Revision history for src/usr.sbin/relayd (default branch: MAIN)
Revision 1.259, Wed Jan 17 10:01:24 2024 UTC, by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.258: +2 -2 lines
Use imsg_get_fd()
As usual proc_forward_imsg() is never forwarding a file descriptor so just use -1 there. This should be replaced by imsg_forward(). All other changes are simple conversions.
OK tb@
Revision 1.258, Sun Oct 29 11:27:11 2023 UTC, by kn
Branch: MAIN
Changes since 1.257: +3 -3 lines
Unmention/don't explain SSL, drop 9y old "ssl" keyword/deprecation warning
Switch "ssl" to "tls" in relayd.conf(5) if you haven't done so in the last ten years, "ssl" is now an error. Say "TLS" not "SSL/TLS" and drop the primer in the TLS RELAYS section.
OK benno
Revision 1.257, Sun Sep 3 10:22:03 2023 UTC, by nicm
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.256: +2 -2 lines
Use EVBUFFER_DATA instead of reaching into struct evbuffer. ok tb
Revision 1.256, Tue Jun 6 15:16:52 2023 UTC, by beck
Branch: MAIN
Changes since 1.255: +1 -5 lines
Make the tlsv1.0 and tlsv1.1 options in relayd do nothing
Also document that fact, and that the existing ssl3 option does nothing. This changes relayd to no longer request tls1.0 or tls1.1 in preparation for the upcoming deprecation of these out of date protocols.
ok jsing@ bluhm@ tb@ claudio@ benno@
Revision 1.255, Wed Dec 28 21:30:18 2022 UTC, by jmc
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.254: +3 -3 lines
spelling fixes; from paul tagliamonte. Any parts of his diff not taken are noted on tech.
Revision 1.254, Wed Mar 24 20:59:53 2021 UTC, by benno
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.253: +2 -2 lines
Responses to HEAD requests must not have a message body (even though they have a Content-Length header). HTTP RFC 7231 section 4.3.2. found by niklas@, claudio@ agrees.
Revision 1.253, Wed Jan 27 20:33:05 2021 UTC, by eric
Branch: MAIN
Changes since 1.252: +8 -26 lines
remove bogus key hack now that it's handled by libtls
no objection claudio@ ok tb@ jsing@
Revision 1.252, Sat Jan 9 08:53:58 2021 UTC, by denis
Branch: MAIN
Changes since 1.251: +8 -3 lines
Add 'strip' directive
Feedback by Olivier Cherrier, Hiltjo Posthuma, Mischa
OK benno@
Revision 1.251, Thu May 14 17:27:38 2020 UTC, by pvk
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.250: +3 -1 lines
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
Revision 1.250, Sat Jul 13 06:53:00 2019 UTC, by chrisz
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.249: +3 -2 lines
Don't "forward to <table>" when a "forward to destination" address is set. This matches the documented behaviour. On matching "forward to <table>" filter rules the "forward to destination" address is unset, so that in that case the "forward to <table>" rule is still used. OK benno@, regression tests still passing.
Revision 1.249, Fri Jun 28 13:32:50 2019 UTC, by deraadt
Branch: MAIN
Changes since 1.248: +3 -3 lines
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
Revision 1.248, Wed Jun 26 12:13:47 2019 UTC, by reyk
Branch: MAIN
Changes since 1.247: +17 -5 lines
Add support for OCSP stapling
Many thanks to Bruno Flueckiger who independently sent a very similar patch. He also tested the one I'm committing that it works as expected.
OK tb@
Revision 1.247, Fri May 31 15:15:37 2019 UTC, by reyk
Branch: MAIN
Changes since 1.246: +43 -27 lines
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
Revision 1.246, Wed May 29 11:48:28 2019 UTC, by reyk
Branch: MAIN
Changes since 1.245: +1 -101 lines
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
Revision 1.245, Mon May 13 09:54:07 2019 UTC, by reyk
Branch: MAIN
Changes since 1.244: +49 -19 lines
Fix filter rules with "forward to" statement in persistent connections. OK bentley@ mikeb@
Revision 1.244, Fri May 10 09:15:00 2019 UTC, by reyk
Branch: MAIN
Changes since 1.243: +33 -15 lines
Add support for from/to in relay filter rules. For example,
pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
Revision 1.243, Wed May 8 23:22:19 2019 UTC, by reyk
Branch: MAIN
Changes since 1.242: +2 -8 lines
Fix and tweak websocket upgrade handling.
- Don't expect the Connection header to equal Upgrade, it may include Upgrade
- Reshuffle the code to check the Upgrade/Connection headers in one place
Reported and tested by Rivo Nurges
OK and input from benno@
Revision 1.242, Mon Mar 4 21:25:03 2019 UTC, by benno
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.241: +8 -2 lines
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
Revision 1.241, Wed Sep 19 11:28:02 2018 UTC, by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.240: +9 -1 lines
Do not abort when the ca privenc runs into a timeout. OK claudio@
Revision 1.240, Mon Aug 6 17:31:31 2018 UTC, by benno
Branch: MAIN
Changes since 1.239: +52 -41 lines
replace the current log options log updates|all with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks. The third option controls logging of connections in relay mode: Either log all connections, or only errors. Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
Revision 1.239, Sun Jun 10 20:41:47 2018 UTC, by benno
Branch: MAIN
Changes since 1.238: +9 -5 lines
When a TLS error occurs, print the tls_error() message as part of the connection closed log message, not just as debug message. ok claudio@ reyk@
Revision 1.238, Wed Apr 18 12:10:54 2018 UTC, by claudio
Branch: MAIN
Changes since 1.237: +2 -3 lines
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
Revision 1.237, Wed Dec 27 15:53:30 2017 UTC, by benno
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.236: +17 -6 lines
log specific error when connect() fails. ok claudio@, feedback bluhm@
Revision 1.236, Tue Nov 28 01:51:47 2017 UTC, by claudio
Branch: MAIN
Changes since 1.235: +37 -27 lines
Introduce relay_reset_event() which closes and resets a relay connection. Currently this is only used by relay_close() but will be needed in near future. OK benno@
Revision 1.235, Tue Nov 28 01:24:22 2017 UTC, by claudio
Branch: MAIN
Changes since 1.234: +5 -4 lines
In TLS inspection mode we also need to keep the server tls object around. For this we need to add an additional pointer to the ctl_relay_event. Diff from Petri Mikkila (pmikkila at gmail) OK benno@
Revision 1.234, Tue Nov 28 00:17:56 2017 UTC, by claudio
Branch: MAIN
Changes since 1.233: +2 -2 lines
Add space between to and read like in other DPRINTFs.
Revision 1.233, Mon Nov 27 23:21:16 2017 UTC, by claudio
Branch: MAIN
Changes since 1.232: +4 -4 lines
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3), so it is possible to specify multiple curves. If people specified curves in their config they need to adjust their config now. OK beck@
Revision 1.232, Mon Nov 27 23:04:26 2017 UTC, by claudio
Branch: MAIN
Changes since 1.231: +5 -4 lines
lseek/read is racy when there are multiple consumers. Use pread instead. Solves the startup issues seen by bluhm@. pread idea from guenther@. While there save the errno in the error case. OK bluhm@
Revision 1.231, Mon Nov 27 21:09:55 2017 UTC, by claudio
Branch: MAIN
Changes since 1.230: +3 -1 lines
Add a DPRINTF() in relay_error() that helped me out way too many times.
Revision 1.230, Mon Nov 27 21:06:26 2017 UTC, by claudio
Branch: MAIN
Changes since 1.229: +55 -34 lines
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
Revision 1.229, Mon Nov 27 17:35:49 2017 UTC, by claudio
Branch: MAIN
Changes since 1.228: +8 -7 lines
Do not rip out the output buffer of the bufferevent. Instead just use an initial bufferevent_write_buffer() to write out the queued up HTTP request. OK benno@
Revision 1.228, Mon Nov 27 03:40:04 2017 UTC, by claudio
Branch: MAIN
Changes since 1.227: +4 -1 lines
relay_tls_connected() is playing with the inner bowels of bufferevents. Be more careful and remove the events before resetting them to the new backends. This is also what some of the bufferevent functions are doing. OK benno@
Revision 1.227, Sat Sep 23 11:56:57 2017 UTC, by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.226: +5 -3 lines
The relayd regression tests for chunked HTTP traffic were failing sporadically. If the \r and \n were read in separate chunks, relayd got out of sync with the protocol as they were interpreted as two lines. Use evbuffer_readln() with EVBUFFER_EOL_CRLF instead of evbuffer_readline(). OK benno@
Revision 1.226, Mon Aug 28 17:31:00 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.225: +4 -4 lines
Do not close the relay if data is still in the output buffer. Otherwise data not written could get lost. Also try to drain the buffers when socket splicing should be enabled. The latter was lost when the explicit bufferevent_enable() was added in relay_write(). bug report, analysis, initial fix, testing Rivo Nurges; OK beck@
Revision 1.225, Wed Aug 9 21:29:17 2017 UTC, by claudio
Branch: MAIN
Changes since 1.224: +4 -1 lines
Call tls_config_skip_private_key_check() to disable the key checking in the inspect case (same is done in the regular server mode). OK bluhm@ and jsing@
Revision 1.224, Sun Jul 30 09:33:08 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.223: +3 -4 lines
Fix a double free of the TLS config in the error path. OK claudio@
Revision 1.223, Fri Jul 28 13:58:52 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.222: +7 -3 lines
Always calculate the hash value of the x509 cert in ssl_load_pkey(). Check whether TLS server object is available before using it. With these fixes the ssl inspect regress test just fails and does not crash relayd. OK claudio@
Revision 1.222, Tue Jul 4 19:59:51 2017 UTC, by benno
Branch: MAIN
Changes since 1.221: +3 -3 lines
make relayd not crash in relay_udp_server() when using a dns relay. needs revisiting. From Rivo Nurges, thanks. ok florian@
Revision 1.221, Sun May 28 10:39:15 2017 UTC, by benno
Branch: MAIN
Changes since 1.220: +20 -20 lines
use __func__ in log messages. fix some whitespace while here. From Hiltjo Posthuma hiltjo -AT codemadness -DOT- org, thanks! ok florian, claudio
Revision 1.220, Sat May 27 08:33:25 2017 UTC, by claudio
Branch: MAIN
Changes since 1.219: +339 -476 lines
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
Revision 1.219, Thu Feb 2 08:24:16 2017 UTC, by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.218: +5 -61 lines
Disable client-initiated TLS renegotiation by default. It is rarely needed and imposes a light DoS risk. LibreSSL's libssl allows turning it off with a simple SSL_OP_NO_CLIENT_RENEGOTIATION option instead of the complicated implementation that was used before. It now turns it off completely instead of allowing one initial client-initiated renegotiation. It can still be enabled with "tls client-renegotiation". ok benno@ beck@ jsing@
Revision 1.218, Mon Jan 9 14:49:21 2017 UTC, by reyk
Branch: MAIN
Changes since 1.217: +2 -4 lines
Stop accessing verbose and debug variables from log.c directly. This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose(). Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
Revision 1.217, Thu Nov 10 13:21:58 2016 UTC, by jca
Branch: MAIN
Changes since 1.216: +25 -7 lines
Fix tcp ip ttl / minttl on IPv6 sockets. ok florian@
Revision 1.216, Thu Sep 29 22:04:28 2016 UTC, by benno
Branch: MAIN
Changes since 1.215: +2 -2 lines
fix DEBUG build after ps->ps_instance change ok reyk@ bluhm@
Revision 1.215, Mon Sep 26 16:25:16 2016 UTC, by reyk
Branch: MAIN
Changes since 1.214: +3 -3 lines
spacing
Revision 1.214, Fri Sep 23 12:06:15 2016 UTC, by jsg
Branch: MAIN
Changes since 1.213: +10 -6 lines
use sizeof instead of constant 16 in function calls suggested by and ok reyk@
Revision 1.213, Thu Sep 22 07:56:48 2016 UTC, by jsg
Branch: MAIN
Changes since 1.212: +5 -5 lines
Change function arguments from "unsigned char keyname[16]" to "unsigned char *keyname" to make it clear that an array size can not be inferred. Suggested by millert@
Revision 1.212, Thu Sep 22 06:18:58 2016 UTC, by jsg
Branch: MAIN
Changes since 1.211: +3 -3 lines
correct invalid use of sizeof ok krw@ millert@ claudio@
Revision 1.211, Fri Sep 2 14:45:51 2016 UTC, by reyk
Branch: MAIN
Changes since 1.210: +10 -8 lines
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts. With input from and OK claudio@ benno@
Revision 1.210, Fri Sep 2 14:31:47 2016 UTC, by reyk
Branch: MAIN
Changes since 1.209: +12 -10 lines
proc_id has been replaced by ps->ps_instance. OK claudio@
Revision 1.209, Fri Sep 2 12:12:51 2016 UTC, by reyk
Branch: MAIN
Changes since 1.208: +1 -4 lines
As done in httpd, remove ps_ninstances and p_instance. OK benno@ rzalamena@
Revision 1.208, Fri Sep 2 11:51:49 2016 UTC, by reyk
Branch: MAIN
Changes since 1.207: +3 -6 lines
Terminate relayd using the socket status instead of watching SIGCHLD or killing child processes. - Based on rzalamena@'s diff for httpd. OK deraadt@ rzalamena@
Revision 1.207, Thu Sep 1 10:49:48 2016 UTC, by claudio
Branch: MAIN
Changes since 1.206: +86 -18 lines
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows resuming the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
Revision 1.206, Wed Dec 30 16:00:57 2015 UTC, by benno
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.205: +3 -5 lines
SSL_CTX_free() and SSL_free() check for null so don't do it in relayd ok jung@ tedu@ deraadt@
Revision 1.205, Thu Dec 24 05:06:24 2015 UTC, by mmcc
Branch: MAIN
Changes since 1.204: +2 -2 lines
completly -> completely
Revision 1.204, Mon Dec 7 04:03:27 2015 UTC, by mmcc
Branch: MAIN
Changes since 1.203: +7 -13 lines
Remove NULL-checks before free(). No functional change.
Revision 1.203, Sat Dec 5 20:58:32 2015 UTC, by benno
Branch: MAIN
Changes since 1.202: +2 -2 lines
initialize host, to get rid of gcc warning, the conditions are correct. ok henning@
Revision 1.202, Fri Dec 4 15:28:55 2015 UTC, by benno
Branch: MAIN
Changes since 1.201: +4 -1 lines
pledge the relay (layer 7 proxy) children, they can do with "stdio recvfd inet" ok reyk@
Revision 1.201, Wed Dec 2 22:12:29 2015 UTC, by benno
Branch: MAIN
Changes since 1.200: +27 -6 lines
relayd (when running relays) can distribute client sessions over hosts with a hash generated from different data and calculate modulo rlt->rlt_nhosts to find the host the session should go to. If this host is down, the current algorithm simply selects the next host that is up, obviously not ideal, because this puts heavier load on this next host. this changes the algorithm: if the chosen host is not available, the hash value is recalculated and retried until a host that is usable is found or a maximum of retries is reached (in that case the old method is used). ok and nice input on my original idea bluhm@
Revision 1.200, Wed Dec 2 13:41:27 2015 UTC, by reyk
Branch: MAIN
Changes since 1.199: +11 -13 lines
In most cases we don't need all arguments of proc_compose*_imsg(), so add a shortcut proc_compose*() that skips all of them. Only use the full argument list if needed. The functions with full argument lists can eventually be replaced with a nicer transaction-based approach later. OK benno@
Revision 1.199, Sat Nov 28 09:52:07 2015 UTC, by reyk
Branch: MAIN
Changes since 1.198: +3 -7 lines
Use SOCK_NONBLOCK in relayd as well. OK benno@
Revision 1.191.2.1, Sun Sep 20 11:20:16 2015 UTC, by benno
Branch: OPENBSD_5_7
Changes since 1.191: +48 -18 lines
maintenance diff for relayd
MFC the following changes
- Missing free(3) in error path (ssl.c,v 1.29)
- fix a memory leak. (pfe.c,v 1.80)
- allocate se_log evbuffer before logging errors with relay_close() (relay.c,v 1.192)
- fix a file descriptor leak in http protocol handling (relay.c,v 1.193 and relay_http.c,v 1.44)
- Fix obvious problems with relayd config reload (ca.c,v 1.13; config.c,v 1.25; parse.y,v 1.204; relayd.c,v 1.139; relayd.h,v 1.209)
- http protocol: you cannot append to the previous key-value before line three of a request (relay_http.c,v 1.45)
- fix a crash / use after free (relay.c,v 1.194; relay_http.c,v 1.46)
- fix a non safe use of TAILQ_FOREACH with TAILQ_REMOVE (relay_http.c,v 1.47)
- Plug a memory leak by simplifying kv_free() (relayd.c,v 1.141)
- Fix memory leak in error case (relay_http.c,v 1.48)
- track the connection state of a session and stops doing double opens in certain situations (relay.c,v 1.195; relay_http.c,v 1.49; relayd.h,v 1.210)
- coding style (relay.c,v 1.196; relay_http.c,v 1.50; relayd.h,v 1.212)
ok claudio@, sthen@ and feedback tedu@
Revision 1.198, Tue Jul 28 10:24:26 2015 UTC, by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.197: +2 -2 lines
spacing
Revision 1.197, Sat Jul 18 16:01:28 2015 UTC, by benno
Branch: MAIN
Changes since 1.196: +17 -1 lines
Fix unbounded buffer growth. In the case of a slow client reading large files, we would consume large amounts of memory. Found by Matthew Martin <matt DOT a DOT martin AT gmail DOT com> in httpd, fixed in httpd by florian@ feedback from florian, reyk and bluhm, ok bluhm, reyk
Revision 1.196, Fri Jun 12 14:40:55 2015 UTC, by reyk
Branch: MAIN
Changes since 1.195: +12 -11 lines
To match relayd's style, use an explicit enum with prefixed names for the states that Claudio introduced. No functional change. OK claudio@ benno@
Revision 1.195, Mon Jun 8 15:47:51 2015 UTC, by claudio
Branch: MAIN
Changes since 1.194: +32 -7 lines
Introduce a state on the ctl_relay_event struct. This makes it possible to better track the connection state of a session and stops doing double opens in certain situations using http relays. Using a state field to simplify the logic since relay_connect() is called multiple times. OK benno@, bluhm@ and running in production for more than a week
Revision 1.194, Mon May 18 16:57:20 2015 UTC, by bluhm
Branch: MAIN
Changes since 1.193: +8 -2 lines
Fix a crash reported and analyzed by Bertrand PROVOST. When a HTTP client or server writes multiple requests or chunks in a single transfer, relayd invokes the libevent callback manually for the next data. If the callback closes the session, this resulted in a use after free. Instead of the more complicated fix suggested by Bertrand PROVOST, just move the invocation of the callback to the end of the function. So in case the callback frees any structures, they are not accessed. OK benno@ reyk@
Revision 1.193, Wed Apr 29 08:41:24 2015 UTC, by bluhm
Branch: MAIN
Changes since 1.192: +3 -3 lines
When the HTTP client did close the connection while relayd was still parsing the HTTP header, the session was never destroyed. This resulted in a file descriptor leak. Add a check whether the protocol knows how much data to expect. If relayd is reading unlimited data or is expecting nothing to read, ignore the end-of-file. Otherwise it is a protocol violation, so close the session immediately. While there, make relayd compile with DEBUG defined. Based on a diff from claudio@; tested by claudio@; OK claudio@ benno@
Revision 1.192, Thu Apr 23 17:03:01 2015 UTC, by florian
Branch: MAIN
Changes since 1.191: +7 -9 lines
We cannot log errors with relay_close() before allocating se_log evbuffer. (Same problem as the one just fixed in httpd(8)) OK benno
Revision 1.191, Fri Feb 6 01:37:11 2015 UTC, by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE
Branch point for: OPENBSD_5_7
Changes since 1.190: +2 -2 lines
Rename SSL_CTX_use_certificate_chain() to SSL_CTX_use_certificate_chain_mem(). As discussed with beck@ jsing@ and others OK beck@
Revision 1.190, Thu Jan 22 17:42:09 2015 UTC, by reyk
Branch: MAIN
Changes since 1.189: +7 -9 lines
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself. OK benno@
Revision 1.189, Thu Jan 22 15:21:28 2015 UTC, by reyk
Branch: MAIN
Changes since 1.188: +2 -2 lines
spacing
Revision 1.188, Thu Jan 22 09:26:05 2015 UTC, by reyk
Branch: MAIN
Changes since 1.187: +2 -2 lines
LibreSSL now supports loading of CA certificates from memory, replace the internal and long-serving ssl_ctx_load_verify_memory() function with a call to the SSL_CTX_load_verify_mem() API function. The ssl_privsep.c file with hacks for using OpenSSL in privsep'ed processes can now go away; portable versions of smtpd and relayd should start depending on LibreSSL or they have to carry ssl_privsep.c in openbsd-compat to work with legacy OpenSSL. No functional change. Based on previous discussions with gilles@ bluhm@ and many others OK bluhm@ (as part of the libcrypto/libssl/libtls diff)
Revision 1.187, Fri Jan 16 15:08:52 2015 UTC, by reyk
Branch: MAIN
Changes since 1.186: +2 -2 lines
SSL_CTX_use_certificate_chain() has been added to LibreSSL and there is no need to keep a local copy in ssl_privsep.c. This adds a little burden on OpenSMTPD-portable because it will have to put it in openbsd-compat for compatibility with legacy OpenSSL. OK gilles@
Revision 1.186, Fri Jan 16 15:06:40 2015 UTC, by deraadt
Branch: MAIN
Changes since 1.185: +6 -4 lines
Adapt to <limits.h> universe. ok millert
Revision 1.185, Fri Jan 16 14:34:51 2015 UTC, by reyk
Branch: MAIN
Changes since 1.184: +9 -4 lines
The SSL/TLS session Id context is limited to 32 bytes. Instead of using the name of relayd relay or smtpd pki, use a 32 byte arc4random buffer that should be unique for the context. This fixes an issue in OpenSMTPD when a long pki name could break the configuration. OK gilles@ benno@
Revision 1.184, Sun Dec 21 00:54:49 2014 UTC (9 years, 5 months ago) by guenther
Branch: MAIN
Changes since 1.183: +1 -2 lines
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't. ok reyk@
Revision 1.183, Thu Dec 18 20:55:01 2014 UTC (9 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.182: +40 -42 lines
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument. With input from Max Fillinger. ok tedu@
Revision 1.182, Fri Dec 12 10:05:09 2014 UTC (9 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.181: +153 -153 lines
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now. (btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html) OK benno@, with input from tedu@
Revision 1.181, Wed Nov 19 10:24:40 2014 UTC (9 years, 6 months ago) by blambert
Branch: MAIN
Changes since 1.180: +32 -2 lines
Support exporting relayd statistics via AgentX/snmpd. This should be equivalent to the statistics available via the various relaydctl show commands. okay benno@ reyk@
Revision 1.180, Fri Nov 7 13:48:06 2014 UTC (9 years, 7 months ago) by jsing
Branch: MAIN
Changes since 1.179: +6 -3 lines
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended. ok reyk@
Revision 1.179, Sat Oct 25 03:23:49 2014 UTC (9 years, 7 months ago) by lteo
Branch: MAIN
Changes since 1.178: +1 -2 lines
Remove unnecessary netinet/in_systm.h include. ok millert@
Revision 1.178, Wed Oct 15 11:06:16 2014 UTC (9 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.177: +6 -2 lines
Disable SSLv3 by default. OK sthen@ jsing@
Revision 1.177, Fri Sep 5 10:19:26 2014 UTC (9 years, 9 months ago) by blambert
Branch: MAIN
Changes since 1.176: +7 -78 lines
Revert previous; it was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation. Apologies to anybody who got bitten by this mistake. ok reyk@
Revision 1.176, Fri Aug 29 09:03:36 2014 UTC (9 years, 9 months ago) by blambert
Branch: MAIN
Changes since 1.175: +78 -7 lines
Implement consistent host hashing for relayd, based on work done by andre@. Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past). Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so. ok reyk@
Revision 1.175, Mon Jul 14 00:11:12 2014 UTC (9 years, 10 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.174: +6 -1 lines
When a connection was spliced in one direction and in copy mode in the other direction, the timeouts did not work. They were longer than specified. Link the splicing and non-splicing timeouts. Found by make run-regress-args-timeout-http.pl OK reyk@
Revision 1.174, Sun Jul 13 00:32:08 2014 UTC (9 years, 10 months ago) by benno
Branch: MAIN
Changes since 1.173: +10 -1 lines
Improve log output for relays. Adjust regress tests. ok reyk
Revision 1.173, Fri Jul 11 16:59:38 2014 UTC (9 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.172: +135 -3 lines
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences. This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults. ok benno@
Revision 1.172, Wed Jul 9 16:42:05 2014 UTC (9 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.171: +154 -165 lines
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows writing versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later. With some testing, feedback, and help from benno@ and andre@. OK benno@
Revision 1.171, Fri Jun 27 07:49:08 2014 UTC (9 years, 11 months ago) by andre
Branch: MAIN
Changes since 1.170: +34 -34 lines
knf, no functional change. ok reyk
Revision 1.170, Tue May 20 17:33:36 2014 UTC (10 years ago) by reyk
Branch: MAIN
Changes since 1.169: +5 -5 lines
Unify the SSL privsep key loading functions. ok eric@
Revision 1.169, Tue Apr 22 08:04:23 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.168: +15 -5 lines
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id. ok benno@
Revision 1.168, Fri Apr 18 13:55:26 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.167: +19 -5 lines
Introduce privsep for private keys:
- Move RSA private keys to a new separate process instead of copying them to the relays. A custom RSA engine is used by the SSL/TLS code of the relay processes to send RSA private key encryption/decryption (also used for sign/verify) requests to the new "ca" processes instead of operating on the private key directly.
- Each relay process gets its own related ca process. Setting "prefork 5" in the config file will spawn 10 processes (5 relay, 5 ca). This diff also reduces the default number of relay processes from 5 to 3 which should be suitable in most installations without a very heavy load.
- Don't keep text versions of the keys in memory, parse them once and keep the binary representation. This might still be the case in OpenSSL's internals but will be fixed in the library.
This diff doesn't prevent something like "heartbleed" but adds an additional mitigation to prevent leakage of the private keys from the processes doing SSL/TLS. With feedback from many ok benno@
Revision 1.167, Mon Sep 9 17:57:44 2013 UTC (10 years, 9 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.166: +14 -3 lines
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS). ok djm@
Revision 1.150.2.1, Tue Jun 4 00:57:16 2013 UTC (11 years ago) by sthen
Branch: OPENBSD_5_2
Changes since 1.150: +3 -2 lines
Fix 5.2 similar to what was done in relay_http.c r1.15 in -current. From reyk@. With HTTP keepalive, relayd only filtered the first request and switched to pass-through mode for subsequent requests from the client. Make sure to stay in HTTP header mode.
Revision 1.166, Thu May 30 20:17:12 2013 UTC (11 years ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.165: +81 -10 lines
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details. ok benno@, manpage bits jmc@
Revision 1.165, Sat Apr 20 17:45:02 2013 UTC (11 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.164: +3 -2 lines
SSL_CTX_set_timeout only handles long for the delta timeval, so constrain it with MIN and LONG_MAX. It is only an interval, so it is fine. suggestion by djm, ok benno
Revision 1.164, Sun Mar 10 23:32:53 2013 UTC (11 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.163: +13 -15 lines
This diff changes relayd to use the monotonic clock instead of gettimeofday(). It was also bugging me for some time to have all these checks of gettimeofday()'s return value: it should not fail. So this diff introduces a void getmonotime(struct timeval *tv) that calls clock_gettime(CLOCK_MONOTONIC, &ts) and converts the output to a struct timeval that can be used with the existing code and the timeval-specific timer functions (timerclear, timersub, ...). It does not return a status but calls fatal() on error-that-should-not-happen. ok sthen@ chris@
Revision 1.163, Sat Mar 9 14:43:06 2013 UTC (11 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.162: +71 -10 lines
Enable TCP socket splicing for HTTP persistent connection and chunked transfer encoding. This speeds up relayd for more protocol modes by zero-copy TCP forwarding. OK reyk@ benno@
Revision 1.162, Tue Feb 5 21:36:33 2013 UTC (11 years, 4 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.161: +5 -1 lines
Rework http content and chunk handling in relayd. Use special toread values to track the current http header or chunk state. This allows handling an optional chunk trailer properly. Tracking the http state is also a prerequisite for splicing persistent http connections. OK and test reyk@ benno@
Revision 1.161, Thu Jan 17 20:34:18 2013 UTC (11 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.160: +31 -32 lines
Remove unnecessary pointer casts. No binary diff. OK benno@
Revision 1.160, Tue Dec 18 15:58:25 2012 UTC (11 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.159: +11 -16 lines
Reorder some variables and move large buffers to the top of the stack.
Revision 1.159, Thu Nov 29 01:01:53 2012 UTC (11 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.158: +4 -4 lines
Fix white spaces in relayd. No binary diff.
Revision 1.158, Tue Nov 27 05:00:28 2012 UTC (11 years, 6 months ago) by guenther
Branch: MAIN
Changes since 1.157: +3 -4 lines
Add format attributes to the proper functions and then fix the warnings that gcc then reports when compiling with -DDEBUG=2 ok reyk@ benno@
Revision 1.157, Fri Oct 19 16:49:50 2012 UTC (11 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.156: +18 -4 lines
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays. ok benno@
Revision 1.156, Thu Oct 4 20:53:30 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.155: +9 -8 lines
spacing
Revision 1.155, Wed Oct 3 08:40:40 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.154: +2 -2 lines
Inherit and pass the relay table flags correctly.
Revision 1.154, Wed Oct 3 08:33:31 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.153: +65 -37 lines
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
Revision 1.153, Fri Sep 21 09:56:27 2012 UTC (11 years, 8 months ago) by benno
Branch: MAIN
Changes since 1.152: +137 -16 lines
File descriptor accounting for relays: track how many connections to backend servers are unopened and reserve fds for them. ok reyk@, "don't wait" deraadt@
Revision 1.152, Thu Sep 20 12:30:20 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.151: +6 -1064 lines
Move the HTTP code into an extra file to make future changes easier to follow. No functional changes, only one function got renamed. ok benno@
Revision 1.151, Mon Sep 17 19:27:38 2012 UTC (11 years, 8 months ago) by benno
Branch: MAIN
Changes since 1.150: +4 -1 lines
Fix relay statistics. Found and fixed by Erik Lax (erik -at- halon -dot- se). ok reyk
Revision 1.150, Fri Jul 13 07:54:14 2012 UTC (11 years, 10 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE
Branch point for: OPENBSD_5_2
Changes since 1.149: +12 -1 lines
After connect() returns EINPROGRESS the connection can still fail, so check with getsockopt if the socket is open. ok mikeb@
Revision 1.149, Mon Jul 9 09:52:04 2012 UTC (11 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.148: +9 -9 lines
Allow relayd to handle transactions > 2GB in size. Tested by snapshot users and benno for a while. ok benno
Revision 1.148, Mon Apr 30 10:49:57 2012 UTC (12 years, 1 month ago) by benno
Branch: MAIN
Changes since 1.147: +15 -1 lines
The message-body should be forwarded for GET, HEAD and OPTIONS methods as well. ok giovanni@, phessler@, henning@
Revision 1.147, Fri Apr 27 14:01:35 2012 UTC (12 years, 1 month ago) by giovanni
Branch: MAIN
Changes since 1.146: +4 -2 lines
A message-body should be forwarded for DELETE method too. from Florian Obser ok pyr@
Revision 1.146, Wed Apr 11 08:25:26 2012 UTC (12 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.145: +29 -6 lines
Do rate limiting of accept() when under pressure, like in other recent daemons. Light testing by some relayd users; let me know if issues develop.
Revision 1.145, Sat Mar 24 14:48:18 2012 UTC (12 years, 2 months ago) by sthen
Branch: MAIN
Changes since 1.144: +21 -7 lines
Allow relayd to use a separate SSL certificate for each port (/etc/ssl/host:port.crt, /etc/ssl/private/host:port.key). ok benno@, todd@ likes it too, doc tweak suggested by jmc.
Revision 1.144, Sat Jan 21 13:40:48 2012 UTC (12 years, 4 months ago) by camield
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.143: +3 -1 lines
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet (and have relayd abort with "desynchronized" or "invalid host id"). ok henning pyr deraadt; "solves the problem" ok from benno todd
Revision 1.143, Wed Sep 21 18:45:40 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.142: +82 -38 lines
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
Revision 1.142, Fri Sep 16 14:29:26 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.141: +2 -3 lines
If a user configures logging explicitly in relayd.conf, do it regardless of debugging mode and compile switch. ok sthen@
Revision 1.141, Sun Sep 4 20:26:58 2011 UTC (12 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.140: +3 -3 lines
KNF, fix white spaces in relayd. No binary change. ok pyr@ sthen@
Revision 1.140, Sun Sep 4 10:42:47 2011 UTC (12 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.139: +3 -2 lines
Especially with SSL and short data transfers, it could happen that the client closed before the connection to the server has been established. Then the relay closed immediately before transferring any data. The solution is to delay the close until the other side has an event buffer. ok sthen@
Revision 1.139, Sun Sep 4 09:55:10 2011 UTC (12 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.138: +12 -9 lines
The relayd used the CHECK_TIMEOUT for connect and ssl handshake. This is 200 milliseconds and too short. Instead use the 600 seconds session timeout that is used for accepted sessions everywhere else. While there, make flag handling in relay_ssl_transaction() consistent to the other functions. tested and ok sthen@
Revision 1.138, Fri May 20 09:43:53 2011 UTC (13 years ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.137: +10 -4 lines
Concurrent calls of "relayctl show sessions" could crash relayd. Fix the show sessions handler by implementing it in an asynchronous way. Closes PR 6509. ok pyr@
Revision 1.137, Thu May 19 08:56:49 2011 UTC (13 years ago) by reyk
Branch: MAIN
Changes since 1.136: +103 -103 lines
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code. Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
Revision 1.136, Mon May 9 12:08:47 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.135: +144 -325 lines
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications. ok sthen@ pyr@
Revision 1.135, Thu May 5 12:01:44 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.134: +74 -76 lines
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
Revision 1.134, Sun Apr 24 10:07:43 2011 UTC (13 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.133: +19 -20 lines
Get rid of casts to struct rsession in relayd by not declaring a void pointer in struct ctl_relay_event. That way the compiler can do its job and enforce correct types. ok pyr@ deraadt@
Revision 1.133, Tue Apr 12 12:37:22 2011 UTC (13 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.132: +12 -3 lines
Update flags and printing of flags in debug mode, handle splicing flag.
Revision 1.132, Tue Apr 12 11:45:18 2011 UTC (13 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.131: +53 -3 lines
Enable socket splicing for relayd. This allows zero-copy data forwarding for plain tcp connections. feedback and ok reyk@
Revision 1.131, Thu Apr 7 13:22:29 2011 UTC (13 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.130: +32 -4 lines
Add support for divert-to which provides some benefits over rdr-to. ok mikeb@
Revision 1.130, Sat Mar 12 21:06:40 2011 UTC (13 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.129: +3 -2 lines
Fix previous commit. When data arrives from the client before the server connection is set up, do not enable read events for the other side.
Revision 1.129, Sat Mar 12 18:18:11 2011 UTC (13 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.128: +2 -2 lines
A connection that is constantly sending data unidirectionally from the client to the server did always trigger the session timeout. The reason for this behavior was that any read event reset the client side timeout. A read event on one side must reset the timeout for the other side instead. ok deraadt@
Revision 1.128, Mon Dec 20 12:38:06 2010 UTC (13 years, 5 months ago) by dhill
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.127: +11 -8 lines
Only set SO_REUSEPORT for listening ports. Fixes "Address already in use" errors seen on high load. OK reyk@ pyr@
Revision 1.127, Tue Nov 30 14:49:14 2010 UTC (13 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.126: +6 -6 lines
The returned SSL_METHOD of SSLv23_server_method()/SSLv23_client_method() is const now, adjust the variable and silence a compiler warning.
Revision 1.126, Tue Nov 30 14:38:45 2010 UTC (13 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.125: +3 -14 lines
The relayd processes did already bump up the socket file descriptor resource limits to the maximum of the daemon class but the host check process (hce/health checks) didn't and was limited to a fairly low default of 128 open sockets (openfiles-cur=128 in login.conf). This was reached fairly quickly with "check tcp" of many hosts. This diff increases the maximum number of monitored hosts and concurrent health checks in relayd in a significant way and may fix issues for people that have around 100 or more hosts (or fewer hosts with multiple checked ports). tested by phessler@ ok jsg@
Revision 1.125, Wed Nov 24 13:57:05 2010 UTC (13 years, 6 months ago) by jsg
Branch: MAIN
Changes since 1.124: +3 -1 lines
When disabling and enabling tables, set the number of hosts that are up to zero; this is consistent with pfe and makes other parts of the code better behaved. From Patrik Lundin. ok reyk@
Revision 1.124, Tue Nov 16 15:31:01 2010 UTC (13 years, 6 months ago) by jsg
Branch: MAIN
Changes since 1.123: +17 -1 lines
Add support for enable/disable table when using relays instead of redirects. From Patrik Lundin and Linus Widstromer. ok reyk@
Revision 1.122.2.1, Tue Oct 26 01:50:13 2010 UTC (13 years, 7 months ago) by william
Branch: OPENBSD_4_8
Changes since 1.122: +7 -1 lines
MFC:
date: 2010/10/12 14:52:21; author: dhill; state: Exp; lines: +7 -1
Plug a significant memory leak when using SSL. ok claudio@, jsg@, phessler@
requested by dhill, ok deraadt pyr
Revision 1.119.2.1, Tue Oct 26 01:49:49 2010 UTC (13 years, 7 months ago) by william
Branch: OPENBSD_4_7
Changes since 1.119: +7 -1 lines
MFC:
date: 2010/10/12 14:52:21; author: dhill; state: Exp; lines: +7 -1
Plug a significant memory leak when using SSL. ok claudio@, jsg@, phessler@
requested by dhill, ok deraadt pyr
Revision 1.123, Tue Oct 12 14:52:21 2010 UTC (13 years, 7 months ago) by dhill
Branch: MAIN
Changes since 1.122: +7 -1 lines
Plug a significant memory leak when using SSL. ok claudio@, jsg@, phessler@
Revision 1.122, Sun Aug 1 22:18:35 2010 UTC (13 years, 10 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE
Branch point for: OPENBSD_4_8
Changes since 1.121: +4 -2 lines
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
Revision 1.121, Wed May 26 13:56:08 2010 UTC (14 years ago) by nicm
Branch: MAIN
Changes since 1.120: +5 -5 lines
Rename some imsg bits to make namespace collisions less likely: buf to ibuf, buf_read to ibuf_read, READ_BUF_SIZE to IBUF_READ_SIZE. ok henning gilles claudio jacekm deraadt
Revision 1.120, Fri May 14 11:13:36 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.119: +20 -9 lines
Allocate all struct event's on the heap; it looks cleaner, feels better and follows a suggestion in event.h. Also don't mix signal() and signal_set()/signal_add(). ok jsg@ gilles@
Revision 1.119, Thu Feb 18 16:33:25 2010 UTC (14 years, 3 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE
Branch point for: OPENBSD_4_7
Changes since 1.118: +26 -5 lines
Fix a leak that could happen with multiple requests on the one connection and, while here, create a separate function for handling cleaning up after a request; with suggestions from reyk and claudio. ok claudio@
Revision 1.118, Mon Jan 11 06:40:14 2010 UTC (14 years, 5 months ago) by jsg
Branch: MAIN
Changes since 1.117: +6 -1 lines
Add "log brief" and "log verbose" to change logging verbosity like several other things in the tree. ok reyk@, looks fine claudio@
Revision 1.117, Fri Aug 7 11:21:53 2009 UTC (14 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.116: +46 -46 lines
Rename 'struct session' to 'struct rsession' because it conflicts with another 'struct session' in sys/sysctl.h.
Revision 1.116, Sun Jun 7 05:56:25 2009 UTC (15 years ago) by eric
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.115: +2 -2 lines
Change the way fds passed over a socket are retrieved on the receiving side. Currently the receiver fetches an imsg via imsg_get() and if he expects an fd, he then calls imsg_get_fd() to fetch the next fd queued on the imsgbuf from which the imsg came. This change hides the fd queueing mechanism from the API user. When closing an imsg with an fd, the message is flagged so that the receiving end knows it must dequeue the fd in imsg_get() and return it with the imsg structure. This way there is no (less) possible screw up from imsg_get_fd() not being called directly after imsg_get() by the user. The retrieved imsg is self-contained. ok pyr@, "I like that" henning@
Revision 1.115, Fri Jun 5 23:39:51 2009 UTC (15 years ago) by pyr
Branch: MAIN
Changes since 1.114: +35 -30 lines
4 handed diff with eric: Stop pushing event handling in the imsg framework. Instead, provide a small glue layer on top of both imsg and libevent. This finally clearly separates event handling and imsg construction. Sidetrack bonus: remove the mega-ugly hack of having a dummy imsg_event_add stub in relayctl. This will make bgpd (and thus henning) happy. Next up are smtpd and ospfd. ok eric@
Revision 1.114, Fri Jun 5 00:20:50 2009 UTC (15 years ago) by pyr
Branch: MAIN
Changes since 1.113: +7 -4 lines
Some KNF cleanup following the last sed.
Revision 1.113, Fri Jun 5 00:04:01 2009 UTC (15 years ago) by pyr
Branch: MAIN
Changes since 1.112: +7 -7 lines
Make imsg completely async model agnostic by not requiring an imsg_event_add function to be provided (which ended up being a named callback). Instead provide a wrapper in the daemon and call that everywhere. Previously discussed with the usual suspects; ok eric@, though not too happy about the function name (imsg_compose_event).
Revision 1.112, Tue Jun 2 12:24:16 2009 UTC (15 years ago) by reyk
Branch: MAIN
Changes since 1.111: +1 -5 lines
Remove extra imsg_event_add() after EV_WRITE checks; this is not required because it is called later and there is no return before. ok gilles@
Revision 1.111 / (download) - annotate - [select for diffs], Tue Jun 2 11:33:06 2009 UTC (15 years ago) by reyk
Branch: MAIN
Changes since 1.110: +11 -13 lines
Diff to previous 1.110 (colored)
Libevent may do an upcall with both EV_READ and EV_WRITE set. So change the code accordingly to allow that. Found by claudio@ in ospfd
Revision 1.110 / (download) - annotate - [select for diffs], Fri Apr 24 13:22:01 2009 UTC (15 years, 1 month ago) by pyr
Branch: MAIN
Changes since 1.109: +2 -2 lines
Diff to previous 1.109 (colored)
don't truncate http headers when no separator is given between key and value. ok & ``makes sense'' reyk@
Revision 1.109 / (download) - annotate - [select for diffs], Thu Apr 2 14:30:51 2009 UTC (15 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.108: +20 -3 lines
Diff to previous 1.108 (colored)
add support to specify a ca file (e.g. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
Revision 1.108 / (download) - annotate - [select for diffs], Wed Apr 1 14:56:38 2009 UTC (15 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.107: +104 -13 lines
Diff to previous 1.107 (colored)
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course. This was tested by some people a while ago.
Revision 1.107 / (download) - annotate - [select for diffs], Mon Sep 29 15:50:56 2008 UTC (15 years, 8 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE,
OPENBSD_4_5
Changes since 1.106: +27 -13 lines
Diff to previous 1.106 (colored)
fix log option with filter rules
Revision 1.106 / (download) - annotate - [select for diffs], Mon Sep 29 15:27:20 2008 UTC (15 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.105: +7 -2 lines
Diff to previous 1.105 (colored)
also log the label if available for the matching rule node (like the URL filter category etc.)
Revision 1.105 / (download) - annotate - [select for diffs], Mon Sep 29 15:12:22 2008 UTC (15 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.104: +13 -7 lines
Diff to previous 1.104 (colored)
spacing
Revision 1.104 / (download) - annotate - [select for diffs], Mon Aug 11 08:24:41 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.103: +2 -2 lines
Diff to previous 1.103 (colored)
more goto fail on gettimeofday error
Revision 1.103 / (download) - annotate - [select for diffs], Mon Aug 11 08:07:14 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.102: +26 -16 lines
Diff to previous 1.102 (colored)
better handling of HTTP POSTs or requests with Content-Length.
Revision 1.102 / (download) - annotate - [select for diffs], Mon Aug 11 06:42:06 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.101: +4 -2 lines
Diff to previous 1.101 (colored)
add missing 'break' to read HTTP content correctly
Revision 1.101 / (download) - annotate - [select for diffs], Fri Aug 8 22:49:33 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.100: +6 -1 lines
Diff to previous 1.100 (colored)
add a variable $SERVER_NAME which is "OpenBSD relayd" by default.
Revision 1.100 / (download) - annotate - [select for diffs], Fri Aug 8 20:34:30 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.99: +3 -2 lines
Diff to previous 1.99 (colored)
chunked encoding may include empty lines at random places, do not abort the session if we get an empty line except for the expected chunk header.
Revision 1.99 / (download) - annotate - [select for diffs], Fri Aug 8 19:13:24 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.98: +7 -3 lines
Diff to previous 1.98 (colored)
fix possible memleaks in chunked encoding handler
Revision 1.98 / (download) - annotate - [select for diffs], Fri Aug 8 18:56:05 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.97: +7 -5 lines
Diff to previous 1.97 (colored)
only dump all protocol nodes with DEBUG > 1.
Revision 1.97 / (download) - annotate - [select for diffs], Fri Aug 8 18:38:14 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.96: +6 -5 lines
Diff to previous 1.96 (colored)
Support HTTP responses that neither specify a Content-Length header nor chunked encoding. We don't know the length of the HTTP body in this case, so it only works for single-pass HTTP responses without subsequent HTTP response headers in the stream. You can still enforce the Content-Length header with an "expect" rule. For example, this fixes response handling from undeadly.org (thttpd) if relayd is running as a transparent HTTP proxy.
Revision 1.96 / (download) - annotate - [select for diffs], Fri Aug 8 08:51:21 2008 UTC (15 years, 10 months ago) by thib
Branch: MAIN
Changes since 1.95: +9 -9 lines
Diff to previous 1.95 (colored)
Check gettimeofday() against -1; Add a missing error check in one place. OK reyk@
Revision 1.95 / (download) - annotate - [select for diffs], Tue Jul 22 23:17:37 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE,
OPENBSD_4_4
Changes since 1.94: +18 -2 lines
Diff to previous 1.94 (colored)
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need for the faith(4) interface. The trick works in both directions: it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd. manpage bits ok jmc@ yes, sounds good todd@
Revision 1.94 / (download) - annotate - [select for diffs], Wed Jul 16 15:02:19 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.93: +3 -2 lines
Diff to previous 1.93 (colored)
relay_connect() may fail, close the session in the bindany callback if it does.
Revision 1.93 / (download) - annotate - [select for diffs], Wed Jul 16 14:49:44 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.92: +9 -2 lines
Diff to previous 1.92 (colored)
use getsockname() to find out the local address of a connection before doing a nat lookup. this fixes nat lookups when the relay is listening to a wildcard IPv4/IPv6 address (like 0.0.0.0 or ::).
Revision 1.92 / (download) - annotate - [select for diffs], Wed Jul 9 17:16:51 2008 UTC (15 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.91: +11 -1 lines
Diff to previous 1.91 (colored)
Use OpenBSD's knuth shuffle algorithm of random values from bind to produce the DNS request ids instead of a simple per-request arc4random(). This ensures randomness but also satisfies the non-repeating property we need. ok deraadt@
Revision 1.91 / (download) - annotate - [select for diffs], Wed Jul 9 14:57:01 2008 UTC (15 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.90: +2 -1 lines
Diff to previous 1.90 (colored)
also set the protocol, either TCP or UDP, in the NAT lookup. this unbreaks NAT lookups with UDP; tested as a transparent DNS relay.
Revision 1.90 / (download) - annotate - [select for diffs], Wed Jun 11 18:21:19 2008 UTC (16 years ago) by reyk
Branch: MAIN
Changes since 1.89: +96 -21 lines
Diff to previous 1.89 (colored)
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows building fully-transparent ssl encapsulation for tcp sessions and many other things... based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8) ok markus@ pyr@
Revision 1.89 / (download) - annotate - [select for diffs], Thu May 8 02:27:58 2008 UTC (16 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.88: +6 -4 lines
Diff to previous 1.88 (colored)
move the session keys used by dns in a protocol-specific private ptr.
Revision 1.88 / (download) - annotate - [select for diffs], Mon May 5 12:33:55 2008 UTC (16 years, 1 month ago) by pyr
Branch: MAIN
Changes since 1.87: +4 -1 lines
Diff to previous 1.87 (colored)
Put relay sockets in non blocking mode too. This got forgotten along the way and didn't show since our read buffers are small. ``put it in'' reyk@
Revision 1.87 / (download) - annotate - [select for diffs], Fri Mar 21 05:22:11 2008 UTC (16 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.86: +15 -25 lines
Diff to previous 1.86 (colored)
better handling of chunked encoding, further fixes after extensive testing
Revision 1.86 / (download) - annotate - [select for diffs], Thu Mar 20 22:24:46 2008 UTC (16 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.85: +10 -4 lines
Diff to previous 1.85 (colored)
handle the case that the Content-Length HTTP header may be 0
Revision 1.85 / (download) - annotate - [select for diffs], Mon Mar 3 16:41:36 2008 UTC (16 years, 3 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE,
OPENBSD_4_3
Changes since 1.84: +15 -10 lines
Diff to previous 1.84 (colored)
improve the compare function of addresses respecting the ports; this will fix the tree lookups in some cases. From Nigel Taylor ok pyr@ deraadt@
Revision 1.84 / (download) - annotate - [select for diffs], Wed Feb 13 11:32:59 2008 UTC (16 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.83: +2 -2 lines
Diff to previous 1.83 (colored)
bump copyright
Revision 1.83 / (download) - annotate - [select for diffs], Tue Feb 5 14:12:58 2008 UTC (16 years, 4 months ago) by thib
Branch: MAIN
Changes since 1.82: +2 -2 lines
Diff to previous 1.82 (colored)
Fix a debug printf. After the session members got a se_ prefix this one was forgotten.
Revision 1.82 / (download) - annotate - [select for diffs], Mon Feb 4 12:12:30 2008 UTC (16 years, 4 months ago) by thib
Branch: MAIN
Changes since 1.81: +1 -8 lines
Diff to previous 1.81 (colored)
Move some prototypes from relay.c to relayd.h and remove their externs in other places; ok reyk@
Revision 1.81 / (download) - annotate - [select for diffs], Mon Feb 4 12:05:26 2008 UTC (16 years, 4 months ago) by thib
Branch: MAIN
Changes since 1.80: +1 -7 lines
Diff to previous 1.80 (colored)
Move the declaration of DPRINTF from relay.c to relayd.h so it can be reused; ok reyk@
Revision 1.80 / (download) - annotate - [select for diffs], Thu Jan 31 12:12:50 2008 UTC (16 years, 4 months ago) by thib
Branch: MAIN
Changes since 1.79: +176 -176 lines
Diff to previous 1.79 (colored)
add prefixes to names of structure elements to make it easier to grep for code, next struct session; ok reyk@;
Revision 1.79 / (download) - annotate - [select for diffs], Thu Jan 31 09:56:28 2008 UTC (16 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.78: +124 -124 lines
Diff to previous 1.78 (colored)
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later. ok thib@
Revision 1.78 / (download) - annotate - [select for diffs], Thu Jan 31 09:33:39 2008 UTC (16 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.77: +22 -22 lines
Diff to previous 1.77 (colored)
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally. ok thib@
Revision 1.77 / (download) - annotate - [select for diffs], Sat Dec 8 20:36:36 2007 UTC (16 years, 6 months ago) by pyr
Branch: MAIN
Changes since 1.76: +2 -2 lines
Diff to previous 1.76 (colored)
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
Revision 1.76 / (download) - annotate - [select for diffs], Sat Dec 8 17:07:09 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.75: +6 -6 lines
Diff to previous 1.75 (colored)
some changes to the relayd.conf configuration language and grammar. the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf) discussed with pyr and deraadt ok pyr@
Revision 1.75 / (download) - annotate - [select for diffs], Fri Dec 7 17:17:01 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.74: +9 -9 lines
Diff to previous 1.74 (colored)
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
Revision 1.74 / (download) - annotate - [select for diffs], Wed Nov 28 16:25:12 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.73: +15 -1 lines
Diff to previous 1.73 (colored)
bump the current file descriptor resource limit (openfiles-cur) to the maximum number of file descriptors for this login class (openfiles-max) of the relay child processes. this will allow 1024 instead of just 128 open file descriptors in the default configuration (class daemon), use the openfiles-max capability and the sysctl kern.maxfiles to adjust the value. ok gilles@ pyr@
Revision 1.73 / (download) - annotate - [select for diffs], Wed Nov 28 14:41:36 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.72: +3 -3 lines
Diff to previous 1.72 (colored)
typos
Revision 1.72 / (download) - annotate - [select for diffs], Mon Nov 26 09:38:25 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.71: +33 -24 lines
Diff to previous 1.71 (colored)
allow adding labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information. ok pyr@
Revision 1.71 / (download) - annotate - [select for diffs], Sat Nov 24 17:43:47 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.70: +3 -1 lines
Diff to previous 1.70 (colored)
tweak for hostnames without dots (like "localhost")
Revision 1.70 / (download) - annotate - [select for diffs], Sat Nov 24 17:07:28 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.69: +3 -5 lines
Diff to previous 1.69 (colored)
sort includes, adjust to style(9)
Revision 1.69 / (download) - annotate - [select for diffs], Sat Nov 24 16:13:50 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.68: +96 -15 lines
Diff to previous 1.68 (colored)
extend the url lookup algorithm to match the full URL and different possible suffix/prefix combinations by stripping subdomains, path components, and the query args. ok and tested by gilles@
Revision 1.68 / (download) - annotate - [select for diffs], Sat Nov 24 13:39:24 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.67: +2 -2 lines
Diff to previous 1.67 (colored)
fix goto to jump to the right place
Revision 1.67 / (download) - annotate - [select for diffs], Fri Nov 23 09:39:42 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.66: +44 -23 lines
Diff to previous 1.66 (colored)
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion. ok pyr@ gilles@
Revision 1.66 / (download) - annotate - [select for diffs], Thu Nov 22 16:07:03 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.65: +5 -2 lines
Diff to previous 1.65 (colored)
Fix relay roundrobin mode to work correctly when multiple hosts in a table are down. Thanks to Preston Norvell at serialssolutions dot com for reporting the problem.
Revision 1.65 / (download) - annotate - [select for diffs], Thu Nov 22 10:09:53 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.64: +82 -3 lines
Diff to previous 1.64 (colored)
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows matching against anonymized SHA1/MD5 digests of suffix/prefix expressions.
Revision 1.64 / (download) - annotate - [select for diffs], Wed Nov 21 20:41:40 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.63: +120 -93 lines
Diff to previous 1.63 (colored)
move HTTP cookie and query lookup code from the into separate functions (the if () else if () block was getting very big).
Revision 1.63 / (download) - annotate - [select for diffs], Wed Nov 21 20:01:45 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.62: +6 -3 lines
Diff to previous 1.62 (colored)
fix the tree comparison function. it turned out that it could fail with large trees of protocol actions.
Revision 1.62 / (download) - annotate - [select for diffs], Wed Nov 21 14:12:04 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.61: +9 -7 lines
Diff to previous 1.61 (colored)
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage. alright pyr@
Revision 1.61 / (download) - annotate - [select for diffs], Wed Nov 21 11:06:21 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.60: +15 -4 lines
Diff to previous 1.60 (colored)
more work on the "filter" action: close the connection instantly when receiving a filtered entity, fix some remaining issues.
Revision 1.60 / (download) - annotate - [select for diffs], Tue Nov 20 17:11:50 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.59: +12 -2 lines
Diff to previous 1.59 (colored)
limit the number of displayed lines per node in relay_protodebug().
Revision 1.59 / (download) - annotate - [select for diffs], Tue Nov 20 15:54:55 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.58: +113 -14 lines
Diff to previous 1.58 (colored)
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!). ok pyr@
Revision 1.58 / (download) - annotate - [select for diffs], Tue Nov 20 15:10:46 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.57: +8 -9 lines
Diff to previous 1.57 (colored)
another fix to handle "expect" and "filter" actions in the new style correctly. ok pyr@
Revision 1.57 / (download) - annotate - [select for diffs], Tue Nov 20 09:59:09 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.56: +1 -3 lines
Diff to previous 1.56 (colored)
spacing
Revision 1.56 / (download) - annotate - [select for diffs], Tue Nov 20 09:57:49 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.55: +6 -6 lines
Diff to previous 1.55 (colored)
minor change to some relay log messages
Revision 1.55 / (download) - annotate - [select for diffs], Mon Nov 19 15:31:36 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.54: +4 -4 lines
Diff to previous 1.54 (colored)
spacing
Revision 1.54 / (download) - annotate - [select for diffs], Mon Nov 19 14:48:19 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.53: +209 -152 lines
Diff to previous 1.53 (colored)
rework the internal handling of protocol actions a little bit:
- allow using a key multiple times by appending a queue of additional matches to the tree node. for example, this allows specifying multiple "expect" or "filter" actions to white-/black-list a list of HTTP headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
Revision 1.53 / (download) - annotate - [select for diffs], Mon Oct 22 17:14:10 2007 UTC (16 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.52: +42 -47 lines
Diff to previous 1.52 (colored)
we don't need mmap/munmap in relay_load_certificates anymore... just use read() and make the function a little bit nicer. ok pyr@
Revision 1.52 / (download) - annotate - [select for diffs], Mon Oct 22 16:53:30 2007 UTC (16 years, 7 months ago) by pyr
Branch: MAIN
Changes since 1.51: +68 -50 lines
Diff to previous 1.51 (colored)
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more. ok reyk@ who spotted a stupid mistake again...
Revision 1.51 / (download) - annotate - [select for diffs], Fri Oct 19 14:15:14 2007 UTC (16 years, 7 months ago) by pyr
Branch: MAIN
Changes since 1.50: +7 -7 lines
Diff to previous 1.50 (colored)
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
Revision 1.50 / (download) - annotate - [select for diffs], Fri Oct 5 17:32:13 2007 UTC (16 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.49: +3 -3 lines
Diff to previous 1.49 (colored)
stylistic changes in the relay/relay_config structure.
Revision 1.49 / (download) - annotate - [select for diffs], Fri Oct 5 15:46:49 2007 UTC (16 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.48: +3 -2 lines
Diff to previous 1.48 (colored)
unbreak non-SSL relays by calling the ssl context init only if the SSL flag is present...
Revision 1.48 / (download) - annotate - [select for diffs], Mon Oct 1 13:57:29 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Changes since 1.47: +1 -3 lines
Diff to previous 1.47 (colored)
kill some remaining debug that snuck in.
Revision 1.47 / (download) - annotate - [select for diffs], Fri Sep 28 13:05:28 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Changes since 1.46: +25 -5 lines
Diff to previous 1.46 (colored)
Change the ssl_privsep code to work on char buffers. The fd based code introduced weirdness since all children were accessing the same fd at once. This will also greatly facilitate reloading, no fd-passing will be involved between the parent and relay children. While there, cleanup the code diverting from the original ssl_rsa.c code a bit more. Weird behavior discovery by pascoe@.
Revision 1.46 / (download) - annotate - [select for diffs], Thu Sep 27 13:50:40 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Changes since 1.45: +39 -25 lines
Diff to previous 1.45 (colored)
Move SSL context creation after privileges are dropped. This puts the ssl_privsep code to use. One more step towards graceful L7 reload.
Revision 1.45 / (download) - annotate - [select for diffs], Thu Sep 27 13:34:22 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Changes since 1.44: +2 -2 lines
Diff to previous 1.44 (colored)
Simplify ssl_privsep.c, since it won't need to remain synced with the equivalent openssl functions.
Revision 1.44 / (download) - annotate - [select for diffs], Tue Sep 25 08:24:26 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Changes since 1.43: +8 -3 lines
Diff to previous 1.43 (colored)
Introduce two new functions to be able to load certificates while already chrooted and with privileges dropped. This is the very first step in being able to reload a layer 7 configuration. not ok reyk who's away but should be glad to see this in.
Revision 1.43 / (download) - annotate - [select for diffs], Mon Sep 10 11:59:22 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.42: +93 -13 lines
Diff to previous 1.42 (colored)
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols. ok gilles@, tested by some
Revision 1.42 / (download) - annotate - [select for diffs], Fri Sep 7 08:20:24 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.41: +20 -1 lines
Diff to previous 1.41 (colored)
add an interface to dump running relay sessions to the control socket
Revision 1.41 / (download) - annotate - [select for diffs], Thu Sep 6 19:55:45 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.40: +6 -21 lines
Diff to previous 1.40 (colored)
rename relay_host to print_host in log.c
Revision 1.40 / (download) - annotate - [select for diffs], Wed Sep 5 10:25:13 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.39: +3 -3 lines
Diff to previous 1.39 (colored)
be extra careful with pointers in session_cmp
Revision 1.39 / (download) - annotate - [select for diffs], Wed Sep 5 08:48:42 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.38: +21 -6 lines
Diff to previous 1.38 (colored)
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria. ok pyr@
Revision 1.38 / (download) - annotate - [select for diffs], Tue Sep 4 10:58:08 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.37: +11 -9 lines
Diff to previous 1.37 (colored)
small fix in the error path when accepting new relay sessions
Revision 1.37 / (download) - annotate - [select for diffs], Tue Sep 4 10:32:54 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.36: +2 -2 lines
Diff to previous 1.36 (colored)
support chained ssl certificates; a chain can be added to the PEM-encoded server cert file (no CA support yet). makes a chained ssl certificate from Comodo work with hoststated, also tested with other certs (self-signed, Thawte Premium) thanks to ben (pr0ncracker at gmail dot com)
Revision 1.36 / (download) - annotate - [select for diffs], Thu Jul 26 23:29:40 2007 UTC (16 years, 10 months ago) by jsg
Branch: MAIN
Changes since 1.35: +4 -10 lines
Diff to previous 1.35 (colored)
Combine http filter/expect cases to simplify code. ok reyk@
Revision 1.35 / (download) - annotate - [select for diffs], Tue Jun 19 06:29:20 2007 UTC (16 years, 11 months ago) by pyr
Branch: MAIN
Changes since 1.34: +13 -5 lines
Diff to previous 1.34 (colored)
Do not fatal out with ``pipe closed'' when a short read occurs on one of our socket pairs. Instead disable listening on the pipe, terminate the event loop, and let the parent process's SIGCHLD handler do a clean shutdown. from an ospfd diff by claudio, ok claudio@
Revision 1.34 / (download) - annotate - [select for diffs], Tue Jun 12 15:16:10 2007 UTC (17 years ago) by msf
Branch: MAIN
Changes since 1.33: +5 -4 lines
Diff to previous 1.33 (colored)
put the fd passing from bgpd back in to hoststated's version of imsg, needed for layer 7 reload support. ok pyr@
Revision 1.33 / (download) - annotate - [select for diffs], Thu Jun 7 07:19:50 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.32: +4 -1 lines
Diff to previous 1.32 (colored)
(finally) Enable reload support for layer 3 configurations. Hoststated can be reloaded either by sending SIGHUP to the parent process or by using ``hoststatectl reload'' discussed and ok reyk@
Revision 1.32 / (download) - annotate - [select for diffs], Tue May 29 00:48:04 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.31: +3 -6 lines
Diff to previous 1.31 (colored)
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
Revision 1.31 / (download) - annotate - [select for diffs], Tue May 29 00:21:10 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.30: +51 -48 lines
Diff to previous 1.30 (colored)
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
Revision 1.30 / (download) - annotate - [select for diffs], Mon May 28 22:11:33 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.29: +2 -1 lines
Diff to previous 1.29 (colored)
another small step towards hoststated reloading. allow purging of parts of the hoststated environment structure. start using this function now to only keep vital information in hoststated child processes. ok reyk@
Revision 1.29 / (download) - annotate - [select for diffs], Sun May 27 20:53:10 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.28: +16 -13 lines
Diff to previous 1.28 (colored)
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload. Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
Revision 1.28 / (download) - annotate - [select for diffs], Sat May 26 19:58:49 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.27: +8 -4 lines
Diff to previous 1.27 (colored)
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
Revision 1.27 / (download) - annotate - [select for diffs], Wed May 2 09:07:28 2007 UTC (17 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.26: +2 -9 lines
Diff to previous 1.26 (colored)
It is no longer needed to pass a cleared timeval to event_loopexit(); NULL does the job just fine. OK reyk@
Revision 1.26 / (download) - annotate - [select for diffs], Thu Apr 12 14:45:45 2007 UTC (17 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.25: +31 -1 lines
Diff to previous 1.25 (colored)
add a new relay 'path' action to filter the URL path and arguments. ok pyr@
Revision 1.25 / (download) - annotate - [select for diffs], Tue Apr 10 21:33:52 2007 UTC (17 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.24: +33 -18 lines
Diff to previous 1.24 (colored)
move the decoding of the URL, independent from the node lookups, we will need it later.
Revision 1.24 / (download) - annotate - [select for diffs], Tue Apr 10 18:18:26 2007 UTC (17 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.23: +2 -4 lines
Diff to previous 1.23 (colored)
it is a better idea to handle all enum values in the switch statement
Revision 1.23 / (download) - annotate - [select for diffs], Tue Apr 10 18:14:17 2007 UTC (17 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.22: +15 -5 lines
Diff to previous 1.22 (colored)
the relay filter action needs special handling to work correctly
Revision 1.22 / (download) - annotate - [select for diffs], Wed Mar 21 00:08:08 2007 UTC (17 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.21: +2 -1 lines
Diff to previous 1.21 (colored)
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers. ok pyr@
Revision 1.21 / (download) - annotate - [select for diffs], Sat Mar 17 22:25:08 2007 UTC (17 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.20: +2 -2 lines
Diff to previous 1.20 (colored)
close unused relay2pfe privsep sockets correctly
Revision 1.20 / (download) - annotate - [select for diffs], Sat Mar 17 22:22:23 2007 UTC (17 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.19: +6 -3 lines
Diff to previous 1.19 (colored)
fix the natlook mode.
Revision 1.19 / (download) - annotate - [select for diffs], Tue Mar 13 12:04:52 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.18: +34 -11 lines
Diff to previous 1.18 (colored)
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers. ok pyr@
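The two socket options behind GTSM, as an added example in C that is not relayd's own code: the sender marks its packets with TTL 255 and the receiver asks the kernel to discard anything arriving with a TTL below 255 minus the number of routers it expects in the path, so a packet spoofed from further away never reaches the process. RFC 3682 has since been obsoleted by RFC 5082, which keeps the same mechanism. The helper names and the `routers` parameter (a distance, converted to the raw threshold) are my own; relayd's configuration keywords take the TTL values directly.

```c
/*
 * GTSM on a relay socket: send with TTL 255 and let the kernel drop
 * packets that crossed more routers than expected.  Added example,
 * not relayd code.
 */
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#define GTSM_MAX_TTL	255

/*
 * Minimum acceptable TTL for a peer that is `routers` routers away: a
 * GTSM peer sends with TTL 255 and every router decrements it by one.
 * Returns -1 for an impossible distance.
 */
int
gtsm_minttl(int routers)
{
	if (routers < 0 || routers >= GTSM_MAX_TTL)
		return (-1);
	return (GTSM_MAX_TTL - routers);
}

/*
 * Apply both halves of GTSM to an open IPv4 socket (a listener or an
 * outbound connection): IP_TTL so our own packets pass the peer's
 * check, IP_MINTTL so the kernel discards packets below the threshold
 * before userland ever sees them.  Returns 0, or -1 with errno set.
 */
int
gtsm_apply(int fd, int routers)
{
	int ttl = GTSM_MAX_TTL;
	int minttl = gtsm_minttl(routers);

	if (minttl < 0) {
		errno = EINVAL;
		return (-1);
	}
	if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)) == -1)
		return (-1);
	if (setsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl,
	    sizeof(minttl)) == -1)
		return (-1);
	return (0);
}

/* Read the values back so a test or a debug command can verify them. */
int
gtsm_query(int fd, int *ttl, int *minttl)
{
	socklen_t len = sizeof(*ttl);

	if (getsockopt(fd, IPPROTO_IP, IP_TTL, ttl, &len) == -1)
		return (-1);
	len = sizeof(*minttl);
	if (getsockopt(fd, IPPROTO_IP, IP_MINTTL, minttl, &len) == -1)
		return (-1);
	return (0);
}

int
main(void)
{
	int fd, ttl, minttl;

	/* directly attached backend: zero routers, only TTL 255 accepted */
	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		return (1);
	if (gtsm_apply(fd, 0) == -1 || gtsm_query(fd, &ttl, &minttl) == -1)
		return (1);
	close(fd);
	return ((ttl == GTSM_MAX_TTL && minttl == GTSM_MAX_TTL) ? 0 : 1);
}
```

The threshold is only useful when the distance to the peer is fixed and known; a backend reached over a path whose length can change will be cut off as soon as an extra router appears, which is why the commit message ties the option to inbound connections with a fixed distance.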
Revision 1.18 / (download) - annotate - [select for diffs], Wed Mar 7 17:40:32 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.17: +22 -2 lines
Diff to previous 1.17 (colored)
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
Revision 1.17 / (download) - annotate - [select for diffs], Tue Mar 6 19:26:46 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.16: +63 -12 lines
Diff to previous 1.16 (colored)
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID" tested by some people ok pyr@
Revision 1.16 / (download) - annotate - [select for diffs], Mon Mar 5 11:44:50 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.15: +16 -12 lines
Diff to previous 1.15 (colored)
do not strip the header for expect, hash, and log actions. since we have a tristate in relay_handle_http(), use nicer return codes defined to make it better readable (no function change).
Revision 1.15 / (download) - annotate - [select for diffs], Fri Mar 2 11:32:40 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.14: +5 -3 lines
Diff to previous 1.14 (colored)
when the http read callback changes and some data is still left in the input buffer, we call the new callback to handle the remaining data. this change makes sure that we only do this after the read callback was actually changed (read header -> read content, read content -> read header, read chunks...) to avoid a possible loop which could happen in some rare cases.
Revision 1.14 / (download) - annotate - [select for diffs], Tue Feb 27 13:38:58 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.13: +61 -14 lines
Diff to previous 1.13 (colored)
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined. for example: response change "Server" to "OpenBSD-hoststated/4.1" ok pyr@
Revision 1.13 / (download) - annotate - [select for diffs], Mon Feb 26 16:10:24 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.12: +2 -2 lines
Diff to previous 1.12 (colored)
handle strlcpy return values, make lint happy
Revision 1.12 / (download) - annotate - [select for diffs], Mon Feb 26 15:41:44 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.11: +95 -47 lines
Diff to previous 1.11 (colored)
better error handling for buffer I/O, fix the log action
Revision 1.11 / (download) - annotate - [select for diffs], Mon Feb 26 12:35:43 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.10: +114 -1 lines
Diff to previous 1.10 (colored)
handle requests with chunked transfer-encoding.
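Relaying a request sent with Transfer-Encoding: chunked means the relay has to find the end of the body itself: a hexadecimal chunk-size line (optionally followed by ;extensions), that many bytes, CRLF, repeated until a zero-size chunk, then optional trailer header lines and a blank line. The decoder below is an added example in C and not relayd's code; it shows the checks a proxy wants in that parser (hex overflow, an output bound, strict CRLF, and telling "need more input" apart from "malformed"), because a chunk size that the relay and the backend interpret differently is the classic request-smuggling primitive. The function names and the sample bodies are constructed for the example.

```c
/* Chunked transfer-coding decoder with proxy-side checks (added example). */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum chunk_status { CHUNK_OK = 0, CHUNK_INCOMPLETE = 1, CHUNK_BAD = -1 };

/*
 * Parse the chunk-size line at in[*pos]: hex digits, optional ";ext",
 * CRLF.  Rejects empty sizes, bare LF, and sizes that would overflow.
 */
static enum chunk_status
chunk_size_line(const char *in, size_t len, size_t *pos, size_t *size)
{
	size_t i = *pos, n = 0, ndigits = 0;

	for (; i < len && isxdigit((unsigned char)in[i]); i++, ndigits++) {
		unsigned char c = (unsigned char)in[i];
		unsigned d = isdigit(c) ? (unsigned)(c - '0') :
		    (unsigned)(tolower(c) - 'a' + 10);
		if (n > (SIZE_MAX >> 4))	/* n * 16 would overflow */
			return (CHUNK_BAD);
		n = (n << 4) | d;
	}
	if (i >= len)
		return (CHUNK_INCOMPLETE);
	if (ndigits == 0)
		return (CHUNK_BAD);
	if (in[i] == ';') {		/* extensions: skipped, not interpreted */
		while (i < len && in[i] != '\r') {
			if (in[i] == '\n')
				return (CHUNK_BAD);
			i++;
		}
	}
	if (i + 1 >= len)
		return (CHUNK_INCOMPLETE);
	if (in[i] != '\r' || in[i + 1] != '\n')
		return (CHUNK_BAD);
	*pos = i + 2;
	*size = n;
	return (CHUNK_OK);
}

/*
 * Decode the chunked body in in[0..len) into out (capacity outcap).
 * On CHUNK_OK, *outlen is the decoded length and *consumed the number
 * of wire bytes used, so the caller knows where the next request starts.
 */
enum chunk_status
chunked_decode(const char *in, size_t len, char *out, size_t outcap,
    size_t *outlen, size_t *consumed)
{
	size_t pos = 0, o = 0, size;
	enum chunk_status st;

	for (;;) {
		if ((st = chunk_size_line(in, len, &pos, &size)) != CHUNK_OK)
			return (st);
		if (size == 0)			/* last-chunk */
			break;
		if (size > outcap - o)		/* body exceeds what we allow */
			return (CHUNK_BAD);
		if (len - pos < size + 2)	/* data plus its CRLF not here yet */
			return (CHUNK_INCOMPLETE);
		memcpy(out + o, in + pos, size);
		o += size;
		pos += size;
		if (in[pos] != '\r' || in[pos + 1] != '\n')
			return (CHUNK_BAD);
		pos += 2;
	}
	for (;;) {				/* trailer lines, then an empty line */
		size_t i = pos;
		while (i + 1 < len && !(in[i] == '\r' && in[i + 1] == '\n'))
			i++;
		if (i + 1 >= len)
			return (CHUNK_INCOMPLETE);
		if (i == pos) {
			pos += 2;
			break;
		}
		pos = i + 2;
	}
	*outlen = o;
	*consumed = pos;
	return (CHUNK_OK);
}

int
main(void)
{
	/* constructed sample body, not captured traffic */
	static const char body[] = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
	char out[64];
	size_t n, used;

	if (chunked_decode(body, sizeof(body) - 1, out, sizeof(out),
	    &n, &used) != CHUNK_OK)
		return (1);
	printf("%zu body bytes from %zu wire bytes: %.*s\n", n, used,
	    (int)n, out);
	return (0);
}
```

A relay that streams rather than buffers would call the size-line parser per chunk and forward the bytes as they arrive; the important property carried over from this version is that the relay's notion of where the body ends is derived from exactly the same strict grammar on both the client and the backend side.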
Revision 1.10 / (download) - annotate - [select for diffs], Mon Feb 26 12:16:12 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.9: +2 -2 lines
Diff to previous 1.9 (colored)
tweak flushing of unwritten bytes on http mode changes
Revision 1.9 / (download) - annotate - [select for diffs], Mon Feb 26 12:11:19 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.8: +3 -3 lines
Diff to previous 1.8 (colored)
spacing
Revision 1.8 / (download) - annotate - [select for diffs], Mon Feb 26 12:09:21 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.7: +7 -16 lines
Diff to previous 1.7 (colored)
improve the relay bufferevent handler if one side closed the connection
Revision 1.7 / (download) - annotate - [select for diffs], Mon Feb 26 11:59:48 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.6: +11 -1 lines
Diff to previous 1.6 (colored)
re-use the retry value from table host entries for inbound relay connections. the relay will retry to connect to the hosts for the specified number of times. this sounds bad, but is a useful "workaround" for unreliable backend servers...
Revision 1.6 / (download) - annotate - [select for diffs], Mon Feb 26 11:24:26 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.5: +4 -1 lines
Diff to previous 1.5 (colored)
fix small memleaks
Revision 1.5 / (download) - annotate - [select for diffs], Sun Feb 25 18:16:16 2007 UTC (17 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.4: +2 -2 lines
Diff to previous 1.4 (colored)
one example (of two) of tree breaking the "other gcc"
Revision 1.4 / (download) - annotate - [select for diffs], Sat Feb 24 15:48:54 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.3: +6 -8 lines
Diff to previous 1.3 (colored)
disable SSLv2 and use "HIGH" crypto cipher suites by default. suggested by dlg@
Revision 1.3 / (download) - annotate - [select for diffs], Sat Feb 24 00:22:32 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.2: +125 -62 lines
Diff to previous 1.2 (colored)
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
Revision 1.2 / (download) - annotate - [select for diffs], Thu Feb 22 23:07:38 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.1: +2 -7 lines
Diff to previous 1.1 (colored)
read the exact length for POST requests as specified by the content-length header.
Revision 1.1 / (download) - annotate - [select for diffs], Thu Feb 22 03:32:40 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying. see hoststated.conf(5) and my upcoming article on undeadly.org for details. ok to commit deraadt@ pyr@