dlundquist/sniproxy

DTLS Support

mestery opened this issue · 3 comments

I have a use case where I want to proxy both TLS and DTLS. My client devices will use TLS first, then create a DTLS connection, and use both depending on various parameters. What I'd like to be able to do is proxy both TLS and DTLS, and land those sessions from a single client on the same backend (I'd also like to load balance the backend a bit, but the DTLS support at first is fine).

Maybe a config such as this:

listener 127.0.0.1:443 {
    protocol tls
    table TLSTable
}

listener 127.0.0.1:443 {
    protocol dtls
    table DTLSTable
}

table TLSTable {
    # Match exact request hostnames
    tls.example.com 192.0.2.10:4343
}

table DTLSTable {
    # Match exact request hostnames
    dtls.example.com 192.0.2.11:4343
}

Config syntax looks good. Note, there shouldn't be a reason why both listeners can't share a single table. I wonder how the existing listener, connection and buffer modules will work with UDP? Perhaps we can use "connected" UDP sockets for both the server and client side of each connection. If there is both a connected and an unconnected UDP socket open are incoming UDP packets from the peer socket address always received on the connected socket?

OK, I'll see if I can take a shot at hacking this together this week and get a pull request pushed out. It seems that things are pretty tied to TCP sockets at this point, but I think introducing the capability for the sockets to have a type shouldn't be too hard. Maybe I'll submit a PR for that first, we'll see.

It looks like UDP does a four-tuple lookup for the socket: https://elixir.bootlin.com/linux/latest/source/net/ipv4/udp.c#L2331
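The question raised above, whether a datagram from a peer that a connected UDP socket is bound to is delivered to that socket rather than to an unconnected socket sharing the same local address and port, can be checked directly. The following script is an added example, not code from the sniproxy project or from anyone in this thread. It builds the layout dlundquist sketches (one unconnected "listener" socket plus one "flow" socket bound to the same address:port and connect()ed to a known peer), sends one datagram from the known peer and one from an unknown peer, and reports which server-side socket each landed on. It assumes Linux semantics: both sockets set SO_REUSEADDR before bind() so the duplicate UDP bind is permitted, and the kernel's four-tuple scoring (the udp.c lookup linked above) prefers the connected socket for the matching peer. The peer sockets, port choice and payloads are constructed for the demonstration.

```python
import select
import socket

LOOPBACK = "127.0.0.1"


def bound_udp_socket(port):
    """Unconnected UDP socket bound to LOOPBACK:port.

    SO_REUSEADDR is set so that a second UDP socket (the per-flow, connected
    one) can later bind the same local address and port. Linux allows this
    for UDP when both sockets set SO_REUSEADDR before bind().
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((LOOPBACK, port))
    return s


def first_readable(named_sockets, timeout=1.0):
    """Return the name of the socket that became readable, or 'none'."""
    ready, _, _ = select.select(list(named_sockets.values()), [], [], timeout)
    for name, sock in named_sockets.items():
        if sock in ready:
            sock.recv(65535)  # drain so the next probe starts clean
            return name
    return "none"


def which_socket_receives():
    """Probe the kernel's UDP socket lookup with one connected and one
    unconnected socket sharing a local address:port.

    Returns a dict mapping the sending peer ('known_peer', which the flow
    socket is connected to, and 'other_peer', which nothing is connected to)
    to the name of the server-side socket that received its datagram.
    """
    # Constructed peers on ephemeral loopback ports (stand-ins for clients).
    known_peer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    known_peer.bind((LOOPBACK, 0))
    other_peer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    other_peer.bind((LOOPBACK, 0))

    # Server side: the unconnected listener, then a flow socket bound to the
    # same local address:port and connected to the known peer's address.
    listener = bound_udp_socket(0)
    server_addr = listener.getsockname()
    flow = bound_udp_socket(server_addr[1])
    flow.connect(known_peer.getsockname())

    server_sockets = {"flow": flow, "listener": listener}
    results = {}
    try:
        known_peer.sendto(b"constructed datagram from the known peer", server_addr)
        results["known_peer"] = first_readable(server_sockets)
        other_peer.sendto(b"constructed datagram from an unknown peer", server_addr)
        results["other_peer"] = first_readable(server_sockets)
    finally:
        for s in (known_peer, other_peer, flow, listener):
            s.close()
    return results


if __name__ == "__main__":
    print(which_socket_receives())
```

On Linux this prints `{'known_peer': 'flow', 'other_peer': 'listener'}`: the datagram from the peer the flow socket is connected to scores higher against that socket in the four-tuple lookup, so it never reaches the listener, while the unknown peer's datagram fails the connected socket's daddr/dport match and falls through to the unconnected one. That is the property a proxy needs if it hands each DTLS association its own connected socket and keeps the listener only for new peers. Other platforms may differ in both the duplicate-bind rule and the lookup preference, so the probe is worth rerunning wherever the proxy is deployed.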