[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-misc
Subject:    match rules and relayd rdr
From:       Kapetanakis Giannis <bilias () edu ! physics ! uoc ! gr>
Date:       2024-05-10 11:27:11
Message-ID: 92cda507-6688-44b9-90bd-ce1181b39bdc () edu ! physics ! uoc ! gr
[Download RAW message or body]

Hi,

I want to convert a pf rule to rdr-to via relayd (add load balancer in 
the mix to multiple servers).

My hesitation is how to pass the extra tcp options I pass in the rule.
I believe this should be done via match rules, but I'm not sure if the 
pass rule should be on the pf or the relayd side.

The rule looks like this:

pass in quick on egress proto tcp from any to $server port = 80 flags 
S/SA set (prio(1, 2)) keep state (pflow, tcp.first 10, tcp.opening 10, 
tcp.established 18000, tcp.closing 30, tcp.finwait 30, tcp.closed 30) 
tag from_ext

Should I change the pf pass rule to match (with no quick) and add the 
relayd anchor after that (with pass in relayd, default)
or the other way around:
relayd anchor first, match in relayd and then pass in quick on the pf side.

I want to keep both the prio and tcp options as well as the rdr-to 
inserted from relayd.

Is it essentially the same either way?

Thanks,

G

[prev in list] [next in list] [prev in thread] [next in thread]