[PATCH] Transparent proxy support for OpenBSD 3.0+ (new PF filter)

From: Nic Bellamy <nic@dont-contact.us>
Date: Thu, 15 Nov 2001 11:37:27 +1300 (NZDT)

[ I'm not on squid-dev - please CC me if I'm needed ]

Hi all,
        I've written a patch against 2.4STABLE2 to support the new PF
packet filtering/NAT system used in OpenBSD 3.0 and up (3.0 isn't
"officially" released until the 1st of December, but it's available in
CVS - this is what I'm working from). IPFilter was removed from OpenBSD
after the 2.9 release due to licensing reasons.

The new system works almost identically to IPFilter, bar some API
changes. The code I've added is pretty much a cut'n'paste of the IPFilter
support code.

I've added a --enable-pf-transparent configure option, as although it
works in a very similar manner to IPF, it's a completely different
codebase.

Bits I'm currently unhappy with in the patch:

        natfd = open("/dev/pf", O_RDWR);

Unlike IPFilter, PF doesn't appear to have a #define for the device name.

        if (ioctl(natfd, DIOCNATLOOK, &natlook) < 0) {
                if (errno != ENOENT) {
                /* ..... */
                } else {
                        snprintf(http->uri, url_sz, "http://%s:%d%s",
                                inet_ntoa(http->conn->me.sin_addr),
                                                vport, url);
                }
        } ...

I duplicated the above from the IPFilter proxy code, but perhaps it would
be better to return a parseHttpRequestAbort(...) rather than trying to
fudge it (which will pretty much always return http://127.0.0.1:80/foo).
As I'm not 100% sure of the intent in the IPFilter code, I left it in for
the sake of predictability.

Modified files:

        squid-2.4.STABLE2/acconfig.h
        squid-2.4.STABLE2/configure.in
        squid-2.4.STABLE2/src/client_side.c

Regards,
        Nic.

-- Nic Bellamy <nic@bellamy.co.nz>
   Bellamy Consulting (NZ) Limited. +64-6-377-4957 Mobile: +64-21-251-8954
   Internet Software & Security Consulting -- http://www.bellamy.co.nz/ --

Received on Sun Nov 18 2001 - 23:51:08 MST
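
The alternative raised in the message above, refusing the request when the NAT lookup finds no state instead of building a URI from the proxy's own socket address, shown as an added example (not code from the patch or from Squid). The struct nat_result type, the uri_status values and build_intercept_uri() are hypothetical names that stand in for the ioctl result so the logic runs on any platform; the sample address is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, portable stand-in for the outcome of the NAT state lookup
 * (the DIOCNATLOOK ioctl in the post). This is not PF's own structure. */
struct nat_result {
    int rc;               /* ioctl() return value: 0 on success, -1 on failure */
    int err;              /* errno saved when rc < 0 */
    const char *orig_ip;  /* client's original destination, valid if rc == 0 */
    int orig_port;
};

enum uri_status { URI_OK = 0, URI_NO_NAT_STATE, URI_LOOKUP_ERROR, URI_TOO_LONG };

/* Build the absolute URI for an intercepted request, failing closed: with no
 * NAT state (ENOENT) the caller gets an error to turn into a request abort,
 * never a URI pointing at the proxy's own listening address. */
static enum uri_status
build_intercept_uri(const struct nat_result *nat, const char *path,
                    char *out, size_t out_sz)
{
    int n;

    if (out_sz == 0)
        return URI_TOO_LONG;
    out[0] = '\0';
    if (nat->rc < 0)
        return nat->err == ENOENT ? URI_NO_NAT_STATE : URI_LOOKUP_ERROR;
    n = snprintf(out, out_sz, "http://%s:%d%s", nat->orig_ip, nat->orig_port, path);
    if (n < 0 || (size_t)n >= out_sz) {
        out[0] = '\0';      /* never hand back a truncated URI */
        return URI_TOO_LONG;
    }
    return URI_OK;
}

int main(void)
{
    /* Constructed sample results; 192.0.2.10 is a documentation address. */
    struct nat_result hit = { 0, 0, "192.0.2.10", 80 };
    struct nat_result miss = { -1, ENOENT, NULL, 0 };
    char uri[128];

    printf("hit:  %d %s\n", build_intercept_uri(&hit, "/foo", uri, sizeof uri), uri);
    printf("miss: %d\n", build_intercept_uri(&miss, "/foo", uri, sizeof uri));
    return 0;
}
```

Keeping ENOENT separate from other lookup errors lets the caller log a missing NAT state differently from a failing /dev/pf descriptor while rejecting the request in both cases.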
