authorIgor Pashev <pashev.igor@gmail.com>2014-10-01 17:56:20 +0400
committerIgor Pashev <pashev.igor@gmail.com>2014-10-01 17:56:20 +0400
commitc046f7bcc92281465917e026f83fd0d38569cb06 (patch)
tree711f61cf319e171a5f41c469ef30e3298c8917f8 /plugins/imrelp
parent17262528e2277c3d069c4a29ed098830d4fdbc08 (diff)
parent7ec8c6d6f9114765775ea5100af5b0b20af4502e (diff)
downloadrsyslog-c046f7bcc92281465917e026f83fd0d38569cb06.tar.gz
Merge branch 'master' of git://anonscm.debian.org/collab-maint/rsyslog
Conflicts: debian/changelog debian/patches/series debian/rules
Diffstat (limited to 'plugins/imrelp')
-rw-r--r--plugins/imrelp/Makefile.in27
-rw-r--r--plugins/imrelp/imrelp.c365
2 files changed, 327 insertions, 65 deletions
diff --git a/plugins/imrelp/Makefile.in b/plugins/imrelp/Makefile.in
index 566efab..ec45d31 100644
--- a/plugins/imrelp/Makefile.in
+++ b/plugins/imrelp/Makefile.in
@@ -154,7 +154,6 @@ GREP = @GREP@
GSS_LIBS = @GSS_LIBS@
GUARDTIME_CFLAGS = @GUARDTIME_CFLAGS@
GUARDTIME_LIBS = @GUARDTIME_LIBS@
-HAVE_LIBGCRYPT_CONFIG = @HAVE_LIBGCRYPT_CONFIG@
HAVE_MYSQL_CONFIG = @HAVE_MYSQL_CONFIG@
HAVE_ORACLE_CONFIG = @HAVE_ORACLE_CONFIG@
HAVE_PGSQL_CONFIG = @HAVE_PGSQL_CONFIG@
@@ -175,14 +174,15 @@ LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBDBI_CFLAGS = @LIBDBI_CFLAGS@
LIBDBI_LIBS = @LIBDBI_LIBS@
-LIBEE_CFLAGS = @LIBEE_CFLAGS@
-LIBEE_LIBS = @LIBEE_LIBS@
LIBESTR_CFLAGS = @LIBESTR_CFLAGS@
LIBESTR_LIBS = @LIBESTR_LIBS@
LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBLOGGING_CFLAGS = @LIBLOGGING_CFLAGS@
LIBLOGGING_LIBS = @LIBLOGGING_LIBS@
+LIBLOGGING_STDLOG_CFLAGS = @LIBLOGGING_STDLOG_CFLAGS@
+LIBLOGGING_STDLOG_LIBS = @LIBLOGGING_STDLOG_LIBS@
LIBLOGNORM_CFLAGS = @LIBLOGNORM_CFLAGS@
LIBLOGNORM_LIBS = @LIBLOGNORM_LIBS@
LIBM = @LIBM@
@@ -207,6 +207,8 @@ NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
+OPENSSL_CFLAGS = @OPENSSL_CFLAGS@
+OPENSSL_LIBS = @OPENSSL_LIBS@
ORACLE_CFLAGS = @ORACLE_CFLAGS@
ORACLE_LIBS = @ORACLE_LIBS@
OTOOL = @OTOOL@
@@ -387,22 +389,25 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imrelp_la-imrelp.Plo@am__quote@
.c.o:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
diff --git a/plugins/imrelp/imrelp.c b/plugins/imrelp/imrelp.c
index 5e0ae55..6787f91 100644
--- a/plugins/imrelp/imrelp.c
+++ b/plugins/imrelp/imrelp.c
@@ -4,7 +4,7 @@
*
* File begun on 2008-03-13 by RGerhards
*
- * Copyright 2008-2012 Adiscon GmbH.
+ * Copyright 2008-2014 Adiscon GmbH.
*
* This file is part of rsyslog.
*
@@ -47,6 +47,7 @@
#include "prop.h"
#include "ruleset.h"
#include "glbl.h"
+#include "statsobj.h"
MODULE_TYPE_INPUT
MODULE_TYPE_NOKEEP
@@ -59,6 +60,7 @@ DEFobjCurrIf(prop)
DEFobjCurrIf(errmsg)
DEFobjCurrIf(ruleset)
DEFobjCurrIf(glbl)
+DEFobjCurrIf(statsobj)
/* forward definitions */
static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __attribute__((unused)) *pVal);
@@ -67,30 +69,88 @@ static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __a
/* Module static data */
/* config vars for legacy config system */
static relpEngine_t *pRelpEngine; /* our relp engine */
-static prop_t *pInputName = NULL; /* there is only one global inputName for all messages generated by this module */
-static struct configSettings_s {
+
+/* config settings */
+typedef struct configSettings_s {
uchar *pszBindRuleset; /* name of Ruleset to bind to */
-} cs;
+} configSettings_t;
+static configSettings_t cs;
struct instanceConf_s {
uchar *pszBindPort; /* port to bind to */
+ uchar *pszBindRuleset; /* name of ruleset to bind to */
+ uchar *pszInputName; /* value for inputname property */
+ prop_t *pInputName; /* InputName in property format for fast access */
+ ruleset_t *pBindRuleset; /* ruleset to bind listener to */
+ sbool bKeepAlive; /* support keep-alive packets */
+ sbool bEnableTLS;
+ sbool bEnableTLSZip;
+ int dhBits;
+ uchar *pristring; /* GnuTLS priority string (NULL if not to be provided) */
+ uchar *authmode; /* TLS auth mode */
+ uchar *caCertFile;
+ uchar *myCertFile;
+ uchar *myPrivKeyFile;
+ int iKeepAliveIntvl;
+ int iKeepAliveProbes;
+ int iKeepAliveTime;
+ struct {
+ int nmemb;
+ uchar **name;
+ } permittedPeers;
+
struct instanceConf_s *next;
+ /* with librelp, this module does not have any own specific session
+ * or listener active data item. As a "work-around", we keep some
+ * data items inside the configuration object. To keep things
+ * decently clean, we put them all into their dedicated struct. So
+ * it is easy to judge what is actual configuration and what is
+ * dynamic runtime data. -- rgerhards, 2013-06-18
+ */
+ struct {
+ statsobj_t *stats; /* listener stats */
+ STATSCOUNTER_DEF(ctrSubmit, mutCtrSubmit)
+ } data;
};
struct modConfData_s {
rsconf_t *pConf; /* our overall config object */
instanceConf_t *root, *tail;
- uchar *pszBindRuleset; /* name of Ruleset to bind to */
- ruleset_t *pBindRuleset; /* due to librelp limitation, we need to bind all listerns to the same set */
+ uchar *pszBindRuleset; /* default name of Ruleset to bind to */
};
static modConfData_t *loadModConf = NULL;/* modConf ptr to use for the current load process */
static modConfData_t *runModConf = NULL;/* modConf ptr to use for the current load process */
+/* module-global parameters */
+static struct cnfparamdescr modpdescr[] = {
+ { "ruleset", eCmdHdlrGetWord, 0 },
+};
+static struct cnfparamblk modpblk =
+ { CNFPARAMBLK_VERSION,
+ sizeof(modpdescr)/sizeof(struct cnfparamdescr),
+ modpdescr
+ };
+
/* input instance parameters */
static struct cnfparamdescr inppdescr[] = {
- { "port", eCmdHdlrString, CNFPARAM_REQUIRED }
+ { "port", eCmdHdlrString, CNFPARAM_REQUIRED },
+ { "name", eCmdHdlrString, 0 },
+ { "ruleset", eCmdHdlrString, 0 },
+ { "keepalive", eCmdHdlrBinary, 0 },
+ { "keepalive.probes", eCmdHdlrInt, 0 },
+ { "keepalive.time", eCmdHdlrInt, 0 },
+ { "keepalive.interval", eCmdHdlrInt, 0 },
+ { "tls", eCmdHdlrBinary, 0 },
+ { "tls.permittedpeer", eCmdHdlrArray, 0 },
+ { "tls.authmode", eCmdHdlrString, 0 },
+ { "tls.dhbits", eCmdHdlrInt, 0 },
+ { "tls.prioritystring", eCmdHdlrString, 0 },
+ { "tls.cacert", eCmdHdlrString, 0 },
+ { "tls.mycert", eCmdHdlrString, 0 },
+ { "tls.myprivkey", eCmdHdlrString, 0 },
+ { "tls.compression", eCmdHdlrBinary, 0 }
};
static struct cnfparamblk inppblk =
{ CNFPARAMBLK_VERSION,
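Review bot: The TLS members added to `struct instanceConf_s` (`bEnableTLS`, `bEnableTLSZip`, `dhBits`, `caCertFile`, `myCertFile`, `myPrivKeyFile`) have no comments, unlike `pristring` and `authmode` beside them. Since they decide how the listener authenticates peers, each should name the config parameter it mirrors and what the zero value means, e.g. `int dhBits; /* tls.dhbits; 0 = relpSrvSetDHBits is not called */` and `sbool bEnableTLSZip; /* tls.compression; off unless configured */`. A short comment on `permittedPeers` saying that `name` and its entries are heap-allocated would also make the ownership that freeCnf has to honour explicit.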
@@ -98,10 +158,35 @@ static struct cnfparamblk inppblk =
inppdescr
};
-
+#include "im-helper.h" /* must be included AFTER the type definitions! */
+static int bLegacyCnfModGlobalsPermitted;/* are legacy module-global config parameters permitted? */
/* ------------------------------ callbacks ------------------------------ */
+static void
+onErr(void *pUsr, char *objinfo, char* errmesg, __attribute__((unused)) relpRetVal errcode)
+{
+ instanceConf_t *inst = (instanceConf_t*) pUsr;
+ errmsg.LogError(0, RS_RET_RELP_AUTH_FAIL, "imrelp[%s]: error '%s', object "
+ " '%s' - input may not work as intended",
+ inst->pszBindPort, errmesg, objinfo);
+}
+
+static void
+onGenericErr(char *objinfo, char* errmesg, __attribute__((unused)) relpRetVal errcode)
+{
+ errmsg.LogError(0, RS_RET_RELP_ERR, "imrelp: librelp error '%s', object "
+ " '%s' - input may not work as intended", errmesg, objinfo);
+}
+
+static void
+onAuthErr(void *pUsr, char *authinfo, char* errmesg, __attribute__((unused)) relpRetVal errcode)
+{
+ instanceConf_t *inst = (instanceConf_t*) pUsr;
+ errmsg.LogError(0, RS_RET_RELP_AUTH_FAIL, "imrelp[%s]: authentication error '%s', peer "
+ "is '%s'", inst->pszBindPort, errmesg, authinfo);
+}
+
/* callback for receiving syslog messages. This function is invoked from the
* RELP engine when a syslog message arrived. It must return a relpRetVal,
* with anything else but RELP_RET_OK terminating the relp session. Please note
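Review bot: `onErr` logs every per-listener librelp error under `RS_RET_RELP_AUTH_FAIL`, the same code `onAuthErr` uses, so anything that alerts on that code cannot tell a real authentication failure from an unrelated listener error. `RS_RET_RELP_ERR`, which `onGenericErr` already uses, looks like the intended code: `errmsg.LogError(0, RS_RET_RELP_ERR, "imrelp[%s]: error '%s', object "`. The adjacent literals `"object "` and `" '%s'"` also concatenate to a double space in both `onErr` and `onGenericErr`. Both callbacks cast `pUsr` and read `inst->pszBindPort` without a NULL check, which is only safe if librelp never calls them before `relpSrvSetUsrPtr` has run; that is not visible here.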
@@ -113,27 +198,27 @@ static struct cnfparamblk inppblk =
* we will only see the hostname (twice). -- rgerhards, 2009-10-14
*/
static relpRetVal
-onSyslogRcv(uchar *pHostname, uchar *pIP, uchar *msg, size_t lenMsg)
+onSyslogRcv(void *pUsr, uchar *pHostname, uchar *pIP, uchar *msg, size_t lenMsg)
{
prop_t *pProp = NULL;
msg_t *pMsg;
+ instanceConf_t *inst = (instanceConf_t*) pUsr;
DEFiRet;
CHKiRet(msgConstruct(&pMsg));
- MsgSetInputName(pMsg, pInputName);
+ MsgSetInputName(pMsg, inst->pInputName);
MsgSetRawMsg(pMsg, (char*)msg, lenMsg);
MsgSetFlowControlType(pMsg, eFLOWCTL_LIGHT_DELAY);
- MsgSetRuleset(pMsg, runModConf->pBindRuleset);
+ MsgSetRuleset(pMsg, inst->pBindRuleset);
pMsg->msgFlags = PARSE_HOSTNAME | NEEDS_PARSING;
- /* TODO: optimize this, we can store it inside the session, requires
- * changes to librelp --> next librelp iteration?. rgerhards, 2012-10-29
- */
+ /* TODO: optimize this, we can store it inside the session */
MsgSetRcvFromStr(pMsg, pHostname, ustrlen(pHostname), &pProp);
CHKiRet(prop.Destruct(&pProp));
CHKiRet(MsgSetRcvFromIPStr(pMsg, pIP, ustrlen(pIP), &pProp));
CHKiRet(prop.Destruct(&pProp));
CHKiRet(submitMsg2(pMsg));
+ STATSCOUNTER_INC(inst->data.ctrSubmit, inst->data.mutCtrSubmit);
finalize_it:
@@ -155,6 +240,22 @@ createInstance(instanceConf_t **pinst)
inst->next = NULL;
inst->pszBindPort = NULL;
+ inst->pszBindRuleset = NULL;
+ inst->pszInputName = NULL;
+ inst->pBindRuleset = NULL;
+ inst->bKeepAlive = 0;
+ inst->iKeepAliveIntvl = 0;
+ inst->iKeepAliveProbes = 0;
+ inst->iKeepAliveTime = 0;
+ inst->bEnableTLS = 0;
+ inst->bEnableTLSZip = 0;
+ inst->dhBits = 0;
+ inst->pristring = NULL;
+ inst->authmode = NULL;
+ inst->permittedPeers.nmemb = 0;
+ inst->caCertFile = NULL;
+ inst->myCertFile = NULL;
+ inst->myPrivKeyFile = NULL;
/* node created, let's add to config */
if(loadModConf->tail == NULL) {
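Review bot: The added initialisers skip `inst->pInputName`, `inst->permittedPeers.name` and `inst->data.stats`, although freeCnf in this commit calls `statsobj.Destruct(&(inst->data.stats))` on every instance. If addListner fails before `statsobj.Construct` (or is never reached for an instance), that call may see an indeterminate pointer. Whether the allocation is zeroed cannot be told from here, because createInstance starts outside the hunk. Setting them explicitly keeps the cleanup path safe either way: `inst->pInputName = NULL;`, `inst->permittedPeers.name = NULL;`, `inst->data.stats = NULL;`.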
@@ -170,16 +271,17 @@ finalize_it:
}
-/* modified to work for module, not instance (as usual) */
+/* function to generate an error message if the ruleset cannot be found */
static inline void
-std_checkRuleset_genErrMsg(modConfData_t *modConf, __attribute__((unused)) instanceConf_t *inst)
+std_checkRuleset_genErrMsg(__attribute__((unused)) modConfData_t *modConf, instanceConf_t *inst)
{
- errmsg.LogError(0, NO_ERRCODE, "imrelp: ruleset '%s' not found - "
- "using default ruleset instead", modConf->pszBindRuleset);
+ errmsg.LogError(0, NO_ERRCODE, "imrelp[%s]: ruleset '%s' not found - "
+ "using default ruleset instead",
+ inst->pszBindPort, inst->pszBindRuleset);
}
-/* This function is called when a new listener instace shall be added to
+/* This function is called when a new listener instance shall be added to
* the current config object via the legacy config system. It just shuffles
* all parameters to the listener in-memory instance.
* rgerhards, 2011-05-04
@@ -194,9 +296,19 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal)
if(pNewVal == NULL || *pNewVal == '\0') {
errmsg.LogError(0, NO_ERRCODE, "imrelp: port number must be specified, listener ignored");
}
- inst->pszBindPort = pNewVal;
-
+ if((pNewVal == NULL) || (pNewVal == '\0')) {
+ inst->pszBindPort = NULL;
+ } else {
+ CHKmalloc(inst->pszBindPort = ustrdup(pNewVal));
+ }
+ if((cs.pszBindRuleset == NULL) || (cs.pszBindRuleset[0] == '\0')) {
+ inst->pszBindRuleset = NULL;
+ } else {
+ CHKmalloc(inst->pszBindRuleset = ustrdup(cs.pszBindRuleset));
+ }
+ inst->pBindRuleset = NULL;
finalize_it:
+ free(pNewVal);
RETiRet;
}
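Review bot: The new guard `(pNewVal == '\0')` compares the pointer itself with a null character constant, so it only repeats the NULL test and an empty string still reaches `ustrdup`. The context check just above uses `*pNewVal == '\0'`, and the new line should match it: `if((pNewVal == NULL) || (*pNewVal == '\0')) {`. As written, an empty port string is stored in `inst->pszBindPort` and later handed to `relpSrvSetLstnPort`, even though the message above says the listener is ignored. addInstance starts outside the hunk.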
@@ -204,19 +316,88 @@ finalize_it:
static rsRetVal
addListner(modConfData_t __attribute__((unused)) *modConf, instanceConf_t *inst)
{
+ relpSrv_t *pSrv;
+ int relpRet;
+ uchar statname[64];
+ int i;
DEFiRet;
if(pRelpEngine == NULL) {
CHKiRet(relpEngineConstruct(&pRelpEngine));
CHKiRet(relpEngineSetDbgprint(pRelpEngine, dbgprintf));
CHKiRet(relpEngineSetFamily(pRelpEngine, glbl.GetDefPFFamily()));
CHKiRet(relpEngineSetEnableCmd(pRelpEngine, (uchar*) "syslog", eRelpCmdState_Required));
- CHKiRet(relpEngineSetSyslogRcv(pRelpEngine, onSyslogRcv));
+ CHKiRet(relpEngineSetSyslogRcv2(pRelpEngine, onSyslogRcv));
+ CHKiRet(relpEngineSetOnErr(pRelpEngine, onErr));
+ CHKiRet(relpEngineSetOnGenericErr(pRelpEngine, onGenericErr));
+ CHKiRet(relpEngineSetOnAuthErr(pRelpEngine, onAuthErr));
if (!glbl.GetDisableDNS()) {
CHKiRet(relpEngineSetDnsLookupMode(pRelpEngine, 1));
}
}
- CHKiRet(relpEngineAddListner(pRelpEngine, inst->pszBindPort));
+ CHKiRet(relpEngineListnerConstruct(pRelpEngine, &pSrv));
+ CHKiRet(relpSrvSetLstnPort(pSrv, inst->pszBindPort));
+ inst->pszInputName = ustrdup((inst->pszInputName == NULL) ? UCHAR_CONSTANT("imrelp") : inst->pszInputName);
+ CHKiRet(prop.Construct(&inst->pInputName));
+ CHKiRet(prop.SetString(inst->pInputName, inst->pszInputName, ustrlen(inst->pszInputName)));
+ CHKiRet(prop.ConstructFinalize(inst->pInputName));
+ /* support statistics gathering */
+ CHKiRet(statsobj.Construct(&(inst->data.stats)));
+ snprintf((char*)statname, sizeof(statname), "imrelp[%s]",
+ inst->pszBindPort);
+ statname[sizeof(statname)-1] = '\0'; /* just to be on the save side... */
+ CHKiRet(statsobj.SetName(inst->data.stats, statname));
+ STATSCOUNTER_INIT(inst->data.ctrSubmit, inst->data.mutCtrSubmit);
+ CHKiRet(statsobj.AddCounter(inst->data.stats, UCHAR_CONSTANT("submitted"),
+ ctrType_IntCtr, CTR_FLAG_RESETTABLE, &(inst->data.ctrSubmit)));
+ CHKiRet(statsobj.ConstructFinalize(inst->data.stats));
+ /* end stats counters */
+ relpSrvSetUsrPtr(pSrv, inst);
+ relpSrvSetKeepAlive(pSrv, inst->bKeepAlive, inst->iKeepAliveIntvl,
+ inst->iKeepAliveProbes, inst->iKeepAliveTime);
+ if(inst->bEnableTLS) {
+ relpRet = relpSrvEnableTLS2(pSrv);
+ if(relpRet == RELP_RET_ERR_NO_TLS) {
+ errmsg.LogError(0, RS_RET_RELP_NO_TLS,
+ "imrelp: could not activate relp TLS, librelp "
+ "does not support it (most probably GnuTLS lib "
+ "is too old)!");
+ ABORT_FINALIZE(RS_RET_RELP_NO_TLS);
+ } else if(relpRet != RELP_RET_OK) {
+ errmsg.LogError(0, RS_RET_RELP_ERR,
+ "imrelp: could not activate relp TLS, code %d", relpRet);
+ ABORT_FINALIZE(RS_RET_RELP_ERR);
+ }
+ if(inst->bEnableTLSZip) {
+ relpSrvEnableTLSZip2(pSrv);
+ }
+ if(inst->dhBits) {
+ relpSrvSetDHBits(pSrv, inst->dhBits);
+ }
+ relpSrvSetGnuTLSPriString(pSrv, (char*)inst->pristring);
+ if(relpSrvSetAuthMode(pSrv, (char*)inst->authmode) != RELP_RET_OK) {
+ errmsg.LogError(0, RS_RET_RELP_ERR,
+ "imrelp: invalid auth mode '%s'", inst->authmode);
+ ABORT_FINALIZE(RS_RET_RELP_ERR);
+ }
+ if(relpSrvSetCACert(pSrv, (char*) inst->caCertFile) != RELP_RET_OK)
+ ABORT_FINALIZE(RS_RET_RELP_ERR);
+ if(relpSrvSetOwnCert(pSrv, (char*) inst->myCertFile) != RELP_RET_OK)
+ ABORT_FINALIZE(RS_RET_RELP_ERR);
+ if(relpSrvSetPrivKey(pSrv, (char*) inst->myPrivKeyFile) != RELP_RET_OK)
+ ABORT_FINALIZE(RS_RET_RELP_ERR);
+ for(i = 0 ; i < inst->permittedPeers.nmemb ; ++i) {
+ relpSrvAddPermittedPeer(pSrv, (char*)inst->permittedPeers.name[i]);
+ }
+ }
+ relpRet = relpEngineListnerConstructFinalize(pRelpEngine, pSrv);
+ if(relpRet != RELP_RET_OK) {
+ errmsg.LogError(0, RS_RET_RELP_ERR,
+ "imrelp: could not activate relp listner, code %d", relpRet);
+ ABORT_FINALIZE(RS_RET_RELP_ERR);
+ }
+
+ resetConfigVariables(NULL,NULL);
finalize_it:
RETiRet;
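Review bot: In the `if(inst->bEnableTLS)` branch the results of `relpSrvSetGnuTLSPriString`, `relpSrvEnableTLSZip2` and `relpSrvAddPermittedPeer` are discarded, while `relpSrvSetAuthMode` and the certificate setters next to them are checked. If these calls return a `relpRetVal` like their neighbours, a failure leaves the listener running with a different cipher policy or peer list than the administrator configured, and nothing is logged. The three certificate-file checks also abort without any message, so the operator cannot see which path was rejected. Separately, the `ustrdup` result assigned to `inst->pszInputName` is not wrapped in `CHKmalloc` before `ustrlen` reads it, and it overwrites a configured name without freeing it. The function's closing brace lies outside the hunk.

```c
		if(relpSrvSetGnuTLSPriString(pSrv, (char*)inst->pristring) != RELP_RET_OK) {
			errmsg.LogError(0, RS_RET_RELP_ERR,
				"imrelp[%s]: could not set TLS priority string",
				inst->pszBindPort);
			ABORT_FINALIZE(RS_RET_RELP_ERR);
		}
		/* … unchanged: auth mode and certificate file setters … */
		for(i = 0 ; i < inst->permittedPeers.nmemb ; ++i) {
			if(relpSrvAddPermittedPeer(pSrv,
				(char*)inst->permittedPeers.name[i]) != RELP_RET_OK) {
				errmsg.LogError(0, RS_RET_RELP_ERR,
					"imrelp[%s]: could not add permitted peer '%s'",
					inst->pszBindPort, inst->permittedPeers.name[i]);
				ABORT_FINALIZE(RS_RET_RELP_ERR);
			}
		}
```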
@@ -226,7 +407,7 @@ finalize_it:
BEGINnewInpInst
struct cnfparamvals *pvals;
instanceConf_t *inst;
- int i;
+ int i,j;
CODESTARTnewInpInst
DBGPRINTF("newInpInst (imrelp)\n");
@@ -249,6 +430,41 @@ CODESTARTnewInpInst
continue;
if(!strcmp(inppblk.descr[i].name, "port")) {
inst->pszBindPort = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(inppblk.descr[i].name, "name")) {
+ inst->pszInputName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(inppblk.descr[i].name, "ruleset")) {
+ inst->pszBindRuleset = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(inppblk.descr[i].name, "keepalive")) {
+ inst->bKeepAlive = (sbool) pvals[i].val.d.n;
+ } else if(!strcmp(inppblk.descr[i].name, "keepalive.probes")) {
+ inst->iKeepAliveProbes = (int) pvals[i].val.d.n;
+ } else if(!strcmp(inppblk.descr[i].name, "keepalive.time")) {
+ inst->iKeepAliveTime = (int) pvals[i].val.d.n;
+ } else if(!strcmp(inppblk.descr[i].name, "keepalive.interval")) {
+ inst->iKeepAliveIntvl = (int) pvals[i].val.d.n;
+ } else if(!strcmp(inppblk.descr[i].name, "tls")) {
+ inst->bEnableTLS = (unsigned) pvals[i].val.d.n;
+ } else if(!strcmp(inppblk.descr[i].name, "tls.dhbits")) {
+ inst->dhBits = (unsigned) pvals[i].val.d.n;
+ } else if(!strcmp(inppblk.descr[i].name, "tls.prioritystring")) {
+ inst->pristring = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(inppblk.descr[i].name, "tls.authmode")) {
+ inst->authmode = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(inppblk.descr[i].name, "tls.compression")) {
+ inst->bEnableTLSZip = (unsigned) pvals[i].val.d.n;
+ } else if(!strcmp(inppblk.descr[i].name, "tls.cacert")) {
+ inst->caCertFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(inppblk.descr[i].name, "tls.mycert")) {
+ inst->myCertFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(inppblk.descr[i].name, "tls.myprivkey")) {
+ inst->myPrivKeyFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(inppblk.descr[i].name, "tls.permittedpeer")) {
+ inst->permittedPeers.nmemb = pvals[i].val.d.ar->nmemb;
+ CHKmalloc(inst->permittedPeers.name =
+ malloc(sizeof(uchar*) * inst->permittedPeers.nmemb));
+ for(j = 0 ; j < pvals[i].val.d.ar->nmemb ; ++j) {
+ inst->permittedPeers.name[j] = (uchar*)es_str2cstr(pvals[i].val.d.ar->arr[j], NULL);
+ }
} else {
dbgprintf("imrelp: program error, non-handled "
"param '%s'\n", inppblk.descr[i].name);
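Review bot: In the `tls.permittedpeer` branch `inst->permittedPeers.nmemb` is set before the `CHKmalloc`. If the allocation fails, the instance keeps a non-zero count with no valid `name` array, and the freeCnf loop added in this commit walks `permittedPeers.name[i]` up to that count. Assign the count only after the array exists, i.e. move `inst->permittedPeers.nmemb = pvals[i].val.d.ar->nmemb;` below the `CHKmalloc` and size the allocation from `pvals[i].val.d.ar->nmemb`. The `es_str2cstr` results stored for the peers and for the `tls.*` strings are not checked for NULL either. newInpInst starts and ends outside the hunk.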
@@ -264,41 +480,76 @@ BEGINbeginCnfLoad
CODESTARTbeginCnfLoad
loadModConf = pModConf;
pModConf->pConf = pConf;
+ pModConf->pszBindRuleset = NULL;
/* init legacy config variables */
cs.pszBindRuleset = NULL;
+ bLegacyCnfModGlobalsPermitted = 1;
ENDbeginCnfLoad
+BEGINsetModCnf
+ struct cnfparamvals *pvals = NULL;
+ int i;
+CODESTARTsetModCnf
+ pvals = nvlstGetParams(lst, &modpblk, NULL);
+ if(pvals == NULL) {
+ errmsg.LogError(0, RS_RET_MISSING_CNFPARAMS, "error processing module "
+ "config parameters [module(...)]");
+ ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS);
+ }
+
+ if(Debug) {
+ dbgprintf("module (global) param blk for imrelp:\n");
+ cnfparamsPrint(&modpblk, pvals);
+ }
+
+ for(i = 0 ; i < modpblk.nParams ; ++i) {
+ if(!pvals[i].bUsed)
+ continue;
+ if(!strcmp(modpblk.descr[i].name, "ruleset")) {
+ loadModConf->pszBindRuleset = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else {
+ dbgprintf("imrelp: program error, non-handled "
+ "param '%s' in beginCnfLoad\n", modpblk.descr[i].name);
+ }
+ }
+ /* remove all of our legacy module handlers, as they can not used in addition
+ * the the new-style config method.
+ */
+ bLegacyCnfModGlobalsPermitted = 0;
+finalize_it:
+ if(pvals != NULL)
+ cnfparamvalsDestruct(pvals, &modpblk);
+ENDsetModCnf
+
BEGINendCnfLoad
CODESTARTendCnfLoad
- if((cs.pszBindRuleset == NULL) || (cs.pszBindRuleset[0] == '\0')) {
- loadModConf->pszBindRuleset = NULL;
+ if(loadModConf->pszBindRuleset == NULL) {
+ if((cs.pszBindRuleset == NULL) || (cs.pszBindRuleset[0] == '\0')) {
+ loadModConf->pszBindRuleset = NULL;
+ } else {
+ CHKmalloc(loadModConf->pszBindRuleset = ustrdup(cs.pszBindRuleset));
+ }
} else {
- CHKmalloc(loadModConf->pszBindRuleset = ustrdup(cs.pszBindRuleset));
+ if((cs.pszBindRuleset != NULL) && (cs.pszBindRuleset[0] != '\0')) {
+ errmsg.LogError(0, RS_RET_DUP_PARAM, "imrelp: warning: ruleset "
+ "set via legacy directive ignored");
+ }
}
- loadModConf->pBindRuleset = NULL;
finalize_it:
free(cs.pszBindRuleset);
+ cs.pszBindRuleset = NULL;
loadModConf = NULL; /* done loading */
ENDendCnfLoad
-
BEGINcheckCnf
- rsRetVal localRet;
- ruleset_t *pRuleset;
+ instanceConf_t *inst;
CODESTARTcheckCnf
- /* we emulate the standard "ruleset query" code provided by the framework
- * for *instances* (which we can currently not support due to librelp).
- */
- if(pModConf->pszBindRuleset == NULL) {
- pModConf->pBindRuleset = NULL;
- } else {
- localRet = ruleset.GetRuleset(pModConf->pConf, &pRuleset, pModConf->pszBindRuleset);
- if(localRet == RS_RET_NOT_FOUND) {
- std_checkRuleset_genErrMsg(pModConf, NULL);
+ for(inst = pModConf->root ; inst != NULL ; inst = inst->next) {
+ if(inst->pszBindRuleset == NULL && pModConf->pszBindRuleset != NULL) {
+ CHKmalloc(inst->pszBindRuleset = ustrdup(pModConf->pszBindRuleset));
}
- CHKiRet(localRet);
- pModConf->pBindRuleset = pRuleset;
+ std_checkRuleset(pModConf, inst);
}
finalize_it:
ENDcheckCnf
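Review bot: The debug message in the new setModCnf block names the wrong entry point: it prints `"param '%s' in beginCnfLoad\n"` from inside setModCnf, which sends anyone reading a debug log to the wrong function. Suggest `"param '%s' in setModCnf\n"`. The comment before `bLegacyCnfModGlobalsPermitted = 0;` is also garbled ("can not used in addition the the new-style config method") and is better as `/* disable the legacy module-global directives; they cannot be used together with the new-style config */`. If `ruleset` can reach this loop when `loadModConf->pszBindRuleset` is already set, the earlier string is overwritten without being freed, but that depends on the caller.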
@@ -311,8 +562,10 @@ CODESTARTactivateCnfPrePrivDrop
for(inst = runModConf->root ; inst != NULL ; inst = inst->next) {
addListner(pModConf, inst);
}
- if(pRelpEngine == NULL)
+ if(pRelpEngine == NULL) {
+ errmsg.LogError(0, RS_RET_NO_LSTN_DEFINED, "imrelp: no RELP listener defined, module can not run.");
ABORT_FINALIZE(RS_RET_NO_RUN);
+ }
finalize_it:
ENDactivateCnfPrePrivDrop
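Review bot: The new error message covers only `pRelpEngine == NULL`, while the return value of `addListner(pModConf, inst)` in the loop above is still ignored. With this commit addListner can fail on TLS setup (unsupported TLS, bad auth mode, rejected certificate paths), and once the engine has been constructed such a failure leaves the module running without that listener and without a failure from this entry point. Consider capturing the result and at least logging which port was dropped, e.g. `if(addListner(pModConf, inst) != RS_RET_OK) errmsg.LogError(0, RS_RET_RELP_ERR, "imrelp[%s]: listener could not be activated", inst->pszBindPort);`. The message is also logged under `RS_RET_NO_LSTN_DEFINED` while the abort uses `RS_RET_NO_RUN`; using one code for both would make the log line match the returned state.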
@@ -323,13 +576,23 @@ ENDactivateCnf
BEGINfreeCnf
instanceConf_t *inst, *del;
+ int i;
CODESTARTfreeCnf
for(inst = pModConf->root ; inst != NULL ; ) {
free(inst->pszBindPort);
+ free(inst->pszBindRuleset);
+ free(inst->pszInputName);
+ free(inst->pristring);
+ free(inst->authmode);
+ statsobj.Destruct(&(inst->data.stats));
+ for(i = 0 ; i < inst->permittedPeers.nmemb ; ++i) {
+ free(inst->permittedPeers.name[i]);
+ }
del = inst;
inst = inst->next;
free(del);
}
+ free(pModConf->pszBindRuleset);
ENDfreeCnf
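Review bot: freeCnf releases `pristring` and `authmode` but not the other strings newInpInst allocates with `es_str2cstr` (`caCertFile`, `myCertFile`, `myPrivKeyFile`), and it frees each `permittedPeers.name[i]` but never the `name` array itself. The per-instance `pInputName` property built in addListner is also never destructed now that the global one is gone; a `prop.Destruct(&inst->pInputName)` here would need that pointer to be NULL for instances whose listener was never built. The same applies to the existing `statsobj.Destruct(&(inst->data.stats))` call, since createInstance does not visibly initialise `data.stats`.

```c
		free(inst->authmode);
		free(inst->caCertFile);
		free(inst->myCertFile);
		free(inst->myPrivKeyFile);
		/* … unchanged: statsobj.Destruct and the per-peer free loop … */
		if(inst->permittedPeers.nmemb > 0)
			free(inst->permittedPeers.name);
```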
/* This is used to terminate the plugin. Note that the signal handler blocks
@@ -385,11 +648,8 @@ CODESTARTmodExit
if(pRelpEngine != NULL)
iRet = relpEngineDestruct(&pRelpEngine);
- /* global variable cleanup */
- if(pInputName != NULL)
- prop.Destruct(&pInputName);
-
/* release objects we used */
+ objRelease(statsobj, CORE_COMPONENT);
objRelease(ruleset, CORE_COMPONENT);
objRelease(glbl, CORE_COMPONENT);
objRelease(prop, CORE_COMPONENT);
@@ -420,6 +680,7 @@ CODEqueryEtryPt_STD_IMOD_QUERIES
CODEqueryEtryPt_STD_CONF2_QUERIES
CODEqueryEtryPt_STD_CONF2_PREPRIVDROP_QUERIES
CODEqueryEtryPt_STD_CONF2_IMOD_QUERIES
+CODEqueryEtryPt_STD_CONF2_setModCnf_QUERIES
CODEqueryEtryPt_IsCompatibleWithFeature_IF_OMOD_QUERIES
ENDqueryEtryPt
@@ -435,19 +696,15 @@ CODEmodInit_QueryRegCFSLineHdlr
CHKiRet(objUse(errmsg, CORE_COMPONENT));
CHKiRet(objUse(net, LM_NET_FILENAME));
CHKiRet(objUse(ruleset, CORE_COMPONENT));
+ CHKiRet(objUse(statsobj, CORE_COMPONENT));
/* register config file handlers */
- CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputrelpserverbindruleset", 0, eCmdHdlrGetWord,
- NULL, &cs.pszBindRuleset, STD_LOADABLE_MODULE_ID));
+ CHKiRet(regCfSysLineHdlr2((uchar*)"inputrelpserverbindruleset", 0, eCmdHdlrGetWord,
+ NULL, &cs.pszBindRuleset, STD_LOADABLE_MODULE_ID, &bLegacyCnfModGlobalsPermitted));
CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputrelpserverrun", 0, eCmdHdlrGetWord,
addInstance, NULL, STD_LOADABLE_MODULE_ID));
CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler,
resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID));
-
- /* we need to create the inputName property (only once during our lifetime) */
- CHKiRet(prop.Construct(&pInputName));
- CHKiRet(prop.SetString(pInputName, UCHAR_CONSTANT("imrelp"), sizeof("imrelp") - 1));
- CHKiRet(prop.ConstructFinalize(pInputName));
ENDmodInit