From: serassio <> Date: Mon, 12 Sep 2005 20:20:02 +0000 (+0000) Subject: Bug #1378: Transparent proxy problem with IP Filter X-Git-Tag: SQUID_3_0_PRE4~635 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dbc5782ae3648c652e3e5e35d29d871d494f6005;p=thirdparty%2Fsquid.git Bug #1378: Transparent proxy problem with IP Filter On NetBSD and maybe others, when using Ipfilter 4.x, opening of the NAT device fails. On Solaris the following message can appear in cache.log: parseHttpRequest: NAT lookup failed: ioctl(SIOCGNATL): (22) Invalid argument This patch adds the usage of ipfobj structure for IP Filter 4.0alpha27 and later. Forward port of 2.5 patch. --- diff --git a/configure.in b/configure.in index 5e016bca2f..8594aa4e48 100644 --- a/configure.in +++ b/configure.in @@ -3,7 +3,7 @@ dnl Configuration input file for Squid dnl dnl Duane Wessels, wessels@nlanr.net, February 1996 (autoconf v2.9) dnl -dnl $Id: configure.in,v 1.385 2005/09/11 21:08:52 serassio Exp $ +dnl $Id: configure.in,v 1.386 2005/09/12 14:20:02 serassio Exp $ dnl dnl dnl @@ -13,7 +13,7 @@ AC_CONFIG_SRCDIR([src/main.cc]) AC_CONFIG_AUX_DIR(cfgaux) AM_INIT_AUTOMAKE(squid, 3.0-PRE3-CVS) AM_CONFIG_HEADER(include/autoconf.h) -AC_REVISION($Revision: 1.385 $)dnl +AC_REVISION($Revision: 1.386 $)dnl AC_PREFIX_DEFAULT(/usr/local/squid) AM_MAINTAINER_MODE @@ -1660,6 +1660,7 @@ AC_CHECK_HEADERS( \ ip_fil_compat.h \ ip_fil.h \ ip_nat.h \ + ipl.h \ libc.h \ limits.h \ malloc.h \ @@ -1732,6 +1733,7 @@ AC_CHECK_HEADERS(net/if.h \ netinet/ip_compat.h\ netinet/ip_fil.h\ netinet/ip_nat.h\ + netinet/ipl.h \ sys/mount.h\ resolv.h,,,SQUID_BSDNET_INCLUDES) diff --git a/src/IPInterception.cc b/src/IPInterception.cc index 3c55c41ec4..64f1832f15 100644 --- a/src/IPInterception.cc +++ b/src/IPInterception.cc 
@@ -1,6 +1,6 @@ /* - * $Id: IPInterception.cc,v 1.11 2005/07/10 19:13:17 serassio Exp $ + * $Id: IPInterception.cc,v 1.12 2005/09/12 14:20:02 serassio Exp $ * * DEBUG: section 89 NAT / IP Interception * AUTHOR: Robert Collins @@ -43,6 +43,11 @@ #endif #include #include +#ifdef HAVE_IPL_H +#include +#elif HAVE_NETINET_IPL_H +#include +#endif #if HAVE_IP_FIL_COMPAT_H #include #elif HAVE_NETINET_IP_FIL_COMPAT_H @@ -84,12 +89,26 @@ int clientNatLookup(int fd, struct sockaddr_in me, struct sockaddr_in peer, struct sockaddr_in *dst) { +#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027) + + struct ipfobj obj; +#endif + struct natlookup natLookup; static int natfd = -1; static int siocgnatl_cmd = SIOCGNATL & 0xff; static time_t last_reported = 0; int x; +#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027) + + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_size = sizeof(natLookup); + obj.ipfo_ptr = &natLookup; + obj.ipfo_type = IPFOBJ_NATLOOKUP; + obj.ipfo_offset = 0; +#endif + natLookup.nl_inport = me.sin_port; natLookup.nl_outport = peer.sin_port; natLookup.nl_inip = me.sin_addr; @@ -100,9 +119,9 @@ clientNatLookup(int fd, struct sockaddr_in me, struct sockaddr_in peer, struct s { int save_errno; enter_suid(); -#ifdef IPL_NAME +#ifdef IPNAT_NAME - natfd = open(IPL_NAME, O_RDONLY, 0); + natfd = open(IPNAT_NAME, O_RDONLY, 0); #else natfd = open(IPL_NAT, O_RDONLY, 0); 
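Review bot: Nothing in the `@@ -43,6 +43,11 @@` hunk records that these includes are there to supply `IPFILTER_VERSION`. If configure finds neither header, the version test in clientNatLookup presumably selects the legacy ioctl path without any warning, and that looks like the EINVAL failure this commit sets out to fix. A comment above the block such as `/* ipl.h is expected to define IPFILTER_VERSION; without it the pre-4.0alpha27 SIOCGNATL path is compiled */` would make the dependency visible. The guard also opens with `#ifdef HAVE_IPL_H` where the neighbouring blocks use `#if HAVE_...`; `#if HAVE_IPL_H` would match them.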
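Review bot: `struct ipfobj obj` and `struct natlookup natLookup` in the `@@ -84,12 +89,26 @@` hunk are stack objects filled member by member. Since `&obj` is later passed to ioctl(), any member or padding not assigned here reaches the kernel as uninitialised stack bytes. Zeroing both before the assignments, `memset(&obj, 0, sizeof(obj));` and `memset(&natLookup, 0, sizeof(natLookup));`, removes that dependence on stack contents and keeps the request well defined if IP Filter adds fields to either structure. clientNatLookup continues outside the hunk, so the remaining natLookup assignments are not visible here.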
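Review bot: The descriptor returned by `open(IPNAT_NAME, O_RDONLY, 0)` in the `@@ -100,9 +119,9 @@` hunk is obtained after enter_suid() and cached in the static `natfd`, and the visible lines do not mark it close-on-exec. If nothing outside the hunk does so, helper processes that Squid spawns would inherit a handle to the NAT device that was opened with elevated privileges. Adding `fcntl(natfd, F_SETFD, FD_CLOEXEC);` once the open succeeds would prevent that. The enclosing block starts and ends outside the hunk, so this should be checked against the full function.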
@@ -123,13 +142,17 @@ clientNatLookup(int fd, struct sockaddr_in me, struct sockaddr_in peer, struct s } } +#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027) + x = ioctl(natfd, SIOCGNATL, &obj); + +#else /* - * IP-Filter changed the type for SIOCGNATL between - * 3.3 and 3.4. It also changed the cmd value for - * SIOCGNATL, so at least we can detect it. We could - * put something in configure and use ifdefs here, but - * this seems simpler. - */ + * IP-Filter changed the type for SIOCGNATL between + * 3.3 and 3.4. It also changed the cmd value for + * SIOCGNATL, so at least we can detect it. We could + * put something in configure and use ifdefs here, but + * this seems simpler. + */ if (63 == siocgnatl_cmd) { @@ -140,6 +163,7 @@ clientNatLookup(int fd, struct sockaddr_in me, struct sockaddr_in peer, struct s x = ioctl(natfd, SIOCGNATL, &natLookup); } +#endif if (x < 0) { if (errno != ESRCH) {
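Review bot: When the new `#if` branch of the `@@ -123,13 +142,17 @@` hunk is compiled, the only visible reader of the static `siocgnatl_cmd` (`if (63 == siocgnatl_cmd)`) sits in the `#else` branch. The variable is still declared unconditionally earlier in clientNatLookup, so it looks unused on IP Filter 4.0alpha27 and later. Its declaration could be wrapped in the inverse guard, or the test `defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)` could be defined once as a local macro and reused at all three sites instead of being repeated. The closing `#endif` in the following hunk would also read better as `#endif /* IPFILTER_VERSION >= 4000027 */`, since the matching `#if` is some twenty lines above it.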