On 2/04/2013 1:35 a.m., Amos Jeffries wrote:
Current OpenBSD implementation of PF divert-to works similarly to TPROXY and only requires a getsockname() lookup to locate the TCP packet original destination.

The work by Marios with some additional tweaks discovered in recent testing has now gone into 3.HEAD providing Squid with working http_port tproxy option.

We can use the same PF configuration to perform the "intercept" option, but the old PF transparent code does lookups on /dev/pf, which fails badly on the new PF versions. getsockname() is what is really required and is already performed by TcpAcceptor on all incoming connections, so there is no need for special PF lookup code now.

This patch adds a new ./configure option --with-nat-devpf to enable the old /dev/pf NAT lookup code in a backward-compatible way for older OS versions and OpenBSD-based distros which have not yet ported the new PF code. The option is disabled by default since the systems requiring it are fairly old now.


This also removes the getsockname() lookup in the IPFW lookup implementation which is redundant behind TcpAcceptor.

In the absence of any objections, a slightly more polished and tested version of this patch has been applied to trunk as rev.12757.

Amos
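An added example (my own code, not Squid's and not part of the post above) showing the getsockname() lookup the message relies on: on a connection accepted from a divert-to or TPROXY intercept port, the socket's local address is the destination the client originally dialled, so no /dev/pf query is needed. The helper names (format_sockaddr, original_destination, sample_destination, check_sample) are mine and the 192.0.2.10:80 sample is constructed. Under classic NAT redirection the kernel has already rewritten the destination to the proxy's own address before the socket exists, so getsockname() returns that and only the /dev/pf table can recover the original; that is the case the --with-nat-devpf option keeps supporting.

```c
/* Added example: recover the original destination of an intercepted TCP
 * connection with getsockname(), as TcpAcceptor does on every accept().
 * Not Squid's code; helper names are this example's own. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Render an IPv4 or IPv6 sockaddr as presentation address plus host-order
 * port. Returns 0 on success, -1 for other families or a short buffer. */
int format_sockaddr(const struct sockaddr *sa, char *host, size_t hostlen,
                    unsigned *port)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in = (const struct sockaddr_in *)sa;
        if (!inet_ntop(AF_INET, &in->sin_addr, host, hostlen))
            return -1;
        *port = ntohs(in->sin_port);
        return 0;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        if (!inet_ntop(AF_INET6, &in6->sin6_addr, host, hostlen))
            return -1;
        *port = ntohs(in6->sin6_port);
        return 0;
    }
    return -1;
}

/* For a socket returned by accept() on a divert-to / TPROXY intercept
 * listener, the local address reported by getsockname() is the address the
 * client originally connected to, not the proxy's listening address.
 * Returns 0 on success, -1 if getsockname() fails or the family is unknown. */
int original_destination(int fd, char *host, size_t hostlen, unsigned *port)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    memset(&ss, 0, sizeof ss);
    if (getsockname(fd, (struct sockaddr *)&ss, &len) < 0)
        return -1;
    return format_sockaddr((const struct sockaddr *)&ss, host, hostlen, port);
}

/* Constructed sample (no live PF rule needed): a sockaddr_in for
 * 192.0.2.10:80, pushed through the same formatting path. */
int sample_destination(char *host, size_t hostlen, unsigned *port)
{
    struct sockaddr_in in;
    memset(&in, 0, sizeof in);
    in.sin_family = AF_INET;
    in.sin_port = htons(80);
    inet_pton(AF_INET, "192.0.2.10", &in.sin_addr);
    return format_sockaddr((const struct sockaddr *)&in, host, hostlen, port);
}

/* Self-check: returns the decoded port (80) when the constructed sample
 * round-trips correctly, a negative value otherwise. */
int check_sample(void)
{
    char host[INET6_ADDRSTRLEN];
    unsigned port = 0;
    if (sample_destination(host, sizeof host, &port) != 0)
        return -1;
    if (strcmp(host, "192.0.2.10") != 0)
        return -2;
    return (int)port;
}

int main(void)
{
    /* Loopback demonstration: without a divert rule this reports the
     * listener's own 127.0.0.1:<port>; on a divert-to/tproxy listener the
     * same call reports the client's intended destination. */
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;
    char host[INET6_ADDRSTRLEN];
    unsigned port = 0;
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    int cs = socket(AF_INET, SOCK_STREAM, 0);
    int fd;

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                       /* let the kernel pick a port */
    if (ls < 0 || cs < 0 || bind(ls, (struct sockaddr *)&addr, sizeof addr) < 0
        || listen(ls, 1) < 0
        || getsockname(ls, (struct sockaddr *)&addr, &alen) < 0
        || connect(cs, (struct sockaddr *)&addr, sizeof addr) < 0) {
        perror("loopback setup");
        return 1;
    }
    fd = accept(ls, NULL, NULL);
    if (fd >= 0 && original_destination(fd, host, sizeof host, &port) == 0)
        printf("accepted connection was addressed to %s:%u\n", host, port);
    close(fd);
    close(cs);
    close(ls);
    return 0;
}
```

A practical use for an operator: run original_destination() on a connection accepted from an intercept port and compare it with the listener's own address. If they are identical for traffic that should have been diverted, the port is receiving NAT-redirected rather than diverted connections and the original destination has already been lost at the socket layer.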
