Age | Commit message | Author |
|
|
|
faithd(8) by doing a similar mapping of IPv4/6 addresses with
relayd(8) and pf(4) redirections without the need for the faith(4)
interface. The trick works in both directions: it can accept IPv6
connections and relay them to IPv4 hosts by extracting the last 4
octets from the IPv6 destination (like faithd(8)), and it can accept
IPv4 connections and relay them to IPv6 hosts by prepending the 4
octets of the original IPv4 destination to a configured IPv6 prefix.
An access list is not needed because the classification is done in
pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@
yes, sounds good todd@
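The two address mappings this commit describes, worked through as an added example (this is not relayd's or faithd's code). The mapping prefix 2001:db8:ffff::/96 and the addresses are constructed from documentation ranges; a /96 is assumed so that the low 32 bits of the IPv6 address are free for the embedded IPv4 destination. The classification that relayd leaves to pf.conf(5) is shown here as the `in_mapping_prefix` check:

```python
"""Added example, not relayd's or faithd's code: the two address mappings
the commit describes, worked with Python's ipaddress module.

IPv6 -> IPv4: the target is the last 4 octets (low 32 bits) of the IPv6
destination, as faithd(8) does it.
IPv4 -> IPv6: the target is a configured IPv6 prefix with the 4 octets of
the original IPv4 destination in the low 32 bits.
The prefix and addresses below are constructed (documentation ranges).
"""
import ipaddress

# assumed mapping prefix: a /96 leaves exactly 32 bits for the IPv4 address
FAITH_PREFIX = "2001:db8:ffff::/96"


def ipv6_to_ipv4(dst6: str) -> ipaddress.IPv4Address:
    """Extract the embedded IPv4 host from an IPv6 destination."""
    addr6 = ipaddress.IPv6Address(dst6)
    return ipaddress.IPv4Address(addr6.packed[-4:])   # last 4 of 16 octets


def ipv4_to_ipv6(dst4: str, prefix: str = FAITH_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 destination in the configured IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 96:
        raise ValueError("prefix must leave 32 bits for the IPv4 address")
    addr4 = ipaddress.IPv4Address(dst4)
    # high 96 bits from the prefix, low 32 bits from the IPv4 address
    return ipaddress.IPv6Address(net.network_address.packed[:12] + addr4.packed)


def in_mapping_prefix(dst6: str, prefix: str = FAITH_PREFIX) -> bool:
    """The check pf.conf(5) does for relayd when it classifies traffic:
    only IPv6 destinations inside the mapping prefix are relayed."""
    return ipaddress.IPv6Address(dst6) in ipaddress.IPv6Network(prefix)


def relay_target(dst: str, prefix: str = FAITH_PREFIX) -> str:
    """Pick the direction from the family of the redirected destination."""
    addr = ipaddress.ip_address(dst)
    if addr.version == 6:
        if not in_mapping_prefix(dst, prefix):
            raise ValueError(f"{dst} is outside the mapping prefix {prefix}")
        return str(ipv6_to_ipv4(dst))
    return str(ipv4_to_ipv6(dst, prefix))


if __name__ == "__main__":
    for dst in ("2001:db8:ffff::c000:201", "192.0.2.1"):
        print(dst, "->", relay_target(dst))
```

The prefix check matters: without it, any IPv6 destination that pf redirects to the relay would be turned into an arbitrary IPv4 target taken from its low 32 bits, which is exactly why the commit relies on pf.conf(5) to classify what reaches the relay.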
|
|
|
|
inherit the state from another host with the specified Id; no
additional check will be done for the inheriting host. This helps in
scenarios with lots of IP aliases that all point to the same service
on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
|
relay will connect to the target host with its own ip address, but
this mode will let it use the address of the client that is connecting
from the other side. for example, there is no need to add the
X-Forwarded-For HTTP headers for internal webservers in this mode
anymore since they magically see the remote client ip address in the
connection. it also allows building fully-transparent ssl
encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon)
using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
|
|
|
seconds by default (pf's default is 86400s), they can be cranked with
the "session timeout" directive and it is consistent with relay session
timeouts. also remove the hack to modify the closing timeout because
pf's sloppy state handling is taking care of half connection
closing now.
|
|
where we only see the client side of the TCP session; this removes the
timeout limitations that we had before. document "route to" in the
manpage since it is fully working now.
|
|
to pf route-to instead of the default rdr. it is a first step towards
support for "direct server return" (dsr), an asynchronous mode where
the load balanced servers send the replies to a different gateway like
a l3 switch/router to handle higher amounts of return traffic.
because the state handling in pf isn't optimal for this case yet, it
just sees half of the TCP connection, the sessions are forced to time
out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
|
|
|
expected the keywords "forward timeout". rename it to "session
timeout" and sync the documentation with reality.
|
|
clarification.
From bsd at openbsd dot rutgers dot edu, closes pr5801
ok pyr@
|
|
|
|
also adjust the documentation a little bit to decrease confusion about
the check timeout.
From pyr@
ok deraadt@
|
|
|
|
a SNMP trap when the state of a host changes. relayd(8) will try to
(re-)connect to snmpd(8) and request it to send a trap to the
registered trap receivers, see snmpd.conf(5) for more information
about the configuration.
ok pyr@ thib@
|
|
|
|
- kill useless .Pp
|
|
ok reyk@
|
|
to use "protocol foo" without defining a type).
|
|
the tables will look more like pf tables, it is easier to re-use
tables with different options, "services" will become "redirections"
(they refer to rdr pf rules), sync configuration directives of
redirect (l3, ex-service) and relay (l7) sections (for example "virtual
host" will become "listen on"), all target definitions will start with
"forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt
ok pyr@
|
|
|
|
|
|
error pages and can be used to refer to additional information.
ok pyr@
|
|
|
|
|
|
possible suffix/prefix combinations by stripping subdomains, path
components, and the query args.
ok and tested by gilles@
|
|
- a URL instead of an URL (a "you-are-el")
suggested by jmc@
|
|
it is possible to attach a mark to a session based on matching an
entity (header, url, cookie, ...) and add conditional action for this
mark. it works a bit like the tag/tagged keywords in pf, but i decided
to pick a different name to avoid confusion.
ok pyr@ gilles@
|
|
suffix/prefix expressions like "example.com/index.html?args". a digest
mode allows matching against anonymized SHA1/MD5 digests of
suffix/prefix expressions.
|
|
short form for "filter * from value" or "expect * from value".
|
|
|
|
please update your hoststated.conf configurations. also add more
examples to the manpage.
alright pyr@
|
|
digest string length; it is compatible with any existing SHA1-only
configurations.
ok pyr@ gilles@
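An added example (not hoststated's or relayd's own code) of the URL lookup described across three of the commit messages above: suffix/prefix expressions of the form "example.com/index.html?args", the lookup that tries every combination obtained by stripping subdomains, path components and the query args, and the digest mode in which a configured value is an anonymized SHA1 or MD5 digest, told apart by its hex string length (40 versus 32). The candidate order, the handling of the bare TLD and the filter values are assumptions made for this illustration; the filter list is constructed.

```python
"""Added example, modelled on the commit messages' wording; not the
project's code.

- every host suffix (subdomains stripped one at a time) is combined with
  every path prefix (query args stripped first, then path components);
- a configured value that is 40 or 32 hex characters long is treated as a
  SHA1 or MD5 digest, anything else as a plain suffix/prefix expression.
"""
import hashlib

# digest type inferred from the hex length (40 = SHA1, 32 = MD5); this is
# what lets an older SHA1-only configuration keep working unchanged
DIGEST_ALGO_BY_LEN = {40: "sha1", 32: "md5"}


def host_suffixes(host: str) -> list[str]:
    """'www.example.com' -> ['www.example.com', 'example.com'].
    Never yields the bare TLD; a single-label host yields itself.
    Assumes the host carries no port (not handled in this example)."""
    labels = host.lower().split(".")
    n = max(len(labels) - 1, 1)
    return [".".join(labels[i:]) for i in range(n)]


def path_prefixes(path: str) -> list[str]:
    """'/a/b/c.html?q=1' -> ['/a/b/c.html?q=1', '/a/b/c.html', '/a/b/', '/a/', '/']"""
    out = []
    if "?" in path:
        out.append(path)                  # full path with query args first
        path = path.split("?", 1)[0]
    out.append(path)                      # path without query args
    parts = path.split("/")               # '/a/b/c.html' -> ['', 'a', 'b', 'c.html']
    for i in range(len(parts) - 1, 0, -1):
        prefix = "/".join(parts[:i]) + "/"
        if prefix not in out:
            out.append(prefix)
    return out


def url_candidates(host: str, path: str) -> list[str]:
    """All suffix/prefix expressions to test, most specific first."""
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path)]


def digest_of(expr: str, algo: str) -> str:
    return hashlib.new(algo, expr.encode("utf-8")).hexdigest()


def digest_algo(value: str):
    """'sha1'/'md5' for a configured value that is a hex digest, else None."""
    v = value.lower()
    if v and all(c in "0123456789abcdef" for c in v):
        return DIGEST_ALGO_BY_LEN.get(len(v))
    return None


def lookup(host: str, path: str, values: list[str]):
    """Return (matched candidate, configured value) for the most specific
    hit, or None. Digests are compared in hex, so the configuration never
    has to contain the plaintext URL expression."""
    for cand in url_candidates(host, path):
        for value in values:
            algo = digest_algo(value)
            if algo is None:
                if cand == value:
                    return cand, value
            elif digest_of(cand, algo) == value.lower():
                return cand, value
    return None


if __name__ == "__main__":
    # constructed filter list: one SHA1 digest, one MD5 digest, one plaintext
    flt = [digest_of("example.com/index.html", "sha1"),
           digest_of("example.com/", "md5"),
           "example.org/private/"]
    print(lookup("www.example.com", "/index.html?args", flt))
    print(lookup("a.b.example.org", "/private/data.txt", flt))
    print(lookup("example.net", "/", flt))
```

Note the cost: a host with s labels and a path with p components produces roughly s × p candidates, each of which is hashed once per digest value, so a long filter list is better held in a set keyed by digest than scanned as above.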
|
|
service sections.
ok reyk@
|
|
|
|
meaningful message if an HTTP/HTTPS relay closes the connection for
some reason. for example, a "403 Forbidden" if the request was
rejected by a filter. this will be enabled with the "return error"
option and is disabled by default, the standard behaviour is to
silently drop the connection; the browser may display an empty page in
this case. the look+feel of the HTTP error page can be customized with
a CSS style sheet, but we do not intend to allow customization of the
error page contents (hoststated is not a webserver!).
ok pyr@
|
|
Table specific intervals must be multiples of the global interval.
help and ok reyk@
|
|
|
|
based on the existing hostapd/pfctl code.
ok pyr@
|
|
|
|
|
|
ok pyr@
|
|
header randomization). this adds an infrastructure to support
UDP-based protocols.
ok gilles@, tested by some
|
|
ok pyr@ (who is the first copyright holder)
|
|
Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
|
|
|
|
|
for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout
handling later.
|
|
inherit them from multiple services or relays. this is useful if you
want to use a table with the same list of hosts but different ports as
specified in the relay or service section.
this makes mcbride more happy
ok pyr@
|