Hello,
Squid needs to open /dev/pf to query the packet filter. Today in
OpenBSD the default permissions for /dev/pf allow access only to
root and squid is running as user _squid, group _squid. So one
way to allow access to squid is by changing the GID of the file
to _squid and make it group-accessible:
# chgrp _squid /dev/pf
# chmod g+rw /dev/pf
Daniel Hartmeier has already committed code which allows squid
to work group-read-only:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_ioctl.c.diff?r1=1.163&r2=1.164
And Brad Smith has already committed a change to the OpenBSD squid port:
Now it is possible to do:
# chgrp _squid /dev/pf
# chmod g+r /dev/pf
Can you please apply this patch?
--- client_side.c.orig Fri Jan 6 01:09:02 2006
+++ client_side.c Fri Jan 6 01:09:34 2006
@@ -2824,7 +2824,7 @@
#elif PF_TRANSPARENT
static time_t last_reported = 0;
if (pffd < 0)
- pffd = open("/dev/pf", O_RDWR);
+ pffd = open("/dev/pf", O_RDONLY);
if (pffd < 0) {
if (squid_curtime - last_reported > 60) {
debug(50, 1) ("parseHttpRequest: PF open failed: %s\n", xstrerror());
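Review bot: the switch to O_RDONLY in the open("/dev/pf", ...) call only works when the running kernel accepts the packet filter query on a read-only descriptor, and nothing in the hunk records that requirement. On a kernel without that behaviour the open itself can still succeed, so the failure moves to the later query on pffd and the "PF open failed" message in this block never fires, which makes the cause harder to spot. Suggest a short comment above the open() stating the kernel change this depends on, and adding the device path and a hint about group read permission to the debug(50, 1) message so an operator who has not yet run the chgrp/chmod sees what to fix.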
Received on Fri Jan 06 2006 - 10:11:07 MST