| Age | Commit message (Collapse) | Author |
|---|
|
promote the field to u_int32_t.
no impact on hoststatectl.
|
|
needed for layer 7 reload support.
ok pyr@
|
|
split the code to start the event loop in two functions.
introduce merge_config which will be used later on.
|
|
forward IMSG_CTL_RELOAD which ends up not doing anything for now.
|
|
|
|
for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout
handling later.
|
|
this will make it easier to send the struct over the socket.
|
|
this time around, include hoststatectl changes too.
|
|
allow purging of parts of the hoststated environment structure.
start using this function now to only keep vital information in
hoststated children processes.
ok reyk@
|
|
|
|
First split out hosts, tables and services into to structs, one that
contains the runtime fields and one (inside the runtime) that contains
mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as its
just a boolean.
ok reyk@
|
|
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advise and ok reyk@
|
|
ok pyr@
|
|
will need it later.
|
|
optional connection "retry" to the forward to, service, and nat lookup
options. for example, "nat lookup retry 3" is useful when running
hoststated as a transparent proxy when connecting to unreliable
frontend/backend servers.
ok pyr@
|
|
|
|
support the Generalized TTL Security Mechanism (GTSM) according to RFC
3682. this is especially useful with inbound connections and a fixed
distance to the backend servers.
ok pyr@
|
|
since we have a tristate in relay_handle_http(), use nicer return
codes defined to make it better readble (no function change).
|
|
actions on response headers (the reply sent by backend HTTP servers).
the default and slightly faster relay streaming mode will be used if
no actions are defined.
for example:
response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
|
|
|
|
|
connections. the relay will retry to connect to the hosts for the
specified number of times. this sounds bad, but is a useful
"workaround" for unreliable backend servers...
|
|
|
|
|
|
suggested by dlg@
|
|
(as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the
backlog as a per-protocol tcp option to improve the performance
on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the
sessions in relay_close() after they have been _finished_.
this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful
to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (by some
reason, i didn't realize that we already have 2007...).
|
|
|
|
|
|
loadbalancing, SSL acceleration, general-purpose TCP relaying, and
transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for
details.
ok to commit deraadt@ pyr@
|
|
notifications after completed host checks. either only log the
"updates" to new states or log "all" state notifications, even if the
state didn't change. the log messages will be reported to syslog or to
stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
|
ospfd(8) (can be re-imported later if required).
|
|
bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
|
in check_tcp.c, prototype them in check_tcp.c
ok reyk@
|
|
|
|
ok reyk@
|
|
hoststated.
ok reyk@, "looks nice and clean" niallo@
|
|
with help and OK reyk@
with help and advice by claudio@ and Srebrenko Sehic
|
|
ok reyk@
|
|
ok claudio@, reyk@
|
|
usage. also modify the check_icmp code to use non-blocking raw sockets
and merge the icmp4 and icmp6 functions. some other minor changes
while i'm here.
as discussed with pyr@ claudio@ deraadt@
ok pyr@
|
|
Note to testers: the user the daemon changes its id to is now _hoststated,
don't forget to update master.passwd.
ok reyk@
|
|
(this code needs some more work to implement a better icmp handling,
but this will fix a serious bug for now)
|
|
and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface
using shell globbing rules instead. this allows simple patterns like
"220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
|
figured this out while testing hostated against a stottering spamd
where the send/expect timeout needs be > 10 seconds). also use another
struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
|
regex(3)). this allows to define additional checks for other TCP
protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
|
|
|
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
|
|
|
seconds (tv_sec) and microseconds (tv_usec), but the code assumed
seconds and milliseconds...
|
|
instead of nested select() calls and to handle the non-blocking
sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
(with a little help by me)
|
