This feature has been requested many times over the years. Various patches
were provided by Asherah Connor, Rivo Nurges, Markus Läll and maybe others.
These patches always stalled for various reasons.
From Sören Tempel, mostly based on Asherah's latest patch.
ok florian tb
pf's rule names are limited by 32 characters, so lower the length bounds
for redirect names and tags that relayd accepts as valid config but would
later fail to load into pf. Also display the offending name on error.
from Mark Johnston
ok florian
When relayd(8) handles 'host disable/enable' command issued by relayctl(8),
it disables redirect it finds in tables for particular host. However there can
be multiple redirect instances which use the same host in relayd(8) tables.
This change makes relayd(8) to walk through all tables and disable all redirects
which match the host.
OK giovanni@, OK sashan@
the option to set corresponding `log` action in pf(4) rules it generates
to handle network traffic.
The patch comes from Giannis Kapetanakis (bilias _from_ edu.physics.uoc.gr).
OK sashan@
As usual proc_forward_imsg() is never forwarding a file descriptor so
just use -1 there. This should be replaced by imsg_forward().
All other changes are simple conversions.
OK tb@
Wait until we have a complete line before parsing the Content-Length,
Transfer-Encoding and Host headers. This prevents potential request
smuggling attacks. Filtering already happens after header line
continuation has been performed. Reported by Ben Kallus.
OK claudio@
1) reject headers with embedded NULs
2) reject headers with invalid characters in the name
3) reject Transfer-Encoding with values other than "chunked"
4) reject chunk values containing non-hex characters
5) reject Content-Length values of "+0" or "-0"
6) reject requests without a ' ' and headers without a ':'
Reported by Ben Kallus, OK bluhm@
Switch "ssl" to "tls" in relayd.conf(5) if you haven't done so in the last
ten years, "ssl" is now an error.
Say "TLS" not "SSL/TLS" and drop the primer in the TLS RELAYS section.
OK benno
What is achieved here through ENGINE can be done in a much simpler way
by setting the default RSA implementation. Drop a number of indirections
that only add a bit of logging. This removes a lot of boiler plate and
shows where the actual magic happens more clearly.
ok op tobhe
special. One can not define a struct for the route message since there is
different padding between 32 and 64 bit systems for struct sockaddr_in6.
Instead do what all other daemons do and use struct sockaddr_storage,
iovec and writev.
Problem reported by Joerg Streckfuss (streckfuss at dfn-cert.de)
OK tb@
Also document that fact, and that the existing ssl3 option
does nothing. This changes relayd to no longer request tls1.0
or tls1.1 in preparation for the upcoming deprecation of these
out of data protocols
ok jsing@ bluhm@ tb@ claudio@ benno@
children to just before. That way the parent disasociates from its
controling terminal and shell, but not from its children.
Remove the dup2() bits that were copied from daemon() to solve the
problem that the children still had the stdio fds open. This is now
done in the parent earlier.
Remove the setsid() and setpgid(). It is unclear what their intent
was, but they dont seem to make sense, as daemon() covers this as well
and there seems to be no reason the cildren procs need to do that.
ok claudio@ bluhm@
