NetBSD-Bugs archive


Re: kern/50198: Fwd: Re: [squid-users] intercept + IPv6 + IPFilter 5.1



The following reply was made to PR kern/50198; it has been noted by GNATS.

From: Stephen Borrill <sborrill%NetBSD.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: kern/50198: Fwd: Re: [squid-users] intercept + IPv6 + IPFilter 5.1
Date: Thu, 6 Oct 2016 08:50:11 +0100

 Patch may not be correct after all, re-opening PR and stalling pullup
 request.
 
 
 -------- Forwarded Message --------
 Subject: Re: [squid-users] intercept + IPv6 + IPFilter 5.1
 Date: Wed, 5 Oct 2016 20:49:54 +0200
 From: Egerváry Gergely <gergely%egervary.hu@localhost>
 To: squid-users%lists.squid-cache.org@localhost
 
 >> Should "intercept" work with IPv6 on NetBSD 7-STABLE and IPFilter 5.1?
 
 Okay, we have "fixed" Squid interception, and IPFilter in the kernel,
 and now it's working well. But did we do it in the right way?
 
 While reading ip_nat.c in IPFilter, I found that SIOCGNATL - and its
 function called ipf_nat_lookupredir() - is a frontend to two functions:
 ipf_nat_inlookup() and ipf_nat_outlookup().
 
 We are now calling SIOCGNATL to use ipf_nat_outlookup(). But shouldn't
 we call it to use ipf_nat_inlookup() instead?
 
 In Squid, we are working with 3 different addresses:
 - source IP:port of the connection (browser client)
 - real destination IP:port (the target web server)
 - interception destination IP:port (Squid itself)
 
 In IPFilter, the terminology is different: "real" refers to the
 original source, not the original destination.
 
 In my understanding, on redirect (RDR) rules, where we know the
 original source address and the rewritten destination address, we should
 use ipf_nat_inlookup() to get the original destination address.
 
 ipf_nat_outlookup() should be used in source-NAT (MAP) scenarios,
 which we don't need for Squid.
 
 If that's true, IPFilter was correct - we have to revert our IPFilter
 patches - and modify Intercept.cc instead.
 
 See IPFilter source code comments below:
 
 ========
 Function: ipf_nat_inlookup
 Returns: nat_t* - NULL == no match, else pointer to matching NAT entry
 Parameters:
 fin(I) - pointer to packet information
 flags(I) - NAT flags for this packet
 p(I) - protocol for this packet
 src(I) - source IP address
 mapdst(I) - destination IP address
 
 Lookup a nat entry based on the mapped destination ip address/port
 and real source address/port. We use this lookup when receiving a
 packet, we're looking for a table entry, based on the destination
 address.
 
 ========
 Function: ipf_nat_outlookup
 Returns: nat_t* - NULL == no match, else pointer to matching NAT entry
 Parameters:
 fin(I) - pointer to packet information
 flags(I) - NAT flags for this packet
 p(I) - protocol for this packet
 src(I) - source IP address
 dst(I) - destination IP address
 rw(I) - 1 == write lock on held, 0 == read lock.
 
 Lookup a nat entry based on the source 'real' ip address/port
 and destination address/port. We use this lookup when sending a packet
 out, we're looking for a table entry, based on the source address.
 
 ========
 
 See full ip_nat.c source code here:
 
 http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/external/bsd/ipf/netinet/ip_nat.c?rev=1.16&content-type=text/x-cvsweb-markup
 
 Thank you,
 -- 
 Gergely EGERVARY
 
 _______________________________________________
 squid-users mailing list
 squid-users%lists.squid-cache.org@localhost
 http://lists.squid-cache.org/listinfo/squid-users
 
 
 -- 
 Stephen
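
The distinction Gergely draws between the two lookups, as an added toy model that is not IPFilter or Squid code: `model_inlookup` and `model_outlookup` are hypothetical names, the table holds one constructed RDR entry, and the addresses are documentation-range values, not anything from the PR. It shows that the tuple Squid knows on accept (client source, Squid's own intercept address) keys the "in" lookup, while the "out" lookup expects the original destination that Squid is trying to discover.

```c
#include <stddef.h>
#include <string.h>

/* One RDR NAT entry. As in the IPFilter comments quoted above, "real"
 * means the original source, not the original destination. */
struct nat_entry {
    const char *real_src;   /* original client address:port            */
    const char *orig_dst;   /* original destination (the web server)   */
    const char *mapped_dst; /* rewritten destination (Squid intercept) */
};

/* Constructed table: a single intercepted IPv6 connection (hypothetical). */
static const struct nat_entry table[] = {
    { "[2001:db8::10]:40000", "[2001:db8::80]:80", "[2001:db8::1]:3128" },
};
#define NENT (sizeof table / sizeof table[0])

/* Models ipf_nat_inlookup: keyed on (real source, mapped destination),
 * i.e. what a packet looks like when it arrives at the redirect target. */
const struct nat_entry *model_inlookup(const char *src, const char *mapdst)
{
    for (size_t i = 0; i < NENT; i++)
        if (strcmp(table[i].real_src, src) == 0 &&
            strcmp(table[i].mapped_dst, mapdst) == 0)
            return &table[i];
    return NULL;
}

/* Models ipf_nat_outlookup: keyed on (real source, original destination),
 * i.e. what the packet looked like before the RDR rewrote it. */
const struct nat_entry *model_outlookup(const char *src, const char *dst)
{
    for (size_t i = 0; i < NENT; i++)
        if (strcmp(table[i].real_src, src) == 0 &&
            strcmp(table[i].orig_dst, dst) == 0)
            return &table[i];
    return NULL;
}

/* What an interceptor knows after accept(): the client's address and its
 * own listening address. Only the "in" keying recovers the web server. */
const char *original_destination(const char *client, const char *intercept_addr)
{
    const struct nat_entry *e = model_inlookup(client, intercept_addr);
    return e ? e->orig_dst : NULL;
}
```

With the same (client, intercept) tuple, `model_outlookup` returns NULL, which is the mismatch the message suspects in the current Intercept.cc call.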
 

