From e059fa00970cab5063af90aecf2b61d52bcc84a5 Mon Sep 17 00:00:00 2001 
From: schmonz
Date: Thu, 10 Jan 2019 14:58:56 +0000
Subject: [PATCH] Update to 0.34.1.

From the changelog:

- Corrected typo in pen.c per suggestion by Belinda Liu. This fixes issue #38.
- Merged pull request from Vincent Bernat for OpenSSL 1.1.0 compatibility. This fixes issue #28.
- Allow setting local address for upstream connections. This fixes issue #31.
- New penctl command "source" to set this option.
- Fixed issue #30: UDP not working in combination with a configuration file.
- In epoll.c: check for EPOLLHUP.
- In dsr.c: always use our real mac address, to avoid confusing switches.
- Cleaned up code residue surrounded by "#if 0".
- Added CS_HALFDEAD for UDP streams that haven't seen traffic in a while.
- Bug in pending_and_closing: don't modify the list we're looping over.
- Updated pen manpage.
- Deprecated -Q option (it didn't do anything since kqueue was already the default where it was available).
- Fixed error handling in epoll support.
- Added transparent UDP test case to testsuite.sh.
- Contribution from Talik Eichinger: add X-Forwarded-Proto when doing SSL decryption.
- Added tarpit test case to testsuite.sh.
- Tarpit functionality to be used with the DSR mode.
- pen.1: removed obsolete -S option, updated defaults for -x and -L.
- In failover_server: sanity checks to failover routine.
- In add_client: add the initial server to .client as well as .initial.
- In failover_server: changed abuse_server to ABUSE_SERVER and emerg_server to EMERG_SERVER, to handle their default NO_SERVER values. See issue #19 on Github.
- At the suggestion from Marcos Vinicius Rogowski, the hash algorithm will now include the client port number if the -r (roundrobin) option is used. See https://github.com/UlricE/pen/pull/18
- Fixed IP-based client tracking.
- Removed unnecessary #include in dlist.c
- Added UDP mode for Direct Server Return.
- Updated configure.ac for compatibility with CentOS 6.
- Added #ifdef around SSLv3 initialization code in ssl, as suggested by jca@openbsd.org.
- Transparent reverse proxy support for Linux, FreeBSD and OpenBSD.
- Allow the client table size to be updated on the fly. Default size still 2048.
- Allow the connection table size to be updated on the fly. Default still 500.
- See penctl.1, options clients_max and conn_max.
- Introduced the macro NO_SERVER to be used instead of -1 to signify error conditions and such.
- Removed the fixed server table size along with the -S option.
- Fixed cosmetic bug in startup code which required port to be specified on backend servers even if it was the same as the listening port.
- Numerous updates to support the madness that is Windows.
- Fix from Vincent Bernat: segfault when not using SSL.
- DSR support using Netmap on FreeBSD.
- Unbroke DSR on Linux.
- Replaced all calls to perror with debug(..., strerror(errno);
- Updated penlog and penlogd to use diag.[ch].
- More refactoring: broke out conn.[ch], client.[ch], server.[ch], idler.[ch].
- Made a hash index such that the load balancer may balance load.
- Broke out Windows code from pen.c into windows.c. Added windows.h.
- Broke out public definitions for dsr into dsr.h.
- Broke out memory management into memory.[ch].
- Broke out diagnostic and logging functions into diag.[ch].
- Broke out settings into settings.[ch].
- Broke out access lists into acl.[ch].
- Broke out event initialization into event.[ch].
- Added pen_epoll.h, pen_kqueue.h, pen_poll.h, pen_select.h.
- Broke out pen_aton et al into netconv.[ch].
- Added dsr.c
- Bug in copy_down affecting SSL connections fixed.
- Updated ocsp stapling to be compatible with server name indication.
- Added pen-ocsp.sh script.
- SSL code broken out into ssl.[ch]. SSL context creation broken out from ssl_init to ssl_create_context.
- Server Name Indication support. New command to enable: ssl_sni_path PATH where PATH is the name of a directory containing domain.key, domain.crt and domain.ca files for each domain.
- OCSP stapling. New command ssl_ocsp_response filename specifies the location of the ocsp response to be stapled. The response must be pre-fetched. The idea was borrowed from Rob Stradling.
- New command ssl_client_renegotiation_interval specifies the minimum number of seconds the client must wait between renegotiation requests. Default 3600.
- Enabled SSL session resumption.
- In do_cmd: don't print "ignoring command" for comments starting with '#'.
- Added ssl_option no_tlsv1.1 and ssl_option no_tlsv1.2 to disable SSL 1.1 and 1.2 respectively.
- Added autoconf check that the ECDHE is available and not disabled.
- Bumped default max connections and listen queue to 500.
- Support for ECDHE cipher suites.
- New commands ssl_option and ssl_ciphers to individually disable insecure protocols and ciphers.
- Updated penctl.1 with the new command.
- New knob to tweak max number of pending nonblocking connection attempts: pending_max N (default 100).
- Moved dlist prototypes to dlist.h.
- Added check to close idle connections after a period of inactivity.
- Penctl: idle_timeout N (default 0 = never close idle connections).
- Moved git repository to GitHub.
- New feature: dummy server. Rather than acting as a proxy, Pen will pretend to be a web server with just barely enough functionality to work as a test target.
- Penctl: dummy|no dummy.
- Yet Another command: abort_on_error|no abort_on_error makes Pen call abort() (or not) when encountering a fatal error.
- New feature: "reliable idling". Pen will make and maintain a number of idle connections to the backend servers. When a connection closes, a new one is made (hence "reliable"). Penctl: idlers [N].
- In do_cmd: return diagnostics to penctl so the user can see them, instead of uselessly sending them to syslog.
- New penctl commands:
  - socket N (print which connection the socket belongs to)
  - connection N (print info on the specified connection)
  - close N (forcibly close connection N)
- In open_listener: check that the requested port is in range.
- Fixed bug in dlist_insert.
- Even load distribution when a server is unavailable.
- Let pen save the settings for tcp_nodelay and tcp_fastclose.
- Make flush_up and flush_down return the correct value on error.
- Added config.h.win with reasonable settings for Windows.
- Better detection and blacklisting of unavailable servers.
- New penctl commands:
  - tcp_nodelay sets TCP_NODELAY on sockets. Turn off with no tcp_nodelay.
  - tcp_fastclose closes both upstream and downstream sockets if one of them closes theirs. Will take the values up, down, both or off (default).
- Rather than making a table of pending connections every time through the main loop, keep them in a doubly linked list which is only updated as needed. O(n) -> O(1).
- A bug in udp mode: after successful "connect", do not event_add downfd, because it is equal to listenfd and epoll_ctl doesn't like that.
- Module kqueue.c updated.
- Module poll.c: set unused fd:s to -1, or Solaris will say ENOSYS.
- Enable diagnostic messages by default in configure.ac.
- Changed event bookkeeping from stateless to stateful.
- Made keepalive optional and added "keepalive / no keepalive" penctl command.
- Added windows.c and pen.h to the release tarball.
- More sensible autoconfiguration defaults: poll, kqueue, epoll, openssl and geoip are built if found unless explicitly excluded.
- New event management defaults: kqueue, epoll, poll, select in that order.
- New penctl commands: kqueue, epoll, poll, select.
- New command line option: -O cmd where cmd is any penctl command. E.g. -O select to use select instead of the compiled-in default.
- New penctl option "listen [address:]port" to allow listening address to be changed on the fly or via a configuration file.
- New pen options -i and -u to install and uninstall Pen as a Windows service.
- See pen manpage.
- Reduced default timeout to 3 seconds.
- New autoconf option --enable-debugging to enable debugging code.
- Lots of fixes for compatibility with Windows.
- Fixed bug in mainloop which kept trying to write 0 bytes.
- MinGW port. Use Makefile.win to compile.
- Event management code broken out into select.c, poll.c, kqueue.c and epoll.c.
- New command-line option -m to accept multiple incoming connections in a batch.
- New command-line option -q to set incoming pending connection queue length.
- Close upfd when failing over.
- Adjusted debug logging levels.
- Started on epoll support for Linux.
- Rewrote output_net and output_file to take a variable number of arguments.
- Handle timed out connection attempts in mainloop_kqueue.
- Fixed mainloop_kqueue.
- A lot of code broken out from mainloop_select into separate functions.
- Fixed mainloop_poll.
- Bugfixes related to the new backend connection logic.
- Cleaned up and simplified add_client() and associated circuitry.
- Connections to back end servers are now nonblocking and parallel.
- Removed the -n option and all code explicitly using blocking sockets.
- Removed the -D option and the "delayed forward" feature.
- Renamed server and client fields in the conn, client and server structures to better reflect what they are.
- Restructured the add_client, store_client, store_conn and try_server functions.
- Allow write_cfg to save IPv6 and GeoIP access lists.
- Fixed a bug in write_cfg, where Pen would try to write to an unwritable file. Reported by Steven Myint.
- Return UDP replies from the server to the client.
- UDP load balancing code restructured and bugfixed.
- In mainloop_select: When there is a pending connection, keep accepting up to multi_accept times *or* until EAGAIN *or* connection table is full. This improves performance under load.
- Updated GeoIP support for IPv6.
- Servers can have ipv6 addresses. It is possible to use a mix of ipv4 and ipv6 servers: ./pen -df -S 2 -r :::2222 [::1]:22 [127.0.0.1]:22
- In order to allow server addresses with : in them (i.e. ipv6), it is now possible to use square brackets around the address part of the server specification: [address]:port (e.g. [::1]:8080).
- Pen can now listen on ipv6 sockets in addition to ipv4 and unix ones. I.e. things like "pen ::1:2222 127.0.0.1:22" are now possible.
- snprintf format errors reported by Christopher Meng fixed in pen.c and penctl.c.
- Updated pen manpage to clarify what the control socket does.
- Resist opening control socket running as root.
- Remove the default file name for web log.
- New feature: unix domain listening sockets.
- Redesigned server and client structs to allow ipv6 addresses and require less casting (yuck) in the code.
- Updated penctl man page with syntax for IPv6 and GeoIP access lists.
- Fixed cosmetic signedness compiler warnings.
- Moved defines for ACE_IPV4 et al outside #ifdef HAVE_SSL clause. Otherwise pen won't compile without ssl.
- GeoIP access lists.
- Added "special exception" clause for linking with OpenSSL.
- Penlog ipv6 compatible.
- Modernized automake configuration.
- Penctl ipv6 compatible.
- Updated autoconf to 2.69.
- Updated SSL code. Protocol ssl2 removed. Default changed to tls1.
- Added UDP patch from Zen.
- Added patch from Debian that fixes some issues with penctl.cgi.
- Priority based server selection algorithm.
- Patch from Stephen P. Schaefer fixes several issues in write_cfg.
- In the server_by_weight function, multiply current connections by WEIGHT_FACTOR to make the selection more fine-grained when the number of connections is small.
- Patch from Dana Contreras: send stdio to /dev/null after forking.
- Fixed a bunch of cosmetic signedness compiler warnings.
--- net/pen/Makefile | 6 +++--- net/pen/distinfo | 11 +++++------ net/pen/patches/patch-pen.c | 39 ------------------------------------- 3 files changed, 8 insertions(+), 48 deletions(-) delete mode 100644 net/pen/patches/patch-pen.c diff --git a/net/pen/Makefile b/net/pen/Makefile index 0b972d4d6e77..34077557cded 100644 --- a/net/pen/Makefile +++ b/net/pen/Makefile @@ -1,13 +1,13 @@ -# $NetBSD: Makefile,v 1.20 2016/03/29 22:01:13 joerg Exp $ +# $NetBSD: Makefile,v 1.21 2019/01/10 14:58:56 schmonz Exp $ -DISTNAME= pen-0.17.2 -PKGREVISION= 5 +DISTNAME= pen-0.34.1 CATEGORIES= net MASTER_SITES= http://siag.nu/pub/pen/ MAINTAINER= pkgsrc-users@NetBSD.org HOMEPAGE= http://siag.nu/pen/ COMMENT= Load balancer for "simple" tcp based protocols +LICENSE= gnu-gpl-v2 GNU_CONFIGURE= YES diff --git a/net/pen/distinfo b/net/pen/distinfo index 62b1acd3e531..71400ede59bb 100644 --- a/net/pen/distinfo +++ b/net/pen/distinfo @@ -1,7 +1,6 @@ -$NetBSD: distinfo,v 1.12 2016/03/29 22:01:13 joerg Exp $ +$NetBSD: distinfo,v 1.13 2019/01/10 14:58:56 schmonz Exp $ -SHA1 (pen-0.17.2.tar.gz) = 7277259c552b659ece6fef1d4bc55ca9fd927488 -RMD160 (pen-0.17.2.tar.gz) = 3e7152cad72f3893c171db8e1c85cae37418aeb6 -SHA512 (pen-0.17.2.tar.gz) = c84057ab6226f84cc3f024cf25bfb941be297fff42b2d027ad738ea8e7aaa88fec18668152c8dc283b19c93cd8ef8766430ef865d75a701dc1117148751e200a -Size (pen-0.17.2.tar.gz) = 129285 bytes -SHA1 (patch-pen.c) = 6c5315d429d26577ebdb9689ff71d9b4512f63ea +SHA1 (pen-0.34.1.tar.gz) = 7a1d8a86ab711e217e19bd8ef5c5fea07f3284e5 +RMD160 (pen-0.34.1.tar.gz) = 79ef42beebc32a9fcf25f3b59d52509650bfea42 +SHA512 (pen-0.34.1.tar.gz) = 5237e67ef2a8751cab0bbaf75bbd081f0c645830b20d94e5fab365def0692307f2e0c55158697fc79a197c624bd34bda590cf5ded229beea44da597d3344b263 +Size (pen-0.34.1.tar.gz) = 184622 bytes diff --git a/net/pen/patches/patch-pen.c b/net/pen/patches/patch-pen.c deleted file mode 100644 index 380bb4c9571b..000000000000 --- a/net/pen/patches/patch-pen.c +++ /dev/null 
@@ -1,39 +0,0 @@ -$NetBSD: patch-pen.c,v 1.2 2016/03/29 22:01:13 joerg Exp $ - ---- pen.c.orig 2016-03-28 18:32:43.989295691 +0000 -+++ pen.c -@@ -56,7 +56,6 @@ - #include - - #define SRV_SSL_V23 0 --#define SRV_SSL_V2 1 - #define SRV_SSL_V3 2 - #define SRV_SSL_TLS1 3 - -@@ -327,9 +326,6 @@ static int ssl_init(void) - SSL_load_error_strings(); - SSLeay_add_ssl_algorithms(); - switch (ssl_protocol) { -- case SRV_SSL_V2: -- ssl_context = SSL_CTX_new(SSLv2_method()); -- break; - case SRV_SSL_V3: - ssl_context = SSL_CTX_new(SSLv3_method()); - break; -@@ -346,6 +342,7 @@ static int ssl_init(void) - error("SSL: Error allocating context: %s", - ERR_error_string(err, NULL)); - } -+ SSL_CTX_set_options(ssl_context, SSL_OP_NO_SSLv2); - if (ssl_compat) { - SSL_CTX_set_options(ssl_context, SSL_OP_ALL); - } -@@ -2625,8 +2622,6 @@ static int options(int argc, char **argv - case 'L': - if (strcmp(optarg, "ssl23") == 0) - ssl_protocol = SRV_SSL_V23; -- else if (strcmp(optarg, "ssl2") == 0) -- ssl_protocol = SRV_SSL_V2; - else if (strcmp(optarg, "ssl3") == 0) - ssl_protocol = SRV_SSL_V3; - else if (strcmp(optarg, "tls1") == 0)
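Review bot: in the net/pen/Makefile hunk, the visible context (lines 1-13) shows GNU_CONFIGURE= YES with no configure arguments, while the quoted changelog says that openssl, geoip, poll, kqueue and epoll are now "built if found unless explicitly excluded". For a jump from 0.17.2 to 0.34.1 that means the TLS, SNI and OCSP-stapling features of the installed binary now depend on what happened to be present in the build environment. If the part of the Makefile outside this hunk does not already pull in the OpenSSL buildlink and pass the matching configure switches explicitly, please add them so the build is deterministic, and say in the commit message which optional features the pkgsrc build is expected to have. Dropping PKGREVISION on the version bump and adding LICENSE= gnu-gpl-v2 are fine as shown.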
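Review bot: in the net/pen/distinfo hunk, MASTER_SITES is plain http://siag.nu/pub/pen/ (from the Makefile hunk), so the checksums being replaced here are the only integrity control between the fetched tarball and the build; SHA1 and RMD160 add nothing over the SHA512 line. Because the diff cannot show how the new values were obtained, the commit message should state where pen-0.34.1.tar.gz was fetched from and how its SHA512 was cross-checked (an upstream-published checksum or a second source such as the project's GitHub release), rather than leaving the new hashes as self-attested. Removing the SHA1 (patch-pen.c) line is consistent with the patch file being deleted in the same commit.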
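Review bot: in the net/pen/patches/patch-pen.c hunk, the deleted local patch did three things in 0.17.2: it removed the SRV_SSL_V2 define and the SSLv2_method() case from ssl_init, it unconditionally set SSL_CTX_set_options(ssl_context, SSL_OP_NO_SSLv2) on the context, and it dropped "ssl2" from the -L option parser. The quoted changelog justifies the deletion ("Protocol ssl2 removed. Default changed to tls1"), but that justification is not in the commit message, and the context lines show -L still accepting "ssl3" in the old code while the changelog only says SSLv3 initialization is now wrapped in an #ifdef. Please record in the commit message that the patch is obsoleted upstream, and confirm before committing that the 0.34.1 build either rejects -L ssl3 or can be told to with the new ssl_option command, so the old hardening is not lost silently by deleting the patch.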