From: Mischa
Subject: Re: relayd: support multiple resolvable addresses
To: tech@openbsd.org, rafael@sizeofvoid.org
Date: Sat, 02 May 2026 17:08:18 +0200

Hi Kirill,

Just to make sure, it's confirmed to be working as expected in -current.

Mischa

On 2026-05-02 14:23, Mischa wrote:
> Hi Kirill,
>
> I tried the patch and when using "tls keypair" it doesn't like it.
> Snippet of the config I used:
>
> ###
> local_v4="46.23.xx.xx"
> local_v6="2a03:6000:xx.::x"
> table { 127.0.0.1 }
>
> http protocol httpsfilter {
>         tcp { nodelay, sack }
>         tls keypair example.com
>         tls { ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES-256-GCM-SHA384", ecdhe "default", no client-renegotiation }
> }
> relay default_tls {
>         listen on $local_v4 port 443 tls
>         listen on $local_v6 port 443 tls
>         protocol httpsfilter
>         forward to port 443
> }
> ###
>
> Mischa
>
> On 2026-05-02 13:43, Kirill A. Korinsky wrote:
>> On Sat, 02 May 2026 11:16:13 +0200,
>> Chris Narkiewicz wrote:
>>>
>>> On Mon, Apr 06, 2026 at 11:33:21AM +0200, Kirill A. Korinsky wrote:
>>> > Here I changed the parser to create a dedicated listener for each address
>>> > discovered and configured on a local interface.
>>>
>>> An update to /etc/examples/relayd.conf would be a nice touch.
>>>
>>
>> That is actually a good suggestion. I'm not sure how to make it, but the
>> most natural way is something like this:
>>
>> Index: etc/examples/relayd.conf
>> ===================================================================
>> RCS file: /home/cvs/src/etc/examples/relayd.conf,v
>> diff -u -p -r1.6 relayd.conf
>> --- etc/examples/relayd.conf	29 Oct 2023 11:27:11 -0000	1.6
>> +++ etc/examples/relayd.conf	2 May 2026 11:41:39 -0000
>> @@ -2,7 +2,6 @@
>>  #
>>  # Macros
>>  #
>> -ext_addr="192.168.1.1"
>>  webhost1="10.0.0.1"
>>  webhost2="10.0.0.2"
>>  sshhost1="10.0.0.3"
>> @@ -24,7 +23,7 @@ table { 127.0.0.1 }
>>  # Services will be mapped to a rdr rule.
>>  #
>>  redirect www {
>> -	listen on $ext_addr port http interface trunk0
>> +	listen on egress port http
>>  
>>  	# tag every packet that goes thru the rdr rule with RELAYD
>>  	pftag RELAYD
>> @@ -51,7 +50,7 @@ http protocol https {
>>  
>>  relay wwwtls {
>>  	# Run as a TLS accelerator
>> -	listen on $ext_addr port 443 tls
>> +	listen on egress port https tls
>>  	protocol https
>>  
>>  	# Forward to hosts in the webhosts table using a src/dst hash
>> @@ -69,7 +68,7 @@ protocol sshtcp {
>>  
>>  relay sshgw {
>>  	# Run as a simple TCP relay
>> -	listen on $ext_addr port 2222
>> +	listen on egress port 2222
>>  	protocol sshtcp
>>  
>>  	# Forward to the shared carp(4) address of an internal gateway
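Review bot: in the first hunk, dropping `ext_addr="192.168.1.1"` changes what the example teaches: the old listen lines bound one explicit address, while `listen on egress` (per the parser change described upthread, one dedicated listener per address found on the interface) binds every address the egress group carries. The `# Macros` block or a comment next to the first `listen on egress` line should say so, since a reader copying the example may not expect relays to come up on all addresses of their external interfaces.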
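Review bot: in the `redirect www` hunk, the `interface trunk0` qualifier is removed together with `$ext_addr` and not replaced, so the `interface` keyword no longer appears anywhere in the example. If binding the rdr rule to a specific interface is still supported, keep it shown (`listen on egress port http interface trunk0`); if it is being dropped from the example on purpose, the commit message should say that, because the two hunks that follow only swap the address and leave everything else on the line as it was.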
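Review bot: the `relay wwwtls` hunk also changes `port 443` to `port https` while the `relay sshgw` hunk keeps the numeric `port 2222` and the `redirect www` hunk already used `port http`. The rename is harmless, but it is unrelated to the egress change and makes the diff look like it alters the port; either mention it in the commit message or leave the port as `443` so the hunk contains only the address change.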
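The parser change under discussion turns one `listen on <name> port <n>` line into one listener per address the name resolves to, and the example above shows two such lines (`$local_v4` and `$local_v6`) on the same port. The following Python is an added illustration of that expansion, not relayd's own code (relayd is written in C and does this in its config parser): it uses a constructed, hypothetical resolver table in place of real interface or DNS lookups, deduplicates listeners when two lines resolve to the same address and port, and refuses a name that resolves to nothing rather than silently producing no listener.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for interface-group / DNS resolution (hypothetical
# data, not real addresses): name -> list of addresses.
FAKE_RESOLVER = {
    "egress": ["192.0.2.10", "2001:db8::10"],
    "localhost": ["127.0.0.1", "::1"],
    "www.example.test": ["192.0.2.10", "192.0.2.11"],
}

# Minimal service-name table so "port https" works like the example config.
SERVICES = {"http": 80, "https": 443, "ssh": 22}


@dataclass(frozen=True)
class Listener:
    addr: str   # normalised textual IP address
    port: int
    tls: bool


def resolve(name, resolver=FAKE_RESOLVER):
    """Return every address for a literal IP or a resolvable name.

    A literal address yields itself (normalised); a name that resolves to
    nothing is a configuration error, not an empty listener set.
    """
    try:
        return [str(ipaddress.ip_address(name))]
    except ValueError:
        pass
    addrs = resolver.get(name, [])
    if not addrs:
        raise ValueError(f"{name}: no addresses found")
    return [str(ipaddress.ip_address(a)) for a in addrs]


def parse_port(tok):
    """Accept a numeric port or a known service name."""
    if tok in SERVICES:
        return SERVICES[tok]
    port = int(tok)
    if not 0 < port < 65536:
        raise ValueError(f"port {tok} out of range")
    return port


def expand_listen(lines, resolver=FAKE_RESOLVER):
    """Expand 'listen on <name> port <port> [tls]' lines into Listeners.

    One Listener is created per resolved address; identical (addr, port)
    pairs from different lines collapse into one, and the same address/port
    appearing once with and once without tls is rejected as contradictory.
    """
    seen = {}
    for line in lines:
        tok = line.split()
        if tok[:2] != ["listen", "on"] or "port" not in tok:
            raise ValueError(f"unparsable listen line: {line!r}")
        name = tok[2]
        pidx = tok.index("port")
        port = parse_port(tok[pidx + 1])
        tls = "tls" in tok[pidx + 2:]
        for addr in resolve(name, resolver):
            key = (addr, port)
            if key in seen and seen[key].tls != tls:
                raise ValueError(f"{addr} port {port}: conflicting tls setting")
            seen.setdefault(key, Listener(addr, port, tls))
    return list(seen.values())


if __name__ == "__main__":
    # "listen on egress" expands to both egress addresses; the literal
    # 192.0.2.10 line duplicates one of them and is merged.
    for l in expand_listen(["listen on egress port https tls",
                            "listen on 192.0.2.10 port 443 tls"]):
        print(l)
```

The check that matters operationally is the last one in `expand_listen`: with per-address expansion, two lines that look different in the config can land on the same socket, and a silent first-wins merge would hide a TLS/plaintext mismatch.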