[stunnel-users] Stunnel forwarding IP

Peter Pentchev roam at ringlet.net
Tue Jan 4 17:24:47 CET 2011

On Wed, Dec 29, 2010 at 07:18:15PM -0500, oscaruser at programmer.net wrote:
> [second sending of the same message]
> OK I see transparent configuration option, but looks only available for
> Linux. Tried on FreeBSD 7.3 amd64 and FBSD 8.1 amd64, with same result,
> "local_bind (original port): Can't assign requested address (49)".
> Apparently v8.1 supports IP_BINDANY (man ip 8), but stunnel may not be
> using this feature (based on searching the stunnel-4.33 source code).

Okay, what do people think about the attached patch that is based on
Jason Helfman's work in a FreeBSD PR, but abstracts the transparent
proxying option (and the setsockopt() level, and the option's name)
so that it supports *both* the Linux IP_TRANSPARENT implementation and
*BSD's IP_BINDANY one, and leaves the door open for others in the future?

I'm about to commit this patch to the FreeBSD port of stunnel in
a couple of minutes; of course, it's up to Michal Trojnara to decide
whether to integrate it upstream in this or any other shape or form :)


Peter Pentchev	roam at space.bg    roam at ringlet.net    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This would easier understand fewer had omitted.
-------------- next part --------------
From 7d6ccd32177262dcbd980be4c0769c4494f1514d Mon Sep 17 00:00:00 2001
From: Peter Pentchev <roam at ringlet.net>
Date: Tue, 4 Jan 2011 18:17:10 +0200
Subject: [PATCH] Abstract transparent proxying to also support IP_BINDANY.

The implementation is based on Jason Helfman's patch in
FreeBSD PR 153568, but is a bit more abstract to also allow
other transparent proxying implementations.

Reported by:	Jason Helfman <jhelfman at experts-exchange.com>,
		oscaruser at programmer.net
 src/client.c |    9 +++++----
 src/common.h |    9 +++++++++
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/client.c b/src/client.c
index f4b11a0..0e01c7e 100644
--- a/src/client.c
+++ b/src/client.c
@@ -1034,15 +1034,16 @@ static int connect_remote(CLI *c) { /* connect to remote host */
 static void local_bind(CLI *c) {
     int on=1;
     if(c->opt->option.transparent) {
-        if(setsockopt(c->fd, SOL_IP, IP_TRANSPARENT, &on, sizeof on))
-            sockerror("setsockopt IP_TRANSPARENT");
+        if(setsockopt(c->fd, STUNNEL_TRANSPARENT_LEVEL,
+	   STUNNEL_TRANSPARENT, &on, sizeof on))
+            sockerror("setsockopt " STUNNEL_TRANSPARENT_NAME);
         /* ignore the error to retain Linux 2.2 compatibility */
         /* the error will be handled by bind(), anyway */
-#endif /* IP_TRANSPARENT */
     memcpy(&addr, &c->bind_addr.addr[0], sizeof addr);
     if(ntohs(addr.in.sin_port)>=1024) { /* security check */
diff --git a/src/common.h b/src/common.h
index 0fe3aff..0a1cf6d 100644
--- a/src/common.h
+++ b/src/common.h
@@ -337,6 +337,15 @@ extern char *sys_errlist[];
 /* old kernel headers without IP_TRANSPARENT definition */
 #define IP_TRANSPARENT 19
 #endif /* IP_TRANSPARENT */
+#else /* __linux__ */
+#ifdef IP_BINDANY
 #endif /* __linux__ */
 #endif /* USE_WIN32 */

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20110104/db4b4f9b/attachment.sig>

More information about the stunnel-users mailing list