxy.c new/haproxy-1.8.1/src/haproxy.c --- old/haproxy-1.8.0/src/haproxy.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/haproxy.c 2017-12-03 22:19:05.000000000 +0100 @@ -55,6 +55,7 @@ #ifdef __FreeBSD__ #include <sys/param.h> #include <sys/cpuset.h> +#include <pthread_np.h> #endif #endif @@ -2679,7 +2680,8 @@ /* master pipe to ensure the master is still alive */ ret = pipe(mworker_pipe); if (ret < 0) { - ha_warning("[%s.main()] Cannot create master pipe.\n", argv[0]); + ha_alert("[%s.main()] Cannot create master pipe.\n", argv[0]); + exit(EXIT_FAILURE); } else { memprintf(&msg, "%d", mworker_pipe[0]); setenv("HAPROXY_MWORKER_PIPE_RD", msg, 1); @@ -2688,11 +2690,15 @@ free(msg); } } else { - mworker_pipe[0] = atol(getenv("HAPROXY_MWORKER_PIPE_RD")); - mworker_pipe[1] = atol(getenv("HAPROXY_MWORKER_PIPE_WR")); - if (mworker_pipe[0] <= 0 || mworker_pipe[1] <= 0) { - ha_warning("[%s.main()] Cannot get master pipe FDs.\n", argv[0]); + char* rd = getenv("HAPROXY_MWORKER_PIPE_RD"); + char* wr = getenv("HAPROXY_MWORKER_PIPE_WR"); + if (!rd || !wr) { + ha_alert("[%s.main()] Cannot get master pipe FDs.\n", argv[0]); + atexit_flag = 0;// dont reexecute master process + exit(EXIT_FAILURE); } + mworker_pipe[0] = atoi(rd); + mworker_pipe[1] = atoi(wr); } } 
@@ -2757,6 +2763,16 @@ if (global.mode & MODE_MWORKER) { mworker_cleanlisteners(); deinit_pollers(); + + if ((!(global.mode & MODE_QUIET) || (global.mode & MODE_VERBOSE)) && + (global.mode & MODE_DAEMON)) { + /* detach from the tty, this is required to properly daemonize. */ + fclose(stdin); fclose(stdout); fclose(stderr); + global.mode &= ~MODE_VERBOSE; + global.mode |= MODE_QUIET; /* ensure that we won't say anything from now */ + setsid(); + } + mworker_wait(); /* should never get there */ exit(EXIT_FAILURE); @@ -2899,10 +2915,24 @@ global.cpu_map.thread[relative_pid-1][i] &= global.cpu_map.proc[relative_pid-1]; if (i < LONGBITS && /* only the first 32/64 threads may be pinned */ - global.cpu_map.thread[relative_pid-1][i]) /* only do this if the thread has a THREAD map */ + global.cpu_map.thread[relative_pid-1][i]) {/* only do this if the thread has a THREAD map */ +#if defined(__FreeBSD__) || defined(__NetBSD__) + cpuset_t cpuset; +#else + cpu_set_t cpuset; +#endif + int j; + unsigned long cpu_map = global.cpu_map.thread[relative_pid-1][i]; + + CPU_ZERO(&cpuset); + + while ((j = ffsl(cpu_map)) > 0) { + CPU_SET(j - 1, &cpuset); + cpu_map &= ~(1 << (j - 1)); + } pthread_setaffinity_np(threads[i], - sizeof(unsigned long), - (void *)&global.cpu_map.thread[relative_pid-1][i]); + sizeof(cpuset), &cpuset); + } } #endif /* !USE_CPU_AFFINITY */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/hathreads.c new/haproxy-1.8.1/src/hathreads.c --- old/haproxy-1.8.0/src/hathreads.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/hathreads.c 2017-12-03 22:19:05.000000000 +0100 
@@ -70,6 +70,8 @@ void thread_want_sync() { if (all_threads_mask) { + if (threads_want_sync & tid_bit) + return; if (HA_ATOMIC_OR(&threads_want_sync, tid_bit) == tid_bit) shut_your_big_mouth_gcc(write(threads_sync_pipe[1], "S", 1)); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/hpack-dec.c new/haproxy-1.8.1/src/hpack-dec.c --- old/haproxy-1.8.0/src/hpack-dec.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/hpack-dec.c 2017-12-03 22:19:05.000000000 +0100 @@ -177,6 +177,11 @@ goto leave; } + if (!hpack_valid_idx(dht, idx)) { + ret = -HPACK_ERR_TOO_LARGE; + goto leave; + } + value = hpack_alloc_string(tmp, idx, hpack_idx_to_value(dht, idx)); if (!value.ptr) { ret = -HPACK_ERR_TOO_LARGE; @@ -197,6 +202,12 @@ } else if (*raw >= 0x20 && *raw <= 0x3f) { /* max dyn table size change */ + if (ret) { + /* 7541#4.2.1 : DHT size update must only be at the beginning */ + ret = -HPACK_ERR_TOO_LARGE; + goto leave; + } + idx = get_var_int(&raw, &len, 5); if (len == (uint32_t)-1) { // truncated ret = -HPACK_ERR_TRUNCATED; @@ -316,6 +327,11 @@ goto leave; } + if (!hpack_valid_idx(dht, idx)) { + ret = -HPACK_ERR_TOO_LARGE; + goto leave; + } + /* retrieve value */ huff = *raw & 0x80; vlen = get_var_int(&raw, &len, 7); @@ -376,7 +392,7 @@ } hpack_debug_printf("\e[1;34m%s\e[0m: ", - istpad(trash.str, name).ptr); + istpad(trash.str, name.ptr ? name : hpack_idx_to_name(dht, idx)).ptr); hpack_debug_printf("\e[1;35m%s\e[0m [idx=%d, used=%d]\n", istpad(trash.str, value).ptr, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/hpack-huff.c new/haproxy-1.8.1/src/hpack-huff.c --- old/haproxy-1.8.0/src/hpack-huff.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/hpack-huff.c 2017-12-03 22:19:05.000000000 +0100 
@@ -1518,8 +1518,12 @@ if (bleft > 0) { /* some bits were not consumed after the last code, they must - * match EOS (ie: all ones). + * match EOS (ie: all ones) and there must be 7 bits or less. + * (7541#5.2). */ + if (bleft > 7) + return -1; + if ((code & -(1 << (32 - bleft))) != (uint32_t)-(1 << (32 - bleft))) return -1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/mux_h2.c new/haproxy-1.8.1/src/mux_h2.c --- old/haproxy-1.8.0/src/mux_h2.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/mux_h2.c 2017-12-03 22:19:05.000000000 +0100 @@ -105,6 +105,8 @@ int timeout; /* idle timeout duration in ticks */ int shut_timeout; /* idle timeout duration in ticks after GOAWAY was sent */ + unsigned int nb_streams; /* number of streams in the tree */ + /* 32 bit hole here */ struct task *task; /* timeout management task */ struct eb_root streams_by_id; /* all active streams by their ID */ struct list send_list; /* list of blocked streams requesting to send */ @@ -361,6 +363,7 @@ h2c->flags = H2_CF_NONE; h2c->rcvd_c = 0; h2c->rcvd_s = 0; + h2c->nb_streams = 0; h2c->dbuf = &buf_empty; h2c->dsi = -1; @@ -613,6 +616,9 @@ LIST_INIT(&h2s->list); eb32_insert(&h2c->streams_by_id, &h2s->by_id); + h2c->nb_streams++; + if (h2c->nb_streams > h2_settings_max_concurrent_streams) + goto out_close; cs = cs_new(h2c->conn); if (!cs) @@ -630,6 +636,7 @@ out_free_cs: cs_free(cs); out_close: + h2c->nb_streams--; eb32_delete(&h2s->by_id); pool_free(pool_head_h2s, h2s); h2s = NULL; @@ -991,6 +998,7 @@ if (!h2s->cs) { /* this stream was already orphaned */ + h2c->nb_streams--; eb32_delete(&h2s->by_id); pool_free(pool_head_h2s, h2s); continue; @@ -1094,6 +1102,12 @@ } h2c->mfs = arg; break; + case H2_SETTINGS_ENABLE_PUSH: + if (arg < 0 || arg > 1) { // RFC7540#6.5.2 + error = H2_ERR_PROTOCOL_ERROR; + goto fail; + } + break; } } 
@@ -1159,7 +1173,7 @@ } /* schedule a response */ - if (!(h2c->dft & H2_F_PING_ACK)) + if (!(h2c->dff & H2_F_PING_ACK)) h2c->st0 = H2_CS_FRAME_A; return 1; } @@ -1399,6 +1413,42 @@ last = h2_get_n32(h2c->dbuf, 0); h2c->errcode = h2_get_n32(h2c->dbuf, 4); h2_wake_some_streams(h2c, last, CS_FL_ERROR); + if (h2c->last_sid < 0) + h2c->last_sid = last; + return 1; + + conn_err: + h2c_error(h2c, error); + return 0; +} + +/* processes a PRIORITY frame, and either skips it or rejects if it is + * invalid. Returns > 0 on success or zero on missing data. It may return + * an error in h2c. Described in RFC7540#6.3. + */ +static int h2c_handle_priority(struct h2c *h2c) +{ + int error; + + if (h2c->dsi == 0) { + error = H2_ERR_PROTOCOL_ERROR; + goto conn_err; + } + + if (h2c->dfl != 5) { + error = H2_ERR_FRAME_SIZE_ERROR; + goto conn_err; + } + + /* process full frame only */ + if (h2c->dbuf->i < h2c->dfl) + return 0; + + if (h2_get_n32(h2c->dbuf, 0) == h2c->dsi) { + /* 7540#5.3 : can't depend on itself */ + error = H2_ERR_PROTOCOL_ERROR; + goto conn_err; + } return 1; conn_err: @@ -1793,6 +1843,11 @@ ret = h2c_send_strm_wu(h2c); break; + case H2_FT_PRIORITY: + if (h2c->st0 == H2_CS_FRAME_P) + ret = h2c_handle_priority(h2c); + break; + case H2_FT_RST_STREAM: if (h2c->st0 == H2_CS_FRAME_P) ret = h2c_handle_rst_stream(h2c, h2s); @@ -1904,6 +1959,7 @@ h2s->cs->flags &= ~CS_FL_DATA_WR_ENA; else { /* just sent the last frame for this orphaned stream */ + h2c->nb_streams--; eb32_delete(&h2s->by_id); pool_free(pool_head_h2s, h2s); } @@ -1946,6 +2002,7 @@ h2s->cs->flags &= ~CS_FL_DATA_WR_ENA; else { /* just sent the last frame for this orphaned stream */ + h2c->nb_streams--; eb32_delete(&h2s->by_id); pool_free(pool_head_h2s, h2s); } @@ -2297,6 +2354,7 @@ if (h2s->by_id.node.leaf_p) { /* h2s still attached to the h2c */ + h2c->nb_streams--; eb32_delete(&h2s->by_id); /* We don't want to close right now unless we're removing the 
@@ -2446,6 +2504,12 @@ /* Skip StreamDep and weight for now (we don't support PRIORITY) */ if (h2c->dff & H2_F_HEADERS_PRIORITY) { + if (read_n32(hdrs) == h2s->id) { + /* RFC7540#5.3.1 : stream dep may not depend on itself */ + h2c_error(h2c, H2_ERR_PROTOCOL_ERROR); + return 0;//goto fail_stream; + } + hdrs += 5; // stream dep = 4, weight = 1 flen -= 5; } @@ -2553,7 +2617,7 @@ /* The padlen is the first byte before data, and the padding appears * after data. padlen+data+padding are included in flen. */ - if (h2c->dff & H2_F_HEADERS_PADDED) { + if (h2c->dff & H2_F_DATA_PADDED) { padlen = *(uint8_t *)bi_ptr(h2c->dbuf); if (padlen >= flen) { /* RFC7540#6.1 : pad length = length of frame payload or greater */ @@ -2596,7 +2660,7 @@ * FIXME: should we instead try to send it much later, after the * response ? This would require that we keep a copy of it in h2s. */ - if (h2c->dff & H2_F_HEADERS_END_STREAM) { + if (h2c->dff & H2_F_DATA_END_STREAM) { h2s->cs->flags |= CS_FL_EOS; h2s->flags |= H2_SF_ES_RCVD; } @@ -2800,10 +2864,11 @@ h2s->st = H2_SS_CLOSED; } else if (h1m->status >= 100 && h1m->status < 200) { + /* we'll let the caller check if it has more headers to send */ h1m->state = HTTP_MSG_RPBEFORE; h1m->status = 0; h1m->flags = 0; - goto next_header_block; + goto end; } else h1m->state = (h1m->flags & H1_MF_CLEN) ? HTTP_MSG_BODY : HTTP_MSG_CHUNK_SIZE; @@ -3063,7 +3128,7 @@ if (h2s->res.state < HTTP_MSG_BODY) { total += h2s_frt_make_resp_headers(h2s, buf); - if (h2s->st == H2_SS_ERROR) + if (h2s->st >= H2_SS_ERROR) break; if (h2s->flags & H2_SF_BLK_ANY) @@ -3072,7 +3137,7 @@ else if (h2s->res.state < HTTP_MSG_TRAILERS) { total += h2s_frt_make_resp_data(h2s, buf); - if (h2s->st == H2_SS_ERROR) + if (h2s->st >= H2_SS_ERROR) break; if (h2s->flags & H2_SF_BLK_ANY) 
@@ -3099,7 +3164,7 @@ } /* RST are sent similarly to frame acks */ - if (h2s->st == H2_SS_ERROR) { + if (h2s->st >= H2_SS_ERROR) { cs->flags |= CS_FL_ERROR; if (h2s_send_rst_stream(h2s->h2c, h2s) > 0) h2s->st = H2_SS_CLOSED; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/peers.c new/haproxy-1.8.1/src/peers.c --- old/haproxy-1.8.0/src/peers.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/peers.c 2017-12-03 22:19:05.000000000 +0100 @@ -1474,6 +1474,7 @@ msglen = peer_prepare_switchmsg(st, trash.str, trash.size); if (!msglen) { + HA_SPIN_UNLOCK(STK_TABLE_LOCK, &st->table->lock); /* internal error: message does not fit in trash */ appctx->st0 = PEER_SESS_ST_END; goto switchstate; @@ -1482,6 +1483,7 @@ /* message to buffer */ repl = ci_putblk(si_ic(si), trash.str, msglen); if (repl <= 0) { + HA_SPIN_UNLOCK(STK_TABLE_LOCK, &st->table->lock); /* no more write possible */ if (repl == -1) { goto full; @@ -2102,7 +2104,7 @@ if (ps->flags & PEER_F_TEACH_COMPLETE) { if (peers->flags & PEERS_F_DONOTSTOP) { /* resync of new process was complete, current process can die now */ - HA_ATOMIC_ADD(&jobs, 1); + HA_ATOMIC_SUB(&jobs, 1); peers->flags &= ~PEERS_F_DONOTSTOP; for (st = ps->tables; st ; st = st->next) st->table->syncing--; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/proto_http.c new/haproxy-1.8.1/src/proto_http.c --- old/haproxy-1.8.0/src/proto_http.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/proto_http.c 2017-12-03 22:19:05.000000000 +0100 @@ -2754,6 +2754,9 @@ t->data_arg[STKTABLE_DT_HTTP_REQ_RATE].u, 1); HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock); + + /* If data was modified, we need to touch to re-schedule sync */ + stktable_touch_local(t, ts, 0); } stkctr_set_flags(&s->stkctr[trk_idx(rule->action)], STKCTR_TRACK_CONTENT); 
@@ -3054,6 +3057,9 @@ HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock); + /* If data was modified, we need to touch to re-schedule sync */ + stktable_touch_local(t, ts, 0); + stkctr_set_flags(&s->stkctr[trk_idx(rule->action)], STKCTR_TRACK_CONTENT); if (sess->fe != s->be) stkctr_set_flags(&s->stkctr[trk_idx(rule->action)], STKCTR_TRACK_BACKEND); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/ssl_sock.c new/haproxy-1.8.1/src/ssl_sock.c --- old/haproxy-1.8.0/src/ssl_sock.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/ssl_sock.c 2017-12-03 22:19:05.000000000 +0100 @@ -324,7 +324,7 @@ #define SSL_SOCK_NUM_KEYTYPES 1 #endif -static struct shared_context *ssl_shctx; /* ssl shared session cache */ +static struct shared_context *ssl_shctx = NULL; /* ssl shared session cache */ static struct eb_root *sh_ssl_sess_tree; /* ssl shared session tree */ #define sh_ssl_sess_tree_delete(s) ebmb_delete(&(s)->key); 
@@ -4705,24 +4705,24 @@ return -1; } } - - alloc_ctx = shctx_init(&ssl_shctx, global.tune.sslcachesize, - sizeof(struct sh_ssl_sess_hdr) + SHSESS_BLOCK_MIN_SIZE, - sizeof(*sh_ssl_sess_tree), - ((global.nbthread > 1) || (!global_ssl.private_cache && (global.nbproc > 1))) ? 1 : 0); - if (alloc_ctx < 0) { - if (alloc_ctx == SHCTX_E_INIT_LOCK) - ha_alert("Unable to initialize the lock for the shared SSL session cache. You can retry using the global statement 'tune.ssl.force-private-cache' but it could increase CPU usage due to renegotiations if nbproc > 1.\n"); - else - ha_alert("Unable to allocate SSL session cache.\n"); - return -1; + if (!ssl_shctx) { + alloc_ctx = shctx_init(&ssl_shctx, global.tune.sslcachesize, + sizeof(struct sh_ssl_sess_hdr) + SHSESS_BLOCK_MIN_SIZE, + sizeof(*sh_ssl_sess_tree), + ((global.nbthread > 1) || (!global_ssl.private_cache && (global.nbproc > 1))) ? 1 : 0); + if (alloc_ctx < 0) { + if (alloc_ctx == SHCTX_E_INIT_LOCK) + ha_alert("Unable to initialize the lock for the shared SSL session cache. You can retry using the global statement 'tune.ssl.force-private-cache' but it could increase CPU usage due to renegotiations if nbproc > 1.\n"); + else + ha_alert("Unable to allocate SSL session cache.\n"); + return -1; + } + /* free block callback */ + ssl_shctx->free_block = sh_ssl_sess_free_blocks; + /* init the root tree within the extra space */ + sh_ssl_sess_tree = (void *)ssl_shctx + sizeof(struct shared_context); + *sh_ssl_sess_tree = EB_ROOT_UNIQUE; } - /* free block callback */ - ssl_shctx->free_block = sh_ssl_sess_free_blocks; - /* init the root tree within the extra space */ - sh_ssl_sess_tree = (void *)ssl_shctx + sizeof(struct shared_context); - *sh_ssl_sess_tree = EB_ROOT_UNIQUE; - err = 0; /* initialize all certificate contexts */ err += ssl_sock_prepare_all_ctx(bind_conf); 
@@ -5386,7 +5386,7 @@ if (ret > 0) conn->flags |= CO_FL_EARLY_DATA; } else { - conn->flags &= ~(CO_FL_EARLY_SSL_HS | CO_FL_EARLY_DATA); + conn->flags &= ~(CO_FL_EARLY_SSL_HS); } } #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.8.0/src/stream.c new/haproxy-1.8.1/src/stream.c --- old/haproxy-1.8.0/src/stream.c 2017-11-26 19:25:23.000000000 +0100 +++ new/haproxy-1.8.1/src/stream.c 2017-12-03 22:19:05.000000000 +0100 @@ -297,6 +297,7 @@ struct proxy *fe = sess->fe; struct bref *bref, *back; struct conn_stream *cli_cs = objt_cs(s->si[0].end); + int must_free_sess; int i; if (s->pend_pos) @@ -388,12 +389,15 @@ LIST_DEL(&s->list); HA_SPIN_UNLOCK(STRMS_LOCK, &streams_lock); + /* applets do not release session yet */ + must_free_sess = objt_appctx(sess->origin) && sess->origin == s->si[0].end; + si_release_endpoint(&s->si[1]); si_release_endpoint(&s->si[0]); - /* FIXME: for now we have a 1:1 relation between stream and session so - * the stream must free the session. - */ + if (must_free_sess) + session_free(sess); + pool_free(pool_head_stream, s); /* We may want to free the maximum amount of pools if the proxy is stopping */
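Review bot: In the thread_want_sync() hunk (@@ -70,6 +70,8), the new early return tests threads_want_sync & tid_bit with a plain read, while the very next line updates the same variable through HA_ATOMIC_OR. If the intent is that only the calling thread ever sets its own tid_bit, so that a stale read can at worst cause one redundant atomic OR, please say so in a comment above the check; otherwise the read should go through an atomic load as well.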
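Review bot: In src/hpack-dec.c, the two new hpack_valid_idx() failures (@@ -177 and @@ -316) and the late table size update (@@ -197) all return -HPACK_ERR_TOO_LARGE, the same code the context lines already use when hpack_alloc_string() fails. An out-of-range index and a misplaced size update are malformed-input conditions rather than size problems, so a distinct error code would let logs and callers tell a broken or hostile peer apart from buffer exhaustion. The `if (ret)` test also appears to rely on ret being non-zero once a header has been decoded; the RFC reference is there but the meaning of ret is not, and one more comment line would make the check self-explanatory.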
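Review bot: In src/hpack-huff.c (@@ -1518,8 +1518,12), the mask on the line after the new bleft > 7 check is still built from a signed constant: with bleft == 1 the expression 1 << (32 - bleft) shifts a signed int by 31 bits, which is undefined behaviour in C where int is 32 bits wide. Since this patch narrows bleft to 1..7 and the result is compared against a uint32_t anyway, building the mask from 1U (or a uint32_t variable) would make the padding check well defined for every accepted value.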
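Review bot: In src/mux_h2.c, h2c->nb_streams-- is added by hand next to eb32_delete(&h2s->by_id) at five separate sites (@@ -630, @@ -991, @@ -1904, @@ -1946, @@ -2297), and the per-connection limit enforced at @@ -613 is only as reliable as that pairing. A single helper that removes the stream from the tree and decrements the counter would keep the two from drifting apart when another release path is added; a site that is missed leaves the counter too high until the connection refuses new streams, and a double decrement weakens the limit. The comment on the new field could also state that it is compared against h2_settings_max_concurrent_streams.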
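Review bot: In the new h2c_handle_priority() (@@ -1399,6 +1413,42), the self-dependency test compares h2_get_n32(h2c->dbuf, 0) directly with h2c->dsi, but the first 32 bits of a PRIORITY payload are the exclusive flag followed by a 31-bit stream dependency (RFC7540#6.3). Assuming h2_get_n32() returns the raw 32-bit value, a frame that sets the exclusive bit and names its own stream would not compare equal and would be accepted; masking the value with 0x7fffffff before the comparison covers both cases.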
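Review bot: In the HEADERS hunk of src/mux_h2.c (@@ -2446,6 +2504,12), read_n32(hdrs) now reads four bytes of the priority block, and nothing visible in the hunk establishes that flen is at least 5 before that read or before flen -= 5. If an earlier check exists, a one-line comment pointing at it would do; if not, the length test belongs ahead of the new comparison. The comparison also takes in the exclusive bit that shares the 32-bit field with the stream dependency (RFC7540#6.3), and the trailing //goto fail_stream should either be removed or turned into a comment explaining why a connection error is raised here instead of a stream error.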
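Review bot: In the three hunks of src/mux_h2.c that change h2s->st == H2_SS_ERROR to h2s->st >= H2_SS_ERROR (@@ -3063, @@ -3072, @@ -3099), the test now depends on the declaration order of the stream state enum, which is not visible at these sites. Please add a comment naming the states that are meant to match, and a note at the enum that its order is relied upon. This matters most in the @@ -3099 hunk, because every state that compares greater or equal now sets CS_FL_ERROR and goes through h2s_send_rst_stream().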
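Review bot: In src/peers.c (@@ -1474 and @@ -1482), HA_SPIN_UNLOCK(STK_TABLE_LOCK, &st->table->lock) is now repeated at the top of each early-exit branch, a pattern where the release is easy to miss when another exit is added. Routing both failures through one label that unlocks before continuing to switchstate or full would leave a single release point to audit.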
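Review bot: In src/stream.c (@@ -388,12 +389,15), must_free_sess has to be computed before the two si_release_endpoint() calls because it reads s->si[0].end, yet the only comment is "applets do not release session yet". Please state the ordering requirement in that comment so the assignment is not later moved down next to session_free(sess), and say who frees the session in the non-applet case now that the FIXME describing the 1:1 stream/session relation is removed.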
