From: Sergey Lyubka
To: freebsd-hackers@freebsd.org
Date: Wed, 20 Apr 2005 08:22:13 +0000
Subject: transparent squid proxy + bridge

Hi there,

Recently I tried to make a transparent web proxy on a machine that runs in bridging mode. At last, I decided to make a patch. Here it is for those who want to do the same.
One interface should be given an IP address so squid may do requests. Squid listens on 127.0.0.1:8080. I am using the pf firewall, with this redirection rule:

    rdr on $int proto tcp from any to any port 80 -> (lo0) port 8080

This is what the patch does:

    static void
    ether_input()
    {
        ...
        if (packet_is_IP_packet && pf_enabled &&
            (mbuf_copy = copy_the_mbuf)) {
            strip_ethernet_headers;
            run_the_firewall;
            if (packet_redirected_to_127.0.0.1)
                bypass_the_bridge;
            free_the_mbuf_copy;
        }
        ...
    }

The patch is small, so I include it inline. Tested on 5.4.

Attachment: if_ethersubr.c.patch
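Added example, not part of the original message or the attached patch: a userland C sketch of the decision the pseudocode above describes (work on a copy, strip the Ethernet header, apply the redirect, test for 127.0.0.1), with the length and header checks an input path needs. `rdr_rule`, `classify_frame`, `sample_frame` and the 192.0.2.10 address are hypothetical; `rdr_rule` only imitates the pf rule quoted above and is not pf or kernel code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>                       /* IPPROTO_TCP */

enum verdict { TO_BRIDGE, TO_LOCAL };
static const uint8_t LOOPBACK[4] = {127, 0, 0, 1};

/* Hypothetical stand-in for the pf rdr rule: TCP dport 80 -> 127.0.0.1:8080. */
static void rdr_rule(uint8_t *ip, size_t hlen, size_t len)
{
    if (ip[9] != IPPROTO_TCP || (ip[6] & 0x1f) || ip[7] || len < hlen + 4)
        return;               /* not TCP, a later fragment, or ports truncated */
    if (ip[hlen + 2] != 0 || ip[hlen + 3] != 80)
        return;               /* destination port is not 80 */
    memcpy(ip + 16, LOOPBACK, 4);
    ip[hlen + 2] = 0x1f;      /* new destination port 8080 = 0x1f90 */
    ip[hlen + 3] = 0x90;
}

/* Classify a received frame on a copy, following the pseudocode's steps. */
enum verdict classify_frame(const uint8_t *frame, size_t len)
{
    uint8_t copy[1500];
    size_t iplen, hlen;
    if (len < 14 + 20 || len - 14 > sizeof(copy))
        return TO_BRIDGE;                     /* too short or oversized */
    if (frame[12] != 0x08 || frame[13] != 0x00)
        return TO_BRIDGE;                     /* ethertype is not IPv4 */
    iplen = len - 14;
    memcpy(copy, frame + 14, iplen);          /* strip the Ethernet header */
    hlen = (size_t)(copy[0] & 0x0f) * 4;
    if ((copy[0] >> 4) != 4 || hlen < 20 || hlen > iplen)
        return TO_BRIDGE;                     /* malformed IPv4 header */
    rdr_rule(copy, hlen, iplen);              /* "run the firewall" */
    return memcmp(copy + 16, LOOPBACK, 4) == 0 ? TO_LOCAL : TO_BRIDGE;
}

/* Constructed sample: Ethernet + IPv4 (TCP, dst 192.0.2.10) + ports 49152 -> 80. */
const uint8_t sample_frame[38] = {
    [12] = 0x08, 0x00, 0x45, [23] = IPPROTO_TCP,
    [30] = 192, 0, 2, 10, 0xc0, 0x00, 0x00, 0x50 };

int main(void)
{
    printf("port 80 frame: %s\n",
           classify_frame(sample_frame, sizeof(sample_frame)) ? "local" : "bridge");
    return 0;
}
```

Frames that fail any check stay on the bridge path, so only a well-formed IPv4 packet that the redirect actually rewrote is diverted to the local stack.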