[PATCH] NAT lookups upgrade for FreeBSD and OpenBSD

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 02 Apr 2013 01:35:38 +1300

Current OpenBSD implementation of PF divert-to works similarly to TPROXY
and only requires a getsockname() lookup to locate the TCP packet
original destination.

The work by Marios with some additional tweaks discovered in recent
testing has now gone into 3.HEAD providing Squid with working http_port
tproxy option.

We can use the same PF configuration to perform "intercept" option but
the old PF transparent code does lookups on /dev/pf which fails badly on
the new PF versions. getsockname() is what is really required and
already performed by TcpAcceptor on all incoming connections, so there
is no need for a special PF lookup code now.

This patch adds a new ./configure option --with-nat-devpf to enable the
old /dev/pf NAT lookup code in a backward-compatible way for older OS
versions and OpenBSD based distros which have not yet ported the new PF
code. The option is disabled by default since the systems requiring it
are fairly old now.

This also removes the getsockname() lookup in the IPFW lookup
implementation which is redundant behind TcpAcceptor.

NP: we still do not support the new PF "rdr-to" which is doing more
NAT-like operations than TPROXY-like ones. However nobody has been able
to supply any information on how we would lookup those details. So until
that appears we support both http(s)_port intercept and tproxy options
using only the PF divert-to syntax.

Amos

Received on Mon Apr 01 2013 - 12:35:44 MDT
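The getsockname() lookup the message describes, as an added example that is not Squid's code: on a socket accepted from a PF divert-to (or TPROXY) listener, the local address reported by getsockname() is the destination the client originally dialled. The loopback self-check assumes no PF rule is present, so the recovered address is simply the listener's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Copy the address the client originally connected to into *dst.
 * Behind a divert-to/TPROXY rule this is the intercepted destination.
 * Returns 0 on success, -1 on error. */
int original_dst(int accepted_fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    return getsockname(accepted_fd, (struct sockaddr *)dst, &len);
}

/* Loopback self-check (no PF needed): listen on an ephemeral port,
 * connect to it, accept, and compare the recovered destination with
 * the one the client dialled. Returns 1 on match, 0 on failure. */
int loopback_check(void)
{
    struct sockaddr_in bound, dialled, seen;
    socklen_t len = sizeof(dialled);
    int ok = 0, lfd, cfd, afd = -1;
    lfd = socket(AF_INET, SOCK_STREAM, 0);
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || cfd < 0)
        goto out;
    memset(&bound, 0, sizeof(bound));
    bound.sin_family = AF_INET;
    bound.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    bound.sin_port = 0;                        /* kernel picks the port */
    if (bind(lfd, (struct sockaddr *)&bound, sizeof(bound)) || listen(lfd, 1))
        goto out;
    if (getsockname(lfd, (struct sockaddr *)&dialled, &len))
        goto out;                              /* learn the chosen port */
    if (connect(cfd, (struct sockaddr *)&dialled, sizeof(dialled)))
        goto out;
    afd = accept(lfd, NULL, NULL);
    if (afd < 0 || original_dst(afd, &seen))
        goto out;
    ok = seen.sin_port == dialled.sin_port &&
         seen.sin_addr.s_addr == dialled.sin_addr.s_addr;
out:
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return ok;
}
```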