transparent proxying with squid and pf O_RDONLY

From: Andrey Matveev <evol@dont-contact.us>
Date: Fri, 6 Jan 2006 19:34:23 +0300

Hello,

Squid needs to open /dev/pf to query the packet filter. Today in
OpenBSD the default permissions for /dev/pf allow access only to
root and squid is running as user _squid, group _squid. So one
way to allow access to squid is by changing the GID of the file
to _squid and making it group-accessible:

# chgrp _squid /dev/pf
# chmod g+rw /dev/pf

Daniel Hartmeier has already committed code which allows squid
to work group-read-only:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_ioctl.c.diff?r1=1.163&r2=1.164

And Brad Smith has already committed a change to openbsd squid port:

http://www.openbsd.org/cgi-bin/cvsweb/ports/www/squid/patches/patch-src_client_side_c.diff?r1=1.3&r2=1.4

Now it is possible to do:

# chgrp _squid /dev/pf
# chmod g+r /dev/pf
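As an added example (not part of this mail or of the squid port), a small sh function that audits a device node such as /dev/pf against the layout described above: group set to the group squid runs as, group bits read-only, nothing for others. The path and the expected group name are arguments, and it relies only on ls(1) so it behaves the same on OpenBSD and Linux.

```sh
#!/bin/sh
# Added example: check that a device node matches the least-privilege layout
# the mail describes (owner root, group _squid, mode 0640 after "chmod g+r").
# Arguments: path of the node (e.g. /dev/pf) and the expected group (e.g. _squid).
# Returns 0 when the node matches, 1 otherwise, and prints each deviation.
check_pf_perms() {
    path=$1
    want_group=$2
    out=$(ls -ld "$path" 2>/dev/null) || { echo "$path: cannot stat"; return 1; }
    # ls -ld fields: mode links owner group ...
    set -- $out
    mode=$1
    group=$4
    rc=0
    # columns 5-7 of the mode string are the group bits, 8-10 the "other" bits
    grp=$(printf %s "$mode" | cut -c5-7)
    oth=$(printf %s "$mode" | cut -c8-10)
    [ "$group" = "$want_group" ] || {
        echo "$path: group is $group, expected $want_group"; rc=1; }
    [ "$grp" = "r--" ] || {
        echo "$path: group bits are '$grp', expected 'r--' (read-only is enough)"; rc=1; }
    [ "$oth" = "---" ] || {
        echo "$path: others have '$oth', the node must not be world-accessible"; rc=1; }
    return $rc
}
```

Run it as `check_pf_perms /dev/pf _squid` after the chgrp/chmod steps; a group-writable node (the earlier g+rw variant) is reported because it grants more than squid needs.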

Can you please apply this patch?

--- client_side.c.orig Fri Jan 6 01:09:02 2006
+++ client_side.c Fri Jan 6 01:09:34 2006
@@ -2824,7 +2824,7 @@
 #elif PF_TRANSPARENT
             static time_t last_reported = 0;
             if (pffd < 0)
- pffd = open("/dev/pf", O_RDWR);
+ pffd = open("/dev/pf", O_RDONLY);
             if (pffd < 0) {
                 if (squid_curtime - last_reported > 60) {
                     debug(50, 1) ("parseHttpRequest: PF open failed: %s\n", xstrerror());
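Review bot: opening /dev/pf with O_RDONLY only works on a kernel that accepts the pf query ioctl on a read-only descriptor, i.e. one carrying the pf_ioctl.c r1.163 to r1.164 change cited earlier in this mail; on an older kernel open() now succeeds but the ioctl that follows is refused, so the failure moves from the "PF open failed" message in this hunk to the ioctl error path, where the rate-limited last_reported logic does not apply. Worth stating that kernel requirement in the commit message, and the same descriptor is kept open for the life of the process, so the chgrp/chmod on /dev/pf must be done before squid starts.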

Received on Fri Jan 06 2006 - 10:11:07 MST