On 2011-04-08, Reyk Floeter <r...@openbsd.org> wrote:
> On Fri, Apr 08, 2011 at 03:25:55PM +0530, Indunil Jayasooriya wrote:
>> I am trying to test squid 3.2.0.6 on OpenBSD 4.8 (amd64) in
>> transparent mode. I can browse internet. But, I get the below error.
>>
>> # chgrp _squid /dev/pf
>> # chmod g+rw /dev/pf
>>
>
> scary. squid should not touch /dev/pf at all. we have a new method
> in pf that does not require access to /dev/pf: divert-to. you can try
> the following:
>
> - revert /dev/pf to the old 0600 permissions
> - recompile squid _without_ --enable-pf-transparent (disable it)
> - update your pf.conf to use divert-to instead of rdr-to
>
> divert-to provides the real destination address inline via the
> standard getsockname() call which is done by squid by default if no
> other transparent mode is configured (as far as I understand the code
> in squid's client_side.c). the `traditional' rdr-to method had to do
> an out-of-band call on /dev/pf to retrieve this information.
>
> reyk
>
The non-obvious thing here is you must bind the listening socket in
squid to 127.0.0.1, e.g.

  http_port 127.0.0.1:3127 transparent

I will talk to the port maintainer about removing --enable-pf-transparent.
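Putting the three steps from the thread together, here is an added pf.conf fragment written for this page; it is not configuration from the thread, from the squid port or from OpenBSD. The interface macro `$int_if`, the `$lan` network and the `egress` group are assumptions; port 3127 and the 127.0.0.1 bind come from the reply above.

```pf
# Constructed example: macros are assumptions for a typical LAN-side proxy host.
int_if = "em1"
lan    = "192.168.1.0/24"

# Old approach (the one the thread warns against): rdr-to rewrites the
# destination, so squid has to look up the original address out of band
# through /dev/pf. That is what forced the chgrp/chmod on /dev/pf.
# pass in quick on $int_if proto tcp from $lan to any port 80 rdr-to 127.0.0.1 port 3127

# Preferred approach: divert-to hands the packet to a local socket while
# preserving the real destination address, which squid reads with the
# ordinary getsockname() on the accepted connection. /dev/pf can stay
# at its default 0600 root-only permissions and squid needs no access.
pass in quick on $int_if proto tcp from $lan to any port 80 divert-to 127.0.0.1 port 3127

# squid's own outbound requests to origin servers leave normally.
pass out quick on egress proto tcp to any port 80
```

For divert-to to work the squid listener must be bound to the divert address, i.e. `http_port 127.0.0.1:3127 transparent` as stated in the reply, not `http_port 3127 transparent`. After loading the rules, check that the ruleset parses with `pfctl -nf /etc/pf.conf` and that `/dev/pf` is back to mode 0600 owned by root, since the whole point of the change is that the proxy process no longer holds write access to the packet filter device.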