Hi, I'd like to run relayd as the _relayd group always so that we can use "group _relayd" in a pf rule. This makes it easy to write a pf rule that matches only connections from relayd(8).
Also as for relayd.conf(5), I'd like to mention that "divert-reply" is required for "transparent forward" and add an example pf rule which uses "group _relayd". ok? Run relayd(8) as _relayd group user. Index: usr.sbin/relayd/relayd.c =================================================================== RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v retrieving revision 1.182 diff -u -p -r1.182 relayd.c --- usr.sbin/relayd/relayd.c 15 Sep 2019 19:23:29 -0000 1.182 +++ usr.sbin/relayd/relayd.c 26 Jul 2020 08:39:27 -0000 @@ -201,6 +201,11 @@ main(int argc, char *argv[]) if ((ps->ps_pw = getpwnam(RELAYD_USER)) == NULL) errx(1, "unknown user %s", RELAYD_USER); + if (setgroups(1, &ps->ps_pw->pw_gid) == -1 || + setresgid(ps->ps_pw->pw_gid, ps->ps_pw->pw_gid, ps->ps_pw->pw_gid) + == -1) + err(1, "unable to set group ids"); + log_init(debug, LOG_DAEMON); log_setverbose(verbose); Add a mention that "divert-reply" rule is required for "transparent forward" and add an example which uses "group _relayd" to match the outgoing connections. Index: usr.sbin/relayd/relayd.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v retrieving revision 1.198 diff -u -p -r1.198 relayd.conf.5 --- usr.sbin/relayd/relayd.conf.5 1 Jul 2020 06:47:18 -0000 1.198 +++ usr.sbin/relayd/relayd.conf.5 26 Jul 2020 08:39:27 -0000 @@ -622,6 +622,10 @@ Use the .Ic transparent keyword to enable fully-transparent mode; the source address of the client will be retained in this case. +For this case, +additional +.Xr pf 4 +rule with divert-reply option is required for the outgoing connection. .Pp The .Ic with tls 
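Review bot: the main() hunk only changes the group (setgroups() plus setresgid(), no setresuid()), so the parent keeps running as root and the commit message "Run relayd(8) as _relayd group user" reads as if the uid were dropped too; state the actual effect in the message, namely that the parent's effective gid becomes _relayd so that sockets the parent creates are matched by a pf "group _relayd" rule. err(1, ...) is the right call here since both functions set errno. A style nit: the wrapped "== -1" on its own continuation line is unusual for KNF; a local "gid_t gid = ps->ps_pw->pw_gid;" would let "setresgid(gid, gid, gid) == -1" sit on one line next to the setgroups() test.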
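Review bot: in the @@ -622 hunk the added sentence needs an article and should point at the file the rule lives in: "In this case an additional .Xr pf.conf 5 rule with the divert-reply option is required for the outgoing connection." The later hunk already cross-references pf.conf(5) for the same rule, so pf(4) here is inconsistent.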
@@ -1627,6 +1631,31 @@ relay tlsinspect { protocol httpfilter forward with tls to destination } +.Ed +.Pp +If you want to use fully-transparent mode, +you can add the +.Ic transparent +keyword to +.Ic forward +option: +.Bd -literal -offset indent +relay tlsinspect { + listen on 127.0.0.1 port 8443 tls + protocol httpfilter + transparent forward with tls to destination +} +.Ed +.Pp +And add a matching divert-reply rule in +.Xr pf.conf 5 . +You can use +.Dq group _relayd +to match only connections from +.Xr relayd 8 +precisely: +.Bd -literal -offset indent +pass out proto tcp to port 443 group _relayd divert-reply .Ed .Pp The next simple router configuration example can be used to run
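Review bot: in the @@ -1627 hunk the new text reads "add the .Ic transparent keyword to .Ic forward option" (missing "the"), "And add a matching divert-reply rule" (drop the leading "And"), and "to match only connections from .Xr relayd 8 precisely" ("precisely" is redundant with "only"). The pf example shows only the outgoing side; unless the existing tlsinspect example already shows how client traffic reaches 127.0.0.1 port 8443, a one-line mention that an inbound divert-to rule is needed as well would make the example usable as written.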
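A fuller pf.conf fragment, added here as an example that is not part of the post or of the relayd patch, pairing the divert-reply rule from the manual page hunk with the inbound divert-to rule that steers client HTTPS traffic to the tlsinspect relay listening on 127.0.0.1 port 8443. The interface names, the LAN prefix and the use of the egress interface group are assumptions; the relay definition itself is the one in the relayd.conf(5) hunk above.

```conf
# /etc/pf.conf fragment (added example; int_if and lan are assumptions)
int_if = "em1"
lan    = "192.0.2.0/24"

# Inbound: hand client HTTPS connections from the LAN to the relay on
# the loopback. relayd listens on 127.0.0.1 port 8443 in transparent
# mode and still sees the original destination.
pass in quick on $int_if inet proto tcp from $lan to any port 443 \
    divert-to 127.0.0.1 port 8443

# Outbound: connections relayd opens on the clients' behalf carry the
# client's source address, so the replies must be diverted back to the
# local socket with divert-reply. "group _relayd" restricts the rule
# to sockets owned by relayd's group (the patch makes the parent
# process run with that gid); without it every outbound :443
# connection from this host would be diverted.
pass out quick on egress inet proto tcp to any port 443 \
    group _relayd divert-reply

# Too broad, kept only for contrast: matches all outbound HTTPS.
# pass out quick on egress inet proto tcp to any port 443 divert-reply
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and after loading use `pfctl -vsr` to confirm both rules are present and that the packet counters on the group-restricted rule move only while relayd is forwarding traffic.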