Apple checks EUID==0 on ioctl(/dev/pf), whereas OpenBSD and FreeBSD only
check permissions on open(/dev/pf). This means that on OS X, it is not
possible to open /dev/pf, drop privileges, and send an ioctl to the file
descriptor opened earlier with EUID==0. It also means Apple broke the
Unix way of dealing with device nodes - why are there file permissions
on /dev/pf when they later enforce EUID==0 on use, thereby breaking
basic Unix mechanisms? Work around this by disallowing -u with pf
proxyspecs and by not automatically dropping to nobody on Mac OS X.
Issue: #65
Reported by: Vladimir Marteev
Local process lookup is independent of the NAT engine used, it depends
only on the operating system's process enumeration API. Moving the code
out of NAT lookup also makes it work for static and SNI proxyspecs.
This exposes the pid lookup code as a standard attribute
of NAT lookup -- if a matching process cannot be found,
or if pid lookup isn't supported by the NAT backend,
a pid of -1 is returned.
This also adds the local_pid to the pxyconn context; this
will be used to populate log strings.
This uses Mac OS X's libproc to find the first process that owns
a matching socket. Currently, the results are simply logged;
the next step will be exposing this generically via
the NAT engine lookup API.
Support pf rdr on Mac OS X 10.7, 10.8 and 10.9 by including the missing
Apple headers in the source tree and enable private Apple code. Since
we are using an interface marked private by Apple, this code is very
experimental.
Issue: #15
Reported by: Amit Chowdhary
For Linux netfilter, IPV6_ORIGINAL_DST and SOL_IPV6 are defined to
SO_ORIGINAL_DST and SOL_IP respectively if they are not defined by the
system headers (they aren't defined on vanilla kernels). Undefine these
compatibility definitions after use, in order not to mess up the
diagnostic output of nat_version().
