NetBSD-Bugs archive
Re: kern/50198: Fwd: Re: [squid-users] intercept + IPv6 + IPFilter 5.1
The following reply was made to PR kern/50198; it has been noted by GNATS.
From: Stephen Borrill <sborrill%NetBSD.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc:
Subject: Re: kern/50198: Fwd: Re: [squid-users] intercept + IPv6 + IPFilter 5.1
Date: Thu, 6 Oct 2016 08:50:11 +0100
Patch may not be correct after all, re-opening PR and stalling pullup
request.
-------- Forwarded Message --------
Subject: Re: [squid-users] intercept + IPv6 + IPFilter 5.1
Date: Wed, 5 Oct 2016 20:49:54 +0200
From: Egerváry Gergely <gergely%egervary.hu@localhost>
To: squid-users%lists.squid-cache.org@localhost
>> Should "intercept" work with IPv6 on NetBSD 7-STABLE and IPFilter 5.1?
Okay, we have "fixed" Squid interception, and IPFilter in the kernel,
and now it's working well. But did we do it in the right way?
While reading ip_nat.c in IPFilter, I found that SIOCGNATL - and its
function called ipf_nat_lookupredir() - is a frontend to two functions:
ipf_nat_inlookup() and ipf_nat_outlookup().
We are now calling SIOCGNATL to use ipf_nat_outlookup(). But shouldn't
we call it to use ipf_nat_inlookup() instead?
In Squid, we are working with 3 different addresses:
- source IP:port of the connection (browser client)
- real destination IP:port (the target web server)
- interception destination IP:port (Squid itself)
In IPFilter, the terminology is different: "real" refers to the
original source, not the original destination.
In my understanding, on redirect (RDR) rules, where we know the
original source address and the rewritten destination address, we should
use ipf_nat_inlookup() to get the original destination address.
ipf_nat_outlookup() should be used in source-NAT (MAP) scenarios,
which we don't need for Squid.
If that's true, IPFilter was correct - we have to revert our IPFilter
patches - and modify Intercept.cc instead.
See IPFilter source code comments below:
========
Function: ipf_nat_inlookup
Returns: nat_t* - NULL == no match, else pointer to matching NAT entry
Parameters:
fin(I) - pointer to packet information
flags(I) - NAT flags for this packet
p(I) - protocol for this packet
src(I) - source IP address
mapdst(I) - destination IP address
Lookup a nat entry based on the mapped destination ip address/port
and real source address/port. We use this lookup when receiving a
packet, we're looking for a table entry, based on the destination
address.
========
Function: ipf_nat_outlookup
Returns: nat_t* - NULL == no match, else pointer to matching NAT entry
Parameters:
fin(I) - pointer to packet information
flags(I) - NAT flags for this packet
p(I) - protocol for this packet
src(I) - source IP address
dst(I) - destination IP address
rw(I) - 1 == write lock on held, 0 == read lock.
Lookup a nat entry based on the source 'real' ip address/port
and destination address/port. We use this lookup when sending a packet
out, we're looking for a table entry, based on the source address.
========
See full ip_nat.c source code here:
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/external/bsd/ipf/netinet/ip_nat.c?rev=1.16&content-type=text/x-cvsweb-markup
Thank you,
--
Gergely EGERVARY
--
Stephen