| Age | Commit message (Collapse) | Author |
|---|
|
|
|
URL filter category etc.)
|
|
|
|
|
|
|
|
|
|
|
|
abort the session if we get an empty line except of the expected chunk
header.
|
|
|
|
|
|
nor chunked encoding. We don't know the length of the HTTP body in
this case, so it only works for single-pass HTTP responses without
subsequent HTTP response headers in the stream. You can still enforce
the Content-Length header with an "expect" rule.
For example, this fixes response handling from undeadly.org (thttpd)
if relayd is running as a transparent HTTP proxy.
|
|
OK reyk@
|
|
faithd(8) by doing a similar mapping of IPv4/6 addresses with
relayd(8) and pf(4) redirections without the need of the faith(4)
interface. The trick works in both directions, it can accept IPv6
connections and relay them to IPv4 hosts by extracting the last 4
octets from the IPv6 destination (like faithd(8)), and it can accept
IPv4 connections and relay them to IPv6 hosts by prepending the 4
octets of the original IPv4 destination to a configured IPv6 prefix.
An access list is not needed because the classification is done in
pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@
yes, sounds good todd@
|
|
if it does.
|
|
doing a nat lookup. this fixes nat lookups when the relay is
listening to a wildcard IPv4/IPv6 address (like 0.0.0.0 or ::).
|
|
produce the DNS request ids instead of a simple per-request
arc4random(). This ensure randomness but also satisfies the
non-repeating property we need.
ok deraadt@
|
|
unbreaks NAT lookups with UDP; tested as a transparent DNS relay.
|
|
relay will connect to the target host with its own ip address, but
this mode will let it use the address of the client that is connecting
from the other side. for example, there is no need to add the
X-Forwarded-For HTTP headers for internal webservers in this mode
anymore since they magically see the remote client ip address in the
connection. it also allows to build fully-transparent ssl
encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon)
using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
|
|
|
way and didn't show since our read buffers are small.
``put it in'' reyk@
|
|
|
|
|
|
the tree lookups in some cases.
From Nigel Taylor
ok pyr@ deraadt@
|
|
|
|
was forgotten.
|
|
in other places;
ok reyk@
|
|
reused;
ok reyk@
|
|
for code, next struct session;
ok reyk@;
|
|
for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
|
for code, start with struct relayd. finally.
ok thib@
|
|
(for instance: rename struct service to struct rdr), refer to redirects
otherwise (hoststatectl output).
ok reyk@
|
|
the tables will look more like pf tables, it is easier to re-use
tables with different options, "services" will become "redirections"
(they refer to rdr pf rules), sync configuration directives of
redirect (l3, ex-service) relay (l7) sections (for example "virtual
host" will become "listen on"), all target definitions will start with
"forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt
ok pyr@
|
|
what the daemon does - it is a relayer that pays attention to the status
of pools of hosts; not a status checkers that happens to do some relaying
|
|
maximum number of file descriptors for this login class
(openfiles-max) of the relay child processes. this will allow 1024
instead of just 128 open file descriptors in the default configuration
(class daemon), use the openfiles-max capability and the sysctl
kern.maxfiles to adjust the value.
ok gilles@ pyr@
|
|
|
|
error pages and can be used to refer to additional information.
ok pyr@
|
|
|
|
|
|
possible suffix/prefix combinations by stripping subdomains, path
components, and the query args.
ok and tested by gilles@
|
|
|
|
it is possible to attach a mark to a session based on matching an
entity (header, url, cookie, ...) and add conditional action for this
mark. it works a bit like the tag/tagged keywords in pf, but i decided
to pick a different name to avoid confusion.
ok pyr@ gilles@
|
|
table are down.
Thanks to Preston Norvell at serialssolutions dot com for reporting
the problem.
|
|
suffix/prefix expressions like "example.com/index.html?args". a digest
mode allows to match against anonymized SHA1/MD5 digests of
suffix/prefix expressions.
|
|
(the if () else if () block was getting very big).
|
|
with large trees of protocol actions.
|
|
please update your hoststated.conf configurations. also add more
examples to the manpage.
alright pyr@
|
|
receiving a filtered entity, fix some remaining issues.
|
|
|
|
meaningful message if a HTTP/HTTPS relay closes the connection for
some reason. for example, a "403 Forbidden" if the request was
rejected by a filter. this will be enabled with the "return error"
option and is disabled by default, the standard behaviour is to
silently drop the connection; the browser may display an empty page in
this case. the look+feel of the HTTP error page can be customized with
a CSS style sheet, but we do not intend to allow customization of the
error page contents (hoststated is not a webserver!).
ok pyr@
|
|
correctly.
ok pyr@
|
