<sect1>Known issues
<p>
Although this release is deemed good enough for use in many setups, please note the existence of
-<url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&version=3.4" name="open bugs against Squid-3.4">.
+<url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=3.4" name="open bugs against Squid-3.4">.
<sect1>Changes since earlier releases of Squid-3.4
<itemize>
<item>Helper protocol extensions
<item>SSL Server Certificate Validator
+ <item>TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+
</itemize>
Most user-facing changes are reflected in squid.conf (see below).
<em>ssl_crtd</em> related options.
+<sect1>TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+
+<p>Details at <url url="http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf">.
+
+<p>The Packet Filter (PF) firewall in OpenBSD 4.4 and later offers traffic interception
+ using several very simple methods. One of which is the <em>divert-to</em> rule type
+ which acts as a simple routing diversion instead of performing NAT packet alterations.
+
+<p>The IP Firewall (IPFW) on FreeBSD 9+ contains a port of the Linux Netfilter TPROXY feature.
+
+<p>This version of Squid adds support for these features through the ./configure
+ options --enable-pf-transparent and --enable-ipfw-transparent when Squid is built on
+ systems with the required support. No special extras are required to enable
+ <em>http_port ... tproxy</em> configuration to work.
+
+<p>NOTE: To resolve NAT lookup issues on recent PF firewall versions the code behind
+ <em>./configure --enable-pf-transparent</em> has been altered and is expected to
+ break on the version of PF firewall shipped with BSD systems such as NetBSD and FreeBSD
+ which do not yet support the getsockname() API.
+ These systems require <em>--with-nat-devpf</em> to enable /dev/pf support when using PF firewall.
+
+
<sect>Changes to squid.conf since Squid-3.3
<p>
There have been changes to Squid's configuration file since Squid-3.3.
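Review bot: the wording "do not yet support the getsockname() API" in the NOTE paragraph is misleading, since getsockname() itself is available on every BSD; what those PF versions lack is a divert-to rule type that makes getsockname() return the original destination of an intercepted connection. Suggest "which do not yet provide divert-to, so getsockname() cannot recover the original destination" and naming the affected mode explicitly ("http_port ... intercept with rdr-to rules") so readers know which setups "expected to break" refers to. The same NOTE references --with-nat-devpf, so make sure that spelling matches the option actually documented in the ./configure sections of this file. Two smaller points: the IPFW paragraph describes the FreeBSD feature as "a port of the Linux Netfilter TPROXY feature" while the http_port entry later in this patch calls it "BINDANY support"; pick one description and use it in both places. And the added section ends with two blank lines where the rest of the file uses one.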
<p>Use ACLs to annotate a transaction with customized annotations
which can be logged in access.log
+ <tag>spoof_client_ip</tag>
+ <p>Access control to determine whether to disable the TPROXY spoofing on upstream traffic.
+
<tag>sslcrtvalidator_children</tag>
<p>Specifies the settings for how many SSL server certificate
validator helpers are run and when they are started.
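Review bot: the spoof_client_ip entry does not state the default behaviour. Since the directive is described as a way to "disable" spoofing, say explicitly that TPROXY spoofing remains enabled unless this ACL denies it, and mention that it only affects connections arriving on an http_port ... tproxy port, so administrators know whether they need to add it.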
<p>New result code <em>BH</em> to signal helper internal errors
<p>Details at <url url="http://wiki.squid-cache.org/Features/AddonHelpers">.
+ <tag>http_port</tag>
+ <p>Support <em>tproxy</em> mode traffic on BSD systems with BINDANY support
+ (OpenBSD 5+, FreeBSD 9+ so far).
+ <p>Changed build options behind <em>intercept</em> traffic mode handling on BSD.
+ see <em>--enable-pf-transparent</em> for more details.
+
<tag>logformat</tag>
<p>New format code <em>%note</em> to log a transaction annotation linked to the
transaction by ICAP, eCAP, a helper, or the <em>note</em> squid.conf directive.
+ <tag>pipeline_prefetch</tag>
+ <p>Updated to take a numeric count of prefetched pipeline requests instead of ON/OFF.
+
<tag>unlinkd_program</tag>
<p>New helper response format utilizing result codes <em>OK</em> and <em>BH</em>,
to signal helper lookup results. Also, key-value response values to return
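Review bot: the http_port entry says "OpenBSD 5+" while the new section title and the itemize entry above both say "OpenBSD 5.1+"; use the same minimum version everywhere. In the same entry, "see --enable-pf-transparent" starts a sentence and should be capitalised, and it would help to point at the "Changes to existing options" section by name since the reader is in the squid.conf section at that point. For pipeline_prefetch, the entry should say how the old ON/OFF values are treated now that the directive takes a count (whether they are still accepted and, if so, what count each maps to), otherwise existing squid.conf files are left with an unexplained migration step.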
<sect1>New options<label id="newoptions">
<p>
<descrip>
- <p><em>There are no new ./configure options in Squid-3.4.</em>
+ <tag>--with-nat-pf</tag>
+ <p>New option to alter the behaviour of <em>http_port ... intercept</em> option
+ in squid.conf.
+ <p>When this option is used Squid performs the /dev/pf lookups required to
+ support PF <em>rdr-to</em> rules. Otherwise Squid will perform perform the
+ getsockname() API calls to support PF <em>divert-to</em> rules.
+ <p>NOTE: systems such as NetBSD and FreeBSD which do not yet support
+ the getsockname() API in recent PF versions require this option.
</descrip>
<sect1>Changes to existing options<label id="modifiedoptions">
<p>
<descrip>
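Review bot: the new option is introduced here as --with-nat-pf, but the TPROXY section and the --enable-pf-transparent entry in this same patch refer to it as --with-nat-devpf; one of these is wrong and the tag should be checked against the configure script before release. Two wording fixes in the same hunk: "perform perform" is a duplicated word, and "do not yet support the getsockname() API" should say that these PF versions lack divert-to, since getsockname() itself exists on all of them.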
- <p><em>There are no changed ./configure options in Squid-3.4.</em>
+ <tag>--enable-pf-transparent</tag>
+ <p>NAT table support updated to use the getsockname() API provided by the
+ latest PF versions <em>divert-to</em>. This allows <em>http_port</em>
+ in squid.conf to support both <em>intercept</em> and <em>tproxy</em> traffic
+ and to silence NAT lookup failure messages on recent BSD.
+ <p>NOTE: systems such as NetBSD and FreeBSD which do not yet support
+ the getsockname() API in recent PF versions require <em>--with-nat-devpf</em>
+ to re-enable /dev/pf support when using PF firewall.
</descrip>
</p>
<tag>error_map</tag>
<p>Not yet ported from 2.6
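Review bot: "the getsockname() API provided by the latest PF versions divert-to" is not a grammatical sentence; suggest "the getsockname() lookup supported by the divert-to rule type of recent PF versions". The NOTE again refers to --with-nat-devpf, which needs to agree with the tag used in the "New options" section. It would also help to state plainly that, after this change, a build with --enable-pf-transparent alone no longer works with rdr-to rules on PF versions without divert-to, since that is the behavioural change an upgrading administrator must act on.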
- <tag>external_acl_type</tag>
- <p><em>%ACL</em> format tag not yet ported from 2.6
- <p><em>%DATA</em> format tag not yet ported from 2.6
-
<tag>external_refresh_check</tag>
<p>Not yet ported from 2.7
- <tag>http_port</tag>
- <p><em>act-as-origin</em> not yet ported from 2.7
-
<tag>ignore_ims_on_miss</tag>
<p>Not yet ported from 2.7
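Review bot: removing the external_acl_type (%ACL, %DATA) and http_port (act-as-origin) entries from the not-yet-ported list implies these features are now available in 3.4, but nothing in this patch adds them to the squid.conf changes section; the http_port entry added earlier mentions only tproxy and intercept. Either add corresponding entries describing the ported features, or leave these lines in place if the features are still missing.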