Hi,

I'd like to run relayd always with the _relayd group so that we can use
"group _relayd" in a pf rule.  This makes it easy to write a pf rule
that matches only connections from relayd(8).

Also as for relayd.conf(5), I'd like to mention that "divert-reply" is
required for "transparent forward" and add an example pf rule which
uses "group _relayd".

ok?

Run relayd(8) as _relayd group user.

Index: usr.sbin/relayd/relayd.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v
retrieving revision 1.182
diff -u -p -r1.182 relayd.c
--- usr.sbin/relayd/relayd.c    15 Sep 2019 19:23:29 -0000      1.182
+++ usr.sbin/relayd/relayd.c    26 Jul 2020 08:39:27 -0000
@@ -201,6 +201,11 @@ main(int argc, char *argv[])
        if ((ps->ps_pw =  getpwnam(RELAYD_USER)) == NULL)
                errx(1, "unknown user %s", RELAYD_USER);
 
+       if (setgroups(1, &ps->ps_pw->pw_gid) == -1 ||
+           setresgid(ps->ps_pw->pw_gid, ps->ps_pw->pw_gid, ps->ps_pw->pw_gid)
+           == -1)
+               err(1, "unable to set group ids");
+
        log_init(debug, LOG_DAEMON);
        log_setverbose(verbose);
 
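Review bot: the new setgroups()/setresgid() call changes only the group, not the uid, so the parent keeps running as root with gid _relayd; the commit message "Run relayd(8) as _relayd group user" should say that explicitly so nobody reads it as a full privilege drop, and relayd.8 should document that the daemon's sockets now carry group _relayd, since the pf example added to relayd.conf.5 depends on that. The ordering is right (supplementary groups are cleared with setgroups() before setresgid(), while the process still has the privilege to do so), and err(3) already appends the errno text, so "unable to set group ids" is sufficient.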

Add a mention that a "divert-reply" rule is required for "transparent
forward", and add an example which uses "group _relayd" to match the
outgoing connections.

Index: usr.sbin/relayd/relayd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
retrieving revision 1.198
diff -u -p -r1.198 relayd.conf.5
--- usr.sbin/relayd/relayd.conf.5       1 Jul 2020 06:47:18 -0000       1.198
+++ usr.sbin/relayd/relayd.conf.5       26 Jul 2020 08:39:27 -0000
@@ -622,6 +622,10 @@ Use the
 .Ic transparent
 keyword to enable fully-transparent mode; the source address of the
 client will be retained in this case.
+For this case,
+additional
+.Xr pf 4
+rule with divert-reply option is required for the outgoing connection.
 .Pp
 The
 .Ic with tls
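Review bot: the added sentence is ungrammatical and leaves the option unmarked: "additional .Xr pf 4 rule with divert-reply option" should read "an additional .Xr pf 4 rule with the .Cm divert-reply option" (using the same macro the rest of the page uses for pf keywords). Since the previous sentence says the client's source address is retained, one more clause explaining that this is why the outgoing connection needs divert-reply (so that replies to the retained source address are handed back to relayd) would make the requirement self-explanatory instead of a bare instruction.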
@@ -1627,6 +1631,31 @@ relay tlsinspect {
        protocol httpfilter
        forward with tls to destination
 }
+.Ed
+.Pp
+If you want to use fully-transparent mode,
+you can add the
+.Ic transparent
+keyword to
+.Ic forward
+option:
+.Bd -literal -offset indent
+relay tlsinspect {
+       listen on 127.0.0.1 port 8443 tls
+       protocol httpfilter
+       transparent forward with tls to destination
+}
+.Ed
+.Pp
+And add a matching divert-reply rule in
+.Xr pf.conf 5 .
+You can use
+.Dq group _relayd
+to match only connections from
+.Xr relayd 8
+precisely:
+.Bd -literal -offset indent
+pass out proto tcp to port 443 group _relayd divert-reply
 .Ed
 .Pp
 The next simple router configuration example can be used to run
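Review bot: "You can use .Dq group _relayd to match only connections from .Xr relayd 8 precisely:" is awkward; drop "precisely" and mark up the keyword and argument as pf syntax, e.g. ".Cm group Ar _relayd", rather than quoting them with .Dq. It would also help to say that the rule matches relayd's outgoing connections because the daemon runs with that group (which is what the relayd.c hunk arranges), and that "port 443" in "pass out proto tcp to port 443 group _relayd divert-reply" is the destination port of the forwarded connection, otherwise a reader may expect 8443 from the listen line above.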

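As an added illustration, not part of the posted diff or of the relayd tree, here are the two pf rules that the fully-transparent tlsinspect relay described in the relayd.conf.5 hunk needs side by side. The interface names, the client network and the incoming divert-to rule are assumptions made for this example; only the outgoing divert-reply rule with "group _relayd" comes from the patch.

```pf
# pf.conf fragment (constructed example; $int_if, egress and the client
# network are assumed, not taken from the patch)
int_if  = "em1"
clients = "192.0.2.0/24"

# 1. Divert client HTTPS connections into the tlsinspect relay, which in
#    the relayd.conf example listens on 127.0.0.1 port 8443.
pass in quick on $int_if proto tcp from $clients to port 443 \
    divert-to 127.0.0.1 port 8443

# 2. With "transparent forward", relayd connects to the real server using
#    the client's source address.  The state for that outgoing connection
#    must be created with divert-reply so the server's replies are handed
#    to relayd instead of being routed back toward the client network.
#    "group _relayd" limits the rule to sockets owned by relayd's group,
#    so other local processes talking to port 443 are left alone.
pass out quick on egress proto tcp to port 443 group _relayd divert-reply

# For comparison, the same rule without the group match would also apply
# divert-reply to every other local process connecting to port 443:
# pass out quick on egress proto tcp to port 443 divert-reply
```

The group match is what the relayd.c hunk makes possible: until the daemon runs with gid _relayd there is nothing for "group _relayd" to match, and the outgoing rule would have to be written as the broader form shown in the last comment.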