Hi, So, do you want IPv4/IPv6 dual-stacked transparent interception on your NetBSD box? Unfortunately, you are out of luck. On NetBSD, we have three choices for packet filtering: - Darren Reed's "IPFilter". It has known bugs for years, and looks abandoned. - OpenBSD's "PF". It's NetBSD port is very outdated, and porting newer version of PF is abandoned by NetBSD developers. Squid has support for PF interception for IPv4 only. (Newer OpenBSD PF supports IPv6 with TPROXY, but TPROXY is not supported by NetBSD version of PF) - NetBSD's "NPF". It's quite new, and missing features like TPROXY / divert sockets support, and Squid does not have interception code for it. We start working on NPF intercept support, but there's no working code yet. Until then, I have prepared a very simple patch for Squid - enabling IPv6 for PF interception. It works for me on my NetBSD 7-STABLE box. Please review and test it, especially on OpenBSD and newer PF versions. If it's approiate, please commit it. Thank you. --- Intercept.cc.orig 2016-10-09 21:58:01.000000000 +0200 +++ Intercept.cc 2016-12-02 22:57:24.000000000 +0100 @@ -336,13 +336,20 @@ } memset(&nl, 0, sizeof(struct pfioc_natlook)); - newConn->remote.getInAddr(nl.saddr.v4); - nl.sport = htons(newConn->remote.port()); - newConn->local.getInAddr(nl.daddr.v4); + if (newConn->remote.isIPv6()) { + newConn->remote.getInAddr(nl.saddr.v6); + newConn->local.getInAddr(nl.daddr.v6); + nl.af = AF_INET6; + } else { + newConn->remote.getInAddr(nl.saddr.v4); + newConn->local.getInAddr(nl.daddr.v4); + nl.af = AF_INET; + } + + nl.sport = htons(newConn->remote.port()); nl.dport = htons(newConn->local.port()); - nl.af = AF_INET; nl.proto = IPPROTO_TCP; nl.direction = PF_OUT; @@ -358,7 +365,11 @@ debugs(89, 9, HERE << "address: " << newConn); return false; } else { - newConn->local = nl.rdaddr.v4; + if (newConn->remote.isIPv6()) { + newConn->local = nl.rdaddr.v6; + } else { + newConn->local = nl.rdaddr.v4; + } newConn->local.port(ntohs(nl.rdport)); debugs(89, 5, HERE << "address NAT: " << newConn); return true; -- Gergely EGERVARY _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users