document UDP support

README.md

@@ -20,9 +20,9 @@ address.
 
 `sslh` has the bells and whistles expected from a mature
 daemon: privilege and capabilities dropping, inetd support,
-systemd support, transparent proxying,
+systemd support, transparent proxying, chroot, logging, 
-chroot, logging, IPv4 and IPv6, a fork-based and a
+IPv4 and IPv6, TCP and UDP, a fork-based and a select-based 
-select-based model, and more.
+model, and more.
 
 Install
 =======

doc/config.md

@@ -335,3 +335,17 @@ many connections to ssh from the same IP address...)
 
 See example files in scripts/fail2ban.
 
+UDP
+---
+
+`sslh` can perform demultiplexing on UDP packets as well.
+This only works with `sslh-select` (it is not possible to
+support UDP with a forking model). Specify a listening
+address and target protocols with `is_udp: true`. `sslh`
+will wait for incoming UDP packets, run the probes in the
+usual fashion, and forward packets to the appropriate
+target. `sslh` will then remember the association between
+remote host to target server for 60 seconds by default,
+which can be overriden with `udp_timeout`. This allows to
+process both single-datagram protocols such as DNS, and
+connection-based protocols such as QUIC.

example.cfg

@@ -94,7 +94,9 @@ protocols:
      { name: "tls"; host: "localhost"; port: "443";  tfo_ok: true },
 
 # Forward UDP 
-     { name: "regex"; host: "localhost"; is_udp: true; port: "123"; regex_patterns: [ "hello" ]; },
+     { name: "regex"; host: "localhost"; is_udp: true; port: "123";
+                      udp_timeout: 20;  # Time after which the "connection" is forgotten
+                      regex_patterns: [ "hello" ]; },
 
 # Regex examples -- better use the built-in probes for real-world use!
 # OpenVPN