Hi,

HAProxy 3.2-dev2 was released on 2024/12/25. It added 97 new commits
after version 3.2-dev1.

This version contains few changes and mostly addresses pending issues.

It starts by bringing some fixes in a few areas (quic/bbr, stream timers,
rhttp counters, SSL CLI). A notable one is the queue issue that has been
bugging us for a few months now, alternating between requests timing out in
queues, infinite loops, and violated maxconns, which is now fixed. The fixes
will be progressively backported to stable releases.

An issue was raised with Lua by which a boolean sample expression returning
a boolean would be converted to an integer in Lua instead of a boolean. This
seems to result from a very early copy-paste between integer and boolean
handling. In order to address this without breaking scripts and ease the
transition, a new global option was added to choose between the legacy and
correct behavior: "tune.lua.bool-sample-conversion". When the option is not
set and the situation is detected, a warning will be issued to explain how
to choose between both behaviors, and the default is not changed. We intend
to backport this now to 3.1 in order to catch such issues as early as
possible and let the rare users check their scripts accordingly and/or
choose the option that suits them best.

The "show ssl sni -A" CLI command can now show expired certificates.

The gpc/gpt arrays of stick-tables can now be specified on the CLI
"set/clear/show table" commands.

The QUIC pacing code was lifted a bit to make it more robust and easier to
follow at the same time.

The SSL OCSP update code will keep a trace of the last error met and will
report it on "show ssl ocsp-updates".

The output of haproxy -vv will now report "SSL library" as a line prefix
instead of "OpenSSL", which is confusing with alternate libraries. Also, the
presence of FIPS is now explicitly reported as well.

For developers, a new DEBUG_STRESS build option allows applying various
degrees of pressure on the existing code to help reproduce certain issues
(e.g. disable multi-writes to a same buffer, more levels might come later).
Also, the new ASSUME(expr) and ASSUME_NONNULL(ptr) macros are used to let
the compiler know about the expected domain for some values or expressions,
without having to compute values and throw the result away. A few places
were cleaned up and BUG_ON() can now fall back to this when DEBUG_STRICT is
not set, eliminating some warnings. In addition this results in better code.

Also it's now possible to temporarily disable traces in the code at the
thread level. This is convenient when knowing that a certain condition does
not warrant tracing despite calling shared code.

Finally, some build fixes for old libcs and uncommon architectures (m68k),
CI updates to enable latest WolfSSL weekly and aws-lc-fips, some cleanups
and the usual doc updates.

And I think that's about all. It's not much, mostly a few changes here and
there that fill some small feature gaps or prepare the architecture for
future changes.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (18):
      MINOR: build: define DEBUG_STRESS
      MINOR: applet: define applet_putchk_stress() alternative
      MINOR: stats: use stress mode to force reentrant dumps
      BUG/MEDIUM: mux-quic: do not mix qcc_io_send() return codes with pacing
      CLEANUP: mux-quic: remove unused qcc member send_retry_list
      MINOR: quic: add traces
      MINOR: mux-quic: refactor wait-for-handshake support
      MEDIUM/OPTIM: mux-quic: define a recv_list for demux resumption
      MEDIUM/OPTIM: mux-quic: implement purg_list
      MINOR: mux-quic: extract code to build STREAM frames list
      MINOR: mux-quic: split STREAM and RS/SS emission
      MEDIUM/OPTIM: mux-quic: do not rebuild frms list on every send
      MEDIUM: mux-quic: remove pacing specific code on qcc_io_cb
      MINOR: trace: implement tracing disabling API
      MINOR: mux-quic: hide traces when woken up on pacing only
      BUG/MEDIUM: mux-quic: prevent BUG_ON() by refreshing frms on MAX_DATA
      CLEANUP: mux-quic: remove dead err label in qcc_build_frms()
      BUG/MINOR: h2/rhttp: fix HTTP2 conn counters on reverse

Aurelien DARRAGON (9):
      DOC: config: add example for server "track" keyword
      DOC: config: reorder "tune.lua.*" keywords by alphabetical order
      DOC: config: add "tune.lua.burst-timeout" to the list of global parameters
      MINOR: hlua: add option to preserve bool type from smp to lua
      REGTESTS: fix lua-based regtests using tune.lua.smp-preserve-bool
      MINOR: hlua: rename "tune.lua.preserve-smp-bool" to "tune.lua.bool-sample-conversion"
      BUG/MINOR: stats: fix segfault caused by uninitialized value in "show schema json"
      MINOR: stktable: add stktable_get_data_type_idx() helper function
      MINOR: stktable: support optional index for array types in {set, clear, show} table commands

Christopher Faulet (1):
      BUG/MEDIUM: stconn: Only consider I/O timers to update stream's expiration date

Frederic Lecaille (13):
      MINOR: window_filter: rely on the time to update the filter samples (QUIC/BBR)
      BUG/MINOR: quic: wrong logical statement in in_recovery_period() (BBR)
      BUG/MINOR: quic: fix BBB max bandwidth oscillation issue.
      BUG/MINOR: quic: wrong bbr_target_inflight() implementation
      BUG/MINOR: quic: remove max_bw filter from delivery rate sampling
      BUG/MINOR: quic: underflow issue for bbr_inflight_hi_from_lost_packet()
      BUG/MINOR: quic: reduce packet losses at least during ProbeBW_CRUISE (BBR)
      MINOR: quic: reduce the private data size of QUIC cc algos
      CLEANUP: quic: remove a wrong comment about ->app_limited (drs)
      BUG/MINOR: quic: fix the wrong tracked recovery start time value
      BUG/MINOR: quic: too permissive exit condition for high loss detection in Startup (BBR)
      BUG/MINOR: quic: missing Startup accelerating probing bw states
      CLEANUP: quic: Rename some BBR functions in relation with bw probing

Ilia Shipitsin (5):
      CI: limit aws-lc and libressl Quic Interop to "haproxy" only
      BUG/MINOR: checks: handle a possible strdup() failure
      BUG/MINOR: listener: handle a possible strdup() failure
      BUG/MINOR: mux_h1: handle a possible strdup() failure
      BUG/MINOR: debug: handle a possible strdup() failure

Olivier Houchard (7):
      BUG/MEDIUM: queues: Make sure we call process_srv_queue() when leaving
      BUG/MEDIUM: queues: Do not use pendconn_grab_from_px().
      CLEANUP: queues: Remove pendconn_grab_from_px().
      BUG/MEDIUM: queue: Make process_srv_queue return the number of streams
      BUG/MEDIUM: queues: Stricly respect maxconn for outgoing connections
      MEDIUM: queue: Handle the race condition between queue and dequeue differently
      CLEANUP: Remove pendconn_must_try_again().

Remi Tricot-Le Breton (1):
      MINOR: ssl/ocsp: Add extra details in error logs when possible

Valentine Krasnobaeva (5):
      BUG/MINOR: cli: cli_snd_buf: preserve \r\n for payload lines
      REGTESTS: ssl: add a PEM with mix of LF and CRLF line endings
      REORG: startup: move global.maxconn calculations in limits.c
      REORG: startup: move code that applies limits to limits.c
      REORG: startup: move nofile limit checks in limits.c

William Lallemand (21):
      CI: scripts: add support for AWS-LC-FIPS in build-ssl.sh
      MINOR: ssl: add "FIPS" details in haproxy -vv
      MEDIUM: ssl: rename 'OpenSSL' by 'SSL library' in haproxy -vv
      CI: github: let's add an AWS-LC-FIPS job
      MINOR: ssl: add utils functions to extract X509 notAfter date
      MINOR: ssl/cli: allow to filter expired certificates with 'show ssl sni'
      MINOR: ssl/cli: add -A to the 'show ssl sni' command description
      BUG/MINOR: ssl/cli: 'show ssl cert' escape the first '*' of a filename
      BUG/MINOR: ssl/cli: 'show ssl crl-file' escape the first '*' of a filename
      BUG/MINOR: ssl/cli: 'show ssl ca-file' escape the first '*' of a filename
      MINOR: ssl/cli: add a 'Uncommitted' status for 'show ssl' commands
      BUILD: ssl/ocsp: error: ‘%.*s’ directive argument is null
      MEDIUM: ssl/ocsp: OCSP response is expired with OCSP_MAX_RESPONSE_TIME_SKEW
      MINOR: ssl: improve HAVE_SSL_OCSP ifdef
      MINOR: ssl: change visibility of ssl_stats_module
      MINOR: ssl: rework the error management in the OCSP callback
      MEDIUM: ssl/ocsp: counters for OCSP stapling
      CI: github: try to build the latest WolfSSL master weekly
      CI: github: activate ASAN on the WolfSSL weekly job
      CI: scripts: allow to build wolfssl with --enable-debug
      CI: github: activate debug in wolfssl weekly build

Willy Tarreau (17):
      BUILD: debug: only dump/reset glitch counters when really defined
      MINOR: compiler: add a __has_builtin() macro to detect features more easily
      MINOR: compiler: rely on builtin detection for __builtin_unreachable()
      MINOR: compiler: add a new "ASSUME" macro to help the compiler
      MINOR: compiler: also enable __builtin_assume() for ASSUME()
      MINOR: compiler: add ASSUME_NONNULL() to tell the compiler a pointer is valid
      MINOR: bug: make BUG_ON() fall back to ASSUME
      CLEANUP: cache: use ASSUME_NONNULL() instead of DISGUISE()
      CLEANUP: hlua: use ASSUME_NONNULL() instead of ALREADY_CHECKED()
      CLEANUP: htx: use ASSUME_NONNULL() to mark the start line as non-null
      CLEANUP: mux-fcgi: use ASSUME_NONNULL() to indicate that the first block exists
      CLEANUP: stats: use ASSUME_NONNULL() to indicate that the first block exists
      CLEANUP: quic: replace ALREADY_CHECKED() with ASSUME_NONNULL() at a few places
      CLEANUP: ssl-sock: drop two now unneeded ALREADY_CHECKED()
      BUILD: compat: add missing fcntl.h before defining F_SETPIPE_SZ
      BUILD: mworker: always initialize the saveptr of strtok_r()
      BUILD: limits: make normalize_rlim() take an rlim_t to fix build on m68k
---
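Why the Lua boolean conversion described in the announcement above matters for scripts that make allow/deny decisions, shown as an added example that is not part of the original message or of HAProxy's code. It is plain Lua with no HAProxy API; `legacy_conversion`, `correct_conversion`, `naive_decision` and `as_bool` are hypothetical names, and the two conversion functions only stand in for what a boolean sample looks like to a script under each behavior.

```lua
-- Added illustration, plain Lua (no HAProxy API involved).
-- Hypothetical stand-ins for how a boolean sample reaches the script:
local function legacy_conversion(b)   -- legacy: boolean arrives as integer 0/1
  return b and 1 or 0
end
local function correct_conversion(b)  -- correct: boolean arrives as a Lua boolean
  return b
end

-- A script written as if the value were a boolean. In Lua only nil and
-- false are falsy, so the integer 0 is truthy and this test always passes
-- under the legacy conversion.
local function naive_decision(v)
  if v then return "allow" end
  return "deny"
end

-- Defensive normaliser (hypothetical helper): gives the same answer under
-- both conversions, and refuses types it does not understand instead of
-- silently treating them as true.
local function as_bool(v)
  if type(v) == "boolean" then return v end
  if type(v) == "number" then return v ~= 0 end
  if v == nil then return false end
  error("unexpected sample type: " .. type(v))
end

local function safe_decision(v)
  if as_bool(v) then return "allow" end
  return "deny"
end

-- Constructed inputs: the underlying sample is false, then true.
for _, sample in ipairs({ false, true }) do
  local legacy, correct = legacy_conversion(sample), correct_conversion(sample)
  print(string.format("sample=%-5s legacy: naive=%s safe=%s | correct: naive=%s safe=%s",
    tostring(sample),
    naive_decision(legacy), safe_decision(legacy),
    naive_decision(correct), safe_decision(correct)))
end
```

For a false sample, the naive test returns "allow" under the legacy conversion and "deny" under the correct one, while the normalised test returns "deny" in both cases.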

