authorAndrew Pantyukhin <sat@FreeBSD.org>2006-07-10 19:57:12 +0000
committerAndrew Pantyukhin <sat@FreeBSD.org>2006-07-10 19:57:12 +0000
commitf6d8d65eeff5b374fd45e7814e65bfa6f85c92c3 (patch)
treee08793f8904fa463e107906cf3c482ef969278e3 /www/squid26
parentb691fb39c1d2064374130f6bf7fe888d8fd60a2e (diff)
- Add an OPTION to enable transparent proxying with IPFW
- Include official patchset #10799 - Minor fixes Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
Notes
Notes: svn path=/head/; revision=167383
Diffstat (limited to 'www/squid26')
-rw-r--r--www/squid26/Makefile13
-rw-r--r--www/squid26/distinfo3
-rw-r--r--www/squid26/files/patch-changeset.10801284
-rw-r--r--www/squid26/files/patch-src-client_side.c16
-rw-r--r--www/squid26/files/squid.in1
5 files changed, 312 insertions, 5 deletions
diff --git a/www/squid26/Makefile b/www/squid26/Makefile
index 9fac6b748b93..54f8810d1153 100644
--- a/www/squid26/Makefile
+++ b/www/squid26/Makefile
@@ -69,8 +69,6 @@
# to indicate variance within an accelerator setup. Typically used
# together with other code that adds custom HTTP headers to the
# requests.
-# --enable-auth-on-acceleration
-# Enable authentication in accelerators.
# --enable-forward-log
# Enable experimental forward_log directive.
# --enable-multicast-miss
@@ -78,6 +76,7 @@
PORTNAME= squid
PORTVERSION= 2.6.1
+PORTREVISION= 1
CATEGORIES= www
MASTER_SITES= ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
ftp://archive.progeny.com/squid/%SUBDIR%/ \
@@ -101,8 +100,8 @@ PATCH_SITES= http://www.squid-cache.org/%SUBDIR%/ \
http://www1.uk.squid-cache.org/%SUBDIR%/ \
http://www1.jp.squid-cache.org/%SUBDIR%/ \
http://www1.tw.squid-cache.org/%SUBDIR%/
-PATCH_SITE_SUBDIR= Versions/v2/2.6/bugs
-PATCHFILES=
+PATCH_SITE_SUBDIR= Versions/v2/2.6/changesets/
+PATCHFILES= 10799.patch
PATCH_DIST_STRIP= -p1
MAINTAINER= tmseck@netcologne.de
@@ -145,6 +144,7 @@ OPTIONS= SQUID_LDAP_AUTH "Install LDAP authentication helpers" off \
SQUID_ARP_ACL "Enable ACLs based on ethernet address" off \
SQUID_PF "Enable transparent proxying with PF" off \
SQUID_IPFILTER "Enable transp. proxying with IPFilter" off \
+ SQUID_IPFW "Enable transparent proxying with IPFW" off \
SQUID_FOLLOW_XFF "Follow X-Forwarded-For headers" off \
SQUID_ICAP "Enable ICAP client functionality" off \
SQUID_AUFS "Enable the aufs storage scheme" off \
@@ -331,12 +331,15 @@ IGNORE= IPFilter headers are not part of the base system
CONFIGURE_ARGS+= --enable-ipf-transparent
.endif
.endif
+.if defined(WITH_SQUID_IPFW)
+CFLAGS+= -DIPFW_TRANSPARENT
+.endif
.if defined(WITH_SQUID_FOLLOW_XFF)
CONFIGURE_ARGS+= --enable-follow-x-forwarded-for
.endif
.if defined(WITH_SQUID_ICAP)
IGNORE= patches for ICAP support are not yet updated
-EXTRA_PATCHES+=
+EXTRA_PATCHES+=
#CONFIGURE_ARGS+= --enable-icap-support
#error_files+= ERR_ICAP_FAILURE
.endif
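Review bot: The new `.if defined(WITH_SQUID_IPFW)` block accepts `WITH_SQUID_IPFW` together with `WITH_SQUID_PF` or `WITH_SQUID_IPFILTER`, and nothing here rejects the combination. The companion patch to `src/client_side.c` adds the IPFW lookup as an `#elif` branch, so an earlier interception branch presumably wins and the IPFW choice is silently dropped. A guard such as `.if defined(WITH_SQUID_IPFW) && (defined(WITH_SQUID_PF) || defined(WITH_SQUID_IPFILTER))` followed by `IGNORE= select only one transparent proxying method` would make the conflict visible before the build. The `.if` chain this hunk sits in starts outside the hunk.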
diff --git a/www/squid26/distinfo b/www/squid26/distinfo
index 311c668b1599..1d11150734c3 100644
--- a/www/squid26/distinfo
+++ b/www/squid26/distinfo
@@ -1,3 +1,6 @@
MD5 (squid2.6/squid-2.6.STABLE1.tar.bz2) = d6bb23a67b0475cca11d4af8d574d054
SHA256 (squid2.6/squid-2.6.STABLE1.tar.bz2) = a9efea26f1c3966dff69f80c271a73562afed5c65929d69dab713308dd402ba9
SIZE (squid2.6/squid-2.6.STABLE1.tar.bz2) = 1212556
+MD5 (squid2.6/10799.patch) = 3a3d941b0d256a1da9ad8f2430da4e2b
+SHA256 (squid2.6/10799.patch) = 0f010962faae226a21761996df7c487ed6ca2d51458e6941a9f2a5b69aa3e6c3
+SIZE (squid2.6/10799.patch) = 1288
diff --git a/www/squid26/files/patch-changeset.10801 b/www/squid26/files/patch-changeset.10801
new file mode 100644
index 000000000000..f73e5dbf7b4d
--- /dev/null
+++ b/www/squid26/files/patch-changeset.10801
@@ -0,0 +1,284 @@
+---------------------
+PatchSet 10801
+Date: 2006/07/04 21:51:15
+Author: hno
+Branch: HEAD
+Tag: (none)
+Log:
+Bug #1650: transparent interception "Unable to forward this request at this time"
+
+this patch clears up some confusion between accelerated and transparently
+intercepted requests, clearly separating the two cases.
+
+With this patch the --enable-auth-on-acceleration is removed again as it
+no longer serves any purpose as there no longer is any conflict between
+the processing accelerated and transparently intercepted requests.
+
+Members:
+ configure:1.388->1.389
+ configure.in:1.384->1.385
+ include/autoconf.h.in:1.153->1.154
+ src/acl.c:1.303->1.304
+ src/client_side.c:1.657->1.658
+ src/structs.h:1.489->1.490
+
+Index: squid/configure
+===================================================================
+RCS file: /cvsroot/squid/squid/configure,v
+retrieving revision 1.388
+retrieving revision 1.389
+diff -u -r1.388 -r1.389
+--- configure 1 Jul 2006 18:42:04 -0000 1.388
++++ configure 4 Jul 2006 21:51:15 -0000 1.389
+@@ -907,8 +907,6 @@
+ --enable-forw-via-db Enable Forw/Via database
+ --enable-cache-digests Use Cache Digests
+ see http://www.squid-cache.org/FAQ/FAQ-16.html
+- --enable-auth-on-acceleration
+- Enable authentication in accelerators
+ --enable-default-err-language=lang
+ Select default language for Error pages (see
+ errors directory)
+@@ -4220,20 +4218,6 @@
+
+ fi;
+
+-# Check whether --enable-auth-on-acceleration or --disable-auth-on-acceleration was given.
+-if test "${enable_auth_on_acceleration+set}" = set; then
+- enableval="$enable_auth_on_acceleration"
+- if test "$enableval" = "yes" ; then
+- echo "AUTH_ON_ACCELERATION enabled"
+-
+-cat >>confdefs.h <<\_ACEOF
+-#define AUTH_ON_ACCELERATION 1
+-_ACEOF
+-
+- fi
+-
+-fi;
+-
+ # Check whether --enable-default-err-language or --disable-default-err-language was given.
+ if test "${enable_default_err_language+set}" = set; then
+ enableval="$enable_default_err_language"
+Index: squid/configure.in
+===================================================================
+RCS file: /cvsroot/squid/squid/configure.in,v
+retrieving revision 1.384
+retrieving revision 1.385
+diff -u -r1.384 -r1.385
+--- configure.in 1 Jul 2006 18:41:21 -0000 1.384
++++ configure.in 4 Jul 2006 21:51:15 -0000 1.385
+@@ -736,15 +736,6 @@
+ fi
+ ])
+
+-AC_ARG_ENABLE(auth-on-acceleration,
+-[ --enable-auth-on-acceleration
+- Enable authentication in accelerators],
+-[ if test "$enableval" = "yes" ; then
+- echo "AUTH_ON_ACCELERATION enabled"
+- AC_DEFINE(AUTH_ON_ACCELERATION, 1, [Enable authentication support in accelerators])
+- fi
+-])
+-
+ dnl Select Default Error language
+ AC_ARG_ENABLE(default-err-language,
+ [ --enable-default-err-language=lang
+Index: squid/include/autoconf.h.in
+===================================================================
+RCS file: /cvsroot/squid/squid/include/autoconf.h.in,v
+retrieving revision 1.153
+retrieving revision 1.154
+diff -u -r1.153 -r1.154
+--- include/autoconf.h.in 21 Jun 2006 20:33:46 -0000 1.153
++++ include/autoconf.h.in 4 Jul 2006 21:51:16 -0000 1.154
+@@ -3,9 +3,6 @@
+ /* Defines how many threads aufs uses for I/O */
+ #undef AUFS_IO_THREADS
+
+-/* Enable authentication support in accelerators */
+-#undef AUTH_ON_ACCELERATION
+-
+ /* If you are upset that the cachemgr.cgi form comes up with the hostname
+ field blank, then define this to getfullhostname() */
+ #undef CACHEMGR_HOSTNAME
+Index: squid/src/acl.c
+===================================================================
+RCS file: /cvsroot/squid/squid/src/acl.c,v
+retrieving revision 1.303
+retrieving revision 1.304
+diff -u -r1.303 -r1.304
+--- src/acl.c 17 Jun 2006 23:31:03 -0000 1.303
++++ src/acl.c 4 Jul 2006 21:51:16 -0000 1.304
+@@ -400,6 +400,10 @@
+ type->accelerated = 1;
+ continue;
+ }
++ if (strcmp(t, "transparent") == 0) {
++ type->transparent = 1;
++ continue;
++ }
+ if (strcmp(t, "internal") == 0) {
+ type->internal = 1;
+ continue;
+@@ -1679,6 +1683,8 @@
+ {
+ if (type->accelerated && request->flags.accelerated)
+ return 1;
++ if (type->transparent && request->flags.transparent)
++ return 1;
+ if (type->internal && request->flags.internal)
+ return 1;
+ return 0;
+@@ -1691,20 +1697,15 @@
+ http_hdr_type headertype;
+ if (NULL == r) {
+ return -1;
+- } else if (!r->flags.accelerated) {
+- /* Proxy authorization on proxy requests */
+- headertype = HDR_PROXY_AUTHORIZATION;
+- } else if (r->flags.internal) {
+- /* WWW authorization on accelerated internal requests */
+- headertype = HDR_AUTHORIZATION;
+- } else {
+-#if AUTH_ON_ACCELERATION
++ } else if (r->flags.accelerated) {
+ /* WWW authorization on accelerated requests */
+ headertype = HDR_AUTHORIZATION;
+-#else
+- debug(28, 1) ("aclAuthenticated: authentication not applicable on accelerated requests.\n");
++ } else if (r->flags.transparent) {
++ debug(28, 1) ("aclAuthenticated: authentication not applicable on transparently intercepted requests.\n");
+ return -1;
+-#endif
++ } else {
++ /* Proxy authorization on proxy requests */
++ headertype = HDR_PROXY_AUTHORIZATION;
+ }
+ /* get authed here */
+ /* Note: this fills in checklist->auth_user_request when applicable (auth incomplete) */
+@@ -2911,6 +2912,8 @@
+ wordlistAdd(&W, "accelerated");
+ if (type->internal)
+ wordlistAdd(&W, "internal");
++ if (type->transparent)
++ wordlistAdd(&W, "transparent");
+ return W;
+ }
+
+Index: squid/src/client_side.c
+===================================================================
+RCS file: /cvsroot/squid/squid/src/client_side.c,v
+retrieving revision 1.657
+retrieving revision 1.658
+diff -u -r1.657 -r1.658
+--- src/client_side.c 4 Jul 2006 00:06:11 -0000 1.657
++++ src/client_side.c 4 Jul 2006 21:51:17 -0000 1.658
+@@ -3482,7 +3482,7 @@
+ /*
+ * Deny loops when running in accelerator/transproxy mode.
+ */
+- if (http->flags.accel && r->flags.loopdetect) {
++ if (r->flags.loopdetect && (http->flags.accel || http->flags.transparent)) {
+ http->al.http.code = HTTP_FORBIDDEN;
+ err = errorCon(ERR_ACCESS_DENIED, HTTP_FORBIDDEN);
+ err->request = requestLink(http->orig_request);
+@@ -3684,15 +3684,19 @@
+ if (method == METHOD_CONNECT) {
+ if (http_ver.major < 1)
+ goto invalid_request;
++ if (conn->port->accel)
++ goto invalid_request;
+ } else if (*url == '/')
+ accel:{
+ int vhost = conn->port->vhost || conn->port->transparent;
+- int vport = conn->port->vport || conn->transparent;
++ int vport = conn->port->vport;
++ int accel = conn->port->accel;
++ if (!vport && conn->transparent)
++ vport = ntohs(conn->me.sin_port);
+ if (Config.onoff.global_internal_static && conn->port->accel && internalCheck(url)) {
+ /* prepend our name & port */
+ http->uri = xstrdup(internalStoreUri("", url));
+ http->flags.internal = 1;
+- http->flags.accel = 1;
+ debug(33, 5) ("INTERNAL REWRITE: '%s'\n", http->uri);
+ } else if (vhost && (t = mime_get_header(req_hdr, "Host"))) {
+ url_sz = strlen(url) + 32 + Config.appendDomainLen +
+@@ -3724,14 +3728,14 @@
+ /* prepend our name & port */
+ http->uri = xstrdup(internalStoreUri("", url));
+ http->flags.internal = 1;
+- http->flags.accel = 1;
+ debug(33, 5) ("INTERNAL REWRITE: '%s'\n", http->uri);
+ } else {
+ goto invalid_request;
+ }
+- http->flags.accel = 1;
+- } else if (conn->transparent) {
+- http->flags.accel = 1;
++ if (accel)
++ http->flags.accel = 1;
++ else if (conn->port->transparent)
++ http->flags.transparent = 1;
+ } else if (conn->port->accel) {
+ http->flags.accel = 1;
+ if (!conn->port->vhost) {
+@@ -3743,9 +3747,6 @@
+ url = (char *) "/";
+ goto accel;
+ }
+- } else {
+- /* Proxy request */
+- http->flags.accel = 0;
+ }
+ if (!http->uri) {
+ /* No special rewrites have been applied above, use the
+@@ -3753,7 +3754,6 @@
+ url_sz = strlen(url) + Config.appendDomainLen + 5;
+ http->uri = xcalloc(url_sz, 1);
+ strcpy(http->uri, url);
+- http->flags.accel = 0;
+ }
+ if (!stringHasCntl(http->uri))
+ http->log_uri = xstrndup(http->uri, MAX_URL);
+@@ -3989,6 +3989,7 @@
+ request->flags.tproxy = conn->port->tproxy;
+ #endif
+ request->flags.accelerated = http->flags.accel;
++ request->flags.transparent = http->flags.transparent;
+ /*
+ * cache the Content-length value in request_t.
+ */
+Index: squid/src/structs.h
+===================================================================
+RCS file: /cvsroot/squid/squid/src/structs.h,v
+retrieving revision 1.489
+retrieving revision 1.490
+diff -u -r1.489 -r1.490
+--- src/structs.h 30 Jun 2006 21:23:05 -0000 1.489
++++ src/structs.h 4 Jul 2006 21:51:18 -0000 1.490
+@@ -346,6 +346,7 @@
+
+ struct _acl_request_type {
+ unsigned int accelerated:1;
++ unsigned int transparent:1;
+ unsigned int internal:1;
+ };
+
+@@ -1190,6 +1191,7 @@
+ AccessLogEntry al;
+ struct {
+ unsigned int accel:1;
++ unsigned int transparent:1;
+ unsigned int internal:1;
+ unsigned int done_copying:1;
+ unsigned int purging:1;
+@@ -1785,6 +1787,7 @@
+ unsigned int nocache_hack:1; /* for changing/ignoring no-cache requests */
+ #endif
+ unsigned int accelerated:1;
++ unsigned int transparent:1;
+ unsigned int internal:1;
+ unsigned int body_sent:1;
+ unsigned int reset_tcp:1;
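Review bot: In the `client_side.c` part, `http->flags.transparent` is set only inside the `accel:` block, so only for requests whose URL starts with `/`, and it is keyed on `conn->port->transparent` while the `vport` fallback in the same block tests the per-connection `conn->transparent`. The removed `} else if (conn->transparent) {` branch used to mark absolute-URL requests on intercepted connections; after this change such a request carries neither flag, so `aclAuthenticated` in `acl.c` falls through to the `HDR_PROXY_AUTHORIZATION` branch and the new `transparent` request-type ACL does not match it. If that is not intended upstream, keeping the branch as `} else if (conn->transparent) {` with `http->flags.transparent = 1;` would cover that case; otherwise a comment at the flag assignment should say why the port setting rather than the connection state decides. The enclosing functions start and end outside these hunks.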
diff --git a/www/squid26/files/patch-src-client_side.c b/www/squid26/files/patch-src-client_side.c
new file mode 100644
index 000000000000..3c9eed63c572
--- /dev/null
+++ b/www/squid26/files/patch-src-client_side.c
@@ -0,0 +1,16 @@
+--- ./src/client_side.c.orig Thu Jul 6 11:44:18 2006
++++ ./src/client_side.c Thu Jul 6 11:52:07 2006
+@@ -4490,6 +4490,13 @@
+ return -1;
+ }
+ }
++#elif IPFW_TRANSPARENT
++static int inline
++clientNatLookup(ConnStateData * conn)
++{
++ static time_t last_reported = 0;
++ return 0;
++}
+ #else
+ static int inline
+ clientNatLookup(ConnStateData * conn)
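Review bot: The IPFW variant of `clientNatLookup` returns 0 without examining the connection, so every connection on the port is reported as a successful lookup, and nothing in the stub says why that is safe. `static time_t last_reported = 0;` is never read and can be dropped. A comment such as `/* IPFW: no lookup is performed here; conn->me is used as-is (confirm it holds the original destination) */` would document the assumption, and `static inline int` is the conventional specifier order. The `#if` branches before this `#elif` and the body of the `#else` variant are outside the hunk.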
diff --git a/www/squid26/files/squid.in b/www/squid26/files/squid.in
index d7ae60bba649..284b0112010d 100644
--- a/www/squid26/files/squid.in
+++ b/www/squid26/files/squid.in
@@ -15,6 +15,7 @@
#
squid_stop() {
+ echo "Stopping ${name}."
${command} -k shutdown
run_rc_command poll
}