summaryrefslogtreecommitdiff
path: root/usr.sbin/relayd/relayd.h
AgeCommit message (Collapse)Author
2010-12-31Add missing #includes instead of assuming that some system header pulls inPhilip Guenthe
the needed bits ok deraadt@, millert@
2010-11-30The relayd processes did already bump up the socket file descriptorReyk Floeter
resource limits to the maximum of the daemon class but the host check process (hce/health checks) didn't and was limited to a fairly low default of 128 open sockets (openfiles-cur=128 in login.conf). This was reached fairly quickly with "check tcp" of many hosts. This diff increases the maximum number of monitored hosts and concurrent health checks in relayd in a significant way and may fix issues for people that have around 100 or more hosts (or fewer hosts with multiple checked ports). tested by phessler@ ok jsg@
2010-10-26redirects are loaded as "pass in quick ... rdr-to" pf rules by default. InReyk Floeter
some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly. ok jsg@ mikeb@
2010-08-01Allow fallback tables for relays, not just redirections.Stuart Henderson
Seems reasonable to jsg, ok phessler, no response from reyk or pyr
2010-05-26Rename some imsg bits to make namespace collisions less likely buf toNicholas Marriott
ibuf, buf_read to ibuf_read, READ_BUF_SIZE to IBUF_READ_SIZE. ok henning gilles claudio jacekm deraadt
2010-05-14allocate all struct event's on the heap, it looks cleaner, feels betterReyk Floeter
and follows a suggestion in event.h. also don't mix signal() and signal_set()/signal_add(). ok jsg@ gilles@
2010-05-14spacingReyk Floeter
2010-01-11add "log brief" and "log verbose" to change logging verbosityJonathan Gray
like several other things in the tree. ok reyk@ looks fine claudio@
2009-11-03reorder structure elements for struct netroute & router: static configReyk Floeter
elements first (this matches all the other structures). no functional change.
2009-08-17also report routers and their host states in relayctlReyk Floeter
ok pyr@, jmc@ for man bits
2009-08-13add new 'router' functionality to dynamically add or remove routesReyk Floeter
based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled. ok pyr@, jmc@ for manpages
2009-08-07rename 'struct session' to 'struct rsession' because it conflicts withReyk Floeter
another 'struct session' in sys/sysctl.h.
2009-08-07allow to modify the IP TTL value for host checks. this can be used toReyk Floeter
check if the host is only n hops away and not re-routed over a longer path.
2009-08-05prevent configuration of relays listening to a single addr:port tuple twiceReyk Floeter
2009-06-06Get ready for including imsg.h from a lib, when it comes along.Pierre-Yves Ritschard
2009-06-054 handed diff with eric:Pierre-Yves Ritschard
Stop pushing event handling in the imsg framework. Instead, provide a small glue layer on top of both imsg and libevent. This finally clearly separates event handling and imsg construction. Sidetrack bonus: remove the mega-ugly hack of having a dummy imsg_event_add stub in relayctl. This will make bgpd (and thus henning) happy. Next up are smtpd and ospfd. ok eric@
2009-06-05Make imsg completely async model agnostic by not requiring anPierre-Yves Ritschard
imsg_event_add function to be provided (which ended up being a named callback). Instead provide a wrapper in the daemon and call that everywhere. Previsously discussed with the usual suspects, ok eric@ though not too happy about the function name (imsg_compose_event).
2009-06-04move logging functions out of imsg.h, make imsg.c more library readyPierre-Yves Ritschard
by not calling log_* or fatal and handle set errno when appropriate. discussed with a bunch of imsg conscious guys, ok eric@
2009-06-04- move message types enum back to relayd.hEric Faurot
- use u_int16_t instead of enum imsg_type in imsg function prototypes requested by reyk@, ok pyr@
2009-06-04remove unused variableReyk Floeter
2009-06-04Make imsg.c and buffer.c more generic by introducingEric Faurot
imsg.h and a daemon-specific imsg_types.h discussed with and "yes, please" pyr@
2009-06-03change buf_close return type to void.Eric Faurot
that function is not supposed to report anything remotely useful, or fail in any meaningful way. ok pyr@
2009-06-02bring in buf_seek, buf_size and buf_left from bgpdEric Faurot
ok pyr@
2009-06-02constify argument to buf_addEric Faurot
ok pyr@
2009-04-24Allow UDP and/or TCP redirections instead of just TCP.Reyk Floeter
Thanks to Marek Grzybowski for feedback and testing. ok jmc@ (manpage bits)
2009-04-02add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify sslReyk Floeter
server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
2009-04-01Add support for client-side SSL connections from relays. relayd canReyk Floeter
now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course. This was tested by some people a while ago.
2008-12-05change the way relayd reports check results: instead of logging anReyk Floeter
arbitrary string in debugging mode, it will store an error code (HCE_*) for each host. the error code can be translated to a string (in log.c) for debugging but it will also be passed to relayctl via the control socket. from a user point of view, this will print a human-readable error message in the "relayctl show hosts" output if a host is down because the check failed. the relayctl(8) manpage includes detailed explanations of the error messages including mitigations for the most-common problems. ok jmc@ (manpages) ok phessler@
2008-09-29allow to load expect, filter, log, and remove keys from external filesReyk Floeter
just containing on key per line. this allows easier use of URL white/blacklists from external sources.
2008-09-29allow to listen on a port range for redirections. this fixesReyk Floeter
stickyness with web applications that cannot do the clustering on their own and require stickyness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world. Tested and requested by many
2008-08-11better handling of HTTP POSTs or requests with Content-Length.Reyk Floeter
2008-07-22Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired byReyk Floeter
faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd. manpage bits ok jmc@ yes, sounds good todd@
2008-07-19no need for using a TAILQ queue for the host children list, use aReyk Floeter
singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
2008-07-19If the new 'parent' keyword is specified for a host in a table,Reyk Floeter
inherit the state from another host with the specified Id; no additional check will be for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains). discussed with pyr, tested in different setups
2008-07-09Use OpenBSD's knuth shuffle algorithm of random values from bind toReyk Floeter
produce the DNS request ids instead of a simple per-request arc4random(). This ensure randomness but also satisfies the non-repeating property we need. ok deraadt@
2008-07-09also set the protocol, either TCP or UDP, in the NAT lookup. thisReyk Floeter
unbreaks NAT lookups with UDP; tested as a transparent DNS relay.
2008-07-09update the relay dns code to open a new udp socket to send theReyk Floeter
forwarded dns request to the server instead of sending from the server socket. this will fix the limitation the the dns relay had to listen to the "0.0.0.0" address, and will also enable relayd to use the udp source port randomization. relayd will know randomize the source port (on OpenBSD) and DNS request identifier for the clients behind it. ok pyr@
2008-06-11add support for "transparent" forwarding in relays: normally the l7Reyk Floeter
relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things... based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8) ok markus@ pyr@
2008-05-08move the session keys used by dns in a protocol-specific private ptr.Reyk Floeter
2008-05-07add an alternative "route to" mode to relayd redirections which mapsReyk Floeter
to pf route-to instead of the default rdr. it is a first steps towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after fixed number of seconds. discussed with many, thought about in the onsen
2008-05-06Do not unconditionnaly load pf. If pf isn't required by the configurationPierre-Yves Ritschard
the initialisation isn't done properly.
2008-02-13bump copyrightReyk Floeter
2008-02-13stylistic change: move code to add protonodes from the BNF intoReyk Floeter
seperate functions in relayd.c (protonode_add/protonode_header). this code got to big to look nice in the BNF statements...
2008-02-11Marry relayd with snmpd using new "send trap" option: Request to sendReyk Floeter
a SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration. ok pyr@ thib@
2008-02-04Move some prototypes from relay.c to relayd.h and remove there externsThordur I. Bjornsson
in other places; ok reyk@
2008-02-04Move the declaration of DPRINTF from relay.c too relayd.h so it can beThordur I. Bjornsson
reused; ok reyk@
2008-02-04declare se_relay as pointer to a struct relay not as a void pointer;Thordur I. Bjornsson
shuffle the forward decleration of struct relay around too accommodate this change; ok reyk@
2008-01-31add prefixes to names of structure elements to make it easier to grepThordur I. Bjornsson
for code, next struct session; ok reyk@;
2008-01-31add prefixes to names of structure elements to make it easier to grepReyk Floeter
for code, next struct relay. knf long line fixes will follow later. ok thib@
2008-01-31add prefixes to names of structure elements to make it easier to grepReyk Floeter
for code, start with struct relayd. finally. ok thib@