I just wanted to clarify, for relayd..

Is it possible to filter / load-balance based on the SPI information of the
4-byte headers within ipsec?
https://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload

*Security Parameters Index* (32 bits): Arbitrary value used (together with
the destination IP address) to identify the security association
<https://en.wikipedia.org/wiki/Security_association> of the receiving party.

I could not find any information that relates specifically to ipsec traffic.
Thanks Again.

On Sun, Aug 7, 2022 at 3:59 AM Stuart Henderson <stu.li...@spacehopper.org>
wrote:

> On 2022-08-06, Todd Carpenter <tcarpenter...@gmail.com> wrote:
> > Hi all,
> >
> > I've been trying to get relayd up and running on my configuration and
> had a
> > couple of questions I could not find answers for.
> >
> > As I understand it, relayd is capable of making a "protocol" where you
> > could essentially take connection details and call it whatever you like,
> > then create rules in pf via that protocol.
> >
> > for example, in mwl's relayd book he creates a "dns fix protocol"
> > relay dns {
> >      listen on 203.0.113.213 port 53
> >      forward to check tcp
> >      protocol dnsfix
> > }
> >
> > questions:
> > how can I pass this to pf.conf and apply stickiness to it to ensure that
> if
> > the protocol dnsfix was routed to server 52 on the back end.. that all
> > future requests are sent to server 52 and not server 17 (i.e. is this a
> > relayd.conf thing.. or a pf.conf thing)?
>
> Relays are userland TCP proxies done inside relayd. Configuring them
> is done in relayd.conf. See
>
> man relayd.conf | less "+/set the scheduling algorithm"
>
> > is it possible to have multiple ports and protocols wrapped into a new
> > protocol?
> > for example I need port 443 tcp, 10443 tcp, 8000 udp and 8001 tcp  .. to
> be
> > treated as a single connection.  Is a protocol even the right tool for
> the
> > job? If so, how do you add multiple ports? or does each rule need to be
> > separate?  (an example would be awesome)
>
> As a single protocol definition? You can't, you need separate ones.
>
> > Next question, in regards to the previous question. How would you apply a
> > stickiness state to ensure that all 4 ports from the same client are sent
> > to the same server?
>
> "mode source-hash" is probably the only option.
>
> > last question..
> > how do you decide what configuration should be placed in pf.conf vs
> > relayd.conf?  and if you're using an anchor like relayd .. in terms of pf,
> is
> > there 1 config or are they separate?
> >
> > I.e.: if I have a <table> in relayd.conf that defines {server1,2,3,4}  do I
> > need the same table in my pf.conf file? or should I make the exact same
> > table with a unique name? or are the relayd.conf tables used as both an
> > anchor and expanded into the default pf.conf?
>
> For the main part relayd loads what it needs into PF under the anchor.
>
> If you're using _redirections_ with sticky-address and want that to persist
> across multiple connections then see "src.track" in pf.conf(5).
>
>
> --
> Please keep replies on the mailing list.
>
>

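As an added example (not from the thread or from relayd's own documentation), this is what the "separate relays with mode source-hash, redirection with sticky-address for UDP" answer above looks like in relayd.conf. Addresses are constructed; the hash-key syntax and the placement of the udp keyword are assumptions to check against relayd.conf(5).

```conf
# Constructed example: one backend pool shared by every relay and
# redirection below.
table <backends> { 192.0.2.10 192.0.2.11 192.0.2.12 }

# A relay cannot combine ports, so each TCP port gets its own relay.
# All of them use the same table, the same scheduling mode and the same
# hash key so that a given client IP maps to the same backend on every
# port. (Key syntax is an assumption; without an explicit key relayd
# generates a random one, and the per-port mappings would not line up.)
relay https {
        listen on 203.0.113.213 port 443
        forward to <backends> port 443 mode source-hash "example-sticky-key" check tcp
}

relay alt-https {
        listen on 203.0.113.213 port 10443
        forward to <backends> port 10443 mode source-hash "example-sticky-key" check tcp
}

relay app-8001 {
        listen on 203.0.113.213 port 8001
        forward to <backends> port 8001 mode source-hash "example-sticky-key" check tcp
}

# Relays are TCP proxies, so UDP 8000 has to be a pf redirection that
# relayd loads into its anchor. sticky-address keeps one client on one
# backend (src.track in pf.conf(5) controls how long that persists), but
# pf chooses the backend on its own, so this choice is not guaranteed to
# match the relays' source-hash choice.
# (Placement of the "udp" keyword is an assumption; see relayd.conf(5).)
redirect app-8000 {
        listen on 203.0.113.213 udp port 8000
        forward to <backends> port 8000 check icmp
        sticky-address
}
```

Check the resulting pf rules with `pfctl -a relayd/* -sr` and the per-relay backend selection with `relayctl show summary` after loading.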