author: Reyk Floeter <reyk@cvs.openbsd.org> 2008-06-11 18:21:21 +0000
committer: Reyk Floeter <reyk@cvs.openbsd.org> 2008-06-11 18:21:21 +0000
commit: ae29edd6b675a26c741a63b65725a7225af083bb
tree: c0e7a3d34d64cecff06dc7a1e8910c1bcf97a346 /usr.sbin/relayd/relayd.conf.5
parent: d4aa7b0d42217bd71d39e0188cb451fcd0c55f72
add support for "transparent" forwarding in relays: normally the l7
relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows to build fully-transparent ssl encapsulation for tcp sessions and many other things... based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8) ok markus@ pyr@
Diffstat (limited to 'usr.sbin/relayd/relayd.conf.5')
-rw-r--r-- usr.sbin/relayd/relayd.conf.5 8
1 files changed, 7 insertions, 1 deletions
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 5bf261b157e..16c609b0f69 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.87 2008/06/11 07:28:02 jmc Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.88 2008/06/11 18:21:20 reyk Exp $
.\"
.\" Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -474,6 +474,7 @@ configuration directives are described below:
.It Ic disable
Start the relay but immediately close any accepted connections.
.It Xo
+.Op Ic transparent
.Ic forward to
.Ar address
.Op Ic port Ar port
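Review bot: the synopsis at `.Op Ic transparent` puts the optional keyword in front of `.Ic forward to`, so the item no longer starts with the directive name and is harder to find when scanning the list for `forward to`. This file-limited diff does not show the parser change, so please confirm that the grammar accepts `transparent` only in this leading position and that the rendered entry reads `[transparent] forward to address [port port]` as intended.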
@@ -486,6 +487,11 @@ option is not specified, the port from the
.Ic listen on
directive will be used.
.Pp
+Use the
+.Ic transparent
+keyword to enable fully-transparent mode; the source address of the
+client will be retained in this case.
+.Pp
The optional host retry option will be used as a tolerance for failed
host connections; the connection will be retried for
.Ar number
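Review bot: the new paragraph after `directive will be used.` states that the client's source address is retained but leaves out what the administrator must set up for that to work. The commit message says the feature relies on the BINDANY and divert-reply interfaces, yet the manual text mentions neither and gives no cross-reference, so a reader cannot tell how replies addressed to the client find their way back to the relay. I would add a sentence naming that requirement with an `.Xr` pointer to wherever it is documented, and state explicitly that the target host sees connections arriving from the client's address instead of the relay's, since address-based access rules and logs on the target host change meaning in this mode.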