|
This feature has been requested many times over the years. Various patches
were provided by Asherah Connor, Rivo Nurges, Markus Läll and maybe others.
These patches always stalled for various reasons.
From Sören Tempel, mostly based on Asherah's latest patch.
ok florian tb
|
|
|
|
pf's rule names are limited to 32 characters, so lower the length bounds
for redirect names and tags that relayd accepts as valid config but would
later fail to load into pf. Also display the offending name on error.
from Mark Johnston
ok florian
|
|
the option to set corresponding `log` action in pf(4) rules it generates
to handle network traffic.
The patch comes from Giannis Kapetanakis (bilias _from_ edu.physics.uoc.gr).
OK sashan@
|
|
|
|
it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl
initialize themselves automatically before doing anything.
ok tb
|
|
mix of types used in these functions makes this rather hard.
The expected data checks are still not great but a step in the right
direction.
OK tb@
|
|
Only has one return value and it's never checked.
ok martijn@, tb@
|
|
"%s". Same for the output of relay_expand_http().
with and ok claudio@
Found by Cedric Tessier, thanks!
|
|
These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separately from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and no longer exposes the
TAILQ structures to other compilation units.
ok bluhm@, tb@
|
|
path. These have to be dropped or every subsequent call will cause decrypt
errors. Use a sequence number cookie to keep the systems in sync.
Diff from niklas@ with some minor adjustments by myself.
|
|
no objection claudio@
ok tb@ jsing@
|
|
to privsep_procid.
ok mortimer
|
|
Feedback by Olivier Cherrier, Hiltjo Posthuma, Mischa
OK benno@
|
|
to add new objects easier if so desired and should handle a lot more
corner-cases.
This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to
OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the
sin{,6}_addr resulting in garbage data to be put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while
OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky
index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT
should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend
on adding it soon(tm). It also deprecates the snmp keyword in favour of
an agentx keyword. The snmp keyword is still available, but will be
removed in the future.
Tweaks and OK denis@ on the relayd parts
Tweaks and OK claudio@ on the agentx parts
"Get it in" deraadt@
|
|
with the help from tb@ jsing@; ok tb@
|
|
benno@ and reky@. Man page tweaks from jmc@.
ok benno@
|
|
Many thanks to Bruno Flueckiger who independently sent a very similar
patch. He also tested that the one I'm committing works as
expected.
OK tb@
|
|
Tested by many (thanks!)
Feedback & OK rob@
|
|
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
|
Pass the *env as an explicit argument instead of using the global
pointer: The relay_load_certfiles() function is called early before
the *env is set up. This does not change anything in the current code
as *env is not used by anything in the function (not even
ssl_load_key() that is taking it as an argument) but it will be needed
by upcoming changes for SNI.
Ok rob@
|
|
OK bentley@ mikeb@
|
|
For example,
pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
|
- Don't expect the Connection header to equal Upgrade; it may include Upgrade
- Reshuffle the code to check the Upgrade/Connection headers in one place
Reported and tested by Rivo Nurges
OK and input from benno@
|
|
option 'http { [no] websockets }' to allow such connections (default
is no). Original diff from Daniel Lamando (dan AT danopia DOT net),
option and header checks by me. suggestions and ok bluhm@ and earlier
diff claudio@
|
|
proc_init(). As a consequence httpd(8) and relayd(8) child processes
did not detach from the terminal anymore. Dup /dev/null to the
stdio file descriptors in the children.
OK benno@
|
|
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or
all checks.
The third option controls logging of connections in relay mode:
Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections
will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
|
to 1024 sessions per process (esp. with keep-alive). Now the fd limit is
the new maximum and relayd will make sure to not accept too many sessions.
The tcp backlog config maximum is now 512, adjust manpage accordingly.
OK benno@ deraadt@
|
|
|
|
Currently this is only used by relay_close() but will be needed in near
future.
OK benno@
|
|
For this we need to add an additional pointer to the ctl_relay_event.
Diff from Petri Mikkila (pmikkila at gmail)
OK benno@
|
|
This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default.
The code now uses tls_config_set_ecdhecurves(3), so it is now possible to
specify multiple curves. If people specified curves in their config
they need to adjust their config now.
OK beck@
|
|
the ca file (having all the trusted certs in them) can be so big that loading
via imsg fails.
OK beck@
|
|
ok bluhm@, >8k makes sense claudio@
|
|
Check whether TLS server object is available before using it. With
these fixes the ssl inspect regress test just fails and does not
crash relayd.
OK claudio@
|
|
needs revisiting. From Rivo Nurges, thanks.
ok florian@
|
|
engine but at least we can use a sane API for new features.
Going in now so it is possible to work with this in tree.
General agreement at d2k17.
|
|
It is rarely needed and imposes a light DoS risk. LibreSSL's libssl
allows turning it off with a simple SSL_OP_NO_CLIENT_RENEGOTIATION
option instead of the complicated implementation that was used before.
It now turns it off completely instead of allowing one initial
client-initiated renegotiation.
It can still be enabled with "tls client-renegotiation".
ok benno@ beck@ jsing@
|
|
where it is used.
Currently pf is opened on every reload, that will no longer be
possible in the future with pledged programs that do ioctls.
This prepares relayd for that change.
ok deraadt@, fine by me reyk@
|
|
This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().
Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
|
startup, for a short time, so we needed a rlimit hack in relayd.c.
Sync the fix from httpd: rzalamena@ has fixed proc.c and I added the
proc_flush_imsg() mechanism that makes sure that each fd is
immediately closed after forwarding it to a child process instead of
queueing it up.
OK rzalamena@ jca@ benno@
|
|
OK rzalamena@
|
|
|
|
variable and limit it from 128 to 32 instances (the old value).
While here, move a few PROC_ defines around.
OK rzalamena@
|
|
for httpd with some (current and previous) changes for relayd. Once
again, both daemons now share the same proc.c where most of the
privsep "magic" happens.
OK benno@ rzalamena@
|
|
snmp subsystem until the configuration is done.
OK benno@ claudio@
|
|
relayd_config". This way we can send all the relevant global
configuration to the children, not just the flags and the opts.
With input from and
OK claudio@ benno@
|
|
OK benno@ rzalamena@
|
|
or killing child processes. - Based on rzalamena@'s diff for httpd.
OK deraadt@ rzalamena@
|
|
nature of relayd) to tls session tickets to do TLS session resumption.
TLS session tickets do not need to store SSL session data in the server but
instead send an encrypted ticket to the clients that allows the session to
be resumed. This is mostly stateless (apart from the encryption keys).
relayd now ensures that all relay processes use the same key to encrypt
the tickets. Keys are rotated every 2h and there is a primary and backup key.
The tls session timeout is set to 2h to hint to the clients how long the
session ticket is supposed to be alive.
Input and OK benno@, reyk@
|