1.256 | 17-Jun-2024 | sashan
Change adds a 'log' option to relayd.conf(5) rule. The relayd(8) then uses the option to set corresponding `log` action in pf(4) rules it generates to handle network traffic.
The patch comes from Giannis Kapetanakis (bilias _from_ edu.physics.uoc.gr).
OK sashan@

Revision tags: OPENBSD_7_5_BASE

1.255 | 29-Oct-2023 | kn
Unmention/don't explain SSL, drop 9y old "ssl" keyword/deprecation warning
Switch "ssl" to "tls" in relayd.conf(5) if you haven't done so in the last ten years, "ssl" is now an error.
Say "TLS" not "SSL/TLS" and drop the primer in the TLS RELAYS section.
OK benno

Revision tags: OPENBSD_7_4_BASE

1.254 | 03-Jul-2023 | claudio
Use ibuf_data() instead of accessing ibuf->buf directly. OK tb@

Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE

1.253 | 15-Oct-2021 | naddy
Don't declare variables as "unsigned char *" that are passed to functions that take "char *" arguments. Where such chars are assigned to int or passed to ctype functions, explicitly cast them to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default, but when the parse.y code was built elsewhere, the compiler would complain.
With help from millert@ ok benno@ deraadt@

Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE

1.252 | 17-Jan-2021 | rob
Don't leak host address. Found with clang static analyzer.
OK tb@

1.251 | 09-Jan-2021 | denis
Add 'strip' directive
Feedback by Olivier Cherrier, Hiltjo Posthuma, Mischa
OK benno@

1.250 | 29-Dec-2020 | benno
getifaddrs() can return entries where ifa_addr is NULL. Check for this before accessing anything in ifa_addr. ok claudio@

1.249 | 30-Oct-2020 | martijn
Remove deprecated snmp keyword.
OK denis@

1.248 | 26-Oct-2020 | martijn
Let relayd make use of libagentx. No functional change intended.
OK tb@. Enthusiasm from Mischa Peters

1.247 | 25-Oct-2020 | denis
Remove trailing spaces & tabs

Revision tags: OPENBSD_6_8_BASE

1.246 | 14-Sep-2020 | martijn
Rewrite the agentx code of relayd. This new framework should allow us to add new objects easier if so desired and should handle a lot more corner-cases.
This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6} instead of the sin{,6}_addr, resulting in garbage data being put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped.
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices.
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend on adding it soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.
Tweaks and OK denis@ on the relayd parts
Tweaks and OK claudio@ on the agentx parts
"Get it in" deraadt@

1.245 | 14-May-2020 | pvk
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@

Revision tags: OPENBSD_6_7_BASE

1.244 | 12-Feb-2020 | benno
improve parsing of relay {} sections:
- Do not accept multiple protocol statements, as only one will be used, it is better to error out if more are specified.
- do not allow tcp and http options in dns protocol definitions, they are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca) thanks. ok claudio@

Revision tags: OPENBSD_6_6_BASE

1.243 | 18-Sep-2019 | benno
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.

1.242 | 15-Sep-2019 | rob
Add support for binary protocol health checking. Feedback and guidance from benno@ and reky@. Man page tweaks from jmc@.
ok benno@

1.241 | 13-Jul-2019 | chrisz
fix error description on invalid forward ip.
OK benno@

1.240 | 05-Jul-2019 | patrick
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@

1.239 | 28-Jun-2019 | deraadt
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.

1.238 | 31-May-2019 | reyk
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@

1.237 | 31-May-2019 | reyk
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@

1.236 | 29-May-2019 | reyk
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@

1.235 | 29-May-2019 | reyk
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@

1.234 | 10-May-2019 | reyk
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@

Revision tags: OPENBSD_6_5_BASE

1.233 | 13-Mar-2019 | benno
remove unused keyword "virtual". ok gcc, claudio@ agrees

1.232 | 04-Mar-2019 | benno
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@

1.231 | 13-Feb-2019 | deraadt
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno

1.230 | 01-Nov-2018 | sashan
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@

1.229 | 22-Oct-2018 | denis
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@

Revision tags: OPENBSD_6_4_BASE

1.228 | 07-Sep-2018 | miko
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@

1.227 | 06-Aug-2018 | benno
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
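The following relayd.conf(5) fragment is an added illustration, not part of this log or of the relayd source tree, and it puts together two of the changes recorded here: the `log state changes` / `log connection errors` options introduced in 1.227 and a filter rule using the `from` address match added in 1.234 (rules are last-matching unless `quick` is given, per 1.184). The table names, addresses and paths are made up for the example.

```conf
# Added example, not from the relayd tree. All names and addresses are made up.

# Global logging: only report host up/down transitions (not every check),
# and in relay mode log failed connections only (they go to LOG_WARN).
log state changes
log connection errors

table <web>   { 10.0.1.10 10.0.1.11 }
table <admin> { 10.0.1.20 }

http protocol "httpfilter" {
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"

	# Last-matching semantics: the block below would win for /admin/*
	# unless a 'quick' rule has already matched. Only clients from
	# 10.0.0.0/8 reach the admin backends; everyone else is blocked.
	pass request quick from 10.0.0.0/8 path "/admin/*" forward to <admin>
	block request path "/admin/*"
	pass request forward to <web>
}

relay "www" {
	listen on 192.0.2.1 port 80
	protocol "httpfilter"
	forward to <web> port 8080 check http "/" code 200
	forward to <admin> port 8080 check tcp
}
```

Every table referenced by a `forward to` inside a rule must also appear as a `forward to` in the relay block, otherwise the configuration is rejected at load time. Run `relayd -n -f <file>` to syntax-check before reloading a production instance.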

1.226 | 11-Jul-2018 | krw
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@

1.225 | 09-Jul-2018 | krw
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@

1.224 | 11-Jun-2018 | denis
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@

1.223 | 26-Apr-2018 | krw
Plug leak in error case of the common 'varset' implementations.
ok benno@

1.222 | 18-Apr-2018 | claudio
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 session per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@

Revision tags: OPENBSD_6_3_BASE

1.221 | 29-Nov-2017 | benno
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@

1.220 | 27-Nov-2017 | claudio
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@

1.219 | 27-Nov-2017 | claudio
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@

1.218 | 16-Nov-2017 | bluhm
Check that http options are only configured in http protocols. OK benno@

1.217 | 15-Nov-2017 | benno
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@

Revision tags: OPENBSD_6_2_BASE

1.216 | 28-Aug-2017 | florian
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@

1.215 | 27-May-2017 | claudio
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.

Revision tags: OPENBSD_6_1_BASE

1.214 | 05-Jan-2017 | krw
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@

1.213 | 05-Jan-2017 | krw
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@

1.212 | 26-Sep-2016 | reyk
spacing

1.211 | 03-Sep-2016 | reyk
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@

1.210 | 02-Sep-2016 | reyk
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@

1.209 | 02-Sep-2016 | reyk
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@

1.208 | 01-Sep-2016 | claudio
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows resuming the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@

Revision tags: OPENBSD_6_0_BASE

1.207 | 21-Jun-2016 | benno
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@

Revision tags: OPENBSD_5_9_BASE

1.206 | 22-Nov-2015 | reyk
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@

1.205 | 20-Aug-2015 | deraadt
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw

Revision tags: OPENBSD_5_8_BASE

1.204 | 02-May-2015 | claudio
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno

Revision tags: OPENBSD_5_7_BASE

1.203 | 08-Feb-2015 | reyk
branches: 1.203.2;
Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@

1.202 | 22-Jan-2015 | reyk
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@

1.201 | 21-Jan-2015 | deraadt
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.

1.200 | 16-Jan-2015 | deraadt
Adapt to <limits.h> universe. ok millert

1.199 | 23-Dec-2014 | reyk
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@

1.198 | 21-Dec-2014 | guenther
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@

1.197 | 18-Dec-2014 | reyk
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@

1.196 | 12-Dec-2014 | reyk
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@

1.195 | 20-Nov-2014 | jsg
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@

1.194 | 19-Nov-2014 | blambert
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@

1.193 | 07-Nov-2014 | jsing
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@

1.192 | 02-Nov-2014 | bluhm
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@

1.191 | 20-Oct-2014 | reyk
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@

1.190 | 15-Oct-2014 | reyk
Disable SSLv3 by default.
OK sthen@ jsing@

1.189 | 05-Sep-2014 | blambert
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@

1.188 | 29-Aug-2014 | blambert
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@

Revision tags: OPENBSD_5_6_BASE

1.187 | 11-Jul-2014 | reyk
Sometimes I just sort the tokens in parse.y

1.186 | 11-Jul-2014 | reyk
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@

1.185 | 11-Jul-2014 | reyk
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@

1.184 | 09-Jul-2014 | reyk
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@

1.183 | 25-Jun-2014 | reyk
sync copyright to reality according to my last changes

1.182 | 12-May-2014 | andre
Fix a leak from a recent added mark/marked keywords check.
ok reyk

1.181 | 08-May-2014 | reyk
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@

1.180 | 22-Apr-2014 | reyk
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@

1.179 | 21-Apr-2014 | reyk
Add a few missing free's in the grammar.

1.178 | 20-Apr-2014 | reyk
Add a few more overflow checks for strlc* functions in parse.y

1.177 | 14-Apr-2014 | blambert
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@

1.176 | 14-Apr-2014 | blambert
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@

Revision tags: OPENBSD_5_5_BASE

1.175 | 22-Jan-2014 | henning
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian

1.174 | 21-Jan-2014 | benno
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler

1.173 | 25-Nov-2013 | benno
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@

1.172 | 09-Sep-2013 | reyk
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@

Revision tags: OPENBSD_5_4_BASE

1.171 | 30-May-2013 | reyk
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@

1.170 | 27-Apr-2013 | benno
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@

1.169 | 04-Mar-2013 | sthen
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@

Revision tags: OPENBSD_5_3_BASE

1.168 | 19-Oct-2012 | reyk
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@

1.167 | 04-Oct-2012 | reyk
spacing

1.166 | 03-Oct-2012 | reyk
Inherit and pass the relay table flags correctly.

1.165 | 03-Oct-2012 | reyk
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.

Revision tags: OPENBSD_5_2_BASE

1.164 | 29-May-2012 | benno
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@

1.163 | 08-May-2012 | benno
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@

1.162 | 15-Apr-2012 | jsg
fix some leaks ok krw@

Revision tags: OPENBSD_5_1_BASE

1.161 | 21-Jan-2012 | camield
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd

1.160 | 20-Jan-2012 | camield
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr

1.159 | 21-Sep-2011 | bluhm
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb

Revision tags: OPENBSD_5_0_BASE

1.158 | 26-May-2011 | reyk
Add additional check to prevent running scripts when not configured.

1.157 | 23-May-2011 | reyk
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.

1.156 | 19-May-2011 | reyk
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parents loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@

1.155 | 09-May-2011 | reyk
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@

1.154 | 05-May-2011 | reyk
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...

1.153 | 05-May-2011 | phessler
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@

1.152 | 12-Apr-2011 | reyk
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.

1.151 | 12-Apr-2011 | reyk
update flags and printing of flags in debug mode, handle splicing flag.

1.150 | 07-Apr-2011 | reyk
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@

Revision tags: OPENBSD_4_9_BASE

1.149 | 26-Oct-2010 | reyk
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@

1.148 | 18-Oct-2010 | sthen
Missing semicolon, ok henning@

1.147 | 02-Sep-2010 | sobrado
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@

Revision tags: OPENBSD_4_8_BASE

1.146 | 07-Aug-2010 | claudio
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt

1.145 | 03-Aug-2010 | henning
fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?

1.144 | 01-Aug-2010 | sthen
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr

Revision tags: OPENBSD_4_7_BASE

1.143 | 24-Feb-2010 | jsg
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316

1.142 | 27-Aug-2009 | reyk
allow to specify interface names as addresses, for example "listen on em0". the implementation will lookup the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)

1.141 | 13-Aug-2009 | reyk
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages

1.140 | 07-Aug-2009 | reyk
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.

1.139 | 07-Aug-2009 | reyk
add missing line

1.138 | 07-Aug-2009 | reyk
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.

1.137 | 07-Aug-2009 | reyk
cosmetic change - move address into an own element

1.136 | 05-Aug-2009 | reyk
prevent configuration of relays listening to a single addr:port tuple twice

1.135 | 05-Aug-2009 | reyk
support multiple 'listen on' lines in a single relay block

1.134 | 05-Aug-2009 | reyk
tables don't need pf if running in "l7" relay mode

Revision tags: OPENBSD_4_6_BASE

1.133 | 24-Apr-2009 | reyk
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)

1.132 | 17-Apr-2009 | reyk
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar

1.131 | 02-Apr-2009 | reyk
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...

1.130 | 01-Apr-2009 | reyk
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114

1.129 | 01-Apr-2009 | reyk
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.

1.128 | 31-Mar-2009 | tobias
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning

Revision tags: OPENBSD_4_5_BASE

1.127 | 05-Dec-2008 | reyk
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@

1.126 | 17-Oct-2008 | henning
bring in the findeol() fix from pfctl. list of affected parsers by sthen

1.125 | 29-Sep-2008 | reyk
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.

1.124 | 29-Sep-2008 | reyk
sort tokens for better readability

1.123 | 29-Sep-2008 | reyk
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many

Revision tags: OPENBSD_4_4_BASE

1.122 | 22-Jul-2008 | reyk
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@

1.121 | 19-Jul-2008 | reyk
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) and relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relayd.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send a HTTP error page with error code and a meaningful message if a HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness I introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as its just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get fewer connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.246 |
|
14-Sep-2020 |
martijn |
Rewrite the agentx code of relayd. This new framework should allow us to add new objects easier if so desired and should handle a lot more corner-cases.
This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr resulting in garbage data to be put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend on adding it soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.
Tweaks and OK denis@ on the relayd parts Tweaks and OK claudio@ on the agentx parts "Get it in" deraadt@
|
#
1.245 |
|
14-May-2020 |
pvk |
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.244 |
|
12-Feb-2020 |
benno |
improve parsing of relay {} sections:
- Do not accept multiple protocol statements, as only one will be used, it is better to error out if more are specified.
- do not allow tcp and http options in dns protocol definitions, they are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca) thanks. ok claudio@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.243 |
|
18-Sep-2019 |
benno |
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows them to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload. - fix a TAILQ corruption because of a use after free - do not reinit the SSL engine since that fails OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl: - fix statistics - set INT_MAX limit on session timeouts - make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send a SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if a HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow a key to be used multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness I introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get fewer connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
> From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.246 |
|
14-Sep-2020 |
martijn |
Rewrite the agentx code of relayd. This new framework should allow us to add new objects easier if so desired and should handle a lot more corner-cases.
This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr, resulting in garbage data being put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend to add them soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.
Tweaks and OK denis@ on the relayd parts
Tweaks and OK claudio@ on the agentx parts
"Get it in" deraadt@
|
#
1.245 |
|
14-May-2020 |
pvk |
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.244 |
|
12-Feb-2020 |
benno |
improve parsing of relay {} sections:
- Do not accept multiple protocol statements, as only one will be used, it is better to error out if more are specified.
- do not allow tcp and http options in dns protocol definitions, they are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca) thanks. ok claudio@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.243 |
|
18-Sep-2019 |
benno |
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recent added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl: - fix statistics - set INT_MAX limit on session timeouts - make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432 applied to all the others by yours truly. ok theo isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will lookup the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send a SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send a HTTP error page with error code and a meaningful message if a HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key for multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header for multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gille Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pry@,reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
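The socket option pair behind the entry above, as an added example and not relayd's own code: GTSM works because no router on the path can raise a packet's TTL, so sending with TTL 255 and refusing anything that arrives below 255 minus the expected hop count keeps spoofed segments from distant hosts out of the listener. The function names, the `max_hops` parameter and the self-test helper are this example's assumptions; relayd's real configuration handling is not reproduced here.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Apply the Generalized TTL Security Mechanism to an IPv4 socket.
 * Outgoing packets carry TTL 255; incoming packets whose TTL is below
 * 255 - max_hops are dropped by the kernel (IP_MINTTL), so a peer more
 * than max_hops routers away cannot reach us even with a spoofed source.
 * Returns 0 on success, -1 with errno set on failure.
 */
int
gtsm_apply(int fd, int max_hops)
{
	int ttl = 255, minttl;

	if (max_hops < 0 || max_hops > 254) {
		errno = EINVAL;
		return -1;
	}
	minttl = 255 - max_hops;
	if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)) == -1)
		return -1;
	if (setsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl,
	    sizeof(minttl)) == -1)
		return -1;
	return 0;
}

/* Read back the minimum TTL the kernel enforces on fd, or -1 on error. */
int
gtsm_minttl(int fd)
{
	int v;
	socklen_t len = sizeof(v);

	if (getsockopt(fd, IPPROTO_IP, IP_MINTTL, &v, &len) == -1)
		return -1;
	return v;
}

/*
 * Self-test: create a throwaway TCP socket, protect it for peers at most
 * max_hops away and return the minimum TTL the kernel reports. Returns
 * -2 if sockets cannot be created at all (restricted sandbox), -1 if the
 * options were refused.
 */
int
gtsm_selftest(int max_hops)
{
	int fd, v;

	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		return -2;
	v = gtsm_apply(fd, max_hops) == 0 ? gtsm_minttl(fd) : -1;
	close(fd);
	return v;
}

int
main(void)
{
	int v = gtsm_selftest(1);

	printf("minimum accepted TTL for peers one hop away: %d\n", v);
	return v == 254 ? 0 : 1;
}
```

A directly attached backend gets `max_hops` 0 (only TTL 255 is accepted); one router in between gets 1. IP_MINTTL is an IPv4 option; IPv6 listeners need IPV6_MINHOPCOUNT, which this example does not set.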
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, I didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.246 |
|
14-Sep-2020 |
martijn |
Rewrite the agentx code of relayd. This new framework should allow us to add new objects easier if so desired and should handle a lot more corner-cases.
This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr resulting in garbage data to be put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend on adding it soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.
Tweaks and OK denis@ on the relayd parts Tweaks and OK claudio@ on the agentx parts "Get it in" deraadt@
|
#
1.245 |
|
14-May-2020 |
pvk |
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.244 |
|
12-Feb-2020 |
benno |
improve parsing of relay {} sections:
- Do not accept multiple protocol statements, as only one will be used, it is better to error out if more are specified.
- do not allow tcp and http options in dns protocol definitions, they are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca) thanks. ok claudio@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.243 |
|
18-Sep-2019 |
benno |
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
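The keyed hashing this entry introduces, as an added example and not relayd's code: a SipHash-2-4 implementation written out inline (OpenBSD provides it in libc as SipHash24(3), which this example does not depend on so that it builds anywhere), checked against the known-answer vector from the SipHash paper, then used to map a client address to a backend under a key. The modulo reduction, the 16-byte constants standing in for a random and a configured static key, the `pick_host`/`same_backend` names and the IPv4 address bytes are all constructed for this example; they are not how relayd walks its tables. The same keyed construction is what the source-hash scheduling mode relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SipHash-2-4 as published by Aumasson and Bernstein. */
#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND(v0, v1, v2, v3) do {					\
	v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);	\
	v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;			\
	v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;			\
	v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);	\
} while (0)

static uint64_t
le64(const uint8_t *p)
{
	uint64_t v = 0;
	int i;

	for (i = 7; i >= 0; i--)
		v = (v << 8) | p[i];
	return v;
}

uint64_t
siphash24(const uint8_t key[16], const uint8_t *in, size_t len)
{
	uint64_t k0 = le64(key), k1 = le64(key + 8), m;
	uint64_t v0 = 0x736f6d6570736575ULL ^ k0;
	uint64_t v1 = 0x646f72616e646f6dULL ^ k1;
	uint64_t v2 = 0x6c7967656e657261ULL ^ k0;
	uint64_t v3 = 0x7465646279746573ULL ^ k1;
	uint64_t b = (uint64_t)len << 56;	/* length byte in the last block */
	size_t i;

	for (i = 0; i + 8 <= len; i += 8) {
		m = le64(in + i);
		v3 ^= m;
		SIPROUND(v0, v1, v2, v3);
		SIPROUND(v0, v1, v2, v3);
		v0 ^= m;
	}
	for (; i < len; i++)			/* 0..7 trailing bytes, little-endian */
		b |= (uint64_t)in[i] << (8 * (i % 8));
	v3 ^= b;
	SIPROUND(v0, v1, v2, v3);
	SIPROUND(v0, v1, v2, v3);
	v0 ^= b;
	v2 ^= 0xff;
	SIPROUND(v0, v1, v2, v3);
	SIPROUND(v0, v1, v2, v3);
	SIPROUND(v0, v1, v2, v3);
	SIPROUND(v0, v1, v2, v3);
	return v0 ^ v1 ^ v2 ^ v3;
}

/* Known-answer test from the SipHash paper: key 00..0f, message 00..0e. */
uint64_t
siphash24_kat(void)
{
	uint8_t key[16], msg[15];
	int i;

	for (i = 0; i < 16; i++)
		key[i] = (uint8_t)i;
	for (i = 0; i < 15; i++)
		msg[i] = (uint8_t)i;
	return siphash24(key, msg, sizeof(msg));
}

/* Constructed keys: one "configured static" key and one standing in for
 * a key another relay instance generated at random. */
const uint8_t STATIC_KEY[16] = { 0x0b, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,
    0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 };
const uint8_t OTHER_KEY[16] = { 0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33,
    0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb };

/* Map a client address to one of nhosts backends under key (modulo is a
 * simplification for this example). A client who does not know the key
 * cannot predict, or deliberately collide onto, a backend. */
unsigned int
pick_host(const uint8_t key[16], const uint8_t *addr, size_t addrlen,
    unsigned int nhosts)
{
	return nhosts == 0 ? 0 : (unsigned int)(siphash24(key, addr, addrlen) % nhosts);
}

/* Do two instances keyed with key_a and key_b agree on a constructed client? */
int
same_backend(const uint8_t key_a[16], const uint8_t key_b[16])
{
	static const uint8_t client[4] = { 192, 0, 2, 77 };

	return pick_host(key_a, client, 4, 5) == pick_host(key_b, client, 4, 5);
}

int
main(void)
{
	printf("kat %s, shared key agrees: %d, independent keys agree: %d\n",
	    siphash24_kat() == 0xa129ca6149be45e5ULL ? "ok" : "FAILED",
	    same_backend(STATIC_KEY, STATIC_KEY), same_backend(STATIC_KEY, OTHER_KEY));
	return 0;
}
```

On OpenBSD a per-process random key would come from arc4random_buf(3). The practical consequence of the random default is the second number printed: two relayd instances (or a relay and a separately keyed peer) that must send the same client to the same backend have to be configured with the same static key.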
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
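The quoted-string rules in this entry and in the "odd condition/test in PF lexer" entry (1.230) above, combined into one added example that is not the OpenBSD lexer itself: a reader for a single double-quoted token that expands `\ ` and `\<tab>`, drops `\<newline>` as a line continuation, and rejects an embedded NUL because everything downstream (pf anchor and table names, syslog) treats the value as NUL-terminated and would silently see a shorter string than the parser counted. The function names, the treatment of unknown escapes (backslash kept literally), the rejection of an unescaped newline and the output buffer sizes are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Read one double-quoted string token. in[0] must be the opening quote.
 * Returns the number of bytes consumed including both quotes, or -1 on a
 * syntax error (embedded NUL, unescaped newline, unterminated string,
 * string too long). out receives the decoded, NUL-terminated string.
 */
ssize_t
lex_quoted(const unsigned char *in, size_t inlen, char *out, size_t outsz)
{
	size_t i = 1, o = 0;
	unsigned char c, next;

	if (inlen == 0 || in[0] != '"' || outsz == 0)
		return -1;
	while (i < inlen) {
		c = in[i++];
		if (c == '\0' || c == '\n')	/* NUL or bare newline: reject */
			return -1;
		if (c == '"') {
			out[o] = '\0';
			return (ssize_t)i;
		}
		if (c == '\\') {
			if (i >= inlen)
				return -1;
			next = in[i];
			if (next == '"' || next == ' ' || next == '\t') {
				c = next;	/* escaped quote, space or tab */
				i++;
			} else if (next == '\n') {
				i++;		/* line continuation */
				continue;
			}
			/* any other escape: keep the backslash literally */
		}
		if (o + 1 >= outsz)
			return -1;		/* string too long */
		out[o++] = c;
	}
	return -1;				/* unterminated string */
}

/*
 * Decode src (srclen bytes, may contain NUL) and return the bytes consumed
 * when the result equals want, -1 when the lexer rejected the input, -2
 * when it decoded to something else.
 */
int
lex_check(const char *src, size_t srclen, const char *want)
{
	char out[64];
	ssize_t n = lex_quoted((const unsigned char *)src, srclen, out,
	    sizeof(out));

	if (n < 0)
		return -1;
	return strcmp(out, want) == 0 ? (int)n : -2;
}

int
main(void)
{
	/* Constructed configuration fragment with an embedded NUL byte. */
	static const char bad[] = "\"anchor\0name\"";
	static const char good[] = "\"anchor\\ name\"";
	char out[64];

	printf("embedded NUL: %zd\n", lex_quoted((const unsigned char *)bad,
	    sizeof(bad) - 1, out, sizeof(out)));
	printf("escaped space: %zd -> \"%s\"\n",
	    lex_quoted((const unsigned char *)good, sizeof(good) - 1, out,
	    sizeof(out)), out);
	return 0;
}
```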
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432 applied to all the others by yours truly. ok theo isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into its own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
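The address mapping described in the 1.122 log above, written out as an added example rather than relayd's own code: the low 32 bits of an IPv6 destination are read back as an IPv4 address (faithd(8) style), and an IPv4 destination is embedded into a configured /96 IPv6 prefix. The prefix 2001:db8:64::/96, the sample addresses and the function names are constructed for this example. Since the commit notes that the classification of which connections get translated is done in pf.conf(5), the example also includes the prefix check a defender would want if that classification is ever loosened.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not relayd code.  The documentation-range prefix
 * 2001:db8:64::/96 stands in for whatever prefix an operator configures.
 */

/*
 * Read an IPv4 address out of the last 4 octets of an IPv6 address and
 * format it.  Returns 0 on success, -1 if the input does not parse.
 */
int
v6_to_v4(const char *v6str, char *out, size_t outlen)
{
	struct in6_addr a6;
	struct in_addr a4;

	if (inet_pton(AF_INET6, v6str, &a6) != 1)
		return -1;
	memcpy(&a4, &a6.s6_addr[12], sizeof(a4));	/* octets 12..15 */
	if (inet_ntop(AF_INET, &a4, out, outlen) == NULL)
		return -1;
	return 0;
}

/*
 * Append the 4 octets of an IPv4 address to a /96 IPv6 prefix.  The low
 * 32 bits of the prefix are overwritten, so anything there is ignored.
 */
int
v4_to_v6(const char *prefixstr, const char *v4str, char *out, size_t outlen)
{
	struct in6_addr a6;
	struct in_addr a4;

	if (inet_pton(AF_INET6, prefixstr, &a6) != 1 ||
	    inet_pton(AF_INET, v4str, &a4) != 1)
		return -1;
	memcpy(&a6.s6_addr[12], &a4, sizeof(a4));
	if (inet_ntop(AF_INET6, &a6, out, outlen) == NULL)
		return -1;
	return 0;
}

/*
 * Defensive check: does the destination really lie inside the configured
 * /96?  Returns 1 if so, 0 if not, -1 on a parse error.  Without such a
 * check every IPv6 destination would map to *some* IPv4 host.
 */
int
v6_in_prefix96(const char *prefixstr, const char *v6str)
{
	struct in6_addr p, a;

	if (inet_pton(AF_INET6, prefixstr, &p) != 1 ||
	    inet_pton(AF_INET6, v6str, &a) != 1)
		return -1;
	return memcmp(&p, &a, 12) == 0;	/* first 96 bits equal */
}

int
main(void)
{
	char buf[INET6_ADDRSTRLEN];

	/* constructed sample: 192.0.2.1 embedded in 2001:db8:64::/96 */
	if (v6_to_v4("2001:db8:64::c000:201", buf, sizeof(buf)) == 0)
		printf("v6 -> v4: %s\n", buf);
	if (v4_to_v6("2001:db8:64::", "192.0.2.1", buf, sizeof(buf)) == 0)
		printf("v4 -> v6: %s\n", buf);
	printf("in prefix: %d\n",
	    v6_in_prefix96("2001:db8:64::", "2001:db8:65::c000:201"));
	return 0;
}
```

Note that the two conversions are pure byte copies, so any IPv6 destination decodes to an IPv4 address; whatever rule set hands traffic to such a relay (pf.conf(5) in relayd's case) decides which prefix is allowed to be translated, and v6_in_prefix96() is the in-process form of that same decision.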
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
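An added example, not the parse.y host_v6() from this commit, showing the difference the 1.116 log is about: a scoped IPv6 literal such as "fe80::1%1" carries an interface scope that inet_pton(3) has no way to return, while getaddrinfo(3) with AI_NUMERICHOST parses it into sin6_scope_id without ever touching DNS. The function names and the sample literals are assumptions made for the example.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Added example, not relayd code.  Parse an IPv6 literal (optionally with
 * a "%scope" suffix) into a sockaddr_in6.  AI_NUMERICHOST keeps this a
 * pure parser: a hostname is rejected instead of being resolved.
 * Returns 0 and fills *out on success, -1 otherwise.
 */
int
parse_v6_literal(const char *s, struct sockaddr_in6 *out)
{
	struct addrinfo hints, *res;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_INET6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_NUMERICHOST;

	if (getaddrinfo(s, NULL, &hints, &res) != 0)
		return -1;
	memcpy(out, res->ai_addr, sizeof(*out));
	freeaddrinfo(res);
	return 0;
}

/* Scope id of a literal, or -1 if it is not a numeric IPv6 address. */
long
scope_of(const char *s)
{
	struct sockaddr_in6 sa;

	if (parse_v6_literal(s, &sa) == -1)
		return -1;
	return (long)sa.sin6_scope_id;
}

/* The old way for contrast: 1 if inet_pton accepts the string, else 0. */
int
inet_pton_accepts(const char *s)
{
	struct in6_addr a;

	return inet_pton(AF_INET6, s, &a) == 1;
}

int
main(void)
{
	/* constructed sample literals: a link-local with numeric scope 1, a global one */
	const char *samples[] = { "fe80::1%1", "2001:db8::1", "example.invalid" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-16s getaddrinfo scope=%ld  inet_pton=%d\n", samples[i],
		    scope_of(samples[i]), inet_pton_accepts(samples[i]));
	return 0;
}
```

getnameinfo(3) with NI_NUMERICHOST does the reverse and appends the scope as "%<ifname>" on most systems, which is why the commit pairs the two calls; inet_ntop(3) would print the address but silently drop the scope.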
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key for multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header for multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.246 |
|
14-Sep-2020 |
martijn |
Rewrite the agentx code of relayd. This new framework should allow us to add new objects easier if so desired and should handle a lot more corner-cases.
This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr, resulting in garbage data being put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped.
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices.
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend on adding it soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.
Tweaks and OK denis@ on the relayd parts
Tweaks and OK claudio@ on the agentx parts
"Get it in" deraadt@
|
#
1.245 |
|
14-May-2020 |
pvk |
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.244 |
|
12-Feb-2020 |
benno |
improve parsing of relay {} sections:
- Do not accept multiple protocol statements, as only one will be used; it is better to error out if more are specified.
- Do not allow tcp and http options in dns protocol definitions, they are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca), thanks. ok claudio@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.243 |
|
18-Sep-2019 |
benno |
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows them to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session tickets are supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly.
ok theo
isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow a key to be used multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.246 |
|
14-Sep-2020 |
martijn |
Rewrite the agentx code of relayd. This new framework should allow us to add new objects more easily if so desired and should handle a lot more corner-cases.
This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr, resulting in garbage data being put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend to add it soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.
Tweaks and OK denis@ on the relayd parts
Tweaks and OK claudio@ on the agentx parts
"Get it in" deraadt@
|
#
1.245 |
|
14-May-2020 |
pvk |
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.244 |
|
12-Feb-2020 |
benno |
improve parsing of relay {} sections:
- Do not accept multiple protocol statements, as only one will be used, it is better to error out if more are specified.
- do not allow tcp and http options in dns protocol definitions, they are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca) thanks. ok claudio@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.243 |
|
18-Sep-2019 |
benno |
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of balony.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send a HTTP error page with error code and a meaningful message if a HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness I introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (by some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (I figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.246 |
|
14-Sep-2020 |
martijn |
Rewrite the agentx code of relayd. This new framework should allow us to add new objects easier if so desired and should handle a lot more corner-cases.
This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr resulting in garbage data to be put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend to add it soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.
Tweaks and OK denis@ on the relayd parts
Tweaks and OK claudio@ on the agentx parts
"Get it in" deraadt@
|
#
1.245 |
|
14-May-2020 |
pvk |
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.244 |
|
12-Feb-2020 |
benno |
improve parsing of relay {} sections:
- Do not accept multiple protocol statements, as only one will be used, it is better to error out if more are specified.
- do not allow tcp and http options in dns protocol definitions, they are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca) thanks. ok claudio@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.243 |
|
18-Sep-2019 |
benno |
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes log host checks log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session tickets are supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl: - fix statistics - set INT_MAX limit on session timeouts - make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key for multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advise and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.246 |
|
14-Sep-2020 |
martijn |
Rewrite the agentx code of relayd. This new framework should allow us to add new objects easier if so desired and should handle a lot more corner-cases.
This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr resulting in garbage data to be put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend on adding it soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.
Tweaks and OK denis@ on the relayd parts
Tweaks and OK claudio@ on the agentx parts
"Get it in" deraadt@
|
#
1.245 |
|
14-May-2020 |
pvk |
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.244 |
|
12-Feb-2020 |
benno |
improve parsing of relay {} sections:
- Do not accept multiple protocol statements, as only one will be used, it is better to error out if more are specified.
- do not allow tcp and http options in dns protocol definitions, they are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca) thanks. ok claudio@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.243 |
|
18-Sep-2019 |
benno |
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parents loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will lookup the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send a HTTP error page with error code and a meaningful message if a HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key for multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header for multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get fewer connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.246 |
|
14-Sep-2020 |
martijn |
Rewrite the agentx code of relayd. This new framework should allow us to add new objects easier if so desired and should handle a lot more corner-cases.
This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr resulting in garbage data to be put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend on adding it soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.
Tweaks and OK denis@ on the relayd parts Tweaks and OK claudio@ on the agentx parts "Get it in" deraadt@
|
#
1.245 |
|
14-May-2020 |
pvk |
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.244 |
|
12-Feb-2020 |
benno |
improve parsing of relay {} sections:
- Do not accept multiple protocol statements, as only one will be used, it is better to error out if more are specified.
- do not allow tcp and http options in dns protocol definitions, they are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca) thanks. ok claudio@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.243 |
|
18-Sep-2019 |
benno |
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes log host checks log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session tickets are supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload. - fix a TAILQ corruption because of a use after free - do not reinit the SSL engine since that fails OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl: - fix statistics - set INT_MAX limit on session timeouts - make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432 applied to all the others by yours truly. ok theo isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will lookup the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing on key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send a SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send a HTTP error page with error code and a meaningful message if a HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow a key to be used multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables everytime we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
- make parse_config allocate the hoststated function by itself
- make as many sockets as necessary to talk to the relay children
- add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get fewer connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.246 |
|
14-Sep-2020 |
martijn |
Rewrite the agentx code of relayd. This new framework should allow us to add new objects easier if so desired and should handle a lot more corner-cases.
This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr resulting in garbage data to be put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend on adding it soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.
Tweaks and OK denis@ on the relayd parts Tweaks and OK claudio@ on the agentx parts "Get it in" deraadt@
|
#
1.245 |
|
14-May-2020 |
pvk |
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.244 |
|
12-Feb-2020 |
benno |
improve parsing of relay {} sections:
- Do not accept multiple protocol statements, as only one will be used, it is better to error out if more are specified.
- do not allow tcp and http options in dns protocol definitions, they are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca) thanks. ok claudio@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.243 |
|
18-Sep-2019 |
benno |
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
    log updates|all
with
    log state changes
    log host checks
    log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
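Keyed backend selection of the kind the 1.197 commit above describes (and the randomized seed re-added in 1.188 further down), as an added example in C. This is not relayd's code: it implements SipHash-2-4 from the published specification, hashes the raw client address bytes under a 128-bit key and reduces the result modulo the number of hosts, so two relays agree on the host only when they share the key, which is the case the commit's static "key" argument exists for. The random per-process default is modelled by reading /dev/urandom. The names siphash24(), pick_host(), random_key() and the test-vector constants are hypothetical; the client addresses are constructed.

```c
/*
 * Keyed source hashing for backend selection.  Added example, not
 * relayd's code.  Assumptions: SipHash-2-4 over the raw client address
 * bytes, reduced modulo the host count; all names are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL64(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))

/* One SipHash round over the local state words v0..v3. */
#define SIPROUND do {                                                  \
	v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);      \
	v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                           \
	v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                           \
	v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);      \
} while (0)

static uint64_t
u8to64_le(const uint8_t *p)
{
	uint64_t v = 0;
	int i;

	for (i = 7; i >= 0; i--)
		v = (v << 8) | p[i];
	return v;
}

/* SipHash-2-4 (Aumasson/Bernstein) of in[0..inlen) under a 128-bit key. */
uint64_t
siphash24(const uint8_t key[16], const uint8_t *in, size_t inlen)
{
	uint64_t v0 = 0x736f6d6570736575ULL, v1 = 0x646f72616e646f6dULL;
	uint64_t v2 = 0x6c7967656e657261ULL, v3 = 0x7465646279746573ULL;
	uint64_t k0 = u8to64_le(key), k1 = u8to64_le(key + 8);
	uint64_t b = (uint64_t)inlen << 56, m;
	size_t i, j;

	v3 ^= k1; v2 ^= k0; v1 ^= k1; v0 ^= k0;
	for (i = 0; i + 8 <= inlen; i += 8) {	/* full 8-byte blocks */
		m = u8to64_le(in + i);
		v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
	}
	for (j = 0; i + j < inlen; j++)		/* 0..7 tail bytes + length */
		b |= (uint64_t)in[i + j] << (8 * j);
	v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
	v2 ^= 0xff;				/* finalization */
	SIPROUND; SIPROUND; SIPROUND; SIPROUND;
	return v0 ^ v1 ^ v2 ^ v3;
}

/* Published SipHash-2-4 test vectors: key 00..0f, message 00..0e. */
const uint8_t kSipTestKey[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
const uint8_t kSipTestMsg[15] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14};

/* 1 if the implementation reproduces the empty and 15-byte vectors. */
int
siphash_selftest(void)
{
	return siphash24(kSipTestKey, kSipTestMsg, 0) == 0x726fdb47dd0e0e31ULL &&
	    siphash24(kSipTestKey, kSipTestMsg, 15) == 0xa129ca6149be45e5ULL;
}

/* Backend index for a client address under this relay's key. */
unsigned int
pick_host(const uint8_t key[16], const uint8_t *addr, size_t addrlen,
    unsigned int nhosts)
{
	return (unsigned int)(siphash24(key, addr, addrlen) % nhosts);
}

/* Fill a key from the OS CSPRNG: the random per-process default. */
int
random_key(uint8_t key[16])
{
	FILE *f = fopen("/dev/urandom", "rb");
	int ok = f != NULL && fread(key, 1, 16, f) == 16;

	if (f != NULL)
		fclose(f);
	return ok;
}

int
main(void)
{
	/* Constructed client addresses (raw IPv4 bytes), not real traffic. */
	const uint8_t clients[3][4] = {{10,0,0,1}, {10,0,0,2}, {192,0,2,7}};
	uint8_t ka[16], kb[16];
	size_t i;

	if (!siphash_selftest() || !random_key(ka) || !random_key(kb))
		return 1;
	for (i = 0; i < 3; i++)
		printf("client %zu: shared key -> %u/%u, private keys -> %u/%u\n",
		    i, pick_host(ka, clients[i], 4, 3), pick_host(ka, clients[i], 4, 3),
		    pick_host(ka, clients[i], 4, 3), pick_host(kb, clients[i], 4, 3));
	return 0;
}
```

Two things the output makes visible: with the shared key both "instances" always agree, while with independent random keys they agree only by chance, so a multi-relay deployment that needs consistent mapping has to configure the same key everywhere; and because the key is secret, a client cannot compute which host its address lands on or craft addresses that collide onto one host, which is what the random default buys over an unkeyed hash.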
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432 applied to all the others by yours truly. ok theo isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing on key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send a SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send a HTTP error page with error code and a meaningful message if a HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key for multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header for multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness I introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.246 |
|
14-Sep-2020 |
martijn |
Rewrite the agentx code of relayd. This new framework should allow us to add new objects easier if so desired and should handle a lot more corner-cases.
This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr, resulting in garbage data being put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend to add it soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.
Tweaks and OK denis@ on the relayd parts
Tweaks and OK claudio@ on the agentx parts
"Get it in" deraadt@
|
#
1.245 |
|
14-May-2020 |
pvk |
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.244 |
|
12-Feb-2020 |
benno |
improve parsing of relay {} sections:
- Do not accept multiple protocol statements, as only one will be used, it is better to error out if more are specified.
- do not allow tcp and http options in dns protocol definitions, they are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca) thanks. ok claudio@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.243 |
|
18-Sep-2019 |
benno |
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recent added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parents loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. Problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432; applied to all the others by yours truly. ok theo. Isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
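The address trick described in the entry above, as an added example (not relayd's own code): two pure functions that do the faithd(8)-style mapping with inet_pton(3)/inet_ntop(3). The function names, the /96 prefix 2001:db8:ffff:: and the 192.0.2.1 target are this example's own choices, not anything taken from the commit.

```c
/* Added example, not relayd code: faithd(8)-style IPv4/IPv6 mapping.
 * map6to4(): IPv6 destination -> IPv4 host from its last four octets.
 * map4to6(): IPv4 destination -> IPv6 host by putting the four octets
 * into the low 32 bits of a configured /96 prefix.
 * Both return 0 on success and -1 if an address does not parse. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

int
map6to4(const char *dst6, char *out4, size_t outlen)
{
	struct in6_addr a6;
	struct in_addr a4;

	if (inet_pton(AF_INET6, dst6, &a6) != 1)
		return -1;
	/* the IPv4 address is the last 4 of the 16 address octets */
	memcpy(&a4, &a6.s6_addr[12], sizeof(a4));
	if (inet_ntop(AF_INET, &a4, out4, outlen) == NULL)
		return -1;
	return 0;
}

int
map4to6(const char *prefix6, const char *dst4, char *out6, size_t outlen)
{
	struct in6_addr a6;
	struct in_addr a4;

	if (inet_pton(AF_INET6, prefix6, &a6) != 1 ||
	    inet_pton(AF_INET, dst4, &a4) != 1)
		return -1;
	/* overwrite the low 32 bits of the prefix with the IPv4 address */
	memcpy(&a6.s6_addr[12], &a4, sizeof(a4));
	if (inet_ntop(AF_INET6, &a6, out6, outlen) == NULL)
		return -1;
	return 0;
}

int
main(void)
{
	char buf[INET6_ADDRSTRLEN];

	/* constructed sample addresses (RFC 3849/5737 documentation ranges) */
	if (map6to4("2001:db8:ffff::c000:201", buf, sizeof(buf)) == 0)
		printf("v6 -> v4: %s\n", buf);
	if (map4to6("2001:db8:ffff::", "192.0.2.1", buf, sizeof(buf)) == 0)
		printf("v4 -> v6: %s\n", buf);
	return 0;
}
```

The functions will produce an address for any input, so, exactly as the entry says, the pf.conf(5) rules that steer traffic to the relay are the only access control: keep the prefix and the redirection rules narrow, otherwise the IPv6 side can reach arbitrary IPv4 hosts by encoding them in the destination.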
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gille Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pry@,reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advise and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (by some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.245 |
|
14-May-2020 |
pvk |
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.244 |
|
12-Feb-2020 |
benno |
improve parsing of relay {} sections:
- Do not accept multiple protocol statements, as only one will be used, it is better to error out if more are specified.
- do not allow tcp and http options in dns protocol definitions, they are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca) thanks. ok claudio@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.243 |
|
18-Sep-2019 |
benno |
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
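As an added example (not part of the commit log and not code from the relayd project), a relayd.conf(5) fragment that combines the options introduced in 1.227 (log state changes / log connection errors), 1.232 (http { websockets }), 1.234 (from/to in filter rules), 1.238 (tls keypair for SNI) and 1.157 (listen on egress). The table name, key pair names, addresses and ports are placeholders.

```conf
# Global logging (1.227): only host state transitions, and only failed
# relay connections. Errors go out at LOG_WARN, good connections at
# LOG_INFO, so syslog can separate them.
log state changes
log connection errors

# Backend pool; addresses are placeholders.
table <webhosts> { 10.0.1.10 10.0.1.11 }

http protocol "httpfilter" {
	# SNI (1.238): one key pair per served hostname. Each name is
	# looked up as /etc/ssl/<name>.crt and /etc/ssl/private/<name>.key
	# (placeholder names).
	tls keypair "www.example.com"
	tls keypair "api.example.com"

	# Allow RFC 6455 connection upgrades (1.232); the default is no.
	http { websockets }

	# Last-matching filter rules. "from" (1.234) restricts by client
	# source; the second rule has no source restriction.
	pass from 10.0.0.0/8 path "/hello/*" forward to <webhosts>
	pass request path "/public/*" forward to <webhosts>
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
}

relay "www" {
	# "egress" (1.157) expands to the addresses of that interface group.
	listen on egress port 443 tls
	protocol "httpfilter"
	forward to <webhosts> port 8080 check http "/" code 200
}
```

Before relying on the from/to rule, confirm with `relayd -n -f relayd.conf` that the file parses, and remember that rules are last-matching: a later unrestricted pass rule for the same path would override the source restriction.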
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3), so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relayctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
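As an added example (not part of the commit log and not code from the relayd project), a fully transparent TCP relay as described in 1.191, together with the pf.conf(5) rules that feed it. "transparent" (1.115) makes the relay connect out with the client's own source address, and "forward to destination" recovers the original destination from the diverted connection. The interface, network and port values are placeholders, and the pf rules are this example's assumption about the surrounding setup, not something the commit specifies.

```conf
# /etc/pf.conf (assumed): steer LAN web traffic into the local relay,
# and let replies for sockets bound to non-local (client) addresses
# reach the relay's outbound socket.
#   pass in on em1 inet proto tcp from 192.168.1.0/24 to port 80 \
#       divert-to 127.0.0.1 port 8080
#   pass out on em0 inet proto tcp divert-reply

# /etc/relayd.conf
relay "tcpproxy" {
	# Only reachable through the divert-to rule above.
	listen on 127.0.0.1 port 8080
	# Connect to the original destination using the client's address
	# as source; no "interface" argument since 1.191.
	transparent forward to destination
}
```

Because the relay spoofs the client's source address on the backend side, the backend's replies must route back through this host; if they do not, the transparent mode silently fails even though the relay itself accepts connections.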
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recent added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parents loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DoS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. Problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432; applied to all the others by yours truly. ok theo. Isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
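As an added example (not part of the commit log and not code from the relayd project), a redirect whose table uses the parent keyword from 1.120. It relies on host ids being assigned in configuration order starting at 1 (1.117, 1.118) and on source-hash being accepted for redirections (1.199). The table name, addresses and ports are placeholders.

```conf
# Hosts get ids 1, 2, 3 in this order (1.117/1.118).
table <webhosts> {
	10.0.1.10
	10.0.1.11
	# IP alias on host 1: inherits host 1's check state and is never
	# probed itself (1.120). The id refers to the parent, not an address.
	10.0.1.12 parent 1
}

redirect "www" {
	listen on 10.0.0.1 port 80
	listen on 10.0.0.1 port 443
	# Pin each client address to one backend via pf's sticky-address.
	sticky-address
	# source-hash is allowed in redirections since 1.199; the default
	# mode is round-robin (1.114).
	forward to <webhosts> mode source-hash check http "/" code 200
}
```

The parent id is positional: inserting a host above the parent in the table shifts every id, so check `relayctl show hosts` after editing the table rather than assuming the number still points at the intended host.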
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send a SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow a key to be used multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (by some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.244 |
|
12-Feb-2020 |
benno |
improve parsing of relay {} sections:
- Do not accept multiple protocol statements, as only one will be used, it is better to error out if more are specified.
- do not allow tcp and http options in dns protocol definitions, they are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca) thanks. ok claudio@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.243 |
|
18-Sep-2019 |
benno |
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send a SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send a HTTP error page with error code and a meaningful message if a HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not do silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gille Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pry@,reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload: * make parse_config allocate the hoststated function by itself * make as many sockets as necessary to talk to the relay children * add send_all for talking to all children with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
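An added example of the GTSM setup the commit above makes configurable (IP_TTL for outgoing packets and IP_MINTTL for the kernel-side floor on incoming ones, per RFC 3682, since obsoleted by RFC 5082). This is stand-alone demonstration code, not relayd's implementation; the hop count is a constructed deployment parameter, and the socket is a throwaway TCP socket used only to show the options being applied and read back.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <unistd.h>

/*
 * GTSM: send with TTL 255 and have the kernel drop any packet that arrives
 * with a TTL below 255 - hops. A packet that travelled further than the
 * known distance to the backend (a spoofed one from the far side of the
 * network, for instance) never reaches userland. Added example, not relayd
 * code; 'hops' is a constructed value for a backend one router away.
 */

/* Lowest TTL a peer exactly 'hops' routers away can still present. */
int
gtsm_minttl_for_hops(int hops)
{
	if (hops < 0 || hops > 254)
		return (-1);
	return (255 - hops);
}

/*
 * Apply IP_TTL=255 and IP_MINTTL=255-hops to fd, then read IP_MINTTL back.
 * Returns the value the kernel reports, or -1 on any error.
 */
int
gtsm_apply(int fd, int hops)
{
	int ttl = 255, minttl = gtsm_minttl_for_hops(hops), got = 0;
	socklen_t len = sizeof(got);

	if (minttl < 0)
		return (-1);
	if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)) == -1)
		return (-1);
	if (setsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl)) == -1)
		return (-1);
	if (getsockopt(fd, IPPROTO_IP, IP_MINTTL, &got, &len) == -1)
		return (-1);
	return (got);
}

/*
 * Self-contained demo: open a TCP socket, apply GTSM for a backend 'hops'
 * routers away, close it. Returns the IP_MINTTL read back, or -1 if the
 * environment does not allow creating a socket or setting the option.
 */
int
gtsm_demo(int hops)
{
	int fd, r;

	fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd == -1)
		return (-1);
	r = gtsm_apply(fd, hops);
	close(fd);
	return (r);
}

int
main(void)
{
	int r = gtsm_demo(1);

	if (r == -1)
		printf("could not apply GTSM in this environment\n");
	else
		printf("IP_MINTTL in effect for a 1-hop backend: %d\n", r);
	return (0);
}
```

The point of reading the value back is operational: IP_MINTTL silently does nothing if a firewall or middlebox in front of the relay rewrites TTLs, so the check belongs in a startup self-test rather than being assumed.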
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing. - allow to run relays with tables without depending on services - show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS) - increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load) - close the connection if SSL_accept returned an error - instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information - add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents) - some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.243 |
|
18-Sep-2019 |
benno |
remove old log options 'log update/all' that were replaced with 'log state changes/host checks/connection' some time ago. ok reyk@ claudio@ on first version, kn@ noticed that the tokens could be removed too.
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reky@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes log host checks log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload. - fix a TAILQ corruption because of a use after free - do not reinit the SSL engine since that fails OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
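An added example of keyed source-hash backend selection with SipHash-2-4, illustrating the change above. This is demonstration code, not relayd's hashing code: the SipHash routine is a straight transcription of the published SipHash-2-4 algorithm, the two keys and the 192.0.2.0/24 client range are constructed, and the backend count is a made-up parameter. It shows why the key matters: with an unkeyed hash anyone can compute which source addresses collide on one backend, while with a keyed hash two instances only agree on the client-to-backend mapping if they share the key, which is exactly the case the commit's static-key option exists for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Keyed source-hash load balancing with SipHash-2-4. Added example, not
 * relayd code. A real deployment draws the key from arc4random_buf(3)
 * unless it must be shared between cooperating instances.
 */

#define ROTL64(x, b)	(uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))

#define SIPROUND do {							\
	v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);	\
	v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;			\
	v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;			\
	v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);	\
} while (0)

static uint64_t
u8to64_le(const uint8_t *p)
{
	uint64_t v = 0;
	int i;

	for (i = 7; i >= 0; i--)
		v = (v << 8) | p[i];
	return (v);
}

/* SipHash-2-4 (Aumasson/Bernstein): 128-bit key, 64-bit output. */
uint64_t
siphash24(const uint8_t key[16], const void *data, size_t len)
{
	const uint8_t *in = data;
	uint64_t v0 = 0x736f6d6570736575ULL, v1 = 0x646f72616e646f6dULL;
	uint64_t v2 = 0x6c7967656e657261ULL, v3 = 0x7465646279746573ULL;
	uint64_t k0 = u8to64_le(key), k1 = u8to64_le(key + 8);
	uint64_t m, b = (uint64_t)len << 56;
	size_t i, blocks = len - (len % 8);

	v3 ^= k1; v2 ^= k0; v1 ^= k1; v0 ^= k0;
	for (i = 0; i < blocks; i += 8) {	/* full 8-byte blocks */
		m = u8to64_le(in + i);
		v3 ^= m;
		SIPROUND; SIPROUND;
		v0 ^= m;
	}
	for (i = blocks; i < len; i++)		/* tail bytes + length byte */
		b |= (uint64_t)in[i] << (8 * (i - blocks));
	v3 ^= b;
	SIPROUND; SIPROUND;
	v0 ^= b;
	v2 ^= 0xff;
	SIPROUND; SIPROUND; SIPROUND; SIPROUND;
	return (v0 ^ v1 ^ v2 ^ v3);
}

/* Known-answer check from the SipHash paper: key 00..0f, message 00..0e. */
int
siphash24_selftest(void)
{
	uint8_t k[16], msg[15];
	int i;

	for (i = 0; i < 16; i++)
		k[i] = (uint8_t)i;
	for (i = 0; i < 15; i++)
		msg[i] = (uint8_t)i;
	return (siphash24(k, msg, sizeof(msg)) == 0xa129ca6149be45e5ULL);
}

/* Map a raw client address onto one of nbackends hosts. */
unsigned int
pick_backend(const uint8_t key[16], const uint8_t *addr, size_t addrlen,
    unsigned int nbackends)
{
	return ((unsigned int)(siphash24(key, addr, addrlen) % nbackends));
}

/*
 * How many of 256 constructed clients in 192.0.2.0/24 land on a different
 * backend under key_b than under key_a. Same key: 0. Independent keys:
 * most of them, so an outsider cannot precompute collisions.
 */
unsigned int
count_remapped(const uint8_t key_a[16], const uint8_t key_b[16],
    unsigned int nbackends)
{
	uint8_t addr[4] = { 192, 0, 2, 0 };
	unsigned int n = 0, i;

	for (i = 0; i < 256; i++) {
		addr[3] = (uint8_t)i;
		if (pick_backend(key_a, addr, sizeof(addr), nbackends) !=
		    pick_backend(key_b, addr, sizeof(addr), nbackends))
			n++;
	}
	return (n);
}

/* Constructed keys: key_a is the paper's test key, key_b an arbitrary other one. */
static const uint8_t key_a[16] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
static const uint8_t key_b[16] = { 0x8f, 0x21, 0xc3, 0x7a, 0x55, 0x0e, 0xd9, 0x40,
				   0x66, 0xbb, 0x12, 0xf4, 0x9c, 0x03, 0xe7, 0x2d };

int
main(void)
{
	printf("selftest: %s\n", siphash24_selftest() ? "ok" : "FAILED");
	printf("remapped, same key:      %u/256\n", count_remapped(key_a, key_a, 4));
	printf("remapped, different key: %u/256\n", count_remapped(key_a, key_b, 4));
	return (0);
}
```

The trade-off the commit's static-key option expresses is visible here: a shared static key gives identical mappings across instances (useful when several relays front the same pool), at the price that anyone who learns the key regains the ability to engineer collisions, so it should be treated as a secret, not as a configuration convenience.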
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl: - fix statistics - set INT_MAX limit on session timeouts - make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parents loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432; applied to all the others by yours truly.
ok theo
isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need for the faith(4) interface. The trick works in both directions: it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send a SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (by some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.242 |
|
15-Sep-2019 |
rob |
Add support for binary protocol health checking. Feedback and guidance from benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes log host checks log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows resuming the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relayctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows writing versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DoS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432; applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow specifying interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows maintaining multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow modifying the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow specifying host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into its own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow loading expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow listening on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows building fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow a key to be used multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as its just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
> From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.241 |
|
13-Jul-2019 |
chrisz |
fix error description on invalid forward ip.
OK benno@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
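To show what the from/path rule quoted in the 1.234 message looks like in a complete relayd.conf(5), here is an added example configuration; it is not part of the commit or of the relayd source. The table name, addresses and paths are invented, and the surrounding pass/block/match filter grammar is the last-matching rule language the later protocol filtering work introduced.

```conf
# Added example, not from the relayd tree: names and addresses are invented.
log connection errors

table <backend> { 10.1.1.10 10.1.1.11 }

http protocol "filtered-www" {
        # Hand the client address to the backend servers.
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"

        # Rules are last-matching: the catch-all block comes first so
        # that the narrower pass rules below override it.
        block
        pass from 10.0.0.0/8 path "/hello/*" forward to <backend>
        pass request path "/public/*" forward to <backend>

        # Requests that end up blocked get an HTTP error page instead
        # of a silently dropped connection.
        return error
}

relay "www" {
        listen on 192.0.2.1 port 80
        protocol "filtered-www"
        forward to <backend> port 8080 check http "/" code 200
}
```

Only clients inside 10.0.0.0/8 can reach the /hello/ tree, everyone can reach /public/, and anything else falls through to the block rule; because the protocol rules forward to <backend>, the relay block must also list that table in a forward to statement.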
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
  log updates|all
with
  log state changes
  log host checks
  log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 session per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session tickets is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recent added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432 applied to all the others by yours truly. ok theo isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key for multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header for multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness I introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not do silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advise and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
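As an added example (not relayd's own code), the following C applies the GTSM rule the commit above describes to a socket: send with TTL 255 and drop inbound packets whose TTL has been decremented further than the configured distance allows, so that a sender more than that many routers away cannot reach the listener. `gtsm_minttl()` and `gtsm_enable()` are names chosen for this example; `hops` counts network hops, so 1 means a directly attached backend and only TTL 255 is accepted. IP_MINTTL is a BSD/Linux socket option; the `#ifdef` covers platforms without it.

```c
/*
 * Added example, not relayd's own code: apply the Generalized TTL
 * Security Mechanism (RFC 3682) to a socket.  The peer sends with
 * TTL 255; packets that arrive with a TTL below 255 - (hops - 1)
 * must have travelled further than the configured distance and are
 * discarded by the kernel before the listener sees them.
 */
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* Minimum TTL a packet may still carry after `hops` network hops (1..255). */
int
gtsm_minttl(int hops)
{
	if (hops < 1 || hops > 255)
		return (-1);
	return (255 - (hops - 1));
}

/*
 * Send with the maximum TTL and reject inbound packets below the
 * threshold.  Returns 0 on success, -1 with errno set if the distance
 * is invalid, an option is refused, or the platform lacks IP_MINTTL.
 */
int
gtsm_enable(int fd, int hops)
{
	int ttl = 255, minttl;

	if ((minttl = gtsm_minttl(hops)) == -1) {
		errno = EINVAL;
		return (-1);
	}
	if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)) == -1)
		return (-1);
#ifdef IP_MINTTL
	if (setsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl,
	    sizeof(minttl)) == -1)
		return (-1);
	return (0);
#else
	errno = ENOPROTOOPT;
	return (-1);
#endif
}

int
main(void)
{
	int fd;

	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
		perror("socket");
		return (1);
	}
	/* Backends directly attached: only TTL 255 is accepted. */
	if (gtsm_enable(fd, 1) == -1)
		perror("gtsm_enable");
	else
		printf("GTSM enabled, minimum TTL %d\n", gtsm_minttl(1));
	close(fd);
	return (0);
}
```

The check only helps when the distance to the peers is fixed and known, which is why the commit singles out inbound connections to backends at a known hop count; a path change that adds a router silently turns into dropped packets rather than an error.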
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
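As an added example (not relayd's own code) covering both the timeout rule from revision 1.11 and the unit bug fixed in revision 1.6 above: `ms_to_tv()` is the correct millisecond to struct timeval conversion, `ms_to_tv_buggy()` reproduces the broken one for comparison, and `check_timeouts()` rejects a check timeout that exceeds the global interval. All function names and numbers are chosen for this example.

```c
/*
 * Added example, not relayd's own code: millisecond to struct timeval
 * conversion done right and wrong, and the timeout <= interval rule.
 */
#include <sys/time.h>
#include <stdio.h>

void
ms_to_tv(long ms, struct timeval *tv)
{
	tv->tv_sec = ms / 1000;
	tv->tv_usec = (ms % 1000) * 1000;	/* remainder is ms, scale to us */
}

/* Stores the ms remainder in tv_usec unscaled: 1500 ms becomes 1.0005 s. */
void
ms_to_tv_buggy(long ms, struct timeval *tv)
{
	tv->tv_sec = ms / 1000;
	tv->tv_usec = ms % 1000;
}

long
tv_to_us(const struct timeval *tv)
{
	return (tv->tv_sec * 1000000L + tv->tv_usec);
}

long
ms_to_us(long ms)
{
	struct timeval tv;

	ms_to_tv(ms, &tv);
	return (tv_to_us(&tv));
}

long
ms_to_us_buggy(long ms)
{
	struct timeval tv;

	ms_to_tv_buggy(ms, &tv);
	return (tv_to_us(&tv));
}

/*
 * A timeout longer than the interval would still be pending when the
 * next check round starts.  Returns 0 if the pair is acceptable, -1 if
 * either value is not positive or the timeout exceeds the interval.
 */
int
check_timeouts(long interval_ms, long timeout_ms)
{
	struct timeval iv, to;

	if (interval_ms <= 0 || timeout_ms <= 0)
		return (-1);
	ms_to_tv(interval_ms, &iv);
	ms_to_tv(timeout_ms, &to);
	if (to.tv_sec > iv.tv_sec ||
	    (to.tv_sec == iv.tv_sec && to.tv_usec > iv.tv_usec))
		return (-1);
	return (0);
}

int
main(void)
{
	printf("1500 ms -> %ld us (correct), %ld us (buggy)\n",
	    ms_to_us(1500), ms_to_us_buggy(1500));
	printf("interval 10000 ms, timeout 12000 ms: %s\n",
	    check_timeouts(10000, 12000) == 0 ? "ok" : "rejected");
	return (0);
}
```

The unit mix-up is easy to miss in testing because whole-second values convert identically either way; only sub-second remainders expose it, which is why a 1500 ms timeout firing after about a second is the symptom to look for.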
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.240 |
|
05-Jul-2019 |
patrick |
Fix integer sizes in format strings and enable formatting warnings for yyerror.
From Moritz Buhl ok claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 session per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
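As an added example (not relayd's own code), the primary/backup ticket key scheme the commit above describes, modelled in C: a ticket names the key it was sealed with, and looking that name up tells the TLS layer whether to accept the ticket as is, accept it but reissue it under the current key, or fall back to a full handshake. The struct and function names are chosen for this example, the key bytes are a constructed counter fill rather than random data, and time is passed in explicitly so the rotation logic can be exercised. Distributing the same keys to all relay processes, which the commit also covers, is outside this example.

```c
/*
 * Added example, not relayd's own code: TLS session ticket keys kept as
 * a primary/backup pair and rotated every two hours, as the commit
 * above describes.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define TICKET_KEY_NAME_LEN	16
#define TICKET_KEY_LEN		32
#define TICKET_ROTATE_SECS	(2 * 60 * 60)

struct ticket_key {
	uint8_t	name[TICKET_KEY_NAME_LEN];	/* sent in the clear in the ticket */
	uint8_t	secret[TICKET_KEY_LEN];		/* seals the ticket */
	int	valid;
};

struct ticket_keyring {
	struct ticket_key	primary;	/* seals new tickets */
	struct ticket_key	backup;		/* previous primary, still accepted */
	uint64_t		serial;		/* constructed key material source */
	time_t			rotated_at;
};

/* Derive a key from a serial number; a real implementation uses a CSPRNG. */
static void
ticket_key_make(struct ticket_key *k, uint64_t serial)
{
	size_t i;

	memset(k, 0, sizeof(*k));
	memcpy(k->name, &serial, sizeof(serial));
	for (i = 0; i < TICKET_KEY_LEN; i++)
		k->secret[i] = (uint8_t)(serial * 131 + i);
	k->valid = 1;
}

void
keyring_init(struct ticket_keyring *r, time_t now)
{
	memset(r, 0, sizeof(*r));
	ticket_key_make(&r->primary, ++r->serial);
	r->rotated_at = now;
}

/* Primary becomes backup, a fresh primary is generated, the old backup is
 * forgotten: a ticket is usable for at most two periods.  Returns 1 on rotation. */
int
keyring_rotate(struct ticket_keyring *r, time_t now)
{
	if (now - r->rotated_at < TICKET_ROTATE_SECS)
		return (0);
	r->backup = r->primary;
	ticket_key_make(&r->primary, ++r->serial);
	r->rotated_at = now;
	return (1);
}

/* Same result codes as OpenSSL's ticket key callback: 1 = primary key, use
 * as is; 2 = backup key, accept but renew; 0 = unknown, full handshake. */
int
keyring_lookup(const struct ticket_keyring *r,
    const uint8_t name[TICKET_KEY_NAME_LEN], const struct ticket_key **k)
{
	if (r->primary.valid &&
	    memcmp(name, r->primary.name, TICKET_KEY_NAME_LEN) == 0) {
		*k = &r->primary;
		return (1);
	}
	if (r->backup.valid &&
	    memcmp(name, r->backup.name, TICKET_KEY_NAME_LEN) == 0) {
		*k = &r->backup;
		return (2);
	}
	*k = NULL;
	return (0);
}

/* Seal a ticket at t=0, rotate `rotations` times, report the lookup result. */
int
ticket_fate_after_rotations(int rotations)
{
	struct ticket_keyring r;
	const struct ticket_key *k;
	uint8_t name[TICKET_KEY_NAME_LEN];
	time_t now = 0;
	int i;

	keyring_init(&r, now);
	memcpy(name, r.primary.name, sizeof(name));
	for (i = 0; i < rotations; i++) {
		now += TICKET_ROTATE_SECS;
		keyring_rotate(&r, now);
	}
	return (keyring_lookup(&r, name, &k));
}

int
main(void)
{
	int n;

	for (n = 0; n <= 2; n++)
		printf("after %d rotation(s): lookup result %d\n", n,
		    ticket_fate_after_rotations(n));
	return (0);
}
```

Keeping exactly one backup key bounds how long a stolen key stays useful, and the 2h session timeout the commit sets tells clients not to expect a ticket to outlive the rotation period; the renew path (result 2) is what keeps long-lived clients resuming across a rotation without a full handshake.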
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt
solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) has spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will lookup the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow modifying the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow specifying host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into its own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (e.g. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow loading expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow listening on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows building fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
forgot to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows using "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow adding labels to protocol actions; they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow using the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow using a key multiple times by appending a queue of additional matches to the tree node. for example, this allows specifying multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@. proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows running external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow specifying table templates in the configuration file and inheriting them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advise and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow specifying the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow defining relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow specifying the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow modifying the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow using service names in addition to numerical port numbers in the configuration file, e.g. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows defining additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
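The millisecond-to-timeval conversion that the 1.6 commit above fixes, as an added example (not relayd's code): the correct conversion next to the mistaken one the commit describes, so the factor-of-1000 error in tv_usec is visible. Function names are constructed for this illustration.

```c
/* Added example, not relayd code: converting a millisecond interval into
 * a struct timeval, the conversion the 1.6 commit fixed.  Function names
 * are constructed for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Correct: tv_usec holds microseconds, so the millisecond remainder has
 * to be scaled by 1000. */
struct timeval
ms_to_timeval(uint64_t ms)
{
	struct timeval tv;

	tv.tv_sec = ms / 1000;
	tv.tv_usec = (ms % 1000) * 1000;
	return tv;
}

/* The defect the commit describes: the remainder was stored as if tv_usec
 * were milliseconds, so a 1500 ms timeout became 1 s + 500 us. */
struct timeval
ms_to_timeval_buggy(uint64_t ms)
{
	struct timeval tv;

	tv.tv_sec = ms / 1000;
	tv.tv_usec = ms % 1000;		/* wrong: 1000x too small */
	return tv;
}

/* Back-conversion (rounds down), handy for logging and for checking that
 * a timeout does not exceed a global interval expressed in milliseconds. */
uint64_t
timeval_to_ms(const struct timeval *tv)
{
	return (uint64_t)tv->tv_sec * 1000 + (uint64_t)tv->tv_usec / 1000;
}

/* Round trip through the correct conversion; returns the input unchanged. */
uint64_t
roundtrip_ms(uint64_t ms)
{
	struct timeval tv = ms_to_timeval(ms);

	return timeval_to_ms(&tv);
}

/* Round trip through the buggy conversion, showing how much time is lost. */
uint64_t
roundtrip_ms_buggy(uint64_t ms)
{
	struct timeval tv = ms_to_timeval_buggy(ms);

	return timeval_to_ms(&tv);
}

int
main(void)
{
	printf("1500 ms -> %llu ms (correct), %llu ms (buggy)\n",
	    (unsigned long long)roundtrip_ms(1500),
	    (unsigned long long)roundtrip_ms_buggy(1500));
	return 0;
}
```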
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.239 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
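The quoted-string escape rules that the 1.64 commit (further up this log) and the 1.230 commit above both describe, as an added stand-alone function rather than the parse.y lexer itself: inside quotes a backslash followed by space or tab yields that space or tab, and a backslash followed by newline is dropped as a line continuation. Treating a backslash before the quote character the same way, and keeping any other backslash literally, is my assumption modelled on the pfctl-derived lexer; the commit text does not state it. Function names are constructed.

```c
/* Added example, not relayd's lexer: unescape the body of a quoted
 * configuration string following the rules in the 1.64/1.230 commits.
 * Handling of "\"" and of other "\X" sequences is an assumption modelled
 * on the pfctl-derived lexer.  Function names are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unescape 'in' (the quotes already removed) into 'out'.  Returns the
 * output length, or -1 when 'out' is too small or the input ends in a
 * dangling backslash. */
int
unquote_body(const char *in, char *out, size_t outlen)
{
	size_t o = 0;
	const char *p;

	for (p = in; *p != '\0'; p++) {
		char c = *p;

		if (c == '\\') {
			char next = p[1];

			if (next == '\0')
				return -1;	/* dangling backslash */
			if (next == '\n') {
				p++;		/* line continuation: drop both */
				continue;
			}
			if (next == ' ' || next == '\t' || next == '"') {
				c = next;	/* escaped blank or quote */
				p++;
			}
			/* any other "\X": keep the backslash, X follows normally */
		}
		if (o + 1 >= outlen)
			return -1;	/* no room for c plus the terminator */
		out[o++] = c;
	}
	out[o] = '\0';
	return (int)o;
}

/* Convenience wrapper over a static scratch buffer; NULL on error. */
const char *
unquote_demo(const char *in)
{
	static char scratch[256];

	return unquote_body(in, scratch, sizeof(scratch)) < 0 ? NULL : scratch;
}

int
main(void)
{
	/* Constructed inputs: a check string with an escaped space and one
	 * spanning two lines with a backslash-newline continuation. */
	printf("[%s]\n", unquote_demo("220\\ *\\ ESMTP*"));	/* [220 * ESMTP*] */
	printf("[%s]\n", unquote_demo("GET / HTTP/1.0\\\n\\r\\n"));	/* [GET / HTTP/1.0\r\n] */
	return 0;
}
```

The second sample keeps "\r\n" as literal backslash sequences, since neither commit gives them a meaning in the lexer; any translation of such sequences into control characters is a separate step after tokenising.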
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes log host checks log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload. - fix a TAILQ corruption because of a use after free - do not reinit the SSL engine since that fails OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
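Added example, not part of this commit message, of 1.234 above, or of the relayd source tree: a relayd.conf(5) protocol written in the pf-style filter language this commit introduced, combined with the from/to rule selectors that 1.234 later added (the "pass from 10.0.0.0/8 path ... forward to <b>" form). Table names, addresses, ports and paths are made up; the keywords are the documented relayd.conf(5) ones, and the rules are last-matching as the commit describes.

```conf
# Constructed relayd.conf(5) fragment (added example; names and addresses are made up).
table <frontends> { 10.1.0.10, 10.1.0.11 }
table <admin>     { 10.1.0.20 }

http protocol "webfilter" {
	# Send an HTTP error page (e.g. 403) instead of silently dropping the connection.
	return error

	# Tell the backends who the real client is.
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"

	# Default policy: deny. Later matching rules override this (last match wins).
	block request

	# Public content is relayed to the frontend pool.
	pass request path "/" forward to <frontends>
	pass request path "/static/*" forward to <frontends>

	# Admin paths only from the management network (from/to selectors of 1.234);
	# they are forwarded to a separate backend table.
	pass request from 10.0.0.0/8 path "/admin/*" forward to <admin>
}

relay "www" {
	listen on 203.0.113.1 port 80
	protocol "webfilter"
	# Every table referenced by a "forward to <table>" rule must be a forward
	# target of the relay; both pools get their own health check.
	forward to <frontends> port 8080 check http "/healthz" code 200
	forward to <admin> port 8080 check http "/healthz" code 200
}
```

The "block request" default is what makes the from/to selector a security control: a request for /admin/... from outside 10.0.0.0/8 only matches the block rule and gets the error page, while an internal client matches the later pass rule and is routed to <admin>. Check the effective ordering with relayd -n -v before reloading.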
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recent added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
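Added example, not taken from this commit, from the relayd.conf(5) EXAMPLES section it refers to, or from the relayd tree: a transparent TLS-inspecting relay of the kind this commit enabled, written with the current "tls" keyword (the "ssl" keyword used at the time is now an error, see 1.255 in the head of this log). The CA paths, the password, the interface name, the protocol name and the blocked path are made up; the CA certificate has to be installed as trusted on every inspected client, otherwise the clients will (correctly) reject the certificates relayd mints.

```conf
# Constructed relayd.conf(5) fragment (added example; paths, names and
# addresses are made up).
http protocol "inspect" {
	return error
	# Default: let inspected traffic through ...
	pass
	# ... except a made-up policy: no executables over inspected HTTPS.
	block request path "*.exe"

	# Local CA that relayd uses to forge a certificate for each inspected
	# server. Keep the key readable by root only; it can impersonate any site
	# towards the clients that trust it.
	tls ca cert "/etc/ssl/inspect-ca.crt"
	tls ca key "/etc/ssl/private/inspect-ca.key" password "changeme"
}

relay "tlsinspect" {
	# Clients are diverted here by pf; relayd terminates TLS with the forged
	# certificate, runs the filter rules, and re-encrypts towards the
	# original destination.
	listen on 127.0.0.1 port 8443 tls
	protocol "inspect"
	forward with tls to destination
}

# pf.conf(5): divert outbound HTTPS from the internal interface (em1 is made
# up) to the relay. relayd also needs its anchor loaded for redirections,
# but not for this relay-only setup.
pass in quick on em1 inet proto tcp to port 443 divert-to 127.0.0.1 port 8443
```

Two caveats a deployment should not skip: the relay becomes the TLS client for the real servers, so the forwarding side should verify the server certificates ("tls ca file" in the protocol, see 1.131 below) or the inspection box silently removes the clients' protection against spoofed servers; and the CA key is the crown jewel of the setup and belongs in the ca process only, which is exactly what 1.180 moves it into.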
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl: - fix statistics - set INT_MAX limit on session timeouts - make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DoS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
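Added example, not part of this commit or of the relayd tree: a redirection that uses the optional "match" keyword on its "tag" so that the generated pf rule is a "match in" rule, together with the pf.conf(5) rules that then do the actual pass and attach an overload table for DoS mitigation, which is the use case the commit names. Table and tag names and the addresses are made up.

```conf
# Constructed relayd.conf(5) fragment (added example; names and addresses are
# made up).
table <webhosts> { 192.168.1.10, 192.168.1.11 }

redirect "www" {
	listen on 203.0.113.1 port 80
	forward to <webhosts> check http "/" code 200
	# With "match", relayd loads its rule as "match in ... rdr-to ... tag"
	# instead of "pass in quick ... rdr-to", so the decision whether the
	# packet passes, and the state options, are left to pf.conf(5).
	match tag RELAYD_WWW
}

# pf.conf(5): relayd installs its rules into the "relayd" anchor. Ordering
# matters: the quick block for known abusers comes first, the anchor adds the
# (non-terminating) match/rdr-to rule, and the tagged pass rule at the end is
# what actually admits the connection and enforces the per-source limits.
table <abusers> persist
block in quick on egress from <abusers>
anchor "relayd/*"
pass in on egress proto tcp tagged RELAYD_WWW \
	keep state (max-src-conn 50, max-src-conn-rate 20/5, \
	overload <abusers> flush global)
```

Without the "match" keyword the default "pass in quick" rule inside the anchor would terminate rule evaluation before the tagged pass rule, so the overload table would never be populated. Verify the generated rule with pfctl -a 'relayd/*' -sr after relayd has started.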
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into its own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send a SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason, for example a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default; the standard behaviour is to silently drop the connection, and the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow a key to be used multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables everytime we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gille Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as its just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
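The IP_TTL/IP_MINTTL pair described in the commit above, as an added example in C (this is not relayd's code): GTSM sends with TTL 255 and has the kernel drop inbound packets whose TTL is below 255 minus the known hop count, so a spoofed packet from further away is discarded before TCP ever sees it. IP_MINTTL is assumed to exist (OpenBSD, FreeBSD and Linux provide it); RFC 3682, cited in the commit, has since been obsoleted by RFC 5082 without changing the mechanism.

```c
/*
 * Added example, not relayd's own code: applying the Generalized TTL
 * Security Mechanism to a socket with the IP_TTL and IP_MINTTL socket
 * options this commit exposed in the relay configuration.
 */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Send with TTL 255 and have the kernel discard any inbound packet whose
 * TTL is below 255 - hops. A peer that really is at most 'hops' routers
 * away always arrives with TTL >= 255 - hops; a spoofed packet from
 * further out cannot, because TTL only ever decreases in transit. The
 * check happens before the TCP state machine sees the packet, so it also
 * blunts blind RST/SYN floods from distant sources.
 */
int
gtsm_apply(int fd, int hops)
{
	int ttl = 255, minttl;

	if (hops < 0 || hops > 254) {
		errno = EINVAL;
		return -1;
	}
	minttl = 255 - hops;
	if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)) == -1)
		return -1;
#ifdef IP_MINTTL
	return setsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
#else
	errno = ENOPROTOOPT;	/* platform cannot enforce the inbound side */
	return -1;
#endif
}

/*
 * Create a throwaway TCP socket, apply GTSM for 'hops' and read back the
 * minimum TTL the kernel stored. Returns that value, -1 if the options
 * could not be set, -2 if no socket could be created at all.
 */
int
gtsm_selftest(int hops)
{
	int fd, minttl = -1;
	socklen_t len = sizeof(minttl);

	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		return -2;
	if (gtsm_apply(fd, hops) == -1) {
		close(fd);
		return -1;
	}
#ifdef IP_MINTTL
	if (getsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl, &len) == -1)
		minttl = -1;
#endif
	close(fd);
	return minttl;
}

int
main(void)
{
	int r = gtsm_selftest(1);	/* backends one router away */

	if (r < 0)
		printf("gtsm: %s\n", strerror(errno));
	else
		printf("gtsm: accepting only packets with TTL >= %d\n", r);
	return r < 0;
}
```

The hop count must be the true maximum distance of the peer: if the path to a backend grows by one router, legitimate traffic is silently dropped, which is why the commit calls this out as useful for a fixed distance to the backend servers.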
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.238 |
|
31-May-2019 |
reyk |
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@
|
#
1.237 |
|
31-May-2019 |
reyk |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
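The primary/backup key ring with 2h rotation that the commit above describes, as an added example in C (not relayd's code). It simplifies in two places, both assumptions of the example: tickets are identified by a 32-bit key revision rather than the 16-byte key name a real TLS ticket carries, and key generation is injected so the run is deterministic, where relayd's parent draws the key randomly and distributes the same ring to every relay process.

```c
/*
 * Added example, not relayd's own code: the primary/backup key ring behind
 * the TLS session ticket scheme in this commit. Tickets are identified by a
 * 32-bit key revision instead of a real ticket's 16-byte key name, and key
 * generation is injected for determinism (relayd's parent draws the key
 * randomly and sends the same ring to every relay process). Times are
 * seconds from an arbitrary epoch, constructed here.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define TICKET_KEY_SIZE		48		/* name + cipher key + HMAC key */
#define TICKET_KEY_LIFETIME	(2 * 60 * 60)	/* 2h rotation, as in relayd */

enum ticket_key_state {
	TICKET_KEY_UNKNOWN = 0,	/* not ours or expired: full handshake */
	TICKET_KEY_PRIMARY = 1,	/* current key: resume as-is */
	TICKET_KEY_BACKUP = 2	/* previous key: resume, reissue the ticket */
};

struct ticket_key {
	uint32_t	rev;
	time_t		created;
	uint8_t		key[TICKET_KEY_SIZE];
};

struct ticket_keyring {
	struct ticket_key	primary;
	struct ticket_key	backup;
	int			have_backup;
};

typedef void (*keygen_fn)(uint8_t *, size_t, uint32_t);

void
ticket_keyring_init(struct ticket_keyring *r, time_t now, keygen_fn gen)
{
	memset(r, 0, sizeof(*r));
	r->primary.rev = 1;
	r->primary.created = now;
	gen(r->primary.key, sizeof(r->primary.key), r->primary.rev);
}

/* Rotate once the primary key reaches its lifetime; returns 1 if it did. */
int
ticket_keyring_rotate(struct ticket_keyring *r, time_t now, keygen_fn gen)
{
	if (now - r->primary.created < TICKET_KEY_LIFETIME)
		return 0;
	r->backup = r->primary;	/* stays valid for exactly one more period */
	r->have_backup = 1;
	r->primary.rev++;
	r->primary.created = now;
	gen(r->primary.key, sizeof(r->primary.key), r->primary.rev);
	return 1;
}

/*
 * Resolve the key revision carried by a presented ticket; *key receives the
 * material for decryption or NULL. Because only one backup is kept, a
 * ticket resumes for at most 2 * TICKET_KEY_LIFETIME after issue, which
 * also bounds how long a leaked ticket key can decrypt recorded sessions.
 */
enum ticket_key_state
ticket_keyring_lookup(const struct ticket_keyring *r, uint32_t rev,
    const uint8_t **key)
{
	if (rev == r->primary.rev) {
		*key = r->primary.key;
		return TICKET_KEY_PRIMARY;
	}
	if (r->have_backup && rev == r->backup.rev) {
		*key = r->backup.key;
		return TICKET_KEY_BACKUP;
	}
	*key = NULL;
	return TICKET_KEY_UNKNOWN;
}

/* Constructed generator for the example only; real keys must come from
 * arc4random_buf(3) or equivalent. */
void
demo_keygen(uint8_t *buf, size_t len, uint32_t rev)
{
	size_t i;

	for (i = 0; i < len; i++)
		buf[i] = (uint8_t)(rev * 31 + i);
}

struct ticket_keyring demo_ring;	/* state for the usage below */
const uint8_t *demo_key;

int
main(void)
{
	time_t t;

	ticket_keyring_init(&demo_ring, 0, demo_keygen);
	for (t = 0; t <= 3 * TICKET_KEY_LIFETIME; t += TICKET_KEY_LIFETIME) {
		ticket_keyring_rotate(&demo_ring, t, demo_keygen);
		printf("t=%ldh primary rev %u, ticket from rev 1 -> %d\n",
		    (long)(t / 3600), demo_ring.primary.rev,
		    ticket_keyring_lookup(&demo_ring, 1, &demo_key));
	}
	return 0;
}
```

A ticket issued under revision 1 resumes as primary until the first rotation, as backup until the second, and then forces a full handshake; the TLS_KEY_BACKUP case is where a server hands the client a fresh ticket under the current key so that a long-lived client does not fall off the ring.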
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
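The keyed hashing this commit introduced, as an added example in C (not relayd's code): a self-contained SipHash-2-4 with the known-answer vector from the SipHash paper, and a backend selector that maps a client address to one of n hosts. The key and client address are constructed; relayd draws its key with arc4random_buf(3) unless a static key is configured so that several instances agree on the mapping. The point of the keyed hash is that without the key an outsider cannot craft source addresses that all collapse onto one backend.

```c
/*
 * Added example, not relayd's own code: keyed hashing of a client address
 * with SipHash-2-4 to pick a backend, the way this commit moved the
 * source-hash/loadbalance/hash modes off the unkeyed sys/hash routines.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ROTL64(x, b)	((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND(v0, v1, v2, v3) do {					\
	v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);	\
	v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;			\
	v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;			\
	v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);	\
} while (0)

static uint64_t
le64(const uint8_t *p)
{
	uint64_t v = 0;
	int i;

	for (i = 7; i >= 0; i--)
		v = (v << 8) | p[i];
	return v;
}

/* SipHash-2-4 (Aumasson and Bernstein): 128-bit key, 64-bit output. */
uint64_t
siphash24(const uint8_t key[16], const uint8_t *in, size_t len)
{
	uint64_t v0 = 0x736f6d6570736575ULL, v1 = 0x646f72616e646f6dULL;
	uint64_t v2 = 0x6c7967656e657261ULL, v3 = 0x7465646279746573ULL;
	uint64_t k0 = le64(key), k1 = le64(key + 8);
	uint64_t m, b = (uint64_t)len << 56;	/* length byte of the last block */
	size_t i, blocks = len & ~(size_t)7;

	v3 ^= k1; v2 ^= k0; v1 ^= k1; v0 ^= k0;
	for (i = 0; i < blocks; i += 8) {
		m = le64(in + i);
		v3 ^= m;
		SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3);
		v0 ^= m;
	}
	for (i = blocks; i < len; i++)		/* tail bytes, little-endian */
		b |= (uint64_t)in[i] << (8 * (i - blocks));
	v3 ^= b;
	SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3);
	v0 ^= b;
	v2 ^= 0xff;
	SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3);
	SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3);
	return v0 ^ v1 ^ v2 ^ v3;
}

/* Known-answer test: key 00..0f with message 00..0e (SipHash paper) and
 * with the empty message. Returns 1 if both match. */
int
siphash24_selftest(void)
{
	static const uint8_t k[16] = { 0, 1, 2, 3, 4, 5, 6, 7,
	    8, 9, 10, 11, 12, 13, 14, 15 };
	static const uint8_t m[15] = { 0, 1, 2, 3, 4, 5, 6, 7,
	    8, 9, 10, 11, 12, 13, 14 };

	return siphash24(k, m, sizeof(m)) == 0xa129ca6149be45e5ULL &&
	    siphash24(k, m, 0) == 0x726fdb47dd0e0e31ULL;
}

/*
 * Map a client address to one of nhosts backends. Deterministic for a
 * given key, so a client keeps hitting the same backend, but without the
 * key nobody can choose addresses that all land on one host.
 * Returns (size_t)-1 if there are no hosts.
 */
size_t
pick_backend(const uint8_t key[16], const uint8_t *addr, size_t addrlen,
    size_t nhosts)
{
	if (nhosts == 0)
		return (size_t)-1;
	return (size_t)(siphash24(key, addr, addrlen) % nhosts);
}

/* Constructed key and client (192.0.2.10); relayd fills the key from
 * arc4random_buf() unless a static key is configured. */
const uint8_t demo_hash_key[16] = { 0, 1, 2, 3, 4, 5, 6, 7,
    8, 9, 10, 11, 12, 13, 14, 15 };
const uint8_t demo_client[4] = { 192, 0, 2, 10 };

int
main(void)
{
	printf("selftest %s; 192.0.2.10 -> backend %zu of 3\n",
	    siphash24_selftest() ? "ok" : "FAILED",
	    pick_backend(demo_hash_key, demo_client, sizeof(demo_client), 3));
	return !siphash24_selftest();
}
```

A static key should only be configured when several relayd instances must agree on the client-to-backend mapping; with a static key the assignment is again predictable to anyone who learns it.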
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
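The two string-hygiene rules from this commit and from revision 1.24 above ("never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel"), as one added example in C that is not code from relayd or pfctl: a minimal quoted-string lexer that refuses an embedded NUL, and a bounded copy that refuses to hand pf a silently truncated name. The buffer size mirrors pf's 32-byte table name limit, the backslash handling is simplified compared to the real lexer, and the sample inputs are constructed.

```c
/*
 * Added example, not code from relayd or pfctl: reject an embedded NUL in a
 * quoted config string (the afl finding in this commit) and refuse to pass
 * a truncated name on to pf (revision 1.24).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PF_TABLE_NAME_SIZE	32	/* mirrors the limit in <net/pfvar.h> */

/*
 * Find the body of a double-quoted token at the start of buf. Returns its
 * length and sets *start to its offset, or -1 for an unterminated string or
 * an embedded NUL. The lexer works on (pointer, length), never on strlen():
 * a NUL would otherwise end the string early, and every later consumer
 * would see a different name from the one that was checked.
 * A backslash escapes the next byte (a simplification of the real lexer).
 */
long
lex_quoted(const uint8_t *buf, size_t buflen, size_t *start)
{
	size_t i;

	if (buflen == 0 || buf[0] != '"')
		return -1;
	for (i = 1; i < buflen; i++) {
		if (buf[i] == '\0')
			return -1;
		if (buf[i] == '\\' && i + 1 < buflen) {
			i++;
			continue;
		}
		if (buf[i] == '"') {
			*start = 1;
			return (long)(i - 1);
		}
	}
	return -1;
}

/*
 * Copy a name into the fixed-size field that goes to pf(4). This is the
 * same discipline as checking strlcpy()'s return value against the buffer
 * size, plus rejection of empty names and embedded NULs. Returns 0 on
 * success, -1 if the name does not fit: a 32-character table name must be
 * an error, not a rule that quietly acts on a differently named table.
 */
int
pf_name_copy(char *dst, size_t dstsz, const uint8_t *src, size_t srclen)
{
	if (srclen == 0 || srclen >= dstsz || memchr(src, '\0', srclen) != NULL)
		return -1;
	memcpy(dst, src, srclen);
	dst[srclen] = '\0';
	return 0;
}

/* Lex a quoted table name from a config fragment and validate it for pf.
 * Returns 0 if usable, -1 otherwise. */
int
parse_table_name(const uint8_t *buf, size_t buflen, char *dst, size_t dstsz)
{
	size_t start = 0;
	long len = lex_quoted(buf, buflen, &start);

	if (len < 0)
		return -1;
	return pf_name_copy(dst, dstsz, buf + start, (size_t)len);
}

char demo_name[PF_TABLE_NAME_SIZE];	/* destination for the usage below */

int
main(void)
{
	/* constructed inputs; the second carries the NUL the fuzzer found */
	static const uint8_t good[] = "\"webhosts\"";
	static const uint8_t nul[] = "\"web\0hosts\"";

	printf("good: %d\n", parse_table_name(good, sizeof(good) - 1,
	    demo_name, sizeof(demo_name)));
	printf("nul:  %d\n", parse_table_name(nul, sizeof(nul) - 1,
	    demo_name, sizeof(demo_name)));
	return 0;
}
```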
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recent added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing on key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advise and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (by some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 load balancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.236 |
|
29-May-2019 |
reyk |
Fix the check if a relay has been specified twice
Relays cannot have the same name or listen address. If a listen address is specified multiple times, the parser expands the configuration into multiple relays automatically.
OK rob@
|
#
1.235 |
|
29-May-2019 |
reyk |
Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI.
Ok rob@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relayctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability. default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness I introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (I figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.234 |
|
10-May-2019 |
reyk |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DoS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432; applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gille Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pry@,reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows running external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow specifying table templates in the configuration file and inheriting them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow specifying the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
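As an added example (not relayd's own code): what the two socket options from the commit above do when applied together. GTSM works because every router decrements the TTL, so a peer at most N hops away can still deliver packets with TTL 255 - N, while anything injected from further away cannot. The function names and the "hops" parameter are assumptions for the illustration; the code only configures an unconnected socket and sends nothing.

```c
/*
 * Added example, not relayd's code: apply GTSM (RFC 3682) to a socket.
 * gtsm_apply(), gtsm_get_ttl() and gtsm_demo_socket() are names chosen
 * for this demo.
 */
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Send with TTL 255 and drop anything arriving with a TTL below
 * 255 - hops. A packet from further away than "hops" routers cannot
 * carry a TTL that high, so spoofed segments from the Internet at
 * large never reach the application.
 * Returns 0 on success, 1 if this kernel lacks IP_MINTTL (the outbound
 * TTL is still set, but no inbound filtering happens), -1 on error.
 */
int
gtsm_apply(int fd, int hops)
{
	int ttl = 255;
	int minttl;

	if (hops < 0 || hops > 254)
		return -1;
	if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)) == -1)
		return -1;
	minttl = 255 - hops;
#ifdef IP_MINTTL
	if (setsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl,
	    sizeof(minttl)) == -1)
		return (errno == ENOPROTOOPT || errno == EINVAL) ? 1 : -1;
	return 0;
#else
	(void)minttl;
	return 1;
#endif
}

/* read back the outbound TTL so a caller can verify what was applied */
int
gtsm_get_ttl(int fd)
{
	int ttl = 0;
	socklen_t len = sizeof(ttl);

	if (getsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, &len) == -1)
		return -1;
	return ttl;
}

/* an IPv4 TCP socket for the demo; nothing is bound or connected */
int
gtsm_demo_socket(void)
{
	return socket(AF_INET, SOCK_STREAM, 0);
}

int
main(void)
{
	int fd = gtsm_demo_socket();
	int r;

	if (fd == -1) {
		perror("socket");
		return 1;
	}
	/* backends one router away: accept only TTL >= 254 */
	r = gtsm_apply(fd, 1);
	printf("gtsm_apply: %d, outbound ttl now %d\n", r, gtsm_get_ttl(fd));
	close(fd);
	return 0;
}
```

The minimum TTL has to be chosen per deployment: it is only a protection if the real peers sit at a fixed, known distance, which is exactly the "fixed distance to the backend servers" the commit mentions.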
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow running relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow specifying the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow modifying the backlog as a per-protocol tcp option to improve the performance on busy systems (to get fewer connection failures under heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow collecting some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow using service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expressions (see regex(3)). this allows defining additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.233 |
|
13-Mar-2019 |
benno |
remove unused keyword "virtual". ok gcc, claudio@ agrees
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload. - fix a TAILQ corruption because of a use after free - do not reinit the SSL engine since that fails OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
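As an added example (not relayd's code): the keyed hash the commit above describes, SipHash-2-4, used to pick a backend from a client's source address. The security point is the key: with a static key every relayd instance maps a client to the same backend (which the commit makes configurable), and anyone who knows the key and the host list can also predict, and therefore steer, that mapping; with the default random key the mapping is unpredictable to outsiders and differs per instance. The keys, the client address and the function names below are constructed for this demo; the hash itself is the published SipHash-2-4 construction.

```c
/*
 * Added example, not relayd's own code: SipHash-2-4 as the keyed hash
 * behind a source-hash backend choice. Keys, the client address and
 * the names siphash24()/pick_backend() are constructed for this demo.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
	v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32); \
	v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2; \
	v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0; \
	v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32); \
} while (0)

/* little-endian load of 8 bytes */
static uint64_t
le64(const uint8_t *p)
{
	uint64_t x = 0;
	int i;

	for (i = 7; i >= 0; i--)
		x = (x << 8) | p[i];
	return x;
}

/* SipHash-2-4: 16-byte key, 64-bit tag; the reference construction */
uint64_t
siphash24(const uint8_t key[16], const void *data, size_t len)
{
	const uint8_t *in = data;
	uint64_t k0 = le64(key), k1 = le64(key + 8);
	uint64_t v0 = 0x736f6d6570736575ULL ^ k0;
	uint64_t v1 = 0x646f72616e646f6dULL ^ k1;
	uint64_t v2 = 0x6c7967656e657261ULL ^ k0;
	uint64_t v3 = 0x7465646279746573ULL ^ k1;
	uint64_t b = (uint64_t)len << 56;	/* length in the top byte */
	size_t i;

	for (i = 0; i + 8 <= len; i += 8) {	/* full 8-byte blocks */
		uint64_t m = le64(in + i);
		v3 ^= m;
		SIPROUND; SIPROUND;		/* c = 2 compression rounds */
		v0 ^= m;
	}
	for (; i < len; i++)			/* 0..7 trailing bytes */
		b |= (uint64_t)in[i] << (8 * (i & 7));
	v3 ^= b;
	SIPROUND; SIPROUND;
	v0 ^= b;
	v2 ^= 0xff;
	SIPROUND; SIPROUND; SIPROUND; SIPROUND;	/* d = 4 finalization rounds */
	return v0 ^ v1 ^ v2 ^ v3;
}

/*
 * Map a client source address to one of nhosts backends. Instances that
 * share a static key agree on the mapping; an instance with its own
 * random key maps independently, and without the key an outsider
 * cannot predict which backend a chosen source address lands on.
 */
size_t
pick_backend(const uint8_t key[16], const void *src, size_t srclen,
    size_t nhosts)
{
	if (nhosts == 0)
		return 0;
	return (size_t)(siphash24(key, src, srclen) % nhosts);
}

int
main(void)
{
	/* constructed: a key two instances share, and one private to B */
	const uint8_t shared[16] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05,
	    0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
	const uint8_t own_b[16] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02,
	    0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c };
	const uint8_t client[4] = { 192, 0, 2, 10 };	/* TEST-NET-1 */

	printf("A, shared key: backend %zu\n", pick_backend(shared, client, 4, 3));
	printf("B, shared key: backend %zu\n", pick_backend(shared, client, 4, 3));
	printf("B, own key:    backend %zu\n", pick_backend(own_b, client, 4, 3));
	return 0;
}
```

A non-keyed hash such as the old sys/hash functions gives the same mapping to everyone, so a client can choose source addresses that all land on one backend; the keyed construction only removes that ability when the key actually stays secret, which is the cost of opting into a static key.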
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing frees in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability. default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will lookup the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.232 |
|
04-Mar-2019 |
benno |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session tickets are supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relayctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key for multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as its just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (by some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.231 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session tickets are supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recent added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing frees in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will lookup the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into its own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
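The address mapping described in the commit above, written out as an added C example (this is not relayd's own code; the function names and the static output buffers are assumptions of the example): the IPv4 target is taken from the last 4 octets of the IPv6 destination, and the IPv6 target is a configured prefix with the original IPv4 destination appended as its low 32 bits. The addresses in main() are constructed from the documentation ranges.

```c
#define _DEFAULT_SOURCE 1	/* glibc: expose the POSIX declarations under strict -std flags */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/*
 * IPv6 -> IPv4: the IPv4 target is the last 4 octets (low 32 bits) of the
 * IPv6 destination address. Returns a pointer to a static string buffer
 * (not reentrant; fine for a demo), or NULL on a malformed input.
 */
const char *
map_v6_to_v4(const char *v6dst)
{
	static char	 out[INET_ADDRSTRLEN];
	struct in6_addr	 a6;
	struct in_addr	 a4;

	if (inet_pton(AF_INET6, v6dst, &a6) != 1)
		return NULL;
	memcpy(&a4, &a6.s6_addr[12], sizeof(a4));
	return inet_ntop(AF_INET, &a4, out, sizeof(out));
}

/*
 * IPv4 -> IPv6: the IPv6 target is a configured prefix (its upper 96 bits
 * are kept) with the original IPv4 destination as the low 32 bits. Any low
 * bits present in the prefix are overwritten. Returns NULL on bad input.
 */
const char *
map_v4_to_v6(const char *prefix, const char *v4dst)
{
	static char	 out[INET6_ADDRSTRLEN];
	struct in6_addr	 a6;
	struct in_addr	 a4;

	if (inet_pton(AF_INET6, prefix, &a6) != 1 ||
	    inet_pton(AF_INET, v4dst, &a4) != 1)
		return NULL;
	memcpy(&a6.s6_addr[12], &a4, sizeof(a4));
	return inet_ntop(AF_INET6, &a6, out, sizeof(out));
}

int
main(void)
{
	/* constructed sample addresses from the 2001:db8::/32 and 192.0.2.0/24 documentation ranges */
	printf("%s\n", map_v6_to_v4("2001:db8::c000:201"));		/* 192.0.2.1 */
	printf("%s\n", map_v4_to_v6("2001:db8::", "192.0.2.1"));	/* 2001:db8::c000:201 */
	return 0;
}
```

Note that the mapping itself accepts any destination: as the commit says, there is no access list here, so which destinations get translated at all is decided by the pf.conf(5) rules that feed the redirection, and those rules are where the reachable address range must be constrained.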
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send a SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send a HTTP error page with error code and a meaningful message if a HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow using a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
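An added C example (not relayd's own code; the function names and the throwaway probe socket are assumptions of the example) of what the IP_TTL/IP_MINTTL pair in this commit buys a relay: with GTSM, outgoing packets leave with TTL 255, and the kernel discards inbound packets whose TTL is lower than 255 minus the known hop distance to the backend, so a peer that is further away than the real backend cannot get its packets accepted on that socket, whatever source address it forges.

```c
#define _DEFAULT_SOURCE 1	/* glibc: expose the POSIX/BSD socket declarations under strict -std flags */
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <stdio.h>

/*
 * Apply GTSM (RFC 3682) to a socket: send with TTL 255 and have the
 * kernel drop inbound packets that arrived with a TTL below 255 - hops,
 * i.e. packets that crossed more routers than the backend is away.
 * Returns 0 on success, -1 on a bad hop count or setsockopt failure.
 */
int
gtsm_apply(int fd, int hops)
{
	int	ttl = 255, minttl;

	if (hops < 0 || hops > 254)
		return -1;
	minttl = 255 - hops;
	if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)) == -1)
		return -1;
	if (setsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl)) == -1)
		return -1;
	return 0;
}

/* Read back the minimum TTL the kernel enforces on fd, or -1 on error. */
int
gtsm_get_minttl(int fd)
{
	int		v = -1;
	socklen_t	len = sizeof(v);

	if (getsockopt(fd, IPPROTO_IP, IP_MINTTL, &v, &len) == -1)
		return -1;
	return v;
}

/*
 * Create a throwaway TCP socket, apply GTSM for `hops` and report the
 * value the kernel actually stored, so a configured distance can be
 * verified without connecting anywhere. Returns the min TTL or -1.
 */
int
gtsm_probe(int hops)
{
	int	fd, v;

	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		return -1;
	v = gtsm_apply(fd, hops) == 0 ? gtsm_get_minttl(fd) : -1;
	close(fd);
	return v;
}

int
main(void)
{
	/* a backend one router hop away: only packets with TTL >= 254 are accepted */
	printf("enforced min ttl for 1 hop: %d\n", gtsm_probe(1));
	return 0;
}
```

The hop count must reflect the real, fixed path to the backend; a backend reached over a path that can grow by a hop (for example after a failover) would then be rejected as "too far away", which is why the commit calls this out as useful with a fixed distance to the backend servers.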
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.230 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relayctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability; default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl: - fix statistics - set INT_MAX limit on session timeouts - make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432; applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed setting the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key for multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header for multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pry@,reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
- make parse_config allocate the hoststated function by itself
- make as many sockets as necessary to talk to the relay children
- add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.229 |
|
22-Oct-2018 |
denis |
Make host_*() AF-agnostic
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
With input & test by kn@ and benno@
OK benno@ kn@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing frees in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will lookup the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness I introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gille Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pry@,reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.228 |
|
07-Sep-2018 |
miko |
replace malloc()+strlcpy() with strndup() in cmdline_symset().
"looks good" gilles@ halex@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recent added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) now. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gille Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pry@,reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as its just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.227 |
|
06-Aug-2018 |
benno |
replace the current log options
    log updates|all
with
    log state changes
    log host checks
    log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
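Keyed backend selection with SipHash-2-4, added here as a stand-alone illustration of the "random key by default, optional static key" behaviour in the commit above (this is not relayd's own code). The SipHash routine follows the published SipHash-2-4 specification; the "hash modulo number of backends" selection, the use of the client address text as hash input, the sample key and the client addresses are constructed for this example and are not relayd's exact scheme.

```c
/*
 * Added example, not relayd's own code: SipHash-2-4 keyed with either a
 * per-instance random key or an operator-supplied static key, used to map
 * clients onto backends. With a key the attacker does not know, the
 * client -> backend mapping cannot be predicted or steered; a static key
 * trades that for several instances agreeing on the same mapping.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
/* One SipRound over the local state words v0..v3. */
#define SIPROUND do {							\
	v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);	\
	v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;			\
	v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;			\
	v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);	\
} while (0)

/* Little-endian 64-bit load, independent of host byte order. */
static uint64_t
load64_le(const uint8_t *p)
{
	uint64_t v = 0;
	int i;

	for (i = 7; i >= 0; i--)
		v = (v << 8) | p[i];
	return v;
}

/* SipHash-2-4: 128-bit key, arbitrary-length message, 64-bit tag. */
uint64_t
siphash24(const uint8_t key[16], const void *msg, size_t len)
{
	const uint8_t *in = msg;
	uint64_t k0 = load64_le(key), k1 = load64_le(key + 8);
	uint64_t v0 = 0x736f6d6570736575ULL ^ k0;
	uint64_t v1 = 0x646f72616e646f6dULL ^ k1;
	uint64_t v2 = 0x6c7967656e657261ULL ^ k0;
	uint64_t v3 = 0x7465646279746573ULL ^ k1;
	uint64_t b = (uint64_t)len << 56;	/* final block carries len mod 256 */
	size_t i;

	for (i = 0; i + 8 <= len; i += 8) {
		uint64_t m = load64_le(in + i);
		v3 ^= m;
		SIPROUND; SIPROUND;
		v0 ^= m;
	}
	for (; i < len; i++)			/* 0..7 trailing bytes */
		b |= (uint64_t)in[i] << (8 * (i % 8));
	v3 ^= b;
	SIPROUND; SIPROUND;
	v0 ^= b;
	v2 ^= 0xff;
	SIPROUND; SIPROUND; SIPROUND; SIPROUND;
	return v0 ^ v1 ^ v2 ^ v3;
}

/* Map a client (here: its address as text) onto one of nbackends backends. */
size_t
pick_backend(const uint8_t key[16], const void *client, size_t clientlen,
    size_t nbackends)
{
	if (nbackends == 0)
		return 0;
	return (size_t)(siphash24(key, client, clientlen) % nbackends);
}

int
main(void)
{
	/* Constructed sample: a static key an operator might configure ... */
	static const uint8_t static_key[16] = "relayd-static-k";
	/* ... versus a key drawn at startup that nobody outside the box knows. */
	uint8_t random_key[16];
	static const char *clients[] = {
		"192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.99"
	};
	FILE *f = fopen("/dev/urandom", "r");
	size_t i;

	if (f == NULL || fread(random_key, 1, sizeof(random_key), f) !=
	    sizeof(random_key)) {
		fprintf(stderr, "cannot read /dev/urandom\n");
		return 1;
	}
	fclose(f);
	for (i = 0; i < sizeof(clients) / sizeof(clients[0]); i++)
		printf("%-14s static key -> backend %zu, random key -> backend %zu\n",
		    clients[i],
		    pick_backend(static_key, clients[i], strlen(clients[i]), 3),
		    pick_backend(random_key, clients[i], strlen(clients[i]), 3));
	return 0;
}
```

With the static key, every run (and every instance sharing that key) prints the same mapping; with the random key the mapping changes per run. Anyone who knows the static key can compute which backend a given source lands on, which is what the random default is there to prevent, so a static key belongs in the configuration only when several instances must agree.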
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows writing versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing frees in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl: - fix statistics - set INT_MAX limit on session timeouts - make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432 applied to all the others by yours truly. ok theo isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow specifying interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows maintaining multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow modifying the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow specifying host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into its own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow loading expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow listening on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows building fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows using "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow adding labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow using the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow using a key multiple times by appending a queue of additional matches to the tree node. for example, this allows specifying multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gille Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows running external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow specifying table templates in the configuration file and inheriting them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload: * make parse_config allocate the hoststated function by itself * make as many sockets as necessary to talk to the relay children * add send_all for talking to all children with advise and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing. - allow to run relays with tables without depending on services - show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS) - increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get fewer connection failures on heavy load) - close the connection if SSL_accept returned an error - instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information - add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents) - some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.226 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.225 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload. - fix a TAILQ corruption because of a use after free - do not reinit the SSL engine since that fails OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recent added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl: - fix statistics - set INT_MAX limit on session timeouts - make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) and (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send a SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness I introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advise and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.224 |
|
11-Jun-2018 |
denis |
Fix an off-by-one line count when using include statements.
Thanks to otto@ for the initial diff.
OK benno@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relayctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recently added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl: - fix statistics - set INT_MAX limit on session timeouts - make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into its own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send a SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send a HTTP error page with error code and a meaningful message if a HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@,reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.223 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
#
1.222 |
|
18-Apr-2018 |
claudio |
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session tickets are supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relaydctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recent added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability. default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Pascal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ...
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness i introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow to specify the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow to run relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow to define relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow to specify the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow to modify the backlog as a per-protocol tcp option to improve the performance on busy systems (to get less connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow to use service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expression (see regex(3)). this allows to define additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|
#
1.221 |
|
29-Nov-2017 |
benno |
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@
|
#
1.220 |
|
27-Nov-2017 |
claudio |
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
|
#
1.219 |
|
27-Nov-2017 |
claudio |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
1.218 |
|
16-Nov-2017 |
bluhm |
Check that http options are only configured in http protocols. OK benno@
|
#
1.217 |
|
15-Nov-2017 |
benno |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.216 |
|
28-Aug-2017 |
florian |
65535 is a valid port to listen on. Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT gmail, thanks! chris@ pointed out that more than httpd(8) is affected. OK gilles@
|
#
1.215 |
|
27-May-2017 |
claudio |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.214 |
|
05-Jan-2017 |
krw |
Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
#
1.213 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
#
1.212 |
|
26-Sep-2016 |
reyk |
spacing
|
#
1.211 |
|
03-Sep-2016 |
reyk |
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
|
#
1.210 |
|
02-Sep-2016 |
reyk |
Move snmp options into struct relayd_config and delay start of the snmp subsystem until the configuration is done.
OK benno@ claudio@
|
#
1.209 |
|
02-Sep-2016 |
reyk |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|
#
1.208 |
|
01-Sep-2016 |
claudio |
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session tickets are supposed to be alive. Input and OK benno@, reyk@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.207 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.206 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.205 |
|
20-Aug-2015 |
deraadt |
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.204 |
|
02-May-2015 |
claudio |
Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.203 |
|
08-Feb-2015 |
reyk |
branches: 1.203.2; Use AI_ADDRCONFIG when resolving hosts on startup.
OK henning@
|
#
1.202 |
|
22-Jan-2015 |
reyk |
Clean up the relayd headers with help of include-what-you-use and some manual review. Based on common practice, relayd.h now includes the necessary headers for itself.
OK benno@
|
#
1.201 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.200 |
|
16-Jan-2015 |
deraadt |
Adapt to <limits.h> universe. ok millert
|
#
1.199 |
|
23-Dec-2014 |
reyk |
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
#
1.198 |
|
21-Dec-2014 |
guenther |
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
#
1.197 |
|
18-Dec-2014 |
reyk |
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
#
1.196 |
|
12-Dec-2014 |
reyk |
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
#
1.195 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.194 |
|
19-Nov-2014 |
blambert |
Support exporting relayd statistics via AgentX/snmpd
This should be equivalent to the statistics available via the various relayctl show commands
okay benno@ reyk@
|
#
1.193 |
|
07-Nov-2014 |
jsing |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended.
ok reyk@
|
#
1.192 |
|
02-Nov-2014 |
bluhm |
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
|
#
1.191 |
|
20-Oct-2014 |
reyk |
Remove the "interface" option from the "transparent forward" directive. It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following directive in a relay block: "transparent forward to destination".
OK sthen@
|
#
1.190 |
|
15-Oct-2014 |
reyk |
Disable SSLv3 by default.
OK sthen@ jsing@
|
#
1.189 |
|
05-Sep-2014 |
blambert |
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
#
1.188 |
|
29-Aug-2014 |
blambert |
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.187 |
|
11-Jul-2014 |
reyk |
Sometimes I just sort the tokens in parse.y
|
#
1.186 |
|
11-Jul-2014 |
reyk |
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults.
ok benno@
|
#
1.185 |
|
11-Jul-2014 |
reyk |
Simplify the code that handles the HTTP headers by using an RB tree with associated lists instead of the complicated lookup table and "others" list. This might add a little malloc overhead for common headers but also fixes some issues like the handling of repeated headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part) ok benno@
|
#
1.184 |
|
09-Jul-2014 |
reyk |
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
#
1.183 |
|
25-Jun-2014 |
reyk |
sync copyright to reality according to my last changes
|
#
1.182 |
|
12-May-2014 |
andre |
Fix a leak from a recent added mark/marked keywords check.
ok reyk
|
#
1.181 |
|
08-May-2014 |
reyk |
fail for unsupported node action/type combinations. Also fail for the unsupported mark/marked combination in a single rule.
ok andre@
|
#
1.180 |
|
22-Apr-2014 |
reyk |
Support the CA key for SSL inspection in the ca process. Instead of looking up the keys by relay id, add all keys to a list and look them up by key id.
ok benno@
|
#
1.179 |
|
21-Apr-2014 |
reyk |
Add a few missing free's in the grammar.
|
#
1.178 |
|
20-Apr-2014 |
reyk |
Add a few more overflow checks for strlc* functions in parse.y
|
#
1.177 |
|
14-Apr-2014 |
blambert |
remove 'restricted' symbol from yacc parser, overlooked in previous commit
found by andre@
|
#
1.176 |
|
14-Apr-2014 |
blambert |
Adapt relayd to use AgentX protocol to send traps
ok reyk@ benno@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.175 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.174 |
|
21-Jan-2014 |
benno |
fix a double free caused by a config with two listen on statements in a relay (the first one with ssl). found and fixed by Erik Lax <erik AT halon DOT se> ok phessler
|
#
1.173 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.172 |
|
09-Sep-2013 |
reyk |
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.171 |
|
30-May-2013 |
reyk |
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
#
1.170 |
|
27-Apr-2013 |
benno |
time_t 64bit fixes for relayd and relayctl: - fix statistics - set INT_MAX limit on session timeouts - make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
#
1.169 |
|
04-Mar-2013 |
sthen |
sync yyerror() with bgpd; use vlog() to log parser errors so they show in logs if they occur when reloading. ok benno@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.168 |
|
19-Oct-2012 |
reyk |
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays.
ok benno@
|
#
1.167 |
|
04-Oct-2012 |
reyk |
spacing
|
#
1.166 |
|
03-Oct-2012 |
reyk |
Inherit and pass the relay table flags correctly.
|
#
1.165 |
|
03-Oct-2012 |
reyk |
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.164 |
|
29-May-2012 |
benno |
do not overwrite the table timeout with the global timeout when a table timeout is set. ok sthen@ giovanni@ henning@
|
#
1.163 |
|
08-May-2012 |
benno |
fix "label string" in http protocol. problem found by giovanni. ok giovanni@, henning@
|
#
1.162 |
|
15-Apr-2012 |
jsg |
fix some leaks ok krw@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.161 |
|
21-Jan-2012 |
camield |
Only start the child processes after all of them reported to have loaded the config. Solves a race at startup time where processes can send status messages about hosts that other processes don't know about yet. (and have relayd abort with "desynchronized" or "invalid host id")
ok henning pyr deraadt solves the problem ok from benno todd
|
#
1.160 |
|
20-Jan-2012 |
camield |
Remove global carp demote option. It is currently broken, but also flawed by design.
ok henning pyr
|
#
1.159 |
|
21-Sep-2011 |
bluhm |
During socket splicing the relayd session timeouts could not be measured exactly in user land. Use the new idle timeout for socket splicing in the kernel to make it correct. Also do splicing with http if relayd does not check headers. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.158 |
|
26-May-2011 |
reyk |
Add additional check to prevent running scripts when not configured.
|
#
1.157 |
|
23-May-2011 |
reyk |
Support interface groups in address specifications for tables or directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
#
1.156 |
|
19-May-2011 |
reyk |
Fix reload support in relayd(8) by reimplementing large parts of the daemon infrastructure. The previous design made it fairly hard to reload the complex data structures, especially relays and protocols. One of the reasons was that the privsep'd relayd processes had two ways of getting their configuration: 1) from memory after forking from the parent process and 2) (partially) via imsgs after reload. The new implementation first forks the privsep'd children before the parent loads the configuration and sends it via imsgs to them; so it is only like 2) before. It is based on an approach that I first implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@ ok pyr@ dlg@ sthen@
|
#
1.155 |
|
09-May-2011 |
reyk |
Reorganize the relayd code to use the proc.c privsep API/commodity functions that are based on work for iked and smtpd. This simplifies the setup of privsep processes and moves some redundant and repeated code to a single place - which is always good from a quality and security point of view. The relayd version of proc.c is different to the current version in iked because it uses 1:N communications between processes, eg. a single parent process is talking to many forked relay children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
#
1.154 |
|
05-May-2011 |
reyk |
Update all logging and debug functions to use the __func__ macro instead of static function names. __func__ is C99 and perfectly fine to use. It also avoids printing errors; for example if a statement log_debug("foo:"..) was moved or copied from function foo() to bar() and the log message was not updated...
|
#
1.153 |
|
05-May-2011 |
phessler |
Allow a user to specify the route priority
OK reyk@ claudio@ sthen@
|
#
1.152 |
|
12-Apr-2011 |
reyk |
Splicing is currently only supported for TCP relays, not for HTTP or others (HTTP will need a more complicated splicing mechanism to switch between headers and bodies in userland and kernel). Add the "no splice" flag for non-TCP relays by default to indicate it in the debug and status output.
|
#
1.151 |
|
12-Apr-2011 |
reyk |
update flags and printing of flags in debug mode, handle splicing flag.
|
#
1.150 |
|
07-Apr-2011 |
reyk |
Add support for divert-to which provides some benefits over rdr-to.
ok mikeb@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.149 |
|
26-Oct-2010 |
reyk |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
#
1.148 |
|
18-Oct-2010 |
sthen |
Missing semicolon, ok henning@
|
#
1.147 |
|
02-Sep-2010 |
sobrado |
remove trailing spaces and tabs from source code; no binary changes (verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.146 |
|
07-Aug-2010 |
claudio |
Fix carp demotion on tables. For some reason the default values were inherited from the table definition even though these values could not be changed there. While there fix a memory leak in a rather strange case. OK phessler, jsg, pyr, sthen, deraadt
|
#
1.145 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.144 |
|
01-Aug-2010 |
sthen |
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.143 |
|
24-Feb-2010 |
jsg |
Sync the list of initialisation steps done for the default relay protocol with that done for specified relay protocols.
Makes it possible to use SSL for the default relay protocol.
From boudewijn@indes.com in pr 6316
|
#
1.142 |
|
27-Aug-2009 |
reyk |
allow to specify interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses.
ok gilles@ (i got inspired by smtpd)
|
#
1.141 |
|
13-Aug-2009 |
reyk |
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows to maintain multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled.
ok pyr@, jmc@ for manpages
|
#
1.140 |
|
07-Aug-2009 |
reyk |
allow to modify the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
|
#
1.139 |
|
07-Aug-2009 |
reyk |
add missing line
|
#
1.138 |
|
07-Aug-2009 |
reyk |
allow to specify host attributes in an arbitrary order (parent, retry) by making the grammar a bit more flexible.
|
#
1.137 |
|
07-Aug-2009 |
reyk |
cosmetic change - move address into an own element
|
#
1.136 |
|
05-Aug-2009 |
reyk |
prevent configuration of relays listening to a single addr:port tuple twice
|
#
1.135 |
|
05-Aug-2009 |
reyk |
support multiple 'listen on' lines in a single relay block
|
#
1.134 |
|
05-Aug-2009 |
reyk |
tables don't need pf if running in "l7" relay mode
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.133 |
|
24-Apr-2009 |
reyk |
Allow UDP and/or TCP redirections instead of just TCP.
Thanks to Marek Grzybowski for feedback and testing.
ok jmc@ (manpage bits)
|
#
1.132 |
|
17-Apr-2009 |
reyk |
add "Connection: close" to HTTP check headers to deconfuse HTTP/1.1 servers claiming keepalive sessions.
From Camiel Dobbelaar
|
#
1.131 |
|
02-Apr-2009 |
reyk |
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
|
#
1.130 |
|
01-Apr-2009 |
reyk |
fix an incorrect flag in route mode.
From Padcal Lalonde, closes PR 6114
|
#
1.129 |
|
01-Apr-2009 |
reyk |
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course.
This was tested by some people a while ago.
|
#
1.128 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.127 |
|
05-Dec-2008 |
reyk |
use HTTP/1.1 instead of HTTP/1.0 if a host header is specified.
spotted by phessler@
|
#
1.126 |
|
17-Oct-2008 |
henning |
bring in the findeol() fix from pfctl. list of affected parsers by sthen
|
#
1.125 |
|
29-Sep-2008 |
reyk |
allow to load expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
|
#
1.124 |
|
29-Sep-2008 |
reyk |
sort tokens for better readability
|
#
1.123 |
|
29-Sep-2008 |
reyk |
allow to listen on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world.
Tested and requested by many
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.122 |
|
22-Jul-2008 |
reyk |
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd.
manpage bits ok jmc@ yes, sounds good todd@
|
#
1.121 |
|
19-Jul-2008 |
reyk |
no need for using a TAILQ queue for the host children list, use a singly-linked SLIST instead. the only noticeable change is the reversed order to notify the children but it does not really matter here. also only walk through the children host list if the host itself is a potential parent.
|
#
1.120 |
|
19-Jul-2008 |
reyk |
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains).
discussed with pyr, tested in different setups
|
#
1.119 |
|
17-Jul-2008 |
reyk |
final reorder diff to use TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. now tables and relays are also matching the order in the config file.
ok pyr@
|
#
1.118 |
|
17-Jul-2008 |
reyk |
add the hosts in order to get host ids that match the order in the config file. ok pyr@
|
#
1.117 |
|
17-Jul-2008 |
reyk |
give sane ids to hosts, tables, redirections, relays, etc. - start counting at 1 and do not assign an id before inheriting a real table. makes more sense in the relayctl output.
ok pyr@
|
#
1.116 |
|
17-Jul-2008 |
reyk |
use getaddrinfo/getnameinfo to parse ipv6 addresses instead of inet_pton/inet_ntop to allow specifying and printing the IPv6 scope identifier. synced host_v6() with ntpd's version to use getaddrinfo() instead of inet_pton() - host_v4, host_v6, and host_dns could all use getaddrinfo in a single function by specifying different flags but this would diverge from the other daemons using this common interface so we keep this little overhead.
discussed with henning@ ok pyr@
|
#
1.115 |
|
11-Jun-2008 |
reyk |
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things...
based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8)
ok markus@ pyr@
|
#
1.114 |
|
08-May-2008 |
reyk |
missed to set the default for tables to round-robin, so it was loadbalance after the grammar change. make it round-robin again.
|
#
1.113 |
|
07-May-2008 |
reyk |
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds.
discussed with many, thought about in the onsen
|
#
1.112 |
|
06-May-2008 |
reyk |
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
|
#
1.111 |
|
06-May-2008 |
pyr |
Do not unconditionally load pf. If pf isn't required by the configuration the initialisation isn't done properly.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.110 |
|
03-Mar-2008 |
reyk |
Inherit global table options.
From Armin Wolfermann
ok pyr@ deraadt@
|
#
1.109 |
|
27-Feb-2008 |
mpf |
Unbreak parser by initializing topfile correctly. I got fooled by patch(1). Sorry.
|
#
1.108 |
|
26-Feb-2008 |
mpf |
Have popfile() also close the main config file, but only do the final popfile call after yyparse() is done. This also fixes config reload on SIGHUP for some daemons.
Spotted by otto@. OK deraadt@
|
#
1.107 |
|
13-Feb-2008 |
reyk |
bump copyright
|
#
1.106 |
|
13-Feb-2008 |
reyk |
stylistic change: move code to add protonodes from the BNF into separate functions in relayd.c (protonode_add/protonode_header). this code got too big to look nice in the BNF statements...
|
#
1.105 |
|
11-Feb-2008 |
reyk |
unbreak the dns protocol handler, closes pr 5717
Thanks to Nigel Taylor
|
#
1.104 |
|
11-Feb-2008 |
reyk |
Marry relayd with snmpd using new "send trap" option: Request to send a SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration.
ok pyr@ thib@
|
#
1.103 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, next struct relay. knf long line fixes will follow later.
ok thib@
|
#
1.102 |
|
31-Jan-2008 |
reyk |
add prefixes to names of structure elements to make it easier to grep for code, start with struct relayd. finally.
ok thib@
|
#
1.101 |
|
29-Jan-2008 |
pyr |
Free resources now that we don't always exit after an unsuccessful parsing of the configuration. From Igor Zinovik <zinovik at cs.karelia.ru> ok thib@ and me.
|
#
1.100 |
|
08-Dec-2007 |
pyr |
Rename everything which referred to services to refer to rdr for internals (for instance: rename struct service to struct rdr), refer to redirects otherwise (hoststatectl output). ok reyk@
|
#
1.99 |
|
08-Dec-2007 |
reyk |
make the generic handler for TCP-based protocols the default (allows to use "protocol foo" without defining a type).
|
#
1.98 |
|
08-Dec-2007 |
reyk |
some changes to the relayd.conf configuration language and grammar.
the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf)
discussed with pyr and deraadt ok pyr@
|
#
1.97 |
|
07-Dec-2007 |
reyk |
hoststated gets renamed to relayd. easier to type, and actually says what the daemon does - it is a relayer that pays attention to the status of pools of hosts; not a status checker that happens to do some relaying
|
#
1.96 |
|
26-Nov-2007 |
reyk |
allow to add labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information.
ok pyr@
|
#
1.95 |
|
24-Nov-2007 |
reyk |
sort includes, adjust to style(9)
|
#
1.94 |
|
23-Nov-2007 |
reyk |
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion.
ok pyr@ gilles@
|
#
1.93 |
|
22-Nov-2007 |
reyk |
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
|
#
1.92 |
|
21-Nov-2007 |
reyk |
spacing
|
#
1.91 |
|
21-Nov-2007 |
reyk |
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
|
#
1.90 |
|
21-Nov-2007 |
reyk |
move digest string handling into an extra function.
|
#
1.89 |
|
21-Nov-2007 |
reyk |
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage.
alright pyr@
|
#
1.88 |
|
21-Nov-2007 |
reyk |
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible to any existing SHA1-only configurations.
ok pyr@ gilles@
|
#
1.87 |
|
20-Nov-2007 |
reyk |
allow to use the "include" directive in tables, services, relays, and protocols.
ok pyr@
|
#
1.86 |
|
20-Nov-2007 |
reyk |
it may be desirable to send a HTTP error page with error code and a meaningful message if a HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!).
ok pyr@
|
#
1.85 |
|
20-Nov-2007 |
pyr |
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
|
#
1.84 |
|
19-Nov-2007 |
reyk |
spacing
|
#
1.83 |
|
19-Nov-2007 |
reyk |
knf (replace some ';;' with a single ';')
|
#
1.82 |
|
19-Nov-2007 |
reyk |
rework the internal handling of protocol actions a little bit:
- allow to use a key multiple times by appending a queue of additional matches to the tree node. for example, this allows to specify multiple "expect" or "filter" actions to white-/black-list a list of HTTP-headers, URLs, ..
- prevent specifying an HTTP header multiple times when using the expect action.
- minor code shuffling
|
#
1.81 |
|
19-Nov-2007 |
reyk |
always enable "late connect" relay mode if an "expect" or "filter" action has been specified for the protocol. late connect mode first reads the complete request (HTTP header) before opening the inbound connection instead of relaying it line-by-line.
|
#
1.80 |
|
15-Nov-2007 |
pyr |
Do not insert proto_default inside the dynamically alloced protocol queue. Handle it as a special case in the one place where it actually matters instead.
|
#
1.79 |
|
14-Nov-2007 |
pyr |
reset global variables every time we enter parse_config.
|
#
1.78 |
|
14-Nov-2007 |
pyr |
make protos dynamic too
|
#
1.77 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.76 |
|
04-Nov-2007 |
claudio |
Not using all defined protocols is not a hard error. Just print a warning but start anyway. OK reyk@
|
#
1.75 |
|
22-Oct-2007 |
pyr |
load certificates text at parse time. then load them in relay processes. this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
|
#
1.74 |
|
22-Oct-2007 |
reyk |
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code.
ok pyr@
|
#
1.73 |
|
22-Oct-2007 |
reyk |
do not check the file secrecy of hoststated.conf, there is no need to enforce the file ownership and permissions to root:wheel 0400 because we have nothing to hide.
ok pyr@
|
#
1.72 |
|
19-Oct-2007 |
pyr |
print system error when fopen fails.
|
#
1.71 |
|
19-Oct-2007 |
pyr |
Do log initialisation correctly, like bgpd does. This removes the double warn/log_warn madness I introduced yesterday. This also keeps messages on stderr at startup and when running with -n.
|
#
1.70 |
|
19-Oct-2007 |
pyr |
Move relays from static TAILQs to allocated ones. This syncs it with other hoststated entities and will make reload easier. This is step 1 out of 7 for reload.
|
#
1.69 |
|
19-Oct-2007 |
pyr |
keep log_warn messages to be informed when a failure occurs during a reload.
|
#
1.68 |
|
18-Oct-2007 |
deraadt |
unbreak tree
|
#
1.67 |
|
18-Oct-2007 |
pyr |
extra arg to warn slipped through.
|
#
1.66 |
|
18-Oct-2007 |
deraadt |
repair file security warnings; ok pyr
|
#
1.65 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.64 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.63 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.62 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.61 |
|
09-Oct-2007 |
deraadt |
use macro argument
|
#
1.60 |
|
05-Oct-2007 |
reyk |
cast to an int
|
#
1.59 |
|
02-Oct-2007 |
pyr |
stop messing with lgetc to please hoststated's check/expect. instead move some of the logic in yylex and do hoststated specific translations into hoststated.c ok gilles@
|
#
1.58 |
|
02-Oct-2007 |
pyr |
clean up merged code.
|
#
1.57 |
|
01-Oct-2007 |
pyr |
Add NUMBER to hoststated's lexer, very similar to what has gone in in the other daemons recently. Prompted and based on work by deraadt@ proofread and ok gilles@
|
#
1.56 |
|
01-Oct-2007 |
pyr |
keep lines < 80.
|
#
1.55 |
|
28-Sep-2007 |
pyr |
Correct my mail address.
|
#
1.54 |
|
10-Sep-2007 |
reyk |
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols.
ok gilles@, tested by some
|
#
1.53 |
|
07-Sep-2007 |
reyk |
store the table's port as the relay's dstport
|
#
1.52 |
|
05-Sep-2007 |
reyk |
store relay sessions in SPLAY trees instead of TAILQ lists. this will be used for faster lookups of sessions based on different criteria.
ok pyr@
|
#
1.51 |
|
04-Sep-2007 |
pyr |
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org>
ok reyk, jmc for the manpage bits.
|
#
1.50 |
|
05-Jul-2007 |
thib |
use a more traditional while() instead of for() for getopt(). sync usage() to the man page. format string fixes. complain about failed calloc()'s instead of exiting silently.
ok pyr@, reyk@
|
#
1.49 |
|
31-May-2007 |
pyr |
do not forget to store table and backup table ids in the service configuration struct.
|
#
1.48 |
|
31-May-2007 |
pyr |
make sure object ids are reset before parsing the configuration file again.
|
#
1.47 |
|
31-May-2007 |
pyr |
allocate table lists and service lists instead of using static structs. split the code to start the event loop in two functions. introduce merge_config which will be used later on.
|
#
1.46 |
|
29-May-2007 |
pyr |
do not start relay processes when no L7 load balancing is needed. ok reyk@
|
#
1.45 |
|
29-May-2007 |
reyk |
add a new check method which allows to run external scripts/programs for custom evaluations.
pyr agrees to put it in now but to do some improvements of the timeout handling later.
|
#
1.44 |
|
29-May-2007 |
pyr |
move the ssl cipher suite string to a (small) static charbuf, this will make it easier to send the struct over the socket.
|
#
1.43 |
|
29-May-2007 |
pyr |
move struct relay to the runtime + config scheme. this time around, include hoststatectl changes too.
|
#
1.42 |
|
28-May-2007 |
pyr |
store the configuration file's path, this will be useful when reloading.
|
#
1.41 |
|
27-May-2007 |
pyr |
Second step towards hoststated reload: First split out hosts, tables and services into two structs, one that contains the runtime fields and one (inside the runtime) that contains mostly static fields that will be sent over the socket during reload.
Also move the demoted field of tables inside the flags field as it's just a boolean. ok reyk@
|
#
1.40 |
|
27-May-2007 |
reyk |
allow to specify table templates in the configuration file and to inherit them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section.
this makes mcbride more happy ok pyr@
|
#
1.39 |
|
26-May-2007 |
pyr |
first steps for implementing reload:
* make parse_config allocate the hoststated function by itself
* make as many sockets as necessary to talk to the relay children
* add send_all for talking to all children
with advice and ok reyk@
|
#
1.38 |
|
12-Apr-2007 |
reyk |
add a new relay 'path' action to filter the URL path and arguments.
ok pyr@
|
#
1.37 |
|
21-Mar-2007 |
reyk |
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers.
ok pyr@
|
#
1.36 |
|
13-Mar-2007 |
reyk |
allow specifying the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers.
ok pyr@
|
#
1.35 |
|
07-Mar-2007 |
reyk |
- fix the hoststatectl host disable/enable commands to work with relay layer 7 loadbalancing.
- allow running relays with tables without depending on services
- show hosts and tables assigned to relays in hoststatectl show commands
ok pyr@ deraadt@ with some input from mcbride@
|
#
1.34 |
|
06-Mar-2007 |
reyk |
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID"
tested by some people ok pyr@
|
#
1.33 |
|
27-Feb-2007 |
reyk |
in addition to actions on request headers, allow defining relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined.
for example: response change "Server" to "OpenBSD-hoststated/4.1"
ok pyr@
|
#
1.32 |
|
26-Feb-2007 |
pyr |
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
|
#
1.31 |
|
26-Feb-2007 |
pyr |
remove HTTP and HTTPS tokens, makes for cleaner parser. reorder other rules as well. ok reyk@
|
#
1.30 |
|
26-Feb-2007 |
pyr |
solve some conflicts in the configuration parser. configuration will need to be updated as some directives have changed. manpage and examples bits coming up. ok reyk@
|
#
1.29 |
|
26-Feb-2007 |
pyr |
KNF
|
#
1.28 |
|
26-Feb-2007 |
pyr |
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
|
#
1.27 |
|
24-Feb-2007 |
reyk |
- allow specifying the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow modifying the backlog as a per-protocol tcp option to improve the performance on busy systems (to get fewer connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow collecting some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
|
#
1.26 |
|
22-Feb-2007 |
reyk |
Add layer 7 functionality to hoststated used for layer 7 loadbalancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying.
see hoststated.conf(5) and my upcoming article on undeadly.org for details.
ok to commit deraadt@ pyr@
|
#
1.25 |
|
09-Feb-2007 |
reyk |
unbreak the symset function
|
#
1.24 |
|
08-Feb-2007 |
reyk |
carefully check some return values and make lint happier. never pass any truncated strings (table names/anchors/tags/...) to pf and the kernel.
ok pyr@
|
#
1.23 |
|
07-Feb-2007 |
reyk |
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode.
ok claudio@ pyr@
|
#
1.22 |
|
07-Feb-2007 |
reyk |
remove unused functions and variables which have been copied from ospfd(8) (can be re-imported later if required).
|
#
1.21 |
|
07-Feb-2007 |
reyk |
add the -D option to define macros on the command line (as found in bgpd(8), hostapd(8), ipsecctl(8), pfctl(8), ...).
|
#
1.20 |
|
30-Jan-2007 |
pyr |
small memleak plugged and style changes. ok reyk@
|
#
1.19 |
|
29-Jan-2007 |
pyr |
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
|
#
1.18 |
|
25-Jan-2007 |
niallo |
return 0, not NULL in a function returning int.
ok pyr@
|
#
1.17 |
|
24-Jan-2007 |
pyr |
Better handling of escaped CR-LF in the configuration file, commenting them out was previously broken. This is needed for send/expect scripts.
ok claudio@
|
#
1.16 |
|
12-Jan-2007 |
pyr |
eliminate duplicate tcp read/write code. ok claudio@, reyk@
|
#
1.15 |
|
09-Jan-2007 |
pyr |
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
|
#
1.14 |
|
09-Jan-2007 |
deraadt |
adapt to rename
|
#
1.13 |
|
08-Jan-2007 |
reyk |
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems.
change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*".
suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.12 |
|
08-Jan-2007 |
reyk |
allow using service names in addition to numerical port numbers in the configuration file, eg. "real port http".
From Pierre-Yves Ritschard (pyr at spootnik dot org)
ok claudio@
|
#
1.11 |
|
08-Jan-2007 |
reyk |
the timeout values are not allowed to exceed the global interval (i figured this out while testing hostated against a stuttering spamd where the send/expect timeout needs to be > 10 seconds). also use another struct timeval to store the interval for easier handling in the code.
ok Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.10 |
|
08-Jan-2007 |
reyk |
remove unused token.
|
#
1.9 |
|
08-Jan-2007 |
reyk |
add a generic send/expect check using regular expressions (see regex(3)). this allows defining additional checks for other TCP protocols.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.8 |
|
03-Jan-2007 |
reyk |
spacing
|
#
1.7 |
|
03-Jan-2007 |
reyk |
allow the sticky-address option for round-robin pools.
From Pierre-Yves Ritschard (pyr at spootnik dot org)
|
#
1.6 |
|
25-Dec-2006 |
reyk |
fix the conversion from milliseconds to struct timeval, which uses seconds (tv_sec) and microseconds (tv_usec), but the code assumed seconds and milliseconds...
|
#
1.5 |
|
25-Dec-2006 |
reyk |
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly.
From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
|
#
1.4 |
|
16-Dec-2006 |
martin |
typo
|
#
1.3 |
|
16-Dec-2006 |
deraadt |
spacing
|
#
1.2 |
|
16-Dec-2006 |
reyk |
knf, spacing
please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
|
#
1.1 |
|
16-Dec-2006 |
reyk |
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd".
The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup.
ok deraadt@ claudio@
|