Re: [PATCH] NAT lookups upgrade for FreeBSD and OpenBSD

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 16 Apr 2013 14:25:17 +1200

On 2/04/2013 1:35 a.m., Amos Jeffries wrote:
> Current OpenBSD implementation of PF divert-to works similarly to
> TPROXY and only requires a getsockname() lookup to locate the TCP
> packet original destination.
>
> The work by Marios with some additional tweaks discovered in recent
> testing has now gone into 3.HEAD providing Squid with working
> http_port tproxy option.
>
> We can use the same PF configuration to perform the "intercept" option but
> the old PF transparent code does lookups on /dev/pf which fails badly
> on the new PF versions. getsockname() is what is really required and
> already performed by TcpAcceptor on all incoming connections, so there
> is no need for a special PF lookup code now.
>
> This patch adds a new ./configure option --with-nat-devpf to enable
> the old /dev/pf NAT lookup code in a backward-compatible way for older
> OS versions and OpenBSD based distros which have not yet ported the
> new PF code. The option is disabled by default since the systems
> requiring it are fairly old now.
>
>
> This also removes the getsockname() lookup in the IPFW lookup
> implementation which is redundant behind TcpAcceptor.

In the absence of any objections a slightly more polished and tested version
of this patch has been applied to trunk as rev.12757.

Amos
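The lookup the thread is about, as an added illustration that is not Squid's TcpAcceptor code and not part of the original message: with PF divert-to (or Linux TPROXY) the kernel hands the proxy an accepted socket whose local address is the client's original destination, so a single getsockname() on the accepted descriptor recovers it. The helper below does that lookup for IPv4 and IPv6; the loopback rig underneath it (listener, client, accept) is constructed only so the helper can be exercised offline, where no redirection is in place and getsockname() therefore returns the plain listening address. The function and variable names are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Report the local (destination) address of an accepted socket as the
 * kernel sees it. Under PF divert-to or TPROXY this is the original
 * destination the client dialled; on a plain listener it is just the
 * listening address, so the caller must know which mode the port runs in
 * before treating the result as a client-chosen destination.
 * Returns 0 on success and fills ip/port, -1 on error. */
int original_destination(int accepted_fd, char *ip, size_t iplen, int *port)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    memset(&ss, 0, sizeof(ss));
    if (getsockname(accepted_fd, (struct sockaddr *)&ss, &len) != 0)
        return -1;
    if (ss.ss_family == AF_INET) {
        struct sockaddr_in *in4 = (struct sockaddr_in *)&ss;
        if (!inet_ntop(AF_INET, &in4->sin_addr, ip, iplen))
            return -1;
        *port = ntohs(in4->sin_port);
        return 0;
    }
    if (ss.ss_family == AF_INET6) {
        struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&ss;
        if (!inet_ntop(AF_INET6, &in6->sin6_addr, ip, iplen))
            return -1;
        *port = ntohs(in6->sin6_port);
        return 0;
    }
    return -1; /* unsupported address family */
}

/* Constructed test rig (not Squid code): bind a loopback listener on an
 * ephemeral port, connect to it, accept, then query the accepted socket.
 * Stores the listening port in *listen_port_out and the reported IP in
 * ip; returns the port getsockname() reported, or -1 on failure. */
int demo_loopback_lookup(int *listen_port_out, char *ip, size_t iplen)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0; /* let the kernel pick a free port */
    if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) != 0 || listen(lfd, 1) != 0) {
        close(lfd);
        return -1;
    }
    socklen_t alen = sizeof(addr);
    if (getsockname(lfd, (struct sockaddr *)&addr, &alen) != 0) {
        close(lfd);
        return -1;
    }
    *listen_port_out = ntohs(addr.sin_port);

    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0) {
        close(lfd);
        return -1;
    }
    if (connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
        close(cfd);
        close(lfd);
        return -1;
    }
    int afd = accept(lfd, NULL, NULL);
    if (afd < 0) {
        close(cfd);
        close(lfd);
        return -1;
    }

    int port = -1;
    int rc = original_destination(afd, ip, iplen, &port);
    close(afd);
    close(cfd);
    close(lfd);
    return rc == 0 ? port : -1;
}

int main(void)
{
    char ip[INET6_ADDRSTRLEN];
    int listen_port = 0;
    int seen = demo_loopback_lookup(&listen_port, ip, sizeof(ip));
    printf("listener on %d, accepted socket reports %s:%d\n", listen_port, ip, seen);
    return seen == listen_port ? 0 : 1;
}
```

Because the rig has no PF or TPROXY rule redirecting traffic, the reported destination equals the listening address; behind a real divert-to rule the same call yields the address the client actually dialled, which is why the patch can drop the /dev/pf and extra IPFW lookups and rely on the getsockname() TcpAcceptor already performs.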
Received on Tue Apr 16 2013 - 02:25:28 MDT