path: root/usr.sbin/relayd/relayd.h
Age         Author
            Commit message

2013-09-09  Reyk Floeter
            Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable
            TLS/SSL Perfect Forward Secrecy (PFS). ok djm@

2013-09-07  Federico G. Schwindt
            Change default ciphers to HIGH:!aNULL.
            reyk@ ok

2013-05-30  Reyk Floeter
            Support SSL inspection, the ability to transparently filter in SSL/TLS
            connections (e.g. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details. ok benno@, manpage bits jmc@

2013-04-27  Sebastian Benoit
            time_t 64bit fixes for relayd and relayctl:
            - fix statistics
            - set INT_MAX limit on session timeouts
            - make sure we don't use too large session timeouts in pf redirects and openssl
            tested with old and new time_t ok florian@

2013-03-10  Reyk Floeter
            This diff changes relayd to use the monotonic clock instead of
            gettimeofday(). It was also bugging me for some time to have all these checks of gettimeofday()'s return value: it should not fail. So this diff introduces a void getmonotime(struct timeval *tv) that calls clock_gettime(CLOCK_MONOTONIC, &ts) and converts the output to a struct timeval that can be used with the existing code and the timeval-specific timer functions (timerclear, timersub, ...). It does not return a status but calls fatal() on error-that-should-not-happen. ok sthen@ chris@

2013-03-09  Alexander Bluhm
            Enable TCP socket splicing for HTTP persistent connection and chunked
            transfer encoding. This speeds up relayd for more protocol modes by zero-copy TCP forwarding. OK reyk@ benno@

2013-03-04  Stuart Henderson
            sync yyerror() with bgpd; use vlog() to log parser errors so they show in
            logs if they occur when reloading. ok benno@

2013-02-05  Alexander Bluhm
            Rework http content and chunk handling in relayd. Use special
            toread values to track the current http header or chunk state. This allows handling an optional chunk trailer properly. Tracking the http state is also a prerequisite for splicing persistent http connections. OK and test reyk@ benno@

2012-11-27  Philip Guenthe
            Add format attributes to the proper functions and then fix the warnings
            that gcc then reports when compiling with -DDEBUG=2 ok reyk@ benno@

2012-10-19  Reyk Floeter
            Support additional scheduling algorithms in the load balancer:
            least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays. ok benno@

2012-10-04  Reyk Floeter
            spacing

2012-10-03  Reyk Floeter
            Inherit and pass the relay table flags correctly.

2012-10-03  Reyk Floeter
            Support more than one relay backup table. Instead of duplicating the
            code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.

2012-09-21  Sebastian Benoit
            file descriptor accounting for relays: track how many connections to
            backend servers are unopened and reserve fds for them. ok reyk@, "don't wait" deraadt@

2012-09-20  Reyk Floeter
            Move the HTTP code into an extra file to make future changes easier to
            follow. No functional changes, only one function got renamed. ok benno@

2012-07-09  Theo de Raadt
            Allow relayd to handle transactions > 2GB in size
            tested by snapshot users and benno for a while ok benno

2012-07-09  Theo de Raadt
            need a private copy of nitems()

2012-05-08  Sebastian Benoit
            fix "label string" in http protocol. problem found by giovanni.
            ok giovanni@, henning@

2012-04-11  Theo de Raadt
            Do rate limiting of accept() when under pressure, like in other recent
            daemons. Light testing by some relayd users; let me know if issues develop.

2012-01-21  Camiel Dobbelaar
            Only start the child processes after all of them reported to have loaded
            the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id") ok henning pyr deraadt solves the problem ok from benno todd

2011-09-04  Alexander Bluhm
            KNF, fix white spaces in relayd. No binary change.
            ok pyr@ sthen@

2011-05-26  Reyk Floeter
            Add additional check to prevent running scripts when not configured.

2011-05-26  Reyk Floeter
            fix "check script" by sending all required information to the parent.

2011-05-20  Reyk Floeter
            Concurrent calls of "relayctl show sessions" could crash relayd. Fix
            the show sessions handler by implementing it in an asynchronous way. Closes PR 6509 ok pyr@

2011-05-19  Reyk Floeter
            Fix reload support in relayd(8) by reimplementing large parts of the
            daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code. Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@

2011-05-09  Reyk Floeter
            Reorganize the relayd code to use the proc.c privsep API/commodity
            functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, e.g. a single parent process is talking to many forked relay children while iked only needs 1:1 communications. ok sthen@ pyr@

2011-05-05  Peter Hessler
            Allow a user to specify the route priority
            OK reyk@ claudio@ sthen@

2011-04-24  Alexander Bluhm
            Get rid of casts to struct rsession in relayd by not declaring a
            void pointer in struct ctl_relay_event. That way the compiler can do its job and enforce correct types. ok pyr@ deraadt@

2011-04-12  Reyk Floeter
            update flags and printing of flags in debug mode, handle splicing flag.

2011-04-12  Alexander Bluhm
            Enable socket splicing for relayd. This allows zero-copy data
            forwarding for plain tcp connections. feedback and ok reyk@

2011-04-07  Reyk Floeter
            Add support for divert-to which provides some benefits over rdr-to.
            ok mikeb@

2010-12-31  Philip Guenthe
            Add missing #includes instead of assuming that some system header pulls in
            the needed bits ok deraadt@, millert@

2010-11-30  Reyk Floeter
            The relayd processes did already bump up the socket file descriptor
            resource limits to the maximum of the daemon class but the host check process (hce/health checks) didn't and was limited to a fairly low default of 128 open sockets (openfiles-cur=128 in login.conf). This was reached fairly quickly with "check tcp" of many hosts. This diff increases the maximum number of monitored hosts and concurrent health checks in relayd in a significant way and may fix issues for people that have around 100 or more hosts (or fewer hosts with multiple checked ports). tested by phessler@ ok jsg@

2010-10-26  Reyk Floeter
            redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In
            some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, e.g. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly. ok jsg@ mikeb@

2010-08-01  Stuart Henderson
            Allow fallback tables for relays, not just redirections.
            Seems reasonable to jsg, ok phessler, no response from reyk or pyr

2010-05-26  Nicholas Marriott
            Rename some imsg bits to make namespace collisions less likely: buf to
            ibuf, buf_read to ibuf_read, READ_BUF_SIZE to IBUF_READ_SIZE. ok henning gilles claudio jacekm deraadt

2010-05-14  Reyk Floeter
            allocate all struct event's on the heap, it looks cleaner, feels better
            and follows a suggestion in event.h. also don't mix signal() and signal_set()/signal_add(). ok jsg@ gilles@

2010-05-14  Reyk Floeter
            spacing

2010-01-11  Jonathan Gray
            add "log brief" and "log verbose" to change logging verbosity
            like several other things in the tree. ok reyk@ looks fine claudio@

2009-11-03  Reyk Floeter
            reorder structure elements for struct netroute & router: static config
            elements first (this matches all the other structures). no functional change.

2009-08-17  Reyk Floeter
            also report routers and their host states in relayctl
            ok pyr@, jmc@ for man bits

2009-08-13  Reyk Floeter
            add new 'router' functionality to dynamically add or remove routes
            based on health check results, using the existing table syntax. this allows maintaining multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled. ok pyr@, jmc@ for manpages

2009-08-07  Reyk Floeter
            rename 'struct session' to 'struct rsession' because it conflicts with
            another 'struct session' in sys/sysctl.h.

2009-08-07  Reyk Floeter
            allow modifying the IP TTL value for host checks. this can be used to
            check if the host is only n hops away and not re-routed over a longer path.

2009-08-05  Reyk Floeter
            prevent configuration of relays listening to a single addr:port tuple twice

2009-06-06  Pierre-Yves Ritschard
            Get ready for including imsg.h from a lib, when it comes along.

2009-06-05  Pierre-Yves Ritschard
            4 handed diff with eric:
            Stop pushing event handling in the imsg framework. Instead, provide a small glue layer on top of both imsg and libevent. This finally clearly separates event handling and imsg construction. Sidetrack bonus: remove the mega-ugly hack of having a dummy imsg_event_add stub in relayctl. This will make bgpd (and thus henning) happy. Next up are smtpd and ospfd. ok eric@

2009-06-05  Pierre-Yves Ritschard
            Make imsg completely async model agnostic by not requiring an
            imsg_event_add function to be provided (which ended up being a named callback). Instead provide a wrapper in the daemon and call that everywhere. Previously discussed with the usual suspects, ok eric@ though not too happy about the function name (imsg_compose_event).

2009-06-04  Pierre-Yves Ritschard
            move logging functions out of imsg.h, make imsg.c more library ready
            by not calling log_* or fatal and handle set errno when appropriate. discussed with a bunch of imsg conscious guys, ok eric@

2009-06-04  Eric Faurot
            - move message types enum back to relayd.h
            - use u_int16_t instead of enum imsg_type in imsg function prototypes
            requested by reyk@, ok pyr@