Hello, Squid needs to open /dev/pf to query the packet filter. Currently the default permissions for /dev/pf on OpenBSD allow access only to root, while squid runs as user _squid, group _squid. So one way to give squid access is to change the GID of the file to _squid and make it group-accessible:
# chgrp _squid /dev/pf # chmod g+rw /dev/pf Daniel Hartmeier has already committed a code which allows squid to work group-read-only: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_ioctl.c.diff?r1=1.163&r2=1.164 And Brad Smith has already committed a change to openbsd squid port: http://www.openbsd.org/cgi-bin/cvsweb/ports/www/squid/patches/patch-src_client_side_c.diff?r1=1.3&r2=1.4 Now it is possible to do: # chgrp _squid /dev/pf # chmod g+r /dev/pf Can you please apply this patch?
--- client_side.c.orig Fri Jan 6 01:09:02 2006
+++ client_side.c Fri Jan 6 01:09:34 2006
@@ -2824,7 +2824,7 @@
 #elif PF_TRANSPARENT
 static time_t last_reported = 0;
 if (pffd < 0)
- pffd = open("/dev/pf", O_RDWR);
+ pffd = open("/dev/pf", O_RDONLY);
 if (pffd < 0) {
 if (squid_curtime - last_reported > 60) {
 debug(50, 1) ("parseHttpRequest: PF open failed: %s\n", xstrerror());
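Review bot: The switch to `O_RDONLY` on the `open("/dev/pf", ...)` line only works where pf accepts the lookup ioctl on a read-only descriptor (the pf_ioctl.c r1.163 to r1.164 change linked in the message), and nothing in the hunk documents or guards that dependency. On a kernel without that change the open would presumably still succeed and the later lookup fail instead, so the "PF open failed" message here would not point at the cause. I would add a comment above the open, such as `/* O_RDONLY is enough for the NAT lookup with pf_ioctl.c r1.164 or later; older pf needs O_RDWR */`. Since `pffd` is cached for the life of the process, it is also worth confirming that it is marked close-on-exec so helper processes do not inherit it; the enclosing function starts and ends outside the hunk, so that may already be handled.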
