From: Christian Lachner Date: Wed, 24 Jul 2019 05:54:52 +0000 (+0200) Subject: haproxy: Update HAProxy to v2.0.3 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=4791d229466a826cb976096009602498cc6dc659;p=feed%2Fpackages.git haproxy: Update HAProxy to v2.0.3 - Update haproxy download URL and hash - Add new patches Signed-off-by: Christian Lachner --- diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index b0a691e020..0c6cb0739e 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -10,12 +10,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=haproxy -PKG_VERSION:=2.0.1 +PKG_VERSION:=2.0.3 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.haproxy.org/download/2.0/src -PKG_HASH:=9975c475ba6f19aac4b665d8705f7b9f7911df7fc316ba7b9efd6fe263181eb1 +PKG_HASH:=aac1ff3e5079997985b6560f46bf265447d0cd841f11c4d77f15942c9fe4b770 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) PKG_MAINTAINER:=Thomas Heil , \ diff --git a/net/haproxy/get-latest-patches.sh b/net/haproxy/get-latest-patches.sh index 1e548c6c20..f3c59beeb7 100755 --- a/net/haproxy/get-latest-patches.sh +++ b/net/haproxy/get-latest-patches.sh @@ -1,7 +1,7 @@ #!/bin/bash CLONEURL=http://git.haproxy.org/git/haproxy-2.0.git -BASE_TAG=v2.0.1 +BASE_TAG=v2.0.3 TMP_REPODIR=tmprepo PATCHESDIR=patches diff --git a/net/haproxy/patches/000-BUG-MINOR-mworker-cli-dont-output-a-n-before-the-response.patch b/net/haproxy/patches/000-BUG-MINOR-mworker-cli-dont-output-a-n-before-the-response.patch deleted file mode 100644 index 36fb3e8647..0000000000 --- a/net/haproxy/patches/000-BUG-MINOR-mworker-cli-dont-output-a-n-before-the-response.patch +++ /dev/null 
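Review bot: The context line `CLONEURL=http://git.haproxy.org/git/haproxy-2.0.git` in the get-latest-patches.sh hunk still clones over plain HTTP, so whatever the script pulls on top of `BASE_TAG=v2.0.3` (presumably the backport patches written to `PATCHESDIR`) arrives without transport integrity. The release tarball, by contrast, is pinned by `PKG_HASH` in the Makefile hunk. If the upstream host serves the repository over TLS, change the line to `CLONEURL=https://git.haproxy.org/git/haproxy-2.0.git`. Otherwise, compare the fetched commit ids against a trusted copy before committing the generated patch files. The rest of the script is outside the hunk, so any verification it already performs is not visible here.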
@@ -1,81 +0,0 @@ -commit 1bd140ea3fab97ccd37adf9d0c106d52af9e53fa -Author: William Lallemand -Date: Mon Jul 1 10:56:15 2019 +0200 - - BUG/MINOR: mworker/cli: don't output a \n before the response - - When using a level lower than admin on the master CLI, a \n is output - before the response, this is caused by the response of the "operator" or - "user" that are sent before the actual command. - - To fix this problem we introduce the flag APPCTX_CLI_ST1_NOLF which ask - a command response to not be followed by the final \n. - This patch made a special case with the command operator and user - followed by a - so they are not followed by \n. - - This patch must be backported to 2.0 and 1.9. - - (cherry picked from commit ad03288e6b28d816abb443cf8c6d984a72bb91a6) - 
Signed-off-by: William Lallemand - -diff --git a/include/types/applet.h b/include/types/applet.h -index c9e02d17..1f3a4983 100644 ---- a/include/types/applet.h -+++ b/include/types/applet.h -@@ -50,6 +50,7 @@ struct applet { - - #define APPCTX_CLI_ST1_PROMPT (1 << 0) - #define APPCTX_CLI_ST1_PAYLOAD (1 << 1) -+#define APPCTX_CLI_ST1_NOLF (1 << 2) - - /* Context of a running applet. */ - struct appctx { -diff --git a/src/cli.c b/src/cli.c -index 44ddc7bf..9a9f80f9 100644 ---- a/src/cli.c -+++ b/src/cli.c -@@ -821,7 +821,7 @@ static void cli_io_handler(struct appctx *appctx) - prompt = "\n> "; - } - else { -- if (!(appctx->st1 & APPCTX_CLI_ST1_PAYLOAD)) -+ if (!(appctx->st1 & (APPCTX_CLI_ST1_PAYLOAD|APPCTX_CLI_ST1_NOLF))) - prompt = "\n"; - } - -@@ -848,6 +848,8 @@ static void cli_io_handler(struct appctx *appctx) - - /* switch state back to GETREQ to read next requests */ - appctx->st0 = CLI_ST_GETREQ; -+ /* reactivate the \n at the end of the response for the next command */ -+ appctx->st1 &= ~APPCTX_CLI_ST1_NOLF; - } - } - -@@ -1442,6 +1444,10 @@ static int cli_parse_show_lvl(char **args, char *payload, struct appctx *appctx, - /* parse and set the CLI level dynamically */ - static int cli_parse_set_lvl(char **args, char *payload, struct appctx *appctx, void *private) - { -+ /* this will ask the applet to not output a \n after the command */ -+ if (!strcmp(args[1], "-")) -+ appctx->st1 |= APPCTX_CLI_ST1_NOLF; -+ - if (!strcmp(args[0], "operator")) { - if (!cli_has_level(appctx, ACCESS_LVL_OPER)) { - return 1; -@@ -2097,11 +2103,11 @@ int pcli_parse_request(struct stream *s, struct channel *req, char **errmsg, int - if (pcli_has_level(s, ACCESS_LVL_ADMIN)) { - goto end; - } else if (pcli_has_level(s, ACCESS_LVL_OPER)) { -- ci_insert_line2(req, 0, "operator", strlen("operator")); -- ret += strlen("operator") + 2; -+ ci_insert_line2(req, 0, "operator -", strlen("operator -")); -+ ret += strlen("operator -") + 2; - } else if (pcli_has_level(s, ACCESS_LVL_USER)) { -- 
ci_insert_line2(req, 0, "user", strlen("user")); -- ret += strlen("user") + 2; -+ ci_insert_line2(req, 0, "user -", strlen("user -")); -+ ret += strlen("user -") + 2; - } - } - end: diff --git a/net/haproxy/patches/000-OPENWRT-add-uclibc-support.patch b/net/haproxy/patches/000-OPENWRT-add-uclibc-support.patch new file mode 100644 index 0000000000..275702522b --- /dev/null +++ b/net/haproxy/patches/000-OPENWRT-add-uclibc-support.patch @@ -0,0 +1,18 @@ +--- a/Makefile ++++ b/Makefile +@@ -327,6 +327,15 @@ ifeq ($(TARGET),linux-glibc) + USE_GETADDRINFO) + endif + ++# For linux >= 2.6.28 and uclibc ++ifeq ($(TARGET),linux-uclibc) ++ set_target_defaults = $(call default_opts, \ ++ USE_POLL USE_TPROXY USE_DL USE_RT USE_NETFILTER \ ++ USE_CPU_AFFINITY USE_THREAD USE_EPOLL USE_FUTEX USE_LINUX_TPROXY \ ++ USE_ACCEPT4 USE_LINUX_SPLICE USE_PRCTL USE_THREAD_DUMP USE_NS USE_TFO \ ++ USE_GETADDRINFO) ++endif ++ + # Solaris 8 and above + ifeq ($(TARGET),solaris) + # We also enable getaddrinfo() which works since solaris 8. diff --git a/net/haproxy/patches/001-BUG-MEDIUM-ssl-Dont-attempt-to-set-alpn-if-were-not-using-SSL.patch b/net/haproxy/patches/001-BUG-MEDIUM-ssl-Dont-attempt-to-set-alpn-if-were-not-using-SSL.patch deleted file mode 100644 index a37cda56f9..0000000000 --- a/net/haproxy/patches/001-BUG-MEDIUM-ssl-Dont-attempt-to-set-alpn-if-were-not-using-SSL.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -commit aa2ecea6f711f50192476b26a5b1d767108bd761 -Author: Olivier Houchard -Date: Fri Jun 28 14:10:33 2019 +0200 - - BUG/MEDIUM: ssl: Don't attempt to set alpn if we're not using SSL. - - Checks use ssl_sock_set_alpn() to set the ALPN if check-alpn is used, however - check-alpn failed to check if the connection was indeed using SSL, and thus, - would crash if check-alpn was used on a non-SSL connection. Fix this by - making sure the connection uses SSL before attempting to set the ALPN. - - This should be backported to 2.0 and 1.9. - - (cherry picked from commit e488ea865a433d93efcb14c0c602918070c6b208) - Signed-off-by: Willy Tarreau - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 05240063..c9fffbec 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -6411,6 +6411,9 @@ void ssl_sock_set_alpn(struct connection *conn, const unsigned char *alpn, int l - #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation - struct ssl_sock_ctx *ctx = conn->xprt_ctx; - -+ if (!ssl_sock_is_ssl(conn)) -+ return; -+ - SSL_set_alpn_protos(ctx->ssl, alpn, len); - #endif - } diff --git a/net/haproxy/patches/001-OPENWRT-openssl-deprecated.patch b/net/haproxy/patches/001-OPENWRT-openssl-deprecated.patch new file mode 100644 index 0000000000..541077e238 --- /dev/null +++ b/net/haproxy/patches/001-OPENWRT-openssl-deprecated.patch @@ -0,0 +1,12 @@ +--- a/include/common/openssl-compat.h ++++ b/include/common/openssl-compat.h +@@ -217,7 +217,8 @@ static inline int EVP_PKEY_base_id(EVP_PKEY *pkey) + #define TLSEXT_signature_ecdsa 3 + #endif + +-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER < 0x20700000L) ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L)) + #define X509_getm_notBefore X509_get_notBefore + #define X509_getm_notAfter X509_get_notAfter + #endif 
diff --git a/net/haproxy/patches/002-BUG-MEDIUM-mux-h1-Always-release-H1C-if-a-shutdown-for-writes-was-reported.patch b/net/haproxy/patches/002-BUG-MEDIUM-mux-h1-Always-release-H1C-if-a-shutdown-for-writes-was-reported.patch deleted file mode 100644 index 140ec71db5..0000000000 --- a/net/haproxy/patches/002-BUG-MEDIUM-mux-h1-Always-release-H1C-if-a-shutdown-for-writes-was-reported.patch +++ /dev/null @@ -1,35 +0,0 @@ -commit 9fa93f6220a374f724491fd781d44d31f307671f -Author: Christopher Faulet -Date: Fri Jun 28 17:41:42 2019 +0200 - - BUG/MEDIUM: mux-h1: Always release H1C if a shutdown for writes was reported - - We must take care of this when the stream is detached from the - connection. Otherwise, on the server side, the connexion is inserted in the list - of idle connections of the session. But when reused, because the shutdown for - writes was already catched, nothing is sent to the server and the session is - blocked with a freezed connection. - - This patch must be backported to 2.0 and 1.9. It is related to the issue #136 - reported on Github. - - (cherry picked from commit 3ac0f43020e1cd77198020201e4e482a1c2ef8ac) - Signed-off-by: Willy Tarreau - -diff --git a/src/mux_h1.c b/src/mux_h1.c -index 3d2bd8b8..e497e6f6 100644 ---- a/src/mux_h1.c -+++ b/src/mux_h1.c -@@ -2192,9 +2192,9 @@ static void h1_detach(struct conn_stream *cs) - } - } - -- /* We don't want to close right now unless the connection is in error */ -- if ((h1c->flags & (H1C_F_CS_ERROR|H1C_F_CS_SHUTDOWN|H1C_F_UPG_H2C)) || -- (h1c->conn->flags & CO_FL_ERROR) || !h1c->conn->owner) -+ /* We don't want to close right now unless the connection is in error or shut down for writes */ -+ if ((h1c->flags & (H1C_F_CS_ERROR|H1C_F_CS_SHUTW_NOW|H1C_F_CS_SHUTDOWN|H1C_F_UPG_H2C)) || -+ (h1c->conn->flags & (CO_FL_ERROR|CO_FL_SOCK_WR_SH)) || !h1c->conn->owner) - h1_release(h1c); - else { - tasklet_wakeup(h1c->wait_event.tasklet); 
diff --git a/net/haproxy/patches/003-BUG-MEDIUM-checks-unblock-signals-in-external-checks.patch b/net/haproxy/patches/003-BUG-MEDIUM-checks-unblock-signals-in-external-checks.patch deleted file mode 100644 index d23dbdc9f7..0000000000 --- a/net/haproxy/patches/003-BUG-MEDIUM-checks-unblock-signals-in-external-checks.patch +++ /dev/null @@ -1,51 +0,0 @@ -commit afc313e6cd4be32f3c3d212e875d4dbcef8a0c70 -Author: Willy Tarreau -Date: Mon Jul 1 07:51:29 2019 +0200 - - BUG/MEDIUM: checks: unblock signals in external checks - - As discussed in issue #140, processes are forked with signals blocked - resulting in haproxy's kill being ignored. This happens when the command - takes more time to complete than the configured check timeout or interval. - Just calling "sleep 30" every second makes the problem obvious. - - The fix simply consists in unblocking the signals in the child after the - fork. It needs to be backported to all stable branches containing external - checks and where signals are blocked on startup. It's unclear when it - started, but the following config exhibits the issue : - - global - external-check - - listen www - bind :8001 - timeout client 5s - timeout server 5s - timeout connect 5s - option external-check - external-check command "$PWD/sleep10.sh" - server local 127.0.0.1:80 check inter 200 - - $ cat sleep10.sh - #!/bin/sh - exec /bin/sleep 10 - - The "sleep" processes keep accumulating for 10 seconds and stabilize - around 25 when the bug is present. Just issuing "killall sleep" has no - effect on them, and stopping haproxy leaves these processes behind. - - (cherry picked from commit 2df8cad0fea2d1a4ca8dd58f384df3c3c3f5d7ee) - 
Signed-off-by: Willy Tarreau - -diff --git a/src/checks.c b/src/checks.c -index c175a752..e31eb173 100644 ---- a/src/checks.c -+++ b/src/checks.c -@@ -1997,6 +1997,7 @@ static int connect_proc_chk(struct task *t) - - environ = check->envp; - extchk_setenv(check, EXTCHK_HAPROXY_SERVER_CURCONN, ultoa_r(s->cur_sess, buf, sizeof(buf))); -+ haproxy_unblock_signals(); - execvp(px->check_command, check->argv); - ha_alert("Failed to exec process for external health check: %s. Aborting.\n", - strerror(errno)); diff --git a/net/haproxy/patches/004-BUG-MINOR-mux-h1-Skip-trailers-for-non-chunked-outgoing-messages.patch b/net/haproxy/patches/004-BUG-MINOR-mux-h1-Skip-trailers-for-non-chunked-outgoing-messages.patch deleted file mode 100644 index 2e16401962..0000000000 --- a/net/haproxy/patches/004-BUG-MINOR-mux-h1-Skip-trailers-for-non-chunked-outgoing-messages.patch +++ /dev/null @@ -1,48 +0,0 @@ -commit 52131680c42ddbfa6f2b5d109ffc79c28f44e42a -Author: Christopher Faulet -Date: Thu Jun 27 17:40:14 2019 +0200 - - BUG/MINOR: mux-h1: Skip trailers for non-chunked outgoing messages - - Unlike H1, H2 messages may contains trailers while the header "Content-Length" - is set. Indeed, because of the framed structure of HTTP/2, it is no longer - necessary to use the chunked transfer encoding. So Trailing HEADERS frames, - after all DATA frames, may be added on messages with an explicit content length. - - But in H1, it is impossible to have trailers on non-chunked messages. So when - outgoing messages are formatted by the H1 multiplexer, if the message is not - chunked, all trailers must be dropped. - - This patch must be backported to 2.0 and 1.9. However, the patch will have to be - adapted for the 1.9. - - (cherry picked from commit 5433a0b0215c791b4165bddd360a254fa141c6e9) - 
Signed-off-by: Christopher Faulet - -diff --git a/src/mux_h1.c b/src/mux_h1.c -index e497e6f6..e7d769b4 100644 ---- a/src/mux_h1.c -+++ b/src/mux_h1.c -@@ -1696,7 +1696,9 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun - goto done; - } - else if (type == HTX_BLK_EOT || type == HTX_BLK_TLR) { -- if (!chunk_memcat(&tmp, "0\r\n", 3)) -+ /* If the message is not chunked, never -+ * add the last chunk. */ -+ if ((h1m->flags & H1_MF_CHNK) && !chunk_memcat(&tmp, "0\r\n", 3)) - goto copy; - goto trailers; - } -@@ -1715,6 +1717,11 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun - goto error; - trailers: - h1m->state = H1_MSG_TRAILERS; -+ /* If the message is not chunked, ignore -+ * trailers. It may happen with H2 messages. */ -+ if (!(h1m->flags & H1_MF_CHNK)) -+ break; -+ - if (type == HTX_BLK_EOT) { - if (!chunk_memcat(&tmp, "\r\n", 2)) - goto copy; diff --git a/net/haproxy/patches/005-BUG-MINOR-mux-h1-Dont-return-the-empty-chunk-on-HEAD-responses.patch b/net/haproxy/patches/005-BUG-MINOR-mux-h1-Dont-return-the-empty-chunk-on-HEAD-responses.patch deleted file mode 100644 index d1619601ce..0000000000 --- a/net/haproxy/patches/005-BUG-MINOR-mux-h1-Dont-return-the-empty-chunk-on-HEAD-responses.patch +++ /dev/null @@ -1,27 +0,0 @@ -commit 33d58b51e0f1bf68603aa86c9125ae75d6964454 -Author: Christopher Faulet -Date: Mon Jul 1 16:17:30 2019 +0200 - - BUG/MINOR: mux-h1: Don't return the empty chunk on HEAD responses - - HEAD responses must not have any body payload. But, because of a bug, for chunk - reponses, the empty chunk was always added. - - This patch fixes the Github issue #146. It must be backported to 2.0 and 1.9. - - (cherry picked from commit b8fc304e8f996f0d9835e4d6524ef8961d3be076) - 
Signed-off-by: Christopher Faulet - -diff --git a/src/mux_h1.c b/src/mux_h1.c -index e7d769b4..37cc8252 100644 ---- a/src/mux_h1.c -+++ b/src/mux_h1.c -@@ -1682,6 +1682,8 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun - h1m->flags |= (H1_MF_NO_PHDR|H1_MF_CLEAN_CONN_HDR); - h1s->flags &= ~H1S_F_HAVE_O_CONN; - } -+ else if ((h1m->flags & H1_MF_RESP) && h1s->meth == HTTP_METH_HEAD) -+ h1m->state = H1_MSG_DONE; - else - h1m->state = H1_MSG_DATA; - break; diff --git a/net/haproxy/patches/006-OPENWRT-add-uclibc-support.patch b/net/haproxy/patches/006-OPENWRT-add-uclibc-support.patch deleted file mode 100644 index 275702522b..0000000000 --- a/net/haproxy/patches/006-OPENWRT-add-uclibc-support.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- a/Makefile -+++ b/Makefile -@@ -327,6 +327,15 @@ ifeq ($(TARGET),linux-glibc) - USE_GETADDRINFO) - endif - -+# For linux >= 2.6.28 and uclibc -+ifeq ($(TARGET),linux-uclibc) -+ set_target_defaults = $(call default_opts, \ -+ USE_POLL USE_TPROXY USE_DL USE_RT USE_NETFILTER \ -+ USE_CPU_AFFINITY USE_THREAD USE_EPOLL USE_FUTEX USE_LINUX_TPROXY \ -+ USE_ACCEPT4 USE_LINUX_SPLICE USE_PRCTL USE_THREAD_DUMP USE_NS USE_TFO \ -+ USE_GETADDRINFO) -+endif -+ - # Solaris 8 and above - ifeq ($(TARGET),solaris) - # We also enable getaddrinfo() which works since solaris 8. diff --git a/net/haproxy/patches/007-OPENWRT-openssl-deprecated.patch b/net/haproxy/patches/007-OPENWRT-openssl-deprecated.patch deleted file mode 100644 index 541077e238..0000000000 --- a/net/haproxy/patches/007-OPENWRT-openssl-deprecated.patch +++ /dev/null 
@@ -1,12 +0,0 @@ ---- a/include/common/openssl-compat.h -+++ b/include/common/openssl-compat.h -@@ -217,7 +217,8 @@ static inline int EVP_PKEY_base_id(EVP_PKEY *pkey) - #define TLSEXT_signature_ecdsa 3 - #endif - --#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER < 0x20700000L) -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \ -+ (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L)) - #define X509_getm_notBefore X509_get_notBefore - #define X509_getm_notAfter X509_get_notAfter - #endif