Hi Willy,

Sorry for the weird syntax.. I made the text 'bold', but that seams to have come out differently...

Anyway i hope the 'patch' below is something you can work with.?
As for renaming the CONFIG_HAP_LINUX_TPROXY to something different would require everyone that on a regular basis builds HAProxy with this feature to change their build flags.. So i don't think it should be renamed/removed. Also while adding another flag for clarity purposes, i don't think it really adds that much ease of use, and would require new make scripts and several other changes though-out where transparent proxying is implemented.

Ive changed the defines a little more to i think be 'best compatible' with i think any circumstances..

Is this something that you could 'apply'?:

--- workoriginal/haproxy-1.5-dev18/include/common/compat.h 2013-04-26 19:36:15.000000000 +0000 +++ work/haproxy-1.5-dev18/include/common/compat.h 2013-04-26 20:32:15.000000000 +0000
@@ -81,7 +81,16 @@
 #endif

/* On Linux, IP_TRANSPARENT and/or IP_FREEBIND generally require a kernel patch */
+/* On FreeBSD, IP_BINDANY is supported from FreeBSD 8 and up */
 #if defined(CONFIG_HAP_LINUX_TPROXY)
+  #if defined(BSD) && defined(IP_BINDANY) && defined(IPV6_BINDANY)
+    /* FreeBSD defines */
+    #define SOL_IP           IPPROTO_IP
+    #define SOL_IPV6         IPPROTO_IPV6
+    #define IP_TRANSPARENT   IP_BINDANY
+    #define IPV6_TRANSPARENT IPV6_BINDANY
+  #endif
+
 #if !defined(IP_FREEBIND)
 #define IP_FREEBIND 15
 #endif /* !IP_FREEBIND */



Op 26-4-2013 8:33, Willy Tarreau schreef:
Hi,

On Fri, Apr 26, 2013 at 12:55:23AM +0200, PiBa-NL wrote:
Hi All / Developers,

Seams i have tranparent proxying working now on FreeBSD 8.3 with
HAProxy1.5dev18 + small modification.
Needed to add a firewall forwarding rule to forward the traffic to the
localhost for socket processing.

Could a developer please make the following change?

/*/* Add the following on line 33 of /include/common/compact.h */*//*
*//*#ifdef *//*IP_BINDANY*//*
*//*  /* FreeBSD define variables */*//*
*//*  #define SOL_IP         IPPROTO_IP*//*
*//*  #define SOL_IPV6       IPPROTO_IPV6*//*
*//*  #define IP_TRANSPARENT IP_BINDANY*//*
*//*#endif*/
It's quite hard to exactly understand what needs to be changed with such
a syntax, could you please send a standard patch ? For this, just do a
"diff -urN" between the original source directory and the modified one.

Also I'm wondering whether we should define USE_FREEBSD_TPROXY instead of
USE_LINUX_TPROXY for this. Maybe we should rename CONFIG_HAP_LINUX_TPROXY
to CONFIG_HAP_FULL_TPROXY and adapt it depending on the OS.

After this haproxy can be successfully compiled on FreeBSD8.3 with the
USE_LINUX_TPROXY=yes build option and transparent proxying works when
the fwd firewall rule is made active.

On my pfSense2.1 system the following worked to load ipfw and add the
fwd rule in ipfw.. :
/sbin/kldload ipfw
/sbin/sysctl net.inet.ip.pfil.inbound="pf"
net.inet6.ip6.pfil.inbound="pf" net.inet.ip.pfil.outbound="pf"
net.inet6.ip6.pfil.outbound="pf"
/sbin/sysctl net.link.ether.ipfw=1
ipfw_context -a haproxy
ipfw_context -s haproxy
ipfw_context -a haproxy -n em0
*ipfw -x haproxy add 20 fwd localhost tcp from IP-BACKEND-SERVER 80 to
any in recv em0*

(This firewall rule should actually also check if the correct 'uid' of
the haproxy process is set to also allow directly contacting the
backendserver, but i could not get that part to work though that is not
a HAProxy issue so should get fixed elsewhere.) And ideally it should be
possible with 'pf' instead of 'ipfw', but that is still something i'm
trying to investigate..
Maybe such information should go into a dedicated file in the doc/ directory.

If this is not the correct way to fix/change this for FreeBSD could
someone please advice on what is.?
Thanks in advance.

PiBa-NL
Thanks,
Willy



Reply via email to