Re: [PATCH] NAT lookups upgrade for FreeBSD and OpenBSD

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 03 Apr 2013 18:59:47 +1300

On 3/04/2013 6:37 a.m., Eliezer Croitoru wrote:
> On 04/02/2013 12:19 PM, Amos Jeffries wrote:
>> On 2/04/2013 5:13 p.m., Eliezer Croitoru wrote:
>>> ANY config example??
>>>
>>> Eliezer
>>> On 04/01/2013 03:35 PM, Amos Jeffries wrote:
>>>> Current OpenBSD implementation of PF divert-to works similarly to
>>>> TPROXY and only requires a getsockname() lookup to locate the TCP
>>>> packet original destination.
>>>>
>>>> The work by Marios with some additional tweaks discovered in recent
>>>> testing has now gone into 3.HEAD providing Squid with working
>>>> http_port tproxy option.
>>>>
>>>> We can use the same PF configuration to perform "intercept" option
>>>> but the old PF transparent code does lookups on /dev/pf which fails
>>>> badly on the new PF versions. getsockname() is what is really
>>>> required and already performed by TcpAcceptor on all incoming
>>>> connections, so there is no need for a special PF lookup code now.
>>>>
>>>> This patch adds a new ./configure option --with-nat-devpf to enable
>>>> the old /dev/pf NAT lookup code in a backward-compatible way for
>>>> older OS versions and OpenBSD based distros which have not yet
>>>> ported the new PF code. The option is disabled by default since the
>>>> systems requiring it are fairly old now.
>>>>
>>>>
>>>> This also removes the getsockname() lookup in the IPFW lookup
>>>> implementation which is redundant behind TcpAcceptor.
>>>>
>>>>
>>>> NP: we still do not support the new PF "rdr-to" which is doing more
>>>> NAT-like operations than TPROXY-like ones. However nobody has been
>>>> able to supply any information on how we would lookup those
>>>> details. So until that appears we support both http(s)_port
>>>> intercept and tproxy options using only the PF divert-to syntax.
>>>>
>>>> Amos
>>>
>>
>> I've updated
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
>>
>> Amos
> Thanks.
> I was wondering if the tproxy in BSD is using auto/random src port on
> the same IP? The same as in Linux?

Yes, Squid sets the port on outgoing packets to 0 for random
re-assignment. The only difference between OSes is the kernel code. So the
socket options differ a little, but they all use the POSIX socket API
identically on all systems so far (Linux, OpenBSD 4.7+, FreeBSD 8+, NetBSD).

Amos
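Added illustration (not Squid's code and not part of the thread) of the two socket mechanics discussed above: recovering an intercepted connection's original destination with getsockname() on the accepted socket, as PF divert-to and TPROXY hand it over, and binding the outgoing socket with port 0 so the kernel picks the source port. It assumes IPv4; the loopback self-check runs with no divert rule, so the recovered address is simply the listener's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Accept side: under PF divert-to (or TPROXY) the original destination is
 * the accepted socket's LOCAL address, so getsockname() is the whole lookup. */
int original_destination(int accepted_fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    return getsockname(accepted_fd, (struct sockaddr *)dst, &len);
}

/* Outgoing side: bind with sin_port = 0 so the kernel assigns a random
 * source port on the given IP. Returns that port (host order), 0 on error. */
int bind_random_port(int fd, in_addr_t src_ip)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = 0 };
    socklen_t len = sizeof(sa);
    sa.sin_addr.s_addr = src_ip;
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) != 0) return 0;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0) return 0;
    return ntohs(sa.sin_port);
}

/* Constructed loopback self-check (no PF rule, so the "original destination"
 * is just the listener's address): returns that port if it matched, else 0. */
int loopback_roundtrip(void)
{
    struct sockaddr_in lsn = { .sin_family = AF_INET }, dst;
    int l = socket(AF_INET, SOCK_STREAM, 0), c = -1, a, got = 0;
    if (l < 0) return 0;
    lsn.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    lsn.sin_port = htons(bind_random_port(l, lsn.sin_addr.s_addr));
    if (lsn.sin_port != 0 && listen(l, 1) == 0 &&
        (c = socket(AF_INET, SOCK_STREAM, 0)) >= 0 &&
        connect(c, (struct sockaddr *)&lsn, sizeof(lsn)) == 0 &&
        (a = accept(l, NULL, NULL)) >= 0) {
        if (original_destination(a, &dst) == 0 &&
            dst.sin_addr.s_addr == lsn.sin_addr.s_addr &&
            dst.sin_port == lsn.sin_port)
            got = ntohs(dst.sin_port);
        close(a);
    }
    if (c >= 0) close(c);
    close(l);
    return got;
}
```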
Received on Thu Apr 04 2013 - 00:47:52 MDT