Age | Commit message | Author |
|
Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
|
sync usage() to the man page.
format string fixes.
complain about failed calloc()s instead of exiting silently.
ok pry@,reyk@
|
|
configuration struct.
|
|
again.
|
|
split the code to start the event loop in two functions.
introduce merge_config which will be used later on.
|
|
ok reyk@
|
|
for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout
handling later.
|
|
this will make it easier to send the struct over the socket.
|
|
this time around, include hoststatectl changes too.
|
|
|
|
First split out hosts, tables and services into two structs, one that
contains the runtime fields and one (inside the runtime) that contains
mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's
just a boolean.
ok reyk@
|
|
inherit them from multiple services or relays. this is useful if you
want to use a table with the same list of hosts but different ports as
specified in the relay or service section.
this makes mcbride more happy
ok pyr@
|
|
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
|
ok pyr@
|
|
optional connection "retry" to the forward to, service, and nat lookup
options. for example, "nat lookup retry 3" is useful when running
hoststated as a transparent proxy when connecting to unreliable
frontend/backend servers.
ok pyr@
|
|
support the Generalized TTL Security Mechanism (GTSM) according to RFC
3682. this is especially useful with inbound connections and a fixed
distance to the backend servers.
ok pyr@
|
|
layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
|
cookies yet), for example: cookie hash "JSESSIONID"
tested by some people
ok pyr@
|
|
actions on response headers (the reply sent by backend HTTP servers).
the default and slightly faster relay streaming mode will be used if
no actions are defined.
for example:
response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
|
another heads up for testers: you need to change configuration files.
ok reyk@
|
|
reorder other rules as well.
ok reyk@
|
|
configuration will need to be updated as some directives have changed.
manpage and examples bits coming up.
ok reyk@
|
|
|
|
You will need to update your configuration files accordingly.
"just do it", reyk@
|
|
(as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the
backlog as a per-protocol tcp option to improve the performance
on busy systems (to get fewer connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the
sessions in relay_close() after they have been _finished_.
this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful
to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some
reason, i didn't realize that we already have 2007...).
|
|
loadbalancing, SSL acceleration, general-purpose TCP relaying, and
transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for
details.
ok to commit deraadt@ pyr@
|
|
|
|
any truncated strings (table names/anchors/tags/...) to pf and the
kernel.
ok pyr@
|
|
notifications after completed host checks. either only log the
"updates" to new states or log "all" state notifications, even if the
state didn't change. the log messages will be reported to syslog or to
stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
|
ospfd(8) (can be re-imported later if required).
|
|
bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
|
ok reyk@
|
|
with help and OK reyk@
with help and advice by claudio@ and Srebrenko Sehic
|
|
ok pyr@
|
|
them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
|
ok claudio@, reyk@
|
|
Note to testers: the user the daemon changes its id to is now _hoststated,
don't forget to update master.passwd.
ok reyk@
|
|
|
|
and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface
using shell globbing rules instead. this allows simple patterns like
"220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
|
the configuration file, e.g. "real port http".
> From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
|
figured this out while testing hoststated against a stuttering spamd
where the send/expect timeout needs to be > 10 seconds). also use another
struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
|
|
|
regex(3)). this allows to define additional checks for other TCP
protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
|
|
|
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
|
seconds (tv_sec) and microseconds (tv_usec), but the code assumed
seconds and milliseconds...
|
|
instead of nested select() calls and to handle the non-blocking
sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
(with a little help by me)
|
|
|
|
|
|
please note that some editors will replace tabs with multiple spaces
if you cut & paste code from other sections. please try to keep the
tabs ;).
|