[pkgsrc/trunk]: pkgsrc/net/pen Update to 0.34.1. From the changelog:

branches:  trunk
changeset: 317601:42178250f87a
user:      schmonz <>
date:      Thu Jan 10 14:58:56 2019 +0000

Update to 0.34.1. From the changelog:

- Corrected typo in pen.c per suggestion by Belinda Liu.
  This fixes issue #38.
- Merged pull request from Vincent Bernat for OpenSSL 1.1.0 compatibility.
  This fixes issue #28.
- Allow setting local address for upstream connections. This fixes issue #31.
- New penctl command "source" to set this option.
- Fixed issue #30: UDP not working in combination with a configuration file.
- In epoll.c: check for EPOLLHUP.
- In dsr.c: always use our real mac address, to avoid confusing switches.
- Cleaned up code residue surrounded by "#if 0".
- Added CS_HALFDEAD for UDP streams that haven't seen traffic in a while.
- Bug in pending_and_closing: don't modify the list we're looping over.
- Updated pen manpage.
- Deprecated -Q option (it didn't do anything since kqueue was already the
  default where it was available).
- Fixed error handling in epoll support.
- Added transparent UDP test case to
- Contribution from Talik Eichinger: add X-Forwarded-Proto when doing
  SSL decryption.
- Added tarpit test case to
- Tarpit functionality to be used with the DSR mode.
- pen.1: removed obsolete -S option, updated defaults for -x and -L.
- In failover_server: sanity checks to failover routine.
- In add_client: add the initial server to .client as well as .initial.
- In failover_server: changed abuse_server to ABUSE_SERVER and emerg_server
  to EMERG_SERVER, to handle their default NO_SERVER values.
  See issue #19 on Github.
- At the suggestion of Marcos Vinicius Rogowski, the hash algorithm
  will now include the client port number if the -r (roundrobin)
  option is used. See
- Fixed IP-based client tracking.
- Removed unnecessary #include <pen.h> in dlist.c
- Added UDP mode for Direct Server Return.
- Updated for compatibility with CentOS 6.
- Added #ifdef around SSLv3 initialization code in ssl, as
  suggested by
- Transparent reverse proxy support for Linux, FreeBSD and OpenBSD.
- Allow the client table size to be updated on the fly. Default size still 2048.
- Allow the connection table size to be updated on the fly. Default still 500.
- See penctl.1, options clients_max and conn_max.
- Introduced the macro NO_SERVER to be used instead of -1 to signify
  error conditions and such.
- Removed the fixed server table size along with the -S option.
- Fixed cosmetic bug in startup code which required port to be specified
  on backend servers even if it was the same as the listening port.
- Numerous updates to support the madness that is Windows.
- Fix from Vincent Bernat: segfault when not using SSL.
- DSR support using Netmap on FreeBSD.
- Unbroke DSR on Linux.
- Replaced all calls to perror with debug(..., strerror(errno)).
- Updated penlog and penlogd to use diag.[ch].
- More refactoring: broke out conn.[ch], client.[ch], server.[ch],
- Made a hash index such that the load balancer may balance load.
- Broke out Windows code from pen.c into windows.c. Added windows.h.
- Broke out public definitions for dsr into dsr.h.
- Broke out memory management into memory.[ch].
- Broke out diagnostic and logging functions into diag.[ch].
- Broke out settings into settings.[ch].
- Broke out access lists into acl.[ch].
- Broke out event initialization into event.[ch].
- Added pen_epoll.h, pen_kqueue.h, pen_poll.h, pen_select.h.
- Broke out pen_aton et al into netconv.[ch].
- Added dsr.c
- Bug in copy_down affecting SSL connections fixed.
- Updated ocsp stapling to be compatible with server name indication.
- Added script.
- SSL code broken out into ssl.[ch]. SSL context creation broken
  out from ssl_init to ssl_create_context.
- Server Name Indication support. New command to enable:
  ssl_sni_path PATH
  where PATH is the name of a directory containing domain.key,
  domain.crt and files for each domain.
- OCSP stapling. New command ssl_ocsp_response filename
  specifies the location of the ocsp response to be stapled.
  The response must be pre-fetched. The idea was borrowed
  from Rob Stradling.
- New command ssl_client_renegotiation_interval specifies the
  minimum number of seconds the client must wait between
  renegotiation requests. Default 3600.
- Enabled SSL session resumption.
- In do_cmd: don't print "ignoring command" for comments starting
  with '#'.
- Added ssl_option no_tlsv1.1 and ssl_option no_tlsv1.2 to disable
  SSL 1.1 and 1.2 respectively.
- Added autoconf check that the ECDHE is available and not disabled.
- Bumped default max connections and listen queue to 500.
- Support for ECDHE cipher suites.
- New commands ssl_option and ssl_ciphers to individually disable
  insecure protocols and ciphers.
- Updated penctl.1 with the new command.
- New knob to tweak max number of pending nonblocking connection
  attempts: pending_max N (default 100).
- Moved dlist prototypes to dlist.h.
- Added check to close idle connections after a period of inactivity.
- Penctl: idle_timeout N (default 0 = never close idle connections).
- Moved git repository to GitHub.
- New feature: dummy server. Rather than acting as a proxy,
  Pen will pretend to be a web server with just barely enough
  functionality to work as a test target.
- Penctl: dummy|no dummy.
- Yet Another command: abort_on_error|no abort_on_error makes
  Pen call abort() (or not) when encountering a fatal error.
- New feature: "reliable idling". Pen will make and maintain a
  number of idle connections to the backend servers. When a connection
  closes, a new one is made (hence "reliable"). Penctl: idlers [N].
- In do_cmd: return diagnostics to penctl so the user can see them,
  instead of uselessly sending them to syslog.
- New penctl commands:
    - socket N (print which connection the socket belongs to)
    - connection N (print info on the specified connection)
    - close N (forcibly close connection N)
- In open_listener: check that the requested port is in range.
- Fixed bug in dlist_insert.
- Even load distribution when a server is unavailable.
- Let pen save the settings for tcp_nodelay and tcp_fastclose.
- Make flush_up and flush_down return the correct value on error.
- Added with reasonable settings for Windows.
- Better detection and blacklisting of unavailable servers.
- New penctl commands:
    - tcp_nodelay sets TCP_NODELAY on sockets. Turn off with no tcp_nodelay.
    - tcp_fastclose closes both upstream and downstream sockets if one of them
      closes theirs. Will take the values up, down, both or off (default).
- Rather than making a table of pending connections every time through
  the main loop, keep them in a doubly linked list which is only updated
  as needed. O(n) -> O(1).
- A bug in udp mode: after successful "connect", do not event_add downfd,
  because it is equal to listenfd and epoll_ctl doesn't like that.
- Module kqueue.c updated.
- Module poll.c: set unused fd:s to -1, or Solaris will say ENOSYS.
- Enable diagnostic messages by default in
- Changed event bookkeeping from stateless to stateful.
- Made keepalive optional and added "keepalive / no keepalive" penctl command.
- Added windows.c and pen.h to the release tarball.
- More sensible autoconfiguration defaults: poll, kqueue, epoll, openssl and geoip
  are built if found unless explicitly excluded.
- New event management defaults: kqueue, epoll, poll, select in that order.
- New penctl commands: kqueue, epoll, poll, select.
- New command line option: -O cmd where cmd is any penctl command.
  E.g. -O select to use select instead of the compiled-in default.
- New penctl option "listen [address:]port" to allow listening address
  to be changed on the fly or via a configuration file.
- New pen options -i and -u to install and uninstall Pen as a Windows service.
- See pen manpage.
- Reduced default timeout to 3 seconds.
- New autoconf option --enable-debugging to enable debugging code.
- Lots of fixes for compatibility with Windows.
- Fixed bug in mainloop which kept trying to write 0 bytes.
- MinGW port. Use to compile.
- Event management code broken out into select.c, poll.c, kqueue.c and epoll.c.
- New command-line option -m to accept multiple incoming connections in a batch.
- New command-line option -q to set incoming pending connection queue length.
- Close upfd when failing over.
- Adjusted debug logging levels.
- Started on epoll support for Linux.
- Rewrote output_net and output_file to take a variable number of arguments.
- Handle timed out connection attempts in mainloop_kqueue.
- Fixed mainloop_kqueue.
- A lot of code broken out from mainloop_select into separate functions.
- Fixed mainloop_poll.
- Bugfixes related to the new backend connection logic.
- Cleaned up and simplified add_client() and associated circuitry.
- Connections to back end servers are now nonblocking and parallel.
- Removed the -n option and all code explicitly using blocking sockets.
- Removed the -D option and the "delayed forward" feature.
- Renamed server and client fields in the conn, client and server structures
  to better reflect what they are.
- Restructured the add_client, store_client, store_conn and try_server
- Allow write_cfg to save IPv6 and GeoIP access lists.
- Fixed a bug in write_cfg, where Pen would try to write to an unwritable
  file. Reported by Steven Myint
- Return UDP replies from the server to the client.
- UDP load balancing code restructured and bugfixed.
- In mainloop_select: When there is a pending connection, keep accepting
  up to multi_accept times *or* until EAGAIN *or* connection table is full.
  This improves performance under load.
- Updated GeoIP support for IPv6.
- Servers can have ipv6 addresses. It is possible to use a mix of ipv4
  and ipv6 servers:
  ./pen -df -S 2 -r :::2222 [::1]:22 []:22
- In order to allow server addresses with : in them (i.e. ipv6), it is now
  possible to use square brackets around the address part of the server
  specification: [address]:port (e.g. [::1]:8080).
- Pen can now listen on ipv6 sockets in addition to ipv4 and unix ones.
  I.e. things like "pen ::1:2222" are now possible.
- snprintf format errors reported by Christopher Meng fixed in
  pen.c and penctl.c.
- Updated pen manpage to clarify what the control socket does.
- Resist opening control socket running as root.
- Remove the default file name for web log.
- New feature: unix domain listening sockets.
- Redesigned server and client structs to allow ipv6 addresses and require
  less casting (yuck) in the code.
- Updated penctl man page with syntax for IPv6 and GeoIP access lists.
- Fixed cosmetic signedness compiler warnings.
- Moved defines for ACE_IPV4 et al outside #ifdef HAVE_SSL clause.
  Otherwise pen won't compile without ssl.
- GeoIP access lists.
- Added "special exception" clause for linking with OpenSSL.
- Penlog ipv6 compatible.
- Modernized automake configuration.
- Penctl ipv6 compatible.
- Updated autoconf to 2.69.
- Updated SSL code. Protocol ssl2 removed. Default changed to tls1.
- Added UDP patch from Zen.
- Added patch from Debian that fixes some issues with penctl.cgi.
- Priority based server selection algorithm.
- Patch from Stephen P. Schaefer fixes several issues in write_cfg.
- In the server_by_weight function, multiply current connections
  by WEIGHT_FACTOR to make the selection more fine-grained when the
  number of connections is small.
- Patch from Dana Contreras: send stdio to /dev/null after forking.
- Fixed a bunch of cosmetic signedness compiler warnings.
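
The changelog above introduces the server specification syntax "[address]:port" for IPv6 backends, keeps the bare "address:port" form, and allows the port to be omitted when it equals the listening port. The following is an added example, not code from pen or from this pkgsrc commit: a stand-alone C parser for that syntax. Two things in it are assumptions rather than documented pen behaviour: that an unbracketed spec is split at its last colon (which is the only way the changelog's "pen ::1:2222" example reads as address ::1, port 2222), and that an unbracketed address containing a colon is flagged as ambiguous so a caller can warn and ask for brackets. The struct, function and sample inputs are constructed for this example.

```c
/* Added example: parse a pen-style backend/listener spec.
 * Forms handled (from the changelog): "[addr]:port", "[addr]", "addr:port", "addr".
 * Not pen's code; the last-colon split and the 'ambiguous' flag are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>

#define SPEC_ADDR_MAX 64

struct server_spec {
    char addr[SPEC_ADDR_MAX]; /* address or hostname, without brackets */
    int  port;                /* 1..65535; listener's port if none was given */
    int  ipv6;                /* 1 if addr contains ':' */
    int  ambiguous;           /* 1 if an unbracketed addr contained ':' (use brackets!) */
};

/* Parse a decimal port in 1..65535; reject empty strings and trailing junk. */
static int parse_port(const char *s, int *port)
{
    char *end;
    long v;

    if (*s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65535)
        return -1;
    *port = (int)v;
    return 0;
}

/* Returns 0 and fills *out on success, -1 on a malformed spec. */
int parse_server_spec(const char *spec, int listen_port, struct server_spec *out)
{
    const char *addr_start, *addr_end, *port_str;
    size_t n;

    memset(out, 0, sizeof *out);
    if (spec == NULL || *spec == '\0')
        return -1;

    if (spec[0] == '[') {
        /* Bracketed: address up to ']', then nothing or ":port". */
        addr_start = spec + 1;
        addr_end = strchr(addr_start, ']');
        if (addr_end == NULL || addr_end == addr_start)
            return -1;                      /* no ']' or empty "[]" */
        if (addr_end[1] == '\0')
            port_str = NULL;
        else if (addr_end[1] == ':')
            port_str = addr_end + 2;
        else
            return -1;                      /* junk after ']' */
    } else {
        /* Unbracketed: split at the LAST colon (assumption, see lead-in). */
        const char *colon = strrchr(spec, ':');
        addr_start = spec;
        if (colon == NULL) {
            addr_end = spec + strlen(spec);
            port_str = NULL;
        } else {
            addr_end = colon;
            port_str = colon + 1;
        }
        if (addr_end == addr_start)
            return -1;                      /* ":22" has no address */
    }

    n = (size_t)(addr_end - addr_start);
    if (n >= sizeof out->addr)
        return -1;                          /* would not fit, refuse rather than truncate */
    memcpy(out->addr, addr_start, n);
    out->addr[n] = '\0';
    out->ipv6 = strchr(out->addr, ':') != NULL;
    out->ambiguous = (spec[0] != '[' && out->ipv6);

    if (port_str == NULL) {
        if (listen_port < 1 || listen_port > 65535)
            return -1;
        out->port = listen_port;            /* "same as the listening port" */
    } else if (parse_port(port_str, &out->port) != 0) {
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample specs, mirroring the changelog's examples. */
    const char *specs[] = { "[::1]:22", "::1:2222", "10.0.0.1:22", "backend", "[]:22", "host:" };
    size_t i;

    for (i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        struct server_spec s;
        if (parse_server_spec(specs[i], 2222, &s) == 0)
            printf("%-12s -> addr=%s port=%d ipv6=%d%s\n", specs[i], s.addr, s.port,
                   s.ipv6, s.ambiguous ? " (ambiguous: use [addr]:port)" : "");
        else
            printf("%-12s -> rejected\n", specs[i]);
    }
    return 0;
}
```

The parser refuses rather than truncates an over-long address and rejects ports outside 1..65535, matching the changelog's "check that the requested port is in range" entry for open_listener; the ambiguity flag is the practical reason the bracketed form was introduced.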


 net/pen/Makefile            |   6 +++---
 net/pen/distinfo            |  11 +++++------
 net/pen/patches/patch-pen.c |  39 ---------------------------------------
 3 files changed, 8 insertions(+), 48 deletions(-)

diffs (79 lines):

diff -r 8ba7d60cd9b2 -r 42178250f87a net/pen/Makefile
--- a/net/pen/Makefile  Thu Jan 10 14:58:09 2019 +0000
+++ b/net/pen/Makefile  Thu Jan 10 14:58:56 2019 +0000
@@ -1,13 +1,13 @@
-# $NetBSD: Makefile,v 1.20 2016/03/29 22:01:13 joerg Exp $
+# $NetBSD: Makefile,v 1.21 2019/01/10 14:58:56 schmonz Exp $
-DISTNAME=      pen-0.17.2
+DISTNAME=      pen-0.34.1
 COMMENT=       Load balancer for "simple" tcp based protocols
+LICENSE=       gnu-gpl-v2
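Review bot: the new LICENSE= gnu-gpl-v2 line does not capture the "special exception" clause for linking with OpenSSL that the changelog above says upstream added; check the tarball's COPYING and, if pkgsrc has no license name for GPLv2-with-OpenSSL-exception, record the exception in a comment beside LICENSE. Also, the hunk header claims 13 lines on each side but only the changed lines survived extraction, so whether this Makefile now buildlinks OpenSSL or explicitly disables GeoIP cannot be seen here; the changelog's "built if found unless explicitly excluded" autoconf defaults make that worth confirming, otherwise the build's dependencies depend on what happens to be installed.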
diff -r 8ba7d60cd9b2 -r 42178250f87a net/pen/distinfo
--- a/net/pen/distinfo  Thu Jan 10 14:58:09 2019 +0000
+++ b/net/pen/distinfo  Thu Jan 10 14:58:56 2019 +0000
@@ -1,7 +1,6 @@
-$NetBSD: distinfo,v 1.12 2016/03/29 22:01:13 joerg Exp $
+$NetBSD: distinfo,v 1.13 2019/01/10 14:58:56 schmonz Exp $
-SHA1 (pen-0.17.2.tar.gz) = 7277259c552b659ece6fef1d4bc55ca9fd927488
-RMD160 (pen-0.17.2.tar.gz) = 3e7152cad72f3893c171db8e1c85cae37418aeb6
-SHA512 (pen-0.17.2.tar.gz) = c84057ab6226f84cc3f024cf25bfb941be297fff42b2d027ad738ea8e7aaa88fec18668152c8dc283b19c93cd8ef8766430ef865d75a701dc1117148751e200a
-Size (pen-0.17.2.tar.gz) = 129285 bytes
-SHA1 (patch-pen.c) = 6c5315d429d26577ebdb9689ff71d9b4512f63ea
+SHA1 (pen-0.34.1.tar.gz) = 7a1d8a86ab711e217e19bd8ef5c5fea07f3284e5
+RMD160 (pen-0.34.1.tar.gz) = 79ef42beebc32a9fcf25f3b59d52509650bfea42
+SHA512 (pen-0.34.1.tar.gz) = 5237e67ef2a8751cab0bbaf75bbd081f0c645830b20d94e5fab365def0692307f2e0c55158697fc79a197c624bd34bda590cf5ded229beea44da597d3344b263
+Size (pen-0.34.1.tar.gz) = 184622 bytes
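Review bot: removing the "SHA1 (patch-pen.c)" line is consistent with the deletion of net/pen/patches/patch-pen.c below, and the SHA1/RMD160/SHA512 lines plus Size for pen-0.34.1.tar.gz are the only integrity anchor users get through `make checksum`, so confirm they were generated from a tarball fetched directly from upstream's release rather than a locally cached copy; a mismatch here would only surface as a fetch failure for every user.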
diff -r 8ba7d60cd9b2 -r 42178250f87a net/pen/patches/patch-pen.c
--- a/net/pen/patches/patch-pen.c       Thu Jan 10 14:58:09 2019 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,39 +0,0 @@
-$NetBSD: patch-pen.c,v 1.2 2016/03/29 22:01:13 joerg Exp $
---- pen.c.orig 2016-03-28 18:32:43.989295691 +0000
-+++ pen.c
-@@ -56,7 +56,6 @@
- #include <openssl/err.h>
- #define SRV_SSL_V23 0
--#define SRV_SSL_V2 1
- #define SRV_SSL_V3 2
- #define SRV_SSL_TLS1 3
-@@ -327,9 +326,6 @@ static int ssl_init(void)
-       SSL_load_error_strings();
-       SSLeay_add_ssl_algorithms();
-       switch (ssl_protocol) {
--      case SRV_SSL_V2:
--              ssl_context = SSL_CTX_new(SSLv2_method());
--              break;
-       case SRV_SSL_V3:
-               ssl_context = SSL_CTX_new(SSLv3_method());
-               break;
-@@ -346,6 +342,7 @@ static int ssl_init(void)
-               error("SSL: Error allocating context: %s",
-                       ERR_error_string(err, NULL));
-       }
-+      SSL_CTX_set_options(ssl_context, SSL_OP_NO_SSLv2);
-       if (ssl_compat) {
-               SSL_CTX_set_options(ssl_context, SSL_OP_ALL);
-       }
-@@ -2625,8 +2622,6 @@ static int options(int argc, char **argv
-               case 'L':
-                       if (strcmp(optarg, "ssl23") == 0)
-                               ssl_protocol = SRV_SSL_V23;
--                      else if (strcmp(optarg, "ssl2") == 0)
--                              ssl_protocol = SRV_SSL_V2;
-                       else if (strcmp(optarg, "ssl3") == 0)
-                               ssl_protocol = SRV_SSL_V3;
-                       else if (strcmp(optarg, "tls1") == 0)
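Review bot: dropping this patch is justified by the changelog entries "Protocol ssl2 removed" and the merged OpenSSL 1.1.0 compatibility work, since everything the patch did (removing SRV_SSL_V2/SSLv2_method and setting SSL_OP_NO_SSLv2) is now upstream. The patch left the `case SRV_SSL_V3: ssl_context = SSL_CTX_new(SSLv3_method());` path untouched, and the changelog only says the SSLv3 initialization is now behind an #ifdef, so verify that 0.34.1 still builds against an OpenSSL configured with no-ssl3 and that `-L ssl3` is either rejected or documented as such. Note also that the deleted patch is truncated in this view: the header says 39 lines but the hunk at -2625 ends mid-switch.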

