>Synopsis: relayd silently ignores ill-defined protocol mixtures
>Category: system
>Environment:
System : OpenBSD 6.6
Details : OpenBSD 6.6 (GENERIC.MP) #372: Sat Oct 12 10:56:27 MDT 2019
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Architecture: OpenBSD.amd64
Machine : amd64
>Description:
a. Multiple `protocol` lines are allowed in a relay, but only the *last*
one defines what happens. It would be so much more helpful if this was a
straight error.
b. tcp/tls/http options can be set in `dns protocol` blocks, though they
are ignored. This should also be an error.
>How-To-Repeat:
a.
This relayd speaks DNS on UDP port 80:
```
$ cat > relayd.conf <<EOF
table <web> { "127.0.0.1" }
table <app> { "127.0.0.1" }
http protocol A {
    return error
    match request path "/app/*" forward to <app>
}
dns protocol B {
    return error
}
relay P {
    listen on 0.0.0.0 port 80
    protocol A
    forward to <web> port 8080
    protocol B
    forward to <app> port 8082
}
EOF
$ doas relayd -f relayd.conf
```
```
$ fstat | grep relayd | grep internet
_relayd relayd 29047 10* internet dgram udp *:80
_relayd relayd 40704 10* internet dgram udp *:80
_relayd relayd 21221 10* internet dgram udp *:80
_relayd relayd 88624 4* internet raw icmp 0x0
_relayd relayd 88624 5* internet raw icmp 0x0
_relayd relayd 88624 6* internet6 raw ipv6-icmp 0x0
_relayd relayd 88624 7* internet6 raw ipv6-icmp 0x0
```
while this one speaks http:
```
$ cat > relayd.conf <<EOF
table <web> { "127.0.0.1" }
table <app> { "127.0.0.1" }
dns protocol A {
    return error
    match request path "/app/*" forward to <app>
}
http protocol B {
    return error
}
relay P {
    listen on 0.0.0.0 port 80
    protocol A
    forward to <web> port 8080
    protocol B
    forward to <app> port 8082
}
EOF
$ doas relayd -f relayd.conf
```
```
$ fstat | grep relayd | grep internet
_relayd relayd 2564 10* internet stream tcp 0x0 *:80
_relayd relayd 29428 10* internet stream tcp 0x0 *:80
_relayd relayd 61476 10* internet stream tcp 0x0 *:80
_relayd relayd 90200 4* internet raw icmp 0x0
_relayd relayd 90200 5* internet raw icmp 0x0
_relayd relayd 90200 6* internet6 raw ipv6-icmp 0x0
_relayd relayd 90200 7* internet6 raw ipv6-icmp 0x0
$
$ curl http://localhost # demonstrate that relayd is speaking http
<!DOCTYPE html>
<html>
<head>
<title>500 Internal Server Error</title>
<style type="text/css"><!--
body { background-color: #a00000; color: white; font-family: 'Comic
Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }
hr { border: 0; border-bottom: 1px dashed; }
--></style>
</head>
<body>
<h1>Internal Server Error</h1>
<div id='m'></div>
<div id='l'></div>
<hr><address>OpenBSD relayd at 0.0.0.0 port 80</address>
</body>
</html>
```
b.
You can see in the latter example that `match request path` is legal in
`dns protocol` blocks, which makes no sense.
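Until relayd rejects these configurations itself, the two mixtures above can be caught before `relayd -f` is ever run. The script below is an added example written for this report, not code from relayd or OpenBSD: an awk-based lint that flags (a) a `relay` block with more than one `protocol` line and (b) a `dns protocol` block carrying `match`, `return`, `tcp`, `tls` or `http` directives. It assumes a simplified grammar (each block opener ends its line with `{`, each closing brace starts a line) and an assumed list of non-DNS directive keywords; neither is relayd's actual parser. The sample configuration it runs on is constructed from the first example above.

```shell
#!/bin/sh
# Added example, not part of relayd. Approximates relayd.conf grammar:
# one block opener per line ending in "{", closing "}" at line start.
# The keyword list for "http/tcp/tls-only directives" is an assumption.
lint_relayd_conf() {
    awk '
    # drop comments and leading whitespace; skip blank lines
    { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
    /^[ \t]*$/ { next }
    # block openers: "relay NAME {", "dns protocol NAME {", "http|tcp protocol NAME {"
    /^relay[ \t]+[^ \t]+[ \t]*[{][ \t]*$/ { block = "relay"; name = $2; nproto = 0; next }
    /^dns[ \t]+protocol[ \t]+[^ \t]+[ \t]*[{][ \t]*$/ { block = "dns"; name = $3; next }
    /^(http|tcp)[ \t]+protocol[ \t]+[^ \t]+[ \t]*[{][ \t]*$/ { block = "other"; next }
    /^[}]/ { block = ""; next }
    # (a) a relay with more than one protocol line: only the last one wins
    block == "relay" && $1 == "protocol" {
        if (++nproto > 1) {
            printf("%s:%d: relay %s: extra \"protocol %s\" (only the last protocol line takes effect)\n",
                   FILENAME, NR, name, $2)
            bad = 1
        }
        next
    }
    # (b) http/tcp/tls directives inside a dns protocol: accepted but ignored
    block == "dns" && ($1 == "match" || $1 == "return" || $1 == "tcp" || $1 == "tls" || $1 == "http") {
        printf("%s:%d: dns protocol %s: \"%s\" is an http/tcp/tls directive and has no effect here\n",
               FILENAME, NR, name, $1)
        bad = 1
        next
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample input: the first configuration from the report.
write_sample_conf() {
    cat > "$1" <<'EOF'
table <web> { "127.0.0.1" }
table <app> { "127.0.0.1" }
http protocol A {
    return error
    match request path "/app/*" forward to <app>
}
dns protocol B {
    return error
}
relay P {
    listen on 0.0.0.0 port 80
    protocol A
    forward to <web> port 8080
    protocol B
    forward to <app> port 8082
}
EOF
}

conf=$(mktemp) || exit 1
write_sample_conf "$conf"
# Prints one finding per offending line; exit status 1 when anything was flagged.
if lint_relayd_conf "$conf"; then
    echo "$conf: no problems found"
fi
rm -f "$conf"
```

Run it as `sh lint.sh` to see the two findings on the sample, or call `lint_relayd_conf /etc/relayd.conf` from a deployment script and abort on a non-zero exit. Because the grammar is approximated, treat a clean run as "nothing obviously wrong", not as proof that `relayd -n` would accept the file.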