| Age | Commit message (Collapse) | Author |
|---|
|
another 'struct session' in sys/sysctl.h.
|
|
Currently the receiver fetches an imsg via imsg_get() and if he expects
an fd, he then calls imsg_get_fd() to fetch the next fd queued on the
imsgbuf from which the imsg came.
This changes hides the fd queueing mechanism to the API user. When closing
an imsg with an fd, the message is flagged so that the receiving end knows
it must dequeue the fd in imsg_get() and return it with the imsg structure.
This way there is no (less) possible screw up from imsg_get_fd() not being
called directly after imsg_get() by the user. The retreived imsg is
self-contained.
ok pyr@, "I like that" henning@
|
|
Stop pushing event handling in the imsg framework.
Instead, provide a small glue layer on top of both imsg and libevent.
This finally clearly separates event handling and imsg construction.
Sidetrack bonus: remove the mega-ugly hack of having a dummy imsg_event_add
stub in relayctl.
This will make bgpd (and thus henning) happy. Next up are smtpd and ospfd.
ok eric@
|
|
|
|
imsg_event_add function to be provided (which ended up being a named
callback).
Instead provide a wrapper in the daemon and call that everywhere.
Previsously discussed with the usual suspects,
ok eric@ though not too happy about the function name
(imsg_compose_event).
|
|
required because it is called later and there is no return before.
ok gilles@
|
|
So change the code accordingly to allow that.
Found by claudio@ in ospfd
|
|
value.
ok & ``makes sense'' reyk@
|
|
server certificates when connecting as an SSL client from relays. it
works so far, but needs more testing and is currently lacking support
for certificate revocation (like CRL or OCSP). the file ssl_privsep.c
is extended to implement more code that should be in openssl to allow
loading the ca from chroot...
|
|
now sit between two SSL connections (Oitm - OpenBSD-in-the-middle),
accept SSL connections and forward to TCP, accept TCP connections and
forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
|
|
|
URL filter category etc.)
|
|
|
|
|
|
|
|
|
|
|
|
abort the session if we get an empty line except of the expected chunk
header.
|
|
|
|
|
|
nor chunked encoding. We don't know the length of the HTTP body in
this case, so it only works for single-pass HTTP responses without
subsequent HTTP response headers in the stream. You can still enforce
the Content-Length header with an "expect" rule.
For example, this fixes response handling from undeadly.org (thttpd)
if relayd is running as a transparent HTTP proxy.
|
|
OK reyk@
|
|
faithd(8) by doing a similar mapping of IPv4/6 addresses with
relayd(8) and pf(4) redirections without the need of the faith(4)
interface. The trick works in both directions, it can accept IPv6
connections and relay them to IPv4 hosts by extracting the last 4
octets from the IPv6 destination (like faithd(8)), and it can accept
IPv4 connections and relay them to IPv6 hosts by prepending the 4
octets of the original IPv4 destination to a configured IPv6 prefix.
An access list is not needed because the classification is done in
pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@
yes, sounds good todd@
|
|
if it does.
|
|
doing a nat lookup. this fixes nat lookups when the relay is
listening to a wildcard IPv4/IPv6 address (like 0.0.0.0 or ::).
|
|
produce the DNS request ids instead of a simple per-request
arc4random(). This ensure randomness but also satisfies the
non-repeating property we need.
ok deraadt@
|
|
unbreaks NAT lookups with UDP; tested as a transparent DNS relay.
|
|
relay will connect to the target host with its own ip address, but
this mode will let it use the address of the client that is connecting
from the other side. for example, there is no need to add the
X-Forwarded-For HTTP headers for internal webservers in this mode
anymore since they magically see the remote client ip address in the
connection. it also allows to build fully-transparent ssl
encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon)
using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
|
|
|
way and didn't show since our read buffers are small.
``put it in'' reyk@
|
|
|
|
|
|
the tree lookups in some cases.
From Nigel Taylor
ok pyr@ deraadt@
|
|
|
|
was forgotten.
|
|
in other places;
ok reyk@
|
|
reused;
ok reyk@
|
|
for code, next struct session;
ok reyk@;
|
|
for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
|
for code, start with struct relayd. finally.
ok thib@
|
|
(for instance: rename struct service to struct rdr), refer to redirects
otherwise (hoststatectl output).
ok reyk@
|
|
the tables will look more like pf tables, it is easier to re-use
tables with different options, "services" will become "redirections"
(they refer to rdr pf rules), sync configuration directives of
redirect (l3, ex-service) relay (l7) sections (for example "virtual
host" will become "listen on"), all target definitions will start with
"forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt
ok pyr@
|
|
what the daemon does - it is a relayer that pays attention to the status
of pools of hosts; not a status checkers that happens to do some relaying
|
|
maximum number of file descriptors for this login class
(openfiles-max) of the relay child processes. this will allow 1024
instead of just 128 open file descriptors in the default configuration
(class daemon), use the openfiles-max capability and the sysctl
kern.maxfiles to adjust the value.
ok gilles@ pyr@
|
|
|
|
error pages and can be used to refer to additional information.
ok pyr@
|
|
|
|
|
|
possible suffix/prefix combinations by stripping subdomains, path
components, and the query args.
ok and tested by gilles@
|
|
|
