Age | Commit message | Author
based on the existing hostapd/pfctl code.
ok pyr@
ok pyr@
header randomization). this adds an infrastructure to support
UDP-based protocols.
ok gilles@, tested by some
ok pyr@ (who is the first copyright holder)
Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout
handling later.
inherit them from multiple services or relays. this is useful if you
want to use a table with the same list of hosts but different ports as
specified in the relay or service section.
this makes mcbride more happy
ok pyr@
ok pyr@
optional connection "retry" to the forward to, service, and nat lookup
options. for example, "nat lookup retry 3" is useful when running
hoststated as a transparent proxy when connecting to unreliable
frontend/backend servers.
ok pyr@
support the Generalized TTL Security Mechanism (GTSM) according to RFC
3682. this is especially useful with inbound connections and a fixed
distance to the backend servers.
ok pyr@
thanks to Sebastian Reitenbach, closes pr 5409
cookies yet), for example: cookie hash "JSESSIONID"
tested by some people
ok pyr@
actions on response headers (the reply sent by backend HTTP servers).
the default and slightly faster relay streaming mode will be used if
no actions are defined.
for example:
response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
from Tamas TEVESZ
another heads up for testers: you need to change configuration files.
ok reyk@
keyword for default relay actions.
ok pyr@
You will need to update your configuration files accordingly.
"just do it", reyk@
connections. the relay will retry connecting to the hosts for the
specified number of times. this sounds bad, but is a useful
"workaround" for unreliable backend servers...
suggested by dlg@
(as required by the PCI DSS)
- increase the default listen backlog to 10, allow modifying the
backlog as a per-protocol tcp option to improve the performance
on busy systems (to get fewer connection failures under heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the
sessions in relay_close() after they have been _finished_.
this will allow collecting some additional information
- add a new log keyword to log specified header/url entities (useful
to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some
reason, i didn't realize that it is already 2007...).
in tables.
loadbalancing, SSL acceleration, general-purpose TCP relaying, and
transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for
details.
ok to commit deraadt@ pyr@
notifications after completed host checks. either only log the
"updates" to new states or log "all" state notifications, even if the
state didn't change. the log messages will be reported to syslog or to
stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
advised by and ok jmc@
with help and OK reyk@
with help and advice by claudio@ and Srebrenko Sehic
Note to testers: the user the daemon changes its id to is now _hoststated,
don't forget to update master.passwd.
ok reyk@
and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface
using shell globbing rules instead. this allows simple patterns like
"220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
regex(3)). this allows defining additional checks for other TCP
protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
From Pierre-Yves Ritschard (pyr at spootnik dot org)
instead of nested select() calls and to handle the non-blocking
sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
(with a little help by me)