From owner-freebsd-ports@freebsd.org Tue Apr 26 14:53:22 2016
Date: Tue, 26 Apr 2016 07:53:21 -0700
From: Nick Rogers <ncrogers@gmail.com>
To: Pavel Timofeev
Cc: freebsd-ports@freebsd.org
Subject: Re: www/squid: reconsider enabling all options

On Tue, Apr 26, 2016 at 1:31 AM, Pavel Timofeev wrote:
> 2016-04-26 1:32 GMT+03:00 Nick Rogers:
> > Hello,
> >
> > I just recompiled my www/squid port to the latest 3.5.17 version. Prior to
> > this I was running 3.5.14. I immediately noticed that my transparent proxy
> > setup via PF was broken and throwing a "Forwarding loop detected" error in
> > the logs.
> >
> > I then noticed the following recent commit which enables all options/knobs
> > that do not require dependencies:
> > https://svnweb.freebsd.org/ports?view=revision&revision=412287
> >
> > This change enables the ipf-transparent (TP_IP), ipfw-transparent (TP_IPF),
> > and pf-transparent (TP_PF) options at the same time, and turned out to be
> > the root of my "redirection loop" problem.
> >
> > I am unclear why, but in my experience these options have always been
> > incompatible with each other, which is why in previous versions of the
> > www/squid port and its prior iterations these knobs have always been
> > disabled by default. I've always explicitly enabled TP_PF in my make.conf.
> >
> > I was able to fix my issue by recompiling without the TP_IP and TP_IPF
> > options, but I believe more thought/discussion should be given to all the
> > new options that are now enabled by default in the port.
> >
> > Thanks!
> >
> > -Nick
>
> Hi! I'm sorry, that's my fault.
> Do you think all three should be disabled by default, or we can enable
> one of them mostly used?

I use TP_PF, and I always associate PF as FreeBSD's preferred/best firewall,
but I'm sure a lot of people would disagree with me and use ipfw.

> Do you know there is a related bug report in squid's bugzilla? Do
> squid's developers know about this incompatibility?
> If yes it looks weird they don't check it in configure.ac script.

I'm not aware of a bug report. I had always assumed that the different
options were incompatible and that the default state should be "disable all"
and explicitly enable the one you want.

Looking at the code for 3.5.17, it looks like ipfw/TP_IPFW takes precedence
if it is enabled, regardless of whether pf/TP_PF is enabled. From Intercept.cc:

    /* NAT methods that use sock-opts to return client address */
    if (NetfilterInterception(newConn, silent)) return true;
    if (IpfwInterception(newConn, silent)) return true;

    /* NAT methods that use ioctl to return client address AND destination address */
    if (PfInterception(newConn, silent)) return true;
    if (IpfInterception(newConn, silent)) return true;

This is probably why I was seeing a redirect loop error, because I'm using PF
and it tried to run the ipfw nat hooks.
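The precedence Nick reads out of Intercept.cc above can be checked against an installed binary before the proxy is put back into the pf rdr path. The script below is an added example, not code from this thread, from Squid, or from the FreeBSD ports tree. It assumes `squid -v` prints a line beginning `configure options:` followed by the single-quoted ./configure flags, lists the compiled-in interception methods in the order the snippet above tries them, and warns when the method the firewall actually uses is shadowed by an earlier one. The `squid -v` output it runs on is constructed for the example, not captured from a real build.

```shell
#!/bin/sh
# Added example (not from the thread, Squid or the ports tree): report which
# transparent-interception methods a Squid binary was built with, in the order
# Intercept.cc tries them, and flag a shadowed method (pf behind ipfw, as in the
# report above). Assumes `squid -v` prints "configure options:" followed by the
# single-quoted ./configure flags.

# Print the compiled-in methods, one per line, in Squid's try order
# (netfilter, ipfw, pf, ipf). $1: the text of `squid -v`.
tp_methods() {
    opts=$(printf '%s\n' "$1" | sed -n 's/^configure options:[[:space:]]*//p' | tr -d "'")
    for pair in netfilter:--enable-linux-netfilter \
                ipfw:--enable-ipfw-transparent \
                pf:--enable-pf-transparent \
                ipf:--enable-ipf-transparent; do
        case " $opts " in
            *" ${pair#*:} "*) printf '%s\n' "${pair%%:*}" ;;
        esac
    done
}

# The method Squid reaches first (empty when none is compiled in).
tp_first() {
    tp_methods "$1" | head -n 1
}

# $1: `squid -v` text; $2: the firewall doing the redirect (pf, ipfw, ipf, netfilter).
# Returns 0 when $2 is tried first, 1 when an earlier method shadows it,
# 2 when no interception method is compiled in at all.
tp_check() {
    first=$(tp_first "$1")
    if [ -z "$first" ]; then
        echo "no transparent-interception method compiled in"
        return 2
    elif [ "$first" != "$2" ]; then
        echo "WARNING: $first is tried before $2; rebuild without the $first option"
        return 1
    fi
    echo "ok: $2 is the first interception method tried"
    return 0
}

# Constructed sample output (abbreviated): a port built with all three TP_*
# knobs on, and one built with only TP_PF.
SQUID_V_ALL="Squid Cache: Version 3.5.17
Service Name: squid
configure options:  '--prefix=/usr/local' '--enable-ipf-transparent' '--enable-ipfw-transparent' '--enable-pf-transparent' '--with-pthreads'"
SQUID_V_PF_ONLY="Squid Cache: Version 3.5.17
Service Name: squid
configure options:  '--prefix=/usr/local' '--enable-pf-transparent' '--with-pthreads'"

if [ "${1:-}" = "--demo" ]; then
    tp_check "$SQUID_V_ALL" pf       # WARNING: ipfw is tried before pf; rebuild without the ipfw option
    tp_check "$SQUID_V_PF_ONLY" pf   # ok: pf is the first interception method tried
fi
```

Against a real installation, source the file and run `tp_check "$(squid -v)" pf` (or `ipfw`, matching the firewall whose rdr/fwd rule feeds the proxy). When it warns, the fix from the thread is to rebuild without the shadowing knob; assuming the ports framework's per-port option variables are named `www_squid_SET` and `www_squid_UNSET`, that is `www_squid_UNSET= TP_IPF TP_IPFW` in /etc/make.conf, after which `make -C /usr/ports/www/squid showconfig` shows only TP_PF enabled.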