Subject: Re: squid ARP ACLs
To: Ray Phillips <r.phillips@jkmrc.uq.edu.au>
From: Stephen Borrill <netbsd@precedence.co.uk>
List: netbsd-users
Date: 12/04/2006 16:28:39
[Copied to netbsd-users as not i386 specific]
On Mon, 4 Dec 2006, Ray Phillips wrote:
> squid [1] can use ACLs based on client MAC addresses if the option
> --enable-arp-acl is used with its ./configure command--provided, that is, the
> OS supports it.
>
> squid.conf notes:
>
> "the arp ACL code is not portable to all operating systems. It works on
> Linux, Solaris, FreeBSD and some other *BSD variants."
>
> Unfortunately NetBSD doesn't seem to be one of them.
>
> When I ran ./configure for squid-2.6.STABLE5's daily tar file from 20061120
> on a machine running NetBSD/i386 3.1 this was part of the output:
>
> ARP ACL lists enabled (ether address)
> WARNING: ARP ACL support probably won't work on i386-unknown-netbsdelf3.1.
>
> I tried make anyway; the last part of its output, containing the resultant
> errors is appended to this message.
>
> I wonder if there's a chance NetBSD could be tweaked so this option can be
> used, or if there's already a way to get it to work?
Last time I looked (a couple of years ago), there was no support for
NetBSD at all in the arp code. It didn't support our mechanism of looking
up arp entries from IP addresses. I added support and it worked fine, but
it wasn't pretty, so I didn't send it as a patch. I used the source code
for arp(8) as a reference and we don't have a get_mac_for_ip(XX) function
which is what squid expects. We retrieve (IIRC) a list which we can then
traverse, searching for matching entries. This struck me as very slow and
so we'd really need to build a level of caching into squid. It's been on
my to-do list since!
N.B. Both the NetBSD and squid side of things may have changed since I
last looked, so treat all of this with a pinch of salt.
--
Stephen