Config check fails for TCP DNS resolvers on FreeBSD #3254
Description
Detailed Description of the Problem
I've just tried to update from HAProxy from 3.0.12 to 3.2.10.
On HAProxy 3.0.12 using the syntax tcp@192.168.123.4:53 works just fine. However, on HAProxy 3.2.10 this results in a syntax error:
[NOTICE] (80850) : haproxy version is 3.2.10-35a71a0
[NOTICE] (80850) : path to executable is /usr/local/sbin/haproxy
[ALERT] (80850) : config : parsing [haproxy.conf:19] : 'nameserver ns4' : unsupported stream protocol for stream family 2 address 'tcp@192.168.123.4:53'
[ALERT] (80850) : config : Error(s) found in configuration file : haproxy.conf
[ALERT] (80850) : config : Fatal errors found in configuration.
This error occurs on FreeBSD 14.3. I could not reproduce it on Linux (6.8.0-90-generic).
Expected Behavior
The syntax tcp@192.168.123.4:53 should pass the syntax check on FreeBSD too.
Steps to Reproduce the Behavior
- Create a sample haproxy.conf (see below)
- run syntax check:
haproxy -c -f haproxy.conf - fails:
'nameserver ns4' : unsupported stream protocol for stream family 2 address 'tcp@192.168.123.4:53'
Do you have any idea what may have caused this?
Seems to be related to using FreeBSD as the operating system. I was unable to reproduce this on Linux.
Do you have an idea how to solve the issue?
No response
What is your configuration?
$ uname -a
FreeBSD REDACTED 14.3-RELEASE-p3 FreeBSD 14.3-RELEASE-p3 GENERIC amd64
$ cat haproxy.conf
global
uid 80
gid 80
daemon
nbthread 1
no strict-limits
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
resolvers test_resolvers
nameserver ns3 udp@192.168.123.3:53
nameserver ns4 tcp@192.168.123.4:53
frontend test_frontend
bind 127.0.0.1:8888 name 127.0.0.1:8888
mode httpOutput of haproxy -vv
HAProxy version 3.2.10-35a71a0 2025/12/18 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2030.
Known bugs: http://www.haproxy.org/bugs/bugs-3.2.10.html
Running on: FreeBSD 14.3-RELEASE-p3 FreeBSD 14.3-RELEASE-p3 GENERIC amd64
Build options :
TARGET = freebsd
CC = cc
CFLAGS = -O2 -g -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -fwrapv -DFREEBSD_PORTS
OPTIONS = USE_GETADDRINFO=1 USE_OPENSSL=1 USE_ACCEPT4=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_TFO=1 USE_THREAD_DUMP=1 USE_QUIC=1 USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_QUIC_OPENSSL_COMPAT=1
DEBUG =
Feature list : -51DEGREES +ACCEPT4 -BACKTRACE +CLOSEFROM +CPU_AFFINITY -CRYPT_H -DEVICEATLAS -DL -ENGINE -EPOLL -EVPORTS +GETADDRINFO +KQUEUE -LIBATOMIC +LIBCRYPT -LINUX_CAP -LINUX_SPLICE -LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING -NETFILTER -NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL -PRCTL +PROCCTL +PROMEX -PTHREAD_EMULATION +QUIC +QUIC_OPENSSL_COMPAT -RT -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB +ACME
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_TGROUPS=32, MAX_THREADS=1024, default=2).
Built with SSL library version : OpenSSL 3.0.16 11 Feb 2025
Running on SSL library version : OpenSSL 3.0.16 11 Feb 2025
SSL library supports TLS extensions : yes
SSL library supports SNI : yes
SSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
QUIC: connection socket-owner mode support : no
QUIC: GSO emission support : no
Built with the Prometheus exporter as a service
Built with zlib version : 1.3.1
Running on zlib version : 1.3.1
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with PCRE2 version : 10.47 2025-10-21
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with clang compiler version 19.1.7 (https://github.com/llvm/llvm-project.git llvmorg-19.1.7-0-gcd708029e0b2)
Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use kqueue.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
quic : mode=HTTP side=FE mux=QUIC flags=HTX|NO_UPG|FRAMED
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
spop : mode=SPOP side=BE mux=SPOP flags=HOL_RISK|NO_UPG
<default> : mode=SPOP side=BE mux=SPOP flags=HOL_RISK|NO_UPG
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
Available services : prometheus-exporter
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
Last Outputs and Backtraces
Additional Information
I've DIFFed the output of haproxy -vv for the working (3.0.12) and non-working (3.2.8) version, but couldn't find anything useful:
--- haproxy_3.0.12 2026-01-26 15:33:56.800278000 +0100
+++ haproxy_3.2.8 2026-01-26 15:27:21.873355000 +0100
@@ -1,26 +1,28 @@
-HAProxy version 3.0.12-21a355d 2025/10/03 - https://haproxy.org/
-Status: long-term supported branch - will stop receiving fixes around Q2 2029.
-Known bugs: http://www.haproxy.org/bugs/bugs-3.0.12.html
+HAProxy version 3.2.8-9200f39 2025/11/07 - https://haproxy.org/
+Status: long-term supported branch - will stop receiving fixes around Q2 2030.
+Known bugs: http://www.haproxy.org/bugs/bugs-3.2.8.html
Running on: FreeBSD 14.3-RELEASE-p7 FreeBSD 14.3-RELEASE-p7 stable/25.7-n271813-98ad27755186 SMP amd64
-Build options :
+Build options :
TARGET = freebsd
CC = cc
CFLAGS = -O2 -g -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -fwrapv -DFREEBSD_PORTS
OPTIONS = USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ACCEPT4=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_TFO=1 USE_THREAD_DUMP=1 USE_QUIC=1 USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_QUIC_OPENSSL_COMPAT=1
DEBUG =
-Feature list : -51DEGREES +ACCEPT4 -BACKTRACE +CLOSEFROM +CPU_AFFINITY -CRYPT_H -DEVICEATLAS -DL -ENGINE -EPOLL -EVPORTS +GETADDRINFO +KQUEUE -LIBATOMIC +LIBCRYPT -LINUX_CAP -LINUX_SPLICE -LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING -NETFILTER -NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL -PRCTL +PROCCTL +PROMEX -PTHREAD_EMULATION +QUIC +QUIC_OPENSSL_COMPAT -RT +SHM_OPEN -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 -SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB
+Feature list : -51DEGREES +ACCEPT4 -BACKTRACE +CLOSEFROM +CPU_AFFINITY -CRYPT_H -DEVICEATLAS -DL -ENGINE -EPOLL -EVPORTS +GETADDRINFO +KQUEUE -LIBATOMIC +LIBCRYPT -LINUX_CAP -LINUX_SPLICE -LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING -NETFILTER -NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL -PRCTL +PROCCTL +PROMEX -PTHREAD_EMULATION +QUIC +QUIC_OPENSSL_COMPAT -RT -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB +ACME
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
-Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=2).
-Built with OpenSSL version : OpenSSL 3.0.18 30 Sep 2025
-Running on OpenSSL version : OpenSSL 3.0.18 30 Sep 2025
-OpenSSL library supports TLS extensions : yes
-OpenSSL library supports SNI : yes
-OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
+Built with multi-threading support (MAX_TGROUPS=32, MAX_THREADS=1024, default=2).
+Built with SSL library version : OpenSSL 3.0.16 11 Feb 2025
+Running on SSL library version : OpenSSL 3.0.16 11 Feb 2025
+SSL library supports TLS extensions : yes
+SSL library supports SNI : yes
+SSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default legacy
+QUIC: connection socket-owner mode support : no
+QUIC: GSO emission support : no
Built with Lua version : Lua 5.3.6
Built with the Prometheus exporter as a service
Built with zlib version : 1.3.1
@@ -45,6 +47,8 @@
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
+ spop : mode=SPOP side=BE mux=SPOP flags=HOL_RISK|NO_UPG
+ <default> : mode=SPOP side=BE mux=SPOP flags=HOL_RISK|NO_UPG
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=