author | Reyk Floeter <reyk@cvs.openbsd.org> | 2008-06-10 22:02:29 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2008-06-10 22:02:29 +0000 |
commit | fffd33f5cf3a28ffac3ecc058982c26568ff8287 (patch) | |
tree | fb86aaef76df1b0d8c72176a37a58e043562bd91 /usr.sbin | |
parent | ccf96686165704508ca637c970a9015eba3f1657 (diff) |
use sloppy pf state keeping for routed sessions (direct server return)
where we only see the client side of the TCP session; this removes the
timeout limitations that we had before. document "route to" in the
manpage since it is fully working now.
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/relayd/pfe_filter.c | 7 |
-rw-r--r-- | usr.sbin/relayd/relayd.conf.5 | 27 |
2 files changed, 26 insertions, 8 deletions
diff --git a/usr.sbin/relayd/pfe_filter.c b/usr.sbin/relayd/pfe_filter.c index 6a4033dd2df..82e8f32e963 100644 --- a/usr.sbin/relayd/pfe_filter.c +++ b/usr.sbin/relayd/pfe_filter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfe_filter.c,v 1.27 2008/05/16 14:47:58 pyr Exp $ */ +/* $OpenBSD: pfe_filter.c,v 1.28 2008/06/10 22:02:28 reyk Exp $ */ /* * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org> @@ -363,9 +363,10 @@ sync_ruleset(struct relayd *env, struct rdr *rdr, int enable) rio.rule.direction = PF_IN; rio.rule.quick = 1; /* force first match */ - /* XXX This should use a loose pf state handling */ + /* Use sloppy state handling for half connections */ rio.rule.keep_state = PF_STATE_NORMAL; - rio.rule.timeout[PFTM_TCP_OPENING] = + rio.rule.rule_flag = PFRULE_STATESLOPPY; + rio.rule.timeout[PFTM_TCP_CLOSING] = rdr->conf.timeout.tv_sec; } diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5 index 687d10fe6e3..81aaf12833c 100644 --- a/usr.sbin/relayd/relayd.conf.5 +++ b/usr.sbin/relayd/relayd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: relayd.conf.5,v 1.84 2008/05/07 01:49:29 reyk Exp $ +.\" $OpenBSD: relayd.conf.5,v 1.85 2008/06/10 22:02:28 reyk Exp $ .\" .\" Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org> .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org> @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: May 7 2008 $ +.Dd $Mdocdate: June 10 2008 $ .Dt RELAYD.CONF 5 .Os .Sh NAME 
@@ -422,15 +422,32 @@ to listen on. will redirect incoming connections for the specified target to the hosts in the main or backup table. The rdr rule can be optionally restricted to a given interface name. +.It Xo +.Ic route to +.Aq Ar table +.Op Ic port Ar number +.Ar options ... +.Xc +Like the +.Ic forward to +directive, but directly route the packets to the target host without +modifying the target address. +This can be used for +.Dq direct server return +to force the target host to respond via a different gateway. +Note that the hosts have to accept sessions for the same address as +the gateway, this is typically done by configuring a loopback +interface on the host with this address. +.It Ic session timeout Ar seconds +Specify the timeout after closing in seconds for routed session +states. +The default timeout is 600 seconds (10 minutes). .It Ic sticky-address This has the same effect as specifying sticky-address for an rdr rule in .Xr pf.conf 5 . It will ensure that multiple connections from the same source are mapped to the same redirection address. -.It Ic session timeout Ar seconds -Specify the timeout in seconds for routed session states. -The default timeout is 600 seconds (10 minutes). .It Ic tag Ar name Automatically tag packets passing through the .Xr pf 4 |
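Review bot: In the sync_ruleset hunk of pfe_filter.c, `rio.rule.rule_flag = PFRULE_STATESLOPPY;` is a plain assignment, so it silently drops any rule_flag bits already set on rio.rule earlier in the function; `rio.rule.rule_flag |= PFRULE_STATESLOPPY;` carries the same intent without that risk. The replacement comment `/* Use sloppy state handling for half connections */` should also say what is being traded: PFRULE_STATESLOPPY makes pf stop validating TCP sequence numbers and windows for these states, so once a state exists any packet matching its addresses and ports is passed until the state expires, and the only bound on that lifetime is now the PFTM_TCP_CLOSING value taken from rdr->conf.timeout.tv_sec. Stating this next to the code makes the purpose of the configurable session timeout obvious to the next reader.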
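Review bot: In the relayd.conf.5 hunk, the new `route to` text does not mention that pf tracks these sessions with sloppy state (only the client side of the TCP session is visible to the gateway), which is the reason the `session timeout` option exists and why its description changed to "the timeout after closing"; one sentence linking the two entries would spare operators the guesswork, since the two items are now adjacent anyway. Minor wording: "Note that the hosts have to accept sessions for the same address as the gateway, this is typically done by configuring ..." is a comma splice; split it, e.g. "... as the gateway. This is typically done by configuring a loopback interface on the host with this address."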