I don't think you can do this using SPI directly.

If you use IKE then you might be able to do something in iked or isakmpd
config to set PF tags, and then use PF rules to rewrite the dest port
to point at something else to select a different relay in relayd..

On 2022/08/09 12:53, Todd Carpenter wrote:
> I just wanted to clarify, for relayd..
> 
> Is it possible to filter / load balance based on the SPI information of the 4
> byte headers within ipsec?
> https://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload
> 
> Security Parameters Index (32 bits)
>     Arbitrary value used (together with the destination IP address) to
>     identify the security association of the receiving party
> 
>     I could not find any information that relates specifically to ipsec
>     traffic
> 
>     Thanks Again.
> 
> On Sun, Aug 7, 2022 at 3:59 AM Stuart Henderson <[email protected]> wrote:
> 
>     On 2022-08-06, Todd Carpenter <[email protected]> wrote:
>     > Hi all,
>     >
>     > I've been trying to get relayd up and running on my configuration and
>     > had a couple of questions I could not find answers for.
>     >
>     > As I understand it, relayd is capable of making a "protocol" where you
>     > could essentially take connection details and call it whatever you like,
>     > then create rules in pf via that protocol.
>     >
>     > for example, in mwl's relayd book he creates a "dns fix protocol"
>     > relay dns {
>     >      listen on 203.0.113.213 port 53
>     >      forward to check tcp
>     >      protocol dnsfix
>     > }
>     >
>     > questions:
>     > how can I pass this to pf.conf and apply stickiness to it to ensure that
>     > if the protocol dnsfix was routed to server 52 on the back end.. that all
>     > future requests are sent to server 52 and not server 17 (ie is this a
>     > relayd.conf thing.. or a pf.conf thing)?
> 
>     Relays are userland TCP proxies done inside relayd. Configuring them
>     is done in relayd.conf. See
> 
>     man relayd.conf | less "+/set the scheduling algorithm"
> 
>     > is it possible to have multiple ports and protocols wrapped into a new
>     > protocol?
>     > for example I need port 443 tcp, 10443 tcp, 8000 udp and 8001 tcp .. to
>     > be treated as a single connection.  Is a protocol even the right tool for
>     > the job? If so, how do you add multiple ports? or does each rule need to
>     > be separate?  (an example would be awesome)
> 
>     As a single protocol definition? You can't, you need separate ones.
> 
>     > Next question, in regards to the previous question. How would you apply
>     > a stickiness state to ensure that all 4 ports from the same client are
>     > sent to the same server?
> 
>     "mode source-hash" is probably the only option.
> 
>     > last question..
>     > how do you decide what configuration should be placed in pf.conf vs
>     > relayd.conf?  and if you're using an anchor like relayd .. in terms of
>     > pf, is there 1 config or are they separate?
>     >
>     > IE: if i have a <table> in relayd.conf that defines {server1,2,3,4} do
>     > I need the same table in my pf.conf file? or should I make the exact same
>     > table with a unique name? or are the relayd.conf tables used as both an
>     > anchor and expanded into the default pf.conf?
> 
>     For the main part relayd loads what it needs into PF under the anchor.
> 
>     If you're using _redirections_ with sticky-address and want that to
>     persist across multiple connections then see "src.track" in pf.conf(5).
> 
> 
>     --
>     Please keep replies on the mailing list.
> 
> 

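As an added worked example (constructed for this page, not taken from the thread or from the relayd project), here is a relayd.conf that puts the advice quoted above together for the four-port case: one relay per TCP port, since relayd cannot wrap several ports into a single protocol or relay definition, each using `mode source-hash` so a given client address keeps landing on the same backend for 443, 10443 and 8001; and a redirection with `sticky-address` for the UDP port, since relays are userland TCP proxies and cannot carry UDP. The listener address, backend addresses, table name and hash key string are all invented. Two things are assumptions to verify against relayd.conf(5) on your release: that `source-hash` accepts the optional key argument in this form, and that giving every relay the same key makes the per-client hash choose the same host across all three ports (with the default random key each relay would hash independently).

```conf
# relayd.conf -- constructed example, not from the mailing-list thread.
# Backend hosts the four ports are balanced across (example addresses).
table <app> { 10.0.0.11 10.0.0.12 10.0.0.13 }

# Each TCP port needs its own relay definition.  The shared hash key
# (assumed syntax; check relayd.conf(5)) is what keeps one client on
# one backend across the three relays.
relay app-443 {
        listen on 203.0.113.10 port 443
        forward to <app> port 443 mode source-hash "app-sticky-key" check tcp
}

relay app-10443 {
        listen on 203.0.113.10 port 10443
        forward to <app> port 10443 mode source-hash "app-sticky-key" check tcp
}

relay app-8001 {
        listen on 203.0.113.10 port 8001
        forward to <app> port 8001 mode source-hash "app-sticky-key" check tcp
}

# Relays only proxy TCP, so UDP 8000 goes through a PF redirection that
# relayd loads into its anchor.  sticky-address keeps a client on one
# host; how long that binding persists across connections is governed
# by src.track, see pf.conf(5).
redirect app-8000-udp {
        listen on 203.0.113.10 udp port 8000
        sticky-address
        forward to <app> port 8000 check icmp
}
```

On the pf.conf side the only relayd-specific line is the usual `anchor "relayd/*"` (plus pass rules for the relay listeners on 443, 10443 and 8001): relayd loads the rdr rules for the redirection into that anchor itself, so the `<app>` table does not need to be duplicated in pf.conf. Note that the UDP redirection and the TCP relays use different mechanisms (PF state in the kernel versus a userland hash), so a client is kept on one host per mechanism; the page does not say, and this example does not claim, that the two will agree on the same backend.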