[stunnel-users] Stunnel forwarding IP

Peter Pentchev roam at ringlet.net
Tue Jan 4 17:24:47 CET 2011


On Wed, Dec 29, 2010 at 07:18:15PM -0500, oscaruser at programmer.net wrote:
> [second sending of the same message]
> 
> 
> OK, I see the transparent configuration option, but it looks only available for
> Linux. Tried on FreeBSD 7.3 amd64 and FBSD 8.1 amd64, with the same result,
> "local_bind (original port): Can't assign requested address (49)".
> Apparently v8.1 supports IP_BINDANY (man ip 8), but stunnel may not be
> using this feature (based on searching the stunnel-4.33 source code).

Okay, what do people think about the attached patch that is based on
Jason Helfman's work in a FreeBSD PR, but abstracts the transparent
proxying option (and the setsockopt() level, and the option's name)
so that it supports *both* the Linux IP_TRANSPARENT implementation and
*BSD's IP_BINDANY one, and leaves the door open for others in the future?

I'm about to commit this patch to the FreeBSD port of stunnel in
a couple of minutes; of course, it's up to Michal Trojnara to decide
whether to integrate it upstream in this or any other shape or form :)

G'luck,
Peter

-- 
Peter Pentchev	roam at space.bg    roam at ringlet.net    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This would easier understand fewer had omitted.
-------------- next part --------------
From 7d6ccd32177262dcbd980be4c0769c4494f1514d Mon Sep 17 00:00:00 2001
From: Peter Pentchev <roam at ringlet.net>
Date: Tue, 4 Jan 2011 18:17:10 +0200
Subject: [PATCH] Abstract transparent proxying to also support IP_BINDANY.

The implementation is based on Jason Helfman's patch in
FreeBSD PR 153568, but is a bit more abstract to also allow
other transparent proxying implementations.
http://www.freebsd.org/cgi/query-pr.cgi?pr=153568

Reported by:	Jason Helfman <jhelfman at experts-exchange.com>,
		oscaruser at programmer.net
---
 src/client.c |    9 +++++----
 src/common.h |    9 +++++++++
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/client.c b/src/client.c
index f4b11a0..0e01c7e 100644
--- a/src/client.c
+++ b/src/client.c
@@ -1034,15 +1034,16 @@ static int connect_remote(CLI *c) { /* connect to remote host */
 static void local_bind(CLI *c) {
     SOCKADDR_UNION addr;
 
-#ifdef IP_TRANSPARENT
+#ifdef STUNNEL_TRANSPARENT
     int on=1;
     if(c->opt->option.transparent) {
-        if(setsockopt(c->fd, SOL_IP, IP_TRANSPARENT, &on, sizeof on))
-            sockerror("setsockopt IP_TRANSPARENT");
+        if(setsockopt(c->fd, STUNNEL_TRANSPARENT_LEVEL,
+	   STUNNEL_TRANSPARENT, &on, sizeof on))
+            sockerror("setsockopt " STUNNEL_TRANSPARENT_NAME);
         /* ignore the error to retain Linux 2.2 compatibility */
         /* the error will be handled by bind(), anyway */
     }
-#endif /* IP_TRANSPARENT */
+#endif /* STUNNEL_TRANSPARENT */
 
     memcpy(&addr, &c->bind_addr.addr[0], sizeof addr);
     if(ntohs(addr.in.sin_port)>=1024) { /* security check */
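Review bot: the continuation line `+	   STUNNEL_TRANSPARENT, &on, sizeof on))` is indented with a tab where the surrounding lines use spaces; reindent it with spaces to match the file. Also, the unchanged comment `/* ignore the error to retain Linux 2.2 compatibility */` is now reached on the IP_BINDANY path too, where that reason does not apply; reword it to say the setsockopt() error is deliberately ignored on every platform because bind() reports the real failure (which is also where the reporter's "Can't assign requested address (49)" came from).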
diff --git a/src/common.h b/src/common.h
index 0fe3aff..0a1cf6d 100644
--- a/src/common.h
+++ b/src/common.h
@@ -337,6 +337,15 @@ extern char *sys_errlist[];
 /* old kernel headers without IP_TRANSPARENT definition */
 #define IP_TRANSPARENT 19
 #endif /* IP_TRANSPARENT */
+#define STUNNEL_TRANSPARENT IP_TRANSPARENT
+#define STUNNEL_TRANSPARENT_NAME "IP_TRANSPARENT"
+#define STUNNEL_TRANSPARENT_LEVEL SOL_IP
+#else /* __linux__ */
+#ifdef IP_BINDANY
+#define STUNNEL_TRANSPARENT IP_BINDANY
+#define STUNNEL_TRANSPARENT_NAME "IP_BINDANY"
+#define STUNNEL_TRANSPARENT_LEVEL IPPROTO_IP
+#endif
 #endif /* __linux__ */
 
 #endif /* USE_WIN32 */
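Review bot: the new `+#endif` closing the `#ifdef IP_BINDANY` block has no trailing comment, unlike every other `#endif` in this region (`/* IP_TRANSPARENT */`, `/* __linux__ */`, `/* USE_WIN32 */`); add `/* IP_BINDANY */`. More substantively, on a non-Linux platform whose headers lack IP_BINDANY (such as the FreeBSD 7.3 the reporter tried) STUNNEL_TRANSPARENT stays undefined, so the `#ifdef STUNNEL_TRANSPARENT` block in client.c compiles out silently and a `transparent` setting would have no effect; worth stating in the commit message or flagging at build time so the gap is visible rather than discovered at bind() time.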
-- 
1.7.3.4
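
The abstraction the patch introduces, as an added example that is neither stunnel's code nor part of the patch: it makes the same per-platform option selection, enables the option on a socket, and then shows the bind() behaviour the reporter saw, before and after. All `EX_`/`ex_` names are this example's own, and 203.0.113.7 is a constructed TEST-NET-3 address.

```c
/* Added example, not stunnel code; EX_* names are this example's own. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* The same per-platform selection the patch makes (it also defines
 * IP_TRANSPARENT 19 for old Linux kernel headers, omitted here). */
#if defined(__linux__)
#  define EX_TRANSPARENT      IP_TRANSPARENT
#  define EX_TRANSPARENT_NAME "IP_TRANSPARENT"
#elif defined(IP_BINDANY)                   /* FreeBSD 8.x and later */
#  define EX_TRANSPARENT      IP_BINDANY
#  define EX_TRANSPARENT_NAME "IP_BINDANY"
#else
#  define EX_TRANSPARENT_NAME "(no transparent option on this platform)"
#endif
/* Both live at level IPPROTO_IP; Linux's SOL_IP, used by the patch, is the same value. */

/* Enable the option on fd: 0, or -1 with errno (EPERM/EACCES without CAP_NET_ADMIN
 * on Linux or PRIV_NETINET_BINDANY on FreeBSD; ENOPROTOOPT when unsupported). */
int ex_enable_transparent(int fd) {
#ifdef EX_TRANSPARENT
    int on = 1;
    return setsockopt(fd, IPPROTO_IP, EX_TRANSPARENT, &on, sizeof on);
#else
    (void)fd; errno = ENOPROTOOPT; return -1;
#endif
}

/* bind() fd to IPv4 source ip (port 0): 0 or bind()'s errno. Without the option a
 * non-local ip gives EADDRNOTAVAIL, the "Can't assign requested address (49)" reported. */
int ex_bind_source(int fd, const char *ip) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return EINVAL;
    return bind(fd, (struct sockaddr *)&sa, sizeof sa) ? errno : 0;
}

int main(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    const char *ip = "203.0.113.7";              /* TEST-NET-3; constructed */
    printf("plain bind:  %s\n", strerror(ex_bind_source(fd, ip)));
    if (ex_enable_transparent(fd)) printf("%s: %s\n", EX_TRANSPARENT_NAME, strerror(errno));
    printf("after:       %s\n", strerror(ex_bind_source(fd, ip)));
    return close(fd);
}
```

Run unprivileged, both binds fail with EADDRNOTAVAIL and the setsockopt() reports EPERM; with CAP_NET_ADMIN on Linux (or as root on FreeBSD) the second bind succeeds. That privilege gate exists because the option lets a process originate traffic from addresses the host does not own, which is exactly what a transparent proxy needs and what a hostile process must not get.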
