Development August 2017

development@lists.ipfire.org

12 participants
46 discussions

Updates wanted?
by Matthias Fischer 23 Aug '17

23 Aug '17

Hi, having some time I looked around and found some rather old (Net-)packages: Net-DNS 'next': 0.47 current: 1.12 Used in: 'sa-update', 'amavisd', 'vpnmain.cgi', 'ovpnmain.cgi' Net-Server 'next': 0.97 current: 2.009 Used in: 'amavisd' Net-Telnet 'next': 3.03 current: 3.04 Used in: 'checkrad', 'wio.cgi', 'index.cgi', 'ovpnmain.cgi' Net_SSLeay (why named with underscore, shouldn't it be 'Net-SSLeay'!?) 'next': 1.55 current: 1.81 Used in: 'general-functions.pl', 'sendEmail' I just searched for "use net::[package_name]", of course there can be further hits. Now the "critical" question: ;-) I think updatting these could be delicate, so I ask BEFORE I spend to much work and time with it => is there any interest in updating these packages!? Since I can't test them all under all needed circumstances, I'm very careful about it. Best, Matthias

1 0

[PATCH] gnutls: Update to 3.5.15
by Matthias Fischer 23 Aug '17

23 Aug '17

For details see: https://lists.gnupg.org/pipermail/gnutls-devel/2017-August/008483.html Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/common/gnutls | 2 +- lfs/gnutls | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls index 13d97c6bd..8231c7588 100644 --- a/config/rootfiles/common/gnutls +++ b/config/rootfiles/common/gnutls @@ -33,7 +33,7 @@ usr/lib/libgnutls-dane.so.0.4.1 #usr/lib/libgnutls.la #usr/lib/libgnutls.so usr/lib/libgnutls.so.30 -usr/lib/libgnutls.so.30.14.6 +usr/lib/libgnutls.so.30.14.7 #usr/lib/libgnutlsxx.la #usr/lib/libgnutlsxx.so usr/lib/libgnutlsxx.so.28 diff --git a/lfs/gnutls b/lfs/gnutls index 86e7fb2c7..360594fe6 100644 --- a/lfs/gnutls +++ b/lfs/gnutls @@ -24,7 +24,7 @@ include Config -VER = 3.5.14 +VER = 3.5.15 THISAPP = gnutls-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 1e84b57a472b5f3b01f2c1b7a3a2bcbe +$(DL_FILE)_MD5 = bcdcbc65c50a7499617ad9f4d0058de9 install : $(TARGET) -- 2.14.1

1 0

[PATCH] dhcp: update to 4.3.6
by Jonatan Schlag 22 Aug '17

22 Aug '17

The deleted patches do not apply any more, all other patches are updated to apply. Fixes: #11363 Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org> --- dhcp/dhcp.nm | 4 +- dhcp/patches/0003-dhcp-errwarn-message.patch | 2 +- dhcp/patches/0004-dhcp-dhclient-options.patch | 140 ++----- .../0006-dhcp-dhclient-decline-backoff.patch | 4 +- dhcp/patches/0015-dhcp-capability.patch | 10 +- dhcp/patches/0021-dhcp-IPoIB-log-id.patch | 33 +- dhcp/patches/0025-dhcp-getifaddrs.patch | 429 --------------------- dhcp/patches/0027-dhcp-interval.patch | 25 -- 8 files changed, 64 insertions(+), 583 deletions(-) delete mode 100644 dhcp/patches/0025-dhcp-getifaddrs.patch delete mode 100644 dhcp/patches/0027-dhcp-interval.patch diff --git a/dhcp/dhcp.nm b/dhcp/dhcp.nm index eafb0b0..cdc0673 100644 --- a/dhcp/dhcp.nm +++ b/dhcp/dhcp.nm @@ -4,7 +4,7 @@ ############################################################################### name = dhcp -version = 4.3.5b1 +version = 4.3.6 release = 1 groups = Networking/Daemons @@ -20,7 +20,7 @@ description easier to administer a large network. end -source_dl = ftp://ftp.isc.org/isc/dhcp/%{version}/ +source_dl = https://ftp.isc.org/isc/dhcp/%{version}/ build requires diff --git a/dhcp/patches/0003-dhcp-errwarn-message.patch b/dhcp/patches/0003-dhcp-errwarn-message.patch index f42d1e9..18f77cf 100644 --- a/dhcp/patches/0003-dhcp-errwarn-message.patch +++ b/dhcp/patches/0003-dhcp-errwarn-message.patch @@ -51,7 +51,7 @@ diff -up dhcp-4.3.5/omapip/errwarn.c.errwarn dhcp-4.3.5/omapip/errwarn.c - log_error ("than a configuration issue please read the section on submitting"); - log_error ("bugs on either our web page at www.isc.org or in the README file"); - log_error ("before submitting a bug. These pages explain the proper"); -- log_error ("process and the information we find helpful for debugging.."); +- log_error ("process and the information we find helpful for debugging."); + log_error ("This version of ISC DHCP is based on the release available"); + log_error ("on ftp.isc.org. Features have been added and other changes"); + log_error ("have been made to the base software release in order to make"); diff --git a/dhcp/patches/0004-dhcp-dhclient-options.patch b/dhcp/patches/0004-dhcp-dhclient-options.patch index 8f0dfe9..806ac63 100644 --- a/dhcp/patches/0004-dhcp-dhclient-options.patch +++ b/dhcp/patches/0004-dhcp-dhclient-options.patch @@ -1,6 +1,7 @@ -diff -up dhcp-4.3.4/client/clparse.c.options dhcp-4.3.4/client/clparse.c ---- dhcp-4.3.4/client/clparse.c.options 2016-03-22 14:16:51.000000000 +0100 -+++ dhcp-4.3.4/client/clparse.c 2016-04-29 12:06:13.485470579 +0200 +diff --git a/client/clparse.c b/client/clparse.c +index 03190c3..2033427 100644 +--- a/client/clparse.c ++++ b/client/clparse.c @@ -189,6 +189,7 @@ isc_result_t read_client_conf () /* Requested lease time, used by DHCPv6 (DHCPv4 uses the option cache) */ @@ -19,7 +20,7 @@ diff -up dhcp-4.3.4/client/clparse.c.options dhcp-4.3.4/client/clparse.c void parse_client_statement (cfile, ip, config) struct parse *cfile; -@@ -817,6 +819,12 @@ void parse_client_statement (cfile, ip, +@@ -817,6 +819,12 @@ void parse_client_statement (cfile, ip, config) parse_lease_id_format(cfile); break; @@ -32,10 +33,11 @@ diff -up dhcp-4.3.4/client/clparse.c.options dhcp-4.3.4/client/clparse.c default: lose = 0; -diff -up dhcp-4.3.4/client/dhclient.8.options dhcp-4.3.4/client/dhclient.8 ---- dhcp-4.3.4/client/dhclient.8.options 2016-03-22 14:16:51.000000000 +0100 -+++ dhcp-4.3.4/client/dhclient.8 2016-04-29 11:59:50.446590077 +0200 -@@ -134,6 +134,33 @@ dhclient - Dynamic Host Configuration Pr +diff --git a/client/dhclient.8 b/client/dhclient.8 +index 24f8f12..aa2238d 100644 +--- a/client/dhclient.8 ++++ b/client/dhclient.8 +@@ -134,6 +134,33 @@ dhclient - Dynamic Host Configuration Protocol Client .B -w ] [ @@ -66,82 +68,13 @@ diff -up dhcp-4.3.4/client/dhclient.8.options dhcp-4.3.4/client/dhclient.8 +.I timeout +] +[ - .B -v + .B --dad-wait-time + .I seconds ] - [ -@@ -289,6 +316,69 @@ not to exit when it doesn't find any suc - program can then be used to notify the client when a network interface - has been added or removed, so that the client can attempt to configure an IP - address on that interface. -+ -+.TP -+.BI \-B -+Set the BOOTP broadcast flag in request packets so servers will always -+broadcast replies. -+ -+.TP -+.BI \-C\ <dhcp-client-identifier> -+Specify the dhcp-client-identifier option to send to the DHCP server. -+ -+.TP -+.BI \-H\ <host-name> -+Specify the host-name option to send to the DHCP server. The host-name -+string only contains the client's hostname prefix, to which the server will -+append the ddns-domainname or domain-name options, if any, to derive the -+fully qualified domain name of the client. The -+.B -H -+option cannot be used with the -+.B -F -+option. -+ -+.TP -+.BI \-F\ <fqdn.fqdn> -+Specify the fqdn.fqdn option to send to the DHCP server. This option cannot -+be used with the -+.B -H -+option. The fqdn.fqdn option must specify the complete domain name of the -+client host, which the server may use for dynamic DNS updates. -+ -+.TP -+.BI \-V\ <vendor-class-identifier> -+Specify the vendor-class-identifier option to send to the DHCP server. -+ -+.TP -+.BI \--request-options\ <option>[,<option>...] -+Specify the list of options the client is to request from the server. The -+option list must be a single string consisting of option names separated -+by at least one command and optional space characters. The default option -+list is: -+ -+.BR -+ subnet-mask, broadcast-address, time-offset, routers, -+.BR -+ domain-search, domain-name, domain-name-servers, host-name, -+.BR -+ nis-domain, nis-servers, ntp-servers, interface-mtu -+ -+.TP -+.B --request-options -+option does not append options to the default request, it overrides the -+default request list. Keep this in mind if you want to request an -+additional option besides the default request list. You will have to -+specify all option names for the -+.B --request-options -+parameter. -+ -+.TP -+.BI \--timeout\ <timeout> -+Specify the time after which -+.B dhclient -+will decide that no DHCP servers can be contacted when no responses have been -+received. -+ - .TP - .BI \-n - Do not configure any interfaces. This is most likely to be useful in -diff -up dhcp-4.3.4/client/dhclient.c.options dhcp-4.3.4/client/dhclient.c ---- dhcp-4.3.4/client/dhclient.c.options 2016-03-22 14:16:51.000000000 +0100 -+++ dhcp-4.3.4/client/dhclient.c 2016-04-29 12:12:14.182364093 +0200 +diff --git a/client/dhclient.c b/client/dhclient.c +index dcf3f1a..270a960 100644 +--- a/client/dhclient.c ++++ b/client/dhclient.c @@ -40,6 +40,12 @@ #include <isc/file.h> #include <dns/result.h> @@ -155,7 +88,7 @@ diff -up dhcp-4.3.4/client/dhclient.c.options dhcp-4.3.4/client/dhclient.c TIME default_lease_time = 43200; /* 12 hours... */ TIME max_lease_time = 86400; /* 24 hours... */ -@@ -100,6 +106,10 @@ char *mockup_relay = NULL; +@@ -101,6 +107,10 @@ char *mockup_relay = NULL; char *progname = NULL; @@ -166,7 +99,7 @@ diff -up dhcp-4.3.4/client/dhclient.c.options dhcp-4.3.4/client/dhclient.c void run_stateless(int exit_mode, u_int16_t port); static isc_result_t write_duid(struct data_string *duid); -@@ -177,7 +187,11 @@ usage(const char *sfmt, const char *sarg +@@ -179,7 +189,11 @@ usage(const char *sfmt, const char *sarg) " [-s server-addr] [-cf config-file]\n" " [-df duid-file] [-lf lease-file]\n" " [-pf pid-file] [--no-pid] [-e VAR=val]\n" @@ -179,7 +112,7 @@ diff -up dhcp-4.3.4/client/dhclient.c.options dhcp-4.3.4/client/dhclient.c isc_file_basename(progname)); } -@@ -214,6 +228,16 @@ main(int argc, char **argv) { +@@ -216,6 +230,16 @@ main(int argc, char **argv) { progname = argv[0]; #endif @@ -196,7 +129,7 @@ diff -up dhcp-4.3.4/client/dhclient.c.options dhcp-4.3.4/client/dhclient.c /* Initialize client globals. */ memset(&default_duid, 0, sizeof(default_duid)); -@@ -431,6 +455,88 @@ main(int argc, char **argv) { +@@ -442,6 +466,88 @@ main(int argc, char **argv) { strlen(PACKAGE_VERSION))); IGNORE_RET(write(STDERR_FILENO, "\n", 1)); exit(0); @@ -285,7 +218,7 @@ diff -up dhcp-4.3.4/client/dhclient.c.options dhcp-4.3.4/client/dhclient.c } else if (argv[i][0] == '-') { usage("Unknown command: %s", argv[i]); } else if (interfaces_requested < 0) { -@@ -630,6 +736,156 @@ main(int argc, char **argv) { +@@ -641,6 +747,156 @@ main(int argc, char **argv) { /* Parse the dhclient.conf file. */ read_client_conf(); @@ -442,7 +375,7 @@ diff -up dhcp-4.3.4/client/dhclient.c.options dhcp-4.3.4/client/dhclient.c /* Parse the lease database. */ read_client_leases(); -@@ -3067,7 +3323,8 @@ void make_discover (client, lease) +@@ -3092,7 +3348,8 @@ void make_discover (client, lease) client -> packet.xid = random (); client -> packet.secs = 0; /* filled in by send_discover. */ @@ -452,7 +385,7 @@ diff -up dhcp-4.3.4/client/dhclient.c.options dhcp-4.3.4/client/dhclient.c client -> packet.flags = 0; else client -> packet.flags = htons (BOOTP_BROADCAST); -@@ -3152,7 +3409,9 @@ void make_request (client, lease) +@@ -3177,7 +3434,9 @@ void make_request (client, lease) } else { memset (&client -> packet.ciaddr, 0, sizeof client -> packet.ciaddr); @@ -463,7 +396,7 @@ diff -up dhcp-4.3.4/client/dhclient.c.options dhcp-4.3.4/client/dhclient.c client -> packet.flags = 0; else client -> packet.flags = htons (BOOTP_BROADCAST); -@@ -3215,7 +3474,8 @@ void make_decline (client, lease) +@@ -3240,7 +3499,8 @@ void make_decline (client, lease) client -> packet.hops = 0; client -> packet.xid = client -> xid; client -> packet.secs = 0; /* Filled in by send_request. */ @@ -473,10 +406,11 @@ diff -up dhcp-4.3.4/client/dhclient.c.options dhcp-4.3.4/client/dhclient.c client -> packet.flags = 0; else client -> packet.flags = htons (BOOTP_BROADCAST); -diff -up dhcp-4.3.4/common/conflex.c.options dhcp-4.3.4/common/conflex.c ---- dhcp-4.3.4/common/conflex.c.options 2016-04-29 11:59:50.448590077 +0200 -+++ dhcp-4.3.4/common/conflex.c 2016-04-29 12:13:23.637342420 +0200 -@@ -832,6 +832,8 @@ intern(char *atom, enum dhcp_token dfv) +diff --git a/common/conflex.c b/common/conflex.c +index fe994ac..bdb4a52 100644 +--- a/common/conflex.c ++++ b/common/conflex.c +@@ -832,6 +832,8 @@ intern(char *atom, enum dhcp_token dfv) { if (!strcasecmp(atom+1, "ig-endian")) { return TOKEN_BIG_ENDIAN; } @@ -485,10 +419,11 @@ diff -up dhcp-4.3.4/common/conflex.c.options dhcp-4.3.4/common/conflex.c break; case 'c': if (!strcasecmp(atom + 1, "ase")) -diff -up dhcp-4.3.4/includes/dhcpd.h.options dhcp-4.3.4/includes/dhcpd.h ---- dhcp-4.3.4/includes/dhcpd.h.options 2016-04-29 11:59:50.448590077 +0200 -+++ dhcp-4.3.4/includes/dhcpd.h 2016-04-29 12:14:05.361329401 +0200 -@@ -1246,6 +1246,9 @@ struct client_config { +diff --git a/includes/dhcpd.h b/includes/dhcpd.h +index eab09a6..cfdac23 100644 +--- a/includes/dhcpd.h ++++ b/includes/dhcpd.h +@@ -1251,6 +1251,9 @@ struct client_config { int lease_id_format; /* format for IDs in lease file, TOKEN_OCTAL or TOKEN_HEX */ @@ -498,9 +433,10 @@ diff -up dhcp-4.3.4/includes/dhcpd.h.options dhcp-4.3.4/includes/dhcpd.h }; /* Per-interface state used in the dhcp client... */ -diff -up dhcp-4.3.4/includes/dhctoken.h.options dhcp-4.3.4/includes/dhctoken.h ---- dhcp-4.3.4/includes/dhctoken.h.options 2016-04-29 11:59:50.449590076 +0200 -+++ dhcp-4.3.4/includes/dhctoken.h 2016-04-29 12:15:03.073300846 +0200 +diff --git a/includes/dhctoken.h b/includes/dhctoken.h +index 15bbd1c..b312e7a 100644 +--- a/includes/dhctoken.h ++++ b/includes/dhctoken.h @@ -373,7 +373,8 @@ enum dhcp_token { TOKEN_BIG_ENDIAN = 675, LEASE_ID_FORMAT = 676, diff --git a/dhcp/patches/0006-dhcp-dhclient-decline-backoff.patch b/dhcp/patches/0006-dhcp-dhclient-decline-backoff.patch index 645f931..1fc1c12 100644 --- a/dhcp/patches/0006-dhcp-dhclient-decline-backoff.patch +++ b/dhcp/patches/0006-dhcp-dhclient-decline-backoff.patch @@ -32,8 +32,8 @@ diff -up dhcp-4.3.4/client/dhclient.c.backoff dhcp-4.3.4/client/dhclient.c } /* -@@ -1734,6 +1745,7 @@ void bind_lease (client) - "try (declined). Exiting."); +@@ -1734,5 +1745,6 @@ void bind_lease (client) +#endif exit(2); } else { + client -> state = S_DECLINED; diff --git a/dhcp/patches/0015-dhcp-capability.patch b/dhcp/patches/0015-dhcp-capability.patch index 4572c34..b689f7d 100644 --- a/dhcp/patches/0015-dhcp-capability.patch +++ b/dhcp/patches/0015-dhcp-capability.patch @@ -11,9 +11,9 @@ diff -up dhcp-4.3.4/client/dhclient.8.capability dhcp-4.3.4/client/dhclient.8 .B -B ] [ -@@ -318,6 +321,32 @@ has been added or removed, so that the c +@@ -318,6 +321,32 @@ program can then be used to notify the c + has been added or removed, so that the client can attempt to configure an IP address on that interface. - .TP +.BI \-nc +Do not drop capabilities. @@ -41,9 +41,9 @@ diff -up dhcp-4.3.4/client/dhclient.8.capability dhcp-4.3.4/client/dhclient.8 +was not compiled with libcap-ng support. + +.TP - .BI \-B - Set the BOOTP broadcast flag in request packets so servers will always - broadcast replies. + .BI \-n + Do not configure any interfaces. This is most likely to be useful in + combination with the diff -up dhcp-4.3.4/client/dhclient.c.capability dhcp-4.3.4/client/dhclient.c --- dhcp-4.3.4/client/dhclient.c.capability 2016-04-29 12:19:40.691129307 +0200 +++ dhcp-4.3.4/client/dhclient.c 2016-04-29 12:21:07.620091930 +0200 diff --git a/dhcp/patches/0021-dhcp-IPoIB-log-id.patch b/dhcp/patches/0021-dhcp-IPoIB-log-id.patch index 97e9dd5..e0369bb 100644 --- a/dhcp/patches/0021-dhcp-IPoIB-log-id.patch +++ b/dhcp/patches/0021-dhcp-IPoIB-log-id.patch @@ -1,9 +1,8 @@ -diff -up dhcp-4.3.4/server/dhcp.c.IPoIB-log-id dhcp-4.3.4/server/dhcp.c ---- dhcp-4.3.4/server/dhcp.c.IPoIB-log-id 2016-04-29 12:52:14.285061620 +0200 -+++ dhcp-4.3.4/server/dhcp.c 2016-04-29 12:53:59.535088020 +0200 -@@ -85,6 +85,42 @@ const int dhcp_type_name_max = ((sizeof - # define send_packet trace_packet_send - #endif +--- a/server/dhcp.c 2017-07-14 15:32:14.611104590 +0200 ++++ b/server/dhcp.c 2017-07-14 15:34:17.508858018 +0200 +@@ -87,6 +87,42 @@ + + static TIME leaseTimeCheck(TIME calculated, TIME alternate); +char *print_client_identifier_from_packet (packet) + struct packet *packet; @@ -44,7 +43,7 @@ diff -up dhcp-4.3.4/server/dhcp.c.IPoIB-log-id dhcp-4.3.4/server/dhcp.c void dhcp (struct packet *packet) { int ms_nulltp = 0; -@@ -127,9 +163,7 @@ dhcp (struct packet *packet) { +@@ -129,9 +165,7 @@ log_info("%s from %s via %s: %s", s, (packet->raw->htype @@ -55,7 +54,7 @@ diff -up dhcp-4.3.4/server/dhcp.c.IPoIB-log-id dhcp-4.3.4/server/dhcp.c : "<no identifier>"), packet->raw->giaddr.s_addr ? inet_ntoa(packet->raw->giaddr) -@@ -326,9 +360,7 @@ void dhcpdiscover (packet, ms_nulltp) +@@ -328,9 +362,7 @@ #endif snprintf (msgbuf, sizeof msgbuf, "DHCPDISCOVER from %s %s%s%svia %s", (packet -> raw -> htype @@ -66,7 +65,7 @@ diff -up dhcp-4.3.4/server/dhcp.c.IPoIB-log-id dhcp-4.3.4/server/dhcp.c : (lease ? print_hex_1(lease->uid_len, lease->uid, 60) : "<no identifier>")), -@@ -540,9 +572,7 @@ void dhcprequest (packet, ms_nulltp, ip_ +@@ -542,9 +574,7 @@ "DHCPREQUEST for %s%s from %s %s%s%svia %s", piaddr (cip), smbuf, (packet -> raw -> htype @@ -77,7 +76,7 @@ diff -up dhcp-4.3.4/server/dhcp.c.IPoIB-log-id dhcp-4.3.4/server/dhcp.c : (lease ? print_hex_1(lease->uid_len, lease->uid, 60) : "<no identifier>")), -@@ -783,9 +813,7 @@ void dhcprelease (packet, ms_nulltp) +@@ -785,9 +815,7 @@ if ((oc = lookup_option (&dhcp_universe, packet -> options, DHO_DHCP_REQUESTED_ADDRESS))) { log_info ("DHCPRELEASE from %s specified requested-address.", @@ -88,7 +87,7 @@ diff -up dhcp-4.3.4/server/dhcp.c.IPoIB-log-id dhcp-4.3.4/server/dhcp.c } oc = lookup_option (&dhcp_universe, packet -> options, -@@ -877,9 +905,7 @@ void dhcprelease (packet, ms_nulltp) +@@ -879,9 +907,7 @@ "DHCPRELEASE of %s from %s %s%s%svia %s (%sfound)", cstr, (packet -> raw -> htype @@ -99,7 +98,7 @@ diff -up dhcp-4.3.4/server/dhcp.c.IPoIB-log-id dhcp-4.3.4/server/dhcp.c : (lease ? print_hex_1(lease->uid_len, lease->uid, 60) : "<no identifier>")), -@@ -984,9 +1010,7 @@ void dhcpdecline (packet, ms_nulltp) +@@ -986,9 +1012,7 @@ "DHCPDECLINE of %s from %s %s%s%svia %s", piaddr (cip), (packet -> raw -> htype @@ -110,7 +109,7 @@ diff -up dhcp-4.3.4/server/dhcp.c.IPoIB-log-id dhcp-4.3.4/server/dhcp.c : (lease ? print_hex_1(lease->uid_len, lease->uid, 60) : "<no identifier>")), -@@ -1683,8 +1707,7 @@ void dhcpinform (packet, ms_nulltp) +@@ -1707,8 +1731,7 @@ /* Report what we're sending. */ snprintf(msgbuf, sizeof msgbuf, "DHCPACK to %s (%s) via", piaddr(cip), (packet->raw->htype && packet->raw->hlen) ? @@ -120,7 +119,7 @@ diff -up dhcp-4.3.4/server/dhcp.c.IPoIB-log-id dhcp-4.3.4/server/dhcp.c "<no client hardware address>"); log_info("%s %s", msgbuf, gip.len ? piaddr(gip) : packet->interface->name); -@@ -1862,9 +1885,7 @@ void nak_lease (packet, cip, network_gro +@@ -1886,9 +1909,7 @@ #endif log_info ("DHCPNAK on %s to %s via %s", piaddr (*cip), @@ -131,7 +130,7 @@ diff -up dhcp-4.3.4/server/dhcp.c.IPoIB-log-id dhcp-4.3.4/server/dhcp.c packet -> raw -> giaddr.s_addr ? inet_ntoa (packet -> raw -> giaddr) : packet -> interface -> name); -@@ -3859,7 +3880,7 @@ void dhcp_reply (lease) +@@ -3897,7 +3918,7 @@ ? (state -> offer == DHCPACK ? "DHCPACK" : "DHCPOFFER") : "BOOTREPLY"), piaddr (lease -> ip_addr), @@ -140,7 +139,7 @@ diff -up dhcp-4.3.4/server/dhcp.c.IPoIB-log-id dhcp-4.3.4/server/dhcp.c ? print_hw_addr (lease -> hardware_addr.hbuf [0], lease -> hardware_addr.hlen - 1, &lease -> hardware_addr.hbuf [1]) -@@ -4408,10 +4429,7 @@ int find_lease (struct lease **lp, +@@ -4450,10 +4471,7 @@ if (uid_lease) { if (uid_lease->binding_state == FTS_ACTIVE) { log_error ("client %s has duplicate%s on %s", @@ -152,7 +151,7 @@ diff -up dhcp-4.3.4/server/dhcp.c.IPoIB-log-id dhcp-4.3.4/server/dhcp.c " leases", (ip_lease -> subnet -> shared_network -> name)); -@@ -4578,9 +4596,7 @@ int find_lease (struct lease **lp, +@@ -4620,9 +4638,7 @@ log_error("uid lease %s for client %s is duplicate " "on %s", piaddr(uid_lease->ip_addr), diff --git a/dhcp/patches/0025-dhcp-getifaddrs.patch b/dhcp/patches/0025-dhcp-getifaddrs.patch deleted file mode 100644 index 586c3b0..0000000 --- a/dhcp/patches/0025-dhcp-getifaddrs.patch +++ /dev/null @@ -1,429 +0,0 @@ -diff -up dhcp-4.3.5b1/common/discover.c.getifaddrs dhcp-4.3.5b1/common/discover.c ---- dhcp-4.3.5b1/common/discover.c.getifaddrs 2016-09-12 17:10:39.585374741 +0200 -+++ dhcp-4.3.5b1/common/discover.c 2016-09-12 17:15:56.160628636 +0200 -@@ -373,392 +373,13 @@ end_iface_scan(struct iface_conf_list *i - ifaces->sock = -1; - } - --#elif __linux /* !HAVE_SIOCGLIFCONF */ --/* -- * Linux support -- * ------------- -- * -- * In Linux, we use the /proc pseudo-filesystem to get information -- * about interfaces, along with selected ioctl() calls. -- * -- * Linux low level access is documented in the netdevice man page. -- */ -- --/* -- * Structure holding state about the scan. -- */ --struct iface_conf_list { -- int sock; /* file descriptor used to get information */ -- FILE *fp; /* input from /proc/net/dev */ --#ifdef DHCPv6 -- FILE *fp6; /* input from /proc/net/if_inet6 */ --#endif --}; -- --/* -- * Structure used to return information about a specific interface. -- */ --struct iface_info { -- char name[IFNAMSIZ]; /* name of the interface, e.g. "eth0" */ -- struct sockaddr_storage addr; /* address information */ -- isc_uint64_t flags; /* interface flags, e.g. IFF_LOOPBACK */ --}; -- --/* -- * Start a scan of interfaces. -- * -- * The iface_conf_list structure maintains state for this process. -- */ --int --begin_iface_scan(struct iface_conf_list *ifaces) { -- char buf[IF_LINE_LENGTH]; -- int len; -- int i; -- -- ifaces->fp = fopen("/proc/net/dev", "r"); -- if (ifaces->fp == NULL) { -- log_error("Error opening '/proc/net/dev' to list interfaces"); -- return 0; -- } -- -- /* -- * The first 2 lines are header information, so read and ignore them. -- */ -- for (i=0; i<2; i++) { -- if (fgets(buf, sizeof(buf), ifaces->fp) == NULL) { -- log_error("Error reading headers from '/proc/net/dev'"); -- fclose(ifaces->fp); -- ifaces->fp = NULL; -- return 0; -- } -- len = strlen(buf); -- if ((len <= 0) || (buf[len-1] != '\n')) { -- log_error("Bad header line in '/proc/net/dev'"); -- fclose(ifaces->fp); -- ifaces->fp = NULL; -- return 0; -- } -- } -- -- ifaces->sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); -- if (ifaces->sock < 0) { -- log_error("Error creating socket to list interfaces; %m"); -- fclose(ifaces->fp); -- ifaces->fp = NULL; -- return 0; -- } -- --#ifdef DHCPv6 -- if (local_family == AF_INET6) { -- ifaces->fp6 = fopen("/proc/net/if_inet6", "r"); -- if (ifaces->fp6 == NULL) { -- log_error("Error opening '/proc/net/if_inet6' to " -- "list IPv6 interfaces; %m"); -- close(ifaces->sock); -- ifaces->sock = -1; -- fclose(ifaces->fp); -- ifaces->fp = NULL; -- return 0; -- } -- } --#endif -- -- return 1; --} -- --/* -- * Read our IPv4 interfaces from /proc/net/dev. -- * -- * The file looks something like this: -- * -- * Inter-| Receive ... -- * face |bytes packets errs drop fifo frame ... -- * lo: 1580562 4207 0 0 0 0 ... -- * eth0: 0 0 0 0 0 0 ... -- * eth1:1801552440 37895 0 14 0 ... -- * -- * We only care about the interface name, which is at the start of -- * each line. -- * -- * We use an ioctl() to get the address and flags for each interface. -- */ --static int --next_iface4(struct iface_info *info, int *err, struct iface_conf_list *ifaces) { -- char buf[IF_LINE_LENGTH]; -- int len; -- char *p; -- char *name; -- struct ifreq tmp; -- -- /* -- * Loop exits when we find an interface that has an address, or -- * when we run out of interfaces. -- */ -- for (;;) { -- do { -- /* -- * Read the next line in the file. -- */ -- if (fgets(buf, sizeof(buf), ifaces->fp) == NULL) { -- if (ferror(ifaces->fp)) { -- *err = 1; -- log_error("Error reading interface " -- "information"); -- } else { -- *err = 0; -- } -- return 0; -- } -- -- /* -- * Make sure the line is a nice, -- * newline-terminated line. -- */ -- len = strlen(buf); -- if ((len <= 0) || (buf[len-1] != '\n')) { -- log_error("Bad line reading interface " -- "information"); -- *err = 1; -- return 0; -- } -- -- /* -- * Figure out our name. -- */ -- p = strrchr(buf, ':'); -- if (p == NULL) { -- log_error("Bad line reading interface " -- "information (no colon)"); -- *err = 1; -- return 0; -- } -- *p = '\0'; -- name = buf; -- while (isspace(*name)) { -- name++; -- } -- -- /* -- * Copy our name into our interface structure. -- */ -- len = p - name; -- if (len >= sizeof(info->name)) { -- *err = 1; -- log_error("Interface name '%s' too long", name); -- return 0; -- } -- strncpy(info->name, name, sizeof(info->name) - 1); -- --#ifdef ALIAS_NAMED_PERMUTED -- /* interface aliases look like "eth0:1" or "wlan1:3" */ -- s = strchr(info->name, ':'); -- if (s != NULL) { -- *s = '\0'; -- } --#endif -- --#ifdef SKIP_DUMMY_INTERFACES -- } while (strncmp(info->name, "dummy", 5) == 0); --#else -- } while (0); --#endif -- -- memset(&tmp, 0, sizeof(tmp)); -- strncpy(tmp.ifr_name, name, sizeof(tmp.ifr_name) - 1); -- if (ioctl(ifaces->sock, SIOCGIFADDR, &tmp) < 0) { -- if (errno == EADDRNOTAVAIL) { -- continue; -- } -- log_error("Error getting interface address " -- "for '%s'; %m", name); -- *err = 1; -- return 0; -- } -- memcpy(&info->addr, &tmp.ifr_addr, sizeof(tmp.ifr_addr)); -- -- memset(&tmp, 0, sizeof(tmp)); -- strncpy(tmp.ifr_name, name, sizeof(tmp.ifr_name) - 1); -- if (ioctl(ifaces->sock, SIOCGIFFLAGS, &tmp) < 0) { -- log_error("Error getting interface flags for '%s'; %m", -- name); -- *err = 1; -- return 0; -- } -- info->flags = tmp.ifr_flags; -- -- *err = 0; -- return 1; -- } --} -- --#ifdef DHCPv6 --/* -- * Read our IPv6 interfaces from /proc/net/if_inet6. -- * -- * The file looks something like this: -- * -- * fe80000000000000025056fffec00008 05 40 20 80 vmnet8 -- * 00000000000000000000000000000001 01 80 10 80 lo -- * fe80000000000000025056fffec00001 06 40 20 80 vmnet1 -- * 200108881936000202166ffffe497d9b 03 40 00 00 eth1 -- * fe8000000000000002166ffffe497d9b 03 40 20 80 eth1 -- * -- * We get IPv6 address from the start, the interface name from the end, -- * and ioctl() to get flags. -- */ --static int --next_iface6(struct iface_info *info, int *err, struct iface_conf_list *ifaces) { -- char buf[IF_LINE_LENGTH]; -- int len; -- char *p; -- char *name; -- int i; -- struct sockaddr_in6 addr; -- struct ifreq tmp; -- -- do { -- /* -- * Read the next line in the file. -- */ -- if (fgets(buf, sizeof(buf), ifaces->fp6) == NULL) { -- if (ferror(ifaces->fp6)) { -- *err = 1; -- log_error("Error reading IPv6 " -- "interface information"); -- } else { -- *err = 0; -- } -- return 0; -- } -- -- /* -- * Make sure the line is a nice, newline-terminated line. -- */ -- len = strlen(buf); -- if ((len <= 0) || (buf[len-1] != '\n')) { -- log_error("Bad line reading IPv6 " -- "interface information"); -- *err = 1; -- return 0; -- } -- -- /* -- * Figure out our name. -- */ -- buf[--len] = '\0'; -- p = strrchr(buf, ' '); -- if (p == NULL) { -- log_error("Bad line reading IPv6 interface " -- "information (no space)"); -- *err = 1; -- return 0; -- } -- name = p+1; -- -- /* -- * Copy our name into our interface structure. -- */ -- len = strlen(name); -- if (len >= sizeof(info->name)) { -- *err = 1; -- log_error("IPv6 interface name '%s' too long", name); -- return 0; -- } -- strncpy(info->name, name, sizeof(info->name) - 1); -- --#ifdef SKIP_DUMMY_INTERFACES -- } while (strncmp(info->name, "dummy", 5) == 0); --#else -- } while (0); --#endif -- -- /* -- * Double-check we start with the IPv6 address. -- */ -- for (i=0; i<32; i++) { -- if (!isxdigit(buf[i]) || isupper(buf[i])) { -- *err = 1; -- log_error("Bad line reading IPv6 interface address " -- "for '%s'", name); -- return 0; -- } -- } -- -- /* -- * Load our socket structure. -- */ -- memset(&addr, 0, sizeof(addr)); -- addr.sin6_family = AF_INET6; -- for (i=0; i<16; i++) { -- unsigned char byte; -- static const char hex[] = "0123456789abcdef"; -- byte = ((index(hex, buf[i * 2]) - hex) << 4) | -- (index(hex, buf[i * 2 + 1]) - hex); -- addr.sin6_addr.s6_addr[i] = byte; -- } -- memcpy(&info->addr, &addr, sizeof(addr)); -- -- /* -- * Get our flags. -- */ -- memset(&tmp, 0, sizeof(tmp)); -- strncpy(tmp.ifr_name, name, sizeof(tmp.ifr_name) - 1); -- if (ioctl(ifaces->sock, SIOCGIFFLAGS, &tmp) < 0) { -- log_error("Error getting interface flags for '%s'; %m", name); -- *err = 1; -- return 0; -- } -- info->flags = tmp.ifr_flags; -- -- *err = 0; -- return 1; --} --#endif /* DHCPv6 */ -- --/* -- * Retrieve the next interface. -- * -- * Returns information in the info structure. -- * Sets err to 1 if there is an error, otherwise 0. -- */ --int --next_iface(struct iface_info *info, int *err, struct iface_conf_list *ifaces) { -- memset(info, 0, sizeof(struct iface_info)); -- if (next_iface4(info, err, ifaces)) { -- return 1; -- } --#ifdef DHCPv6 -- if (!(*err)) { -- if (local_family == AF_INET6) -- return next_iface6(info, err, ifaces); -- } --#endif -- return 0; --} -- --/* -- * End scan of interfaces. -- */ --void --end_iface_scan(struct iface_conf_list *ifaces) { -- fclose(ifaces->fp); -- ifaces->fp = NULL; -- close(ifaces->sock); -- ifaces->sock = -1; --#ifdef DHCPv6 -- if (local_family == AF_INET6) { -- fclose(ifaces->fp6); -- ifaces->fp6 = NULL; -- } --#endif --} - #else - - /* - * BSD support - * ----------- - * -- * FreeBSD, NetBSD, OpenBSD, and OS X all have the getifaddrs() -+ * FreeBSD, NetBSD, OpenBSD, OS X and Linux all have the getifaddrs() - * function. - * - * The getifaddrs() man page describes the use. -@@ -806,6 +427,8 @@ begin_iface_scan(struct iface_conf_list - */ - int - next_iface(struct iface_info *info, int *err, struct iface_conf_list *ifaces) { -+ size_t sa_len = 0; -+ - if (ifaces->next == NULL) { - *err = 0; - return 0; -@@ -818,8 +441,20 @@ next_iface(struct iface_info *info, int - } - memset(info, 0, sizeof(struct iface_info)); - strncpy(info->name, ifaces->next->ifa_name, sizeof(info->name) - 1); -- memcpy(&info->addr, ifaces->next->ifa_addr, -- ifaces->next->ifa_addr->sa_len); -+ -+ memset(&info->addr, 0 , sizeof(info->addr)); -+ -+ if (ifaces->next->ifa_addr != NULL) { -+#ifdef HAVE_SA_LEN -+ sa_len = ifaces->next->ifa_addr->sa_len; -+#else -+ if (ifaces->next->ifa_addr->sa_family == AF_INET) -+ sa_len = sizeof(struct sockaddr_in); -+ else if (ifaces->next->ifa_addr->sa_family == AF_INET6) -+ sa_len = sizeof(struct sockaddr_in6); -+#endif -+ memcpy(&info->addr, ifaces->next->ifa_addr, sa_len); -+ } - info->flags = ifaces->next->ifa_flags; - ifaces->next = ifaces->next->ifa_next; - *err = 0; diff --git a/dhcp/patches/0027-dhcp-interval.patch b/dhcp/patches/0027-dhcp-interval.patch deleted file mode 100644 index 8fff47c..0000000 --- a/dhcp/patches/0027-dhcp-interval.patch +++ /dev/null @@ -1,25 +0,0 @@ -diff -up dhcp-4.3.0a1/common/dispatch.c.interval dhcp-4.3.0a1/common/dispatch.c ---- dhcp-4.3.0a1/common/dispatch.c.interval 2013-12-20 13:51:14.385260622 +0100 -+++ dhcp-4.3.0a1/common/dispatch.c 2013-12-20 13:51:14.493259116 +0100 -@@ -343,7 +343,20 @@ void add_timeout (when, where, what, ref - q->next = timeouts; - timeouts = q; - -- isc_interval_set(&interval, sec & DHCP_SEC_MAX, usec * 1000); -+ /* isc_time_nowplusinterval() is not safe with 64-bit time_t and will -+ * return an error for sufficiently large intervals. We have to limit -+ * the interval to INT_MAX or less to ensure the interval doesn't -+ * overflow 32 bits, since the returned isc_time_t fields are -+ * 32-bit unsigned ints. -+ * -+ * HACK: The 9 is a magic number of seconds, since some time may have -+ * gone by since the last call to gettimeofday() and the one in -+ * isc_time_nowplusinterval(). -+ */ -+ if (sec > TIME_MAX) -+ sec = TIME_MAX - 9; -+ -+ isc_interval_set(&interval, sec, usec * 1000); - status = isc_time_nowplusinterval(&expires, &interval); - if (status != ISC_R_SUCCESS) { - /* -- 2.6.3

1 0

[PATCH] squid: Update to 3.5.27
by Matthias Fischer 21 Aug '17

21 Aug '17

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/squid | 20 +- ...=> squid-3.5.27-fix-max-file-descriptors.patch} | 0 src/patches/squid/squid-3.5-14169.patch | 881 --------------------- src/patches/squid/squid-3.5-14170.patch | 85 -- src/patches/squid/squid-3.5-14171.patch | 45 -- src/patches/squid/squid-3.5-14172.patch | 40 - src/patches/squid/squid-3.5-14173.patch | 254 ------ src/patches/squid/squid-3.5-14174.patch | 274 ------- src/patches/squid/squid-3.5-14175.patch | 34 - src/patches/squid/squid-3.5-14176.patch | 42 - src/patches/squid/squid-3.5-14177.patch | 52 -- src/patches/squid/squid-3.5-14178.patch | 36 - src/patches/squid/squid-3.5-14179.patch | 105 --- src/patches/squid/squid-3.5-14180.patch | 448 ----------- src/patches/squid/squid-3.5-14181.patch | 30 - src/patches/squid/squid-3.5-14182.patch | 35 - 16 files changed, 3 insertions(+), 2378 deletions(-) rename src/patches/{squid-3.5.26-fix-max-file-descriptors.patch => squid-3.5.27-fix-max-file-descriptors.patch} (100%) delete mode 100644 src/patches/squid/squid-3.5-14169.patch delete mode 100644 src/patches/squid/squid-3.5-14170.patch delete mode 100644 src/patches/squid/squid-3.5-14171.patch delete mode 100644 src/patches/squid/squid-3.5-14172.patch delete mode 100644 src/patches/squid/squid-3.5-14173.patch delete mode 100644 src/patches/squid/squid-3.5-14174.patch delete mode 100644 src/patches/squid/squid-3.5-14175.patch delete mode 100644 src/patches/squid/squid-3.5-14176.patch delete mode 100644 src/patches/squid/squid-3.5-14177.patch delete mode 100644 src/patches/squid/squid-3.5-14178.patch delete mode 100644 src/patches/squid/squid-3.5-14179.patch delete mode 100644 src/patches/squid/squid-3.5-14180.patch delete mode 100644 src/patches/squid/squid-3.5-14181.patch delete mode 100644 src/patches/squid/squid-3.5-14182.patch diff --git a/lfs/squid b/lfs/squid index 8440cf85b..08583d0b9 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@ include Config -VER = 3.5.26 +VER = 3.5.27 THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 510e2c84773879c00d0e7ced997864d9 +$(DL_FILE)_MD5 = 39ef8199675d48a314b540f92c00c545 install : $(TARGET) @@ -70,21 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14169.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14170.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14171.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14172.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14173.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14174.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14175.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14176.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14177.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14178.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14179.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14180.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14181.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14182.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.26-fix-max-file-descriptors.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.27-fix-max-file-descriptors.patch cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP)/libltdl && autoreconf -vfi diff --git a/src/patches/squid-3.5.26-fix-max-file-descriptors.patch b/src/patches/squid-3.5.27-fix-max-file-descriptors.patch similarity index 100% rename from src/patches/squid-3.5.26-fix-max-file-descriptors.patch rename to src/patches/squid-3.5.27-fix-max-file-descriptors.patch diff --git a/src/patches/squid/squid-3.5-14169.patch b/src/patches/squid/squid-3.5-14169.patch deleted file mode 100644 index 464ce5368..000000000 --- a/src/patches/squid/squid-3.5-14169.patch +++ /dev/null @@ -1,881 +0,0 @@ ------------------------------------------------------------- -revno: 14169 -revision-id: squid3(a)treenet.co.nz-20170614213720-3qmiohlx4zr2jnqq -parent: squid3(a)treenet.co.nz-20170601134753-6u64sl2rzmbfs67l -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=2833 -author: Eduard Bagdasaryan <eduard.bagdasaryan(a)measurement-factory.com> -committer: Amos Jeffries <squid3(a)treenet.co.nz> -branch nick: 3.5 -timestamp: Thu 2017-06-15 09:37:20 +1200 -message: - Bug 2833 pt2: Collapse internal revalidation requests (SMP-unaware caches), again. - - The security fix in v5 r14979 had a negative effect on collapsed - forwarding. All "private" entries were considered automatically - non-shareable among collapsed clients. However this is not true: there - are many situations when collapsed forwarding should work despite of - "private" entry status: 304/5xx responses are good examples of that. - This patch fixes that by means of a new StoreEntry::shareableWhenPrivate - flag. - - The suggested fix is not complete: To cover all possible situations, we - need to decide whether StoreEntry::shareableWhenPrivate is true or not - for all contexts where StoreEntry::setPrivateKey() is used. This patch - fixes only few important cases inside http.cc, making CF (as well - collapsed revalidation) work for some [non-cacheable] response status - codes, including 3xx, 5xx and some others. - - The original support for internal revalidation requests collapsing - was in trink r14755 and referred to Squid bugs 2833, 4311, and 4471. ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3(a)treenet.co.nz-20170614213720-3qmiohlx4zr2jnqq -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: 9e248e2e9d2f1defe1070eb808177df978fb4146 -# timestamp: 2017-06-14 21:51:05 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squid3(a)treenet.co.nz-20170601134753-\ -# 6u64sl2rzmbfs67l -# -# Begin patch -=== modified file 'src/HttpHdrCc.cc' ---- src/HttpHdrCc.cc 2017-01-01 00:16:45 +0000 -+++ src/HttpHdrCc.cc 2017-06-14 21:37:20 +0000 -@@ -262,8 +262,8 @@ - case CC_PUBLIC: - break; - case CC_PRIVATE: -- if (Private().size()) -- packerPrintf(p, "=\"" SQUIDSTRINGPH "\"", SQUIDSTRINGPRINT(Private())); -+ if (private_.size()) -+ packerPrintf(p, "=\"" SQUIDSTRINGPH "\"", SQUIDSTRINGPRINT(private_)); - break; - - case CC_NO_CACHE: - -=== modified file 'src/MemStore.cc' ---- src/MemStore.cc 2017-01-01 00:16:45 +0000 -+++ src/MemStore.cc 2017-06-14 21:37:20 +0000 -@@ -299,7 +299,7 @@ - e.ping_status = PING_NONE; - - EBIT_CLR(e.flags, RELEASE_REQUEST); -- EBIT_CLR(e.flags, KEY_PRIVATE); -+ e.clearPrivate(); - EBIT_SET(e.flags, ENTRY_VALIDATED); - - MemObject::MemCache &mc = e.mem_obj->memCache; - -=== modified file 'src/Store.h' ---- src/Store.h 2017-01-01 00:16:45 +0000 -+++ src/Store.h 2017-06-14 21:37:20 +0000 -@@ -95,15 +95,19 @@ - void abort(); - void unlink(); - void makePublic(const KeyScope keyScope = ksDefault); -- void makePrivate(); -+ void makePrivate(const bool shareable); -+ /// A low-level method just resetting "private key" flags. -+ /// To avoid key inconsistency please use forcePublicKey() -+ /// or similar instead. -+ void clearPrivate(); - void setPublicKey(const KeyScope keyScope = ksDefault); - /// Resets existing public key to a public key with default scope, - /// releasing the old default-scope entry (if any). - /// Does nothing if the existing public key already has default scope. - void clearPublicKeyScope(); -- void setPrivateKey(); -+ void setPrivateKey(const bool shareable); - void expireNow(); -- void releaseRequest(); -+ void releaseRequest(const bool shareable = false); - void negativeCache(); - void cacheNegatively(); /** \todo argh, why both? */ - void invokeHandlers(); -@@ -230,7 +234,13 @@ - /// update last reference timestamp and related Store metadata - void touch(); - -- virtual void release(); -+ virtual void release(const bool shareable = false); -+ -+ /// May the caller commit to treating this [previously locked] -+ /// entry as a cache hit? -+ bool mayStartHitting() const { -+ return !EBIT_TEST(flags, KEY_PRIVATE) || shareableWhenPrivate; -+ } - - #if USE_ADAPTATION - /// call back producer when more buffer space is available -@@ -252,6 +262,13 @@ - - unsigned short lock_count; /* Assume < 65536! */ - -+ /// Nobody can find/lock KEY_PRIVATE entries, but some transactions -+ /// (e.g., collapsed requests) find/lock a public entry before it becomes -+ /// private. May such transactions start using the now-private entry -+ /// they previously locked? This member should not affect transactions -+ /// that already started reading from the entry. -+ bool shareableWhenPrivate; -+ - #if USE_ADAPTATION - /// producer callback registered with deferProducer - AsyncCall::Pointer deferredProducer; -@@ -259,6 +276,8 @@ - - bool validLength() const; - bool hasOneOfEtags(const String &reqETags, const bool allowWeakMatch) const; -+ -+ friend std::ostream &operator <<(std::ostream &os, const StoreEntry &e); - }; - - std::ostream &operator <<(std::ostream &os, const StoreEntry &e); - -=== modified file 'src/client_side_reply.cc' ---- src/client_side_reply.cc 2017-05-29 13:15:55 +0000 -+++ src/client_side_reply.cc 2017-06-14 21:37:20 +0000 -@@ -396,8 +396,8 @@ - if (result.flags.error && !EBIT_TEST(http->storeEntry()->flags, ENTRY_ABORTED)) - return; - -- if (collapsedRevalidation == crSlave && EBIT_TEST(http->storeEntry()->flags, KEY_PRIVATE)) { -- debugs(88, 3, "CF slave hit private " << *http->storeEntry() << ". MISS"); -+ if (collapsedRevalidation == crSlave && !http->storeEntry()->mayStartHitting()) { -+ debugs(88, 3, "CF slave hit private non-shareable " << *http->storeEntry() << ". MISS"); - // restore context to meet processMiss() expectations - restoreState(); - http->logType = LOG_TCP_MISS; -@@ -530,7 +530,7 @@ - // The previously identified hit suddenly became unsharable! - // This is common for collapsed forwarding slaves but might also - // happen to regular hits because we are called asynchronously. -- if (EBIT_TEST(e->flags, KEY_PRIVATE)) { -+ if (!e->mayStartHitting()) { - debugs(88, 3, "unsharable " << *e << ". MISS"); - http->logType = LOG_TCP_MISS; - processMiss(); - -=== modified file 'src/fs/rock/RockSwapDir.cc' ---- src/fs/rock/RockSwapDir.cc 2017-01-01 00:16:45 +0000 -+++ src/fs/rock/RockSwapDir.cc 2017-06-14 21:37:20 +0000 -@@ -149,7 +149,7 @@ - e.ping_status = PING_NONE; - - EBIT_CLR(e.flags, RELEASE_REQUEST); -- EBIT_CLR(e.flags, KEY_PRIVATE); -+ e.clearPrivate(); - EBIT_SET(e.flags, ENTRY_VALIDATED); - - e.swap_dirn = index; - -=== modified file 'src/fs/ufs/UFSSwapDir.cc' ---- src/fs/ufs/UFSSwapDir.cc 2017-01-01 00:16:45 +0000 -+++ src/fs/ufs/UFSSwapDir.cc 2017-06-14 21:37:20 +0000 -@@ -809,7 +809,7 @@ - e->refcount = refcount; - e->flags = newFlags; - EBIT_CLR(e->flags, RELEASE_REQUEST); -- EBIT_CLR(e->flags, KEY_PRIVATE); -+ e->clearPrivate(); - e->ping_status = PING_NONE; - EBIT_CLR(e->flags, ENTRY_VALIDATED); - mapBitSet(e->swap_filen); - -=== modified file 'src/http.cc' ---- src/http.cc 2017-01-01 00:16:45 +0000 -+++ src/http.cc 2017-06-14 21:37:20 +0000 -@@ -290,7 +290,9 @@ - (Config.onoff.surrogate_is_remote - && sctusable->noStoreRemote())) { - surrogateNoStore = true; -- entry->makePrivate(); -+ // Be conservative for now and make it non-shareable because -+ // there is no enough information here to make the decision. -+ entry->makePrivate(false); - } - - /* The HttpHeader logic cannot tell if the header it's parsing is a reply to an -@@ -315,12 +317,13 @@ - } - } - --int --HttpStateData::cacheableReply() -+HttpStateData::ReuseDecision::Answers -+HttpStateData::reusableReply(HttpStateData::ReuseDecision &decision) - { - HttpReply const *rep = finalReply(); - HttpHeader const *hdr = &rep->header; - const char *v; -+ - #if USE_HTTP_VIOLATIONS - - const RefreshPattern *R = NULL; -@@ -337,24 +340,19 @@ - #define REFRESH_OVERRIDE(flag) 0 - #endif - -- if (EBIT_TEST(entry->flags, RELEASE_REQUEST)) { -- debugs(22, 3, "NO because " << *entry << " has been released."); -- return 0; -- } -+ if (EBIT_TEST(entry->flags, RELEASE_REQUEST)) -+ return decision.make(ReuseDecision::reuseNot, "the entry has been released"); - - // RFC 7234 section 4: a cache MUST use the most recent response - // (as determined by the Date header field) -- if (sawDateGoBack) { -- debugs(22, 3, "NO because " << *entry << " has an older date header."); -- return 0; -- } -+ // TODO: whether such responses could be shareable? -+ if (sawDateGoBack) -+ return decision.make(ReuseDecision::reuseNot, "the response has an older date header"); - - // Check for Surrogate/1.0 protocol conditions - // NP: reverse-proxy traffic our parent server has instructed us never to cache -- if (surrogateNoStore) { -- debugs(22, 3, HERE << "NO because Surrogate-Control:no-store"); -- return 0; -- } -+ if (surrogateNoStore) -+ return decision.make(ReuseDecision::reuseNot, "Surrogate-Control:no-store"); - - // RFC 2616: HTTP/1.1 Cache-Control conditions - if (!ignoreCacheControl) { -@@ -363,11 +361,10 @@ - // for now we are not reliably doing that so we waste CPU re-checking request CC - - // RFC 2616 section 14.9.2 - MUST NOT cache any response with request CC:no-store -- if (request && request->cache_control && request->cache_control->noStore() && -- !REFRESH_OVERRIDE(ignore_no_store)) { -- debugs(22, 3, HERE << "NO because client request Cache-Control:no-store"); -- return 0; -- } -+ if (request && request->cache_control && request->cache_control->hasNoStore() && -+ !REFRESH_OVERRIDE(ignore_no_store)) -+ return decision.make(ReuseDecision::reuseNot, -+ "client request Cache-Control:no-store"); - - // NP: request CC:no-cache only means cache READ is forbidden. STORE is permitted. - if (rep->cache_control && rep->cache_control->hasNoCache() && rep->cache_control->noCache().size() > 0) { -@@ -376,19 +373,18 @@ - * successfully (ie, must revalidate AND these headers are prohibited on stale replies). - * That is a bit tricky for squid right now so we avoid caching entirely. - */ -- debugs(22, 3, HERE << "NO because server reply Cache-Control:no-cache has parameters"); -- return 0; -+ return decision.make(ReuseDecision::reuseNot, -+ "server reply Cache-Control:no-cache has parameters"); - } - - // NP: request CC:private is undefined. We ignore. - // NP: other request CC flags are limiters on HIT/MISS. We don't care about here. - - // RFC 2616 section 14.9.2 - MUST NOT cache any response with CC:no-store -- if (rep->cache_control && rep->cache_control->noStore() && -- !REFRESH_OVERRIDE(ignore_no_store)) { -- debugs(22, 3, HERE << "NO because server reply Cache-Control:no-store"); -- return 0; -- } -+ if (rep->cache_control && rep->cache_control->hasNoStore() && -+ !REFRESH_OVERRIDE(ignore_no_store)) -+ return decision.make(ReuseDecision::reuseNot, -+ "server reply Cache-Control:no-store"); - - // RFC 2616 section 14.9.1 - MUST NOT cache any response with CC:private in a shared cache like Squid. - // CC:private overrides CC:public when both are present in a response. -@@ -401,27 +397,25 @@ - * successfully (ie, must revalidate AND these headers are prohibited on stale replies). - * That is a bit tricky for squid right now so we avoid caching entirely. - */ -- debugs(22, 3, HERE << "NO because server reply Cache-Control:private"); -- return 0; -+ return decision.make(ReuseDecision::reuseNot, -+ "server reply Cache-Control:private"); - } - } - - // RFC 2068, sec 14.9.4 - MUST NOT cache any response with Authentication UNLESS certain CC controls are present - // allow HTTP violations to IGNORE those controls (ie re-block caching Auth) - if (request && (request->flags.auth || request->flags.authSent) && !REFRESH_OVERRIDE(ignore_auth)) { -- if (!rep->cache_control) { -- debugs(22, 3, HERE << "NO because Authenticated and server reply missing Cache-Control"); -- return 0; -- } -+ if (!rep->cache_control) -+ return decision.make(ReuseDecision::reuseNot, -+ "authenticated and server reply missing Cache-Control"); - -- if (ignoreCacheControl) { -- debugs(22, 3, HERE << "NO because Authenticated and ignoring Cache-Control"); -- return 0; -- } -+ if (ignoreCacheControl) -+ return decision.make(ReuseDecision::reuseNot, -+ "authenticated and ignoring Cache-Control"); - - bool mayStore = false; - // HTTPbis pt6 section 3.2: a response CC:public is present -- if (rep->cache_control->Public()) { -+ if (rep->cache_control->hasPublic()) { - debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:public"); - mayStore = true; - -@@ -441,15 +435,13 @@ - #endif - - // HTTPbis pt6 section 3.2: a response CC:s-maxage is present -- } else if (rep->cache_control->sMaxAge()) { -+ } else if (rep->cache_control->hasSMaxAge()) { - debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:s-maxage"); - mayStore = true; - } - -- if (!mayStore) { -- debugs(22, 3, HERE << "NO because Authenticated transaction"); -- return 0; -- } -+ if (!mayStore) -+ return decision.make(ReuseDecision::reuseNot, "authenticated transaction"); - - // NP: response CC:no-cache is equivalent to CC:must-revalidate,max-age=0. We MAY cache, and do so. - // NP: other request CC flags are limiters on HIT/MISS/REFRESH. We don't care about here. -@@ -460,12 +452,26 @@ - * probably should not be cachable - */ - if ((v = hdr->getStr(HDR_CONTENT_TYPE))) -- if (!strncasecmp(v, "multipart/x-mixed-replace", 25)) { -- debugs(22, 3, HERE << "NO because Content-Type:multipart/x-mixed-replace"); -- return 0; -- } -+ if (!strncasecmp(v, "multipart/x-mixed-replace", 25)) -+ return decision.make(ReuseDecision::reuseNot, "Content-Type:multipart/x-mixed-replace"); -+ -+ // TODO: if possible, provide more specific message for each status code -+ static const char *shareableError = "shareable error status code"; -+ static const char *nonShareableError = "non-shareable error status code"; -+ ReuseDecision::Answers statusAnswer = ReuseDecision::reuseNot; -+ const char *statusReason = nonShareableError; - - switch (rep->sline.status()) { -+ -+ /* There are several situations when a non-cacheable response may be -+ * still shareable (e.g., among collapsed clients). We assume that these -+ * are 3xx and 5xx responses, indicating server problems and some of -+ * 4xx responses, common for all clients with a given cache key (e.g., -+ * 404 Not Found or 414 URI Too Long). On the other hand, we should not -+ * share non-cacheable client-specific errors, such as 400 Bad Request -+ * or 406 Not Acceptable. -+ */ -+ - /* Responses that are cacheable */ - - case Http::scOkay: -@@ -482,112 +488,90 @@ - * Don't cache objects that need to be refreshed on next request, - * unless we know how to refresh it. - */ -+ if (refreshIsCachable(entry) || REFRESH_OVERRIDE(store_stale)) -+ decision.make(ReuseDecision::cachePositively, "refresh check returned cacheable"); -+ else -+ decision.make(ReuseDecision::doNotCacheButShare, "refresh check returned non-cacheable"); - -- if (!refreshIsCachable(entry) && !REFRESH_OVERRIDE(store_stale)) { -- debugs(22, 3, "NO because refreshIsCachable() returned non-cacheable.."); -- return 0; -- } else { -- debugs(22, 3, HERE << "YES because HTTP status " << rep->sline.status()); -- return 1; -- } -- /* NOTREACHED */ - break; - - /* Responses that only are cacheable if the server says so */ - - case Http::scFound: - case Http::scTemporaryRedirect: -- if (rep->date <= 0) { -- debugs(22, 3, HERE << "NO because HTTP status " << rep->sline.status() << " and Date missing/invalid"); -- return 0; -- } -- if (rep->expires > rep->date) { -- debugs(22, 3, HERE << "YES because HTTP status " << rep->sline.status() << " and Expires > Date"); -- return 1; -- } else { -- debugs(22, 3, HERE << "NO because HTTP status " << rep->sline.status() << " and Expires <= Date"); -- return 0; -- } -- /* NOTREACHED */ -+ -+ if (rep->date <= 0) -+ decision.make(ReuseDecision::doNotCacheButShare, "Date is missing/invalid"); -+ else if (rep->expires > rep->date) -+ decision.make(ReuseDecision::cachePositively, "Expires > Date"); -+ else -+ decision.make(ReuseDecision::doNotCacheButShare, "Expires <= Date"); - break; - -- /* Errors can be negatively cached */ -- -+ /* These responses can be negatively cached. Most can also be shared. */ - case Http::scNoContent: -- - case Http::scUseProxy: -- -- case Http::scBadRequest: -- - case Http::scForbidden: -- - case Http::scNotFound: -- - case Http::scMethodNotAllowed: -- - case Http::scUriTooLong: -- - case Http::scInternalServerError: -- - case Http::scNotImplemented: -- - case Http::scBadGateway: -- - case Http::scServiceUnavailable: -- - case Http::scGatewayTimeout: - case Http::scMisdirectedRequest: -- -- debugs(22, 3, "MAYBE because HTTP status " << rep->sline.status()); -- return -1; -- -- /* NOTREACHED */ -+ statusAnswer = ReuseDecision::doNotCacheButShare; -+ statusReason = shareableError; -+ // fall through to the actual decision making below -+ -+ case Http::scBadRequest: // no sharing; perhaps the server did not like something specific to this request -+ -+#if USE_HTTP_VIOLATIONS -+ if (Config.negativeTtl > 0) -+ decision.make(ReuseDecision::cacheNegatively, "Config.negativeTtl > 0"); -+ else -+#endif -+ decision.make(statusAnswer, statusReason); - break; - -- /* Some responses can never be cached */ -- -- case Http::scPartialContent: /* Not yet supported */ -- -+ /* these responses can never be cached, some -+ of them can be shared though */ - case Http::scSeeOther: -- - case Http::scNotModified: -- - case Http::scUnauthorized: -- - case Http::scProxyAuthenticationRequired: -- -- case Http::scInvalidHeader: /* Squid header parsing error */ -- -- case Http::scHeaderTooLarge: -- - case Http::scPaymentRequired: -+ case Http::scInsufficientStorage: -+ // TODO: use more specific reason for non-error status codes -+ decision.make(ReuseDecision::doNotCacheButShare, shareableError); -+ break; -+ -+ case Http::scPartialContent: /* Not yet supported. TODO: make shareable for suitable ranges */ - case Http::scNotAcceptable: -- case Http::scRequestTimeout: -- case Http::scConflict: -+ case Http::scRequestTimeout: // TODO: is this shareable? -+ case Http::scConflict: // TODO: is this shareable? - case Http::scLengthRequired: - case Http::scPreconditionFailed: - case Http::scPayloadTooLarge: - case Http::scUnsupportedMediaType: - case Http::scUnprocessableEntity: -- case Http::scLocked: -+ case Http::scLocked: // TODO: is this shareable? - case Http::scFailedDependency: -- case Http::scInsufficientStorage: - case Http::scRequestedRangeNotSatisfied: - case Http::scExpectationFailed: -- -- debugs(22, 3, HERE << "NO because HTTP status " << rep->sline.status()); -- return 0; -- -+ case Http::scInvalidHeader: /* Squid header parsing error */ -+ case Http::scHeaderTooLarge: -+ decision.make(ReuseDecision::reuseNot, nonShareableError); -+ break; - default: - /* RFC 2616 section 6.1.1: an unrecognized response MUST NOT be cached. */ -- debugs (11, 3, HERE << "NO because unknown HTTP status code " << rep->sline.status()); -- return 0; - -- /* NOTREACHED */ -+ decision.make(ReuseDecision::reuseNot, "unknown status code"); - break; - } - -- /* NOTREACHED */ -+ return decision.answer; - } - - /// assemble a variant key (vary-mark) from the given Vary header and HTTP request -@@ -898,11 +882,12 @@ - - Ctx ctx = ctx_enter(entry->mem_obj->urlXXX()); - HttpReply *rep = finalReply(); -+ const Http::StatusCode statusCode = rep->sline.status(); - - entry->timestampsSet(); - - /* Check if object is cacheable or not based on reply code */ -- debugs(11, 3, "HTTP CODE: " << rep->sline.status()); -+ debugs(11, 3, "HTTP CODE: " << statusCode); - - if (const StoreEntry *oldEntry = findPreviouslyCachedEntry(entry)) - sawDateGoBack = rep->olderThan(oldEntry->getReply()); -@@ -919,7 +904,9 @@ - const SBuf vary(httpMakeVaryMark(request, rep)); - - if (vary.isEmpty()) { -- entry->makePrivate(); -+ // TODO: check whether such responses are shareable. -+ // Do not share for now. -+ entry->makePrivate(false); - if (!fwd->reforwardableStatus(rep->sline.status())) - EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT); - varyFailure = true; -@@ -942,30 +929,31 @@ - if (!fwd->reforwardableStatus(rep->sline.status())) - EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT); - -- switch (cacheableReply()) { -- -- case 1: -+ ReuseDecision decision(entry, statusCode); -+ -+ switch (reusableReply(decision)) { -+ -+ case ReuseDecision::reuseNot: -+ entry->makePrivate(false); -+ break; -+ -+ case ReuseDecision::cachePositively: - entry->makePublic(); - break; - -- case 0: -- entry->makePrivate(); -+ case ReuseDecision::cacheNegatively: -+ entry->cacheNegatively(); - break; - -- case -1: -- --#if USE_HTTP_VIOLATIONS -- if (Config.negativeTtl > 0) -- entry->cacheNegatively(); -- else --#endif -- entry->makePrivate(); -+ case ReuseDecision::doNotCacheButShare: -+ entry->makePrivate(true); - break; - - default: - assert(0); - break; - } -+ debugs(11, 3, "decided: " << decision); - } - - if (!ignoreCacheControl) { -@@ -2429,3 +2417,29 @@ - mustStop(reason); - } - -+HttpStateData::ReuseDecision::ReuseDecision(const StoreEntry *e, const Http::StatusCode code) -+ : answer(HttpStateData::ReuseDecision::reuseNot), reason(nullptr), entry(e), statusCode(code) {} -+ -+HttpStateData::ReuseDecision::Answers -+HttpStateData::ReuseDecision::make(const HttpStateData::ReuseDecision::Answers ans, const char *why) -+{ -+ answer = ans; -+ reason = why; -+ return answer; -+} -+ -+std::ostream &operator <<(std::ostream &os, const HttpStateData::ReuseDecision &d) -+{ -+ static const char *ReuseMessages[] = { -+ "do not cache and do not share", // reuseNot -+ "cache positively and share", // cachePositively -+ "cache negatively and share", // cacheNegatively -+ "do not cache but share" // doNotCacheButShare -+ }; -+ -+ assert(d.answer >= HttpStateData::ReuseDecision::reuseNot && -+ d.answer <= HttpStateData::ReuseDecision::doNotCacheButShare); -+ return os << ReuseMessages[d.answer] << " because " << d.reason << -+ "; HTTP status " << d.statusCode << " " << *(d.entry); -+} -+ - -=== modified file 'src/http.h' ---- src/http.h 2017-01-01 00:16:45 +0000 -+++ src/http.h 2017-06-14 21:37:20 +0000 -@@ -22,6 +22,23 @@ - { - - public: -+ -+ /// assists in making and relaying entry caching/sharing decision -+ class ReuseDecision -+ { -+ public: -+ enum Answers { reuseNot = 0, cachePositively, cacheNegatively, doNotCacheButShare }; -+ -+ ReuseDecision(const StoreEntry *e, const Http::StatusCode code); -+ /// stores the corresponding decision -+ Answers make(const Answers ans, const char *why); -+ -+ Answers answer; ///< the decision id -+ const char *reason; ///< the decision reason -+ const StoreEntry *entry; ///< entry for debugging -+ const Http::StatusCode statusCode; ///< HTTP status for debugging -+ }; -+ - HttpStateData(FwdState *); - ~HttpStateData(); - -@@ -39,8 +56,8 @@ - void readReply(const CommIoCbParams &io); - virtual void maybeReadVirginBody(); // read response data from the network - -- // Determine whether the response is a cacheable representation -- int cacheableReply(); -+ // Checks whether the response is cacheable/shareable. -+ ReuseDecision::Answers reusableReply(ReuseDecision &decision); - - CachePeer *_peer; /* CachePeer request made to */ - int eof; /* reached end-of-object? */ -@@ -119,6 +136,8 @@ - CBDATA_CLASS2(HttpStateData); - }; - -+std::ostream &operator <<(std::ostream &os, const HttpStateData::ReuseDecision &d); -+ - int httpCachable(const HttpRequestMethod&); - void httpStart(FwdState *); - SBuf httpMakeVaryMark(HttpRequest * request, HttpReply const * reply); - -=== modified file 'src/store.cc' ---- src/store.cc 2017-01-01 00:16:45 +0000 -+++ src/store.cc 2017-06-14 21:37:20 +0000 -@@ -171,11 +171,18 @@ - } - - void --StoreEntry::makePrivate() -+StoreEntry::makePrivate(const bool shareable) - { - /* This object should never be cached at all */ - expireNow(); -- releaseRequest(); /* delete object when not used */ -+ releaseRequest(shareable); /* delete object when not used */ -+} -+ -+void -+StoreEntry::clearPrivate() -+{ -+ EBIT_CLR(flags, KEY_PRIVATE); -+ shareableWhenPrivate = false; - } - - void -@@ -365,7 +372,8 @@ - ping_status(PING_NONE), - store_status(STORE_PENDING), - swap_status(SWAPOUT_NONE), -- lock_count(0) -+ lock_count(0), -+ shareableWhenPrivate(false) - { - debugs(20, 5, "StoreEntry constructed, this=" << this); - } -@@ -504,14 +512,14 @@ - } - - void --StoreEntry::releaseRequest() -+StoreEntry::releaseRequest(const bool shareable) - { - if (EBIT_TEST(flags, RELEASE_REQUEST)) - return; - - setReleaseFlag(); // makes validToSend() false, preventing future hits - -- setPrivateKey(); -+ setPrivateKey(shareable); - } - - int -@@ -623,12 +631,16 @@ - * concept'. - */ - void --StoreEntry::setPrivateKey() -+StoreEntry::setPrivateKey(const bool shareable) - { - const cache_key *newkey; - -- if (key && EBIT_TEST(flags, KEY_PRIVATE)) -- return; /* is already private */ -+ if (key && EBIT_TEST(flags, KEY_PRIVATE)) { -+ // The entry is already private, but it may be still shareable. -+ if (!shareable) -+ shareableWhenPrivate = false; -+ return; -+ } - - if (key) { - setReleaseFlag(); // will markForUnlink(); all caches/workers will know -@@ -649,6 +661,7 @@ - - assert(hash_lookup(store_table, newkey) == NULL); - EBIT_SET(flags, KEY_PRIVATE); -+ shareableWhenPrivate = shareable; - hashInsert(newkey); - } - -@@ -705,14 +718,17 @@ - if (StoreEntry *e2 = (StoreEntry *)hash_lookup(store_table, newkey)) { - assert(e2 != this); - debugs(20, 3, "Making old " << *e2 << " private."); -- e2->setPrivateKey(); -- e2->release(); -+ -+ // TODO: check whether there is any sense in keeping old entry -+ // shareable here. Leaving it non-shareable for now. -+ e2->setPrivateKey(false); -+ e2->release(false); - } - - if (key) - hashDelete(); - -- EBIT_CLR(flags, KEY_PRIVATE); -+ clearPrivate(); - - hashInsert(newkey); - -@@ -830,7 +846,7 @@ - e->lock("storeCreateEntry"); - - if (neighbors_do_private_keys || !flags.hierarchical) -- e->setPrivateKey(); -+ e->setPrivateKey(false); - else - e->setPublicKey(); - -@@ -1264,7 +1280,7 @@ - - /* release an object from a cache */ - void --StoreEntry::release() -+StoreEntry::release(const bool shareable) - { - PROF_start(storeRelease); - debugs(20, 3, "releasing " << *this << ' ' << getMD5Text()); -@@ -1274,7 +1290,7 @@ - if (locked()) { - expireNow(); - debugs(20, 3, "storeRelease: Only setting RELEASE_REQUEST bit"); -- releaseRequest(); -+ releaseRequest(shareable); - PROF_stop(storeRelease); - return; - } -@@ -1282,7 +1298,7 @@ - Store::Root().memoryUnlink(*this); - - if (StoreController::store_dirs_rebuilding && swap_filen > -1) { -- setPrivateKey(); -+ setPrivateKey(shareable); - - if (swap_filen > -1) { - // lock the entry until rebuilding is done -@@ -2181,7 +2197,11 @@ - if (EBIT_TEST(e.flags, REFRESH_REQUEST)) os << 'F'; - if (EBIT_TEST(e.flags, ENTRY_REVALIDATE_STALE)) os << 'E'; - if (EBIT_TEST(e.flags, ENTRY_DISPATCHED)) os << 'D'; -- if (EBIT_TEST(e.flags, KEY_PRIVATE)) os << 'I'; -+ if (EBIT_TEST(e.flags, KEY_PRIVATE)) { -+ os << 'I'; -+ if (e.shareableWhenPrivate) -+ os << 'H'; -+ } - if (EBIT_TEST(e.flags, ENTRY_FWD_HDR_WAIT)) os << 'W'; - if (EBIT_TEST(e.flags, ENTRY_NEGCACHED)) os << 'N'; - if (EBIT_TEST(e.flags, ENTRY_VALIDATED)) os << 'V'; - -=== modified file 'src/tests/stub_store.cc' ---- src/tests/stub_store.cc 2017-01-01 00:16:45 +0000 -+++ src/tests/stub_store.cc 2017-06-14 21:37:20 +0000 -@@ -43,11 +43,11 @@ - void StoreEntry::abort() STUB - void StoreEntry::unlink() STUB - void StoreEntry::makePublic(const KeyScope keyScope) STUB --void StoreEntry::makePrivate() STUB -+void StoreEntry::makePrivate(const bool shareable) STUB - void StoreEntry::setPublicKey(const KeyScope keyScope) STUB --void StoreEntry::setPrivateKey() STUB -+void StoreEntry::setPrivateKey(const bool shareable) STUB - void StoreEntry::expireNow() STUB --void StoreEntry::releaseRequest() STUB -+void StoreEntry::releaseRequest(const bool shareable) STUB - void StoreEntry::negativeCache() STUB - void StoreEntry::cacheNegatively() STUB - void StoreEntry::purgeMem() STUB -@@ -99,7 +99,7 @@ - int64_t StoreEntry::contentLen() const STUB_RETVAL(0) - void StoreEntry::lock(const char *) STUB - void StoreEntry::touch() STUB --void StoreEntry::release() STUB -+void StoreEntry::release(const bool shareable) STUB - - NullStoreEntry *NullStoreEntry::getInstance() STUB_RETVAL(NULL) - const char *NullStoreEntry::getMD5Text() const STUB_RETVAL(NULL) - -=== modified file 'src/tests/testStoreController.cc' ---- src/tests/testStoreController.cc 2017-01-01 00:16:45 +0000 -+++ src/tests/testStoreController.cc 2017-06-14 21:37:20 +0000 -@@ -116,7 +116,7 @@ - e->lastModified(squid_curtime); - e->refcount = 1; - EBIT_CLR(e->flags, RELEASE_REQUEST); -- EBIT_CLR(e->flags, KEY_PRIVATE); -+ e->clearPrivate(); - e->ping_status = PING_NONE; - EBIT_CLR(e->flags, ENTRY_VALIDATED); - e->hashInsert((const cache_key *)name.termedBuf()); /* do it after we clear KEY_PRIVATE */ - -=== modified file 'src/tests/testStoreHashIndex.cc' ---- src/tests/testStoreHashIndex.cc 2017-01-01 00:16:45 +0000 -+++ src/tests/testStoreHashIndex.cc 2017-06-14 21:37:20 +0000 -@@ -97,7 +97,7 @@ - e->lastModified(squid_curtime); - e->refcount = 1; - EBIT_CLR(e->flags, RELEASE_REQUEST); -- EBIT_CLR(e->flags, KEY_PRIVATE); -+ e->clearPrivate(); - e->ping_status = PING_NONE; - EBIT_CLR(e->flags, ENTRY_VALIDATED); - e->hashInsert((const cache_key *)name.termedBuf()); /* do it after we clear KEY_PRIVATE */ - diff --git a/src/patches/squid/squid-3.5-14170.patch b/src/patches/squid/squid-3.5-14170.patch deleted file mode 100644 index cea0f1363..000000000 --- a/src/patches/squid/squid-3.5-14170.patch +++ /dev/null @@ -1,85 +0,0 @@ ------------------------------------------------------------- -revno: 14170 -revision-id: squid3(a)treenet.co.nz-20170614215906-ly36sobvlr2pt0u6 -parent: squid3(a)treenet.co.nz-20170614213720-3qmiohlx4zr2jnqq -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=2833 -author: Eduard Bagdasaryan <eduard.bagdasaryan(a)measurement-factory.com> -committer: Amos Jeffries <squid3(a)treenet.co.nz> -branch nick: 3.5 -timestamp: Thu 2017-06-15 09:59:06 +1200 -message: - Bug 2833 pt3: Do not respond with HTTP/304 to unconditional requests - - ... after internal revalidation. The original unconditional HttpRequest - was still marked (and processed) as conditional after internal - revalidation because the original (clear) Last-Modified and ETag values - were not restored (cleared) after the internal revalidation abused them. - - TODO: Isolate the code converting the request into conditional one _and_ - the code that undoes that conversion, to keep both actions in sync. ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3(a)treenet.co.nz-20170614215906-ly36sobvlr2pt0u6 -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: 0991e2d39b3bcebcf18cba3db0e3b57aabf23b8b -# timestamp: 2017-06-14 22:22:43 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squid3(a)treenet.co.nz-20170614213720-\ -# 3qmiohlx4zr2jnqq -# -# Begin patch -=== modified file 'src/client_side_reply.cc' ---- src/client_side_reply.cc 2017-06-14 21:37:20 +0000 -+++ src/client_side_reply.cc 2017-06-14 21:59:06 +0000 -@@ -72,8 +72,8 @@ - HTTPMSGUNLOCK(reply); - } - --clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) : http (cbdataReference(clientContext)), old_entry (NULL), old_sc(NULL), deleting(false), -- collapsedRevalidation(crNone) -+clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) : http (cbdataReference(clientContext)), old_entry (NULL), -+ old_sc(NULL), old_lastmod(-1), deleting(false), collapsedRevalidation(crNone) - {} - - /** Create an error in the store awaiting the client side to read it. -@@ -185,6 +185,8 @@ - debugs(88, 3, "clientReplyContext::saveState: saving store context"); - old_entry = http->storeEntry(); - old_sc = sc; -+ old_lastmod = http->request->lastmod; -+ old_etag = http->request->etag; - old_reqsize = reqsize; - tempBuffer.offset = reqofs; - /* Prevent accessing the now saved entries */ -@@ -204,9 +206,13 @@ - sc = old_sc; - reqsize = old_reqsize; - reqofs = tempBuffer.offset; -+ http->request->lastmod = old_lastmod; -+ http->request->etag = old_etag; - /* Prevent accessed the old saved entries */ - old_entry = NULL; - old_sc = NULL; -+ old_lastmod = -1; -+ old_etag.clean(); - old_reqsize = 0; - tempBuffer.offset = 0; - } - -=== modified file 'src/client_side_reply.h' ---- src/client_side_reply.h 2017-01-01 00:16:45 +0000 -+++ src/client_side_reply.h 2017-06-14 21:59:06 +0000 -@@ -130,7 +130,11 @@ - void sendNotModifiedOrPreconditionFailedError(); - - StoreEntry *old_entry; -- store_client *old_sc; /* ... for entry to be validated */ -+ /* ... for entry to be validated */ -+ store_client *old_sc; -+ time_t old_lastmod; -+ String old_etag; -+ - bool deleting; - - typedef enum { - diff --git a/src/patches/squid/squid-3.5-14171.patch b/src/patches/squid/squid-3.5-14171.patch deleted file mode 100644 index f357045b2..000000000 --- a/src/patches/squid/squid-3.5-14171.patch +++ /dev/null @@ -1,45 +0,0 @@ ------------------------------------------------------------- -revno: 14171 -revision-id: squidadm(a)squid-cache.org-20170615001633-wgrl5w8isv15o7gg -parent: squid3(a)treenet.co.nz-20170614215906-ly36sobvlr2pt0u6 -committer: Source Maintenance <squidadm(a)squid-cache.org> -branch nick: 3.5 -timestamp: Thu 2017-06-15 00:16:33 +0000 -message: - SourceFormat Enforcement ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squidadm(a)squid-cache.org-20170615001633-\ -# wgrl5w8isv15o7gg -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: 237182ac5eed6aca7e9aca295a90057f3a8cf10b -# timestamp: 2017-06-15 00:51:05 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squid3(a)treenet.co.nz-20170614215906-\ -# ly36sobvlr2pt0u6 -# -# Begin patch -=== modified file 'src/http.cc' ---- src/http.cc 2017-06-14 21:37:20 +0000 -+++ src/http.cc 2017-06-15 00:16:33 +0000 -@@ -523,7 +523,7 @@ - case Http::scMisdirectedRequest: - statusAnswer = ReuseDecision::doNotCacheButShare; - statusReason = shareableError; -- // fall through to the actual decision making below -+ // fall through to the actual decision making below - - case Http::scBadRequest: // no sharing; perhaps the server did not like something specific to this request - -@@ -2438,8 +2438,8 @@ - }; - - assert(d.answer >= HttpStateData::ReuseDecision::reuseNot && -- d.answer <= HttpStateData::ReuseDecision::doNotCacheButShare); -+ d.answer <= HttpStateData::ReuseDecision::doNotCacheButShare); - return os << ReuseMessages[d.answer] << " because " << d.reason << -- "; HTTP status " << d.statusCode << " " << *(d.entry); -+ "; HTTP status " << d.statusCode << " " << *(d.entry); - } - - diff --git a/src/patches/squid/squid-3.5-14172.patch b/src/patches/squid/squid-3.5-14172.patch deleted file mode 100644 index aa7332765..000000000 --- a/src/patches/squid/squid-3.5-14172.patch +++ /dev/null @@ -1,40 +0,0 @@ ------------------------------------------------------------- -revno: 14172 -revision-id: squid3(a)treenet.co.nz-20170621195439-l63xfsad58ghhhfu -parent: squidadm(a)squid-cache.org-20170615001633-wgrl5w8isv15o7gg -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4671 -committer: Amos Jeffries <squid3(a)treenet.co.nz> -branch nick: 3.5 -timestamp: Thu 2017-06-22 07:54:39 +1200 -message: - Bug 4671 pt2: GCC 7: raise FTP Gateway CTRL channel buffer to 16KB - - Fixes - error: %s directive output may be truncated writing up to 8191 bytes - into a region of size 1019 - note: snprintf output between 8 and 8199 bytes into a destination of - size 1024 ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3(a)treenet.co.nz-20170621195439-l63xfsad58ghhhfu -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: eeb32b45efe5504eebeaae89088d4a81d807807c -# timestamp: 2017-06-21 20:50:58 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squidadm(a)squid-cache.org-20170615001633-\ -# wgrl5w8isv15o7gg -# -# Begin patch -=== modified file 'src/clients/FtpGateway.cc' ---- src/clients/FtpGateway.cc 2017-05-29 04:37:41 +0000 -+++ src/clients/FtpGateway.cc 2017-06-21 19:54:39 +0000 -@@ -192,7 +192,7 @@ - - #define FTP_LOGIN_NOT_ESCAPED 0 - --#define CTRL_BUFLEN 1024 -+#define CTRL_BUFLEN 16*1024 - static char cbuf[CTRL_BUFLEN]; - - /* - diff --git a/src/patches/squid/squid-3.5-14173.patch b/src/patches/squid/squid-3.5-14173.patch deleted file mode 100644 index 6841202ac..000000000 --- a/src/patches/squid/squid-3.5-14173.patch +++ /dev/null @@ -1,254 +0,0 @@ ------------------------------------------------------------- -revno: 14173 -revision-id: squid3(a)treenet.co.nz-20170621201248-ezpvykg0b307ix61 -parent: squid3(a)treenet.co.nz-20170621195439-l63xfsad58ghhhfu -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4671 -author: Alex Rousskov <rousskov(a)measurement-factory.com> -committer: Amos Jeffries <squid3(a)treenet.co.nz> -branch nick: 3.5 -timestamp: Thu 2017-06-22 08:12:48 +1200 -message: - Replace new/delete operators using modern C++ rules. - - This change was motivated by "Mismatched free()/delete/delete[]" errors - reported by valgrind and mused about in Squid source code. - - I speculate that the old new/delete replacement code was the result of - slow accumulation of working hacks to accomodate various environments, - as compiler support for the feature evolved. The cumulative result does - not actually work well (see the above paragraph), and the replacement - functions had the following visible coding problems according to [1,2]: - - a) Declared with non-standard profiles that included throw specifiers. - b) Declared inline. C++ says that the results of inline declarations - have unspecified effects. In Squid, they probably necessitated - complex compiler-specific "extern inline" workarounds. - c) Defined in the header file. C++ says that defining replacements "in - any source file" is enough and that multiple replacements per - program (which is what a header file definition produces) result in - "undefined behavior". - d) Declared inconsistently (only 2 out of 4 flavors). Declaring one base - flavor should be sufficient, but if we declare more, we should - declare all of them. - - [1] http://en.cppreference.com/w/cpp/memory/new/operator_new - [2] http://en.cppreference.com/w/cpp/memory/new/operator_delete - - The replacements were not provided to clang (trunk r13219), but there - was no explanation why. This patch does not change that exclusion. - - I have no idea whether any of the old hacks are still necessary in some - cases. However, I suspect that either we do not care much if the - replacements are not enabled on some poorly supported platforms OR we - can disable them (or make them work) using much simpler hacks for the - platforms we do care about. ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3(a)treenet.co.nz-20170621201248-ezpvykg0b307ix61 -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: 4f15c23326e4e4fe2ca2a6c7a13333e01677a0b0 -# timestamp: 2017-06-21 20:51:02 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squid3(a)treenet.co.nz-20170621195439-\ -# l63xfsad58ghhhfu -# -# Begin patch -=== modified file 'compat/os/macosx.h' ---- compat/os/macosx.h 2017-01-01 00:16:45 +0000 -+++ compat/os/macosx.h 2017-06-21 20:12:48 +0000 -@@ -28,11 +28,6 @@ - - #include "compat/cmsg.h" - --// MacOS GCC 4.0.1 and 4.2.1 supply __GNUC_GNU_INLINE__ but do not actually define __attribute__((gnu_inline)) --#if defined(__cplusplus) && !defined(_SQUID_EXTERNNEW_) --#define _SQUID_EXTERNNEW_ extern inline --#endif -- - #endif /* _SQUID_APPLE_ */ - #endif /* SQUID_OS_MACOSX_H */ - - -=== modified file 'compat/os/sgi.h' ---- compat/os/sgi.h 2017-01-01 00:16:45 +0000 -+++ compat/os/sgi.h 2017-06-21 20:12:48 +0000 -@@ -25,15 +25,6 @@ - #define _ABI_SOURCE - #endif /* USE_ASYNC_IO */ - --#if defined(__cplusplus) && !defined(_SQUID_EXTERNNEW_) && !defined(_GNUC_) --/* -- * The gcc compiler treats extern inline functions as being extern, -- * while the SGI MIPSpro compilers treat them as inline. To get equivalent -- * behavior, remove the inline keyword. -- */ --#define _SQUID_EXTERNNEW_ extern --#endif -- - #endif /* _SQUID_SGI_ */ - #endif /* SQUID_OS_SGI_H */ - - -=== modified file 'compat/os/solaris.h' ---- compat/os/solaris.h 2017-01-01 00:16:45 +0000 -+++ compat/os/solaris.h 2017-06-21 20:12:48 +0000 -@@ -59,13 +59,6 @@ - #endif - - /* -- * SunPro CC handles extern inline as inline, PLUS extern symbols. -- */ --#if !defined(_SQUID_EXTERNNEW_) && defined(__SUNPRO_CC) --#define _SQUID_EXTERNNEW_ extern --#endif -- --/* - * SunStudio CC does not define C++ portability API __FUNCTION__ - */ - #if defined(__SUNPRO_CC) && !defined(__FUNCTION__) - -=== removed file 'include/SquidNew.h' ---- include/SquidNew.h 2017-01-01 00:16:45 +0000 -+++ include/SquidNew.h 1970-01-01 00:00:00 +0000 -@@ -1,41 +0,0 @@ --/* -- * Copyright (C) 1996-2017 The Squid Software Foundation and contributors -- * -- * Squid software is distributed under GPLv2+ license and includes -- * contributions from numerous individuals and organizations. -- * Please see the COPYING and CONTRIBUTORS files for details. -- */ -- --#ifndef SQUID_NEW_H --#define SQUID_NEW_H -- --#if !defined(__SUNPRO_CC) && !defined(__clang__) --/* Any code using libstdc++ must have externally resolvable overloads -- * for void * operator new - which means in the .o for the binary, -- * or in a shared library. static libs don't propogate the symbol -- * so, look in the translation unit containing main() in squid -- * for the extern version in squid -- */ --#include <new> -- --_SQUID_EXTERNNEW_ void *operator new(size_t size) throw (std::bad_alloc) --{ -- return xmalloc(size); --} --_SQUID_EXTERNNEW_ void operator delete (void *address) throw() --{ -- xfree(address); --} --_SQUID_EXTERNNEW_ void *operator new[] (size_t size) throw (std::bad_alloc) --{ -- return xmalloc(size); --} --_SQUID_EXTERNNEW_ void operator delete[] (void *address) throw() --{ -- xfree(address); --} -- --#endif /* !__SUNPRO_CC && !__clang__*/ -- --#endif /* SQUID_NEW_H */ -- - -=== modified file 'include/util.h' ---- include/util.h 2017-01-01 00:16:45 +0000 -+++ include/util.h 2017-06-21 20:12:48 +0000 -@@ -19,23 +19,6 @@ - SQUIDCEXTERN int tvSubUsec(struct timeval, struct timeval); - SQUIDCEXTERN double tvSubDsec(struct timeval, struct timeval); - SQUIDCEXTERN void Tolower(char *); --#if defined(__cplusplus) --/* -- * Any code using libstdc++ must have externally resolvable overloads -- * for void * operator new - which means in the .o for the binary, -- * or in a shared library. static libs don't propogate the symbol -- * so, look in the translation unit containing main() in squid -- * for the extern version in squid -- */ --#if !defined(_SQUID_EXTERNNEW_) --#if defined(__GNUC_STDC_INLINE__) || defined(__GNUC_GNU_INLINE__) --#define _SQUID_EXTERNNEW_ extern inline __attribute__((gnu_inline)) --#else --#define _SQUID_EXTERNNEW_ extern inline --#endif --#endif --#include "SquidNew.h" --#endif - - SQUIDCEXTERN time_t parse_iso3307_time(const char *buf); - - -=== modified file 'src/SquidNew.cc' ---- src/SquidNew.cc 2017-01-01 00:16:45 +0000 -+++ src/SquidNew.cc 2017-06-21 20:12:48 +0000 -@@ -8,29 +8,45 @@ - - /* DEBUG: none Memory Allocation */ - --#define _SQUID_EXTERNNEW_ -- - #include "squid.h" - --#ifdef __SUNPRO_CC -+#if !defined(__clang__) - - #include <new> --void *operator new(size_t size) throw (std::bad_alloc) --{ -- return xmalloc(size); --} --void operator delete (void *address) throw() --{ -- xfree (address); --} --void *operator new[] (size_t size) throw (std::bad_alloc) --{ -- return xmalloc(size); --} --void operator delete[] (void *address) throw() --{ -- xfree (address); --} -- --#endif /* __SUNPRO_CC */ -+ -+void *operator new(size_t size) -+{ -+ return xmalloc(size); -+} -+void operator delete(void *address) -+{ -+ xfree(address); -+} -+void *operator new[](size_t size) -+{ -+ return xmalloc(size); -+} -+void operator delete[](void *address) -+{ -+ xfree(address); -+} -+ -+void *operator new(size_t size, const std::nothrow_t &tag) -+{ -+ return xmalloc(size); -+} -+void operator delete(void *address, const std::nothrow_t &tag) -+{ -+ xfree(address); -+} -+void *operator new[](size_t size, const std::nothrow_t &tag) -+{ -+ return xmalloc(size); -+} -+void operator delete[](void *address, const std::nothrow_t &tag) -+{ -+ xfree(address); -+} -+ -+#endif /* !defined(__clang__) */ - - diff --git a/src/patches/squid/squid-3.5-14174.patch b/src/patches/squid/squid-3.5-14174.patch deleted file mode 100644 index 7427eb38d..000000000 --- a/src/patches/squid/squid-3.5-14174.patch +++ /dev/null @@ -1,274 +0,0 @@ ------------------------------------------------------------- -revno: 14174 -revision-id: squid3(a)treenet.co.nz-20170622153146-nxo8vl6a9r8z03v4 -parent: squid3(a)treenet.co.nz-20170621201248-ezpvykg0b307ix61 -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4671 -committer: Amos Jeffries <squid3(a)treenet.co.nz> -branch nick: 3.5 -timestamp: Fri 2017-06-23 03:31:46 +1200 -message: - Bug 4671 pt3: various GCC 7 compile errors - - Also, remove limit on FTP realm strings - - Convert ftpRealm() from generating char* to SBuf. This fixes issues identified - by GCC 7 where the realm string may be longer than the available buffer and - gets truncated. - The size of the buffer was making the occurance rather rare, but it is still - possible. ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3(a)treenet.co.nz-20170622153146-nxo8vl6a9r8z03v4 -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: b54e1a339544443ed9b34a094717b2781c746c76 -# timestamp: 2017-06-22 15:50:59 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squid3(a)treenet.co.nz-20170621201248-\ -# ezpvykg0b307ix61 -# -# Begin patch -=== modified file 'src/DiskIO/DiskThreads/aiops.cc' ---- src/DiskIO/DiskThreads/aiops.cc 2017-01-01 00:16:45 +0000 -+++ src/DiskIO/DiskThreads/aiops.cc 2017-06-22 15:31:46 +0000 -@@ -290,7 +290,7 @@ - /* Create threads and get them to sit in their wait loop */ - squidaio_thread_pool = memPoolCreate("aio_thread", sizeof(squidaio_thread_t)); - -- assert(NUMTHREADS); -+ assert(NUMTHREADS != 0); - - for (i = 0; i < NUMTHREADS; ++i) { - threadp = (squidaio_thread_t *)squidaio_thread_pool->alloc(); - -=== modified file 'src/clients/FtpGateway.cc' ---- src/clients/FtpGateway.cc 2017-06-21 19:54:39 +0000 -+++ src/clients/FtpGateway.cc 2017-06-22 15:31:46 +0000 -@@ -153,8 +153,8 @@ - virtual void timeout(const CommTimeoutCbParams &io); - void ftpAcceptDataConnection(const CommAcceptCbParams &io); - -- static HttpReply *ftpAuthRequired(HttpRequest * request, const char *realm); -- const char *ftpRealm(void); -+ static HttpReply *ftpAuthRequired(HttpRequest * request, SBuf &realm); -+ SBuf ftpRealm(); - void loginFailed(void); - - virtual void haveParsedReplyHeaders(); -@@ -1189,7 +1189,8 @@ - { - if (!checkAuth(&request->header)) { - /* create appropriate reply */ -- HttpReply *reply = ftpAuthRequired(request, ftpRealm()); -+ SBuf realm(ftpRealm()); // local copy so SBuf wont disappear too early -+ HttpReply *reply = ftpAuthRequired(request, realm); - entry->replaceHttpReply(reply); - serverComplete(); - return; -@@ -1290,7 +1291,9 @@ - - #if HAVE_AUTH_MODULE_BASIC - /* add Authenticate header */ -- newrep->header.putAuth("Basic", ftpRealm()); -+ // XXX: performance regression. c_str() may reallocate -+ SBuf realm(ftpRealm()); // local copy so SBuf wont disappear too early -+ newrep->header.putAuth("Basic", realm.c_str()); - #endif - - // add it to the store entry for response.... -@@ -1298,18 +1301,19 @@ - serverComplete(); - } - --const char * -+SBuf - Ftp::Gateway::ftpRealm() - { -- static char realm[8192]; -+ SBuf realm; - - /* This request is not fully authenticated */ -- if (!request) { -- snprintf(realm, 8192, "FTP %s unknown", user); -- } else if (request->port == 21) { -- snprintf(realm, 8192, "FTP %s %s", user, request->GetHost()); -- } else { -- snprintf(realm, 8192, "FTP %s %s port %d", user, request->GetHost(), request->port); -+ realm.appendf("FTP %s ", user); -+ if (!request) -+ realm.append("unknown", 7); -+ else { -+ realm.append(request->GetHost()); -+ if (request->port != 21) -+ realm.appendf(" port %d", request->port); - } - return realm; - } -@@ -2673,13 +2677,14 @@ - } - - HttpReply * --Ftp::Gateway::ftpAuthRequired(HttpRequest * request, const char *realm) -+Ftp::Gateway::ftpAuthRequired(HttpRequest * request, SBuf &realm) - { - ErrorState err(ERR_CACHE_ACCESS_DENIED, Http::scUnauthorized, request); - HttpReply *newrep = err.BuildHttpReply(); - #if HAVE_AUTH_MODULE_BASIC - /* add Authenticate header */ -- newrep->header.putAuth("Basic", realm); -+ // XXX: performance regression. c_str() may reallocate -+ newrep->header.putAuth("Basic", realm.c_str()); - #endif - return newrep; - } - -=== modified file 'src/fde.cc' ---- src/fde.cc 2017-01-01 00:16:45 +0000 -+++ src/fde.cc 2017-06-22 15:31:46 +0000 -@@ -85,15 +85,15 @@ - char const * - fde::remoteAddr() const - { -- LOCAL_ARRAY(char, buf, MAX_IPSTRLEN ); -+ static char buf[MAX_IPSTRLEN+7]; // 7 = length of ':port' strings - - if (type != FD_SOCKET) - return null_string; - - if ( *ipaddr ) -- snprintf( buf, MAX_IPSTRLEN, "%s:%d", ipaddr, (int)remote_port); -+ snprintf(buf, sizeof(buf), "%s:%u", ipaddr, remote_port); - else -- local_addr.toUrl(buf,MAX_IPSTRLEN); // toHostStr does not include port. -+ local_addr.toUrl(buf, sizeof(buf)); // toHostStr does not include port. - - return buf; - } - -=== modified file 'src/fs/ufs/RebuildState.cc' ---- src/fs/ufs/RebuildState.cc 2017-01-01 00:16:45 +0000 -+++ src/fs/ufs/RebuildState.cc 2017-06-22 15:31:46 +0000 -@@ -444,7 +444,7 @@ - } - - if (0 == in_dir) { /* we need to read in a new directory */ -- snprintf(fullpath, MAXPATHLEN, "%s/%02X/%02X", -+ snprintf(fullpath, sizeof(fullpath), "%s/%02X/%02X", - sd->path, - curlvl1, curlvl2); - -@@ -489,7 +489,7 @@ - continue; - } - -- snprintf(fullfilename, MAXPATHLEN, "%s/%s", -+ snprintf(fullfilename, sizeof(fullfilename), "%s/%s", - fullpath, entry->d_name); - debugs(47, 3, HERE << "Opening " << fullfilename); - fd = file_open(fullfilename, O_RDONLY | O_BINARY); - -=== modified file 'src/fs/ufs/RebuildState.h' ---- src/fs/ufs/RebuildState.h 2017-01-01 00:16:45 +0000 -+++ src/fs/ufs/RebuildState.h 2017-06-22 15:31:46 +0000 -@@ -54,7 +54,7 @@ - dirent_t *entry; - DIR *td; - char fullpath[MAXPATHLEN]; -- char fullfilename[MAXPATHLEN]; -+ char fullfilename[MAXPATHLEN*2]; - - StoreRebuildData counts; - - -=== modified file 'src/gopher.cc' ---- src/gopher.cc 2017-01-01 00:16:45 +0000 -+++ src/gopher.cc 2017-06-22 15:31:46 +0000 -@@ -820,7 +820,7 @@ - * This will be called when request write is complete. Schedule read of reply. - */ - static void --gopherSendComplete(const Comm::ConnectionPointer &conn, char *buf, size_t size, Comm::Flag errflag, int xerrno, void *data) -+gopherSendComplete(const Comm::ConnectionPointer &conn, char *, size_t size, Comm::Flag errflag, int xerrno, void *data) - { - GopherStateData *gopherState = (GopherStateData *) data; - StoreEntry *entry = gopherState->entry; -@@ -840,10 +840,6 @@ - err->url = xstrdup(entry->url()); - gopherState->fwd->fail(err); - gopherState->serverConn->close(); -- -- if (buf) -- memFree(buf, MEM_4K_BUF); /* Allocated by gopherSendRequest. */ -- - return; - } - -@@ -885,9 +881,6 @@ - AsyncCall::Pointer call = commCbCall(5,5, "gopherReadReply", - CommIoCbPtrFun(gopherReadReply, gopherState)); - entry->delayAwareRead(conn, gopherState->replybuf, BUFSIZ, call); -- -- if (buf) -- memFree(buf, MEM_4K_BUF); /* Allocated by gopherSendRequest. */ - } - - /** -@@ -898,32 +891,31 @@ - gopherSendRequest(int fd, void *data) - { - GopherStateData *gopherState = (GopherStateData *)data; -- char *buf = (char *)memAllocate(MEM_4K_BUF); -+ MemBuf mb; -+ mb.init(); - - if (gopherState->type_id == GOPHER_CSO) { - const char *t = strchr(gopherState->request, '?'); - -- if (t != NULL) -+ if (t) - ++t; /* skip the ? */ - else - t = ""; - -- snprintf(buf, 4096, "query %s\r\nquit\r\n", t); -- } else if (gopherState->type_id == GOPHER_INDEX) { -- char *t = strchr(gopherState->request, '?'); -- -- if (t != NULL) -- *t = '\t'; -- -- snprintf(buf, 4096, "%s\r\n", gopherState->request); -+ mb.Printf("query %s\r\nquit", t); - } else { -- snprintf(buf, 4096, "%s\r\n", gopherState->request); -+ if (gopherState->type_id == GOPHER_INDEX) { -+ if (char *t = strchr(gopherState->request, '?')) -+ *t = '\t'; -+ } -+ mb.append(gopherState->request, strlen(gopherState->request)); - } -+ mb.append("\r\n", 2); - -- debugs(10, 5, HERE << gopherState->serverConn); -+ debugs(10, 5, gopherState->serverConn); - AsyncCall::Pointer call = commCbCall(5,5, "gopherSendComplete", - CommIoCbPtrFun(gopherSendComplete, gopherState)); -- Comm::Write(gopherState->serverConn, buf, strlen(buf), call, NULL); -+ Comm::Write(gopherState->serverConn, &mb, call); - - gopherState->entry->makePublic(); - } - -=== modified file 'src/icmp/Makefile.am' ---- src/icmp/Makefile.am 2017-01-01 00:16:45 +0000 -+++ src/icmp/Makefile.am 2017-06-22 15:31:46 +0000 -@@ -59,7 +59,8 @@ - pinger_LDFLAGS = $(LIBADD_DL) - pinger_LDADD=\ - libicmp-core.la \ -- ../ip/libip.la \ -+ $(top_builddir)/src/ip/libip.la \ -+ $(top_builddir)/src/base/libbase.la \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - - diff --git a/src/patches/squid/squid-3.5-14175.patch b/src/patches/squid/squid-3.5-14175.patch deleted file mode 100644 index a2a8a5d07..000000000 --- a/src/patches/squid/squid-3.5-14175.patch +++ /dev/null @@ -1,34 +0,0 @@ ------------------------------------------------------------- -revno: 14175 -revision-id: squid3(a)treenet.co.nz-20170629125627-socq6szqysvm9ifa -parent: squid3(a)treenet.co.nz-20170622153146-nxo8vl6a9r8z03v4 -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4112 -author: Sven Eisenberg <sven.eisenberg(a)lairdtech.com> -committer: Amos Jeffries <squid3(a)treenet.co.nz> -branch nick: 3.5 -timestamp: Fri 2017-06-30 00:56:27 +1200 -message: - Bug 4112: ssl_engine does not accept cryptodev ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3(a)treenet.co.nz-20170629125627-socq6szqysvm9ifa -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: c74e6941e5b6df8e36d26dd5c02389ae2955bc21 -# timestamp: 2017-06-29 13:51:04 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squid3(a)treenet.co.nz-20170622153146-\ -# nxo8vl6a9r8z03v4 -# -# Begin patch -=== modified file 'src/ssl/support.cc' ---- src/ssl/support.cc 2017-01-27 16:14:19 +0000 -+++ src/ssl/support.cc 2017-06-29 12:56:27 +0000 -@@ -737,6 +737,7 @@ - - #if HAVE_OPENSSL_ENGINE_H - if (Config.SSL.ssl_engine) { -+ ENGINE_load_builtin_engines(); - ENGINE *e; - if (!(e = ENGINE_by_id(Config.SSL.ssl_engine))) - fatalf("Unable to find SSL engine '%s'\n", Config.SSL.ssl_engine); - diff --git a/src/patches/squid/squid-3.5-14176.patch b/src/patches/squid/squid-3.5-14176.patch deleted file mode 100644 index 63141e388..000000000 --- a/src/patches/squid/squid-3.5-14176.patch +++ /dev/null @@ -1,42 +0,0 @@ ------------------------------------------------------------- -revno: 14176 -revision-id: squid3(a)treenet.co.nz-20170701073514-uzowexcysowqostf -parent: squid3(a)treenet.co.nz-20170629125627-socq6szqysvm9ifa -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4687 -author: Lubos Uhliarik <luhliari(a)redhat.com> -committer: Amos Jeffries <squid3(a)treenet.co.nz> -branch nick: 3.5 -timestamp: Sat 2017-07-01 19:35:14 +1200 -message: - Bug 4687: Wrong names of components in man page, section SEE ALSO ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3(a)treenet.co.nz-20170701073514-uzowexcysowqostf -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: 9099c98de3cb8fc125dd9952373de42c079b0ccc -# timestamp: 2017-07-01 07:45:05 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squid3(a)treenet.co.nz-20170629125627-\ -# socq6szqysvm9ifa -# -# Begin patch -=== modified file 'src/squid.8.in' ---- src/squid.8.in 2017-01-01 00:16:45 +0000 -+++ src/squid.8.in 2017-07-01 07:35:14 +0000 -@@ -265,11 +265,11 @@ - .SH SEE ALSO - .if !'po4a'hide' .B cachemgr.cgi "(8), " - .if !'po4a'hide' .B squidclient "(1), " --.if !'po4a'hide' .B pam_auth "(8), " --.if !'po4a'hide' .B squid_ldap_auth "(8), " --.if !'po4a'hide' .B squid_ldap_group "(8), " -+.if !'po4a'hide' .B basic_pam_auth "(8), " -+.if !'po4a'hide' .B basic_ldap_auth "(8), " -+.if !'po4a'hide' .B ext_ldap_group_acl "(8), " - .if !'po4a'hide' .B ext_session_acl "(8), " --.if !'po4a'hide' .B squid_unix_group "(8), " -+.if !'po4a'hide' .B ext_unix_group_acl "(8), " - .br - The Squid FAQ wiki - .if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq - diff --git a/src/patches/squid/squid-3.5-14177.patch b/src/patches/squid/squid-3.5-14177.patch deleted file mode 100644 index c9920adaf..000000000 --- a/src/patches/squid/squid-3.5-14177.patch +++ /dev/null @@ -1,52 +0,0 @@ ------------------------------------------------------------- -revno: 14177 -revision-id: squid3(a)treenet.co.nz-20170701073754-4x1i6p5s1gzk73co -parent: squid3(a)treenet.co.nz-20170701073514-uzowexcysowqostf -committer: Amos Jeffries <squid3(a)treenet.co.nz> -branch nick: 3.5 -timestamp: Sat 2017-07-01 19:37:54 +1200 -message: - basic_ncsa_auth: fix hash listing wrap in man(8) page - - '*' list bullet points must be indented with whitespace. - If they are not the list is treated as a single wrapped paragraph. ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3(a)treenet.co.nz-20170701073754-4x1i6p5s1gzk73co -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: ffd783ab19a438c56affcdc6c1d106fa00403f4f -# timestamp: 2017-07-01 07:45:09 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squid3(a)treenet.co.nz-20170701073514-\ -# uzowexcysowqostf -# -# Begin patch -=== modified file 'helpers/basic_auth/NCSA/basic_ncsa_auth.8' ---- helpers/basic_auth/NCSA/basic_ncsa_auth.8 2017-01-01 00:16:45 +0000 -+++ helpers/basic_auth/NCSA/basic_ncsa_auth.8 2017-07-01 07:37:54 +0000 -@@ -18,15 +18,15 @@ - .PP - This authenticator accepts: - .BR --* Blowfish - for passwords 72 characters or less in length --.BR --* SHA256 - with salting and magic strings --.BR --* SHA512 - with salting and magic strings --.BR --* MD5 - with optional salt and magic strings --.BR --* DES - for passwords 8 characters or less in length -+ * Blowfish \- for passwords 72 characters or less in length. -+.BR -+ * SHA256 \- with salting and magic strings. -+.BR -+ * SHA512 \- with salting and magic strings. -+.BR -+ * MD5 \- with optional salt and magic strings. -+.BR -+ * DES \- for passwords 8 characters or less in length. - . - NOTE: Blowfish and SHA algorithms require system-specific support. - . - diff --git a/src/patches/squid/squid-3.5-14178.patch b/src/patches/squid/squid-3.5-14178.patch deleted file mode 100644 index 1a95150d3..000000000 --- a/src/patches/squid/squid-3.5-14178.patch +++ /dev/null @@ -1,36 +0,0 @@ ------------------------------------------------------------- -revno: 14178 -revision-id: squid3(a)treenet.co.nz-20170701081116-xekwolj1wdkeaxqv -parent: squid3(a)treenet.co.nz-20170701073754-4x1i6p5s1gzk73co -author: Alex Rousskov <rousskov(a)measurement-factory.com> -committer: Amos Jeffries <squid3(a)treenet.co.nz> -branch nick: 3.5 -timestamp: Sat 2017-07-01 20:11:16 +1200 -message: - Fix message packing error handling in mgr and snmp SMP Forwarders. - - A missing "return" resulted in Forwarders sending garbage (or worse) to - Coordinator. ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3(a)treenet.co.nz-20170701081116-xekwolj1wdkeaxqv -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: a593abc992a79d4539dede76b4f63e013f96d33a -# timestamp: 2017-07-01 08:51:30 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squid3(a)treenet.co.nz-20170701073754-\ -# 4x1i6p5s1gzk73co -# -# Begin patch -=== modified file 'src/ipc/Forwarder.cc' ---- src/ipc/Forwarder.cc 2017-01-01 00:16:45 +0000 -+++ src/ipc/Forwarder.cc 2017-07-01 08:11:16 +0000 -@@ -62,6 +62,7 @@ - // assume the pack() call failed because the message did not fit - // TODO: add a more specific exception? - handleError(); -+ return; - } - - SendMessage(Ipc::Port::CoordinatorAddr(), message); - diff --git a/src/patches/squid/squid-3.5-14179.patch b/src/patches/squid/squid-3.5-14179.patch deleted file mode 100644 index 112bdb093..000000000 --- a/src/patches/squid/squid-3.5-14179.patch +++ /dev/null @@ -1,105 +0,0 @@ ------------------------------------------------------------- -revno: 14179 -revision-id: squid3(a)treenet.co.nz-20170701095916-wknqmneq2w0mxt6a -parent: squid3(a)treenet.co.nz-20170701081116-xekwolj1wdkeaxqv -author: Alex Rousskov <rousskov(a)measurement-factory.com> -committer: Amos Jeffries <squid3(a)treenet.co.nz> -branch nick: 3.5 -timestamp: Sat 2017-07-01 21:59:16 +1200 -message: - Fix mgr query handoff from the original recipient to Coordinator. - - This bug has already been fixed once, in trunk r11164.1.61, but that fix - was accidentally undone shortly after, during significant cross-branch - merging activity combined with the Forwarder class split. The final - merge importing the associated code (trunk r11730) was buggy. - - The bug (explained in r11164.1.61) leads to a race condition between - - * Store notifying Server classes about the entry completion (which might - trigger a bogus error message sent to the cache manager client while - Coordinator sends its own valid response on the same connection!) and - - * post-cleanup() connection closure handlers of Server classes silently - closing everything (and leaving Coordinator the only responding - process on that shared connection). - - The bug probably was not noticed for so long because, evidently, the - latter actions tend to win in the current code. ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3(a)treenet.co.nz-20170701095916-wknqmneq2w0mxt6a -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: c7e89c80468c7f388f7e09ad2d68a245789db50d -# timestamp: 2017-07-01 10:51:12 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squid3(a)treenet.co.nz-20170701081116-\ -# xekwolj1wdkeaxqv -# -# Begin patch -=== modified file 'src/ipc/Forwarder.h' ---- src/ipc/Forwarder.h 2017-01-01 00:16:45 +0000 -+++ src/ipc/Forwarder.h 2017-07-01 09:59:16 +0000 -@@ -47,12 +47,14 @@ - virtual void handleError(); - virtual void handleTimeout(); - virtual void handleException(const std::exception& e); -- virtual void handleRemoteAck(); - - private: - static void RequestTimedOut(void* param); - void requestTimedOut(); - void removeTimeoutEvent(); -+ -+ void handleRemoteAck(); -+ - static AsyncCall::Pointer DequeueRequest(unsigned int requestId); - - protected: - -=== modified file 'src/mgr/Forwarder.cc' ---- src/mgr/Forwarder.cc 2017-01-01 00:16:45 +0000 -+++ src/mgr/Forwarder.cc 2017-07-01 09:59:16 +0000 -@@ -102,17 +102,6 @@ - mustStop("commClosed"); - } - --/// called when Coordinator starts processing the request --void --Mgr::Forwarder::handleRemoteAck() --{ -- Ipc::Forwarder::handleRemoteAck(); -- -- Must(entry != NULL); -- EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT); -- entry->complete(); --} -- - /// send error page - void - Mgr::Forwarder::sendError(ErrorState *error) - -=== modified file 'src/mgr/Forwarder.h' ---- src/mgr/Forwarder.h 2017-01-01 00:16:45 +0000 -+++ src/mgr/Forwarder.h 2017-07-01 09:59:16 +0000 -@@ -40,7 +40,6 @@ - virtual void handleError(); - virtual void handleTimeout(); - virtual void handleException(const std::exception& e); -- virtual void handleRemoteAck(); - - private: - void noteCommClosed(const CommCloseCbParams& params); - -=== modified file 'src/tests/stub_libmgr.cc' ---- src/tests/stub_libmgr.cc 2017-01-01 00:16:45 +0000 -+++ src/tests/stub_libmgr.cc 2017-07-01 09:59:16 +0000 -@@ -100,7 +100,6 @@ - void Mgr::Forwarder::handleError() STUB - void Mgr::Forwarder::handleTimeout() STUB - void Mgr::Forwarder::handleException(const std::exception& e) STUB --void Mgr::Forwarder::handleRemoteAck() STUB - - #include "mgr/FunAction.h" - Mgr::Action::Pointer Mgr::FunAction::Create(const CommandPointer &cmd, OBJH *aHandler) STUB_RETVAL(dummyAction) - diff --git a/src/patches/squid/squid-3.5-14180.patch b/src/patches/squid/squid-3.5-14180.patch deleted file mode 100644 index 01d11cd03..000000000 --- a/src/patches/squid/squid-3.5-14180.patch +++ /dev/null @@ -1,448 +0,0 @@ ------------------------------------------------------------- -revno: 14180 -revision-id: squid3(a)treenet.co.nz-20170701120848-q2xznzfvxb4kwvb6 -parent: squid3(a)treenet.co.nz-20170701095916-wknqmneq2w0mxt6a -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4464 -author: Christos Tsantilas <chtsanti(a)users.sourceforge.net> -committer: Amos Jeffries <squid3(a)treenet.co.nz> -branch nick: 3.5 -timestamp: Sun 2017-07-02 00:08:48 +1200 -message: - Bug 4464: Reduce "!Comm::MonitorsRead(serverConnection->fd)" assertions. - - * Protect Squid Client classes from new requests that compete with - ongoing pinned connection use and - * resume dealing with new requests when those Client classes are done - using the pinned connection. - - Replaced primary ConnStateData::pinConnection() calls with a pair of - pinBusyConnection() and notePinnedConnectionBecameIdle() calls, - depending on the pinned connection state ("busy" or "idle"). - - Removed pinConnection() parameters that were not longer used or could be computed from the remaining parameters. - - Removed ConnStateData::httpsPeeked() code "hiding" the originating - request and connection peer details while entering the first "idle" - state. The old (trunk r11880.1.6) bump-server-first code used a pair of - NULLs because "Intercepted connections do not have requests at the - connection pinning stage", but that limitation no longer applicable - because Squid always fakes (when intercepting) or parses (a CONNECT) - request now, even during SslBump step1. - - The added XXX and TODOs are not directly related to this fix. They - were added to document problems discovered while working on this fix. - - In v3.5 code, the same problems manifest as Read.cc - "fd_table[conn->fd].halfClosedReader != NULL" assertions. - - This is a Measurement Factory project ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3(a)treenet.co.nz-20170701120848-q2xznzfvxb4kwvb6 -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: e4f432eed8a845431d4bbbf023de04d682adeaff -# timestamp: 2017-07-01 12:32:26 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squid3(a)treenet.co.nz-20170701095916-\ -# wknqmneq2w0mxt6a -# -# Begin patch -=== modified file 'src/FwdState.cc' ---- src/FwdState.cc 2017-01-01 00:16:45 +0000 -+++ src/FwdState.cc 2017-07-01 12:08:48 +0000 -@@ -246,7 +246,7 @@ - #if USE_OPENSSL - if (request->flags.sslPeek && request->clientConnectionManager.valid()) { - CallJobHere1(17, 4, request->clientConnectionManager, ConnStateData, -- ConnStateData::httpsPeeked, Comm::ConnectionPointer(NULL)); -+ ConnStateData::httpsPeeked, ConnStateData::PinnedIdleContext(Comm::ConnectionPointer(nullptr), request)); - } - #endif - } else { -@@ -952,7 +952,7 @@ - #if USE_OPENSSL - if (request->flags.sslPeek) { - CallJobHere1(17, 4, request->clientConnectionManager, ConnStateData, -- ConnStateData::httpsPeeked, serverConnection()); -+ ConnStateData::httpsPeeked, ConnStateData::PinnedIdleContext(serverConnection(), request)); - unregister(serverConn); // async call owns it now - complete(); // destroys us - return; - -=== modified file 'src/base/RefCount.h' ---- src/base/RefCount.h 2017-01-01 00:16:45 +0000 -+++ src/base/RefCount.h 2017-07-01 12:08:48 +0000 -@@ -54,9 +54,7 @@ - - C & operator * () const {return *const_cast<C *>(p_); } - -- C const * getRaw() const {return p_; } -- -- C * getRaw() {return const_cast<C *>(p_); } -+ C * getRaw() const { return const_cast<C *>(p_); } - - bool operator == (const RefCount& p) const { - return p.p_ == p_; - -=== modified file 'src/client_side.cc' ---- src/client_side.cc 2017-05-29 13:15:55 +0000 -+++ src/client_side.cc 2017-07-01 12:08:48 +0000 -@@ -836,6 +836,7 @@ - assert(areAllContextsForThisConnection()); - freeAllContexts(); - -+ // XXX: Closing pinned conn is too harsh: The Client may want to continue! - unpinConnection(true); - - if (Comm::IsConnOpen(clientConnection)) -@@ -1559,6 +1560,13 @@ - - debugs(33, 3, HERE << "ConnnStateData(" << conn->clientConnection << "), Context(" << clientConnection << ")"); - connIsFinished(); -+ conn->kick(); -+} -+ -+void -+ConnStateData::kick() -+{ -+ ConnStateData * conn = this; // XXX: Remove this diff minimization hack - - if (conn->pinning.pinned && !Comm::IsConnOpen(conn->pinning.serverConnection)) { - debugs(33, 2, HERE << conn->clientConnection << " Connection was pinned but server side gone. Terminating client connection"); -@@ -3240,6 +3248,13 @@ - if (in.buf.isEmpty()) - break; - -+ // Prohibit concurrent requests when using a pinned to-server connection -+ // because our Client classes do not support request pipelining. -+ if (pinning.pinned && !pinning.readHandler) { -+ debugs(33, 3, clientConnection << " waits for busy " << pinning.serverConnection); -+ break; -+ } -+ - /* Limit the number of concurrent requests */ - if (concurrentRequestQueueFilled()) - break; -@@ -4434,22 +4449,19 @@ - } - - void --ConnStateData::httpsPeeked(Comm::ConnectionPointer serverConnection) -+ConnStateData::httpsPeeked(PinnedIdleContext pic) - { - Must(sslServerBump != NULL); -+ Must(sslServerBump->request == pic.request); -+ Must(currentobject == NULL || currentobject->http == NULL || currentobject->http->request == pic.request.getRaw()); - -- if (Comm::IsConnOpen(serverConnection)) { -- pinConnection(serverConnection, NULL, NULL, false); -+ if (Comm::IsConnOpen(pic.connection)) { -+ notePinnedConnectionBecameIdle(pic); - - debugs(33, 5, HERE << "bumped HTTPS server: " << sslConnectHostOrIp); -- } else { -+ } else - debugs(33, 5, HERE << "Error while bumping: " << sslConnectHostOrIp); - -- // copy error detail from bump-server-first request to CONNECT request -- if (currentobject != NULL && currentobject->http != NULL && currentobject->http->request) -- currentobject->http->request->detailError(sslServerBump->request->errType, sslServerBump->request->errDetail); -- } -- - getSslContextStart(); - } - -@@ -4952,19 +4964,35 @@ - } - - void --ConnStateData::pinConnection(const Comm::ConnectionPointer &pinServer, HttpRequest *request, CachePeer *aPeer, bool auth, bool monitor) --{ -- if (!Comm::IsConnOpen(pinning.serverConnection) || -- pinning.serverConnection->fd != pinServer->fd) -- pinNewConnection(pinServer, request, aPeer, auth); -- -- if (monitor) -- startPinnedConnectionMonitoring(); --} -- --void --ConnStateData::pinNewConnection(const Comm::ConnectionPointer &pinServer, HttpRequest *request, CachePeer *aPeer, bool auth) --{ -+ConnStateData::pinBusyConnection(const Comm::ConnectionPointer &pinServer, const HttpRequest::Pointer &request) -+{ -+ pinConnection(pinServer, request); -+} -+ -+void -+ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic) -+{ -+ Must(pic.connection != NULL); -+ Must(pic.request != NULL); -+ pinConnection(pic.connection, pic.request); -+ -+ // monitor pinned server connection for remote-end closures. -+ startPinnedConnectionMonitoring(); -+ -+ if (!currentobject) -+ kick(); // in case clientParseRequests() was blocked by a busy pic.connection -+} -+ -+/// Forward future client requests using the given server connection. -+void -+ConnStateData::pinConnection(const Comm::ConnectionPointer &pinServer, const HttpRequest::Pointer &request) -+{ -+ if (Comm::IsConnOpen(pinning.serverConnection) && -+ pinning.serverConnection->fd == pinServer->fd) { -+ debugs(33, 3, "already pinned" << pinServer); -+ return; -+ } -+ - unpinConnection(true); // closes pinned connection, if any, and resets fields - - pinning.serverConnection = pinServer; -@@ -4973,23 +5001,21 @@ - - Must(pinning.serverConnection != NULL); - -- // when pinning an SSL bumped connection, the request may be NULL - const char *pinnedHost = "[unknown]"; -- if (request) { -+ if (request != NULL) { - pinning.host = xstrdup(request->GetHost()); - pinning.port = request->port; - pinnedHost = pinning.host; -+ pinning.auth = request->flags.connectionAuth; - } else { - pinning.port = pinServer->remote.port(); - } - pinning.pinned = true; -- if (aPeer) -- pinning.peer = cbdataReference(aPeer); -- pinning.auth = auth; -+ pinning.peer = cbdataReference(pinServer->getPeer()); - char stmp[MAX_IPSTRLEN]; - char desc[FD_DESC_SZ]; - snprintf(desc, FD_DESC_SZ, "%s pinned connection for %s (%d)", -- (auth || !aPeer) ? pinnedHost : aPeer->name, -+ (pinning.auth || !pinning.peer) ? pinnedHost : pinning.peer->name, - clientConnection->remote.toUrl(stmp,MAX_IPSTRLEN), - clientConnection->fd); - fd_note(pinning.serverConnection->fd, desc); -@@ -5164,3 +5190,8 @@ - * connection has gone away */ - } - -+std::ostream & -+operator <<(std::ostream &os, const ConnStateData::PinnedIdleContext &pic) -+{ -+ return os << pic.connection << ", request=" << pic.request; -+} - -=== modified file 'src/client_side.h' ---- src/client_side.h 2017-01-01 00:16:45 +0000 -+++ src/client_side.h 2017-07-01 12:08:48 +0000 -@@ -26,6 +26,8 @@ - #include "ssl/support.h" - #endif - -+#include <iosfwd> -+ - class ConnStateData; - class ClientHttpRequest; - class clientStreamNode; -@@ -188,6 +190,11 @@ - /// Traffic parsing - bool clientParseRequests(); - void readNextRequest(); -+ -+ // In v3.5, usually called via ClientSocketContext::keepaliveNextRequest(). -+ /// try to make progress on a transaction or read more I/O -+ void kick(); -+ - ClientSocketContext::Pointer getCurrentContext() const; - void addContextToQueue(ClientSocketContext * context); - int getConcurrentRequestCount() const; -@@ -287,9 +294,21 @@ - bool handleReadData(); - bool handleRequestBodyData(); - -- /// Forward future client requests using the given server connection. -- /// Optionally, monitor pinned server connection for remote-end closures. -- void pinConnection(const Comm::ConnectionPointer &pinServerConn, HttpRequest *request, CachePeer *peer, bool auth, bool monitor = true); -+ /// parameters for the async notePinnedConnectionBecameIdle() call -+ class PinnedIdleContext -+ { -+ public: -+ PinnedIdleContext(const Comm::ConnectionPointer &conn, const HttpRequest::Pointer &req): connection(conn), request(req) {} -+ -+ Comm::ConnectionPointer connection; ///< to-server connection to be pinned -+ HttpRequest::Pointer request; ///< to-server request that initiated serverConnection -+ }; -+ -+ /// Called when a pinned connection becomes available for forwarding the next request. -+ void notePinnedConnectionBecameIdle(PinnedIdleContext pic); -+ /// Forward future client requests using the given to-server connection. -+ /// The connection is still being used by the current client request. -+ void pinBusyConnection(const Comm::ConnectionPointer &pinServerConn, const HttpRequest::Pointer &request); - /// Undo pinConnection() and, optionally, close the pinned connection. - void unpinConnection(const bool andClose); - /// Returns validated pinnned server connection (and stops its monitoring). -@@ -345,7 +364,7 @@ - /// generated - void doPeekAndSpliceStep(); - /// called by FwdState when it is done bumping the server -- void httpsPeeked(Comm::ConnectionPointer serverConnection); -+ void httpsPeeked(PinnedIdleContext pic); - - /// Start to create dynamic SSL_CTX for host or uses static port SSL context. - void getSslContextStart(); -@@ -449,7 +468,7 @@ - void clientAfterReadingRequests(); - bool concurrentRequestQueueFilled() const; - -- void pinNewConnection(const Comm::ConnectionPointer &pinServer, HttpRequest *request, CachePeer *aPeer, bool auth); -+ void pinConnection(const Comm::ConnectionPointer &pinServerConn, const HttpRequest::Pointer &request); - - /* PROXY protocol functionality */ - bool proxyProtocolValidateClient(); -@@ -516,5 +535,7 @@ - void clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *context, const HttpRequestMethod& method, Http::ProtocolVersion http_ver); - void clientPostHttpsAccept(ConnStateData *connState); - -+std::ostream &operator <<(std::ostream &os, const ConnStateData::PinnedIdleContext &pic); -+ - #endif /* SQUID_CLIENTSIDE_H */ - - -=== modified file 'src/clients/FtpRelay.cc' ---- src/clients/FtpRelay.cc 2017-01-01 00:16:45 +0000 -+++ src/clients/FtpRelay.cc 2017-07-01 12:08:48 +0000 -@@ -210,9 +210,10 @@ - mgr->unpinConnection(false); - ctrl.close(); - } else { -- mgr->pinConnection(ctrl.conn, fwd->request, -- ctrl.conn->getPeer(), -- fwd->request->flags.connectionAuth); -+ CallJobHere1(9, 4, mgr, -+ ConnStateData, -+ notePinnedConnectionBecameIdle, -+ ConnStateData::PinnedIdleContext(ctrl.conn, fwd->request)); - ctrl.forget(); - } - } - -=== modified file 'src/http.cc' ---- src/http.cc 2017-06-15 00:16:33 +0000 -+++ src/http.cc 2017-07-01 12:08:48 +0000 -@@ -1383,9 +1383,6 @@ - void - HttpStateData::processReplyBody() - { -- Ip::Address client_addr; -- bool ispinned = false; -- - if (!flags.headers_parsed) { - flags.do_next_read = true; - maybeReadVirginBody(); -@@ -1435,35 +1432,49 @@ - } - break; - -- case COMPLETE_PERSISTENT_MSG: -+ case COMPLETE_PERSISTENT_MSG: { - debugs(11, 5, "processReplyBody: COMPLETE_PERSISTENT_MSG from " << serverConnection); -- /* yes we have to clear all these! */ -+ -+ // TODO: Remove serverConnectionSaved but preserve exception safety. -+ - commUnsetConnTimeout(serverConnection); - flags.do_next_read = false; - - comm_remove_close_handler(serverConnection->fd, closeHandler); - closeHandler = NULL; -- fwd->unregister(serverConnection); - -+ Ip::Address client_addr; // XXX: Remove as unused. Why was it added? - if (request->flags.spoofClientIp) - client_addr = request->client_addr; - -+ Comm::ConnectionPointer serverConnectionSaved = serverConnection; -+ fwd->unregister(serverConnection); -+ serverConnection = nullptr; -+ -+ bool ispinned = false; // TODO: Rename to isOrShouldBePinned - if (request->flags.pinned) { - ispinned = true; - } else if (request->flags.connectionAuth && request->flags.authSent) { - ispinned = true; - } - -- if (ispinned && request->clientConnectionManager.valid()) { -- request->clientConnectionManager->pinConnection(serverConnection, request, _peer, -- (request->flags.connectionAuth)); -+ if (ispinned) { -+ if (request->clientConnectionManager.valid()) { -+ CallJobHere1(11, 4, request->clientConnectionManager, -+ ConnStateData, -+ notePinnedConnectionBecameIdle, -+ ConnStateData::PinnedIdleContext(serverConnectionSaved, request)); -+ } else { -+ // must not pool/share ispinned connections, even orphaned ones -+ serverConnectionSaved->close(); -+ } - } else { -- fwd->pconnPush(serverConnection, request->GetHost()); -+ fwd->pconnPush(serverConnectionSaved, request->GetHost()); - } - -- serverConnection = NULL; - serverComplete(); - return; -+ } - - case COMPLETE_NONPERSISTENT_MSG: - debugs(11, 5, "processReplyBody: COMPLETE_NONPERSISTENT_MSG from " << serverConnection); - -=== modified file 'src/servers/FtpServer.cc' ---- src/servers/FtpServer.cc 2017-02-26 11:09:42 +0000 -+++ src/servers/FtpServer.cc 2017-07-01 12:08:48 +0000 -@@ -301,12 +301,8 @@ - Must(http != NULL); - HttpRequest *const request = http->request; - Must(request != NULL); -- -- // this is not an idle connection, so we do not want I/O monitoring -- const bool monitor = false; -- - // make FTP peer connection exclusive to our request -- pinConnection(conn, request, conn->getPeer(), false, monitor); -+ pinBusyConnection(conn, request); - } - - void - -=== modified file 'src/tests/stub_client_side.cc' ---- src/tests/stub_client_side.cc 2017-01-01 00:16:45 +0000 -+++ src/tests/stub_client_side.cc 2017-07-01 12:08:48 +0000 -@@ -60,7 +60,8 @@ - void ConnStateData::noteBodyConsumerAborted(BodyPipe::Pointer) STUB - bool ConnStateData::handleReadData() STUB_RETVAL(false) - bool ConnStateData::handleRequestBodyData() STUB_RETVAL(false) --void ConnStateData::pinConnection(const Comm::ConnectionPointer &pinServerConn, HttpRequest *request, CachePeer *peer, bool auth, bool monitor) STUB -+void ConnStateData::pinBusyConnection(const Comm::ConnectionPointer &, const HttpRequest::Pointer &) STUB -+void ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext) STUB - void ConnStateData::unpinConnection(const bool andClose) STUB - const Comm::ConnectionPointer ConnStateData::validatePinnedConnection(HttpRequest *request, const CachePeer *peer) STUB_RETVAL(NULL) - void ConnStateData::clientPinnedConnectionClosed(const CommCloseCbParams &io) STUB -@@ -70,7 +71,7 @@ - void ConnStateData::swanSong() STUB - void ConnStateData::quitAfterError(HttpRequest *request) STUB - #if USE_OPENSSL --void ConnStateData::httpsPeeked(Comm::ConnectionPointer serverConnection) STUB -+void ConnStateData::httpsPeeked(PinnedIdleContext) STUB - void ConnStateData::getSslContextStart() STUB - void ConnStateData::getSslContextDone(SSL_CTX * sslContext, bool isNew) STUB - void ConnStateData::sslCrtdHandleReplyWrapper(void *data, const Helper::Reply &reply) STUB - diff --git a/src/patches/squid/squid-3.5-14181.patch b/src/patches/squid/squid-3.5-14181.patch deleted file mode 100644 index 4516d6033..000000000 --- a/src/patches/squid/squid-3.5-14181.patch +++ /dev/null @@ -1,30 +0,0 @@ ------------------------------------------------------------- -revno: 14181 -revision-id: squidadm(a)squid-cache.org-20170701121615-ktx76udds2mzmc6c -parent: squid3(a)treenet.co.nz-20170701120848-q2xznzfvxb4kwvb6 -committer: Source Maintenance <squidadm(a)squid-cache.org> -branch nick: 3.5 -timestamp: Sat 2017-07-01 12:16:15 +0000 -message: - SourceFormat Enforcement ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squidadm(a)squid-cache.org-20170701121615-\ -# ktx76udds2mzmc6c -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: d7942d1260def31f62ccc820a44bb769381beae2 -# timestamp: 2017-07-01 12:32:29 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squid3(a)treenet.co.nz-20170701120848-\ -# q2xznzfvxb4kwvb6 -# -# Begin patch -=== modified file 'src/client_side.cc' ---- src/client_side.cc 2017-07-01 12:08:48 +0000 -+++ src/client_side.cc 2017-07-01 12:16:15 +0000 -@@ -5195,3 +5195,4 @@ - { - return os << pic.connection << ", request=" << pic.request; - } -+ - diff --git a/src/patches/squid/squid-3.5-14182.patch b/src/patches/squid/squid-3.5-14182.patch deleted file mode 100644 index 335488107..000000000 --- a/src/patches/squid/squid-3.5-14182.patch +++ /dev/null @@ -1,35 +0,0 @@ ------------------------------------------------------------- -revno: 14182 -revision-id: squid3(a)treenet.co.nz-20170701232253-3beaysa03xf5c67p -parent: squidadm(a)squid-cache.org-20170701121615-ktx76udds2mzmc6c -committer: Amos Jeffries <squid3(a)treenet.co.nz> -branch nick: 3.5 -timestamp: Sun 2017-07-02 11:22:53 +1200 -message: - Fix build on FreeBSD after rev.14180 - - RefCount<> does not support assignment from nullptr with C++03 ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3(a)treenet.co.nz-20170701232253-3beaysa03xf5c67p -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: d5ecf68c60c022783f69311e9049e546be8fa1a0 -# timestamp: 2017-07-01 23:50:58 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squidadm(a)squid-cache.org-20170701121615-\ -# ktx76udds2mzmc6c -# -# Begin patch -=== modified file 'src/http.cc' ---- src/http.cc 2017-07-01 12:08:48 +0000 -+++ src/http.cc 2017-07-01 23:22:53 +0000 -@@ -1449,7 +1449,7 @@ - - Comm::ConnectionPointer serverConnectionSaved = serverConnection; - fwd->unregister(serverConnection); -- serverConnection = nullptr; -+ serverConnection = NULL; - - bool ispinned = false; // TODO: Rename to isOrShouldBePinned - if (request->flags.pinned) { - -- 2.14.1

1 0

[PATCH] rules.pl: fix missing blank in 'if'-condition
by Matthias Fischer 21 Aug '17

21 Aug '17

Triggered by https://forum.ipfire.org/viewtopic.php?f=22&t=19304 Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/firewall/rules.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 8b0c6ddc8..efbe9cfef 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -608,7 +608,7 @@ sub geoipblock { # create iptables rules, if blocking this country # is enabled. foreach my $location (@locations) { - if($geoipsettings{$location} eq "on") { + if ($geoipsettings{$location} eq "on") { run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP"); } } -- 2.14.1

2 2

RE: [PATCH 2/2] Update to apache 2.4.27
by Wolfgang Apolinarski 21 Aug '17

21 Aug '17

Hi Michael, > > this patch looks quite good I think. A few small comments below... > > On Tue, 2017-08-15 at 22:43 +0200, Wolfgang Apolinarski wrote: > > - Updated to apache 2.4 > > - Updated the htpasswd generation to use the more secure bcrypt > > algorithm > > --- > > config/httpd/httpd.conf | 4 +- > > config/httpd/loadmodule.conf | 10 +- > > config/httpd/server-tuning.conf | 10 +- > > config/httpd/ssl-global.conf | 5 - > > config/httpd/vhosts.d/ipfire-interface-ssl.conf | 20 +- > > config/httpd/vhosts.d/ipfire-interface.conf | 18 +- > > config/httpd/vhosts.d/nagios.conf | 14 +- > > config/httpd/vhosts.d/openmailadmin.conf | 3 +- > > config/icinga/icinga.conf | 6 - > > config/nagiosql/nagios.conf | 17 +- > > config/owncloud/owncloud.conf | 3 +- > > config/php/php.ini | 2 +- > > config/phpSANE/phpSANE.conf | 3 +- > > config/rootfiles/common/apache2 | 604 > > +++++++++++++++++------- > > config/rootfiles/common/php | 7 +- > > lfs/apache2 | 28 +- > > src/setup/passwords.c | 2 +- > > 17 files changed, 498 insertions(+), 258 deletions(-) > > > > diff --git a/config/httpd/httpd.conf b/config/httpd/httpd.conf > > index 9c1fb2b10..14dcc735c 100644 > > --- a/config/httpd/httpd.conf > > +++ b/config/httpd/httpd.conf > > @@ -65,7 +65,6 @@ Include /etc/httpd/conf/global.conf > > > > # associate MIME types with filename extensions > > TypesConfig /etc/mime.types > > -DefaultType text/plain > > > > # global (server-wide) SSL configuration, that is not specific to > > # any virtual host > > @@ -80,8 +79,7 @@ Include /etc/httpd/conf/ssl-global.conf > > AccessFileName .htaccess > > # and never show them > > <Files ~ "^\.ht"> > > - Order allow,deny > > - Deny from all > > + Require all denied > > </Files> > > > > # List of resources to look for when the client requests a directory > > diff --git a/config/httpd/loadmodule.conf > > b/config/httpd/loadmodule.conf > > index e30f79b28..249221e8c 100644 > > --- a/config/httpd/loadmodule.conf > > +++ b/config/httpd/loadmodule.conf > > @@ -1,8 +1,11 @@ > > LoadModule authn_file_module /usr/lib/apache/mod_authn_file.so > > +LoadModule unixd_module /usr/lib/apache/mod_unixd.so > > #LoadModule authn_dbm_module /usr/lib/apache/mod_authn_dbm.so > > #LoadModule authn_anon_module /usr/lib/apache/mod_authn_anon.so > > #LoadModule authn_dbd_module /usr/lib/apache/mod_authn_dbd.so > > #LoadModule authn_default_module > > /usr/lib/apache/mod_authn_default.so > > +LoadModule authn_core_module /usr/lib/apache/mod_authn_core.so > > +LoadModule authz_core_module /usr/lib/apache/mod_authz_core.so > > LoadModule authz_host_module /usr/lib/apache/mod_authz_host.so > > #LoadModule authz_groupfile_module > > /usr/lib/apache/mod_authz_groupfile.so > > LoadModule authz_user_module /usr/lib/apache/mod_authz_user.so > > @@ -10,7 +13,7 @@ LoadModule authz_user_module > > /usr/lib/apache/mod_authz_user.so > > #LoadModule authz_owner_module /usr/lib/apache/mod_authz_owner.so > > #LoadModule authz_default_module > > /usr/lib/apache/mod_authz_default.so > > LoadModule auth_basic_module /usr/lib/apache/mod_auth_basic.so > > -LoadModule auth_digest_module /usr/lib/apache/mod_auth_digest.so > > +#LoadModule auth_digest_module /usr/lib/apache/mod_auth_digest.so > > Any reason this is suddenly deactivated? I know we don't really use > this anywhere but just asking... Yes, I wrote a mail on the 18th of May that explained the modules and the changes (ok, that is long ago). Since you suggested that fewer modules result in a smaller attack surface, I disabled this module. In general, auth digest is not secure and not even more secure than basic auth: To cite the apache documentation: "Another problem is that the storage of the passwords on the server is insecure. The contents of a stolen htdigest file can be used directly for digest authentication." Since almost no one is using auth digest and it gives no security advantage, I thought that disabling the module makes sense. > > > #LoadModule dbd_module /usr/lib/apache/mod_dbd.so > > #LoadModule dumpio_module /usr/lib/apache/mod_dumpio.so > > #LoadModule ext_filter_module /usr/lib/apache/mod_ext_filter.so > > @@ -33,10 +36,10 @@ LoadModule setenvif_module > > /usr/lib/apache/mod_setenvif.so > > LoadModule mime_module /usr/lib/apache/mod_mime.so > > #LoadModule dav_module /usr/lib/apache/mod_dav.so > > #LoadModule status_module /usr/lib/apache/mod_status.so > > -LoadModule autoindex_module /usr/lib/apache/mod_autoindex.so > > +#LoadModule autoindex_module /usr/lib/apache/mod_autoindex.so > > Why is the autoindex module deactivated? I deactivated all modules that are currently not in use. Actually, the autoindex may lead to potential privacy issues, especially since the web server may be used by several extensions. Although the web server should only be reachable from the inner network, a user could change that configuration. If autoindexing is necessary, the module can be activated quite easily manually. Of course, I can activate it, if you think that this should be the default. > > > #LoadModule asis_module /usr/lib/apache/mod_asis.so > > #LoadModule info_module /usr/lib/apache/mod_info.so > > -LoadModule cgi_module /usr/lib/apache/mod_cgi.so > > +LoadModule cgid_module /usr/lib/apache/mod_cgid.so > > #LoadModule dav_fs_module /usr/lib/apache/mod_dav_fs.so > > #LoadModule vhost_alias_module /usr/lib/apache/mod_vhost_alias.so > > #LoadModule negotiation_module /usr/lib/apache/mod_negotiation.so > > @@ -47,5 +50,6 @@ LoadModule dir_module /usr/lib/apache/mod_dir.so > > #LoadModule userdir_module /usr/lib/apache/mod_userdir.so > > LoadModule alias_module /usr/lib/apache/mod_alias.so > > LoadModule rewrite_module /usr/lib/apache/mod_rewrite.so > > +LoadModule socache_shmcb_module /usr/lib/apache/mod_socache_shmcb.so > > Do we need this module? Yes, it is used by the SSLSessionCache. > > > LoadModule ssl_module /usr/lib/apache/mod_ssl.so > > LoadModule php5_module /usr/lib/apache/libphp5.so > > diff --git a/config/httpd/server-tuning.conf b/config/httpd/server- > > tuning.conf > > index 90410186d..5edfb990e 100644 > > --- a/config/httpd/server-tuning.conf > > +++ b/config/httpd/server-tuning.conf > > @@ -17,10 +17,12 @@ MaxKeepAliveRequests 100 > > # > > KeepAliveTimeout 15 > > > > -MinSpareServers 1 > > -MaxSpareServers 10 > > -StartServers 2 > > -MaxClients 256 > > +MinSpareThreads 1 > > +MaxSpareThreads 11 > > +StartServers 1 > > +MaxRequestWorkers 10 > > +MaxConnectionsPerChild 100 > > +ThreadsPerChild 10 > > For what reason did you change the number of started servers and > clients. We recently adjusted this a little since there were problems > with update accelerator in large networks. Ok, I will try to come up with a configuration that is quite similar to the current configuration, then. During my tests, the web server was always very responsive, even with extensions like owncloud, but there are plenty of configurations and systems that I cannot test, so sticking as close as possible to the existing configuration might be a good idea. (...) > > @@ -1146,13 +1452,21 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf > > #srv/web/ipfire/manual/vhosts/name-based.html.ja.utf8 > > #srv/web/ipfire/manual/vhosts/name-based.html.ko.euc-kr > > #srv/web/ipfire/manual/vhosts/name-based.html.tr.utf8 > > -#usr/bin/apr-1-config > > -#usr/bin/apu-1-config > > +#usr/bin/ab > > +#usr/bin/apxs > > +#usr/bin/dbmmanage > > +#usr/bin/htdbm > > +#usr/bin/htdigest > > +usr/bin/htpasswd > > +#usr/bin/httxt2dbm > > +#usr/bin/logresolve > > #usr/include/apache (...) > > -#usr/lib/libaprutil-1.so.0.5.3 > > -#usr/lib/pkgconfig/apr-1.pc > > -#usr/lib/pkgconfig/apr-util-1.pc > > -#usr/sbin/ab > > +usr/lib/apache/mod_watchdog.so > > +usr/lib/apache/mod_xml2enc.so > > usr/sbin/apachectl > > -#usr/sbin/apxs > > #usr/sbin/checkgid > > -#usr/sbin/dbmmanage > > #usr/sbin/envvars > > #usr/sbin/envvars-std > > +usr/sbin/fcgistarter > > #usr/sbin/htcacheclean > > -#usr/sbin/htdbm > > -#usr/sbin/htdigest > > -usr/sbin/htpasswd > > usr/sbin/httpd > > -#usr/sbin/httxt2dbm > > -#usr/sbin/logresolve > > #usr/sbin/rotatelogs > > All the commands that have been moved from /usr/sbin to /usr/bin must > be deleted manually when installing the core update. This would be htpasswd only, right? Can I do anything that eases the process? > > +#usr/share/man/man1/ab.1 > > > > install : $(TARGET) > > > > @@ -75,7 +78,7 @@ $(subst %,%_MD5,$(objects)) : > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > @$(PREBUILD) > > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf > > $(DIR_DL)/$(DL_FILE) > > - cd $(DIR_APP) && patch -Np1 -i $(DIR_DL)/httpd-2.2.2-config- > > 1.patch > > + cd $(DIR_APP) && patch -Np0 -i $(DIR_DL)/PR61382-Fix.patch > > > > ### Add IPFire's layout, too > > echo "# IPFire layout" >> $(DIR_APP)/config.layout > > @@ -103,14 +106,15 @@ $(TARGET) : $(patsubst > > %,$(DIR_DL)/%,$(objects)) > > echo "</Layout>" >> $(DIR_APP)/config.layout > > > > cd $(DIR_APP) && ./configure --enable-layout=IPFire \ > > - --enable-ssl --enable-mods- > > shared=all --enable-proxy > > + --enable-ssl --enable-mods- > > shared=all --enable-proxy --with-mpm=event > > And lastly the big question: Why MPM? What happened to prefork? > Advantages/disadvantages? Prefork is quite memory intensive. Event is stable and chosen as default on many distributions. The apache documentation states: "In the case of Unix, the decision as to which MPM is installed is based on two questions: 1. Does the system support threads? 2. Does the system support thread-safe polling (Specifically, the kqueue and epoll functions)? If the answer to both questions is 'yes', the default MPM is event. If The answer to #1 is 'yes', but the answer to #2 is 'no', the default will be worker. If the answer to both questions is 'no', then the default MPM will be prefork. In practical terms, this means that the default will almost always be event, as all modern operating systems support these two features." Since we support the features and a lower memory footprint is in our interest, I would suggest that event MPM is the right choice here. There are possible disadvantages that non-thread-safe modules could break. To the best of my knowledge, we do not use these kind of modules and they are actually quite old and usually unsupported. I still remember that apache was the common example for explaining how forking network applications work. Eventually, multi-threading made it's way... (although preforking is still supported, of course!) (...) Best regards, Wolfgang

2 1

[PATCH] hdparm: Update to 9.52
by Matthias Fischer 19 Aug '17

19 Aug '17

Changes from 9.50 to 9.52: - add support for Jmicron USB-SATA bridges, courtesy Jan Friesse <jfriesse(a)gmail.com>. - New --security-prompt-for-password flag for use with the various --security- actions. - Makefile tweak from Mike Frysinger. - fix spelling/typos in man page and "removable", courtesy of Alex Mestiashvili. - fix spelling/typos in --sanitize-crypto-scramble, courtesy of Tom Yan. - fix NULL password handling in --security-unlock, courtesy of Tom Yan. Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/hdparm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/hdparm b/lfs/hdparm index 6c7dc4de6..c26131eaa 100644 --- a/lfs/hdparm +++ b/lfs/hdparm @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2015 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2017 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 9.50 +VER = 9.52 THISAPP = hdparm-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = d380062ad6c4b40076736efbb640f1f5 +$(DL_FILE)_MD5 = 410539d0bf3cc247181594581edbfb53 install : $(TARGET) -- 2.14.1

1 0

Re: [PATCH 1/2] apr and aprutil: Added as requirement for apache 2.4
by Wolfgang Apolinarski 17 Aug '17

17 Aug '17

Hi Michael, I will first respond to the apr changes (I shortened the response): > > config/rootfiles/common/apache2 | 8 ++-- > > config/rootfiles/common/apr | 57 ++++++++++++++++++++++++++++ > > config/rootfiles/common/aprutil | 52 +++++++++++++++++++++++++ > > lfs/apr | 84 > > +++++++++++++++++++++++++++++++++++++++++ > > lfs/aprutil | 84 > > +++++++++++++++++++++++++++++++++++++++++ > > make.sh | 2 + > > 6 files changed, 283 insertions(+), 4 deletions(-) > > create mode 100644 config/rootfiles/common/apr > > create mode 100644 config/rootfiles/common/aprutil > > create mode 100644 lfs/apr > > create mode 100644 lfs/aprutil > > > > diff --git a/config/rootfiles/common/apache2 > > b/config/rootfiles/common/apache2 > > index 7e33a155e..360f5ae61 100644 > > --- a/config/rootfiles/common/apache2 > > +++ b/config/rootfiles/common/apache2 > > @@ -1342,22 +1342,22 @@ usr/lib/apache/mod_usertrack.so > > usr/lib/apache/mod_version.so > > usr/lib/apache/mod_vhost_alias.so > > #usr/lib/apr-util-1 > > -usr/lib/apr-util-1/apr_dbd_sqlite3-1.so > > +#usr/lib/apr-util-1/apr_dbd_sqlite3-1.so > > #usr/lib/apr-util-1/apr_dbd_sqlite3.a > > #usr/lib/apr-util-1/apr_dbd_sqlite3.la > > -usr/lib/apr-util-1/apr_dbd_sqlite3.so > > +#usr/lib/apr-util-1/apr_dbd_sqlite3.so > > #usr/lib/apr.exp > > #usr/lib/aprutil.exp > > #usr/lib/libapr-1.a > > #usr/lib/libapr-1.la > > usr/lib/libapr-1.so > > usr/lib/libapr-1.so.0 > > -usr/lib/libapr-1.so.0.5.1 > > +#usr/lib/libapr-1.so.0.5.1 > > #usr/lib/libaprutil-1.a > > #usr/lib/libaprutil-1.la > > usr/lib/libaprutil-1.so > > usr/lib/libaprutil-1.so.0 > > -usr/lib/libaprutil-1.so.0.5.3 > > +#usr/lib/libaprutil-1.so.0.5.3 > > #usr/lib/pkgconfig/apr-1.pc > > #usr/lib/pkgconfig/apr-util-1.pc > > #usr/sbin/ab > > You don't need to package the .so files. They are just needed for > linking which we never do on the firewall system. > > Just ship the .so.X and .so.X.Y files. Ok, I will change that. Currently, the .so files are shipped and they are actually only a symbolic link to the .so.X.Y file. Are you sure I should leave them out? > Here it seems taht you are not shipping libaprutil at all. Can we not > disable it in the build since it is being compiled in an extra package? Yes, you are right, I will disable it in the rootfile of apache 2.2. I tried to perform only the absolute minimum changes in the apache 2.2 package, this is why they were still there. (...) > > +usr/lib/libapr-1.so.0.6.2 > > +usr/lib/apr.exp > > +usr/lib/libapr-1.la > > +usr/lib/libapr-1.so > > +usr/lib/libapr-1.so.0 > > +#usr/lib/pkgconfig/apr-1.pc > > +#usr/share/apr-1 > > +#usr/share/apr-1/build > > +#usr/share/apr-1/build/apr_common.m4 > > +#usr/share/apr-1/build/apr_rules.mk > > +#usr/share/apr-1/build/find_apr.m4 > > +#usr/share/apr-1/build/libtool > > +#usr/share/apr-1/build/make_exports.awk > > +#usr/share/apr-1/build/make_var_export.awk > > +#usr/share/apr-1/build/mkdir.sh > > Same as above. The static library .a isn't needed on the system either. You mean the .la file, right? I will remove that, this is currently not shipped, I added it by accident. I will also remove the .exp file. > Also the alphabetical order of the rootfile is messed up. The build > system should complain about that. It did not (well, at least not in the last lines), I will sort that out. > > diff --git a/config/rootfiles/common/aprutil > > b/config/rootfiles/common/aprutil > > new file mode 100644 > > index 000000000..7b0bbb8d7 > > --- /dev/null > > +++ b/config/rootfiles/common/aprutil > > @@ -0,0 +1,52 @@ (...) > > +usr/lib/aprutil.exp > > The package has a bundled version of libexpat. We have a package for > that. Please disable this here. aprutil is compiled after expat, but it > does not seem to find it or it is not happy with the version. There is a build option that hopefully fixes that. (...) > > ########### > > + > > +include Config > > + > > +VER = 1.6.2 > > + > > +THISAPP = apr-$(VER) > > +DL_FILE = $(THISAPP).tar.bz2 > > +DL_FROM = http://archive.apache.org/dist/apr > > +DIR_APP = $(DIR_SRC)/$(THISAPP) > > + > > +TARGET = $(DIR_INFO)/$(THISAPP) (...) > > + > > + cd $(DIR_APP) && sed -i "/seems to be moved/s/^/#/" > > build/ltmain.sh > What is this supposed to do? Please add a comment. This was part of the LFS build "Installation of Apr" process. It is not anymore for apr 1.6.2, so I will remove this line. (...) > > --- a/make.sh > > +++ b/make.sh > > @@ -358,6 +358,7 @@ buildbase() { > > lfsmake2 bzip2 > > lfsmake2 pcre > > lfsmake2 pcre-compat > > + lfsmake2 apr > > lfsmake2 bash > > lfsmake2 diffutils > > lfsmake2 e2fsprogs > > Does apr need to be built this early in the processs? Why can we not > have it in the IPFire stage? Is anything suddenly depending on it? I added it some months ago, I actually don't remember. I will test if I can move it directly in front of aprutil. Best regards, Wolfgang

2 1

Problem building perl on ipfire 2.x on Ubuntu 64 bit...Another try two years later
by William Pechter 16 Aug '17

16 Aug '17

A couple of years ago I reported the issue but had to drop it due to a lack of time on my part. Perl 5.12.3 fails to build on my Ubuntu 17.04 system (was upgraded from the 14.04 I was using a couple of years ago. perl [ 5.12.3 ] [ 92 ] [ FAIL ] Processing Jamo.txt Processing UnicodeData.txt Processing ArabicShaping.txt Processing Blocks.txt Processing PropList.txt Processing SpecialCasing.txt Processing LineBreak.txt Processing EastAsianWidth.txt Processing CompositionExclusions.txt Processing BidiMirroring.txt Processing CaseFolding.txt Processing DCoreProperties.txt Processing Scripts.txt Processing DNormalizationProps.txt Processing HangulSyllableType.txt Processing auxiliary/WordBreakProperty.txt Processing auxiliary/GraphemeBreakProperty.txt Processing auxiliary/GCBTest.txt Processing auxiliary/SentenceBreakProperty.txt Processing NamedSequences.txt Processing NameAliases.txt Finishing processing Unicode properties Compiling Perl properties Creating Perl synonyms Writing tables Making pod file Making test script Updating 'mktables.lst' make[1]: Leaving directorroot@S20:/usr/ipfire-2.x# tail /usr/ipfire-2.x/log/_build.base.log Processing NameAliases.txt Finishing processing Unicode properties Compiling Perl properties Creating Perl synonyms Writing tables Making pod file Making test script Updating 'mktables.lst' make[1]: Leaving directory '/usr/src/perl-5.12.3' make: *** [perl:85: /usr/src/log/perl-5.12.3] Error 2 root@S20:/usr/ipfire-2.x# root@S20:/usr/ipfire-2.x# tail /usr/ipfire-2.x/log/_build.base.log Processing NameAliases.txt Finishing processing Unicode properties Compiling Perl properties Creating Perl synonyms Writing tables Making pod file Making test script Updating 'mktables.lst' make[1]: Leaving directory '/usr/src/perl-5.12.3' make: *** [perl:85: /usr/src/log/perl-5.12.3] Error 2 I found the last referenced mktables.lst in lib/unicore and it exists and seems ok. -rw-r--r-- 1 root root 14334 Aug 9 14:43 mktables.lst How do figure where in the perl makefile is the failing part? In ipfire-2.x/build/usr/src/perl-5.12.3 is a perl binary which executes. How do figure where in the perl makefile is the failing part? root@S20:/usr/ipfire-2.x/build/usr/src/perl-5.12.3# ./perl -v This is perl 5, version 12, subversion 3 (v5.12.3) built for x86_64-linux-thread-multi Copyright 1987-2010, Larry Wall Perl may be copied only under the terms of either the Artistic License or the GNU General Public License, which may be found in the Perl 5 source kit. Complete documentation for Perl, including FAQ lists, should be found on this system using "man perl" or "perldoc perl". If you have access to the Internet, point your browser at http://www.perl.org/, the Perl Home Page -- Digital had it then. Don't you wish you could buy it now! pechter-at-gmail.com http://xkcd.com/705/ -- Digital had it then. Don't you wish you could buy it now! pechter-at-gmail.com http://xkcd.com/705/

3 4

Patches for Core 113
by Wolfgang Apolinarski 16 Aug '17

16 Aug '17

Hi! Sorry, I just got the daily digest. I can re-send the patches for core 114, if necessary. Best regards, Wolfgang

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development August 2017