>> Should "intercept" work with IPv6 on NetBSD 7-STABLE and IPFilter 5.1?

Okay, we have "fixed" Squid interception, and IPFilter in the kernel, and now it's working well. But did we do it in the right way?

While reading ip_nat.c in IPFilter, I found that SIOCGNATL - and its function called ipf_nat_lookupredir() - is a frontend to two functions: ipf_nat_inlookup() and ipf_nat_outlookup().

We are now calling SIOCGNATL to use ipf_nat_outlookup(). But shouldn't we call it to use ipf_nat_inlookup() instead?

In Squid, we are working with 3 different addresses:

- source IP:port of the connection (browser client)
- real destination IP:port (the target web server)
- interception destination IP:port (Squid itself)

In IPFilter, the terminology is different: "real" refers to the original source, not the original destination.

In my understanding, on redirect (RDR) rules, where we know the original source address and the rewritten destination address, we should use ipf_nat_inlookup() to get the original destination address. ipf_nat_outlookup() should be used in source-NAT (MAP) scenarios, which we don't need for Squid.

If that's true, IPFilter was correct - we have to revert our IPFilter patches - and modify Intercept.cc instead.

See IPFilter source code comments below:

========
Function:    ipf_nat_inlookup
Returns:     nat_t* - NULL == no match, else pointer to matching NAT entry
Parameters:  fin(I)    - pointer to packet information
             flags(I)  - NAT flags for this packet
             p(I)      - protocol for this packet
             src(I)    - source IP address
             mapdst(I) - destination IP address

Lookup a nat entry based on the mapped destination ip address/port and real source address/port. We use this lookup when receiving a packet, we're looking for a table entry, based on the destination address.

========
Function:    ipf_nat_outlookup
Returns:     nat_t* - NULL == no match, else pointer to matching NAT entry
Parameters:  fin(I)   - pointer to packet information
             flags(I) - NAT flags for this packet
             p(I)     - protocol for this packet
             src(I)   - source IP address
             dst(I)   - destination IP address
             rw(I)    - 1 == write lock on held, 0 == read lock.

Lookup a nat entry based on the source 'real' ip address/port and destination address/port. We use this lookup when sending a packet out, we're looking for a table entry, based on the source address.
========

See full ip_nat.c source code here: http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/external/bsd/ipf/netinet/ip_nat.c?rev=1.16&content-type=text/x-cvsweb-markup

Thank you,

--
Gergely EGERVARY

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users