Created by Celso Providelo and last modified
Get this branch:
bzr branch lp:~cprov/squid/snap
Only Celso Providelo can upload to this branch. If you are Celso Providelo please log in for upload directions.

Branch merges

Related bugs

Related blueprints

Branch information

Celso Providelo

Recent revisions

14715. By Celso Providelo

Snapcraft setup.

14714. By Alex Rousskov

Do not make bogus recvmsg(2) calls when closing UDS sockets.

comm_empty_os_read_buffers() assumes that all non-blocking
FD_READ_METHODs can read into an opaque buffer filled with random
characters. That assumption is wrong for UDS sockets that require an
initialized msghdr structure. Feeding random data to recvmsg(2) leads to
confusing errors, at best. Squid does not log those errors, but they
are visible in, for example, strace:

  recvmsg(17, 0x7fffbb, MSG_DONTWAIT) = -1 EMSGSIZE (Message too long)

comm_empty_os_read_buffers() is meant to prevent TCP RST packets. The
function now ignores UDS sockets that are not used for TCP.

TODO: Useless reads may also exist for UDP and some TCP sockets.

14713. By Amos Jeffries

Bug 4504: Too many WARNING: Ignoring error setting CA certificate locations

14712. By Source Maintenance <email address hidden>

SourceFormat Enforcement

14711. By Marcos Felipe Mello

Bug 4516: security_file_certgen man page update

14710. By Alex Rousskov

Fixed Server::maybeMakeSpaceAvailable() logic.

This change fixes logic bugs that mostly affect performance: In micro-
tests, this change gives 10% performance improvement for intercepted
"fast peek at SNI and splice" SslBump configurations. Similar
improvement is expected for future plain HTTP/2 parsers.

maybeMakeSpaceAvailable() is called with an essentially random inBuf.
The method must prepare inBuf for the next network read. The old code
was not doing that [well enough], leading to performance problems.

In some environments, inBuf often ends up having tiny space exceeding 2
bytes (e.g., 6 bytes). This happens, for example, when Squid creates and
parses a fake CONNECT request. The old code often left such tiny inBufs
"as is" because we tried to ensure that we have at least 2 bytes to read
instead of trying to provide a reasonable number of buffer space for the
next network read. Tiny buffers naturally result in tiny network reads,
which are very inefficient, especially for non-incremental parsers.

I have removed the explicit "2 byte" space checks: Both the new and the
old code do not _guarantee_ that at least 2 bytes of buffer space are
always available, and the caller does not check that condition either.
If some other code relies on it, more fixes will be needed (but this
change is not breaking that guarantee -- either it was broken earlier or
was never fully enforced). In practice, only buffers approaching
Config.maxRequestBufferSize limit may violate this guarantee AFAICT, and
those buffers ought to be rare, so the bug, if any, remains unnoticed.

Another subtle maybeMakeSpaceAvailable() problem was that the code
contained its own buffer capacity increase algorithm (n^2 growth).
However, increasing buffer capacity exponentially does not make much
sense because network read sizes are not going to increase
exponentially. Also, memAllocStringmemAllocate() overwrites n^2 growth
with its own logic. Besides, it is buffer _space_, not the total
capacity that should be increased. More work is needed to better match
Squid buffer size for from-user network reads with the TCP stack buffers
and traffic patterns.

Both the old and the new code reallocate inBuf MemBlobs. However, the
new code leaves "reallocate or memmove" decision to the new
SBuf::reserve(), opening the possibility for future memmove
optimizations that SBuf/MemBlob do not currently support.

It is probably wrong that inBuf points to an essentially random MemBlob
outside Server control but this change does not attempt to fix that.

14709. By Christos Tsantilas

TLS Authority Key Identifier certificate extension

This patch add support for mimicking TLS Authority Key Identifier certificate
extension in Squid generated TLS certificates: If the origin server certificate
has that extension, the generated certificate (via the ssl_crtd daemon or
internally) should have the same extension, with the same set of fields if

This is a Measurement Factory project

14708. By Alex Rousskov

Added a script to find kid-specific cache.log lines.

14707. By Amos Jeffries

Cleanup cppunit detection and use

The cppunit-config tool has apparently been replaced by pkg-config .pc
file years ago and is now in the process of being removed from some OS.
Notably Fedora.

Which means our present way of detecting it for use by "make check" will
increasingly fail.

This converts configure.ac to using the pkg-config method of detection
and updates the --with-cppunit-basedir parameter to --without-cppunit
matching our naming and usage scheme for other similar options. If a
=PATH is explicitly provided cppunit is assumed to exist at that
location without configure-time checking.

14706. By Alex Rousskov

Destructed objects that were never born are not alive.

Such objects are typical in partial logs that are missing some
construction events.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
This branch contains Public information 
Everyone can see this information.