Date:      Tue, 26 Apr 2016 07:53:21 -0700
From:      Nick Rogers <ncrogers@gmail.com>
To:        Pavel Timofeev <timp87@gmail.com>
Cc:        "freebsd-ports@freebsd.org" <freebsd-ports@freebsd.org>
Subject:   Re: www/squid: reconsider enabling all options
Message-ID:  <CAKOb=YZZE2NdTF+k+tc=LYviBmFi0NfuAe5vaN7B4iUbK2MbfQ@mail.gmail.com>
In-Reply-To: <CAAoTqfvyLMFB6Ux1eL7jW5Wi-SZRGUqzWkBMOfWw+5smOoXZZQ@mail.gmail.com>
References:  <CAKOb=YZMqaDCHtVYxme_f1p2oQ7CVwWjbR7QoOMNtDL0p7C_rA@mail.gmail.com> <CAAoTqfvyLMFB6Ux1eL7jW5Wi-SZRGUqzWkBMOfWw+5smOoXZZQ@mail.gmail.com>

On Tue, Apr 26, 2016 at 1:31 AM, Pavel Timofeev <timp87@gmail.com> wrote:

> 2016-04-26 1:32 GMT+03:00 Nick Rogers <ncrogers@gmail.com>:
> > Hello,
> >
> > I just recompiled my www/squid port to the latest 3.5.17 version. Prior to
> > this I was running 3.5.14. I immediately noticed that my transparent proxy
> > setup via PF was broken and throwing a "Forwarding loop detected" error in
> > the logs.
> >
> > I then noticed the following recent commit which enables all options/knobs
> > that do not require dependencies:
> > https://svnweb.freebsd.org/ports?view=revision&revision=412287
> >
> > This change enables the ipf-transparent (TP_IP), ipfw-transparent (TP_IPF),
> > and pf-transparent (TP_PF) options at the same time, and turned out to be
> > the root of my "redirection loop" problem.
> >
> > I am unclear why, but in my experience these options have always been
> > incompatible with each other, which is why in previous versions of the
> > www/squid port and its prior iterations these knobs have always been
> > disabled by default. I've always explicitly enabled TP_PF in my make.conf.
> >
> > I was able to fix my issue by recompiling without the TP_IP and TP_IPF
> > options, but I believe more thought/discussion should be given to all the
> > new options that are now enabled by default in the port.
> >
> > Thanks!
> >
> > -Nick
>
> Hi! I'm sorry, that's my fault.
>
> Do you think all three should be disabled by default, or we can enable
> one of them mostly used?
>

I use TP_PF, and I have always thought of PF as FreeBSD's preferred/best
firewall, but I'm sure a lot of people would disagree with me and use ipfw.


> Do you know if there is a related bug report in squid's bugzilla? Do
> squid's developers know about this incompatibility?
> If yes, it looks weird that they don't check it in the configure.ac script.
>

I'm not aware of a bug report. I had always assumed that the different
options were incompatible and that the default state should be "disable
all" and explicitly enable the one you want. Looking at the code for
3.5.17, it looks like ipfw/TP_IPFW takes precedence if it is enabled,
regardless of whether pf/TP_PF is enabled.

from Intercept.cc:

        /* NAT methods that use sock-opts to return client address */
        if (NetfilterInterception(newConn, silent)) return true;
        if (IpfwInterception(newConn, silent)) return true;

        /* NAT methods that use ioctl to return client address AND destination address */
        if (PfInterception(newConn, silent)) return true;
        if (IpfInterception(newConn, silent)) return true;

This is probably why I was seeing a redirect loop error, because I'm using
PF and it tried to run the ipfw nat hooks.
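[Editor's note, not part of the message above or of Squid's source.] The first-match chain quoted from Intercept.cc is easiest to reason about as a small model. The C++ below is an added example that mirrors the quoted order (ipfw before pf before ipf) and the two method families the comments name: the "sock-opts" methods only supply the client address, so the destination stays whatever getsockname() returned, while the "ioctl" methods query the packet filter's NAT table (DIOCNATLOOK on /dev/pf in the pf case) and recover the original destination. Build flags are modelled as a runtime struct instead of the real IPFW_TRANSPARENT/PF_TRANSPARENT/IPF_TRANSPARENT macros so several builds can be compared in one run; the addresses and the Conn/Build types are constructed for the example.

```cpp
#include <iostream>
#include <string>

// Which interception back-ends were compiled in. In a real build these are the
// IPFW_TRANSPARENT / PF_TRANSPARENT / IPF_TRANSPARENT macros that the port's
// TP_IPFW / TP_PF / TP_IPF options turn on; runtime flags here (model only).
struct Build {
    bool ipfw;
    bool pf;
    bool ipf;
};

// Constructed stand-in for the connection Squid accepted.
struct Conn {
    std::string local;    // what getsockname() returned: after an rdr, Squid's own socket
    std::string remote;   // client address from getpeername()
    std::string natDest;  // original destination held in the packet filter's NAT table
    std::string method;   // which interception method claimed the connection
};

// Constructed: the intercept listener that the pf rdr rule points at.
static const std::string kSquidListen = "10.0.0.1:3129";

// "sock-opts" family: claims the connection but never asks the packet filter
// for the original destination, so c.local is left as getsockname() set it.
static bool IpfwInterception(const Build &b, Conn &c) {
    if (!b.ipfw) return false;
    c.method = "ipfw";
    return true;
}

// "ioctl" family: look the state up in the NAT table and recover the
// original destination (pf does this with DIOCNATLOOK on /dev/pf).
static bool PfInterception(const Build &b, Conn &c) {
    if (!b.pf) return false;
    c.method = "pf";
    c.local = c.natDest;
    return true;
}

static bool IpfInterception(const Build &b, Conn &c) {
    if (!b.ipf) return false;
    c.method = "ipf";
    c.local = c.natDest;
    return true;
}

// Same fixed order as the quoted Intercept.cc: the first method that returns
// true wins, regardless of which firewall is actually doing the redirect.
static bool Lookup(const Build &b, Conn &c) {
    if (IpfwInterception(b, c)) return true;
    if (PfInterception(b, c)) return true;
    if (IpfInterception(b, c)) return true;
    c.method = "none";
    return false;
}

// The loop symptom: the destination Squid believes it must connect to is
// its own listener, so it would forward the request back to itself.
static bool wouldForwardToSelf(const Conn &c) {
    return c.local == kSquidListen;
}

// Constructed sample: a client fetching 93.184.216.34:80 that a pf rdr rule
// sent to Squid's intercept port.
static Conn pfRedirectedConn() {
    return Conn{kSquidListen, "192.168.1.50:51234", "93.184.216.34:80", ""};
}

// Method that claims the sample connection under a given build.
static std::string methodChosen(const Build &b) {
    Conn c = pfRedirectedConn();
    Lookup(b, c);
    return c.method;
}

// Whether the sample connection would loop back to Squid under a given build.
static bool loopsUnder(const Build &b) {
    Conn c = pfRedirectedConn();
    Lookup(b, c);
    return wouldForwardToSelf(c);
}

int main() {
    const Build allThree{true, true, true};   // r412287 default: TP_IPFW + TP_PF + TP_IPF
    const Build pfOnly{false, true, false};   // the fix from the thread: TP_PF only
    std::cout << "all three: " << methodChosen(allThree)
              << (loopsUnder(allThree) ? " (forwards to self)\n" : "\n");
    std::cout << "pf only:   " << methodChosen(pfOnly)
              << (loopsUnder(pfOnly) ? " (forwards to self)\n" : "\n");
    return 0;
}
```

With all three back-ends compiled in, the ipfw path claims the pf-redirected connection and the destination is still Squid's own socket; with only TP_PF the pf path runs and the original destination is recovered. On an installed binary, `squid -v` prints the configure options, so `squid -v | grep -o -- '--enable-[a-z]*-transparent'` shows which of these methods a given build carries.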


