
IPv6 support for PF interception

Hi,

So, do you want IPv4/IPv6 dual-stacked transparent interception on your
NetBSD box? Unfortunately, you are out of luck.

On NetBSD, we have three choices for packet filtering:

- Darren Reed's "IPFilter". It has known bugs for years, and looks
abandoned.

- OpenBSD's "PF". Its NetBSD port is very outdated, and porting a newer
version of PF has been abandoned by NetBSD developers. Squid has support for
PF interception for IPv4 only. (Newer OpenBSD PF supports IPv6 with
TPROXY, but TPROXY is not supported by the NetBSD version of PF.)

- NetBSD's "NPF". It's quite new, and is missing features like TPROXY /
divert socket support, and Squid does not have interception code for
it.

We have started working on NPF intercept support, but there's no working code
yet. Until then, I have prepared a very simple patch for Squid,
enabling IPv6 for PF interception. It works for me on my NetBSD 7-STABLE
box.

Please review and test it, especially on OpenBSD and newer PF versions.
If it's appropriate, please commit it.

Thank you.

--- Intercept.cc.orig   2016-10-09 21:58:01.000000000 +0200
+++ Intercept.cc        2016-12-02 22:57:24.000000000 +0100
@@ -336,13 +336,20 @@
     }

     memset(&nl, 0, sizeof(struct pfioc_natlook));
-    newConn->remote.getInAddr(nl.saddr.v4);
-    nl.sport = htons(newConn->remote.port());

-    newConn->local.getInAddr(nl.daddr.v4);
+    if (newConn->remote.isIPv6()) {
+        newConn->remote.getInAddr(nl.saddr.v6);
+        newConn->local.getInAddr(nl.daddr.v6);
+        nl.af = AF_INET6;
+    } else {
+        newConn->remote.getInAddr(nl.saddr.v4);
+        newConn->local.getInAddr(nl.daddr.v4);
+        nl.af = AF_INET;
+    }
+
+    nl.sport = htons(newConn->remote.port());
     nl.dport = htons(newConn->local.port());

-    nl.af = AF_INET;
     nl.proto = IPPROTO_TCP;
     nl.direction = PF_OUT;

@@ -358,7 +365,11 @@
         debugs(89, 9, HERE << "address: " << newConn);
         return false;
     } else {
-        newConn->local = nl.rdaddr.v4;
+        if (newConn->remote.isIPv6()) {
+            newConn->local = nl.rdaddr.v6;
+        } else {
+            newConn->local = nl.rdaddr.v4;
+        }
         newConn->local.port(ntohs(nl.rdport));
         debugs(89, 5, HERE << "address NAT: " << newConn);
         return true;
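Review bot: The result branch re-evaluates `newConn->remote.isIPv6()` to decide which member of `nl.rdaddr` to read, even though `nl.af` was already set in the lookup above and is the field that actually describes the `pfioc_natlook` the kernel answered. Suggest `if (nl.af == AF_INET6) { newConn->local = nl.rdaddr.v6; } else { newConn->local = nl.rdaddr.v4; }` so the read side cannot drift from the family that was submitted, and so a future change to the family selection only has to be made in one place. The `ntohs(nl.rdport)` assignment is unchanged and correct for both families.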


--
Gergely EGERVARY
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users