Age | Commit message | Author
- The fd based code introduced weirdness since all children were accessing
  the same fd at once. This will also greatly facilitate reloading, no
  fd-passing will be involved between the parent and relay children.
  While there, cleanup the code diverting from the original ssl_rsa.c code
  a bit more.
  Weird behavior discovered by pascoe@.
- equivalent openssl functions.
- already chrooted and with privileges dropped.
  This is the very first step in being able to reload a
  layer 7 configuration.
  not ok reyk who's away but should be glad to see this in.
- header randomization). this adds an infrastructure to support
  UDP-based protocols.
  ok gilles@, tested by some
- be used for faster lookups of sessions based on different criteria.
  ok pyr@
- this unbreaks some configurations that worked when sslciphers was a
  dynamic charbuf.
  ok pyr@
- promote the field to u_int32_t.
  no impact on hoststatectl.
- needed for layer 7 reload support.
  ok pyr@
- split the code to start the event loop in two functions.
  introduce merge_config which will be used later on.
- forward IMSG_CTL_RELOAD which ends up not doing anything for now.
- for custom evaluations.
  pyr agrees to put it in now but to do some improvements of the timeout
  handling later.
- this will make it easier to send the struct over the socket.
- this time around, include hoststatectl changes too.
- allow purging of parts of the hoststated environment structure.
  start using this function now to only keep vital information in
  hoststated children processes.
  ok reyk@
- First split out hosts, tables and services into two structs, one that
  contains the runtime fields and one (inside the runtime) that contains
  mostly static fields that will be sent over the socket during reload.
  Also move the demoted field of tables inside the flags field as it's
  just a boolean.
  ok reyk@
- * make parse_config allocate the hoststated function by itself
  * make as many sockets as necessary to talk to the relay children
  * add send_all for talking to all children
  with advice and ok reyk@
- ok pyr@
- will need it later.
- optional connection "retry" to the forward to, service, and nat lookup
  options. for example, "nat lookup retry 3" is useful when running
  hoststated as a transparent proxy when connecting to unreliable
  frontend/backend servers.
  ok pyr@
- support the Generalized TTL Security Mechanism (GTSM) according to RFC
  3682. this is especially useful with inbound connections and a fixed
  distance to the backend servers.
  ok pyr@
- since we have a tristate in relay_handle_http(), use nicer return
  codes defined to make it better readable (no function change).
- actions on response headers (the reply sent by backend HTTP servers).
  the default and slightly faster relay streaming mode will be used if
  no actions are defined.
  for example:
  response change "Server" to "OpenBSD-hoststated/4.1"
  ok pyr@
- connections. the relay will retry to connect to the hosts for the
  specified number of times. this sounds bad, but is a useful
  "workaround" for unreliable backend servers...
- suggested by dlg@
- (as required by the PCI DSS)
  - increase the default listen backlog to 10, allow modifying the
    backlog as a per-protocol tcp option to improve the performance
    on busy systems (to get less connection failures on heavy load)
  - close the connection if SSL_accept returned an error
  - instead of logging _new_ relay sessions to syslog, log the
    sessions in relay_close() after they have been _finished_.
    this will allow collecting some additional information
  - add a new log keyword to log specified header/url entities (useful
    to track "bad guys" using many session ids or multiple user agents)
  - some minor fixes, manpage bits, and bump the copyright (for some
    reason, i didn't realize that we already have 2007...).
- loadbalancing, SSL acceleration, general-purpose TCP relaying, and
  transparent proxying.
  see hoststated.conf(5) and my upcoming article on undeadly.org for
  details.
  ok to commit deraadt@ pyr@
- notifications after completed host checks. either only log the
  "updates" to new states or log "all" state notifications, even if the
  state didn't change. the log messages will be reported to syslog or to
  stderr if the daemon is running in foreground mode.
  ok claudio@ pyr@
- ospfd(8) (can be re-imported later if required).
- bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
- in check_tcp.c, prototype them in check_tcp.c
  ok reyk@
- ok reyk@
- hoststated.
  ok reyk@, "looks nice and clean" niallo@
- with help and OK reyk@
  with help and advice by claudio@ and Srebrenko Sehic
- ok reyk@
- ok claudio@, reyk@