Default branch: MAIN
Revision 1.272, Sat May 18 06:34:46 2024 UTC (3 weeks, 2 days ago) by jsg
Branch: MAIN
CVS Tags: HEAD
Changes since 1.271: +1 -4 lines
remove prototypes with no matching function
Revision 1.271, Sun Jun 25 08:07:39 2023 UTC (11 months, 2 weeks ago) by op
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.270: +1 -2 lines
remove ssl_init() it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl initialize themselves automatically before doing anything. ok tb
Revision 1.270, Wed Jun 21 07:54:54 2023 UTC (11 months, 2 weeks ago) by claudio
Branch: MAIN
Changes since 1.269: +1 -2 lines
Simplify and clean up the code. Try to use more ibuf idioms, but the mix of types used in these functions makes this rather hard. The expected data checks are still not great but a step in the right direction. OK tb@
Revision 1.269, Wed Aug 31 16:17:18 2022 UTC (21 months, 1 week ago) by dv
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.268: +2 -2 lines
relayd(8): change agentx_getsock to return void. Only has one return value and it's never checked. ok martijn@, tb@
Revision 1.266.2.1, Sun Jul 25 20:37:23 2021 UTC (2 years, 10 months ago) by benno
Branch: OPENBSD_6_9
Changes since 1.266: +5 -3 lines
relayd(8), when using the http protocol strip filter directive or http protocol macro expansion, processes format strings.
Original commit in current: Modified files: usr.sbin/relayd: relay_http.c (1.82) relayd.h (1.268)
The output of server_root_strip() is a string. Use the correct format "%s". Same for the output of relay_expand_http(). with and ok claudio@ Found by Cedric Tessier, thanks!
This is patches/6.9/common/010_relayd.patch.sig
Revision 1.268, Sun Jul 25 20:31:41 2021 UTC (2 years, 10 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.267: +5 -3 lines
The output of server_root_strip() is a string. Use the correct format "%s". Same for the output of relay_expand_http(). with and ok claudio@ Found by Cedric Tessier, thanks!
Revision 1.267, Tue Apr 20 21:11:56 2021 UTC (3 years, 1 month ago) by dv
Branch: MAIN
Changes since 1.266: +1 -3 lines
Move TAILQ initialization to files where they are used. These priv-sep daemons all follow a similar design and use TAILQs for tracking control process connections. In most cases, the TAILQs are initialized separate from where they are used. Since the scope of use is generally confined to a specific control process file, this commit also removes any extern definitions and exposing the TAILQ structures to other compilation units. ok bluhm@, tb@
Revision 1.266, Tue Mar 23 16:34:31 2021 UTC (3 years, 2 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE
Branch point for: OPENBSD_6_9
Changes since 1.265: +2 -1 lines
Timed out RSA key ops may leave uncalled for responses in the imsg return path. These have to be dropped or every subsequent call will cause decrypt errors. Use a sequence number cookie to keep the systems in sync. Diff from niklas@ with some minor adjustments by myself.
Revision 1.265, Wed Jan 27 20:33:05 2021 UTC (3 years, 4 months ago) by eric
Branch: MAIN
Changes since 1.264: +1 -2 lines
remove bogus key hack now that it's handled by libtls no objection claudio@ ok tb@ jsing@
Revision 1.264, Wed Jan 27 07:21:54 2021 UTC (3 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.263: +4 -3 lines
these programs (with common ancestry) had a -fno-common problem related to privsep_procid. ok mortimer
Revision 1.263, Sat Jan 9 08:53:58 2021 UTC (3 years, 5 months ago) by denis
Branch: MAIN
Changes since 1.262: +3 -2 lines
Add 'strip' directive. Feedback by Olivier Cherrier, Hiltjo Posthuma, Mischa. OK benno@
Revision 1.262, Mon Sep 14 11:30:25 2020 UTC (3 years, 8 months ago) by martijn
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.261: +14 -14 lines
Rewrite the agentx code of relayd. This new framework should allow us to add new objects easier if so desired and should handle a lot more corner-cases. This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr resulting in garbage data to be put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend on adding it soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.
Tweaks and OK denis@ on the relayd parts. Tweaks and OK claudio@ on the agentx parts. "Get it in" deraadt@
Revision 1.261, Thu May 14 17:27:39 2020 UTC (4 years ago) by pvk
Branch: MAIN
Changes since 1.260: +5 -4 lines
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
Revision 1.260, Sun Sep 15 19:23:29 2019 UTC (4 years, 8 months ago) by rob
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.259: +10 -4 lines
Add support for binary protocol health checking. Feedback and guidance from benno@ and reky@. Man page tweaks from jmc@. ok benno@
Revision 1.259, Wed Jun 26 12:13:47 2019 UTC (4 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.258: +4 -2 lines
Add support for OCSP stapling. Many thanks to Bruno Flueckiger who independently sent a very similar patch. He also tested the one I'm committing that it works as expected. OK tb@
Revision 1.258, Fri May 31 15:25:57 2019 UTC (5 years ago) by reyk
Branch: MAIN
Changes since 1.257: +10 -2 lines
Add support for SNI with new "tls keypair" option to load additional certs. Tested by many (thanks!) Feedback & OK rob@
Revision 1.257, Fri May 31 15:15:37 2019 UTC (5 years ago) by reyk
Branch: MAIN
Changes since 1.256: +25 -10 lines
Move the relay keys/certs into a separate global list and look them up by id. Moving the certs out of the relay struct will help to add multiple SNI certs. Tested by many users (thanks!) Feedback & OK rob@
Revision 1.256, Wed May 29 11:48:29 2019 UTC (5 years ago) by reyk
Branch: MAIN
Changes since 1.255: +3 -3 lines
Move relay_load_*() functions into relayd.c. Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI. Ok rob@
Revision 1.255, Mon May 13 09:54:07 2019 UTC (5 years ago) by reyk
Branch: MAIN
Changes since 1.254: +7 -2 lines
Fix filter rules with "forward to" statement in persistent connections. OK bentley@ mikeb@
Revision 1.254, Fri May 10 09:15:00 2019 UTC (5 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.253: +7 -4 lines
Add support for from/to in relay filter rules. For example: pass from 10.0.0.0/8 path "/hello/*" forward to <b>. Ok benno@
Revision 1.253, Wed May 8 23:22:19 2019 UTC (5 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.252: +3 -1 lines
Fix and tweak websocket upgrade handling.
- Don't expect the Connection header to equal Upgrade, it may include Upgrade
- Reshuffle the code to check the Upgrade/Connection headers in one place
Reported and tested by Rivo Nurges. OK and input from benno@
Revision 1.252, Mon Mar 4 21:25:03 2019 UTC (5 years, 3 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.251: +5 -1 lines
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
Revision 1.251, Sun Sep 9 21:06:51 2018 UTC (5 years, 9 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.250: +2 -2 lines
During the fork+exec implementation, daemon(3) was moved after proc_init(). As a consequence httpd(8) and relayd(8) child processes did not detach from the terminal anymore. Dup /dev/null to the stdio file descriptors in the children. OK benno@
Revision 1.250, Mon Aug 6 17:31:31 2018 UTC (5 years, 10 months ago) by benno
Branch: MAIN
Changes since 1.249: +5 -4 lines
replace the current log options "log updates|all" with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks. The third option controls logging of connections in relay mode: Either log all connections, or only errors. Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog. ok and feedback from claudio@
Revision 1.249, Wed Apr 18 12:10:54 2018 UTC (6 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.248: +2 -2 lines
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
Revision 1.248, Tue Nov 28 18:25:53 2017 UTC (6 years, 6 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.247: +2 -2 lines
One less lie in comments
Revision 1.247, Tue Nov 28 01:51:47 2017 UTC (6 years, 6 months ago) by claudio
Branch: MAIN
Changes since 1.246: +4 -2 lines
Introduce relay_reset_event() which closes and resets a relay connection. Currently this is only used by relay_close() but will be needed in near future. OK benno@
Revision 1.246, Tue Nov 28 01:24:22 2017 UTC (6 years, 6 months ago) by claudio
Branch: MAIN
Changes since 1.245: +2 -1 lines
In TLS inspection mode we also need to keep the server tls object around. For this we need to add an additional pointer to the ctl_relay_event. Diff from Petri Mikkila (pmikkila at gmail) OK benno@
Revision 1.245, Mon Nov 27 23:21:16 2017 UTC (6 years, 6 months ago) by claudio
Branch: MAIN
Changes since 1.244: +3 -3 lines
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to 'ecdhe default'. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
Revision 1.244, Mon Nov 27 21:06:26 2017 UTC (6 years, 6 months ago) by claudio
Branch: MAIN
Changes since 1.243: +17 -9 lines
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
Revision 1.243, Wed Nov 15 19:03:26 2017 UTC (6 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.242: +4 -2 lines
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
Revision 1.242, Fri Jul 28 13:58:52 2017 UTC (6 years, 10 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.241: +3 -2 lines
Always calculate the hash value of the x509 cert in ssl_load_pkey(). Check whether TLS server object is available before using it. With these fixes the ssl inspect regress test just fails and does not crash relayd. OK claudio@
Revision 1.241, Tue Jul 4 19:59:51 2017 UTC (6 years, 11 months ago) by benno
Branch: MAIN
Changes since 1.240: +3 -3 lines
make relayd not crash in relay_udp_server() when using a dns relay. needs revisiting. From Rivo Nurges, thanks. ok florian@
Revision 1.240, Sat May 27 08:33:25 2017 UTC (7 years ago) by claudio
Branch: MAIN
Changes since 1.239: +33 -39 lines
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
Revision 1.239, Thu Feb 2 08:24:16 2017 UTC (7 years, 4 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.238: +2 -10 lines
Disable client-initiated TLS renegotiation by default. It is rarely needed and imposes a light DoS risk. LibreSSL's libssl allows to turn it off with a simple SSL_OP_NO_CLIENT_RENEGOTIATION option instead of the complicated implementation that was used before. It now turns it off completely instead of allowing one initial client-initiated renegotiation. It can still be enabled with "tls client-renegotiation". ok benno@ beck@ jsing@
Revision 1.238, Tue Jan 24 10:49:14 2017 UTC (7 years, 4 months ago) by benno
Branch: MAIN
Changes since 1.237: +10 -2 lines
move the opening of /dev/pf from the parent process to the pfe process where it is used. Currently pf is opened on every reload, that will no longer be possible in the future with pledged programs that do ioctls. This prepares relayd for that change. ok deraadt@, meinetwegen reyk@
Revision 1.237, Mon Jan 9 14:49:21 2017 UTC (7 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.236: +3 -2 lines
Stop accessing verbose and debug variables from log.c directly. This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose(). Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
Revision 1.236, Thu Nov 24 21:01:18 2016 UTC (7 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.235: +2 -1 lines
The new fork+exec mode used too many fds in the parent process on startup, for a short time, so we needed a rlimit hack in relayd.c. Sync the fix from httpd: rzalamena@ has fixed proc.c and I added the proc_flush_imsg() mechanism that makes sure that each fd is immediately closed after forwarding it to a child process instead of queueing it up. OK rzalamena@ jca@ benno@
Revision 1.235, Wed Oct 5 16:58:19 2016 UTC (7 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.234: +2 -1 lines
sync proc.c with vmd: add p_pw to specify a non-standard user for a process. OK rzalamena@
Revision 1.234, Wed Sep 28 12:16:44 2016 UTC (7 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.233: +2 -3 lines
sync proc.c incl. the p_env removal
Revision 1.233, Sat Sep 3 14:44:21 2016 UTC (7 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.232: +5 -8 lines
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around. OK rzalamena@
Revision 1.232, Sat Sep 3 14:09:04 2016 UTC (7 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.231: +23 -9 lines
Use the fork+exec privsep model in relayd; based on rzalamena@'s work for httpd with some (current and previous) changes for relayd. Once again, both daemons now share the same proc.c where most of the privsep "magic" happens. OK benno@ rzalamena@
Revision 1.231, Fri Sep 2 16:14:09 2016 UTC (7 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.230: +5 -6 lines
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done. OK benno@ claudio@
Revision 1.230, Fri Sep 2 14:45:51 2016 UTC (7 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.229: +12 -13 lines
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts. With input from and OK claudio@ benno@
Revision 1.229, Fri Sep 2 12:12:51 2016 UTC (7 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.228: +2 -4 lines
As done in httpd, remove ps_ninstances and p_instance. OK benno@ rzalamena@
Revision 1.228, Fri Sep 2 11:51:50 2016 UTC (7 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.227: +7 -8 lines
Terminate relayd using the socket status instead of watching SIGCHLD or killing child processes. Based on rzalamena@'s diff for httpd. OK deraadt@ rzalamena@
Revision 1.227, Thu Sep 1 10:49:48 2016 UTC (7 years, 9 months ago) by claudio
Branch: MAIN
Changes since 1.226: +17 -3 lines
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session tickets are supposed to be alive. Input and OK benno@, reyk@
Revision 1.226, Thu Sep 1 10:40:38 2016 UTC (7 years, 9 months ago) by claudio
Branch: MAIN
Changes since 1.225: +2 -1 lines
Do not busy loop in the rsa engine callback waiting for the ca. Instead use poll(2) to wait for up to 1sec for a response. This is not the nicest way to fix this issue but the smallest. Goal is to reduce the contention on the kernel big lock on busy relayd systems. reyk@ agrees (especially about the nastiness of this)
Revision 1.213.4.2, Sun Aug 7 07:54:42 2016 UTC (7 years, 10 months ago) by benno
Branch: OPENBSD_5_8
Changes since 1.213.4.1: +3 -2 lines
Improve parsing of the Host-header by following RFC 7230 Section 5.4 more strictly. MFC relay_http.c v 1.57, relayd.c v 1.154, relayd.h v 1.224
Revision 1.222.2.2, Sun Aug 7 07:54:07 2016 UTC (7 years, 10 months ago) by benno
Branch: OPENBSD_5_9
Changes since 1.222.2.1: +3 -2 lines
Improve parsing of the Host-header by following RFC 7230 Section 5.4 more strictly. MFC relay_http.c v 1.57, relayd.c v 1.154, relayd.h v 1.224
Revision 1.223.2.1, Sun Aug 7 07:53:45 2016 UTC (7 years, 10 months ago) by benno
Branch: OPENBSD_6_0
Changes since 1.223: +3 -2 lines
Improve parsing of the Host-header by following RFC 7230 Section 5.4 more strictly. MFC relay_http.c v 1.57, relayd.c v 1.154, relayd.h v 1.224
Revision 1.225, Fri Jul 29 10:09:27 2016 UTC (7 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.224: +2 -2 lines
Bump copyright in files that I touched last. (btw. hostated-hoststated-relayd's 10th birthday is on Dec 16.)
Revision 1.224, Wed Jul 27 06:55:44 2016 UTC (7 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.223: +3 -2 lines
Improve parsing of the Host by following RFC 7230 Section 5.4 more strictly:
- Respond with a 400 (Bad Request) if there is more than one Host: header to prevent ambiguities.
- Make sure that the host in the optional absolute form of request-target (eg. GET http://www.target.com/ HTTP/1.1) matches the Host: value. Proxies are supposed to ignore the Host: value if the request-target exists, but relayd used to ignore the absolute request-target form instead. In HTTP terminology, relayd is a gateway and not a proxy, but it has to make sure that the host is validated consistently.
OK benno@ bluhm@
Revision 1.222.2.1, Sat Jul 23 21:01:33 2016 UTC (7 years, 10 months ago) by benno
Branch: OPENBSD_5_9
Changes since 1.222: +4 -2 lines
reliability fix: When signaling an error to an HTTP relay client, the connection can be terminated prematurely, leading to a crash.
Revision 1.213.4.1, Sat Jul 23 20:56:02 2016 UTC (7 years, 10 months ago) by benno
Branch: OPENBSD_5_8
Changes since 1.213: +4 -2 lines
reliability fix: When signaling an error to an HTTP relay client, the connection can be terminated prematurely, leading to a crash.
Revision 1.223, Fri Jul 22 09:30:36 2016 UTC (7 years, 10 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE
Branch point for: OPENBSD_6_0
Changes since 1.222: +4 -2 lines
fix some cases where we relay_abort_http() the connection too soon. Instead, pass a more specific error back and handle the errors in relay_test(). reported by Arto Jonsson and Hiltjo Posthuma, thanks! ok bluhm@ reyk@
Revision 1.222, Mon Jan 11 21:31:42 2016 UTC (8 years, 5 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE
Branch point for: OPENBSD_5_9
Changes since 1.221: +2 -1 lines
This adds the host_error output and the http code (when available) to the host-check log. ok claudio@
Revision 1.221, Wed Dec 2 22:12:29 2015 UTC (8 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.220: +2 -1 lines
relayd (when running relays) can distribute client sessions over hosts with a hash generated from different data and calculate modulo rlt->rlt_nhosts to find the host the session should go to. If this host is down, the current algorithm simply selects the next host that is up, obviously not ideal, because this puts heavier load on this next host. This changes the algorithm: if the chosen host is not available, the hash value is recalculated and retried until a host that is usable is found or a maximum of retries is reached (in that case the old method is used). ok and nice input on my original idea bluhm@
Revision 1.220, Wed Dec 2 13:41:27 2015 UTC (8 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.219: +7 -3 lines
In most cases we don't need all arguments of proc_compose*_imsg(), so add a shortcut proc_compose*() that skips all of them. Only use the full argument list if needed. The functions with full argument lists can eventually be replaced with a nicer transaction-based approach later. OK benno@
Revision 1.219, Sun Nov 29 01:20:33 2015 UTC (8 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.218: +2 -1 lines
Use pledge("pf") in pfe.c. Move getrtable() from pfe to parent process, since it's in the way of pledge. ok deraadt@, feedback from reyk@ on previous version.
Revision 1.218, Sat Nov 28 09:52:07 2015 UTC (8 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.217: +1 -7 lines
Use SOCK_NONBLOCK in relayd as well. OK benno@
Revision 1.217, Sun Nov 22 13:27:13 2015 UTC (8 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.216: +7 -4 lines
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging. OK benno@
Revision 1.216, Sat Nov 21 12:37:42 2015 UTC (8 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.215: +14 -8 lines
Move local logging functions from log.c to new file util.c (that is also shared with relayctl). This allows us to unify common log.c with other daemons. It also clarifies the Copyright: log.c is by Henning, relayd's additions were from me. No functional or code changes, but it will make future updates easier.
Revision 1.215, Tue Oct 27 12:27:54 2015 UTC (8 years, 7 months ago) by benno
Branch: MAIN
Changes since 1.214: +2 -2 lines
change cipher-server-preference to be on by default. It can be disabled with "no cipher-server-preference". This makes more clients select ciphers with pfs. requested and ok by reyk@
Revision 1.207.2.1, Sun Sep 20 11:20:16 2015 UTC (8 years, 8 months ago) by benno
Branch: OPENBSD_5_7
Changes since 1.207: +11 -2 lines
maintenance diff for relayd. MFC the following changes:
- Missing free(3) in error path (ssl.c,v 1.29)
- fix a memory leak. (pfe.c,v 1.80)
- allocate se_log evbuffer before logging errors with relay_close() (relay.c,v 1.192)
- fix a file descriptor leak in http protocol handling (relay.c,v 1.193 and relay_http.c,v 1.44)
- Fix obvious problems with relayd config reload (ca.c,v 1.13; config.c,v 1.25; parse.y,v 1.204; relayd.c,v 1.139; relayd.h,v 1.209)
- http protocol: you cannot append to the previous key-value before line three of a request (relay_http.c,v 1.45)
- fix a crash / use after free (relay.c,v 1.194; relay_http.c,v 1.46)
- fix a non safe use of TAILQ_FOREACH with TAILQ_REMOVE (relay_http.c,v 1.47)
- Plug a memory leak by simplifying kv_free() (relayd.c,v 1.141)
- Fix memory leak in error case (relay_http.c,v 1.48)
- track the connection state of a session and stop doing double opens in certain situations (relay.c,v 1.195; relay_http.c,v 1.49; relayd.h,v 1.210)
- coding style (relay.c,v 1.196; relay_http.c,v 1.50; relayd.h,v 1.212)
ok claudio@, sthen@ and feedback tedu@
Revision 1.214, Fri Aug 21 08:45:51 2015 UTC (8 years, 9 months ago) by yasuoka
Branch: MAIN
Changes since 1.213: +2 -1 lines
Increase the input side socket buffer size for "check icmp" not to drop the reply messages when "check icmp" is used with many hosts. ok reyk benno
Revision 1.213, Sat Jul 18 16:01:28 2015 UTC (8 years, 10 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE
Branch point for: OPENBSD_5_8
Changes since 1.212: +3 -1 lines
Fix unbounded buffer growth. In the case of a slow client reading large files, we would consume large amounts of memory. Found by Matthew Martin <matt DOT a DOT martin AT gmail DOT com> in httpd, fixed in httpd by florian@. feedback from florian, reyk and bluhm, ok bluhm, reyk
Revision 1.212, Fri Jun 12 14:40:55 2015 UTC (9 years ago) by reyk
Branch: MAIN
Changes since 1.211: +9 -2 lines
To match relayd's style, use an explicit enum with prefixed names for the states that Claudio introduced. No functional change. OK claudio@ benno@
Revision 1.211, Thu Jun 11 18:49:09 2015 UTC (9 years ago) by reyk
Branch: MAIN
Changes since 1.210: +4 -4 lines
Use "compliant" header guards by avoiding the reserved '_' namespace. Pointed out by Markus Elfring. OK mikeb@ millert@
Revision 1.210, Mon Jun 8 15:47:51 2015 UTC (9 years ago) by claudio
Branch: MAIN
Changes since 1.209: +2 -1 lines
Introduce a state on the ctl_relay_event struct. This makes it possible to better track the connection state of a session and stops doing double opens in certain situations using http relays. Using a state field to simplify the logic since relay_connect() is called multiple times. OK benno@, bluhm@ and running in production for more than a week
Revision 1.209, Sat May 2 13:15:24 2015 UTC by claudio
Branch: MAIN
Changes since 1.208: +3 -2 lines
Fix obvious problems with relayd config reload. - fix a TAILQ corruption because of a use after free - do not reinit the SSL engine since that fails OK sthen, benno
Revision 1.208, Mon Mar 9 17:20:38 2015 UTC by reyk
Branch: MAIN
Changes since 1.207: +2 -2 lines
Make relayd TLSv1.2-only by default. OK krw@ benno@ Based on revision 1.66 of usr.sbin/httpd/parse.y: Make httpd TLSv1.2-only by default. Some older browsers, like IE 10, will be incompatible with this change. We do this early in the release cycle, so there is a good chance to get more experience with the impact of it and the upcoming restricted cipher modes. OK jsing@ deraadt@ benno@ bmercer@ krw@ florian@
Revision 1.207, Thu Jan 22 17:42:09 2015 UTC by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE
Branch point for: OPENBSD_5_7
Changes since 1.206: +12 -6 lines
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself. OK benno@
Revision 1.206, Thu Jan 22 09:26:05 2015 UTC by reyk
Branch: MAIN
Changes since 1.205: +1 -4 lines
LibreSSL now supports loading of CA certificates from memory, replace the internal and long-serving ssl_ctx_load_verify_memory() function with a call to the SSL_CTX_load_verify_mem() API function. The ssl_privsep.c file with hacks for using OpenSSL in privsep'ed processes can now go away; portable versions of smtpd and relayd should start depending on LibreSSL or they have to carry ssl_privsep.c in openbsd-compat to work with legacy OpenSSL. No functional change. Based on previous discussions with gilles@ bluhm@ and many others OK bluhm@ (as part of the libcrypto/libssl/libtls diff)
Revision 1.205, Fri Jan 16 15:08:52 2015 UTC by reyk
Branch: MAIN
Changes since 1.204: +1 -2 lines
SSL_CTX_use_certificate_chain() has been added to LibreSSL and there is no need to keep a local copy in ssl_privsep.c. This adds a little burden on OpenSMTPD-portable because it will have to put it in openbsd-compat for compatibility with legacy OpenSSL. OK gilles@
Revision 1.204, Fri Jan 16 15:06:41 2015 UTC by deraadt
Branch: MAIN
Changes since 1.203: +10 -11 lines
Adapt to <limits.h> universe. ok millert
Revision 1.203, Tue Jan 13 09:24:21 2015 UTC by reyk
Branch: MAIN
Changes since 1.202: +2 -2 lines
bump copyright year
Revision 1.202, Thu Jan 1 14:54:06 2015 UTC by reyk
Branch: MAIN
Changes since 1.201: +2 -1 lines
Merge error page changes from httpd: send Content-Length:, change Date: from asctime to the preferred HTTP/1.1 format, and use the popular "Comic Sans" style (can be changed in the configuration).
Revision 1.201, Sun Dec 21 00:54:49 2014 UTC by guenther
Branch: MAIN
Changes since 1.200: +2 -1 lines
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't. ok reyk@
Revision 1.200, Thu Dec 18 20:55:01 2014 UTC by reyk
Branch: MAIN
Changes since 1.199: +14 -5 lines
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument. With input from Max Fillinger. ok tedu@
Revision 1.199, Wed Dec 17 13:54:27 2014 UTC by reyk
Branch: MAIN
Changes since 1.198: +2 -2 lines
Add missing flag in the description field.
Revision 1.198, Fri Dec 12 10:05:09 2014 UTC by reyk
Branch: MAIN
Changes since 1.197: +68 -70 lines
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now. (btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html) OK benno@, with input from tedu@
Revision 1.197, Wed Nov 19 10:24:40 2014 UTC by blambert
Branch: MAIN
Changes since 1.196: +13 -2 lines
Support exporting relayd statistics via AgentX/snmpd This should be equivalent to the statistics available via the various relaydctl show commands okay benno@ reyk@
Revision 1.196, Fri Nov 7 13:48:06 2014 UTC by jsing
Branch: MAIN
Changes since 1.195: +7 -8 lines
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended. ok reyk@
Revision 1.195, Sun Nov 2 13:59:40 2014 UTC by bluhm
Branch: MAIN
Changes since 1.194: +2 -1 lines
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
Revision 1.194, Mon Oct 20 14:50:41 2014 UTC by reyk
Branch: MAIN
Changes since 1.193: +1 -2 lines
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code. A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination". OK sthen@
Revision 1.193, Wed Oct 15 11:06:16 2014 UTC by reyk
Branch: MAIN
Changes since 1.192: +11 -8 lines
Disable SSLv3 by default. OK sthen@ jsing@
Revision 1.192, Fri Sep 5 10:19:26 2014 UTC by blambert
Branch: MAIN
Changes since 1.191: +1 -11 lines
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation apologies to anybody who got bitten by this mistake ok reyk@
Revision 1.191, Fri Aug 29 09:03:36 2014 UTC by blambert
Branch: MAIN
Changes since 1.190: +11 -1 lines
Implement consistent host hashing for relayd, based on work done by andre@ Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past). Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so. ok reyk@
Revision 1.190, Mon Aug 18 12:59:00 2014 UTC by reyk
Branch: MAIN
Changes since 1.189: +2 -1 lines
Sync proc.c with httpd. httpd needs SIGUSR1 but relayd will ignore it now instead of terminating the process. ok florian@
Revision 1.189, Mon Jul 14 00:11:12 2014 UTC by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.188: +4 -3 lines
When a connection was spliced in one direction and in copy mode in the other direction, the timeouts did not work. They were longer than specified. Link the splicing and non-splicing timeouts. Found by make run-regress-args-timeout-http.pl OK reyk@
Revision 1.188, Sun Jul 13 00:32:08 2014 UTC by benno
Branch: MAIN
Changes since 1.187: +5 -2 lines
improve log output for relays. adjust regress tests ok reyk
Revision 1.187, Sat Jul 12 14:34:13 2014 UTC by reyk
Branch: MAIN
Changes since 1.186: +3 -2 lines
Move HTTP error codes into http.h. ok benno@
Revision 1.186, Fri Jul 11 22:28:44 2014 UTC by reyk
Branch: MAIN
Changes since 1.185: +3 -1 lines
Limit HTTP header length to about 8K (based on the default of 4-8K in common web servers). Add a related regress test. OK benno@
Revision 1.185, Fri Jul 11 21:09:28 2014 UTC by reyk
Branch: MAIN
Changes since 1.184: +2 -2 lines
8 bits is enough for sslflags
Revision 1.184, Fri Jul 11 16:59:38 2014 UTC by reyk
Branch: MAIN
Changes since 1.183: +26 -8 lines
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences. This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults. ok benno@
Revision 1.183, Fri Jul 11 11:48:50 2014 UTC by reyk
Branch: MAIN
Changes since 1.182: +21 -14 lines
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers. ok bluhm@ (regress part) ok benno@
Revision 1.182, Wed Jul 9 16:42:05 2014 UTC by reyk
Branch: MAIN
Changes since 1.181: +200 -129 lines
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later. With some testing, feedback, and help from benno@ and andre@. OK benno@
Revision 1.181, Fri Jun 27 07:49:08 2014 UTC by andre
Branch: MAIN
Changes since 1.180: +3 -3 lines
knf, no functional change. ok reyk
Revision 1.180, Tue May 20 17:33:36 2014 UTC by reyk
Branch: MAIN
Changes since 1.179: +4 -4 lines
Unify the SSL privsep key loading functions. ok eric@
Revision 1.179, Thu May 8 13:08:48 2014 UTC by blambert
Branch: MAIN
Changes since 1.178: +5 -1 lines
match relayd proc.c infrastructure with snmpd okay reyk@
Revision 1.178, Sun May 4 16:38:19 2014 UTC by reyk
Branch: MAIN
Changes since 1.177: +2 -2 lines
Create a new default RSA engine instead of patching the existing one if none is available. Fixes SSL/TLS and a possible fatalx() on machines without a default RSA engine. Thanks to Bjorn Ketelaars for reporting and testing. ok gilles@ (for the relayd part)
Revision 1.177, Tue Apr 22 08:04:23 2014 UTC by reyk
Branch: MAIN
Changes since 1.176: +20 -3 lines
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id. ok benno@
Revision 1.176, Sun Apr 20 14:48:29 2014 UTC by reyk
Branch: MAIN
Changes since 1.175: +10 -4 lines
Reimplement the multi-dimensional arrays that are used to set up the process to process imsg communication. It became a maze after we added support for multiple relay processes and even worse with the ca processes. This change makes it easier to understand. Now it only opens socketpairs that are needed - the code previously wasted lots of fds. ok blambert@
Revision 1.175, Fri Apr 18 13:55:26 2014 UTC by reyk
Branch: MAIN
Changes since 1.174: +29 -6 lines
Introduce privsep for private keys: - Move RSA private keys to a new separate process instead of copying them to the relays. A custom RSA engine is used by the SSL/TLS code of the relay processes to send RSA private key encryption/decryption (also used for sign/verify) requests to the new "ca" processes instead of operating on the private key directly. - Each relay process gets its own related ca process. Setting "prefork 5" in the config file will spawn 10 processes (5 relay, 5 ca). This diff also reduces the default number of relay processes from 5 to 3 which should be suitable in most installations without a very heavy load. - Don't keep text versions of the keys in memory, parse them once and keep the binary representation. This might still be the case in OpenSSL's internals but will be fixed in the library. This diff doesn't prevent something like "heartbleed" but adds an additional mitigation to prevent leakage of the private keys from the processes doing SSL/TLS. With feedback from many ok benno@
Revision 1.174, Fri Apr 18 12:02:37 2014 UTC by reyk
Branch: MAIN
Changes since 1.173: +3 -1 lines
The proc.c code sets up some socketpair for the communication between different privsep processes. The implementation is using multi-dimensional arrays and some complicated process to process relations. This is the first attempt of cleaning it up and to allow N:N communications for the upcoming "CA" processes. Discussed with some, but nobody dared to comment on the code.
Revision 1.173, Mon Apr 14 12:58:04 2014 UTC by blambert
Branch: MAIN
Changes since 1.172: +7 -3 lines
Adapt relayd to use AgentX protocol to send traps ok reyk@ benno@
Revision 1.172, Fri Feb 14 10:21:00 2014 UTC by benno
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.171: +1 -2 lines
remove unused function that distracts from cleaning up the imsg_flush() mess ok krw, florian, henning
Revision 1.171, Mon Sep 9 17:57:45 2013 UTC by reyk
Branch: MAIN
Changes since 1.170: +3 -1 lines
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS). ok djm@
Revision 1.170, Sat Sep 7 10:46:31 2013 UTC by fgsch
Branch: MAIN
Changes since 1.169: +2 -2 lines
Change default ciphers to HIGH:!aNULL. reyk@ ok
Revision 1.169, Thu May 30 20:17:12 2013 UTC by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.168: +17 -1 lines
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details. ok benno@, manpage bits jmc@
Revision 1.168, Sat Apr 27 16:39:30 2013 UTC by benno
Branch: MAIN
Changes since 1.167: +2 -2 lines
time_t 64bit fixes for relayd and relayctl: - fix statistics - set INT_MAX limit on session timeouts - make sure we don't use too large session timeouts in pf redirects and openssl tested with old and new time_t ok florian@
Revision 1.167, Sun Mar 10 23:32:53 2013 UTC by reyk
Branch: MAIN
Changes since 1.166: +2 -2 lines
This diff changes relayd to use the monotonic clock instead of gettimeofday(). It was also bugging me for some time to have all these checks of gettimeofday()'s return value: it should not fail. So this diff introduces a void getmonotime(struct timeval *tv) that calls clock_gettime(CLOCK_MONOTONIC, &ts) and converts the output to a struct timeval that can be used with the existing code and the timeval-specific timer functions (timerclear, timersub, ...). It does not return a status but calls fatal() on error-that-should-not-happen. ok sthen@ chris@
Revision 1.166, Sat Mar 9 14:43:06 2013 UTC by bluhm
Branch: MAIN
Changes since 1.165: +4 -1 lines
Enable TCP socket splicing for HTTP persistent connection and chunked transfer encoding. This speeds up relayd for more protocol modes by zero-copy TCP forwarding. OK reyk@ benno@
Revision 1.165, Mon Mar 4 08:41:32 2013 UTC by sthen
Branch: MAIN
Changes since 1.164: +2 -1 lines
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
Revision 1.164, Tue Feb 5 21:36:33 2013 UTC by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.163: +8 -1 lines
Rework http content and chunk handling in relayd. Use special toread values to track the current http header or chunk state. This allows to handle an optional chunk trailer properly. Tracking the http state is also a prerequisite for splicing persistent http connections. OK and test reyk@ benno@
Revision 1.163, Tue Nov 27 05:00:28 2012 UTC by guenther
Branch: MAIN
Changes since 1.162: +5 -5 lines
Add format attributes to the proper functions and then fix the warnings that gcc then reports when compiling with -DDEBUG=2 ok reyk@ benno@
Revision 1.162, Fri Oct 19 16:49:50 2012 UTC by reyk
Branch: MAIN
Changes since 1.161: +8 -4 lines
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays. ok benno@
Revision 1.161, Thu Oct 4 20:53:30 2012 UTC by reyk
Branch: MAIN
Changes since 1.160: +3 -3 lines
spacing
Revision 1.160, Wed Oct 3 08:40:40 2012 UTC by reyk
Branch: MAIN
Changes since 1.159: +2 -1 lines
Inherit and pass the relay table flags correctly.
Revision 1.159, Wed Oct 3 08:33:31 2012 UTC by reyk
Branch: MAIN
Changes since 1.158: +23 -9 lines
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
Revision 1.158, Fri Sep 21 09:56:27 2012 UTC by benno
Branch: MAIN
Changes since 1.157: +8 -1 lines
file descriptor accounting for relays: track how many connections to backend servers are unopened and reserve fds for them. ok reyk@, "don't wait" deraadt@
Revision 1.157, Thu Sep 20 12:30:20 2012 UTC by reyk
Branch: MAIN
Changes since 1.156: +31 -3 lines
Move the HTTP code into an extra file to make future changes easier to follow. No functional changes, only one function got renamed. ok benno@
Revision 1.156, Mon Jul 9 09:52:05 2012 UTC by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.155: +2 -2 lines
Allow relayd to handle transactions > 2GB in size tested by snapshot users and benno for a while ok benno
Revision 1.155, Mon Jul 9 08:56:00 2012 UTC by deraadt
Branch: MAIN
Changes since 1.154: +5 -1 lines
need a private copy of nitems()
Revision 1.154, Tue May 8 15:10:15 2012 UTC by benno
Branch: MAIN
Changes since 1.153: +3 -1 lines
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
Revision 1.153, Wed Apr 11 08:25:26 2012 UTC by deraadt
Branch: MAIN
Changes since 1.152: +3 -1 lines
Do rate limiting of accept() when under pressure, like in other recent daemons. Light testing by some relayd users; let me know if issues develop.
Revision 1.152, Sat Jan 21 13:40:48 2012 UTC by camield
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.151: +2 -1 lines
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id") ok henning pyr deraadt solves the problem ok from benno todd
Revision 1.151, Sun Sep 4 20:26:58 2011 UTC by bluhm
Branch: MAIN
Changes since 1.150: +8 -8 lines
KNF, fix white spaces in relayd. No binary change. ok pyr@ sthen@
Revision 1.150, Thu May 26 14:48:20 2011 UTC by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.149: +3 -2 lines
Add additional check to prevent running scripts when not configured.
Revision 1.149, Thu May 26 14:38:03 2011 UTC by reyk
Branch: MAIN
Changes since 1.148: +4 -1 lines
fix "check script" by sending all required information to the parent.
Revision 1.148, Fri May 20 09:43:53 2011 UTC by reyk
Branch: MAIN
Changes since 1.147: +4 -1 lines
Concurrent calls of "relayctl show sessions" could crash relayd. Fix the show sessions handler by implementing it in an asynchronous way. Closes PR 6509 ok pyr@
Revision 1.147, Thu May 19 08:56:49 2011 UTC by reyk
Branch: MAIN
Changes since 1.146: +95 -43 lines
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parents loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code. Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
Revision 1.146, Mon May 9 12:08:47 2011 UTC by reyk
Branch: MAIN
Changes since 1.145: +153 -81 lines
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications. ok sthen@ pyr@
Revision 1.145, Thu May 5 10:20:24 2011 UTC by phessler
Branch: MAIN
Changes since 1.144: +2 -1 lines
Allow a user to specify the route priority OK reyk@ claudio@ sthen@
Revision 1.144, Sun Apr 24 10:07:43 2011 UTC by bluhm
Branch: MAIN
Changes since 1.143: +2 -2 lines
Get rid of casts to struct rsession in relayd by not declaring a void pointer in struct ctl_relay_event. That way the compiler can do its job and enforce correct types. ok pyr@ deraadt@
Revision 1.143, Tue Apr 12 12:37:22 2011 UTC by reyk
Branch: MAIN
Changes since 1.142: +18 -1 lines
update flags and printing of flags in debug mode, handle splicing flag.
Revision 1.142, Tue Apr 12 11:45:18 2011 UTC by bluhm
Branch: MAIN
Changes since 1.141: +2 -1 lines
Enable socket splicing for relayd. This allows zero-copy data forwarding for plain tcp connections. feedback and ok reyk@
Revision 1.141, Thu Apr 7 13:22:29 2011 UTC by reyk
Branch: MAIN
Changes since 1.140: +4 -1 lines
Add support for divert-to which provides some benefits over rdr-to. ok mikeb@
Revision 1.140, Fri Dec 31 21:22:42 2010 UTC by guenther
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.139: +3 -1 lines
Add missing #includes instead of assuming that some system header pulls in the needed bits ok deraadt@, millert@
Revision 1.139, Tue Nov 30 14:38:45 2010 UTC by reyk
Branch: MAIN
Changes since 1.138: +5 -2 lines
The relayd processes did already bump up the socket file descriptor resource limits to the maximum of the daemon class but the host check process (hce/health checks) didn't and was limited to a fairly low default of 128 open sockets (openfiles-cur=128 in login.conf). This was reached fairly quickly with "check tcp" of many hosts. This diff increases the maximum number of monitored hosts and concurrent health checks in relayd in a significant way and may fix issues for people that have around 100 or more hosts (or fewer hosts with multiple checked ports). tested by phessler@ ok jsg@
Revision 1.138, Tue Oct 26 15:04:37 2010 UTC by reyk
Branch: MAIN
Changes since 1.137: +2 -1 lines
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly. ok jsg@ mikeb@
Revision 1.137, Sun Aug 1 22:18:35 2010 UTC by sthen
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.136: +3 -1 lines
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
Revision 1.136, Wed May 26 13:56:08 2010 UTC by nicm
Branch: MAIN
Changes since 1.135: +2 -2 lines
Rename some imsg bits to make namespace collisions less likely buf to ibuf, buf_read to ibuf_read, READ_BUF_SIZE to IBUF_READ_SIZE. ok henning gilles claudio jacekm deraadt
Revision 1.135, Fri May 14 11:13:36 2010 UTC by reyk
Branch: MAIN
Changes since 1.134: +8 -1 lines
allocate all struct event's on the heap, it looks cleaner, feels better and follows a suggestion in event.h. also don't mix signal() and signal_set()/signal_add(). ok jsg@ gilles@
Revision 1.134, Fri May 14 07:57:07 2010 UTC by reyk
Branch: MAIN
Changes since 1.133: +1 -2 lines
spacing
Revision 1.133, Mon Jan 11 06:40:14 2010 UTC by jsg
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.132: +3 -1 lines
add "log brief" and "log verbose" to change logging verbosity like several other things in the tree. ok reyk@ looks fine claudio@
Revision 1.132, Tue Nov 3 21:33:22 2009 UTC by reyk
Branch: MAIN
Changes since 1.131: +5 -5 lines
reorder structure elements for struct netroute & router: static config elements first (this matches all the other structures). no functional change.
Revision 1.131, Mon Aug 17 11:36:01 2009 UTC (14 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.130: +3 -1 lines
also report routers and their host states in relayctl ok pyr@, jmc@ for man bits
Revision 1.130, Thu Aug 13 13:51:21 2009 UTC (14 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.129: +63 -2 lines
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows maintaining multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled. ok pyr@, jmc@ for manpages
Revision 1.129, Fri Aug 7 11:21:53 2009 UTC (14 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.128: +13 -13 lines
rename 'struct session' to 'struct rsession' because it conflicts with another 'struct session' in sys/sysctl.h.
Revision 1.128, Fri Aug 7 11:10:23 2009 UTC (14 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.127: +2 -1 lines
allow modifying the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
Revision 1.127, Wed Aug 5 13:46:13 2009 UTC (14 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.126: +1 -0 lines
prevent configuration of relays listening to a single addr:port tuple twice
Revision 1.126, Sat Jun 6 18:31:42 2009 UTC (15 years ago) by pyr
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.125: +2 -2 lines
Get ready for including imsg.h from a lib, when it comes along.
Revision 1.125, Fri Jun 5 23:39:51 2009 UTC (15 years ago) by pyr
Branch: MAIN
Changes since 1.124: +15 -7 lines
4 handed diff with eric: Stop pushing event handling in the imsg framework. Instead, provide a small glue layer on top of both imsg and libevent. This finally clearly separates event handling and imsg construction. Sidetrack bonus: remove the mega-ugly hack of having a dummy imsg_event_add stub in relayctl. This will make bgpd (and thus henning) happy. Next up are smtpd and ospfd. ok eric@
Revision 1.124, Fri Jun 5 00:04:01 2009 UTC (15 years ago) by pyr
Branch: MAIN
Changes since 1.123: +4 -1 lines
Make imsg completely async model agnostic by not requiring an imsg_event_add function to be provided (which ended up being a named callback). Instead provide a wrapper in the daemon and call that everywhere. Previously discussed with the usual suspects, ok eric@ though not too happy about the function name (imsg_compose_event).
Revision 1.123, Thu Jun 4 23:33:49 2009 UTC (15 years ago) by pyr
Branch: MAIN
Changes since 1.122: +10 -1 lines
move logging functions out of imsg.h, make imsg.c more library ready by not calling log_* or fatal and handle set errno when appropriate. discussed with a bunch of imsg conscious guys, ok eric@
Revision 1.122, Thu Jun 4 20:31:37 2009 UTC (15 years ago) by eric
Branch: MAIN
Changes since 1.121: +56 -2 lines
- move message types enum back to relayd.h
- use u_int16_t instead of enum imsg_type in imsg function prototypes
requested by reyk@, ok pyr@
Revision 1.121, Thu Jun 4 14:12:16 2009 UTC (15 years ago) by reyk
Branch: MAIN
Changes since 1.120: +1 -2 lines
remove unused variable
Revision 1.120, Thu Jun 4 07:16:38 2009 UTC (15 years ago) by eric
Branch: MAIN
Changes since 1.119: +4 -150 lines
Make imsg.c and buffer.c more generic by introducing imsg.h and a daemon-specific imsg_types.h discussed with and "yes, please" pyr@
Revision 1.119, Wed Jun 3 05:35:06 2009 UTC (15 years ago) by eric
Branch: MAIN
Changes since 1.118: +2 -2 lines
change buf_close return type to void. that function is not supposed to report anything remotely useful, or fail in any meaningful way. ok pyr@
Revision 1.118, Tue Jun 2 22:02:01 2009 UTC (15 years ago) by eric
Branch: MAIN
Changes since 1.117: +4 -1 lines
bring in buf_seek, buf_size and buf_left from bgpd ok pyr@
Revision 1.117, Tue Jun 2 21:44:22 2009 UTC (15 years ago) by eric
Branch: MAIN
Changes since 1.116: +2 -2 lines
constify argument to buf_add ok pyr@
Revision 1.116, Fri Apr 24 14:20:24 2009 UTC (15 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.115: +2 -1 lines
Allow UDP and/or TCP redirections instead of just TCP. Thanks to Marek Grzybowski for feedback and testing. ok jmc@ (manpage bits)
Revision 1.115, Thu Apr 2 14:30:51 2009 UTC (15 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.114: +5 -1 lines
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
Revision 1.114, Wed Apr 1 14:56:38 2009 UTC (15 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.113: +2 -1 lines
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course. This was tested by some people a while ago.
Revision 1.113, Fri Dec 5 16:37:56 2008 UTC (15 years, 6 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.112: +40 -2 lines
change the way relayd reports check results: instead of logging an arbitrary string in debugging mode, it will store an error code (HCE_*) for each host. the error code can be translated to a string (in log.c) for debugging but it will also be passed to relayctl via the control socket. from a user point of view, this will print a human-readable error message in the "relayctl show hosts" output if a host is down because the check failed. the relayctl(8) manpage includes detailed explanations of the error messages including mitigations for the most-common problems. ok jmc@ (manpages) ok phessler@
Revision 1.112, Mon Sep 29 14:53:36 2008 UTC (15 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.111: +3 -1 lines
allow loading expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
Revision 1.111, Mon Sep 29 09:58:51 2008 UTC (15 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.110: +8 -2 lines
allow listening on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world. Tested and requested by many
Revision 1.110, Mon Aug 11 08:07:14 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.109: +11 -10 lines
better handling of HTTP POSTs or requests with Content-Length.
Revision 1.109, Tue Jul 22 23:17:37 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.108: +4 -1 lines
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd. manpage bits ok jmc@ yes, sounds good todd@
Revision 1.108, Sat Jul 19 11:38:54 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.107: +3 -3 lines
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
Revision 1.107, Sat Jul 19 10:52:32 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.106: +6 -3 lines
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains). discussed with pyr, tested in different setups
Revision 1.106, Wed Jul 9 17:16:51 2008 UTC (15 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.105: +13 -1 lines
Use OpenBSD's knuth shuffle algorithm of random values from bind to produce the DNS request ids instead of a simple per-request arc4random(). This ensures randomness but also satisfies the non-repeating property we need. ok deraadt@
Revision 1.105, Wed Jul 9 14:57:01 2008 UTC (15 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.104: +2 -1 lines
also set the protocol, either TCP or UDP, in the NAT lookup. this unbreaks NAT lookups with UDP; tested as a transparent DNS relay.
Revision 1.104, Wed Jul 9 10:50:34 2008 UTC (15 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.103: +2 -2 lines
update the relay dns code to open a new udp socket to send the forwarded dns request to the server instead of sending from the server socket. this will fix the limitation that the dns relay had to listen to the "0.0.0.0" address, and will also enable relayd to use the udp source port randomization. relayd will now randomize the source port (on OpenBSD) and DNS request identifier for the clients behind it. ok pyr@
Revision 1.103, Wed Jun 11 18:21:20 2008 UTC (16 years ago) by reyk
Branch: MAIN
Changes since 1.102: +22 -3 lines
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows building fully-transparent ssl encapsulation for tcp sessions and many other things... based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8) ok markus@ pyr@
Revision 1.102, Thu May 8 02:27:58 2008 UTC (16 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.101: +5 -5 lines
move the session keys used by dns in a protocol-specific private ptr.
Revision 1.101, Wed May 7 01:49:29 2008 UTC (16 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.100: +4 -1 lines
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds. discussed with many, thought about in the onsen
Revision 1.100, Tue May 6 06:09:48 2008 UTC (16 years, 1 month ago) by pyr
Branch: MAIN
Changes since 1.99: +2 -1 lines
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
Revision 1.99, Wed Feb 13 11:32:59 2008 UTC (16 years, 4 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.98: +2 -2 lines
bump copyright
Revision 1.98, Wed Feb 13 11:02:37 2008 UTC (16 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.97: +5 -1 lines
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
Revision 1.97, Mon Feb 11 10:42:50 2008 UTC (16 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.96: +18 -2 lines
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration. ok pyr@ thib@
Revision 1.96, Mon Feb 4 12:12:30 2008 UTC (16 years, 4 months ago) by thib
Branch: MAIN
Changes since 1.95: +9 -1 lines
Move some prototypes from relay.c to relayd.h and remove their externs in other places; ok reyk@
Revision 1.95, Mon Feb 4 12:05:26 2008 UTC (16 years, 4 months ago) by thib
Branch: MAIN
Changes since 1.94: +7 -1 lines
Move the declaration of DPRINTF from relay.c to relayd.h so it can be reused; ok reyk@
Revision 1.94, Mon Feb 4 12:01:33 2008 UTC (16 years, 4 months ago) by thib
Branch: MAIN
Changes since 1.93: +3 -3 lines
declare se_relay as pointer to a struct relay not as a void pointer; shuffle the forward declaration of struct relay around to accommodate this change; ok reyk@
Revision 1.93, Thu Jan 31 12:12:50 2008 UTC (16 years, 4 months ago) by thib
Branch: MAIN
Changes since 1.92: +20 -20 lines
add prefixes to names of structure elements to make it easier to grep for code, next struct session; ok reyk@;
Revision 1.92, Thu Jan 31 09:56:29 2008 UTC (16 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.91: +21 -21 lines
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later. ok thib@
Revision 1.91, Thu Jan 31 09:33:39 2008 UTC (16 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.90: +31 -31 lines
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally. ok thib@
Revision 1.90, Thu Dec 20 20:15:43 2007 UTC (16 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.89: +14 -10 lines
implement statistics for redirections, like the existing statistics for relays. they can be viewed with the new "relayctl show redirects" command. (uses the previous change to pf_table.c to get the statistics) looks good pyr@
Revision 1.89, Sat Dec 8 20:36:36 2007 UTC (16 years, 6 months ago) by pyr
Branch: MAIN
Changes since 1.88: +23 -23 lines
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
Revision 1.88, Sat Dec 8 17:07:09 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.87: +4 -3 lines
some changes to the relayd.conf configuration language and grammar. the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf) discussed with pyr and deraadt ok pyr@
Revision 1.87, Fri Dec 7 17:17:01 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.86: +49 -49 lines
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
Revision 1.86, Mon Nov 26 09:38:25 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.85: +9 -1 lines
allow adding labels to protocol actions; they will be printed in http error pages and can be used to refer to additional information. ok pyr@
Revision 1.85, Sat Nov 24 16:13:50 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.84: +3 -1 lines
extend the url lookup algorithm to match the full URL and different possible suffix/prefix combinations by stripping subdomains, path components, and the query args. ok and tested by gilles@
Revision 1.84, Fri Nov 23 09:39:42 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.83: +5 -3 lines
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion. ok pyr@ gilles@
Revision 1.83, Thu Nov 22 16:38:25 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.82: +3 -3 lines
shuffle some structure elements; avoid using enums in *_config structs.
Revision 1.82, Thu Nov 22 16:07:03 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.81: +2 -1 lines
Fix relay roundrobin mode to work correctly when multiple hosts in a table are down. Thanks to Preston Norvell at serialssolutions dot com for reporting the problem.
Revision 1.81, Thu Nov 22 10:09:53 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.80: +6 -2 lines
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
Revision 1.80, Wed Nov 21 20:28:38 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.79: +6 -6 lines
spacing
Revision 1.79, Wed Nov 21 20:13:20 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.78: +5 -3 lines
move digest string handling into an extra function.
Revision 1.78, Wed Nov 21 14:12:04 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.77: +3 -3 lines
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage. alright pyr@
Revision 1.77, Wed Nov 21 13:04:42 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.76: +7 -1 lines
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations. ok pyr@ gilles@
Revision 1.76, Tue Nov 20 15:54:55 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.75: +5 -1 lines
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!). ok pyr@
Revision 1.75, Tue Nov 20 15:44:21 2007 UTC (16 years, 6 months ago) by pyr
Branch: MAIN
Changes since 1.74: +3 -1 lines
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
Revision 1.74, Tue Nov 20 13:01:13 2007 UTC (16 years, 6 months ago) by pyr
Branch: MAIN
Changes since 1.73: +2 -2 lines
bump table name size. ok reyk@
Revision 1.73, Mon Nov 19 14:48:19 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.72: +14 -8 lines
rework the internal handling of protocol actions a little bit:
- allow using a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
Revision 1.72, Wed Nov 14 10:59:01 2007 UTC (16 years, 7 months ago) by pyr
Branch: MAIN
Changes since 1.71: +2 -2 lines
make protos dynamic too
Revision 1.71, Mon Oct 22 16:53:30 2007 UTC (16 years, 7 months ago) by pyr
Branch: MAIN
Changes since 1.70: +2 -1 lines
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more. ok reyk@ who spotted a stupid mistake again...
Revision 1.70, Fri Oct 19 14:15:14 2007 UTC (16 years, 7 months ago) by pyr
Branch: MAIN
Changes since 1.69: +2 -2 lines
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
Revision 1.69, Fri Oct 19 12:08:55 2007 UTC (16 years, 7 months ago) by pyr
Branch: MAIN
Changes since 1.68: +3 -2 lines
Add the ability to schedule an immediate check through hoststatectl. Especially useful when interval is rather long. I was supposed to commit this before 4.2.
Revision 1.68, Fri Oct 12 12:50:59 2007 UTC (16 years, 8 months ago) by blambert
Branch: MAIN
Changes since 1.67: +3 -3 lines
Silence some lint(1) warnings ok pyr@
Revision 1.67, Fri Oct 5 17:32:13 2007 UTC (16 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.66: +8 -7 lines
stylistic changes in the relay/relay_config structure.
Revision 1.66, Fri Oct 5 15:50:12 2007 UTC (16 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.65: +2 -2 lines
using an enum in the imsg_hdr is gross, use a fixed u_int16_t instead
Revision 1.65, Tue Oct 2 21:04:13 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Changes since 1.64: +2 -1 lines
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
Revision 1.64, Fri Sep 28 13:29:56 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Changes since 1.63: +2 -2 lines
Correct my mail address.
Revision 1.63, Fri Sep 28 13:05:28 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Changes since 1.62: +7 -5 lines
Change the ssl_privsep code to work on char buffers. The fd based code introduced weirdness since all children were accessing the same fd at once. This will also greatly facilitate reloading, no fd-passing will be involved between the parent and relay children. While there, cleanup the code diverting from the original ssl_rsa.c code a bit more. Weird behavior discovery by pascoe@.
Revision 1.62, Thu Sep 27 13:34:21 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Changes since 1.61: +5 -2 lines
Simplify ssl_privsep.c, since it won't need to remain synced with the equivalent openssl functions.
Revision 1.61, Tue Sep 25 08:24:26 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Changes since 1.60: +5 -1 lines
Introduce two new functions to be able to load certificates while already chrooted and with privileges dropped. This is the very first step in being able to reload a layer 7 configuration. not ok reyk who's away but should be glad to see this in.
Revision 1.60, Mon Sep 10 11:59:22 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.59: +16 -2 lines
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols. ok gilles@, tested by some
Revision 1.59, Fri Sep 7 08:20:24 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.58: +4 -1 lines
add an interface to dump running relay sessions to the control socket
Revision 1.58, Fri Sep 7 07:59:18 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.57: +1 -2 lines
remove unused flags field from the structure
Revision 1.57, Fri Sep 7 07:52:14 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.56: +2 -1 lines
add a function to print delays in hours, minutes, and seconds
Revision 1.56, Thu Sep 6 19:55:45 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.55: +2 -1 lines
rename relay_host to print_host in log.c
Revision 1.55, Wed Sep 5 08:48:42 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.54: +10 -4 lines
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria. ok pyr@
Revision 1.54, Wed Sep 5 07:32:33 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.53: +2 -2 lines
increase the maximum string size for the sslciphers from 32 to 768. this unbreaks some configurations that worked when sslciphers was a dynamic charbuf. ok pyr@
Revision 1.53, Mon Jun 18 17:29:38 2007 UTC (16 years, 11 months ago) by pyr
Branch: MAIN
Changes since 1.52: +23 -23 lines
we're going to need more room for flags (again). promote the field to u_int32_t. no impact on hoststatectl.
Revision 1.52, Tue Jun 12 15:16:10 2007 UTC (17 years ago) by msf
Branch: MAIN
Changes since 1.51: +9 -2 lines
put the fd passing from bgpd back in to hoststated's version of imsg, needed for layer 7 reload support. ok pyr@
Revision 1.51, Thu May 31 03:24:05 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.50: +4 -3 lines
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
Revision 1.50, Tue May 29 23:19:18 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.49: +2 -2 lines
allow the control handling code to send messages back to the parent. forward IMSG_CTL_RELOAD which ends up not doing anything for now.
Revision 1.49, Tue May 29 19:05:13 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.48: +12 -1 lines
put the reload imsg types in right now. it makes my life easier.
Revision 1.48, Tue May 29 17:12:04 2007 UTC (17 years ago) by reyk
Branch: MAIN
Changes since 1.47: +15 -3 lines
add a new check method which allows to run external scripts/programs for custom evaluations. pyr agrees to put it in now but to do some improvements of the timeout handling later.
Revision 1.47, Tue May 29 00:48:04 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.46: +2 -2 lines
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
Revision 1.46, Tue May 29 00:21:10 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.45: +18 -12 lines
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
Revision 1.45, Mon May 28 22:11:33 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.44: +8 -1 lines
another small step towards hoststated reloading. allow purging of parts of the hoststated environment structure. start using this function now to only keep vital information in hoststated children processes. ok reyk@
Revision 1.44, Mon May 28 17:37:16 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.43: +2 -1 lines
store the configuration file's path, this will be useful when reloading.
Revision 1.43, Sun May 27 20:53:10 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.42: +31 -17 lines
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload. Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
Revision 1.42, Sat May 26 19:58:49 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.41: +12 -10 lines
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advise and ok reyk@
Revision 1.41, Thu Apr 12 14:45:45 2007 UTC (17 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.40: +4 -2 lines
add a new relay 'path' action to filter the URL path and arguments. ok pyr@
Revision 1.40, Tue Apr 10 21:33:52 2007 UTC (17 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.39: +5 -1 lines
move the decoding of the URL, independent from the node lookups, we will need it later.
Revision 1.39, Wed Mar 21 00:08:08 2007 UTC (17 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.38: +2 -1 lines
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers. ok pyr@
Revision 1.38, Sat Mar 17 22:28:42 2007 UTC (17 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.37: +4 -4 lines
move some elements in the relay imsg ctl structures (just for the style)
Revision 1.37, Tue Mar 13 12:04:52 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.36: +5 -1 lines
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers. ok pyr@
Revision 1.36, Mon Mar 5 11:44:50 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.35: +7 -1 lines
do not strip the header for expect, hash, and log actions. since we have a tristate in relay_handle_http(), use nicer return codes defined to make it better readable (no function change).
Revision 1.35, Tue Feb 27 13:38:58 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.34: +14 -4 lines
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined. for example: response change "Server" to "OpenBSD-hoststated/4.1" ok pyr@
Revision 1.34, Mon Feb 26 12:35:43 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.33: +2 -1 lines
handle requests with chunked transfer-encoding.
Revision 1.33, Mon Feb 26 12:09:21 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.32: +2 -1 lines
improve the relay bufferevent handler if one side closed the connection
Revision 1.32, Mon Feb 26 11:59:48 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.31: +2 -1 lines
re-use the retry value from table host entries for inbound relay connections. the relay will retry to connect to the hosts for the specified number of times. this sounds bad, but is a useful "workaround" for unreliable backend servers...
Revision 1.31, Sun Feb 25 14:57:09 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.30: +1 -2 lines
remove unused variable
Revision 1.30, Sat Feb 24 16:14:02 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.29: +2 -2 lines
disable anonymous DH by default (cipher suite HIGH:!ADH instead of HIGH).
Revision 1.29, Sat Feb 24 15:48:54 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.28: +4 -2 lines
disable SSLv2 and use "HIGH" crypto cipher suites by default. suggested by dlg@
Revision 1.28, Sat Feb 24 00:22:32 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.27: +32 -9 lines
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (by some reason, i didn't realize that we already have 2007...).
Revision 1.27, Fri Feb 23 00:28:06 2007 UTC (17 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.26: +3 -3 lines
knf
Revision 1.26, Thu Feb 22 05:58:06 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.25: +11 -11 lines
spacing
Revision 1.25, Thu Feb 22 03:32:39 2007 UTC (17 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.24: +240 -5 lines
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying. see hoststated.conf(5) and my upcoming article on undeadly.org for details. ok to commit deraadt@ pyr@
Revision 1.24, Wed Feb 7 15:17:46 2007 UTC (17 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.23: +21 -12 lines
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode. ok claudio@ pyr@
Revision 1.23, Wed Feb 7 13:39:58 2007 UTC (17 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.22: +1 -3 lines
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
Revision 1.22, Wed Feb 7 13:30:17 2007 UTC (17 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.21: +2 -1 lines
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
Revision 1.21, Tue Feb 6 10:26:13 2007 UTC (17 years, 4 months ago) by pyr
Branch: MAIN
Changes since 1.20: +1 -8 lines
now that check_http_code, check_http_digest and check_send_expect are in check_tcp.c, prototype them in check_tcp.c ok reyk@
Revision 1.20, Tue Feb 6 10:06:55 2007 UTC (17 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.19: +2 -1 lines
declare the function ssl_error() globally
Revision 1.19, Tue Feb 6 08:45:46 2007 UTC (17 years, 4 months ago) by pyr
Branch: MAIN
Changes since 1.18: +4 -1 lines
inform hoststatectl monitor of ruleset changes and table syncs. ok reyk@
Revision 1.18, Thu Feb 1 20:03:39 2007 UTC (17 years, 4 months ago) by pyr
Branch: MAIN
Changes since 1.17: +6 -3 lines
add a monitor mode to hoststatectl to continuously report changes in hoststated. ok reyk@, "looks nice and clean" niallo@
Revision 1.17, Mon Jan 29 14:23:31 2007 UTC (17 years, 4 months ago) by pyr
Branch: MAIN
Changes since 1.16: +11 -1 lines
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
Revision 1.16, Fri Jan 12 17:05:18 2007 UTC (17 years, 5 months ago) by pyr
Branch: MAIN
Changes since 1.15: +15 -15 lines
use a u_int16_t for flags, the u_int8_t was getting too small. ok reyk@
Revision 1.15, Fri Jan 12 16:43:01 2007 UTC (17 years, 5 months ago) by pyr
Branch: MAIN
Changes since 1.14: +8 -4 lines
eliminate duplicate tcp read/write code. ok claudio@, reyk@
Revision 1.14, Thu Jan 11 18:05:08 2007 UTC (17 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.13: +26 -17 lines
use real async events for checks and improve the non-blocking socket usage. also modify the check_icmp code to use non-blocking raw sockets and merge the icmp4 and icmp6 functions. some other minor changes while i'm here. as discussed with pyr@ claudio@ deraadt@ ok pyr@
Revision 1.13, Tue Jan 9 13:50:11 2007 UTC (17 years, 5 months ago) by pyr
Branch: MAIN
Changes since 1.12: +45 -45 lines
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
Revision 1.12, Tue Jan 9 03:32:56 2007 UTC (17 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.11: +2 -1 lines
use the correct buffer sizes. (this code needs some more work to implement a better icmp handling, but this will fix a serious bug for now)
Revision 1.11, Mon Jan 8 20:46:18 2007 UTC (17 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.10: +1 -2 lines
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems. change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*". suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
Revision 1.10, Mon Jan 8 16:52:58 2007 UTC (17 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.9: +2 -2 lines
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code. ok Pierre-Yves Ritschard (pyr at spootnik dot org)
Revision 1.9, Mon Jan 8 13:37:26 2007 UTC (17 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.8: +8 -1 lines
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols. From Pierre-Yves Ritschard (pyr at spootnik dot org)
Revision 1.8, Wed Jan 3 09:45:29 2007 UTC (17 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.7: +2 -2 lines
spacing
Revision 1.7, Wed Jan 3 09:42:30 2007 UTC (17 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.6: +2 -1 lines
allow the sticky-address option for round-robin pools. From Pierre-Yves Ritschard (pyr at spootnik dot org)
Revision 1.6, Tue Dec 26 02:51:00 2006 UTC (17 years, 5 months ago) by jsg
Branch: MAIN
Changes since 1.5: +2 -0 lines
Add missing $OpenBSD$
Revision 1.5, Mon Dec 25 19:05:41 2006 UTC (17 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.4: +2 -2 lines
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
Revision 1.4, Mon Dec 25 18:12:14 2006 UTC (17 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.3: +34 -9 lines
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly. From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
Revision 1.3, Sat Dec 16 18:50:33 2006 UTC (17 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.2: +19 -9 lines
- allow to use host/service/table names instead of Ids in hostatectl.
- minor change of the "hostatectl show" command output
- increase the max service and tag names (max pf tag name size is 64 now!)
thanks to pyr who found a bug in my initial diff
Revision 1.2, Sat Dec 16 12:42:14 2006 UTC (17 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.1: +89 -86 lines
knf, spacing. please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
Revision 1.1, Sat Dec 16 11:45:07 2006 UTC (17 years, 5 months ago) by reyk
Branch: MAIN
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd". The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup. ok deraadt@ claudio@