| Age | Commit message (Collapse) | Author |
|---|
|
|
|
produce the DNS request ids instead of a simple per-request
arc4random(). This ensure randomness but also satisfies the
non-repeating property we need.
ok deraadt@
|
|
unbreaks NAT lookups with UDP; tested as a transparent DNS relay.
|
|
|
|
forwarded dns request to the server instead of sending from the server
socket. this will fix the limitation the the dns relay had to listen
to the "0.0.0.0" address, and will also enable relayd to use the udp
source port randomization. relayd will know randomize the source port
(on OpenBSD) and DNS request identifier for the clients behind it.
ok pyr@
|
|
relay will connect to the target host with its own ip address, but
this mode will let it use the address of the client that is connecting
from the other side. for example, there is no need to add the
X-Forwarded-For HTTP headers for internal webservers in this mode
anymore since they magically see the remote client ip address in the
connection. it also allows to build fully-transparent ssl
encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon)
using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
|
|
|
seconds by default (pf's default is 86400s), they can be cranked with
the "session timeout" directive and it is consistent to relay session
timeouts. also remove the hack to modify the closing timeout because
pf's sloppy state handling is taking care about half connection
closing now.
|
|
where we only see the client side of the TCP session; this removes the
timeout limitations that we had before. document "route to" in the
manpage since it is fully working now.
|
|
list even after being sent successfully. this has imsg_get_fd()
keep returning the first fd. no impact in relayd.
"go for it" pyr@, "yeah someone screwed up in the copy" henning@
|
|
ok (some time ago) jmc@
|
|
disadvantage of removing valid src nodes, but the advantage of not sending
out traffic to hosts that are not up anymore.
From a diff by <mkoc@prime.pl>, ok reyk@
|
|
option parsing. Found out the hard way by jdixon on ifstated.
ok sobrado@, jdixon@, millert@
|
|
|
|
loadbalance after the grammar change. make it round-robin again.
|
|
to pf route-to instead of the default rdr. it is a first steps towards
support for "direct server return" (dsr), an asynchronous mode where
the load balanced servers send the replies to a different gateway like
a l3 switch/router to handle higher amounts of return traffic.
because the state handling in pf isn't optimal for this case yet, it
just sees half of the TCP connection, the sessions are forced to time
out after fixed number of seconds.
discussed with many, thought about in the onsen
|
|
|
|
expected the keywords "forward timeout". rename it to "session
timeout" and sync the documentation with reality.
|
|
clarification.
From bsd at openbsd dot rutgers dot edu, closes pr5801
ok pyr@
|
|
|
|
requiring configuration to a pf requiring one.
ok reyk@
|
|
the initialisation isn't done properly.
|
|
|
|
way and didn't show since our read buffers are small.
``put it in'' reyk@
|
|
each cmsg_len (ie. msg_controllen = sum of CMSG_ALIGN(cmsg_len). This
works now that kernel fd passing has been fixed to accept a bit of
sloppiness because of this ABI repair.
lots of discussion with kettenis
|
|
|
|
|
|
descriptors; ok hshoexer, also looked at by kettenis and henning
|
|
CMSG_SIZE(sizeof(int)), not sizeof(buffer) which may be larger because
of alignment; ok kettenis hshoexer
|
|
an extensive discussion with otto, kettenis, millert, and hshoexer
|
|
|
|
|
|
also adjust the documentation a little bit to decrease confusion about
the check timeout.
From pyr@
ok deraadt@
|
|
From Armin Wolfermann
ok pyr@ deraadt@
|
|
is assigned a random value for and id in relay_udp_server before where
the SPLAY_INSERT is performed, se_outkey is set to the return id rather
than the rl_dskkey. The relay_dns_request which occurs after the
SPLAY_INSERT no longer updates se_outkey, or se_key. The request is sent
using the random value already placed into the se_key when the session
is created.
From Nigel Taylor
ok pyr@ deraadt@
|
|
the tree lookups in some cases.
From Nigel Taylor
ok pyr@ deraadt@
|
|
I got fooled by patch(1). Sorry.
|
|
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
|
|
|
|
|
seperate functions in relayd.c (protonode_add/protonode_header). this
code got to big to look nice in the BNF statements...
|
|
|
|
Thanks to Nigel Taylor
|
|
a SNMP trap when the state of a host changes. relayd(8) will try to
(re-)connect to snmpd(8) and request it to send a trap to the
registered trap receivers, see snmpd.conf(5) for more information
about the configuration.
ok pyr@ thib@
|
|
was forgotten.
|
|
in other places;
ok reyk@
|
|
reused;
ok reyk@
|
|
shuffle the forward decleration of struct relay around too accommodate
this change;
ok reyk@
|
|
for code, next struct session;
ok reyk@;
|
|
for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
