From c04988575816e4db6f20d572d727f4fef716f42f Mon Sep 17 00:00:00 2001
From: yrutschle
Date: Fri, 16 Jul 2021 22:37:41 +0200
Subject: [PATCH] document UDP support
---
 README.md | 6 +++---
 doc/config.md | 14 ++++++++++++++
 example.cfg | 4 +++-
 3 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 9e060be..802076b 100644
--- a/README.md
+++ b/README.md
@@ -20,9 +20,9 @@ address.
 `sslh` has the bells and whistles expected from a mature daemon:
 privilege and capabilities dropping, inetd support,
-systemd support, transparent proxying,
-chroot, logging, IPv4 and IPv6, a fork-based and a
-select-based model, and more.
+systemd support, transparent proxying, chroot, logging,
+IPv4 and IPv6, TCP and UDP, a fork-based and a select-based
+model, and more.
 Install
 =======
diff --git a/doc/config.md b/doc/config.md
index f9360b5..150fb5b 100644
--- a/doc/config.md
+++ b/doc/config.md
@@ -335,3 +335,17 @@ many connections to ssh from the same IP address...)
 See example files in scripts/fail2ban.
+UDP
+---
+`sslh` can perform demultiplexing on UDP packets as well.
+This only works with `sslh-select` (it is not possible to
+support UDP with a forking model). Specify a listening
+address and target protocols with `is_udp: true`. `sslh`
+will wait for incoming UDP packets, run the probes in the
+usual fashion, and forward packets to the appropriate
+target. `sslh` will then remember the association between
+remote host to target server for 60 seconds by default,
+which can be overriden with `udp_timeout`. This allows to
+process both single-datagram protocols such as DNS, and
+connection-based protocols such as QUIC.
diff --git a/example.cfg b/example.cfg
index c25b095..1d5167d 100644
--- a/example.cfg
+++ b/example.cfg
@@ -94,7 +94,9 @@ protocols:
 { name: "tls"; host: "localhost"; port: "443"; tfo_ok: true },
 # Forward UDP
- { name: "regex"; host: "localhost"; is_udp: true; port: "123"; regex_patterns: [ "hello" ]; },
+ { name: "regex"; host: "localhost"; is_udp: true; port: "123";
+ udp_timeout: 20; # Time after which the "connection" is forgotten
+ regex_patterns: [ "hello" ]; },
 # Regex examples -- better use the built-in probes for real-world use!
 # OpenVPN
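Review bot: The comment on the new `udp_timeout: 20;` line gives no unit, while doc/config.md in this same patch says the association is kept "for 60 seconds by default", so a reader of example.cfg alone cannot tell whether 20 means seconds; suggest `udp_timeout: 20; # Seconds after which the "connection" is forgotten (default 60)`. The `# Forward UDP` comment above the entry could also carry the restriction stated in doc/config.md, e.g. `# Forward UDP (sslh-select only; UDP is not supported by the forking model)`, since the example is the file people copy and this patch does not say what `sslh-fork` does with an `is_udp` entry. Because the timeout is, per the doc text, how long sslh retains per-remote-host state, it may be worth one more comment clause noting that a lower value limits how much such state accumulates at the cost of forgetting flows that go quiet longer than the timeout; that reading is inferred from doc/config.md rather than from code, so phrase it as guidance.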