Bug #1378: Transparent proxy problem with IP Filter

On NetBSD and maybe others, when using Ipfilter 4.x, opening of the NAT device
fails.
On Solaris the following message can appear in cache.log:
parseHttpRequest: NAT lookup failed: ioctl(SIOCGNATL): (22) Invalid argument

This patch adds the usage of ipfobj structure for IP Filter 4.0alpha27 and later.

Forward port of 2.5 patch.

diff --git a/configure.in b/configure.in
index 5e016bca2f75f3c7cd1d67f2fb789afc43afc059..8594aa4e48fd9c918da77cab2b22bfeb46305979 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -3,7 +3,7 @@ dnl  Configuration input file for Squid
 dnl
 dnl  Duane Wessels, wessels@nlanr.net, February 1996 (autoconf v2.9)
 dnl
-dnl  $Id: configure.in,v 1.385 2005/09/11 21:08:52 serassio Exp $
+dnl  $Id: configure.in,v 1.386 2005/09/12 14:20:02 serassio Exp $
 dnl
 dnl
 dnl
@@ -13,7 +13,7 @@ AC_CONFIG_SRCDIR([src/main.cc])
 AC_CONFIG_AUX_DIR(cfgaux)
 AM_INIT_AUTOMAKE(squid, 3.0-PRE3-CVS)
 AM_CONFIG_HEADER(include/autoconf.h)
-AC_REVISION($Revision: 1.385 $)dnl
+AC_REVISION($Revision: 1.386 $)dnl
 AC_PREFIX_DEFAULT(/usr/local/squid)
 AM_MAINTAINER_MODE
 
@@ -1660,6 +1660,7 @@ AC_CHECK_HEADERS( \
        ip_fil_compat.h \
        ip_fil.h \
        ip_nat.h \
+       ipl.h \
        libc.h \
        limits.h \
        malloc.h \
@@ -1732,6 +1733,7 @@ AC_CHECK_HEADERS(net/if.h \
        netinet/ip_compat.h\
        netinet/ip_fil.h\
        netinet/ip_nat.h\
+       netinet/ipl.h \
        sys/mount.h\
        resolv.h,,,SQUID_BSDNET_INCLUDES)
 

diff --git a/src/IPInterception.cc b/src/IPInterception.cc
index 3c55c41ec43391bc4c07aad0aba4a1a709e95936..64f1832f1550e6d011a2bb67a5b4f64c46a8570d 100644 (file)
--- a/src/IPInterception.cc
+++ b/src/IPInterception.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: IPInterception.cc,v 1.11 2005/07/10 19:13:17 serassio Exp $
+ * $Id: IPInterception.cc,v 1.12 2005/09/12 14:20:02 serassio Exp $
  *
  * DEBUG: section 89    NAT / IP Interception 
  * AUTHOR: Robert Collins
@@ -43,6 +43,11 @@
 #endif
 #include <netinet/tcp.h>
 #include <net/if.h>
+#ifdef HAVE_IPL_H
+#include <ipl.h>
+#elif HAVE_NETINET_IPL_H
+#include <netinet/ipl.h>
+#endif
 #if HAVE_IP_FIL_COMPAT_H
 #include <ip_fil_compat.h>
 #elif HAVE_NETINET_IP_FIL_COMPAT_H
@@ -84,12 +89,26 @@ int
 clientNatLookup(int fd, struct sockaddr_in me, struct sockaddr_in peer, struct sockaddr_in *dst)
 {
 
+#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
+
+    struct ipfobj obj;
+#endif
+
     struct natlookup natLookup;
     static int natfd = -1;
     static int siocgnatl_cmd = SIOCGNATL & 0xff;
     static time_t last_reported = 0;
     int x;
 
+#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
+
+    obj.ipfo_rev = IPFILTER_VERSION;
+    obj.ipfo_size = sizeof(natLookup);
+    obj.ipfo_ptr = &natLookup;
+    obj.ipfo_type = IPFOBJ_NATLOOKUP;
+    obj.ipfo_offset = 0;
+#endif
+
     natLookup.nl_inport = me.sin_port;
     natLookup.nl_outport = peer.sin_port;
     natLookup.nl_inip = me.sin_addr;
@@ -100,9 +119,9 @@ clientNatLookup(int fd, struct sockaddr_in me, struct sockaddr_in peer, struct s
     {
         int save_errno;
         enter_suid();
-#ifdef IPL_NAME
+#ifdef IPNAT_NAME
 
-        natfd = open(IPL_NAME, O_RDONLY, 0);
+        natfd = open(IPNAT_NAME, O_RDONLY, 0);
 #else
 
         natfd = open(IPL_NAT, O_RDONLY, 0);
@@ -123,13 +142,17 @@ clientNatLookup(int fd, struct sockaddr_in me, struct sockaddr_in peer, struct s
         }
     }
 
+#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
+    x = ioctl(natfd, SIOCGNATL, &obj);
+
+#else
     /*
-     * IP-Filter changed the type for SIOCGNATL between
-     * 3.3 and 3.4.  It also changed the cmd value for
-     * SIOCGNATL, so at least we can detect it.  We could
-     * put something in configure and use ifdefs here, but
-     * this seems simpler.
-     */
+    * IP-Filter changed the type for SIOCGNATL between
+    * 3.3 and 3.4.  It also changed the cmd value for
+    * SIOCGNATL, so at least we can detect it.  We could
+    * put something in configure and use ifdefs here, but
+    * this seems simpler.
+    */
     if (63 == siocgnatl_cmd)
     {
 
@@ -140,6 +163,7 @@ clientNatLookup(int fd, struct sockaddr_in me, struct sockaddr_in peer, struct s
         x = ioctl(natfd, SIOCGNATL, &natLookup);
     }
 
+#endif
     if (x < 0)
     {
         if (errno != ESRCH) {