Re: [PATCH] NAT lookups upgrade for FreeBSD and OpenBSD

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 02 Apr 2013 07:13:51 +0300

ANY config example??

Eliezer
On 04/01/2013 03:35 PM, Amos Jeffries wrote:
> Current OpenBSD implementation of PF divert-to works similarly to
> TPROXY and only requires a getsockname() lookup to locate the TCP
> packet original destination.
>
> The work by Marios with some additional tweaks discovered in recent
> testing has now gone into 3.HEAD providing Squid with working
> http_port tproxy option.
>
> We can use the same PF configuration to perform "intercept" option but
> the old PF transparent code does lookups on /dev/pf which fails badly
> on the new PF versions. getsockname() is what is really required and
> already performed by TcpAcceptor on all incoming connections, so there
> is no need for a special PF lookup code now.
>
> This patch adds a new ./configure option --with-nat-devpf to enable
> the old /dev/pf NAT lookup code in a backward-compatible way for older
> OS versions and OpenBSD based distros which have not yet ported the
> new PF code. The option is disabled by default since the systems
> requiring it are fairly old now.
>
>
> This also removes the getsockname() lookup in the IPFW lookup
> implementation which is redundant behind TcpAcceptor.
>
>
> NP: we still do not support the new PF "rdr-to" which is doing more
> NAT-like operations than TPROXY-like ones. However nobody has been
> able to supply any information on how we would lookup those details.
> So until that appears we support both http(s)_port intercept and
> tproxy options using only the PF divert-to syntax.
>
> Amos
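As an added example, not part of Amos's patch or of Squid's TcpAcceptor, this is the lookup the message describes: getsockname() on the accepted socket, which under PF divert-to (as under Linux TPROXY) reports the client's original destination because the kernel hands over the packet with its headers unchanged. The loopback self-test at the end assumes no PF rule is present, so it only exercises the call path.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Local address of an accepted TCP socket. Under PF divert-to (like Linux
 * TPROXY) the kernel delivers the packet with its headers unchanged, so the
 * accepted socket's local address IS the client's original destination. */
int original_destination(int fd, char *ip, size_t iplen, unsigned short *port)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    memset(&ss, 0, sizeof(ss));
    if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0)
        return -1;
    if (ss.ss_family == AF_INET) {
        struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
        if (!inet_ntop(AF_INET, &s4->sin_addr, ip, iplen)) return -1;
        *port = ntohs(s4->sin_port);
        return 0;
    }
    if (ss.ss_family == AF_INET6) {
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
        if (!inet_ntop(AF_INET6, &s6->sin6_addr, ip, iplen)) return -1;
        *port = ntohs(s6->sin6_port);
        return 0;
    }
    return -1; /* unsupported address family */
}

/* Loopback self-test (no PF involved): the lookup on the accepted socket must
 * report the listener's own address. Returns 1 on match, 0 on mismatch, -1 on
 * a socket error. Behind a divert-to rule it would show the intercepted dest. */
int demo_lookup(void)
{
    struct sockaddr_in a = { .sin_family = AF_INET };
    socklen_t alen = sizeof(a);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks one */
    int l = socket(AF_INET, SOCK_STREAM, 0), c = socket(AF_INET, SOCK_STREAM, 0);
    if (l < 0 || c < 0 || bind(l, (struct sockaddr *)&a, sizeof(a)) ||
        listen(l, 1) || getsockname(l, (struct sockaddr *)&a, &alen) ||
        connect(c, (struct sockaddr *)&a, sizeof(a)))
        return -1;
    int s = accept(l, NULL, NULL);
    char ip[INET6_ADDRSTRLEN]; unsigned short port = 0;
    int rc = (s < 0) ? -1 : original_destination(s, ip, sizeof(ip), &port);
    close(s); close(c); close(l);
    if (rc != 0) return -1;
    return (port == ntohs(a.sin_port) && strcmp(ip, "127.0.0.1") == 0) ? 1 : 0;
}
```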
Received on Tue Apr 02 2013 - 07:46:06 MDT