Age | Commit message (Collapse) | Author |
|
ok jsg@
|
|
ok reyk@ sure deraadt@
|
|
|
|
Pointed out by Markus Elfring
OK mikeb@ millert@
|
|
|
|
manual review. Based on common practice, relayd.h now includes the
necessary headers for itself.
OK benno@
|
|
|
|
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
|
|
effectively disabled support for the SSL protocols. SSL remains a
common term describing SSL/TLS, there is some controvery about this
change, and the name really doesn't matter, but I feel confident about
it now.
(btw., sthen@ pointed out some historical context:
http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
|
language. The grammar is inspired by pf and allows to write versatile
last-matching filter rules in protocol sections starting with the
"pass", "block" or "match" keywords. This work was started almost two
years ago and replaces large parts of relayd(8)'s HTTP and filtering
code. The initial version reimplements and extends HTTP filtering,
but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
|
pyr@'s initial version to rightfully add my copyright to these files:
sync with reality.
|
|
and add a missing .Pa macro;
from Jan Stary <hans at stare dot cz>
|
|
|
|
ok benno
|
|
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we dont use to large session timeouts in pf redirects and
openssl
tested with old and new time_t
ok florian@
|
|
ok deraadt@
|
|
gettimeofday(). It was also bugging me for some time to have all
these checks of gettimeofday()'s return value: it should not fail. So
this diff introduces a void getmonotime(struct timeval *tv) that calls
clock_gettime(CLOCK_MONOTONIC, &ts) and converts the output to a
struct timeval that can be used with the existing code and the
timeval-specific timer functions (timerclear, timersub, ...). It does
not return a status but calls fatal() on error-that-should-not-happen.
ok sthen@ chris@
|
|
Makes "make build" build with WARNINGS=Yes on amd64.
ok espie
|
|
the show sessions handler by implementing it in an asynchronous way.
Closes PR 6509
ok pyr@
|
|
daemon infrastructure. The previous design made it fairly hard to
reload the complex data structures, especially relays and protocols.
One of the reasons was that the privsep'd relayd processes had two
ways of getting their configuration: 1) from memory after forking from
the parent process and 2) and (partially) via imsgs after reload. The
new implementation first forks the privsep'd children before the
parents loads the configuration and sends it via imsgs to them; so it
is only like 2) before. It is based on an approach that I first
implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@
ok pyr@ dlg@ sthen@
|
|
functions that are based on work for iked and smtpd. This simplifies
the setup of privsep processes and moves some redundant and repeated
code to a single place - which is always good from a quality and
security point of view. The relayd version of proc.c is different to
the current version in iked because it uses 1:N communications between
processes, eg. a single parent process is talking to many forked relay
children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
|
the needed bits
ok deraadt@, millert@
|
|
change. ok claudio
|
|
Minor bump for libutil.
Previous versions of this diff and man page looked at by various people.
"you should just commit" deraadt
|
|
like several other things in the tree.
ok reyk@ looks fine claudio@
|
|
we don't know the size of, otherwise gcc >= 4 will error.
ok markus@ deraadt@
|
|
few remaining ".Tn UNIX" macros with ".Ux" ones.
pointed out by ratchov@, thanks!
ok jmc@
|
|
ok jmc@
|
|
to recognize when something did not work in a much easier way then parsing
the relayctl output. OK reyk@
|
|
ok pyr@, jmc@ for man bits
|
|
another 'struct session' in sys/sysctl.h.
|
|
Stop pushing event handling in the imsg framework.
Instead, provide a small glue layer on top of both imsg and libevent.
This finally clearly separates event handling and imsg construction.
Sidetrack bonus: remove the mega-ugly hack of having a dummy imsg_event_add
stub in relayctl.
This will make bgpd (and thus henning) happy. Next up are smtpd and ospfd.
ok eric@
|
|
sync synopsis/usage.
|
|
arbitrary string in debugging mode, it will store an error code
(HCE_*) for each host. the error code can be translated to a string
(in log.c) for debugging but it will also be passed to relayctl via
the control socket.
from a user point of view, this will print a human-readable error
message in the "relayctl show hosts" output if a host is down because
the check failed. the relayctl(8) manpage includes detailed
explanations of the error messages including mitigations for the
most-common problems.
ok jmc@ (manpages)
ok phessler@
|
|
|
|
for code, next struct session;
ok reyk@;
|
|
for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
|
statistics for new connections with sticky states.
|
|
for relays. they can be viewed with the new "relayctl show redirects"
command.
(uses the previous change to pf_table.c to get the statistics)
looks good pyr@
|
|
|
|
(for instance: rename struct service to struct rdr), refer to redirects
otherwise (hoststatectl output).
ok reyk@
|
|
ok pyr@
|
|
the tables will look more like pf tables, it is easier to re-use
tables with different options, "services" will become "redirections"
(they refer to rdr pf rules), sync configuration directives of
redirect (l3, ex-service) relay (l7) sections (for example "virtual
host" will become "listen on"), all target definitions will start with
"forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt
ok pyr@
|
|
|
|
what the daemon does - it is a relayer that pays attention to the status
of pools of hosts; not a status checkers that happens to do some relaying
|
|
|
|
it is possible to attach a mark to a session based on matching an
entity (header, url, cookie, ...) and add conditional action for this
mark. it works a bit like the tag/tagged keywords in pf, but i decided
to pick a different name to avoid confusion.
ok pyr@ gilles@
|
|
prompted by reyk@
|
|
|
|
Especially useful when interval is rather long.
I was supposed to commit this before 4.2.
|