Bug 134823 - Changes to support pf and nis in Squid ebuild.
Summary: Changes to support pf and nis in Squid ebuild.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo/Alt
Classification: Unclassified
Component: FreeBSD
Hardware: All FreeBSD
: High enhancement (vote)
Assignee: Gentoo/BSD Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-05-29 14:07 UTC by Javier Villavicencio (RETIRED)
Modified: 2006-06-19 11:55 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
new squid ebuild with *bsd support. (squid-2.5.13.ebuild,7.06 KB, text/plain)
2006-05-29 14:08 UTC, Javier Villavicencio (RETIRED)
squid-pf-patch.diff (squid-pf-patch.diff,2.89 KB, patch)
2006-05-29 14:14 UTC, Javier Villavicencio (RETIRED)

Description Javier Villavicencio (RETIRED) gentoo-dev 2006-05-29 14:07:20 UTC
Added support for *BSD firewalls (pf and ipfilter), and fixes build when -libs haven't been compiled with "nis" support. Works on freebsd, should work on openbsd, and needs a couple more lines for netbsd.
Comment 1 Javier Villavicencio (RETIRED) gentoo-dev 2006-05-29 14:08:03 UTC
Created attachment 87824 [details]
new squid ebuild with *bsd support.
Comment 2 Javier Villavicencio (RETIRED) gentoo-dev 2006-05-29 14:10:32 UTC
Crappy summary.
Comment 3 Javier Villavicencio (RETIRED) gentoo-dev 2006-05-29 14:14:12 UTC
Created attachment 87825 [details, diff]
squid-pf-patch.diff

The same just in patch form, for better looks.
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-05-29 14:51:24 UTC
net-proxy, can you take a look?
Comment 5 Alin Năstac (RETIRED) gentoo-dev 2006-05-29 21:28:06 UTC
Is it really necessary to add freebsd-pf dependency? On linux, iptables support could be safely enabled, with or without iptables user-space tools (this option only enables transparent proxy functionality). 

I think it would be much simpler (from both dev and user pov) if we would simply force --enable-pf-transparent when installed on freebsd. Of course, if "ipf" is a valid option on freebsd, we have to make the selection available to user through a use flag, but otherwise I don't see why complicate things.

The basic_modules part of the patch is fine by me, excepting the useless "if use elibc_uclibc...". basic_modules is initialized with the same value in both cases.
Comment 6 Javier Villavicencio (RETIRED) gentoo-dev 2006-05-30 16:34:50 UTC
Indeed it is not a compile time dependency, neither a runtime one, just the user has to set up his /etc/pf.conf and configure a "minimal stateful firewall" for squid to work with this. So yes, freebsd-pf dependency can be safely removed.

About forced pf in freebsd, it may be the only OS that has the "choice" between the two firewall implementations (pf and ipfilter), but maybe netbsd has that choice too. The only OS where I'm sure it's the only alternative and can be enabled without problems is openbsd where pf is the only choice, afaik. If I'm right then ipfilter would be use.mask'ed in openbsd and you have still the two choices for {free,net}bsd.

What about this for basic_modules?
[...]
	local basic_modules="getpwnam,NCSA,SMB,MSNT,multi-domain-NTLM,winbind"

	use ldap && basic_modules="LDAP,${basic_modules}"
	use pam && basic_modules="PAM,${basic_modules}"
	use sasl && basic_modules="SASL,${basic_modules}"
	# Support for uclibc #61175
	if use kernel_linux && ! use elibc_uclibc; then
		basic_modules="YP,${basic_modules}"
	elif use kernel_freebsd && built_with_use sys-freebsd/freebsd-lib nis; then
		basic_modules="YP,${basic_modules}"
	elif use kernel_openbsd && built_with_use sys-openbsd/openbsd-lib nis; then
		basic_modules="YP,${basic_modules}"
	fi
[...]
Comment 7 Alin Năstac (RETIRED) gentoo-dev 2006-05-31 14:46:58 UTC
The basic_module implementation described in comment #6 looks fine to me.

BSD team, feel free to modify squid ebuild as discussed here.
Comment 8 Alin Năstac (RETIRED) gentoo-dev 2006-06-18 10:16:54 UTC
I'm about to simplify the whole basic_modules selection to:
        local basic_modules="getpwnam,NCSA,SMB,MSNT,multi-domain-NTLM,winbind"
        use ldap && basic_modules="LDAP,${basic_modules}"
        use pam && basic_modules="PAM,${basic_modules}"
        use sasl && basic_modules="SASL,${basic_modules}"
        use nis && ! use elibc_uclibc && basic_modules="YP,${basic_modules}"

Is there a pf-ipfilter relationship as it is between ipchains and iptables on Linux? In other words, is one of them obsoleted by the other?
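
The two basic_modules selections from comment #6 and comment #8, run side by side over a few constructed USE-flag sets to show where they enable the YP helper differently. This is an added example, not part of the original thread or the squid ebuild; `use` and `built_with_use` are minimal stand-ins for the Portage helpers, and `FLAGS` and `LIB_FLAGS` are hypothetical variables.

```shell
#!/bin/sh
# Stand-ins for the Portage helpers (assumptions for this example):
# FLAGS holds the package's active USE flags, LIB_FLAGS the flags the
# system libc package was built with.
use() { case " $FLAGS " in *" $1 "*) return 0 ;; esac; return 1; }
built_with_use() { case " $LIB_FLAGS " in *" $2 "*) return 0 ;; esac; return 1; }

# Helpers common to both proposals; each optional helper is prepended.
base_modules() {
	basic_modules="getpwnam,NCSA,SMB,MSNT,multi-domain-NTLM,winbind"
	use ldap && basic_modules="LDAP,${basic_modules}"
	use pam && basic_modules="PAM,${basic_modules}"
	use sasl && basic_modules="SASL,${basic_modules}"
	return 0
}

# Comment #6: YP depends on the kernel and on how the libc was built.
select_v6() {
	base_modules
	if use kernel_linux && ! use elibc_uclibc; then
		basic_modules="YP,${basic_modules}"
	elif use kernel_freebsd && built_with_use sys-freebsd/freebsd-lib nis; then
		basic_modules="YP,${basic_modules}"
	elif use kernel_openbsd && built_with_use sys-openbsd/openbsd-lib nis; then
		basic_modules="YP,${basic_modules}"
	fi
	printf '%s\n' "$basic_modules"
}

# Comment #8: YP depends only on the package's own nis flag (and not uclibc).
select_v8() {
	base_modules
	if use nis && ! use elibc_uclibc; then
		basic_modules="YP,${basic_modules}"
	fi
	printf '%s\n' "$basic_modules"
}

# Constructed profiles, written as "USE flags|libc flags".
for profile in "kernel_linux pam|" "kernel_linux elibc_uclibc nis|" \
	"kernel_freebsd nis ldap|" "kernel_freebsd|nis"; do
	FLAGS=${profile%%|*}
	LIB_FLAGS=${profile#*|}
	printf 'USE="%s" libc="%s"\n  comment 6: %s\n  comment 8: %s\n' \
		"$FLAGS" "$LIB_FLAGS" "$(select_v6)" "$(select_v8)"
done
```

In the third profile the comment #8 form selects YP from the package's own nis flag even though the libc in that profile was built without nis, which is the situation the comment #6 form checks for.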
Comment 9 Javier Villavicencio (RETIRED) gentoo-dev 2006-06-19 02:31:02 UTC
(In reply to comment #8)
> Is there a pf-ipfilter relationship as it is between ipchains and iptables on
> Linux? In other words, is one of them obsoleted by the other?
> 

Negative, pf and ipfilter are mere "alternatives" (in fbsd at least), they don't obsolete each other, but you wouldn't want to use both at the same time.
Comment 10 Alin Năstac (RETIRED) gentoo-dev 2006-06-19 11:55:52 UTC
fixed in squid-2.5.14.
The new local USE flags are pf-transparent and ipf-transparent.