On 3/04/2013 6:37 a.m., Eliezer Croitoru wrote:
On 04/02/2013 12:19 PM, Amos Jeffries wrote:
On 2/04/2013 5:13 p.m., Eliezer Croitoru wrote:
ANY config example??
Eliezer
On 04/01/2013 03:35 PM, Amos Jeffries wrote:
Current OpenBSD implementation of PF divert-to works similarly to
TPROXY and only requires a getsockname() lookup to locate the TCP
packet original destination.
The work by Marios with some additional tweaks discovered in recent
testing has now gone into 3.HEAD providing Squid with working
http_port tproxy option.
We can use the same PF configuration to perform "intercept" option
but the old PF transparent code does lookups on /dev/pf which fails
badly on the new PF versions. getsockname() is what is really
required and already performed by TcpAcceptor on all incoming
connections, so there is no need for a special PF lookup code now.
This patch adds a new ./configure option --with-nat-devpf to enable
the old /dev/pf NAT lookup code in a backward-compatible way for
older OS versions and OpenBSD based distros which have not yet
ported the new PF code. The option is disabled by default since the
systems requiring it are fairly old now.
This also removes the getsockname() lookup in the IPFW lookup
implementation which is redundant behind TcpAcceptor.
NP: we still do not support the new PF "rdr-to" which is doing more
NAT-like operations than TPROXY-like ones. However nobody has been
able to supply any information on how we would lookup those
details. So until that appears we support both http(s)_port
intercept and tproxy options using only the PF divert-to syntax.
Amos
I've updated
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
Amos
Thanks.
I was wondering if the tproxy in BSD is using auto/random src port on
the same IP? the same as in Linux?
Yes Squid sets the port on outgoing packets to 0 for random
re-assignment. The only difference between OS is the kernel code. So the
socket options differ a little, but they all use the POSIX socket API
identically on all systems so far (Linux, OpenBSD 4.7+, FreeBSD 8+, NetBSD).
Amos
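An added example, not Squid's code and not from anyone in this thread, illustrating the two socket-API points made above: getsockname() on the accepted socket is what yields the original destination of a divert-to/TPROXY connection (replacing the old /dev/pf NAT lookup), and the outgoing spoofed connection binds with port 0 so the kernel assigns the source port. The loopback self-test at the bottom has no PF rule in front of it, so there the local address is simply the listener's own; behind a rule such as `pass in quick on em0 inet proto tcp to port 80 divert-to 127.0.0.1 port 3129` (interface and port numbers are assumptions; the wiki page linked above has the real configuration) the same call returns the client's intended server. The `enable_nonlocal_bind` helper is my own selection of the per-kernel option names, requires root, and is not exercised by the self-test.

```c
/* Added example (not Squid's code): recover an intercepted TCP connection's
 * original destination with getsockname(), and bind an outgoing spoofed
 * connection with port 0 so the kernel picks the source port. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill host/port with the local address of fd.  For a connection delivered
 * by PF divert-to (OpenBSD) or TPROXY (Linux) the accepted socket's local
 * address IS the client's original destination, so this single call
 * replaces the old /dev/pf ioctl lookup.  Returns 0 on success, -1 on error. */
int local_endpoint(int fd, char *host, size_t hostlen, unsigned short *port)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0)
        return -1;
    if (ss.ss_family == AF_INET) {
        struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
        if (!inet_ntop(AF_INET, &s4->sin_addr, host, hostlen)) return -1;
        *port = ntohs(s4->sin_port);
        return 0;
    }
    if (ss.ss_family == AF_INET6) {
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
        if (!inet_ntop(AF_INET6, &s6->sin6_addr, host, hostlen)) return -1;
        *port = ntohs(s6->sin6_port);
        return 0;
    }
    return -1;
}

/* Socket option that permits binding a non-local (client) source address.
 * The names differ per kernel, as the thread notes; needs root/CAP_NET_ADMIN.
 * Assumed mapping: Linux IP_TRANSPARENT, OpenBSD SO_BINDANY, FreeBSD IP_BINDANY. */
int enable_nonlocal_bind(int fd)
{
    int on = 1;
#if defined(IP_TRANSPARENT)      /* Linux */
    return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof on);
#elif defined(SO_BINDANY)        /* OpenBSD */
    return setsockopt(fd, SOL_SOCKET, SO_BINDANY, &on, sizeof on);
#elif defined(IP_BINDANY)        /* FreeBSD */
    return setsockopt(fd, IPPROTO_IP, IP_BINDANY, &on, sizeof on);
#else
    (void)fd; (void)on;
    return -1;
#endif
}

/* Outgoing side: bind to the (spoofed) source IP with port 0 so the kernel
 * assigns an ephemeral source port.  Returns the assigned port, 0 on failure. */
unsigned short bind_spoofed_source(int fd, const char *src_ip)
{
    struct sockaddr_in sin;
    char host[INET6_ADDRSTRLEN];
    unsigned short port = 0;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = 0;                       /* let the kernel choose */
    if (inet_pton(AF_INET, src_ip, &sin.sin_addr) != 1) return 0;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0) return 0;
    if (local_endpoint(fd, host, sizeof host, &port) != 0) return 0;
    return port;
}

/* Loopback self-test: listen on 127.0.0.1:0, connect, accept, then read the
 * accepted socket's local endpoint.  Without a PF rule in front of it this
 * is just the listener's own port; behind divert-to it would be the client's
 * original destination.  Returns 0 on success. */
int demo_accept_and_lookup(unsigned short *listen_port, unsigned short *seen_port)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    char host[INET6_ADDRSTRLEN];
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    int afd, rc;
    if (lfd < 0 || cfd < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;
    if (bind(lfd, (struct sockaddr *)&sin, sizeof sin) != 0) return -1;
    if (listen(lfd, 1) != 0) return -1;
    if (getsockname(lfd, (struct sockaddr *)&sin, &len) != 0) return -1;
    *listen_port = ntohs(sin.sin_port);
    if (connect(cfd, (struct sockaddr *)&sin, sizeof sin) != 0) return -1;
    afd = accept(lfd, NULL, NULL);
    if (afd < 0) return -1;
    rc = local_endpoint(afd, host, sizeof host, seen_port);
    printf("accepted connection: local endpoint %s:%u\n", host, *seen_port);
    close(afd); close(cfd); close(lfd);
    return rc;
}
```

In a real deployment the accept side is what TcpAcceptor already does for every connection, which is why no separate PF lookup is needed for divert-to; the bind side only works for non-local addresses after `enable_nonlocal_bind` succeeds and the matching PF/TPROXY rules route the spoofed replies back to the proxy.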