Adis Nezirovic [Fri, 15 Jan 2021 12:12:33 +0000 (13:12 +0100)]
BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition
commit 5a982a71656ce885be4b1d4b90b8db31204788a1 ("MINOR:
contrib/prometheus-exporter: export build_info") is breaking lua
`core.get_info()`.
This patch makes sure build_info is correctly initialised in all cases.
Reviewed-by: William Dauchy <wdauchy@gmail.com>
(cherry picked from commit
b62b78be131de1848d71350d369deac07daf448a)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Fri, 15 Jan 2021 16:08:38 +0000 (17:08 +0100)]
BUILD: peers: fix build warning about unused variable
Previous commit da2b0844f ("MINOR: peers: Add traces for peer control
messages.") introduced a build warning on some compiler versions after
the removal of variable "peers" in peer_send_msgs() because variable
"s" was used only to assign this one, and variable "si" to assign "s".
Let's remove both to fix the warning. No backport is needed.
(cherry picked from commit
81d7092dbd25db04cc72d2dca77647d548342256)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Baptiste Assmann [Fri, 15 Jan 2021 16:01:24 +0000 (17:01 +0100)]
BUG/MINOR: dns: SRV records ignores duplicated AR records (v2)
V2 of this fix which includes a missing pointer initialization which was
causing a segfault in v1 (949a7f64591458eb06c998acf409093ea991dc3a)
This bug happens when a service has multiple records on the same host
and the server provides the A/AAAA resolution in the response as AR
(Additional Records).
In such condition, the first occurrence of the host will be taken from
the Additional section, while the second (and next ones) will be processed
by an independent resolution task (like we used to do before 2.2).
This can lead to a situation where the "synchronisation" of the
resolution may diverge, like described in github issue #971.
Because of this behavior, HAProxy mixes various types of requests to
resolve the full list of servers: SRV+AR for all "first" occurrences and
A/AAAA for all other occurrences of an existing hostname.
IE: with the following type of response:
    ;; ANSWER SECTION:
    _http._tcp.be2.tld. 3600 IN SRV 5 500 80 A2.tld.
    _http._tcp.be2.tld. 3600 IN SRV 5 500 86 A3.tld.
    _http._tcp.be2.tld. 3600 IN SRV 5 500 80 A1.tld.
    _http._tcp.be2.tld. 3600 IN SRV 5 500 85 A3.tld.
    ;; ADDITIONAL SECTION:
    A2.tld. 3600 IN A 192.168.0.2
    A3.tld. 3600 IN A 192.168.0.3
    A1.tld. 3600 IN A 192.168.0.1
    A3.tld. 3600 IN A 192.168.0.3
the first A3 host is resolved using the Additional Section and the
second one through a dedicated A request.
When linking the SRV records to their respective Additional one, a
condition was missing (check if said SRV record is already attached to an
Additional one), leading to stop processing SRV only when the target
SRV field matches the Additional record name. Hence only the first
occurrence of a target was managed by an additional record.
This patch adds a condition in this loop to ensure the record being
parsed is not already linked to an Additional Record. If so, we can
carry on the parsing to find a possible next one with the same target
field value.
backport status: 2.2 and above
(cherry picked from commit
6554742b15880bc19e41f89761905baed33bc398)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
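Added illustration of the linking loop described in the commit message above (not part of the log and not HAProxy's code): the same records are linked once without and once with the "already attached" check. The struct and function names are hypothetical.

```c
/* Added illustration, not HAProxy source. Type and function names are
 * hypothetical; the records are those quoted in the commit message. */
#include <stdio.h>
#include <string.h>

struct ar_rec  { const char *name; const char *addr; };
struct srv_rec { unsigned short port; const char *target;
                 const struct ar_rec *ar; };

/* ADDITIONAL SECTION of the sample response (A3.tld. appears twice). */
static const struct ar_rec additional[] = {
    { "A2.tld.", "192.168.0.2" }, { "A3.tld.", "192.168.0.3" },
    { "A1.tld.", "192.168.0.1" }, { "A3.tld.", "192.168.0.3" },
};
#define N_AR  (sizeof(additional) / sizeof(additional[0]))
#define N_SRV 4

/* ANSWER SECTION of the sample response, with no AR attached yet. */
static void load_answer(struct srv_rec *srv)
{
    static const struct srv_rec answer[N_SRV] = {
        { 80, "A2.tld.", NULL }, { 86, "A3.tld.", NULL },
        { 80, "A1.tld.", NULL }, { 85, "A3.tld.", NULL },
    };
    memcpy(srv, answer, sizeof(answer));
}

/* Attach each Additional Record to one SRV record with the same target.
 * skip_linked == 0 reproduces the missing condition: the scan stops at the
 * first name match, even when that SRV record already has an AR. */
static void link_additional(struct srv_rec *srv, int skip_linked)
{
    for (size_t a = 0; a < N_AR; a++) {
        for (size_t s = 0; s < N_SRV; s++) {
            if (skip_linked && srv[s].ar != NULL)
                continue;   /* already linked: try the next SRV record */
            if (strcmp(srv[s].target, additional[a].name) != 0)
                continue;
            srv[s].ar = &additional[a];
            break;          /* this AR is consumed */
        }
    }
}

/* Port of the first SRV record left without an AR, or 0 if all are linked. */
static unsigned short first_unlinked_port(int skip_linked)
{
    struct srv_rec srv[N_SRV];

    load_answer(srv);
    link_additional(srv, skip_linked);
    for (size_t s = 0; s < N_SRV; s++)
        if (srv[s].ar == NULL)
            return srv[s].port;
    return 0;
}

int main(void)
{
    printf("without the check: SRV port %u is left for a separate A query\n",
           (unsigned)first_unlinked_port(0));
    printf("with the check:    %u (0 = every SRV record linked)\n",
           (unsigned)first_unlinked_port(1));
    return 0;
}
```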
Frédéric Lécaille [Fri, 15 Jan 2021 15:21:28 +0000 (16:21 +0100)]
MINOR: peers: Add traces for peer control messages.
Display traces when sending/receiving peer control messages (synchronisation, heartbeat).
Add remaining traces when parsing malformed messages (acks, stick-table definitions)
or ignoring them.
Also add traces when releasing session or when reaching the PEER_SESS_ST_ERRPROTO
peer protocol state.
(cherry picked from commit
da2b0844fc4eafd9c63e3eb20a1a7020d9f92088)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
David CARLIER [Fri, 15 Jan 2021 08:09:56 +0000 (08:09 +0000)]
BUG/MINOR: threads: Fixes the number of possible cpus report for Mac.
There is no low level api to achieve same as Linux/FreeBSD, we rely
on CPUs available. Without this, the number of threads is just 1 for
Mac while having 8 cores in my M1.
Backporting to 2.1 should be enough if that's possible.
Signed-off-by: David CARLIER <devnexen@gmail.com>
(cherry picked from commit
6a9060189d66ca931984706d5e2a970ed913f457)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Wed, 13 Jan 2021 12:14:13 +0000 (13:14 +0100)]
MINOR: server: Forbid server definitions in frontend sections
A fatal error is now reported if a server is defined in a frontend
section. Until now, a warning was just emitted and the server was ignored. The
warning was added in the 1.3.4 when the frontend/backend keywords were
introduced to allow a smooth transition and to not break existing
configs. It is old enough now to emit a fatal error in this case.
This patch is related to the issue #1043. It may be backported at least as
far as 2.2, and possibly to older versions. It relies on the previous commit
("MINOR: config: Add failifnotcap() to emit an alert on proxy capabilities").
(cherry picked from commit
e3bdc81f8aeb02b5c92b5d10fc9352daaea1cf20)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Wed, 13 Jan 2021 11:10:00 +0000 (12:10 +0100)]
MINOR: config: Add failifnotcap() to emit an alert on proxy capabilities
This function must be used to emit an alert if a proxy does not have at
least one of the requested capabilities. An additional message may be
appended to the alert.
(cherry picked from commit
d4a83dd6b30a68605f13a447b398a15ab38f28d4)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Tue, 12 Jan 2021 17:57:38 +0000 (18:57 +0100)]
BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable
The HAPROXY_CFGFILES env variable is built using a static trash chunk, via a
call to get_trash_chunk() function. This chunk is reserved during the whole
configuration parsing. It is far too large to guarantee it will not be
reused during the configuration parsing. And in fact, it happens in the lua
code since the commit f67442efd ("BUG/MINOR: lua: warn when registering
action, conv, sf, cli or applet multiple times"), when a lua script is
loaded.
To fix the bug, we now use a dynamic buffer instead. And we call memprintf()
function to handle both the allocation and the formatting. Allocation errors
at this stage are fatal.
This patch should fix the issue #1041. It must be backported as far as 2.0.
(cherry picked from commit
4e36682d51f4e206c63d792a8cde3e669fb8a0d4)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Wed, 13 Jan 2021 15:10:29 +0000 (16:10 +0100)]
[RELEASE] Released version 2.3.4
Released version 2.3.4 with the following main changes :
- MINOR: reg-tests: add a way to add service dependency
- BUG/MINOR: sample: check alloc_trash_chunk return value in concat()
- BUG/MINOR: reg-tests: fix service dependency script
- MINOR: reg-tests: add base prometheus test
- Revert "BUG/MINOR: dns: SRV records ignores duplicated AR records"
- BUG/MINOR: sample: Memory leak of sample_expr structure in case of error
- BUG/MINOR: check: Don't perform any check on servers defined in a frontend
- BUG/MINOR: init: enforce strict-limits when using master-worker
- MINOR: contrib/prometheus-exporter: avoid connection close header
- MINOR: contrib/prometheus-exporter: use fill_info for process dump
William Dauchy [Mon, 11 Jan 2021 19:07:49 +0000 (20:07 +0100)]
MINOR: contrib/prometheus-exporter: use fill_info for process dump
use `stats_fill_info` when possible to avoid duplicating code.
Signed-off-by: William Dauchy <wdauchy@gmail.com>
(cherry picked from commit
5d9b8f3c9347a1a10b86f81d70b22c3cab0e6925)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
William Dauchy [Mon, 11 Jan 2021 19:07:48 +0000 (20:07 +0100)]
MINOR: contrib/prometheus-exporter: avoid connection close header
it does not seem to have a reason to close connections after each
request; reflect that in tests by doing all requests within the same
client.
Signed-off-by: William Dauchy <wdauchy@gmail.com>
(cherry picked from commit
1704efee89c9a0d430e63e7a9b54e97644d27a2a)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Jerome Magnin [Tue, 12 Jan 2021 19:19:38 +0000 (20:19 +0100)]
BUG/MINOR: init: enforce strict-limits when using master-worker
The strict-limits global option was introduced with commit 0fec3ab7b
("MINOR: init: always fail when setrlimit fails"). When used in
conjunction with master-worker, haproxy will not fail when a setrlimit
fails. This happens because we only exit() if master-worker isn't used.
This patch removes all tests for master-worker mode for all cases covered
by strict-limits scope.
This should be backported from 2.1 onward.
This should fix issue #1042.
Reviewed by William Dauchy <wdauchy@gmail.com>
(cherry picked from commit
50f757c5fdd7e6eb404103d878f648453d00d73e)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Tue, 12 Jan 2021 16:29:45 +0000 (17:29 +0100)]
BUG/MINOR: check: Don't perform any check on servers defined in a frontend
If a server is defined in a frontend, thus a proxy without the backend
capability, the 'check' and 'agent-check' keywords are ignored. This way, no
check is performed on an ignored server. This avoids a segfault because some
part of the tcpchecks are not fully initialized (or released for frontends
during the post-check).
In addition, a test on the server's proxy capabilities is performed when
checks or agent-checks are initialized and nothing is performed for servers
attached to a non-backend proxy.
This patch should fix the issue #1043. It must be backported as far as 2.2.
(cherry picked from commit
6ecd59326f7416dcba215f05a6674d4b9f970749)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Remi Tricot-Le Breton [Tue, 12 Jan 2021 13:55:12 +0000 (14:55 +0100)]
BUG/MINOR: sample: Memory leak of sample_expr structure in case of error
If an error occurs during the sample expression parsing, the alloced
sample_expr is not freed despite having its main pointer reset.
This fixes GitHub issue #1046.
It could be backported as far as 1.8.
(cherry picked from commit
22e0d9b39cfb238e7bf866b3d78aa9b393004508)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Tue, 12 Jan 2021 09:27:26 +0000 (10:27 +0100)]
Revert "BUG/MINOR: dns: SRV records ignores duplicated AR records"
This reverts commit 949a7f64591458eb06c998acf409093ea991dc3a.
The first part of the patch introduces a bug. When a dns answer item is
allocated, its <ar_item> is only initialized at the end of the parsing, when
the item is added in the answer list. Thus, we must not try to release it
during the parsing.
The second part is also probably buggy. It fixes the issue #971 but reverts
a fix for the issue #841 (see commit fb0884c8297 "BUG/MEDIUM: dns: Don't
store additional records in a linked-list"). So it must be at least
revalidated.
This revert fixes a segfault reported in a comment of the issue #971. It
must be backported as far as 2.2.
(cherry picked from commit
a1eea3bbb1973f3becc4603c3bbad4e96af3361f)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
William Dauchy [Sun, 10 Jan 2021 20:13:06 +0000 (21:13 +0100)]
MINOR: reg-tests: add base prometheus test
Add a base test to start with something, even though this is not
necessarily complete.
Also make use of the recent REQUIRE_SERVICE option to exclude it from
test list if it was not built with prometheus included.
note: I thought it was possible to send multiple requests within the
same client, but I'm getting "HTTP header is incomplete" from the second
request
Signed-off-by: William Dauchy <wdauchy@gmail.com>
(cherry picked from commit
76603f2552fafc23871a914600a18c3616959693)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
William Dauchy [Sun, 10 Jan 2021 20:13:05 +0000 (21:13 +0100)]
BUG/MINOR: reg-tests: fix service dependency script
I badly tested my previous patch forgetting to remove the "+" testing
present in options, and not in services; the list of services does not
have any "+" at the beginning of each service
this patch is fixing commit aabde7133242563109b4f36c42e732f083 ("MINOR:
reg-tests: add a way to add service dependency")
Signed-off-by: William Dauchy <wdauchy@gmail.com>
(cherry picked from commit
4488434c97b4ae3ae8fde501b37f5ef9a588bd09)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
William Dauchy [Mon, 11 Jan 2021 10:05:58 +0000 (11:05 +0100)]
BUG/MINOR: sample: check alloc_trash_chunk return value in concat()
like it is done in other places, check the return value of
`alloc_trash_chunk` before using it. This was detected by coverity.
this patch fixes commit 591fc3a330005c289b4705fe4cb37c4eec9f9eed
("BUG/MINOR: sample: fix concat() converter's corruption with non-string
variables")
As a consequence, this patch should be backported as far as 2.0
this should fix github issue #1039
Signed-off-by: William Dauchy <wdauchy@gmail.com>
(cherry picked from commit
e997010accdb17e70b628bc1e7c2810487d279c0)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
William Dauchy [Sat, 9 Jan 2021 16:26:20 +0000 (17:26 +0100)]
MINOR: reg-tests: add a way to add service dependency
I was looking at writing a simple first test for prometheus but I
realised there is no proper way to exclude it if haproxy was not built
with prometheus plugin.
Today we have `REQUIRE_OPTIONS` in reg-tests which is based on `Feature
list` from `haproxy -vv`. Those options are coming from the Makefile
itself.
A plugin is built this way:
EXTRA_OBJS="contrib/prometheus-exporter/service-prometheus.o"
It does register service actions through `service_keywords_register`.
Those are listed through `list_services` in `haproxy -vv`.
To facilitate parsing, I slightly changed the output to a single line
and integrate it in regtests shell script so that we can now specify a
dependency while writing a reg-test for prometheus, e.g:
#REQUIRE_SERVICE=prometheus-exporter
#REQUIRE_SERVICES=prometheus-exporter,foo
There might be other ways to handle this, but that's the cleanest I
found; I understand people might be concerned by this output change in
`haproxy -vv` which goes from:
Available services :
foo
bar
to:
Available services : foo bar
Signed-off-by: William Dauchy <wdauchy@gmail.com>
(cherry picked from commit
aabde7133242563109b4f36c42e732f083bddf4d)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Fri, 8 Jan 2021 20:19:40 +0000 (21:19 +0100)]
[RELEASE] Released version 2.3.3
Released version 2.3.3 with the following main changes :
- MINOR: plock: use an ARMv8 instruction barrier for the pause instruction
- BUG/MEDIUM: lists: Lock the element while we check if it is in a list.
- MINOR: task: remove __tasklet_remove_from_tasklet_list()
- BUG/MEDIUM: task: close a possible data race condition on a tasklet's list link
- BUG/MEDIUM: local log format regression.
- BUG/MINOR: mux-h2/stats: make stream/connection proto errors more accurate
- BUG/MINOR: mux-h2/stats: not all GOAWAY frames are errors
- BUG/MINOR: lua: missing "\n" in error message
- BUG/MINOR: lua: lua-load doesn't check its parameters
- BUG/MINOR: lua: Post init register function are not executed beyond the first one
- BUG/MINOR: lua: Some lua init operation are processed unsafe
- MINOR: actions: Export actions lookup functions
- MINOR: actions: add a function returning a service pointer from its name
- MINOR: cli: add a function to look up a CLI service description
- BUG/MINOR: lua: warn when registering action, conv, sf, cli or applet multiple times
- BUG/MAJOR: ring: tcp forward on ring can break the reader counter.
- BUILD/MINOR: haproxy DragonFlyBSD affinity build update.
- DOC/MINOR: Fix formatting in Management Guide
- BUG/MINOR: listener: use sockaddr_in6 for IPv6
- BUG/MINOR: mux-h1: Handle keep-alive timeout for idle frontend connections
- MINOR: protocol: add a ->set_port() helper to address families
- MINOR: listener: automatically set the port when creating listeners
- MINOR: listener: now use a generic add_listener() function
- MEDIUM: ssl: fatal error with bundle + openssl < 1.1.1
- BUG/MAJOR: spoa/python: Fixing return None
- DOC: spoa/python: Fixing typo in IP related error messages
- DOC: spoa/python: Rephrasing memory related error messages
- DOC: spoa/python: Fixing typos in comments
- BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations
- BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails
- BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments
- BUG/MEDIUM: spoa/python: Fixing references to None
- DOC: email change of the DeviceAtlas maintainer
- BUG/MINOR: http-check: Use right condition to consider HTX message as full
- BUG/MINOR: tcpcheck: Don't rearm the check timeout on each read
- MINOR: tcpcheck: Only wait for more payload data on HTTP expect rules
- BUG/MINOR: tools: make parse_time_err() more strict on the timer validity
- BUG/MINOR: tools: Reject size format not starting by a digit
- BUG/MEDIUM: lb-leastconn: Reposition a server using the right eweight
- BUG/MEDIUM: ssl/crt-list: bad behavior with "commit ssl cert"
- REGTESTS: make use of HAPROXY_ARGS and pass -dM by default
- BUILD: SSL: fine guard for SSL_CTX_add_server_custom_ext call
- BUILD: Makefile: have "make clean" destroy .o/.a/.s in contrib subdirs as well
- BUG/MINOR: mux-h1: Don't set CS_FL_EOI too early for protocol upgrade requests
- BUG/MEDIUM: http-ana: Never for sending data in TUNNEL mode
- BUG/MEDIUM: mux-h1: Handle h1_process() failures on a pipelined request
- CONTRIB: halog: fix build issue caused by %L printf format
- CONTRIB: halog: mark the has_zero* functions unused
- CONTRIB: halog: fix signed/unsigned build warnings on counts and timestamps
- CONTRIB: debug: address "poll" utility build on non-linux platforms
- BUILD: plock: remove dead code that causes a warning in gcc 11
- BUILD: ssl: fine guard for SSL_CTX_get0_privatekey call
- BUG/MINOR: dns: SRV records ignores duplicated AR records
- DOC: fix "smp_size" vs "sample_size" in "log" directive arguments
- BUG/MEDIUM: mux_h2: Add missing braces in h2_snd_buf()around trace+wakeup
- BUILD: hpack: hpack-tbl-t.h uses VAR_ARRAY but does not include compiler.h
- MINOR: atomic: don't use ; to separate instruction on aarch64.
- BUG/MINOR: sink: Return an allocation failure in __sink_new if strdup() fails
- BUG/MINOR: cfgparse: Fail if the strdup() for `rule->be.name` for `use_backend` fails
- BUG/MINOR: tcpcheck: Report a L7OK if the last evaluated rule is a send rule
- DOC: Improve the message printed when running `make` w/o `TARGET`
- BUG/MINOR: stats: Make stat_l variable used to dump a stat line thread local
- SCRIPTS: improve announce-release to support different tag and versions
- SCRIPTS: make announce release support preparing announces before tag exists
- BUG/MINOR: srv: do not init address if backend is disabled
- BUG/MINOR: srv: do not cleanup idle conns if pool max is null
- MINOR: converter: adding support for url_enc
- BUILD: Makefile: exclude broken tests by default
- CLEANUP: cfgparse: replace "realloc" with "my_realloc2" to fix to memory leak on error
- MINOR: contrib/prometheus-exporter: export build_info
- DOC: fix some spelling issues over multiple files
- SCRIPTS: announce-release: fix typo in help message
- DOC: Add maintainers for the Prometheus exporter
- BUG/MINOR: sample: fix concat() converter's corruption with non-string variables
Willy Tarreau [Fri, 8 Jan 2021 15:08:43 +0000 (16:08 +0100)]
BUG/MINOR: sample: fix concat() converter's corruption with non-string variables
Patrick Hemmer reported that calling concat() with an integer variable
causes a %00 to appear at the beginning of the output. Looking at the
code, it's not surprising. The function uses get_trash_chunk() to get
one of the trashes, but can call casting functions which will also use
their trash in turn and will cycle back to ours, causing the trash to
be overwritten before being assigned to a sample.
By allocating the trash from a pool using alloc_trash_chunk(), we can
avoid this. However we must free it so the trash's contents must be
moved to a permanent trash buffer before returning. This is what's
achieved using smp_dup().
This should be backported as far as 2.0.
(cherry picked from commit
591fc3a330005c289b4705fe4cb37c4eec9f9eed)
Signed-off-by: Willy Tarreau <w@1wt.eu>
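Added illustration (not part of the log and not HAProxy's code) of the scratch-buffer reuse described in the concat() commit above and in the earlier HAPROXY_CFGFILES commit: a result kept in a rotating static buffer is overwritten by a nested helper, while a privately allocated buffer is not. All names are hypothetical, and the cast helper is assumed to take scratch space twice.

```c
/* Added illustration, not HAProxy source: a two-slot rotating scratch
 * allocator stands in for a static trash chunk. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSLOTS  2
#define SLOT_SZ 64

static char slots[NSLOTS][SLOT_SZ];
static unsigned next_slot;

/* Hands out the static slots in rotation. Nothing records that a caller
 * still holds one, so request NSLOTS+1 returns the first slot again. */
static char *rotating_scratch(void)
{
    char *p = slots[next_slot];

    next_slot = (next_slot + 1) % NSLOTS;
    return p;
}

/* Model of a cast helper: assumed to need scratch space twice
 * (raw value, then its text form). */
static const char *cast_int(int v)
{
    char *raw = rotating_scratch();
    char *txt = rotating_scratch();

    memcpy(raw, &v, sizeof(v));
    snprintf(txt, SLOT_SZ, "%d", v);
    return txt;
}

/* Append the text form of v to acc, which already holds len bytes. */
static int append_int(char *acc, size_t len, int v)
{
    const char *s = cast_int(v);          /* may hand back acc's own slot */
    size_t slen = strlen(s);

    if (len + slen + 1 > SLOT_SZ)
        return -1;
    memmove(acc + len, s, slen + 1);      /* memmove: s can alias acc */
    return 0;
}

/* Before: the accumulator lives in a rotating slot across the cast call. */
static int concat_rotating(const char *prefix, int v, char *out, size_t outsz)
{
    char *acc = rotating_scratch();
    size_t len = (size_t)snprintf(acc, SLOT_SZ, "%s", prefix);

    if (len >= SLOT_SZ || append_int(acc, len, v) < 0)
        return -1;
    snprintf(out, outsz, "%s", acc);
    return 0;
}

/* After: the accumulator is privately allocated, the allocation is checked,
 * and the result is copied out before the buffer is released. */
static int concat_private(const char *prefix, int v, char *out, size_t outsz)
{
    char *acc = malloc(SLOT_SZ);
    size_t len;
    int ret = -1;

    if (!acc)
        return -1;                        /* allocation failure is an error */
    len = (size_t)snprintf(acc, SLOT_SZ, "%s", prefix);
    if (len < SLOT_SZ && append_int(acc, len, v) == 0) {
        snprintf(out, outsz, "%s", acc);  /* copy to the caller's buffer */
        ret = 0;
    }
    free(acc);
    return ret;
}

/* Runs one variant on the constructed input ("id=", 42). */
static const char *run(int use_private)
{
    static char out[2][32];
    char *o = out[use_private ? 1 : 0];
    int rc = use_private ? concat_private("id=", 42, o, sizeof(out[0]))
                         : concat_rotating("id=", 42, o, sizeof(out[0]));

    return rc == 0 ? o : "(error)";
}

int main(void)
{
    printf("rotating scratch: \"%s\"\n", run(0));
    printf("private buffer:   \"%s\"\n", run(1));
    return 0;
}
```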
Christopher Faulet [Fri, 8 Jan 2021 13:39:04 +0000 (14:39 +0100)]
DOC: Add maintainers for the Prometheus exporter
William Dauchy and Christopher Faulet are the official maintainers of the
Prometheus exporter. William better knows the Prometheus usages and is the
referent for the features while Christopher's role is more code-centric, he
takes care of bugs and the exporter integration into Haproxy.
(cherry picked from commit
84c88a58c5153b8fffa509934375c92435298a1b)
Signed-off-by: Willy Tarreau <w@1wt.eu>
Thayne McCombs [Fri, 8 Jan 2021 04:36:27 +0000 (21:36 -0700)]
SCRIPTS: announce-release: fix typo in help message
s/relase/release in -p help message.
(cherry picked from commit
478e5ddc8d2ecab13391c96a4001081b1cf9b981)
Signed-off-by: Willy Tarreau <w@1wt.eu>
Thayne McCombs [Fri, 8 Jan 2021 04:24:41 +0000 (21:24 -0700)]
DOC: fix some spelling issues over multiple files
This is from the output of codespell and may be backported.
(cherry picked from commit
cdbcca9995a4974c6998720e158d6f1d4d9a25c0)
Signed-off-by: Willy Tarreau <w@1wt.eu>
William Dauchy [Fri, 8 Jan 2021 12:18:06 +0000 (13:18 +0100)]
MINOR: contrib/prometheus-exporter: export build_info
commit c55a626217a7e676e1cc ("MINOR: contrib/prometheus-exporter: Add
missing global and per-server metrics") is renaming two metrics between
v2.2 and v2.3:
server_idle_connections_current
server_idle_connections_limit
It is breaking some tools which are making use of those metrics while
supporting several haproxy versions. This build_info will permit tools
which make use of metrics to be able to match the haproxy version and
change the list of expected metrics. This was possible using the haproxy
stats socket but not with prometheus export.
This patch follows prometheus best practices to export specific software
information. It is adding a new field `build_info` so we can extend it
to other parameters if needed in the future.
example output:
# HELP haproxy_process_build_info HAProxy build info.
# TYPE haproxy_process_build_info gauge
haproxy_process_build_info{version="2.4-dev5-2e1a3f-5"} 1
Even though it is not a bugfix, this patch will make more sense when
backported up to >= 2.0
Signed-off-by: William Dauchy <wdauchy@gmail.com>
(cherry picked from commit
5a982a71656ce885be4b1d4b90b8db31204788a1)
Signed-off-by: Willy Tarreau <w@1wt.eu>
Ilya Shipitsin [Thu, 7 Jan 2021 17:45:13 +0000 (22:45 +0500)]
CLEANUP: cfgparse: replace "realloc" with "my_realloc2" to fix to memory leak on error
my_realloc2 frees variable in case of allocation failure.
fixes #1030
realloc was introduced in 9e1758efbd68c8b1d27e17e2abe4444e110f3ebe
this might be backported to 2.2, 2.3
(cherry picked from commit
76837bc948578e91e113141bd4c73dad8093be3b)
Signed-off-by: Willy Tarreau <w@1wt.eu>
William Dauchy [Thu, 7 Jan 2021 16:10:51 +0000 (17:10 +0100)]
BUILD: Makefile: exclude broken tests by default
it could be sometimes a bit confusing to have tests which are known to
be broken executed in the default `make reg-tests` command, especially
for not frequent contributors which are not necessarily aware of all our
quirks.
without this patch, this test is failing on my side:
# top TEST reg-tests/seamless-reload/abns_socket.vtc FAILED (2.228) exit=2
1 tests failed, 0 tests skipped, 107 tests passed
Signed-off-by: William Dauchy <wdauchy@gmail.com>
(cherry picked from commit
3bad3d5ee64caec53077018a848075bdc817580e)
Signed-off-by: Willy Tarreau <w@1wt.eu>
William Dauchy [Wed, 6 Jan 2021 22:39:50 +0000 (23:39 +0100)]
MINOR: converter: adding support for url_enc
add base support for url encode following RFC3986, supporting `query`
type only.
- add test checking url_enc/url_dec/url_enc
- update documentation
- leave the door open for future changes
this should resolve github issue #941
Signed-off-by: William Dauchy <wdauchy@gmail.com>
(cherry picked from commit
888b0ae8cf92cb23112bd8920b256b0bdf67caf0)
[wt: updated regtest to mention 2.3]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Amaury Denoyelle [Wed, 6 Jan 2021 13:28:51 +0000 (14:28 +0100)]
BUG/MINOR: srv: do not cleanup idle conns if pool max is null
If a server is configured to not have any idle conns, return immediately
from srv_cleanup_connections. This avoids a segfault when a server is
configured with pool-max-conn to 0.
This should be backported up to 2.2.
(cherry picked from commit
10d5c3172b366e48b5851a20de9b68f0d5495b92)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Amaury Denoyelle [Wed, 6 Jan 2021 13:28:50 +0000 (14:28 +0100)]
BUG/MINOR: srv: do not init address if backend is disabled
Do not proceed on init_addr if the backend of the server is marked as
disabled. When marked as disabled, the server is not fully initialized
and some operation must be avoided to prevent segfault. It is correct
because there is no way to activate a disabled backend.
This fixes the github issue #1031.
This should be backported to 2.2.
(cherry picked from commit
e3c419296211f08209300b9a06dc17467a6cb315)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Wed, 6 Jan 2021 14:46:33 +0000 (15:46 +0100)]
SCRIPTS: make announce release support preparing announces before tag exists
It takes so much time to write an announce message that sometimes it's
annoying not being able to start the work while a fix is being finished.
With the new "-p" argument, announce-release will allow to prepare the
announce message for the current HEAD and with no tag yet. It will
restart from the last tag and automatically increment the version using
the same algorithm as create-release so that everything is accurate. It
should then be easier at the last moment to just include the final entry
by hand when the last fix finally arrives. For convenience, this argument
also allows to create an announce from another branch than master.
(cherry picked from commit
96d5368202705de79756ebe7da78beb1af11fb2d)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Wed, 6 Jan 2021 14:16:46 +0000 (15:16 +0100)]
SCRIPTS: improve announce-release to support different tag and versions
By having three variables it will be easier to preset the version and
the tag separately. One contains the announced version, another one the
associated tag and the last one the final commit ID (used as the ending
point before the release). This initially allows to check for the HEAD
matching the tag only when the version was not forced, hence re-announce
already tagged versions after some extra commits were added for example.
(cherry picked from commit
0c612936b2f4319dcc55567af4aa425b1d6d52c7)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Wed, 6 Jan 2021 06:41:56 +0000 (07:41 +0100)]
BUG/MINOR: stats: Make stat_l variable used to dump a stat line thread local
Since ee63d4bd6 ("MEDIUM: stats: integrate static proxies stats in new
stats"), all dumped stats for a given domain, the default ones and the
modules ones, are merged in a single array to dump them in a generic way.
For this purpose, the stat_l global variable is allocated at startup to
store a line of stats before the dump, i.e. all stats of an entity
(frontend, backend, listener, server or dns nameserver). But this variable
is not thread safe. If stats are retrieved concurrently by several clients
on different threads, the same variable is used. This leads to corrupted
stats output.
To fix the bug, the stat_l variable is now thread local.
This patch should probably solve issues #972 and #992. It must be backported
to 2.3.
(cherry picked from commit
de79cd28ec9e1facc5f2da02cd95dda82ac6fe58)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Tim Duesterhus [Tue, 5 Jan 2021 17:10:41 +0000 (18:10 +0100)]
DOC: Improve the message printed when running `make` w/o `TARGET`
Rephrase the message to no longer talk about something that "is no longer
supported", but about what actually *is* supported.
Adjustments include:
- Removal of rare targets to make it easier to find the proper one.
- Reformatting to be easier to read (more newlines)
- Explanation of common non-default feature flags.
(cherry picked from commit
1ab76dd956042019aabbfc2a04dc6a3101ce1a02)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Tue, 5 Jan 2021 15:56:07 +0000 (16:56 +0100)]
BUG/MINOR: tcpcheck: Report a L7OK if the last evaluated rule is a send rule
When all rules of a tcpcheck ruleset are successfully evaluated, the right
check status must always be reported. It is true if the last evaluated rule
is an expect or a connect rule. But not if it is a send rule. In this
situation, nothing more is done until the check timeout expiration and a
L7TOUT is reported instead of a L7OK.
Now, by default, when all rules were successfully evaluated, a L7OK is
reported. When the last evaluated rule is an expect or a connect, the
behavior remains unchanged.
This patch should fix the issue #1027. It must be backported as far as 2.2.
(cherry picked from commit
8d4977ae86bf70e6834f3e28bad5876769db5b07)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Tim Duesterhus [Sun, 3 Jan 2021 21:54:43 +0000 (22:54 +0100)]
BUG/MINOR: cfgparse: Fail if the strdup() for `rule->be.name` for `use_backend` fails
This patch fixes GitHub issue #1024.
I could track the `strdup` back to commit
3a1f5fda109fc56ae127d03eaf34ce027c9542e1 which is 1.9-dev8. It's probably not
worth the effort to backport it across this refactoring.
This patch should be backported to 1.9+.
(cherry picked from commit
5ce5a1586d8c67affa604dedf0faa2c5a02ecab5)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Tim Duesterhus [Sun, 3 Jan 2021 18:54:11 +0000 (19:54 +0100)]
BUG/MINOR: sink: Return an allocation failure in __sink_new if strdup() fails
This patch fixes GitHub issue #1023.
The function was introduced in commit 99c453d ("MEDIUM: ring: new
section ring to declare custom ring buffers."), which first appeared
in 2.2-dev9. The fix should be backported to 2.2+.
(cherry picked from commit
a7ebffef660c2c83590798e0f1acceb9001ff92c)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Olivier Houchard [Wed, 23 Dec 2020 00:23:41 +0000 (01:23 +0100)]
MINOR: atomic: don't use ; to separate instruction on aarch64.
The assembler on MacOS aarch64 interprets ; as the beginning of comments,
so it is not suitable for separating instructions in inline asm. Use \n
instead.
This should be backported to 2.3, 2.2, 2.1, 2.0 and 1.9.
(cherry picked from commit
63ee28185430cbf5bdce21f82484f7de70fe4654)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christian Ruppert [Mon, 9 Nov 2020 08:15:21 +0000 (09:15 +0100)]
BUILD: hpack: hpack-tbl-t.h uses VAR_ARRAY but does not include compiler.h
This fixes building hpack from contrib, which failed because of the
undeclared VAR_ARRAY:
make -C contrib/hpack
...
cc -O2 -Wall -g -I../../include -fwrapv -fno-strict-aliasing -c -o gen-enc.o gen-enc.c
In file included from gen-enc.c:18:
../../include/haproxy/hpack-tbl-t.h:105:23: error: 'VAR_ARRAY' undeclared here (not in a function)
105 | struct hpack_dte dte[VAR_ARRAY]; /* dynamic table entries */
...
As discussed in the thread below, let's redefine VAR_ARRAY in this file
so that it remains self-sustaining:
https://www.mail-archive.com/haproxy@formilux.org/msg39212.html
(cherry picked from commit
b67e1558955c1c88dc2a3530322802ce3710bc88)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Tim Duesterhus [Mon, 21 Dec 2020 18:40:16 +0000 (19:40 +0100)]
BUG/MEDIUM: mux_h2: Add missing braces in h2_snd_buf()around trace+wakeup
This is a regression in 7838a79ba ("MEDIUM: mux-h2/trace: add lots of traces
all over the code"). The issue was found using -Wmisleading-indentation.
This patch fixes GitHub issue #1015.
The impact of this bug is that it could in theory cause occasional delays
on some long responses for connections having otherwise no traffic.
This patch should be backported to 2.1+, the commit was first tagged in
v2.1-dev2.
(cherry picked from commit
12a08d8849166ec0a779bbdee2ce9d768d5aa824)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Jan Wagner [Thu, 17 Dec 2020 21:22:32 +0000 (22:22 +0100)]
DOC: fix "smp_size" vs "sample_size" in "log" directive arguments
The "log" directive syntax shows an argument named "smp_size" but the
description mentions "sample_size". Let's fix this.
(cherry picked from commit
3e678607e221bb38ff1032be239853b9243210fb)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Baptiste Assmann [Wed, 25 Nov 2020 07:17:59 +0000 (08:17 +0100)]
BUG/MINOR: dns: SRV records ignores duplicated AR records
This bug happens when a service has multiple records on the same host
and the server provides the A/AAAA resolution in the response as AR
(Additional Records).
In such condition, the first occurrence of the host will be taken from
the Additional section, while the second (and next ones) will be processed
by an independent resolution task (like we used to do before 2.2).
This can lead to a situation where the "synchronisation" of the
resolution may diverge, like described in github issue #971.
Because of this behavior, HAProxy mixes various types of requests to
resolve the full list of servers: SRV+AR for all "first" occurrences and
A/AAAA for all other occurrences of an existing hostname.
IE: with the following type of response:
;; ANSWER SECTION:
_http._tcp.be2.tld. 3600 IN SRV 5 500 80 A2.tld.
_http._tcp.be2.tld. 3600 IN SRV 5 500 86 A3.tld.
_http._tcp.be2.tld. 3600 IN SRV 5 500 80 A1.tld.
_http._tcp.be2.tld. 3600 IN SRV 5 500 85 A3.tld.
;; ADDITIONAL SECTION:
A2.tld. 3600 IN A 192.168.0.2
A3.tld. 3600 IN A 192.168.0.3
A1.tld. 3600 IN A 192.168.0.1
A3.tld. 3600 IN A 192.168.0.3
the first A3 host is resolved using the Additional Section and the
second one through a dedicated A request.
When linking the SRV records to their respective Additional one, a
condition was missing (check if said SRV record is already attached to an
Additional one), leading to stop processing SRV only when the target
SRV field matches the Additional record name. Hence only the first
occurrence of a target was managed by an additional record.
This patch adds a condition in this loop to ensure the record being
parsed is not already linked to an Additional Record. If so, we can
carry on the parsing to find a possible next one with the same target
field value.
backport status: 2.2 and above
(cherry picked from commit
949a7f64591458eb06c998acf409093ea991dc3a)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
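The linking loop described in the commit above, as an added example that is not HAProxy's code: the record types and function names are hypothetical, and the records are the ones from the response quoted in the commit message. With `skip_linked` set to 0 the loop behaves as the bug is described; with 1 it applies the added condition.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified, hypothetical record types; these are not HAProxy's structures. */
struct ar_rec {
    const char *name;          /* owner name of the A/AAAA record */
    const char *addr;          /* address in text form */
};

struct srv_rec {
    const char *target;        /* SRV target host name */
    unsigned short port;
    const struct ar_rec *ar;   /* linked Additional Record, NULL if none */
};

/* DNS names compare case-insensitively. */
static int name_eq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == *b;
}

/* Attach each Additional Record to one SRV record with the same target.
 * skip_linked == 0: stop at the first SRV whose target matches, even if it
 *                   already has an AR (the behaviour described as the bug).
 * skip_linked == 1: ignore SRV records that are already linked, so a second
 *                   AR with the same name reaches the next matching SRV.
 * Returns the number of SRV records left without an AR, i.e. those that
 * would need their own A/AAAA resolution. */
static size_t link_additional(struct srv_rec *srv, size_t nsrv,
                              const struct ar_rec *ar, size_t nar,
                              int skip_linked)
{
    size_t i, j, unlinked = 0;

    for (i = 0; i < nsrv; i++)
        srv[i].ar = NULL;

    for (j = 0; j < nar; j++) {
        for (i = 0; i < nsrv; i++) {
            if (skip_linked && srv[i].ar != NULL)
                continue;               /* already served by an earlier AR */
            if (!name_eq(srv[i].target, ar[j].name))
                continue;
            srv[i].ar = &ar[j];
            break;
        }
    }

    for (i = 0; i < nsrv; i++)
        if (srv[i].ar == NULL)
            unlinked++;
    return unlinked;
}

/* Runs the loop over the ANSWER and ADDITIONAL sections shown above. */
static size_t demo_unlinked(int skip_linked)
{
    struct srv_rec srv[] = {
        { "A2.tld.", 80, NULL }, { "A3.tld.", 86, NULL },
        { "A1.tld.", 80, NULL }, { "A3.tld.", 85, NULL },
    };
    const struct ar_rec ar[] = {
        { "A2.tld.", "192.168.0.2" }, { "A3.tld.", "192.168.0.3" },
        { "A1.tld.", "192.168.0.1" }, { "A3.tld.", "192.168.0.3" },
    };

    return link_additional(srv, 4, ar, 4, skip_linked);
}

int main(void)
{
    printf("without the check: %zu SRV record(s) left unlinked\n",
           demo_unlinked(0));
    printf("with the check:    %zu SRV record(s) left unlinked\n",
           demo_unlinked(1));
    return 0;
}
```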
Ilya Shipitsin [Fri, 18 Dec 2020 22:12:12 +0000 (03:12 +0500)]
BUILD: ssl: fine guard for SSL_CTX_get0_privatekey call
SSL_CTX_get0_privatekey is openssl/boringssl specific function present
since openssl-1.0.2, let us define readable guard for it, not depending
on HA_OPENSSL_VERSION
(cherry picked from commit
af204881a3df36da1451af33f57b2c11ecb0972e)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Mon, 21 Dec 2020 09:27:18 +0000 (10:27 +0100)]
BUILD: plock: remove dead code that causes a warning in gcc 11
As Ilya reported in issue #998, gcc 11 complains about misleading code
indentation which is in fact caused by dead assignments to zero after
a loop which stops on zero. Let's clean both of these.
(cherry picked from commit
b1f54925fc17b00ddbe25e30c2207a8d68d47f34)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Mon, 21 Dec 2020 07:43:50 +0000 (08:43 +0100)]
CONTRIB: debug: address "poll" utility build on non-linux platforms
MSG_NOSIGNAL and MSG_MORE are not defined everywhere, let's make them
zero when not defined. It will roughly result in the same behavior,
albeit a bit less optimal, which is no big deal when debugging. This
should fix issue #1014.
(cherry picked from commit
79d2e7bbbd56455f5f73c030df41e8e1ed621df4)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Mon, 21 Dec 2020 07:40:04 +0000 (08:40 +0100)]
CONTRIB: halog: fix signed/unsigned build warnings on counts and timestamps
Some variables were signed while they were compared to unsigned ones,
causing warnings to be issued when -Wextra is enabled.
(cherry picked from commit
03ca6054d02350e83cb5227608ccec13efdd3ade)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Mon, 21 Dec 2020 07:35:24 +0000 (08:35 +0100)]
CONTRIB: halog: mark the has_zero* functions unused
These ones will depend on the use of memchr() or not, let's mark them unused
to avoid the warning reported in issue #1013.
(cherry picked from commit
f531dfff18becc87a3855ae6bc987afe9bffccc3)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Mon, 21 Dec 2020 07:29:09 +0000 (08:29 +0100)]
CONTRIB: halog: fix build issue caused by %L printf format
%Ld isn't standard, %lld is more portable. In addition, the format
should be %llu since the printed values are unsigned. This should
address issue #1013.
(cherry picked from commit
2df860cb13e503fc8d80889bb93c20d5e8b24cd5)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Fri, 18 Dec 2020 14:13:47 +0000 (15:13 +0100)]
BUG/MEDIUM: mux-h1: Handle h1_process() failures on a pipelined request
On frontend side, when a conn-stream is detached from a H1 connection, the
H1 stream is destroyed and if we already have some data to parse (a
pipelined request), we process these data immediately calling
h1_process(). Then we adjust the H1 connection timeout. But h1_process() may
fail and release the H1 connection. For instance, a parsing error may be
reported. Thus, when that happens, we must not use anymore the H1 connection
and exit.
This patch must be backported as far as the 2.2. This bug can impact the 2.3
and the 2.2, in theory, if h1 stream creation fails. But, concretely, it only
fails on the 2.4 because the requests are now parsed at this step.
(cherry picked from commit
0c366a87619206d1bf1c9f69698933d0e58b7be5)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Tue, 15 Dec 2020 12:32:55 +0000 (13:32 +0100)]
BUG/MEDIUM: http-ana: Never for sending data in TUNNEL mode
When a channel is set in TUNNEL mode, we now always set the CF_NEVER_WAIT flag,
to be sure to never wait for sending data. It is important because in TUNNEL
mode, we have no idea if more data are expected or not. Setting this flag
prevent the MSG_MORE flag to be set on the connection.
It is only a problem with the HTX, since the 2.2. On previous versions, the
MSG_MORE flag is only set on the mux initiative. In fact, the problem arises
because there is an ambiguity in tunnel mode about the HTX_FL_EOI flag. In this
mode, from the mux point of view, while the SHUTR is not received more data are
expected. But from the channel point of view, we want to send data asap.
At short term, this fix is good enough and is valid anyway. But for the long
term more reliable solution must be found. At least, the to_forward field must
regain its original meaning.
This patch must be backported as far as 2.2.
(cherry picked from commit
198ef8b1de3ddac116baeaf5b86f2f8335e69e62)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Mon, 7 Dec 2020 17:21:27 +0000 (18:21 +0100)]
BUG/MINOR: mux-h1: Don't set CS_FL_EOI too early for protocol upgrade requests
When a protocol upgrade request is received, once parsed, it is waiting for
the response in the DONE state. But we must not set the flag CS_FL_EOI
because we don't know if a protocol upgrade will be performed or not.
Now, it is set on the response path, if both sides reached the DONE
state. If a protocol upgrade is finally performed, both sides are switched in
TUNNEL state. Thus the CS_FL_EOI flag is not set.
If backported, this patch must be adapted because for now it relies on last
2.4-dev changes. It may be backported as far as 2.0.
(cherry picked from commit
3e1748bbf30bc06407bda36517c00c0b97bfeb50)
[cf: context adjustment]
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Wed, 16 Dec 2020 13:14:38 +0000 (14:14 +0100)]
BUILD: Makefile: have "make clean" destroy .o/.a/.s in contrib subdirs as well
Now that we sometimes link some contrib subparts directly into the
haproxy binary, it's becoming a real problem that they're not cleaned
on make clean. Some of the tools there are useful as .so or pure
binaries and we don't want to remove them, but anything intermediary
susceptible to be linked into haproxy should be cleaned. This is what
this patch does for 3 levels of subdirs into contrib/, without touching
the rest. It should be sufficient for the vast majority of use cases.
(cherry picked from commit
da867d8d68f19f9034a47d42d16db78a84a12299)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Ilya Shipitsin [Thu, 26 Nov 2020 21:39:48 +0000 (02:39 +0500)]
BUILD: SSL: fine guard for SSL_CTX_add_server_custom_ext call
SSL_CTX_add_server_custom_ext is openssl specific function present
since openssl-1.0.2, let us define readable guard for it, not depending
on HA_OPENSSL_VERSION
(cherry picked from commit
ec609098718b9c1cd803ca57442b2b98c9ba4a16)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Wed, 16 Dec 2020 09:39:20 +0000 (10:39 +0100)]
REGTESTS: make use of HAPROXY_ARGS and pass -dM by default
Enabling memory poisoning is often pretty effective for detecting
uninitialized structure fields. Let's enable it by default and let
the user change the arguments at will (e.g. forcing some memory limits
or disabling a poller). This will work with the latest vtest version
to date (02a9bc1).
(cherry picked from commit
a4009cd6103a92752db27c3a85051c6adcc832c1)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
William Lallemand [Tue, 15 Dec 2020 13:57:46 +0000 (14:57 +0100)]
BUG/MEDIUM: ssl/crt-list: bad behavior with "commit ssl cert"
In issue #1004, it was reported that it is not possible to remove
correctly a certificate after updating it when it came from a crt-list.
Indeed the "commit ssl cert" command on the CLI does not update the list
of ckch_inst in the crtlist_entry. Because of this, the "del ssl
crt-list" command removes neither the instances nor the SNIs
because they were never linked to the crtlist_entry.
This patch fixes the issue by inserting the ckch_inst in the
crtlist_entry once generated.
Must be backported as far as 2.2.
(cherry picked from commit
a55685bfea0c95fd311b9bd0478950e534305786)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Fri, 11 Dec 2020 14:36:01 +0000 (15:36 +0100)]
BUG/MEDIUM: lb-leastconn: Reposition a server using the right eweight
Depending on the context, the current eweight or the next one must be used
to reposition a server in the tree. When the server state is updated, for
instance its weight, the next eweight must be used because it is not yet
committed. However, when the server is used, on normal conditions, the
current eweight must be used.
In fact, it is only a bug on the 1.8. On newer versions, the changes on a
server are performed synchronously. But it is safer to rely on the right
eweight value to avoid any future bugs.
On the 1.8, it is important to do so, because the server state is updated
and committed inside the rendez-vous point. Thus, the next server state may
be unsync with the current state for a short time, waiting all threads join
the rendez-vous point. It is especially a problem if the next eweight is set
to 0. Because otherwise, it must not be used to reposition the server in the
tree, leading to a divide by 0.
This patch must be backported as far as 1.8.
(cherry picked from commit
cb33d3ac7f8dbc3f7323606a521d29dc100adbda)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Fri, 11 Dec 2020 08:30:45 +0000 (09:30 +0100)]
BUG/MINOR: tools: Reject size format not starting by a digit
parse_size_err() function is now more strict on the size format. The first
character must be a digit. Otherwise an error is returned. Thus "size k" is
now rejected.
This patch must be backported to all stable versions.
(cherry picked from commit
82635a0fc1d8196e5b199e2948d2bea4b1217ace)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Fri, 11 Dec 2020 08:23:07 +0000 (09:23 +0100)]
BUG/MINOR: tools: make parse_time_err() more strict on the timer validity
First, an error is now reported if the first character is not a digit. Thus,
"timeout client s" triggers an error now. Then 'u' is also rejected
now. 'us' is valid and should be used to set the timer in microseconds. However
'u' alone is not a valid unit. It was just ignored before (default to
milliseconds). Now, it is an error. Finally, a warning is reported if the
end of the text is not reached after the timer parsing. This warning will
probably be switched to an error in a future version.
This patch must be backported to all stable versions.
(cherry picked from commit
c20ad0d8dbd1bb5707bbfe23632415c3062e046c)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
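The three rules listed in the commit above, as an added example that is not HAProxy's parse_time_err(): the function name, the status enum and the microsecond result are assumptions made for the illustration, as is rejecting an unknown unit letter outright. The unit letters are the ones HAProxy's configuration accepts (us, ms, s, m, h, d), with milliseconds as the default.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

enum timer_status {
    TIMER_ERR = -1,           /* rejected */
    TIMER_OK = 0,             /* whole text consumed */
    TIMER_WARN_TRAILING = 1   /* value parsed, but text remains after it */
};

/* Hypothetical strict timer parser. Stores the value in microseconds in
 * *out_us; *out_us is left untouched on error. */
static enum timer_status parse_timer_us(const char *text,
                                        unsigned long long *out_us)
{
    unsigned long long value = 0;
    unsigned long long mult = 1000ULL;      /* default unit: milliseconds */

    /* Rule 1: the first character must be a digit ("s", "", "-5" fail). */
    if (text == NULL || *text < '0' || *text > '9')
        return TIMER_ERR;

    while (*text >= '0' && *text <= '9') {
        unsigned int digit = (unsigned int)(*text - '0');

        if (value > (ULLONG_MAX - digit) / 10)
            return TIMER_ERR;               /* would overflow */
        value = value * 10 + digit;
        text++;
    }

    switch (*text) {
    case '\0':
        break;
    case 'u':
        /* Rule 2: 'us' is a unit, 'u' alone is not. */
        if (text[1] != 's')
            return TIMER_ERR;
        mult = 1ULL;
        text += 2;
        break;
    case 'm':
        if (text[1] == 's') {               /* milliseconds */
            mult = 1000ULL;
            text += 2;
        } else {                            /* minutes */
            mult = 60ULL * 1000000ULL;
            text++;
        }
        break;
    case 's':
        mult = 1000000ULL;
        text++;
        break;
    case 'h':
        mult = 3600ULL * 1000000ULL;
        text++;
        break;
    case 'd':
        mult = 86400ULL * 1000000ULL;
        text++;
        break;
    default:
        return TIMER_ERR;                   /* assumption: unknown unit */
    }

    if (value > ULLONG_MAX / mult)
        return TIMER_ERR;                   /* would overflow */
    *out_us = value * mult;

    /* Rule 3: anything left after the unit is reported, not ignored. */
    return *text != '\0' ? TIMER_WARN_TRAILING : TIMER_OK;
}

int main(void)
{
    /* Constructed inputs covering each rule. */
    const char *samples[] = { "10s", "s", "10u", "10us", "10", "10sx" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned long long us = 0;
        enum timer_status st = parse_timer_us(samples[i], &us);

        printf("%-6s -> status %d, %llu us\n", samples[i], (int)st, us);
    }
    return 0;
}
```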
Christopher Faulet [Wed, 9 Dec 2020 17:45:47 +0000 (18:45 +0100)]
MINOR: tcpcheck: Only wait for more payload data on HTTP expect rules
For HTTP expect rules, if the buffer is not empty, it is guaranteed that all
responses headers are received, with the start-line. Thus, except for
payload matching, there is no reason to wait for more data from the moment
the htx message is not empty.
This patch may be backported as far as 2.2.
(cherry picked from commit
cad5f5e1ede350e92a0e0b1626d636f1c70c646d)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Wed, 9 Dec 2020 18:46:38 +0000 (19:46 +0100)]
BUG/MINOR: tcpcheck: Don't rearm the check timeout on each read
The check timeout is used to limit a health-check execution. By default
inter timeout is used. But when defined the check timeout is used. In this
case, the inter timeout (or connect timeout) is used for the connection
establishment only. And the check timeout for the health-check
execution. Thus, it must be set after a successful connect. It means it is
rearmed at the end of each connect rule.
This patch with the previous one (BUG/MINOR: http-check: Use right condition
to consider HTX message as full) should solve the issue #991. It must be
backported as far as 2.2. On the 2.3 and 2.2, there are 2 places where the
connection establishment is handled. The check timeout must be set on both.
(cherry picked from commit
c878f56f7c921135acca5e3dccf7961422928285)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Wed, 9 Dec 2020 18:45:07 +0000 (19:45 +0100)]
BUG/MINOR: http-check: Use right condition to consider HTX message as full
When an HTTP expect rule is evaluated, we must know if more data is expected
or not to wait if the matching fails. If the whole response is received or
if the HTX message is full, we must not wait. In this context,
htx_free_data_space() must be used instead of htx_free_space(). The first
one counts down the block size. Otherwise at the edge, when only the block
size remains free (8 bytes), we may think there is some place for more data
while the mux is unable to add more block.
This bug explains the loop described on the GH issue #991. It should be
backported as far as 2.2.
(cherry picked from commit
3f527197cd7d34fc1975862f346e2d778dc44dc2)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
David Carlier [Thu, 10 Dec 2020 09:56:09 +0000 (09:56 +0000)]
DOC: email change of the DeviceAtlas maintainer
(cherry picked from commit
1470b9d0459306c4784285cc7f16b150a5b4b17a)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Gilchrist Dadaglo [Tue, 8 Dec 2020 14:37:14 +0000 (14:37 +0000)]
BUG/MEDIUM: spoa/python: Fixing references to None
As per https://docs.python.org/3/c-api/none.html, None has to be treated
exactly like other objects for reference counting.
So, when we use it, we need to INCREF and when we are done, DECREF
This patch must be backported as far as 2.0.
(cherry picked from commit
bdd034947c4a3a6f8c41af9bf6e62b7a74b4ebbc)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Gilchrist Dadaglo [Tue, 8 Dec 2020 14:37:13 +0000 (14:37 +0000)]
BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments
As per https://docs.python.org/3/c-api/object.html#c.PyObject_Call,
positional arguments should be an empty tuple when not used.
Previously the code had a dictionary instead of tuple. This commit is to
fix it and use tuple to avoid unexpected consequences
This patch must be backported as far as 2.0.
(cherry picked from commit
042f697a0fce0255b569786d29e929a4a41cbc46)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Gilchrist Dadaglo [Tue, 8 Dec 2020 14:37:12 +0000 (14:37 +0000)]
BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails
This change is to ensure objects from the ipaddress module are cleaned
up when spoa module initialization fails.
In general the interpreter would just crash, but in a code where import
is conditional (try/except), then we would keep those objects around
This patch must be backported as far as 2.0.
(cherry picked from commit
d1c0cf80bceb352b6bf33064b352f6dbe2b0b39c)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Gilchrist Dadaglo [Tue, 8 Dec 2020 14:37:11 +0000 (14:37 +0000)]
BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations
As per https://docs.python.org/3/c-api/module.html#c.PyModule_AddObject,
references are stolen by the function only for success. We must do
cleanup manually if there is a failure
This patch must be backported as far as 2.0.
(cherry picked from commit
132d8f61e9440b9254069ca2c4bcff67df29bb6f)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Gilchrist Dadaglo [Tue, 8 Dec 2020 14:37:10 +0000 (14:37 +0000)]
DOC: spoa/python: Fixing typos in comments
Fixing a missing letter in a comment
This patch must be backported as far as 2.0.
(cherry picked from commit
c7485ac1013e32e79d692230a65be082c995f683)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Gilchrist Dadaglo [Tue, 8 Dec 2020 14:37:09 +0000 (14:37 +0000)]
DOC: spoa/python: Rephrasing memory related error messages
The old message "No more space left available" was redundant with "left
available". This commit is to rephrase that sentence and make it more
explicit we are talking about memory
This patch must be backported as far as 2.0.
(cherry picked from commit
85b25829bce67a8d8338350a9bc8845f0ed9c2ad)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Gilchrist Dadaglo [Tue, 8 Dec 2020 14:37:08 +0000 (14:37 +0000)]
DOC: spoa/python: Fixing typo in IP related error messages
This commit fixes typos in the ps_python_set_var_ip* byte manipulation error
messages
This patch must be backported as far as 2.0.
(cherry picked from commit
6884742c651e65d065be9fc10cfaf258dae353f0)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Gilchrist Dadaglo [Tue, 8 Dec 2020 14:37:07 +0000 (14:37 +0000)]
BUG/MAJOR: spoa/python: Fixing return None
As per https://docs.python.org/3/c-api/none.html, None requires to be
incremented before being returned to prevent deallocating none
This patch must be backported as far as 2.0.
(cherry picked from commit
d5c428e761796317fdfa9c7f9bf3f6280e218a98)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
William Lallemand [Fri, 4 Dec 2020 14:45:02 +0000 (15:45 +0100)]
MEDIUM: ssl: fatal error with bundle + openssl < 1.1.1
Since HAProxy 2.3, OpenSSL 1.1.1 is a requirement for using a
multi-certificate bundle in the configuration. This patch emits a fatal
error when HAProxy tries to load a bundle with an older version of
HAProxy.
This problem was encountered by a user in issue #990.
This must be backported in 2.3.
(cherry picked from commit
b7fdfdfd92b9fdc6a3f742643760d6415fdc6f6b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Fri, 4 Dec 2020 14:03:36 +0000 (15:03 +0100)]
MINOR: listener: now use a generic add_listener() function
With the removal of the family-specific port setting, all protocols had
exactly the same implementation of ->add(). A generic one was created
with the name "default_add_listener" so that all other ones can now be
removed. The API was slightly adjusted so that the protocol and the
listener are passed instead of the listener and the port.
Note that all protocols continue to provide this ->add() method instead
of routinely calling default_add_listener() from create_listeners(). This
makes sure that any non-standard protocol will still be able to intercept
the listener addition if needed.
This could be backported to 2.3 along with the few previous patches on
listeners as a pure code cleanup.
(cherry picked from commit
d1f250f87b8850f24456e62140509e612f8b3415)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Fri, 4 Dec 2020 13:49:11 +0000 (14:49 +0100)]
MINOR: listener: automatically set the port when creating listeners
In create_listeners() we iterate over a port range and call the
protocol's ->add() function to add a new listener on the specified
port. Only tcp4/tcp6/udp4/udp6 support a port, the other ones ignore
it. Now that we can rely on the address family to properly set the
port, better do it this way directly from create_listeners() and
remove the family-specific case from the protocol layer.
(cherry picked from commit
07400c56bb0ab81cfd2e295c790b699839fea0a3)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Fri, 4 Dec 2020 13:43:36 +0000 (14:43 +0100)]
MINOR: protocol: add a ->set_port() helper to address families
At various places we need to set a port on an IPv4 or IPv6 address, and
it requires casts that are easy to get wrong. Let's add a new set_port()
helper to the address family to assist in this. It will be directly
accessible from the protocol and will make the operation seamless.
Right now this is only implemented for sock_inet as other families do
not need a port.
(cherry picked from commit
73bed9ff135472c0e02b5aba08845b8a359eb268)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Christopher Faulet [Tue, 1 Dec 2020 10:42:53 +0000 (11:42 +0100)]
BUG/MINOR: mux-h1: Handle keep-alive timeout for idle frontend connections
IDLE frontend connections have no stream attached. The stream is only
created when new data are received, when the parsing of the next request
starts. Thus the keep-alive timeout, handled into the HTTP analysers, is not
considered while nothing is received. But this is especially when this
timeout must be considered. Concretely the http-keep-alive is ignored while
no data are received. Only the client timeout is used. It will only be
considered on incomplete requests, if the http-request timeout is not set.
To fix the bug, the http-keep-alive timeout must be handled at the mux
level, for IDLE frontend connection only.
This patch should fix the issue #984. It must be backported as far as
2.2. On prior versions, the stream is created earlier. So, it is not a
problem, except if this behavior changes of course (it was an optim of the
2.2, but don't remember the commit).
(cherry picked from commit
268c92e2f8454569c1d2354f22cbe3187d548c3c)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Fri, 4 Dec 2020 13:28:23 +0000 (14:28 +0100)]
BUG/MINOR: listener: use sockaddr_in6 for IPv6
A copy-paste bug between {tcp,udp}{4,6}_add_listener() resulted in
using a struct sockaddr_in to set the TCP/UDP port while it ought to
be a struct sockaddr_in6. Fortunately, the port has the same offset
(2) in both so it was harmless. A cleaner way to proceed would be
to have a set_port function exported by the address family layer.
This needs to be backported to 2.3.
(cherry picked from commit
7da02dd308baa40df43b87b5fdca3af8c49e48a8)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Phil Scherer [Wed, 2 Dec 2020 19:36:08 +0000 (19:36 +0000)]
DOC/MINOR: Fix formatting in Management Guide
section numbering used '9.2)' instead of '9.2.'.
(cherry picked from commit
b931f964e13700bbf43419c05a37a503bcfb555b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
David Carlier [Wed, 2 Dec 2020 21:14:51 +0000 (21:14 +0000)]
BUILD/MINOR: haproxy DragonFlyBSD affinity build update.
sched_setaffinity supported by this platform.
(cherry picked from commit
2d0493af49fa2518bb53a260e0b04bc43d9683c3)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Emeric Brun [Wed, 2 Dec 2020 16:02:09 +0000 (17:02 +0100)]
BUG/MAJOR: ring: tcp forward on ring can break the reader counter.
If the session is not established, the applet handler could leave
with the applet detached from the ring. At next call, the attach
counter will be decreased again causing unpredictable behavior.
This patch should be backported on branches >=2.2
(cherry picked from commit
fdabf4954860942d314fe3059a869bed207e78d4)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Thierry Fournier [Sat, 28 Nov 2020 19:41:07 +0000 (20:41 +0100)]
BUG/MINOR: lua: warn when registering action, conv, sf, cli or applet multiple times
Lua allows registering multiple sample-fetches, converters, action, cli,
applet/services with the same name. This is absolutely useless since only
the first registration will be used. This patch sends a warning if the case
is encountered.
This patch could be backported until 1.8, with the 3 associated patches:
- MINOR: actions: Export actions lookup functions
- MINOR: actions: add a function returning a service pointer from its name
- MINOR: cli: add a function to look up a CLI service description
(cherry picked from commit
f67442efdb509d5d15f530a536b13f29fa7f48b7)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Thierry Fournier [Sat, 28 Nov 2020 19:10:08 +0000 (20:10 +0100)]
MINOR: cli: add a function to look up a CLI service description
This function will be useful to check if the keyword is already registered.
Also add a define for the max number of args.
This will be needed by a next patch to fix a bug and will have to be
backported.
(cherry picked from commit
a51a1fd17420a96bb766afbae354e041fc9e1d9b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Thierry Fournier [Sat, 28 Nov 2020 18:32:14 +0000 (19:32 +0100)]
MINOR: actions: add a function returning a service pointer from its name
This function simply calls action_lookup() on the private service_keywords,
to look up a service name. This will be used to detect double registration
of a same service from Lua.
This will be needed by a next patch to fix a bug and will have to be
backported.
(cherry picked from commit
87e539906b13ed1d86684d9d3eab82b550fae02d)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Thierry Fournier [Sat, 28 Nov 2020 16:40:24 +0000 (17:40 +0100)]
MINOR: actions: Export actions lookup functions
These functions will be useful to check if a keyword is already registered.
This will be needed by a next patch to fix a bug, and will need to be
backported.
(cherry picked from commit
7a71a6d9d262d7a0f7c3d208ab339d469958011d)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Thierry Fournier [Sat, 28 Nov 2020 15:08:02 +0000 (16:08 +0100)]
BUG/MINOR: lua: Some lua init operation are processed unsafe
Operation luaL_openlibs() and lua_prepend path are processed without
the safe context, so in case of failure Haproxy aborts or stops without
error message.
This patch could be backported until 1.8
(cherry picked from commit
2f05cc6f86ee6beda9c42a6bb99a9a96fad37b68)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Thierry Fournier [Sat, 28 Nov 2020 10:02:58 +0000 (11:02 +0100)]
BUG/MINOR: lua: Post init register function are not executed beyond the first one
Just because if the first init is a success we return success in place
of continuing the loop.
This patch could be backported until 1.8
(cherry picked from commit
13d08b73eb99741ca5903e8414b85a1d0b919594)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Thierry Fournier [Sun, 29 Nov 2020 00:06:24 +0000 (01:06 +0100)]
BUG/MINOR: lua: lua-load doesn't check its parameters
"lua-load" doesn't check if the expected parameter is present. It tries to
open() directly the argument at second position. So if the filename is
omitted, it tries to load an empty filename.
This patch could be backported until 1.8
(cherry picked from commit
77a88943d6a0d7852c25a03541d60ccf44aa5c6d)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Thierry Fournier [Sat, 28 Nov 2020 23:55:53 +0000 (00:55 +0100)]
BUG/MINOR: lua: missing "\n" in error message
Just replace ".n" by "\n"
This could be backported until 1.9, but it is not so important.
(cherry picked from commit
de6145f747e38a5da455ccb8a84ebfc1cd2f517f)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Tue, 1 Dec 2020 09:47:18 +0000 (10:47 +0100)]
BUG/MINOR: mux-h2/stats: not all GOAWAY frames are errors
The stats on haproxy.org reported ~12k GOAWAY for ~34k connections, with
only 2 protocol errors. It turns out that the GOAWAY frame counter added
in commit
a8879238c ("MINOR: mux-h2: report detected error on stats")
matches a bit too many situations. First it counts those which are not
sent as well as failed retries, second it counts as errors the cases of
attempts to cleanly close, while it's titled "GOAWAY sent on detected
error". Let's address this by moving the counter up one line and excluding
the clean codes.
This can be backported to 2.3.
(cherry picked from commit
f965b2ad136b6487571f9a8fb0b3e58f778c002c)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Tue, 1 Dec 2020 09:22:43 +0000 (10:22 +0100)]
BUG/MINOR: mux-h2/stats: make stream/connection proto errors more accurate
Since commit
a8879238c ("MINOR: mux-h2: report detected error on stats")
we now have some error stats on stream/connection level protocol errors,
but some were improperly marked as stream while they're connection, and
2 or 3 relevant ones were missing and have now been added.
This could be backported to 2.3.
(cherry picked from commit
a307528fe287f085705ef08a798c1698e474c395)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Emeric Brun [Fri, 27 Nov 2020 15:24:34 +0000 (16:24 +0100)]
BUG/MEDIUM: local log format regression.
Since 2.3 default local log format always adds hostname field.
This behavior change was due to log/sink re-work, because according
to rfc3164 the hostname field is mandatory.
This patch re-introduces a legacy "local" format which is analog
to rfc3164 but with hostname stripped. This is the new
default if logs are generated by haproxy.
To stay compliant with previous configurations, the option
"log-send-hostname" acts as if the default format is switched
to rfc3164.
This patch addresses the github issue #963
This patch should be backported in branches >= 2.3.
(cherry picked from commit
0237c4e3f5deb062e8714d02588c86d48fa2703c)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Willy Tarreau [Mon, 30 Nov 2020 13:58:53 +0000 (14:58 +0100)]
BUG/MEDIUM: task: close a possible data race condition on a tasklet's list link
In issue #958 Ashley Penney reported intermittent crashes on AWS's ARM
nodes which would not happen on x86 nodes. After investigation it turned
out that the Neoverse N1 CPU cores used in the Graviton2 CPU are much
more aggressive than the usual Cortex A53/A72/A55 or any x86 regarding
memory ordering.
The issue that was triggered there is that if a tasklet_wakeup() call
is made on a tasklet scheduled to run on a foreign thread and that
tasklet is just being dequeued to be processed, there can be a race at
two places:
- if MT_LIST_TRY_ADDQ() happens between MT_LIST_BEHEAD() and
LIST_SPLICE_END_DETACHED() if the tasklet is alone in the list,
because the emptiness test matches ;
- if MT_LIST_TRY_ADDQ() happens during LIST_DEL_INIT() in
run_tasks_from_lists(), then depending on how LIST_DEL_INIT() ends
up being implemented, it may even corrupt the adjacent nodes while
they're being reused for the in-tree storage.
This issue was introduced in 2.2 when support for waking up remote
tasklets was added. Initially the attachment of a tasklet to a list
was enough to know its status and this used to be stable information.
Now it's not sufficient to rely on this anymore, thus we need to use
a different information.
This patch solves this by adding a new task flag, TASK_IN_LIST, which
is atomically set before attaching a tasklet to a list, and is only
removed after the tasklet is detached from a list. It is checked
by tasklet_wakeup_on() so that it may only be done while the tasklet
is out of any list, and is cleared during the state switch when calling
the tasklet. Note that the flag is not set for pure tasks as it's not
needed.
However this introduces a new special case: the function
tasklet_remove_from_tasklet_list() needs to keep both states in sync
and cannot check both the state and the attachment to a list at the
same time. This function is already limited to being used by the thread
owning the tasklet, so in this case the test remains reliable. However,
just like its predecessors, this function is wrong by design and it
should probably be replaced with a stricter one, a lazy one, or be
totally removed (it's only used in checks to avoid calling a possibly
scheduled event, and when freeing a tasklet). Regardless, for now the
function exists so the flag is removed only if the deletion could be
done, which covers all cases we're interested in regarding the insertion.
This removal is safe against a concurrent tasklet_wakeup_on() since
MT_LIST_DEL() guarantees the atomic test, and will ultimately clear
the flag only if the task could be deleted, so the flag will always
reflect the last state.
This should be carefully backported as far as 2.2 after some
observation period. This patch depends on previous patch
"MINOR: task: remove __tasklet_remove_from_tasklet_list()".
(cherry picked from commit
4d6c594998a47d2c62ff74fba36f5798bea1a228)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
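The first race listed in the commit above (a wakeup landing just after the scheduler beheads a queue holding a single tasklet) can be replayed deterministically. This is an added example, not HAProxy code: the list helpers are simplified single-threaded stand-ins for the MT_LIST macros, the function names are hypothetical, and only the flag name TASK_IN_LIST comes from the commit message.

```c
#include <stdatomic.h>
#include <stdbool.h>

#define TASK_IN_LIST 0x0040u /* flag name from the commit; this value is made up */

struct list { struct list *n, *p; };
struct tasklet { struct list link; atomic_uint state; int queued; };

static void list_init(struct list *l) { l->n = l->p = l; }
static bool list_is_empty(const struct list *l) { return l->n == l; }
static void list_addq(struct list *head, struct list *el) {
    el->p = head->p; el->n = head; head->p->n = el; head->p = el;
}
/* Cut the head out of the ring, leaving its elements linked to each other. */
static void list_behead(struct list *head) {
    head->p->n = head->n; head->n->p = head->p;
    list_init(head);
}
/* Pre-fix test: a self-linked element is assumed to be in no list. */
static bool wakeup_by_link(struct list *q, struct tasklet *t) {
    if (!list_is_empty(&t->link)) return false;
    list_addq(q, &t->link); t->queued++;
    return true;
}
/* Post-fix test: the first caller to set the flag owns the insertion. */
static bool wakeup_by_flag(struct list *q, struct tasklet *t) {
    if (atomic_fetch_or(&t->state, TASK_IN_LIST) & TASK_IN_LIST) return false;
    list_addq(q, &t->link); t->queued++;
    return true;
}
/* Scheduler side: detach first, clear the flag last. */
static void finish_run(struct tasklet *t) {
    list_init(&t->link);
    atomic_fetch_and(&t->state, ~TASK_IN_LIST);
}
/* Replays one wakeup landing between the behead and the run.
 * Returns how many times the tasklet was enqueued for that single run. */
static int replay(bool use_flag, bool *rearmed) {
    bool (*wake)(struct list *, struct tasklet *) =
        use_flag ? wakeup_by_flag : wakeup_by_link;
    struct list q; struct tasklet t = { .queued = 0 };
    list_init(&q); list_init(&t.link); atomic_init(&t.state, 0);
    wake(&q, &t);     /* the lone tasklet is queued */
    list_behead(&q);  /* scheduler takes the queue: t.link now points to itself */
    wake(&q, &t);     /* wakeup from another thread lands in the window */
    int during = t.queued;
    finish_run(&t);
    *rearmed = wake(&q, &t); /* after the run a wakeup must succeed again */
    return during;
}
```

With the link-based test the tasklet is inserted twice for one run, which is the state that corrupts neighbouring nodes under real concurrency; with the flag the second wakeup is refused until the scheduler clears it.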
Willy Tarreau [Mon, 30 Nov 2020 13:52:11 +0000 (14:52 +0100)]
MINOR: task: remove __tasklet_remove_from_tasklet_list()
This function is only used at a single place directly within the
scheduler in run_tasks_from_lists() and it really ought not be called
by anything else, regardless of what its comment says. Let's delete
it, move the two lines directly into the call place, and take this
opportunity to factor the atomic decrement on tasks_run_queue. A comment
was added on the remaining one tasklet_remove_from_tasklet_list() to
mention the risks in using it.
(cherry picked from commit
2da4c316c2cb7b01f54ed1959e91d1799d13959c)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Olivier Houchard [Wed, 25 Nov 2020 19:38:00 +0000 (20:38 +0100)]
BUG/MEDIUM: lists: Lock the element while we check if it is in a list.
In MT_LIST_TRY_ADDQ() and MT_LIST_TRY_ADD() we can't just check if the
element is already in a list, because there's a small race condition, it
could be added between the time we checked, and the time we actually set
its next and prev, so we have to lock it first.
This is required to address issue #958.
This should be backported to 2.3, 2.2 and 2.1.
(cherry picked from commit
1f05324cbe92a7dde71f44dc740eb8240539746f)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Your Name [Sat, 28 Nov 2020 15:37:14 +0000 (15:37 +0000)]
MINOR: plock: use an ARMv8 instruction barrier for the pause instruction
As suggested by @AGSaidi in issue #958, on ARMv8 it's convenient to use
an "isb" instruction in pl_cpu_relax() to improve fairness. Without it
I've met a few watchdog conditions on valid locks with 16 threads,
indicating that some threads couldn't manage to get it in 2 seconds. It
never happened again with it. In addition, the performance increased
by slightly more than 5% thanks to the reduced contention.
This should be backported as far as 2.2, possibly even 2.0.
(cherry picked from commit
1e237d037b3a45ec92d1dfa80dfd2c6bd7fc3af9)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
William Lallemand [Sat, 28 Nov 2020 15:51:33 +0000 (16:51 +0100)]
[RELEASE] Released version 2.3.2
Released version 2.3.2 with the following main changes :
- BUILD: http-htx: fix build warning regarding long type in printf
- CLEANUP: cfgparse: remove duplicate registration for transparent build options
- BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering
- BUG/MINOR: http-ana: Don't wait for the body of CONNECT requests
- DOC: add missing 3.10 in the summary
- BUG/MINOR: ssl: segv on startup when AKID but no keyid
- BUG/MEDIUM: http-ana: Don't eval http-after-response ruleset on empty messages
- BUG/MEDIUM: ssl/crt-list: bundle support broken in crt-list
- BUG/MEDIUM: ssl: error when no certificate are found
- BUG/MINOR: ssl/crt-list: load bundle in crt-list only if activated
- BUG/MEDIUM: ssl/crt-list: fix error when no file found
- BUILD: makefile: enable crypt(3) for OpenBSD
- DOC: clarify how to create a fallback crt
- CLEANUP: connection: do not use conn->owner when the session is known
- BUG/MAJOR: connection: reset conn->owner when detaching from session list
- BUG/MINOR: http_htx: Fix searching headers by substring
- DOC: better describes how to configure a fallback crt
- BUG/MAJOR: filters: Always keep all offsets up to date during data filtering
- MEDIUM: cache: Change caching conditions
- DOC: cache: Add new caching limitation information
- REGTESTS: Add sample_fetches/cook.vtc
- REGTESTS: converter: add url_dec test
- MINOR: http_act: Add -m flag for del-header name matching method
- BUILD: Make DEBUG part of .build_opts
- BUILD: Show the value of DEBUG= in haproxy -vv
- BUG/MEDIUM: http_act: Restore init of log-format list
- BUG/MAJOR: peers: fix partial message decoding
- DOC: better document the config file format and escaping/quoting rules
- DOC: Clarify %HP description in log-format
- BUG/MINOR: tcpcheck: Don't forget to reset tcp-check flags on new kind of check
- MINOR: tcpcheck: Don't handle anymore in-progress send rules in tcpcheck_main
- BUG/MAJOR: tcpcheck: Allocate input and output buffers from the buffer pool
- DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section
- BUG/MINOR: http-fetch: Fix smp_fetch_body() when called from a health-check
Christopher Faulet [Wed, 25 Nov 2020 07:08:08 +0000 (08:08 +0100)]
BUG/MINOR: http-fetch: Fix smp_fetch_body() when called from a health-check
res.body may be called from a health-check. It is probably never used. But it is
possible. In such case, there is no channel. Thus we must not use it
unconditionally to set the flag SMP_F_MAY_CHANGE on the smp.
Now the condition tests the channel first. In addition, the flag is not set if the
payload is fully received.
This patch must be backported as far as 2.2.
(cherry picked from commit
a9ffc416377e0df9859526dc3c1d769c6a68636f)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
Christopher Faulet [Tue, 24 Nov 2020 16:13:24 +0000 (17:13 +0100)]
DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section
req.hdrs and req.hdrs_bin are L7 sample fetches, not L6. They were in the wrong
section.
This patch may be backported as far as 1.8.
(cherry picked from commit
687a68e2d04900e84317d066de80891a7f848747)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
Christopher Faulet [Wed, 25 Nov 2020 12:47:00 +0000 (13:47 +0100)]
BUG/MAJOR: tcpcheck: Allocate input and output buffers from the buffer pool
Historically, the input and output buffers of a check are allocated by hand
during the startup, with a specific size (not necessarily the same as
other buffers). But since the recent refactoring of the checks to rely
exclusively on the tcp-checks and to use the underlying mux layer, this part
is totally buggy. Indeed, because these buffers are now passed to a mux,
they may be swapped if a zero-copy is possible. In fact, for now it is
only possible in h2_rcv_buf(). Thus the bug concretely only exists if a h2
health-check is performed. But, it is a latent bug for other muxes.
Another problem is the size of these buffers. Because it may differ from the
other buffer size, it might be a source of bugs.
Finally, for configurations with hundreds of thousands of servers, having 2
buffers per check always allocated may be an issue.
To fix the bug, we now allocate these buffers when required using the buffer
pool. Thus not-running checks don't waste memory and muxes may swap them if
possible. The only drawback is the check buffers now always have the same
size as buffers used by the streams. This deprecates indirectly the
"tune.chksize" global option.
In addition, the http-check regtest has been updated to perform some h2
health-checks.
Many thanks to @VigneshSP94 for its help on this bug.
This patch should solve the issue #936. It relies on the commit "MINOR:
tcpcheck: Don't handle anymore in-progress send rules in tcpcheck_main".
Both must be backported as far as 2.2.
bla
(cherry picked from commit
b381a505c1010bb11abbe7b31e8d2307c4dab541)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
Christopher Faulet [Wed, 25 Nov 2020 12:34:51 +0000 (13:34 +0100)]
MINOR: tcpcheck: Don't handle anymore in-progress send rules in tcpcheck_main
The special handling of in-progress send rules at the beginning of
tcpcheck_main() function can be removed. Instead, at the beginning of the
tcpcheck_eval_send() function, we test if there is some data in the output
buffer. In this case, it means we are evaluating an unfinished send rule and
we can jump to the sending part, skipping the formatting part.
This patch is mandatory for a major fix on the checks and must be backported
as far as 2.2.
(cherry picked from commit
39066c27384653b41b95370fc4dec4469a637a23)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
Christopher Faulet [Wed, 25 Nov 2020 15:43:12 +0000 (16:43 +0100)]
BUG/MINOR: tcpcheck: Don't forget to reset tcp-check flags on new kind of check
When a new kind of check is found during the parsing of a proxy section (via
an option directive), we must reset tcpcheck flags for this proxy. It is
mandatory to not inherit some flags from a previously declared check (for
instance in the default section).
This patch must be backported as far as 2.2.
(cherry picked from commit
1faf18ae3976cddfb17afa95ea447205330c821e)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>