relayd session timeout

2011-09-01 Thread Alexander Bluhm
Hi,

The relayd used the CHECK_TIMEOUT for connect and ssl handshake.
This is 200 milliseconds and too short.  Instead use the 600 seconds
session timeout that is used for accepted sessions everywhere else.

While there, make flag handling in relay_ssl_transaction() consistent
with the other functions.

ok?

bluhm


Index: usr.sbin/relayd/relay.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/relayd/relay.c,v
retrieving revision 1.138
diff -u -p -r1.138 relay.c
--- usr.sbin/relayd/relay.c 20 May 2011 09:43:53 -  1.138
+++ usr.sbin/relayd/relay.c 1 Sep 2011 07:58:40 -
@@ -2279,7 +2279,8 @@ relay_connect(struct rsession *con)
 
if (errno == EINPROGRESS)
event_again(con-se_ev, con-se_out.s, EV_WRITE|EV_TIMEOUT,
-   relay_connected, con-se_tv_start, env-sc_timeout, con);
+   relay_connected, con-se_tv_start, rlay-rl_conf.timeout, 
+   con);
else
relay_connected(con-se_out.s, EV_WRITE, con);
 
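Review bot: The connect and handshake phases are now bounded only by `rlay->rl_conf.timeout`, so a peer that stalls before the session is established can hold a session slot for the whole session timeout (600 seconds per the description), where it was previously dropped after CHECK_TIMEOUT. The same applies to the event_again() calls changed in relay_ssl_transaction(), relay_ssl_accept() and relay_ssl_connect() below. Because `con->se_tv_start` is passed as the start time, the wait is presumably counted from session start rather than per retry, which is worth stating at this call, for example `/* connect shares the session timeout, counted from se_tv_start */`. If stalled handshakes turn into a resource problem, a separate, shorter handshake timeout would be the place to bound them. relay_connect() starts and ends outside the hunk, so the declaration of `rlay` is not visible here.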
@@ -2625,7 +2626,7 @@ relay_ssl_transaction(struct rsession *c
SSL *ssl;
const SSL_METHOD*method;
void(*cb)(int, short, void *);
-   u_intflags = EV_TIMEOUT;
+   u_intflag;
 
ssl = SSL_new(rlay-rl_ssl_ctx);
if (ssl == NULL)
@@ -2634,11 +2635,11 @@ relay_ssl_transaction(struct rsession *c
if (cre-dir == RELAY_DIR_REQUEST) {
cb = relay_ssl_accept;
method = SSLv23_server_method();
-   flags |= EV_READ;
+   flag = EV_READ;
} else {
cb = relay_ssl_connect;
method = SSLv23_client_method();
-   flags |= EV_WRITE;
+   flag = EV_WRITE;
}
 
if (!SSL_set_ssl_method(ssl, method))
@@ -2653,8 +2654,10 @@ relay_ssl_transaction(struct rsession *c
 
cre-ssl = ssl;
 
-   event_again(con-se_ev, cre-s, EV_TIMEOUT|flags,
-   cb, con-se_tv_start, env-sc_timeout, con);
+   DPRINTF(%s: session %d: scheduling on %s, __func__, con-se_id,
+   (flag == EV_READ) ? EV_READ : EV_WRITE);
+   event_again(con-se_ev, cre-s, EV_TIMEOUT|flag, cb,
+   con-se_tv_start, rlay-rl_conf.timeout, con);
return;
 
  err:
@@ -2721,7 +2724,7 @@ retry:
DPRINTF(%s: session %d: scheduling on %s, __func__, con-se_id,
(retry_flag == EV_READ) ? EV_READ : EV_WRITE);
event_again(con-se_ev, fd, EV_TIMEOUT|retry_flag, relay_ssl_accept,
-   con-se_tv_start, env-sc_timeout, con);
+   con-se_tv_start, rlay-rl_conf.timeout, con);
 }
 
 void
@@ -2780,7 +2783,7 @@ retry:
DPRINTF(%s: session %d: scheduling on %s, __func__, con-se_id,
(retry_flag == EV_READ) ? EV_READ : EV_WRITE);
event_again(con-se_ev, fd, EV_TIMEOUT|retry_flag, relay_ssl_connect,
-   con-se_tv_start, env-sc_timeout, con);
+   con-se_tv_start, rlay-rl_conf.timeout, con);
 }
 
 void



relayd session timeout

2011-03-11 Thread Alexander Bluhm
Hi,

When relaying unidirectional tcp traffic, relayd handles session
timeouts in a strange way.

A connection that is constantly sending data from the client to the
server will always trigger the session timeout.  In contrast, if
the data is only transferred from the server to the client, the
session timeout works correctly.

The reason for this asymmetric behavior is that any read event
resets the client side timeout.  I think a read event on one side
should reset the timeout for the other side.

ok?

bluhm


Index: relay.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/relayd/relay.c,v
retrieving revision 1.128
diff -u -p -r1.128 relay.c
--- relay.c 20 Dec 2010 12:38:06 -  1.128
+++ relay.c 11 Mar 2011 13:16:50 -
@@ -906,7 +906,7 @@ relay_read(struct bufferevent *bev, void
goto fail;
if (con-se_done)
goto done;
-   bufferevent_enable(con-se_in.bev, EV_READ);
+   bufferevent_enable(cre-dst-bev, EV_READ);
return;
  done:
relay_close(con, last read (done));
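Review bot: The purpose of enabling EV_READ on `cre->dst->bev` is not evident from the code at this line of relay_read(); per the description, the call is there to restart the peer side's read timeout, not to begin reading. I would add a comment above it such as `/* re-arm the peer's read event so its session timeout restarts */`. Nothing in the hunk shows `cre->dst` or its `bev` being checked before the dereference, so it is worth confirming that both are always set by the time relay_read() can run. relay_read() starts and continues outside the hunk.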