From: hno <> Date: Sat, 13 Apr 2002 21:30:10 +0000 (+0000) Subject: Bugzilla #314: Transparent proxy support for OpenBSD's PF X-Git-Tag: SQUID_3_0_PRE1~1091 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2b0dd4ac07f1992909b71b1ba57083a348e0b967;p=thirdparty%2Fsquid.git Bugzilla #314: Transparent proxy support for OpenBSD's PF patch by Brad Smith --- diff --git a/CONTRIBUTORS b/CONTRIBUTORS index 37241b84a2..30ec39e506 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -86,5 +86,6 @@ and ideas to make this software available. Miquel van Smoorenburg Brian Ian Castle + Brad Smitch Duane Wessels diff --git a/configure.in b/configure.in index c6ccb01854..4b1f06d7b4 100644 --- a/configure.in +++ b/configure.in @@ -3,7 +3,7 @@ dnl Configuration input file for Squid dnl dnl Duane Wessels, wessels@nlanr.net, February 1996 (autoconf v2.9) dnl -dnl $Id: configure.in,v 1.263 2002/04/13 14:16:04 hno Exp $ +dnl $Id: configure.in,v 1.264 2002/04/13 15:30:10 hno Exp $ dnl dnl dnl @@ -11,7 +11,7 @@ AC_INIT(src/main.c) AC_CONFIG_AUX_DIR(cfgaux) AM_INIT_AUTOMAKE(squid, 2.6-DEVEL) AM_CONFIG_HEADER(include/autoconf.h) -AC_REVISION($Revision: 1.263 $)dnl +AC_REVISION($Revision: 1.264 $)dnl AC_PREFIX_DEFAULT(/usr/local/squid) AM_MAINTAINER_MODE @@ -759,6 +759,18 @@ AC_ARG_ENABLE(ipf-transparent, fi ]) +dnl Enable PF Transparent Proxy +AC_ARG_ENABLE(pf-transparent, +[ --enable-pf-transparent + Enable Transparent Proxy support for systems + using PF network address redirection.], +[ if test "$enableval" = "yes" ; then + echo "PF Transparent Proxy enabled" + AC_DEFINE(PF_TRANSPARENT) + PF_TRANSPARENT="yes" + fi +]) + dnl Enable Linux Netfilter (2.4) Transparent Proxy AC_ARG_ENABLE(linux-netfilter, [ --enable-linux-netfilter @@ -1144,6 +1156,7 @@ AC_CHECK_HEADERS( \ memory.h \ mount.h \ net/if.h \ + net/pfvar.h \ netdb.h \ netinet/if_ether.h \ netinet/in.h \ 
@@ -1733,6 +1746,25 @@ if test "$IPF_TRANSPARENT" = "no" ; then sleep 10 fi +dnl PF support requires a header file. +if test "$PF_TRANSPARENT" ; then + AC_MSG_CHECKING(if PF header file is installed) + # hold on to your hats... + if test "$ac_cv_header_net_pfvar_h" = "yes"; then + PF_TRANSPARENT="yes" + AC_DEFINE(PF_TRANSPARENT, 1) + else + PF_TRANSPARENT="no" + AC_DEFINE(PF_TRANSPARENT, 0) + fi + AC_MSG_RESULT($PF_TRANSPARENT) +fi +if test "$PF_TRANSPARENT" = "no" ; then + echo "WARNING: Cannot find necessary PF header file" + echo " Transparent Proxy support WILL NOT be enabled" + sleep 10 +fi + dnl Linux-Netfilter support requires Linux 2.4 kernel header files. dnl Shamelessly copied from above if test "$LINUX_NETFILTER" ; then diff --git a/src/client_side.cc b/src/client_side.cc index e7e719b5cd..07f13c82b7 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -1,6 +1,6 @@ /* - * $Id: client_side.cc,v 1.571 2002/04/13 14:16:04 hno Exp $ + * $Id: client_side.cc,v 1.572 2002/04/13 15:30:10 hno Exp $ * * DEBUG: section 33 Client-side Routines * AUTHOR: Duane Wessels @@ -62,6 +62,16 @@ #endif #endif +#if PF_TRANSPARENT +#include +#include +#include +#include +#include +#include +#include +#endif + #if LINUX_NETFILTER #include #endif @@ -2084,6 +2094,10 @@ parseHttpRequest(ConnStateData * conn, method_t * method_p, int *status, static int siocgnatl_cmd = SIOCGNATL & 0xff; int x; #endif +#if PF_TRANSPARENT + struct pfioc_natlook nl; + static int pffd = -1; +#endif #if LINUX_NETFILTER size_t sock_sz = sizeof(conn->me); #endif 
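Review bot: The `static int pffd = -1;` added to parseHttpRequest in the last hunk on this line (@@ -2084) is a process-lifetime descriptor that the PF branch later reuses for every intercepted request, and nothing at the declaration says so; a reader could take it for a per-call handle that is never closed. Suggest `static int pffd = -1; /* /dev/pf handle, opened on first use and kept for the life of the process */`. Because the descriptor is opened lazily inside a request handler rather than at startup, a PF open failure only surfaces when the first intercepted request arrives, which matters if Squid has dropped privileges or chrooted by then — I cannot confirm that ordering from this hunk. parseHttpRequest begins and ends outside this hunk.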
@@ -2314,6 +2328,36 @@ parseHttpRequest(ConnStateData * conn, method_t * method_p, int *status,
 inet_ntoa(natLookup.nl_realip),
 vport, url);
 }
+#elif PF_TRANSPARENT
+ if (pffd < 0)
+ pffd = open("/dev/pf", O_RDWR);
+ if (pffd < 0) {
+ debug(50, 1) ("parseHttpRequest: PF open failed: %s\n",
+ xstrerror());
+ return parseHttpRequestAbort(conn, "error:pf-open-failed");
+ }
+ memset(&nl, 0, sizeof(struct pfioc_natlook));
+ nl.saddr.v4.s_addr = http->conn->peer.sin_addr.s_addr;
+ nl.sport = http->conn->peer.sin_port;
+ nl.daddr.v4.s_addr = http->conn->me.sin_addr.s_addr;
+ nl.dport = http->conn->me.sin_port;
+ nl.af = AF_INET;
+ nl.proto = IPPROTO_TCP;
+ nl.direction = PF_OUT;
+ if (ioctl(pffd, DIOCNATLOOK, &nl)) {
+ if (errno != ENOENT) {
+ debug(50, 1) ("parseHttpRequest: PF lookup failed: ioctl(DIOCNATLOOK)\n");
+ close(pffd);
+ pffd = -1;
+ return parseHttpRequestAbort(conn, "error:pf-lookup-failed");
+ } else
+ snprintf(http->uri, url_sz, "http://%s:%d%s",
+ inet_ntoa(http->conn->me.sin_addr),
+ vport, url);
+ } else
+ snprintf(http->uri, url_sz, "http://%s:%d%s",
+ inet_ntoa(nl.rdaddr.v4),
+ ntohs(nl.rdport), url);
 #else
 #if LINUX_NETFILTER
 /* If the call fails the address structure will be unchanged */
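Review bot: The `/dev/pf` descriptor is opened with `O_RDWR` and then kept open across requests, although the only operation this branch issues on it is the `DIOCNATLOOK` lookup; where the target pf version permits that ioctl on a read-only descriptor, `pffd = open("/dev/pf", O_RDONLY);` is the least-privilege choice and avoids the process holding a writable firewall-control handle for its whole lifetime. The lookup-failure message on the non-ENOENT path also drops the errno text, unlike the open-failure message a few lines above it; `debug(50, 1) ("parseHttpRequest: PF lookup failed: ioctl(DIOCNATLOOK): %s\n", xstrerror());` keeps the two consistent and lets an operator tell a permission problem from a malformed lookup. The ENOENT fallback rebuilds the URL from the listening address `http->conn->me` and `vport`, which presumably is the intended handling for clients that reach the port without being redirected; a one-line comment saying so at that `else` would spare the next reader from guessing. parseHttpRequest begins and ends outside this hunk.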