transparent relay

#1 schmurfy (22nd March 2012)

Hi,
I am trying to forward a port using relayd, which works, but what I really need is transparent relaying and I cannot make that one work :/

I have one OpenBSD 5.0 server with two network cards (em0 can be ignored):
- em1: 192.168.33.10/24
- em2: 192.168.20.1/24

And another machine acting as server:
- em1: 192.168.33.11/24

My computer (client) is connected to the server on em2 and the server and router are connected with their em1 interfaces; the server uses the router as its default route.

Here is my working configuration in non-transparent mode:

pf.conf:
Code:
set skip on lo
anchor "relayd/*"
pass		# to establish keep-state

relayd.conf:
Code:
relay banana {
  listen on "192.168.20.1" port 8000
  forward to "192.168.33.11" port 80
}

After restarting relayd I connect with "curl http://192.168.20.1:8000" and I get the page served by the server machine, everything is fine.



Now I tried switching to a transparent relay. I added this in pf.conf:
Code:
pass out log(all) on em1 divert-reply

and my relayd.conf now looks like this:
Code:
relay banana {
  listen on "192.168.20.1" port 8000
  transparent forward to "192.168.33.11" port 80 interface em1
}

After restarting relayd and reloading pf.conf, if I start curl again I successfully connect to the relayd process, but the relayd process never even tries to connect to the HTTP server on the server machine :/

I did some tests to ensure the routing was correct and the SO_BINDANY option worked by running this command on the router:
Code:
nc -s 192.168.20.254 192.168.33.11 80
When I do this it connects and if I type "GET /" it returns the web page and the server sees a connection from 192.168.20.254 so it works.


For some reason relayd cannot open the socket but I have no idea why...
relayd logging is not very helpful, I managed to force it in debug mode and I got this:

Code:
proc_dispatch: parent 1 got imsg 42 from relay 4
proc_dispatch: relay 1 got imsg 42 from parent 0
relay_dispatch_parent: session 1: expired
proc_dispatch: pfe 1 got imsg 39 from relay 4
# (previous line repeated a lot of times)

relay banana, session 1 (1 active), 0, 192.168.20.254 -> :80, bindany failed, invalid socket
# after the previous line the connection with curl is closed

proc_dispatch: pfe 1 got imsg 39 from relay 4
# (previous line repeated until I hit Ctrl+C)

Any idea why relayd would fail to establish the connection? I am now digging into the relayd sources trying to find something helpful, but not much luck for now...
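
An added example (not part of the original post, and not relayd's code): a small C check of the socket sequence the post's nc test was meant to exercise on OpenBSD, that is, set SO_BINDANY, bind to a source address that is not local to the router, then connect to the backend. The function name `bindany_connect` and its return codes are made up for illustration; the addresses in main() are the ones from the post. Setting SO_BINDANY requires root, and replies only reach the socket when a pf `divert-reply` rule such as the one in the post is loaded.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Added example, not relayd source. Hypothetical codes: the step that failed. */
enum { BA_OK = 0, BA_BADADDR = -1, BA_UNSUPPORTED = -2, BA_SOCKET = -3,
       BA_SETSOCKOPT = -4, BA_BIND = -5, BA_CONNECT = -6 };
static int mkaddr(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}
/* Bind to a non-local source address, then connect; errno is kept on failure. */
int bindany_connect(const char *src_ip, const char *dst_ip, unsigned short dst_port)
{
    struct sockaddr_in src, dst;
    int s, rc = BA_OK, saved;
    if (mkaddr(&src, src_ip, 0) != 0 || mkaddr(&dst, dst_ip, dst_port) != 0)
        return BA_BADADDR;
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        return BA_SOCKET;
#ifdef SO_BINDANY
    int on = 1;
    if (setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on)) == -1)
        rc = BA_SETSOCKOPT;
    else if (bind(s, (struct sockaddr *)&src, sizeof(src)) == -1)
        rc = BA_BIND;
    else if (connect(s, (struct sockaddr *)&dst, sizeof(dst)) == -1)
        rc = BA_CONNECT;
#else
    rc = BA_UNSUPPORTED;   /* this platform has no SO_BINDANY */
#endif
    saved = errno;
    close(s);
    errno = saved;
    return rc;
}

int main(void)
{
    int rc = bindany_connect("192.168.20.254", "192.168.33.11", 80);
    printf("rc=%d (%s)\n", rc, rc < BA_UNSUPPORTED ? strerror(errno) : "-");
    return rc == BA_OK ? 0 : 1;
}
```

A result of `BA_SETSOCKOPT` or `BA_BIND` points at the socket step itself, while `BA_CONNECT` points at routing, pf rules or the backend.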

#2 schmurfy (27th March 2012)

I don't think my use case is that exotic, is it? Or is it that relayd is not really used at all?

#3 ocicat (27th March 2012)

Quote:
Originally Posted by schmurfy
Or is it that relayd is not really used at all?

The number of people who regularly answer OpenBSD questions on this site can be counted on one hand. If none of us felt we could add to the discussion, this should not be taken as a reflection of the larger community.

If you feel you can thoroughly articulate the problem, & can provide all relevant information, you might consider posting on misc@.

#4 schmurfy (27th March 2012)

That's what I was afraid of, I hate mailing lists...
I guess I will try my luck there.

#5 schmurfy (20th April 2012)

For the record, if anyone comes here: transparent mode is broken in the relayd shipped with OpenBSD 5.0.

Here is a solution to this from the mailing list:

First fetch the OpenBSD sources and then:
$ cd src/usr.sbin/relayd
$ cvs up -D 2011/05/08
$ make install

This will get you a working version of relayd. You can try getting the associated relayctl but I wasn't able to make it work: it crashes the relayd daemon when used, and only the reload seems to be working but does nothing at all. Also, if you send a SIGHUP to the process it will just exit.

In the end I am now considering writing an alternative myself, as closing every open TCP connection when reloading the config (since restart is the only way) is not really an option for my use case.

#6 ocicat (20th April 2012)

Quote:
Originally Posted by schmurfy
For the record, if anyone comes here: transparent mode is broken in the relayd shipped with OpenBSD 5.0.

Here is a solution to this from the mailing list:

First fetch the OpenBSD sources and then:
$ cd src/usr.sbin/relayd
$ cvs up -D 2011/05/08
$ make install

It would be good to cite the source of your conclusion:

http://marc.info/?t=133285465600002&r=1&w=2

The above recipe is specifically explained in the following post:

http://marc.info/?l=openbsd-misc&m=133293448804527&w=2