Matthew Petach wrote:
> Hm. All *available* interfaces. What about running the NIC
> in promiscuous mode, and simply having squid listen for ANY
> inbound packet destined for whatever port the conf file specifies?
> That way, you can remove the requirement for the ipfwadm, etc.
No. Promiscuous mode does NOT solve the problem. Promiscuous mode only
allows you to capture all packets in RAW format, not normal IP
processing. The big problem is not to get the network interface to
accept the packet (this can easily be done using clever routing
redirection). The hard part is to get the TCP/IP stack in the kernel to
forward the traffic to a local TCP/IP application, and this requires
kernel modification/support.
There is software available to do this on most platforms:
* On Linux you use ipfwadm and the built in transparent-proxy support.
* For most other OSes (including Solaris 2.6) ipfilter is available (see
Squid FAQ).
In both cases some small modifications to Squid are needed to support both
old and new clients. The patch needed for Linux is available from my
home page (http://hem.passagen.se/hno/squid/), and this patch is
basically needed for ipfilter as well, but ipfilter requires some
additional patching (I don't know exactly how), as you have to replace
getsockname (or icpState->me.sin_addr) with something else to get the
intended destination address from ipfilters redirection tables... The
relevant part in the sources is the vhost_mode block in
icp.c:parseHttpRequest.
---
Henrik Nordström
Sparetime Squid Hacker

Received on Sun Mar 01 1998 - 10:46:23 MST
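The getsockname() fallback Henrik describes, written out as an added example (not his patch and not Squid's parseHttpRequest): an HTTP/1.1 client supplies a Host header, an older client does not, so the proxy rebuilds the absolute URL from the Host header when present and otherwise from the local address of the accepted socket. The function names are hypothetical; the fallback only yields the real origin server when the kernel has redirected the connection (ipfwadm on Linux), since otherwise getsockname() simply returns the proxy's own address.

```c
/* Added example, not Squid's own code. Rebuild an absolute URL for a
 * transparently intercepted request. Names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Build "http://<host>[:port]<path>" into out.
 * host_header may be NULL (old client without a Host header); then the
 * socket's local end, as filled in by getsockname(2), is used instead.
 * Under kernel redirection that address is the client's intended server.
 * Returns 0 on success, -1 on bad input or truncation. */
int build_absolute_url(const char *request_path,
                       const char *host_header,
                       const struct sockaddr_in *me,
                       char *out, size_t outlen)
{
    char addrbuf[INET_ADDRSTRLEN];
    int port = ntohs(me->sin_port);
    int n;

    /* Only origin-form requests ("/path") need rewriting; a client that
     * already sent an absolute URL knew it was talking to a proxy. */
    if (request_path == NULL || request_path[0] != '/')
        return -1;

    if (host_header != NULL && host_header[0] != '\0') {
        /* New client: trust the Host header (it may already carry a port). */
        n = snprintf(out, outlen, "http://%s%s", host_header, request_path);
    } else {
        /* Old client: fall back to the intercepted destination address. */
        if (inet_ntop(AF_INET, &me->sin_addr, addrbuf, sizeof addrbuf) == NULL)
            return -1;
        if (port == 80)
            n = snprintf(out, outlen, "http://%s%s", addrbuf, request_path);
        else
            n = snprintf(out, outlen, "http://%s:%d%s", addrbuf, port, request_path);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Convenience wrapper for an accepted socket: query its local address
 * with getsockname(2), then build the URL from it. */
int url_for_fd(int fd, const char *request_path, const char *host_header,
               char *out, size_t outlen)
{
    struct sockaddr_in me;
    socklen_t len = sizeof me;
    if (getsockname(fd, (struct sockaddr *)&me, &len) < 0)
        return -1;
    return build_absolute_url(request_path, host_header, &me, out, outlen);
}
```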
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:39:07 MST