Hi,

On Fri, Apr 26, 2013 at 12:55:23AM +0200, PiBa-NL wrote:
> Hi All / Developers,
>
> Seems i have transparent proxying working now on FreeBSD 8.3 with
> HAProxy1.5dev18 + small modification.
> Needed to add a firewall forwarding rule to forward the traffic to the
> localhost for socket processing.
>
> Could a developer please make the following change?
>
> /*/* Add the following on line 33 of /include/common/compact.h */*//*
> *//*#ifdef *//*IP_BINDANY*//*
> *//* /* FreeBSD define variables */*//*
> *//* #define SOL_IP IPPROTO_IP*//*
> *//* #define SOL_IPV6 IPPROTO_IPV6*//*
> *//* #define IP_TRANSPARENT IP_BINDANY*//*
> *//*#endif*/

It's quite hard to exactly understand what needs to be changed with such
a syntax, could you please send a standard patch? For this, just do a
"diff -urN" between the original source directory and the modified one.

Also I'm wondering whether we should define USE_FREEBSD_TPROXY instead of
USE_LINUX_TPROXY for this. Maybe we should rename CONFIG_HAP_LINUX_TPROXY
to CONFIG_HAP_FULL_TPROXY and adapt it depending on the OS.

> After this haproxy can be successfully compiled on FreeBSD8.3 with the
> USE_LINUX_TPROXY=yes build option and transparent proxying works when
> the fwd firewall rule is made active.
>
> On my pfSense2.1 system the following worked to load ipfw and add the
> fwd rule in ipfw.. :
> /sbin/kldload ipfw
> /sbin/sysctl net.inet.ip.pfil.inbound="pf"
> net.inet6.ip6.pfil.inbound="pf" net.inet.ip.pfil.outbound="pf"
> net.inet6.ip6.pfil.outbound="pf"
> /sbin/sysctl net.link.ether.ipfw=1
> ipfw_context -a haproxy
> ipfw_context -s haproxy
> ipfw_context -a haproxy -n em0
> *ipfw -x haproxy add 20 fwd localhost tcp from IP-BACKEND-SERVER 80 to
> any in recv em0*
>
> (This firewall rule should actually also check if the correct 'uid' of
> the haproxy process is set to also allow directly contacting the
> backendserver, but i could not get that part to work though that is not
> a HAProxy issue so should get fixed elsewhere.) And ideally it should be
> possible with 'pf' instead of 'ipfw', but that is still something i'm
> trying to investigate..

Maybe such information should go into a dedicated file in the doc/
directory.

> If this is not the correct way to fix/change this for FreeBSD could
> someone please advise on what is.?
> Thanks in advance.
>
> PiBa-NL

Thanks,
Willy
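The per-OS adaptation discussed in this message, as an added example that is not HAProxy code and not from either poster: instead of aliasing the Linux names, a helper picks the foreign-bind socket option the platform actually provides (IP_TRANSPARENT / IPV6_TRANSPARENT on Linux, IP_BINDANY / IPV6_BINDANY on FreeBSD). The function names `foreign_bind_sockopt` and `enable_foreign_bind` are hypothetical.

```c
/* Added example, not HAProxy source; both helper names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* Select the "bind to a non-local address" option for this OS:
 * IP_TRANSPARENT/IPV6_TRANSPARENT on Linux, IP_BINDANY/IPV6_BINDANY on
 * FreeBSD. Returns 0 and fills level/name, or -1 with errno set. */
int foreign_bind_sockopt(int family, int *level, int *name)
{
    if (family == AF_INET) {
#if defined(IP_TRANSPARENT)
        *level = IPPROTO_IP; *name = IP_TRANSPARENT; return 0;
#elif defined(IP_BINDANY)
        *level = IPPROTO_IP; *name = IP_BINDANY; return 0;
#endif
    } else if (family == AF_INET6) {
#if defined(IPV6_TRANSPARENT)
        *level = IPPROTO_IPV6; *name = IPV6_TRANSPARENT; return 0;
#elif defined(IPV6_BINDANY)
        *level = IPPROTO_IPV6; *name = IPV6_BINDANY; return 0;
#endif
    } else {
        errno = EAFNOSUPPORT;   /* not an IP socket */
        return -1;
    }
    errno = ENOPROTOOPT;        /* this OS has no such option */
    return -1;
}

/* Enable foreign binding on fd. setsockopt() fails with EPERM when the
 * process lacks the privilege (CAP_NET_ADMIN on Linux). */
int enable_foreign_bind(int fd, int family)
{
    int level, name, one = 1;
    if (foreign_bind_sockopt(family, &level, &name) < 0)
        return -1;
    return setsockopt(fd, level, name, &one, sizeof(one));
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int rc = enable_foreign_bind(fd, AF_INET);
    printf("foreign bind: %s\n", rc == 0 ? "enabled" : strerror(errno));
    return 0;
}
```

Because the option lets a process bind addresses it does not own, the privilege check on `setsockopt()` is the control to keep: run the proxy with only that capability rather than as full root where the OS allows it.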

