It is sometimes desirable to enable synproxy when using relayd's
redirects; this diff allows just that.
In case it gets mangled:
http://dargor.servebeer.com/~dargor/openbsd/relayd-forward-with-synproxy.diff
ok ?
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.182
diff -u -p -r1.182 parse.y
--- parse.y 12 May 2014 14:28:22 -0000 1.182
+++ parse.y 29 May 2014 00:15:28 -0000
@@ -160,16 +160,17 @@ typedef struct {
%token NODELAY NOTHING ON PARENT PATH PORT PREFORK PRIORITY PROTO
%token QUERYSTR REAL REDIRECT RELAY REMOVE REQUEST RESPONSE RETRY
%token RETURN ROUNDROBIN ROUTE SACK SCRIPT SEND SESSION SNMP SOCKET
SPLICE
-%token SSL STICKYADDR STYLE TABLE TAG TCP TIMEOUT TO ROUTER RTLABEL
+%token SSL STICKYADDR STYLE SYNPROXY TABLE TAG TCP TIMEOUT TO ROUTER
RTLABEL
%token TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE MATCH
%token RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDH CURVE
%token <v.string> STRING
-%token <v.number> NUMBER
+%token <v.number> NUMBER
%type <v.string> hostname interface table optstring
%type <v.number> http_type loglevel mark trap
%type <v.number> direction dstmode flag forwardmode retry
%type <v.number> optssl optsslclient sslcache
%type <v.number> redirect_proto relay_proto match
+%type <v.number> rdrsynproxy
%type <v.port> port
%type <v.host> host
%type <v.addr> address
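Review bot: The hunk carries a whitespace-only change to the `%token <v.number> NUMBER` line, which has nothing to do with synproxy and only adds noise to the diff; dropping it leaves the hunk as just the `SYNPROXY` token and the `rdrsynproxy` type declaration. The `SPLICE` and `RTLABEL` fragments on lines of their own appear to be mail wrapping of the long `%token` lines rather than part of the change, so the linked copy of the diff is the one to apply.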
@@ -467,63 +468,69 @@ rdropts_l : rdropts_l rdroptsl nl
| rdroptsl optnl
;
-rdroptsl : forwardmode TO tablespec interface {
+rdrsynproxy : /*empty*/ { $$ = 0; }
+ | WITH SYNPROXY { $$ = 1; }
+ ;
+
+rdroptsl : forwardmode rdrsynproxy TO tablespec interface {
switch ($1) {
case FWD_NORMAL:
- if ($4 == NULL)
+ if ($5 == NULL)
break;
yyerror("superfluous interface");
- free($4);
+ free($5);
YYERROR;
case FWD_ROUTE:
- if ($4 != NULL)
+ if ($5 != NULL)
break;
yyerror("missing interface to route to");
- free($4);
+ free($5);
YYERROR;
case FWD_TRANS:
yyerror("no transparent forward here");
- if ($4 != NULL)
- free($4);
+ if ($5 != NULL)
+ free($5);
YYERROR;
}
- if ($4 != NULL) {
- if (strlcpy($3->conf.ifname, $4,
- sizeof($3->conf.ifname)) >=
- sizeof($3->conf.ifname)) {
+ if ($5 != NULL) {
+ if (strlcpy($4->conf.ifname, $5,
+ sizeof($4->conf.ifname)) >=
+ sizeof($4->conf.ifname)) {
yyerror("interface name truncated");
- free($4);
+ free($5);
YYERROR;
}
- free($4);
+ free($5);
}
- if ($3->conf.check == CHECK_NOCHECK) {
- yyerror("table %s has no check", $3->conf.name);
- purge_table(conf->sc_tables, $3);
+ if ($4->conf.check == CHECK_NOCHECK) {
+ yyerror("table %s has no check", $4->conf.name);
+ purge_table(conf->sc_tables, $4);
YYERROR;
}
if (rdr->backup) {
yyerror("only one backup table is allowed");
- purge_table(conf->sc_tables, $3);
+ purge_table(conf->sc_tables, $4);
YYERROR;
}
if (rdr->table) {
- rdr->backup = $3;
- rdr->conf.backup_id = $3->conf.id;
+ rdr->backup = $4;
+ rdr->conf.backup_id = $4->conf.id;
if (dstmode != rdr->conf.mode) {
yyerror("backup table for %s with "
"different mode", rdr->conf.name);
YYERROR;
}
} else {
- rdr->table = $3;
- rdr->conf.table_id = $3->conf.id;
+ rdr->table = $4;
+ rdr->conf.table_id = $4->conf.id;
rdr->conf.mode = dstmode;
}
- $3->conf.fwdmode = $1;
- $3->conf.rdrid = rdr->conf.id;
- $3->conf.flags |= F_USED;
+ $4->conf.fwdmode = $1;
+ $4->conf.rdrid = rdr->conf.id;
+ $4->conf.flags |= F_USED;
+ if ($2)
+ $4->conf.flags |= F_SYNPROXY;
}
| LISTEN ON STRING redirect_proto port interface {
if (host($3, &rdr->virts,
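Review bot: `with synproxy` is accepted for every forward mode, but the only consumer in this diff (the `keep_state = PF_STATE_SYNPROXY` assignment in the pfe_filter.c hunk) sits in the case before `case FWD_ROUTE:` of sync_ruleset(), so `route with synproxy to <table> <interface>` parses cleanly and the flag is then silently ignored as far as the visible code shows; the same assignment is also guarded by `address->ipproto == IPPROTO_TCP`, so a non-TCP redirect carrying the option is accepted and ignored too. Rejecting the route combination is cheap to do in the `case FWD_ROUTE:` branch of this action (below); the protocol case is harder to check here because the `listen on` line may come later in the block, so a comment at the `F_SYNPROXY` assignment stating that the option only has effect for TCP would at least document it. Separately, the flag is stored per table (`$4->conf.flags |= F_SYNPROXY`), so a redirect with a main and a backup table gets synproxy only on the table named in the statement that carried the option; that is presumably intended, but the relayd.conf.5 text ("the rule will use the pf synproxy feature") does not make it obvious and a short comment here would help.
```yacc
		case FWD_ROUTE:
			/* synproxy is only applied before the FWD_ROUTE case in
			 * sync_ruleset(), so refuse it here instead of ignoring it */
			if ($2) {
				yyerror("synproxy cannot be combined with route");
				free($5);
				YYERROR;
			}
			if ($5 != NULL)
				break;
			yyerror("missing interface to route to");
			free($5);
			YYERROR;
		/* … unchanged: FWD_TRANS case and the rest of the action … */
```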
@@ -1995,6 +2002,7 @@ lookup(char *s)
{ "ssl", SSL },
{ "sticky-address", STICKYADDR },
{ "style", STYLE },
+ { "synproxy", SYNPROXY },
{ "table", TABLE },
{ "tag", TAG },
{ "tcp", TCP },
Index: pfe_filter.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/pfe_filter.c,v
retrieving revision 1.53
diff -u -p -r1.53 pfe_filter.c
--- pfe_filter.c 27 Apr 2013 16:39:30 -0000 1.53
+++ pfe_filter.c 29 May 2014 00:15:28 -0000
@@ -415,6 +415,8 @@ sync_ruleset(struct relayd *env, struct
if (address->ipproto == IPPROTO_TCP) {
rio.rule.flags = TH_SYN;
rio.rule.flagset = (TH_SYN|TH_ACK);
+ if (t->conf.flags & F_SYNPROXY)
+ rio.rule.keep_state = PF_STATE_SYNPROXY;
}
break;
case FWD_ROUTE:
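Review bot: The new `keep_state` assignment has no comment saying why the state policy changes here, and the surrounding `flags`/`flagset` lines make it easy to read as just another match option. A one-liner above the `if`, such as `/* F_SYNPROXY: have pf complete the TCP handshake itself before passing the connection on; TCP only */`, would make the intent and the TCP-only scope clear to the next reader. Note that the assignment is reached only in this case arm, not in `FWD_ROUTE`; sync_ruleset() starts and ends outside the hunk, so whether the route path handles the flag elsewhere cannot be seen from here.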
Index: relayd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
retrieving revision 1.142
diff -u -p -r1.142 relayd.conf.5
--- relayd.conf.5 18 Apr 2014 13:55:26 -0000 1.142
+++ relayd.conf.5 29 May 2014 00:15:28 -0000
@@ -443,7 +443,9 @@ The redirection is initially disabled.
It can be later enabled through
.Xr relayctl 8 .
.It Xo
-.Ic forward to
+.Ic forward
+.Op Ic with synproxy
+.Ic to
.Aq Ar table
.Op Ic port Ar number
.Ar options ...
@@ -451,6 +453,11 @@ It can be later enabled through
Specify the tables of target hosts to be used; see the
.Sx TABLES
section above for information about table options.
+If the
+.Ic with synproxy
+option is specified, the rule will use the
+.Xr pf 4
+synproxy feature.
If the
.Ic port
option is not specified, the first port from the
Index: relayd.h
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.h,v
retrieving revision 1.180
diff -u -p -r1.180 relayd.h
--- relayd.h 20 May 2014 17:33:36 -0000 1.180
+++ relayd.h 29 May 2014 00:15:29 -0000
@@ -295,6 +295,7 @@ TAILQ_HEAD(addresslist, address);
#define F_DIVERT 0x01000000
#define F_SCRIPT 0x02000000
#define F_SSLINSPECT 0x04000000
+#define F_SYNPROXY 0x08000000
#define F_BITS \
"\10\01DISABLE\02BACKUP\03USED\04DOWN\05ADD\06DEL\07CHANGED" \