On 2022-08-06, Todd Carpenter <[email protected]> wrote:
> Hi all,
>
> I've been trying to get relayd up and running on my configuration and had a
> couple of questions I could not find answers for.
>
> As I understand it, relayd is capable of making a "protocol" where you
> could essentially take connection details and call it whatever you like,
> then create rules in pf via that protocol.
>
> for example, in mwl's relayd book he creates a "dns fix protocol"
> relay dns {
>     listen on 203.0.113.213 port 53
>     forward to check tcp
>     protocol dnsfix
> }
>
> questions:
> how can I pass this to pf.conf and apply stickiness to it to ensure that if
> the protocol dnsfix was routed to server 52 on the back end.. that all
> future requests are sent to server 52 and not server 17 (i.e. is this a
> relayd.conf thing.. or a pf.conf thing)?
Relays are userland TCP proxies done inside relayd. Configuring them
is done in relayd.conf. See
man relayd.conf | less "+/set the scheduling algorithm"
> is it possible to have multiple ports and protocols wrapped into a new
> protocol?
> for example I need port 443 tcp, 10443 tcp, 8000 udp and 8001 tcp .. to be
> treated as a single connection. Is a protocol even the right tool for the
> job? If so, how do you add multiple ports? or does each rule need to be
> separate? (an example would be awesome)
As a single protocol definition? You can't, you need separate ones.
> Next question, in regards to the previous question. How would you apply a
> stickiness state to ensure that all 4 ports from the same client are sent
> to the same server?
"mode source-hash" is probably the only option.
> last question..
> how do you decide what configuration should be placed in pf.conf vs
> relayd.conf? and if you're using an anchor like relayd .. in terms of pf, is
> there 1 config or are they separate?
>
> I.e.: if I have a <table> in relayd.conf that defines {server1,2,3,4} do I
> need the same table in my pf.conf file? or should I make the exact same
> table with a unique name? or are the relayd.conf tables used as both an
> anchor and expanded into the default pf.conf?
For the main part relayd loads what it needs into PF under the anchor.
If you're using _redirections_ with sticky-address and want that to persist
across multiple connections then see "src.track" in pf.conf(5).
--
Please keep replies on the mailing list.
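The setup discussed in the thread, written out as an added example (it is not from the thread, from MWL's book or from relayd's own documentation): separate relay definitions that share one table, each choosing the backend with mode source-hash; a redirect for the UDP port with sticky-address; and the pf.conf side with the relayd anchor and the src.track timeout. The addresses, the table name, the interface name and the timeout value are constructed, and the udp keyword on the redirect's listen line is an assumption to verify against relayd.conf(5) on the installed version.

```conf
# /etc/relayd.conf (added example, not from the thread; all values constructed)
ext_addr = "203.0.113.213"

# one backend table shared by every relay and redirect below
table <backends> { 192.0.2.17 192.0.2.52 }

# relays are userland TCP proxies; each port needs its own relay block.
# mode source-hash derives the backend from the client address, so the
# same client is sent to the same server on all of these ports.
relay https {
    listen on $ext_addr port 443
    forward to <backends> port 443 mode source-hash check tcp
}

relay https_alt {
    listen on $ext_addr port 10443
    forward to <backends> port 10443 mode source-hash check tcp
}

relay app_tcp {
    listen on $ext_addr port 8001
    forward to <backends> port 8001 mode source-hash check tcp
}

# UDP cannot go through a relay, so it is a redirection: relayd loads
# rdr-to rules for it into its pf anchor. The udp keyword is assumed;
# check the listen syntax in relayd.conf(5) for your version.
redirect app_udp {
    listen on $ext_addr udp port 8000
    forward to <backends> port 8000 mode roundrobin check icmp
    sticky-address
}

# /etc/pf.conf (added example; interface name and timeout are constructed)
ext_if = "em0"
ext_addr = "203.0.113.213"

# a sticky-address mapping is a source-tracking entry; with the default
# timeout it is dropped as soon as the last state expires (pf.conf(5), src.track)
set timeout src.track 300

# relayd loads its rdr-to rules and its tables under this anchor, so the
# backend table is not repeated in pf.conf
anchor "relayd/*"

# the relays are sockets owned by relayd; pf only has to admit the traffic
pass in on $ext_if proto tcp to $ext_addr port { 443 10443 8001 }
```

The two stickiness mechanisms are separate: the relays pick their backend inside relayd (source-hash), while the redirect's mapping lives in pf, which is why the src.track timeout belongs in pf.conf. Check both files before loading them with `relayd -n -f /etc/relayd.conf` and `pfctl -nf /etc/pf.conf`, and inspect what relayd put into the anchor with `pfctl -a "relayd/*" -sr`.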