| Age | Commit message (Collapse) | Author |
|---|
|
instead of flushing the complete source tracking table (sticky
addresses) in pf on host state changes, just flush the entries for
hosts that have been marked as down in the relayd table. this fixes
ugly problems with users loosing their sessions if another host or
redirection was going down.
ok cloder@
|
|
spotted by phessler@
|
|
arbitrary string in debugging mode, it will store an error code
(HCE_*) for each host. the error code can be translated to a string
(in log.c) for debugging but it will also be passed to relayctl via
the control socket.
from a user point of view, this will print a human-readable error
message in the "relayctl show hosts" output if a host is down because
the check failed. the relayctl(8) manpage includes detailed
explanations of the error messages including mitigations for the
most-common problems.
ok jmc@ (manpages)
ok phessler@
|
|
- log table changes in sync_table() if "log updates" is enabled.
before we only logged these changes in debug mode when running relayd
in foreground.
- type in a log message
|
|
ok espie, jmc
|
|
|
|
|
|
Use unsigned int for msg_iovlen.
ok henning@ claudio@
|
|
|
|
URL filter category etc.)
|
|
|
|
appear in URLs (eg. /index.html#anchor), so only allow full-line
comments indicated by a hash mark # at the beginning of a line.
|
|
just containing on key per line. this allows easier use of URL
white/blacklists from external sources.
|
|
|
|
stickyness with web applications that cannot do the clustering on
their own and require stickyness with HTTP to HTTPS migration. this
is required in many cases; it is a true fact that we cannot always fix
the backend application in the real world.
Tested and requested by many
|
|
ok pyr@
|
|
|
|
|
|
|
|
|
|
abort the session if we get an empty line except of the expected chunk
header.
|
|
|
|
|
|
nor chunked encoding. We don't know the length of the HTTP body in
this case, so it only works for single-pass HTTP responses without
subsequent HTTP response headers in the stream. You can still enforce
the Content-Length header with an "expect" rule.
For example, this fixes response handling from undeadly.org (thttpd)
if relayd is running as a transparent HTTP proxy.
|
|
OK reyk@
|
|
|
|
|
|
faithd(8) by doing a similar mapping of IPv4/6 addresses with
relayd(8) and pf(4) redirections without the need of the faith(4)
interface. The trick works in both directions, it can accept IPv6
connections and relay them to IPv4 hosts by extracting the last 4
octets from the IPv6 destination (like faithd(8)), and it can accept
IPv4 connections and relay them to IPv6 hosts by prepending the 4
octets of the original IPv4 destination to a configured IPv6 prefix.
An access list is not needed because the classification is done in
pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@
yes, sounds good todd@
|
|
|
|
singly-linked SLIST instead. the only noticeable change is the
reversed order to notify the children but it does not really matter
here. also only walk through the children host list if the host
itself is a potential parent.
|
|
inherit the state from another host with the specified Id; no
additional check will be for the inheriting host. This helps in
scenarios with lots of IP aliases that all point to the same service
on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
|
|
|
TAILQ_INSERT_HEAD. now tables and relays are also matching the order
in the config file.
ok pyr@
|
|
file. ok pyr@
|
|
counting at 1 and do not assign an id before inheriting a real table.
makes more sense in the relayctl output.
ok pyr@
|
|
inet_pton/inet_ntop to allow specifing and printing the IPv6 scope
identifier. synced host_v6() with ntpd's version to use getaddrinfo()
instead of inet_pton() - host_v4, host_v6, and host_dns could all use
getaddrinfo in a single function by specifing different flags but this
would diverge from the other daemons using this common interface so we
keep this little overhead.
discussed with henning@
ok pyr@
|
|
if it does.
|
|
doing a nat lookup. this fixes nat lookups when the relay is
listening to a wildcard IPv4/IPv6 address (like 0.0.0.0 or ::).
|
|
with ipv6.
|
|
|
|
produce the DNS request ids instead of a simple per-request
arc4random(). This ensure randomness but also satisfies the
non-repeating property we need.
ok deraadt@
|
|
unbreaks NAT lookups with UDP; tested as a transparent DNS relay.
|
|
|
|
forwarded dns request to the server instead of sending from the server
socket. this will fix the limitation the the dns relay had to listen
to the "0.0.0.0" address, and will also enable relayd to use the udp
source port randomization. relayd will know randomize the source port
(on OpenBSD) and DNS request identifier for the clients behind it.
ok pyr@
|
|
relay will connect to the target host with its own ip address, but
this mode will let it use the address of the client that is connecting
from the other side. for example, there is no need to add the
X-Forwarded-For HTTP headers for internal webservers in this mode
anymore since they magically see the remote client ip address in the
connection. it also allows to build fully-transparent ssl
encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon)
using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
|
|
|
seconds by default (pf's default is 86400s), they can be cranked with
the "session timeout" directive and it is consistent to relay session
timeouts. also remove the hack to modify the closing timeout because
pf's sloppy state handling is taking care about half connection
closing now.
|
|
where we only see the client side of the TCP session; this removes the
timeout limitations that we had before. document "route to" in the
manpage since it is fully working now.
|
|
list even after being sent successfully. this has imsg_get_fd()
keep returning the first fd. no impact in relayd.
"go for it" pyr@, "yeah someone screwed up in the copy" henning@
|
|
ok (some time ago) jmc@
|
