include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy
-PKG_VERSION:=1.5.15
-PKG_RELEASE:=13
+PKG_VERSION:=1.5.16
+PKG_RELEASE:=01
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_MD5SUM:=eeaa35744f84c92184cd735ee56dd0a3
+PKG_MD5SUM:=294fdb5aaaccba00c2070e5f4baf9f0e
PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>
PKG_LICENSE:=GPL-2.0
+++ /dev/null
-From 4818bc3035bccc00d8c3fc9b14ec37366cac3059 Mon Sep 17 00:00:00 2001
-From: Jerome Duval <jerome.duval@gmail.com>
-Date: Mon, 2 Nov 2015 17:47:43 +0000
-Subject: [PATCH 01/10] BUG/BUILD: replace haproxy-systemd-wrapper with
- $(EXTRA) in install-bin.
-
-[wt: this should be backported to 1.6 and 1.5 as well since some platforms
- don't build the systemd-wrapper]
-(cherry picked from commit 796d2fc136359c31c5c35f00c0751890ab42a016)
-(cherry picked from commit 9d0b47d96825b0584ea81c826a96ed8babcc016b)
----
- Makefile | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 9556069..e3199b2 100644
---- a/Makefile
-+++ b/Makefile
-@@ -719,10 +719,9 @@ install-doc:
- install -m 644 doc/$$x.txt "$(DESTDIR)$(DOCDIR)" ; \
- done
-
--install-bin: haproxy haproxy-systemd-wrapper
-+install-bin: haproxy $(EXTRA)
- install -d "$(DESTDIR)$(SBINDIR)"
-- install haproxy "$(DESTDIR)$(SBINDIR)"
-- install haproxy-systemd-wrapper "$(DESTDIR)$(SBINDIR)"
-+ install haproxy $(EXTRA) "$(DESTDIR)$(SBINDIR)"
-
- install: install-bin install-man install-doc
-
---
-2.4.10
-
+++ /dev/null
-From 1af6a324c3206902f69bd2c9838e94ffb4cee3ae Mon Sep 17 00:00:00 2001
-From: Lukas Tribus <luky-37@hotmail.com>
-Date: Thu, 5 Nov 2015 13:59:30 +0100
-Subject: [PATCH 02/10] BUG/MINOR: acl: don't use record layer in req_ssl_ver
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The initial record layer version in a SSL handshake may be set to TLSv1.0
-or similar for compatibility reasons, this is allowed as per RFC5246
-Appendix E.1 [1]. Some implementations are Openssl [2] and NSS [3].
-
-A related issue has been fixed some time ago in commit 57d229747
-("BUG/MINOR: acl: req_ssl_sni fails with SSLv3 record version").
-
-Fix this by using the real client hello version instead of the record
-layer version.
-
-This was reported by Julien Vehent and analyzed by Cyril Bonté.
-The initial patch is from Julien Vehent as well.
-
-This should be backported to stable series, the req_ssl_ver keyword was
-first introduced in 1.3.16.
-
-[1] https://tools.ietf.org/html/rfc5246#appendix-E.1
-[2] https://github.com/openssl/openssl/commit/4a1cf50187659e60c5867ecbbc36e37b2605d2c3
-[3] https://bugzilla.mozilla.org/show_bug.cgi?id=774547
-(cherry picked from commit c93242cab986087f06a4655d14fec18eecb7f5f4)
-(cherry picked from commit b048a6eb3d9cb518e4a378e20ba2a801afec553c)
----
- src/payload.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/src/payload.c b/src/payload.c
-index f62163c..b8f1ca3 100644
---- a/src/payload.c
-+++ b/src/payload.c
-@@ -148,21 +148,24 @@ smp_fetch_req_ssl_ver(struct proxy *px, struct session *s, void *l7, unsigned in
- data = (const unsigned char *)s->req->buf->p;
- if ((*data >= 0x14 && *data <= 0x17) || (*data == 0xFF)) {
- /* SSLv3 header format */
-- if (bleft < 5)
-+ if (bleft < 11)
- goto too_short;
-
-- version = (data[1] << 16) + data[2]; /* version: major, minor */
-+ version = (data[1] << 16) + data[2]; /* record layer version: major, minor */
- msg_len = (data[3] << 8) + data[4]; /* record length */
-
- /* format introduced with SSLv3 */
- if (version < 0x00030000)
- goto not_ssl;
-
-- /* message length between 1 and 2^14 + 2048 */
-- if (msg_len < 1 || msg_len > ((1<<14) + 2048))
-+ /* message length between 6 and 2^14 + 2048 */
-+ if (msg_len < 6 || msg_len > ((1<<14) + 2048))
- goto not_ssl;
-
- bleft -= 5; data += 5;
-+
-+ /* return the client hello client version, not the record layer version */
-+ version = (data[4] << 16) + data[5]; /* client hello version: major, minor */
- } else {
- /* SSLv2 header format, only supported for hello (msg type 1) */
- int rlen, plen, cilen, silen, chlen;
---
-2.4.10
-
+++ /dev/null
-From ef8a113d59e89b2214adf7ab9f9b0b75905a7050 Mon Sep 17 00:00:00 2001
-From: lsenta <laurent.senta@gmail.com>
-Date: Fri, 13 Nov 2015 10:44:22 +0100
-Subject: [PATCH 03/10] BUG: http: do not abort keep-alive connections on
- server timeout
-
-When a server timeout is detected on the second or nth request of a keep-alive
-connection, HAProxy closes the connection without writing a response.
-Some clients would fail with a remote disconnected exception and some
-others would retry potentially unsafe requests.
-
-This patch removes the special case and makes sure a 504 timeout is
-written back whenever a server timeout is handled.
-
-Signed-off-by: lsenta <laurent.senta@gmail.com>
-(cherry picked from commit 1e1f41d0f3473d86da84dc3785b7d7cbef6e9044)
-(cherry picked from commit 1f279c0b116f7fbc208793fffbd256c3c736fc52)
----
- src/proto_http.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 17742c6..e7e1785 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -5782,8 +5782,6 @@ int http_wait_for_response(struct session *s, struct channel *rep, int an_bit)
- else if (rep->flags & CF_READ_TIMEOUT) {
- if (msg->err_pos >= 0)
- http_capture_bad_message(&s->be->invalid_rep, s, msg, msg->msg_state, s->fe);
-- else if (txn->flags & TX_NOT_FIRST)
-- goto abort_keep_alive;
-
- s->be->be_counters.failed_resp++;
- if (objt_server(s->target)) {
---
-2.4.10
-
+++ /dev/null
-From c0d56134320e507c82952f3d2a03f76b701945cb Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Wed, 18 Nov 2015 11:59:55 +0100
-Subject: [PATCH 04/10] BUG/MEDIUM: http: switch the request channel to
- no-delay once done.
-
-There's an issue when sending POST data that came in a second packet,
-the CF_NEVER_WAIT flag is not always set on the request channel, while
-the server is waiting for the request. We must always set this flag in
-this case since we're not going to shut down after sending, contrary
-to the response side.
-
-Note that option http-no-delay works around this issue.
-
-Reproducer :
-
-listen px
- mode http
- timeout client 10s
- timeout server 5s
- timeout connect 3s
- option http-server-close
- #option http-no-delay
- bind :8001
- server s1 127.0.0.1:8003
-
-$ (printf "POST / HTTP/1.1\r\nTransfer-encoding: chunked\r\n\r\n"; sleep 0.01; printf "10\r\nAZERTYUIOPQSDFGH\r\n0\r\n\r\n") | nc6 0 8001
-
-Before this fix :
-
-12:03:31.946763 epoll_wait(3, {{EPOLLIN, {u32=5, u64=5}}}, 200, 1000) = 1
-12:03:32.634175 accept4(5, {sa_family=AF_INET, sin_port=htons(53849), sin_addr=inet_addr("127.0.0.1")}, [16], SOCK_NONBLOCK) = 6
-12:03:32.634318 setsockopt(6, SOL_TCP, TCP_NODELAY, [1], 4) = 0
-12:03:32.634434 accept4(5, 0x7ffccfbb2cf0, [128], SOCK_NONBLOCK) = -1 EAGAIN (Resource temporarily unavailable)
-12:03:32.634574 recvfrom(6, "POST / HTTP/1.1\r\nTransfer-encodi"..., 8192, 0, NULL, NULL) = 47
-12:03:32.634809 setsockopt(6, SOL_TCP, TCP_QUICKACK, [1], 4) = 0
-12:03:32.634952 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 7
-12:03:32.635031 fcntl(7, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
-12:03:32.635089 setsockopt(7, SOL_TCP, TCP_NODELAY, [1], 4) = 0
-12:03:32.635153 connect(7, {sa_family=AF_INET, sin_port=htons(8003), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
-12:03:32.635315 epoll_wait(3, {}, 200, 0) = 0
-12:03:32.635394 sendto(7, "POST / HTTP/1.1\r\nTransfer-encodi"..., 66, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 66
-12:03:32.635527 recvfrom(6, 0x7f0224e66024, 8192, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
-12:03:32.635651 epoll_ctl(3, EPOLL_CTL_ADD, 6, {EPOLLIN|0x2000, {u32=6, u64=6}}) = 0
-12:03:32.635782 epoll_wait(3, {}, 200, 0) = 0
-12:03:32.635842 recvfrom(7, 0x7f0224e66024, 8192, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
-12:03:32.635924 epoll_ctl(3, EPOLL_CTL_ADD, 7, {EPOLLIN|0x2000, {u32=7, u64=7}}) = 0
-12:03:32.636027 epoll_wait(3, {{EPOLLIN, {u32=6, u64=6}}}, 200, 1000) = 1
-12:03:32.644892 recvfrom(6, "10\r\nAZERTYUIOPQSDFGH\r\n0\r\n\r\n", 8192, 0, NULL, NULL) = 27
-12:03:32.645016 epoll_wait(3, {}, 200, 0) = 0
-12:03:32.645105 sendto(7, "10\r\nAZERTYUIOPQSDFGH\r\n0\r\n\r\n", 27, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_MORE, NULL, 0) = 27
-
-After the fix :
-
-11:59:12.538617 connect(7, {sa_family=AF_INET, sin_port=htons(8003), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
-11:59:12.538787 epoll_wait(3, {}, 200, 0) = 0
-11:59:12.538867 sendto(7, "POST / HTTP/1.1\r\nTransfer-encodi"..., 66, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 66
-11:59:12.539031 recvfrom(6, 0x7f832ce45024, 8192, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
-11:59:12.539161 epoll_ctl(3, EPOLL_CTL_ADD, 6, {EPOLLIN|0x2000, {u32=6, u64=6}}) = 0
-11:59:12.539259 epoll_wait(3, {}, 200, 0) = 0
-11:59:12.539337 recvfrom(7, 0x7f832ce45024, 8192, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
-11:59:12.539421 epoll_ctl(3, EPOLL_CTL_ADD, 7, {EPOLLIN|0x2000, {u32=7, u64=7}}) = 0
-11:59:12.539499 epoll_wait(3, {{EPOLLIN, {u32=6, u64=6}}}, 200, 1000) = 1
-11:59:12.548519 recvfrom(6, "10\r\nAZERTYUIOPQSDFGH\r\n0\r\n\r\n", 8192, 0, NULL, NULL) = 27
-11:59:12.548844 epoll_wait(3, {}, 200, 0) = 0
-11:59:12.549012 sendto(7, "10\r\nAZERTYUIOPQSDFGH\r\n0\r\n\r\n", 27, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 27
-11:59:12.549454 epoll_wait(3, {}, 200, 1000) = 0
-
-This fix must be backported to 1.6, 1.5 and 1.4.
-(cherry picked from commit 7f876a1eeb14ffae708327aad8a0b4b029da5e26)
-(cherry picked from commit 712a5339f384db62796aa4d4901e091dd7fd24dd)
----
- src/proto_http.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index e7e1785..b32e778 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -5001,6 +5001,13 @@ int http_sync_req_state(struct session *s)
- */
- chn->cons->flags |= SI_FL_NOHALF;
-
-+ /* In any case we've finished parsing the request so we must
-+ * disable Nagle when sending data because 1) we're not going
-+ * to shut this side, and 2) the server is waiting for us to
-+ * send pending data.
-+ */
-+ chn->flags |= CF_NEVER_WAIT;
-+
- if (txn->rsp.msg_state == HTTP_MSG_ERROR)
- goto wait_other_side;
-
-@@ -5015,7 +5022,6 @@ int http_sync_req_state(struct session *s)
- /* if any side switches to tunnel mode, the other one does too */
- channel_auto_read(chn);
- txn->req.msg_state = HTTP_MSG_TUNNEL;
-- chn->flags |= CF_NEVER_WAIT;
- goto wait_other_side;
- }
-
-@@ -5048,7 +5054,6 @@ int http_sync_req_state(struct session *s)
- if ((txn->flags & TX_CON_WANT_MSK) == TX_CON_WANT_TUN) {
- channel_auto_read(chn);
- txn->req.msg_state = HTTP_MSG_TUNNEL;
-- chn->flags |= CF_NEVER_WAIT;
- }
- }
-
---
-2.4.10
-
+++ /dev/null
-From e77015cdc18ab74aba61cdf57de56d06be5c2a4d Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Wed, 14 Jan 2015 11:48:58 +0100
-Subject: [PATCH 05/10] MINOR: config: extend the default max hostname length
- to 64 and beyond
-
-Some users reported that the default max hostname length of 32 is too
-short in some environments. This patch does two things :
-
- - it relies on the system's max hostname length as found in MAXHOSTNAMELEN
- if it is set. This is the most logical thing to do as the system libs
- generally present the appropriate value supported by the system. This
- value is 64 on Linux and 256 on Solaris, to give a few examples.
-
- - otherwise it defaults to 64
-
-It is still possible to override this value by defining MAX_HOSTNAME_LEN at
-build time. After some observation time, this patch may be backported to
-1.5 if it does not cause any build issue, as it is harmless and may help
-some users.
-(cherry picked from commit 75abcb3106e2c27ef983df885558cf94e01f717a)
-
-Cc: Lukas Tribus <luky-37@hotmail.com>
-Cc: jose.castro.leon@cern.ch
-
-[wt: no issue reported so far and Jose rightfully asked for it in 1.5]
----
- include/common/defaults.h | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/include/common/defaults.h b/include/common/defaults.h
-index 0075509..a191b8a 100644
---- a/include/common/defaults.h
-+++ b/include/common/defaults.h
-@@ -190,8 +190,12 @@
-
- /* Maximum host name length */
- #ifndef MAX_HOSTNAME_LEN
--#define MAX_HOSTNAME_LEN 32
--#endif
-+#if MAXHOSTNAMELEN
-+#define MAX_HOSTNAME_LEN MAXHOSTNAMELEN
-+#else
-+#define MAX_HOSTNAME_LEN 64
-+#endif // MAXHOSTNAMELEN
-+#endif // MAX_HOSTNAME_LEN
-
- /* Maximum health check description length */
- #ifndef HCHK_DESC_LEN
---
-2.4.10
-
+++ /dev/null
-From 3de8e7ab8d9125402cc1a8fb48ee475ee21d7d4c Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Wed, 25 Nov 2015 20:11:11 +0100
-Subject: [PATCH 06/10] BUG/MEDIUM: http: don't enable auto-close on the
- response side
-
-There is a bug where "option http-keep-alive" doesn't force a response
-to stay in keep-alive if the server sends the FIN along with the response
-on the second or subsequent response. The reason is that the auto-close
-was forced enabled when recycling the HTTP transaction and it's never
-disabled along the response processing chain before the SHUTR gets a
-chance to be forwarded to the client side. The MSG_DONE state of the
-HTTP response properly disables it but too late.
-
-There's no more reason for enabling auto-close here, because either it
-doesn't matter in non-keep-alive modes because the connection is closed,
-or it is automatically enabled by process_stream() when it sees there's
-no analyser on the stream.
-
-This bug also affects 1.5 so a backport is desired.
-(cherry picked from commit 714ea78c9a09fe6a35a1f2d86af8f7fc9abb64d1)
-(cherry picked from commit a15091be17f27fcf4e3a84338df1a8b732e396a1)
----
- src/proto_http.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index b32e778..5facfbb 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -4946,11 +4946,13 @@ void http_end_txn_clean_session(struct session *s)
- s->rep->flags |= CF_EXPECT_MORE;
- }
-
-- /* we're removing the analysers, we MUST re-enable events detection */
-+ /* we're removing the analysers, we MUST re-enable events detection.
-+ * We don't enable close on the response channel since it's either
-+ * already closed, or in keep-alive with an idle connection handler.
-+ */
- channel_auto_read(s->req);
- channel_auto_close(s->req);
- channel_auto_read(s->rep);
-- channel_auto_close(s->rep);
-
- /* we're in keep-alive with an idle connection, monitor it */
- si_idle_conn(s->req->cons);
---
-2.4.10
-
+++ /dev/null
-From 9154bc92ed11c6de75573dec341b6a0ce68bd0eb Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Wed, 25 Nov 2015 20:17:27 +0100
-Subject: [PATCH 07/10] BUG/MEDIUM: stream: fix half-closed timeout handling
-
-client-fin and server-fin are bogus. They are applied on the write
-side after a SHUTR was seen. The immediate effect is that sometimes
-if a SHUTR was seen after a SHUTW on the same side, the timeout is
-enabled again regardless of the fact that the output is already
-closed. This results in the timeout event not to be processed and
-a busy poll loop to happen until another timeout on the stream gets
-rid of it. Note that haproxy continues its job during this, it's just
-that it eats all the CPU trying to handle an event that it ignores.
-
-An reproducible case consists in having a client stop reading data from
-a server to ensure data remain in the response buffer, then the client
-sends a shutdown(write). If abortonclose is enabled on haproxy, the
-shutdown is passed to the server side and the server responds with a
-SHUTR that cannot immediately be forwarded to the client since the
-buffer is full. During this time the event is ignored and the task is
-woken again in loops.
-
-It is worth noting that the timeout handling since 1.5 is a bit fragile
-and that it might be possible that other similar conditions still exist,
-so the timeout handling should be audited regarding this issue.
-
-Many thanks to BaiYang for providing detailed information showing the
-problem in action.
-
-This bug also affects 1.5 thus the fix must be backported.
-(cherry picked from commit f25b3573d65fd2411c7537b7b0a4817b478df909)
-[Note for 1.5, it's in session.c here]
-(cherry picked from commit 44e86286159474a52dc74f80d3271504cc6f1550)
----
- src/session.c | 16 ----------------
- 1 file changed, 16 deletions(-)
-
-diff --git a/src/session.c b/src/session.c
-index 7520a85..2b2ad78 100644
---- a/src/session.c
-+++ b/src/session.c
-@@ -2213,10 +2213,6 @@ struct task *process_session(struct task *t)
- if (unlikely((s->req->flags & (CF_SHUTW|CF_SHUTW_NOW|CF_AUTO_CLOSE|CF_SHUTR)) ==
- (CF_AUTO_CLOSE|CF_SHUTR))) {
- channel_shutw_now(s->req);
-- if (tick_isset(s->fe->timeout.clientfin)) {
-- s->rep->wto = s->fe->timeout.clientfin;
-- s->rep->wex = tick_add(now_ms, s->rep->wto);
-- }
- }
-
- /* shutdown(write) pending */
-@@ -2241,10 +2237,6 @@ struct task *process_session(struct task *t)
- if (s->req->prod->flags & SI_FL_NOHALF)
- s->req->prod->flags |= SI_FL_NOLINGER;
- si_shutr(s->req->prod);
-- if (tick_isset(s->fe->timeout.clientfin)) {
-- s->rep->wto = s->fe->timeout.clientfin;
-- s->rep->wex = tick_add(now_ms, s->rep->wto);
-- }
- }
-
- /* it's possible that an upper layer has requested a connection setup or abort.
-@@ -2391,10 +2383,6 @@ struct task *process_session(struct task *t)
- if (unlikely((s->rep->flags & (CF_SHUTW|CF_SHUTW_NOW|CF_AUTO_CLOSE|CF_SHUTR)) ==
- (CF_AUTO_CLOSE|CF_SHUTR))) {
- channel_shutw_now(s->rep);
-- if (tick_isset(s->be->timeout.serverfin)) {
-- s->req->wto = s->be->timeout.serverfin;
-- s->req->wex = tick_add(now_ms, s->req->wto);
-- }
- }
-
- /* shutdown(write) pending */
-@@ -2417,10 +2405,6 @@ struct task *process_session(struct task *t)
- if (s->rep->prod->flags & SI_FL_NOHALF)
- s->rep->prod->flags |= SI_FL_NOLINGER;
- si_shutr(s->rep->prod);
-- if (tick_isset(s->be->timeout.serverfin)) {
-- s->req->wto = s->be->timeout.serverfin;
-- s->req->wex = tick_add(now_ms, s->req->wto);
-- }
- }
-
- if (s->req->prod->state == SI_ST_DIS || s->req->cons->state == SI_ST_DIS)
---
-2.4.10
-
+++ /dev/null
-From 07ccb48add8c8cb0dd8a0f7d3f4994866d0ef32e Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Thu, 26 Nov 2015 18:32:39 +0100
-Subject: [PATCH 08/10] BUG/MEDIUM: cli: changing compression rate-limiting
- must require admin level
-
-Right now it's possible to change the global compression rate limiting
-without the CLI being at the admin level.
-
-This fix must be backported to 1.6 and 1.5.
-(cherry picked from commit a1c2b2c4f3e65d198a0a4b25a4f655f7b307a855)
-(cherry picked from commit 9e5f1489c9f2d6926729890f249f7ebb9d3bfd43)
----
- src/dumpstats.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/dumpstats.c b/src/dumpstats.c
-index b4be2cd..b1bbf31 100644
---- a/src/dumpstats.c
-+++ b/src/dumpstats.c
-@@ -1695,6 +1695,12 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
- if (strcmp(args[3], "global") == 0) {
- int v;
-
-+ if (s->listener->bind_conf->level < ACCESS_LVL_ADMIN) {
-+ appctx->ctx.cli.msg = stats_permission_denied_msg;
-+ appctx->st0 = STAT_CLI_PRINT;
-+ return 1;
-+ }
-+
- if (!*args[4]) {
- appctx->ctx.cli.msg = "Expects a maximum input byte rate in kB/s.\n";
- appctx->st0 = STAT_CLI_PRINT;
---
-2.4.10
-
+++ /dev/null
-From 97ef6f99b8426ffdc97864fc8bb2d85c87cfdad0 Mon Sep 17 00:00:00 2001
-From: Thierry FOURNIER <tfournier@arpalert.org>
-Date: Tue, 3 Nov 2015 19:17:37 +0100
-Subject: [PATCH 09/10] BUILD: freebsd: double declaration
-
-On freebsd, the macro LIST_PREV already exists in the header file
-<sys/queue.h>, and this makes a build error.
-
-This patch removes the macros before declaring it. This ensure
-that the error doesn't occurs.
-(cherry picked from commit 1db96672c4cd264ebca8197bec93a5ce1b23aaa9)
-(cherry picked from commit 6cf9c6b270e57f05abf72cd61f4facb5b6980d57)
----
- include/common/mini-clist.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/include/common/mini-clist.h b/include/common/mini-clist.h
-index 3c3f001..404b6fa 100644
---- a/include/common/mini-clist.h
-+++ b/include/common/mini-clist.h
-@@ -144,6 +144,7 @@ struct cond_wordlist {
- * which contains list head <lh>, which is known as element <el> in
- * struct pt.
- */
-+#undef LIST_PREV
- #define LIST_PREV(lh, pt, el) (LIST_ELEM((lh)->p, pt, el))
-
- /*
---
-2.4.10
-
+++ /dev/null
-From 0f836e1361933721c5689c7943143fd6cd260148 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Cyril=20Bont=C3=A9?= <cyril.bonte@free.fr>
-Date: Thu, 26 Nov 2015 21:39:56 +0100
-Subject: [PATCH 10/10] BUG/MEDIUM: sample: urlp can't match an empty value
-
-Currently urlp fetching samples were able to find parameters with an empty
-value, but the return code depended on the value length. The final result was
-that acls using urlp couldn't match empty values.
-
-Example of acl which always returned "false":
- acl MATCH_EMPTY urlp(foo) -m len 0
-
-The fix consists in unconditionally return 1 when the parameter is found.
-
-This fix must be backported to 1.6 and 1.5.
-(cherry picked from commit ce1ef4df0135f9dc1cb6691395eacb487015fe3e)
-(cherry picked from commit 6bd426cf35c95985712369ed528c10a5f80ad8fd)
-[ note: in 1.5 we have value+value_l instead of vstart+vend ]
----
- src/proto_http.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 5facfbb..3af7880 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -11050,9 +11050,11 @@ find_url_param_pos(char* query_string, size_t query_string_l,
- }
-
- /*
-- * Given a url parameter name, returns its value and size into *value and
-- * *value_l respectively, and returns non-zero. If the parameter is not found,
-- * zero is returned and value/value_l are not touched.
-+ * Given a url parameter name and a query string, find the next value.
-+ * An empty url_param_name matches the first available parameter.
-+ * If the parameter is found, 1 is returned and *value / *value_l are updated
-+ * to respectively provide a pointer to the value and its length.
-+ * Otherwise, 0 is returned and value/value_l are not modified.
- */
- static int
- find_url_param_value(char* path, size_t path_l,
-@@ -11082,7 +11084,7 @@ find_url_param_value(char* path, size_t path_l,
-
- *value = value_start;
- *value_l = value_end - value_start;
-- return value_end != value_start;
-+ return 1;
- }
-
- static int
---
-2.4.10
-
+++ /dev/null
-From 96a1b4a969a5f3c9224d786c79e90d15a47094b0 Mon Sep 17 00:00:00 2001
-From: Emeric Brun <ebrun@haproxy.com>
-Date: Wed, 16 Dec 2015 15:16:46 +0100
-Subject: [PATCH 11/13] BUG/MEDIUM: peers: table entries learned from a remote
- are pushed to others after a random delay.
-
-New sticktable entries learned from a remote peer can be pushed to others after
-a random delay because they are not inserted at the right position in the updates
-tree.
-(cherry picked from commit 234fc3c31e751f8191b9b78fa5fd16663c2627fe)
-(cherry picked from commit 8b1a697362977b8392caca3efaf97a5a8a8c782b)
----
- src/peers.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/peers.c b/src/peers.c
-index 0564d3d..92b4df0 100644
---- a/src/peers.c
-+++ b/src/peers.c
-@@ -720,7 +720,7 @@ switchstate:
- ts = stktable_store(ps->table->table, newts, 0);
- newts = NULL; /* don't reuse it */
-
-- ts->upd.key= (++ps->table->table->update)+(2^31);
-+ ts->upd.key= (++ps->table->table->update)+(2147483648U);
- eb = eb32_insert(&ps->table->table->updates, &ts->upd);
- if (eb != &ts->upd) {
- eb32_delete(eb);
---
-2.4.10
-
+++ /dev/null
-From a320fd146f802a851a396b2cde491711a4fb87cf Mon Sep 17 00:00:00 2001
-From: Emeric Brun <ebrun@haproxy.com>
-Date: Wed, 16 Dec 2015 15:28:12 +0100
-Subject: [PATCH 12/13] BUG/MEDIUM: peers: old stick table updates could be
- repushed.
-
-Because the stick table updates tree was not properly initialized to EB_ROOT_UNIQUE.
-(cherry picked from commit 1c6235dbba0a67bad1d5e57ada88f28e1270a5cb)
-(cherry picked from commit 6e80935a77c8c2c67a982780a0f14c241f02f2aa)
----
- src/stick_table.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/stick_table.c b/src/stick_table.c
-index 48d5710..6310690 100644
---- a/src/stick_table.c
-+++ b/src/stick_table.c
-@@ -385,6 +385,7 @@ int stktable_init(struct stktable *t)
- if (t->size) {
- memset(&t->keys, 0, sizeof(t->keys));
- memset(&t->exps, 0, sizeof(t->exps));
-+ t->updates = EB_ROOT_UNIQUE;
-
- t->pool = create_pool("sticktables", sizeof(struct stksess) + t->data_size + t->key_size, MEM_F_SHARED);
-
---
-2.4.10
-
+++ /dev/null
-From 21fab69d332bfafd0a214ee29d8ad0779a055988 Mon Sep 17 00:00:00 2001
-From: David Carlier <devnexen@gmail.com>
-Date: Tue, 8 Dec 2015 21:43:09 +0000
-Subject: [PATCH 13/13] CLEANUP: haproxy: using _GNU_SOURCE instead of
- __USE_GNU macro.
-
-In order to properly enable sched_setaffinity, in some versions of Linux,
-it is rather _GNU_SOURCE than __USE_GNU (spotted on Alpine Linux for instance),
-also for the sake of consistency as __USE_GNU seems not used across the code and
-for last, it seems on Linux it is the best way to enable non portable code.
-On Linux glibc's based versions, it seems _GNU_SOURCE defines __USE_GNU
-it should be safe enough.
-(cherry picked from commit 7ece096767d329d0ea04b70a1fb2c8b8a96b47e0)
-(cherry picked from commit 5a0ac35503f88a7bc8ee2c4f865354fa6cc25901)
----
- src/haproxy.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/src/haproxy.c b/src/haproxy.c
-index b94252d..20480a1 100644
---- a/src/haproxy.c
-+++ b/src/haproxy.c
-@@ -25,6 +25,7 @@
- *
- */
-
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
-@@ -47,9 +48,7 @@
- #include <syslog.h>
- #include <grp.h>
- #ifdef USE_CPU_AFFINITY
--#define __USE_GNU
- #include <sched.h>
--#undef __USE_GNU
- #endif
-
- #ifdef DEBUG_FULL
---
-2.4.10
-
projects / feed / packages.git / commitdiff