Re: [squid-dev] FW: [squid-users] IPv6 support for PF interception

2016-12-06 Thread Amos Jeffries
On 6/12/2016 10:43 a.m., Eliezer Croitoru wrote:
> Proposal for PF ipv6 compatibility from squid-users.
> 

FYI this was already audited and merged as squid-5-14964 a few days ago.

Amos

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev


[squid-dev] FW: [squid-users] IPv6 support for PF interception

2016-12-05 Thread Eliezer Croitoru
Proposal for PF ipv6 compatibility from squid-users.


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Egerváry Gergely
Sent: Monday, December 5, 2016 8:34 PM
To: squid-us...@lists.squid-cache.org
Subject: [squid-users] IPv6 support for PF interception

Hi,

So, do you want IPv4/IPv6 dual-stacked transparent interception on your NetBSD 
box? Unfortunately, you are out of luck.

On NetBSD, we have three choices for packet filtering:

- Darren Reed's "IPFilter". It has had known bugs for years and looks abandoned.

- OpenBSD's "PF". Its NetBSD port is very outdated, and porting a newer version 
of PF has been abandoned by the NetBSD developers. Squid has support for PF 
interception for IPv4 only. (Newer OpenBSD PF supports IPv6 with TPROXY, but 
TPROXY is not supported by the NetBSD version of PF.)

- NetBSD's "NPF". It's quite new and is missing features such as TPROXY / divert 
socket support, and Squid has no interception code for it.

We have started working on NPF intercept support, but there is no working code yet. 
Until then, I have prepared a very simple patch for Squid enabling IPv6 for 
PF interception. It works for me on my NetBSD 7-STABLE box.

Please review and test it, especially on OpenBSD and newer PF versions.
If it's appropriate, please commit it.

Thank you.

--- Intercept.cc.orig   2016-10-09 21:58:01.0 +0200
+++ Intercept.cc2016-12-02 22:57:24.0 +0100
@@ -336,13 +336,20 @@
  }

  memset(&nl, 0, sizeof(struct pfioc_natlook));
-newConn->remote.getInAddr(nl.saddr.v4);
-nl.sport = htons(newConn->remote.port());

-newConn->local.getInAddr(nl.daddr.v4);
+if (newConn->remote.isIPv6()) {
+newConn->remote.getInAddr(nl.saddr.v6);
+newConn->local.getInAddr(nl.daddr.v6);
+nl.af = AF_INET6;
+} else {
+newConn->remote.getInAddr(nl.saddr.v4);
+newConn->local.getInAddr(nl.daddr.v4);
+nl.af = AF_INET;
+}
+
+nl.sport = htons(newConn->remote.port());
  nl.dport = htons(newConn->local.port());

-nl.af = AF_INET;
  nl.proto = IPPROTO_TCP;
  nl.direction = PF_OUT;
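Review bot: the new branch keys the address family on newConn->remote.isIPv6() alone and then fills nl.daddr.v6 from newConn->local without checking that local is of the same family; for an accepted TCP connection both endpoints do share a family, so this holds, but a one-line comment stating that assumption (or a check that newConn->local.isIPv6() agrees) would make it explicit for the next reader. Worth noting in the commit message as well: `nl.af = AF_INET;` has moved into the else branch, so the IPv4 path keeps exactly its previous behaviour and only IPv6 connections take the new code.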

@@ -358,7 +365,11 @@
  debugs(89, 9, HERE << "address: " << newConn);
  return false;
  } else {
-newConn->local = nl.rdaddr.v4;
+if (newConn->remote.isIPv6()) {
+newConn->local = nl.rdaddr.v6;
+} else {
+newConn->local = nl.rdaddr.v4;
+}
  newConn->local.port(ntohs(nl.rdport));
  debugs(89, 5, HERE << "address NAT: " << newConn);
  return true;
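Review bot: choosing between nl.rdaddr.v6 and nl.rdaddr.v4 by re-testing newConn->remote.isIPv6() repeats the decision already made when nl.af was set before the DIOCNATLOOK call; switching on `nl.af == AF_INET6` here would read the member that matches the family PF was actually asked about and keeps the two sites from drifting apart if the lookup code changes later.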


--
Gergely EGERVARY
___
squid-users mailing list
squid-us...@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
