REDIRECTIONS
Redirections represent a pf(4) rdr rule. They are used for stateful
redirections to the hosts in the specified tables. pf(4) rewrites the
target IP addresses and ports of the incoming connections, operating on
layer 3. The configuration directives that are valid in the redirect
context are described below:
disable
The redirection is initially disabled. It can be later enabled
through relayctl(8).
Specify the tables of target hosts to be used; see the TABLES
section above for information about table options. If the port
option is not specified, the port from the listen on directive
will be used. This directive can be specified twice - the second
entry will be used as the backup table if all hosts in the main
table are down. At least one entry for the main table is mandatory.
Specify an address and a port to listen on. pf(4) will redirect
incoming connections for the specified target to the hosts in the
main or backup table. The rdr rule can be optionally restricted
to a given interface name.
sticky-address
This has the same effect as specifying sticky-address for an rdr
rule in pf.conf(5). It will ensure that multiple connections
from the same source are mapped to the same redirection address.
tag name
Automatically tag packets passing through the pf(4) rdr rule with
the name supplied. This allows simpler filter rules.
RELAYS
Relays will forward traffic between a client and a target server. In
contrast to redirections and IP forwarding in the network stack, a relay
will accept incoming connections from remote clients as a server, open an
outgoing connection to a target host, and forward any traffic between the
target host and the remote client, operating on layer 7. A relay is also
called an application layer gateway or layer 7 proxy.
The main purpose of a relay is to provide advanced load balancing
functionality based on specified protocol characteristics, such as HTTP
headers, to provide SSL acceleration and to allow basic handling of the
underlying application protocol.
The relay configuration directives are described below:
disable
Start the relay but immediately close any accepted connections.
Specify the address and port of the target host to connect to.
If the port option is not specified, the port from the listen on
directive will be used.
The optional host retry option will be used as a tolerance for
failed host connections; the connection will be retried for
number more times.
Like the previous directive, but connect to a host from the
specified table; see the TABLES section above for information
about table options.
When redirecting connections with an rdr rule in pf.conf(5) to a
relay listening on localhost, this directive will look up the
real destination address of the intended target host, allowing
the relay to be run as a transparent proxy. If an additional
forward to directive to a specified address or table is present,
it will be used as a backup if the NAT lookup failed.
Specify the address and port for the relay to listen on. The
relay will accept incoming connections to the specified address.
If the port option is not specified, the port from the listen on
directive will be used.
If the ssl keyword is present, the relay will accept connections
using the encrypted SSL protocol. The relay will look up a private
key in /etc/ssl/private/address.key and a public certificate in
/etc/ssl/address.crt, where address is the specified IP address of
the relay to listen on. See ssl(8) for details about SSL server
certificates.
protocol name
Use the specified protocol definition for the relay. The generic
TCP protocol options will be used by default; see the PROTOCOLS
section below.
timeout seconds
Specify the timeout in seconds for accepted sessions. The
default timeout is 600 seconds (10 minutes).
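The following relayd.conf fragment is an added example, not part of this manual page, combining the REDIRECTIONS and RELAYS directives described above: a layer 3 redirection with a main and a backup table, and a layer 7 relay that acts as a transparent proxy via a pf(4) rdr rule. The addresses and table names are constructed, and the check options attached to the tables come from the TABLES section, which is not reproduced here.

```conf
# Constructed example addresses (macros).
ext_addr="192.0.2.1"
web1="10.0.0.11"
web2="10.0.0.12"

# Main pool and a single backup host, each with a health check
# (check options are described in the TABLES section).
table <webhosts> { $web1 $web2 }
table <fallback> { 10.0.0.99 }

# Layer 3: pf(4) rdr rule managed by relayd. Connections to port 80
# on em0 are rewritten to the hosts in <webhosts>; <fallback> is used
# only when every host in the main table is down.
redirect www {
        listen on $ext_addr port 80 interface em0
        # Keep all connections from one client on the same backend.
        sticky-address
        # Tag redirected packets so pf filter rules can match on RELAYD.
        tag RELAYD
        forward to <webhosts> check http "/" code 200
        forward to <fallback> check icmp
}

# Layer 7: transparent proxy. The relay listens on localhost and
# relies on an rdr rule in pf.conf(5) such as
#   rdr on em0 proto tcp from any to any port 8080 -> 127.0.0.1 port 8080
# "forward to nat lookup" recovers the original destination from pf;
# the second forward to directive is the backup if that lookup fails.
relay wwwproxy {
        listen on 127.0.0.1 port 8080
        forward to nat lookup
        forward to <webhosts> port 8080 check tcp
        # Idle accepted sessions are dropped after 5 minutes (default 600s).
        timeout 300
}

# Layer 7 with SSL acceleration. relayd expects the private key in
# /etc/ssl/private/192.0.2.1.key and the certificate in
# /etc/ssl/192.0.2.1.crt for this listen address.
relay wwwssl {
        listen on $ext_addr port 443 ssl
        forward to <webhosts> port 80 check tcp
        timeout 600
}
```

Start with the redirection disabled (`disable` inside the redirect block) and turn it on with relayctl(8) once the table health checks report the hosts up.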