Re: [PATCH] NAT lookups upgrade for FreeBSD and OpenBSD

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 02 Apr 2013 22:19:28 +1300

On 2/04/2013 5:13 p.m., Eliezer Croitoru wrote:
> ANY config example??
>
> Eliezer
> On 04/01/2013 03:35 PM, Amos Jeffries wrote:
>> Current OpenBSD implementation of PF divert-to works similarly to
>> TPROXY and only requires a getsockname() lookup to locate the TCP
>> packet original destination.
>>
>> The work by Marios with some additional tweaks discovered in recent
>> testing has now gone into 3.HEAD providing Squid with working
>> http_port tproxy option.
>>
>> We can use the same PF configuration to perform "intercept" option
>> but the old PF transparent code does lookups on /dev/pf which fails
>> badly on the new PF versions. getsockname() is what is really
>> required and already performed by TcpAcceptor on all incoming
>> connections, so there is no need for a special PF lookup code now.
>>
>> This patch adds a new ./configure option --with-nat-devpf to enable
>> the old /dev/pf NAT lookup code in a backward-compatible way for
>> older OS versions and OpenBSD based distros which have not yet ported
>> the new PF code. The option is disabled by default since the systems
>> requiring it are fairly old now.
>>
>>
>> This also removes the getsockname() lookup in the IPFW lookup
>> implementation which is redundant behind TcpAcceptor.
>>
>>
>> NP: we still do not support the new PF "rdr-to" which is doing more
>> NAT-like operations than TPROXY-like ones. However nobody has been
>> able to supply any information on how we would look up those details.
>> So until that appears we support both http(s)_port intercept and
>> tproxy options using only the PF divert-to syntax.
>>
>> Amos
>

I've updated http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

Amos
Received on Tue Apr 02 2013 - 09:19:42 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 02 2013 - 12:00:05 MDT