Auto-detect the amount of TPROXY support available.
Uses the configured port address type to determine the level of testing
done. Systems with IPv4-only TPROXY (kernel 2.6.28 to 2.6.3*) will have
their ports reduced to IPv4-only, and those with IPv6 support will see
the port open as IPv6. This is done at run-time to cater for patched
kernels and kernel upgrades underneath Squid.
Bug 2570: wccp2 "Here I Am" announcements not sent
There is a bit of re-work in configuration needed before this can go into
the storage config scope where it belongs. Temporary fix for 3.1.
see bug report for details.
Author: Alex Rousskov <rousskov@measurement-factory.com>
Fixed entry size calculation for the max-size cache_dir selection algorithms.
There were two sides of this bug:
In src/store_swapout.cc, we must create metadata earlier because
storeCreate() needs swap_hdr_sz. With swap_hdr_sz unknown at the time of
storeCreate(), the SwapDir selection algorithms may select SwapDirs that
should not really take the entry as the real storage size (with the
metadata swap_hdr_sz) would exceed the store slot size.
In src/store_dir.cc, we must add the metadata size before looking for
cache_dirs that accept objsize. Only the "new"
storeDirSelectSwapDirRoundRobin selection scheme was affected.
This makes the starting state explicitly private: instead of assuming its
going to be defined in a private state and dependign on the definer class.
We can cope with not setting the state to private at the end of the macro
as well. It just means the use of this macro must be last, or have an
explicit private/public definition after its use.
Amos Jeffries [Sun, 23 Aug 2009 04:18:18 +0000 (16:18 +1200)]
Always display auto-tools versions on bootstrap.
This will better help us identify from build-farm results if we broke a
particular auto-tool support or if its the specific OS implementation /
environment.
Amos Jeffries [Sun, 23 Aug 2009 04:15:54 +0000 (16:15 +1200)]
Author: Henrik Nordstrom <henrik@henriknordstrom.net>
Bug 2541: Hang in 100% CPU loop while extacting header details using a delimiter other than comma
strListGetItem() could get stuck in a 100% loop if called with a delimiter
other than ',' and the parsed string contains ','.
This change makes it properly detect ',' as a delimiter even if called
with another delimiter argument like intended. The reason why ',' is always
a delimiter is because this is the delimiter between merged values of a
multi-valued header, and must always be supported as delimiter even if
Cookie uses ';' instead.
Amos Jeffries [Sun, 23 Aug 2009 04:13:58 +0000 (16:13 +1200)]
Author: Guido Serassio <serassio@squid-cache.org>
Windows port: fix mswin_negotiate_auth.exe crash when executing a LocalCall authentication with verbose debug enabled
Amos Jeffries [Wed, 19 Aug 2009 05:48:13 +0000 (17:48 +1200)]
Author: Alin Nastac <mrness@gentoo.org>
Cleanup: deprecate ugly hack for sys/capability.h
Shuffle libcap v1 hack into libcompat for linux-only
Needed once to prevent build clashes between libc and sys/capabilility.h
headers. As of libcap2 that is no longer the case and from 2.26 in fact
prevents a clean build.
Add detection for libcap to enable the hack only if actually needed.
Add --disable-caps option
Gentoo requires this to pull in libcap dependencies via --enable-caps
which is a non-operation.
Using it to disable libcap usage will explicitly prevent TPROXY which
depends on it from operating while netfilter NAT support remains.
NP: The TPROXY v2 configure tests will not even run with caps disabled.
Amos Jeffries [Wed, 19 Aug 2009 05:26:19 +0000 (17:26 +1200)]
Bug 2718: FTP sends EPSV2 on ipv4 connection
Switch EPSV attempts based on the FTP control/data Channel IP type.
* EPSV ALL still sent by preference.
* EPSV 2 only attempted on IPv6 data links
* EPSV 1 only attempted on IPv4 data links
Also adds better debugging trace of what is being performed.
Amos Jeffries [Tue, 18 Aug 2009 07:46:55 +0000 (19:46 +1200)]
Author: Various
Better const-correctness on FTP login parse
Also reduces amount of copying done by the parse. The old version
was copying the entire URL into user/password then cropping it down.
This one only copies the required bytes and terminates the copy.
Henrik Nordstrom <henrik@henriknordstrom.net>
Alan Nastac <mrness@gentoo.org>
Amos Jeffries <squid3@treenet.co.nz>
Amos Jeffries [Wed, 12 Aug 2009 11:48:43 +0000 (23:48 +1200)]
Author: Henrik Nordstrom <henrik@henriknordstrom.net>
Remove support for deferred state in stateful helpers
the deferred state were previously used for the challenge reuse mode
in NTLM, but is since long unused as it was both incompatible with
NTLMv2 and also not very stable for authentication.
Amos Jeffries [Sun, 2 Aug 2009 09:53:20 +0000 (21:53 +1200)]
Author: Henrik Nordstrom <henrik@henriknordstrom.net>
Bug 2648: Reserved helpers not shut down after reconfigure/rotate
The race happens if the helpers are restarted(rotate/reconfigure) while
reserved. Those reserved are then not shut down when the reservation is
released.
This patch cleans this up and a couple of other related races.
Amos Jeffries [Sat, 1 Aug 2009 09:52:18 +0000 (21:52 +1200)]
Author: Alex Rousskov <rousskov@measurement-factory.com>
Bug 2723: enable PURGE requests if PURGE method ACL is present.
PURGE requests were always denied, probably since 2009-06-28 (r9772) changes.
PURGE was denied because Config2.onoff.enable_purge changes done in
ACLMethodData::parse() are lost when Squid memsets Config2 to zero before
interpreting the changes. Config2 is meant for storing values _derived_ from
the primary configuration phase so it is reset after that phase is over.
This patch solves the above problem by storing ACLMethodData::parse() changes
in an ACLMethodData static member. The member is reset before
[re]configuration.
There is probably another problem with r9772 (or earlier) changes. Special
PURGE method processing is enabled whenever a PURGE ACL is detected in the
Squid configuration file, even if the ACL is unused or used in an http_access
option that does not match. This is specifically what r4363 tried to avoid in
year 2000:
users complain that defining an ACL that is never used in
an access list shouldn't trip this flag.
The patch does not solve this other problem. The right solution may be adding
a dedicated "purge" option that will have an ACL that controls what PURGE
requests, if any, are allowed to purge. That option would be in addition to
any http_access controls.
Just the basics for some needed right now. This needs to be expanded.
Also, required to break some of the mime header parsing calls out into
mime_header.cc in preparation for splitting the icon handling from the
header handling and reduce dependencies on the new tests.
Harden the sanity checks to detect negative status and other syntax issues
before they have a chance to become problems. This applies to replies and
responses both in varying ways.
Also document the sanity check logics. sanityCheck* is supposed to fill
out the error status for what it detects with each fail result.
Author: Henrik Nordstrom <henrik@henriknordstrom.net>
Kick any pending *ufs write/close operations alive when the previous write completes
When using uufs only part of the object got written out to the disk,
forgetting to write out the last butes and closing the file.
This should have been seen at least in in diskd as well even if it
for some reason did not seem to show up in simple tests.
Headers may be accumulated over more than one read. It does not make
sense to limit the internal copy of the accumulated read buffer to 64KB.
Reverts the internal read buffer to MemBuf defaults. This may cause
issues where headers are of unbounded size. But those are expected to be
caught by the header parser.
Check buffer limits before parsing and return error on all bad parse cases.
No exceptions.
* display last 20 lines of test result on failure
we want to see the real error plus, not just "make Error 1" messages
* use chmod to improve cleanup removal after (un)install test failures
Author: Alex Rousskov <rousskov@measurement-factory.com>
Bug 2087: Support adaptation sets and chains, including dynamic ICAP chains
- Support adaptation service sets and chains
(adaptation_service_set and adaptation_service_chain)
- Dynamically form chains based on ICAP X-Next-Services header
(icap_service routing=on)
- Support cross-transactional ICAP header exchange
(adaptation_masterx_shared_names)
An adaptation service set contains similar, interchangeable services. No more
than one service is successfully applied. If one service is down or fails,
Squid can use another service. Think "hot standby" or "spare" ICAP servers.
Sets may seem similar to the existing "service bypass" feature, but they allow
the failed adaptation to be retried and succeed if a replacement service is
available. The services in a set may be all optional or all essential,
depending on whether ignoring the entire set is acceptable. The mixture of
optional and essential services in a set is supported, but yields results that
may be difficult for a human to anticipate or interpret. Squid warns when it
detects such a mixture.
When performing adaptations with a set, failures at a service (optional or
essential, does not matter) are retried with a different service if possible.
If there are no more replacement services left to try, the failure is treated
depending on whether the last service tried was optional or essential: Squid
either tries to ignore the failure and proceed or terminates the master
transaction.
An adaptation chain is a list of different services applied one after another,
forming an adaptation pipeline. Services in a chain may be optional or
essential. When performing adaptations, failures at an optional service are
ignored as if the service did not exist in the chain.
Request satisfaction terminates the adaptation chain.
When forming a set or chain for a given transaction, optional down services
are ignored as if they did not exist.
ICAP and eCAP services can be mixed and matched in an adaptation set or chain.
Merged from 3p1-plus branch at r9513.
* Implementation notes
The notes below focus on _changes_. Adaptation terminology and current layers
are now being documented in src/adaptation/notes.dox
Service sets and chains are implemented as ServiceGroup class kids. They are
very similar in most code aspects. The primary external difference is that
ServiceSet can "replace" a service and ServiceChain can find the "next"
service. The internal search code is implemented in ServiceGroup parent and
is parametrized by the kids.
Before the adaptation starts, Squid calculates the adaptation "plan", which is
just an iterator into the ServiceGroup. The client- and server-side adaptation
initiators used to deal with Service pointers. They now deal with ServiceGroup
pointers. The only interesting difference is that a ServiceGroup does not have
a notion of being optional or essential. Thus, if adaptation start fails, we
do not know whether the failure can be bypassed. Fortunately, starting an
adaptation does not require anything that depends on the adaptation services,
so we now simply assert that the start succeeds.
If the entire adaptation fails, the callers are notified as before. They are
told whether they can ignore the failure as before. No changes there.
A new Adaptation::Iterator class has been added to execute the adaptation
plan. That class is responsible for iterating the services in a service group
until the plan is exhausted or cannot progress due to a final failure.
Dynamically form adaptation chains based on the ICAP X-Next-Services header.
If an ICAP service with the routing=1 option in squid.conf returns an ICAP
X-Next-Services response header during a successful REQMOD or RESPMOD
transaction, Squid abandons the original adaptation plan and forms a new
adaptation chain consisting of services identified in the X-Next-Services
header value (using a comma-separated list of adaptation service names from
squid.conf). The dynamically created chain is destroyed once the new plan is
completed or replaced.
This feature is useful when a custom adaptation service knows which other
services are applicable to the message being adapted.
Limit adaptation iterations to adaptation_service_iteration_limit to protect
Squid from infinite adaptation loops caused by ICAP services constantly
including themselves in the dynamic adaptation chain they request. When the
limit is exceeded, the master transaction fails. The default limit of 16
should be large enough to not require an explicit configuration in most
environments yet may be small enough to limit side-effects of loops.
TODO: Add metadata support to eCAP API and honor X-Next-Services there as
well. Currently, only ICAP services can form dynamic chains but the formed
chains may contain eCAP services.
Other improvements:
Polished adaptation service configuration in squid.conf. Old format with an
anonymous bypass option is deprecated but still supported. Quit with a fatal
message if an adaptation service is misconfigured (debugging level-0 messages
do not seem to work at that stage, but that is probably another, general bug).
Polished HttpRequest::adaptHistory() interface so that the code that knows the
history is needed can force history creation without complex
configuration-time preparations and state. Currently, all adaptation history
users but the logging-related ones know runtime whether the history must be
created (e.g., when a certain ICAP header is received).
Fixed "canonical" Request URL maintenance when ICAP clones requests.
TODO: The urlCanonical() must become HttpRequest::canonical(), hiding the
often out-of-sync canonical data member.
Fixed ICAP request parsing (for ICAP logging). We used to parse Request-Line
as if it were the first header. TODO: optimize by parsing only when needed.
Fixed AccessCheck case where a service group disappears during a nb ACL check.
Replaced "done" member with an existing AsyncJob mustStop mechanism. Removed
extra async call as unneeded because ACL callbacks are already async.
Author: Alex Rousskov <rousskov@measurement-factory.com>
Limit X-Forwarded-For growth.
X-Forwarded-For growth leads to String size limit assertions and probably
other problems.
We now replace huge XFF values with a string "error", warn the admin the
first 100 times, and hope that something will stop the loop (if it is a
loop). TODO: we should probably deny requests with huge XFF.
To make growth-associated problems visible during forwarding loops, the
loop breaking code must be disabled (no Via) or not applicable (direct
forwarding) and request_header_max_size has to be raised or disabled.
The X-Forwarded-For header value may also grow too large for reasons
unrelated to forwarding loops.
This change also prevents most cases of pointless computation of the
original X-Forwarded-For value list. That computation can be quite
expensive.
projects / thirdparty / squid.git / log
