Re: [PATCH] NAT lookups upgrade for FreeBSD and OpenBSD

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 02 Apr 2013 20:37:06 +0300

On 04/02/2013 12:19 PM, Amos Jeffries wrote:
> On 2/04/2013 5:13 p.m., Eliezer Croitoru wrote:
>> ANY config example??
>>
>> Eliezer
>> On 04/01/2013 03:35 PM, Amos Jeffries wrote:
>>> Current OpenBSD implementation of PF divert-to works similarly to
>>> TPROXY and only requires a getsockname() lookup to locate the TCP
>>> packet original destination.
>>>
>>> The work by Marios with some additional tweaks discovered in recent
>>> testing has now gone into 3.HEAD providing Squid with working
>>> http_port tproxy option.
>>>
>>> We can use the same PF configuration to perform "intercept" option
>>> but the old PF transparent code does lookups on /dev/pf which fails
>>> badly on the new PF versions. getsockname() is what is really
>>> required and already performed by TcpAcceptor on all incoming
>>> connections, so there is no need for a special PF lookup code now.
>>>
>>> This patch adds a new ./configure option --with-nat-devpf to enable
>>> the old /dev/pf NAT lookup code in a backward-compatible way for
>>> older OS versions and OpenBSD based distros which have not yet
>>> ported the new PF code. The option is disabled by default since the
>>> systems requiring it are fairly old now.
>>>
>>>
>>> This also removes the getsockname() lookup in the IPFW lookup
>>> implementation which is redundant behind TcpAcceptor.
>>>
>>>
>>> NP: we still do not support the new PF "rdr-to" which is doing more
>>> NAT-like operations than TPROXY-like ones. However nobody has been
>>> able to supply any information on how we would lookup those details.
>>> So until that appears we support both http(s)_port intercept and
>>> tproxy options using only the PF divert-to syntax.
>>>
>>> Amos
>>
>
> I've updated
> http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
>
> Amos
Thanks.
I was wondering if the tproxy in BSD is using auto/random src port on
the same IP? The same as in Linux?

Eliezer
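The getsockname() lookup Amos describes above, written out as an added example (this is not Squid's TcpAcceptor code and not part of the patch). It assumes an IPv4 listener and includes a loopback self-test with no PF rule in the path, which is exactly the non-diverted case an interceptor has to recognise before trusting the address it gets back:

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* On a PF divert-to (or Linux TPROXY) listener the kernel leaves the client's
 * real destination on the accepted socket, so getsockname() is the whole
 * lookup; no /dev/pf query is needed. IPv4 only. Returns 0 on success. */
int original_destination(int fd, struct sockaddr_in *dst) {
    socklen_t len = sizeof *dst;
    memset(dst, 0, sizeof *dst);
    return getsockname(fd, (struct sockaddr *)dst, &len);
}

/* Caveat: with nothing diverting the connection getsockname() just returns the
 * proxy's own listener, so check for that before trusting the address.
 * Returns 1 when the packet filter really redirected the connection. */
int was_diverted(const struct sockaddr_in *dst, const struct sockaddr_in *listener) {
    return dst->sin_addr.s_addr != listener->sin_addr.s_addr ||
           dst->sin_port != listener->sin_port;
}

/* Self-test on 127.0.0.1 with no packet filter in the path (a constructed
 * scenario): accept one loopback connection and return was_diverted(),
 * which must be 0 here; -1 if any socket call fails. */
int loopback_selftest(void) {
    struct sockaddr_in lst, dst;
    socklen_t len = sizeof lst;
    int rc = -1, acc = -1;
    int srv = socket(AF_INET, SOCK_STREAM, 0), cli = socket(AF_INET, SOCK_STREAM, 0);
    memset(&lst, 0, sizeof lst);
    lst.sin_family = AF_INET; lst.sin_port = 0;          /* kernel picks a free port */
    lst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (srv >= 0 && cli >= 0 &&
        bind(srv, (struct sockaddr *)&lst, sizeof lst) == 0 && listen(srv, 1) == 0 &&
        getsockname(srv, (struct sockaddr *)&lst, &len) == 0 &&  /* learn that port */
        connect(cli, (struct sockaddr *)&lst, sizeof lst) == 0 &&
        (acc = accept(srv, NULL, NULL)) >= 0 && original_destination(acc, &dst) == 0)
        rc = was_diverted(&dst, &lst);
    if (acc >= 0) close(acc);
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    return rc;
}
int main(void) {
    printf("loopback self-test: was_diverted = %d (expected 0)\n", loopback_selftest());
    return 0;
}
```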
Received on Tue Apr 02 2013 - 17:37:32 MDT