Age | Commit message | Author |
|
For example,
pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
|
ok gcc, claudio@ agrees
|
|
option 'http { [no] websockets }' to allow such connections (default
is no). Original diff from Daniel Lamando (dan AT danopia DOT net),
option and header checks by me. suggestions and ok bluhm@ and earlier
diff claudio@
|
|
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno
|
|
(and other lexers too)
This commit rectifies an earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). Compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@
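The quoting rule described in that commit, as an added example rather than the tree's own parse.y lexer: inside double quotes a backslash before a space or tab yields that blank, and a backslash before a newline disappears as a line continuation. The handling of an escaped quote, the treatment of any other backslash as literal, and the surrounding word/comment tokenizer are assumptions made so the example runs over a whole config fragment; the fragment itself is constructed.

```python
"""Quoted-string lexing rule from the commit above (added example, not the
tree's parse.y). Assumptions beyond the commit text: backslash-quote yields
a literal quote, any other backslash is kept as-is, '#' starts a comment,
and words are whitespace-separated."""


def lex_quoted(src: str, i: int) -> tuple:
    """Parse the double-quoted string starting at src[i] == '"'.
    Returns (value, index just past the closing quote)."""
    assert src[i] == '"'
    i += 1
    out = []
    while i < len(src):
        c = src[i]
        if c == '"':
            return "".join(out), i + 1
        if c == "\\" and i + 1 < len(src):
            nxt = src[i + 1]
            if nxt in ' \t"':      # escaped blank (or quote): keep the character
                out.append(nxt)
                i += 2
                continue
            if nxt == "\n":        # line continuation: both characters vanish
                i += 2
                continue
        out.append(c)              # any other backslash stays literal (assumption)
        i += 1
    raise SyntaxError("unterminated quoted string")


def tokenize(src: str) -> list:
    """Split a config fragment into words: '#' starts a comment, a quoted
    string is one word, and backslash-newline continues a line anywhere."""
    toks, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c == "#":
            while i < n and src[i] != "\n":
                i += 1
        elif c == "\\" and i + 1 < n and src[i + 1] == "\n":
            i += 2
        elif c.isspace():
            i += 1
        elif c == '"':
            val, i = lex_quoted(src, i)
            toks.append(val)
        else:
            j = i
            while j < n and not src[j].isspace() and src[j] not in '"#':
                j += 1
            toks.append(src[i:j])
            i = j
    return toks


# Constructed fragment in the style of an ifstated(8) action: a quoted
# command continued across two lines, and a value with an escaped space.
SAMPLE = ('run "ifconfig carp0 \\\n      advskew 100"   # constructed\n'
          'set label "hello\\ world"\n')

if __name__ == "__main__":
    for tok in tokenize(SAMPLE):
        print(repr(tok))
```

Note that the continuation newline is removed but the indentation on the continued line is not, so the quoted command keeps the spaces the author wrote there; that is the behaviour the commit asks for, and a config author who wants a single space has to put the backslash at the end of the line and start the next line without indentation.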
|
|
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
|
"looks good" gilles@ halex@
|
|
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or
all checks.
The third option controls logging of connections in relay mode:
either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections
will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
|
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.
ok henning@
|
|
calloc or strdup), we just need to log that we ran out of memory in a
particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
|
Thanks to otto@ for the initial diff.
OK benno@
|
|
ok benno@
|
|
to 1024 sessions per process (esp. with keep-alive). Now the fd limit is
the new maximum and relayd will make sure to not accept too many sessions.
The tcp backlog config maximum is now 512, adjust manpage accordingly.
OK benno@ deraadt@
|
|
From Kapetanakis Giannis, thanks.
ok claudio@
|
|
This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default.
The code now uses tls_config_set_ecdhecurves(3), so it is possible to
specify multiple curves. If people specified curves in their config
they need to adjust their config now.
OK beck@
|
|
the ca file (having all the trusted certs in them) can be so big that loading
via imsg fails.
OK beck@
|
|
OK benno@
|
|
ok bluhm@, >8k makes sense claudio@
|
|
Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT
gmail, thanks!
chris@ pointed out that more than httpd(8) is affected.
OK gilles@
|
|
engine but at least we can use a sane API for new features.
Going in now so it is possible to work with this in tree.
General agreement at d2k17.
|
|
modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
|
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
|
|
|
variable and limit it from 128 to 32 instances (the old value).
While here, move a few PROC_ defines around.
OK rzalamena@
|
|
snmp subsystem until the configuration is done.
OK benno@ claudio@
|
|
relayd_config". This way we can send all the relevant global
configuration to the children, not just the flags and the opts.
With input from and
OK claudio@ benno@
|
|
nature of relayd) to tls session tickets to do TLS session resumption.
TLS session tickets do not need to store SSL session data in the server but
instead send an encrypted ticket to the clients that allows them to resume the
session. This is mostly stateless (apart from the encryption keys).
relayd now ensures that all relay processes use the same key to encrypt
the tickets. Keys are rotated every 2h and there is a primary and backup key.
The tls session timeout is set to 2h to hint to the clients how long the
session tickets are supposed to be alive.
Input and OK benno@, reyk@
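The key handling that commit describes, as an added example and not relayd's code: one primary key encrypts new tickets, the previous primary stays on as backup so tickets issued just before a rotation still resume, rotation happens every two hours, and every relay process must hold the same ring. The ticket layout (key name, nonce, body, tag) and the HMAC-SHA256-based encrypt-then-MAC construction are assumptions chosen to keep the example stdlib-only; a real server uses an AEAD. The session state bytes are constructed.

```python
"""Session-ticket key ring with primary + backup and 2h rotation (added
example, not relayd's implementation). Ticket format and the toy cipher
are assumptions; only the rotation policy comes from the commit text."""
import hashlib
import hmac
import os
import struct

ROTATE_SECS = 2 * 3600       # rotation interval from the commit
TICKET_LIFETIME = 2 * 3600   # session timeout hinted to clients
KEYNAME_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


class TicketKey:
    def __init__(self, created: int):
        self.name = os.urandom(KEYNAME_LEN)   # public id carried in the ticket
        self.enc = os.urandom(32)
        self.mac = os.urandom(32)
        self.created = created


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256 (assumption, stands in for
    a real cipher)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class TicketKeyRing:
    """Primary encrypts; primary and backup both decrypt."""

    def __init__(self, now: int):
        self.primary = TicketKey(now)
        self.backup = None

    def rotate(self, now: int) -> bool:
        """Promote a fresh primary once the current one is ROTATE_SECS old.
        The old primary becomes backup; the old backup is forgotten."""
        if now - self.primary.created < ROTATE_SECS:
            return False
        self.backup, self.primary = self.primary, TicketKey(now)
        return True

    def export(self) -> tuple:
        """State the parent distributes so every relay process shares keys."""
        return (self.primary, self.backup)

    def encrypt_ticket(self, session_state: bytes) -> bytes:
        k = self.primary
        nonce = os.urandom(NONCE_LEN)
        body = _xor(session_state, _keystream(k.enc, nonce, len(session_state)))
        tag = hmac.new(k.mac, k.name + nonce + body, hashlib.sha256).digest()
        return k.name + nonce + body + tag

    def decrypt_ticket(self, ticket: bytes):
        """Session state, or None when the ticket names a key we no longer
        hold or fails authentication; the client then does a full handshake."""
        if len(ticket) < KEYNAME_LEN + NONCE_LEN + TAG_LEN:
            return None
        name = ticket[:KEYNAME_LEN]
        nonce = ticket[KEYNAME_LEN:KEYNAME_LEN + NONCE_LEN]
        body, tag = ticket[KEYNAME_LEN + NONCE_LEN:-TAG_LEN], ticket[-TAG_LEN:]
        k = next((k for k in (self.primary, self.backup) if k and k.name == name), None)
        if k is None:
            return None
        expect = hmac.new(k.mac, name + nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None
        return _xor(body, _keystream(k.enc, nonce, len(body)))


STATE = b"constructed-master-secret-and-cipher-suite"


def resumption_after_rotations(rotations: int) -> bool:
    """Issue a ticket at t=0, rotate the ring `rotations` times, and report
    whether the ticket still resumes (true for 0 or 1 rotation only)."""
    ring = TicketKeyRing(now=0)
    ticket = ring.encrypt_ticket(STATE)
    for i in range(1, rotations + 1):
        ring.rotate(now=i * ROTATE_SECS)
    return ring.decrypt_ticket(ticket) == STATE


def workers_share_keys() -> bool:
    """Two workers loaded with the parent's exported ring accept each
    other's tickets; a process with its own random keys rejects them."""
    parent = TicketKeyRing(now=0)
    w1, w2, stray = TicketKeyRing(0), TicketKeyRing(0), TicketKeyRing(0)
    w1.primary, w1.backup = parent.export()
    w2.primary, w2.backup = parent.export()
    ticket = w1.encrypt_ticket(STATE)
    return w2.decrypt_ticket(ticket) == STATE and stray.decrypt_ticket(ticket) is None
```

The primary/backup pair is what makes the 2h lifetime hint honest: a ticket issued a minute before a rotation is still decryptable for the whole next interval, while anything older than two rotations is refused and the client falls back to a full handshake instead of getting a confusing error.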
|
|
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@
|
|
include the process name, and replace all calls of fatal*(NULL) with
fatal(__func__) for better debugging.
OK benno@
|
|
ok millert krw
|
|
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
|
OK henning@
|
|
manual review. Based on common practice, relayd.h now includes the
necessary headers for itself.
OK benno@
|
|
ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
|
ok millert
|
|
in redirections. Thanks for help and input from jsg and yasuoka who
reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
|
*Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
|
loadbalance and hash modes use a random key by default that can be
forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
|
effectively disabled support for the SSL protocols. SSL remains a
common term describing SSL/TLS, there is some controversy about this
change, and the name really doesn't matter, but I feel confident about
it now.
(btw., sthen@ pointed out some historical context:
http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
|
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
|
This should be equivalent to the statistics available
via the various relaydctl show commands
okay benno@ reyk@
|
|
SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform
with another SSL library). Also fix the SSLv3 handling so that 'no sslv3'
actually works as intended.
ok reyk@
|
|
format string, create a temporary message.
OK deraadt@
|
|
It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following
directive in a relay block: "transparent forward to destination".
OK sthen@
|
|
OK sthen@ jsing@
|
|
as being an incomplete and therefore incorrect adaptation
Apologies to anybody who got bitten by this mistake
ok reyk@
|
|
work done by andre@
Re-add a randomized hash seed (which had apparently
gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured
to forward traffic to the same host, falling back to
the random seed when not explicitly configured to do so.
ok reyk@
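Keyed-hash host selection as it appears in the two hashing commits above (the random-by-default key with an optional static key, and the randomized seed that lets several relayd instances forward one client to the same host), as an added example that is not relayd's scheduler code. HMAC-SHA256 stands in for relayd's hash function (an assumption; the page does not name it), and the host names, client addresses and static key are constructed.

```python
"""Keyed-hash backend selection (added example, not relayd's code).
HMAC-SHA256 is a stand-in for the real hash; hosts/clients are constructed."""
import hashlib
import hmac
import ipaddress
import os

HOSTS = ["web1", "web2", "web3", "web4"]
CLIENTS = ["10.0.%d.%d" % (i // 256, i % 256) for i in range(64)]   # constructed


def pick_host(key: bytes, client: str, hosts: list) -> str:
    """Same key + same client address -> same host, every time."""
    packed = ipaddress.ip_address(client).packed
    digest = hmac.new(key, packed, hashlib.sha256).digest()
    return hosts[int.from_bytes(digest[:8], "big") % len(hosts)]


class Relay:
    def __init__(self, hosts, key=None):
        # Default: a fresh random key per instance (the new default in the
        # commit). Pass `key` to pin a static key shared between instances.
        self.hosts = list(hosts)
        self.key = key if key is not None else os.urandom(32)

    def forward(self, client: str) -> str:
        return pick_host(self.key, client, self.hosts)


def agree(key_a, key_b, clients=CLIENTS, hosts=HOSTS) -> bool:
    """Do two relays built with these keys route every client identically?
    Two None keys mean two independent random keys."""
    a, b = Relay(hosts, key_a), Relay(hosts, key_b)
    return all(a.forward(c) == b.forward(c) for c in clients)


def addresses_for(key: bytes, target: str, hosts=HOSTS, want=8) -> list:
    """With a known key anyone can precompute source addresses that all land
    on one host, concentrating load there; a random, secret key per instance
    removes that predictability. Scans a constructed 10.0.0.0/16 range."""
    found = []
    for i in range(65536):
        c = "10.0.%d.%d" % (i // 256, i % 256)
        if pick_host(key, c, hosts) == target:
            found.append(c)
            if len(found) == want:
                break
    return found


if __name__ == "__main__":
    static = b"\x01" * 32   # constructed static key
    print("two relays, same static key agree:", agree(static, static))
    print("two relays, random keys agree:    ", agree(None, None))
    print("addresses hashing to web3:", addresses_for(static, "web3"))
```

The trade-off the static-key option exposes is exactly this: a shared key is required when more than one relay must map a client to the same host, and the price is that whoever learns the key can choose addresses that pile onto one backend.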
|
|
|
|
clients. Additionally, add options for disallowing client-initiated
renegotiations and to prefer the server's cipher list over the
client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was
discussed with jsing@ resulting in a few different defaults.
ok benno@
|
|
with associated lists instead of the complicated lookup table and
"others" list. This might add a little malloc overhead for common
headers but also fixes some issues like the handling of repeated
headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part)
ok benno@
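Header storage as that commit describes it, an ordered list of (name, value) pairs instead of a single-slot lookup table, as an added example that is not relayd's http code. The sample response is constructed; the point it shows is that a dictionary keyed by header name silently drops one of two Set-Cookie headers, which the HTTP specification (RFC 7230, section 3.2.2) singles out as a header that cannot be folded into one comma-separated field.

```python
"""Ordered header list vs. one-slot lookup table (added example, not
relayd's code). The response block below is constructed."""


def parse_headers(block: str) -> list:
    """Parse 'Name: value' lines into an ordered list of (name, value),
    keeping repeats and original casing. Stops at the blank line that
    ends the header block; raises on a line without a colon."""
    headers = []
    for line in block.split("\r\n"):
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return headers


def get_all(headers: list, name: str) -> list:
    """Every value for a header name, in wire order, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def as_lookup_table(headers: list) -> dict:
    """The old shape: one slot per name, so a repeated header overwrites
    the earlier one and the relay never sees it."""
    return {n.lower(): v for n, v in headers}


def remove_header(headers: list, name: str) -> list:
    """A relay filter action: drop every instance of a header, not just one."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()]


# Constructed response: two Set-Cookie headers, a cookie date with commas.
SAMPLE = ("Content-Type: text/html\r\n"
          "Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n"
          "Set-Cookie: pref=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT\r\n"
          "Content-Length: 5\r\n"
          "\r\n"
          "hello")

if __name__ == "__main__":
    hs = parse_headers(SAMPLE)
    print("list keeps:", get_all(hs, "Set-Cookie"))
    print("table keeps:", as_lookup_table(hs).get("set-cookie"))
```

For a relay that applies per-header filter rules the list form matters twice over: a rule that removes or rewrites Set-Cookie has to touch every instance, and a rule that inspects a header must not be fooled by a duplicate that a table-based parser would have discarded.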
|