path: root/usr.sbin/relayd
Age / Author / Commit message

2011-09-21  Alexander Bluhm
During socket splicing the relayd session timeouts could not be measured exactly in user land.
Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb

2011-09-16  Alexander Bluhm
If a user configures logging explicitly in relayd.conf, do it regardless of debugging mode and compile switch. ok sthen@

2011-09-04  Alexander Bluhm
KNF, fix white spaces in relayd. No binary change.
ok pyr@ sthen@

2011-09-04  Alexander Bluhm
Especially with SSL and short data transfers, it could happen that the client closed before the connection to the server has been established. Then the relay closed immediately before transferring any data. The solution is to delay the close until the other side has an event buffer. ok sthen@

2011-09-04  Alexander Bluhm
The relayd used the CHECK_TIMEOUT for connect and ssl handshake. This is 200 milliseconds and too short. Instead use the 600 seconds session timeout that is used for accepted sessions everywhere else. While there, make flag handling in relay_ssl_transaction() consistent with the other functions. tested and ok sthen@

2011-06-24  Jason McIntyre
seven main sections here, not six; from Nils Anspach
in the long term, i guess we should avoid documenting the number of sections, since it's meaningless and is always in danger of going out of date...

2011-06-23  Stuart Henderson
Use a common text explaining how the various configuration parsers using the standard OpenBSD-style parse.y handle continuing lines with backslashes, paying particular attention to how comments are handled (which can cause nasty side-effects if you're not expecting it). Most wording from jmc@, with suggestions from fgsch@, marc@, Richard Toohey, patrick keshishian and Florian Obser, ok jmc@.

2011-06-17  Jonathan Gray
don't leak fds in failure path (i.e. when hosts are down)
from Martin Matuska in PR 6624 ok phessler@

2011-05-26  Reyk Floeter
Add additional check to prevent running scripts when not configured.

2011-05-26  Reyk Floeter
fix "check script" by sending all required information to the parent.

2011-05-23  Reyk Floeter
Support interface groups in address specifications for tables or directives like "listen on egress". Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.

2011-05-20  Reyk Floeter
Concurrent calls of "relayctl show sessions" could crash relayd. Fix the show sessions handler by implementing it in an asynchronous way. Closes PR 6509 ok pyr@

2011-05-19  Reyk Floeter
Add a few missing checks of return values of memory allocations.

2011-05-19  Reyk Floeter
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code. Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@

2011-05-09  Reyk Floeter
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, e.g. a single parent process is talking to many forked relay children while iked only needs 1:1 communications. ok sthen@ pyr@

2011-05-09  Reyk Floeter
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, e.g. a single parent process is talking to many forked relay children while iked only needs 1:1 communications. ok sthen@ pyr@

2011-05-05  Reyk Floeter
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...

2011-05-05  Peter Hessler
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@

2011-04-30  Stuart Henderson
no need to escape |, pointed out by jmc@
"it's worth killing, if just to stop it being copied all over the place"

2011-04-24  Alexander Bluhm
Get rid of casts to struct rsession in relayd by not declaring a void pointer in struct ctl_relay_event. That way the compiler can do its job and enforce correct types. ok pyr@ deraadt@

2011-04-12  Reyk Floeter
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.

2011-04-12  Reyk Floeter
update flags and printing of flags in debug mode, handle splicing flag.

2011-04-12  Alexander Bluhm
Enable socket splicing for relayd. This allows zero-copy data forwarding for plain tcp connections. feedback and ok reyk@

2011-04-07  Jason McIntyre
tweak previous;

2011-04-07  Reyk Floeter
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@

2011-03-12  Alexander Bluhm
Fix previous commit. When data arrives from the client before the server connection is set up, do not enable read events for the other side.

2011-03-12  Alexander Bluhm
A connection that is constantly sending data uni-directionally from the client to the server always triggered the session timeout. The reason for this behavior was that any read event reset the client side timeout. A read event on one side must reset the timeout for the other side instead. ok deraadt@

2011-02-28  Stuart Henderson
If 'check script' doesn't exit(), treat the service as 'down' rather than 'unknown'. Fixes a problem where the script is killed due to expiry of the interval timer. ok pyr@ deraadt@

2011-02-13  Okan Demirmen
fix from pr 6314: allow debug logging before daemonization to help identify configuration issues. ok sthen@ pyr@

2011-02-08  Stuart Henderson
Log the time taken for all types of check, not just tcp checks.
ok pyr@

2010-12-31  Philip Guenther
Add missing #includes instead of assuming that some system header pulls in the needed bits. ok deraadt@, millert@

2010-12-20  David Hill
Only set SO_REUSEPORT for listening ports.
Fixes "Address already in use" errors seen on high load. OK reyk@ pyr@

2010-11-30  Reyk Floeter
The returned SSL_METHOD of SSLv23_server_method()/SSLv23_client_method() is const now, adjust the variable and silence a compiler warning.

2010-11-30  Reyk Floeter
The relayd processes did already bump up the socket file descriptor resource limits to the maximum of the daemon class but the host check process (hce/health checks) didn't and was limited to a fairly low default of 128 open sockets (openfiles-cur=128 in login.conf). This was reached fairly quickly with "check tcp" of many hosts. This diff increases the maximum number of monitored hosts and concurrent health checks in relayd in a significant way and may fix issues for people that have around 100 or more hosts (or fewer hosts with multiple checked ports). tested by phessler@ ok jsg@

2010-11-24  Jonathan Gray
When disabling and enabling tables set the number of hosts that are up to zero; this is consistent with pfe and makes other parts of the code better behaved. From Patrik Lundin. ok reyk@

2010-11-16  Jonathan Gray
Add support for enable/disable table when using relays instead of redirects.
From Patrik Lundin and Linus Widstromer. ok reyk@

2010-10-26  Jason McIntyre
no need for .Pp before lists;

2010-10-26  Reyk Floeter
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, e.g. to add an overload table for DoS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly. ok jsg@ mikeb@

2010-10-18  Stuart Henderson
Missing semicolon, ok henning@

2010-10-12  David Hill
Plug a significant memory leak when using SSL.
ok claudio@, jsg@, phessler@

2010-09-02  Igor Sobrado
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me). ok sthen@; "just commit it" claudio@

2010-08-26  Marco Peereboom
stray spaces, no binary change

2010-08-07  Claudio Jeker
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt

2010-08-03  Henning Brauer
fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432; applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?

2010-08-01  Stuart Henderson
Allow fallback tables for relays, not just redirections.
Seems reasonable to jsg, ok phessler, no response from reyk or pyr

2010-05-26  Nicholas Marriott
Move imsg into libutil and add a man page.
Minor bump for libutil. Previous versions of this diff and man page looked at by various people. "you should just commit" deraadt

2010-05-26  Nicholas Marriott
Rename some imsg bits to make namespace collisions less likely: buf to ibuf, buf_read to ibuf_read, READ_BUF_SIZE to IBUF_READ_SIZE. ok henning gilles claudio jacekm deraadt

2010-05-24  Jason McIntyre
now that we can handle >9 args, put "-D name=value" on one line: it's a bit more readable, and fixes a spacing bug we had in smtpd.8;

2010-05-18  Igor Sobrado
use the right capitalization for "HyperText Transfer Protocol (HTTP)" and "server". fixes for bgplg(8) and relayd.conf(5) suggested by jmc@, good catch! ok jmc@

2010-05-14  Reyk Floeter
allocate all struct event's on the heap, it looks cleaner, feels better and follows a suggestion in event.h. also don't mix signal() and signal_set()/signal_add(). ok jsg@ gilles@