path: root/usr.sbin/relayd/pfe.c
2024-06-17 (Alexandr Nedvedicky)
The fix comes from Giannis Kapetanakis (bilias _from_ edu.physics.uoc.gr).
When relayd(8) handles 'host disable/enable' command issued by relayctl(8), it disables redirect it finds in tables for particular host. However there can be multiple redirect instances which use the same host in relayd(8) tables. This change makes relayd(8) to walk through all tables and disable all redirects which match the host. OK giovanni@, OK sashan@
2020-09-14 (Martijn van Duren)
Rewrite the agentx code of relayd. This new framework should allow us to add new objects easier if so desired and should handle a lot more corner-cases. This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr resulting in garbage data to be put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend on adding it soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.
Tweaks and OK denis@ on the relayd parts
Tweaks and OK claudio@ on the agentx parts
"Get it in" deraadt@
2017-05-28 (Sebastian Benoit)
use __func__ in log messages. fix some whitespace while here.
From Hiltjo Posthuma hiltjo -AT codemadness -DOT- org, thanks! ok florian, claudio
2017-01-24 (Sebastian Benoit)
move the opening of /dev/pf from the parent process to the pfe process where it is used. Currently pf is opened on every reload, that will no longer be possible in the future with pledged programs that do ioctls. This prepares relayd for that change. ok deraadt@, meinetwegen reyk@
2016-09-02 (Reyk Floeter)
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done. OK benno@ claudio@
2016-09-02 (Reyk Floeter)
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts. With input from and OK claudio@ benno@
2016-09-02 (Reyk Floeter)
As done in httpd, remove ps_ninstances and p_instance.
OK benno@ rzalamena@
2016-09-02 (Reyk Floeter)
Terminate relayd using the socket status instead of watching SIGCHLD or killing child processes. - Based on rzalamena@'s diff for httpd. OK deraadt@ rzalamena@
2015-12-03 (Sebastian Benoit)
quick removal of all host-related entries in the related relayd anchor if the host fails the SLA check. patch from Brian S. Vangsgaard. ok reyk@
2015-12-02 (Reyk Floeter)
In most cases we don't need all arguments of proc_compose*_imsg(), so add a shortcut proc_compose*() that skips all of them. Only use the full argument list if needed. The functions with full argument lists can eventually be replaced with a nicer transaction-based approach later. OK benno@
2015-11-29 (Sebastian Benoit)
Use pledge("pf") in pfe.c.
Move getrtable() from pfe to parent process, since it's in the way of pledge. ok deraadt@, feedback from reyk@ on previous version.
2015-04-21 (Jonathan Gray)
fix a memory leak. ok blambert@
2015-02-08 (Bret Lambert)
move a log_warnx() to a DPRINTF, as it's information intended for developers, not sysadmins
original diff from yasuoka@
2015-01-22 (Reyk Floeter)
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself. OK benno@
2015-01-16 (Theo de Raadt)
Adapt to <limits.h> universe.
ok millert
2014-11-19 (Bret Lambert)
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands okay benno@ reyk@
2014-07-09 (Reyk Floeter)
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later. With some testing, feedback, and help from benno@ and andre@. OK benno@
2013-03-10 (Reyk Floeter)
This diff changes relayd to use the monotonic clock instead of gettimeofday(). It was also bugging me for some time to have all these checks of gettimeofday()'s return value: it should not fail. So this diff introduces a void getmonotime(struct timeval *tv) that calls clock_gettime(CLOCK_MONOTONIC, &ts) and converts the output to a struct timeval that can be used with the existing code and the timeval-specific timer functions (timerclear, timersub, ...). It does not return a status but calls fatal() on error-that-should-not-happen. ok sthen@ chris@
2012-10-03 (Reyk Floeter)
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
2012-01-21 (Camiel Dobbelaar)
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id") ok henning pyr deraadt solves the problem ok from benno todd
2011-11-12 (Camiel Dobbelaar)
fix function names in fatalx() messages
ok mikeb
2011-05-20 (Reyk Floeter)
Concurrent calls of "relayctl show sessions" could crash relayd. Fix the show sessions handler by implementing it in an asynchronous way. Closes PR 6509 ok pyr@
2011-05-19 (Reyk Floeter)
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code. Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
2011-05-09 (Reyk Floeter)
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications. ok sthen@ pyr@
2011-05-05 (Reyk Floeter)
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
2010-11-16 (Jonathan Gray)
Add support for enable/disable table when using relays instead of redirects.
From Patrik Lundin and Linus Widstromer. ok reyk@
2010-08-01 (Stuart Henderson)
Allow fallback tables for relays, not just redirections.
Seems reasonable to jsg, ok phessler, no response from reyk or pyr
2010-05-14 (Reyk Floeter)
allocate all struct event's on the heap, it looks cleaner, feels better and follows a suggestion in event.h. also don't mix signal() and signal_set()/signal_add(). ok jsg@ gilles@
2009-08-17 (Reyk Floeter)
also report routers and their host states in relayctl
ok pyr@, jmc@ for man bits
2009-08-13 (Reyk Floeter)
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled. ok pyr@, jmc@ for manpages
2009-08-07 (Reyk Floeter)
rename 'struct session' to 'struct rsession' because it conflicts with another 'struct session' in sys/sysctl.h.
2009-06-05 (Pierre-Yves Ritschard)
4 handed diff with eric:
Stop pushing event handling in the imsg framework. Instead, provide a small glue layer on top of both imsg and libevent. This finally clearly separates event handling and imsg construction. Sidetrack bonus: remove the mega-ugly hack of having a dummy imsg_event_add stub in relayctl. This will make bgpd (and thus henning) happy. Next up are smtpd and ospfd. ok eric@
2009-06-05 (Pierre-Yves Ritschard)
some KNF cleanup following the last sed.
2009-06-05 (Pierre-Yves Ritschard)
Make imsg completely async model agnostic by not requiring an imsg_event_add function to be provided (which ended up being a named callback). Instead provide a wrapper in the daemon and call that everywhere. Previously discussed with the usual suspects, ok eric@ though not too happy about the function name (imsg_compose_event).
2009-06-02 (Reyk Floeter)
remove extra imsg_event_add() after EV_WRITE checks - this is not required because it is called later and there is no return before. ok gilles@
2009-06-02 (Reyk Floeter)
Libevent may do an upcall with both EV_READ and EV_WRITE set.
So change the code accordingly to allow that. Found by claudio@ in ospfd
2009-04-17 (Reyk Floeter)
keep the parent relations of hosts after reloading the configuration.
From Camiel Dobbelaar, closes PR 6066
2009-04-01 (Reyk Floeter)
re-initialize tables after reload to handle new and changed tables.
From Pascal Lalonde, closes PR 6112
2008-12-05 (Reyk Floeter)
change the way relayd reports check results: instead of logging an arbitrary string in debugging mode, it will store an error code (HCE_*) for each host. the error code can be translated to a string (in log.c) for debugging but it will also be passed to relayctl via the control socket. from a user point of view, this will print a human-readable error message in the "relayctl show hosts" output if a host is down because the check failed. the relayctl(8) manpage includes detailed explanations of the error messages including mitigations for the most-common problems. ok jmc@ (manpages) ok phessler@
2008-09-03 (Jonathan Gray)
Missing breaks.
ok pyr@
2008-08-08 (Thordur I. Bjornsson)
Check gettimeofday() against -1; Add a missing error check in one place.
OK reyk@
2008-07-19 (Reyk Floeter)
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
2008-07-19 (Reyk Floeter)
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains). discussed with pyr, tested in different setups
2008-01-31 (Reyk Floeter)
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later. ok thib@
2008-01-31 (Reyk Floeter)
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally. ok thib@
2007-12-20 (Reyk Floeter)
implement statistics for redirections, like the existing statistics for relays. they can be viewed with the new "relayctl show redirects" command. (uses the previous change to pf_table.c to get the statistics) looks good pyr@
2007-12-08 (Pierre-Yves Ritschard)
Rename everything which referred to services refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
2007-12-07 (Reyk Floeter)
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
2007-11-24 (Reyk Floeter)
sort includes, adjust to style(9)
2007-11-19 (Reyk Floeter)
spacing