Age | Commit message | Author |
|
produce the DNS request ids instead of a simple per-request
arc4random(). This ensures randomness but also satisfies the
non-repeating property we need.
ok deraadt@
|
|
unbreaks NAT lookups with UDP; tested as a transparent DNS relay.
|
|
forwarded dns request to the server instead of sending from the server
socket. this will fix the limitation that the dns relay had to listen
to the "0.0.0.0" address, and will also enable relayd to use the udp
source port randomization. relayd will now randomize the source port
(on OpenBSD) and DNS request identifier for the clients behind it.
ok pyr@
|
|
relay will connect to the target host with its own ip address, but
this mode will let it use the address of the client that is connecting
from the other side. for example, there is no need to add the
X-Forwarded-For HTTP headers for internal webservers in this mode
anymore since they magically see the remote client ip address in the
connection. it also allows building fully-transparent ssl
encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon)
using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
|
|
|
to pf route-to instead of the default rdr. it is a first step towards
support for "direct server return" (dsr), an asynchronous mode where
the load balanced servers send the replies to a different gateway like
a l3 switch/router to handle higher amounts of return traffic.
because the state handling in pf isn't optimal for this case yet, it
just sees half of the TCP connection, the sessions are forced to time
out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
|
the initialisation isn't done properly.
|
|
|
|
separate functions in relayd.c (protonode_add/protonode_header). this
code got too big to look nice in the BNF statements...
|
|
a SNMP trap when the state of a host changes. relayd(8) will try to
(re-)connect to snmpd(8) and request it to send a trap to the
registered trap receivers, see snmpd.conf(5) for more information
about the configuration.
ok pyr@ thib@
|
|
in other places;
ok reyk@
|
|
reused;
ok reyk@
|
|
shuffle the forward declaration of struct relay around to accommodate
this change;
ok reyk@
|
|
for code, next struct session;
ok reyk@;
|
|
for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
|
for code, start with struct relayd. finally.
ok thib@
|
|
for relays. they can be viewed with the new "relayctl show redirects"
command.
(uses the previous change to pf_table.c to get the statistics)
looks good pyr@
|
|
(for instance: rename struct service to struct rdr), refer to redirects
otherwise (hoststatectl output).
ok reyk@
|
|
the tables will look more like pf tables, it is easier to re-use
tables with different options, "services" will become "redirections"
(they refer to rdr pf rules), sync configuration directives of
redirect (l3, ex-service) relay (l7) sections (for example "virtual
host" will become "listen on"), all target definitions will start with
"forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt
ok pyr@
|
|
what the daemon does - it is a relayer that pays attention to the status
of pools of hosts; not a status checker that happens to do some relaying
|
|
error pages and can be used to refer to additional information.
ok pyr@
|
|
possible suffix/prefix combinations by stripping subdomains, path
components, and the query args.
ok and tested by gilles@
|
|
it is possible to attach a mark to a session based on matching an
entity (header, url, cookie, ...) and add conditional action for this
mark. it works a bit like the tag/tagged keywords in pf, but i decided
to pick a different name to avoid confusion.
ok pyr@ gilles@
|
|
|
|
table are down.
Thanks to Preston Norvell at serialssolutions dot com for reporting
the problem.
|
|
suffix/prefix expressions like "example.com/index.html?args". a digest
mode allows matching against anonymized SHA1/MD5 digests of
suffix/prefix expressions.
|
|
|
|
|
|
please update your hoststated.conf configurations. also add more
examples to the manpage.
alright pyr@
|
|
digest string length; it is compatible with any existing SHA1-only
configurations.
ok pyr@ gilles@
|
|
meaningful message if an HTTP/HTTPS relay closes the connection for
some reason. for example, a "403 Forbidden" if the request was
rejected by a filter. this will be enabled with the "return error"
option and is disabled by default, the standard behaviour is to
silently drop the connection; the browser may display an empty page in
this case. the look+feel of the HTTP error page can be customized with
a CSS style sheet, but we do not intend to allow customization of the
error page contents (hoststated is not a webserver!).
ok pyr@
|
|
Table specific intervals must be multiples of the global interval.
help and ok reyk@
|
|
ok reyk@
|
|
- allow a key to be used multiple times by appending a queue of
additional matches to the tree node. for example, this allows
specifying multiple "expect" or "filter" actions to white-/black-list
a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the
expect action.
- minor code shuffling
|
|
|
|
this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
|
This syncs it with other hoststated entities and will make reload easier.
This is step 1 out of 7 for reload.
|
|
Especially useful when interval is rather long.
I was supposed to commit this before 4.2.
|
|
ok pyr@
|
|
|
|
|
|
instead move some of the logic in yylex and do hoststated specific
translations into hoststated.c
ok gilles@
|
|
|
|
The fd based code introduced weirdness since all children were accessing
the same fd at once. This will also greatly facilitate reloading, no
fd-passing will be involved between the parent and relay children.
While there, cleanup the code diverting from the original ssl_rsa.c code
a bit more.
Weird behavior discovery by pascoe@.
|
|
equivalent openssl functions.
|
|
already chrooted and with privileges dropped.
This is the very first step in being able to reload a
layer 7 configuration.
not ok reyk who's away but should be glad to see this in.
|
|
header randomization). this adds an infrastructure to support
UDP-based protocols.
ok gilles@, tested by some
|
|
|