From: Amaury Denoyelle
Date: Mon, 31 Mar 2025 15:57:56 +0000 (+0200)
Subject: BUG/MEDIUM: backend: fix reuse with set-dst/set-dst-port
X-Git-Tag: v3.2-dev9~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5fda64e87e7963fa65812e0583338191e4cc7c8b;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: backend: fix reuse with set-dst/set-dst-port

On backend connection reuse, a hash is calculated from various parameters, to ensure the selected connection matches the requested parameters. Notably, destination address is one of these parameters. However, it is only taken into account if using a transparent server (server address 0.0.0.0).

This may cause an issue where an incorrect connection is reused, which is not targeted to the correct destination address. This may be the case if a set-dst/set-dst-port is used with a transparent proxy (proxy option transparent).

The fix is simple enough. Destination address is now always used as input to the connection reuse hash.

This must be backported up to 2.6. Note that for reverse HTTP to work, it relies on the following patch, which ensures destination address remains NULL in this case.

  commit e94baf6ca71cb2319610baa74dbf17b9bc602b18
  BUG/MINOR: rhttp: fix incorrect dst/dst_port values
---
diff --git a/src/backend.c b/src/backend.c index 1791a38e6..b897c1551 100644 --- a/src/backend.c +++ b/src/backend.c @@ -1597,8 +1597,7 @@ int connect_server(struct stream *s) } /* 3. destination address */ - if (srv && srv_is_transparent(srv)) - hash_params.dst_addr = s->scb->dst; + hash_params.dst_addr = s->scb->dst; /* 4. source address */ hash_params.src_addr = bind_addr;
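
Review bot: The now-unconditional `hash_params.dst_addr = s->scb->dst;` under `/* 3. destination address */` carries a dependency that is only documented in the commit message: reverse HTTP is said to rely on the destination staying NULL, which a separate commit (e94baf6ca71cb2319610baa74dbf17b9bc602b18) guarantees, yet nothing at this line says that `dst` may be NULL here or why. Suggest expanding the comment to state that `s->scb->dst` can be NULL in the reverse HTTP case and that the value is now hashed for every server type, and making sure the two fixes are backported together to 2.6 rather than this one alone. The diff touches only src/backend.c, so a regression test covering set-dst/set-dst-port with `option transparent` would also be worth adding, to keep a connection opened to one destination from being silently reused for another.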