TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
reyk@ ok
connections (eg. HTTPS) by using a local CA that is accepted by the
clients. See the "SSL RELAYS" and "EXAMPLES" sections in the
relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and
openssl
tested with old and new time_t
ok florian@
gettimeofday(). It was also bugging me for some time to have all
these checks of gettimeofday()'s return value: it should not fail. So
this diff introduces a void getmonotime(struct timeval *tv) that calls
clock_gettime(CLOCK_MONOTONIC, &ts) and converts the output to a
struct timeval that can be used with the existing code and the
timeval-specific timer functions (timerclear, timersub, ...). It does
not return a status but calls fatal() on error-that-should-not-happen.
ok sthen@ chris@
transfer encoding. This speeds up relayd for more protocol modes
by zero-copy TCP forwarding.
OK reyk@ benno@
logs if they occur when reloading. ok benno@
toread values to track the current http header or chunk state. This
allows handling an optional chunk trailer properly. Tracking the
http state is also a prerequisite for splicing persistent http
connections.
OK and test reyk@ benno@
that gcc then reports when compiling with -DDEBUG=2
ok reyk@ benno@
least-states, random, source-hash. least-states is currently only
supported for redirections and the other ones are currently only
supported by relays.
ok benno@
code for main and backup table all over the place, turn the relay
tables into a list attached to the relay. This improves the code and
allows some other tricks with multiple tables later.
backend servers are unopened and reserve fds for them.
ok reyk@, "don't wait" deraadt@
follow. No functional changes, only one function got renamed.
ok benno@
tested by snapshot users and benno for a while
ok benno
ok giovanni@, henning@
daemons. Light testing by some relayd users; let me know if issues
develop.
the config. Solves a race at startup time where processes can send status
messages about hosts that other processes don't know about yet.
(and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt
solves the problem ok from benno todd
ok pyr@ sthen@
the show sessions handler by implementing it in an asynchronous way.
Closes PR 6509
ok pyr@
daemon infrastructure. The previous design made it fairly hard to
reload the complex data structures, especially relays and protocols.
One of the reasons was that the privsep'd relayd processes had two
ways of getting their configuration: 1) from memory after forking from
the parent process and 2) (partially) via imsgs after reload. The
new implementation first forks the privsep'd children before the
parent loads the configuration and sends it via imsgs to them; so it
is only like 2) before. It is based on an approach that I first
implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@
ok pyr@ dlg@ sthen@
functions that are based on work for iked and smtpd. This simplifies
the setup of privsep processes and moves some redundant and repeated
code to a single place - which is always good from a quality and
security point of view. The relayd version of proc.c is different to
the current version in iked because it uses 1:N communications between
processes, eg. a single parent process is talking to many forked relay
children while iked only needs 1:1 communications.
ok sthen@ pyr@
OK reyk@ claudio@ sthen@
void pointer in struct ctl_relay_event. That way the compiler can
do its job and enforce correct types.
ok pyr@ deraadt@
forwarding for plain tcp connections.
feedback and ok reyk@
ok mikeb@
the needed bits
ok deraadt@, millert@
resource limits to the maximum of the daemon class but the host check
process (hce/health checks) didn't and was limited to a fairly low
default of 128 open sockets (openfiles-cur=128 in login.conf). This
was reached fairly quickly with "check tcp" of many hosts. This diff
increases the maximum number of monitored hosts and concurrent health
checks in relayd in a significant way and may fix issues for people
that have around 100 or more hosts (or fewer hosts with multiple checked
ports).
tested by phessler@
ok jsg@
some cases it is desired to load the rules as "match in" without "quick"
to allow additional filtering or applying additional rule/state options,
eg. to add an overload table for DOS mitigation. Add the optional "match"
keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
Seems reasonable to jsg, ok phessler, no response from reyk or pyr
ibuf, buf_read to ibuf_read, READ_BUF_SIZE to IBUF_READ_SIZE.
ok henning gilles claudio jacekm deraadt
and follows a suggestion in event.h. Also don't mix signal() and
signal_set()/signal_add().
ok jsg@ gilles@
like several other things in the tree.
ok reyk@ looks fine claudio@
elements first (this matches all the other structures). no functional
change.
ok pyr@, jmc@ for man bits
based on health check results, using the existing table syntax. this
allows maintaining multiple (uplink) gateways to implement link
balancing or WAN link failover if no routing protocol or other
keepalive method is available. works fine with or without
net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
another 'struct session' in sys/sysctl.h.
check if the host is only n hops away and not re-routed over a longer
path.
Stop pushing event handling in the imsg framework.
Instead, provide a small glue layer on top of both imsg and libevent.
This finally clearly separates event handling and imsg construction.
Sidetrack bonus: remove the mega-ugly hack of having a dummy imsg_event_add
stub in relayctl.
This will make bgpd (and thus henning) happy. Next up are smtpd and ospfd.
ok eric@
imsg_event_add function to be provided (which ended up being a named
callback).
Instead provide a wrapper in the daemon and call that everywhere.
Previously discussed with the usual suspects,
ok eric@ though not too happy about the function name
(imsg_compose_event).
by not calling log_* or fatal and handle set errno when appropriate.
discussed with a bunch of imsg conscious guys, ok eric@
- use u_int16_t instead of enum imsg_type in imsg function prototypes
requested by reyk@, ok pyr@