Age | Commit message | Author |
|
language. The grammar is inspired by pf and allows writing versatile
last-matching filter rules in protocol sections starting with the
"pass", "block" or "match" keywords. This work was started almost two
years ago and replaces large parts of relayd(8)'s HTTP and filtering
code. The initial version reimplements and extends HTTP filtering,
but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
|
pyr@'s initial version to rightfully add my copyright to these files:
sync with reality.
|
|
ok benno
|
|
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and
openssl
tested with old and new time_t
ok florian@
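An added C example, not relayd's own code, of the INT_MAX range check this commit describes: a hypothetical parse_timeout() rejects a configured timeout that would not fit in the int that the pf and OpenSSL timeout interfaces take, instead of letting a 64-bit time_t be silently truncated at the call site. parse_timeout() and timeout_or() are names assumed for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical config-parser helper (not relayd's own code).  With a 64-bit
 * time_t a configured timeout can exceed what the int arguments of the pf
 * and OpenSSL timeout interfaces can hold, so the value is checked against
 * INT_MAX here rather than being silently truncated where it is passed on.
 * Returns 0 and stores the value in *out, or -1 with errno set to EINVAL
 * (not a plain decimal number) or ERANGE (negative or above INT_MAX).
 */
int
parse_timeout(const char *s, int *out)
{
	char *end;
	long long v;

	errno = 0;
	v = strtoll(s, &end, 10);
	if (end == s || *end != '\0') {
		errno = EINVAL;
		return -1;
	}
	if (errno == ERANGE || v < 0 || v > INT_MAX) {
		errno = ERANGE;
		return -1;
	}
	*out = (int)v;
	return 0;
}

/* Convenience wrapper: the parsed timeout, or dflt when the input is rejected. */
int
timeout_or(const char *s, int dflt)
{
	int t;

	return parse_timeout(s, &t) == 0 ? t : dflt;
}

int
main(int argc, char *argv[])
{
	int i, t;

	/* Each argument is treated as one configured timeout value. */
	for (i = 1; i < argc; i++) {
		if (parse_timeout(argv[i], &t) == -1)
			printf("%s: rejected (%s)\n", argv[i], strerror(errno));
		else
			printf("%s: timeout %d s\n", argv[i], t);
	}
	return 0;
}
```

The check belongs in the parser because the narrowing happens later, in several places (pf redirect timeouts, SSL session timeouts), and each of those call sites would otherwise have to repeat it.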
|
|
ok deraadt@
|
|
gettimeofday(). It was also bugging me for some time to have all
these checks of gettimeofday()'s return value: it should not fail. So
this diff introduces a void getmonotime(struct timeval *tv) that calls
clock_gettime(CLOCK_MONOTONIC, &ts) and converts the output to a
struct timeval that can be used with the existing code and the
timeval-specific timer functions (timerclear, timersub, ...). It does
not return a status but calls fatal() on error-that-should-not-happen.
ok sthen@ chris@
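The helper described in this commit, rebuilt as an added C example rather than relayd's own code: getmonotime() reads CLOCK_MONOTONIC, converts the timespec to a timeval and calls fatal() on the failure that should not happen. fatal() here is a stand-in built on err(3), and timer_expired(), timeout_elapsed_now() and monotime_never_decreases() are names assumed for illustration.

```c
#define _DEFAULT_SOURCE
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <time.h>

/* Stand-in for the daemon's fatal(): log the error and exit, never return. */
static void
fatal(const char *msg)
{
	err(1, "%s", msg);
}

/*
 * Monotonic clock delivered as a struct timeval, so it drops into code that
 * already uses timeradd()/timersub()/timercmp() on gettimeofday() values.
 * CLOCK_MONOTONIC does not jump when the wall clock is stepped, so a timeout
 * computed from it cannot fire early or late after a clock adjustment.
 */
void
getmonotime(struct timeval *tv)
{
	struct timespec ts;

	if (clock_gettime(CLOCK_MONOTONIC, &ts) == -1)
		fatal("clock_gettime");
	tv->tv_sec = ts.tv_sec;
	tv->tv_usec = ts.tv_nsec / 1000;
}

/* Non-zero if a timer armed at `armed` with duration `timeout` has expired. */
int
timer_expired(const struct timeval *armed, const struct timeval *timeout)
{
	struct timeval now, deadline;

	getmonotime(&now);
	timeradd(armed, timeout, &deadline);
	return timercmp(&now, &deadline, >=);
}

/* Arms a timer now and reports whether `secs` seconds have already elapsed. */
int
timeout_elapsed_now(int secs)
{
	struct timeval armed, timeout = { secs, 0 };

	getmonotime(&armed);
	return timer_expired(&armed, &timeout);
}

/* Two consecutive reads must never go backwards, unlike gettimeofday(). */
int
monotime_never_decreases(void)
{
	struct timeval a, b;

	getmonotime(&a);
	getmonotime(&b);
	return timercmp(&b, &a, >=);
}

int
main(void)
{
	struct timeval start, now, elapsed;

	getmonotime(&start);
	getmonotime(&now);
	timersub(&now, &start, &elapsed);
	printf("elapsed %lld.%06ld s, monotonic=%d\n",
	    (long long)elapsed.tv_sec, (long)elapsed.tv_usec,
	    monotime_never_decreases());
	return 0;
}
```

Because the result is a timeval, callers keep the existing timer macros unchanged; only the source of "now" moves from the adjustable wall clock to the monotonic one.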
|
|
the show sessions handler by implementing it in an asynchronous way.
Closes PR 6509
ok pyr@
|
|
daemon infrastructure. The previous design made it fairly hard to
reload the complex data structures, especially relays and protocols.
One of the reasons was that the privsep'd relayd processes had two
ways of getting their configuration: 1) from memory after forking from
the parent process and 2) and (partially) via imsgs after reload. The
new implementation first forks the privsep'd children before the
parent loads the configuration and sends it via imsgs to them; so it
is only like 2) before. It is based on an approach that I first
implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@
ok pyr@ dlg@ sthen@
|
|
functions that are based on work for iked and smtpd. This simplifies
the setup of privsep processes and moves some redundant and repeated
code to a single place - which is always good from a quality and
security point of view. The relayd version of proc.c is different to
the current version in iked because it uses 1:N communications between
processes, e.g. a single parent process is talking to many forked relay
children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
|
the needed bits
ok deraadt@, millert@
|
|
like several other things in the tree.
ok reyk@ looks fine claudio@
|
|
to recognize when something did not work in a much easier way than parsing
the relayctl output. OK reyk@
|
|
ok pyr@, jmc@ for man bits
|
|
another 'struct session' in sys/sysctl.h.
|
|
Stop pushing event handling in the imsg framework.
Instead, provide a small glue layer on top of both imsg and libevent.
This finally clearly separates event handling and imsg construction.
Sidetrack bonus: remove the mega-ugly hack of having a dummy imsg_event_add
stub in relayctl.
This will make bgpd (and thus henning) happy. Next up are smtpd and ospfd.
ok eric@
|
|
sync synopsis/usage.
|
|
arbitrary string in debugging mode, it will store an error code
(HCE_*) for each host. the error code can be translated to a string
(in log.c) for debugging but it will also be passed to relayctl via
the control socket.
from a user point of view, this will print a human-readable error
message in the "relayctl show hosts" output if a host is down because
the check failed. the relayctl(8) manpage includes detailed
explanations of the error messages including mitigations for the
most-common problems.
ok jmc@ (manpages)
ok phessler@
|
|
for code, next struct session;
ok reyk@;
|
|
for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
|
for relays. they can be viewed with the new "relayctl show redirects"
command.
(uses the previous change to pf_table.c to get the statistics)
looks good pyr@
|
|
(for instance: rename struct service to struct rdr), refer to redirects
otherwise (hoststatectl output).
ok reyk@
|
|
ok pyr@
|
|
what the daemon does - it is a relayer that pays attention to the status
of pools of hosts; not a status checker that happens to do some relaying
|
|
it is possible to attach a mark to a session based on matching an
entity (header, url, cookie, ...) and add conditional action for this
mark. it works a bit like the tag/tagged keywords in pf, but i decided
to pick a different name to avoid confusion.
ok pyr@ gilles@
|
|
Especially useful when interval is rather long.
I was supposed to commit this before 4.2.
|
|
sessions.
|
forward IMSG_CTL_RELOAD which ends up not doing anything for now.
|
|
this time around, include hoststatectl changes too.
|
|
This unbreaks the tree.
Fixed from the depth of the OpenBSD lair.
|
|
load balancing, SSL acceleration, general-purpose TCP relaying, and
transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for
details.
ok to commit deraadt@ pyr@
|
|
ok reyk@
|
|
ok pyr@
|
|
|
API (inspired by the ipsec pfkey monitor).
ok pyr@ niallo@
|
|
hoststated.
ok reyk@, "looks nice and clean" niallo@
|
|
with help and OK reyk@
with help and advice by claudio@ and Srebrenko Sehic
|
|
Note to testers: the user the daemon changes its id to is now _hoststated,
don't forget to update master.passwd.
ok reyk@
|
|
|
- minor change of the "hoststatectl show" command output
- increase the max service and tag names (max pf tag name size is 64 now!)
thanks to pyr who found a bug in my initial diff
|
|