[squid-users] IPv6 support for PF interception

2016-12-05 Thread Egerváry Gergely
Hi, So, do you want IPv4/IPv6 dual-stacked transparent interception on your NetBSD box? Unfortunately, you are out of luck. On NetBSD, we have three choices for packet filtering: - Darren Reed's "IPFilter". It has known bugs for years, and looks abandoned. - OpenBSD's "PF". Its NetBSD port

Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-13 Thread Egerváry Gergely
Thanks for the testing and feedback. I've applied this as part-2 of the bug 4302 updates. It will be in the next releases of 3.5 and 4.x. One more patch for Intercept.cc: On NetBSD, USE_INET6 is only defined by netinet/ip_compat.h if __NetBSD_Version__ is defined by sys/param.h: #if

Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Egerváry Gergely
> Thanks for the testing and feedback. I've applied this as part-2 of the > bug 4302 updates. It will be in the next releases of 3.5 and 4.x. you are the hero of the day, thank you very much! -- Gergely EGERVARY

Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Egerváry Gergely
> Getting closer, but still not there... Hah, we need to apply the kern/50198 patch to ipnat_6.c too. --- ip_nat6.c.orig 2015-08-08 18:31:21.0 +0200 +++ ip_nat6.c 2016-10-04 14:04:21.0 +0200 @@ -2470,8 +2469,8 @@ } }

Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Egerváry Gergely
> Aha. Damn macros. > > There are a few changes needed, for both v4/v6 inputs and 'realip' > processing. This attached patch should be what you need for Squid-3.5 to > work. Getting closer, but still not there... The browser client is 2001:738:7a00:a::a:d, the remote destination is

Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Egerváry Gergely
> Is there another defined somewhere else? For some reason your Squid is > managing to build with just "nl_inip" (no 'addr') in the field name. There's a copy in /usr/include/netinet, but it's the same: typedef struct natlookup { i6addr_t nl_inipaddr; i6addr_t

Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Egerváry Gergely
Apparently the IPFilter 5.1 code defines a 32-bit IPv4-only structure for 64-bit IPv6 addresses to be placed into. That was supposed to be fixed in IPFilter 5.0.3. Can you look through your system for code header files that define "struct natlookup" and show me what they contain? in

Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Egerváry Gergely
2016/10/03 17:08:03.233 kid1| Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4. IPA=[2001:738:7a00:a::14]:3128 And what are your squid.conf http_port line(s) ? http_port 127.0.0.1:8080 http_port [::1]:8080 http_port 172.28.0.20:3128 intercept http_port 172.28.0.20:8080 http_port

[squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-03 Thread Egerváry Gergely
Hi, I'm running on NetBSD 7-STABLE, with IPFilter 5.1 (--enable-ipf-transparent) NAT interception rule: rdr wm1 from 2001:738:7a00:a::/64 to any port = 80 -> 2001:738:7a00:a::14 port 3128 tcp cache.log: 2016/10/03 17:08:03.232 kid1| 5,2| TcpAcceptor.cc(220) doAccept: New connection on FD 18

[squid-users] intercept + IPv6 + IPFilter 5.1

2016-10-01 Thread Egerváry Gergely
Hi, Should "intercept" work with IPv6 on NetBSD 7-STABLE and IPFilter 5.1? I have the patch applied for kern/50198, and it's working fine with IPv4. I only get a connection reset by peer on IPv6. Thank You, -- Gergely EGERVARY

Re: [squid-users] More NAT/TPROXY lookup fails (NetBSD 7.0, IPFilter 5.1)

2016-01-18 Thread Egerváry Gergely
You saved hours of debugging for me. Thank You! It works with the patch applied. -- Gergely EGERVARY This is a bug in IPFilter 5. We're waiting to hear back from the IPFilter maintainer before committing. Try this patch (and read the PR for more info): ---

[squid-users] More NAT/TPROXY lookup fails (NetBSD 7.0, IPFilter 5.1)

2016-01-16 Thread Egerváry Gergely
Hi, I'm running on: - NetBSD 7.0_STABLE (checked out today) - Squid 3.5.12 from NetBSD pkgsrc 2015Q4 - IP Filter: v5.1.2 (536) Configured with "--enable-ipf-transparent": $ ./configure --sysconfdir=/usr/pkg/etc/squid --localstatedir=/var/squid --datarootdir=/usr/pkg/share/squid

Re: [squid-users] More NAT/TPROXY lookup fails (NetBSD 7.0, IPFilter 5.1)

2016-01-16 Thread Egerváry Gergely
You missed out saying how you tested it. That matters. For example, from the Squid log line it appears you made a connection directly to the intercept port without going through the NAT system. Of course the NAT system would have no record of it under those circumstances. Yes, I tested it